Esempio n. 1
 /**
  * Write a single entry to the persistent log.
  *
  * A fresh DBLog record is filled with the current author, the supplied
  * priority level and the message text, then handed to the entity manager.
  * persist() + flush() are called together so the row is issued right away
  * (assuming a Doctrine-style entity manager -- TODO confirm) rather than
  * deferred to the end of the request.
  *
  * @param string $msg   Text of the log entry, stored as given.
  * @param mixed  $level Priority stored with the entry, stored as given.
  */
 public function log($msg, $level)
 {
     $entry = new DBLog();
     $entry->setMessage($msg);
     $entry->setPriority($level);
     $entry->setAuthor($this->author);

     $this->em->persist($entry);
     $this->em->flush();
 }
Esempio n. 2
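 /**
  * standard constructor
  *
  * Authenticates the request and loads the caller's roles and allowed system
  * functions. Steps, in order:
  *  1. If "login" and "passwd" were both sent, try checkLogin(); on success
  *     createSession(), on failure log the attempt and redirect to the login form.
  *  2. Otherwise take the session id from the "sid" request parameter.
  *  3. validateSession(); redirect to the login form when it fails.
  *  4. Load LANGID / USE_JAVASCRIPT (/ USE_AGENT for IE) for the user, then the
  *     user's roles and the FUNCTION_IDs those roles grant.
  *  5. Unless the user name is "Administrator", require $permission (when not
  *     "ANY") and the ALLOW_CMS_LOGIN function; redirect to login.php otherwise.
  * Every rejection path closes $db, sends a Location header and exits.
  *
  * @param string Role, a user must have to access the page. Note that Administrators
  * can access just any page and that a page with no permissions set may be accessed
  * by every user of the CMS. A page can be accessible by several user-roles, just
  * use '&' to combine roles.
  * @param boolean Flag, that says if the user must be in systemgroup (when true.)
  */
 function auth($permission = "ANY", $sys = false)
 {
     global $c, $db;
     $this->sys = $sys;

     // collect data
     if ($_SERVER['REMOTE_ADDR'] != "") {
         $this->remote = $_SERVER['REMOTE_ADDR'];
     }
     // value() yields "0" for a missing parameter, so "0" means "not submitted" here
     if (value("passwd") != "0" && value("login") != "0") {
         //try to login user
         if ($this->checkLogin(value("login"), value("passwd"))) {
             $this->createSession($this->userId);
         } else {
             // the submitted login name is logged verbatim; DBLog is expected to
             // store it safely -- TODO confirm it parameterises the insert
             $log1 = new DBLog("AUTH");
             $log1->log("Login failed for user " . value("login") . " with IP " . $_SERVER["REMOTE_ADDR"]);
             $db->close();
             header("Location: " . $c["docroot"] . "api/auth/loginform.php?status=failed");
             exit;
         }
     } else {
         // session id travels in the request (GET/POST); NOSPACES makes value()
         // abort the whole request if it contains a blank
         if (value("sid", "NOSPACES") != "0") {
             $this->session = value("sid", "NOSPACES");
         }
     }

     // verify data: anything that is not a valid session goes back to the login form.
     // (The old second "if (!$this->loggedIn)" redirect after this point was
     // unreachable and has been dropped.)
     if (!$this->validateSession()) {
         $db->close();
         header("Location: " . $c["docroot"] . "api/auth/loginform.php");
         exit;
     }
     $this->loggedIn = true;

     // ids below are interpolated into SQL unquoted, so they must be integers;
     // casting pins that down even if a helper hands back a numeric string
     $userId = (int) $this->userId;

     $sql = "SELECT LANGID, USE_JAVASCRIPT, USE_AGENT FROM users WHERE USER_ID = " . $userId;
     $query = new query($db, $sql);
     $query->getrow();
     $this->lang = $query->field("LANGID");
     $this->isJS = $query->field("USE_JAVASCRIPT");
     if (PMA_USR_BROWSER_AGENT == 'IE') {
         $this->useAgent = $query->field("USE_AGENT");
     }
     if ($this->lang != "") {
         global $c, $lang;
         $lang->language = $this->lang;
     }

     //get list of roles this user has
     // preselect system group, if system flag is not deselected.
     $additum = "";
     if ($this->sys) {
         $additum = " AND (p.GROUP_ID = " . (int) $this->group . " OR p.GROUP_ID=1)";
     }
     // get all roleIDs the user has
     $sql = "SELECT DISTINCT r.ROLE_NAME, p.ROLE_ID FROM roles r, user_permissions p WHERE p.ROLE_ID = r.ROLE_ID AND p.USER_ID = " . $userId . $additum;
     $query = new query($db, $sql);
     while ($query->getrow()) {
         $this->roles[$query->field("ROLE_ID")] = strtoupper($query->field("ROLE_NAME"));
     }
     $query->free();

     //get list of functions allowed for this user
     // A user without any role used to produce "IN ( )", which is invalid SQL.
     // Skip the query instead; allowedFunctions stays as it was, so the
     // ALLOW_CMS_LOGIN check below presumably fails for such a user.
     if (!empty($this->roles)) {
         $roleIds = array();
         foreach (array_keys($this->roles) as $roleId) {
             $roleIds[] = (int) $roleId;
         }
         $sql = "SELECT DISTINCT rsf.FUNCTION_ID FROM role_sys_functions as rsf WHERE rsf.ROLE_ID in ( " . implode(",", $roleIds) . " )";
         $query = new query($db, $sql);
         $counter = 0;
         while ($query->getrow()) {
             $this->allowedFunctions[$counter] = $query->field("FUNCTION_ID");
             $counter++;
         }
         $query->free();
     }

     // "Administrator" bypasses both checks by user name -- that is the original
     // contract, not a role lookup. Everyone else needs the page role (unless
     // "ANY") and the ALLOW_CMS_LOGIN function.
     if (($permission != "ANY" || !$this->checkAccessToFunction("ALLOW_CMS_LOGIN")) && $this->userName != "Administrator") {
         // check permission.
         if (!$this->checkPermission($permission, false) || !$this->checkAccessToFunction("ALLOW_CMS_LOGIN")) {
             // no permission
             $db->close();
             header("Location: " . $c["docroot"] . "api/auth/login.php");
             exit;
         }
     }
 }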
Esempio n. 3
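	/**
	  * Help function of nxDelete. Deletes a file destination
	  *
	  * "file" mode: if $destPath.$destFile exists it is unlinked. A missing file
	  * or a failed unlink() is written to the "LAUNCH" log and reported as false
	  * (previously a failed unlink() was silently reported as success).
	  * "ftp" mode: changes into $destPath on the FTP connection and deletes
	  * $destFile if the connection reports that it exists. Any other $mode does
	  * nothing.
	  *
	  * NOTE(review): $destPath and $destFile are concatenated as given -- there is
	  * no normalisation or traversal check ("..", absolute paths). Callers must
	  * pass already-validated paths; TODO confirm at the call sites.
	  *
	  * @param string $destPath Destination-Location where delete shall be performed.
	  * @param string $destFile Destination-File to delete.
	  * @param string $mode file or ftp transfer.
	  * @param object FTP-Connection-Object if needed.
	  * @return boolean false only when a local file was missing or could not be
	  *         removed; true otherwise (ftp results are not checked).
	  */
	  function _executeDelete($destPath, $destFile, $mode, $conn=null) {
	  	$target = $destPath.$destFile;
	  	if ($mode == "file") {
	  		// @ keeps the original behaviour of not emitting a warning on failure;
	  		// the return value is checked instead of being assumed to be true.
	  		if (file_exists($target) && @unlink($target)) {
	  			return true;
	  		}
	  		$log = new DBLog("LAUNCH");
	  		$log->log($target." could not be deleted.");
	  		unset($log);
	  		return false;
	  	} else if ($mode == "ftp") {
	  		// the ftp wrapper's return values are not inspected (contract unknown);
	  		// the caller only learns that the attempt was made
	  		$conn->ftp_chdir($destPath);
	  		if ($conn->ftp_file_exists($destFile)) {
	  			$conn->ftp_delete($destFile);
	  		}
	  	}
	  	return true;
	  }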
Esempio n. 4
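	/**
	 * Returns the value of a variable sent with post or get.
	 * Returns $default ("0" unless overridden) if the variable was not sent or
	 * was sent empty. When the same name arrives via GET and POST, GET wins.
	 *
	 * Validation applies only to values that actually came from the request;
	 * the caller-supplied $default is trusted. A failed validation logs an
	 * "INTRUSION" entry, prints a short message and terminates the request.
	 *
	 * @param string $variable_name Name of the variable to get value of
	 * @param string $validate Validate the input variable. Allowed are NUMERIC, NOSPACES
	 * @param string $default Value that is set if value is not found.
	 * @return mixed The request value (string, or array for name[]=... input
	 *         when no validation was requested) or $default.
	 */
	function value($variable_name, $validate = "", $default = "0") {
		$result = $default;
		$fromRequest = false;

		if (isset($_GET[$variable_name])) {
			$result = $_GET[$variable_name];
			$fromRequest = true;
		} else if (isset($_POST[$variable_name])) {
			$result = $_POST[$variable_name];
			$fromRequest = true;
		}

		// doing the validation check
		$validate = strtoupper($validate);

		if ($fromRequest && $validate == "NUMERIC") {
			// Strict comparison: the former loose "$result != 0" let any
			// non-numeric string through on PHP < 8 ("abc" == 0 was true), so the
			// check never blocked. Only an empty value may skip is_numeric();
			// arrays (name[]=...) are never numeric and are rejected too.
			if (!is_numeric($result) && $result !== "") {
				$log = new DBLog("INTRUSION");

				$log->log("There seems to be a variable modification on variable " . $variable_name . " on page " . $_SERVER["REQUEST_URI"] . ". The request was blocked. IP:" . $_SERVER['REMOTE_ADDR']);
				echo "The provided data is not of correct type.";
				exit();
			}
		} else if ($fromRequest && $validate == "NOSPACES") {
			// Only a string can satisfy NOSPACES. An array used to reach strstr(),
			// which warned (PHP 7) or threw (PHP 8) instead of blocking it.
			// Note: only the literal space character is rejected, not other
			// whitespace -- unchanged from the original contract.
			if (!is_string($result) || strstr($result, " ") !== false) {
				$log = new DBLog("INTRUSION");
				$log->log("There seems to be a variable modification on variable " . $variable_name . " on page " . $_SERVER["REQUEST_URI"] . " The request was blocked. IP:" . $_SERVER['REMOTE_ADDR']);
				echo "Type mismatch! Exiting....";
				exit();
			}
		}

		// an empty request value counts as "not sent"
		if ($result === "")
			$result = $default;

		return $result;
	}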
Esempio n. 5
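 /**
  * standard constructor
  *
  * Variant of auth() for the SMA front end. Steps, in order:
  *  1. If "login" and "passwd" were both sent, try checkLogin(); on success
  *     createSession(), on failure log the attempt and redirect to
  *     forwardToOnAuthFail() with "&status=failed" appended.
  *  2. Otherwise take the session id from the cookie named by $this->myCookie,
  *     falling back to the "sid" request parameter.
  *  3. validateSession(); when it fails and $forceLogin is set, redirect.
  *  4. If logged in: load LANGID / USE_JAVASCRIPT, the user's roles and the
  *     FUNCTION_IDs those roles grant, then enforce $permission (unless "ANY");
  *     a missing permission redirects only when $forceLogin is set -- with
  *     $forceLogin false the caller must inspect loggedIn / permissions itself.
  *  5. Always (re)issue the session cookie for one hour.
  * Unlike auth(), $db is not closed before the redirects.
  *
  * @param string Role, a user must have to access the page. Note that Administrators
  * can access just any page and that a page with no permissions set may be accessed
  * by every user of the CMS. A page can be accessible by several user-roles, just
  * use '&' to combine roles.
  * @param boolean Flag, that says if the user must be in systemgroup (when true.)
  * @param boolean Flag, that says if the user must be logged in in any case
  */
 function authSMA($permission = "ANY", $sys = true, $forceLogin = true)
 {
     global $c, $db;
     // Kept for its side effect only: value(..., "NUMERIC") aborts the request
     // when "page" is present but not numeric.
     value("page", "NUMERIC");
     $this->sys = $sys;

     // collect data
     if ($_SERVER['REMOTE_ADDR'] != "") {
         $this->remote = $_SERVER['REMOTE_ADDR'];
     }
     // value() yields "0" for a missing parameter, so "0" means "not submitted" here
     if (value("passwd") != "0" && value("login") != "0") {
         //try to login user
         if ($this->checkLogin(value("login"), value("passwd"))) {
             $this->createSession($this->userId);
         } else {
             // the submitted login name is logged verbatim; DBLog is expected to
             // store it safely -- TODO confirm it parameterises the insert
             $log1 = new DBLog("AUTH");
             $log1->log("Login failed for user " . value("login") . " with IP" . $_SERVER["REMOTE_ADDR"]);
             header("Location: " . $this->forwardToOnAuthFail() . "&status=failed");
             exit;
         }
     } else {
         // cookie first, then the request parameter. isset() avoids an undefined
         // index notice when the cookie has never been set.
         if (isset($_COOKIE[$this->myCookie]) && $_COOKIE[$this->myCookie] != "") {
             $this->session = $_COOKIE[$this->myCookie];
         } else {
             // NOTE(review): unlike auth(), "sid" is taken without NOSPACES
             // validation here; kept as-is to preserve behaviour.
             if (value("sid") != "0") {
                 $this->session = value("sid");
             }
         }
     }

     // verify data
     if (!$this->validateSession()) {
         if ($forceLogin) {
             header("Location: " . $this->forwardToOnAuthFail());
             exit;
         }
     } else {
         $this->loggedIn = true;
     }

     if ($this->loggedIn) {
         // ids below are interpolated into SQL unquoted, so they must be integers;
         // casting pins that down even if a helper hands back a numeric string
         $userId = (int) $this->userId;

         $sql = "SELECT LANGID, USE_JAVASCRIPT FROM users WHERE USER_ID = " . $userId;
         $query = new query($db, $sql);
         $query->getrow();
         $this->lang = $query->field("LANGID");
         $this->isJS = $query->field("USE_JAVASCRIPT");
         if ($this->lang != "") {
             global $c, $lang;
             $lang->language = $this->lang;
         }

         //get list of roles this user has
         // preselect system group, if system flag is not deselected.
         $additum = "";
         if ($this->sys) {
             $additum = " AND (p.GROUP_ID = " . (int) $this->group . " OR p.GROUP_ID=1)";
         }
         // get all roleIDs the user has
         $sql = "SELECT DISTINCT r.ROLE_NAME, p.ROLE_ID FROM roles r, user_permissions p WHERE p.ROLE_ID = r.ROLE_ID AND p.USER_ID = " . $userId . $additum;
         $query = new query($db, $sql);
         while ($query->getrow()) {
             $this->roles[$query->field("ROLE_ID")] = strtoupper($query->field("ROLE_NAME"));
         }
         $query->free();

         //get list of functions allowed for this user
         // A user without any role used to produce "IN ( )", which is invalid SQL;
         // skip the query instead and leave allowedFunctions as it was.
         if (!empty($this->roles)) {
             $roleIds = array();
             foreach (array_keys($this->roles) as $roleId) {
                 $roleIds[] = (int) $roleId;
             }
             $sql = "SELECT DISTINCT rsf.FUNCTION_ID FROM role_sys_functions as rsf WHERE rsf.ROLE_ID in ( " . implode(",", $roleIds) . " )";
             $query = new query($db, $sql);
             $counter = 0;
             while ($query->getrow()) {
                 $this->allowedFunctions[$counter] = $query->field("FUNCTION_ID");
                 $counter++;
             }
             $query->free();
         }

         if ($permission != "ANY") {
             // check permission.
             if (!$this->checkPermission($permission, false)) {
                 // no permission; without $forceLogin the caller is left to decide
                 if ($forceLogin) {
                     header("Location: " . $this->forwardToOnAuthFail());
                     exit;
                 }
             }
         }
     }

     // set the cookie now (also when not logged in -- unchanged behaviour).
     // HttpOnly keeps the session id away from page scripts (XSS). The "secure"
     // flag stays off because it is not known here whether the site is served
     // over HTTPS only -- TODO confirm and enable.
     setcookie($this->myCookie, $this->session, time() + 60 * 60, '/', '', false, true);
 }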
Esempio n. 6
	/**********************************************************************
	 *	N/X - Web Content Management System
	 *	Copyright 2004 Sven Weih
	 *
	 *	This file is part of N/X.
	 *
	 *	N/X is free software; you can redistribute it and/or modify
	 *	it under the terms of the GNU General Public License as published by
	 *	the Free Software Foundation; either version 2 of the License, or
	 *	(at your option) any later version.
	 *
	 *	N/X is distributed in the hope that it will be useful,
	 *	but WITHOUT ANY WARRANTY; without even the implied warranty of
	 *	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
	 *	GNU General Public License for more details.
	 *
	 *	You should have received a copy of the GNU General Public License
	 *	along with N/X; if not, write to the Free Software
	 *	Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
	 **********************************************************************/

	require_once "../../config.inc.php";

	// Any logged-in CMS user may see this page; auth() redirects and exits otherwise.
	$auth = new auth("ANY");

	$page = new page("Access Violation");
	$notice = new MessageForm(
		$lang->get("access_violation", "Access violation"),
		$lang->get("access_v_text", "You have not rights to access this object!"),
		$c["docroot"]."api/userinterface/page/blank_page.php"
	);

	// Record who tried to reach which object. "guid" is NUMERIC-validated by
	// value(), which terminates the request itself on a non-numeric value.
	$violationLog = new DBLog("Access Violation");
	$violationLog->log("User ".$auth->userName." tried to access resource with guid ".value("guid", "NUMERIC"));

	$page->add($notice);
	$page->draw();
	$db->close();
?>