<?php if (!session_admin()) { return; } $applications = parse_ini_file('inc/conf/auth/applications/index.php'); loader_import('saf.File.Directory'); $d = new Dir('inc/app'); $apps = array(); foreach ($d->read_all() as $file) { if (strpos($file, '.') === 0 || !@is_dir('inc/app/' . $file) || !@file_exists('inc/app/' . $file . '/conf/config.ini.php') || in_array($file, array('cms', 'usradm'))) { continue; } if (session_is_resource('app_' . $file) && !session_allowed('app_' . $file, 'rw', 'resource')) { continue; } if (isset($applications[$file]) && !$applications[$file]) { continue; } $c = @parse_ini_file('inc/app/' . $file . '/conf/config.ini.php'); if (!isset($c['admin_handler']) || !isset($c['admin_handler_type']) || isset($c['admin']) && !$c['admin']) { continue; } if (!isset($c['app_name'])) { $c['app_name'] = $file; } if ($c['admin_handler_type'] == 'box') { $type = 'action'; } else { $type = $c['admin_handler_type']; }
<?php

// RPC endpoint: inserts one or more values into a single column of a table.
// Expects the request fields `table`, `key` (the column name) and `items`
// (comma-separated values) and answers with rpc_response(true|false).
global $cgi;

loader_import('saf.Misc.RPC');

// Identifiers are interpolated into the SQL text, so they are restricted to
// [A-Za-z0-9_-] before use; the values themselves go through a bound parameter.
$identifier_pattern = '/^[a-zA-Z0-9_-]+$/';

$rejected = (!$cgi->table || !$cgi->items || !$cgi->key)
    || !$cgi->verify('table', 'regex', $identifier_pattern)
    || !$cgi->verify('key', 'regex', $identifier_pattern)
    // NOTE(review): access is only enforced when the table is a registered
    // resource; whether writes to unregistered tables are gated elsewhere
    // (e.g. by the action framework) is not visible here — confirm.
    || (session_is_resource($cgi->table) && !session_allowed($cgi->table, 'rw', 'resource'));

if ($rejected) {
    echo rpc_response(false);
    exit;
}

$sql = 'insert into ' . $cgi->table . ' (' . $cgi->key . ') values (?)';

// Split on commas with an optional following space; each piece becomes one row.
foreach (preg_split('/, ?/', $cgi->items) as $value) {
    db_execute($sql, $value);
}

echo rpc_response(true);
exit;
/**
 * Decides whether the current user may use form $name and, if so, which
 * template (if any) it should be rendered with.
 *
 * Starting at the form's own directory, walks up towards $formPath looking
 * for an access.php file; the first one found is parsed as INI and decides
 * the outcome. If none is found on the way, a global
 * $prefix/$app/$formPath/access.php is tried. With no access.php at all the
 * form is allowed except in the 'action' context.
 *
 * Side effects: the parsed INI array is stored in $this->formAccess; when a
 * check fails and the file names a sitellite_goto target the method sends a
 * Location header and exits instead of returning; on success a
 * sitellite_template_set entry is applied via page_template_set().
 *
 * @access public
 * @param string $name    form name, optionally prefixed with an app name
 * @param string $context 'normal', 'action', 'inline' or another context key
 *                        looked up as sitellite_<context> in access.php
 * @return mixed the sitellite_template string when one is configured,
 *               true when allowed without a template, false when denied
 */
function formAllowed($name, $context = 'normal') {
    $app = $this->getApp($name);
    $name = $this->removeApp($name, $app);
    // Admins still need 'rw' on the app resource when the app is registered as one.
    if (session_admin() && session_is_resource('app_' . $app) && !session_allowed('app_' . $app, 'rw', 'resource')) {
        return false;
    }
    if (isset($this->applications[$app]) && !$this->applications[$app]) {
        // app is disabled
        return false;
    }
    // NOTE(review): $name is spliced into a filesystem path without
    // normalisation; if callers can pass '..' segments the access.php lookup
    // could resolve outside $formPath — confirm what getApp()/removeApp() accept.
    $dir = $this->prefix . '/' . $app . '/' . $this->formPath . '/' . $name;
    // Walk up one directory per iteration until the form root itself is
    // reached (the root is handled separately below).
    while ($dir != $this->prefix . '/' . $app . '/' . $this->formPath) {
        if (@file_exists($dir . '/access.php')) {
            $access = parse_ini_file($dir . '/access.php');
            $this->formAccess = $access;
            // NOTE(review): sitellite_access / sitellite_status are read without
            // isset(); an access.php missing them passes null to session_allowed()
            // — confirm that is treated as a denial.
            if (!session_allowed($access['sitellite_access'], 'r', 'access')) {
                if (isset($access['sitellite_goto'])) {
                    header('Location: ' . site_prefix() . '/index/' . $access['sitellite_goto']);
                    exit;
                }
                return false;
            } elseif (!session_allowed($access['sitellite_status'], 'r', 'status')) {
                if (isset($access['sitellite_goto'])) {
                    header('Location: ' . site_prefix() . '/index/' . $access['sitellite_goto']);
                    exit;
                }
                return false;
            } elseif ($context == 'action' && !$access['sitellite_action']) {
                if (isset($access['sitellite_goto'])) {
                    header('Location: ' . site_prefix() . '/index/' . $access['sitellite_goto']);
                    exit;
                }
                return false;
            } elseif ($context != 'normal' && isset($access['sitellite_' . $context]) && !$access['sitellite_' . $context]) {
                // Generic per-context switch (sitellite_inline, sitellite_<other>);
                // note the global access.php branch below only knows 'inline'.
                return false;
            } else {
                if (isset($access['sitellite_template_set'])) {
                    page_template_set($access['sitellite_template_set']);
                }
                if (isset($access['sitellite_template'])) {
                    return $access['sitellite_template'];
                } else {
                    return true;
                }
            }
        }
        // Drop the last path segment and try the parent directory.
        $dir = preg_split('/\\//', $dir);
        array_pop($dir);
        $dir = join('/', $dir);
    }
    // check for a global access.php file
    if (@file_exists($this->prefix . '/' . $app . '/' . $this->formPath . '/access.php')) {
        $access = parse_ini_file($this->prefix . '/' . $app . '/' . $this->formPath . '/access.php');
        $this->formAccess = $access;
        if (!session_allowed($access['sitellite_access'], 'r', 'access')) {
            if (isset($access['sitellite_goto'])) {
                header('Location: ' . site_prefix() . '/index/' . $access['sitellite_goto']);
                exit;
            }
            return false;
        } elseif (!session_allowed($access['sitellite_status'], 'r', 'status')) {
            if (isset($access['sitellite_goto'])) {
                header('Location: ' . site_prefix() . '/index/' . $access['sitellite_goto']);
                exit;
            }
            return false;
        } elseif ($context == 'action' && !$access['sitellite_action']) {
            if (isset($access['sitellite_goto'])) {
                header('Location: ' . site_prefix() . '/index/' . $access['sitellite_goto']);
                exit;
            }
            return false;
        } elseif ($context == 'inline' && !$access['sitellite_inline']) {
            // Only the 'inline' context is honoured here, unlike the
            // per-directory check above which accepts any sitellite_<context>.
            return false;
        } else {
            if (isset($access['sitellite_template_set'])) {
                page_template_set($access['sitellite_template_set']);
            }
            if (isset($access['sitellite_template'])) {
                return $access['sitellite_template'];
            } else {
                return true;
            }
        }
    }
    // no access.php found at all, revert to logical defaults
    if ($context == 'action') {
        return false;
    }
    return true;
}
} // END KEEPOUT CHECKING global $cgi; loader_import('cms.Versioning.Rex'); $rex = new Rex($cgi->collection); session_set('imagechooser_path', '/pix'); if (!$rex->collection) { page_title(intl_get('Error: Collection not found!')); echo '<p><a href="' . $_SERVER['HTTP_REFERER'] . '">' . intl_get('Back') . '</a></p>'; return; } if (!session_allowed('add', 'rw', 'resource')) { header('Location: ' . site_prefix() . '/index/cms-cpanel-action'); exit; } if (session_is_resource($cgi->collection) && !session_allowed($cgi->collection, 'r', 'resource')) { header('Location: ' . site_prefix() . '/index/cms-cpanel-action'); exit; } if (isset($rex->info['Collection']['add'])) { list($call, $name) = explode(':', $rex->info['Collection']['add']); if ($call == 'box') { echo loader_box($name); } elseif ($call == 'form') { echo loader_form($name); } else { echo loader_form($call); } return; } else { class CmsAddForm extends MailForm
<?php

// Box: renders the "Add" button for a collection (template buttons/add.spt).
// Nothing is output unless the current user is an admin with 'rw' on the
// 'add' resource and on the target collection (when that collection is a
// registered resource).
global $page, $cgi;

if (!session_admin()) {
    return;
}

// Default to the page collection when the caller did not name one.
if (!isset($parameters['collection'])) {
    $parameters['collection'] = 'sitellite_page';
}
$collection = $parameters['collection'];

$denied = !session_allowed('add', 'rw', 'resource')
    || (session_is_resource($collection) && !session_allowed($collection, 'rw', 'resource'));
if ($denied) {
    return;
}

loader_import('cms.Versioning.Rex');
$rex = new Rex($collection);
if (!$rex->collection) {
    return;
}

// Label the button with the collection's translated singular name.
$parameters['type'] = intl_get($rex->info['Collection']['singular']);
echo template_simple('buttons/add.spt', $parameters);
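/**
 * Returns the display HTML for this widget. The optional parameter
 * determines whether to render the complete labelled table row; when it is
 * not set an empty string is returned.
 *
 * Side effects regardless of $generate_html: echoes rpc_init() output and,
 * when the user has 'rw' on $this->table (or the table is not a registered
 * resource), registers the per-widget add/remove JavaScript via
 * page_add_script(). Two script variants exist depending on whether a
 * $title column is configured.
 *
 * NOTE(review): $this->name/table/key/title/addAction/removeAction are
 * interpolated into the inline JavaScript and HTML without escaping or URL
 * encoding — assumed to be developer-controlled widget configuration, not
 * request data; confirm. The RPC URL appends the user-typed `word` without
 * encodeURIComponent, so ampersands in items are not preserved.
 *
 * @access public
 * @param boolean $generate_html
 * @return string
 */
function display($generate_html = 0) {
    $data = '';
    $attrstr = $this->getAttrs();
    $selected = explode(',', $this->data_value);
    loader_import('saf.Misc.RPC');
    echo rpc_init('return false');
    // $mult is emitted into the JavaScript as a literal boolean.
    $mult = 'false';
    if ($this->size) {
        $multiple = ' size="' . $this->size . '"';
        $braces = '';
        if ($this->multiple) {
            $multiple = ' multiple="multiple"' . $multiple;
            // PHP needs the [] suffix to receive multiple values under one name.
            $braces = '[]';
            $mult = 'true';
        }
    } else {
        $multiple = '';
        $braces = '';
    }
    if (session_is_resource($this->table) && !session_allowed($this->table, 'rw', 'resource')) {
        $allowed = false;
    } else {
        $allowed = true;
    }
    if ($allowed) {
        loader_import('saf.GUI.Prompt');
        if ($this->title) {
            // Variant with a separate title column: the add handler receives
            // {text, value} pairs back from the RPC call.
            page_add_script('
var cms_' . $this->name . '_form;
var cms_' . $this->name . '_oldhandler;
function cms_' . $this->name . '_add_handler (words) {
    f = cms_' . $this->name . '_form;
    // 2. add the selected keywords to the list
    for (i = 0; i < words.length; i++) {
        if (document.all) {
            f.elements[\'' . $this->name . $braces . '\'].options[f.elements[\'' . $this->name . $braces . '\'].options.length + 1] = new Option (words[i].text, words[i].value, false, true);
        } else {
            o = document.createElement (\'option\');
            o.text = words[i].text;
            o.value = words[i].value;
            f.elements[\'' . $this->name . $braces . '\'].add (o, null);
        }
    }
    rpc_handler = null;
    rpc_handler = cms_' . $this->name . '_oldhandler;
}
function cms_' . $this->name . '_add (f) {
    cms_' . $this->name . '_form = f;
    // 0. collect our new items(s) from the user
    prompt (
        \'New items(s) -- separate multiple with commas (one, two, three)\',
        \'\',
        function (word) {
            if (word == null || word.length == 0 || word == false) {
                return false;
            }
            words = word.split (/, ?/);
            cms_' . $this->name . '_oldhandler = rpc_handler;
            rpc_handler = null;
            rpc_handler = cms_' . $this->name . '_add_handler;
            // 1. call {site/prefix}/index/' . str_replace('/', '-', $this->addAction) . '-action in a popup
            rpc_call (\'' . site_prefix() . '/index/' . str_replace('/', '-', $this->addAction) . '-action?table=' . $this->table . '&key=' . $this->key . '&title=' . $this->title . '&items=\' + word);
        }
    );
    // 3. cancel the click
    return false;
}
function cms_' . $this->name . '_remove (f) {
    // 0. collect the selected items from the "items" field
    word = \'\';
    show = \'\';
    sep = \'\';
    for (i = 0; i < f.elements[\'' . $this->name . $braces . '\'].options.length; i++) {
        if (f.elements[\'' . $this->name . $braces . '\'].options[i].selected) {
            word = word + sep + f.elements[\'' . $this->name . $braces . '\'].options[i].value;
            show = show + sep + f.elements[\'' . $this->name . $braces . '\'].options[i].text;
            sep = \',\';
        }
    }
    // 0.1. confirm that they want to delete the selected list
    c = confirm (\'' . intl_get('Are you sure you want to remove these items?') . ' \' + show);
    if (! c) {
        return false;
    }
    // 1. call {site/prefix}/index/' . str_replace('/', '-', $this->addAction) . '-action in a popup
    rpc_call (\'' . site_prefix() . '/index/' . str_replace('/', '-', $this->removeAction) . '-action?table=' . $this->table . '&key=' . $this->key . '&title=' . $this->title . '&items=\' + word);
    // 2. remove the selected keywords from the list
    multiple = ' . $mult . ';
    for (i = f.elements[\'' . $this->name . $braces . '\'].options.length - 1; i >= 0; i--) {
        if (f.elements[\'' . $this->name . $braces . '\'].options[i].selected) {
            // remove
            if (document.all) {
                f.elements[\'' . $this->name . $braces . '\'].options.remove (i);
            } else {
                f.elements[\'' . $this->name . $braces . '\'].options[i] = null;
            }
            if (! multiple) {
                break;
            }
        }
    }
    // 3. cancel the click
    return false;
}
');
        } else {
            // Variant without a title column: the typed words are both value
            // and text, so the list is updated locally right after the call.
            page_add_script('
function cms_' . $this->name . '_add (f) {
    cms_' . $this->name . '_form = f;
    // 0. collect our new items(s) from the user
    prompt (
        \'New items(s) -- separate multiple with commas (one, two, three)\',
        \'\',
        function (word) {
            if (word == null || word.length == 0 || word == false) {
                return false;
            }
            words = word.split (/, ?/);
            f = cms_' . $this->name . '_form;
            // 1. call {site/prefix}/index/' . str_replace('/', '-', $this->addAction) . '-action in a popup
            rpc_call (\'' . site_prefix() . '/index/' . str_replace('/', '-', $this->addAction) . '-action?table=' . $this->table . '&key=' . $this->key . '&items=\' + word);
            // 2. add the selected keywords to the list
            for (i = 0; i < words.length; i++) {
                if (document.all) {
                    f.elements[\'' . $this->name . $braces . '\'].options[f.elements[\'' . $this->name . $braces . '\'].options.length + 1] = new Option (words[i], words[i], false, true);
                } else {
                    o = document.createElement (\'option\');
                    o.text = words[i];
                    o.value = words[i];
                    f.elements[\'' . $this->name . $braces . '\'].add (o, null);
                }
            }
        }
    );
    // 3. cancel the click
    return false;
}
function cms_' . $this->name . '_remove (f) {
    // 0. collect the selected items from the "items" field
    word = \'\';
    sep = \'\';
    for (i = 0; i < f.elements[\'' . $this->name . $braces . '\'].options.length; i++) {
        if (f.elements[\'' . $this->name . $braces . '\'].options[i].selected) {
            word = word + sep + f.elements[\'' . $this->name . $braces . '\'].options[i].value;
            sep = \',\';
        }
    }
    // 0.1. confirm that they want to delete the selected list
    c = confirm (\'' . intl_get('Are you sure you want to remove these items?') . ' \' + word);
    if (! c) {
        return false;
    }
    // 1. call {site/prefix}/index/' . str_replace('/', '-', $this->addAction) . '-action in a popup
    rpc_call (\'' . site_prefix() . '/index/' . str_replace('/', '-', $this->removeAction) . '-action?table=' . $this->table . '&key=' . $this->key . '&items=\' + word);
    // 2. remove the selected keywords from the list
    multiple = ' . $mult . ';
    for (i = f.elements[\'' . $this->name . $braces . '\'].options.length - 1; i >= 0; i--) {
        if (f.elements[\'' . $this->name . $braces . '\'].options[i].selected) {
            // remove
            if (document.all) {
                f.elements[\'' . $this->name . $braces . '\'].options.remove (i);
            } else {
                f.elements[\'' . $this->name . $braces . '\'].options[i] = null;
            }
            if (! multiple) {
                break;
            }
        }
    }
    // 3. cancel the click
    return false;
}
');
        } // end title
    } // end allowed
    if ($generate_html) {
        $data .= '<tr> <td class="label"' . $this->invalid() . ' valign="top"> <label for="' . $this->name . '" id="' . $this->name . '-label">' . template_simple($this->label_template, $this, '', true) . '</label> </td> <td class="field"> <table border="0" cellpadding="3" cellspacing="0"> <tr> <td valign="top"> <select name="' . $this->name . $braces . '" ' . $multiple . $attrstr . ' ' . $this->extra . '>' . NEWLINE;
        foreach ($this->getList() as $obj) {
            $key = $obj->{$this->key};
            // Without a title column the key doubles as the visible text.
            $keyword = $this->title ? $obj->{$this->title} : $obj->{$this->key};
            // Option values/text come from the list rows, not from widget
            // configuration, so they are escaped at the point of output.
            $data .= TABx2 . TABx2 . TABx2 . '<option value="' . htmlspecialchars($key, ENT_QUOTES) . '"';
            if (in_array($key, $selected)) {
                $data .= ' selected="selected"';
            }
            $data .= '>' . htmlspecialchars($keyword) . '</option>' . NEWLINE;
        }
        $data .= '</select> </td>' . NEWLINE;
        if ($allowed) {
            $data .= ' <td valign="top" width="100%"> <input type="submit" value="' . intl_get('Add') . '" onclick="return cms_' . $this->name . '_add (this.form)" /><br /> <input type="submit" value="' . intl_get('Remove') . '" onclick="return cms_' . $this->name . '_remove (this.form)" /> </td> </tr> </table> </td>' . NEWLINE;
        } else {
            $data .= '</tr></table></td>';
        }
        $data .= ' </tr>' . NEWLINEx2;
    }
    return $data;
}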
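}
// Build the list of "link:*" entries from the collection's info, dropping
// those the current user lacks the declared permission for.
$data['links'] = array();
foreach ($rex->info as $key => $vals) {
    if (strpos($key, 'link:') !== 0) {
        continue;
    }
    $perms = isset($vals['requires']) ? $vals['requires'] : null;
    switch ($perms) {
        case 'r':
        case 'w':
        case 'rw':
            if (session_is_resource($cgi->collection) && !session_allowed($cgi->collection, $perms, 'resource')) {
                // `continue 2` is required here: inside a switch a bare
                // `continue` behaves like `break`, so it would only leave the
                // switch and the link would still be added below.
                continue 2;
            }
            break;
    }
    if (isset($vals['requires resource'])) {
        if (session_is_resource($vals['requires resource']) && !session_allowed($vals['requires resource'], 'rw', 'resource')) {
            continue;
        }
    }
    $vals['text'] = intl_get($vals['text']);
    // Relative /index/ URLs are made absolute with the site prefix.
    if (strpos($vals['url'], '/index/') === 0) {
        $vals['url'] = site_prefix() . $vals['url'];
    }
    $data['links'][] = $vals;
}
echo template_simple(CMS_JS_ALERT_MESSAGE, $GLOBALS['cgi']);
echo loader_box('cms/nav');
template_simple_register('pager', $pg);
template_simple_register('locks', $locks);
template_simple_register('editable', $editable);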
$parameters['inline'] = true; } if (!isset($parameters['return']) && $parameters['collection'] == 'sitellite_page') { $parameters['return'] = site_current(); } $parameters['return_v1'] = site_current(); loader_import('cms.Workflow.Lock'); lock_init(); if (lock_exists($parameters['collection'], $parameters['id'])) { $parameters['editable'] = false; $lock_info = lock_info($parameters['collection'], $parameters['id']); $parameters['lock_owner'] = $lock_info->user; $parameters['lock_expires'] = $lock_info->expires; loader_import('cms.Filters'); } if (session_is_resource('delete') && !session_allowed('delete', 'rw', 'resource')) { $parameters['deletable'] = false; } if ($rex->isVersioned && $parameters['editable']) { //session_allowed ('approved', 'w', 'status')) { $parameters['history'] = true; } else { $parameters['history'] = false; } if ($parameters['collection'] == 'sitellite_page') { $c = $rex->getCurrent($parameters['id']); if ($c->sitellite_status == 'draft' || $c->sitellite_status == 'pending') { //$parameters['status'] = $c->sitellite_status; $p = $rex->getSource($parameters['id']); if ($p == $c) { $parameters['draft'] = false;
$c = 0; foreach ($one as $k => $v) { $ct = str_replace(site_prefix() . '/index/cms-browse-action?collection=', '', $k); $r = new Rex($ct); if ($r->info['Collection']['icon']) { $icon = site_prefix() . '/' . $r->info['Collection']['icon']; } else { $icon = site_prefix() . '/inc/app/cms/pix/icons/content-type.gif'; } $data['content_panel']['icons'][] = array('href' => $k, 'src' => $icon, 'alt' => $v); $c++; if ($c >= 3) { break; } } if (session_is_resource('app_usradm') && !session_allowed('app_usradm', 'rw', 'resource')) { $data['admin_panel'] = array('name' => 'admin', 'caption' => intl_get('Admin'), 'action' => '#', 'method' => 'get', 'select' => 'list', 'selected' => '', 'select-extra' => 'disabled="disabled"', 'options' => array(array()), 'icons' => array(array('href' => '#', 'src' => site_prefix() . '/inc/app/cms/pix/icons/users_disabled.gif', 'alt' => intl_get('Users')), array('href' => '#', 'src' => site_prefix() . '/inc/app/cms/pix/icons/roles_disabled.gif', 'alt' => intl_get('Roles')), array('href' => '#', 'src' => site_prefix() . '/inc/app/cms/pix/icons/teams_disabled.gif', 'alt' => intl_get('Teams')))); if (!appconf('panels_show_disabled')) { $data['admin_panel']['icons'] = array(); } } else { $data['admin_panel'] = array('name' => 'admin', 'caption' => intl_get('Admin'), 'action' => site_prefix() . '/index/usradm-browse-action', 'method' => 'get', 'select' => 'list', 'selected' => '', 'select-extra' => 'onchange="this.form.submit ()"', 'options' => array(array(site_prefix() . '/index/usradm-browse-action?list=accesslevels' => intl_get('Access Levels'), site_prefix() . '/index/usradm-browse-action?list=log' => intl_get('Activity Log'), site_prefix() . '/index/usradm-applications-action' => intl_get('Applications'), site_prefix() . '/index/usradm-cache-form' => intl_get('Cache Settings'), site_prefix() . '/index/usradm-browse-action?list=prefs' => intl_get('Preferences'), site_prefix() . 
'/index/usradm-browse-action?list=resources' => intl_get('Resources')), array(site_prefix() . '/index/usradm-browse-action?list=roles' => intl_get('Roles'), site_prefix() . '/index/usradm-settings-form' => intl_get('Site Settings'), site_prefix() . '/index/usradm-browse-action?list=statuses' => intl_get('Statuses'), site_prefix() . '/index/usradm-browse-action?list=teams' => intl_get('Teams'), site_prefix() . '/index/usradm-browse-action?list=users' => intl_get('Users'), site_prefix() . '/index/usradm-workflow-action' => intl_get('Workflow Services'))), 'icons' => array(array('href' => site_prefix() . '/index/usradm-browse-action?list=users', 'src' => site_prefix() . '/inc/app/cms/pix/icons/users.gif', 'alt' => intl_get('Users')), array('href' => site_prefix() . '/index/usradm-browse-action?list=roles', 'src' => site_prefix() . '/inc/app/cms/pix/icons/roles.gif', 'alt' => intl_get('Roles')), array('href' => site_prefix() . '/index/usradm-browse-action?list=teams', 'src' => site_prefix() . '/inc/app/cms/pix/icons/teams.gif', 'alt' => intl_get('Teams')))); } $apps = loader_box('cms/admintools'); $apps = explode(NEWLINE, $apps); $c = 0; foreach ($apps as $k => $v) { if (empty($v)) { unset($apps[$k]); continue; }
/**
 * DELETE method handler
 *
 * Resolves the target from $options['dest'] (falling back to the request
 * path), refuses locked targets, requires the 'delete' resource permission
 * and then removes either a directory tree, a dot-file, or a document via
 * $this->rex.
 *
 * NOTE(review): the client-supplied path is lower-cased and appended to
 * $this->base with no normalisation visible here; confirm that _path() /
 * checkLock() reject '..' segments. On a case-sensitive filesystem
 * strtolower() may also select a different entry than the one requested.
 *
 * NOTE(review): the directory and dot-file branches act on the filesystem
 * directly and are gated only by the global 'delete' check, while the
 * regular-document branch additionally requires 'rw' on the document itself.
 *
 * @param array general parameter passing array
 * @return string HTTP status line ('423 Locked', '404 Not found',
 *                '403 Forbidden', '500 Internal server error',
 *                '204 No Content'), or whatever _rmdir_recursive() returns
 */
function DELETE($options) {
    if (isset($options['dest'])) {
        $options['path'] = $options['dest'];
    } else {
        $options['path'] = $this->_path();
    }
    $path = $this->base . strtolower(rtrim($options["path"], '/'));
    // Log every option as k=v for the debug trace.
    $debug = array();
    foreach ($options as $k => $v) {
        $debug[] = $k . '=' . $v;
    }
    $this->_debug(__LINE__, 0, 'DELETE: ' . join(', ', $debug));
    if ($this->checkLock($options['path'], true)) {
        $this->_debug(__LINE__, 423, 'Locked : ' . $options['path']);
        return '423 Locked';
    }
    if (!file_exists($path)) {
        $this->_debug(__LINE__, 404, 'File doesn\'t exist: ' . $path);
        return "404 Not found";
    }
    if (session_is_resource('delete') && !session_allowed('delete', 'rw', 'resource')) {
        $this->_debug(__LINE__, 403, 'Permissions failed: delete');
        return '403 Forbidden';
    }
    if (is_dir($path)) {
        return $this->_rmdir_recursive(trim($path, '/'));
    } elseif (strpos($path, '/.') !== false) {
        // dot-file: removed from disk directly, not through $this->rex
        $res = unlink($path);
        if (!$res) {
            $this->_debug(__LINE__, 403, 'Unlinking dot-file failed: ' . $path);
            return '403 Forbidden';
        }
    } else {
        // Regular document: per-item permission check, then delete through
        // $this->rex with a fixed message.
        $info = $this->rex->getCurrent(ltrim($options['path'], '/'));
        if (!session_allowed($info, 'rw')) {
            $this->_debug(__LINE__, 403, 'Permissions failed: ' . $info->name);
            return '403 Forbidden';
        }
        if (!$this->rex->delete(ltrim($options['path'], '/'), 'Deleted via WebDAV.')) {
            $this->_debug(__LINE__, 500, 'Delete failed: ' . $this->rex->error . ' (' . $options['path'] . ')');
            return '500 Internal server error';
        }
    }
    return "204 No Content";
}
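/**
 * Returns the display HTML for this widget.
 *
 * Loads the option list and the selected ids, marks each list entry with a
 * `selected` flag, registers the widget's style/script assets on the page
 * (the shared style and rpc-compressed.js only once per request, via a
 * static flag) and renders the $_output template with the widget itself as
 * data.
 *
 * Unlike the sibling widgets this method does not build HTML itself;
 * $generate_html is accepted for interface compatibility but is not read.
 *
 * @access public
 * @param boolean $generate_html unused
 * @return string
 */
function display($generate_html = 0) {
    // NOTE(review): $allowed is computed but never used here and is not
    // handed to the template; confirm that $_script / $_output enforce the
    // 'rw' permission on $this->table themselves, otherwise the add/remove
    // controls render regardless of access.
    if (session_is_resource($this->table) && !session_allowed($this->table, 'rw', 'resource')) {
        $allowed = false;
    } else {
        $allowed = true;
    }
    $this->_list = $this->getList();
    $this->_selected = $this->getSelected();
    // Flag each option so the template can mark the chosen ones.
    foreach ($this->_list as $k => $v) {
        $this->_list[$k]->selected = in_array($v->id, $this->_selected);
    }
    // Stash a falsy id and substitute the literal string 'false' while the
    // script template renders (presumably so it reads as a JS false rather
    // than an empty value — confirm against $_script); restored below.
    if (!$this->id) {
        $this->_id = $this->id;
        $this->id = 'false';
    }
    // Shared assets are added once per request, not once per widget.
    static $loaded = false;
    if (!$loaded) {
        page_add_style($this->_style);
        page_add_script(site_prefix() . '/js/rpc-compressed.js');
    }
    $this->loaded = $loaded;
    page_add_script(template_simple($this->_script, $this));
    $loaded = true;
    if (isset($this->_id)) {
        $this->id = $this->_id;
        unset($this->_id);
    }
    return template_simple($this->_output, $this);
}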