Revision 1475
Added by Dietmar almost 13 years ago
| branches/2.8.x/CHANGELOG | ||
|---|---|---|
| 11 | 11 |
! = Update/Change |
| 12 | 12 |
|
| 13 | 13 |
------------------------------------- 2.8.2 ------------------------------------ |
| 14 |
13 Jul-2011 Build 1475 Dietmar Woellbrink (Luisehahne) |
|
| 15 |
+ add SecureForm.mtab.php under mantennance by WebsiteBaker Community |
|
| 16 |
! security fixes media, groups, users, sections |
|
| 17 |
# change lang variable to remove upgrade-script |
|
| 18 |
! reworked add sections in pages |
|
| 19 |
! fix set empty href in show_menu2 |
|
| 20 |
! set show_menu2 version to 4.9.6 |
|
| 21 |
! reworked Droplet LoginBox, add redirect query |
|
| 22 |
- remove unneeded folder js |
|
| 23 |
! set Droplet to version 1.1.0 |
|
| 24 |
+ add checkboxes to change frontend absolute url to relative urls |
|
| 25 |
! set output_filter version to 0.2 |
|
| 14 | 26 |
12 Jul-2011 Build 1474 Werner v.d.Decken(DarkViper) |
| 15 | 27 |
# for security reasons the 'remember me' functionality is deaktivated in |
| 16 | 28 |
class login |
| branches/2.8.x/wb/admin/groups/groups.php | ||
|---|---|---|
| 20 | 20 |
require('../../config.php');
|
| 21 | 21 |
require_once(WB_PATH.'/framework/class.admin.php'); |
| 22 | 22 |
|
| 23 |
// Create new database object |
|
| 24 |
// $database = new database(); |
|
| 23 |
// Set parameter 'action' as alternative to javascript mechanism |
|
| 24 |
$action = 'cancel'; |
|
| 25 |
// Set parameter 'action' as alternative to javascript mechanism |
|
| 26 |
$action = (isset($_POST['modify']) ? 'modify' : $action ); |
|
| 27 |
$action = (isset($_POST['delete']) ? 'delete' : $action ); |
|
| 25 | 28 |
|
| 26 |
if(!isset($_POST['action']) OR ($_POST['action'] != "modify" AND $_POST['action'] != "delete")) {
|
|
| 27 |
header("Location: index.php");
|
|
| 28 |
exit(0); |
|
| 29 |
} |
|
| 29 |
switch ($action): |
|
| 30 |
case 'modify' : |
|
| 30 | 31 |
|
| 31 |
// Set parameter 'action' as alternative to javascript mechanism |
|
| 32 |
if(isset($_POST['modify'])) |
|
| 33 |
$_POST['action'] = "modify"; |
|
| 34 |
if(isset($_POST['delete'])) |
|
| 35 |
$_POST['action'] = "delete"; |
|
| 32 |
// Create new admin object |
|
| 33 |
$admin = new admin('Access', 'groups_modify' );
|
|
| 34 |
// Check if group group_id is a valid number and doesnt equal 1 |
|
| 35 |
$group_id = intval($admin->checkIDKEY('group_id', 0, $_SERVER['REQUEST_METHOD']));
|
|
| 36 |
if( ($group_id < 2 ) ) |
|
| 37 |
{
|
|
| 38 |
// if($admin_header) { $admin->print_header(); }
|
|
| 39 |
$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'] ); |
|
| 40 |
} |
|
| 36 | 41 |
|
| 37 |
// Check if group group_id is a valid number and doesnt equal 1 |
|
| 38 |
if(!isset($_POST['group_id']) OR !is_numeric($_POST['group_id']) OR $_POST['group_id'] == 1) {
|
|
| 39 |
header("Location: index.php");
|
|
| 40 |
exit(0); |
|
| 41 |
} |
|
| 42 |
// Get existing values |
|
| 43 |
$results = $database->query("SELECT * FROM ".TABLE_PREFIX."groups WHERE group_id = '".$group_id."'");
|
|
| 44 |
$group = $results->fetchRow(); |
|
| 45 |
// Setup template object |
|
| 46 |
$template = new Template(THEME_PATH.'/templates'); |
|
| 47 |
$template->set_file('page', 'groups_form.htt');
|
|
| 48 |
$template->set_block('page', 'main_block', 'main');
|
|
| 49 |
$template->set_var( array( |
|
| 50 |
'ACTION_URL' => ADMIN_URL.'/groups/save.php', |
|
| 51 |
'SUBMIT_TITLE' => $TEXT['SAVE'], |
|
| 52 |
'GROUP_ID' => $group['group_id'], |
|
| 53 |
'GROUP_NAME' => $group['name'], |
|
| 54 |
'ADVANCED_ACTION' => 'groups.php', |
|
| 55 |
'FTAN' => $admin->getFTAN() |
|
| 56 |
)); |
|
| 57 |
// Tell the browser whether or not to show advanced options |
|
| 58 |
if( true == (isset( $_POST['advanced']) AND ( strpos( $_POST['advanced'], ">>") > 0 ) ) ) {
|
|
| 59 |
$template->set_var('DISPLAY_ADVANCED', '');
|
|
| 60 |
$template->set_var('DISPLAY_BASIC', 'display:none;');
|
|
| 61 |
$template->set_var('ADVANCED', 'yes');
|
|
| 62 |
$template->set_var('ADVANCED_BUTTON', '<< '.$TEXT['HIDE_ADVANCED']);
|
|
| 63 |
} else {
|
|
| 64 |
$template->set_var('DISPLAY_ADVANCED', 'display:none;');
|
|
| 65 |
$template->set_var('DISPLAY_BASIC', '');
|
|
| 66 |
$template->set_var('ADVANCED', 'no');
|
|
| 67 |
$template->set_var('ADVANCED_BUTTON', $TEXT['SHOW_ADVANCED'].' >>');
|
|
| 68 |
} |
|
| 42 | 69 |
|
| 43 |
if($_POST['action'] == 'modify') {
|
|
| 44 |
