[Mapbender-commits] r2172 - branches/2.4.5/http/frames

svn_mapbender at osgeo.org svn_mapbender at osgeo.org
Wed Mar 5 10:23:44 EST 2008


Author: christoph
Date: 2008-03-05 10:23:44 -0500 (Wed, 05 Mar 2008)
New Revision: 2172

Modified:
   branches/2.4.5/http/frames/index.php
Log:
Moved the security check out of validateSession; refactoring.

Modified: branches/2.4.5/http/frames/index.php
===================================================================
--- branches/2.4.5/http/frames/index.php	2008-03-05 15:22:15 UTC (rev 2171)
+++ branches/2.4.5/http/frames/index.php	2008-03-05 15:23:44 UTC (rev 2172)
@@ -18,14 +18,22 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
-session_start();
-
 require("../php/mb_validateSession.php");
-$_SESSION["mb_user_gui"] = $_REQUEST["gui_id"];
-require_once("../../conf/mapbender.conf");
-$con = db_connect(DBSERVER,OWNER,PW);
-db_select_db(DB,$con);
 
+//
+// check if user is allowed to access current GUI; 
+// if not, return to login screen
+//
+if (!in_array($gui_id, $_SESSION["mb_user_guis"])) {
+	$e = new mb_exception("mb_validateSession.php: User: " . $_SESSION["mb_user_id"] . " not allowed to access GUI " . $gui_id);
+	header("Location: ".LOGIN);
+	die();
+}
+
+// user is allowed to access GUI, set in session.
+$_SESSION["mb_user_gui"] = $gui_id;
+
+// what is this for?
 $pattern = '/sessionID/';
 
 ?>
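Review bot: The access check `if (!in_array($gui_id, $_SESSION["mb_user_guis"]))` uses loose comparison, so a request value that is merely loosely equal to a stored id (PHP compares numeric-looking strings as numbers) would pass; whether that matters depends on what the stored ids look like, but `in_array($gui_id, $_SESSION["mb_user_guis"], true)` with `$gui_id` cast to the same type as the session entries is the safe default. `$gui_id` is not defined anywhere in this hunk — presumably mb_validateSession.php now reads it from the request — so that file should document that it is the single place the value is read and normalised. The exception text still starts with `mb_validateSession.php:` although the check now lives in index.php; `"index.php: User: " . $_SESSION["mb_user_id"] . " not allowed to access GUI " . $gui_id` keeps the log accurate. The `// what is this for?` comment left above `$pattern` should be answered (or the variable removed) rather than committed as a question. `session_start()` was dropped here, so the included file must start the session before `$_SESSION` is read on the in_array line — worth confirming.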
@@ -41,13 +49,12 @@
 <meta http-equiv="cache-control" content="no-cache">
 <meta http-equiv="pragma" content="no-cache">
 <meta http-equiv="expires" content="0">
+<meta http-equiv="Content-Type" content="text/html; charset=<?php echo CHARSET;?>">	
+<title><?php echo $gui_id;?> - presented by Mapbender</title>
 <?php
-echo '<meta http-equiv="Content-Type" content="text/html; charset='.CHARSET.'">';	
-?>
-<title><?php  echo  $_REQUEST["gui_id"];?> - presented by Mapbender</title>
-<?php
-$sql = "SELECT * FROM gui_element_vars WHERE fkey_e_id = 'body' AND fkey_gui_id = $1 and var_type='file/css'";
-$v = array($_REQUEST["gui_id"]);
+$sql = "SELECT * FROM gui_element_vars WHERE fkey_e_id = 'body' AND ";
+$sql .= "fkey_gui_id = $1 and var_type='file/css'";
+$v = array($gui_id);
 $t = array('s');
 $res = db_prep_query($sql,$v,$t);
 $cnt = 0;
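Review bot: `<title><?php echo $gui_id;?>` writes the GUI id into the document unescaped; the value has passed the membership check in the first hunk, but escaping at the point of output costs nothing and protects the page if an id ever contains markup: `<title><?php echo htmlspecialchars($gui_id, ENT_QUOTES, CHARSET);?> - presented by Mapbender</title>`. The same `SELECT * FROM gui_element_vars WHERE fkey_e_id = 'body' AND fkey_gui_id = $1 and var_type=...` statement is assembled again in the next hunk with only the `var_type` literal differing; a small helper taking the var_type would remove the duplicated string building and the duplicated `$v`/`$t` setup. This is top-level script code with no enclosing function.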
@@ -58,11 +65,11 @@
 <style type="text/css">
 <!--
 <?php
-$sql = "SELECT * FROM gui_element_vars WHERE fkey_e_id = 'body' AND fkey_gui_id = $1 and var_type='text/css'";
-$v = array($_REQUEST["gui_id"]);
+$sql = "SELECT * FROM gui_element_vars WHERE fkey_e_id = 'body' AND ";
+$sql .= "fkey_gui_id = $1 and var_type='text/css'";
+$v = array($gui_id);
 $t = array('s');
 $res = db_prep_query($sql,$v,$t);
-$cnt = 0;
 while($row = db_fetch_array($res)){
 	echo $row["var_value"];
 }
@@ -74,34 +81,33 @@
 <script type='text/javascript' src="../javascripts/point.js"></script>
 <script type='text/javascript' src="../javascripts/map_obj.js"></script>
 <script type='text/javascript' src="../javascripts/wfs_obj.js"></script>
+
 <?php
-echo "<script type='text/javascript' src='../javascripts/map.php?gui_id=".$_REQUEST["gui_id"]."&".strip_tags(SID)."&mb_myBBOX=".$_REQUEST["mb_myBBOX"]."'></script>";
-echo "<script type='text/javascript' src='../php/mod_createJSObjFromDB.php?". strip_tags (SID)."'></script>";
+echo "<script type='text/javascript' src='../javascripts/map.php?" . $urlParameters . "&mb_myBBOX=".$_REQUEST["mb_myBBOX"]."'></script>";
+echo "<script type='text/javascript' src='../php/mod_createJSObjFromDB.php?". $urlParameters . "'></script>";
 /*********************************************/
 $frame = "";
 /*********************************************/
 
 $sql = "SELECT DISTINCT e_mb_mod FROM gui_element WHERE e_public = 1 AND fkey_gui_id = $1";
-$v = array($_REQUEST["gui_id"]);
+$v = array($gui_id);
 $t = array('s');
 $res = db_prep_query($sql,$v,$t);
-$cnt = 0;
 while($row = db_fetch_array($res)){
 	if($row["e_mb_mod"] != ""){
-		echo "<script type='text/javascript' src='../javascripts/".trim($row["e_mb_mod"])."?gui_id=".$_REQUEST["gui_id"]."'></script> ";
+		echo "<script type='text/javascript' src='../javascripts/".trim($row["e_mb_mod"])."?".$urlParameters."'></script> ";
 	}
-	$cnt++;
 }
 ?>
 </head>
 <?php
 $sql = "SELECT * FROM gui_element WHERE e_public = 1 AND fkey_gui_id = $1 ORDER BY e_pos";
-$v = array($_REQUEST["gui_id"]);
+$v = array($gui_id);
 $t = array('s');
 $res = db_prep_query($sql,$v,$t);
 $i = 0;
 while(db_fetch_row($res)){
-	$replacement = SID."&guiID=".$_REQUEST["gui_id"]."&elementID=".db_result($res,$i,"e_id");
+	$replacement = $urlParameters . "&elementID=" . db_result($res,$i,"e_id");
 	echo "<".db_result($res,$i,"e_element")." ";
 	if(db_result($res,$i,"e_id") != ""){
 		echo " id='".db_result($res,$i,"e_id")."'";
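Review bot: On the map.php line `$_REQUEST["mb_myBBOX"]` is still concatenated raw into a `src` attribute, and the `strip_tags(SID)` that previously wrapped the session id has been replaced by `$urlParameters`, whose construction is outside this hunk (presumably mb_validateSession.php); unless that variable is escaped where it is built, nothing in index.php now escapes what goes into these attributes on the map.php, mod_createJSObjFromDB.php, per-module and `$replacement` lines. At minimum wrap the bbox: `"&mb_myBBOX=" . htmlspecialchars($_REQUEST["mb_myBBOX"], ENT_QUOTES, CHARSET)`, and add a comment where `$urlParameters` is defined stating whether it is already attribute-safe. Note also that the old `$replacement` carried `guiID=` while the script URLs carried `gui_id=`; if `$urlParameters` uses `gui_id`, element templates whose `sessionID` placeholder relied on receiving `guiID` will no longer get it, which deserves a comment either way. The loop that applies `$replacement` continues past the end of this hunk.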


