374 Zeilen
		
	
	
	
		
			14 KiB
		
	
	
	
		
			PHP
		
	
	
	
	
	
			
		
		
	
	
			374 Zeilen
		
	
	
	
		
			14 KiB
		
	
	
	
		
			PHP
		
	
	
	
	
	
| <?php
 | |
| /**
 | |
|  * Project: 
 | |
|  * Contenido Content Management System
 | |
|  * 
 | |
|  * Description: 
 | |
|  * Rights
 | |
|  * 
 | |
|  * Requirements: 
 | |
|  * @con_php_req 5.0
 | |
|  * 
 | |
|  *
 | |
|  * @package    Contenido Backend includes
 | |
|  * @version    1.0.1
 | |
|  * @author     unknown
 | |
|  * @copyright  four for business AG <www.4fb.de>
 | |
|  * @license    http://www.contenido.org/license/LIZENZ.txt
 | |
|  * @link       http://www.4fb.de
 | |
|  * @link       http://www.contenido.org
 | |
|  * @since      file available since contenido release <= 4.6
 | |
|  * 
 | |
|  * {@internal 
 | |
|  *   created  unknown
 | |
|  *   modified 2008-06-27, Dominik Ziegler, add security fix
 | |
|  *   modified 2008-07-03, Timo Trautmann, moved inline html to template
 | |
|  *   modified 2010-05-20, Murat Purc, removed request check during processing ticket [#CON-307]
 | |
|  *
 | |
|  *   $Id$:
 | |
|  * }}
 | |
|  * 
 | |
|  */
 | |
|  
 | |
| if (!defined('CON_FRAMEWORK')) {
 | |
| 	die('Illegal call');
 | |
| }
 | |
| 
 | |
| 
 | |
| function saverights() {
 | |
|    global $rights_list, $rights_list_old, $db;
 | |
|    global $cfg, $userid, $rights_client, $rights_lang;
 | |
|    global $perm, $sess, $notification;
 | |
| 
 | |
|    //if no checkbox is checked
 | |
|    if (!is_array($rights_list)) {
 | |
|       $rights_list = array ();
 | |
|    }
 | |
| 
 | |
|    //search all checks which are not in the new Rights_list for deleting
 | |
|    $arraydel = array_diff(array_keys($rights_list_old), array_keys($rights_list));
 | |
|    //search all checks which are not in the Rights_list_old for saving
 | |
|    $arraysave = array_diff(array_keys($rights_list), array_keys($rights_list_old));
 | |
| 
 | |
|    if (is_array($arraydel)) {
 | |
| 
 | |
|       foreach ($arraydel as $value) {
 | |
| 
 | |
|          $data = explode("|", $value);
 | |
|          $data[0] = $perm->getIDForArea($data[0]);
 | |
|          $data[1] = $perm->getIDForAction($data[1]);
 | |
| 
 | |
|          $sql = "DELETE FROM ".$cfg["tab"]["rights"]." WHERE user_id='".Contenido_Security::escapeDB($userid, $db)."' AND idclient='".Contenido_Security::toInteger($rights_client)."' AND idlang='".Contenido_Security::toInteger($rights_lang)."' AND idarea='".Contenido_Security::toInteger($data[0])."' AND idcat='".Contenido_Security::toInteger($data[2])."' AND idaction='".Contenido_Security::toInteger($data[1])."' AND type=0";
 | |
|          $db->query($sql);
 | |
|       }
 | |
|    }
 | |
| 
 | |
|    unset($data);
 | |
| 
 | |
|    //search for all mentioned checkboxes
 | |
|    if (is_array($arraysave)) {
 | |
|       foreach ($arraysave as $value) {
 | |
|          //explodes the key     it consits    areait+actionid+itemid
 | |
|          $data = explode("|", $value);
 | |
| 
 | |
|          // Since areas are stored in a numeric form in the rights table, we have
 | |
|          // to convert them from strings into numbers
 | |
| 
 | |
|          $data[0] = $perm->getIDForArea($data[0]);
 | |
|          $data[1] = $perm->getIDForAction($data[1]);
 | |
| 
 | |
|          if (!isset ($data[1])) {
 | |
|             $data[1] = 0;
 | |
|          }
 | |
|          // Insert new right
 | |
