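/**
 * Decides whether an access group may perform an action.
 *
 * @param string $user_access_group Access-group name; 'SUDO' is allowed everything.
 * @param array  $action            Array with 'class' and 'method' keys naming the action.
 * @return bool TRUE when the permission table grants the action, FALSE otherwise.
 */
function can_do($user_access_group, $action) {
    // Strict comparison: with == a non-string group value (e.g. int 0 on PHP < 8)
    // could compare equal to 'SUDO' and bypass the whole permission table.
    if ($user_access_group === 'SUDO') {
        return TRUE;
    }
    $permissions = get_permissions();
    if (!isset($permissions[$user_access_group][$action['class']])) {
        return FALSE;
    }
    $permission = $permissions[$user_access_group][$action['class']];
    // A bare boolean at class level applies to every method of that class.
    if (is_bool($permission)) {
        return $permission;
    }
    if (!isset($permission[$action['method']])) {
        return FALSE;
    }
    $permission = $permission[$action['method']];
    // A per-method entry may be a list whose first element carries the grant flag;
    // an empty list is treated as "no grant" instead of raising an undefined-offset notice.
    if (is_array($permission)) {
        return isset($permission[0]) ? $permission[0] : FALSE;
    }
    return $permission;
}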
$chemin_sous_dossier = $dossier; $perms_dossier = get_permissions($chemin_sous_dossier); if ($perms_dossier != $thisSite->DROITS_DOSSIER_ECRITURE) { $infos .= "<div class='erreur'>ATTENTION: Les droits du dossier " . strtoupper($chemin_sous_dossier) . " sont à " . $perms_dossier . " alors qu'ils devraient être à " . $thisSite->DROITS_DOSSIER_ECRITURE . "</div>"; $erreur_perms = 1; } } $chemin_sous_dossier = $racine_smarty . "smarty/templates_c/"; $perms_dossier = get_permissions($chemin_sous_dossier); if ($perms_dossier != $thisSite->DROITS_DOSSIER_ECRITURE) { $infos .= "<div class='erreur'><br>ATTENTION: Les droits du dossier " . strtoupper($chemin_sous_dossier) . " sont à " . $perms_dossier . " alors qu'ils devraient être à " . $thisSite->DROITS_DOSSIER_ECRITURE . "</div>"; $erreur_perms = 1; } $chemin_sous_dossier = $racine_smarty . "smarty/cache/"; $perms_dossier = get_permissions($chemin_sous_dossier); if ($perms_dossier != $thisSite->DROITS_DOSSIER_ECRITURE) { $infos .= "<div class='erreur'>ATTENTION: Les droits du dossier " . strtoupper($chemin_sous_dossier) . " sont à " . $perms_dossier . " alors qu'ils devraient être à " . $thisSite->DROITS_DOSSIER_ECRITURE . "</div>"; $erreur_perms = 1; } $chemin_sous_dossier = $racine_smarty . $thisSite->DOS_LOGS; $perms_dossier = get_permissions($chemin_sous_dossier); if ($perms_dossier != $thisSite->DROITS_DOSSIER_ECRITURE) { $infos .= "<div class='erreur'><br>ATTENTION: Les droits du dossier " . strtoupper($chemin_sous_dossier) . " sont à " . $perms_dossier . " alors qu'ils devraient être à " . $thisSite->DROITS_DOSSIER_ECRITURE . "</div>"; $erreur_perms = 1; } if ($erreur_perms == 1) { $infos .= "<br><div class='erreur'>CELA PEUT POSER DES PROBLEMES LORS DE L'AJOUT DE FICHIERS (UPLOAD)</div>"; $infos .= "<div class='erreur'>CONTACTER LE WEBMASTER POUR QU'IL CORRIGE LE PROBLEME.</div>"; } } $smarty->assign("infos", $infos);
list($UserID, $PermissionID, $CustomPermissions, $PassHash, $Secret, $Enabled) = $DB->next_record(MYSQLI_NUM, array(2)); if (strtotime($BannedUntil) < time()) { if ($UserID && $PassHash == make_hash($_POST['password'], $Secret)) { if ($Enabled == 1) { $SessionID = make_secret(); $Cookie = $Enc->encrypt($Enc->encrypt($SessionID . '|~|' . $UserID)); if (isset($_POST['keeplogged']) && $_POST['keeplogged']) { $KeepLogged = 1; setcookie('session', $Cookie, time() + 60 * 60 * 24 * 365, '/', '', false); } else { $KeepLogged = 0; setcookie('session', $Cookie, 0, '/', '', false); } //TODO: another tracker might enable this for donors, I think it's too stupid to bother adding that // Because we <3 our staff $Permissions = get_permissions($PermissionID); $CustomPermissions = unserialize($CustomPermissions); if (isset($Permissions['Permissions']['site_disable_ip_history']) || isset($CustomPermissions['site_disable_ip_history'])) { $_SERVER['REMOTE_ADDR'] = '127.0.0.1'; } $DB->query("INSERT INTO users_sessions\n\t\t\t\t\t\t\t(UserID, SessionID, KeepLogged, Browser, OperatingSystem, IP, LastUpdate)\n\t\t\t\t\t\t\tVALUES ('{$UserID}', '" . db_string($SessionID) . "', '{$KeepLogged}', '{$Browser}','{$OperatingSystem}', '" . db_string($_SERVER['REMOTE_ADDR']) . "', '" . sqltime() . "')"); $Cache->begin_transaction('users_sessions_' . $UserID); $Cache->insert_front($SessionID, array('SessionID' => $SessionID, 'Browser' => $Browser, 'OperatingSystem' => $OperatingSystem, 'IP' => $_SERVER['REMOTE_ADDR'], 'LastUpdate' => sqltime())); $Cache->commit_transaction(0); $Sql = "UPDATE users_main \n\t\t\t\t\t\t\tSET \n\t\t\t\t\t\t\t\tLastLogin='******',\n\t\t\t\t\t\t\t\tLastAccess='" . sqltime() . "'"; $Sql .= "\tWHERE ID='" . db_string($UserID) . "'"; $DB->query($Sql); if (!empty($_COOKIE['redirect'])) { $URL = $_COOKIE['redirect']; setcookie('redirect', '', time() - 60 * 60 * 24, '/', '', false); header('Location: ' . $URL);
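/**
 * Prints a directory listing as rows of an HTML table and returns the byte total.
 *
 * The top-level call (depth 0) opens the table, prints the header rows and closes
 * the table with a total line; recursive calls only append rows for their level.
 *
 * @param string     $path      Directory to list.
 * @param int|string $max_depth Maximum recursion depth; '' (default) means unlimited.
 * @param int        $l         Current depth, 0 for the caller's entry point.
 * @param int|string $total     Running byte total handed down through the recursion.
 * @return int|null Total size in bytes of the listed files; null when $path is not a directory.
 */
function get_dir($path, $max_depth = '', $l = 0, $total = '') {
    if (!is_dir($path)) {
        echo "\nInvalid Path\n";
        return;
    }
    // Guarantee a trailing slash so child paths can be built by plain concatenation.
    $path = substr($path, -1) != "/" ? $path . "/" : $path;
    if (!$l) {
        // Only the outermost call opens the table; opening it again on every
        // level produced nested <table> elements that were never closed.
        echo "<table border='0' cellpadding='5' cellspacing='0'>";
        echo "\n<tr><td colspan='4'>Contents of directory " . htmlspecialchars($path, ENT_QUOTES) . " :</td></tr>\n";
        echo "\n<tr><td>Permissions</td><td>File Size</td><td>File Name</td><td> </td></tr>\n";
        $total = 0;
    }
    // Recurse into subdirectories while the depth limit ('' = unlimited) is not reached.
    $test_depth = $max_depth === '' || (is_int($max_depth) && $max_depth > $l);
    $pre = str_repeat("\t", $l);
    $dir = opendir($path);
    if ($dir === false) {
        // opendir() already reported the failure; nothing to list at this level.
        return $total;
    }
    // NOTE(review): $urlpath and $me are not defined in this scope (neither parameter
    // nor global), so the links below are built with an empty prefix — confirm how the
    // caller intends to supply them.
    // Compare against false explicitly: an entry literally named "0" would otherwise end the loop.
    while (($f = readdir($dir)) !== false) {
        if ($f == "." || $f == "..") {
            continue;
        }
        $file = $path . $f;
        $size = "";
        if (is_file($file) || !is_dir($file)) {
            $s = filesize($file);
            $total += $s;
            $size = "[ " . fsize($s) . " ]";
        } else {
            $f .= "/";
        }
        $size = str_pad($size, 16, " ", STR_PAD_LEFT);
        // Entry names come from the filesystem, not from this page: escape them for the
        // HTML context and separately for the URL query parameters.
        $f_html = htmlspecialchars($f, ENT_QUOTES);
        $f_url = rawurlencode($f);
        echo "\n<tr><td>" . get_permissions(fileperms($file)) . "</td><td>" . $size . $pre . "</td><td>" . $f_html . "</td><td>";
        switch ($f) {
            // The downloader scripts themselves get no action links.
            case 'download.php':
            case 'dl.php':
            case 'index.php':
                echo " </td></tr>";
                break;
            default:
                echo "<a href=\"{$urlpath}/dl.php?name={$f_url}&mode=view\">View</a> <a href=\"{$urlpath}/dl.php?name={$f_url}\">Download</a> <a href=\"{$me}?mode=delete&name={$f_url}\" onclick=\"return delete_confirm();\">Delete</a></td></tr>";
                break;
        }
        if (is_dir($file) && $test_depth) {
            $total = get_dir($file, $max_depth, $l + 1, $total);
        }
    }
    // Release the directory handle; the original left it open on every level.
    closedir($dir);
    if (!$l) {
        echo "\n<tr><td colspan='4'>Total size: " . fsize($total) . "</td></tr></table>";
    }
    return $total;
}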
/**
 * Answers whether the current account holds $permission on the given context.
 *
 * The permission manager is cached in $_SESSION together with the account it
 * was built for and the time it was built. It is rebuilt when it is absent,
 * was built for a different account, or is older than
 * GeniUser::STALE_PERMISSION_MANAGER_THRESHOLD_SEC.
 *
 * @param mixed $permission   Permission being checked (passed through to the manager).
 * @param mixed $context_type Context type the permission applies to.
 * @param mixed $context_id   Identifier of the context.
 * @return mixed Whatever the permission manager's is_allowed() returns.
 */
function isAllowed($permission, $context_type, $context_id) {
    global $cs_url;
    $now = time();

    // Read the cached manager, its build time and its account from the session;
    // a key that is not present reads as null.
    $cached = array();
    $tags = array(PERMISSION_MANAGER_TAG, PERMISSION_MANAGER_TIMESTAMP_TAG, PERMISSION_MANAGER_ACCOUNT_ID_TAG);
    foreach ($tags as $tag) {
        $cached[$tag] = array_key_exists($tag, $_SESSION) ? $_SESSION[$tag] : null;
    }
    $permission_manager = $cached[PERMISSION_MANAGER_TAG];
    $built_at = $cached[PERMISSION_MANAGER_TIMESTAMP_TAG];
    $built_for = $cached[PERMISSION_MANAGER_ACCOUNT_ID_TAG];

    $missing = $permission_manager == null;
    $other_account = $built_for != $this->account_id;
    $stale = $now - $built_at > GeniUser::STALE_PERMISSION_MANAGER_THRESHOLD_SEC;

    if ($missing || $other_account || $stale) {
        // Lazily resolve the credential-store URL the first time it is needed.
        if ($cs_url == null) {
            $cs_url = get_first_service_of_type(SR_SERVICE_TYPE::CREDENTIAL_STORE);
        }
        $permission_manager = get_permissions($cs_url, $this, $this->account_id);
        $_SESSION[PERMISSION_MANAGER_TAG] = $permission_manager;
        $_SESSION[PERMISSION_MANAGER_TIMESTAMP_TAG] = $now;
        $_SESSION[PERMISSION_MANAGER_ACCOUNT_ID_TAG] = $this->account_id;
    }

    return $permission_manager->is_allowed($permission, $context_type, $context_id);
}
if (($_GET['action'] == 'grant' or $_GET['action'] == 'revoke') and isset($_GET['permission']) and isset($_GET['tool'])) { $result_message = store_one_permission('group', $_GET['action'], $group_id, $_GET['tool'], $_GET['permission']); } if (isset($_GET['role']) and ($_GET['action'] == 'grant' or $_GET['action'] == 'revoke')) { $result_message = assign_role('group', $_GET['action'], $group_id, $_GET['role'], $_GET['scope']); echo 'hier'; } } if (isset($result_message)) { Display::display_normal_message($result_message); } // --------------------------------------------------- // RETRIEVING THE PERMISSIONS // --------------------------------------------------- $current_group_permissions = array(); $current_group_permissions = get_permissions('group', $group_id); // @todo current group permissions and current role permissions // --------------------------------------------------- // INHERITED PERMISSIONS (group roles) // --------------------------------------------------- $group_course_roles_permissions = get_roles_permissions('group', $group_id, 'course'); $group_platform_roles_permissions = get_roles_permissions('group', $group_id, 'platform'); $inherited_permissions = permission_array_merge($group_course_roles_permissions, $group_platform_roles_permissions); // --------------------------------------------------- // LIMITED OR FULL // --------------------------------------------------- $current_group_permissions = limited_or_full($current_group_permissions); $inherited_permissions = limited_or_full($inherited_permissions); if (api_get_setting('permissions') == 'limited') { $header_array = $rights_limited; }
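/**
 * Checks whether the user is allowed in a specific tool for a specific action
 * @param $tool the tool we are checking if the user has a certain permission
 * @param $action the action we are checking (add, edit, delete, move, visibility)
 * @param int $task_id when non-zero, the task whose permissions are checked instead of the user's
 * @return bool true when $action on $tool is granted; false otherwise, including when
 *              no permission data is cached for the current course
 * @author Patrick Cool <*****@*****.**>, Ghent University
 * @author Julio Montoya
 * @version 1.0
 */
function api_is_allowed($tool, $action, $task_id = 0) {
    $_user = api_get_user_info();
    $_course = api_get_course_info();
    // Course admins bypass the permission matrix entirely.
    if (api_is_course_admin()) {
        return true;
    }
    if (is_array($_course) and count($_course) > 0) {
        require_once api_get_path(SYS_CODE_PATH) . 'permissions/permissions_functions.inc.php';
        // The per-course cache holds either the user's or the task's permissions,
        // never both: a non-zero $task_id replaces the user lookup.
        if ($task_id == 0) {
            $user_permissions = get_permissions('user', $_user['user_id']);
            $_SESSION['total_permissions'][$_course['code']] = $user_permissions;
        } else {
            $task_permissions = get_permissions('task', $task_id);
            $_SESSION['total_permissions'][$_course['code']] = $task_permissions;
        }
        // Course-role permissions are fetched but not merged into the cache; the call is
        // kept as in the original in case get_roles_permissions() has side effects — confirm.
        get_roles_permissions('user', $_user['user_id']);
    }
    // If the permissions are limited, we have to map the extended ones to the limited ones.
    if (api_get_setting('permissions') == 'limited') {
        if ($action == 'Visibility' || $action == 'Move') {
            $action = 'Edit';
        }
    }
    // Look the tool up in the cached course permissions without triggering
    // undefined-index notices when the course or the cache entry is missing.
    $course_code = (is_array($_course) && isset($_course['code'])) ? $_course['code'] : null;
    if (!isset($_SESSION['total_permissions'][$course_code][$tool])
        || !is_array($_SESSION['total_permissions'][$course_code][$tool])) {
        // The original fell off the end here (implicit null); an explicit false
        // keeps callers' truthiness checks and states the contract.
        return false;
    }
    // Loose in_array kept on purpose: the cached action values' types are not known here.
    return in_array($action, $_SESSION['total_permissions'][$course_code][$tool]);
}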
// If not table ID, get ID from name if ($_GET['table'] || $_GET['table'] == 0) { $table_id = array_search($_GET['table'], $tables) !== false ? array_search($_GET['table'], $tables) : $_GET['table']; $table_rows = get_rows($table_id); //print_r($table_rows); } ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // If nothing is found... if (!$table_rows) { $_SESSION['alert'] = "no_such_table_" . addslashes($_GET['table']); header("Location: " . CMS_INSTALL_PATH . "tables.php"); die; } ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // Check Permissions $allow = get_permissions($table_rows['name']); if (!$allow['view']) { $_SESSION['alert'] = "permissions_view"; header("Location: " . CMS_INSTALL_PATH . "tables.php"); die; } // Disable Reordering if more than X items if (count($table_rows['rows']) > MAX_TABLE_REORDERABLE_ITEMS) { $allow['reorder'] = false; } ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// // Get browse rows (Loop through all items in this table) function show_browse_rows() { global $dbh; global $table_rows;
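/**
 * Renders step 2 of the installer: environment checks (writable data directory,
 * required PHP functions, safe_mode / safe_mode_exec_dir / disable_functions).
 *
 * @param string $lang Language code selecting ./lang/lang.<code>; must be a plain identifier.
 * @return void Output is echoed directly.
 * @throws InvalidArgumentException when $lang contains anything but [A-Za-z0-9_-].
 */
function step_2($lang) {
    require './samsclass.php';
    // $lang round-trips through a form field, so treat it as caller-controlled: restrict it
    // to a plain identifier before it becomes part of a require path.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', (string) $lang)) {
        throw new InvalidArgumentException('Invalid language identifier');
    }
    $langmodule = "./lang/lang.{$lang}";
    require $langmodule; // defines the $setup_* strings used below
    $SAMSConf = new MAINCONF();
    print "<INPUT TYPE=\"HIDDEN\" NAME=\"step\" value=\"3\">\n";
    print "<INPUT TYPE=\"HIDDEN\" NAME=\"lang\" value=\"{$lang}\">\n";
    print "<H2 ALIGN=\"CENTER\">{$setup_5}</H2>\n";
    echo "<INPUT CLASS=\"button\" TYPE=\"button\" onclick=\"window.location=window.location\" VALUE=\"{$setup_18}\">\n";
    print "<H4>{$setup_6}</H4>\n";

    // Writable data directory check.
    echo "<TABLE WIDTH=80%>\n";
    echo "<H3><FONT COLOR=BLUE>{$setup_19}:</FONT></H3>\n";
    if (get_permissions("data/test.txt", "w", $setup_7, $lang) == 0) {
        echo "<BR><font color=red> {$setup_8}</font>";
        echo "<BR>{$setup_9}";
    }
    echo "</TABLE>";

    // Required PHP functions; the database driver depends on the configured engine.
    echo "<H3><FONT COLOR=BLUE>{$setup_21}:</FONT></H3>";
    echo "<TABLE WIDTH=80%>";
    if ($SAMSConf->DB_ENGINE == "MySQL") {
        get_php_function("mysql_connect", $setup_24, $lang);
    }
    if ($SAMSConf->DB_ENGINE == "PostgreSQL") {
        get_php_function("pg_connect", $setup_35, $lang);
    }
    get_php_function("gzopen", $setup_22, $lang);
    get_php_function("imagecreatetruecolor", $setup_23, $lang);
    echo "</TABLE>";

    // php.ini settings.
    echo "<H3><FONT COLOR=BLUE>{$setup_20}:</FONT></H3>";
    echo "<TABLE WIDTH=90%>";
    echo "<TR>";
    echo "<TD WIDTH=30%><B>{$setup_31}</B>";
    echo "<TD WIDTH=35%><B>{$setup_29}</B>";
    echo "<TD WIDTH=35%><B>{$setup_30}</B>";
    echo "<TR>";
    echo "<TD WIDTH=50%><B>safe_mode</B>";
    echo "<TD>on";
    // Default to "off" so the comparison below is defined even when ini_get() is unavailable.
    $safe_switch = 0;
    if (function_exists('ini_get')) {
        $safe_switch = ini_get("safe_mode") ? 1 : 0;
    }
    if ($safe_switch == 0) {
        echo "<TD><font color=RED>off</b></font>";
    } else {
        echo "<TD><font color=GREEN>on</b></font>";
        $safe_mode_exec_dir = ini_get("safe_mode_exec_dir") ? 1 : 0;
        $safe_mode_exec_dir_path = ini_get("safe_mode_exec_dir");
        $real_path = realpath(".");
        echo "<TR>";
        echo "<TD WIDTH=50%><B>safe_mode_exec_dir</B>";
        echo "<TD>{$real_path}/bin";
        if ($safe_mode_exec_dir == 0) {
            echo "<TD><font color=RED>{$setup_28}</b></font>";
        } else {
            // Green only when the exec dir is exactly the installer's own bin directory.
            if ($safe_mode_exec_dir_path == "{$real_path}/bin") {
                echo "<TD><font color=GREEN>{$safe_mode_exec_dir_path}</b></font>";
            } else {
                echo "<TD><font color=RED>{$safe_mode_exec_dir_path}</b></font>";
            }
        }
        echo "<TR>";
        echo "<TD><TD COLSPAN=2>{$setup_40}";
        $disable_functions_names = (string) ini_get("disable_functions");
        // Test the whole list for "exec": the former ",exec" substring test missed "exec" as the
        // first entry and matched unrelated names that merely start with "exec".
        $disabled_list = array_map('trim', explode(",", $disable_functions_names));
        $exec_disabled = in_array("exec", $disabled_list, true);
        echo "<TR>";
        echo "<TD WIDTH=50%><B>disable_functions</B>";
        echo "<TD>{$setup_41} <B>exec</B>";
        $disable_functions_display = "disable_functions= " . str_replace(",", ", ", $disable_functions_names);
        if ($exec_disabled) {
            echo "<TD><font color=RED>" . $disable_functions_display . "</b></font>";
        } else {
            echo "<TD><font color=GREEN>" . $disable_functions_display . "</b></font>";
        }
    }
    echo "</TABLE>\n";
}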
echo "<td></td>"; } $fileowner = ""; $filegroup = ""; if (is_executable($dir) && installed_php("fileowner") && installed_php("filegroup")) { $fileowner = fileowner($curr_dir); $filegroup = filegroup($curr_dir); if (installed_php("posix_getpwuid")) { $fileowner = posix_getpwuid($fileowner)["name"]; $filegroup = posix_getgrgid($filegroup)["name"]; } } echo "<td>{$fileowner}</td>"; echo "<td>{$filegroup}</td>"; if (is_executable($dir)) { echo "<td>" . get_permissions($curr_dir) . "</td>"; } else { echo "<td></td>"; } echo "<td>"; if (is_dir($curr_dir)) { //for directories only if (is_readable($curr_dir)) { echo "\n\t\t\t\t\t\t\t<form style='font-color=;display:inline;' action='#File Manager' method='post'>\n\t\t\t\t\t\t\t\t<input type='hidden' name='zip' value='" . xor_this($curr_dir) . "'/>\n\t\t\t\t\t\t\t\t<input type='hidden' name='dir' value='" . xor_this($dir) . "' />\n\t\t\t\t\t\t\t\t<input type='submit' class='a_button' value='Zip'/>\n\t\t\t\t\t\t\t</form>"; } } else { //for files only if (is_readable($curr_dir)) { echo "\n\t\t\t\t\t\t\t<form style='font-color=;display:inline;' action='#File Manager' method='post'>\n\t\t\t\t\t\t\t\t<input type='hidden' name='download' value='" . xor_this($curr_dir) . "'/>\n\t\t\t\t\t\t\t\t<input type='submit' class='a_button' value='Download'/>\n\t\t\t\t\t\t\t</form>"; } if (is_readable($curr_dir) && is_writable($curr_dir)) {
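// Reward-clue review list: an admin sees only the clues assigned to them unless
// they hold the "reward_check_list_assign" privilege, in which case all clues are listed.
get_token();
check_permissions($_SESSION['admin_purview'], "reward_check_list");
require_once QISHI_ROOT_PATH . 'include/page.class.php';
$wheresql = " WHERE 1=1 ";
$oederbysql = " order BY addtime DESC ";
if (isset($_GET['status']) && $_GET['status'] !== "") {
    // status filter: 0 = unassigned (no member linked), 1 = assigned
    $consultant = intval($_GET['status']);
    if ($consultant === 0) {
        $wheresql .= " AND m.member_id is null";
    } elseif ($consultant === 1) {
        // "<> null" is never true in SQL, so the "assigned" filter returned nothing;
        // IS NOT NULL expresses the intended condition.
        $wheresql .= " AND m.member_id IS NOT NULL";
    }
}
// assign privilege
$assign = get_permissions($_SESSION['admin_purview'], "reward_check_list_assign");
if (!$assign) {
    // Without the assign privilege, restrict to the current admin's own clues.
    // The id comes from the session, but cast it anyway so only an integer reaches the SQL.
    $wheresql .= " AND c.admin_id = " . intval($_SESSION["admin_id"]);
}
// NOTE(review): the count query aliases jobs_reward_clue as "m" while $wheresql may
// reference "c.admin_id" — confirm the aliases match those used by get_clue_check_list().
$total_sql = "SELECT COUNT(*) AS num FROM " . table('jobs_reward_clue') . " as m " . $wheresql;
$total_val = $db->get_total($total_sql);
$page = new page(array('total' => $total_val, 'perpage' => $perpage, 'getarray' => $_GET));
$currenpage = $page->nowindex;
$offset = ($currenpage - 1) * $perpage;
$member = get_clue_check_list($offset, $perpage, $wheresql . $oederbysql);
$admin = $db->getall("select * from " . table("admin") . " where admin_id!=1 order by admin_id");
$smarty->assign('admin', $admin);
$smarty->assign('pageheader', "人才线索");
$smarty->assign('member', $member);
$smarty->assign('page', $page->show(3));
$smarty->assign("assign", $assign);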
// Admin URL selection: an area uses the secure admin URL only when SSL is
// requested for that area and a secure URL is actually configured.
$secure_available = strlen($secure_url) > 0;
$order_details_site_url = ($ssl_admin_order_details && $secure_available) ? $admin_secure_url : $admin_site_url;
$orders_pages_site_url = ($ssl_admin_orders_pages && $secure_available) ? $admin_secure_url : $admin_site_url;
$admin_order_call_base = ($secure_admin_order_create && $secure_available) ? $admin_secure_url : $admin_site_url;
$admin_order_call_url = $admin_order_call_base . "admin_order_call.php";

$permissions = get_permissions();
//BEGIN product privileges changes
// Each product-area privilege is read from $permissions with a third argument of 0
// (presumably the value used when the setting is absent — verify against get_setting_value()).
$privilege = function ($name) use ($permissions) {
    return get_setting_value($permissions, $name, 0);
};
$products_categories_perm = $privilege("products_categories");
$products_settings_perm = $privilege("products_settings");
$product_types_perm = $privilege("product_types");
$manufacturers_perm = $privilege("manufacturers");
$features_groups_perm = $privilege("features_groups");
$products_reviews_perm = $privilege("products_reviews");
$products_report_perm = $privilege("product_report");
$shipping_methods_perm = $privilege("shipping_methods");
$shipping_times_perm = $privilege("shipping_times");
$shipping_rules_perm = $privilege("shipping_rules");
$downloadable_products_perm = $privilege("downloadable_products");
$coupons_perm_perm = $privilege("coupons");
$saved_types_perm = $privilege("saved_types");
$advanced_search_perm = $privilege("advanced_search");
<?php
// Profile-settings page. Everything here is keyed on $UserID / $U rather than on
// $LoggedUser, because staff holding users_edit_profiles may be editing someone else's profile.
authorize();
$UserID = $_REQUEST['userid'];
if (!is_number($UserID)) {
    error(404);
}
$U = user_info($UserID);
if (!$U) {
    error(404);
}
$Permissions = get_permissions($U['PermissionID']);
$EditingOther = $UserID != $LoggedUser['ID'];
if ($EditingOther && !check_perms('users_edit_profiles', $Permissions['Class'])) {
    // Report the attempt to the admin channel, then refuse.
    $UserLink = "http://" . NONSSL_SITE_URL . "/user.php?id=";
    send_irc("PRIVMSG " . ADMIN_CHAN . " :User " . $LoggedUser['Username'] . " (" . $UserLink . $LoggedUser['ID'] . ") just tried to edit the profile of " . $UserLink . $_REQUEST['userid']);
    error(403);
}

// Form-field validation rules (order preserved: it is the order errors are reported in).
$ZeroOrOne = array('minlength' => 0, 'maxlength' => 1);
$PasswordLength = array('minlength' => 6, 'maxlength' => 40);
$Val->SetFields('stylesheet', 1, "number", "You forgot to select a stylesheet.");
$Val->SetFields('styleurl', 0, "regex", "You did not enter a valid stylesheet url.", array('regex' => '/^https?:\\/\\/(localhost(:[0-9]{2,5})?|[0-9]{1,3}(\\.[0-9]{1,3}){3}|([a-zA-Z0-9\\-\\_]+\\.)+([a-zA-Z]{1,5}[^\\.]))(:[0-9]{2,5})?(\\/[^<>]+)+\\.css$/i'));
$Val->SetFields('disablegrouping', 1, "number", "You forgot to select your torrent grouping option.", $ZeroOrOne);
$Val->SetFields('torrentgrouping', 1, "number", "You forgot to select your torrent grouping option.", $ZeroOrOne);
$Val->SetFields('discogview', 1, "number", "You forgot to select your discography view option.", $ZeroOrOne);
$Val->SetFields('postsperpage', 1, "number", "You forgot to select your posts per page option.", array('inarray' => array(25, 50, 100)));
$Val->SetFields('hidecollage', 1, "number", "You forgot to select your collage option.", $ZeroOrOne);
$Val->SetFields('showtags', 1, "number", "You forgot to select your show tags option.", $ZeroOrOne);
$Val->SetFields('avatar', 0, "regex", "You did not enter a valid avatar url.", array('regex' => "/^" . IMAGE_REGEX . "\$/i"));
$Val->SetFields('email', 1, "email", "You did not enter a valid email address.");
$Val->SetFields('irckey', 0, "string", "You did not enter a valid IRCKey, must be between 6 and 32 characters long.", array('minlength' => 6, 'maxlength' => 32));
$Val->SetFields('cur_pass', 0, "string", "You did not enter a valid password, must be between 6 and 40 characters long.", $PasswordLength);
$Val->SetFields('new_pass_1', 0, "string", "You did not enter a valid password, must be between 6 and 40 characters long.", $PasswordLength);
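/**
 * Resolves whether ARO $aroname is allowed on ACO $aconame, walking up the
 * slash-separated ARO path ("/a/b" -> "/a" -> "/") until a rule decides.
 *
 * Precedence at each level: explicit deny list, explicit allow list,
 * deny-all "*", allow-all "*". Reaching "/" without a decision yields false.
 *
 * @param string $aroname Slash-separated ARO path.
 * @param string $aconame ACO key into $this->acos_aros, used when get_permissions() is not defined.
 * @return bool
 */
private function _check_role_permission($aroname, $aconame) {
    if (!trim($aroname)) {
        return false;
    }
    if (function_exists("get_permissions")) {
        $perm = get_permissions($aroname);
    } else {
        $perm = isset($this->acos_aros[$aconame]) ? $this->acos_aros[$aconame] : null;
    }
    // Read the rule entries explicitly instead of with @-suppressed offsets.
    $deny = (is_array($perm) && isset($perm["deny"])) ? $perm["deny"] : null;
    $allow = (is_array($perm) && isset($perm["allow"])) ? $perm["allow"] : null;

    // Deny entries configured: a match for this ARO denies every action of the ACO.
    if (is_array($deny) && $this->_in_array($aroname, $deny)) {
        return false;
    }
    // Allow entries configured: a match for this ARO allows every action of the ACO.
    if (is_array($allow) && $this->_in_array($aroname, $allow)) {
        return true;
    }
    // Wildcards: deny takes precedence over allow. The loose == is kept from the
    // original so existing rule values keep their current meaning.
    if ($deny == "*") {
        return false;
    }
    if ($allow == "*") {
        return true;
    }
    // Root reached and nothing matched.
    if ($aroname == "/") {
        return false;
    }
    // Strip the last path segment and retry one level up.
    // (The original passed an undefined third argument to the recursive call; dropped.)
    $segments = explode("/", $aroname);
    array_pop($segments);
    $parent = count($segments) == 1 ? "/" : implode("/", $segments);
    return $this->_check_role_permission($parent, $aconame);
}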
// $LoggedUser['RatioWatch']: true while the user is on ratio watch, i.e. an end date
// is set and still in the future, and uploaded bytes are below the required share of
// downloaded bytes. Used to disable features for such users.
$LoggedUser['RatioWatch'] = (
    $LoggedUser['RatioWatchEnds'] != '0000-00-00 00:00:00'
    && strtotime($LoggedUser['RatioWatchEnds']) > time()
    && $LoggedUser['BytesUploaded'] < $LoggedUser['BytesDownloaded'] * $LoggedUser['RequiredRatio']
);

// Manage 'special' inherited permissions: the artist and donor classes contribute
// their permission sets, then any per-user custom permissions; later entries win.
$ArtistPerms = $LoggedUser['Artist'] ? get_permissions(ARTIST) : array('Permissions' => array());
$DonorPerms = $LoggedUser['Donor'] ? get_permissions(DONOR) : array('Permissions' => array());
$CustomPerms = is_array($LoggedUser['CustomPermissions']) ? $LoggedUser['CustomPermissions'] : array();
$LoggedUser['Permissions'] = array_merge(
    $LoggedUser['Permissions'],
    $DonorPerms['Permissions'],
    $ArtistPerms['Permissions'],
    $CustomPerms
);

// Because we <3 our staff
if (check_perms('site_disable_ip_history')) {
    $_SERVER['REMOTE_ADDR'] = '127.0.0.1';
}
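/**
 * Authenticates the user from the login form ($_POST) or from the remember-me
 * cookies and initialises the WRM session on success.
 *
 * @return int 1 when the login succeeded and the session was set up, 0 otherwise.
 */
function phpraid_login() {
    global $db_raid, $phpraid_config;
    global $db_user_id, $db_user_name, $db_user_email, $db_user_password, $table_prefix, $db_table_user_name;
    $username = $password = "";
    // Initialised up front so the flag is defined on every path (the logout branch left it unset).
    $pwdencrypt = FALSE;
    if (isset($_POST['username'])) {
        // Form login: the password arrives in plain text, so password_check() has to hash it.
        $pwdencrypt = FALSE;
        $username = mb_strtolower(scrub_input($_POST['username']), "UTF-8");
        $password = isset($_POST['password']) ? $_POST['password'] : "";
    } elseif (isset($_COOKIE['username']) && isset($_COOKIE['password'])) {
        // Cookie login: the cookie already holds the value password_check() produced earlier.
        $pwdencrypt = TRUE;
        $username = mb_strtolower(scrub_input($_COOKIE['username']), "UTF-8");
        $password = $_COOKIE['password'];
    } else {
        phpraid_logout();
    }
    $sql = sprintf("SELECT " . $db_user_id . " , " . $db_user_name . " , " . $db_user_email . " , " . $db_user_password . " FROM " . $table_prefix . $db_table_user_name . " WHERE " . $db_user_name . " = %s", quote_smart($username));
    $result = $db_raid->sql_query($sql) or print_error($sql, mysql_error(), 1);
    while ($data = $db_raid->sql_fetchrow($result, true)) {
        // Only the row whose name matches case-insensitively counts.
        if ($username != mb_strtolower($data[$db_user_name], "UTF-8")) {
            continue;
        }
        $cmspass = password_check($password, $data[$db_user_id], $pwdencrypt);
        if (!$cmspass) {
            continue;
        }
        // User is properly logged in and is allowed to use WRM, go ahead and process his login.
        if (session_id() !== '') {
            // Issue a fresh session id on login so an id obtained before authentication is not kept.
            session_regenerate_id(true);
        }
        if (isset($_POST['autologin'])) {
            // The original tested isset() on a local it had just assigned, which was always
            // true, so the remember-me cookies were set regardless of the user's choice.
            // Cookies expire in one month; HttpOnly keeps them out of reach of page scripts.
            // NOTE(review): the 'password' cookie carries the value password_check() returned — confirm
            // that is a derived token and not the plain password.
            setcookie('username', $data[$db_user_name], time() + 2629743, '', '', false, true);
            setcookie('password', $cmspass, time() + 2629743, '', '', false, true);
        }
        // set user profile variables
        $_SESSION['username'] = mb_strtolower($data[$db_user_name], "UTF-8");
        $_SESSION['session_logged_in'] = 1;
        $_SESSION['profile_id'] = $data[$db_user_id];
        $_SESSION['email'] = $data[$db_user_email];
        // get user permissions
        get_permissions();
        // IUMS Auth does not do profile checking like external bridges do; only the login time is stamped.
        $sql = sprintf("UPDATE " . $phpraid_config['db_prefix'] . "profile SET last_login_time=%s WHERE profile_id=%s", quote_smart(time()), quote_smart($_SESSION['profile_id']));
        $db_raid->sql_query($sql) or print_error($sql, mysql_error(), 1);
        // Drop the credentials from scope as soon as they are no longer needed.
        unset($username, $password, $cmspass);
        return 1;
    }
    return 0;
}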
/**
 * Assembles a user's effective permission set: the class permissions, the
 * Artist / Donor class sets when those flags are on, any custom permissions,
 * and a MaxCollages entry. Later sets override earlier ones in the merge.
 *
 * @param int                $UserID            User whose permissions are assembled.
 * @param array|string|false $CustomPermissions Custom permissions as array or serialized
 *                                              string; false means read them from users_main.
 * @return array Flat permission-name => value map.
 */
function get_permissions_for_user($UserID, $CustomPermissions = false) {
    global $DB;
    $UserInfo = user_info($UserID);
    if ($CustomPermissions === false) {
        $DB->query('SELECT um.CustomPermissions FROM users_main AS um WHERE um.ID = ' . (int) $UserID);
        list($CustomPermissions) = $DB->next_record(MYSQLI_NUM, false);
    }
    // NOTE(review): unserialize() of a database column; acceptable only while this
    // application is the sole writer of users_main.CustomPermissions — confirm.
    if (!empty($CustomPermissions) && !is_array($CustomPermissions)) {
        $CustomPermissions = unserialize($CustomPermissions);
    }
    $NoPerms = array('Permissions' => array());
    $Permissions = get_permissions($UserInfo['PermissionID']);
    // Manage 'special' inherited permissions (Artist looked up before Donor, as before).
    $ArtistPerms = $UserInfo['Artist'] ? get_permissions(ARTIST) : $NoPerms;
    $DonorPerms = $UserInfo['Donor'] ? get_permissions(DONOR) : $NoPerms;
    $CustomPerms = empty($CustomPermissions) ? array() : $CustomPermissions;
    // NOTE(review): $MaxCollages is never assigned in this function and is not declared
    // global, so the 'MaxCollages' entry is always null here — confirm the intent.
    return array_merge(
        $Permissions['Permissions'],
        $DonorPerms['Permissions'],
        $ArtistPerms['Permissions'],
        $CustomPerms,
        array('MaxCollages' => $MaxCollages)
    );
}
} } // course roles $all_roles = get_all_roles(); foreach ($all_roles as $role) { echo '<div><a href="roles.php?action=view&role_id=' . $role['role_id'] . '">' . $role['role_name'] . '</a><a href="roles.php?action=delete&role_id=' . $role['role_id'] . '"><img src="../img/delete.gif" /></a></div>'; echo '<div>' . $role['role_comment'] . '</div><br />'; if ($role['role_id'] == $_GET['role_id']) { $current_role_info = $role; } } // =================================================== // DISPLAYING THE PERMISSIONS OF A GIVEN ROLE // =================================================== if ($_GET['role_id']) { $current_role_permissions = get_permissions('role', $_GET['role_id']); // --------------------------------------------------- // LIMITED OR FULL // --------------------------------------------------- $current_role_permissions = limited_or_full($current_role_permissions); if (api_get_setting('permissions') == 'limited') { $header_array = $rights_limited; } if (api_get_setting('permissions') == 'full') { $header_array = $rights_full; } // --------------------------------------------------- // DISPLAYING THE MATRIX // --------------------------------------------------- echo "<form method=\"post\" action=\"" . str_replace('&', '&', $_SERVER['REQUEST_URI']) . "\">"; // the list of the roles for the user
<?php include 'functions.php'; session_start(); if (!isset($_SESSION['ID'])) { header('Location: /index.php'); } if (isset($_GET['id'])) { $permissions = get_permissions($_SESSION['ID'], $_GET['id']); if ($permissions == 3 || $permissions == 2) { show('document_editor', null, null); $document = get_document($_GET['id']); echo ' <form class="basic-grey-e" action="./document_editor.php?id=' . $_GET['id'] . '" name="save_doc" method="post"> <a class="basic-grey-text" href="./documents.php">Вернуться к документам</a> <input type="text" id="title" name="title"></br> <textarea class="basic-grey-e" name="body" id="body"></textarea></br> <input type="submit" name="save_doc" value="Сохранить документ"> <a class="basic-grey-text" href="./document_editor.php?id=' . $document['ID'] . '&sign=' . $document['ID'] . '">Подписать документ</a> <a class="basic-grey-text" href="./contributors.php?document_id=' . $document['ID'] . '">Настроить доступ сотрудников к документу</a> </form>'; set_element_value('title', $document['TITLE']); set_element_value('body', $document['BODY']); if (isset($_POST['save_doc'])) { $title = $_POST['title']; $body = $_POST['body']; if ($title !== '' && $body !== '') { edit_document($title, $body, $document['ID'], null); } }
</select> </div> </div> <div class="form-group"> <label for="permission" class="col-sm-3 control-label"><?php echo tr('_GLOBAL_permission_'); ?> </label> <div class="col-sm-5"> <select name="permission" id="permission" class="form-control" <?php echo $data['user']['id'] == user('uID') ? 'disabled="disabled"' : ''; ?> > <?php foreach (get_permissions() as $permission_id => $permission) { ?> <option value="<?php echo $permission_id; ?> " <?php echo set_select('permission', $permission_id, $permission_id == $data['user']['permission_id']); ?> ><?php echo $permission; ?> </option> <?php } ?> <?php
} } if (isset($result_message)) { Display::display_normal_message($result_message); } // --------------------------------------------------- // RETRIEVING THE PERMISSIONS OF THE USER // --------------------------------------------------- $current_user_permissions = array(); $current_user_permissions = get_permissions('user', $user_id); // INHERITED PERMISSIONS (group permissions, user roles, group roles) // RETRIEVING THE PERMISSIONS OF THE GROUPS OF THE USER $groups_of_user = array(); $groups_of_user = GroupManager::get_group_ids($_course['real_id'], $user_id); foreach ($groups_of_user as $group) { $this_group_permissions = get_permissions('group', $group); foreach ($this_group_permissions as $tool => $permissions) { foreach ($permissions as $permission) { $inherited_group_permissions[$tool][] = $permission; } } } $inherited_permissions = $inherited_group_permissions; // RETRIEVING THE PERMISSIONS OF THE ROLES OF THE USER if (api_get_setting('user_roles') == 'true') { // course roles that are assigned to the user $current_user_role_permissions_of_user = get_roles_permissions('user', $user_id); $inherited_permissions = permission_array_merge($inherited_permissions, $current_user_role_permissions_of_user); // NOTE: deze array moet nog gemerged worden met de $inherited_permissions array // (heet momenteel nog $current_group_permissions_of_user omdat voorlopig enkel de // groepsge�rfde permissions in beschouwing worden genomen
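/**
 * Authenticate the current request against the CMS user table and open a WRM session.
 *
 * Credentials come either from the login form ($_POST, clear-text password) or
 * from the remember-me cookies ($_COOKIE, password in the encoded form that
 * password_check() handed back on an earlier login). On success the session is
 * populated, the WRM profile row is created or refreshed and get_permissions()
 * is called.
 *
 * @return int 1 on successful login, 0 when no credentials were supplied or the
 *             username/password did not match, -1 when the user authenticated
 *             but is not a member of an allowed CMS group.
 */
function phpraid_login()
{
    global $db_user_id, $db_group_id, $db_user_name, $db_user_email, $db_user_password, $db_table_user_name;
    global $db_table_group_name, $auth_user_class, $auth_alt_user_class, $table_prefix, $db_raid, $phpraid_config;

    $username = $password = "";
    if (isset($_POST['username'])) {
        // Form login: the password is clear text, password_check() has to encode it.
        $pwdencrypt = FALSE;
        $username = mb_strtolower(scrub_input($_POST['username']), "UTF-8");
        $password = isset($_POST['password']) ? $_POST['password'] : '';
        // NOTE(review): the WRM profile table stores an unsalted md5 of the
        // password. Readers of that column live outside this function, so moving
        // to password_hash()/password_verify() needs a coordinated migration
        // rather than a local change here.
        $wrmpass = md5($password);
    } elseif (isset($_COOKIE['username']) && isset($_COOKIE['password'])) {
        // Cookie login: the cookie carries the already-encoded password, so
        // password_check() must compare it as-is.
        $pwdencrypt = TRUE;
        $username = mb_strtolower(scrub_input($_COOKIE['username']), "UTF-8");
        $password = $_COOKIE['password'];
        $wrmpass = '';
    } else {
        // No credentials at all: clear stale state and stop. The original fell
        // through here and ran the user lookup with an empty username.
        phpraid_logout();
        return 0;
    }

    $sql = sprintf(
        "SELECT " . $db_user_id . "," . $db_user_name . "," . $db_user_email . "," . $db_user_password .
        " FROM " . $table_prefix . $db_table_user_name . " WHERE " . $db_user_name . " = %s",
        quote_smart($username)
    );
    $result = $db_raid->sql_query($sql) or print_error($sql, mysql_error(), 1);

    while ($data = $db_raid->sql_fetchrow($result, true)) {
        // Strict comparison: both sides are strings, and == would treat
        // numeric-looking names ("1e3" vs "1000") as equal.
        if ($username !== mb_strtolower($data[$db_user_name], "UTF-8")) {
            continue;
        }
        $cmspass = password_check($password, $data[$db_user_id], $pwdencrypt);
        if (!$cmspass) {
            continue;
        }

        // Username and password match. When a group restriction is configured the
        // user must also belong to the allowed (or alternative) CMS group.
        if ($auth_user_class != 0 && !phpraid_login_user_in_group($data[$db_user_id])) {
            phpraid_logout();
            return -1;
        }

        // Remember-me cookies are only planted when the form asked for them. The
        // original tested isset() on a local that had just been assigned, which is
        // always true, so every login set a month-long credential cookie. A login
        // that itself came from the cookie refreshes it, as before.
        $autologin = isset($_POST['autologin']) ? scrub_input($_POST['autologin']) : '';
        if ($pwdencrypt || $autologin !== '') {
            $expires = time() + 2629743; // one month
            $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
            // HttpOnly keeps the credential cookie out of reach of page scripts;
            // Secure is set whenever the login itself arrived over TLS.
            // NOTE(review): the cookie still holds a reusable credential for a
            // month; a random, revocable remember-me token would be safer.
            setcookie('username', $data[$db_user_name], $expires, '', '', $secure, true);
            setcookie('password', $cmspass, $expires, '', '', $secure, true);
        }

        // Privilege level changes here, so swap the session id: a pre-login id an
        // attacker planted (session fixation) must not become an authenticated one.
        if (session_id() !== '') {
            session_regenerate_id(true);
        }
        $_SESSION['username'] = mb_strtolower($data[$db_user_name], "UTF-8");
        $_SESSION['session_logged_in'] = 1;
        $_SESSION['profile_id'] = $data[$db_user_id];
        $_SESSION['email'] = $data[$db_user_email];

        // New profiles get the configured default group, or '0' when none is set.
        $user_priv = ($phpraid_config['default_group'] != 'nil') ? $phpraid_config['default_group'] : '0';

        phpraid_login_upsert_profile($wrmpass, $user_priv);
        get_permissions();

        // Do not leave credential material in scope longer than needed.
        unset($username, $password, $cmspass, $wrmpass);
        return 1;
    }
    return 0;
}

/**
 * True when $user_id is a member of the CMS group configured as allowed to use WRM
 * ($auth_user_class) or of the alternative allowed group ($auth_alt_user_class).
 *
 * @param mixed $user_id id column value of the CMS user
 * @return bool
 */
function phpraid_login_user_in_group($user_id)
{
    global $db_user_id, $db_group_id, $db_table_group_name, $auth_user_class, $auth_alt_user_class, $table_prefix, $db_raid;

    $sql = sprintf(
        "SELECT " . $db_user_id . "," . $db_group_id . " FROM " . $table_prefix . $db_table_group_name .
        " WHERE " . $db_user_id . " = %s",
        quote_smart($user_id)
    );
    $resultgroup = $db_raid->sql_query($sql) or print_error($sql, mysql_error(), 1);
    while ($datagroup = $db_raid->sql_fetchrow($resultgroup, true)) {
        // loose comparison kept on purpose: group ids come back from the DB as
        // strings while the configured class may be an int
        if ($datagroup[$db_group_id] == $auth_user_class || $datagroup[$db_group_id] == $auth_alt_user_class) {
            return TRUE;
        }
    }
    return FALSE;
}

/**
 * Create the WRM profile row for the user in $_SESSION, or refresh it if it exists.
 *
 * @param string $wrmpass   encoded password to store; '' (cookie login) leaves the
 *                          stored password untouched on update
 * @param mixed  $user_priv privilege/group value used only when inserting
 * @return void
 */
function phpraid_login_upsert_profile($wrmpass, $user_priv)
{
    global $db_raid, $phpraid_config;

    $sql = sprintf("SELECT * FROM " . $phpraid_config['db_prefix'] . "profile WHERE profile_id = %s", quote_smart($_SESSION['profile_id']));
    $result = $db_raid->sql_query($sql) or print_error($sql, mysql_error(), 1);
    if ($db_raid->sql_fetchrow($result)) {
        // existing profile: update
        if ($wrmpass != '') {
            $sql = sprintf("UPDATE " . $phpraid_config['db_prefix'] . "profile SET email = %s, password = %s, last_login_time = %s WHERE profile_id = %s", quote_smart($_SESSION['email']), quote_smart($wrmpass), quote_smart(time()), quote_smart($_SESSION['profile_id']));
        } else {
            $sql = sprintf("UPDATE " . $phpraid_config['db_prefix'] . "profile SET email = %s, last_login_time = %s WHERE profile_id = %s", quote_smart($_SESSION['email']), quote_smart(time()), quote_smart($_SESSION['profile_id']));
        }
    } else {
        // profile not found (or DB error): insert; positional VALUES rely on the
        // profile table's column order
        $sql = sprintf("INSERT INTO " . $phpraid_config['db_prefix'] . "profile VALUES (%s, %s, %s, %s, %s, %s)", quote_smart($_SESSION['profile_id']), quote_smart($_SESSION['email']), quote_smart($wrmpass), quote_smart($user_priv), quote_smart(mb_strtolower($_SESSION['username'], "UTF-8")), quote_smart(time()));
    }
    $db_raid->sql_query($sql) or print_error($sql, mysql_error(), 1);
}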
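// Resolve the requested table (numeric id, or a name looked up in $tables) and
// the optional item being edited. Everything is initialised up front so the
// permission checks below always see defined values. The original guard
// `$_GET['table'] || $_GET['table'] == 0` was also true for a missing parameter
// (null == 0), which then called get_rows() with null.
$table_id = false;
$table = null;
$id = null;
$has_id = false;
if (isset($_GET['table']) && is_string($_GET['table']) && $_GET['table'] !== '') {
    $requested_table = $_GET['table'];
    // A value that matches a table name maps to that table's key; anything else
    // is taken to be the id itself. Strict search so "0", "" and numeric-looking
    // strings are not confused with each other.
    $found_id = array_search($requested_table, $tables, true);
    $table_id = $found_id !== false ? $found_id : $requested_table;
    // 'bypass' tells get_rows() that no item is being loaded (new item form)
    $get_id = isset($_GET['item']) ? $_GET['item'] : 'bypass';
    $table_rows = get_rows($table_id, $get_id);
    $table = $table_rows['name'];
    $id = $table_rows['item_id'];
    // a positive numeric item id means edit, anything else means add
    $has_id = is_numeric($id) && $id > 0;
}

//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Permission checks: if the visitor should not be here, redirect with an alert.
// An unresolved table is rejected before get_permissions() is consulted.
if ($table_id === false) {
    $_SESSION['alert'] = "permissions_view";
    header("Location: " . CMS_INSTALL_PATH . "tables.php");
    die;
}
$allow = get_permissions($table);
if (empty($allow['view'])) {
    $_SESSION['alert'] = "permissions_view";
    header("Location: " . CMS_INSTALL_PATH . "tables.php");
    die;
}
if ($has_id && empty($allow['edit'])) {
    $_SESSION['alert'] = "permissions_edit";
    header("Location: " . CMS_INSTALL_PATH . "tables.php");
    die;
}
if (!$has_id && empty($allow['add'])) {
    $_SESSION['alert'] = "permissions_add";
    header("Location: " . CMS_INSTALL_PATH . "tables.php");
    die;
}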
echo "\t\t<th align='center'>" . get_lang('Edit') . "</th>\n"; echo "\t\t<th align='center'>" . get_lang('Rate') . "</th>\n"; echo "\t\t<th align='center'>" . get_lang('Add') . "</th>\n"; echo "\t\t<th align='center'>" . get_lang('Delete') . "</th>\n"; echo "\t\t<th align='center'>" . get_lang('Rate') . "</th>\n"; echo "\t\t<th align='center'>" . get_lang('Tasks') . "</th>\n"; echo "\t\t<th align='center'>" . get_lang('Members') . "</th>\n"; echo "\t\t<th align='center'>" . get_lang('Roles') . "</th>\n"; echo "\t</tr>\n"; // the main area with the checkboxes or images foreach ($blog_users as $user_id => $user_name) { // --------------------------------------------------- // RETRIEVING THE PERMISSIONS OF THE USER // --------------------------------------------------- $current_user_permissions = array(); $current_user_permissions = get_permissions('user', $user_id); echo "\t<tr>\n"; echo "\t\t<td>\n"; echo $user_name; echo "\t\t</td>\n"; foreach ($rights_full as $key => $value) { echo "\t\t<td align='center'>\n"; if (in_array($value, $rights_blog)) { display_image_matrix_for_blogs($current_user_permissions, $user_id, 'BLOG_' . $blog_id, $value, $inherited_permissions, $course_admin); } // note: in a later stage this part will be replaced by a function // so that we can easily switch between a checkbox approach or an image approach // where every click is in fact a change of status. In the checkbox approach you first have to // do the changes and then store them by clicking the submit button. echo "\t\t</td>\n"; }
exit; } global $current_action; $current_action = 'edit'; if (isset($_POST['update'])) { if (edit_permissions($_GET['type'], $_POST, $_GET['id'])) { global $edited; $edited = 1; MAD_Admin_Redirect::redirect('permission_management.php?edited=1&id=' . $_GET['id'] . '&type=' . $_GET['type'] . ''); } else { global $edited; $edited = 2; } } if ($edited != 2) { $editdata = get_permissions($_GET['type'], $_GET['id']); } switch ($_GET['type']) { case 'group': $tt = 'Group'; $group_detail = get_group_detail($_GET['id']); $tt_det = $group_detail['group_name']; break; case 'user': $tt = 'User'; $usr_detail = get_user_detail($_GET['id']); $tt_det = $usr_detail['first_name'] . ' ' . $usr_detail['last_name']; break; } require_once MAD_PATH . '/www/cp/templates/header.tpl.php'; ?>