Add permissions enforcement, replace home page with sites, add missing strings, fix a bunch of PHP notices

action.php

@@ -9,6 +9,7 @@
  */
 require_once __DIR__ . "/required.php";
 require_once __DIR__ . "/lib/util.php";
+require_once __DIR__ . "/lib/login.php";
 
 if ($VARS['action'] !== "signout") {
     dieifnotloggedin();
@@ -38,6 +39,9 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST' && empty($_POST) &&
 
 switch ($VARS['action']) {
     case "newpage":
+        if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_EDIT")) {
+            returnToSender("no_permission");
+        }
         if (is_empty($VARS['siteid']) || !$database->has("sites", ["siteid" => $VARS['siteid']])) {
             returnToSender("invalid_parameters");
         }
@@ -76,6 +80,9 @@ switch ($VARS['action']) {
         returnToSender("page_added", $VARS['siteid'] . "|" . $database->id());
         break;
     case "pagesettings":
+        if (!account_has_permission($_SESSION['username'], "SITEWRITER")) {
+            returnToSender("no_permission");
+        }
         if (is_empty($VARS['siteid']) || !$database->has("sites", ["siteid" => $VARS['siteid']])) {
             returnToSender("invalid_parameters");
         }
@@ -131,6 +138,9 @@ switch ($VARS['action']) {
         returnToSender("settings_saved", $VARS['siteid'] . "|" . $VARS['pageid']);
         break;
     case "sitesettings":
+        if (!account_has_permission($_SESSION['username'], "SITEWRITER")) {
+            returnToSender("no_permission");
+        }
         if (!is_empty($VARS['siteid'])) {
             if (!$database->has("sites", ["siteid" => $VARS['siteid']])) {
                 returnToSender("invalid_parameters");
@@ -188,6 +198,9 @@ switch ($VARS['action']) {
         break;
     case "saveedits":
         header("Content-Type: application/json");
+        if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_EDIT")) {
+            exit(json_encode(['status' => "ERROR", 'message' => lang("no permission", false)]));
+        }
         $slug = $VARS['slug'];
         $site = $VARS['site'];
         $content = $VARS['content'];
@@ -215,6 +228,9 @@ switch ($VARS['action']) {
         exit(json_encode(["status" => "OK"]));
         break;
     case "deletemessage":
+        if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_CONTACT")) {
+            returnToSender("no_permission");
+        }
         if ($database->count('messages', ["mid" => $VARS['id']]) !== 1) {
             returnToSender("invalid_parameters");
         }
@@ -222,6 +238,9 @@ switch ($VARS['action']) {
         returnToSender("message_deleted");
         break;
     case "fileupload":
+        if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_FILES")) {
+            returnToSender("no_permission");
+        }
         $destpath = FILE_UPLOAD_PATH . $VARS['path'];
         if (strpos(realpath($destpath), FILE_UPLOAD_PATH) !== 0) {
             returnToSender("file_security_error");
@@ -291,6 +310,9 @@ switch ($VARS['action']) {
         returnToSender("upload_success", "&path=" . $VARS['path']);
         break;
     case "newfolder":
+        if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_FILES")) {
+            returnToSender("no_permission");
+        }
         $foldername = preg_replace("/[^a-z0-9_\-]/", "_", strtolower($VARS['folder']));
         $newfolder = FILE_UPLOAD_PATH . $VARS['path'] . '/' . $foldername;
 
@@ -300,6 +322,9 @@ switch ($VARS['action']) {
         returnToSender("folder_not_created", "&path=" . $VARS['path']);
         break;
     case "filedelete":
+        if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_FILES")) {
+            returnToSender("no_permission");
+        }
         $file = FILE_UPLOAD_PATH . $VARS['file'];
         if (strpos(realpath($file), FILE_UPLOAD_PATH) !== 0) {
             returnToSender("file_security_error");

