From 8454545089b9b77695498cd855cf50075151d957 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Roland=20H=C3=A4der?=
Date: Thu, 18 Dec 2008 22:00:53 +0000
Subject: [PATCH] Checking for admin ACL now as filter
---
 inc/databases.php | 2 +-
 inc/filters.php | 27 ++++++++++++++++++++++++++-
 inc/functions.php | 2 +-
 inc/language/admins_de.php | 1 -
 inc/language/de.php | 1 +
 inc/modules/admin.php | 16 ++--------------
 inc/modules/admin/admin-inc.php | 4 ++--
 7 files changed, 33 insertions(+), 20 deletions(-)
diff --git a/inc/databases.php b/inc/databases.php
index 1cb01137c7..35128c568e 100644
--- a/inc/databases.php
+++ b/inc/databases.php
@@ -114,7 +114,7 @@ define('USAGE_BASE', "usage");
 define('SERVER_URL', "http://www.mxchange.org");
 // Current SVN revision
-define('CURR_SVN_REVISION', "654");
+define('CURR_SVN_REVISION', "655");
 // Take a prime number which is long (if you know a longer one please try it out!)
 define('_PRIME', 591623);
diff --git a/inc/filters.php b/inc/filters.php
index fe843fb8f0..4a15758156 100644
--- a/inc/filters.php
+++ b/inc/filters.php
@@ -125,6 +125,9 @@ ORDER BY `filter_id` ASC", __FILE__, __LINE__);
 // Run SQLs
 REGISTER_FILTER('run_sqls', 'RUN_SQLS');
+ // Admin ACL check
+ REGISTER_FILTER('check_admin_acl', 'CHECK_ADMIN_ACL');
+
 // Register shutdown filters
 REGISTER_FILTER('shutdown', 'FLUSH_FILTERS');
 }
@@ -474,7 +477,7 @@ function FILTER_UPDATE_LOGIN_DATA () {
 // Update last module / online time
 $result = SQL_QUERY_ESC("UPDATE `"._MYSQL_PREFIX."_user_data` SET last_module='%s', last_online=UNIX_TIMESTAMP(), REMOTE_ADDR='%s' WHERE userid=%s LIMIT 1",
- array($GLOBALS['what'], GET_REMOTE_ADDR(), $GLOBALS['userid']), __FILE__, __LINE__);
+ array($GLOBALS['what'], GET_REMOTE_ADDR(), $GLOBALS['userid']), __FILE__, __LINE__);
 }
 } else {
 // Destroy session, we cannot update!
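Review bot: `REGISTER_FILTER('check_admin_acl', 'CHECK_ADMIN_ACL')` is added to the same registration block as `run_sqls` and `shutdown`, which sits right after the filter chain is read back from the database (`ORDER BY filter_id ASC` in the hunk header); if that block only executes on a fresh install or an empty filter table (its guard is not visible from here), installations that already have the table populated will never register this filter when they upgrade to SVN 655, and admin authorisation then depends on whatever `RUN_FILTER('check_admin_acl')` yields for a chain nobody registered. Because this filter becomes the only ACL check left for the admin area after this commit, the upgrade path deserves a test, and the extension's update SQL should register the filter too if the init block does not run on upgrade. The function enclosing this block starts and ends outside the hunk.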
@@ -482,5 +485,27 @@ function FILTER_UPDATE_LOGIN_DATA () {
 }
 }
+// Filter for checking admin ACL
+function FILTER_CHECK_ADMIN_ACL () {
+ // Extension not installed so it's always allowed to access everywhere!
+ $ret = true;
+
+ // Ok, Cookie-Update done
+ if ((EXT_IS_ACTIVE("admins")) && (GET_EXT_VERSION("admins") > "0.2")) {
+ // Check if action GET variable was set
+ $action = SQL_ESCAPE($GLOBALS['action']);
+ if (!empty($GLOBALS['what'])) {
+ // Get action value by what-value
+ $action = GET_ACTION("admin", $GLOBALS['what']);
+ } // END - if
+
+ // Check for access control line of current menu entry
+ $ret = ADMINS_CHECK_ACL($action, $GLOBALS['what']);
+ } // END - if
+
+ // Return result
+ return $ret;
+}
+
 // ?>
diff --git a/inc/functions.php b/inc/functions.php
index 999c6e8e64..a1d9b344f6 100644
--- a/inc/functions.php
+++ b/inc/functions.php
@@ -2004,7 +2004,7 @@ function ADD_CATEGORY_TABLE ($MODE, $return=false) {
 return REGISTER_ADD_CATEGORY_TABLE ($MODE, $return);
 }
 // Generate an email link
-function CREATE_EMAIL_LINK($email, $table="admins") {
+function CREATE_EMAIL_LINK ($email, $table = "admins") {
 // Default email link (INSECURE! Spammer can read this by harvester programs)
 $EMAIL = "mailto:".$email;
diff --git a/inc/language/admins_de.php b/inc/language/admins_de.php
index c715072183..28ef7b6a9a 100644
--- a/inc/language/admins_de.php
+++ b/inc/language/admins_de.php
@@ -64,7 +64,6 @@ define('ADMINS_CONTACT_TYPE_MSG', "Nachricht");
 define('ADMINS_CONTACT_DEFAULT_MAIL', "Ihre Nachricht wird als Mail versendet.");
 define('ADMINS_MSG_FROM_ADMIN', "Nachricht von einem Admin");
 define('ADMINS_ADMIN_CONTACTED', "Administrator wurde benachrichtigt!");
-define('ADMINS_ACCESS_DENIED', "Zugriff nicht gestattet.");
 define('ADMIN_ADMINS_ADD_ACL', "Zugriffkontrollzeile hinzufügen");
 define('ADMIN_ADMINS_SELECT_LOGIN', "Admin-Login auswählen");
 define('ADMIN_ADMINS_SELECT_ACTION', "Hauptmenü");
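Review bot: `GET_EXT_VERSION("admins") > "0.2"` in `FILTER_CHECK_ADMIN_ACL` compares version strings with `>`, which PHP evaluates numerically for numeric strings and bytewise otherwise, so a future `"0.10"` (or `"0.10.0"`) sorts below `"0.2"` and the function silently returns its fail-open default `$ret = true`, disabling every admin ACL at once. Use `version_compare(GET_EXT_VERSION("admins"), "0.2", ">")` instead; the same comparison existed in the removed admin.php code, so this commit inherits rather than introduces it, but this function is now the only place it lives. Two smaller points: `$action` is passed through `SQL_ESCAPE` while `$GLOBALS['what']` reaches `GET_ACTION` and `ADMINS_CHECK_ACL` unescaped — harmless if those helpers escape or parameterise internally, which is not visible from here, but worth confirming — and the comment `// Ok, Cookie-Update done` was carried over from the caller and no longer describes this line; `// Only enforce ACLs once ext-admins >= 0.2 provides the ACL table` would say what the condition does.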
diff --git a/inc/language/de.php b/inc/language/de.php
index 74ecd9dcb7..8ce3b7db2f 100644
--- a/inc/language/de.php
+++ b/inc/language/de.php
@@ -1197,6 +1197,7 @@ define('ADMIN_BUILD_STATUS_HANDLER', "Status-Handler");
 define('TASK_SUBJ_EXTENSION_DEACTIVATED', "Erweiterung deaktiviert");
 define('ADMIN_SUBJECT_EXTENSION_DEACTIVATED', "Automatische Deaktivierung einer Erweiterung");
 define('FATAL_EXTENSION_LOADED', "Erweiterung %s/u> bereits geladen!");
+define('ADMIN_ACCESS_DENIED', "Zugriff auf diesen Adminmenüpunkt nicht gestattet.");
 define('MEMBER_MAIL_BONUS_CONFIRMED_ON', "Sie haben diese Bonusmail %s bestätigt.");
 define('MEMBER_MAIL_NORMAL_CONFIRMED_ON', "Sie haben diese Klickmail %s bestätigt.");
diff --git a/inc/modules/admin.php b/inc/modules/admin.php
index cccd51af5a..1c58a7b53e 100644
--- a/inc/modules/admin.php
+++ b/inc/modules/admin.php
@@ -334,20 +334,8 @@ if (!isBooleanConstantAndTrue('admin_registered')) {
 // Cookie-Data accepted
 if ((set_session("admin_md5", get_session('admin_md5'))) && (set_session("admin_login", get_session('admin_login'))) && (set_session("admin_last", time())) && (set_session("admin_to", bigintval(get_session('admin_to'))))) {
 // Ok, Cookie-Update done
- if ((EXT_IS_ACTIVE("admins")) && (GET_EXT_VERSION("admins") > "0.2")) {
- // Check if action GET variable was set
- $act = SQL_ESCAPE($GLOBALS['action']);
- if (!empty($GLOBALS['what'])) {
- // Get action value by what-value
- $act = GET_ACTION("admin", $GLOBALS['what']);
- }
-
- // Check for access control line of current menu entry
- define('__ACL_ALLOW', ADMINS_CHECK_ACL($act, $GLOBALS['what']));
- } else {
- // Extension not installed so it's always allowed to access everywhere!
- define('__ACL_ALLOW', true);
- }
+ // Check for access control line of current menu entry
+ define('__ACL_ALLOW', RUN_FILTER('check_admin_acl'));
 // When type of admin menu is not set fallback to old menu system
 if (getConfig('admin_menu') == null) $_CONFIG['admin_menu'] = "OLD";
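Review bot: `define('__ACL_ALLOW', RUN_FILTER('check_admin_acl'))` makes whatever `RUN_FILTER` returns the admin allow flag, whereas the removed code always defined a literal boolean; `RUN_FILTER` is not visible from here, so if it returns its data argument, the last value of a chain, or anything truthy when no filter is registered, access is granted. Tightening the define to `define('__ACL_ALLOW', (RUN_FILTER('check_admin_acl') === true));` grants access only on an explicit `true` from the filter — which is what `FILTER_CHECK_ADMIN_ACL` in this patch returns for the no-extension case, assuming `ADMINS_CHECK_ACL` also returns a real boolean — and fails closed in every other situation. The `if` that encloses the new lines closes outside the hunk.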
diff --git a/inc/modules/admin/admin-inc.php b/inc/modules/admin/admin-inc.php
index 9aa13b1b54..4937318b2e 100644
--- a/inc/modules/admin/admin-inc.php
+++ b/inc/modules/admin/admin-inc.php
@@ -352,8 +352,8 @@ LIMIT 1", array($act, $wht, $wht), __FILE__, __LINE__);
 include($INC);
 } elseif (__ACL_ALLOW == false) {
 // Access denied
- LOAD_TEMPLATE("admin_menu_failed", false, ADMINS_ACCESS_DENIED);
- ADD_FATAL(ADMINS_ACCESS_DENIED);
+ LOAD_TEMPLATE("admin_menu_failed", false, ADMIN_ACCESS_DENIED);
+ ADD_FATAL(ADMIN_ACCESS_DENIED);
 } else {
 // Include file not found! :-(
 LOAD_TEMPLATE("admin_menu_failed", false, ADMIN_404_ACTION);
-- 
2.39.5
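Review bot: The denial branch now references `ADMIN_ACCESS_DENIED`, which this patch defines only in `inc/language/de.php` while dropping `ADMINS_ACCESS_DENIED` from `admins_de.php`; if the project ships other language files (none are visible here), PHP will substitute the bare constant name and raise a notice on the access-denied page, so the constant needs adding to each of them. The loose `__ACL_ALLOW == false` test is the safe direction for this branch (`null`, `0` and `""` all deny), so I would leave it as is. The `if`/`elseif` chain this branch belongs to starts outside the hunk.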