|          $sql = "INSERT INTO ".$cfg["tab"]["rights"]."
 | |
|                   (idright, user_id,idarea,idaction,idcat,idclient,idlang,type)
 | |
|                   VALUES ('".$db->nextid($cfg["tab"]["rights"])."', '".Contenido_Security::escapeDB($userid, $db)."','".Contenido_Security::toInteger($data[0])."','".Contenido_Security::toInteger($data[1])."','".Contenido_Security::toInteger($data[2])."','".Contenido_Security::toInteger($rights_client)."','".Contenido_Security::toInteger($rights_lang)."',0)";
 | |
|          $db->query($sql);
 | |
|       }
 | |
|    }
 | |
| 
 | |
|    $rights_list_old = $rights_list;
 | |
|    //$notification->displayNotification("info", i18n("Changes saved"),0);
 | |
| }
 | |
| 
 | |
| function saverightsarea()
 | |
| {
 | |
|          global $db, $cfg,$userid,$rights_client,$rights_lang,$rights_admin,$rights_sysadmin,$rights_perms,$rights_list;
 | |
| 
 | |
|          if(!isset($rights_perms)){
 | |
|              //search for the permissions of this user
 | |
|              $sql="SELECT perms FROM ".$cfg["tab"]["phplib_auth_user_md5"]." WHERE user_id='".Contenido_Security::escapeDB($userid, $db)."'";
 | |
|              $db->query($sql);
 | |
|              $db->next_record();
 | |
|              $rights_perms=$db->f("perms");
 | |
|          }
 | |
| 
 | |
|          //if there are no permissions,   delete permissions for lan and client
 | |
|          if(!is_array($rights_list)){
 | |
|             $rights_perms=preg_replace("/,+client\[$rights_client\]/","",$rights_perms);
 | |
|             $rights_perms=preg_replace("/,+lang\[$rights_lang\]/","",$rights_perms);
 | |
|          }else{
 | |
|             if(!strstr($rights_perms,"client[$rights_client]"))
 | |
|                  $rights_perms.=",client[$rights_client]";
 | |
|             if(!strstr($rights_perms,"lang[$rights_lang]"))
 | |
|                  $rights_perms.=",lang[$rights_lang]";
 | |
|          }
 | |
| 
 | |
|          //if admin is checked
 | |
|          if($rights_admin==1){
 | |
|              //if admin is not set
 | |
|              if(!strstr($rights_perms,"admin[$rights_client]"))
 | |
|                  $rights_perms.=",admin[$rights_client]";
 | |
|          }else{
 | |
|              //cut admin from the string
 | |
|              $rights_perms=preg_replace("/,*admin\[$rights_client\]/","",$rights_perms);
 | |
|          }
 | |
| 
 | |
|          //if sysadmin is checked
 | |
|          if($rights_sysadmin==1){
 | |
|              //if sysadmin is not set
 | |
|              if(!strstr($rights_perms,"sysadmin"))
 | |
|                  $rights_perms.=",sysadmin";
 | |
|          }else{
 | |
|              //cat sysadmin from string
 | |
|              $rights_perms=preg_replace("/,*sysadmin/","",$rights_perms);
 | |
|          }
 | |
| 
 | |
| 
 | |
|          //cut ',' in front of the string
 | |
|          $rights_perms=preg_replace("/^,/","",$rights_perms);
 | |
| 
 | |
|          //update table
 | |
|          $sql="UPDATE ".$cfg["tab"]["phplib_auth_user_md5"]." SET perms='".Contenido_Security::escapeDB($rights_perms, $db)."' WHERE user_id='".Contenido_Security::escapeDB($userid, $db)."'";
 | |
|                 
 | |
|          $db->query($sql);
 | |
|          
 | |
|          //save the other rights
 | |
|          saverights();
 | |
| }
 | |
| 
 | |
| if (!is_object($oTpl)) {
 | |
|     $oTpl = new Template();
 | |
| }
 | |
| $oTpl->reset();
