Revision: 1363
          http://mrbs.svn.sourceforge.net/mrbs/?rev=1363&view=rev
Author:   cimorrison
Date:     2010-06-29 21:48:54 +0000 (Tue, 29 Jun 2010)

Log Message:
-----------
Made it possible to deny public access to MRBS by setting a single config 
variable (in response to multiple requests from the mailing list).

Modified Paths:
--------------
    mrbs/trunk/web/add.php
    mrbs/trunk/web/admin.php
    mrbs/trunk/web/confirm_entry_handler.php
    mrbs/trunk/web/day.php
    mrbs/trunk/web/del.php
    mrbs/trunk/web/del_entry.php
    mrbs/trunk/web/edit_area_room.php
    mrbs/trunk/web/edit_entry.php
    mrbs/trunk/web/edit_entry_handler.php
    mrbs/trunk/web/edit_users.php
    mrbs/trunk/web/help.php
    mrbs/trunk/web/month.php
    mrbs/trunk/web/mrbs_auth.inc
    mrbs/trunk/web/pending.php
    mrbs/trunk/web/report.php
    mrbs/trunk/web/search.php
    mrbs/trunk/web/systemdefaults.inc.php
    mrbs/trunk/web/view_entry.php
    mrbs/trunk/web/week.php

Modified: mrbs/trunk/web/add.php
===================================================================
--- mrbs/trunk/web/add.php      2010-06-29 21:42:37 UTC (rev 1362)
+++ mrbs/trunk/web/add.php      2010-06-29 21:48:54 UTC (rev 1363)
@@ -14,12 +14,8 @@
 $capacity = get_form_var('capacity', 'int');
 $type = get_form_var('type', 'string');
 
-$required_level = (isset($max_level) ? $max_level : 2);
-if (!getAuthorised($required_level))
-{
-  showAccessDenied($day, $month, $year, $area, "");
-  exit();
-}
+// Check the user is authorised for this page
+checkAuthorised();
 
 // This file is for adding new areas/rooms
 

Modified: mrbs/trunk/web/admin.php
===================================================================
--- mrbs/trunk/web/admin.php    2010-06-29 21:42:37 UTC (rev 1362)
+++ mrbs/trunk/web/admin.php    2010-06-29 21:48:54 UTC (rev 1363)
@@ -47,13 +47,10 @@
   exit;
 }
   
-// Users must be at least Level 1 for this page as we will be displaying
-// information such as email addresses
-if (!getAuthorised(1))
-{
-  showAccessDenied($day, $month, $year, $area, "");
-  exit();
-}
+// Check the user is authorised for this page
+checkAuthorised();
+
+// Also need to know whether they have admin rights
 $user = getUserName();
 $required_level = (isset($max_level) ? $max_level : 2);
 $is_admin = (authGetUserLevel($user) >= $required_level);

Modified: mrbs/trunk/web/confirm_entry_handler.php
===================================================================
--- mrbs/trunk/web/confirm_entry_handler.php    2010-06-29 21:42:37 UTC (rev 
1362)
+++ mrbs/trunk/web/confirm_entry_handler.php    2010-06-29 21:48:54 UTC (rev 
1363)
@@ -32,13 +32,8 @@
   $area = get_default_area();
 }
 
-// Check that we're allowed to use this page
-// We must be at least a logged in user
-if(!getAuthorised(1))
-{
-  showAccessDenied($day, $month, $year, $area, isset($room) ? $room : "");
-  exit;
-}
+// Check the user is authorised for this page
+checkAuthorised();
 $user = getUserName();
 
                   

Modified: mrbs/trunk/web/day.php
===================================================================
--- mrbs/trunk/web/day.php      2010-06-29 21:42:37 UTC (rev 1362)
+++ mrbs/trunk/web/day.php      2010-06-29 21:48:54 UTC (rev 1363)
@@ -52,6 +52,9 @@
   }
 }
 
+// Check the user is authorised for this page
+checkAuthorised();
+
 // form the room parameter for use in query strings.    We want to preserve 
room information
 // if possible when switching between views
 if (empty($room))

Modified: mrbs/trunk/web/del.php
===================================================================
--- mrbs/trunk/web/del.php      2010-06-29 21:42:37 UTC (rev 1362)
+++ mrbs/trunk/web/del.php      2010-06-29 21:48:54 UTC (rev 1363)
@@ -24,12 +24,8 @@
   $area = get_default_area();
 }
 
-$required_level = (isset($max_level) ? $max_level : 2);
-if (!getAuthorised($required_level))
-{
-  showAccessDenied($day, $month, $year, $area, "");
-  exit();
-}
+// Check the user is authorised for this page
+checkAuthorised();
 
 // This is gonna blast away something. We want them to be really
 // really sure that this is what they want to do.

Modified: mrbs/trunk/web/del_entry.php
===================================================================
--- mrbs/trunk/web/del_entry.php        2010-06-29 21:42:37 UTC (rev 1362)
+++ mrbs/trunk/web/del_entry.php        2010-06-29 21:48:54 UTC (rev 1363)
@@ -16,6 +16,9 @@
 $action = get_form_var('action', 'string');
 $note = get_form_var('note', 'string');
 
+// Check the user is authorised for this page
+checkAuthorised();
+
 if (!isset($note))
 {
   $note = "";
@@ -37,7 +40,7 @@
   $returl .= "?year=$year&month=$month&day=$day&area=$area";
 }
 
-if (getAuthorised(1) && ($info = mrbsGetBookingInfo($id, FALSE, TRUE)))
+if ($info = mrbsGetBookingInfo($id, FALSE, TRUE))
 {
   $user = getUserName();
   // check that the user is allowed to delete this entry

Modified: mrbs/trunk/web/edit_area_room.php
===================================================================
--- mrbs/trunk/web/edit_area_room.php   2010-06-29 21:42:37 UTC (rev 1362)
+++ mrbs/trunk/web/edit_area_room.php   2010-06-29 21:48:54 UTC (rev 1363)
@@ -123,13 +123,10 @@
   $year  = date("Y");
 }
 
-// Users must be at least Level 1 for this page as we will be displaying
-// information such as email addresses
-if (!getAuthorised(1))
-{
-  showAccessDenied($day, $month, $year, $area, "");
-  exit();
-}
+// Check the user is authorised for this page
+checkAuthorised();
+
+// Also need to know whether they have admin rights
 $user = getUserName();
 $required_level = (isset($max_level) ? $max_level : 2);
 $is_admin = (authGetUserLevel($user) >= $required_level);

Modified: mrbs/trunk/web/edit_entry.php
===================================================================
--- mrbs/trunk/web/edit_entry.php       2010-06-29 21:42:37 UTC (rev 1362)
+++ mrbs/trunk/web/edit_entry.php       2010-06-29 21:48:54 UTC (rev 1363)
@@ -55,11 +55,10 @@
   $returl = isset($HTTP_REFERER) ? $HTTP_REFERER : "";
 }
     
-if (!getAuthorised(1))
-{
-  showAccessDenied($day, $month, $year, $area, isset($room) ? $room : "");
-  exit;
-}
+// Check the user is authorised for this page
+checkAuthorised();
+
+// Also need to know whether they have admin rights
 $user = getUserName();
 $is_admin = (authGetUserLevel($user) >= 2);
 // You're only allowed to make repeat bookings if you're an admin

Modified: mrbs/trunk/web/edit_entry_handler.php
===================================================================
--- mrbs/trunk/web/edit_entry_handler.php       2010-06-29 21:42:37 UTC (rev 
1362)
+++ mrbs/trunk/web/edit_entry_handler.php       2010-06-29 21:48:54 UTC (rev 
1363)
@@ -145,11 +145,10 @@
   $isprivate = ((isset($private) && ($private == "yes")));
 }
 
-if (!getAuthorised(1))
-{
-  showAccessDenied($day, $month, $year, $area, isset($room) ? $room : "");
-  exit;
-}
+// Check the user is authorised for this page
+checkAuthorised();
+
+// Also need to know whether they have admin rights
 $user = getUserName();
 $is_admin = (authGetUserLevel($user) >= 2);
 

Modified: mrbs/trunk/web/edit_users.php
===================================================================
--- mrbs/trunk/web/edit_users.php       2010-06-29 21:42:37 UTC (rev 1362)
+++ mrbs/trunk/web/edit_users.php       2010-06-29 21:48:54 UTC (rev 1363)
@@ -267,12 +267,8 @@
 {
   $user = getUserName();
   $level = authGetUserLevel($user);
-  // Do not allow unidentified people to browse the list.
-  if(!getAuthorised(1))
-  {
-    showAccessDenied($day, $month, $year, $area, "");
-    exit;
-  }
+  // Check the user is authorised for this page
+  checkAuthorised();
 }
 else 
 // We've just created the table.   Assume the person doing this IS an 
administrator
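Review bot: `checkAuthorised();` sits inside the branch that runs when the users table already exists, so the `else` path at the end of the hunk (the first-run case that assumes the requester is an administrator) stays unguarded; the enclosing `if` condition starts above the hunk. That may be deliberate bootstrap behaviour, but `$page_level['edit_users.php'] = 1` in mrbs_auth.inc now reads as this page's gate and it is not the whole story. Either move the check above the `if` if bootstrap does not depend on skipping it, or make the exception explicit on the else with a comment such as `// NOTE(review): no authorisation check on this first-run path — confirm nothing sensitive is reachable before an admin account exists`.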

Modified: mrbs/trunk/web/help.php
===================================================================
--- mrbs/trunk/web/help.php     2010-06-29 21:42:37 UTC (rev 1362)
+++ mrbs/trunk/web/help.php     2010-06-29 21:48:54 UTC (rev 1363)
@@ -25,6 +25,9 @@
   $area = get_default_area();
 }
 
+// Check the user is authorised for this page
+checkAuthorised();
+
 print_header($day, $month, $year, $area, isset($room) ? $room : "");
 
 echo "<h3>" . get_vocab("about_mrbs") . "</h3>\n";

Modified: mrbs/trunk/web/month.php
===================================================================
--- mrbs/trunk/web/month.php    2010-06-29 21:42:37 UTC (rev 1362)
+++ mrbs/trunk/web/month.php    2010-06-29 21:48:54 UTC (rev 1363)
@@ -15,8 +15,6 @@
 $room = get_form_var('room', 'int');
 $debug_flag = get_form_var('debug_flag', 'int');
 
-$user = getUserName();
-
 // 3-value compare: Returns result of compare as "< " "= " or "> ".
 function cmp3($a, $b)
 {
@@ -68,14 +66,20 @@
   }
 }
 
+if (empty($room))
+{
+  $room = get_default_room($area);
+}
 
+// Check the user is authorised for this page
+checkAuthorised();
+
+$user = getUserName();
+
 // print the page header
 print_header($day, $month, $year, $area, isset($room) ? $room : "");
 
-if (empty($room))
-{
-  $room = get_default_room($area);
-}
+
 // Note $room will be 0 if there are no rooms; this is checked for below.
 
 // Month view start time. This ignores morningstarts/eveningends because it

Modified: mrbs/trunk/web/mrbs_auth.inc
===================================================================
--- mrbs/trunk/web/mrbs_auth.inc        2010-06-29 21:42:37 UTC (rev 1362)
+++ mrbs/trunk/web/mrbs_auth.inc        2010-06-29 21:48:54 UTC (rev 1363)
@@ -9,7 +9,37 @@
   require_once "session_$auth[session].inc";
 }
 
+// MINIMUM PAGE ACCESS LEVELS
 
+// These pages are open to the public by default as they only contain
+// read features.   However if $auth['deny_public_access'] is TRUE then
+// access to the public is denied
+$page_level['day.php']                   = ($auth['deny_public_access']) ? 1 : 
0;
+$page_level['help.php']                  = ($auth['deny_public_access']) ? 1 : 
0;
+$page_level['month.php']                 = ($auth['deny_public_access']) ? 1 : 
0;
+$page_level['report.php']                = ($auth['deny_public_access']) ? 1 : 
0;
+$page_level['search.php']                = ($auth['deny_public_access']) ? 1 : 
0;
+$page_level['view_entry.php']            = ($auth['deny_public_access']) ? 1 : 
0;
+$page_level['week.php']                  = ($auth['deny_public_access']) ? 1 : 
0;
+
+// These pages are set to have a minimum access level of 1 as ordinary users
+// should be able to access them because they will have read access and in some
+// cases write access for their own entries.   Where necessary further checks 
are
+// made within the page to prevent ordinary users gaining access to admin 
features.
+$page_level['admin.php']                 = 1;  // Ordinary users can view room 
details 
+$page_level['confirm_entry_handler.php'] = 1;  // Ordinary users are allowed 
to remind admins
+$page_level['del_entry.php']             = 1;  // Ordinary users can delete 
their own entries
+$page_level['edit_area_room.php']        = 1;  // Ordinary users can view room 
details
+$page_level['edit_entry.php']            = 1;  // Ordinary users can edit 
their own entries
+$page_level['edit_entry_handler.php']    = 1;  // Ordinary users can edit 
their own entries
+$page_level['edit_users.php']            = 1;  // Ordinary users can edit 
their own details
+$page_level['pending.php']               = 1;  // Ordinary users can view 
their own entries
+
+// These pages have a minimum access level of 2 as they only contain admin 
features
+$page_level['add.php']                   = 2;
+$page_level['del.php']                   = 2;
+
+
 /* getAuthorised($level)
  * 
  * Check to see if the current user has a certain level of rights
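Review bot: `$page_level['add.php'] = 2;` and `$page_level['del.php'] = 2;` lower the requirement on sites that raised `$max_level`: the code removed from add.php and del.php used `(isset($max_level) ? $max_level : 2)`, and admin.php and edit_area_room.php still derive `$is_admin` from `$max_level` in this same commit, so the two pages that actually create and delete areas/rooms would accept a level-2 user that the rest of the admin UI does not treat as an admin. Use the same expression here: `$page_level['add.php'] = (isset($max_level) ? $max_level : 2);` and likewise for del.php. The level-0 entries also read `$auth['deny_public_access']` unguarded; `!empty($auth['deny_public_access']) ? 1 : 0` avoids a notice when a site's config predates this key and evaluates to the same public default either way.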
@@ -23,7 +53,15 @@
 function getAuthorised($level)
 {
   global $auth;
+  
+  // If the minimum level is zero (or not set) then they are
+  // authorised, whoever they are
+  if (empty($level))
+  {
+    return TRUE;
+  }
 
+  // Otherwise we need to check who they are
   $user = getUserName();
   if(isset($user) == FALSE)
   {
@@ -39,6 +77,54 @@
   return authGetUserLevel($user) >= $level;
 }
 
+/* checkAuthorised()
+ *
+ * Checks to see that a user is authorised to access the current page.
+ * If they are not, then shows an Access Denied message and exits.
+ *
+ * Required page level authorisations are defined in systemdefaults/config
+ * If they are not defined then the function plays safe and requires the
+ * highest level of authorisation.
+ */
+function checkAuthorised()
+{
+  global $page_level, $max_level;
+  global $day, $month, $year, $area, $room;
+  global $PHP_SELF;
+  
+  // Get the minimum authorisation level for this page
+  if (isset($page_level[basename($PHP_SELF)]))
+  {
+    $required_level = $page_level[basename($PHP_SELF)];
+  }
+  elseif (isset($max_level))
+  {
+    $required_level = $max_level;
+  }
+  else
+  {
+    $required_level = 2;
+  }
+  
+  // Check that the user has this level
+  if (!getAuthorised($required_level))
+  {
+    // If we dont know the right date then use today's
+    if (!isset($day) or !isset($month) or !isset($year))
+    {
+      $day   = date("d");
+      $month = date("m");
+      $year  = date("Y");
+    }
+    if (empty($area))
+    {
+      $area = get_default_area();
+    }
+    showAccessDenied($day, $month, $year, $area, isset($room) ? $room : "");
+    exit();
+  }
+}
+
 /* getWritable($creator, $user, $room)
  * 
  * Determines if a user is able to modify an entry
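Review bot: The lookup `$page_level[basename($PHP_SELF)]` keys the access decision on a value the client can shape: if `$PHP_SELF` mirrors `$_SERVER['PHP_SELF']` (its origin is not visible here) and the server accepts PATH_INFO, a request for `add.php/day.php` makes basename() return `day.php`, which is level 0 while `$auth['deny_public_access']` is FALSE, so an anonymous user reaches the admin-only page and the safe `$max_level` fallback never applies. Key the table on the script the server actually executed instead, e.g. `$page = basename($_SERVER['SCRIPT_FILENAME']);` followed by `$required_level = isset($page_level[$page]) ? $page_level[$page] : (isset($max_level) ? $max_level : 2);`. The docblock is also out of date: the table is defined in mrbs_auth.inc just above, not in systemdefaults/config as it states, and only `$auth['deny_public_access']` lives in the config.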

Modified: mrbs/trunk/web/pending.php
===================================================================
--- mrbs/trunk/web/pending.php  2010-06-29 21:42:37 UTC (rev 1362)
+++ mrbs/trunk/web/pending.php  2010-06-29 21:48:54 UTC (rev 1363)
@@ -133,8 +133,6 @@
   echo "</tr>\n";  
 }
 
-$user = getUserName();
-
 // Get form variables
 $day = get_form_var('day', 'int');
 $month = get_form_var('month', 'int');
@@ -154,12 +152,10 @@
   $area = get_default_area();
 }
 
+// Check the user is authorised for this page
+checkAuthorised();
 
-if(!getAuthorised(1))
-{
-  showAccessDenied($day, $month, $year, $area, isset($room) ? $room : "");
-  exit;
-}
+// Also need to know whether they have admin rights
 $user = getUserName();
 $is_admin = (authGetUserLevel($user) >= 2);
 

Modified: mrbs/trunk/web/report.php
===================================================================
--- mrbs/trunk/web/report.php   2010-06-29 21:42:37 UTC (rev 1362)
+++ mrbs/trunk/web/report.php   2010-06-29 21:48:54 UTC (rev 1363)
@@ -558,10 +558,6 @@
 $sumby = get_form_var('sumby', 'string');
 
 
-// Need to know user name and if they are an admin
-$user = getUserName();
-$is_admin =  (isset($user) && authGetUserLevel($user)>=2) ;
-
 //If we dont know the right date then make it up
 if (!isset($day) or !isset($month) or !isset($year))
 {
@@ -573,6 +569,14 @@
 {
   $area = get_default_area();
 }
+
+// Check the user is authorised for this page
+checkAuthorised();
+
+// Also need to know whether they have admin rights
+$user = getUserName();
+$is_admin =  (isset($user) && authGetUserLevel($user)>=2) ;
+
 if (empty($summarize))
 {
   $summarize = REPORT;

Modified: mrbs/trunk/web/search.php
===================================================================
--- mrbs/trunk/web/search.php   2010-06-29 21:42:37 UTC (rev 1362)
+++ mrbs/trunk/web/search.php   2010-06-29 21:48:54 UTC (rev 1363)
@@ -14,8 +14,6 @@
 $total = get_form_var('total', 'int');
 $advanced = get_form_var('advanced', 'int');
 
-$user = getUserName();
-$is_admin =  (isset($user) && authGetUserLevel($user)>=2) ;
 
 // If we dont know the right date then make it up 
 if (!isset($day) or !isset($month) or !isset($year))
@@ -30,6 +28,13 @@
   $area = get_default_area();
 }
 
+// Check the user is authorised for this page
+checkAuthorised();
+
+// Also need to know whether they have admin rights
+$user = getUserName();
+$is_admin =  (isset($user) && authGetUserLevel($user)>=2) ;
+
 // Need all these different versions with different escaping.
 if (!empty($search_str)) 
 {

Modified: mrbs/trunk/web/systemdefaults.inc.php
===================================================================
--- mrbs/trunk/web/systemdefaults.inc.php       2010-06-29 21:42:37 UTC (rev 
1362)
+++ mrbs/trunk/web/systemdefaults.inc.php       2010-06-29 21:48:54 UTC (rev 
1363)
@@ -634,6 +634,9 @@
 // If you want only administrators to be able to make repeat bookings,
 // set this variable to TRUE
 $auth['only_admin_can_book_repeat'] = FALSE;
+// If you want to prevent the public (ie un-logged in users) from
+// being able to view bookings, set this variable to TRUE
+$auth['deny_public_access'] = FALSE;
 
 
 /**********************************************
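Review bot: The comment under-describes the flag: per the `$page_level` table added to mrbs_auth.inc in this commit it raises the minimum level to 1 on help.php, search.php and report.php as well as the day/week/month/view_entry booking views, and only on pages that call checkAuthorised(). Suggested wording: `// If you want to prevent the public (ie un-logged in users) from viewing bookings, reports, search results and the help page, set this to TRUE. Only pages that call checkAuthorised() are affected.` Keeping the default FALSE preserves the pre-existing public read access, which is worth saying so administrators know the setting is opt-in.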

Modified: mrbs/trunk/web/view_entry.php
===================================================================
--- mrbs/trunk/web/view_entry.php       2010-06-29 21:42:37 UTC (rev 1362)
+++ mrbs/trunk/web/view_entry.php       2010-06-29 21:48:54 UTC (rev 1363)
@@ -84,12 +84,6 @@
 }
     
 
-$user = getUserName();
-$is_admin = (authGetUserLevel($user) >= 2);
-// You're only allowed to make repeat bookings if you're an admin
-// or else if $auth['only_admin_can_book_repeat'] is not set
-$repeats_allowed = $is_admin || empty($auth['only_admin_can_book_repeat']);
-
 // Get form variables
 //
 // If $series is TRUE, it means that the $id is the id of an 
@@ -117,6 +111,16 @@
   $area = get_default_area();
 }
 
+// Check the user is authorised for this page
+checkAuthorised();
+
+// Also need to know whether they have admin rights
+$user = getUserName();
+$is_admin = (authGetUserLevel($user) >= 2);
+// You're only allowed to make repeat bookings if you're an admin
+// or else if $auth['only_admin_can_book_repeat'] is not set
+$repeats_allowed = $is_admin || empty($auth['only_admin_can_book_repeat']);
+
 print_header($day, $month, $year, $area, isset($room) ? $room : "");
 
 

Modified: mrbs/trunk/web/week.php
===================================================================
--- mrbs/trunk/web/week.php     2010-06-29 21:42:37 UTC (rev 1362)
+++ mrbs/trunk/web/week.php     2010-06-29 21:48:54 UTC (rev 1363)
@@ -55,6 +55,8 @@
   }
 }
 
+// Check the user is authorised for this page
+checkAuthorised();
 
 // Calculate how many days to skip back to get to the start of the week
 $time = mktime(12, 0, 0, $month, $day, $year);

