Business/SiteWriter
2
0
Fork 0
Code Issues 3 Pull Requests Releases Wiki Activity

Add permissions enforcement, replace home page with sites, add missing strings, fix a bunch of PHP notices

Browse Source
This commit is contained in:
Skylar Ittner 2018-05-21 15:47:42 -06:00
parent 725e3c06d9
commit 008c46ebda
12 changed files with 107 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
action.php
View File

@ -9,6 +9,7 @@
*/
require_once __DIR__ . "/required.php";
require_once __DIR__ . "/lib/util.php";
require_once __DIR__ . "/lib/login.php";
if ($VARS['action'] !== "signout") {
dieifnotloggedin();
@ -38,6 +39,9 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST' && empty($_POST) &&
switch ($VARS['action']) {
case "newpage":
if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_EDIT")) {
returnToSender("no_permission");
}
if (is_empty($VARS['siteid']) || !$database->has("sites", ["siteid" => $VARS['siteid']])) {
returnToSender("invalid_parameters");
}
@ -76,6 +80,9 @@ switch ($VARS['action']) {
returnToSender("page_added", $VARS['siteid'] . "|" . $database->id());
break;
case "pagesettings":
if (!account_has_permission($_SESSION['username'], "SITEWRITER")) {
returnToSender("no_permission");
}
if (is_empty($VARS['siteid']) || !$database->has("sites", ["siteid" => $VARS['siteid']])) {
returnToSender("invalid_parameters");
}
@ -131,6 +138,9 @@ switch ($VARS['action']) {
returnToSender("settings_saved", $VARS['siteid'] . "|" . $VARS['pageid']);
break;
case "sitesettings":
if (!account_has_permission($_SESSION['username'], "SITEWRITER")) {
returnToSender("no_permission");
}
if (!is_empty($VARS['siteid'])) {
if (!$database->has("sites", ["siteid" => $VARS['siteid']])) {
returnToSender("invalid_parameters");
@ -188,6 +198,9 @@ switch ($VARS['action']) {
break;
case "saveedits":
header("Content-Type: application/json");
if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_EDIT")) {
exit(json_encode(['status' => "ERROR", 'message' => lang("no permission", false)]));
}
$slug = $VARS['slug'];
$site = $VARS['site'];
$content = $VARS['content'];
@ -215,6 +228,9 @@ switch ($VARS['action']) {
exit(json_encode(["status" => "OK"]));
break;
case "deletemessage":
if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_CONTACT")) {
returnToSender("no_permission");
}
if ($database->count('messages', ["mid" => $VARS['id']]) !== 1) {
returnToSender("invalid_parameters");
}
@ -222,6 +238,9 @@ switch ($VARS['action']) {
returnToSender("message_deleted");
break;
case "fileupload":
if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_FILES")) {
returnToSender("no_permission");
}
$destpath = FILE_UPLOAD_PATH . $VARS['path'];
if (strpos(realpath($destpath), FILE_UPLOAD_PATH) !== 0) {
returnToSender("file_security_error");
@ -291,6 +310,9 @@ switch ($VARS['action']) {
returnToSender("upload_success", "&path=" . $VARS['path']);
break;
case "newfolder":
if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_FILES")) {
returnToSender("no_permission");
}
$foldername = preg_replace("/[^a-z0-9_\-]/", "_", strtolower($VARS['folder']));
$newfolder = FILE_UPLOAD_PATH . $VARS['path'] . '/' . $foldername;
@ -300,6 +322,9 @@ switch ($VARS['action']) {
returnToSender("folder_not_created", "&path=" . $VARS['path']);
break;
case "filedelete":
if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_FILES")) {
returnToSender("no_permission");
}
$file = FILE_UPLOAD_PATH . $VARS['file'];
if (strpos(realpath($file), FILE_UPLOAD_PATH) !== 0) {
returnToSender("file_security_error");

