[Mapbender-commits] r2173 - branches/2.4.5/http/classes

svn_mapbender at osgeo.org svn_mapbender at osgeo.org
Wed Mar 5 10:25:25 EST 2008


Author: christoph
Date: 2008-03-05 10:25:25 -0500 (Wed, 05 Mar 2008)
New Revision: 2173

Modified:
   branches/2.4.5/http/classes/class_administration.php
Log:
new function to check module permission by element tag

Modified: branches/2.4.5/http/classes/class_administration.php
===================================================================
--- branches/2.4.5/http/classes/class_administration.php	2008-03-05 15:23:44 UTC (rev 2172)
+++ branches/2.4.5/http/classes/class_administration.php	2008-03-05 15:25:25 UTC (rev 2173)
@@ -760,10 +760,13 @@
  	}
 
    	function checkModulePermission($arrayGuis, $modulePath, $column){
-		$check = CHECK;
+   		$check = CHECK;
 		
    		if($check == true){
 	   		$perm = false;
+			if (!preg_match("/[a-z_]+/", $column)) {
+				return false;
+			}
 	   		if(count($arrayGuis)>0){
 	   			$v = array();
 	   			$t = array();
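Review bot: The added guard `preg_match("/[a-z_]+/", $column)` is unanchored, so it accepts any value that contains at least one lowercase letter or underscore somewhere, not only values made up entirely of those characters. If `$column` is concatenated into the SQL text further down, as it is in `checkModulePermission_new` in this same commit, the check does not constrain what reaches the query. Anchor the pattern, `if (!preg_match('/\A[a-z_]+\z/', $column)) {`, or compare `$column` against a fixed list of the column names callers are expected to pass. The rest of the checkModulePermission body lies outside this hunk, so how `$column` is used there is inferred.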
@@ -791,6 +794,61 @@
    		}
    	}
 
+	/**
+	 * Checks if a user is allowed to access a GUI element
+	 * 
+	 * @return boolean 
+	 * @param $arrayGuis Object
+	 * @param $modulePath Object
+	 * @param $elementTag Object
+	 */
+   	function checkModulePermission_new($userId, $modulePath, $elementTag){
+   		if (CHECK) {
+			$arrayGuis = $this->getGuisByPermission($userId, true);
+
+			switch ($elementTag) {
+				case "a" :
+					$column = "e_attributes";
+					$pattern = "/^.*href\s*=\s*(\'|\")\.\.((\/[a-zA-Z0-9_\/\.]+)+)(\?|\'|\").*$/";
+					$replace = "$2";
+					break;
+				case "iframe" :
+					$column = "e_src";
+					$pattern = "/^\.\.((\/[a-zA-Z0-9_\/\.]+)+)(\?|\'|\").*$/";
+					$replace = "$1";
+					break;
+			}
+
+	   		if ($column && count($arrayGuis) > 0) {
+	   			$v = array();
+	   			$t = array();
+		   		$sql = "SELECT DISTINCT ".$column." FROM gui_element WHERE fkey_gui_id IN (";
+		   		for($i=0; $i<count($arrayGuis); $i++){
+		   			if($i > 0){ $sql .= ","; }
+		   			$sql .= "$".($i+1);
+		   			array_push($v,$arrayGuis[$i]);
+		   			array_push($t,'s');
+		   		}
+		   		$sql .= ") ORDER BY " . $column;
+				$res = db_prep_query($sql,$v,$t);
+				while($row = db_fetch_array($res)){
+					if ($row[$column]) {
+						if (preg_match($pattern, stripslashes($row[$column]))) {
+							$dbFilename = preg_replace($pattern, $replace, stripslashes($row[$column]));
+							$e = new mb_notice($dbFilename . " - " . $modulePath);
+
+							if(strpos($modulePath, $dbFilename) !== false){
+								return true;
+							}
+						}
+					}
+				}
+	   		}
+			return false;
+   		}
+		return true;
+   	}
+
    	function getWMSOWSstring($wms_id){
    		$sql = "SELECT wms_owsproxy FROM wms WHERE wms_id = $1 ";
    		$v = array($wms_id);
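Review bot: The permission decision at `if(strpos($modulePath, $dbFilename) !== false){` is a substring test, so access is granted whenever a path stored for any permitted GUI element occurs anywhere inside `$modulePath`, including inside a longer path to a different module. A suffix or exact comparison is tighter, for example `if (substr($modulePath, -strlen($dbFilename)) === $dbFilename) {`, assuming `$modulePath` is the path of the requested script (its origin is not visible here). The `switch` has no `default`, so `$column`, `$pattern` and `$replace` stay undefined for any tag other than "a" or "iframe"; set `$column = null;` before the `switch` so the later `if ($column && ...)` reads a defined value. The docblock also lists `$arrayGuis` although the first parameter is `$userId`, and it does not mention that the function returns true for everyone when `CHECK` is off.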


