Add permissions enforcement, replace home page with sites, add missing strings, fix a bunch of PHP notices

6 years ago · 008c46ebda
parent 725e3c06d9
commit 008c46ebda
12 changed files with 107 additions and 12 deletions
--- a/action.php
+++ b/action.php
@ -9,6 +9,7 @@
 */
 require_once __DIR__ . "/required.php";
 require_once __DIR__ . "/lib/util.php";
 require_once __DIR__ . "/lib/login.php";
 if ($VARS['action'] !== "signout") {
    dieifnotloggedin();
@ -38,6 +39,9 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST' && empty($_POST) &&
 switch ($VARS['action']) {
    case "newpage":
        if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_EDIT")) {
            returnToSender("no_permission");
        }
        if (is_empty($VARS['siteid']) || !$database->has("sites", ["siteid" => $VARS['siteid']])) {
            returnToSender("invalid_parameters");
        }
@ -76,6 +80,9 @@ switch ($VARS['action']) {
        returnToSender("page_added", $VARS['siteid'] . "|" . $database->id());
        break;
    case "pagesettings":
        if (!account_has_permission($_SESSION['username'], "SITEWRITER")) {
            returnToSender("no_permission");
        }
        if (is_empty($VARS['siteid']) || !$database->has("sites", ["siteid" => $VARS['siteid']])) {
            returnToSender("invalid_parameters");
        }
@ -131,6 +138,9 @@ switch ($VARS['action']) {
        returnToSender("settings_saved", $VARS['siteid'] . "|" . $VARS['pageid']);
        break;
    case "sitesettings":
        if (!account_has_permission($_SESSION['username'], "SITEWRITER")) {
            returnToSender("no_permission");
        }
        if (!is_empty($VARS['siteid'])) {
            if (!$database->has("sites", ["siteid" => $VARS['siteid']])) {
                returnToSender("invalid_parameters");
@ -188,6 +198,9 @@ switch ($VARS['action']) {
        break;
    case "saveedits":
        header("Content-Type: application/json");
        if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_EDIT")) {
            exit(json_encode(['status' => "ERROR", 'message' => lang("no permission", false)]));
        }
        $slug = $VARS['slug'];
        $site = $VARS['site'];
        $content = $VARS['content'];
@ -215,6 +228,9 @@ switch ($VARS['action']) {
        exit(json_encode(["status" => "OK"]));
        break;
    case "deletemessage":
        if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_CONTACT")) {
            returnToSender("no_permission");
        }
        if ($database->count('messages', ["mid" => $VARS['id']]) !== 1) {
            returnToSender("invalid_parameters");
        }
@ -222,6 +238,9 @@ switch ($VARS['action']) {
        returnToSender("message_deleted");
        break;
    case "fileupload":
        if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_FILES")) {
            returnToSender("no_permission");
        }
        $destpath = FILE_UPLOAD_PATH . $VARS['path'];
        if (strpos(realpath($destpath), FILE_UPLOAD_PATH) !== 0) {
            returnToSender("file_security_error");
@ -291,6 +310,9 @@ switch ($VARS['action']) {
        returnToSender("upload_success", "&path=" . $VARS['path']);
        break;
    case "newfolder":
        if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_FILES")) {
            returnToSender("no_permission");
        }
        $foldername = preg_replace("/[^a-z0-9_\-]/", "_", strtolower($VARS['folder']));
        $newfolder = FILE_UPLOAD_PATH . $VARS['path'] . '/' . $foldername;
@ -300,6 +322,9 @@ switch ($VARS['action']) {
        returnToSender("folder_not_created", "&path=" . $VARS['path']);
        break;
    case "filedelete":
        if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_FILES")) {
            returnToSender("no_permission");
        }
        $file = FILE_UPLOAD_PATH . $VARS['file'];
        if (strpos(realpath($file), FILE_UPLOAD_PATH) !== 0) {
            returnToSender("file_security_error");
--- a/lang/en_us.php
+++ b/lang/en_us.php
@ -29,6 +29,7 @@ define("STRINGS", [
