2008-10-14 Esteban Sanchez <estebans@artica.es>

* operation/reporting/reporting_viewer.php,
        operation/reporting/custom_reporting.php: Fixed checking of private
        reports.

        * operation/reporting/custom_reporting.php: Do not show reports that
        the user cannot see.



git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@1148 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
Esteban Sanchez 2008-10-14 06:40:05 +00:00
parent a508f64b7e
commit 4b1b4dc1cc
4 changed files with 47 additions and 35 deletions


@ -1,3 +1,12 @@
2008-10-14 Esteban Sanchez <estebans@artica.es>
* operation/reporting/reporting_viewer.php,
operation/reporting/custom_reporting.php: Fixed checking of private
reports.
* operation/reporting/custom_reporting.php: Do not show reports that
user can not see.
2008-10-13 Sancho Lerena <slerena@artica.es>
* agent_disk_conf_editor.php: Now load enterprise code


@ -53,6 +53,10 @@ $table->align[3] = 'center';
$table->data = array ();
foreach ($reports as $report) {
if ($report['private'] && ($report['id_user'] != $config['id_user'] && ! dame_admin ($config['id_user']))) {
continue;
}
$data = array ();
$data[0] = $report['name'];
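Review bot: The visibility predicate added on the `if` inside the foreach is the same expression this commit also writes into the next two file sections (the hunks at `@ -42,7 +42,8` and `@ -118,7 +116,7`), so the access rule now lives in three places and the next correction has to be repeated three times. Since the second section already does `require ("include/functions_reporting.php")`, a helper there — say `function is_report_visible ($report, $id_user)` returning `! $report['private'] || $report['id_user'] == $id_user || dame_admin ($id_user)` — would let this line read `if (! is_report_visible ($report, $config['id_user'])) { continue; }`. Inside the loop `dame_admin ($config['id_user'])` is also re-evaluated for every private report although its argument never changes; if that is a database lookup (not visible here), computing it once before the loop avoids a query per report. The foreach opened on the line above continues past the end of the hunk.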


@ -42,7 +42,8 @@ if (! give_acl ($config['id_user'], $report['id_group'], "AR")) {
require ("include/functions_reporting.php");
/* Check if the user can see the graph */
if ($report['id_user'] != $config['id_user'] && ! dame_admin ($config['id_user']) && ! $report['private']) {
if ($report['private'] && ($report['id_user'] != $config['id_user'] && ! dame_admin ($config['id_user']))) {
include ("general/noaccess.php");
return;
}
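Review bot: The corrected condition on the new line still compares user ids with loose `!=`, so two ids that both look numeric are compared as numbers rather than as strings (constructed example: `'01'` and `'1'` would count as the same user), and `$report['private']` is tested only by truthiness. Given that `id_usuario` is selected as a string column in the last file section, `!==` is the safer comparison: `if ($report['private'] && ($report['id_user'] !== $config['id_user'] && ! dame_admin ($config['id_user']))) {`. The same loose comparison is in the equivalent line added to custom_reporting.php and in the last hunk on this page (`@ -118,7 +116,7`). Whether the stored id and the session id can differ in type (int versus string) I cannot tell from here; if they can, normalise both to string before comparing strictly.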


@ -60,38 +60,36 @@ if (isset ($_GET["direct"])) {
$nick = get_parameter ("nick");
$pass = get_parameter ("pass");
// Connect to Database
$sql = sprintf("SELECT `id_usuario`, `password` FROM `tusuario` WHERE `id_usuario` = '%s'",$nick);
$row = get_db_row_sql ($sql);
$sql = sprintf("SELECT `id_usuario`, `password` FROM `tusuario` WHERE `id_usuario` = '%s'",$nick);
$row = get_db_row_sql ($sql);
// For every registry
if ($row !== false) {
if ($row["password"] == md5 ($pass)) {
// Login OK
// Nick could be uppercase or lowercase (select in MySQL
// is not case sensitive)
// We get DB nick to put in PHP Session variable,
// to avoid problems with case-sensitive usernames.
// Thanks to David Muñiz for Bug discovery :)
$nick = $row["id_usuario"];
update_user_contact ($nick);
$_SESSION['id_usuario'] = $nick;
$config['id_user'] = $nick;
unset ($_GET['pass'], $pass);
} else {
// Login failed (bad password)
echo "Logon failed";
audit_db ($nick, $_SERVER['REMOTE_ADDR'], "Logon Failed",
"Incorrect password: " . $nick);
exit;
}
} else {
// User not known
echo "Logon failed";
audit_db ($nick, $_SERVER['REMOTE_ADDR'], "Logon Failed",
"Invalid username: " . $nick);
exit;
}
// For every registry
if ($row !== false) {
if ($row["password"] == md5 ($pass)) {
// Login OK
// Nick could be uppercase or lowercase (select in MySQL
// is not case sensitive)
// We get DB nick to put in PHP Session variable,
// to avoid problems with case-sensitive usernames.
// Thanks to David Muñiz for Bug discovery :)
$nick = $row["id_usuario"];
update_user_contact ($nick);
$_SESSION['id_usuario'] = $nick;
$config['id_user'] = $nick;
unset ($_GET['pass'], $pass);
} else {
// Login failed (bad password)
echo "Logon failed";
audit_db ($nick, $_SERVER['REMOTE_ADDR'], "Logon Failed",
"Incorrect password: " . $nick);
exit;
}
} else {
// User not known
echo "Logon failed";
audit_db ($nick, $_SERVER['REMOTE_ADDR'], "Logon Failed", "Invalid username: " . $nick);
exit;
}
} else {
require_once ("include/config.php");
@ -118,7 +116,7 @@ if (! give_acl ($config['id_user'], $report['id_group'], "AR")) {
}
/* Check if the user can see the graph */
if ($report['id_user'] != $config['id_user'] && ! dame_admin ($config['id_user']) && ! $report['private']) {
if ($report['private'] && ($report['id_user'] != $config['id_user'] && ! dame_admin ($config['id_user']))) {
return;
}
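Review bot: In the re-indented login block of the first hunk, `if ($row["password"] == md5 ($pass))` compares the stored digest with loose `==`; PHP compares two strings numerically when both parse as numbers, so distinct digests can compare equal and the check should be strict: `if ($row["password"] === md5 ($pass)) {` (or `hash_equals()` where the PHP version provides it). The `sprintf` query above it places `$nick` directly into the SQL string via `'%s'`; unless `get_parameter()` already escapes for the database (not visible here), the value should be escaped or bound before the statement is built. The `if (isset ($_GET["direct"]))` block this hunk sits in starts before the hunk, and the unsalted MD5 storage of passwords is a separate follow-up outside this change.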