Add permissions enforcement, replace home page with sites, add missing strings, fix a bunch of PHP notices

master
Skylar Ittner 6 years ago
parent 725e3c06d9
commit 008c46ebda

@ -9,6 +9,7 @@
*/
require_once __DIR__ . "/required.php";
require_once __DIR__ . "/lib/util.php";
require_once __DIR__ . "/lib/login.php";
if ($VARS['action'] !== "signout") {
dieifnotloggedin();
@ -38,6 +39,9 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST' && empty($_POST) &&
switch ($VARS['action']) {
case "newpage":
if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_EDIT")) {
returnToSender("no_permission");
}
if (is_empty($VARS['siteid']) || !$database->has("sites", ["siteid" => $VARS['siteid']])) {
returnToSender("invalid_parameters");
}
@ -76,6 +80,9 @@ switch ($VARS['action']) {
returnToSender("page_added", $VARS['siteid'] . "|" . $database->id());
break;
case "pagesettings":
if (!account_has_permission($_SESSION['username'], "SITEWRITER")) {
returnToSender("no_permission");
}
if (is_empty($VARS['siteid']) || !$database->has("sites", ["siteid" => $VARS['siteid']])) {
returnToSender("invalid_parameters");
}
@ -131,6 +138,9 @@ switch ($VARS['action']) {
returnToSender("settings_saved", $VARS['siteid'] . "|" . $VARS['pageid']);
break;
case "sitesettings":
if (!account_has_permission($_SESSION['username'], "SITEWRITER")) {
returnToSender("no_permission");
}
if (!is_empty($VARS['siteid'])) {
if (!$database->has("sites", ["siteid" => $VARS['siteid']])) {
returnToSender("invalid_parameters");
@ -188,6 +198,9 @@ switch ($VARS['action']) {
break;
case "saveedits":
header("Content-Type: application/json");
if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_EDIT")) {
exit(json_encode(['status' => "ERROR", 'message' => lang("no permission", false)]));
}
$slug = $VARS['slug'];
$site = $VARS['site'];
$content = $VARS['content'];
@ -215,6 +228,9 @@ switch ($VARS['action']) {
exit(json_encode(["status" => "OK"]));
break;
case "deletemessage":
if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_CONTACT")) {
returnToSender("no_permission");
}
if ($database->count('messages', ["mid" => $VARS['id']]) !== 1) {
returnToSender("invalid_parameters");
}
@ -222,6 +238,9 @@ switch ($VARS['action']) {
returnToSender("message_deleted");
break;
case "fileupload":
if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_FILES")) {
returnToSender("no_permission");
}
$destpath = FILE_UPLOAD_PATH . $VARS['path'];
if (strpos(realpath($destpath), FILE_UPLOAD_PATH) !== 0) {
returnToSender("file_security_error");
@ -291,6 +310,9 @@ switch ($VARS['action']) {
returnToSender("upload_success", "&path=" . $VARS['path']);
break;
case "newfolder":
if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_FILES")) {
returnToSender("no_permission");
}
$foldername = preg_replace("/[^a-z0-9_\-]/", "_", strtolower($VARS['folder']));
$newfolder = FILE_UPLOAD_PATH . $VARS['path'] . '/' . $foldername;
@ -300,6 +322,9 @@ switch ($VARS['action']) {
returnToSender("folder_not_created", "&path=" . $VARS['path']);
break;
case "filedelete":
if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_FILES")) {
returnToSender("no_permission");
}
$file = FILE_UPLOAD_PATH . $VARS['file'];
if (strpos(realpath($file), FILE_UPLOAD_PATH) !== 0) {
returnToSender("file_security_error");
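Review bot: The guard added at the head of each case (newpage, pagesettings, sitesettings, saveedits, deletemessage, fileupload, newfolder, filedelete) is the same three-line `!account_has_permission(...) && !account_has_permission(...)` chain repeated with different literals, which makes it easy for one case to drift from the others the next time a permission is added. A helper that takes the list of acceptable permissions would collapse each guard to `if (!has_any_permission(["SITEWRITER", "SITEWRITER_EDIT"])) { returnToSender("no_permission"); }` and keeps the set required by each action readable on one line; lib/util.php, which this file already requires, is a natural home for it. The asymmetry that pagesettings and sitesettings accept only SITEWRITER while newpage and saveedits also accept SITEWRITER_EDIT looks deliberate, but a one-line comment on those two cases saying that edit-only accounts are intentionally excluded would stop the next reader from treating it as an omission. The switch body continues outside the visible hunks.
```php
/**
 * True when the logged-in user holds at least one of the given permissions.
 * Replaces the repeated negated account_has_permission() chains so each
 * action's required permission set is declared in a single call.
 */
function has_any_permission(array $perms): bool
{
    foreach ($perms as $perm) {
        if (account_has_permission($_SESSION['username'], $perm)) {
            return true;
        }
    }
    return false;
}

// … unchanged: request bootstrap …
switch ($VARS['action']) {
    case "newpage":
        if (!has_any_permission(["SITEWRITER", "SITEWRITER_EDIT"])) {
            returnToSender("no_permission");
        }
        // … unchanged: rest of the case, same pattern for the other cases …
```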

@ -29,6 +29,7 @@ define("STRINGS", [
"login server user data error" => "The login server refused to provide account information. Try again or contact technical support.",
"captcha error" => "There was a problem with the CAPTCHA (robot test). Try again.",
"actions" => "Actions",
"no permission" => "You don't have permission to do that.",
"home" => "Home",
"editor" => "Editor",
"sites" => "Sites",
@ -133,4 +134,8 @@ define("STRINGS", [
"load more" => "Load more",
"search images" => "Search images",
"x results" => "{results} results",
"reply" => "Reply",
"delete" => "Delete",
"new folder" => "New Folder",
"new" => "New",
]);

@ -89,4 +89,8 @@ define("MESSAGES", [
"string" => "folder not created",
"type" => "danger"
],
"no_permission" => [
"string" => "no permission",
"type" => "danger"
]
]);

@ -69,6 +69,7 @@ $MIMEICONS = [
"audio/x-wav" => "fas fa-file-audio",
"audio/webm" => "fas fa-file-audio",
"audio/midi" => "fas fa-music",
"audio/mpeg" => "fas fa-music",
"audio/3gpp" => "fas fa-file-audio",
"audio/3gpp2" => "fas fa-file-audio",
"audio/other" => "fas fa-file-audio",

@ -8,7 +8,7 @@
define("PAGES", [
"home" => [
"title" => "home",
"navbar" => true,
"navbar" => false,
"icon" => "fas fa-home"
],
"sites" => [

@ -7,20 +7,28 @@ require_once __DIR__ . '/../required.php';
redirectifnotloggedin();
require_once __DIR__ . "/../lib/login.php";
if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_ANALYTICS")) {
if ($_GET['msg'] != "no_permission") {
header("Location: app.php?page=analytics&msg=no_permission");
}
die();
}
$select_filter = [];
if (!is_empty($VARS['siteid'])) {
if (isset($VARS['siteid']) && !is_empty($VARS['siteid'])) {
if ($database->has('sites', ['siteid' => $VARS['siteid']])) {
$select_filter["analytics.siteid"] = $VARS['siteid'];
}
}
if (!is_empty($VARS['after'])) {
if (isset($VARS['after']) && !is_empty($VARS['after'])) {
if (strtotime($VARS['after']) !== FALSE) {
$select_filter["time[>]"] = date("Y-m-d H:i:s", strtotime($VARS['after']));
}
}
if (!is_empty($VARS['before'])) {
if (isset($VARS['before']) && !is_empty($VARS['before'])) {
if (strtotime($VARS['before']) !== FALSE) {
$select_filter["time[<]"] = date("Y-m-d H:i:s", strtotime($VARS['before']));
}
@ -47,9 +55,13 @@ $records = $database->select("analytics", [
], $where);
$format = "Y-m-00 00:00:00";
$max = $records[0];
$min = $records[count($records) - 1];
$diff = strtotime($max['time']) - strtotime($min['time']);
if (count($records) > 1) {
$max = $records[0];
$min = $records[count($records) - 1];
$diff = strtotime($max['time']) - strtotime($min['time']);
} else {
$diff = 0;
}
if ($diff < 60 * 60) { // 1 hour
$format = "Y-m-d H:i:00";
} else if ($diff < 60 * 60 * 24 * 3) { // 3 days
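Review bot: The new guard `if ($_GET['msg'] != "no_permission")` reads `$_GET['msg']` without checking that it is set, so an ordinary first visit to the page (no msg parameter) raises an undefined-index notice right before the redirect, the very class of notice this commit sets out to remove; the same line recurs in the editor, files, messages and sitesettings page hunks. The null-coalescing operator with a strict comparison fixes both the notice and the loose `!=` on one line: `if (($_GET['msg'] ?? "") !== "no_permission") {`. In the second hunk, `if (count($records) > 1)` leaves `$max` and `$min` unassigned when exactly one record comes back although both are computable from it (`$diff` would be 0 either way); if they are read further down, `count($records) > 0` is the safer bound. The code that consumes `$diff` continues beyond the visible lines.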

@ -7,7 +7,15 @@ require_once __DIR__ . '/../required.php';
redirectifnotloggedin();
if (!is_empty($VARS['arg'])) {
require_once __DIR__ . "/../lib/login.php";
if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_EDIT")) {
if ($_GET['msg'] != "no_permission") {
header("Location: app.php?page=editor&msg=no_permission");
}
die();
}
if (isset($VARS['arg']) && !is_empty($VARS['arg'])) {
// Allow action.php to do a better redirect
$VARS['siteid'] = $VARS['arg'];
if (strpos($VARS['arg'], "|") !== FALSE) {

@ -7,6 +7,15 @@ require_once __DIR__ . '/../required.php';
redirectifnotloggedin();
require_once __DIR__ . "/../lib/login.php";
if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_FILES") && !account_has_permission($_SESSION['username'], "SITEWRITER_EDIT")) {
// Note: the EDIT permission is valid here because content editors can browse files anyways
if ($_GET['msg'] != "no_permission") {
header("Location: app.php?page=files&msg=no_permission");
}
die();
}
include_once __DIR__ . "/../lib/mimetypes.php";
$base = FILE_UPLOAD_PATH;
@ -111,7 +120,7 @@ $fullpath = $base . $folder;
} else { // Allow broad generic <format>/other icons
$mimefirst = explode("/", $mimetype, 2)[0];
if (array_key_exists($mimefirst . "/other", $MIMEICONS)) {
$icon = $MIMEICONS[$mimetype];
$icon = $MIMEICONS[$mimefirst . "/other"];
}
}
}

@ -6,6 +6,9 @@
require_once __DIR__ . '/../required.php';
redirectifnotloggedin();
header("Location: app.php?page=sites");
die();
?>
<div class="card-deck">
<?php
@ -49,7 +52,7 @@ redirectifnotloggedin();
$visits_week = count($uuids);
$views_week = count($visitors);
?>
<div class="card bg-<?php echo ($lowcnt > 0 ? "deep-orange" : "green"); ?> text-light">
<div class="card bg-green text-light">
<div class="card-body">
<h4 class="card-title"><?php lang("this week") ?></h4>
<h1><i class="fas fa-fw fa-users"></i> <?php echo $visits_week; ?> <?php
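Review bot: Everything after the new `die();` in the first hunk is unreachable, yet the second hunk still edits that dead markup (`<div class="card bg-green text-light">`), so the file now carries a full page body that can never render. Either trim the page down to the require/redirect/die and drop the remaining HTML, or keep the old dashboard reachable if the card change is meant to be seen; a permanent redirect sitting above maintained markup will confuse the next edit. If the redirect is the intended end state, a short comment above it, `// The dashboard was replaced by the sites list; this page only redirects now`, records why the file still exists.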

@ -6,6 +6,14 @@
require_once __DIR__ . '/../required.php';
redirectifnotloggedin();
require_once __DIR__ . "/../lib/login.php";
if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_CONTACT")) {
if ($_GET['msg'] != "no_permission") {
header("Location: app.php?page=messages&msg=no_permission");
}
die();
}
?>
<table id="msgtable" class="table table-bordered table-hover table-sm">
<thead>

@ -7,6 +7,12 @@ require_once __DIR__ . '/../required.php';
require_once __DIR__ . '/../lib/util.php';
redirectifnotloggedin();
require_once __DIR__ . "/../lib/login.php";
$showbuttons = true;
if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_EDIT")) {
$showbuttons = false;
}
?>
<div class="btn-group mb-2">
<a href="app.php?page=sitesettings" class="btn btn-success"><i class="fas fa-plus"></i> <?php lang("new site"); ?></a>
@ -37,8 +43,14 @@ redirectifnotloggedin();
<tr>
<td></td>
<td>
<a class="btn btn-primary btn-sm" href="app.php?page=editor&siteid=<?php echo $site['siteid']; ?>"><i class="fas fa-edit"></i> <?php lang("editor"); ?></a>
<a class="btn btn-secondary btn-sm" href="app.php?page=sitesettings&siteid=<?php echo $site['siteid']; ?>"><i class="fas fa-cog"></i> <?php lang("settings"); ?></a>
<?php
if ($showbuttons) {
?>
<a class="btn btn-primary btn-sm" href="app.php?page=editor&siteid=<?php echo $site['siteid']; ?>"><i class="fas fa-edit"></i> <?php lang("editor"); ?></a>
<a class="btn btn-secondary btn-sm" href="app.php?page=sitesettings&siteid=<?php echo $site['siteid']; ?>"><i class="fas fa-cog"></i> <?php lang("settings"); ?></a>
<?php
}
?>
<a class="btn btn-info btn-sm" href="<?php echo formatsiteurl($site['url']); ?>" target="_BLANK"><i class="fas fa-eye"></i> <?php lang("view"); ?></a>
</td>
<td><?php echo $site['sitename']; ?></td>
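Review bot: `$showbuttons` gates the editor and the settings button with one condition (SITEWRITER or SITEWRITER_EDIT), but the sitesettings page in this same commit admits only SITEWRITER, so an edit-only account is shown a Settings button that leads straight to a no_permission redirect. Two flags make the markup match the server-side rule: `$caneditsites = account_has_permission($_SESSION['username'], "SITEWRITER") || account_has_permission($_SESSION['username'], "SITEWRITER_EDIT");` and `$canmanagesites = account_has_permission($_SESSION['username'], "SITEWRITER");`, with the editor anchor wrapped in the first and the settings anchor in the second. The unchanged `new site` button above the table also opens sitesettings and belongs under the second flag as well. Hiding buttons is a courtesy for the user; the checks in the action handler remain the enforcement point.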

@ -7,6 +7,14 @@ require_once __DIR__ . '/../required.php';
redirectifnotloggedin();
require_once __DIR__ . "/../lib/login.php";
if (!account_has_permission($_SESSION['username'], "SITEWRITER")) {
if ($_GET['msg'] != "no_permission") {
header("Location: app.php?page=sitesettings&msg=no_permission");
}
die();
}
$editing = true;
$siteid = "";
