From 21c98c033102f53f05822da4c6030e67a42fe5a7 Mon Sep 17 00:00:00 2001
From: Andre Lorbach
Date: Mon, 22 Feb 2010 17:51:07 +0100
Subject: [PATCH] Secured Views and Sources Admin access of NON-Admin users
---
 src/admin/sources.php | 44 ++++++++++++++++++++++----
 src/admin/views.php | 24 ++++++++++++--
 src/lang/de/admin.php | 1 +
 src/lang/en/admin.php | 1 +
 src/lang/it_IT/admin.php | 1 +
 src/lang/pt_BR/admin.php | 1 +
 src/templates/admin/admin_sources.html | 2 +-
 src/templates/admin/admin_views.html | 2 +-
 8 files changed, 65 insertions(+), 11 deletions(-)
diff --git a/src/admin/sources.php b/src/admin/sources.php
index 7b44ec3..9523cf6 100644
--- a/src/admin/sources.php
+++ b/src/admin/sources.php
@@ -54,6 +54,13 @@ IncludeLanguageFile( $gl_root_path . '/lang/' . $LANG . '/admin.php' );
 // --- BEGIN Custom Code
+// --- Set Helpervariable for non-ADMIN users
+if ( !isset($_SESSION['SESSION_ISADMIN']) || $_SESSION['SESSION_ISADMIN'] == 0 )
+ $content['READONLY_ISUSERONLY'] = "disabled";
+else
+ $content['READONLY_ISUSERONLY'] = "";
+// ---
+
 if ( isset($_GET['op']) )
 {
 if ($_GET['op'] == "add")
@@ -110,6 +117,14 @@ if ( isset($_GET['op']) )
 $content['userid'] = null;
 $content['CHECKED_ISUSERONLY'] = "";
 $content['SOURCEID'] = "";
+
+ // --- Can only create a USER source!
+ if ( !isset($_SESSION['SESSION_ISADMIN']) || $_SESSION['SESSION_ISADMIN'] == 0 )
+ {
+ $content['userid'] = $content['SESSION_USERID'];
+ $content['CHECKED_ISUSERONLY'] = "checked";
+ }
+ // ---
 // --- Check if groups are available
 $content['SUBGROUPS'] = GetGroupsForSelectfield();
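Review bot: The admin test `!isset($_SESSION['SESSION_ISADMIN']) || $_SESSION['SESSION_ISADMIN'] == 0` is spelled out inline here and again in the @@ -110, @@ -195 and @@ -528 hunks of this file and in all three views.php hunks; a single shared helper such as `function IsSessionAdmin() { return isset($_SESSION['SESSION_ISADMIN']) && $_SESSION['SESSION_ISADMIN'] != 0; }` would keep the authorization rule in one place so the copies cannot drift. The `READONLY_ISUSERONLY = "disabled"` value only disables a form control in the rendered template and is not an access control by itself; the POST handling in @@ -528 appears to be what actually enforces the user-only restriction for sources, so a comment making that explicit would help, for example `// UI hint only: the POST handler forces user-only sources for non-admins`. The surrounding file-level code continues outside the hunk.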
@@ -195,11 +210,17 @@ if ( isset($_GET['op']) )
 }
 $content['SourceDBRecordsPerQuery'] = $mysource['DBRecordsPerQuery'];
-
- if ( $mysource['userid'] != null )
+ // Set UserID if set!
+ $content['userid'] = $mysource['userid'];
+ if ( $content['userid'] != null )
 $content['CHECKED_ISUSERONLY'] = "checked";
 else
 $content['CHECKED_ISUSERONLY'] = "";
+
+ // --- Can only EDIT own views!
+ if ( !isset($_SESSION['SESSION_ISADMIN']) || $_SESSION['SESSION_ISADMIN'] == 0 && $content['userid'] == NULL )
+ DieWithFriendlyErrorMsg( $content['LN_ADMIN_ERROR_NOTALLOWEDTOEDIT'] );
+ // ---
 // --- Check if groups are available
 $content['SUBGROUPS'] = GetGroupsForSelectfield();
@@ -528,11 +549,20 @@ if ( isset($_POST['op']) )
 }
 else
 {
- $content['userid'] = "null";
- if ( isset ($_POST['groupid']) && $_POST['groupid'] != -1 )
- $content['groupid'] = intval($_POST['groupid']);
- else
- $content['groupid'] = "null";
+ // --- Can only create a USER source!
+ if ( !isset($_SESSION['SESSION_ISADMIN']) || $_SESSION['SESSION_ISADMIN'] == 0 )
+ {
+ $content['userid'] = $content['SESSION_USERID'];
+ $content['groupid'] = "null";
+ }
+ else
+ {
+ $content['userid'] = "null";
+ if ( isset ($_POST['groupid']) && $_POST['groupid'] != -1 )
+ $content['groupid'] = intval($_POST['groupid']);
+ else
+ $content['groupid'] = "null";
+ }
 }
 // --- Check mandotary values
diff --git a/src/admin/views.php b/src/admin/views.php
index 243e8f5..8d1e893 100644
--- a/src/admin/views.php
+++ b/src/admin/views.php
@@ -61,6 +61,13 @@ IncludeLanguageFile( $gl_root_path . '/lang/' . $LANG . '/admin.php' );
 // Init helper variable to empty string
 $content['FormUrlAddOP'] = "";
+// --- Set Helpervariable for non-ADMIN users
+if ( !isset($_SESSION['SESSION_ISADMIN']) || $_SESSION['SESSION_ISADMIN'] == 0 )
+ $content['READONLY_ISUSERONLY'] = "disabled";
+else
+ $content['READONLY_ISUSERONLY'] = "";
+// ---
+
 if ( isset($_GET['op']) )
 {
 if ($_GET['op'] == "add")
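Review bot: The guard `!isset($_SESSION['SESSION_ISADMIN']) || $_SESSION['SESSION_ISADMIN'] == 0 && $content['userid'] == NULL` does not do what its comment says: `&&` binds tighter than `||` in PHP, so it reads as `!isset(...) || (ISADMIN == 0 && userid == NULL)`, and a logged-in non-admin is refused only for sources that have no owner at all. It never compares the stored owner with the current user, so any source that carries some userid — another user's included — is served for editing to any non-admin who requests its edit page (presumably by id). The condition should be parenthesised and compare ownership, `if ( (!isset($_SESSION['SESSION_ISADMIN']) || $_SESSION['SESSION_ISADMIN'] == 0) && $content['userid'] != $content['SESSION_USERID'] )`, which still refuses unowned group/global sources as well. The same line appears in the @@ -116 hunk of views.php and needs the same fix, and the comment here should say "sources" rather than "views". The enclosing edit branch starts and ends outside the hunk.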
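Review bot: The new non-admin branch pins `userid` to `$content['SESSION_USERID']` and `groupid` to `"null"`, which covers creation, but nothing in this hunk checks that an update of an existing source was submitted by its owner; if the update path shares this code, a non-admin could still overwrite another user's source by posting an edit, because the check added on the GET side in @@ -195 only protects the form display. Verify that the update query re-reads the stored owner and refuses a non-admin whose `SESSION_USERID` does not match, rather than trusting the submitted form. The enclosing `if ( isset($_POST['op']) )` block starts and ends outside the hunk.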
@@ -72,10 +79,18 @@ if ( isset($_GET['op']) )
 //PreInit these values
 $content['DisplayName'] = "";
- $content['userid'] = null;
- $content['CHECKED_ISUSERONLY'] = "";
 $content['VIEWID'] = "";
 $content['FormUrlAddOP'] = "?op=add";
+ $content['userid'] = null;
+ $content['CHECKED_ISUSERONLY'] = "";
+
+ // --- Can only create a USER source!
+ if ( !isset($_SESSION['SESSION_ISADMIN']) || $_SESSION['SESSION_ISADMIN'] == 0 )
+ {
+ $content['userid'] = $content['SESSION_USERID'];
+ $content['CHECKED_ISUSERONLY'] = "checked";
+ }
+ // ---
 // --- Check if groups are available
 $content['SUBGROUPS'] = GetGroupsForSelectfield();
@@ -116,6 +131,11 @@ if ( isset($_GET['op']) )
 else
 $content['CHECKED_ISUSERONLY'] = "";
+ // --- Can only EDIT own views!
+ if ( !isset($_SESSION['SESSION_ISADMIN']) || $_SESSION['SESSION_ISADMIN'] == 0 && $content['userid'] == NULL )
+ DieWithFriendlyErrorMsg( $content['LN_ADMIN_ERROR_NOTALLOWEDTOEDIT'] );
+ // ---
+
 // --- Check if groups are available
 $content['SUBGROUPS'] = GetGroupsForSelectfield();
 if ( is_array($content['SUBGROUPS']) )
diff --git a/src/lang/de/admin.php b/src/lang/de/admin.php
index 01d9783..43ab035 100644
--- a/src/lang/de/admin.php
+++ b/src/lang/de/admin.php
@@ -102,6 +102,7 @@ $content['LN_GEN_INJECTHTMLHEADER'] = "Voranstellen von HTML Code in <head>
 $content['LN_GEN_INJECTBODYHEADER'] = "Voranstellen von HTML Code am Anfang des <body> Bereichs.";
 $content['LN_GEN_INJECTBODYFOOTER'] = "Voranstellen von HTML Code Am Ende des <body> Bereichs.";
 $content['LN_ADMIN_PHPLOGCON_LOGOURL'] = "Optionale phpLogCon-Logo-URL. Bitte für das Standard-Logo leer lassen.";
+$content['LN_ADMIN_ERROR_NOTALLOWEDTOEDIT'] = "You are not allowed to edit this configuration item.";
 // User Center
 $content['LN_USER_CENTER'] = "Benutzer Optionen";
diff --git a/src/lang/en/admin.php b/src/lang/en/admin.php
index 69a28e9..a418851 100644
--- a/src/lang/en/admin.php
+++ b/src/lang/en/admin.php
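Review bot: Presetting `userid` from `SESSION_USERID` and checking the box here only shapes the rendered add form, and unlike sources.php (which gets the @@ -528 POST change) this commit touches no POST handling in views.php, so unless the view save path already forces user-only for non-admins, a `disabled` checkbox is a client-side hint that a submitted request need not honour and a non-admin could still store a group or global view. The save path should apply the same rule server-side as sources.php does, pinning `$content['userid'] = $content['SESSION_USERID']` and `$content['groupid'] = "null"` for non-admins. The comment `// --- Can only create a USER source!` was carried over from sources.php and should read `// --- Non-admins can only create a USER view`. The enclosing add branch starts and ends outside the hunk.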
@@ -104,6 +104,7 @@ $content['LN_GEN_INJECTHTMLHEADER'] = "Inject this html code into the <head&g
 $content['LN_GEN_INJECTBODYHEADER'] = "Inject this html code at the beginning of the <body> area.";
 $content['LN_GEN_INJECTBODYFOOTER'] = "Inject this html code at the end <body> area.";
 $content['LN_ADMIN_PHPLOGCON_LOGOURL'] = "Optional phpLogCon Logo URL. Leave empty to use the default one.";
+$content['LN_ADMIN_ERROR_NOTALLOWEDTOEDIT'] = "You are not allowed to edit this configuration item.";
 // User Center
 $content['LN_USER_CENTER'] = "User Options";
diff --git a/src/lang/it_IT/admin.php b/src/lang/it_IT/admin.php
index 2d43b4c..d164cf0 100644
--- a/src/lang/it_IT/admin.php
+++ b/src/lang/it_IT/admin.php
@@ -104,6 +104,7 @@ $content['LN_GEN_INJECTHTMLHEADER'] = "Inject this html code into the <head&g
 $content['LN_GEN_INJECTBODYHEADER'] = "Inject this html code at the beginning of the <body> area.";
 $content['LN_GEN_INJECTBODYFOOTER'] = "Inject this html code at the end <body> area.";
 $content['LN_ADMIN_PHPLOGCON_LOGOURL'] = "Optional phpLogCon Logo URL. Leave empty to use the default one.";
+$content['LN_ADMIN_ERROR_NOTALLOWEDTOEDIT'] = "You are not allowed to edit this configuration item.";
 // User Center
 $content['LN_USER_CENTER'] = "User Options";
diff --git a/src/lang/pt_BR/admin.php b/src/lang/pt_BR/admin.php
index f67ea2a..83e69d5 100644
--- a/src/lang/pt_BR/admin.php
+++ b/src/lang/pt_BR/admin.php
@@ -102,6 +102,7 @@ $content['LN_GEN_INJECTHTMLHEADER'] = "Inject this html code into the <head&g
 $content['LN_GEN_INJECTBODYHEADER'] = "Inject this html code at the beginning of the <body> area.";
 $content['LN_GEN_INJECTBODYFOOTER'] = "Inject this html code at the end <body> area.";
 $content['LN_ADMIN_PHPLOGCON_LOGOURL'] = "Optional phpLogCon Logo URL. Leave empty to use the default one.";
+$content['LN_ADMIN_ERROR_NOTALLOWEDTOEDIT'] = "You are not allowed to edit this configuration item.";
 // User Center
 $content['LN_USER_CENTER'] = "User Options";
diff --git a/src/templates/admin/admin_sources.html b/src/templates/admin/admin_sources.html index 0f01296..b4ace41 100644 --- a/src/templates/admin/admin_sources.html +++ b/src/templates/admin/admin_sources.html @@ -290,7 +290,7 @@ {LN_GEN_GROUPONLY} - diff --git a/src/templates/admin/admin_views.html b/src/templates/admin/admin_views.html index 016a177..9d81ea7 100644 --- a/src/templates/admin/admin_views.html +++ b/src/templates/admin/admin_views.html @@ -81,7 +81,7 @@ {LN_GEN_GROUPONLY_LONG} -