Commit fd1248bf515d13a3287084643fd9d958510ab305

Authored by Michael Joseph
1 parent b17904e2

removed querystring (if any) from page retrieved from SiteMap before adding it to the page level authorisation array (control.php)
check the current page (without querystring) against the page level authorisation array when checking if the user has access (control.inc::checkSession)


git-svn-id: https://kt-dms.svn.sourceforge.net/svnroot/kt-dms/trunk@441 c91229c3-7414-0410-bfa2-8a42b809f60b
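--- a/control.php
+++ b/control.php
@@ -12,7 +12,7 @@ require_once("$default->owl_fs_root/lib/session/SiteMap.inc");
  * authentication and forwards the request to the appropriate handling
  * page.
  *
- * Licensed under the GNU GPL. For full terms see the file COPYING.
+ * Licensed under the GNU GPL. For full terms see the file DOCS/COPYING.
  *
  * @version $Revision$
  * @author Michael Joseph <michael@jamwarehouse.com>, Jam Warehouse (Pty) Ltd, South Africa
@@ -36,28 +36,27 @@ if (checkSessionAndRedirect(false)) {
     }
 }
 
-// (if there is no userID on the session and the action that we're looking up
-// from the sitemap requires group access ie. !Anonymous then redirect to no
-// permission page)
-
-// check whether the users group has access to the requested page
+// retrieve the page from the sitemap (checks whether this user has access to the requested page)
 $page = $default->siteMap->getPage($action, $_SESSION["userID"]);
 
 $default->log->debug("retrieved page=$page from SiteMap");
 if (!$page) {
     // this user doesn't have permission to access the page
     // or there is no page mapping for the requested action
-
-    // FIXME: redirect to no permission page
-    print "you do not have access to view this page! please go away, and come back when you do.<br>";
-    echo generateLink("logout") . "logout</a>";
-
-    exit;
+    // redirect to no permission page
+    redirect("$default->owl_ui_url/noAccess.php");
 } else {
     $page = $default->owl_root_url . $page;
     // set authorised flag and redirect
-    $_SESSION["pageAccess"][$page] = true;
-    $default->log->debug("control.php: just set SESSION[\"pageAccess\"][$page]=" . $_SESSION["pageAccess"][$page]);
+    // strip querystring form $page before setting page authorisation flag
+    if (strstr($page, "?")) {
+        $accessPage = substr($page, 0, strpos($page, "?"));
+        $default->log->debug("control.php: page without querystring=$accessPage");
+    } else {
+        $accessPage = $page;
+    }
+    $_SESSION["pageAccess"][$accessPage] = true;
+    $default->log->debug("control.php: just set SESSION[\"pageAccess\"][$accessPage]=" . $_SESSION["pageAccess"][$accessPage]);
     redirect($page);
 }
 ?>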
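Review bot: The authorisation flag is keyed by `$default->owl_root_url . $page` with the query string removed, while the lookup this commit adds to control.inc::checkSession is keyed by `$_SERVER['PHP_SELF']`; the two only agree if owl_root_url is a bare path prefix (no scheme or host) and the SiteMap returns paths that PHP_SELF reproduces exactly, which cannot be confirmed from this hunk. The strip itself scans the string twice (`strstr` then `strpos`) where one position lookup suffices: `$qsPos = strpos($page, "?");` followed by `$accessPage = ($qsPos === false) ? $page : substr($page, 0, $qsPos);`. Since the grant is now recorded per script path and nothing in this hunk clears it, the comment should say so, e.g. `// access is granted per script path (query string ignored) for the rest of the session`. The comment on the same line also has a typo, `form $page` should read `from $page`.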
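--- a/lib/session/control.inc
+++ b/lib/session/control.inc
@@ -103,11 +103,10 @@ function checkSessionAndRedirect($bRedirect) {
 function checkSession() {
     global $default;
     if (checkSessionAndRedirect(true)) {
-        $default->log->debug("control.inc print the session variables: " . arrayToString($_SESSION));
+        $default->log->debug("control.inc: print the session variables: " . arrayToString($_SESSION));
         // the session is cool, now check if we access to this page
-        $currentPage = (strlen($_SERVER['QUERY_STRING']) > 0) ? $_SERVER['PHP_SELF'] . "?" . $_SERVER['QUERY_STRING'] : $_SERVER['PHP_SELF'];
-        $default->log->debug("control.inc qs=" . $_SERVER['QUERY_STRING'] . "; strlen(qs)=" . strlen($_SERVER['QUERY_STRING']) . "; page=$currentPage ? " . $_SESSION["pageAccess"][$currentPage]);
-        if ($_SESSION["pageAccess"][$currentPage]) {
+        $default->log->debug("control.inc: page=" . $_SERVER['PHP_SELF'] . " ? " . $_SESSION["pageAccess"][$_SERVER['PHP_SELF']]);
+        if ($_SESSION["pageAccess"][$_SERVER['PHP_SELF']]) {
             return true;
         } else {
             return false;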
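Review bot: Both added lines read `$_SESSION["pageAccess"][$_SERVER['PHP_SELF']]` without checking that the index exists, so every request for a page that was never granted raises an undefined-index notice (the removed `$currentPage` lookup had the same weakness); guard it with `if (!empty($_SESSION["pageAccess"][$_SERVER['PHP_SELF']])) {` and log `isset(...) ? "granted" : "not granted"` instead of the raw value. `PHP_SELF` can also carry client-supplied path info after the script name, which would make the key miss and deny the page; if the SiteMap keys are plain script paths, `$_SERVER['SCRIPT_NAME']` is the stable choice. The closing braces of checkSession lie outside the hunk.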