ConLite
/
ConLite
1
0
Fork 0
Code Issues 22 Pull-Requests Projekte 2 Releases 2 Wiki Aktivität
ConLite/conlite/includes/rights.inc.php

375 Zeilen
14 KiB
PHP
Originalformat Permalink Blame Verlauf

<?php
/**
* Project:
* Contenido Content Management System
*
* Description:
* Rights
*
* Requirements:
* @con_php_req 5.0
*
*
* @package Contenido Backend includes
* @version 1.0.1
* @author unknown
* @copyright four for business AG <www.4fb.de>
* @license http://www.contenido.org/license/LIZENZ.txt
* @link http://www.4fb.de
* @link http://www.contenido.org
* @since file available since contenido release <= 4.6
*
* {@internal
* created unknown
* modified 2008-06-27, Dominik Ziegler, add security fix
* modified 2008-07-03, Timo Trautmann, moved inline html to template
* modified 2010-05-20, Murat Purc, removed request check during processing ticket [#CON-307]
*
* $Id$:
* }}
*
*/
if (!defined('CON_FRAMEWORK')) {
die('Illegal call');
}
function saverights() {
global $rights_list, $rights_list_old, $db;
global $cfg, $userid, $rights_client, $rights_lang;
global $perm, $sess, $notification;
//if no checkbox is checked
if (!is_array($rights_list)) {
$rights_list = array ();
}
//search all checks which are not in the new Rights_list for deleting
$arraydel = array_diff(array_keys($rights_list_old), array_keys($rights_list));
//search all checks which are not in the Rights_list_old for saving
$arraysave = array_diff(array_keys($rights_list), array_keys($rights_list_old));
if (is_array($arraydel)) {
foreach ($arraydel as $value) {
$data = explode("|", $value);
$data[0] = $perm->getIDForArea($data[0]);
$data[1] = $perm->getIDForAction($data[1]);
$sql = "DELETE FROM ".$cfg["tab"]["rights"]." WHERE user_id='".Contenido_Security::escapeDB($userid, $db)."' AND idclient='".Contenido_Security::toInteger($rights_client)."' AND idlang='".Contenido_Security::toInteger($rights_lang)."' AND idarea='".Contenido_Security::toInteger($data[0])."' AND idcat='".Contenido_Security::toInteger($data[2])."' AND idaction='".Contenido_Security::toInteger($data[1])."' AND type=0";
$db->query($sql);
}
}
unset($data);
//search for all mentioned checkboxes
if (is_array($arraysave)) {
foreach ($arraysave as $value) {
//explodes the key it consits areait+actionid+itemid
$data = explode("|", $value);
// Since areas are stored in a numeric form in the rights table, we have
// to convert them from strings into numbers
$data[0] = $perm->getIDForArea($data[0]);
$data[1] = $perm->getIDForAction($data[1]);
if (!isset ($data[1])) {
$data[1] = 0;
}
// Insert new right
$sql = "INSERT INTO ".$cfg["tab"]["rights"]."
(idright, user_id,idarea,idaction,idcat,idclient,idlang,type)
VALUES ('".$db->nextid($cfg["tab"]["rights"])."', '".Contenido_Security::escapeDB($userid, $db)."','".Contenido_Security::toInteger($data[0])."','".Contenido_Security::toInteger($data[1])."','".Contenido_Security::toInteger($data[2])."','".Contenido_Security::toInteger($rights_client)."','".Contenido_Security::toInteger($rights_lang)."',0)";
$db->query($sql);
}
}
$rights_list_old = $rights_list;
//$notification->displayNotification("info", i18n("Changes saved"),0);
}
function saverightsarea()
{
global $db, $cfg,$userid,$rights_client,$rights_lang,$rights_admin,$rights_sysadmin,$rights_perms,$rights_list;
if(!isset($rights_perms)){
//search for the permissions of this user
$sql="SELECT perms FROM ".$cfg["tab"]["phplib_auth_user_md5"]." WHERE user_id='".Contenido_Security::escapeDB($userid, $db)."'";
$db->query($sql);
$db->next_record();
$rights_perms=$db->f("perms");
}
//if there are no permissions, delete permissions for lan and client
if(!is_array($rights_list)){
$rights_perms=preg_replace("/,+client\[$rights_client\]/","",$rights_perms);
$rights_perms=preg_replace("/,+lang\[$rights_lang\]/","",$rights_perms);
}else{
if(!strstr($rights_perms,"client[$rights_client]"))
$rights_perms.=",client[$rights_client]";
if(!strstr($rights_perms,"lang[$rights_lang]"))
$rights_perms.=",lang[$rights_lang]";
}
//if admin is checked
if($rights_admin==1){
//if admin is not set
if(!strstr($rights_perms,"admin[$rights_client]"))
$rights_perms.=",admin[$rights_client]";
}else{
//cut admin from the string
$rights_perms=preg_replace("/,*admin\[$rights_client\]/","",$rights_perms);
}
//if sysadmin is checked
if($rights_sysadmin==1){
//if sysadmin is not set
if(!strstr($rights_perms,"sysadmin"))
$rights_perms.=",sysadmin";
}else{
//cat sysadmin from string
$rights_perms=preg_replace("/,*sysadmin/","",$rights_perms);
}
//cut ',' in front of the string
$rights_perms=preg_replace("/^,/","",$rights_perms);
//update table
$sql="UPDATE ".$cfg["tab"]["phplib_auth_user_md5"]." SET perms='".Contenido_Security::escapeDB($rights_perms, $db)."' WHERE user_id='".Contenido_Security::escapeDB($userid, $db)."'";
$db->query($sql);
//save the other rights
saverights();
}
if (!is_object($oTpl)) {
$oTpl = new Template();
}
$oTpl->reset();
if(!is_object($db2))
$db2 = new DB_ConLite;
if(!isset($rights_client)){
$rights_client=$client;
$rights_lang=$lang;
}
//set new right_list (=all possible rights)
if(!is_array($right_list)){
# modified 2007-08-03, H. Librenz <holger.librenz@4fb.de> - this breaks, i do not know really know why, the session if storage container for session is other than database!
