[Mapbender-commits] r2195 - branches/2.5/http/php

svn_mapbender at osgeo.org svn_mapbender at osgeo.org
Thu Mar 6 09:02:17 EST 2008 

Author: christoph
Date: 2008-03-06 09:02:17 -0500 (Thu, 06 Mar 2008)
New Revision: 2195

Modified:
   branches/2.5/http/php/mb_validatePermission.php
   branches/2.5/http/php/mb_validateSession.php
   branches/2.5/http/php/mod_owsproxy_conf.php
Log:
new security module

Modified: branches/2.5/http/php/mb_validatePermission.php
===================================================================
--- branches/2.5/http/php/mb_validatePermission.php	2008-03-06 13:35:20 UTC (rev 2194)
+++ branches/2.5/http/php/mb_validatePermission.php	2008-03-06 14:02:17 UTC (rev 2195)
@@ -20,15 +20,65 @@
 require(dirname(__FILE__)."/../php/mb_validateSession.php");
 require_once(dirname(__FILE__)."/../classes/class_administration.php");
 
-$n = new administration();
-$m = $n->getModulPermission($_SESSION["mb_user_id"], $gui_id, $e_id);
+$admin = new administration();
 
-if (!$m) {
-	$msg = "User " . $_SESSION["mb_user_id"] . "is not allowed to access ".
+//
+// check if GUI id and element id are set
+//
+$msg = "missing in " .  $_SERVER["PHP_SELF"];
+if (!isset($gui_id)) {
+	$e = new mb_exception("GUI id " . $msg);
+	die();
+}
+if (!isset($e_id)) {
+	$e = new mb_exception("Element id " . $msg);
+	die();
+}
+
+//
+// check if the user is allowed to access this module
+//
+$isAllowed = $admin->getModulPermission($_SESSION["mb_user_id"], $gui_id, $e_id);
+
+//
+// if the module is an iframe, also check if the filename matches the
+// filename of the GUI element with the given e_id
+//
+// (if PHP_SELF is "map.php", we trust the script.)
+//
+if (!preg_match("/^.*\/javascripts\/map\.php$/", $_SERVER["PHP_SELF"])) {
+
+	$isCorrectScript = true;
+	
+	$sql = "SELECT e_element FROM gui_element WHERE e_id = $1 AND fkey_gui_id = $2";
+	$v = array($e_id, $gui_id);
+	$t = array("s", "s");
+	$res = db_prep_query($sql, $v, $t);
+	while ($row = db_fetch_array($res)) {
+		if (!$admin->checkModulePermission_new($_SESSION["mb_user_id"], $_SERVER["PHP_SELF"], $row["e_element"])) {
+			$isCorrectScript = false;
+			break;
+		}
+	}
+//	$e = new mb_notice($e_id . ": isAllowed: " . $isAllowed . ", isCorrectScript: " . $isCorrectScript);
+	$isAllowed = $isAllowed && $isCorrectScript;
+}
+
+//
+// If the user is not allowed to access the module, return to the login screen.
+//
+if (!$isAllowed) {
+	$msg = "mb_validatePermission.php: User " . $_SESSION["mb_user_id"] . " is not allowed to access ".
 			"module " . $e_id;
 	$e = new mb_exception($msg);
 	header("Location: ".LOGIN);
-	exit;
 	die();
 }
+
+$e = new mb_notice("mb_validatePermission.php: checking file " . $_SERVER["PHP_SELF"] . "...permission valid.");
+
+//
+// delete global variables
+//
+unset($admin, $isAllowed, $e, $isCorrectScript, $msg, $myGuisArray);
 ?>
\ No newline at end of file

Modified: branches/2.5/http/php/mb_validateSession.php
===================================================================
--- branches/2.5/http/php/mb_validateSession.php	2008-03-06 13:35:20 UTC (rev 2194)
+++ branches/2.5/http/php/mb_validateSession.php	2008-03-06 14:02:17 UTC (rev 2195)
@@ -21,44 +21,48 @@
 require_once(dirname(__FILE__)."/../../conf/mapbender.conf");
 require_once(dirname(__FILE__)."/../classes/class_mb_exception.php");
 
+//
 // establish database connection
-$con = db_connect($DBSERVER,$OWNER,$PW);
-db_select_db(DB,$con);
+//
+$con = db_connect($DBSERVER, $OWNER, $PW);
+db_select_db(DB, $con);
 
