[mapguide-trac] #821: server admin PHP pages can be brought up without logging in
MapGuide Open Source
trac_mapguide at osgeo.org
Tue Jan 13 19:34:55 EST 2009
#821: server admin PHP pages can be brought up without logging in
------------------------+---------------------------------------------------
Reporter: tonyfang | Owner: tonyfang
Type: defect | Status: new
Priority: medium | Milestone: 2.1
Component: General | Version: 2.0.1
Severity: major | Keywords:
External_id: 1184740 |
------------------------+---------------------------------------------------
The following server admin php pages can be accessed without logging in:
* addserver.php
* wmsproperties.php
* wfsproperties.php
* about.php
LoadSessionVars is NOT preventing the php pages from being loaded.
For all the other pages that do NOT load, it is calls to:
* $siteServerAddress = $site->GetCurrentSiteAddress();
* $groups = GetGroups();
* $users = GetUsers();
...that are preventing the php pages from loading.
In sessionvars.php LoadSessionVars(), when the $webConfigFile is empty, I
will throw an exception -- rather than simply return. If it simply
returns, then the page will continue loading -- even though
LoadSessionVars has failed.
Also, the catch in LoadSessionVars will now catch all Exceptions (not just
MgException). This is so it can catch the exception thrown when
$webConfigFile is empty.
The final change is to resizablepagecomponents.php's
LogoutWithFatalException. I added a check for a null $site before calling
$site->Close(). When the user has not logged in, then $site is still null,
and a fatal error results when we try to call Close on a null $site.
So now, when a user tries to access any of the pages (without logging in
first), it punts you to the login.php screen -- and there's a message that
says: "Fatal error encountered! Please login again."
--
Ticket URL: <http://trac.osgeo.org/mapguide/ticket/821>
MapGuide Open Source <http://mapguide.osgeo.org/>
MapGuide Open Source Internals
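
The fail-open versus fail-closed behaviour described in the ticket, as an added PHP sketch that is not MapGuide's code and not part of the original message. The function bodies, the `$session` array and the `FailOpen`/`FailClosed`/`Sketch` names are assumptions for illustration.

```php
<?php
// Added illustration; function bodies are assumptions, not MapGuide source.

// Fail-open 'before': a bare return lets the calling page keep rendering.
function LoadSessionVarsFailOpen(array $session): void
{
    $webConfigFile = $session['webConfigFile'] ?? '';
    if ($webConfigFile === '') {
        return; // caller cannot tell that no session was loaded
    }
    // ... open the site connection here ...
}

// Fail-closed 'after': an empty config file is an error, and every
// Exception (not only the API's own type) ends in the logout path.
function LoadSessionVarsFailClosed(array $session, ?object &$site): bool
{
    try {
        $webConfigFile = $session['webConfigFile'] ?? '';
        if ($webConfigFile === '') {
            throw new Exception('No session: webConfigFile is empty');
        }
        // ... open the site connection and assign $site here ...
        return true;
    } catch (Exception $e) {
        LogoutWithFatalExceptionSketch($site);
        return false;
    }
}

// Hypothetical logout helper: $site is still null for an unauthenticated
// visitor, so guard the Close() call before redirecting to the login page.
function LogoutWithFatalExceptionSketch(?object $site): string
{
    if ($site !== null) {
        $site->Close();
    }
    return 'login.php'; // a real page would send a Location header and exit
}

// Constructed request with no session data, as an unauthenticated visitor.
$site = null;
LoadSessionVarsFailOpen([]); // returns silently; the page would continue
$allowed = LoadSessionVarsFailClosed([], $site);
echo $allowed ? "render admin page\n" : "redirect to login.php\n";
```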