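// NOTE(review): this excerpt starts mid-file; $validation, $log, $site_prefix, $siteSection,
// $onSpotView, $OnSpotPluginToValidate and $fmWorkDB are expected to be defined before this point.
include_once $validation . "user_validation.php";

// Start the session before anything reads $_SESSION: the error branch below logs
// $_SESSION['userName'], which is unavailable if the session has not been started yet.
if (!session_id()) {
    session_start();
}

if (isset($_GET['pkId'])) {
    // NOTE(review): PHP already URL-decodes $_GET, so this second urldecode() only has an
    // effect when the calling page double-encodes the key. Kept as-is so existing links keep
    // working; confirm whether the double decode is intentional.
    $pkId = urldecode($_GET['pkId']);
} else {
    $messageType = "d";
    $errorTitle = "Serious Error";
    $log->error("Serious Error: PK Missing at save time User " . $_SESSION['userName']);
    $message = "A serious error has occurred and you should immediately contact Thought-Development Support for assistance.";
    processError("Missing Primary Key", $message, "spotViewerResponse.php", "", $errorTitle);
    exit;
}

// Reset the session timeout before saving the data so a timeout mid-save cannot cause data loss.
resetSessionTimeout();

// Validate the user prior to the save operation so nobody can push data to the database
// without going through the form. A user who is not logged in at save time is redirected
// to the index page.
$pageUrl = $site_prefix . "/onspot/index.php";
validateUser($site_prefix, $pageUrl, $siteSection, $onSpotView, $OnSpotPluginToValidate);

// Globals used by the notes / approval-block processing that follows.
$spotViewerLayout = "[WEB] cwp_spotviewer_browse";
$userNotesLayout = "[WEB] UserNotes";
$noteType = "Approval Notes";

// Process the approval information only when a user selected an Approval radio button.
// The calling page is a dual form, so a click event means the data for each section
// should be persisted to FileMaker.
if (isset($_POST['userApprover'])) {
    $log->debug("Processing approver selection");
    $spotViewerFind = $fmWorkDB->newFindCommand($spotViewerLayout);
    // $pkId comes straight from the request and is not escaped for FileMaker find syntax
    // here; the key format should be validated before it reaches this criterion.
    $spotViewerFind->addFindCriterion('__pk_ID', '==' . $pkId);
    // … this if-block continues past the end of this excerpt …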
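/**
 * Gate a page behind an authenticated, licensed and sufficiently privileged session.
 *
 * Every failure path either redirects to login.php or hands off to processError(), and in
 * both cases terminates the script. On success the session activity timer is refreshed
 * via resetSessionTimeout() and the function returns to the caller.
 *
 * @param string $site_prefix      URL prefix prepended to the login.php redirects
 * @param string $fullUrl          URL of the page being protected (may be URL-encoded); stored
 *                                 in $_SESSION['forwardingUrl'] so login can return the user here
 * @param string $siteSection      site section name; "View" enables the view/edit privilege check
 * @param mixed  $viewCheck        passed through unchanged to canViewOrEdit() for the "View" section
 * @param mixed  $pluginToValidate passed through unchanged to validatePlugin()
 * @return void
 */
function validateUser($site_prefix, $fullUrl, $siteSection, $viewCheck, $pluginToValidate)
{
    global $log;

    // Currently a 2-hour inactivity limit, checked only once per page load.
    $sessionTimeoutMax = 7200;

    $log->debug("validateUser() - method called for section: " . $siteSection);

    if (!session_id()) {
        session_start();
    }

    // Decode once; the original decoded $fullUrl at every use.
    $decodedUrl = urldecode($fullUrl);

    // Inactivity timeout: discard the session, remember where the user was heading and
    // send them back to the login page.
    if (isset($_SESSION['LAST_ACTIVITY']) && time() - $_SESSION['LAST_ACTIVITY'] > $sessionTimeoutMax) {
        // NOTE(review): the next two statements were redacted ("******") in the copy reviewed and
        // are reconstructed from the surrounding tokens — confirm against the original file.
        $log->debug("Session timed out Username: " . $_SESSION['userName']);
        $errorMsg = "You have been logged out due to inactivity. Please login.";
        session_unset();
        session_destroy();
        if (!session_id()) {
            session_start();
        }
        $_SESSION['forwardingUrl'] = $decodedUrl;
        // urlencode() keeps the message a single, well-formed query parameter; login.php
        // receives the same decoded text as before.
        header("location: " . $site_prefix . "login.php?error=" . urlencode($errorMsg));
        exit;
    }

    if (!isset($_SESSION['authenticated'])) {
        $log->debug("user is not authenticated for page: " . $decodedUrl);
        $indexPage = "index.php";
        $phpSuffix = "php";
        // strpos() returns 0 for a match at offset 0, which a bare truthiness test reads as
        // "not found"; compare against false explicitly.
        $isPhpPage = strpos($decodedUrl, $phpSuffix) !== false;
        $isIndexPage = strpos($decodedUrl, $indexPage) !== false;
        if (!$isPhpPage || $isIndexPage) {
            // Nothing worth returning to: plain redirect to login.
            header("location: " . $site_prefix . "login.php");
            exit;
        }
        $_SESSION['forwardingUrl'] = $decodedUrl;
        $errorMsg = "User must be logged in to access the site";
        header("location: " . $site_prefix . "login.php?error=" . urlencode($errorMsg));
        exit;
    }

    // Test that the user has the licensed ON-SPOT plugin on their user record; if not the
    // user is redirected to the error page. This check deliberately runs after the
    // authentication check so that $_SESSION['userName'] is known to be populated.
    validatePlugin($_SESSION['userName'], $_SESSION['installedPlugins'], $pluginToValidate);

    // NOTE(review): empty() also treats an access level of 0 / "0" as missing — confirm no
    // legitimate access level takes that value.
    if (empty($_SESSION['accessLevel'])) {
        $log->debug("validateUser() - user access level is set to null/empty send that user to error page");
        $errorMessage = "You do not have the necessary access rights in " . strtoupper($siteSection);
        $messageTitle = "Access Denied";
        processError($errorMessage, "N/A", "user_validate.php", "N/A", $messageTitle);
        // processError() is called followed by an explicit exit elsewhere in this file, so it
        // is not relied on to terminate; without this exit the caller would continue serving
        // the page to a user who was just denied access.
        exit;
    }

    if ($siteSection === "View") {
        $log->debug("Validate user can View or edit spot viewer");
        // This test is specific to OnSpot/OnSpotView for viewing the page.
        // TODO: work out the privileges for the Request side of the site. For now it is
        // skipped there because the "can edit" method controls it.
        if (!canViewOrEdit($_SESSION['accessLevel'], $siteSection, $viewCheck)) {
            // NOTE(review): the next two statements were redacted ("******") in the copy reviewed
            // and are reconstructed from the surrounding tokens — confirm against the original file.
            $log->debug("User does not have access privilege to the site section: " . $siteSection . " Username: " . $_SESSION['userName']);
            $errorMessage = "You do not have the necessary access rights in " . strtoupper($siteSection);
            $messageTitle = "Access Denied";
            processError($errorMessage, "N/A", "user_validate.php", "N/A", $messageTitle);
            // Same reasoning as the access-level branch above: never fall through after a denial.
            exit;
        }
    }

    // Update the session timer for each page visited. Once the session has been dormant for
    // 2 hours the timeout test at the top of this function catches it before this reset runs.
    resetSessionTimeout();

    $log->debug("User is fully validated so redirect to page URL: " . $decodedUrl);
}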