lang/en_us.php

@@ -29,6 +29,7 @@ define("STRINGS", [
     "login server user data error" => "The login server refused to provide account information.  Try again or contact technical support.",
     "captcha error" => "There was a problem with the CAPTCHA (robot test).  Try again.",
     "actions" => "Actions",
+    "no permission" => "You don't have permission to do that.",
     "home" => "Home",
     "editor" => "Editor",
     "sites" => "Sites",
@@ -133,4 +134,8 @@ define("STRINGS", [
     "load more" => "Load more",
     "search images" => "Search images",
     "x results" => "{results} results",
+    "reply" => "Reply",
+    "delete" => "Delete",
+    "new folder" => "New Folder",
+    "new" => "New",
 ]);

lang/messages.php

@@ -89,4 +89,8 @@ define("MESSAGES", [
         "string" => "folder not created",
         "type" => "danger"
     ],
+    "no_permission" => [
+        "string" => "no permission",
+        "type" => "danger"
+    ]
 ]);

lib/mimetypes.php

@@ -69,6 +69,7 @@ $MIMEICONS = [
     "audio/x-wav" => "fas fa-file-audio",
     "audio/webm" => "fas fa-file-audio",
     "audio/midi" => "fas fa-music",
+    "audio/mpeg" => "fas fa-music",
     "audio/3gpp" => "fas fa-file-audio",
     "audio/3gpp2" => "fas fa-file-audio",
     "audio/other" => "fas fa-file-audio",

pages.php

@@ -8,7 +8,7 @@
 define("PAGES", [
     "home" => [
         "title" => "home",
-        "navbar" => true,
+        "navbar" => false,
         "icon" => "fas fa-home"
     ],
     "sites" => [

pages/analytics.php

@@ -7,20 +7,28 @@ require_once __DIR__ . '/../required.php';
 
 redirectifnotloggedin();
 
+require_once __DIR__ . "/../lib/login.php";
+if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_ANALYTICS")) {
+    if ($_GET['msg'] != "no_permission") {
+        header("Location: app.php?page=analytics&msg=no_permission");
+    }
+    die();
+}
+
 $select_filter = [];
 
-if (!is_empty($VARS['siteid'])) {
+if (isset($VARS['siteid']) && !is_empty($VARS['siteid'])) {
     if ($database->has('sites', ['siteid' => $VARS['siteid']])) {
         $select_filter["analytics.siteid"] = $VARS['siteid'];
     }
 }
 
-if (!is_empty($VARS['after'])) {
+if (isset($VARS['after']) && !is_empty($VARS['after'])) {
     if (strtotime($VARS['after']) !== FALSE) {
         $select_filter["time[>]"] = date("Y-m-d H:i:s", strtotime($VARS['after']));
     }
 }
-if (!is_empty($VARS['before'])) {
+if (isset($VARS['before']) && !is_empty($VARS['before'])) {
     if (strtotime($VARS['before']) !== FALSE) {
         $select_filter["time[<]"] = date("Y-m-d H:i:s", strtotime($VARS['before']));
     }
@@ -47,9 +55,13 @@ $records = $database->select("analytics", [
         ], $where);
 
 $format = "Y-m-00 00:00:00";
+if (count($records) > 1) {
     $max = $records[0];
     $min = $records[count($records) - 1];
     $diff = strtotime($max['time']) - strtotime($min['time']);
+} else {
+    $diff = 0;
+}
 if ($diff < 60 * 60) { // 1 hour
     $format = "Y-m-d H:i:00";
 } else if ($diff < 60 * 60 * 24 * 3) { // 3 days

pages/editor.php

@@ -7,7 +7,15 @@ require_once __DIR__ . '/../required.php';
 
 redirectifnotloggedin();
 
-if (!is_empty($VARS['arg'])) {
+require_once __DIR__ . "/../lib/login.php";
+if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_EDIT")) {
+    if ($_GET['msg'] != "no_permission") {
+        header("Location: app.php?page=editor&msg=no_permission");
+    }
+    die();
+}
+
+if (isset($VARS['arg']) && !is_empty($VARS['arg'])) {
     // Allow action.php to do a better redirect
     $VARS['siteid'] = $VARS['arg'];
     if (strpos($VARS['arg'], "|") !== FALSE) {

pages/files.php

@@ -7,6 +7,15 @@ require_once __DIR__ . '/../required.php';
 
 redirectifnotloggedin();
 