 | |
| 
 | |
| if(!is_object($db2))
 | |
| $db2 = new DB_ConLite;
 | |
| 
 | |
| if(!isset($rights_client)){
 | |
|       $rights_client=$client;
 | |
|       $rights_lang=$lang;
 | |
| }
 | |
| 
 | |
| //set new right_list (=all possible rights)
 | |
| if(!is_array($right_list)){
 | |
|     # modified 2007-08-03, H. Librenz <holger.librenz@4fb.de> - this breaks, i do not know really know why, the session if storage container for session is other than database!
 | |
|     # PS: this is a hard, damn shit area of code -- ARRRGGGHHHH!!!!!!!
 | |
|          //register these list fore following sites
 | |
| //         $sess->register("right_list");
 | |
| 
 | |
|          $plugxml=new XML_Doc();
 | |
| 
 | |
|          //select all rights , actions an theeir locations   without area login
 | |
|         $sql="SELECT A.idarea, A.parent_id, B.location,A.name FROM ".$cfg["tab"]["area"]." as A LEFT JOIN ".$cfg["tab"]["nav_sub"]." as B ON  A.idarea = B.idarea WHERE A.name!='login' AND A.relevant='1' AND A.online='1' GROUP BY A.name, A.idarea, B.location ORDER BY A.idarea";
 | |
|          $db->query($sql);
 | |
| 
 | |
|          while($db->next_record())
 | |
|         {
 | |
|                 if($db->f("parent_id")=="0"){
 | |
|                              $right_list[$db->f("name")][$db->f("name")]["perm"]=$db->f("name");
 | |
| 
 | |
|                              $right_list[$db->f("name")][$db->f("name")]["location"]=$db->f('location');
 | |
|                 }else{
 | |
|                              $right_list[$db->f("parent_id")][$db->f("name")]["perm"]=$db->f("name");
 | |
|                              $right_list[$db->f("parent_id")][$db->f("name")]["location"] = $db->f('location');
 | |
|                 }
 | |
| 
 | |
|                 $sql="SELECT * FROM ".$cfg["tab"]["actions"]." WHERE idarea='".Contenido_Security::toInteger($db->f("idarea"))."' AND relevant='1'";
 | |
|                 $db2->query($sql);
 | |
|                 while($db2->next_record())
 | |
|                 {
 | |
|                       if($db->f("parent_id")=="0"){
 | |
|                               $right_list[$db->f("name")][$db->f("name")]["action"][]=$db2->f("name");
 | |
|                       }else{
 | |
|                               $right_list[$db->f("parent_id")][$db->f("name")]["action"][]=$db2->f("name");
 | |
|                       }
 | |
|                 }
 | |
|          }
 | |
| }
 | |
| 
 | |
| $oTpl->set('s', 'SESS_ID', $sess->id);
 | |
| $oTpl->set('s', 'ACTION_URL', $sess->url("main.php"));
 | |
| // type id for user
 | |
| $oTpl->set('s', 'TYPE_ID', 'userid');
 | |
| $oTpl->set('s', 'USER_ID', $userid);
 | |
| $oTpl->set('s', 'AREA', $area);
 | |
| $oTpl->set('s', 'TABLE_BORDER', $cfg["color"]["table_border"]);
 | |
| $oTpl->set('s', 'TABLE_BGCOLOR', $cfg["color"]["table_dark"]);
 | |
| 
 | |
| if(!isset($actionarea)){
 | |
|     $actionarea="area";
 | |
| }
 | |
| 
 | |
| $muser = new User;
 | |
| $muser->loadUserByUserID($userid);
 | |
| 
 | |
| $userperms = $muser->getField("perms");
 | |
| 
 | |
| ob_start();
 | |
| 
 | |
| $oTpl->set('s', 'RIGHTS_PERMS', $rights_perms);
 | |
| 
 | |
| 
 | |
| //selectbox for clients
 | |
| $oHtmlSelect = new 	cHTMLSelectElement ('rights_clientslang', "", "rights_clientslang");
 | |
| 
 | |
| 	$clientclass = new Client;
 | |
|    	$clientList = $clientclass->getAccessibleClients();
 | |
| 
 | |
