Business/NewsPen
2
0
Fork 0
Code Issues 4 Pull Requests Releases Wiki Activity

Enforce permissions (TODO: PASSWORD) (issue #1)

Browse Source
This commit is contained in:
Skylar Ittner 2017-12-02 19:00:31 -07:00
parent db75e7dc7c
commit 72c2cb2e1b
7 changed files with 133 additions and 83 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
action.php
View File

@ -33,6 +33,9 @@ switch ($VARS['action']) {
} else {
if ($database->has('publications', ['pubid' => $VARS['pubid']])) {
$insert = false;
if ($database->get("publications", 'uid', ['pubid' => $VARS['pubid']]) != $_SESSION['uid']) {
returnToSender("no_permission");
}
} else {
returnToSender("invalid_pubid");
}
@ -98,6 +101,9 @@ switch ($VARS['action']) {
returnToSender("pub_saved");
case "deletepub":
if ($database->has('publications', ['pubid' => $VARS['pubid']])) {
if ($database->get("publications", 'uid', ['pubid' => $VARS['pubid']]) != $_SESSION['uid']) {
returnToSender("no_permission");
}
$database->delete('tiles', ['pubid' => $VARS['pubid']]);
$database->delete('publications', ['pubid' => $VARS['pubid']]);
returnToSender("pub_deleted");
@ -109,6 +115,10 @@ switch ($VARS['action']) {
die(json_encode(["status" => "ERROR", "msg" => lang("invalid pubid", false)]));
}
if ($database->get("publications", 'uid', ['pubid' => $VARS['pubid']]) != $_SESSION['uid']) {
die(json_encode(["status" => "ERROR", "msg" => lang("no permission", false)]));
}
$data = [
"pubid" => $VARS['pubid'],
"page" => $VARS['page'],
@ -130,6 +140,10 @@ switch ($VARS['action']) {
die(json_encode(["status" => "ERROR", "msg" => lang("invalid tileid", false)]));
}
if ($database->get("publications", 'uid', ['pubid' => $VARS['pubid']]) != $_SESSION['uid']) {
die(json_encode(["status" => "ERROR", "msg" => lang("no permission", false)]));
}
$database->delete('tiles', ["tileid" => $VARS['tileid']]);
exit(json_encode(["status" => "OK"]));
case "signout":

3
lang/en_us.php
View File

@ -60,5 +60,6 @@ define("STRINGS", [
"edit content" => "Edit Content",
"delete" => "Delete",
"open" => "Open",
"page" => "Page"
"page" => "Page",
"no permission" => "You don't have permission to do that."
]);

4
lang/messages.php
View File

@ -25,4 +25,8 @@ define("MESSAGES", [
"string" => "invalid pubid",
"type" => "danger"
],
"no_permission" => [
"string" => "no permission",
"type" => "danger"
],
]);

11
lib/gencontent.php
View File

@ -1,12 +1,19 @@
<?php
require_once __DIR__ . "/../required.php";
dieifnotloggedin();
if (!defined("IN_NEWSPEN")) {
if (is_numeric($VARS['pubid'])) {
if ($database->has('publications', ['pubid' => $VARS['pubid']])) {
$pub = $VARS['pubid'];
$pubdata = $database->get("publications", ["pubname", "pubdate", "styleid", "columns", "page_size", "landscape"], ["pubid" => $pub]);
$pubdata = $database->get("publications", ["[>]pub_permissions" => ["permid" => "permid"]], ["pubname", "uid", "pubdate", "styleid", "columns", "page_size", "landscape", "publications.permid", "permname"], ["pubid" => $pub]);
if ($pubdata["permname"] != "LINK") {
dieifnotloggedin();
}
if ($pubdata["uid"] != $_SESSION['uid']) {
if ($pubdata["permname"] == "OWNER") {
die(lang("no permission"));
}
}
} else {
die(lang("invalid parameters", false));
}

