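* @license http://www.contenido.org/license/LIZENZ.txt
* @link http://www.4fb.de
* @link http://www.contenido.org
* @since file available since contenido release <= 4.6
*
* {@internal
* created unknown
* modified 2008-06-30, Dominik Ziegler, add security fix
*
* $Id$:
* }}
*
*/

if (!defined('CON_FRAMEWORK')) {
    die('Illegal call');
}

/**
 * Backend bootstrap helper.
 *
 * For the current area and frame it resolves which actions the logged-in
 * user may run (select()), which include files belong to the frame
 * (getFile()), hands out the stored action code (getCode()) and writes the
 * action log (log()).
 *
 * Security notes (review):
 *  - getCode() returns strings from the actions table; the original docblock
 *    states the caller executes/evals them. Whoever can write that table can
 *    therefore run PHP in the backend, so it must be treated as trusted-only.
 *  - File names from the files table are concatenated onto the include/plugin
 *    directories without any normalisation. If those names are editable from
 *    the backend, a value containing "../" would escape the directory when the
 *    caller includes it -- TODO confirm where filenames are written.
 */
class Contenido_Backend
{
    /** @var int Debug flag; when non-zero select() dumps its state to the page. */
    public $debug = 0;

    /** @var array Granted actions, keyed [area][action name] => code string. */
    public $actions = array();

    /** @var array Include files of the current frame, keyed by file type (plus 'sub'). */
    public $files = array();

    /** @var int Number of the backend frame the file is loaded in. */
    public $frame = 0;

    /** @var array Error collector (not written by this class). */
    public $errors = array();

    /** @var string Area passed to select(), stored in its DB-escaped form. */
    public $area = '';

    /**
     * Constructor; does nothing, all state is filled by select()/setFrame().
     */
    public function __construct()
    {
        // intentionally empty
    }

    /**
     * Stores the number of the frame the file is loaded in.
     *
     * @param mixed $frame_nr frame number from the request; coerced to int
     * @return void
     */
    public function setFrame($frame_nr = 0)
    {
        $this->frame = Contenido_Security::toInteger($frame_nr);
    }

    /**
     * Loads the actions and files of the given area from the database and
     * fills $this->actions and $this->files with what the user may use.
     *
     * Reads the globals $cfg, $db, $perm, $action (current action name) and
     * $idcat/$idtpl/$idmod/$idlay (the item the rights check applies to);
     * $client and $lang are only used for the debug dump.
     *
     * @param string $area selected area (request value; escaped here)
     * @return void
     */
    public function select($area)
    {
        global $cfg, $client, $lang, $db, $perm, $action;
        global $idcat, $idtpl, $idmod, $idlay;

        // Item the rights check applies to: the first of category, template,
        // module or layout that is set, otherwise 0 ("no item").
        if (isset($idcat)) {
            $itemid = $idcat;
        } elseif (isset($idtpl)) {
            $itemid = $idtpl;
        } elseif (isset($idmod)) {
            $itemid = $idmod;
        } elseif (isset($idlay)) {
            $itemid = $idlay;
        } else {
            $itemid = 0;
        }
        $itemid = Contenido_Security::toInteger($itemid);

        // $area is interpolated into SQL below; its escaped form is also the
        // key under which actions are stored, so getCode() sees the same value.
        $area = Contenido_Security::escapeDB($area, $db);
        $this->area = $area;

        // Without rights on the area only actions and files flagged as not
        // rights-relevant (a.relevant = 0) are visible. Both queries share this.
        $restrictToIrrelevant = !$perm->have_perm_area_action($area);

        // --- actions ---------------------------------------------------------
        $sql = "SELECT b.name AS name, b.code AS code, b.relevant as relevant_action, a.relevant as relevant_area"
             . " FROM " . $cfg["tab"]["area"] . " AS a, " . $cfg["tab"]["actions"] . " AS b"
             . " WHERE a.name = '" . $area . "' AND b.idarea = a.idarea AND a.online = '1'";
        if ($restrictToIrrelevant) {
            $sql .= " AND a.relevant = '0'";
        }

        $db->query($sql);
        while ($db->next_record()) {
            $name = $db->f('name');
            $code = $db->f('code');

            if ($db->f("relevant_action") == 1 && $db->f("relevant_area") == 1) {
                // Rights-relevant action: granted if the user may run it on the
                // selected item ...
                if ($perm->have_perm_area_action_item($area, $name, $itemid)) {
                    $this->actions[$area][$name] = $code;
                }
                // ... or, when there is no item to check against, for the three
                // edit actions if the user may run it on any item at all.
                if ($itemid == 0
                    && in_array($action, array("mod_edit", "tpl_edit", "lay_edit"), true)
                    && $perm->have_perm_area_action_anyitem($area, $name)) {
                    $this->actions[$area][$name] = $code;
                }
            } else {
                // Not rights-relevant: always granted.
                $this->actions[$area][$name] = $code;
            }
        }

        // --- files -----------------------------------------------------------
        $sql = "SELECT b.filename AS name, b.filetype AS type, a.parent_id AS parent_id"
             . " FROM " . $cfg['tab']['area'] . " AS a, " . $cfg['tab']['files'] . " AS b, " . $cfg['tab']['framefiles'] . " AS c"
             . " WHERE a.name = '" . $area . "' AND b.idarea = a.idarea AND b.idfile = c.idfile"
             . " AND c.idarea = a.idarea AND c.idframe = '" . $this->frame . "' AND a.online = '1'";
        if ($restrictToIrrelevant) {
            $sql .= " AND a.relevant = '0'";
        }
        $sql .= " ORDER BY b.filename";

        $db->query($sql);
        while ($db->next_record()) {
            $name = $db->f('name');
            $type = $db->f('type');

            // A name containing a slash is a plug-in file and is resolved against
            // the plugin directory instead of the include directory. The name is
            // not sanitised here (see class docblock).
            if (strpos($name, "/") !== false) {
                $filepath = $cfg["path"]["plugins"] . $name;
            } else {
                $filepath = $cfg["path"]["includes"] . $name;
            }

            // A 'main' file that has a parent is additionally listed as a sub file.
            if ($db->f('parent_id') != 0 && $type == 'main') {
                $this->files['sub'][] = $filepath;
            }
            $this->files[$type][] = $filepath;
        }

        if ($this->debug) {
            $this->dumpDebugInfo($area, $action, $client, $lang);
        }
    }

    /**
     * Debug output for select(): the resolved files and actions plus the request
     * context. Everything is HTML-escaped because $area and $action originate
     * from the request.
     *
     * @param string $area   escaped area name
     * @param mixed  $action current action name
     * @param mixed  $client client id
     * @param mixed  $lang   language id
     * @return void
     */
    private function dumpDebugInfo($area, $action, $client, $lang)
    {
        echo "\n";
        echo "Na, wieder scheisse gebaut?? ;-)\n\n";
        echo "Files:\n\n";
        echo htmlspecialchars(print_r($this->files, true), ENT_QUOTES);
        echo "\n\nActions:\n\n";
        $areaActions = isset($this->actions[$this->area]) ? $this->actions[$this->area] : null;
        echo htmlspecialchars(print_r($areaActions, true), ENT_QUOTES);
        echo "\n\nInformation:\n\n";
        echo "Area: " . htmlspecialchars((string) $area, ENT_QUOTES) . "\n";
        echo "Action: " . htmlspecialchars((string) $action, ENT_QUOTES) . "\n";
        echo "Client: " . htmlspecialchars((string) $client, ENT_QUOTES) . "\n";
        echo "Lang: " . htmlspecialchars((string) $lang, ENT_QUOTES) . "\n";
        echo "\n";
    }

    /**
     * Returns the stored code for $action in the current area.
     *
     * The returned string is, per the original docblock, executed/eval'd by
     * the caller; it must only ever come from $this->actions as filled by
     * select(), which is the access check.
     *
     * @param string $action action name
     * @return string|null code, or null if the action is unknown or not granted
     */
    public function getCode($action)
    {
        if (isset($this->actions[$this->area][$action])) {
            return $this->actions[$this->area][$action];
        }
        // No such action, or select() did not grant it.
        return null;
    }

    /**
     * Returns the file paths of the given type for the current frame.
     *
     *  'inc'  => required files (functions/classes etc.)
     *  'main' => main file(s)
     *  'sub'  => main files that have a parent (see select())
     *
     * @param string $which file type
     * @return array|null list of paths, or null if none were selected
     */
    public function getFile($which)
    {
        if (isset($this->files[$which])) {
            return $this->files[$which];
        }
        // No file of that type, or none the user may see.
        return null;
    }

    /**
     * Writes an entry to the action log.
     *
     * Reads the globals $perm, $auth (session user), $cfg, $classarea and
     * $area. Note that $area is overwritten with its DB-escaped form, i.e. the
     * global is modified as a side effect (kept from the original).
     *
     * If the action is unknown to the actions table nothing is logged; instead
     * a hint with an INSERT statement is printed. That hint is HTML-escaped
     * because the action name comes from the request.
     *
     * @param mixed  $idcat    category id
     * @param mixed  $idart    article id
     * @param mixed  $client   client id
     * @param mixed  $lang     language id
     * @param string $idaction action id or canonical action name
     * @return void
     */
    public function log($idcat, $idart, $client, $lang, $idaction)
    {
        global $perm, $auth, $cfg, $classarea, $area;

        $db_log = new DB_ConLite;
        $lastentry = $db_log->nextid($cfg["tab"]["actionlog"]);
        $timestamp = date("Y-m-d H:i:s");
        $idcatart = "0";

        $idcat = Contenido_Security::toInteger($idcat);
        $idart = Contenido_Security::toInteger($idart);
        $client = Contenido_Security::toInteger($client);
        $lang = Contenido_Security::toInteger($lang);
        $idaction = Contenido_Security::escapeDB($idaction, $db_log);
        $area = Contenido_Security::escapeDB($area, $db_log);

        if (!Contenido_Security::isInteger($client) || !Contenido_Security::isInteger($lang)) {
            return;
        }

        if (isset($idcat) && isset($idart) && $idcat != "" && $idart != "") {
            $sql = "SELECT idcatart FROM " . $cfg["tab"]["cat_art"]
                 . " WHERE idcat = '" . $idcat . "' AND idart = '" . $idart . "'";
            $db_log->query($sql);
            // Keep the "0" default when no category/article pair exists instead
            // of interpolating a missing field value.
            if ($db_log->next_record()) {
                $idcatart = $db_log->f("idcatart");
            }
        }

        $oldaction = $idaction;
        $idaction = $perm->getIDForAction($idaction);

        if ($idaction == "") {
            // Unknown action: print a developer hint and do not log anything.
            $myareaid = $classarea->getAreaID($area);
            $db_log->query("SELECT max(idaction) FROM " . $cfg["tab"]["actions"]);
            $db_log->next_record();
            $mynextid = $db_log->f(0) + 1;

            $insertHint = "INSERT INTO " . $cfg["tab"]["actions"]
                        . " SET idaction = '" . $mynextid . "', idarea = '" . $myareaid . "',"
                        . " name = '" . $oldaction . "', relevant = '1'";

            echo htmlspecialchars((string) $oldaction, ENT_QUOTES) . " is not in the actions table!\n\n";
            echo "Use the following statement to insert it with minimal functionsinto the actions table:\n";
            echo htmlspecialchars($insertHint, ENT_QUOTES);
            return;
        }

        // The session user id is interpolated into SQL, so escape it as well.
        $uid = Contenido_Security::escapeDB($auth->auth["uid"], $db_log);

        $sql = "INSERT INTO " . $cfg["tab"]["actionlog"]
             . " SET idlog = '" . $lastentry . "',"
             . " user_id = '" . $uid . "',"
             . " idclient = '" . $client . "',"
             . " idlang = '" . $lang . "',"
             . " idaction = '" . $idaction . "',"
             . " idcatart = '" . $idcatart . "',"
             . " logtimestamp = '" . $timestamp . "'";
        $db_log->query($sql);
    }
} # end class Contenido_Backend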