// Create new admin object |
|
| 45 |
$admin = new admin('Access', 'groups_modify', false);
|
|
| 46 |
/* */ |
|
| 47 |
if (!$admin->checkFTAN()) |
|
| 48 |
{
|
|
| 49 |
$admin->print_header(); |
|
| 50 |
$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS']); |
|
| 51 |
} |
|
| 70 |
// Explode system permissions |
|
| 71 |
$system_permissions = explode(',', $group['system_permissions']);
|
|
| 72 |
// Check system permissions boxes |
|
| 73 |
foreach($system_permissions AS $name) {
|
|
| 74 |
$template->set_var($name.'_checked', ' checked="checked"'); |
|
| 75 |
} |
|
| 76 |
// Explode module permissions |
|
| 77 |
$module_permissions = explode(',', $group['module_permissions']);
|
|
| 78 |
// Explode template permissions |
|
| 79 |
$template_permissions = explode(',', $group['template_permissions']);
|
|
| 52 | 80 |
|
| 53 |
// Print header |
|
| 54 |
$admin->print_header(); |
|
| 55 |
// Get existing values |
|
| 56 |
$results = $database->query("SELECT * FROM ".TABLE_PREFIX."groups WHERE group_id = '".$_POST['group_id']."'");
|
|
| 57 |
$group = $results->fetchRow(); |
|
| 58 |
// Setup template object |
|
| 59 |
$template = new Template(THEME_PATH.'/templates'); |
|
| 60 |
$template->set_file('page', 'groups_form.htt');
|
|
| 61 |
$template->set_block('page', 'main_block', 'main');
|
|
| 62 |
$template->set_var( array( |
|
| 63 |
'ACTION_URL' => ADMIN_URL.'/groups/save.php', |
|
| 64 |
'SUBMIT_TITLE' => $TEXT['SAVE'], |
|
| 65 |
'GROUP_ID' => $group['group_id'], |
|
| 66 |
'GROUP_NAME' => $group['name'], |
|
| 67 |
'ADVANCED_ACTION' => 'groups.php', |
|
| 68 |
'FTAN' => $admin->getFTAN() |
|
| 69 |
)); |
|
| 70 |
// Tell the browser whether or not to show advanced options |
|
| 71 |
if( true == (isset( $_POST['advanced']) AND ( strpos( $_POST['advanced'], ">>") > 0 ) ) ) {
|
|
| 72 |
$template->set_var('DISPLAY_ADVANCED', '');
|
|
| 73 |
$template->set_var('DISPLAY_BASIC', 'display:none;');
|
|
| 74 |
$template->set_var('ADVANCED', 'yes');
|
|
| 75 |
$template->set_var('ADVANCED_BUTTON', '<< '.$TEXT['HIDE_ADVANCED']);
|
|
| 76 |
} else {
|
|
| 77 |
$template->set_var('DISPLAY_ADVANCED', 'display:none;');
|
|
| 78 |
$template->set_var('DISPLAY_BASIC', '');
|
|
| 79 |
$template->set_var('ADVANCED', 'no');
|
|
| 80 |
$template->set_var('ADVANCED_BUTTON', $TEXT['SHOW_ADVANCED'].' >>');
|
|
| 81 |
} |
|
| 81 |
// Insert values into module list |
|
| 82 |
$template->set_block('main_block', 'module_list_block', 'module_list');
|
|
| 83 |
$result = $database->query('SELECT * FROM `'.TABLE_PREFIX.'addons` WHERE `type` = "module" AND `function` = "page" ORDER BY `name`');
|
|
| 84 |
if($result->numRows() > 0) {
|
|
| 85 |
while($addon = $result->fetchRow()) {
|
|
| 86 |
$template->set_var('VALUE', $addon['directory']);
|
|
| 87 |
$template->set_var('NAME', $addon['name']);
|
|
| 88 |
if(!is_numeric(array_search($addon['directory'], $module_permissions))) {
|
|
| 89 |
$template->set_var('CHECKED', ' checked="checked"');
|
|
| 90 |
} else {
|
|
| 91 |
$template->set_var('CHECKED', '');
|
|
| 92 |
} |
|
| 93 |
$template->parse('module_list', 'module_list_block', true);
|
|
| 94 |
} |
|
| 95 |
} |
|
| 82 | 96 |
|
| 83 |
// Explode system permissions |
|
| 84 |
$system_permissions = explode(',', $group['system_permissions']);
|
|
| 85 |
// Check system permissions boxes |
|
| 86 |
foreach($system_permissions AS $name) {
|
|
| 87 |
$template->set_var($name.'_checked', ' checked="checked"'); |
|
| 88 |
} |
|
| 89 |
// Explode module permissions |
|
| 90 |
$module_permissions = explode(',', $group['module_permissions']);
|
|
| 91 |
// Explode template permissions |
|
| 92 |
$template_permissions = explode(',', $group['template_permissions']);
|
|
| 93 |
|
|
| 94 |
// Insert values into module list |
|
| 95 |
$template->set_block('main_block', 'module_list_block', 'module_list');
|
|
| 96 |
$result = $database->query('SELECT * FROM `'.TABLE_PREFIX.'addons` WHERE `type` = "module" AND `function` = "page" ORDER BY `name`');
|
|
| 97 |
if($result->numRows() > 0) {
|
|
| 98 |
while($addon = $result->fetchRow()) {
|
|
| 99 |
$template->set_var('VALUE', $addon['directory']);
|
|
| 100 |
$template->set_var('NAME', $addon['name']);
|
|
| 101 |
if(!is_numeric(array_search($addon['directory'], $module_permissions))) {
|
|
| 102 |
$template->set_var('CHECKED', ' checked="checked"');
|
|
| 103 |
} else {
|
|
| 104 |
$template->set_var('CHECKED', '');
|
|
| 97 |