    "login server user data error" => "The login server refused to provide account information.  Try again or contact technical support.",
    "captcha error" => "There was a problem with the CAPTCHA (robot test).  Try again.",
    "actions" => "Actions",
    "no permission" => "You don't have permission to do that.",
    "home" => "Home",
    "editor" => "Editor",
    "sites" => "Sites",
@ -133,4 +134,8 @@ define("STRINGS", [
    "load more" => "Load more",
    "search images" => "Search images",
    "x results" => "{results} results",
    "reply" => "Reply",
    "delete" => "Delete",
    "new folder" => "New Folder",
    "new" => "New",
 ]);
--- a/lang/messages.php
+++ b/lang/messages.php
@ -89,4 +89,8 @@ define("MESSAGES", [
        "string" => "folder not created",
        "type" => "danger"
    ],
    "no_permission" => [
        "string" => "no permission",
        "type" => "danger"
    ]
 ]);
--- a/lib/mimetypes.php
+++ b/lib/mimetypes.php
@ -69,6 +69,7 @@ $MIMEICONS = [
    "audio/x-wav" => "fas fa-file-audio",
    "audio/webm" => "fas fa-file-audio",
    "audio/midi" => "fas fa-music",
    "audio/mpeg" => "fas fa-music",
    "audio/3gpp" => "fas fa-file-audio",
    "audio/3gpp2" => "fas fa-file-audio",
    "audio/other" => "fas fa-file-audio",
--- a/pages.php
+++ b/pages.php
@ -8,7 +8,7 @@
 define("PAGES", [
    "home" => [
        "title" => "home",
-        "navbar" => true,
+        "navbar" => false,
        "icon" => "fas fa-home"
    ],
    "sites" => [
--- a/pages/analytics.php
+++ b/pages/analytics.php
@ -7,20 +7,28 @@ require_once __DIR__ . '/../required.php';
 redirectifnotloggedin();
 require_once __DIR__ . "/../lib/login.php";
 if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_ANALYTICS")) {
    if ($_GET['msg'] != "no_permission") {
        header("Location: app.php?page=analytics&msg=no_permission");
    }
    die();
 }
 $select_filter = [];
-if (!is_empty($VARS['siteid'])) {
+if (isset($VARS['siteid']) && !is_empty($VARS['siteid'])) {
    if ($database->has('sites', ['siteid' => $VARS['siteid']])) {
        $select_filter["analytics.siteid"] = $VARS['siteid'];
    }
 }
-if (!is_empty($VARS['after'])) {
+if (isset($VARS['after']) && !is_empty($VARS['after'])) {
    if (strtotime($VARS['after']) !== FALSE) {
        $select_filter["time[>]"] = date("Y-m-d H:i:s", strtotime($VARS['after']));
    }
 }
-if (!is_empty($VARS['before'])) {
+if (isset($VARS['before']) && !is_empty($VARS['before'])) {
    if (strtotime($VARS['before']) !== FALSE) {
        $select_filter["time[<]"] = date("Y-m-d H:i:s", strtotime($VARS['before']));
    }
@ -47,9 +55,13 @@ $records = $database->select("analytics", [
        ], $where);
 $format = "Y-m-00 00:00:00";
-$max = $records[0];
+if (count($records) > 1) {
-$min = $records[count($records) - 1];
+    $max = $records[0];
-$diff = strtotime($max['time']) - strtotime($min['time']);
+    $min = $records[count($records) - 1];
    $diff = strtotime($max['time']) - strtotime($min['time']);
 } else {
    $diff = 0;
 }
 if ($diff < 60 * 60) { // 1 hour
    $format = "Y-m-d H:i:00";
 } else if ($diff < 60 * 60 * 24 * 3) { // 3 days
--- a/pages/editor.php
+++ b/pages/editor.php
@ -7,7 +7,15 @@ require_once __DIR__ . '/../required.php';
 redirectifnotloggedin();
-if (!is_empty($VARS['arg'])) {
+require_once __DIR__ . "/../lib/login.php";
 if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_EDIT")) {
    if ($_GET['msg'] != "no_permission") {
        header("Location: app.php?page=editor&msg=no_permission");
    }
    die();
 }
 if (isset($VARS['arg']) && !is_empty($VARS['arg'])) {
    // Allow action.php to do a better redirect
    $VARS['siteid'] = $VARS['arg'];
    if (strpos($VARS['arg'], "|") !== FALSE) {
--- a/pages/files.php
+++ b/pages/files.php
@ -7,6 +7,15 @@ require_once __DIR__ . '/../required.php';
 redirectifnotloggedin();
 require_once __DIR__ . "/../lib/login.php";
 if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_FILES") && !account_has_permission($_SESSION['username'], "SITEWRITER_EDIT")) {
    // Note: the EDIT permission is valid here because content editors can browse files anyways
