author | marcelloc <marcellocoutinho@gmail.com> | 2012-06-12 11:08:46 -0300 |
---|---|---|
committer | marcelloc <marcellocoutinho@gmail.com> | 2012-06-12 11:08:46 -0300 |
commit | 14f5f7051edce0cdc930a4af73592b25f4abafa7 (patch) | |
tree | 69c5f17854455457186479db37d3db1ebab753a9 /usr/local/www | |
parent | c449c5f639e5242f67c59b65d8fa094a7fd62f38 (diff) | |
download | pfsense-14f5f7051edce0cdc930a4af73592b25f4abafa7.zip pfsense-14f5f7051edce0cdc930a4af73592b25f4abafa7.tar.gz |
fix the permissions check for xml package files and show only the menus the user has access to
Diffstat (limited to 'usr/local/www')
-rwxr-xr-x | usr/local/www/fbegin.inc | 36 | ||||
-rwxr-xr-x | usr/local/www/guiconfig.inc | 33 | ||||
-rw-r--r-- | usr/local/www/system_usermanager_addprivs.php | 2 |
3 files changed, 26 insertions, 45 deletions
diff --git a/usr/local/www/fbegin.inc b/usr/local/www/fbegin.inc
index 1aede7f..ba776d9 100755
--- a/usr/local/www/fbegin.inc
+++ b/usr/local/www/fbegin.inc
@@ -57,6 +57,7 @@ function return_ext_menu($section) {
 foreach($config['installedpackages']['menu'] as $menuitem) {
 if($menuitem['section'] != $section) continue;
 if($menuitem['url'] <> "") {
+ $test_url=$menuitem['url'];
 $addresswithport = getenv("HTTP_HOST");
 $colonpos = strpos($addresswithport, ":");
 if ($colonpos !== False){
@@ -68,8 +69,11 @@ function return_ext_menu($section) {
 $description = str_replace('$myurl', $myurl, $menuitem['url']);
 } else {
 $description = '/pkg.php?xml=' . $menuitem['configfile'];
+ $test_url=$description;
 }
- $extarray[] = array($menuitem['name'], $description);
+ if(isAllowedPage($test_url)){
+ $extarray[] = array($menuitem['name'], $description);
+ }
 }
 }
 return $extarray;
@@ -77,21 +81,23 @@ function return_ext_menu($section) {
 function output_menu($arrayitem, $target = null) {
 foreach ($arrayitem as $item) {
- $attr = sprintf("href=\"%s\"", htmlentities($item[1]));
- if ($target) {
- $attr .= sprintf(" target=\"%s\"", htmlentities($target));
- }
- $class = "navlnk";
- if ($item['class']) {
- $class .= " {$item['class']}";
- }
- $attr .= sprintf(" class=\"%s\"", htmlentities($class));
- if ($item['style']) {
- $attr .= sprintf(" style=\"%s\"", htmlentities($item['style']));
+ if (isAllowedPage($item[1]) || $item[1]=="/index.php?logout"){
+ $attr = sprintf("href=\"%s\"", htmlentities($item[1]));
+ if ($target) {
+ $attr .= sprintf(" target=\"%s\"", htmlentities($target));
+ }
+ $class = "navlnk";
+ if ($item['class']) {
+ $class .= " {$item['class']}";
+ }
+ $attr .= sprintf(" class=\"%s\"", htmlentities($class));
+ if ($item['style']) {
+ $attr .= sprintf(" style=\"%s\"", htmlentities($item['style']));
+ }
+ echo "<li>\n";
+ printf("<a %s>%s</a>\n", $attr, $item[0]);
+ echo "</li>\n";
 }
- echo "<li>\n";
- printf("<a %s>%s</a>\n", $attr, $item[0]);
- echo "</li>\n";
 }
 }
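Review bot: The new `isAllowedPage($test_url)` gate in return_ext_menu() only decides whether a package menu entry is rendered; it is not an authorization boundary, so `/pkg.php?xml=<configfile>` and any package-supplied `url` must still be privilege-checked on the request itself, and nothing in this diff shows that enforcement. In the `url` branch `$test_url` holds the raw value with the `$myurl` placeholder unreplaced while the emitted href is `$description` after substitution, which is fine only if isAllowedPage() matches on the page/path part; isAllowedPage() is defined outside this diff, so that should be confirmed. A one-line comment above the check would make the intent explicit: `// display filtering only - pkg.php must enforce the privilege for this xml itself`. return_ext_menu() starts before this hunk.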
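Review bot: Wrapping the whole loop body of output_menu() in the new `if` re-indents thirteen unchanged lines, which hides that the permission check is the only new logic; a guard clause keeps the body untouched and the diff to one line: `if (!isAllowedPage($item[1]) && $item[1] != "/index.php?logout") continue;`. The logout exemption is an exact string compare, so a logout link written in any other form would be hidden. Separately, the re-added `printf("<a %s>%s</a>\n", $attr, $item[0]);` still emits the menu label unescaped while the href goes through htmlentities(); this is pre-existing, but for package menus `$item[0]` comes from `$config['installedpackages']['menu']`, so passing it through htmlentities() too is worth considering if that source is not fully trusted.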
diff --git a/usr/local/www/guiconfig.inc b/usr/local/www/guiconfig.inc
index 41b7481..eb91962 100755
--- a/usr/local/www/guiconfig.inc
+++ b/usr/local/www/guiconfig.inc
@@ -931,35 +931,10 @@ function display_top_tabs(& $tab_array, $no_drop_down = false) {
 $tab_array_char_limit = 92;
 }
- $tab_temp = array ();
- foreach ($tab_array as $ta)
- if(isAllowedPage($ta[2]))
- $tab_temp[] = $ta;
- /*
- // FIXME : if the checks are not good enough
- // in isAllowedPage, it needs to be
- // fixed instead of kludging here
-
- // TODO: humm what shall we do with pkg_edit.php and pkg.php?
- if ((strpos($link, "pkg.php")) !== false || (strpos($link, "pkg_edit.php")) !== false) {
- $pos_equal = strpos($link, "=");
- $pos_xmlsuffix = strpos($link, ".xml");
- // do we match an absolute url including ?xml= foo
- if(!isAllowedPage($link, $allowed))
- $link = substr($link, $pos_equal +1, ($pos_xmlsuffix - $pos_equal +3));
- }
- // next check - what if the basename contains a query string?
- if ((strpos($link, "?")) !== false) {
- $pos_qmark = strpos($link, "?");
- $link = substr($link, 0, $pos_qmark);
- }
- $authorized_text = print_r($allowed, true);
- if(is_array($authorized))
- if (in_array(basename($link), $authorized))
- */
-
- unset ($tab_array);
- $tab_array = & $tab_temp;
+ foreach ($tab_array as $tab_id => $ta){
+ if(!isAllowedPage($ta[2]))
+ unset ($tab_array[$tab_id]);
+ }
 $tab_active_bg = "#EEEEEE";
 $tab_inactive_bg = "#777777";
diff --git a/usr/local/www/system_usermanager_addprivs.php b/usr/local/www/system_usermanager_addprivs.php
index edfb2ad..29f9bb3 100644
--- a/usr/local/www/system_usermanager_addprivs.php
+++ b/usr/local/www/system_usermanager_addprivs.php
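Review bot: Unsetting entries in place on the by-reference `$tab_array` leaves gaps in its keys and, unlike the old `$tab_temp` copy, filters the caller's array permanently. If the rest of display_top_tabs() (outside this hunk) walks tabs by numeric index or compares `count($tab_array)` against positions, the holes will misbehave; reindexing after the loop with `$tab_array = array_values($tab_array);` restores a dense list, or the filtered result could be built into a local copy as before. unset() inside the loop is safe because a by-value foreach iterates over a copy of the array, so the iteration itself is unaffected. display_top_tabs() starts before this hunk.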
@@ -180,7 +180,7 @@ function update_description() { <tr> <td width="22%" valign="top" class="vncellreq"><?=gettext("System Privileges");?></td> <td width="78%" class="vtable"> - <select name="sysprivs[]" id="sysprivs" class="formselect" onchange="update_description();" multiple size="20"> + <select name="sysprivs[]" id="sysprivs" class="formselect" onchange="update_description();" multiple size="35"> <?php foreach($priv_list as $pname => $pdata): if (in_array($pname, $a_user['priv'])) |