// Insert values into template list |
|
| 98 |
$template->set_block('main_block', 'template_list_block', 'template_list');
|
|
| 99 |
$result = $database->query('SELECT * FROM `'.TABLE_PREFIX.'addons` WHERE `type` = "template" ORDER BY `name`');
|
|
| 100 |
if($result->numRows() > 0) {
|
|
| 101 |
while($addon = $result->fetchRow()) {
|
|
| 102 |
$template->set_var('VALUE', $addon['directory']);
|
|
| 103 |
$template->set_var('NAME', $addon['name']);
|
|
| 104 |
if(!is_numeric(array_search($addon['directory'], $template_permissions))) {
|
|
| 105 |
$template->set_var('CHECKED', ' checked="checked"');
|
|
| 106 |
} else {
|
|
| 107 |
$template->set_var('CHECKED', '');
|
|
| 108 |
} |
|
| 109 |
$template->parse('template_list', 'template_list_block', true);
|
|
| 110 |
} |
|
| 105 | 111 |
} |
| 106 |
$template->parse('module_list', 'module_list_block', true);
|
|
| 107 |
} |
|
| 108 |
} |
|
| 109 |
|
|
| 110 |
// Insert values into template list |
|
| 111 |
$template->set_block('main_block', 'template_list_block', 'template_list');
|
|
| 112 |
$result = $database->query('SELECT * FROM `'.TABLE_PREFIX.'addons` WHERE `type` = "template" ORDER BY `name`');
|
|
| 113 |
if($result->numRows() > 0) {
|
|
| 114 |
while($addon = $result->fetchRow()) {
|
|
| 115 |
$template->set_var('VALUE', $addon['directory']);
|
|
| 116 |
$template->set_var('NAME', $addon['name']);
|
|
| 117 |
if(!is_numeric(array_search($addon['directory'], $template_permissions))) {
|
|
| 118 |
$template->set_var('CHECKED', ' checked="checked"');
|
|
| 112 |
|
|
| 113 |
// Insert language text and messages |
|
| 114 |
$template->set_var(array( |
|
| 115 |
'TEXT_RESET' => $TEXT['RESET'], |
|
| 116 |
'TEXT_ACTIVE' => $TEXT['ACTIVE'], |
|
| 117 |
'TEXT_DISABLED' => $TEXT['DISABLED'], |
|
| 118 |
'TEXT_PLEASE_SELECT' => $TEXT['PLEASE_SELECT'], |
|
| 119 |
'TEXT_USERNAME' => $TEXT['USERNAME'], |
|
| 120 |
'TEXT_PASSWORD' => $TEXT['PASSWORD'], |
|
| 121 |
'TEXT_RETYPE_PASSWORD' => $TEXT['RETYPE_PASSWORD'], |
|
| 122 |
'TEXT_DISPLAY_NAME' => $TEXT['DISPLAY_NAME'], |
|
| 123 |
'TEXT_EMAIL' => $TEXT['EMAIL'], |
|
| 124 |
'TEXT_GROUP' => $TEXT['GROUP'], |
|
| 125 |
'TEXT_SYSTEM_PERMISSIONS' => $TEXT['SYSTEM_PERMISSIONS'], |
|
| 126 |
'TEXT_MODULE_PERMISSIONS' => $TEXT['MODULE_PERMISSIONS'], |
|
| 127 |
'TEXT_TEMPLATE_PERMISSIONS' => $TEXT['TEMPLATE_PERMISSIONS'], |
|
| 128 |
'TEXT_NAME' => $TEXT['NAME'], |
|
| 129 |
'SECTION_PAGES' => $MENU['PAGES'], |
|
| 130 |
'SECTION_MEDIA' => $MENU['MEDIA'], |
|
| 131 |
'SECTION_MODULES' => $MENU['MODULES'], |
|
| 132 |
'SECTION_TEMPLATES' => $MENU['TEMPLATES'], |
|
| 133 |
'SECTION_LANGUAGES' => $MENU['LANGUAGES'], |
|
| 134 |
'SECTION_SETTINGS' => $MENU['SETTINGS'], |
|
| 135 |
'SECTION_USERS' => $MENU['USERS'], |
|
| 136 |
'SECTION_GROUPS' => $MENU['GROUPS'], |
|
| 137 |
'SECTION_ADMINTOOLS' => $MENU['ADMINTOOLS'], |
|
| 138 |
'TEXT_VIEW' => $TEXT['VIEW'], |
|
| 139 |
'TEXT_ADD' => $TEXT['ADD'], |
|
| 140 |
'TEXT_LEVEL' => $TEXT['LEVEL'], |
|
| 141 |
'TEXT_MODIFY' => $TEXT['MODIFY'], |
|
| 142 |
'TEXT_DELETE' => $TEXT['DELETE'], |
|
| 143 |
'TEXT_MODIFY_CONTENT' => $TEXT['MODIFY_CONTENT'], |
|
| 144 |
'TEXT_MODIFY_SETTINGS' => $TEXT['MODIFY_SETTINGS'], |
|
| 145 |
'HEADING_MODIFY_INTRO_PAGE' => $HEADING['MODIFY_INTRO_PAGE'], |
|
| 146 |
'TEXT_CREATE_FOLDER' => $TEXT['CREATE_FOLDER'], |
|
| 147 |
'TEXT_RENAME' => $TEXT['RENAME'], |
|
| 148 |
'TEXT_UPLOAD_FILES' => $TEXT['UPLOAD_FILES'], |
|
| 149 |
'TEXT_BASIC' => $TEXT['BASIC'], |
|
| 150 |
'TEXT_ADVANCED' => $TEXT['ADVANCED'], |
|
| 151 |
'CHANGING_PASSWORD' => $MESSAGE['USERS']['CHANGING_PASSWORD'], |
|
| 152 |
'HEADING_MODIFY_GROUP' => $HEADING['MODIFY_GROUP'], |
|
| 153 |
)); |
|
| 154 |
|
|
| 155 |
// Parse template object |
|
| 156 |
$template->parse('main', 'main_block', false);
|
|
| 157 |
$template->pparse('output', 'page');
|
|
| 158 |
break; |
|
| 159 |
case 'delete' : |
|
| 160 |
// Create new admin object |
|
| 161 |
$admin = new admin('Access', 'groups_delete');
|
|
| 162 |
$group_id = intval($admin->checkIDKEY('group_id', 0, $_SERVER['REQUEST_METHOD']));
|
|
| 163 |
// Check if user id is a valid number and doesnt equal 1 |
|
| 164 |
if( ($group_id < 2 ) ) |
|
| 165 |
{
|
|
| 166 |
// if($admin_header) { $admin->print_header(); }
|
|
| 167 |
$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'] ); |
|
| 168 |
} |
|
| 169 |
// Print header |
|
| 170 |
$admin->print_header(); |
|
| 171 |
