diff --git a/lib/security.lib.php b/lib/security.lib.php index e4b434e..ed63adf 100755 --- a/lib/security.lib.php +++ b/lib/security.lib.php 
@@ -15,47 +15,61 @@ */ +/** +* Get the security policy for a specified folder +* +* @param id folder id +* +* @return int 1 = permission granted, 0 = permission denied +*/ function getfolderpolicy($id) { global $default; $sql = new Owl_DB; $sql->query("select security from $default->owl_folders_table where id = '$id'"); while ($sql->next_record()) return $sql->f("security"); } +/** +* Get the security policy for a specified file +* +* @param id file id +* +* @return int security policy +*/ function getfilepolicy($id) { global $default; $sql = new Owl_DB; $sql->query("select security from $default->owl_files_table where id = '$id'"); while ($sql->next_record()) return $sql->f("security"); } -// -// This function is simple...it returns either a 1 or 0 -// If the authentication is good, it returns 1 -// If the authentication is bad, it returns 0 -// -// Policy key for FILES: -// -// 0 = World read -// 1 = World edit -// 6 = World edit no delete -// 2 = Group read -// 3 = Group edit -// 5 = Group edit no delete -// 4 = Creator edit -// 7 = Group edit, World read -// 8 = Group edit, World read - no delete -// -// Policy key for FOLDERS: -// -// 50 = Anyone can read -// 51 = Anyone can upload/create folders -// 56 = Anyone can upload/create folders but not delete -// 52 = Only the group can read -// 53 = Only the group can upload/create folders -// 55 = Only the group can upload/create folders but not delete; except the creator -// 54 = Only the creator can upload/create folders -// 57 = Only the group can upload/create folders but anyone can read -// 58 = Only the group can upload/create folders (no delete) but anyone can read -// +/** +* This function is simple...it returns either a 1 or 0 +* If the authentication is good, it returns 1 +* If the authentication is bad, it returns 0 +* +* Policy key for FILES: +* +* 0 = World read +* 1 = World edit +* 2 = Group read +* 3 = Group edit +* 4 = Creator edit +* 5 = Group edit no delete +* 6 = World edit no delete +* 7 = Group 
edit, World read +* 8 = Group edit, World read - no delete +* +* Policy key for FOLDERS: +* +* 50 = Anyone can read +* 51 = Anyone can upload/create folders +* 56 = Anyone can upload/create folders but not delete +* 52 = Only the group can read +* 53 = Only the group can upload/create folders +* 55 = Only the group can upload/create folders but not delete; except the creator +* 54 = Only the creator can upload/create folders +* 57 = Only the group can upload/create folders but anyone can read +* 58 = Only the group can upload/create folders (no delete) but anyone can read +*/ function check_auth($id, $action, $userid) { global $default; @@ -64,13 +78,6 @@ function check_auth($id, $action, $userid) { $foldercreator = owlfoldercreator($id); $filegroup = owlfilegroup($id); $foldergroup = owlfoldergroup($id); -// print "Action is $action
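Review bot: The new docblock on getfolderpolicy describes its return as `1 = permission granted, 0 = permission denied`, but the function returns the raw `security` column, i.e. one of the 50–58 folder policy codes listed further down in this same hunk; it should read `@return int folder security policy (50-58), or null when no row matches`. Both docblocks also use `@param id`, which PHPDoc tooling will not parse — `@param int $id folder id` and `@param int $id file id`. Neither function returns anything when the id matches no row (the `while` simply falls through), and check_auth then compares that null against `"0"`…`"58"` with `==`, so the null case is worth stating. Both functions also splice `$id` straight into the query; if ids are integers, as move.php's `intval(substr($key,2))` suggests, casting with `(int)$id` before interpolation keeps the lookup numeric.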
"; -// print "filecreation username is $filecreator
"; -// print "filecreation groupname is $filegroup
"; -// print "folder group is $foldergroup
"; -// print "userid is $userid
"; -// print "dbusername is $dbuser
"; -// print "usergroup is $usergroup
"; if (($action == "folder_modify") || ($action == "folder_view") || @@ -80,9 +87,12 @@ function check_auth($id, $action, $userid) { } else { $policy = getfilepolicy($id); } -// print "Policy is $policy
"; + + //if policy is: world read if ($policy == "0") { + //if the user want to delete/modify if (($action == "file_delete") || ($action == "file_modify")) { + //if the user is not the file create if ($userid != $filecreator) { $authorization = "0"; } else { @@ -92,10 +102,13 @@ function check_auth($id, $action, $userid) { $authorization = "1"; } } + //if the policy is: world edit if ($policy == "1") { $authorization = "1"; } + //if the policy is: group read if ($policy == "2") { + //if the user wants to delete/modify the file if (($action == "file_delete") || ($action == "file_modify")) { if ($userid != $filecreator) { $authorization = "0"; @@ -106,6 +119,7 @@ function check_auth($id, $action, $userid) { // Bozz Change Begin $sql = new Owl_DB; $sql->query("SELECT * FROM $default->owl_users_grpmem_table WHERE userid = '$userid' and groupid = '$filegroup'"); + //if the user is in the group if ($filegroup == $usergroup || $sql->num_rows($sql) > 0) { // Bozz Change End $authorization = "1"; 
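Review bot: The comment added under the policy `"0"` branch reads `//if the user is not the file create`; it should be `//if the user is not the file creator`, naming the `$filecreator` variable the condition actually tests. check_auth's body starts and ends outside this hunk.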
@@ -115,33 +129,38 @@ function check_auth($id, $action, $userid) { } } + //if the policy is: group edit if ($policy == "3") { if (($action == "file_delete") || ($action == "file_modify") || ($action == "file_download")) { // Bozz Change Begin $sql = new Owl_DB; $sql->query("SELECT * FROM $default->owl_users_grpmem_table WHERE userid = '$userid' and groupid = '$filegroup'"); // Bozz Change End + //if the user is not in the group if ($usergroup != $filegroup && $sql->num_rows($sql) == 0) { $authorization = "0"; } else { $authorization = "1"; } - } } + //if the policy is: creator edit if ($policy == "4") { + //if the user is the creator if ($filecreator == $userid) { $authorization = "1"; } else { $authorization = "0"; } } + //if the policy is: group edit no delete if ($policy == "5") { if (($action == "file_modify") || ($action == "file_download")) { // Bozz Change Begin $sql = new Owl_DB; $sql->query("SELECT * FROM $default->owl_users_grpmem_table WHERE userid = '$userid' and groupid = '$filegroup'"); // Bozz Change End + //if the user is in the group if ($usergroup != $filegroup && $sql->num_rows($sql) == 0) { $authorization = "0"; } else { @@ -149,6 +168,7 @@ function check_auth($id, $action, $userid) { } } if ($action == "file_delete") { + //if the user is the file creator if ($filecreator == $userid) { $authorization = "1"; } else { @@ -156,9 +176,11 @@ function check_auth($id, $action, $userid) { } } } + //if the policy is: world edit no delete if ($policy == "6") { $authorization = "1"; if ($action == "file_delete") { + //if the user is the creator if ($filecreator == $userid) { $authorization = "1"; } else { 
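Review bot: Under policy `"5"` the added comment `//if the user is in the group` sits directly above `if ($usergroup != $filegroup && $sql->num_rows($sql) == 0)`, which is the not-a-member branch (it sets `$authorization = "0"`); the identical condition under policy `"3"` in this hunk is correctly annotated, so this one should also read `//if the user is not in the group`. In an authorization routine an inverted comment invites the next edit to flip the condition, so it is worth fixing before merge. Separately, this hunk deletes a lone closing `}` at the end of the policy `"3"` block with no matching opening brace removed, and the `@@ -166,26 +188,28 @@` hunk does the same under policy `"7"`; if those blocks were balanced before, the new file is one `}` short in each place, so please confirm the file still parses (`php -l`) — check_auth continues beyond both hunks and I cannot count the braces from here.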
@@ -166,26 +188,28 @@ function check_auth($id, $action, $userid) { } } } + //if the policy is: group edit world read if ($policy == "7") { if (($action == "file_delete") || ($action == "file_modify")) { $sql = new Owl_DB; - $sql->query("SELECT * FROM $default->owl_users_grpmem_table WHERE userid = '$userid' and groupid = '$filegroup'"); + $sql->query("SELECT * FROM $default->owl_users_grpmem_table WHERE userid = '$userid' and groupid = '$filegroup'"); + //if the user is not in the group if ($usergroup != $filegroup && $sql->num_rows($sql) == 0) { $authorization = "0"; } else { $authorization = "1"; } - } if ($action == "file_download") { $authorization = "1"; } } - + //if the policy is: group edit, world read, no delete if ($policy == "8") { if ($action == "file_modify") { $sql = new Owl_DB; - $sql->query("SELECT * FROM $default->owl_users_grpmem_table WHERE userid = '$userid' and groupid = '$filegroup'"); + $sql->query("SELECT * FROM $default->owl_users_grpmem_table WHERE userid = '$userid' and groupid = '$filegroup'"); + //if the user is not in the group if ($usergroup != $filegroup && $sql->num_rows($sql) == 0) { $authorization = "0"; } else { @@ -196,6 +220,7 @@ function check_auth($id, $action, $userid) { $authorization = "1"; } if ($action == "file_delete") { + //if the user is the creator if ($filecreator == $userid) { $authorization = "1"; } else { @@ -203,11 +228,12 @@ function check_auth($id, $action, $userid) { } } } - + //if the policy is: anyone can read if ($policy == "50") { if (($action == "folder_delete") || ($action == "folder_property") || ($action == "folder_modify")) { + //if the user is not the creator if ($userid != $foldercreator) { $authorization = "0"; } else { 
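Review bot: The re-indented query lines in this hunk (and their `$foldergroup` counterparts in `@@ -298,10 +338,12 @@` and `@@ -319,11 +362,12 @@`) still build the statement by interpolating `$userid` and `$filegroup` directly: `SELECT * FROM $default->owl_users_grpmem_table WHERE userid = '$userid' and groupid = '$filegroup'`. This is the group-membership test that decides `$authorization`, so any value containing a quote breaks or alters the query, and the commit only changed whitespace on these lines. If both columns are integer ids, cast before interpolating, `(int)$userid` and `(int)$filegroup`; if `groupid` is a group name (the debug print removed in `@@ -64,13 +78,6 @@` printed it as a "groupname"), pass the value through whatever escaping Owl_DB provides — I cannot see that class's API from this diff. The same pattern remains on unchanged context lines under policies 2, 3, 5 and 53, so a single helper such as `function owl_group_member($userid, $group)` that does the quoting once would let every branch call it instead of repeating the query.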
@@ -217,9 +243,13 @@ function check_auth($id, $action, $userid) { $authorization = "1"; } } + + //if the policy is: anyone can upload/create folders if ($policy == "51") { $authorization = "1"; } + + //if the policy is: only the group can read folders if ($policy == "52") { if (($action == "folder_delete") || ($action == "folder_property") || @@ -242,6 +272,8 @@ function check_auth($id, $action, $userid) { } } + + //if the policy is: only the group can upload/create folders if ($policy == "53") { if (($action == "folder_delete") || ($action == "folder_modify") || @@ -250,6 +282,7 @@ function check_auth($id, $action, $userid) { // Bozz Change Begin $sql = new Owl_DB; $sql->query("SELECT * FROM $default->owl_users_grpmem_table WHERE userid = '$userid' and groupid = '$foldergroup'"); + //if the user is not in the group if ($usergroup != $foldergroup && $sql->num_rows($sql) == 0) { // Bozz Change End $authorization = "0"; @@ -258,13 +291,18 @@ function check_auth($id, $action, $userid) { } } } + + //if the policy is: only the creator can upload/change files if ($policy == "54") { + //if the user is the creator if ($foldercreator == $userid) { $authorization = "1"; } else { $authorization = "0"; } } + + //if the policy is: only the group can upload/create folders but not delete; except the creator if ($policy == "55") { if (($action == "folder_modify") || ($action == "folder_view")) { // Bozz Change Begin @@ -286,10 +324,12 @@ function check_auth($id, $action, $userid) { } } } + //if the policy is: anyone can upload/create folders but not delete if ($policy == "56") { $authorization = "1"; if (($action == "folder_delete") || ($action == "folder_property")) { + //if the user is the creator if ($foldercreator == $userid) { $authorization = "1"; } else { 
@@ -298,10 +338,12 @@ function check_auth($id, $action, $userid) { } } + //if the policy is: only the group can upload/create folders but anyone can read if ($policy == "57") { if (($action == "folder_modify") || ($action == "folder_delete")) { $sql = new Owl_DB; - $sql->query("SELECT * FROM $default->owl_users_grpmem_table WHERE userid = '$userid' and groupid = '$foldergroup'"); + $sql->query("SELECT * FROM $default->owl_users_grpmem_table WHERE userid = '$userid' and groupid = '$foldergroup'"); + //if the user is not in the group if (($usergroup != $foldergroup) && ($sql->num_rows($sql) == 0)) { $authorization = "0"; } else { @@ -309,6 +351,7 @@ function check_auth($id, $action, $userid) { } } if ($action == "folder_property") { + //if the user is the creator if ($foldercreator == $userid) { $authorization = "1"; } else { @@ -319,11 +362,12 @@ function check_auth($id, $action, $userid) { $authorization = "1"; } } - + //if the policy is: only the group can upload/create folders (no delete) but anyone can read if ($policy == "58") { if ($action == "folder_modify") { $sql = new Owl_DB; - $sql->query("SELECT * FROM $default->owl_users_grpmem_table WHERE userid = '$userid' and groupid = '$foldergroup'"); + $sql->query("SELECT * FROM $default->owl_users_grpmem_table WHERE userid = '$userid' and groupid = '$foldergroup'"); + //if the user is not in the group if ($usergroup != $foldergroup && $sql->num_rows($sql) == 0) { $authorization = "0"; } else { @@ -331,6 +375,7 @@ function check_auth($id, $action, $userid) { } } if ($action == "folder_property") { + //if the user is the creator if ($foldercreator == $userid) { $authorization = "1"; } else { @@ -338,6 +383,7 @@ function check_auth($id, $action, $userid) { } } if ($action == "folder_delete") { + //if the user is the creator if ($foldercreator == $userid) { $authorization = "1"; } else { diff --git a/move.php b/move.php index 17438d6..f85df35 100755 --- a/move.php +++ b/move.php 
@@ -3,6 +3,8 @@ /* * move.php * + * Move a folder or a file to a new destination + * * Copyright (c) 1999-2002 The Owl Project Team * Licensed under the GNU GPL. For full terms see the file COPYING. * @@ -46,14 +48,18 @@ switch ($order) { if($action == "file") { + //if the user does not have permission to modify the file if(check_auth($id, "file_modify", $userid) == 0) { include("./lib/header.inc"); print("table_expand_width BGCOLOR=$default->main_header_bgcolor CELLSPACING=0 CELLPADDING=0 BORDER=$default->table_border HEIGHT=30>"); ?>
"); + print(""); } print uid_to_name($userid); print (""); @@ -69,14 +75,18 @@ if($action == "file") { exit($lang_nofilemod); } } else { + //if the user does not have permission to modify the folder if(check_auth($id, "folder_modify", $userid) == 0) { include("./lib/header.inc"); print("table_expand_width BGCOLOR=$default->main_header_bgcolor CELLSPACING=0 CELLPADDING=0 BORDER=$default->table_border HEIGHT=30>"); ?>
"); + print(""); } print uid_to_name($userid); print (""); @@ -92,9 +102,17 @@ if($action == "file") { } } + +/** +* Check for new folders. Sets $newFolder to the new folder id +*/ function checkForNewFolder() { global $HTTP_POST_VARS, $newFolder; - if (!is_array($HTTP_POST_VARS)) return; + if (!is_array($HTTP_POST_VARS)) + { + return; + } + while (list($key, $value) = each ($HTTP_POST_VARS)) { if (substr($key,0,2)=="ID") { $newFolder = intval(substr($key,2)); @@ -103,27 +121,58 @@ function checkForNewFolder() { } } +/** +* Display all the sub-folders in a folder +* +* @param $fid folder id +* @param $folder folder name +* +*/ function showFoldersIn($fid, $folder) { global $folderList, $fCount, $fDepth, $excludeID, $action, $id, $default, $userid ; for ($c=0 ;$c < ($fDepth-1) ; $c++) print ""; if ($fDepth) print ""; $gray=0; // Work out when to gray out folders ... - if ($fid==$excludeID) $gray=1; // current parent for all moves - if (($action=="folder") && ($fid==$id)) $gray=1; // subtree for folder moves - if (check_auth($fid, "folder_modify", $userid) == 0) $gray = 1; // check for permissions - + + //current parent for all moves + if ($fid==$excludeID) + { + $gray=1; + } + //subtree for folder moves + //can't move a folder to itself + if (($action=="folder") && ($fid==$id)) + { + $gray=1; + } + //check for permissions + //if you don't have folder modify permissions + if (check_auth($fid, "folder_modify", $userid) == 0) + { + $gray = 1; + } + if ($gray) { print ""; print " $folder
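Review bot: The docblock added to checkForNewFolder only says it sets `$newFolder`; since this value becomes the move destination, it should say where it comes from: `Scans $HTTP_POST_VARS for keys of the form ID<n> and stores intval(n) in the global $newFolder; leaves it unset when no such key is posted.` The `intval` is what keeps the id numeric for the later `where id='$fID'` query, so that is worth calling out as deliberate. The function also relies on `$HTTP_POST_VARS` and `each()`, neither of which exists in current PHP (`$_POST` and `foreach` replace them), which deserves a note if the project is expected to run on anything newer than it was written for. The loop body continues past the end of this hunk.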
\n"; - } else { + } + else + { print " $folder
\n"; } - if (($action=="folder") && ($fid==$id)) return; // Don't show subtree of selected folder as target for folder move - for ($c=0; $c<$fCount; $c++) { + //Don't show subtree of selected folder as target for folder move + if (($action=="folder") && ($fid==$id)) + { + return; + } + + //recurse through all the folders in the current folder and + //display their sub-folders + for ($c=0; $c < $fCount; $c++) { if ($folderList[$c][2]==$fid) { $fDepth++; showFoldersIn( $folderList[$c][0] , $folderList[$c][1] ); @@ -138,12 +187,14 @@ if ($action=="$lang_cancel_button") { } checkForNewFolder(); +//if there is a new folder if (isset($newFolder)) { $sql = new Owl_DB; $source=""; $fID=$parent; do { + //build the directory path from the root folder to the current parent folder $sql->query("select name,parent from $default->owl_folders_table where id='$fID'"); while($sql->next_record()) { $tName = $sql->f("name"); @@ -155,6 +206,7 @@ if (isset($newFolder)) { $dest=""; $fID=$newFolder; do { + //build the directory path from the root folder to the new folder $sql->query("select name,parent from $default->owl_folders_table where id='$fID'"); while($sql->next_record()) { $tName = $sql->f("name"); @@ -180,6 +232,8 @@ if (isset($newFolder)) { } + //if we're using the file system + //then move the file if($default->owl_use_fs) { if ($type != "url") { if (!file_exists("$default->owl_FileDir/$dest$fname")) {