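/**
 * Decide whether the current user may access a jr_admin page.
 *
 * ADMIN users are always allowed (unless $debug is on). Any other user must
 * have a module list in user_jr_admin; they are then allowed on the index
 * page, on a page whose module_md5 GET value is in that list, or - for POST
 * submissions and sid-bearing links - when jr_admin_check_file_hashes()
 * approves the filename with its query string stripped.
 *
 * @param string $file Requested script name, possibly followed by a query string
 * @return bool true when access to $file is granted
 */
function jr_admin_secure($file)
{
    global $phpEx, $userdata;
    /* Debugging in this function causes changes to the way ADMIN users
       are interpreted.  You are warned */
    $debug = false;
    $jr_admin_userdata = jr_admin_get_user_info($userdata['user_id']);
    // Build the index pattern once; escape so neither "." nor $phpEx is read as regex syntax
    $index_pattern = '/^index\.' . preg_quote($phpEx, '/') . '/';
    // $_GET/$_POST replace the long arrays ($HTTP_GET_VARS/$HTTP_POST_VARS), which PHP 5.4 removed
    $module_md5 = isset($_GET['module_md5']) ? $_GET['module_md5'] : null;
    if ($debug) {
        if (!preg_match($index_pattern, $file)) {
            print '<pre><span class="gen"><font color="red">DEBUG - File Accessed - ';
            print $file;
            print '</pre></font></span><br />';
        }
    }
    if ($userdata['user_level'] == ADMIN && !$debug) {
        //Admin always has access
        return true;
    } elseif (empty($jr_admin_userdata['user_jr_admin'])) {
        //This user has no modules and no business being here
        return false;
    } elseif (preg_match($index_pattern, $file)) {
        //We are at the index file, which is already secure pretty much
        return true;
    } elseif ($module_md5 !== null && in_array($module_md5, explode(EXPLODE_SEPERATOR_CHAR, $jr_admin_userdata['user_jr_admin']), true)) {
        //The user has access for sure by module_id security from GET vars only.
        //Strict in_array: a loose == would treat hashes such as "0e123" and "0e456" as equal numbers
        return true;
    } elseif ($module_md5 === null && count($_POST)) {
        //This user likely entered a post form, so let's use some checking logic
        //to make sure they are doing it from where they should be!
        //Get the filename without any arguments
        $file = preg_replace("/\\?.+=.*\$/", '', $file);
        //Return the check to make sure the user has access to what they are submitting
        return jr_admin_check_file_hashes($file);
    } elseif ($module_md5 === null && isset($_GET['sid'])) {
        //This user has clicked on a url that specified items.
        //Strict comparison: the session id must match byte-for-byte, not as a loose numeric string
        if ($_GET['sid'] !== $userdata['session_id']) {
            return false;
        }
        //Get the filename without any arguments
        $file = preg_replace("/\\?.+=.*\$/", '', $file);
        //Return the check to make sure the user has access to what they are submitting
        return jr_admin_check_file_hashes($file);
    } else {
        //Something came up that shouldn't have!
        return false;
    }
}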
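/**
 * Decide whether the current user may access a jr_admin page.
 *
 * ADMIN users are always allowed (unless $debug is on). Any other user must
 * have a module list in user_jr_admin; they are then allowed on the index
 * page, on a page whose "module" request value is in that list, or - for POST
 * submissions and sid-bearing links - when jr_admin_check_file_hashes()
 * approves the filename with its query string stripped.
 *
 * @param string $file Requested script name, possibly followed by a query string
 * @return bool true when access to $file is granted
 */
function jr_admin_secure($file)
{
    global $user;
    /* Debugging in this function causes changes to the way ADMIN users are interpreted. You are warned */
    $debug = false;
    // We need this for regular expressions... to avoid errors!!!
    $phpEx = PHP_EXT;
    // Build the index pattern once; escape so neither "." nor $phpEx is read as regex syntax
    $index_pattern = '/^index\.' . preg_quote($phpEx, '/') . '/';
    $jr_admin_userdata = jr_admin_get_user_info($user->data['user_id']);
    $selected_module = request_get_var('module', '');
    $sid = request_var('sid', '');
    if ($debug) {
        if (!preg_match($index_pattern, $file)) {
            print '<pre><span class="gen"><span class="text_red">DEBUG - File Accessed - ';
            print $file;
            print '</pre></span></span><br />';
        }
    }
    if ($user->data['user_level'] == ADMIN && !$debug) {
        //Admin always has access
        return true;
    } elseif (empty($jr_admin_userdata['user_jr_admin'])) {
        //This user has no modules and no business being here
        return false;
    } elseif (preg_match($index_pattern, $file)) {
        //We are at the index file, which is already secure pretty much
        return true;
    } elseif (!empty($selected_module) && in_array($selected_module, explode(EXPLODE_SEPARATOR_CHAR, $jr_admin_userdata['user_jr_admin']), true)) {
        //The user has access for sure by module_id security from GET vars only.
        //Strict in_array: a loose == would treat ids such as "0e123" and "0e456" as equal numbers
        return true;
    } elseif (empty($selected_module) && count($_POST)) {
        //This user likely entered a post form, so let's use some checking logic
        //to make sure they are doing it from where they should be!
        //Get the filename without any arguments
        $file = preg_replace("/\\?.+=.*\$/", '', $file);
        //Return the check to make sure the user has access to what they are submitting
        return jr_admin_check_file_hashes($file);
    } elseif (empty($selected_module) && !empty($sid)) {
        //This user has clicked on a url that specified items.
        //Strict comparison: the session id must match byte-for-byte, not as a loose numeric string
        if ($sid !== $user->data['session_id']) {
            return false;
        }
        //Get the filename without any arguments
        $file = preg_replace("/\\?.+=.*\$/", '', $file);
        //Return the check to make sure the user has access to what they are submitting
        return jr_admin_check_file_hashes($file);
    } else {
        //Something came up that shouldn't have!
        return false;
    }
}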