# PS: this is a hard, damn shit area of code -- ARRRGGGHHHH!!!!!!!
//register these list fore following sites
// $sess->register("right_list");
$plugxml=new XML_Doc();
//select all rights , actions an theeir locations without area login
$sql="SELECT A.idarea, A.parent_id, B.location,A.name FROM ".$cfg["tab"]["area"]." as A LEFT JOIN ".$cfg["tab"]["nav_sub"]." as B ON A.idarea = B.idarea WHERE A.name!='login' AND A.relevant='1' AND A.online='1' GROUP BY A.name, A.idarea, B.location ORDER BY A.idarea";
$db->query($sql);
while($db->next_record())
{
if($db->f("parent_id")=="0"){
$right_list[$db->f("name")][$db->f("name")]["perm"]=$db->f("name");
$right_list[$db->f("name")][$db->f("name")]["location"]=$db->f('location');
}else{
$right_list[$db->f("parent_id")][$db->f("name")]["perm"]=$db->f("name");
$right_list[$db->f("parent_id")][$db->f("name")]["location"] = $db->f('location');
}
$sql="SELECT * FROM ".$cfg["tab"]["actions"]." WHERE idarea='".Contenido_Security::toInteger($db->f("idarea"))."' AND relevant='1'";
$db2->query($sql);
while($db2->next_record())
{
if($db->f("parent_id")=="0"){
$right_list[$db->f("name")][$db->f("name")]["action"][]=$db2->f("name");
}else{
$right_list[$db->f("parent_id")][$db->f("name")]["action"][]=$db2->f("name");
}
}
}
}
$oTpl->set('s', 'SESS_ID', $sess->id);
$oTpl->set('s', 'ACTION_URL', $sess->url("main.php"));
// type id for user
$oTpl->set('s', 'TYPE_ID', 'userid');
$oTpl->set('s', 'USER_ID', $userid);
$oTpl->set('s', 'AREA', $area);
$oTpl->set('s', 'TABLE_BORDER', $cfg["color"]["table_border"]);
$oTpl->set('s', 'TABLE_BGCOLOR', $cfg["color"]["table_dark"]);
if(!isset($actionarea)){
$actionarea="area";
}
$muser = new User;
$muser->loadUserByUserID($userid);
$userperms = $muser->getField("perms");
ob_start();
$oTpl->set('s', 'RIGHTS_PERMS', $rights_perms);
//selectbox for clients
$oHtmlSelect = new cHTMLSelectElement ('rights_clientslang', "", "rights_clientslang");
$clientclass = new Client;
$clientList = $clientclass->getAccessibleClients();
$firstsel = false;
$i = 0;
foreach ($clientList as $key=>$value) {
$sql="SELECT * FROM ".$cfg["tab"]["lang"]." as A, ".$cfg["tab"]["clients_lang"]." as B WHERE B.idclient='".Contenido_Security::toInteger($key)."' AND A.idlang=B.idlang";
$db->query($sql);
while($db->next_record())
{
if((strpos($userperms, "client[$key]") !== false) &&
(strpos($userperms, "lang[".$db->f("idlang")."]") !== false)
&& ($perm->have_perm("lang[".$db->f("idlang")."]"))){
if ($firstsel == false)
{
$firstsel = true;
$firstclientslang = $db->f("idclientslang");
}
if ($rights_clientslang == $db->f("idclientslang")) {
$oHtmlSelectOption = new cHTMLOptionElement($value["name"] . " -> ".$db->f("name"), $db->f("idclientslang"), true);
$oHtmlSelect->addOptionElement($i, $oHtmlSelectOption);
$i++;
if(!isset($rights_client))
{
$firstclientslang = $db->f("idclientslang");
}
} else {
$oHtmlSelectOption = new cHTMLOptionElement($value["name"] . " -> ".$db->f("name"), $db->f("idclientslang"), false);
$oHtmlSelect->addOptionElement($i, $oHtmlSelectOption);
$i++;
}
}
}
}
$oTpl->set('s', 'INPUT_SELECT_CLIENT', $oHtmlSelect->render());
if ($area == 'user_content') {
#filter for displaying rights
$oHtmlSelect = new cHTMLSelectElement ('filter_rights', '', "filter_rights");
$oHtmlSelectOption = new cHTMLOptionElement('--- '.i18n("All").' ---', '', false);
$oHtmlSelect->addOptionElement(0, $oHtmlSelectOption);
$oHtmlSelectOption = new cHTMLOptionElement(i18n("Article rights"), 'article', false);