// Delete the group |
|
| 172 |
$database->query("DELETE FROM ".TABLE_PREFIX."groups WHERE group_id = '".$group_id."' LIMIT 1");
|
|
| 173 |
if($database->is_error()) {
|
|
| 174 |
$admin->print_error($database->get_error()); |
|
| 119 | 175 |
} else {
|
| 120 |
$template->set_var('CHECKED', '');
|
|
| 176 |
// Delete users in the group |
|
| 177 |
$database->query("DELETE FROM ".TABLE_PREFIX."users WHERE group_id = '".$group_id."'");
|
|
| 178 |
if($database->is_error()) {
|
|
| 179 |
$admin->print_error($database->get_error()); |
|
| 180 |
} else {
|
|
| 181 |
$admin->print_success($MESSAGE['GROUPS']['DELETED']); |
|
| 182 |
} |
|
| 121 | 183 |
} |
| 122 |
$template->parse('template_list', 'template_list_block', true);
|
|
| 123 |
} |
|
| 124 |
} |
|
| 125 |
|
|
| 126 |
// Insert language text and messages |
|
| 127 |
$template->set_var(array( |
|
| 128 |
'TEXT_RESET' => $TEXT['RESET'], |
|
| 129 |
'TEXT_ACTIVE' => $TEXT['ACTIVE'], |
|
| 130 |
'TEXT_DISABLED' => $TEXT['DISABLED'], |
|
| 131 |
'TEXT_PLEASE_SELECT' => $TEXT['PLEASE_SELECT'], |
|
| 132 |
'TEXT_USERNAME' => $TEXT['USERNAME'], |
|
| 133 |
'TEXT_PASSWORD' => $TEXT['PASSWORD'], |
|
| 134 |
'TEXT_RETYPE_PASSWORD' => $TEXT['RETYPE_PASSWORD'], |
|
| 135 |
'TEXT_DISPLAY_NAME' => $TEXT['DISPLAY_NAME'], |
|
| 136 |
'TEXT_EMAIL' => $TEXT['EMAIL'], |
|
| 137 |
'TEXT_GROUP' => $TEXT['GROUP'], |
|
| 138 |
'TEXT_SYSTEM_PERMISSIONS' => $TEXT['SYSTEM_PERMISSIONS'], |
|
| 139 |
'TEXT_MODULE_PERMISSIONS' => $TEXT['MODULE_PERMISSIONS'], |
|
| 140 |
'TEXT_TEMPLATE_PERMISSIONS' => $TEXT['TEMPLATE_PERMISSIONS'], |
|
| 141 |
'TEXT_NAME' => $TEXT['NAME'], |
|
| 142 |
'SECTION_PAGES' => $MENU['PAGES'], |
|
| 143 |
'SECTION_MEDIA' => $MENU['MEDIA'], |
|
| 144 |
'SECTION_MODULES' => $MENU['MODULES'], |
|
| 145 |
'SECTION_TEMPLATES' => $MENU['TEMPLATES'], |
|
| 146 |
'SECTION_LANGUAGES' => $MENU['LANGUAGES'], |
|
| 147 |
'SECTION_SETTINGS' => $MENU['SETTINGS'], |
|
| 148 |
'SECTION_USERS' => $MENU['USERS'], |
|
| 149 |
'SECTION_GROUPS' => $MENU['GROUPS'], |
|
| 150 |
'SECTION_ADMINTOOLS' => $MENU['ADMINTOOLS'], |
|
| 151 |
'TEXT_VIEW' => $TEXT['VIEW'], |
|
| 152 |
'TEXT_ADD' => $TEXT['ADD'], |
|
| 153 |
'TEXT_LEVEL' => $TEXT['LEVEL'], |
|
| 154 |
'TEXT_MODIFY' => $TEXT['MODIFY'], |
|
| 155 |
'TEXT_DELETE' => $TEXT['DELETE'], |
|
| 156 |
'TEXT_MODIFY_CONTENT' => $TEXT['MODIFY_CONTENT'], |
|
| 157 |
'TEXT_MODIFY_SETTINGS' => $TEXT['MODIFY_SETTINGS'], |
|
| 158 |
'HEADING_MODIFY_INTRO_PAGE' => $HEADING['MODIFY_INTRO_PAGE'], |
|
| 159 |
'TEXT_CREATE_FOLDER' => $TEXT['CREATE_FOLDER'], |
|
| 160 |
'TEXT_RENAME' => $TEXT['RENAME'], |
|
| 161 |
'TEXT_UPLOAD_FILES' => $TEXT['UPLOAD_FILES'], |
|
| 162 |
'TEXT_BASIC' => $TEXT['BASIC'], |
|
| 163 |
'TEXT_ADVANCED' => $TEXT['ADVANCED'], |
|
| 164 |
'CHANGING_PASSWORD' => $MESSAGE['USERS']['CHANGING_PASSWORD'], |
|
| 165 |
'HEADING_MODIFY_GROUP' => $HEADING['MODIFY_GROUP'], |
|
| 166 |
)); |
|
| 167 |
|
|
| 168 |
// Parse template object |
|
| 169 |
$template->parse('main', 'main_block', false);
|
|
| 170 |
$template->pparse('output', 'page');
|
|
| 171 |
} elseif($_POST['action'] == 'delete') {
|
|
| 172 |
// Create new admin object |
|
| 173 |
$admin = new admin('Access', 'groups_delete', false);
|
|
| 174 |
/* */ |
|
| 175 |
if (!$admin->checkFTAN()) |
|
| 176 |
{
|
|
| 177 |
$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'], ADMIN_URL); |
|
| 178 |
} |
|
| 179 |
// Print header |
|
| 180 |
$admin->print_header(); |
|
| 181 |
// Delete the group |
|
| 182 |
$database->query("DELETE FROM ".TABLE_PREFIX."groups WHERE group_id = '".$_POST['group_id']."' LIMIT 1");
|
|
| 183 |
if($database->is_error()) {
|
|
| 184 |
$admin->print_error($database->get_error()); |
|
| 185 |
} else {
|
|
| 186 |
// Delete users in the group |
|
| 187 |
$database->query("DELETE FROM ".TABLE_PREFIX."users WHERE group_id = '".$_POST['group_id']."'");
|
|
| 188 |
if($database->is_error()) {
|
|
| 189 |
$admin->print_error($database->get_error()); |
|
| 190 |
} else {
|
|
| 191 |
$admin->print_success($MESSAGE['GROUPS']['DELETED']); |
|
| 192 |
} |
|
| 193 |
} |
|
| 194 |
} |
|
| 184 |
break; |
|
| 185 |
default: |
|
| 186 |
break; |
|
| 187 |
endswitch; |
|
| 195 | 188 |
|
| 196 | 189 |
// Print admin footer |
| 197 | 190 |
$admin->print_footer(); |
| branches/2.8.x/wb/admin/groups/index.php | ||
|---|---|---|
| 53 | 53 |
$template->parse('list', 'list_block', true);
|
| 54 | 54 |
