Do a check on all ID's > -1. When we a dup a rule with id 0 the checks where bypassed. Spotted-by: billm

2 files changed, 3 insertions, 2 deletions

diff --git a/usr/local/www/firewall_nat_edit.php b/usr/local/www/firewall_nat_edit.php
index 6e111d8..a8f0031 100755
--- a/usr/local/www/firewall_nat_edit.php
+++ b/usr/local/www/firewall_nat_edit.php
@@ -61,7 +61,7 @@ if (isset($id) && $a_nat[$id]) {
 	$pconfig['interface'] = "wan";
 }
 
-if($id) {
+if($id > -1) {
 	$if = $a_nat[$id]['interface'];
 	$security_url = "firewall_nat_edit.php?if=". strtolower($if);
 	if (!isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER'])) {
diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php
index cd427d4..25e36a8 100755
--- a/usr/local/www/firewall_rules_edit.php
+++ b/usr/local/www/firewall_rules_edit.php
@@ -55,10 +55,11 @@ if (isset($_GET['dup'])) {
 	$after = $_GET['dup'];
 }
 
-if($id) {
+if($id > -1) {
 	$if = $a_filter[$id]['interface'];
 	$security_url = "firewall_rules_edit.php?if=". strtolower($if);
 	if (!isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER'])) {
+		log_error("Checking for {$security_url}");
 		if(!in_array($security_url, $allowed)) {
 			// User does not have access
 	//		echo "displaying error {$security_url}"; print_r($allowed);