5
lang/en_us.php
View File

@ -29,6 +29,7 @@ define("STRINGS", [
"login server user data error" => "The login server refused to provide account information. Try again or contact technical support.",
"captcha error" => "There was a problem with the CAPTCHA (robot test). Try again.",
"actions" => "Actions",
"no permission" => "You don't have permission to do that.",
"home" => "Home",
"editor" => "Editor",
"sites" => "Sites",
@ -133,4 +134,8 @@ define("STRINGS", [
"load more" => "Load more",
"search images" => "Search images",
"x results" => "{results} results",
"reply" => "Reply",
"delete" => "Delete",
"new folder" => "New Folder",
"new" => "New",
]);

4
lang/messages.php
View File

@ -89,4 +89,8 @@ define("MESSAGES", [
"string" => "folder not created",
"type" => "danger"
],
"no_permission" => [
"string" => "no permission",
"type" => "danger"
]
]);

1
lib/mimetypes.php
View File

@ -69,6 +69,7 @@ $MIMEICONS = [
"audio/x-wav" => "fas fa-file-audio",
"audio/webm" => "fas fa-file-audio",
"audio/midi" => "fas fa-music",
"audio/mpeg" => "fas fa-music",
"audio/3gpp" => "fas fa-file-audio",
"audio/3gpp2" => "fas fa-file-audio",
"audio/other" => "fas fa-file-audio",

2
pages.php
View File

@ -8,7 +8,7 @@
define("PAGES", [
"home" => [
"title" => "home",
"navbar" => true,
"navbar" => false,
"icon" => "fas fa-home"
],
"sites" => [

24
pages/analytics.php
View File

@ -7,20 +7,28 @@ require_once __DIR__ . '/../required.php';
redirectifnotloggedin();
require_once __DIR__ . "/../lib/login.php";
if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_ANALYTICS")) {
if ($_GET['msg'] != "no_permission") {
header("Location: app.php?page=analytics&msg=no_permission");
}
die();
}
$select_filter = [];
if (!is_empty($VARS['siteid'])) {
if (isset($VARS['siteid']) && !is_empty($VARS['siteid'])) {
if ($database->has('sites', ['siteid' => $VARS['siteid']])) {
$select_filter["analytics.siteid"] = $VARS['siteid'];
}
}
if (!is_empty($VARS['after'])) {
if (isset($VARS['after']) && !is_empty($VARS['after'])) {
if (strtotime($VARS['after']) !== FALSE) {
$select_filter["time[>]"] = date("Y-m-d H:i:s", strtotime($VARS['after']));
}
}
if (!is_empty($VARS['before'])) {
if (isset($VARS['before']) && !is_empty($VARS['before'])) {
if (strtotime($VARS['before']) !== FALSE) {
$select_filter["time[<]"] = date("Y-m-d H:i:s", strtotime($VARS['before']));
}
@ -47,9 +55,13 @@ $records = $database->select("analytics", [
], $where);
$format = "Y-m-00 00:00:00";
$max = $records[0];
$min = $records[count($records) - 1];
$diff = strtotime($max['time']) - strtotime($min['time']);
if (count($records) > 1) {
$max = $records[0];
$min = $records[count($records) - 1];
$diff = strtotime($max['time']) - strtotime($min['time']);
} else {
$diff = 0;
}
if ($diff < 60 * 60) { // 1 hour
$format = "Y-m-d H:i:00";
} else if ($diff < 60 * 60 * 24 * 3) { // 3 days

10
pages/editor.php
View File

@ -7,7 +7,15 @@ require_once __DIR__ . '/../required.php';
redirectifnotloggedin();
if (!is_empty($VARS['arg'])) {
require_once __DIR__ . "/../lib/login.php";
if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_EDIT")) {
if ($_GET['msg'] != "no_permission") {
header("Location: app.php?page=editor&msg=no_permission");
}
die();
}
if (isset($VARS['arg']) && !is_empty($VARS['arg'])) {
// Allow action.php to do a better redirect
$VARS['siteid'] = $VARS['arg'];
if (strpos($VARS['arg'], "|") !== FALSE) {

