From 0f54b8399a22c0be9b8ed19ca3aa67397ad390d3 Mon Sep 17 00:00:00 2001
From: michael
Date: Wed, 22 Jan 2003 07:22:52 +0000
Subject: [PATCH] removed querystring (if any) from page retrieved from SiteMap before adding it to the page level authorisation array (control.php) check the current page (without querystring) against the page level authorisation array when checking if the user has access (control.inc::checkSession)
---
 control.php | 27 +++++++++++++--------------
 lib/session/control.inc | 7 +++----
 2 files changed, 16 insertions(+), 18 deletions(-)

diff --git a/control.php b/control.php
index ba414ab..8437e95 100644
--- a/control.php
+++ b/control.php
@@ -12,7 +12,7 @@ require_once("$default->owl_fs_root/lib/session/SiteMap.inc");
  * authentication and forwards the request to the appropriate handling
  * page.
  *
- * Licensed under the GNU GPL. For full terms see the file COPYING.
+ * Licensed under the GNU GPL. For full terms see the file DOCS/COPYING.
  *
  * @version $Revision$
  * @author Michael Joseph , Jam Warehouse (Pty) Ltd, South Africa
@@ -36,28 +36,27 @@ if (checkSessionAndRedirect(false)) {
     }
 }
-// (if there is no userID on the session and the action that we're looking up
-// from the sitemap requires group access ie. !Anonymous then redirect to no
-// permission page)
-
-// check whether the users group has access to the requested page
+// retrieve the page from the sitemap (checks whether this user has access to the requested page)
 $page = $default->siteMap->getPage($action, $_SESSION["userID"]);
 $default->log->debug("retrieved page=$page from SiteMap");
 if (!$page) {
     // this user doesn't have permission to access the page
     // or there is no page mapping for the requested action
-
-    // FIXME: redirect to no permission page
-    print "you do not have access to view this page! please go away, and come back when you do.
"; - echo generateLink("logout") . "logout"; - - exit; + // redirect to no permission page + redirect("$default->owl_ui_url/noAccess.php"); } else { $page = $default->owl_root_url . $page; // set authorised flag and redirect - $_SESSION["pageAccess"][$page] = true; - $default->log->debug("control.php: just set SESSION[\"pageAccess\"][$page]=" . $_SESSION["pageAccess"][$page]); + // strip querystring form $page before setting page authorisation flag + if (strstr($page, "?")) { + $accessPage = substr($page, 0, strpos($page, "?")); + $default->log->debug("control.php: page without querystring=$accessPage"); + } else { + $accessPage = $page; + } + $_SESSION["pageAccess"][$accessPage] = true; + $default->log->debug("control.php: just set SESSION[\"pageAccess\"][$accessPage]=" . $_SESSION["pageAccess"][$accessPage]); redirect($page); } ?> diff --git a/lib/session/control.inc b/lib/session/control.inc index fb70157..5a5a95e 100644 --- a/lib/session/control.inc +++ b/lib/session/control.inc 
@@ -103,11 +103,10 @@ function checkSessionAndRedirect($bRedirect) {
 function checkSession() {
     global $default;
     if (checkSessionAndRedirect(true)) {
-        $default->log->debug("control.inc print the session variables: " . arrayToString($_SESSION));
+        $default->log->debug("control.inc: print the session variables: " . arrayToString($_SESSION));
         // the session is cool, now check if we access to this page
-        $currentPage = (strlen($_SERVER['QUERY_STRING']) > 0) ? $_SERVER['PHP_SELF'] . "?" . $_SERVER['QUERY_STRING'] : $_SERVER['PHP_SELF'];
-        $default->log->debug("control.inc qs=" . $_SERVER['QUERY_STRING'] . "; strlen(qs)=" . strlen($_SERVER['QUERY_STRING']) . "; page=$currentPage ? " . $_SESSION["pageAccess"][$currentPage]);
-        if ($_SESSION["pageAccess"][$currentPage]) {
+        $default->log->debug("control.inc: page=" . $_SERVER['PHP_SELF'] . " ? " . $_SESSION["pageAccess"][$_SERVER['PHP_SELF']]);
+        if ($_SESSION["pageAccess"][$_SERVER['PHP_SELF']]) {
             return true;
         } else {
             return false;
-- 
libgit2 0.21.4
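Review bot: The lookup `$_SESSION["pageAccess"][$_SERVER['PHP_SELF']]` uses PHP_SELF, which carries any PATH_INFO appended to the request, so a request for `/page.php/extra` is checked under a different key from the `/page.php` that control.php stored, whereas `$_SERVER['SCRIPT_NAME']` identifies the script actually executing and is the stable key to compare against. The same expression reads an index that may be absent (a session with no `pageAccess` array at all) and relies on truthiness, so the check is better written `if (!empty($_SESSION["pageAccess"][$_SERVER['SCRIPT_NAME']])) {`. The debug line above it dumps the entire `$_SESSION` through arrayToString, which writes the user id and every access grant to the log; logging only the key this check needs would avoid that. checkSession's body continues past the end of the hunk.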