|   	$firstsel = false;
 | |
|   	
 | |
| 	$i = 0;
 | |
|    	foreach ($clientList as $key=>$value) {
 | |
|    		
 | |
|    		$sql="SELECT * FROM ".$cfg["tab"]["lang"]." as A, ".$cfg["tab"]["clients_lang"]." as B WHERE B.idclient='".Contenido_Security::toInteger($key)."' AND A.idlang=B.idlang";
 | |
| 		$db->query($sql);
 | |
| 
 | |
| 		while($db->next_record())
 | |
| 		{
 | |
|     		if((strpos($userperms, "client[$key]") !== false) && 
 | |
|     		   (strpos($userperms, "lang[".$db->f("idlang")."]") !== false)
 | |
|     		   && ($perm->have_perm("lang[".$db->f("idlang")."]"))){
 | |
|     		   	
 | |
|     		   	if ($firstsel == false)
 | |
|     		   	{
 | |
|     		   		$firstsel = true;
 | |
|     		   		$firstclientslang = $db->f("idclientslang");
 | |
|     		   	}
 | |
|     		   	
 | |
| 		       if ($rights_clientslang == $db->f("idclientslang")) {
 | |
| 			        $oHtmlSelectOption = new cHTMLOptionElement($value["name"] . " -> ".$db->f("name"), $db->f("idclientslang"), true);
 | |
|                     $oHtmlSelect->addOptionElement($i, $oHtmlSelectOption);
 | |
| 					$i++;
 | |
| 					
 | |
|                     if(!isset($rights_client))
 | |
|                     {
 | |
|                    	    $firstclientslang = $db->f("idclientslang");
 | |
|                     }
 | |
|                } else {
 | |
| 			        $oHtmlSelectOption = new cHTMLOptionElement($value["name"] . " -> ".$db->f("name"), $db->f("idclientslang"), false);
 | |
|                     $oHtmlSelect->addOptionElement($i, $oHtmlSelectOption);
 | |
| 					$i++;
 | |
|                }
 | |
|     		}
 | |
| 		}
 | |
|     }
 | |
| 
 | |
| 	$oTpl->set('s', 'INPUT_SELECT_CLIENT', $oHtmlSelect->render());
 | |
|       
 | |
|       if ($area == 'user_content') {
 | |
|         #filter for displaying rights
 | |
|         $oHtmlSelect = new 	cHTMLSelectElement ('filter_rights', '', "filter_rights");  
 | |
|         $oHtmlSelectOption = new cHTMLOptionElement('--- '.i18n("All").' ---', '', false);
 | |
|         $oHtmlSelect->addOptionElement(0, $oHtmlSelectOption);
 | |
|         $oHtmlSelectOption = new cHTMLOptionElement(i18n("Article rights"), 'article', false);
 | |
|         $oHtmlSelect->addOptionElement(1, $oHtmlSelectOption);
 | |
|         $oHtmlSelectOption = new cHTMLOptionElement(i18n("Category rights"), 'category', false);
 | |
|         $oHtmlSelect->addOptionElement(2, $oHtmlSelectOption);
 | |
|         $oHtmlSelectOption = new cHTMLOptionElement(i18n("Template rights"), 'template', false);
 | |
|         $oHtmlSelect->addOptionElement(3, $oHtmlSelectOption);
 | |
|         $oHtmlSelectOption = new cHTMLOptionElement(i18n("Plugin/Other rights"), 'other', false);
 | |
|         $oHtmlSelect->addOptionElement(4, $oHtmlSelectOption);
 | |
|         $oHtmlSelect->setEvent('change', "document.rightsform.submit();");
 | |
|         $oHtmlSelect->setDefault($_POST['filter_rights']);
 | |
| 
 | |
|         #set global array which defines rights to display
 | |
|         $aArticleRights = array('con_syncarticle', 'con_lock', 'con_deleteart', 'con_makeonline', 'con_makestart', 'con_duplicate', 'con_editart', 'con_newart', 'con_edit');
 | |
|         $aCategoryRights = array('con_synccat', 'con_makecatonline', 'con_makepublic');
 | |
|         $aTempalteRights = array('con_changetemplate', 'con_tplcfg_edit');
 | |
| 
 | |
|         $aViewRights = array();
 | |
