diff --git a/cms/includes/functions.navigation.php b/cms/includes/functions.navigation.php
index 066a31d..624a679 100644
--- a/cms/includes/functions.navigation.php
+++ b/cms/includes/functions.navigation.php
@@ -1,5 +1,4 @@ query($sql); - while ($db->next_record()) { - $cat_id = $db->f("idcat"); - $cat_idlang = $db->f("idcatlang"); - $visible = false; - if ($db->f("public") != 0) { - $visible = true; - } elseif (($auth->auth['uid'] != '') && ($auth->auth['uid'] != 'nobody')) { - $FrontendGroupMemberCollection = new FrontendGroupMemberCollection; + while($db->next_record()) + { + $cat_id = $db->f("idcat"); + $cat_idlang = $db->f("idcatlang"); + $visible=false; + if($db->f("public")!=0){ + $visible = true; + }elseif(($auth->auth['uid']!='')&&($auth->auth['uid']!='nobody')){ + $FrontendGroupMemberCollection = new FrontendGroupMemberCollection; - $FrontendGroupMemberCollection->setWhere("idfrontenduser", $auth->auth['uid']); - $FrontendGroupMemberCollection->query(); - $groups = array(); - while ($member = $FrontendGroupMemberCollection->next()) { - $groups[] = $member->get("idfrontendgroup"); - } - } - if (count($groups) > 0) { - for ($i = 0; $i < count($groups); $i++) { - if ($FrontendPermissionCollection->checkPerm($groups[$i], 'category', 'access', $cat_idlang, true)) { - $visible = true; - } - } - } - if ($visible) { - $navigation[$cat_id] = array("idcat" => $cat_id, - "name" => $db->f("name"), - "target" => '_self', # you can not call getTarget($cat_id, &$db) at this point with the same db instance! - "public" => $db->f("public")); - } + $FrontendGroupMemberCollection->setWhere("idfrontenduser",$auth->auth['uid']); + $FrontendGroupMemberCollection->query(); + $groups = array(); + while ($member = $FrontendGroupMemberCollection->next()){ + $groups[] = $member->get("idfrontendgroup"); + } + } + if(count($groups)>0){ + for($i=0;$icheckPerm($groups[$i],'category','access',$cat_idlang, true)){ + $visible=true; + } + } + } + if($visible){ + $navigation[$cat_id] = array("idcat" => $cat_id, + "name" => $db->f("name"), + "target" => '_self', # you can not call getTarget($cat_id, &$db) at this point with the same db instance! 
+ "public" => $db->f("public")); + } } // end while $db->free(); - return $navigation; + return $navigation; } + /** * Return target of a given category id * * @deprecated */ function getTarget($cat_id, $db) { - global $cfg, $client, $lang; + global $cfg, $client, $lang; // SECURITY-FIX $sql = "SELECT a.external_redirect AS ext FROM - " . $cfg["tab"]["art_lang"] . " AS a, - " . $cfg["tab"]["cat_art"] . " AS b, - " . $cfg["tab"]["cat"] . " AS c + ".$cfg["tab"]["art_lang"]." AS a, + ".$cfg["tab"]["cat_art"]." AS b, + ".$cfg["tab"]["cat"]." AS c WHERE - b.idcat = '" . Contenido_Security::escapeDB($cat_id, $db) . "' AND - c.idclient = '" . Contenido_Security::escapeDB($client, $db) . "' AND + b.idcat = '".Contenido_Security::escapeDB($cat_id, $db)."' AND + c.idclient = '".Contenido_Security::escapeDB($client, $db)."' AND c.idcat = b.idcat AND a.idart = b.idart AND - a.idlang = '" . Contenido_Security::escapeDB($lang, $db) . "'"; + a.idlang = '".Contenido_Security::escapeDB($lang, $db)."'"; - $db->query($sql); - $db->next_record(); + $db->query($sql); + $db->next_record(); - $target = ( $db->f('ext') == 0 ) ? '_self' : '_blank'; - - $db->free(); - return $target; + $target = ( $db->f('ext') == 0 ) ? '_self' : '_blank'; + + $db->free(); + return $target; } /** * Return true if $parentid is parent of $catid */ + function isParent($parentid, $catid, $db) { + - - global $cfg, $client, $lang; - // SECURITY-FIX - $sql = "SELECT + global $cfg, $client, $lang; + // SECURITY-FIX + $sql = "SELECT a.parentid FROM - " . $cfg["tab"]["cat"] . " AS a, - " . $cfg["tab"]["cat_lang"] . " AS b + ".$cfg["tab"]["cat"]." AS a, + ".$cfg["tab"]["cat_lang"]." AS b WHERE - a.idclient = '" . Contenido_Security::escapeDB($client, $db) . "' AND - b.idlang = '" . Contenido_Security::escapeDB($lang, $db) . "' AND + a.idclient = '". Contenido_Security::escapeDB($client, $db)."' AND + b.idlang = '".Contenido_Security::escapeDB($lang, $db)."' AND a.idcat = b.idcat AND - a.idcat = '" . 
Contenido_Security::escapeDB($catid, $db) . "'"; + a.idcat = '".Contenido_Security::escapeDB($catid, $db)."'"; - $db->query($sql); - $db->next_record(); + $db->query($sql); + $db->next_record(); - $pre = $db->f("parentid"); - - if ($parentid == $pre) { - return true; - } else { - return false; - } + $pre = $db->f("parentid"); + + if($parentid == $pre) + { + return true; + } + else + { + return false; + } } function getParent($preid, &$db) { - global $cfg, $client, $lang; + global $cfg, $client, $lang; // SECURITY-FIX - $sql = "SELECT + $sql = "SELECT a.parentid FROM - " . $cfg["tab"]["cat"] . " AS a, - " . $cfg["tab"]["cat_lang"] . " AS b + ".$cfg["tab"]["cat"]." AS a, + ".$cfg["tab"]["cat_lang"]." AS b WHERE - a.idclient = '" . Contenido_Security::escapeDB($client, $db) . "' AND - b.idlang = '" . Contenido_Security::escapeDB($lang, $db) . "' AND + a.idclient = '".Contenido_Security::escapeDB($client, $db)."' AND + b.idlang = '".Contenido_Security::escapeDB($lang, $db)."' AND a.idcat = b.idcat AND - a.idcat = '" . Contenido_Security::escapeDB($preid, $db) . "'"; + a.idcat = '".Contenido_Security::escapeDB($preid, $db)."'"; - $db->query($sql); + $db->query($sql); + + if ($db->next_record()) + { + return $db->f("parentid"); + }else + { + return false; + } - if ($db->next_record()) { - return $db->f("parentid"); - } else { - return false; - } } -function getLevel($catid, &$db) { - global $cfg, $client, $lang; +function getLevel($catid, &$db) +{ + global $cfg, $client, $lang; // SECURITY-FIX - $sql = "SELECT + $sql = "SELECT level FROM - " . $cfg["tab"]["cat_tree"] . " + ".$cfg["tab"]["cat_tree"]." WHERE - idcat = '" . Contenido_Security::escapeDB($catid, $db) . "' "; + idcat = '". 
Contenido_Security::escapeDB($catid, $db)."' "; + + $db->query($sql); - $db->query($sql); - - if ($db->next_record()) { - return $db->f("level"); - } else { - return false; - } + if ($db->next_record()) + { + return $db->f("level"); + }else + { + return false; + } + } + /** * Return path of a given category up to a certain level */ function getCategoryPath($cat_id, $level, $reverse = true, &$db) { - $root_path = array(); + $root_path = array(); - array_push($root_path, $cat_id); + array_push($root_path, $cat_id); - $parent_id = $cat_id; - - while (getLevel($parent_id, $db) != false AND getLevel($parent_id, $db) > $level AND getLevel($parent_id, $db) >= 0) { - - $parent_id = getParent($parent_id, $db); - if ($parent_id != false) { - array_push($root_path, $parent_id); - } - } - - if ($reverse == true) { - $root_path = array_reverse($root_path); - } - - return $root_path; + $parent_id = $cat_id; + + while (getLevel($parent_id, $db) != false AND getLevel($parent_id, $db) > $level AND getLevel($parent_id, $db) >= 0) + { + + $parent_id = getParent($parent_id, $db); + if ($parent_id != false) + { + array_push($root_path, $parent_id); + } + + } + + if ($reverse == true) + { + $root_path = array_reverse($root_path); + } + + return $root_path; + } + /** * Return location string of a given category */ -function getLocationString($iStartCat, $level, $seperator, $sLinkStyleClass, $sTextStyleClass, $fullweblink = false, $reverse = true, $mod_rewrite = true, $db) { - global $sess, $cfgClient, $client; - - $aCatPath = getCategoryPath($iStartCat, $level, $reverse, $db); - - if (is_array($aCatPath) AND count($aCatPath) > 0) { - $aLocation = array(); - foreach ($aCatPath as $value) { - if (!$fullweblink) { - if ($mod_rewrite == true) { - $linkUrl = $sess->url("index-a-$value.html"); - } else { - $linkUrl = $sess->url("front_content.php?idcat=$value"); - } - } else { - if ($mod_rewrite == true) { - $linkUrl = $sess->url($cfgClient[$client]["path"]["htmlpath"] . 
"index-a-$value.html"); - } else { - $linkUrl = $sess->url($cfgClient[$client]["path"]["htmlpath"] . "front_content.php?idcat=$value"); - } - } - $name = getCategoryName($value, $db); - $aLocation[] = '' . $name . ''; - } - } - - $sLocation = implode($seperator, $aLocation); - $sLocation = '' . $sLocation . ''; - - - return $sLocation; +function getLocationString($iStartCat, $level, $seperator, $sLinkStyleClass, $sTextStyleClass, $fullweblink = false, $reverse = true, $mod_rewrite = true, $db) +{ + global $sess, $cfgClient, $client; + + $aCatPath = getCategoryPath($iStartCat, $level, $reverse, $db); + + if(is_array($aCatPath) AND count($aCatPath) > 0) + { + $aLocation = array(); + foreach($aCatPath as $value) + { + if (!$fullweblink) + { + if ($mod_rewrite == true) + { + $linkUrl = $sess->url("index-a-$value.html"); + }else + { + $linkUrl = $sess->url("front_content.php?idcat=$value"); + } + }else + { + if ($mod_rewrite == true) + { + $linkUrl = $sess->url($cfgClient[$client]["path"]["htmlpath"] . "index-a-$value.html"); + }else + { + $linkUrl = $sess->url($cfgClient[$client]["path"]["htmlpath"] . "front_content.php?idcat=$value"); + } + } + $name = getCategoryName($value, $db); + $aLocation[] = ''.$name.''; + + } + } + + $sLocation = implode($seperator, $aLocation); + $sLocation = ''.$sLocation.''; + + + return $sLocation; } + /** * * get subtree by a given id 
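Review bot: In the navigation loop `$groups` is assigned only inside the `elseif` branch for logged-in users, so on a non-public category viewed anonymously `count($groups)` runs on an undefined variable (0 plus a warning on PHP 7.2+, a TypeError on PHP 8), and on later iterations it silently reuses the previous row's array. Reset it together with `$visible` at the top of each iteration: `$groups = array();` directly after `$visible=false;`. The loop's enclosing function begins before this hunk. Separately, getLocationString concatenates the raw `$name` from getCategoryName into the breadcrumb markup; wrapping it as `htmlspecialchars($name, ENT_QUOTES, 'UTF-8')` keeps a backend-entered category name from breaking or scripting the page.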
@@ -263,33 +296,38 @@ function getLocationString($iStartCat, $level, $seperator, $sLinkStyleClass, $sT * * @copyright four for business AG */ -function getSubTree($idcat_start, $db) { + +function getSubTree($idcat_start, $db) +{ global $client, $cfg; // SECURITY-FIX $sql = "SELECT B.idcat, A.level FROM - " . $cfg["tab"]["cat_tree"] . " AS A, - " . $cfg["tab"]["cat"] . " AS B + ".$cfg["tab"]["cat_tree"]." AS A, + ".$cfg["tab"]["cat"]." AS B WHERE A.idcat = B.idcat AND - idclient = '" . Contenido_Security::escapeDB($client, $db) . "' + idclient = '". Contenido_Security::escapeDB($client, $db)."' ORDER BY idtree"; $db->query($sql); - $subCats = false; - $curLevel = 0; - while ($db->next_record()) { - if ($db->f("idcat") == $idcat_start) { - $curLevel = $db->f("level"); - $subCats = true; - } else if ($db->f("level") <= $curLevel) { // ending part of tree - $subCats = false; - } - + $subCats = false; + $curLevel = 0; + while ($db->next_record()) + { + if ($db->f("idcat") == $idcat_start) + { + $curLevel = $db->f("level"); + $subCats = true; + } else if ($db->f("level") <= $curLevel) // ending part of tree + { + $subCats = false; + } + if ($subCats == true) { //echo "true"; echo $db->f("idcat"); echo "
"; $deeper_cats[] = $db->f("idcat"); } @@ -297,36 +335,39 @@ function getSubTree($idcat_start, $db) { return $deeper_cats; } -function getTeaserDeeperCategories($iIdcat, $db) { - global $client, $cfg, $lang; - - // SECURITY-FIX - $sql = "SELECT +function getTeaserDeeperCategories($iIdcat, $db) +{ + global $client, $cfg, $lang; + + // SECURITY-FIX + $sql = "SELECT B.parentid, B.idcat FROM - " . $cfg["tab"]["cat_tree"] . " AS A, - " . $cfg["tab"]["cat"] . " AS B, - " . $cfg["tab"]["cat_lang"] . " AS C + ".$cfg["tab"]["cat_tree"]." AS A, + ".$cfg["tab"]["cat"]." AS B, + ".$cfg["tab"]["cat_lang"]." AS C WHERE A.idcat = B.idcat AND B.idcat = C.idcat AND - C.idlang = '" . Contenido_Security::escapeDB($lang, $db) . "' AND + C.idlang = '". Contenido_Security::escapeDB($lang, $db)."' AND C.visible = '1' AND - B.idclient = '" . Contenido_Security::escapeDB($client, $db) . "' + B.idclient = '". Contenido_Security::escapeDB($client, $db) ."' ORDER BY idtree"; - $db->query($sql); - - $subCats = false; - $curLevel = 0; - while ($db->next_record()) { - if ($db->f("idcat") == $iIdcat) { - $curLevel = $db->f("level"); - $subCats = true; - } else if ($curLevel == $db->f("level")) { // ending part of tree - $subCats = false; - } + $db->query($sql); + $subCats = false; + $curLevel = 0; + while ($db->next_record()) { + if ($db->f("idcat") == $iIdcat) + { + $curLevel = $db->f("level"); + $subCats = true; + } else if ($curLevel == $db->f("level")) // ending part of tree + { + $subCats = false; + } + if ($subCats == true) { $deeper_cats[] = $db->f("idcat"); } 
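Review bot: getSubTree never initialises `$deeper_cats`, so when no row matches `$idcat_start` the function returns an undefined variable (null) rather than an empty array, and a caller iterating the result gets a warning instead of an empty loop; add `$deeper_cats = array();` before the `while`. The `return $deeper_cats;` line lies outside this hunk. The WHERE clause also uses an unqualified `idclient` in a two-table join while every sibling function writes `B.idclient`; qualifying it keeps the query unambiguous should `cat_tree` ever carry that column. The loose `$db->f("idcat") == $idcat_start` comparison is worth tightening to `(int)$idcat_start` if the start id can come from request input.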
@@ -343,38 +384,42 @@ function getTeaserDeeperCategories($iIdcat, $db) { * * @copyright four for business AG */ -function getProtectedSubTree($idcat_start, $db) { + +function getProtectedSubTree($idcat_start, $db) +{ global $client, $cfg, $lang; - - // SECURITY-FIX + + // SECURITY-FIX $sql = "SELECT B.parentid, B.idcat FROM - " . $cfg["tab"]["cat_tree"] . " AS A, - " . $cfg["tab"]["cat"] . " AS B, - " . $cfg["tab"]["cat_lang"] . " AS C + ".$cfg["tab"]["cat_tree"]." AS A, + ".$cfg["tab"]["cat"]." AS B, + ".$cfg["tab"]["cat_lang"]." AS C WHERE A.idcat = B.idcat AND B.idcat = C.idcat AND - C.idlang = '" . Contenido_Security::escapeDB($lang, $db) . "' AND + C.idlang = '".Contenido_Security::escapeDB($lang, $db)."' AND C.visible = '1' AND C.public = '1' AND - B.idclient = '" . Contenido_Security::escapeDB($client, $db) . "' + B.idclient = '".Contenido_Security::escapeDB($client, $db)."' ORDER BY idtree"; - + $db->query($sql); - $subCats = false; - $curLevel = 0; - while ($db->next_record()) { - if ($db->f("idcat") == $idcat_start) { - $curLevel = $db->f("level"); - $subCats = true; - } else if ($curLevel == $db->f("level")) { // ending part of tree - $subCats = false; - } - + $subCats = false; + $curLevel = 0; + while ( $db->next_record() ) { + if ($db->f("idcat") == $idcat_start) + { + $curLevel = $db->f("level"); + $subCats = true; + } else if ($curLevel == $db->f("level")) // ending part of tree + { + $subCats = false; + } + if ($subCats == true) { //echo "true"; echo $db->f("idcat"); echo "
"; $deeper_cats[] = $db->f("idcat"); } @@ -382,37 +427,42 @@ function getProtectedSubTree($idcat_start, $db) { return $deeper_cats; } + + /** * Return category name */ + function getCategoryName($cat_id, &$db) { - + global $cfg, $client, $lang; - - // SECURITY-FIX + + // SECURITY-FIX $sql = "SELECT * FROM - " . $cfg["tab"]["cat"] . " AS A, - " . $cfg["tab"]["cat_lang"] . " AS B + ".$cfg["tab"]["cat"]." AS A, + ".$cfg["tab"]["cat_lang"]." AS B WHERE A.idcat = B.idcat AND - A.idcat = '" . Contenido_Security::escapeDB($cat_id, $db) . "' AND - A.idclient = '" . Contenido_Security::escapeDB($client, $db) . "' AND - B.idlang = '" . Contenido_Security::escapeDB($lang, $db) . "' + A.idcat = '". Contenido_Security::escapeDB($cat_id, $db)."' AND + A.idclient = '".Contenido_Security::escapeDB($client, $db)."' AND + B.idlang = '".Contenido_Security::escapeDB($lang, $db)."' "; $db->query($sql); - - if ($db->next_record()) { - $cat_name = $db->f("name"); - return $cat_name; - } else { - return ''; + + if ($db->next_record()) + { + $cat_name = $db->f("name"); + return $cat_name; } -} - -// end function + else + { + return ''; + } + +} // end function // get direct subcategories of a given category function getSubCategories($parent_id, $db) { 
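Review bot: getProtectedSubTree has the same blind spot as getTeaserDeeperCategories: `A.level` is not in the SELECT list, so `$db->f("level")` cannot carry the tree depth and the `$curLevel == $db->f("level")` test stops the walk on the first row after `$idcat_start`; add `A.level` to the query and compare with `<=` like getSubTree. The name is also misleading next to the SubCategories pair: getProtectedSubCategories drops the `C.public = '1'` filter to include protected categories, whereas this function keeps `C.public = '1'` and therefore returns only public ones. Either rename it or state the contract in a one-line docblock such as `Return the subtree below $idcat_start restricted to visible, public categories`, so no caller relies on it for access decisions about protected content. `$deeper_cats` is never initialised here either; the `return` is outside this hunk.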
@@ -420,36 +470,37 @@ function getSubCategories($parent_id, $db) { $subcategories = array(); global $cfg, $client, $lang; - + // SECURITY-FIX $sql = "SELECT A.idcat FROM - " . $cfg["tab"]["cat_tree"] . " AS A, - " . $cfg["tab"]["cat"] . " AS B, - " . $cfg["tab"]["cat_lang"] . " AS C + ".$cfg["tab"]["cat_tree"]." AS A, + ".$cfg["tab"]["cat"]." AS B, + ".$cfg["tab"]["cat_lang"]." AS C WHERE A.idcat = B.idcat AND B.idcat = C.idcat AND - B.idclient = '" . Contenido_Security::escapeDB($client, $db) . "' AND - C.idlang = '" . Contenido_Security::escapeDB($lang, $db) . "' AND + B.idclient = '". Contenido_Security::escapeDB($client, $db)."' AND + C.idlang = '".Contenido_Security::escapeDB($lang, $db)."' AND C.visible = '1' AND C.public = '1' AND - B.parentid = '" . Contenido_Security::escapeDB($parent_id, $db) . "' + B.parentid = '".Contenido_Security::escapeDB($parent_id, $db)."' ORDER BY A.idtree"; $db->query($sql); - while ($db->next_record()) { + while ( $db->next_record() ) { $subcategories[] = $db->f("idcat"); + } // end while - return $subcategories; -} + return $subcategories; + +} // end function -// end function // get direct subcategories with protected categories function getProtectedSubCategories($parent_id, $db) { 
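Review bot: getCategoryName runs `SELECT *` across `cat` and `cat_lang` to read a single field; selecting `B.name` alone avoids pulling every column of both tables per breadcrumb entry and makes the intended column explicit. The value is returned as raw database content, and getLocationString in this file splices it straight into the breadcrumb markup, so `htmlspecialchars($name, ENT_QUOTES, 'UTF-8')` belongs at that output point; category names are backend-authored, so this is hardening rather than a live injection. Returning `''` both for a missing row and for an empty name deserves a docblock line, e.g. `Returns '' when the category does not exist for the current client/language`.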
@@ -463,59 +514,59 @@ function getProtectedSubCategories($parent_id, $db) { $sql = "SELECT A.idcat FROM - " . $cfg["tab"]["cat_tree"] . " AS A, - " . $cfg["tab"]["cat"] . " AS B, - " . $cfg["tab"]["cat_lang"] . " AS C + ".$cfg["tab"]["cat_tree"]." AS A, + ".$cfg["tab"]["cat"]." AS B, + ".$cfg["tab"]["cat_lang"]." AS C WHERE A.idcat = B.idcat AND B.idcat = C.idcat AND - B.idclient = '" . Contenido_Security::escapeDB($client, $db) . "' AND - C.idlang = '" . Contenido_Security::escapeDB($lang, $db) . "' AND - B.parentid = '" . Contenido_Security::escapeDB($parent_id, $db) . "' + B.idclient = '".Contenido_Security::escapeDB($client, $db)."' AND + C.idlang = '".Contenido_Security::escapeDB($lang, $db)."' AND + B.parentid = '".Contenido_Security::escapeDB($parent_id, $db)."' ORDER BY A.idtree"; $db->query($sql); - while ($db->next_record()) { + while ( $db->next_record() ) { $subcategories[] = $db->f("idcat"); + } // end while - return $subcategories; -} + return $subcategories; -// end function +} // end function function checkCatPermission($idcatlang, $public) { - #Check if current user has permissions to access cat + #Check if current user has permissions to access cat - global $auth; + global $auth; + + $oDB = new DB_Contenido; + + $FrontendPermissionCollection = new FrontendPermissionCollection; + $visible=false; - $oDB = new DB_ConLite(); - - $FrontendPermissionCollection = new FrontendPermissionCollection; - $visible = false; - - if ($public != 0) { - $visible = true; - $groups = array(); - } elseif (($auth->auth['uid'] != '') && ($auth->auth['uid'] != 'nobody')) { - $FrontendGroupMemberCollection = new FrontendGroupMemberCollection; - $FrontendGroupMemberCollection->setWhere("idfrontenduser", $auth->auth['uid']); - $FrontendGroupMemberCollection->query(); - $groups = array(); - while ($member = $FrontendGroupMemberCollection->next()) { - $groups[] = $member->get("idfrontendgroup"); - } - } - if (count($groups) > 0) { - for ($i = 0; $i < count($groups); $i++) { - 
if ($FrontendPermissionCollection->checkPerm($groups[$i], 'category', 'access', $idcatlang, true)) { - $visible = true; - } - } - } - - return $visible; -} \ No newline at end of file + if($public!=0){ + $visible = true; + }elseif(($auth->auth['uid']!='')&&($auth->auth['uid']!='nobody')){ + $FrontendGroupMemberCollection = new FrontendGroupMemberCollection; + $FrontendGroupMemberCollection->setWhere("idfrontenduser",$auth->auth['uid']); + $FrontendGroupMemberCollection->query(); + $groups = array(); + while ($member = $FrontendGroupMemberCollection->next()){ + $groups[] = $member->get("idfrontendgroup"); + } + } + if(count($groups)>0){ + for($i=0;$icheckPerm($groups[$i],'category','access',$idcatlang, true)){ + $visible=true; + } + } + } + + return $visible; +} +?> \ No newline at end of file diff --git a/setup/data/base/base_area1.sql b/setup/data/base/base_area1.sql index 35bbcd4..ef58dcd 100644 --- a/setup/data/base/base_area1.sql +++ b/setup/data/base/base_area1.sql @@ -43,7 +43,6 @@ INSERT INTO !PREFIX!_area VALUES('47', 'lang', 'lang_edit', '1', '1', '0'); INSERT INTO !PREFIX!_area VALUES('48', 'client', 'client_edit', '1', '1', '0'); INSERT INTO !PREFIX!_area VALUES('49', '0', 'logs', '1', '1', '1'); INSERT INTO !PREFIX!_area VALUES('50', '0', 'recipients', '1', '1', '0'); -INSERT INTO !PREFIX!_area VALUES('51', '0', 'myArea', '1', '1', '1'); INSERT INTO !PREFIX!_area VALUES('52', '0', 'info', '0', '1', '1'); INSERT INTO !PREFIX!_area VALUES('53', '0', 'symbolhelp', '0', '1', '1'); INSERT INTO !PREFIX!_area VALUES('54', '0', 'groups', '1', '1', '0'); 
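Review bot: checkCatPermission drops the `$groups = array();` that the removed code set in the `$public != 0` branch, and nothing initialises it before `count($groups)`, so for a public category, or for a protected one viewed anonymously, the check runs `count()` on an undefined variable: 0 with a warning on PHP 7.2+, a TypeError on PHP 8, where the page dies instead of returning false. Initialise it once before the branches: `$groups = array();` directly after `$visible=false;`. `$oDB = new DB_Contenido;` is created and never used, which opens a database handle per call for nothing; remove it. The added `?>` at end of file is better left out of a pure-PHP include, since any byte after it is sent as output before headers.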
@@ -85,8 +84,6 @@ INSERT INTO !PREFIX!_area VALUES('91', 'recipients', 'recipients_import', '1', '
 INSERT INTO !PREFIX!_area VALUES('92', 'mod', 'mod_package', '1', '1', '0');
 INSERT INTO !PREFIX!_area VALUES('93', 'mod', 'mod_sync', '1', '1', '0');
 INSERT INTO !PREFIX!_area VALUES('96', '0', 'cl_sample_plugin', '1', '1', '1');
-INSERT INTO !PREFIX!_area VALUES('97', '0', 'myArea', '1', '1', '1');
-INSERT INTO !PREFIX!_area VALUES('98', '0', 'myArea', '1', '1', '1');
 INSERT INTO !PREFIX!_area VALUES('400', 'lay', 'lay_history', '1', '1', '0');
 INSERT INTO !PREFIX!_area VALUES('401', 'style', 'style_history', '1', '1', '0');
 INSERT INTO !PREFIX!_area VALUES('402', 'js', 'js_history', '1', '1', '0');