// Loop through groups |
| 55 | 55 |
while($group = $results->fetchRow()) {
|
| 56 |
$template->set_var('VALUE', $group['group_id']);
|
|
| 56 |
$template->set_var('VALUE',$admin->getIDKEY($group['group_id']));
|
|
| 57 | 57 |
$template->set_var('NAME', $group['name']);
|
| 58 | 58 |
$template->parse('list', 'list_block', true);
|
| 59 | 59 |
} |
| ... | ... | |
| 195 | 195 |
|
| 196 | 196 |
// Print the admin footer |
| 197 | 197 |
$admin->print_footer(); |
| 198 |
|
|
| 199 |
?> |
|
| branches/2.8.x/wb/admin/media/rename2.php | ||
|---|---|---|
| 24 | 24 |
// Include the WB functions file |
| 25 | 25 |
require_once(WB_PATH.'/framework/functions.php'); |
| 26 | 26 |
|
| 27 |
// Get list of file types to which we're supposed to append 'txt' |
|
| 28 |
$get_result = $database->query("SELECT value FROM ".TABLE_PREFIX."settings WHERE name='rename_files_on_upload' LIMIT 1");
|
|
| 29 |
$file_extension_string = ''; |
|
| 30 |
if ($get_result->numRows()>0) {
|
|
| 31 |
$fetch_result = $get_result->fetchRow(); |
|
| 32 |
$file_extension_string = $fetch_result['value']; |
|
| 33 |
} |
|
| 34 |
$file_extensions=explode(",",$file_extension_string);
|
|
| 35 |
|
|
| 36 | 27 |
// Get the current dir |
| 37 |
// $directory = $admin->get_post('dir');
|
|
| 38 |
|
|
| 39 |
// Target location |
|
| 40 | 28 |
$requestMethod = '_'.strtoupper($_SERVER['REQUEST_METHOD']); |
| 41 | 29 |
$directory = (isset(${$requestMethod}['dir'])) ? ${$requestMethod}['dir'] : '';
|
| 42 |
if($directory == '/') {
|
|
| 43 |
$directory = ''; |
|
| 44 |
} |
|
| 30 |
$directory = ($directory == '/') ? '' : $directory; |
|
| 45 | 31 |
|
| 46 |
// Check to see if it contains .. |
|
| 32 |
$dirlink = 'browse.php?dir='.$directory; |
|
| 33 |
$rootlink = 'browse.php?dir='; |
|
| 34 |
// $file_id = intval($admin->get_post('id'));
|
|
| 35 |
|
|
| 36 |
// first Check to see if it contains .. |
|
| 47 | 37 |
if (!check_media_path($directory)) {
|
| 48 |
$admin->print_header(); |
|
| 49 |
$admin->print_error($MESSAGE['MEDIA']['DIR_DOT_DOT_SLASH']); |
|
| 38 |
$admin->print_error($MESSAGE['MEDIA']['DIR_DOT_DOT_SLASH'],$rootlink, false); |
|
| 50 | 39 |
} |
| 51 | 40 |
|
| 52 | 41 |
// Get the temp id |
| 53 |
$file_id = $admin->checkIDKEY('id', false, 'POST');
|
|
| 42 |
$file_id = intval($admin->checkIDKEY('id', false, $_SERVER['REQUEST_METHOD']));
|
|
| 54 | 43 |
if (!$file_id) {
|
| 55 |
$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS']); |
|
| 44 |
$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'],$dirlink, false);
|
|
| 56 | 45 |
} |
| 57 | 46 |
|
| 47 |
// Check for potentially malicious files and append 'txt' to their name |
|
| 48 |
$rename_file_types = str_replace(',','|',RENAME_FILES_ON_UPLOAD);
|
|
| 49 |
// hardcodet forbidden filetypes |
|
| 50 |
$forbidden_file_types = 'phtml|php5|php4|php|cgi|pl|exe|com|bat|src|'.$rename_file_types; |
|
| 58 | 51 |
// Get home folder not to show |
| 59 | 52 |
$home_folders = get_home_folders(); |
| 60 | 53 |
|
| ... | ... | |
| 62 | 55 |
if($handle = opendir(WB_PATH.MEDIA_DIRECTORY.'/'.$directory)) {
|
| 63 | 56 |
// Loop through the files and dirs an add to list |
| 64 | 57 |
while (false !== ($file = readdir($handle))) {
|
| 58 |
$info = pathinfo($file); |
|
| 59 |
$ext = isset($info['extension']) ? $info['extension'] : ''; |
|
| 65 | 60 |
if(substr($file, 0, 1) != '.' AND $file != '.svn' AND $file != 'index.php') {
|
| 66 |
if(is_dir(WB_PATH.MEDIA_DIRECTORY.$directory.'/'.$file)) {
|
|
| 67 |
if(!isset($home_folders[$directory.'/'.$file])) {
|
|
| 68 |
$DIR[] = $file; |
|
| 61 |
if( !preg_match('/'.$forbidden_file_types.'$/i', $ext) ) {
|
|
| 62 |
if(is_dir(WB_PATH.MEDIA_DIRECTORY.$directory.'/'.$file)) {
|
|
| 63 |
if(!isset($home_folders[$directory.'/'.$file])) {
|
|
| 64 |
$DIR[] = $file; |
|
| 65 |
} |
|
| 66 |
} else {
|
|
| 67 |
$FILE[] = $file; |
|
| 69 | 68 |
} |
| 70 |
} else {
|
|
| 71 |
$FILE[] = $file; |
|
| 72 | 69 |
} |
| 73 | 70 |
} |
| 74 | 71 |
} |
| ... | ... | |
| 94 | 91 |
} |
| 95 | 92 |
} |
| 96 | 93 |
} |
| 94 |
|
|
| 97 | 95 |
$file_id = $admin->getIDKEY($file_id); |
| 96 |
|
|
| 98 | 97 |
if(!isset($rename_file)) {
|
| 99 |
$admin->print_error($MESSAGE['MEDIA']['FILE_NOT_FOUND'], "browse.php?dir=$directory", false);
|
|
| 98 |
$admin->print_error($MESSAGE['MEDIA']['FILE_NOT_FOUND'], $dirlink, false);
|
|
| 100 | 99 |
} |
| 101 | 100 |
|
| 102 | 101 |
// Check if they entered a new name |
| ... | ... | |
