Exemplo n.º 1
0
 function __wakeup()
 {
     $aAccounts[$this->aAccount['account_id']] = true;
     if (!empty($this->aUser['is_admin'])) {
         $adminAccountId = OA_Dal_ApplicationVariables::get('admin_account_id');
         $aAccounts[$adminAccountId] = true;
     }
     $doAUA = OA_Dal::factoryDO('account_user_assoc');
     $doAUA->whereInAdd('account_id', array_keys($aAccounts));
     $doAUA->user_id = $this->aUser['user_id'];
     $doAUA->find();
     while ($doAUA->fetch()) {
         unset($aAccounts[$doAUA->account_id]);
     }
     if (!empty($this->aUser['is_admin']) && isset($aAccounts[$adminAccountId])) {
         $this->aUser['is_admin'] = false;
     }
     OA_Permission::enforceTrue($this->aUser['is_admin'] || !isset($aAccounts[$this->aAccount['account_id']]));
 }
Exemplo n.º 2
0
 /**
  * CVE-2013-5954
  *
  * Helper method which checks if the correct session token is present
  * when CRUD actions (generally deletes) are performed using a GET instead
  * of a POST (for historical reasons). Allows the CSRF vulnerabilities
  * reported in CVE-2013-5954 to be closed off without the required (and
  * eventually needed) refactoring of the enture UI to a proper MVC
  * framework.
  */
 public static function checkSessionToken()
 {
     $token = isset($_GET['token']) ? $_GET['token'] : false;
     OA_Permission::enforceTrue(phpAds_SessionValidateToken($token));
 }
Exemplo n.º 3
0
| along with this program; if not, write to the Free Software               |
| Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA |
+---------------------------------------------------------------------------+
$Id: userlog-details.php 37157 2009-05-28 12:31:10Z andrew.hill $
*/
// Require the initialisation file
require_once '../../init.php';
// Required files
require_once MAX_PATH . '/lib/OA/Dal.php';
require_once MAX_PATH . '/lib/max/language/Loader.php';
require_once MAX_PATH . '/www/admin/config.php';
// Security check
OA_Permission::enforceAccount(OA_ACCOUNT_ADMIN);
// Get userlog data and enforce it exists
$doUserLog = OA_Dal::staticGetDO('userlog', $userlogid);
OA_Permission::enforceTrue($doUserLog);
/*-------------------------------------------------------*/
/* HTML framework                                        */
/*-------------------------------------------------------*/
phpAds_PageHeader('userlog-index');
phpAds_UserlogSelection("maintenance");
// Load the required language files
Language_Loader::load('userlog');
/*-------------------------------------------------------*/
/* Main code                                             */
/*-------------------------------------------------------*/
if ($row = $doUserLog->toArray()) {
    echo "<br />";
    echo "<table cellpadding='0' cellspacing='0' border='0'>";
    echo "<tr height='20'><td><b>" . $strDate . "</b>:&nbsp;&nbsp;</td>";
    echo "<td>" . strftime($date_format, $row['timestamp']) . ", " . strftime($minute_format, $row['timestamp']) . "</td></tr>";
Exemplo n.º 4
0
 /**
  * CVE-2013-5954
  *
  * Helper method which checks if the correct session token is present
  * when CRUD actions (generally deletes) are performed using a GET instead
  * of a POST (for historical reasons). Allows the CSRF vulnerabilities
  * reported in CVE-2013-5954 to be closed off without the required (and
  * eventually needed) refactoring of the enture UI to a proper MVC
  * framework.
  */
 public static function checkSessionToken()
 {
     if ($_SERVER['REQUEST_METHOD'] == 'POST') {
         $token = isset($_POST['token']) ? $_POST['token'] : false;
     } else {
         $token = isset($_GET['token']) ? $_GET['token'] : false;
     }
     OA_Permission::enforceTrue(phpAds_SessionValidateToken($token));
 }
/*
+---------------------------------------------------------------------------+
| Revive Adserver                                                           |
| http://www.revive-adserver.com                                            |
|                                                                           |
| Copyright: See the COPYRIGHT.txt file.                                    |
| License: GPLv2 or later, see the LICENSE.txt file.                        |
+---------------------------------------------------------------------------+
*/
// Require the initialisation file
require_once '../../init.php';
// Required files
require_once MAX_PATH . '/www/admin/config.php';
require_once MAX_PATH . '/lib/max/other/common.php';
// OA-900, hide graph
OA_Permission::enforceTrue(false);
require_once MAX_PATH . '/lib/OA/Admin/Statistics/Factory.php';
// Make data loading depending only on period_start & period_end
$tempPeriodPreset = $_REQUEST['period_preset'];
$_REQUEST['period_preset'] = 'specific';
$period_preset = 'specific';
$session['prefs']['GLOBALS']['period_preset'] = 'specific';
$period_preset = MAX_getStoredValue('period_preset', 'today');
phpAds_registerGlobal('breakdown', 'entity', 'agency_id', 'advertiser_id', 'clientid', 'campaignid', 'placement_id', 'ad_id', 'bannerid', 'publisher_id', 'affiliateid', 'zone_id', 'zoneid', 'start_date', 'end_date', 'sort', 'asc', 'show', 'expand', 'day', 'plugin', 'peroid_preset', 'tempPeriodPreset', 'GraphFile', 'graphFilter', 'graphFields', 'listorder');
if (!isset($listorder)) {
    $prm['listorder'] = MAX_getStoredValue('listorder', null, 'stats.php');
}
// Handle filters
if (is_numeric($advertiser_id)) {
    $clientid = $advertiser_id;
}
Exemplo n.º 6
0
 /**
  * A method to show an error if the current user/account doesn't have access
  * to the specified DB_DataObject (defined by table name and entity ID).
  *
  * @static
  * @param string  $entityTable    The name of the table.
  * @param integer $entityId       Optional entity ID -- when set, tests if the current
  *                                account has access to the enity, when not set,  tests
  *                                if the current account can create a new entity in the
  *                                table.
  * @param boolean $allowNewEntity Allow creation of a new entity, defaults to false.
  */
 function enforceAccessToObject($entityTable, $entityId = null, $allowNewEntity = false)
 {
     if (!$allowNewEntity) {
         OA_Permission::enforceTrue(!empty($entityId));
     }
     // Verify that the ID is numeric
     OA_Permission::enforceTrue(preg_match('/^\\d*$/D', $entityId));
     $entityId = (int) $entityId;
     $hasAccess = OA_Permission::hasAccessToObject($entityTable, $entityId);
     if (!$hasAccess) {
         if (!OA_Permission::isManualAccountSwitch()) {
             if (OA_Permission::isUserLinkedToAdmin()) {
                 // Check object existence
                 OA_Permission::enforceTrue(OA_Permission::getAccountIdForEntity($entityTable, $entityId));
             }
             // if has access switch to the manager account that owns this object
             if ($hasAccess) {
                 if (OA_Permission::switchToManagerAccount($entityTable, $entityId)) {
                     // Now that the admin user is working with the manager
                     // account that owns the object, show to him the page.
                     $url = $_SERVER['REQUEST_URI'];
                     header("Location: {$url}");
                     exit;
                 } else {
                     // If is not possible to switch redirect the admin to his home page
                     OX_Admin_Redirect::redirect();
                 }
             }
         }
     }
     if (!$hasAccess) {
         OA_Permission::redirectIfManualAccountSwitch();
         $hasAccess = OA_Permission::attemptToSwitchForAccess($entityTable, $entityId);
     }
     OA_Permission::enforceTrue($hasAccess);
 }