|         $bExclusive = false;
 | |
|         if (isset($_POST['filter_rights'])) {
 | |
|             switch($_POST['filter_rights']) {
 | |
|                 case 'article':
 | |
|                     $aViewRights = $aArticleRights;
 | |
|                     break;
 | |
|                 case 'category':
 | |
|                     $aViewRights = $aCategoryRights;
 | |
|                     break;
 | |
|                 case 'template':
 | |
|                     $aViewRights = $aTempalteRights;
 | |
|                     break;
 | |
|                 case 'other':
 | |
|                     $aViewRights = array_merge($aArticleRights, $aCategoryRights, $aTempalteRights);
 | |
|                     $bExclusive = true;
 | |
|                     break;
 | |
|                 default:
 | |
|                     break;
 | |
|             }
 | |
|         }
 | |
|         $oTpl->set('s', 'INPUT_SELECT_RIGHTS', $oHtmlSelect->render());
 | |
| 		$oTpl->set('s', 'DISPLAY_RIGHTS', 'block');
 | |
| 	} else {
 | |
| 	    $oTpl->set('s', 'INPUT_SELECT_RIGHTS', '');
 | |
| 		$oTpl->set('s', 'DISPLAY_RIGHTS', 'none');
 | |
| 	}
 | |
| //navigation
 | |
| 
 | |
| if(!isset($rights_clientslang))
 | |
| {
 | |
| 	$rights_clientslang = $firstclientslang;
 | |
| }
 | |
| 
 | |
| $sql = "SELECT idclient, idlang FROM ".$cfg["tab"]["clients_lang"]." WHERE idclientslang = '".Contenido_Security::toInteger($rights_clientslang)."'";
 | |
| $db->query($sql);
 | |
| 
 | |
| $bEndScript = false;
 | |
| 
 | |
| if ($db->next_record())
 | |
| {
 | |
| 	$rights_client = $db->f("idclient");
 | |
| 	$rights_lang = $db->f("idlang");
 | |
| 	$oTpl->set('s', 'NOTIFICATION', '');
 | |
| 	$oTpl->set('s', 'DISPLAY_FILTER', 'block');
 | |
| } else {
 | |
|     $bEndScript = true;
 | |
| 	ob_end_clean();
 | |
| 
 | |
| 	// Account is sysadmin
 | |
| 	if (strpos($userperms, "sysadmin") !== false) 
 | |
| 	{
 | |
| 		$oTpl->set('s', 'NOTIFICATION', $notification->messageBox("warning", i18n("The selected user is a system administrator. A system administrator has all rights for all clients for all languages and therefore rights can't be specified in more detail."),0));
 | |
| 	} 
 | |
| 	// Account is only assigned to clients with admin rights
 | |
| 	else if (strpos($userperms, "admin[") !== false) 
 | |
| 	{
 | |
| 		$oTpl->set('s', 'NOTIFICATION', $notification->messageBox("warning", i18n("The selected user is assigned to clients as admin, only. An admin has all rights for a client and therefore rights can't be specified in more detail."),0));
 | |
| 	} 
 | |
| 	else 
 | |
| 	{
 | |
| 		$oTpl->set('s', 'NOTIFICATION', $notification->messageBox("error", i18n("Current user doesn't have any rights to any client/language."),0));
 | |
| 	}
 | |
| 	$oTpl->set('s', 'DISPLAY_FILTER', 'none');
 | |
| }
 | |
| 
 | |
| if ($bEndScript != true) {
 | |
| 	$tmp = ob_get_contents();
 | |
| 	ob_end_clean();
 | |
| 	$oTpl->set('s', 'OB_CONTENT', $tmp);
 | |
| } else {
 | |
|     $oTpl->set('s', 'OB_CONTENT', '');
 | |
| }
 | |
| 
 | |
| if ($bEndScript == true) {
 | |
|     $oTpl->set('s', 'RIGHTS_CONTENT', '');
 | |
| 	$oTpl->set('s', 'JS_SCRIPT_BEFORE', '');
 | |
| 	$oTpl->set('s', 'JS_SCRIPT_AFTER', '');
 | |
| 	$oTpl->set('s', 'RIGHTS_CONTENT', '');
 | |
| 	$oTpl->set('s', 'EXTERNAL_SCRIPTS', '');
 | |
| 	$oTpl->generate('templates/standard/'.$cfg['templates']['rights_inc']);
 | |
| 	die();
 | |
| }
 | |
| ?>
 |