| 121 | 120 |
// Join new name and extension |
| 122 | 121 |
$name = $new_name.$extension; |
| 123 | 122 |
|
| 123 |
$info = pathinfo(WB_PATH.MEDIA_DIRECTORY.$directory.'/'.$name); |
|
| 124 |
$ext = isset($info['extension']) ? $info['extension'] : ''; |
|
| 125 |
$dots = (substr($info['basename'], 0, 1) == '.') || (substr($info['basename'], -1, 1) == '.'); |
|
| 126 |
|
|
| 127 |
if( preg_match('/'.$forbidden_file_types.'$/i', $ext) || $dots == '.' ) {
|
|
| 128 |
$admin->print_error($MESSAGE['MEDIA']['CANNOT_RENAME'], "rename.php?dir=$directory&id=$file_id", false); |
|
| 129 |
} |
|
| 130 |
|
|
| 124 | 131 |
// Check if the name contains .. |
| 125 | 132 |
if(strstr($name, '..')) {
|
| 126 | 133 |
$admin->print_error($MESSAGE['MEDIA']['NAME_DOT_DOT_SLASH'], "rename.php?dir=$directory&id=$file_id", false); |
| ... | ... | |
| 136 | 143 |
$admin->print_error($MESSAGE['MEDIA']['BLANK_NAME'], "rename.php?dir=$directory&id=$file_id", false); |
| 137 | 144 |
} |
| 138 | 145 |
|
| 139 |
// Check for potentially malicious files and append 'txt' to their name |
|
| 140 |
foreach($file_extensions as $file_ext) {
|
|
| 141 |
$file_ext_len=strlen($file_ext); |
|
| 142 |
if (substr($name,-$file_ext_len)==$file_ext) {
|
|
| 143 |
$name.='.txt'; |
|
| 144 |
} |
|
| 145 |
} |
|
| 146 |
$info = pathinfo(WB_PATH.MEDIA_DIRECTORY.$directory.'/'.$rename_file); |
|
| 147 |
$ext = isset($info['extension']) ? $info['extension'] : ''; |
|
| 148 |
$dots = (substr($info['basename'], 0, 1) == '.') || (substr($info['basename'], -1, 1) == '.'); |
|
| 146 | 149 |
|
| 150 |
if( preg_match('/'.$forbidden_file_types.'$/i', $ext) || $dots == '.' ) {
|
|
| 151 |
$admin->print_error($MESSAGE['MEDIA']['CANNOT_RENAME'], "rename.php?dir=$directory&id=$file_id", false); |
|
| 152 |
} |
|
| 147 | 153 |
|
| 148 | 154 |
// Check if we should overwrite or not |
| 149 | 155 |
if($admin->get_post('overwrite') != 'yes' AND file_exists(WB_PATH.MEDIA_DIRECTORY.$directory.'/'.$name) == true) {
|
| ... | ... | |
| 160 | 166 |
// feature freeze |
| 161 | 167 |
// require_once(ADMIN_PATH.'/media/dse.php'); |
| 162 | 168 |
|
| 163 |
$admin->print_success($MESSAGE['MEDIA']['RENAMED'], "browse.php?dir=$directory");
|
|
| 169 |
$admin->print_success($MESSAGE['MEDIA']['RENAMED'], $dirlink);
|
|
| 164 | 170 |
} else {
|
| 165 | 171 |
$admin->print_error($MESSAGE['MEDIA']['CANNOT_RENAME'], "rename.php?dir=$directory&id=$file_id", false); |
| 166 | 172 |
} |
| branches/2.8.x/wb/admin/media/browse.php | ||
|---|---|---|
| 94 | 94 |
$currentHome |
| 95 | 95 |
: |
| 96 | 96 |
$admin->strip_slashes($admin->get_get('dir')) ;
|
| 97 |
|
|
| 97 | 98 |
if($directory == '/' OR $directory == '\\') {
|
| 98 | 99 |
$directory = ''; |
| 99 | 100 |
} |
| 100 | 101 |
|
| 102 |
$dir_backlink = 'browse.php?dir='.$directory; |
|
| 103 |
|
|
| 101 | 104 |
// Check to see if it contains ../ |
| 102 | 105 |
if (!check_media_path($directory)) {
|
| 103 | 106 |
// $admin->print_header(); |
| ... | ... | |
| 159 | 162 |
|
| 160 | 163 |
if($handle = opendir(WB_PATH.MEDIA_DIRECTORY.'/'.$directory)) {
|
| 161 | 164 |
// Loop through the files and dirs an add to list |
| 162 |
while(false !== ($file = readdir($handle))) {
|
|
| 165 |
while (false !== ($file = readdir($handle))) {
|
|
| 166 |
$info = pathinfo($file); |
|
| 167 |
$ext = isset($info['extension']) ? $info['extension'] : ''; |
|
| 163 | 168 |
if(substr($file, 0, 1) != '.' AND $file != '.svn' AND $file != 'index.php') {
|
| 164 |
if(is_dir(WB_PATH.MEDIA_DIRECTORY.$directory.'/'.$file)) {
|
|
| 165 |
if(!isset($home_folders[$directory.'/'.$file])) {
|
|
| 166 |
$DIR[] = $file; |
|
| 167 |
} |
|
| 168 |
} else {
|
|
| 169 |
$info = pathinfo($file); |
|
| 170 |
$ext = isset($info['extension']) ? $info['extension'] : ''; |
|
| 171 |
if( !preg_match('/'.$forbidden_file_types.'$/i', $ext) ) {
|
|
| 169 |
if( !preg_match('/'.$forbidden_file_types.'$/i', $ext) ) {
|
|
| 170 |
if(is_dir(WB_PATH.MEDIA_DIRECTORY.$directory.'/'.$file)) {
|
|
| 171 |
if(!isset($home_folders[$directory.'/'.$file])) {
|
|
| 172 |
$DIR[] = $file; |
|
| 173 |
} |
|
| 174 |
} else {
|
|
| 172 | 175 |
$FILE[] = $file; |
| 173 | 176 |
} |
| 174 | 177 |
} |
| ... | ... | |
| 186 | 189 |
'NAME' => $name, |
| 187 | 190 |
'NAME_SLASHED' => addslashes($name), |
| 188 | 191 |
'TEMP_ID' => $admin->getIDKEY($temp_id), |
| 192 |
// 'TEMP_ID' => $temp_id, |
|
| 189 | 193 |
'LINK' => "browse.php?dir=$directory/$link_name", |