16
lib/getpubtable.php
View File

@ -62,6 +62,13 @@ if (!is_null($order)) {
$where["ORDER"] = $order;
}
$where["OR #perms"] = [
"uid" => $_SESSION['uid'],
"permname #logg" => "LOGGEDIN",
"permname #link" => "LINK"
];
//var_dump($where);
$pubs = $database->select('publications', [
'[>]pub_styles' => ['styleid' => 'styleid'],
@ -82,7 +89,6 @@ $pubs = $database->select('publications', [
], $where);
$out['status'] = "OK";
if ($filter) {
$recordsFiltered = $database->count('publications', [
@ -96,8 +102,12 @@ $out['recordsFiltered'] = $recordsFiltered;
$usercache = [];
for ($i = 0; $i < count($pubs); $i++) {
$pubs[$i]["editbtn"] = '<a class="btn btn-blue btn-xs" href="app.php?page=editpub&id=' . $pubs[$i]['pubid'] . '"><i class="fa fa-pencil-square-o"></i> ' . lang("edit", false) . '</a>';
$pubs[$i]["clonebtn"] = '<a class="btn btn-green btn-xs" href="app.php?page=editpub&id=' . $pubs[$i]['pubid'] . '&clone=1"><i class="fa fa-clone"></i> ' . lang("clone", false) . '</a>';
if ($pubs[$i]["uid"] == $_SESSION['uid']) {
$pubs[$i]["editbtn"] = '<a class="btn btn-primary btn-xs" href="app.php?page=editpub&id=' . $pubs[$i]['pubid'] . '"><i class="fa fa-pencil-square-o"></i> ' . lang("edit", false) . '</a>';
} else {
$pubs[$i]["editbtn"] = '<a class="btn btn-purple btn-xs" href="app.php?page=content&pubid=' . $pubs[$i]['pubid'] . '"><i class="fa fa-eye"></i> ' . lang("view", false) . '</a>';
}
$pubs[$i]["clonebtn"] = '<a class="btn btn-success btn-xs" href="app.php?page=editpub&id=' . $pubs[$i]['pubid'] . '&clone=1"><i class="fa fa-clone"></i> ' . lang("clone", false) . '</a>';
$pubs[$i]["pubdate"] = date(DATETIME_FORMAT, strtotime($pubs[$i]["pubdate"]));
if (is_null($pubs[$i]['uid'])) {
$pubs[$i]["username"] = "";

22
pages/content.php
View File

@ -7,10 +7,20 @@ $pub = false;
$pubdata = [];
$edit = false;
if (is_numeric($VARS['pubid'])) {
if ($database->has('publications', ['pubid' => $VARS['pubid']])) {
$pub = $VARS['pubid'];
$pubdata = $database->get("publications", ["pubname", "pubdate", "styleid", "columns", "page_size", "landscape"], ["pubid" => $pub]);
$pubdata = $database->get("publications", ["[>]pub_permissions" => ["permid" => "permid"]], ["pubname", "uid", "pubdate", "styleid", "columns", "page_size", "landscape", "publications.permid", "permname"], ["pubid" => $pub]);
if ($pubdata["uid"] == $_SESSION['uid']) {
$edit = true;
} else {
if ($pubdata["permname"] == "OWNER") {
header("Location: app.php?page=content&msg=no_permission");
die();
}
}
} else {
header("Location: app.php?page=content&msg=invalid_pubid");
die();
@ -33,13 +43,13 @@ if ($pub === false) {
?>
</select>
<input type="hidden" name="page" value="content" />
<button type="submit" class="btn btn-success"><i class="fa fa-arrow-right"></i> <?php lang("open"); ?></button>
<button type="submit" class="btn btn-success"><i class="fa fa-folder-open-o"></i> <?php lang("open"); ?></button>
</form>
</div>
<?php
} else {
?>
<?php if ($edit) { ?>
<div class="modal fade" id="tile-options-modal" tabindex="-1" role="dialog" aria-labelledby="tile-options-title">
<div class="modal-dialog" role="document">
<div class="modal-content">
@ -125,15 +135,19 @@ if ($pub === false) {
</div>
</div>
<?php } ?>
<div class="btn-group mgn-btm-10px">
<?php if ($edit) { ?>
<div class="btn btn-success" id="new_tile_btn" data-toggle="modal" data-target="#new-tile-modal"><i class="fa fa-plus"></i> <?php lang("new tile"); ?></div>
<?php } ?>
<a class="btn btn-primary" id="preview_btn" href="lib/gencontent.php?pubid=<?php echo $pub; ?>" target="_BLANK"><i class="fa fa-search"></i> <?php lang("preview"); ?></a>
</div>
<div class="pages-box">
<?php
define("IN_NEWSPEN", true);
define("EDIT_MODE", true);
define("EDIT_MODE", $edit);
require_once __DIR__ . "/../lib/gencontent.php";
echo $content;
?>

2
pages/editpub.php
View File

@ -43,7 +43,7 @@ if (!is_empty($VARS['id'])) {
?>
<form role="form" action="action.php" method="POST">
<div class="panel panel-blue">
<div class="panel panel-primary">
<div class="panel-heading">
<h3 class="panel-title">
<?php