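/**
 * Decide whether the current user may access a JR admin module file.
 *
 * @param string $file  Script name being accessed. It may still carry a
 *                      query string; that part is stripped before the
 *                      file-hash check is delegated.
 * @return bool         true when the request may proceed, false otherwise.
 *
 * Decision order (first match wins):
 *   1. ADMIN users always pass (unless $debug is on).
 *   2. Users with no module list (user_jr_admin) are refused.
 *   3. index.$phpEx is always allowed.
 *   4. If GET module_md5 is present, access is granted only when it is a
 *      non-empty string that exactly matches one of the user's module hashes.
 *   5. Otherwise a POST, or a GET carrying the caller's own session id, is
 *      delegated to jr_admin_check_file_hashes() on the bare file name.
 *   6. Anything else is refused.
 *
 * Hardening applied in this revision (review):
 *   - in_array() and the session-id comparison are strict. The previous loose
 *     comparisons let PHP's numeric-string rules decide equality ("0e123" ==
 *     "0e456" is true), which is exactly the shape an md5 hash or session id
 *     can take.
 *   - An empty module_md5 (?module_md5=) could match an empty list entry
 *     produced by a stray/trailing separator in user_jr_admin. Empty entries
 *     are now dropped and an empty or non-string parameter never matches.
 *   - The index pattern escapes the "." and the extension, so e.g.
 *     "indexXphp" no longer counts as the index page.
 */
function jr_admin_secure($file)
{
    global $HTTP_GET_VARS, $HTTP_POST_VARS, $phpEx, $db, $lang, $userdata;

    /* Debugging in this function causes changes to the way ADMIN users are
       interpreted. You are warned */
    $debug = false;

    $jr_admin_userdata = jr_admin_get_user_info($userdata['user_id']);

    // No end anchor on purpose: $file may still carry "?..." at this point.
    $index_pattern = '/^index\.' . preg_quote($phpEx, '/') . '/';

    if ($debug && !preg_match($index_pattern, $file)) {
        print '<pre><span class="gen"><font color="red">DEBUG - File Accessed - ';
        // Escaped: $file origin is not visible here, treat it as untrusted.
        print htmlspecialchars($file, ENT_QUOTES);
        print '</pre></font></span><br />';
    }

    if ($userdata['user_level'] == ADMIN && !$debug) {
        // Admin always has access
        return true;
    }

    if (empty($jr_admin_userdata['user_jr_admin'])) {
        // This user has no modules and no business being here
        return false;
    }

    if (preg_match($index_pattern, $file)) {
        // We are at the index file, which is already secure pretty much
        return true;
    }

    if (isset($HTTP_GET_VARS['module_md5'])) {
        // Access by module hash from GET vars only. Drop empty entries so a
        // stray separator in the stored list can never be matched, then
        // compare strictly (no numeric-string coercion, no array needles).
        $allowed_modules = array_filter(
            explode(EXPLODE_SEPERATOR_CHAR, $jr_admin_userdata['user_jr_admin']),
            'strlen'
        );
        $module_md5 = $HTTP_GET_VARS['module_md5'];

        return is_string($module_md5)
            && $module_md5 !== ''
            && in_array($module_md5, $allowed_modules, true);
    }

    // Get the filename without any arguments
    $file_without_args = preg_replace("/\\?.+=.*\$/", '', $file);

    if (!empty($HTTP_POST_VARS)) {
        // This user likely entered a post form, so let's use some checking
        // logic to make sure they are doing it from where they should be!
        return jr_admin_check_file_hashes($file_without_args);
    }

    if (isset($HTTP_GET_VARS['sid'])) {
        // This user has clicked on a url that specified items; the sid in the
        // url must be exactly the caller's own session id.
        $sid = $HTTP_GET_VARS['sid'];
        if (!is_string($sid) || !is_string($userdata['session_id']) || $sid !== $userdata['session_id']) {
            return false;
        }

        return jr_admin_check_file_hashes($file_without_args);
    }

    // Something came up that shouldn't have!
    return false;
}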
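/**
 * Decide whether the current user may access a JR admin module file.
 *
 * @param string $file  Script name being accessed. It may still carry a
 *                      query string; that part is stripped before the
 *                      file-hash check is delegated.
 * @return bool         true when the request may proceed, false otherwise.
 *
 * Decision order (first match wins):
 *   1. ADMIN users always pass (unless $debug is on).
 *   2. Users with no module list (user_jr_admin) are refused.
 *   3. index.PHP_EXT is always allowed.
 *   4. If a non-empty "module" request var is present, access is granted only
 *      when it exactly matches one of the user's module hashes.
 *   5. Otherwise a POST, or a request carrying the caller's own session id,
 *      is delegated to jr_admin_check_file_hashes() on the bare file name.
 *   6. Anything else is refused.
 *
 * Hardening applied in this revision (review):
 *   - in_array() and the session-id comparison are strict. The previous loose
 *     comparisons let PHP's numeric-string rules decide equality ("0e123" ==
 *     "0e456" is true), which is exactly the shape an md5 hash or session id
 *     can take.
 *   - Empty entries produced by a stray/trailing separator in user_jr_admin
 *     are dropped before the membership test.
 *   - The index pattern escapes the "." and the extension, so e.g.
 *     "indexXphp" no longer counts as the index page.
 *   - The confusing "!!empty(...)" double negation is gone; it was a no-op.
 */
function jr_admin_secure($file)
{
    global $db, $user, $lang;

    /* Debugging in this function causes changes to the way ADMIN users are
       interpreted. You are warned */
    $debug = false;

    // We need this for regular expressions... to avoid errors!!!
    $phpEx = PHP_EXT;

    $jr_admin_userdata = jr_admin_get_user_info($user->data['user_id']);
    $selected_module = request_get_var('module', '');
    $sid = request_var('sid', '');

    // No end anchor on purpose: $file may still carry "?..." at this point.
    $index_pattern = '/^index\.' . preg_quote($phpEx, '/') . '/';

    if ($debug && !preg_match($index_pattern, $file)) {
        print '<pre><span class="gen"><span class="text_red">DEBUG - File Accessed - ';
        // Escaped: $file origin is not visible here, treat it as untrusted.
        print htmlspecialchars($file, ENT_QUOTES);
        print '</pre></span></span><br />';
    }

    if ($user->data['user_level'] == ADMIN && !$debug) {
        // Admin always has access
        return true;
    }

    if (empty($jr_admin_userdata['user_jr_admin'])) {
        // This user has no modules and no business being here
        return false;
    }

    if (preg_match($index_pattern, $file)) {
        // We are at the index file, which is already secure pretty much
        return true;
    }

    if (!empty($selected_module)) {
        // Access by module hash from the request only. Drop empty entries so
        // a stray separator in the stored list can never be matched, then
        // compare strictly (no numeric-string coercion).
        $allowed_modules = array_filter(
            explode(EXPLODE_SEPARATOR_CHAR, $jr_admin_userdata['user_jr_admin']),
            'strlen'
        );

        return is_string($selected_module)
            && in_array($selected_module, $allowed_modules, true);
    }

    // Get the filename without any arguments
    $file_without_args = preg_replace("/\\?.+=.*\$/", '', $file);

    if (!empty($_POST)) {
        // This user likely entered a post form, so let's use some checking
        // logic to make sure they are doing it from where they should be!
        return jr_admin_check_file_hashes($file_without_args);
    }

    if (!empty($sid)) {
        // This user has clicked on a url that specified items; the sid in the
        // url must be exactly the caller's own session id.
        if (!is_string($sid) || !is_string($user->data['session_id']) || $sid !== $user->data['session_id']) {
            return false;
        }

        return jr_admin_check_file_hashes($file_without_args);
    }

    // Something came up that shouldn't have!
    return false;
}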