| 190 | 194 |
'LINK_TARGET' => '_self', |
| 191 | 195 |
'ROW_BG_COLOR' => $row_bg_color, |
| ... | ... | |
| 246 | 250 |
'NAME' => $name, |
| 247 | 251 |
'NAME_SLASHED' => addslashes($name), |
| 248 | 252 |
'TEMP_ID' => $admin->getIDKEY($temp_id), |
| 253 |
// 'TEMP_ID' => $temp_id, |
|
| 249 | 254 |
'LINK' => WB_URL.MEDIA_DIRECTORY.$directory.'/'.$name, |
| 250 | 255 |
'LINK_TARGET' => '_blank', |
| 251 | 256 |
'ROW_BG_COLOR' => $row_bg_color, |
| branches/2.8.x/wb/admin/media/delete.php | ||
|---|---|---|
| 26 | 26 |
|
| 27 | 27 |
// Get the current dir |
| 28 | 28 |
$directory = $admin->get_get('dir');
|
| 29 |
if($directory == '/') {
|
|
| 30 |
$directory = ''; |
|
| 31 |
} |
|
| 29 |
$directory = ($directory == '/') ? '' : $directory; |
|
| 32 | 30 |
|
| 31 |
$dirlink = 'browse.php?dir='.$directory; |
|
| 32 |
$rootlink = 'browse.php?dir='; |
|
| 33 |
|
|
| 33 | 34 |
// Check to see if it contains .. |
| 34 | 35 |
if (!check_media_path($directory)) {
|
| 35 | 36 |
// $admin->print_header(); |
| 36 |
$admin->print_error($MESSAGE['MEDIA']['DIR_DOT_DOT_SLASH'],WB_URL.'/admin/media/browse.php?dir=',false );
|
|
| 37 |
$admin->print_error($MESSAGE['MEDIA']['DIR_DOT_DOT_SLASH'],$rootlink,false );
|
|
| 37 | 38 |
} |
| 38 | 39 |
|
| 39 |
// Get the temp id
|
|
| 40 |
$file_id = $admin->checkIDKEY('id', false, 'GET');
|
|
| 40 |
// Get the file id
|
|
| 41 |
$file_id = $admin->checkIDKEY('id', false, $_SERVER['REQUEST_METHOD']);
|
|
| 41 | 42 |
if (!$file_id) {
|
| 42 |
$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'], WB_URL.'/admin/media/browse.php?dir=',false);
|
|
| 43 |
$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'], $dirlink,false);
|
|
| 43 | 44 |
} |
| 44 | 45 |
|
| 45 | 46 |
// Get home folder not to show |
| ... | ... | |
| 52 | 53 |
if(!empty($currentdir)) {
|
| 53 | 54 |
$usedFiles = $Dse->getMatchesFromDir( $directory, DseTwo::RETURN_USED); |
| 54 | 55 |
} |
| 55 |
print '<pre><strong>function '.__FUNCTION__.'();</strong> basename: '.basename(__FILE__).' line: '.__LINE__.' -> <br />'; |
|
| 56 |
print_r( $usedFiles ); print '</pre>'; // flush ();sleep(10); die(); |
|
| 57 | 56 |
*/ |
| 58 | 57 |
// Figure out what folder name the temp id is |
| 59 | 58 |
if($handle = opendir(WB_PATH.MEDIA_DIRECTORY.'/'.$directory)) {
|
| ... | ... | |
| 94 | 93 |
|
| 95 | 94 |
// Check to see if we could find an id to match |
| 96 | 95 |
if(!isset($delete_file)) {
|
| 97 |
$admin->print_error($MESSAGE['MEDIA']['FILE_NOT_FOUND'], "browse.php?dir=$directory", false);
|
|
| 96 |
$admin->print_error($MESSAGE['MEDIA']['FILE_NOT_FOUND'], $dirlink, false);
|
|
| 98 | 97 |
} |
| 99 | 98 |
$relative_path = WB_PATH.MEDIA_DIRECTORY.'/'.$directory.'/'.$delete_file; |
| 100 | 99 |
// Check if the file/folder exists |
| 101 | 100 |
if(!file_exists($relative_path)) {
|
| 102 |
$admin->print_error($MESSAGE['MEDIA']['FILE_NOT_FOUND'], "browse.php?dir=$directory", false);
|
|
| 101 |
$admin->print_error($MESSAGE['MEDIA']['FILE_NOT_FOUND'], $dirlink, false);
|
|
| 103 | 102 |
} |
| 104 | 103 |
|
| 105 | 104 |
// Find out whether its a file or folder |
| 106 | 105 |
if($type == 'folder') {
|
| 107 | 106 |
// Try and delete the directory |
| 108 | 107 |
if(rm_full_dir($relative_path)) {
|
| 109 |
$admin->print_success($MESSAGE['MEDIA']['DELETED_DIR'], "browse.php?dir=$directory");
|
|
| 108 |
$admin->print_success($MESSAGE['MEDIA']['DELETED_DIR'], $dirlink);
|
|
| 110 | 109 |
} else {
|
| 111 |
$admin->print_error($MESSAGE['MEDIA']['CANNOT_DELETE_DIR'], "browse.php?dir=$directory", false);
|
|
| 110 |
$admin->print_error($MESSAGE['MEDIA']['CANNOT_DELETE_DIR'], $dirlink, false);
|
|
| 112 | 111 |
} |
| 113 | 112 |
} else {
|
| 114 | 113 |
// Try and delete the file |
| 115 | 114 |
if(unlink($relative_path)) {
|
| 116 |
$admin->print_success($MESSAGE['MEDIA']['DELETED_FILE'], "browse.php?dir=$directory");
|
|
| 115 |
$admin->print_success($MESSAGE['MEDIA']['DELETED_FILE'], $dirlink);
|
|
| 117 | 116 |
} else {
|
| 118 |
$admin->print_error($MESSAGE['MEDIA']['CANNOT_DELETE_FILE'], "browse.php?dir=$directory", false);
|
|
| 117 |
$admin->print_error($MESSAGE['MEDIA']['CANNOT_DELETE_FILE'], $dirlink, false);
|
|
| 119 | 118 |
} |
| 120 | 119 |
} |
| 121 | 120 |
|
| branches/2.8.x/wb/admin/media/create.php | ||
|---|---|---|
| 18 | 18 |
|
| 19 | 19 |
// Print admin header |
| 20 | 20 |
require('../../config.php');
|
| 21 |
|
|
