author | marcelloc <marcellocoutinho@gmail.com> | 2012-06-12 11:08:46 -0300 |
---|---|---|
committer | marcelloc <marcellocoutinho@gmail.com> | 2012-06-12 11:08:46 -0300 |
commit | 14f5f7051edce0cdc930a4af73592b25f4abafa7 (patch) | |
tree | 69c5f17854455457186479db37d3db1ebab753a9 /usr/local/www/fbegin.inc | |
parent | c449c5f639e5242f67c59b65d8fa094a7fd62f38 (diff) | |
fix permissions check to xml package files and show only menus user has access to
Diffstat (limited to 'usr/local/www/fbegin.inc')
-rwxr-xr-x | usr/local/www/fbegin.inc | 36 |
1 files changed, 21 insertions, 15 deletions
diff --git a/usr/local/www/fbegin.inc b/usr/local/www/fbegin.inc
index 1aede7f..ba776d9 100755
--- a/usr/local/www/fbegin.inc
+++ b/usr/local/www/fbegin.inc
@@ -57,6 +57,7 @@ function return_ext_menu($section) {
 foreach($config['installedpackages']['menu'] as $menuitem) {
 if($menuitem['section'] != $section) continue;
 if($menuitem['url'] <> "") {
+ $test_url=$menuitem['url'];
 $addresswithport = getenv("HTTP_HOST");
 $colonpos = strpos($addresswithport, ":");
 if ($colonpos !== False){
@@ -68,8 +69,11 @@ function return_ext_menu($section) {
 $description = str_replace('$myurl', $myurl, $menuitem['url']);
 } else {
 $description = '/pkg.php?xml=' . $menuitem['configfile'];
+ $test_url=$description;
 }
- $extarray[] = array($menuitem['name'], $description);
+ if(isAllowedPage($test_url)){
+ $extarray[] = array($menuitem['name'], $description);
+ }
 }
 }
 return $extarray;
@@ -77,21 +81,23 @@ function return_ext_menu($section) {
 function output_menu($arrayitem, $target = null) {
 foreach ($arrayitem as $item) {
- $attr = sprintf("href=\"%s\"", htmlentities($item[1]));
- if ($target) {
- $attr .= sprintf(" target=\"%s\"", htmlentities($target));
- }
- $class = "navlnk";
- if ($item['class']) {
- $class .= " {$item['class']}";
- }
- $attr .= sprintf(" class=\"%s\"", htmlentities($class));
- if ($item['style']) {
- $attr .= sprintf(" style=\"%s\"", htmlentities($item['style']));
+ if (isAllowedPage($item[1]) || $item[1]=="/index.php?logout"){
+ $attr = sprintf("href=\"%s\"", htmlentities($item[1]));
+ if ($target) {
+ $attr .= sprintf(" target=\"%s\"", htmlentities($target));
+ }
+ $class = "navlnk";
+ if ($item['class']) {
+ $class .= " {$item['class']}";
+ }
+ $attr .= sprintf(" class=\"%s\"", htmlentities($class));
+ if ($item['style']) {
+ $attr .= sprintf(" style=\"%s\"", htmlentities($item['style']));
+ }
+ echo "<li>\n";
+ printf("<a %s>%s</a>\n", $attr, $item[0]);
+ echo "</li>\n";
 }
- echo "<li>\n";
- printf("<a %s>%s</a>\n", $attr, $item[0]);
- echo "</li>\n";
 }
 } |
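Review bot: In return_ext_menu the permission test runs on `$test_url=$menuitem['url']`, the raw package URL that can still hold the `$myurl` placeholder, while the link that is emitted is the substituted `$description`. Whether `isAllowedPage()` treats the two forms differently cannot be seen here, and the lines between this hunk and the next are outside the diff, but assigning `$test_url = $description;` after the `str_replace` would make the tested value and the emitted value the same. The `if(isAllowedPage($test_url)){` guard added in the following hunk only hides the menu entry, so it deserves a comment such as `// UI filtering only: pkg.php and the package pages must enforce the privilege themselves`, and that server-side check should be confirmed, since this file does not show it. return_ext_menu starts before the first hunk.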
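Review bot: The link text in `printf("<a %s>%s</a>\n", $attr, $item[0]);` is written without escaping, although every attribute next to it goes through `htmlentities()`; for package menus `$item[0]` is presumably the `$menuitem['name']` value that return_ext_menu reads from the installed-package configuration. Unless a caller relies on markup inside the label, use `printf("<a %s>%s</a>\n", $attr, htmlentities($item[0]));`. The logout exemption is a loose comparison against a hard-coded string; `$item[1] === "/index.php?logout"` with a one-line comment saying why logout bypasses `isAllowedPage()` would make the exception explicit and harder to widen by accident.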