diff --git a/action.php b/action.php
index d9d9f78..0bcb6d2 100644
--- a/action.php
+++ b/action.php
@@ -9,6 +9,7 @@
 */
 require_once __DIR__ . "/required.php";
 require_once __DIR__ . "/lib/util.php";
+require_once __DIR__ . "/lib/login.php";
 if ($VARS['action'] !== "signout") {
 dieifnotloggedin();
@@ -38,6 +39,9 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST' && empty($_POST) &&
 switch ($VARS['action']) {
 case "newpage":
+ if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_EDIT")) {
+ returnToSender("no_permission");
+ }
 if (is_empty($VARS['siteid']) || !$database->has("sites", ["siteid" => $VARS['siteid']])) {
 returnToSender("invalid_parameters");
 }
@@ -76,6 +80,9 @@ switch ($VARS['action']) {
 returnToSender("page_added", $VARS['siteid'] . "|" . $database->id());
 break;
 case "pagesettings":
+ if (!account_has_permission($_SESSION['username'], "SITEWRITER")) {
+ returnToSender("no_permission");
+ }
 if (is_empty($VARS['siteid']) || !$database->has("sites", ["siteid" => $VARS['siteid']])) {
 returnToSender("invalid_parameters");
 }
@@ -131,6 +138,9 @@ switch ($VARS['action']) {
 returnToSender("settings_saved", $VARS['siteid'] . "|" . $VARS['pageid']);
 break;
 case "sitesettings":
+ if (!account_has_permission($_SESSION['username'], "SITEWRITER")) {
+ returnToSender("no_permission");
+ }
 if (!is_empty($VARS['siteid'])) {
 if (!$database->has("sites", ["siteid" => $VARS['siteid']])) {
 returnToSender("invalid_parameters");
@@ -188,6 +198,9 @@ switch ($VARS['action']) {
 break;
 case "saveedits":
 header("Content-Type: application/json");
+ if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_EDIT")) {
+ exit(json_encode(['status' => "ERROR", 'message' => lang("no permission", false)]));
+ }
 $slug = $VARS['slug'];
 $site = $VARS['site'];
 $content = $VARS['content'];
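Review bot: The permission test in `case "newpage"` is the same pair of account_has_permission() calls written out inline, and the identical pattern is repeated in the pagesettings, sitesettings and saveedits hunks here and in the deletemessage, fileupload, newfolder and filedelete hunks that follow, so any case of this switch that did not receive such a prefix (the switch has cases outside these hunks) keeps running with no authorization at all. A small helper beside account_has_permission() in lib/login.php that takes the list of accepted permissions keeps each case to one greppable line, `if (!account_has_any_permission($_SESSION['username'], ["SITEWRITER", "SITEWRITER_EDIT"])) { returnToSender("no_permission"); }`, and gives one place to memoise the lookup per request if, as the "login server" strings in lang/en_us.php suggest, each call goes to a remote service. The new checks also assume returnToSender() never returns, as the existing invalid_parameters paths do; if it can return, the case body continues into the action. The saveedits variant correctly answers in JSON because the Content-Type header is already sent on the line before it.
```php
/**
 * True when $username holds at least one of $permissions.
 * Lets action.php state the permissions accepted by an action in one place.
 */
function account_has_any_permission(string $username, array $permissions): bool
{
    foreach ($permissions as $permission) {
        if (account_has_permission($username, $permission)) {
            return true;
        }
    }
    return false;
}
```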
@@ -215,6 +228,9 @@ switch ($VARS['action']) {
 exit(json_encode(["status" => "OK"]));
 break;
 case "deletemessage":
+ if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_CONTACT")) {
+ returnToSender("no_permission");
+ }
 if ($database->count('messages', ["mid" => $VARS['id']]) !== 1) {
 returnToSender("invalid_parameters");
 }
@@ -222,6 +238,9 @@ switch ($VARS['action']) {
 returnToSender("message_deleted");
 break;
 case "fileupload":
+ if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_FILES")) {
+ returnToSender("no_permission");
+ }
 $destpath = FILE_UPLOAD_PATH . $VARS['path'];
 if (strpos(realpath($destpath), FILE_UPLOAD_PATH) !== 0) {
 returnToSender("file_security_error");
@@ -291,6 +310,9 @@ switch ($VARS['action']) {
 returnToSender("upload_success", "&path=" . $VARS['path']);
 break;
 case "newfolder":
+ if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_FILES")) {
+ returnToSender("no_permission");
+ }
 $foldername = preg_replace("/[^a-z0-9_\-]/", "_", strtolower($VARS['folder']));
 $newfolder = FILE_UPLOAD_PATH . $VARS['path'] . '/' . $foldername;
@@ -300,6 +322,9 @@ switch ($VARS['action']) {
 returnToSender("folder_not_created", "&path=" . $VARS['path']);
 break;
 case "filedelete":
+ if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_FILES")) {
+ returnToSender("no_permission");
+ }
 $file = FILE_UPLOAD_PATH . $VARS['file'];
 if (strpos(realpath($file), FILE_UPLOAD_PATH) !== 0) {
 returnToSender("file_security_error");
diff --git a/lang/en_us.php b/lang/en_us.php
index 189d325..b7e61c5 100644
--- a/lang/en_us.php
+++ b/lang/en_us.php
@@ -29,6 +29,7 @@ define("STRINGS", [
 "login server user data error" => "The login server refused to provide account information. Try again or contact technical support.",
 "captcha error" => "There was a problem with the CAPTCHA (robot test). Try again.",
 "actions" => "Actions",
+ "no permission" => "You don't have permission to do that.",
 "home" => "Home",
 "editor" => "Editor",
 "sites" => "Sites",
@@ -133,4 +134,8 @@ define("STRINGS", [
 "load more" => "Load more",
 "search images" => "Search images",
 "x results" => "{results} results",
+ "reply" => "Reply",
+ "delete" => "Delete",
+ "new folder" => "New Folder",
+ "new" => "New",
 ]);
\ No newline at end of file
diff --git a/lang/messages.php b/lang/messages.php
index c29154d..6751854 100644
--- a/lang/messages.php
+++ b/lang/messages.php
@@ -89,4 +89,8 @@ define("MESSAGES", [
 "string" => "folder not created",
 "type" => "danger"
 ],
+ "no_permission" => [
+ "string" => "no permission",
+ "type" => "danger"
+ ]
 ]);
diff --git a/lib/mimetypes.php b/lib/mimetypes.php
index 04bf2c5..f379b3f 100644
--- a/lib/mimetypes.php
+++ b/lib/mimetypes.php
@@ -69,6 +69,7 @@ $MIMEICONS = [
 "audio/x-wav" => "fas fa-file-audio",
 "audio/webm" => "fas fa-file-audio",
 "audio/midi" => "fas fa-music",
+ "audio/mpeg" => "fas fa-music",
 "audio/3gpp" => "fas fa-file-audio",
 "audio/3gpp2" => "fas fa-file-audio",
 "audio/other" => "fas fa-file-audio",
diff --git a/pages.php b/pages.php
index 29af8ab..caf9b72 100644
--- a/pages.php
+++ b/pages.php
@@ -8,7 +8,7 @@ define("PAGES", [
 "home" => [
 "title" => "home",
- "navbar" => true,
+ "navbar" => false,
 "icon" => "fas fa-home"
 ],
 "sites" => [
diff --git a/pages/analytics.php b/pages/analytics.php
index 26d0767..1116192 100644
--- a/pages/analytics.php
+++ b/pages/analytics.php
@@ -7,20 +7,28 @@ require_once __DIR__ . '/../required.php';
 redirectifnotloggedin();
+require_once __DIR__ . "/../lib/login.php";
+if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_ANALYTICS")) {
+ if ($_GET['msg'] != "no_permission") {
+ header("Location: app.php?page=analytics&msg=no_permission");
+ }
+ die();
+}
+
 $select_filter = [];
-if (!is_empty($VARS['siteid'])) {
+if (isset($VARS['siteid']) && !is_empty($VARS['siteid'])) {
 if ($database->has('sites', ['siteid' => $VARS['siteid']])) {
 $select_filter["analytics.siteid"] = $VARS['siteid'];
 }
 }
-if (!is_empty($VARS['after'])) {
+if (isset($VARS['after']) && !is_empty($VARS['after'])) {
 if (strtotime($VARS['after']) !== FALSE) {
 $select_filter["time[>]"] = date("Y-m-d H:i:s", strtotime($VARS['after']));
 }
 }
-if (!is_empty($VARS['before'])) {
+if (isset($VARS['before']) && !is_empty($VARS['before'])) {
 if (strtotime($VARS['before']) !== FALSE) {
 $select_filter["time[<]"] = date("Y-m-d H:i:s", strtotime($VARS['before']));
 }
 }
@@ -47,9 +55,13 @@ $records = $database->select("analytics", [
 ], $where);
 $format = "Y-m-00 00:00:00";
-$max = $records[0];
-$min = $records[count($records) - 1];
-$diff = strtotime($max['time']) - strtotime($min['time']);
+if (count($records) > 1) {
+ $max = $records[0];
+ $min = $records[count($records) - 1];
+ $diff = strtotime($max['time']) - strtotime($min['time']);
+} else {
+ $diff = 0;
+}
 if ($diff < 60 * 60) { // 1 hour
 $format = "Y-m-d H:i:00";
 } else if ($diff < 60 * 60 * 24 * 3) { // 3 days
diff --git a/pages/editor.php b/pages/editor.php
index 8b87873..64f7572 100644
--- a/pages/editor.php
+++ b/pages/editor.php
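Review bot: `$_GET['msg'] != "no_permission"` in the new guard reads the key without checking it exists, so the ordinary denied request (no msg parameter yet) raises an undefined-array-key warning on the very request that is meant to redirect, and the loose `!=` is out of step with the `!==` used elsewhere in this file; the same line appears in the editor.php, files.php and sitesettings.php hunks. Write it `if (($_GET['msg'] ?? '') !== "no_permission") {` in all four places, which is also consistent with the isset() guards this same hunk adds around `$VARS['siteid']`, `$VARS['after']` and `$VARS['before']`. The redirect-then-`die()` shape itself is fail-closed in both branches, which is the right default; since the four copies differ only in the permission list and the page name, a shared helper in lib/login.php would keep them from drifting apart. Whether `$VARS` already carries the msg parameter (it is used for the GET filters below) I cannot tell from this hunk.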
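Review bot: The new `if (count($records) > 1)` guard leaves `$max` and `$min` unassigned in the else arm, so any code after this hunk that still reads them (the rest of the page is outside the hunk) now meets an undefined variable on an empty or single-row result; if they are used later, set them in the else arm too, e.g. `$max = $min = $records[0] ?? null;`. For the `$diff` computation itself the guard is correct: with exactly one record the old code also produced 0, and with none it indexed a missing element, so the else arm reproduces the only well-defined case.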
@@ -7,7 +7,15 @@ require_once __DIR__ . '/../required.php';
 redirectifnotloggedin();
-if (!is_empty($VARS['arg'])) {
+require_once __DIR__ . "/../lib/login.php";
+if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_EDIT")) {
+ if ($_GET['msg'] != "no_permission") {
+ header("Location: app.php?page=editor&msg=no_permission");
+ }
+ die();
+}
+
+if (isset($VARS['arg']) && !is_empty($VARS['arg'])) {
 // Allow action.php to do a better redirect
 $VARS['siteid'] = $VARS['arg'];
 if (strpos($VARS['arg'], "|") !== FALSE) {
diff --git a/pages/files.php b/pages/files.php
index c472fcb..960f2f3 100644
--- a/pages/files.php
+++ b/pages/files.php
@@ -7,6 +7,15 @@ require_once __DIR__ . '/../required.php';
 redirectifnotloggedin();
+require_once __DIR__ . "/../lib/login.php";
+if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_FILES") && !account_has_permission($_SESSION['username'], "SITEWRITER_EDIT")) {
+ // Note: the EDIT permission is valid here because content editors can browse files anyways
+ if ($_GET['msg'] != "no_permission") {
+ header("Location: app.php?page=files&msg=no_permission");
+ }
+ die();
+}
+
 include_once __DIR__ . "/../lib/mimetypes.php";
 $base = FILE_UPLOAD_PATH;
@@ -111,7 +120,7 @@ $fullpath = $base . $folder;
 } else { // Allow broad generic /other icons
 $mimefirst = explode("/", $mimetype, 2)[0];
 if (array_key_exists($mimefirst . "/other", $MIMEICONS)) {
- $icon = $MIMEICONS[$mimetype];
+ $icon = $MIMEICONS[$mimefirst . "/other"];
 }
 }
 }
diff --git a/pages/home.php b/pages/home.php
index 965fe02..2439896 100644
--- a/pages/home.php
+++ b/pages/home.php
@@ -6,6 +6,9 @@ require_once __DIR__ . '/../required.php';
 redirectifnotloggedin();
+
+header("Location: app.php?page=sites");
+die();
 ?>
-
text-light"> +

diff --git a/pages/sites.php b/pages/sites.php
index 8e4dad4..64f8fde 100644
--- a/pages/sites.php
+++ b/pages/sites.php
@@ -7,6 +7,12 @@ require_once __DIR__ . '/../required.php';
 require_once __DIR__ . '/../lib/util.php';
 redirectifnotloggedin();
+
+require_once __DIR__ . "/../lib/login.php";
+$showbuttons = true;
+if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_EDIT")) {
+ $showbuttons = false;
+}
 ?>
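Review bot: `$showbuttons` carries no comment saying what it decides, and a reader could take it for the authorization itself; since the newpage and pagesettings cases in action.php enforce the same permissions on submit, the flag is presentation only and should say so. Add above the assignment `// UI only: hides the create/edit controls; action.php re-checks the permission when the form is submitted.` The markup that consumes the flag (the @@ -37,8 +43,14 @@ hunk below) was lost in this rendering, so how it is used could not be checked.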
@@ -37,8 +43,14 @@ redirectifnotloggedin();
diff --git a/pages/sitesettings.php b/pages/sitesettings.php
index accb53c..97ebe9b 100644
--- a/pages/sitesettings.php
+++ b/pages/sitesettings.php
@@ -7,6 +7,14 @@ require_once __DIR__ . '/../required.php';
 redirectifnotloggedin();
+require_once __DIR__ . "/../lib/login.php";
+if (!account_has_permission($_SESSION['username'], "SITEWRITER")) {
+ if ($_GET['msg'] != "no_permission") {
+ header("Location: app.php?page=sitesettings&msg=no_permission");
+ }
+ die();
+}
+
 $editing = true;
 $siteid = "";
- - + + + +