+require_once __DIR__ . "/../lib/login.php";
+if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_FILES") && !account_has_permission($_SESSION['username'], "SITEWRITER_EDIT")) {
+    // Note: the EDIT permission is valid here because content editors can browse files anyways
+    if ($_GET['msg'] != "no_permission") {
+        header("Location: app.php?page=files&msg=no_permission");
+    }
+    die();
+}
+
 include_once __DIR__ . "/../lib/mimetypes.php";
 
 $base = FILE_UPLOAD_PATH;
@@ -111,7 +120,7 @@ $fullpath = $base . $folder;
                         } else { // Allow broad generic <format>/other icons
                             $mimefirst = explode("/", $mimetype, 2)[0];
                             if (array_key_exists($mimefirst . "/other", $MIMEICONS)) {
-                                $icon = $MIMEICONS[$mimetype];
+                                $icon = $MIMEICONS[$mimefirst . "/other"];
                             }
                         }
                     }

pages/home.php

@@ -6,6 +6,9 @@
 require_once __DIR__ . '/../required.php';
 
 redirectifnotloggedin();
+
+header("Location: app.php?page=sites");
+die();
 ?>
 <div class="card-deck">
     <?php
@@ -49,7 +52,7 @@ redirectifnotloggedin();
     $visits_week = count($uuids);
     $views_week = count($visitors);
     ?>
-    <div class="card bg-<?php echo ($lowcnt > 0 ? "deep-orange" : "green"); ?> text-light">
+    <div class="card bg-green text-light">
         <div class="card-body">
             <h4 class="card-title"><?php lang("this week") ?></h4>
             <h1><i class="fas fa-fw fa-users"></i> <?php echo $visits_week; ?> <?php

pages/messages.php

@@ -6,6 +6,14 @@
 require_once __DIR__ . '/../required.php';
 
 redirectifnotloggedin();
+
+require_once __DIR__ . "/../lib/login.php";
+if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_CONTACT")) {
+    if ($_GET['msg'] != "no_permission") {
+        header("Location: app.php?page=messages&msg=no_permission");
+    }
+    die();
+}
 ?>
 <table id="msgtable" class="table table-bordered table-hover table-sm">
     <thead>

pages/sites.php

@@ -7,6 +7,12 @@ require_once __DIR__ . '/../required.php';
 require_once __DIR__ . '/../lib/util.php';
 
 redirectifnotloggedin();
+
+require_once __DIR__ . "/../lib/login.php";
+$showbuttons = true;
+if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_EDIT")) {
+    $showbuttons = false;
+}
 ?>
 <div class="btn-group mb-2">
     <a href="app.php?page=sitesettings" class="btn btn-success"><i class="fas fa-plus"></i> <?php lang("new site"); ?></a>
@@ -37,8 +43,14 @@ redirectifnotloggedin();
             <tr>
                 <td></td>
                 <td>
+                    <?php
+                    if ($showbuttons) {
+                        ?>
                         <a class="btn btn-primary btn-sm" href="app.php?page=editor&siteid=<?php echo $site['siteid']; ?>"><i class="fas fa-edit"></i> <?php lang("editor"); ?></a>
                         <a class="btn btn-secondary btn-sm" href="app.php?page=sitesettings&siteid=<?php echo $site['siteid']; ?>"><i class="fas fa-cog"></i> <?php lang("settings"); ?></a>
+                        <?php
+                    }
+                    ?>
                     <a class="btn btn-info btn-sm" href="<?php echo formatsiteurl($site['url']); ?>" target="_BLANK"><i class="fas fa-eye"></i> <?php lang("view"); ?></a>
                 </td>
                 <td><?php echo $site['sitename']; ?></td>

pages/sitesettings.php

@@ -7,6 +7,14 @@ require_once __DIR__ . '/../required.php';
 
 redirectifnotloggedin();
 
+require_once __DIR__ . "/../lib/login.php";
+if (!account_has_permission($_SESSION['username'], "SITEWRITER")) {
+    if ($_GET['msg'] != "no_permission") {
+        header("Location: app.php?page=sitesettings&msg=no_permission");
+    }
+    die();
+}
+
 $editing = true;
 
 $siteid = "";