[Mapbender-commits] r2175 - branches/2.4.5/http/php

svn_mapbender at osgeo.org svn_mapbender at osgeo.org
Wed Mar 5 10:29:03 EST 2008


Author: christoph
Date: 2008-03-05 10:29:03 -0500 (Wed, 05 Mar 2008)
New Revision: 2175

Modified:
   branches/2.4.5/http/php/mb_validatePermission.php
   branches/2.4.5/http/php/mb_validateSession.php
Log:
added more security checks
set some global vars

Modified: branches/2.4.5/http/php/mb_validatePermission.php
===================================================================
--- branches/2.4.5/http/php/mb_validatePermission.php	2008-03-05 15:27:48 UTC (rev 2174)
+++ branches/2.4.5/http/php/mb_validatePermission.php	2008-03-05 15:29:03 UTC (rev 2175)
@@ -20,12 +20,65 @@
 require(dirname(__FILE__)."/../php/mb_validateSession.php");
 require_once(dirname(__FILE__)."/../classes/class_administration.php");
 
-$n = new administration();
-$m = $n->getModulPermission($_SESSION["mb_user_id"],$_REQUEST["guiID"],$_REQUEST["elementID"]) || 
-		$n->getModulPermission($_SESSION["mb_user_id"],$_REQUEST["gui_id"],$_REQUEST["elementID"]);
-if($m == false){
+$admin = new administration();
+
+//
+// check if GUI id and element id are set
+//
+$msg = "missing in " .  $_SERVER["PHP_SELF"];
+if (!isset($gui_id)) {
+	$e = new mb_exception("GUI id " . $msg);
+	die();
+}
+if (!isset($e_id)) {
+	$e = new mb_exception("Element id " . $msg);
+	die();
+}
+
+//
+// check if the user is allowed to access this module
+//
+$isAllowed = $admin->getModulPermission($_SESSION["mb_user_id"], $gui_id, $e_id);
+
+//
+// if the module is an iframe, also check if the filename matches the
+// filename of the GUI element with the given e_id
+//
+// (if PHP_SELF is "map.php", we trust the script.)
+//
+if (!preg_match("/^.*\/javascripts\/map\.php$/", $_SERVER["PHP_SELF"])) {
+
+	$isCorrectScript = true;
+	
+	$sql = "SELECT e_element FROM gui_element WHERE e_id = $1 AND fkey_gui_id = $2";
+	$v = array($e_id, $gui_id);
+	$t = array("s", "s");
+	$res = db_prep_query($sql, $v, $t);
+	while ($row = db_fetch_array($res)) {
+		if (!$admin->checkModulePermission_new($_SESSION["mb_user_id"], $_SERVER["PHP_SELF"], $row["e_element"])) {
+			$isCorrectScript = false;
+			break;
+		}
+	}
+//	$e = new mb_notice($e_id . ": isAllowed: " . $isAllowed . ", isCorrectScript: " . $isCorrectScript);
+	$isAllowed = $isAllowed && $isCorrectScript;
+}
+
+//
+// If the user is not allowed to access the module, return to the login screen.
+//
+if (!$isAllowed) {
+	$msg = "mb_validatePermission.php: User " . $_SESSION["mb_user_id"] . " is not allowed to access ".
+			"module " . $e_id;
+	$e = new mb_exception($msg);
 	header("Location: ".LOGIN);
-	exit;
 	die();
 }
+
+$e = new mb_notice("mb_validatePermission.php: checking file " . $_SERVER["PHP_SELF"] . "...permission valid.");
+
+//
+// delete global variables
+//
+unset($admin, $isAllowed, $e, $isCorrectScript, $msg, $myGuisArray);
 ?>
\ No newline at end of file
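Review bot: The trusted-script exemption `if (!preg_match("/^.*\/javascripts\/map\.php$/", $_SERVER["PHP_SELF"]))` keys off `$_SERVER["PHP_SELF"]`, which on common server configurations has client-supplied PATH_INFO appended, so it is not a reliable identity of the file that is actually executing; the same value is also passed to `checkModulePermission_new` and into the log messages. Anchoring the exemption to the script's own path keeps it tied to the real file, e.g. `$script = $_SERVER["SCRIPT_NAME"];` (which, unlike PHP_SELF, is not extended by path info on the usual SAPIs — worth confirming for the deployment) and then `preg_match("/\/javascripts\/map\.php$/", $script)`, with the same `$script` used in the `checkModulePermission_new` call. The `while` loop leaves `$isCorrectScript` at its initial `true` when the query returns no rows, which is only safe if `getModulPermission` already rejects an unknown element/GUI pair; a comment stating that assumption above `$isCorrectScript = true;` would stop a later reader from treating the loop as the sole guard.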

Modified: branches/2.4.5/http/php/mb_validateSession.php
===================================================================
--- branches/2.4.5/http/php/mb_validateSession.php	2008-03-05 15:27:48 UTC (rev 2174)
+++ branches/2.4.5/http/php/mb_validateSession.php	2008-03-05 15:29:03 UTC (rev 2175)
@@ -19,22 +19,72 @@
 
 session_start();
 require_once(dirname(__FILE__)."/../../conf/mapbender.conf");
+require_once(dirname(__FILE__)."/../classes/class_mb_exception.php");
 
-$urlParameters = SID . "&guiID=" . $_REQUEST["guiID"] . "&elementID=" . $_REQUEST["elementID"];
-$self = $PHP_SELF . "?" . $urlParameters;
+//
+// establish database connection
+//
+$con = db_connect($DBSERVER, $OWNER, $PW);
+db_select_db(DB, $con);
 
-if(!isset($_SESSION["mb_user_id"]) || !isset($_SESSION["mb_user_ip"]) || $_SESSION['mb_user_ip'] != $_SERVER['REMOTE_ADDR']){
-	header("Location: ".LOGIN);
-	exit;
-	die();
+$e = new mb_notice("mb_validateSession.php: checking file " . $_SERVER["PHP_SELF"]);
+
+//
+// check if user data is valid; if not, return to login screen
+//
+if (!isset($_SESSION["mb_user_id"]) || 
+	!isset($_SESSION["mb_user_ip"]) || 
+	$_SESSION['mb_user_ip'] != $_SERVER['REMOTE_ADDR']) {
+
+		$e = new mb_exception("mb_validateSession.php: Invalid user: " . $_SESSION["mb_user_id"]);
+		header("Location: " . LOGIN);
+		die();
 }
 
-if(isset($_REQUEST["gui_id"]) || isset($_REQUEST["guiID"])){
-	if( !in_array($_REQUEST["gui_id"],$_SESSION["mb_user_guis"]) && 
-		!in_array($_REQUEST["guiID"],$_SESSION["mb_user_guis"])){
-		header("Location: ".LOGIN);
-		exit;
-		die();
+//
+// set the global var gui_id
+//
+if (!$gui_id) {
+	$e = new mb_notice("gui id not set");
+	if ($_REQUEST["guiID"]) {
+		$e = new mb_notice("gui id set to guiID");
+		$gui_id = $_REQUEST["guiID"];
 	}
+	elseif ($_REQUEST["gui_id"]) {
+		$e = new mb_notice("gui id set to gui_id");
+		$gui_id = $_REQUEST["gui_id"];
+	}
+	else {
+		$e = new mb_notice("mb_validateSession.php: gui_id not set in script: " . $_SERVER["PHP_SELF"]);
+	}
 }
+
+//
+// set the global var e_id
+//
+if (!$e_id) {
+	if (isset($_REQUEST["elementID"])) {
+		$e_id = $_REQUEST["elementID"];
+	}
+	elseif (isset($_REQUEST["e_id"])) {
+		$e_id = $_REQUEST["e_id"];
+	}
+	else {
+		$e = new mb_notice("mb_validateSession.php: e_id not set in script: " . $_SERVER["PHP_SELF"]);
+	}
+}
+
+//
+// set variables used for form targets or links
+//
+$urlParameters = SID;
+if (isset($gui_id)) {
+	$urlParameters .= "&guiID=" . $gui_id;
+}
+if (isset($e_id)) {
+	$urlParameters .= "&elementID=" . $e_id;
+}
+$self = $_SERVER["PHP_SELF"] . "?" . $urlParameters;
+
+$e = new mb_notice("mb_validateSession.php: GUI: " . $gui_id . ", checking file " . $_SERVER["PHP_SELF"] . "...session valid.");
 ?>
\ No newline at end of file
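Review bot: The removed block verified that the requested GUI id was in `$_SESSION["mb_user_guis"]`; the new code only copies `$_REQUEST["guiID"]`/`$_REQUEST["gui_id"]` into `$gui_id` and logs when it is absent, so a script that includes mb_validateSession.php without mb_validatePermission.php no longer checks that the GUI belongs to the session user — if such includes exist, the membership check belongs here, e.g. `if (isset($gui_id) && !in_array($gui_id, $_SESSION["mb_user_guis"])) { header("Location: " . LOGIN); die(); }`. The conditions `if (!$gui_id)` and `if ($_REQUEST["guiID"])` test truthiness, so an id of `"0"` is treated as unset and an undefined request key raises a notice; `isset(...)`, as the `$e_id` branch already uses, is the consistent form. `$gui_id` and `$e_id` are request-supplied and are concatenated unescaped into `$self`; any including script that echoes `$self` into HTML should pass it through `htmlspecialchars()`, or the ids should be validated against their expected format at this point.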


