From ca9b3cb2458ed697183806eb26a2b6709460edc2 Mon Sep 17 00:00:00 2001 From: Uwe Steinmann Date: Tue, 21 Mar 2017 11:35:39 +0100 Subject: [PATCH 1/6] no need to check for password, but check for ip, guest login and disabled accounts (Closes #250) --- webdav/webdav.php | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/webdav/webdav.php b/webdav/webdav.php index dd58d7868..e2ebd9790 100644 --- a/webdav/webdav.php +++ b/webdav/webdav.php @@ -138,7 +138,14 @@ class HTTP_WebDAV_Server_SeedDMS extends HTTP_WebDAV_Server if(!$userobj) return false; - if(md5($pass) != $userobj->getPwd()) + + if(($userobj->getID() == $settings->_guestID) && (!$settings->_enableGuestLogin)) + return false; + + if($userobj->isDisabled()) + return false; + + if($userobj->isAdmin() && ($_SERVER['REMOTE_ADDR'] != $settings->_adminIP ) && ( $settings->_adminIP != "")) return false; $this->user = $userobj; From fd6055d57723b9815b74bca4e0634cdd2929bb06 Mon Sep 17 00:00:00 2001 From: Uwe Steinmann Date: Tue, 21 Mar 2017 11:36:36 +0100 Subject: [PATCH 2/6] start new version 4.3.35 --- CHANGELOG | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGELOG b/CHANGELOG index a0a22f313..ca2f1cad3 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3 +1,8 @@ +-------------------------------------------------------------------------------- + Changes in version 4.3.35 +-------------------------------------------------------------------------------- +- fix authentication in webdav.php (Closes #250) + -------------------------------------------------------------------------------- Changes in version 4.3.34 -------------------------------------------------------------------------------- From 6bb6662de414650344b8b827be56b3458963c32f Mon Sep 17 00:00:00 2001 
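Review bot: The `md5($pass)` comparison is the only credential check visible in this hunk and it is removed without a replacement, so from this point on a caller that supplies a known login and any `$pass` is accepted unless the password was already verified earlier in the method, which starts outside the hunk. If that earlier verification exists, a comment where the old line stood should say so, e.g. `/* credentials were verified above; only account-policy checks follow */`; if it does not, the removed check has to be restored before the policy checks. The admin-IP test compares `$_SERVER['REMOTE_ADDR']` and `$settings->_adminIP` with loose `!=`, and the guest test uses `==`; `!==`/`===` avoid PHP's numeric-string comparison rules for what should be exact matches. `$settings` is neither a parameter nor declared `global` inside the hunk, so its scope in this method should be confirmed.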
From: Uwe Steinmann Date: Thu, 23 Mar 2017 15:39:18 +0100 Subject: [PATCH 3/6] start new version 4.3.35 --- Makefile | 2 +- SeedDMS_Core/Core/inc.ClassDMS.php | 2 +- SeedDMS_Core/Core/inc.DBAccessPDO.php | 8 ++++---- SeedDMS_Core/package.xml | 23 +++++++++++++++++++---- inc/inc.Version.php | 2 +- install/install.php | 2 +- 6 files changed, 27 insertions(+), 12 deletions(-) diff --git a/Makefile b/Makefile index 1870d74a9..66711f42a 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -VERSION=4.3.34 +VERSION=4.3.35 SRC=CHANGELOG inc conf utils index.php languages views op out doc styles LICENSE webdav install restapi pdfviewer # webapp diff --git a/SeedDMS_Core/Core/inc.ClassDMS.php b/SeedDMS_Core/Core/inc.ClassDMS.php index 957d5c868..37215e77b 100644 --- a/SeedDMS_Core/Core/inc.ClassDMS.php +++ b/SeedDMS_Core/Core/inc.ClassDMS.php @@ -307,7 +307,7 @@ class SeedDMS_Core_DMS { $this->callbacks = array(); $this->version = '@package_version@'; if($this->version[0] == '@') - $this->version = '4.3.34'; + $this->version = '4.3.35'; } /* }}} */ /** diff --git a/SeedDMS_Core/Core/inc.DBAccessPDO.php b/SeedDMS_Core/Core/inc.DBAccessPDO.php index 1b71bcd9b..ae271e46c 100644 --- a/SeedDMS_Core/Core/inc.DBAccessPDO.php +++ b/SeedDMS_Core/Core/inc.DBAccessPDO.php @@ -38,7 +38,7 @@ class SeedDMS_Core_DatabaseAccess { protected $_hostname; /** - * @var int port number of database + * @var int port number of database */ protected $_port; @@ -91,7 +91,7 @@ class SeedDMS_Core_DatabaseAccess { * @var boolean set to true if in a database transaction */ private $_intransaction; - + /** * Return list of all database tables * @@ -233,7 +233,7 @@ class SeedDMS_Core_DatabaseAccess { */ function getResultArray($queryStr) { /* {{{ */ $resArr = array(); - + $res = $this->_conn->query($queryStr); if ($res === false) { if($this->_debug) @@ -263,7 +263,7 @@ class SeedDMS_Core_DatabaseAccess { return false; } else return true; - + return $res; } /* }}} */ 
diff --git a/SeedDMS_Core/package.xml b/SeedDMS_Core/package.xml index 5d8181ce2..de00b956c 100644 --- a/SeedDMS_Core/package.xml +++ b/SeedDMS_Core/package.xml @@ -12,11 +12,11 @@ uwe@steinmann.cx yes - 2017-02-28 + 2017-03-22 - 4.3.34 - 4.3.34 + 4.3.35 + 4.3.35 stable @@ -24,7 +24,6 @@ GPL License -SeedDMS_Core_DMS::getDuplicateDocumentContent() returns complete document @@ -1125,5 +1124,21 @@ SeedDMS_Core_DMS::getNotificationsByUser() are deprecated - SeedDMЅ_Core_User::setFullname() minor fix in sql statement + + 2017-02-28 + + + 4.3.34 + 4.3.34 + + + stable + stable + + GPL License + +SeedDMS_Core_DMS::getDuplicateDocumentContent() returns complete document + + diff --git a/inc/inc.Version.php b/inc/inc.Version.php index 472cb634c..61bf92141 100644 --- a/inc/inc.Version.php +++ b/inc/inc.Version.php @@ -20,7 +20,7 @@ class SeedDMS_Version { - public $_number = "4.3.34"; + public $_number = "4.3.35"; private $_string = "SeedDMS"; function __construct() { diff --git a/install/install.php b/install/install.php index 313dcb475..6a04997dc 100644 --- a/install/install.php +++ b/install/install.php @@ -118,7 +118,7 @@ function fileExistsInIncludePath($file) { /* {{{ */ * Load default settings + set */ define("SEEDDMS_INSTALL", "on"); -define("SEEDDMS_VERSION", "4.3.34"); +define("SEEDDMS_VERSION", "4.3.35"); require_once('../inc/inc.ClassSettings.php'); From 46582a2be409a5cd79eec39a22063a9f33b2be5e Mon Sep 17 00:00:00 2001 From: Uwe Steinmann Date: Thu, 23 Mar 2017 17:25:54 +0100 Subject: [PATCH 4/6] update last access time only once a minute --- inc/inc.Authentication.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/inc/inc.Authentication.php b/inc/inc.Authentication.php index 64ef29d89..9226f62b2 100644 --- a/inc/inc.Authentication.php +++ b/inc/inc.Authentication.php 
@@ -48,7 +48,8 @@ if (!isset($_COOKIE["mydms_session"])) { } /* Update last access time */ -$session->updateAccess($dms_session); +if((int)$resArr['lastAccess']+60 < time()) + $session->updateAccess($dms_session); /* Load user data */ $user = $dms->getUser($resArr["userID"]); From 4265c965de3d4e3f7877a1e872a3b8af298c9f07 Mon Sep 17 00:00:00 2001 From: Uwe Steinmann Date: Thu, 23 Mar 2017 17:27:31 +0100 Subject: [PATCH 5/6] log all sql statements into file if log file is given --- SeedDMS_Core/Core/inc.DBAccessPDO.php | 41 +++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/SeedDMS_Core/Core/inc.DBAccessPDO.php b/SeedDMS_Core/Core/inc.DBAccessPDO.php index ae271e46c..76a5366a1 100644 --- a/SeedDMS_Core/Core/inc.DBAccessPDO.php +++ b/SeedDMS_Core/Core/inc.DBAccessPDO.php @@ -92,6 +92,16 @@ class SeedDMS_Core_DatabaseAccess { */ private $_intransaction; + /** + * @var string set a valid file name for logging all sql queries + */ + private $_logfile; + + /** + * @var resource file pointer of log file + */ + private $_logfp; + /** * Return list of all database tables * @@ -139,6 +149,13 @@ class SeedDMS_Core_DatabaseAccess { $this->_user = $user; $this->_passw = $passw; $this->_connected = false; + $this->_logfile = ''; + if($this->_logfile) { + $this->_logfp = fopen($this->_logfile, 'a+'); + if($this->_logfp) + fwrite($this->_logfp, microtime()." BEGIN ------------------------------------------\n"); + } else + $this->_logfp = null; // $tt*****id is a hack to ensure that we do not try to create the // temporary table twice during a single connection. Can be fixed by // using Views (MySQL 5.0 onward) instead of temporary tables. 
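Review bot: The throttle `if((int)$resArr['lastAccess']+60 < time())` assumes `lastAccess` holds a Unix timestamp; `$resArr` is filled outside the hunk, and if the column is stored in another form the cast gives a meaningless value and the write happens on every request as before, so the assumption deserves a comment, e.g. `/* lastAccess is a Unix timestamp; write it back at most once a minute */`. The change also means the stored access time can lag the real one by up to 60 seconds, which any idle-timeout derived from that column inherits; that trade-off is worth stating next to the condition.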
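Review bot: `$this->_logfile = '';` is assigned unconditionally right before `if($this->_logfile)`, so the logging branch in the constructor is dead code and the feature the subject line describes cannot be enabled without editing this method. If a developer-only switch is intended, a constructor argument or a setter such as `setLogFile($path)` would make the source of the path explicit; either way the code should say where the value is meant to come from. Every statement, including ones carrying credential hashes and document data, is written to the file verbatim, so the path must live outside the web root with restrictive permissions, and `'a'` is sufficient in place of `'a+'` since nothing reads the file back. The constructor's signature and the remainder of its body are outside the hunk.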
@@ -154,6 +171,24 @@ class SeedDMS_Core_DatabaseAccess { $this->_debug = false; } /* }}} */ + /** + * Constructor of SeedDMS_Core_DatabaseAccess + * + * Sets all database parameters but does not connect. + * + * @param string $driver the database type e.g. mysql, sqlite + * @param string $hostname host of database server + * @param string $user name of user having access to database + * @param string $passw password of user + * @param string $database name of database + */ + function __destruct() { /* {{{ */ + if($this->_logfp) { + fwrite($this->_logfp, microtime()." END --------------------------------------------\n"); + fclose($this->_logfp); + } + } /* }}} */ + /** * Connect to database * @@ -234,6 +269,9 @@ class SeedDMS_Core_DatabaseAccess { function getResultArray($queryStr) { /* {{{ */ $resArr = array(); + if($this->_logfp) { + fwrite($this->_logfp, microtime()." ".$queryStr."\n"); + } $res = $this->_conn->query($queryStr); if ($res === false) { if($this->_debug) @@ -256,6 +294,9 @@ class SeedDMS_Core_DatabaseAccess { * @return boolean true if query could be executed otherwise false */ function getResult($queryStr, $silent=false) { /* {{{ */ + if($this->_logfp) { + fwrite($this->_logfp, microtime()." ".$queryStr."\n"); + } $res = $this->_conn->exec($queryStr); if($res === false) { if($this->_debug) From 77aa03c318dc08bb1606a047af88c17bb5c2fa3f Mon Sep 17 00:00:00 2001 From: Uwe Steinmann Date: Thu, 23 Mar 2017 17:29:22 +0100 Subject: [PATCH 6/6] add entry for 4.3.35 --- CHANGELOG | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG b/CHANGELOG index ca2f1cad3..e4ef825b3 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -2,6 +2,7 @@ Changes in version 4.3.35 -------------------------------------------------------------------------------- - fix authentication in webdav.php (Closes #250) +- update last access time only once a minute -------------------------------------------------------------------------------- Changes in version 4.3.34
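Review bot: The docblock added above `__destruct()` is a copy of the constructor's ("Constructor of SeedDMS_Core_DatabaseAccess" with five `@param` lines for a method that takes no arguments) and documents the wrong method. Replace it with a short description of what the destructor actually does: write the `END` marker to the query log and `fclose()` it when `$this->_logfp` was opened. The `/* }}} */` of the preceding constructor is the first line of the hunk, so the two blocks are adjacent and the copy-paste origin is easy to see.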
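Review bot: The block `if($this->_logfp) { fwrite($this->_logfp, microtime()." ".$queryStr."\n"); }` is duplicated verbatim in `getResultArray()` (this hunk) and `getResult()` (the next hunk), and any further query path will need it a third time. A private helper such as `private function logQuery($queryStr) { if($this->_logfp) fwrite($this->_logfp, microtime()." ".$queryStr."\n"); }` called from both keeps the line format in one place and gives a single point to change if statement logging later needs to redact values. The return value of `fwrite()` is ignored, which is acceptable for best-effort diagnostics but deserves a short comment so it is not read as an oversight. Both enclosing methods continue outside their hunks.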