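/**
 * Gate admin-page, plugin-management and AJAX requests on authmgr capabilities.
 *
 * Every admin page requires the ShowAdmin capability. Requests carrying a
 * `plugin` parameter are then checked against the capability mapped to their
 * `action`, and AJAX requests likewise. A denied plugin request is redirected
 * to the admin URL with `?access=denied` (which this function turns into a
 * notice on the next page); a denied AJAX request receives a JSON error body
 * and the script exits.
 *
 * NOTE(review): an `action` that is not in the capability map maps to null.
 * On the plugin-management branch a null capability skips the check entirely
 * (unmapped actions are let through); on the AJAX branch the outcome depends
 * on what authmgr_have_capability() returns for null — confirm that it fails
 * closed.
 *
 * @return void
 */
function authmgr_intercept_admin() {
    authmgr_require_capability(AuthmgrCapability::ShowAdmin);

    // A denied request is redirected back here with this GET flag so the user
    // gets visible feedback. Strict comparison: an array value must not match.
    if (isset($_GET['access']) && $_GET['access'] === 'denied') {
        yourls_add_notice('Access Denied');
    }

    $action_capability_map = array(
        'add'          => AuthmgrCapability::AddURL,
        'delete'       => AuthmgrCapability::DeleteURL,
        'edit_display' => AuthmgrCapability::EditURL,
        'edit_save'    => AuthmgrCapability::EditURL,
        'activate'     => AuthmgrCapability::ManagePlugins,
        'deactivate'   => AuthmgrCapability::ManagePlugins,
    );

    // `action` is attacker-controlled: it may be absent, or a non-string such as
    // `?action[]=x`, which would raise a notice or (PHP 8) a TypeError when used
    // as an array key. Only a string is looked up; anything else maps to null,
    // exactly as an unknown action does.
    $action_keyword = (isset($_REQUEST['action']) && is_string($_REQUEST['action']))
        ? $_REQUEST['action']
        : null;
    $cap_needed = ($action_keyword !== null && isset($action_capability_map[$action_keyword]))
        ? $action_capability_map[$action_keyword]
        : null;

    // Intercept requests for plugin management (activate/deactivate).
    if (isset($_REQUEST['plugin'])) {
        if ($cap_needed !== null && authmgr_have_capability($cap_needed) !== true) {
            yourls_redirect(yourls_admin_url('?access=denied'), 302);
            // yourls_redirect() is expected to end the request; exit here anyway so
            // the plugin action can never run after a denial if it ever returns.
            exit;
        }
    }

    // Also intercept AJAX requests (add/delete/edit from the admin UI).
    if (yourls_is_Ajax()) {
        if (authmgr_have_capability($cap_needed) !== true) {
            $err = array();
            $err['status']    = 'fail';
            $err['code']      = 'error:authorization';
            $err['message']   = 'Access Denied';
            $err['errorCode'] = '403';
            echo json_encode($err);
            die;
        }
    }
}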
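/**
 * Yourls action auth_successful
 *
 * Runs after a successful login. Outside the admin area it does nothing.
 * Inside it, two checks are made against the permissions returned by
 * helperGetAllowedPermissions():
 *  - page check: the admin script name, captured from SCRIPT_FILENAME as
 *    `/admin/<name>.php`, must be present in the allowed list; otherwise an
 *    "access denied" page is rendered and the script exits;
 *  - action check (AJAX only): `edit_display`/`edit_save` require the `edit`
 *    permission, `add`/`delete` require a permission of the same name. A
 *    disallowed action is rewritten to `accessdenied`, with the original kept
 *    in `action_old`.
 *
 * NOTE(review): when SCRIPT_FILENAME does not match the `/admin/<name>.php`
 * pattern (it is absent, or the path uses backslashes) the page check is
 * skipped entirely. AJAX actions other than the four listed are not checked
 * here.
 *
 * @return bool|null  true when the request is not for the admin area; no
 *                    value otherwise
 */
public function action_auth_successful() {
    if (!yourls_is_admin()) {
        return true;
    }

    /**
     * Check page permissions
     */
    $scriptFilename = isset($_SERVER['SCRIPT_FILENAME']) ? (string) $_SERVER['SCRIPT_FILENAME'] : '';
    if (preg_match('#\\/admin\\/(.*?)\\.php#', $scriptFilename, $matches)) {
        // Strict comparison: a page name must match an allowed entry exactly.
        if (!in_array($matches[1], $this->helperGetAllowedPermissions(), true)) {
            yourls_add_notice(yourls__('Denied access to this page', self::APP_NAMESPACE));
            yourls_html_head('accessdenied', yourls__('Denied access to this page', self::APP_NAMESPACE));
            yourls_html_logo();
            yourls_html_menu();
            yourls_html_footer();
            die;
        }
    }

    /**
     * Check action permissions
     */
    if (yourls_is_Ajax()) {
        $action = $this->getRequest('action');
        $permissions = $this->helperGetAllowedPermissions();
        // A missing or malformed `action` permission list means nothing is
        // allowed (fail closed) instead of passing null to in_array().
        $allowedActions = (isset($permissions['action']) && is_array($permissions['action']))
            ? $permissions['action']
            : array();

        $denied = false;
        switch ($action) {
            case 'edit_display':
            case 'edit_save':
                if (!in_array('edit', $allowedActions, true)) {
                    $denied = true;
                }
                break;
            case 'add':
            case 'delete':
                if (!in_array($action, $allowedActions, true)) {
                    $denied = true;
                }
                break;
        }

        if ($denied) {
            // Keep the requested action for diagnostics, then neutralise it.
            $this->setRequest('action_old', $action);
            $this->setRequest('action', 'accessdenied');
        }
    }
}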
/**
 * Whether the current request renders an HTML interface.
 *
 * API calls, short-URL redirects (GO) and AJAX requests are headless;
 * every other request is treated as an interface request.
 *
 * @return bool
 */
function yourls_has_interface() {
    $headless = yourls_is_API() || yourls_is_GO() || yourls_is_Ajax();
    return !$headless;
}