From e4bc8d2180a63eba9599f6b0a379d9faed5f1e6a Mon Sep 17 00:00:00 2001 From: Uwe Steinmann Date: Fri, 4 Mar 2016 09:36:08 +0100 Subject: [PATCH] add advanced access check --- out/out.Acl.php | 13 ++++++++----- out/out.AdminTools.php | 15 ++++++++------- out/out.GroupMgr.php | 17 ++++++++++++----- out/out.Info.php | 15 ++++++++------- out/out.RoleMgr.php | 13 ++++++++----- out/out.UserList.php | 13 ++++++++----- out/out.UsrMgr.php | 22 +++++++++++++++++----- 7 files changed, 69 insertions(+), 39 deletions(-) diff --git a/out/out.Acl.php b/out/out.Acl.php index 1075b4bbd..04efdb7bf 100644 --- a/out/out.Acl.php +++ b/out/out.Acl.php @@ -25,7 +25,10 @@ include("../inc/inc.ClassUI.php"); include("../inc/inc.ClassAcl.php"); include("../inc/inc.Authentication.php"); -if (!$user->isAdmin()) { +$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME'])); +$view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user)); +$accessop = new SeedDMS_AccessOperation($dms, $user, $settings); +if (!$accessop->check_view_access($view, $_GET) && !$user->isAdmin()) { UI::exitError(getMLText("admin_tools"),getMLText("access_denied")); } @@ -40,10 +43,10 @@ if(isset($_GET['roleid']) && $_GET['roleid']) { $selrole = null; } -$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME'])); -$view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user, 'settings'=>$settings, 'selrole'=>$selrole, 'allroles'=>$roles)); if($view) { + $view->setParam('settings', $settings); + $view->setParam('selrole', $selrole); + $view->setParam('allroles', $roles); + $view->setParam('accessobject', $accessop); $view($_GET); - exit; } - diff --git a/out/out.AdminTools.php b/out/out.AdminTools.php index dce5690c0..4b02373c5 100644 --- a/out/out.AdminTools.php +++ b/out/out.AdminTools.php @@ -24,15 +24,16 @@ include("../inc/inc.DBInit.php"); include("../inc/inc.ClassUI.php"); include("../inc/inc.Authentication.php"); -if (!$user->isAdmin()) { +$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME'])); +$view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user)); +$accessop = new SeedDMS_AccessOperation($dms, $user, $settings); +if (!$accessop->check_view_access($view, $_GET) && !$user->isAdmin()) { UI::exitError(getMLText("admin_tools"),getMLText("access_denied")); } -$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME'])); -$view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user, 'enablefullsearch'=>$settings->_enableFullSearch, 'logfileenable'=>$settings->_logFileEnable)); if($view) { - $view->show(); - exit; + $view->setParam('enablefullsearch', $settings->_enableFullSearch); + $view->setParam('logfileenable', $settings->_logFileEnable); + $view->setParam('accessobject', $accessop); + $view($_GET); } - -?> diff --git a/out/out.GroupMgr.php b/out/out.GroupMgr.php index 0ebe39b77..4fdd806b5 100644 --- a/out/out.GroupMgr.php +++ b/out/out.GroupMgr.php @@ -32,7 +32,10 @@ include("../inc/inc.Authentication.php"); */ require_once("SeedDMS/Preview.php"); -if (!$user->isAdmin()) { +$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME'])); +$view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user)); +$accessop = new SeedDMS_AccessOperation($dms, $user, $settings); +if (!$accessop->check_view_access($view, $_GET) && !$user->isAdmin()) { UI::exitError(getMLText("admin_tools"),getMLText("access_denied")); } @@ -52,10 +55,14 @@ if(isset($_GET['groupid']) && $_GET['groupid']) { $selgroup = null; } -$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME'])); -$view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user, 'selgroup'=>$selgroup, 'allgroups'=>$allGroups, 'allusers'=>$allUsers, 'strictformcheck'=>$settings->_strictFormCheck, 'cachedir'=>$settings->_cacheDir, 'previewWidthList'=>$settings->_previewWidthList, 'workflowmode'=>$settings->_workflowMode, 'timeout'=>$settings->_cmdTimeout)); if($view) { + $view->setParam('selgroup', $selgroup); + $view->setParam('allgroups', $allGroups); + $view->setParam('allusers', $allUsers); + $view->setParam('strictformcheck', $settings->_strictFormCheck); + $view->setParam('cachedir', $settings->_cacheDir); + $view->setParam('previewWidthList', $settings->_previewWidthList); + $view->setParam('workflowmode', $settings->_workflowMode); + $view->setParam('timeout', $settings->_cmdTimeout); $view($_GET); } - -?> diff --git a/out/out.Info.php b/out/out.Info.php index 3fdc51744..5e63ae1d1 100644 --- a/out/out.Info.php +++ b/out/out.Info.php @@ -27,7 +27,10 @@ include("../inc/inc.DBInit.php"); include("../inc/inc.ClassUI.php"); include("../inc/inc.Authentication.php"); -if (!$user->isAdmin()) { +$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME'])); +$view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user)); +$accessop = new SeedDMS_AccessOperation($dms, $user, $settings); +if (!$accessop->check_view_access($view, $_GET) && !