Commit beb79651 authored by Mal's avatar Mal

Added permission member variables to user class, used in place

of function calls in modules.
Added surcharge field to banking table.
Made download.php more flexible with urls passed in as files.
Bug in permission.php returned before group permission was checked.
parent 4de5a511
......@@ -141,7 +141,7 @@ class Banking extends Base {
// This query does the insert without needing to check for an existing
// user. (The duplicate key update doesn't do anything).
$query = 'INSERT INTO banking VALUES ("'.$this->user->name.'", "'.
$reference.'", "", "", "", "1", "0") ON DUPLICATE KEY UPDATE user="'.
$reference.'", "", "", "", "1", "1", "0") ON DUPLICATE KEY UPDATE user="'.
$this->user->name.'"';
if (!$mysqli->query($query)) {
$this->Log('Banking->Copy 2: '.$mysqli->error);
......@@ -208,9 +208,13 @@ class Banking extends Base {
// This is called when the version of the module is updated,
// to provide a way to update or modify tables etc..
$mysqli = connect_db();
$query = 'ALTER TABLE banking ADD COLUMN surcharge TINYINT(1)';
$query = 'ALTER TABLE banking ADD COLUMN surcharge TINYINT(1) AFTER credit';
if (!$mysqli->query($query)) {
$this->Log('Banking->Update: '.$mysqli->error);
$this->Log('Banking->Update 1: '.$mysqli->error);
}
$query = 'UPDATE banking SET surcharge="1"';
if (!$mysqli->query($query)) {
$this->Log('Banking->Update 2: '.$mysqli->error);
}
$mysqli->close();
}
......
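Review bot: In the Update hunk the new `UPDATE banking SET surcharge="1"` runs unconditionally, so the next time a version change reaches this method the `ALTER TABLE ... ADD COLUMN` fails (logged as `Banking->Update 1`) and the UPDATE then resets surcharge to "1" on every row, discarding whatever users have since set. Run the UPDATE only when the ALTER succeeded, e.g. place it in the `else` branch of the ALTER's error check, or guard it on the module's stored version (not visible here). The Copy hunk's INSERT also depends on positional VALUES matching the new column order; naming the columns in that INSERT would make the next schema change less fragile. The Update method's signature is outside the hunk.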
......@@ -23,7 +23,7 @@ class Browser extends Base {
public function Callback() {
$object = array();
if (!can_edit_page()) {
if (!$this->user->canEditPage) {
$object["error"] = "Permission denied.";
return $object;
}
......@@ -163,7 +163,7 @@ class Browser extends Base {
}
public function Content($id) {
if (!can_edit_page()) return false;
if (!$this->user->canEditPage) return false;
$content = '<form id="upload-form">'.
'Upload a file: <input id="upload-input" name="upload" type="file">'.
'<button class="upload">upload</button>'.
......
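Review bot: `$this->user->canEditPage` on the Callback line is a snapshot taken in User::SetPermission(), which only runs when `$_SESSION['page']` is already set, so a request with no page in the session keeps the default `false` and this callback answers "Permission denied." without evaluating the check for the current request. That is the safe direction, but a comment at the check, e.g. `// canEditPage is fixed when the User is built, for the page in the session; it stays false when no page is set.`, would stop a future reader from mistaking that denial for a permission bug. The same swap appears in Cart, Comment, Gift, Purchase, Stock, Writer, Account, Control, Extended, Login and More.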
......@@ -101,7 +101,7 @@ class Cart extends Base {
}
}
else if ($action == "list") {
if (!can_edit_page()) {
if (!$this->user->canEditPage) {
$object["error"] = "You don't have permission to list cart settings.";
$mysqli->close();
return $object;
......@@ -124,7 +124,7 @@ class Cart extends Base {
}
}
else if ($action == "save-item") {
if (!can_edit_page()) {
if (!$this->user->canEditPage) {
$object["error"] = "You don't have permission to edit cart items.";
$mysqli->close();
return $object;
......@@ -153,7 +153,7 @@ class Cart extends Base {
$object["done"] = true;
}
else if ($action == "save-shipping") {
if (!can_edit_page()) {
if (!$this->user->canEditPage) {
$object["error"] = "You don't have permission to edit cart shipping.";
$mysqli->close();
return $object;
......@@ -179,7 +179,7 @@ class Cart extends Base {
$object["done"] = true;
}
else if ($action == "save-checkout") {
if (!can_edit_page()) {
if (!$this->user->canEditPage) {
$object["error"] = "You don't have permission to edit cart checkout.";
$mysqli->close();
return $object;
......@@ -195,7 +195,7 @@ class Cart extends Base {
$object["done"] = true;
}
else if ($action == "remove-item") {
if (!can_edit_page()) {
if (!$this->user->canEditPage) {
$object["error"] = "You don't have permission to remove cart items.";
$mysqli->close();
return $object;
......@@ -209,7 +209,7 @@ class Cart extends Base {
$object = $this->Items();
}
else if ($action == "remove-shipping") {
if (!can_edit_page()) {
if (!$this->user->canEditPage) {
$object["error"] = "You don't have permission to remove cart shipping.";
$mysqli->close();
return $object;
......@@ -364,7 +364,7 @@ class Cart extends Base {
'</form>'.
'</div>';
$edit = '<br>';
if (can_edit_page()) {
if ($this->user->canEditPage) {
$edit = '<button id="cart-edit-button"></button>'.
'<div id="cart-editor"></div>';
}
......
......@@ -74,7 +74,7 @@ class Comment extends Base {
$this->Log('Comment->Callback 1: '.$mysqli->error);
}
}
else if ($mode == "remove" && can_edit_page()) {
else if ($mode == "remove" && $this->user->canEditPage) {
$comment_id = substr($mysqli->escape_string($_POST['commentId']), 15);
$query = 'DELETE FROM comment WHERE user="'.$this->owner.
'" AND box_id="'.$id.'" AND comment_id="'.$comment_id.'"';
......@@ -120,7 +120,7 @@ class Comment extends Base {
$form = "";
$edit = "";
if (can_edit_page()) {
if ($this->user->canEditPage) {
$edit = '<button class="comments-editor"></button>';
}
if (!$this->Locked($id)) {
......@@ -251,7 +251,7 @@ class Comment extends Base {
htmlspecialchars(stripslashes($name)).'</a>';
}
$remove = "";
if (can_edit_page()) {
if ($this->user->canEditPage) {
$remove = '<button id="remove-comment-'.$comment_id.
'" class="remove-comment"></button>';
}
......
......@@ -76,7 +76,7 @@ class Gift extends Base {
}
// If the user can edit the page, they can manage the registry.
if (can_edit_page()) {
if ($this->user->canEditPage) {
if ($result = $mysqli->query('SELECT name FROM gift_type')) {
if ($mode == "manage" || $result->num_rows == 0) {
$result->close();
......@@ -344,7 +344,7 @@ class Gift extends Base {
$name = $mysqli->escape_string($_POST['name']);
$message = $mysqli->escape_string($_POST['message']);
if (!can_edit_page()) {
if (!$this->user->canEditPage) {
$object['error'] = "Permission denied editing gift registry";
}
else if ($type == "email-message") {
......
......@@ -107,7 +107,7 @@ class Purchase extends Base {
public function CanAdd($page) {
// Need admin privileges to add the purchase module.
if (!can_edit_site()) return false;
if (!$this->user->canEditSite) return false;
// Can only have one purchase module on a page.
return !$this->AlreadyOnPage("purchase", $page);
}
......
......@@ -27,7 +27,7 @@ class Reader extends Base {
$feed = "rss/index.php?page=".$_SESSION['page'];
$xml_url .= $this->owner == "admin" ? $feed : $this->owner."/".$feed;
$title = $this->config->title_includes_page() ?
$_SESSION['page'].' - '.$this->config->title() : $this->config->title();
$this->config->title().' - '.$_SESSION['page'] : $this->config->title();
$mysqli = connect_db();
$query = 'INSERT INTO reader VALUES ("'.$this->owner.'","'.$id.'","'.
......
......@@ -23,7 +23,7 @@ class Stock extends Base {
public function Callback() {
$object = array();
if (!can_edit_page()) {
if (!$this->user->canEditPage) {
$object["error"] = "Permission denied.";
return $object;
}
......@@ -96,7 +96,7 @@ class Stock extends Base {
public function CanAdd($page) {
// Need admin privileges to add the stock module.
if (!can_edit_site()) return false;
if (!$this->user->canEditSite) return false;
// Can only have one stock module on a page.
return !$this->AlreadyOnPage("stock", $page);
}
......
......@@ -39,7 +39,7 @@ class Writer extends Base {
}
public function Content($id) {
if (!can_edit_page()) return false;
if (!$this->user->canEditPage) return false;
return '<textarea id="writer-content">'.
'Write a new post...'.
'</textarea>'.
......
......@@ -24,10 +24,6 @@ include "functions/db.php";
include "functions/permission.php";
include "functions/write_style.php";
include "config.php";
include "module.php";
include "user.php";
$object = array();
$object['error'] = false;
......@@ -73,6 +69,11 @@ if ($object['error'] !== false) {
$current_page = $_SESSION['page'];
$current_owner = $_SESSION['owner'];
// These are included for copy_page.
include "config.php";
include "module.php";
include "user.php";
$object['name'] = copy_page($current_page, $current_owner,
$new_page, $new_owner);
echo json_encode($object);
......
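Review bot: The three `include` lines added before the copy_page call are plain `include`, so if config.php, module.php or user.php has already been loaded on this request (by a file included earlier in the script, outside the hunk) the class redeclaration is a fatal error; `include_once` is the safe form for class files. The comment on the preceding line says they are for copy_page, but it should also say why they were moved from the top of the script (presumably to avoid constructing the User before the error check), since the first hunk's removal otherwise looks unrelated. The enclosing script continues outside the hunk.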
......@@ -20,9 +20,13 @@ session_start();
// TODO: At the moment only the public directory is supported.
// Next step is to support uploads to a directory named 'private' that Apache
// will not be allowed to serve from.
$regex = "/^public\/[a-zA-Z0-9_-]{1,200}\.[a-z0-9]{1,10}$/";
$regex = "/(public\/[a-zA-Z0-9_-]{1,200}\.[a-z0-9]{1,10})$/";
$file = $_GET["file"];
if (!preg_match($regex, $file)) return;
if (!preg_match($regex, $file, $matches)) return;
// Remove the protocol and domain from the file if present.
$path = $matches[1];
// Make sure this file is in the cart.
if (!$_SESSION['cart']) return;
......@@ -36,16 +40,16 @@ for ($i = 0; $i < count($_SESSION['cart']); $i++) {
if (!$in_cart) return;
if ($_SESSION['owner'] != "admin") {
$file = $_SESSION['owner']."/".$file;
$path = $_SESSION['owner']."/".$path;
}
$file = "../".$file;
$path = "../".$path;
if (file_exists($file)) {
if (file_exists($path)) {
header("Cache-Control: private");
header("Content-Type: application/octet");
header("Content-Length: ".filesize($file));
header("Content-Disposition: attachment; filename=".basename($file));
readfile($file);
header("Content-Length: ".filesize($path));
header("Content-Disposition: attachment; filename=".basename($path));
readfile($path);
}
?>
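Review bot: The relaxed `$regex` now accepts any prefix before `public/...`, and only the captured group becomes `$path`, which keeps the served file confined to the public directory; however the cart membership loop (its header is the second hunk's context line, its body outside the hunk) is still driven by `$file`, so if cart entries hold the bare `public/...` form a URL passed in will pass the regex but fail the cart check, and vice versa — confirm which form the cart stores and compare against `$path` there. A comment on `$path = $matches[1];` should say that the prefix is deliberately discarded so only the validated relative path reaches `file_exists()`. `$_GET["file"]` is still read without `isset`, so a missing parameter raises a notice before the `return`.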
......@@ -82,8 +82,12 @@ function new_user($user, $owner, $config,
chmod($prefix.$user->name."/owner.php", 0644);
$handle = fopen($prefix.$user->name."/rss/index.php", "w");
fwrite($handle, '<?php include "../../php/functions/rss.php"; '.
'include "../../php/config.php"; rss("'.$user->name.'"); ?>');
fwrite($handle, "<?php\n".
'include "../../php/functions/db.php";'."\n".
'include "../../php/functions/rss.php";'."\n".
'include "../../php/config.php";'."\n".
'rss("'.$user->name.'");'."\n".
'?>');
fclose($handle);
chmod($prefix.$user->name."/rss/index.php", 0644);
}
......
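Review bot: The rewritten fwrite embeds `$user->name` inside the generated PHP source (`rss("<name>");`), so the name must be known to contain only safe characters before this point; if the username is not validated against a strict pattern upstream (not visible here), a quote or parenthesis in it changes the generated program rather than the argument. Writing the argument as `'rss('.var_export($user->name, true).');'."\n".` makes the generated file correct for any name. `fopen` is also used without a `false` check, so a failed open surfaces as a warning on the fwrite rather than a reported error. new_user() begins outside the hunk.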
......@@ -51,24 +51,24 @@ function permission($action, $mode, $name = "") {
if ($result = $mysqli->query($query)) {
if ($result->num_rows > 0) $permission = true;
$result->close();
$mysqli->close();
return $permission;
}
else {
error_log('permission 1: '.$mysqli->error);
}
// Find all groups that have permission to edit/copy the page, for this
// user and visitor (it doesn't matter what the group is called).
$query = 'SELECT visitor FROM groups, group_permission WHERE '.
'groups.name=group_permission.name AND group_permission.page="'.$page.
'" AND '.'groups.visitor="'.$user.'" AND groups.user="'.$owner.'" AND '.
'groups.user=group_permission.user AND group_permission.'.$action.'="1"';
if ($result = $mysqli->query($query)) {
if ($result->num_rows > 0) $permission = true;
$result->close();
}
else {
error_log('permission 2: '.$mysqli->error);
if (!$permission) {
// Find all groups that have permission to edit/copy the page, for this
// user and visitor (it doesn't matter what the group is called).
$query = 'SELECT visitor FROM groups, group_permission WHERE '.
'groups.name=group_permission.name AND group_permission.page="'.$page.
'" AND groups.visitor="'.$user.'" AND groups.user="'.$owner.'" AND '.
'groups.user=group_permission.user AND group_permission.'.$action.'="1"';
if ($result = $mysqli->query($query)) {
if ($result->num_rows > 0) $permission = true;
$result->close();
}
else {
error_log('permission 2: '.$mysqli->error);
}
}
$mysqli->close();
return $permission;
......
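Review bot: The group query rebuilt on the new lines still splices `$page`, `$user`, `$owner` and `$action` directly into SQL; `$action` is used as a column name (`group_permission.<action>`), which no escaping function can protect, so it should be checked against the fixed set of permission columns the callers use before any query is built, e.g. `if (!in_array($action, [/* allowed action columns */], true)) return false;` near the top of the function, with the value columns bound through a prepared statement. The removed early `return` means a failed first query now correctly falls through to the group lookup with `$permission` still false; a comment on the `if (!$permission)` line stating that the group lookup is skipped only because a direct grant was already found would make that intent explicit. permission() begins outside the hunk.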
......@@ -15,12 +15,11 @@
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
include "db.php";
function rss($user) {
$mysqli = connect_db();
$page = "index";
if (isset($_GET['page'])) {
if (isset($_GET['page']) &&
preg_match("/^[a-z0-9_-]{1,200}$/i", $_GET['page'])) {
$page = $mysqli->escape_string($_GET['page']);
}
$action = "feed";
......@@ -36,13 +35,17 @@ function rss($user) {
$end = $mysqli->escape_string($_GET['end']);
}
// title and description need to do the same as Reader->Add.
$config = new Config();
$fancy_url = $config->fancy_url();
$title = $config->title_includes_page() ?
$config->title().' - '.$page : $config->title();
echo '<?xml version="1.0" ?>'."\n".
'<rss version="2.0">'."\n".
'<channel>'."\n".
'<title>Dobrado</title>'."\n".
'<title>'.$title.'</title>'."\n".
'<link>http://'.$_SERVER['SERVER_NAME'].'/</link>'."\n".
'<description>Dobrado website creator.</description>'."\n";
'<description>Syndicated by Dobrado.</description>'."\n";
// The notify table specifies which modules have placed themselves in a feed.
$query = 'SELECT box_id, label FROM notify WHERE user="'.
......@@ -68,32 +71,33 @@ function rss($user) {
$title = stripslashes($item['title']);
// Replace encoded spaces in the html.
$description = preg_replace("/&nbsp;/", ' ', $item['description']);
// Skip empty items.
// Skip empty items but only when both title and description are empty.
if ($title === "" && $description === "") continue;
echo "<item>\n";
if ($title != "") {
if ($title !== "") {
echo "<title>".$title."</title>\n";
}
if ($item['permalink'] != "") {
$config = new Config();
$url = $config->fancy_url() ?
$item['permalink'] : "index.php?page=".$item['permalink'];
$url = $item['permalink'];
if ($url !== "") {
if (!$fancy_url) {
$url = "index.php?page=".$url;
}
$permalink = "http://".$_SERVER['SERVER_NAME']."/";
$permalink .= $user == "admin" ? $url : $user."/".$url;
echo "<link>".$permalink."</link>\n";
}
if ($description != "") {
if ($description !== "") {
echo "<description>".htmlspecialchars(stripslashes($description)).
"</description>\n";
}
if ($item['author'] != "") {
if ($item['author'] !== "") {
echo "<author>".stripslashes($item['author'])."</author>\n";
}
if ($item['category'] != "") {
if ($item['category'] !== "") {
echo "<category>".stripslashes($item['category'])."</category>\n";
}
if ($item['enclosure'] != "") {
if ($item['enclosure'] !== "") {
echo "<enclosure>".stripslashes($item['enclosure'])."</enclosure>\n";
}
date_default_timezone_set("GMT");
......
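Review bot: `$title` on the new `<title>` line and `$permalink` in the third hunk are written into the XML unescaped; `$page` is constrained by the new regex, but `$config->title()` and `$item['permalink']` are not, so an `&` or `<` in either breaks the feed for every reader. Wrap both with `htmlspecialchars($value, ENT_XML1 | ENT_QUOTES, 'UTF-8')` as the description element already does. The `$mysqli->escape_string($_GET['page'])` call after the new regex check is now redundant, since the pattern only admits `[a-z0-9_-]`. rss() continues past the end of the last hunk.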
......@@ -38,7 +38,7 @@ class Account extends Base {
$message = "To register, choose a username and provide your ".
"email address, and you will be sent a confirmation link.";
}
else if (can_edit_site()) {
else if ($this->user->canEditSite) {
$message = "To add a new user, choose a username and provide their ".
"email address, and they will be sent an email to log in.";
}
......@@ -99,7 +99,7 @@ class Account extends Base {
else if ($action == "add-user") {
$new_user = $mysqli->escape_string($_POST["newUser"]);
$email = $mysqli->escape_string($_POST["email"]);
if (can_edit_site()) {
if ($this->user->canEditSite) {
// The User class checks $_SESSION["user"] to set the name.
$_SESSION["user"] = $new_user;
$user = new User();
......
......@@ -41,10 +41,9 @@ class Control extends Base {
// If none of the editing options are to be shown then
// no need to display the toolbar at all.
$show_tools = false;
$can_edit_site = can_edit_site();
$can_edit_page = can_edit_page();
$can_copy_page = can_copy_page();
if ($can_edit_site || $can_edit_page || $can_copy_page) {
if ($this->user->canEditSite ||
$this->user->canEditPage ||
$this->user->canCopyPage) {
$show_tools = true;
}
// Just display 'guest' in the account button if a guest account.
......@@ -61,7 +60,7 @@ class Control extends Base {
$account_menu .= '<li><a href="#" id="register">Register...</a></li>';
}
else {
if ($can_edit_site) {
if ($this->user->canEditSite) {
$account_menu .= '<li><a href="#" id="register">Add User...</a></li>';
}
$account_menu .=
......@@ -122,10 +121,10 @@ class Control extends Base {
'title="tools">Tools</label>'.
'<div class="toolbar hidden">';
}
if ($can_edit_site) {
if ($this->user->canEditSite) {
$content .= '<div class="control-button site" title="site"></div>';
}
if ($can_edit_page) {
if ($this->user->canEditPage) {
$content .= '<div class="control-button page" title="page"></div>'.
'<div class="control-button add" title="add"></div>'.
'<input type="checkbox" id="control-edit" '.
......@@ -133,7 +132,7 @@ class Control extends Base {
'<label for="control-edit" class="control-button edit" '.
'title="edit">Edit</label>';
}
if ($can_copy_page) {
if ($this->user->canCopyPage) {
$content .= '<div class="control-button copy" title="copy"></div>';
}
if ($show_tools) {
......
......@@ -29,7 +29,7 @@ class Extended extends Base {
$media = $mysqli->escape_string($_POST["media"]);
if ($mode == "site") {
if (!can_edit_site()) {
if (!$this->user->canEditSite) {
$object["error"] = "You don't have permission to edit the site ".
"configuration.";
$mysqli->close();
......@@ -95,7 +95,7 @@ class Extended extends Base {
}
}
else if ($mode == "page") {
if (!can_edit_page()) {
if (!$this->user->canEditPage) {
$object["error"] = "You don't have permission to edit this page.";
$mysqli->close();
return $object;
......@@ -168,7 +168,7 @@ class Extended extends Base {
$object["history"] = "Page History";
}
else if ($mode == "box") {
if (!can_edit_page()) {
if (!$this->user->canEditPage) {
$object["error"] = "You don't have permission to edit modules on ".
"this page.";
$mysqli->close();
......
......@@ -80,19 +80,19 @@ class Login extends Base {
public function CanAdd($page) {
// Must have admin access to add the login module.
if (!can_edit_site()) return false;
if (!$this->user->canEditSite) return false;
// Also can only have one login module on a page.
return !$this->AlreadyOnPage("login", $page);
}
public function CanEdit($id) {
// Must have admin access to edit the login module.
return can_edit_site();
return $this->user->canEditSite;
}
public function CanRemove($id) {
// Must have admin access to remove the login module.
return can_edit_site();
return $this->user->canEditSite;
}
public function Content($id) {
......
......@@ -60,7 +60,7 @@ class More extends Base {
$mysqli->close();
// Only use tabs if also displaying the install tab.
if (!can_edit_site()) {
if (!$this->user->canEditSite) {
return '<div id="more-menu">'.$menu.'</div>';
}
return '<div id="more-tabs">'.
......
......@@ -22,9 +22,6 @@ if (session_expired()) return;
include "functions/db.php";
include "functions/permission.php";
include "module.php";
include "user.php";
$object = array();
if (!can_edit_page()) {
......
......@@ -23,6 +23,10 @@ class Page {
public $config = NULL;
function __construct($user, $owner, $config) {
$this->user = $user;
$this->owner = $owner;
$this->config = $config;
if ($_GET['page'] === "" ||
!preg_match("/^[a-z0-9_-]{1,200}$/i", $_GET['page'])) {
$this->name = "index";
......@@ -32,26 +36,23 @@ class Page {
$this->name = $mysqli->escape_string($_GET['page']);
$mysqli->close();
}
$config->set_timezone();
$this->config->set_timezone();
// Special case if auto_login is available, which is done when not
// logged in and a special page is navigated to. This is just for
// testing, shouldn't be used for public websites.
if ($owner == "admin" && $this->name == $config->auto_page() &&
!$user->loggedIn && $config->auto_login()) {
$user->Guest();
if ($this->owner == "admin" && $this->name == $this->config->auto_page() &&
!$this->user->loggedIn && $this->config->auto_login()) {
$this->user->Guest();
// If there's no database connection the user won't be created and
// this redirect won't work.
if ($user->loggedIn) {
header("Location: http://".$_SERVER['SERVER_NAME']."/".$user->name);
if ($this->user->loggedIn) {
header("Location: http://".$_SERVER['SERVER_NAME']."/".
$this->user->name);
return;
}
}
$this->user = $user;
$this->owner = $owner;
$this->config = $config;
// When a user first logs in, redirect to their default page.
if ($this->user->defaultPage) {
$this->DefaultPage();
......@@ -61,9 +62,11 @@ class Page {
if ($this->user->loggedIn) {
$_SESSION['user'] = $this->user->name;
}
// Some modules require the page name and owner when not logged in.
// (Some modules require the page name and owner when not logged in.)
$_SESSION['page'] = $this->name;
$_SESSION['owner'] = $this->owner;
// SetPermission relies on page being set in the session.
$this->user->SetPermission();
if ($this->Permission()) $this->Display();
else $this->Unavailable();
......@@ -143,7 +146,7 @@ class Page {
// Only display content outside the layout if logged in.
if ($this->user->loggedIn) echo $content['outside'];
$sortable = can_edit_page() ? " sortable" : "";
$sortable = $this->user->canEditPage ? " sortable" : "";
echo '<div class="main">'."\n".
' <div class="header'.$sortable.'">'."\n".
......@@ -264,7 +267,8 @@ class Page {
$mysqli->close();
if ($published_page) return true;
if (can_edit_page()) return true;
if ($this->user->canEditPage || $this->user->canCopyPage) return true;
return false;
}
......
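Review bot: The new Permission() line grants access to an unpublished page when `$this->user->canCopyPage` is true, where previously only edit permission did; that widens who can read unpublished content and is not mentioned in the commit message, so it deserves a comment such as `// Copy permission implies read access: a page cannot be copied without reading it.` and confirmation that it is intended. In the constructor hunk the rewrapped `header("Location: ...")` is still followed by `return` rather than `exit`, so the rest of the request keeps running after the redirect header is queued; since the line is being touched, ending the request there would close that gap. Permission() begins outside the hunk.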
......@@ -17,6 +17,7 @@
include "functions/db.php";
include "functions/new_module.php";
include "functions/permission.php";
include "functions/write_style.php";
include "config.php";
......
......@@ -23,6 +23,9 @@ class User {
public $loginFailed = false;
public $emailReset = false;
public $defaultPage = false;
public $canEditSite = false;
public $canEditPage = false;
public $canCopyPage = false;
public function __construct($config = NULL) {
// Check if a (possibly different) user is trying to log in.
......@@ -66,6 +69,16 @@ class User {
$this->loggedIn = true;
setcookie("user", $this->name, time()+60*60*24*7, "/");
}
$this->SetPermission();
}
public function SetPermission() {
// The permission functions rely on page being set in the session.
if (isset($_SESSION['page'])) {
$this->canEditSite = can_edit_site();
$this->canEditPage = can_edit_page();
$this->canCopyPage = can_copy_page();
}
}
public function Guest($config) {
......
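Review bot: `SetPermission()` evaluates the three checks only when `$_SESSION['page']` is set and stores them in public writable properties, so the flags describe the page in the session at the moment of the call; any code that changes `$_SESSION['page']` afterwards must call `SetPermission()` again or it acts on the previous page's permissions. A comment on the method should state that contract, e.g. `// Caches can_edit_site/can_edit_page/can_copy_page for the page in $_SESSION; call again whenever the session page changes.`. Because the properties are public, any caller can also assign them directly; making them private with read accessors would keep the permission functions the only writer. Guest() (its body outside the hunk) presumably also needs to refresh the flags once a guest login succeeds.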
<?php include "../php/functions/rss.php"; include "../php/config.php"; rss("admin"); ?>
\ No newline at end of file
<?php
include "../php/functions/db.php";
include "../php/functions/rss.php";
include "../php/config.php";
rss("admin");
?>
\ No newline at end of file