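/**
 * Checks whether the current user may perform WebDAV $method on $path.
 *
 * The base permission check is delegated to parent::CheckRights(). For a
 * non-empty path the value is decoded and normalised (and written back
 * through the $path reference), then file-name / extension policy applies:
 *   - COPY / MOVE / PUT: script extensions (non-admins only), unsafe names,
 *     "index.php", invalid path or filename strings, and the WRITE deny list;
 *   - every other method: the READ deny list.
 * The first failing rule registers an exception on $GLOBALS["APPLICATION"]
 * and the method returns false.
 *
 * @param string $method WebDAV method name (e.g. "GET", "PUT").
 * @param bool   $strong Accepted for signature compatibility; not forwarded
 *                       to parent::CheckRights() in this implementation.
 * @param string $path   Encoded path; replaced in place by the decoded,
 *                       combined path when non-empty.
 * @return bool true when access is permitted, false otherwise.
 */
function CheckRights($method, $strong, &$path)
{
    // Base access check first; nothing below can override a denial.
    if (!parent::CheckRights($method)) {
        $GLOBALS["APPLICATION"]->ThrowException(GetMessage('WD_ACCESS_DENIED'), 'ACCESS_DENIED');
        return false;
    }
    // Loose comparison kept on purpose: null and '' both mean "no path".
    if ($path == '') {
        return true;
    }

    $io = CBXVirtualIo::GetInstance();
    // Decode and normalise; the caller observes the normalised path via the reference.
    $path = $io->CombinePath($this->_udecode($path));
    $strFileName = GetFileName($path);
    $extention = "." . strtolower(GetFileExtension($strFileName));

    // Strict in_array(): $method and $extention are strings, avoid loose-equality surprises.
    $isWrite = in_array($method, array("COPY", "MOVE", "PUT"), true);

    if (!$isWrite) {
        // Read-like methods only consult the READ deny list.
        if (in_array($extention, $this->arFileForbiddenExtentions["READ"], true)) {
            $GLOBALS["APPLICATION"]->ThrowException(GetMessage('WD_ACCESS_DENIED'), 'ACCESS_DENIED');
            return false;
        }
        return true;
    }

    // Writing methods: script files may only be written by administrators.
    if (!$GLOBALS["USER"]->IsAdmin() && HasScriptExtension($strFileName)) {
        $GLOBALS['APPLICATION']->ThrowException(GetMessage("WD_FILE_ERROR13"), "FORBIDDEN_EXTENTION");
        return false;
    }
    // NOTE(review): the "index.php" comparison is case-sensitive; on a
    // case-insensitive filesystem "INDEX.PHP" would pass this rule unless
    // IsFileUnsafe() catches it — confirm.
    if (IsFileUnsafe($strFileName) || $strFileName === "index.php") {
        $GLOBALS['APPLICATION']->ThrowException(GetMessage("WD_FILE_ERROR14"), "FORBIDDEN_NAME");
        return false;
    }
    // Reject path/filename strings the virtual IO layer considers invalid.
    if (!$io->ValidatePathString($io->CombinePath("/", $path)) || !$io->ValidateFilenameString($strFileName)) {
        $GLOBALS['APPLICATION']->ThrowException(GetMessage("WD_FILE_ERROR14"), "FORBIDDEN_NAME");
        return false;
    }
    if (in_array($extention, $this->arFileForbiddenExtentions["WRITE"], true)) {
        $GLOBALS['APPLICATION']->ThrowException(GetMessage("WD_FILE_ERROR13"), "FORBIDDEN_EXTENTION");
        return false;
    }
    return true;
}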
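/**
 * Checks whether the current user may perform WebDAV $method on $path.
 *
 * Delegates to parent::CheckRights($method, $strong). For a non-empty path
 * and a writing method (COPY / MOVE / PUT) it additionally rejects file
 * names flagged by IsFileUnsafe() and the literal "index.php".
 *
 * NOTE(review): unlike the sibling CheckRights() implementation in this
 * listing, this variant performs no script-extension check, no
 * forbidden-extension (READ/WRITE) check and no path/filename-string
 * validation, so a PUT of a script file is only blocked here if
 * IsFileUnsafe() rejects the name — confirm that is intended.
 *
 * @param string $method WebDAV method name (e.g. "GET", "PUT").
 * @param bool   $strong Forwarded to parent::CheckRights().
 * @param string $path   Encoded path; not a reference, so the decoded value
 *                       is local to this call.
 * @return bool true when access is permitted, false otherwise.
 */
function CheckRights($method = "", $strong = false, $path = "")
{
    if (!parent::CheckRights($method, $strong)) {
        $GLOBALS["APPLICATION"]->ThrowException(GetMessage('WD_ACCESS_DENIED'), 'ACCESS_DENIED');
        return false;
    }
    // empty(): "", null and "0" all skip the name checks (behaviour preserved).
    if (empty($path)) {
        return true;
    }
    // Only writing methods are subject to the file-name policy.
    if (!in_array($method, array("COPY", "MOVE", "PUT"), true)) {
        return true;
    }

    $strFileName = basename($this->_udecode($path));
    if (IsFileUnsafe($strFileName) || $strFileName === "index.php") {
        $GLOBALS['APPLICATION']->ThrowException(GetMessage("WD_FILE_ERROR14"), "FORBIDDEN_NAME");
        return false;
    }
    return true;
}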