$user->isAdmin()) { UI::exitError(getMLText("admin_tools"),getMLText("access_denied")); } @@ -42,11 +45,9 @@ if(@ini_get('allow_url_fopen') == '1') { } } -$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME'])); -$view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user, 'version'=>$v, 'availversions'=>$versions)); if($view) { - $view->show(); - exit; + $view->setParam('version', $v); + $view->setParam('availversions', $versions); + $view->setParam('accessobject', $accessop); + $view($_GET); } - -?> diff --git a/out/out.RoleMgr.php b/out/out.RoleMgr.php index 76785d81a..1873fde98 100644 --- a/out/out.RoleMgr.php +++ b/out/out.RoleMgr.php @@ -26,7 +26,10 @@ include("../inc/inc.DBInit.php"); include("../inc/inc.ClassUI.php"); include("../inc/inc.Authentication.php"); -if (!$user->isAdmin()) { +$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME'])); +$view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user)); +$accessop = new SeedDMS_AccessOperation($dms, $user, $settings); +if (!$accessop->check_view_access($view, $_GET) && !$user->isAdmin()) { UI::exitError(getMLText("admin_tools"),getMLText("access_denied")); } @@ -46,10 +49,10 @@ if(isset($_GET['roleid']) && $_GET['roleid']) { $selrole = null; } -$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME'])); -$view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user, 'selrole'=>$selrole, 'allusers'=>$users, 'allroles'=>$roles)); if($view) { + $view->setParam('selrole', $selrole); + $view->setParam('allusers', $users); + $view->setParam('allroles', $roles); + $view->setParam('accessobject', $accessop); $view($_GET); } - -?> diff --git a/out/out.UserList.php b/out/out.UserList.php index f53da8030..f95547e96 100644 --- a/out/out.UserList.php +++ b/out/out.UserList.php @@ -25,17 +25,20 @@ include("../inc/inc.ClassUI.php"); include("../inc/inc.Authentication.php"); include("../inc/inc.ClassPasswordStrength.php"); -if (!$user->isAdmin()) { +$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME'])); +$view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user)); +$accessop = new SeedDMS_AccessOperation($dms, $user, $settings); +if (!$accessop->check_view_access($view, $_GET) && !$user->isAdmin()) { UI::exitError(getMLText("admin_tools"),getMLText("access_denied")); } $allUsers = $dms->getAllUsers($settings->_sortUsersInList); -$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME'])); -$view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user, 'allusers'=>$allUsers, 'httproot'=>$settings->_httpRoot, 'quota'=>$settings->_quota, 'pwdexpiration'=>$settings->_passwordExpiration)); if($view) { + $view->setParam('allusers', $allUsers); + $view->setParam('httproot', $settings->_httpRoot); + $view->setParam('quota', $settings->_quota); + $view->setParam('pwdexpiration', $settings->_passwordExpiration); $view($_GET); exit; } - -?> diff --git a/out/out.UsrMgr.php b/out/out.UsrMgr.php index 0800254ba..2a5688f20 100644 --- a/out/out.UsrMgr.php +++ b/out/out.UsrMgr.php @@ -26,7 +26,10 @@ include("../inc/inc.DBInit.php"); include("../inc/inc.ClassUI.php"); include("../inc/inc.Authentication.php"); -if (!$user->isAdmin()) { +$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME'])); +$view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user)); +$accessop = new SeedDMS_AccessOperation($dms, $user, $settings); +if (!$accessop->check_view_access($view, $_GET) && !$user->isAdmin()) { UI::exitError(getMLText("admin_tools"),getMLText("access_denied")); } @@ -51,10 +54,19 @@ if(isset($_GET['userid']) && $_GET['userid']) { $seluser = null; } -$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME'])); -$view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user, 'seluser'=>$seluser, 'allusers'=>$users, 'allgroups'=>$groups, 'allroles'=>$roles, 'passwordstrength'=>$settings->_passwordStrength, 'passwordexpiration'=>$settings->_passwordExpiration, 'httproot'=>$settings->_httpRoot, 'enableuserimage'=>$settings->_enableUserImage, 'undeluserids'=>explode(',', $settings->_undelUserIds), 'workflowmode'=>$settings->_workflowMode, 'quota'=>$settings->_quota, 'strictformcheck'=>$settings->_strictFormCheck)); if($view) { + $view->setParam('seluser', $seluser); + $view->setParam('allusers', $users); + $view->setParam('allgroups', $groups); + $view->setParam('allroles', $roles); + $view->setParam('passwordstrength', $settings->_passwordStrength); + $view->setParam('passwordexpiration', $settings->_passwordExpiration); + $view->setParam('httproot', $settings->_httpRoot); + $view->setParam('enableuserimage', $settings->_enableUserImage); + $view->setParam('undeluserids', explode(',', $settings->_undelUserIds)); + $view->setParam('workflowmode', $settings->_workflowMode); + $view->setParam('quota', $settings->_quota); + $view->setParam('strictformcheck', $settings->_strictFormCheck); + $view->setParam('accessobject', $accessop); $view($_GET); } - -?>