    if ($_GET['msg'] != "no_permission") {
        header("Location: app.php?page=files&msg=no_permission");
    }
    die();
 }
 include_once __DIR__ . "/../lib/mimetypes.php";
 $base = FILE_UPLOAD_PATH;
@ -111,7 +120,7 @@ $fullpath = $base . $folder;
                        } else { // Allow broad generic <format>/other icons
                            $mimefirst = explode("/", $mimetype, 2)[0];
                            if (array_key_exists($mimefirst . "/other", $MIMEICONS)) {
-                                $icon = $MIMEICONS[$mimetype];
+                                $icon = $MIMEICONS[$mimefirst . "/other"];
                            }
                        }
                    }
--- a/pages/home.php
+++ b/pages/home.php
@ -6,6 +6,9 @@
 require_once __DIR__ . '/../required.php';
 redirectifnotloggedin();
 header("Location: app.php?page=sites");
 die();
 ?>
 <div class="card-deck">
    <?php
@ -49,7 +52,7 @@ redirectifnotloggedin();
    $visits_week = count($uuids);
    $views_week = count($visitors);
    ?>
-    <div class="card bg-<?php echo ($lowcnt > 0 ? "deep-orange" : "green"); ?> text-light">
+    <div class="card bg-green text-light">
        <div class="card-body">
            <h4 class="card-title"><?php lang("this week") ?></h4>
            <h1><i class="fas fa-fw fa-users"></i> <?php echo $visits_week; ?> <?php
--- a/pages/messages.php
+++ b/pages/messages.php
@ -6,6 +6,14 @@
 require_once __DIR__ . '/../required.php';
 redirectifnotloggedin();
 require_once __DIR__ . "/../lib/login.php";
 if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_CONTACT")) {
    if ($_GET['msg'] != "no_permission") {
        header("Location: app.php?page=messages&msg=no_permission");
    }
    die();
 }
 ?>
 <table id="msgtable" class="table table-bordered table-hover table-sm">
    <thead>
--- a/pages/sites.php
+++ b/pages/sites.php
@ -7,6 +7,12 @@ require_once __DIR__ . '/../required.php';
 require_once __DIR__ . '/../lib/util.php';
 redirectifnotloggedin();
 require_once __DIR__ . "/../lib/login.php";
 $showbuttons = true;
 if (!account_has_permission($_SESSION['username'], "SITEWRITER") && !account_has_permission($_SESSION['username'], "SITEWRITER_EDIT")) {
    $showbuttons = false;
 }
 ?>
 <div class="btn-group mb-2">
    <a href="app.php?page=sitesettings" class="btn btn-success"><i class="fas fa-plus"></i> <?php lang("new site"); ?></a>
@ -37,8 +43,14 @@ redirectifnotloggedin();
            <tr>
                <td></td>
                <td>
-                    <a class="btn btn-primary btn-sm" href="app.php?page=editor&siteid=<?php echo $site['siteid']; ?>"><i class="fas fa-edit"></i> <?php lang("editor"); ?></a>
+                    <?php
-                    <a class="btn btn-secondary btn-sm" href="app.php?page=sitesettings&siteid=<?php echo $site['siteid']; ?>"><i class="fas fa-cog"></i> <?php lang("settings"); ?></a>
+                    if ($showbuttons) {
                        ?>
                        <a class="btn btn-primary btn-sm" href="app.php?page=editor&siteid=<?php echo $site['siteid']; ?>"><i class="fas fa-edit"></i> <?php lang("editor"); ?></a>
                        <a class="btn btn-secondary btn-sm" href="app.php?page=sitesettings&siteid=<?php echo $site['siteid']; ?>"><i class="fas fa-cog"></i> <?php lang("settings"); ?></a>
                        <?php
                    }
                    ?>
                    <a class="btn btn-info btn-sm" href="<?php echo formatsiteurl($site['url']); ?>" target="_BLANK"><i class="fas fa-eye"></i> <?php lang("view"); ?></a>
                </td>
                <td><?php echo $site['sitename']; ?></td>
--- a/pages/sitesettings.php
+++ b/pages/sitesettings.php
@ -7,6 +7,14 @@ require_once __DIR__ . '/../required.php';
 redirectifnotloggedin();
 require_once __DIR__ . "/../lib/login.php";
 if (!account_has_permission($_SESSION['username'], "SITEWRITER")) {
    if ($_GET['msg'] != "no_permission") {
        header("Location: app.php?page=sitesettings&msg=no_permission");
    }
    die();
 }
 $editing = true;
 $siteid = "";