$oHtmlSelect->addOptionElement(1, $oHtmlSelectOption);
$oHtmlSelectOption = new cHTMLOptionElement(i18n("Category rights"), 'category', false);
$oHtmlSelect->addOptionElement(2, $oHtmlSelectOption);
$oHtmlSelectOption = new cHTMLOptionElement(i18n("Template rights"), 'template', false);
$oHtmlSelect->addOptionElement(3, $oHtmlSelectOption);
$oHtmlSelectOption = new cHTMLOptionElement(i18n("Plugin/Other rights"), 'other', false);
$oHtmlSelect->addOptionElement(4, $oHtmlSelectOption);
$oHtmlSelect->setEvent('change', "document.rightsform.submit();");
$oHtmlSelect->setDefault($_POST['filter_rights']);
#set global array which defines rights to display
$aArticleRights = array('con_syncarticle', 'con_lock', 'con_deleteart', 'con_makeonline', 'con_makestart', 'con_duplicate', 'con_editart', 'con_newart', 'con_edit');
$aCategoryRights = array('con_synccat', 'con_makecatonline', 'con_makepublic');
$aTempalteRights = array('con_changetemplate', 'con_tplcfg_edit');
$aViewRights = array();
$bExclusive = false;
if (isset($_POST['filter_rights'])) {
switch($_POST['filter_rights']) {
case 'article':
$aViewRights = $aArticleRights;
break;
case 'category':
$aViewRights = $aCategoryRights;
break;
case 'template':
$aViewRights = $aTempalteRights;
break;
case 'other':
$aViewRights = array_merge($aArticleRights, $aCategoryRights, $aTempalteRights);
$bExclusive = true;
break;
default:
break;
}
}
$oTpl->set('s', 'INPUT_SELECT_RIGHTS', $oHtmlSelect->render());
$oTpl->set('s', 'DISPLAY_RIGHTS', 'block');
} else {
$oTpl->set('s', 'INPUT_SELECT_RIGHTS', '');
$oTpl->set('s', 'DISPLAY_RIGHTS', 'none');
}
//navigation
if(!isset($rights_clientslang))
{
$rights_clientslang = $firstclientslang;
}
$sql = "SELECT idclient, idlang FROM ".$cfg["tab"]["clients_lang"]." WHERE idclientslang = '".Contenido_Security::toInteger($rights_clientslang)."'";
$db->query($sql);
$bEndScript = false;
if ($db->next_record())
{
$rights_client = $db->f("idclient");
$rights_lang = $db->f("idlang");
$oTpl->set('s', 'NOTIFICATION', '');
$oTpl->set('s', 'DISPLAY_FILTER', 'block');
} else {
$bEndScript = true;
ob_end_clean();
// Account is sysadmin
if (strpos($userperms, "sysadmin") !== false)
{
$oTpl->set('s', 'NOTIFICATION', $notification->messageBox("warning", i18n("The selected user is a system administrator. A system administrator has all rights for all clients for all languages and therefore rights can't be specified in more detail."),0));
}
// Account is only assigned to clients with admin rights
else if (strpos($userperms, "admin[") !== false)
{
$oTpl->set('s', 'NOTIFICATION', $notification->messageBox("warning", i18n("The selected user is assigned to clients as admin, only. An admin has all rights for a client and therefore rights can't be specified in more detail."),0));
}
else
{
$oTpl->set('s', 'NOTIFICATION', $notification->messageBox("error", i18n("Current user doesn't have any rights to any client/language."),0));
}
$oTpl->set('s', 'DISPLAY_FILTER', 'none');
}
if ($bEndScript != true) {
$tmp = ob_get_contents();
ob_end_clean();
$oTpl->set('s', 'OB_CONTENT', $tmp);
} else {
$oTpl->set('s', 'OB_CONTENT', '');
}
if ($bEndScript == true) {
$oTpl->set('s', 'RIGHTS_CONTENT', '');
$oTpl->set('s', 'JS_SCRIPT_BEFORE', '');
$oTpl->set('s', 'JS_SCRIPT_AFTER', '');
$oTpl->set('s', 'RIGHTS_CONTENT', '');
$oTpl->set('s', 'EXTERNAL_SCRIPTS', '');
$oTpl->generate('templates/standard/'.$cfg['templates']['rights_inc']);
die();
}
?>
In neuem Issue referenzieren Git Blame ansehen Permalink kopieren