+$e = new mb_notice("mb_validateSession.php: checking file " . $_SERVER["PHP_SELF"]);
+
+//
 // check if user data is valid; if not, return to login screen
-if (!isset($_SESSION["mb_user_id"]) || !isset($_SESSION["mb_user_ip"]) || 
+//
+if (!isset($_SESSION["mb_user_id"]) || 
+	!isset($_SESSION["mb_user_ip"]) || 
 	$_SESSION['mb_user_ip'] != $_SERVER['REMOTE_ADDR']) {
-	$e = new mb_exception("Invalid user: " . $_SESSION["mb_user_id"]);
-	header("Location: ".LOGIN);
-	exit;
-	die();
+
+		$e = new mb_exception("mb_validateSession.php: Invalid user: " . $_SESSION["mb_user_id"]);
+		header("Location: " . LOGIN);
+		die();
 }
 
-// check if GUI ID is set; if not, return to login screen
-if (!isset($gui_id)) {
-	if (isset($_REQUEST["guiID"])) {
+//
+// set the global var gui_id
+//
+if (!$gui_id) {
+	$e = new mb_notice("gui id not set");
+	if ($_REQUEST["guiID"]) {
+		$e = new mb_notice("gui id set to guiID");
 		$gui_id = $_REQUEST["guiID"];
 	}
-	elseif (isset($_REQUEST["gui_id"])) {
+	elseif ($_REQUEST["gui_id"]) {
+		$e = new mb_notice("gui id set to gui_id");
 		$gui_id = $_REQUEST["gui_id"];
 	}
 	else {
-		$e = new mb_exception("gui_id not set in module: " . $e_id);
-		die();
+		$e = new mb_notice("mb_validateSession.php: gui_id not set in script: " . $_SERVER["PHP_SELF"]);
 	}
 }
 
-// check if user is allowed to access current GUI; 
-// if not, return to login screen
-if (!in_array($gui_id, $_SESSION["mb_user_guis"])) {
-	$e = new mb_exception("Invalid user: " . $_SESSION["mb_user_id"]);
-	header("Location: ".LOGIN);
-	exit;
-	die();
-}
-
-// check if element ID is set
-if (!isset($e_id)) {
+//
+// set the global var e_id
+//
+if (!$e_id) {
 	if (isset($_REQUEST["elementID"])) {
 		$e_id = $_REQUEST["elementID"];
 	}
@@ -66,12 +70,21 @@
 		$e_id = $_REQUEST["e_id"];
 	}
 	else {
-		$e = new mb_exception("e_id not set in script: " . $PHP_SELF);
-		die();
+		$e = new mb_notice("mb_validateSession.php: e_id not set in script: " . $_SERVER["PHP_SELF"]);
 	}
 }
 
+//
 // set variables used for form targets or links
-$urlParameters = SID . "&guiID=" . $gui_id . "&elementID=" . $e_id;
-$self = $PHP_SELF . "?" . $urlParameters;
+//
+$urlParameters = SID;
+if (isset($gui_id)) {
+	$urlParameters .= "&guiID=" . $gui_id;
+}
+if (isset($e_id)) {
+	$urlParameters .= "&elementID=" . $e_id;
+}
+$self = $_SERVER["PHP_SELF"] . "?" . $urlParameters;
+
+$e = new mb_notice("mb_validateSession.php: GUI: " . $gui_id . ", checking file " . $_SERVER["PHP_SELF"] . "...session valid.");
 ?>
\ No newline at end of file

Modified: branches/2.5/http/php/mod_owsproxy_conf.php
===================================================================
--- branches/2.5/http/php/mod_owsproxy_conf.php	2008-03-06 13:35:20 UTC (rev 2194)
+++ branches/2.5/http/php/mod_owsproxy_conf.php	2008-03-06 14:02:17 UTC (rev 2195)
@@ -17,8 +17,8 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
-include(dirname(__FILE__)."/../php/mb_validatePermission.php");
-include(dirname(__FILE__)."/../classes/class_administration.php");
+require_once(dirname(__FILE__)."/../php/mb_validatePermission.php");
+require_once(dirname(__FILE__)."/../classes/class_administration.php");
 $admin = new administration();
 $ownwms = $admin->getWmsByOwner($_SESSION["mb_user_id"]);
 if(isset($_REQUEST["wms_id"]) && isset($_REQUEST["status"])){

More information about the Mapbender_commits mailing list