11
pages/files.php
View File

@ -7,6 +7,15 @@ require_once __DIR__ . '/../required.php';
redirectifnotloggedin();
require_once __DIR__ . "/../lib/login.php";
if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_FILES") && !account_has_permission($_SESSION['username'], "SITEWRITER_EDIT")) {
// Note: the EDIT permission is valid here because content editors can browse files anyways
if ($_GET['msg'] != "no_permission") {
header("Location: app.php?page=files&msg=no_permission");
}
die();
}
include_once __DIR__ . "/../lib/mimetypes.php";
$base = FILE_UPLOAD_PATH;
@ -111,7 +120,7 @@ $fullpath = $base . $folder;
} else { // Allow broad generic <format>/other icons
$mimefirst = explode("/", $mimetype, 2)[0];
if (array_key_exists($mimefirst . "/other", $MIMEICONS)) {
$icon = $MIMEICONS[$mimetype];
$icon = $MIMEICONS[$mimefirst . "/other"];
}
}
}

5
pages/home.php
View File

@ -6,6 +6,9 @@
require_once __DIR__ . '/../required.php';
redirectifnotloggedin();
header("Location: app.php?page=sites");
die();
?>
<div class="card-deck">
<?php
@ -49,7 +52,7 @@ redirectifnotloggedin();
$visits_week = count($uuids);
$views_week = count($visitors);
?>
<div class="card bg-<?php echo ($lowcnt > 0 ? "deep-orange" : "green"); ?> text-light">
<div class="card bg-green text-light">
<div class="card-body">
<h4 class="card-title"><?php lang("this week") ?></h4>
<h1><i class="fas fa-fw fa-users"></i> <?php echo $visits_week; ?> <?php

8
pages/messages.php
View File

@ -6,6 +6,14 @@
require_once __DIR__ . '/../required.php';
redirectifnotloggedin();
require_once __DIR__ . "/../lib/login.php";
if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_CONTACT")) {
if ($_GET['msg'] != "no_permission") {
header("Location: app.php?page=messages&msg=no_permission");
}
die();
}
?>
<table id="msgtable" class="table table-bordered table-hover table-sm">
<thead>

16
pages/sites.php
View File

@ -7,6 +7,12 @@ require_once __DIR__ . '/../required.php';
require_once __DIR__ . '/../lib/util.php';
redirectifnotloggedin();
require_once __DIR__ . "/../lib/login.php";
$showbuttons = true;
if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_EDIT")) {
$showbuttons = false;
}
?>
<div class="btn-group mb-2">
<a href="app.php?page=sitesettings" class="btn btn-success"><i class="fas fa-plus"></i> <?php lang("new site"); ?></a>
@ -37,8 +43,14 @@ redirectifnotloggedin();
<tr>
<td></td>
<td>
<a class="btn btn-primary btn-sm" href="app.php?page=editor&siteid=<?php echo $site['siteid']; ?>"><i class="fas fa-edit"></i> <?php lang("editor"); ?></a>
<a class="btn btn-secondary btn-sm" href="app.php?page=sitesettings&siteid=<?php echo $site['siteid']; ?>"><i class="fas fa-cog"></i> <?php lang("settings"); ?></a>
<?php
if ($showbuttons) {
?>
<a class="btn btn-primary btn-sm" href="app.php?page=editor&siteid=<?php echo $site['siteid']; ?>"><i class="fas fa-edit"></i> <?php lang("editor"); ?></a>
<a class="btn btn-secondary btn-sm" href="app.php?page=sitesettings&siteid=<?php echo $site['siteid']; ?>"><i class="fas fa-cog"></i> <?php lang("settings"); ?></a>
<?php
}
?>
<a class="btn btn-info btn-sm" href="<?php echo formatsiteurl($site['url']); ?>" target="_BLANK"><i class="fas fa-eye"></i> <?php lang("view"); ?></a>
</td>
<td><?php echo $site['sitename']; ?></td>

8
pages/sitesettings.php
View File

@ -7,6 +7,14 @@ require_once __DIR__ . '/../required.php';
redirectifnotloggedin();
require_once __DIR__ . "/../lib/login.php";
if (!account_has_permission($_SESSION['username'], "SITEWRITER")) {
if ($_GET['msg'] != "no_permission") {
header("Location: app.php?page=sitesettings&msg=no_permission");
}
die();
}
$editing = true;
$siteid = "";