Index: branches/unlabeled/unlabeled-1.103.2/kernel/action.php =================================================================== diff -u -r3962 -r4040 --- branches/unlabeled/unlabeled-1.103.2/kernel/action.php (.../action.php) (revision 3962) +++ branches/unlabeled/unlabeled-1.103.2/kernel/action.php (.../action.php) (revision 4040) @@ -251,32 +251,29 @@ break; case "m_group_sysperm": if($ro_perm) break; - if($_POST["GroupEditStatus"]==0) - { + if ($_POST["GroupEditStatus"] == 0) { $objSession->ResetSysPermCache(); - $GroupId = $_POST["GroupId"]; - if($GroupId) - { + $GroupId = $_POST['GroupId']; + if ($GroupId) { $objEditItems = new clsGroupList(); - $objEditItems->SourceTable = $objSession->GetEditTable("PortalGroup"); - $g = $objEditItems->GetItemByField("ResourceId",$GroupId); - if(is_object($g)) - { - - $PermList = explode(",",$_POST["PermList"]); - for($i=0;$iSourceTable = $objSession->GetEditTable('PortalGroup'); + $g = $objEditItems->GetItemByField('ResourceId', $GroupId); + if (is_object($g)) { + $PermList = explode(',', $_POST['PermList']); + $inheritance = GetVar('inherit') ? GetVar('inherit') : Array(); + $permission_values = GetVar('permvalue') ? GetVar('permvalue') : Array(); + for($i = 0; $i < count($PermList); $i++) { + if (@in_array($PermList[$i], $inheritance)) { $value = -1; } - else - { + else { $value = 0; - if(@in_array($PermList[$i],$_POST["permvalue"])) - $value = 1; + if (@in_array($PermList[$i], $permission_values)) { + $value = 1; + } } - $g->SetSystemPermission($PermList[$i],$value); + + $g->SetSystemPermission($PermList[$i], $value); } } } Index: branches/unlabeled/unlabeled-1.46.16/kernel/include/usersession.php =================================================================== diff -u -r3936 -r4040 --- branches/unlabeled/unlabeled-1.46.16/kernel/include/usersession.php (.../usersession.php) (revision 3936) +++ branches/unlabeled/unlabeled-1.46.16/kernel/include/usersession.php (.../usersession.php) (revision 4040) 
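Review bot: In the `m_group_sysperm` case of kernel/action.php, `inherit` and `permvalue` are only defaulted when falsy, so a non-array value from the request reaches `in_array()` and the `@` suppresses the warning; the permission then falls through to `$value = 0`, which `SetSystemPermission()` in this same commit turns into a DELETE. Checking the type explicitly, e.g. `$inheritance = is_array(GetVar('inherit')) ? GetVar('inherit') : Array();` (same for `permvalue`), and dropping the `@` would make a malformed submission visible instead of silently clearing grants. The names taken from `$_POST['PermList']` are also passed to `SetSystemPermission()` as submitted; if a list of defined system permissions is available, comparing against it before the call would keep arbitrary names out of the Permissions table. The enclosing switch starts and ends outside the hunk, so checks beyond `if($ro_perm) break;` may exist where they are not visible here.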
@@ -32,7 +32,7 @@ $this->adodbConnection = &GetADODBConnection(); $this->PermCache = array(); - $this->PermCacheGroups =""; + $this->PermCacheGroups = ''; $this->UseTempKeys = $TempKeys; $this->AdminSearchFields = array("UserName", "GroupName", "us.IpAddress"); @@ -772,86 +772,98 @@ } } - function SetSysPermCache() - { + function SetSysPermCache() + { unset($this->SysPermCache); - $GroupList = $this->Get("GroupList"); + $GroupList = $this->Get('GroupList'); - if(strlen($GroupList) && $GroupList !="0") - { - $this->SysPermCache = array(); - $sql = "SELECT * FROM ".GetTablePrefix()."Permissions WHERE Type=1 AND GroupId IN (".$GroupList.")"; - //echo $sql."
\n"; - $rs = $this->adodbConnection->Execute($sql); - - while($rs && !$rs->EOF) - { - $val = $rs->fields["PermissionValue"]; - //if($val==1) - $this->SysPermCache[$rs->fields["Permission"]] = $val; - $PermList[] = $rs->fields["Permission"]; - $rs->MoveNext(); - } - if( isset($PermList) && count($PermList) > 0) // I think this is never issued (comment by Alex) - $this->SetVariable("SysPerm",implode(",",$PermList)); + if ($GroupList && $GroupList != '0') { + $this->SysPermCache = Array(); + $sql = 'SELECT * + FROM '.GetTablePrefix().'Permissions + WHERE Type = 1 AND GroupId IN ('.$GroupList.')'; // AND PermissionValue = 1'; + + $rs = $this->adodbConnection->Execute($sql); + + $PermList = Array(); + while (!$rs->EOF) { + $this->SysPermCache[ $rs->fields['Permission'] ] = $rs->fields['PermissionValue']; + $PermList[] = $rs->fields['Permission']; + $rs->MoveNext(); + } + + if ($PermList) { + $this->SetVariable('SysPerm', implode(',', $PermList)); + } } } + /** + * Fills system permission cache in session (memory only, not db) + * + */ function GetSysPermCache() { - $perms = trim($this->GetVariable("SysPerm")); - if(!strlen($perms)) - { + $perms = trim($this->GetVariable('SysPerm')); + if (!$perms) { $this->SetSysPermCache(); } - else - { - $p = explode(",",$perms); - - $this->SysPermCache = array(); - for($i=0;$iSysPermCache = Array(); + for($i = 0; $i < count($p); $i++) { $n = $p[$i]; - $this->SysPermCache[$n]=1; + $this->SysPermCache[$n] = 1; } } } + /** + * Allows to detect if system permissions are loaded + * + * @return bool + */ function SysPermCacheLoaded() { - return (isset($this->SysPermCache)); + return isset($this->SysPermCache); } + /** + * Resets system permission cache + * + */ function ResetSysPermCache() { - // echo "Resetting Perm Cache
\n"; - $this->SetVariable("SysPerm",""); + $this->SetVariable('SysPerm', ''); unset($this->SysPermCache); - //$this->SysPermCache=array(); } function HasSystemPermission($PermissionName) { global $objGroups; - if($this->Get("PortalUserId")==-1 && ($PermissionName=="ADMIN" || $PermissionName=="LOGIN")) - return TRUE; - //echo "Looking up $PermissionName:".$this->Get("GroupList")."
\n"; - //echo $this->Get("GroupList")." - ".$this->PermCacheGroups; - $GroupList = $this->Get("GroupList"); - if(substr($GroupList,-1)==",") - { - $GroupList = substr($GroupList,0,-1); - $this->Set("GroupList",$GroupList); + // "root" is always allowed to login to admin + if ($this->Get('PortalUserId') == -1 && ($PermissionName == 'ADMIN' || $PermissionName == 'LOGIN') ) { + return true; } - //print_pre( $GroupList); - if($this->Get("GroupList")!=$this->PermCacheGroups) - $this->ResetSysPermCache(); - if(!$this->SysPermCacheLoaded()) - { - //echo "Loading Perm Cache
\n"; + + // cut last comma (just in case in-portal made a mistake before) + $GroupList = $this->Get('GroupList'); + if (substr($GroupList, -1) == ',') { + $GroupList = substr($GroupList, 0, -1); + $this->Set('GroupList', $GroupList); + } + + // if loaded permissions are from other group list, then current (e.g. user is become logged-in during script run) + if ($this->Get('GroupList') != $this->PermCacheGroups) { + $this->ResetSysPermCache(); + } + + // load system permission cache if not already loaded + if (!$this->SysPermCacheLoaded()) { $this->GetSysPermCache(); - $this->PermCacheGroups = $this->Get("GroupList"); + $this->PermCacheGroups = $this->Get('GroupList'); } //echo "SysPerm $PermissionName: [". $this->SysPermCache[$PermissionName]."]
\n"; return isset($this->SysPermCache[$PermissionName]) ? $this->SysPermCache[$PermissionName] == 1 : false; Index: branches/unlabeled/unlabeled-1.17.44/kernel/include/portalgroup.php =================================================================== diff -u -r3962 -r4040 --- branches/unlabeled/unlabeled-1.17.44/kernel/include/portalgroup.php (.../portalgroup.php) (revision 3962) +++ branches/unlabeled/unlabeled-1.17.44/kernel/include/portalgroup.php (.../portalgroup.php) (revision 4040) @@ -45,38 +45,38 @@ } /* set $Value to -1 to delete the permission row from the DB */ - function SetSystemPermission($PermName,$Value) + function SetSystemPermission($PermName, $Value) { - //echo "Setting $PermName to $Value
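Review bot: In `SetSysPermCache()` (kernel/include/usersession.php) every permission name returned by the query is appended to `$PermList` whatever its `PermissionValue`, and `GetSysPermCache()` later rebuilds the cache from that list with `$this->SysPermCache[$n] = 1`, so a row with value 0 would be denied on the request that loads it from the database and granted on requests that load it from the session variable. The `AND PermissionValue = 1` filter is left commented out, so this depends entirely on the upgrade script and `SetSystemPermission()` keeping such rows out of the table; enabling the filter, or adding to the list only `if ($rs->fields['PermissionValue'] == 1)`, makes the cache fail closed. The rewritten loop also drops the old `$rs &&` guard, so `while (!$rs->EOF)` is reached even when `Execute()` did not return a recordset; `while ($rs && !$rs->EOF)` keeps the previous behaviour. `$GroupList` is still concatenated into `IN (...)` as read from the session, so it is worth confirming that it can only ever be a comma-separated list of integers.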
\n"; - $oldval = $this->HasSystemPermission($PermName); - if($Value != $oldval) - { - if($Value>-1) - { - if($oldval>-1) - { - $sql = "UPDATE ".GetTablePrefix()."Permissions SET PermissionValue=$Value "; - $sql .=" WHERE Type=1 AND Permission='$PermName' AND GroupId=".$this->Get("GroupId"); - - //echo "UPDATE SQL: $sql
"; - } - else - { - $sql = "INSERT INTO ".GetTablePrefix()."Permissions (Permission, GroupId, PermissionValue, Type, CatId) "; - $sql .="VALUES ('$PermName',".$this->Get("GroupId").",$Value,1,0)"; - //echo "INSERT SQL: $sql
"; - } - $this->adodbConnection->Execute($sql); - //echo $sql."
\n"; - } - else - { - $sql = "DELETE FROM ".GetTablePrefix()."Permissions "; - $sql .=" WHERE Type=1 AND Permission='$PermName' AND GroupId=".$this->Get("GroupId"); - //echo "DELETE SQL: $sql
"; - $this->adodbConnection->Execute($sql); + // don't save DENY system permissions + + //echo "Setting $PermName to $Value
\n"; + $old_value = $this->HasSystemPermission($PermName); + if ($Value == $old_value) { + return true; } - } + + if ($Value == 1) { + // new value is ALLOWED + if ($old_value > -1) { + // old value is ALLOWED/DENIED + $sql = 'UPDATE '.GetTablePrefix().'Permissions + SET PermissionValue = '.$Value.' + WHERE Type = 1 AND Permission = '.$this->adodbConnection->qstr($PermName).' AND GroupId = '.$this->Get('GroupId'); + } + else { + // permission was inherited before => no record in db + $sql = 'INSERT INTO '.GetTablePrefix().'Permissions (Permission, GroupId, PermissionValue, Type, CatId) '; + $sql .= 'VALUES ('.$this->adodbConnection->qstr($PermName).','.$this->Get('GroupId').','.$Value.',1,0)'; + } + $this->adodbConnection->Execute($sql); + } + else { + // permission becomes inherited now or set to DENIED + $sql = 'DELETE FROM '.GetTablePrefix().'Permissions + WHERE Type = 1 AND Permission = '.$this->adodbConnection->qstr($PermName).' AND GroupId = '.$this->Get('GroupId'); + $this->adodbConnection->Execute($sql); + } + } function CheckPermission($permissionName) Index: branches/unlabeled/unlabeled-1.4.2/admin/install/upgrades/inportal_upgrade_v1.1.7.sql =================================================================== diff -u -r4039 -r4040 --- branches/unlabeled/unlabeled-1.4.2/admin/install/upgrades/inportal_upgrade_v1.1.7.sql (.../inportal_upgrade_v1.1.7.sql) (revision 4039) +++ branches/unlabeled/unlabeled-1.4.2/admin/install/upgrades/inportal_upgrade_v1.1.7.sql (.../inportal_upgrade_v1.1.7.sql) (revision 4040) 
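Review bot: In `SetSystemPermission()` (kernel/include/portalgroup.php) `$PermName` is now quoted with `qstr()`, but `$Value` and `$this->Get('GroupId')` are still concatenated into the UPDATE/INSERT/DELETE as-is, and the `$Value == 1` guard is a loose comparison that older PHP versions satisfy for a string that merely starts with `1`. Since that branch only ever stores ALLOWED, the literal can be written directly (`SET PermissionValue = 1`) and the group id cast, e.g. `(int) $this->Get('GroupId')`. The comment above the function still says only -1 deletes the row, while the new code deletes for any value other than 1; it should read something like `/* $Value = 1 stores ALLOWED; any other value (0 = DENIED, -1 = inherited) deletes the row */`. The early `return true;` is the only explicit return, so callers get `true` when nothing changed and `null` otherwise.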
@@ -15,4 +15,6 @@ CREATE TABLE ImportCache (CacheId int(11) NOT NULL auto_increment, CacheName varchar(255) NOT NULL default '', VarName int(11) NOT NULL default '0', VarValue text NOT NULL, PRIMARY KEY (CacheId), KEY CacheName (CacheName), KEY VarName (VarName)); +DELETE FROM Permissions WHERE Type = 1 AND PermissionValue = 0; + UPDATE Modules SET Version = '1.1.7' WHERE Name = 'In-Portal'; \ No newline at end of file Index: branches/unlabeled/unlabeled-1.3.2/admin/install/upgrades/readme_1_1_7.txt =================================================================== diff -u -r4030 -r4040 --- branches/unlabeled/unlabeled-1.3.2/admin/install/upgrades/readme_1_1_7.txt (.../readme_1_1_7.txt) (revision 4030) +++ branches/unlabeled/unlabeled-1.3.2/admin/install/upgrades/readme_1_1_7.txt (.../readme_1_1_7.txt) (revision 4040) @@ -2,4 +2,5 @@ 0011217 error message was not shown on search form (on front, default theme) 0011210 custom field values were not stripslashed after submit 0011209 mod_rewrite now works a bit faster -0011211 category sorting in admin in case when we have non-editor pics new categories and already edited ones \ No newline at end of file +0011211 category sorting in admin in case when we have non-editor pics new categories and already edited ones +0011367 system permissions with DENIED value are not saved to db (e.g. LOGIN) + upgrade script that fixes perms \ No newline at end of file