Index: trunk/kernel/action.php
===================================================================
diff -u -N -r4689 -r4698
--- trunk/kernel/action.php (.../action.php) (revision 4689)
+++ trunk/kernel/action.php (.../action.php) (revision 4698)
@@ -21,12 +21,36 @@ unset($script, $skipDebug); // ====== Debugger related: end ====== - // Session expiration related - require_login( !admin_login() && $Action, 'expired=1', true ); - // End session exipration related - + // permission checking: begin + $action_mapping = Array( + 'm_add_user' => 'in-portal:user_list.add', + 'm_edit_user' => 'in-portal:user_list.edit', + 'm_delete_user' => 'in-portal:user_list.delete', + 'm_user_primarygroup' => 'in-portal:user_list.add|in-portal:user_list.edit', + 'm_approve_user' => 'in-portal:user_list.add|in-portal:user_list.edit', + 'm_deny_user' => 'in-portal:user_list.add|in-portal:user_list.edit', + 'm_clear_searchlog' => 'in-portal:searchlog.delete', + 'm_keyword_reset' => 'in-portal:searchlog.delete', + 'm_themes_rescan' => 'in-portal:configure_themes.add|in-portal:configure_themes.edit', + 'm_theme_primary' => 'in-portal:configure_themes.add|in-portal:configure_themes.edit', + 'm_theme_add' => 'in-portal:configure_themes.add', + 'm_theme_edit' => 'in-portal:configure_themes.edit', + 'm_theme_delete' => 'in-portal:configure_themes.delete', + 'm_sql_query' => 'in-portal:sql_query.edit', + 'm_purge_email_log' => 'in-portal:emaillog.delete', + 'm_session_delete' => 'in-portal:sessionlog.delete', + 'm_add_rule' => 'in-portal:user_banlist.add', + 'm_edit_rule' => 'in-portal:user_banlist.edit', + 'm_rule_move_up' => 'in-portal:user_banlist.add|in-portal:user_banlist.edit', + 'm_rule_move_down' => 'in-portal:user_banlist.add|in-portal:user_banlist.edit', + 'm_rule_delete' => 'in-portal:user_banlist.delete', + 'm_ban_user' => 'in-portal:user_list.add|in-portal:user_list.edit', + ); + checkActionPermission($action_mapping, $Action); + // permission checking: end + switch($Action) { case "m_save_import_config": 
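Review bot: The new `checkActionPermission($action_mapping, $Action);` call replaces the removed `require_login( !admin_login() && $Action, 'expired=1', true );` gate, but `$action_mapping` lists only 22 actions while the switch below still handles cases this diff leaves in place (`m_save_import_config`, `m_group_edit`, `m_user_sysperm`, `m_user_assign`, `m_group_removeuser`, `m_lang_select`, `m_emailevent_user`, `m_mod_enable`, `m_dlid`, the `m_review_*` cases). Whether those unmapped actions are still refused for an unauthenticated or expired session now depends on how checkActionPermission treats a missing key, which is not visible here; if it only evaluates mapped entries, the unmapped ones run with no login check at all. Either confirm it fails closed for unknown actions or keep the `require_login(...)` line in front of the new check, and state the contract above the array: `// every $Action handled below must be listed here; checkActionPermission() must deny any action that is not mapped`. The `switch($Action)` opened at the end of this hunk continues outside it.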
@@ -184,13 +208,6 @@ } break; - case "m_edit_group": - $objEditItems = new clsGroupList(); - $objEditItems->SourceTable = $objSession->GetEditTable("PortalGroup"); - $objEditItems->Edit_Group($_POST["group_id"], $_POST["group_name"],$_POST["group_comments"]); - break; - - case 'm_group_edit': // when editing user membership in group $membership_expires = DateTimestamp( $_POST['membership_expires_date'], GetDateFormat(0, true) ); $membership_expires += SecondsSinceMidnight( $_POST['membership_expires_time'] ); @@ -200,42 +217,6 @@ $objEditItems->Edit_UserGroup($_POST['GroupId'], $_POST['PortalUserId'], $membership_expires); break; - case "m_add_group": - $objEditItems = new clsGroupList(); - $objEditItems->SourceTable = $objSession->GetEditTable("PortalGroup"); - $objEditItems->Add_Group($_POST["group_name"], $_POST["group_comments"],0); - break; - case "m_group_sysperm": - if($ro_perm) break; - if ($_POST["GroupEditStatus"] == 0) { - $objSession->ResetSysPermCache(); - $GroupId = $_POST['GroupId']; - if ($GroupId) { - $objEditItems = new clsGroupList(); - $objEditItems->SourceTable = $objSession->GetEditTable('PortalGroup'); - $g = $objEditItems->GetItemByField('ResourceId', $GroupId); - if (is_object($g)) { - $PermList = explode(',', $_POST['PermList']); - $inheritance = GetVar('inherit') ? GetVar('inherit') : Array(); - $permission_values = GetVar('permvalue') ? GetVar('permvalue') : Array(); - for($i = 0; $i < count($PermList); $i++) { - if (@in_array($PermList[$i], $inheritance)) { - $value = -1; - } - else { - $value = 0; - if (@in_array($PermList[$i], $permission_values)) { - $value = 1; - } - } - - $g->SetSystemPermission($PermList[$i], $value); - } - } - } - } - break; - case "m_user_sysperm": if($ro_perm) break; if($_POST["UserEditStatus"]==0) 
@@ -307,14 +288,6 @@ $objUsers->Delete_User($userid); break; - case "m_delete_group": - if($ro_perm) break; - foreach($_POST["itemlist"] as $groupid) - { - $objGroups->Delete_Group($groupid); - } - break; - case "m_user_assign": // not sure if action is used anywhere if($ro_perm) break; $useridlist = implode("-", $userlist); @@ -461,26 +434,7 @@ } } break; - - case "m_group_add_user": - if($ro_perm) break; - $objSession->SetVariable("HasChanges", 1); - $group = $_POST["GroupId"]; - $EditGroups = new clsGroupList(); - $EditGroups->SourceTable = $objSession->GetEditTable($objGroups->SourceTable); - $g = $EditGroups->GetItem($group); -// echo "Group: $group
\n"; - if(is_numeric($group)) - { - $users = explode(",",$_POST["userlist"]); - foreach($users as $userid) - { - $u = $objUsers->GetItemByField("ResourceId",$userid); - $g->AddUser($u->Get("PortalUserId")); - } - } - - break; + case "m_group_removeuser": if($ro_perm) break; $objSession->SetVariable("HasChanges", 1); @@ -841,67 +795,6 @@ $application->HandleEvent($event); break; - - case "m_SearchConfig_Edit": - if($ro_perm) break; - $SimpleValues = $_POST["simple"]; - $AdvValues = $_POST["advanced"]; - $module = $_POST["module"]; - $priority = $_POST["pri"]; - //phpinfo(INFO_VARIABLES); - $objSearchConfig = new clsSearchConfigList($module); - foreach($objSearchConfig->Items as $i) - { - $id = $i->Get("SearchConfigId"); - $objSearchConfig->EditFieldSettings($id,(int)$SimpleValues[$id],(int)$AdvValues[$id],$priority[$id]); - } - $objSearchConfig->Clear(); - /* save relevence settings */ - $vals = $_POST["req_increase"]; - foreach($vals as $var=>$value) - { - $cfg = "SearchRel_Increase_".$var; - $objConfig->Set($cfg,$value); - } - $vals = $_POST["rel_keyword"]; - foreach($vals as $var=>$value) - { - $cfg = "SearchRel_Keyword_".$var; - $objConfig->Set($cfg,$value); - } - $vals = $_POST["rel_pop"]; - foreach($vals as $var=>$value) - { - $cfg = "SearchRel_Pop_".$var; - $objConfig->Set($cfg,$value); - } - $vals = $_POST["rel_rating"]; - foreach($vals as $var=>$value) - { - $cfg = "SearchRel_Rating_".$var; - $objConfig->Set($cfg,$value); - } - - $vals = $_POST["multiple"]; - - if (count($vals) > 0) { - foreach($vals as $var=>$value) - { - $cfg = "Search_ShowMultiple_".$var; - $objConfig->Set($cfg,$value); - } - } - else { - $cfg = "Search_ShowMultiple_".$_POST['cfg_var']; - $objConfig->Set($cfg, 0); - } - - if (isset($_POST['minkeyword'])) { - $objConfig->Set("Search_MinKeyword_Length", $_POST['minkeyword']); - } - - $objConfig->Save(); - break; case "m_keyword_reset": if($ro_perm) break; $objSearchList = new clsSearchLogList(); 
@@ -913,6 +806,7 @@ break; case 'm_clear_searchlog': + if($ro_perm) break; $objSearchList = new clsSearchLogList(); $db =& GetADODBConnection(); $db->Execute('DELETE FROM '.$objSearchList->SourceTable ); @@ -1059,9 +953,6 @@ } break; - - - case "m_review_deny": if (isset($_POST["itemlist"])) { @@ -1089,10 +980,6 @@ } break; - - - - case "m_review_move_up": if (isset($_POST["itemlist"])) { @@ -1256,216 +1143,7 @@ $dummy->Delete(); } break; - - case "m_lang_add": - $ado = &GetADODBConnection(); - $objEditItems = new clsLanguageList(); - $objEditItems->SourceTable = $objSession->GetEditTable("Language"); - - $l = $objEditItems->AddLanguage($_POST["packname"],$_POST["localname"], - (int)$_POST["enabled"],(int)$_POST["primary"], - $_POST["icon"],$_POST["date_format"],$_POST["time_format"], - $_POST["decimal"],$_POST["thousand"],$_POST['charset']); - - $rs = $ado->Execute("SELECT MIN(LanguageId) as MinValue FROM ".$objEditItems->SourceTable); - $NewId = $rs->fields["MinValue"]-1; - $sql = "UPDATE ".$objEditItems->SourceTable." SET LanguageId=".$NewId." WHERE LanguageId=".$l->Get("LanguageId"); - if($objSession->HasSystemPermission("DEBUG.LIST")) - echo $sql."
\n"; - $ado->Execute($sql); - if($_POST["importlabels"]==1 && $_POST["srcpack"]>0) - { - // Phrase import -/* - $sql = "SELECT * FROM ".GetTablePrefix()."Phrase WHERE LanguageId=".$_POST["srcpack"]; - if($objSession->HasSystemPermission("DEBUG.LIST")) - echo $sql."
\n"; - - $rs = $ado->Execute($sql); - $plist = new clsPhraseList(); - $plist->SourceTable = $objSession->GetEditTable("Phrase"); - $sql = "SELECT MIN(PhraseId) as MinId FROM ".$plist->SourceTable; - $as = $ado->Execute($sql); - if($as && !$as->EOF) - { - $MinId = (int)$as->fields["MinId"]; - } - else - $MinId = 0; - $MinId--; - while($rs && !$rs->EOF) - { - $data = $rs->fields; - $plist->AddPhrase($data["Phrase"],$NewId,$data["Translation"],$data["PhraseType"]); - $sql = "UPDATE ".$plist->SourceTable." SET PhraseId=$MinId WHERE PhraseId=0 LIMIT 1"; - $ado->Execute($sql); - $MinId--; - $rs->MoveNext(); - } -*/ - $sql='INSERT INTO '.$objSession->GetEditTable('Phrase').' SELECT Phrase, Translation, PhraseType, 0-PhraseId, '.$NewId.' FROM '.GetTablePrefix().'Phrase WHERE LanguageId='.$_POST['srcpack']; - $ado->Execute($sql); - // Events import - $sql = "SELECT * FROM ".GetTablePrefix()."EmailMessage WHERE LanguageId=".$_POST["srcpack"]; - if($objSession->HasSystemPermission("DEBUG.LIST")) - echo $sql."
\n"; - - $rs = $ado->Execute($sql); - - $eList = new clsEmailMessageList(); - //$eList->SourceTable = $objSession->GetEditTable("EmailMessage"); - - if (!$l->TableExists($objSession->GetEditTable("EmailMessage"))) { - $eList->CreateEmptyEditTable("EmailMessageId", true); - $eList->SourceTable = $objSession->GetEditTable("EmailMessage"); - } - else { - $eList->SourceTable = $objSession->GetEditTable("EmailMessage"); - } - - $sql = "SELECT MIN(EmailMessageId) as MinId FROM ".$eList->SourceTable; - $as = $ado->Execute($sql); - - if($as && !$as->EOF) - { - $MinId = (int)$as->fields["MinId"]; - } - else { - $MinId = 0; - } - - $MinId--; - - while($rs && !$rs->EOF) - { - $data = $rs->fields; - $eList->AddEmailEvent($data["Template"], $data["MessageType"], $NewId, $data["EventId"]); - - $sql = "UPDATE ".$eList->SourceTable." SET EmailMessageId=$MinId WHERE EmailMessageId=0 LIMIT 1"; - $ado->Execute($sql); - - $MinId--; - - $rs->MoveNext(); - } - } - break; - case "m_lang_export": - if($ro_perm) break; - include_once($pathtoroot."kernel/include/xml.php"); - $Ids = $_POST["LangList"]; // language ids list to export phrases from - - $phrase_types = GetVar('langtypes'); - $phrase_types = ($phrase_types !== false) ? 
implode(',',$phrase_types) : null; - - $filename=$_POST["filename"]; - if(strlen($filename)>0) - { - $ExportFilename = $pathtoroot.$admin."/export/".$filename; - $ExportResult = $objLanguages->ExportPhrases($ExportFilename,$Ids, $phrase_types); - } - break; - - case "m_lang_edit": - $ado = &GetADODBConnection(); - $objEditItems = new clsLanguageList(); - $objEditItems->SourceTable = $objSession->GetEditTable("Language"); - - $objEditItems->EditLanguage($_POST["LanguageId"],$_POST["packname"], - $_POST["localname"],(int)GetVar('enabled'), - (int)GetVar('primary'), $_POST["icon"],$_POST["date_format"], - $_POST["time_format"], $_POST["decimal"],$_POST["thousand"], - $_POST['charset']); - - if( GetVar('importlabels') && $_POST["srcpack"]>0) - { - $rs = $ado->Execute("SELECT * FROM ".GetTablePrefix()."Phrase WHERE LanguageId=".$_POST["srcpack"]); - $plist = new clsPhraseList(); - $plist->SourceTable = $objSession->GetEditTable("Phrase"); - $sql = "SELECT MIN(PhraseId) as MinId FROM ".$plist->SourceTable; - $as = $ado->Execute($sql); - if($as && !$as->EOF) - { - $MinId = (int)$as->fields["MinId"]; - } - else - $MinId = 0; - $MinId--; - while($rs && !$rs->EOF) - { - $data = $rs->fields; - $plist->AddPhrase($data["Phrase"],$_POST["LanguageId"],$data["Translation"],$data["PhraseType"]); - $sql = "UPDATE ".$plist->SourceTable." SET PhraseId=$MinId WHERE PhraseId=0 LIMIT 1"; - $ado->Execute($sql); - $MinId--; - $rs->MoveNext(); - } - unset($plist); - - // Events import - $sql = "SELECT * FROM ".GetTablePrefix()."EmailMessage WHERE LanguageId=".$_POST["srcpack"]; - if($objSession->HasSystemPermission("DEBUG.LIST")) - echo $sql."
\n"; - - $rs = $ado->Execute($sql); - - $eList = new clsEmailMessageList(); - //$eList->SourceTable = $objSession->GetEditTable("EmailMessage"); - $l = new clsEmailMessage(); - if (!$l->TableExists($objSession->GetEditTable("EmailMessage"))) { - $eList->CreateEmptyEditTable("EmailMessageId", true); - $eList->SourceTable = $objSession->GetEditTable("EmailMessage"); - } - else { - $eList->SourceTable = $objSession->GetEditTable("EmailMessage"); - } - - $sql = "SELECT MIN(EmailMessageId) as MinId FROM ".$eList->SourceTable; - $as = $ado->Execute($sql); - - if($as && !$as->EOF) - { - $MinId = (int)$as->fields["MinId"]; - } - else { - $MinId = 0; - } - - $MinId--; - - while($rs && !$rs->EOF) - { - $data = $rs->fields; - $eList->AddEmailEvent($data["Template"], $data["MessageType"], $_POST["LanguageId"], $data["EventId"]); - - $sql = "UPDATE ".$eList->SourceTable." SET EmailMessageId=$MinId WHERE EmailMessageId=0 LIMIT 1"; - $ado->Execute($sql); - - $MinId--; - - $rs->MoveNext(); - } - unset($eList); - } - - break; - case "m_lang_delete": - if($ro_perm) break; - if (isset($_POST["itemlist"])) - { - $Phrases = new clsPhraseList(); - $Messages = new clsEmailMessageList(); - foreach($_POST["itemlist"] as $id) - { - $objLanguages->DeleteLanguage($id); - $Phrases->DeleteLanguage($id); - $Messages->DeleteLanguage($id); - } - unset($Phrases); - unset($Messages); - } - break; - + case "m_lang_select": if($ro_perm) break; $LangId = (int)$_POST["langselect"]; 
@@ -1561,52 +1239,12 @@ } unset($objPhraseList); break; - case "m_emailevent_disable": - if($ro_perm) break; - $objEvents = new clsEventList(); - if (isset($_POST["itemlist"])) - { - foreach($_POST["itemlist"] as $id) - { - $m =& $objEvents->GetItem($id); - $m->Set("Enabled",0); - $m->Update(); - } - } - unset($objEvents); - break; - case "m_emailevent_enable": - if($ro_perm) break; - $objEvents = new clsEventList(); - if (isset($_POST["itemlist"])) - { - foreach($_POST["itemlist"] as $id) - { - $m =& $objEvents->GetItem($id); - $m->Set("Enabled",1); - $m->Update(); - } - } - unset($objEvents); - break; - case "m_emailevent_frontonly": - if($ro_perm) break; - $objEvents = new clsEventList(); - if (isset($_POST["itemlist"])) - { - foreach($_POST["itemlist"] as $id) - { - $m =& $objEvents->GetItem($id); - $m->Set("Enabled",2); - $m->Update(); - } - } - unset($objEvents); - break; + case "m_dlid": echo $Action.":".$DownloadId; die(); break; + case "m_emailevent_user": if($ro_perm) break; $objEvents = new clsEventList(); @@ -1655,31 +1293,7 @@ $m->Update(); } break; - case "m_config_edit": - //phpinfo(INFO_VARIABLES); - if($ro_perm) break; - $objAdmin = new clsConfigAdmin(); - $objAdmin->module = $_POST["module"]; - $objAdmin->section = $_POST["section"]; - if($objAdmin->section=="in-portal:configure_users") - { - if(strlen($_POST["RootPass"]) && strlen($_POST["RootPassVerify"])) - { - if($_POST["RootPass"]==$_POST["RootPassVerify"]) - { - $_POST["RootPass"] = md5($_POST["RootPass"]); - } - } - else - { - $_POST["RootPass"] = $objConfig->Get("RootPass"); - $_POST["RootPassVerify"] = $objConfig->Get("RootPassVerify"); - } - } - $objAdmin->LoadItems(FALSE); - $objAdmin->SaveItems($_POST); - break; - + case "m_mod_enable": if($ro_perm) break; if (isset($_POST["itemlist"])) 
@@ -2138,13 +1752,12 @@ $SqlErrorNum = $ado->ErrorNo(); } break; - case "m_purge_email_log": - if($ro_perm) break; - $ado = &GetADODBConnection(); - - $sql = "DELETE FROM ".GetTablePrefix()."EmailLog"; - $ado->Execute($sql); - break; + + case 'm_purge_email_log': + $conn =& $application->GetADODBConnection(); + $conn->Query('DELETE FROM '.TABLE_PREFIX.'EmailLog'); + break; + case "m_session_delete": if($ro_perm) break; $ado = &GetADODBConnection(); @@ -2162,6 +1775,7 @@ $ado->Execute($sql); } break; + case "m_add_rule": $objEditItems = new clsBanRuleList(); $objEditItems->SourceTable = $objSession->GetEditTable("BanRules"); @@ -2303,12 +1917,8 @@ //echo "==== BEGIN ====
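Review bot: The rewritten `m_purge_email_log` case drops the `if($ro_perm) break;` guard that the removed version had, so a read-only session can still run `DELETE FROM ...EmailLog` unless checkActionPermission also enforces read-only mode, which this hunk does not show (`$ro_perm` is presumably the read-only flag, given how the sibling cases use it). The neighbouring `m_session_delete` case keeps the guard and this same commit adds it to `m_clear_searchlog`, so the new case should match: make `if ($ro_perm) break;` its first statement. Also confirm that `TABLE_PREFIX` yields the same value as the `GetTablePrefix()` the surrounding cases use, otherwise the DELETE targets a different table name.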
"; $has_perm = $objSession->HasSystemPermission("SYSTEM_ACCESS.READONLY"); -//echo "PortalUserID: [".$objSession->Get("PortalUserId")."]
"; -//print_pre($objSession); -//echo "PermSet: [".$has_perm."]
"; -if( !$has_perm ) -{ +if (!$has_perm) { if( GetVar('ReviewEditStatus') == 1 ) { $objReviews=new clsItemReviewList(); @@ -2391,28 +2001,6 @@ $objGroups->Clear(); } - /* Group Edit */ - if( GetVar('GroupEditStatus') == 1 ) - { - $objUserGroupsList = new clsUserGroupList(); - $objUserGroupsList->CopyFromEditTable("GroupId"); - - $group_ids = $objGroups->CopyFromEditTable("GroupId"); - if ($group_ids) { -// $objCustomDataList->CopyFromEditTable('g'); - } - - $objGroups->Clear(); - } - if( GetVar('GroupEditStatus') == 2 ) - { - $objUserGroupsList = new clsUserGroupList(); - $objGroups->PurgeEditTable("GroupId"); -// $objCustomDataList->PurgeEditTable('g'); - $objUserGroupsList->PurgeEditTable("PortalUserId"); - $objGroups->Clear(); - } - /* Theme Edit */ if( GetVar('ThemeEditStatus') == 1 ) { @@ -2426,32 +2014,6 @@ $objThemes->Clear(); } - /* Language Edit */ - if( GetVar('LangEditStatus') == 1 ) - { - $objLanguages->CopyFromEditTable(); - $objLanguages->Clear(); - $objLanguages->PurgeEditTable(); - - $Phrases = new clsPhraseList(); - $Phrases->CopyFromEditTable(); - $Phrases->Clear(); - $Phrases->PurgeEditTable(); - - $Messages = new clsEmailMessageList(); - $Messages->CopyFromEditTable(); - $Messages->Clear(); - } - if( GetVar('LangEditStatus') == 2 ) - { - $objLanguages->PurgeEditTable(); - $objLanguages->Clear(); - $Phrases = new clsPhraseList(); - $Phrases->PurgeEditTable(); - $Messages = new clsEmailMessageList(); - $Messages->PurgeEditTable(); - } - if( GetVar('MissingLangEditStatus') == 1 ) { $objPhraseList = new clsPhraseList();