-rw-r--r--etc/inc/authgui.inc2
-rw-r--r--etc/inc/priv.inc18
-rw-r--r--etc/inc/priv/user.priv.inc4
-rwxr-xr-xusr/local/www/fbegin.inc36
-rwxr-xr-xusr/local/www/guiconfig.inc33
-rw-r--r--usr/local/www/system_usermanager_addprivs.php2
6 files changed, 36 insertions, 59 deletions
diff --git a/etc/inc/authgui.inc b/etc/inc/authgui.inc
index ae59197..1591c07 100644
--- a/etc/inc/authgui.inc
+++ b/etc/inc/authgui.inc
@@ -56,7 +56,7 @@ $allowedpages = getAllowedPages($HTTP_SERVER_VARS['AUTH_USER']);
/*
* redirect to first allowed page if requesting a wrong url
*/
-if (!isAllowedPage($_SERVER['SCRIPT_NAME'])) {
+if (!isAllowedPage($_SERVER['REQUEST_URI'])) {
if (count($allowedpages) > 0) {
$page = str_replace('*', '', $allowedpages[0]);
$_SESSION['Post_Login'] = true;
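Review bot: The check on the `if (!isAllowedPage($_SERVER['REQUEST_URI']))` line now compares the raw request string, whereas the server dispatches on the resolved script path; where the two disagree (path-info after the script name, `.`/`..` segments, percent-encoded characters, duplicated slashes) the authorization decision is made on a string that is not what gets executed. If the switch is meant to bring the query string into the match so that patterns like `pkg.php?xml=…` can be granted, build the checked value from the server-resolved path plus the query instead: `$checked = $_SERVER['SCRIPT_NAME'] . (isset($_SERVER['QUERY_STRING']) && $_SERVER['QUERY_STRING'] !== '' ? '?' . $_SERVER['QUERY_STRING'] : '');` followed by `if (!isAllowedPage($checked)) {`. Any leading-slash normalisation happens inside isAllowedPage, outside this hunk, and the body of this `if` continues past the hunk.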
diff --git a/etc/inc/priv.inc b/etc/inc/priv.inc
index ec941d2..c100a23 100644
--- a/etc/inc/priv.inc
+++ b/etc/inc/priv.inc
@@ -119,15 +119,10 @@ function cmp_page_matches($page, & $matches, $fullwc = true) {
continue;
/* compare exact or wildcard match */
- $wcpos = strpos($match, "*");
- if ($wcpos === false)
- $result = strcmp($page, $match);
- else {
- $match = "/" . str_replace(array(".", "*"), array("\.", ".*"), $match) . "/";
- $result = !preg_match($match, $page);
- }
-
- if (!$result)
+ $match = str_replace(array(".", "*","?"), array("\.", ".*","\?"), $match);
+ $result = preg_match("@^/{$match}$@", "/{$page}");
+
+ if ($result)
return true;
}
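Review bot: Only `.`, `*` and `?` are escaped before `$match` is interpolated into the pattern on the `preg_match("@^/{$match}$@", ...)` line, so any other PCRE metacharacter in a privilege pattern (`+`, `(`, `[`, `|`, `$`, or the `@` delimiter itself) either changes the meaning of the match or makes the pattern fail to compile, in which case `preg_match` returns `false` and the page is silently denied. Quote the whole pattern and then re-open only the wildcard: `$match = str_replace('\*', '.*', preg_quote($match, '@'));` followed by `$result = preg_match("@^/{$match}$@D", "/{$page}");` — the `D` modifier keeps `$` from also matching before a trailing newline. Whether `$page` always arrives without a leading slash, as the `/{$page}` prefix assumes, depends on the callers outside this hunk; cmp_page_matches itself starts above the hunk.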
@@ -222,10 +217,7 @@ function isAllowedPage($page) {
return true;
/* user privelege access check */
- if (cmp_page_matches($page, $_SESSION['page-match']))
- return true;
-
- return false;
+ return cmp_page_matches($page, $_SESSION['page-match']);
}
function getPrivPages(& $entry, & $allowed_pages) {
diff --git a/etc/inc/priv/user.priv.inc b/etc/inc/priv/user.priv.inc
index c2b293c..8afdd95 100644
--- a/etc/inc/priv/user.priv.inc
+++ b/etc/inc/priv/user.priv.inc
@@ -2,6 +2,10 @@
global $priv_list;
+$priv_list['help-all'] = array();
+$priv_list['help-all']['name'] = "Help - All help pages";
+$priv_list['help-all']['descr'] = "Show all items on help menu";
+
$priv_list['page-dashboard-all'] = array();
$priv_list['page-dashboard-all']['name'] = "WebCfg - Dashboard (all)";
$priv_list['page-dashboard-all']['descr'] = "Allow access to all pages required for the dashboard.";
diff --git a/usr/local/www/fbegin.inc b/usr/local/www/fbegin.inc
index 1aede7f..ba776d9 100755
--- a/usr/local/www/fbegin.inc
+++ b/usr/local/www/fbegin.inc
@@ -57,6 +57,7 @@ function return_ext_menu($section) {
foreach($config['installedpackages']['menu'] as $menuitem) {
if($menuitem['section'] != $section) continue;
if($menuitem['url'] <> "") {
+ $test_url=$menuitem['url'];
$addresswithport = getenv("HTTP_HOST");
$colonpos = strpos($addresswithport, ":");
if ($colonpos !== False){
@@ -68,8 +69,11 @@ function return_ext_menu($section) {
$description = str_replace('$myurl', $myurl, $menuitem['url']);
} else {
$description = '/pkg.php?xml=' . $menuitem['configfile'];
+ $test_url=$description;
}
- $extarray[] = array($menuitem['name'], $description);
+ if(isAllowedPage($test_url)){
+ $extarray[] = array($menuitem['name'], $description);
+ }
}
}
return $extarray;
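Review bot: `$test_url` on the `$test_url=$menuitem['url'];` line of the previous hunk is the package's raw url, which from the `$myurl`/`HTTP_HOST` handling just below it appears to be allowed to be an absolute URL; with the `^/` anchor cmp_page_matches now uses, such a url can never match a privilege pattern, so those entries would vanish from the menu for every user, not just unprivileged ones. If absolute links are legitimate package menu entries, apply the check only to local paths, e.g. replace the new `if(isAllowedPage($test_url)){` with `if(strpos($test_url, '://') !== false || isAllowedPage($test_url)){`. Hiding a link here is only a presentation choice; the per-request check in authgui.inc remains the actual access control. return_ext_menu starts above the first hunk.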
@@ -77,21 +81,23 @@ function return_ext_menu($section) {
function output_menu($arrayitem, $target = null) {
foreach ($arrayitem as $item) {
- $attr = sprintf("href=\"%s\"", htmlentities($item[1]));
- if ($target) {
- $attr .= sprintf(" target=\"%s\"", htmlentities($target));
- }
- $class = "navlnk";
- if ($item['class']) {
- $class .= " {$item['class']}";
- }
- $attr .= sprintf(" class=\"%s\"", htmlentities($class));
- if ($item['style']) {
- $attr .= sprintf(" style=\"%s\"", htmlentities($item['style']));
+ if (isAllowedPage($item[1]) || $item[1]=="/index.php?logout"){
+ $attr = sprintf("href=\"%s\"", htmlentities($item[1]));
+ if ($target) {
+ $attr .= sprintf(" target=\"%s\"", htmlentities($target));
+ }
+ $class = "navlnk";
+ if ($item['class']) {
+ $class .= " {$item['class']}";
+ }
+ $attr .= sprintf(" class=\"%s\"", htmlentities($class));
+ if ($item['style']) {
+ $attr .= sprintf(" style=\"%s\"", htmlentities($item['style']));
+ }
+ echo "<li>\n";
+ printf("<a %s>%s</a>\n", $attr, $item[0]);
+ echo "</li>\n";
}
- echo "<li>\n";
- printf("<a %s>%s</a>\n", $attr, $item[0]);
- echo "</li>\n";
}
}
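Review bot: The new guard on the `if (isAllowedPage($item[1]) || $item[1]=="/index.php?logout"){` line hard-codes a single URL exemption inside a generic renderer and uses loose `==`; the exemption belongs with the privilege data (an entry every user's page-match list contains) or a flag on the item, and the check reads better as a guard clause so the original body need not be re-indented: `if ($item[1] !== "/index.php?logout" && !isAllowedPage($item[1])) continue;` at the top of the loop, with the rest of the body as it was. As in return_ext_menu, hiding a link is not an authorization decision; the request-time check in authgui.inc is what denies the page.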
diff --git a/usr/local/www/guiconfig.inc b/usr/local/www/guiconfig.inc
index 41b7481..eb91962 100755
--- a/usr/local/www/guiconfig.inc
+++ b/usr/local/www/guiconfig.inc
@@ -931,35 +931,10 @@ function display_top_tabs(& $tab_array, $no_drop_down = false) {
$tab_array_char_limit = 92;
}
- $tab_temp = array ();
- foreach ($tab_array as $ta)
- if(isAllowedPage($ta[2]))
- $tab_temp[] = $ta;
- /*
- // FIXME : if the checks are not good enough
- // in isAllowedPage, it needs to be
- // fixed instead of kludging here
-
- // TODO: humm what shall we do with pkg_edit.php and pkg.php?
- if ((strpos($link, "pkg.php")) !== false || (strpos($link, "pkg_edit.php")) !== false) {
- $pos_equal = strpos($link, "=");
- $pos_xmlsuffix = strpos($link, ".xml");
- // do we match an absolute url including ?xml= foo
- if(!isAllowedPage($link, $allowed))
- $link = substr($link, $pos_equal +1, ($pos_xmlsuffix - $pos_equal +3));
- }
- // next check - what if the basename contains a query string?
- if ((strpos($link, "?")) !== false) {
- $pos_qmark = strpos($link, "?");
- $link = substr($link, 0, $pos_qmark);
- }
- $authorized_text = print_r($allowed, true);
- if(is_array($authorized))
- if (in_array(basename($link), $authorized))
- */
-
- unset ($tab_array);
- $tab_array = & $tab_temp;
+ foreach ($tab_array as $tab_id => $ta){
+ if(!isAllowedPage($ta[2]))
+ unset ($tab_array[$tab_id]);
+ }
$tab_active_bg = "#EEEEEE";
$tab_inactive_bg = "#777777";
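Review bot: Deleting entries in place on the `unset ($tab_array[$tab_id]);` line leaves gaps in the keys, whereas the replaced `$tab_temp` code produced a fresh 0-based list; any code later in display_top_tabs (which continues past the hunk) that indexes tabs by position or iterates with `count()` would see the difference. Add `$tab_array = array_values($tab_array);` after the loop to restore the list shape. Because `$tab_array` is a reference parameter, the in-place unset also writes back to the caller's array, while the old `$tab_array = & $tab_temp;` merely rebound the local reference and left the caller's copy intact — worth confirming that no caller reuses the array after the call.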
diff --git a/usr/local/www/system_usermanager_addprivs.php b/usr/local/www/system_usermanager_addprivs.php
index edfb2ad..29f9bb3 100644
--- a/usr/local/www/system_usermanager_addprivs.php
+++ b/usr/local/www/system_usermanager_addprivs.php
@@ -180,7 +180,7 @@ function update_description() {
<tr>
<td width="22%" valign="top" class="vncellreq"><?=gettext("System Privileges");?></td>
<td width="78%" class="vtable">
- <select name="sysprivs[]" id="sysprivs" class="formselect" onchange="update_description();" multiple size="20">
+ <select name="sysprivs[]" id="sysprivs" class="formselect" onchange="update_description();" multiple size="35">
<?php
foreach($priv_list as $pname => $pdata):
if (in_array($pname, $a_user['priv']))