| 21 | 22 |
require_once(WB_PATH.'/framework/class.admin.php'); |
| 23 |
// Include the WB functions file |
|
| 24 |
require_once(WB_PATH.'/framework/functions.php'); |
|
| 25 |
|
|
| 22 | 26 |
// suppress to print the header, so no new FTAN will be set |
| 23 | 27 |
$admin = new admin('Media', 'media_create', false);
|
| 24 | 28 |
|
| 25 | 29 |
// Get dir name and target location |
| 26 | 30 |
$requestMethod = '_'.strtoupper($_SERVER['REQUEST_METHOD']); |
| 27 | 31 |
$name = (isset(${$requestMethod}['name'])) ? ${$requestMethod}['name'] : '';
|
| 28 |
if($name == '') {
|
|
| 29 |
header("Location: index.php");
|
|
| 30 |
exit(0); |
|
| 32 |
|
|
| 33 |
// Check to see if name or target contains ../ |
|
| 34 |
if(strstr($name, '..')) {
|
|
| 35 |
$admin->print_header(); |
|
| 36 |
$admin->print_error($MESSAGE['MEDIA']['NAME_DOT_DOT_SLASH']); |
|
| 31 | 37 |
} |
| 32 | 38 |
|
| 39 |
// Remove bad characters |
|
| 40 |
$name = trim(media_filename($name),'.'); |
|
| 41 |
|
|
| 33 | 42 |
// Target location |
| 34 | 43 |
$requestMethod = '_'.strtoupper($_SERVER['REQUEST_METHOD']); |
| 35 | 44 |
$target = (isset(${$requestMethod}['target'])) ? ${$requestMethod}['target'] : '';
|
| 36 |
if($target == '') {
|
|
| 37 |
header("Location: index.php");
|
|
| 38 |
exit(0); |
|
| 39 |
} |
|
| 40 | 45 |
|
| 41 |
require_once(WB_PATH.'/framework/class.admin.php'); |
|
| 42 |
// suppress to print the header, so no new FTAN will be set |
|
| 43 |
$admin = new admin('Media', 'media_create', false);
|
|
| 44 | 46 |
if (!$admin->checkFTAN()) |
| 45 | 47 |
{
|
| 46 | 48 |
$admin->print_header(); |
| ... | ... | |
| 49 | 51 |
// After check print the header |
| 50 | 52 |
$admin->print_header(); |
| 51 | 53 |
|
| 52 |
// Include the WB functions file |
|
| 53 |
require_once(WB_PATH.'/framework/functions.php'); |
|
| 54 |
|
|
| 55 |
// Check to see if name or target contains ../ |
|
| 56 |
if(strstr($name, '..')) {
|
|
| 57 |
$admin->print_error($MESSAGE['MEDIA']['NAME_DOT_DOT_SLASH']); |
|
| 58 |
} |
|
| 59 | 54 |
if (!check_media_path($target, false)) {
|
| 60 |
w_debug("target: $target");
|
|
| 61 | 55 |
$admin->print_error($MESSAGE['MEDIA']['TARGET_DOT_DOT_SLASH']); |
| 62 | 56 |
} |
| 63 | 57 |
|
| 64 |
// Remove bad characters |
|
| 65 |
$name = media_filename($name); |
|
| 66 |
|
|
| 67 | 58 |
// Create relative path of the new dir name |
| 68 | 59 |
$directory = WB_PATH.$target.'/'.$name; |
| 69 | 60 |
|
| 70 |
/* */ |
|
| 71 | 61 |
// Check to see if the folder already exists |
| 72 | 62 |
if(file_exists($directory)) {
|
| 73 | 63 |
$admin->print_error($MESSAGE['MEDIA']['DIR_EXISTS']); |
| 74 | 64 |
} |
| 75 | 65 |
|
| 76 |
|
|
| 77 | 66 |
if ( sizeof(createFolderProtectFile( $directory )) ) |
| 78 | 67 |
{
|
| 79 | 68 |
$admin->print_error($MESSAGE['MEDIA']['DIR_NOT_MADE']); |
| branches/2.8.x/wb/admin/media/rename.php | ||
|---|---|---|
| 26 | 26 |
|
| 27 | 27 |
// Get the current dir |
| 28 | 28 |
$directory = $admin->get_get('dir');
|
| 29 |
if($directory == '/') {
|
|
| 30 |
$directory = ''; |
|
| 31 |
} |
|
| 29 |
$directory = ($directory == '/') ? '' : $directory; |
|
| 32 | 30 |
|
| 33 |
// Check to see if it contains .. |
|
| 31 |
$dirlink = 'browse.php?dir='.$directory; |
|
| 32 |
$rootlink = 'browse.php?dir='; |
|
| 33 |
// $file_id = intval($admin->get_get('id'));
|
|
| 34 |
|
|
| 35 |
// first Check to see if it contains .. |
|
| 34 | 36 |
if (!check_media_path($directory)) {
|
| 35 |
$admin->print_error($MESSAGE['MEDIA']['DIR_DOT_DOT_SLASH'], "browse.php?dir=$directory", false);
|
|
| 37 |
$admin->print_error($MESSAGE['MEDIA']['DIR_DOT_DOT_SLASH'],$rootlink, false);
|
|
| 36 | 38 |
} |
| 37 | 39 |
|
| 38 | 40 |
// Get the temp id |
| 39 |
$file_id = $admin->checkIDKEY('id', false, 'GET');
|
|
| 41 |
$file_id = intval($admin->checkIDKEY('id', false, $_SERVER['REQUEST_METHOD']));
|
|
| 40 | 42 |
if (!$file_id) {
|
| 41 |
$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS']); |
|
| 43 |
$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'],$dirlink, false);
|
|
| 42 | 44 |
} |
| 43 | 45 |
|
| 44 | 46 |
// Get home folder not to show |
| 45 | 47 |
$home_folders = get_home_folders(); |
| 48 |
// Check for potentially malicious files and append 'txt' to their name |
|
| 49 |
$rename_file_types = str_replace(',','|',RENAME_FILES_ON_UPLOAD);
|
|
| 50 |
// hardcodet forbidden filetypes |
|
| 51 |
$forbidden_file_types = 'phtml|php5|php4|php|cgi|pl|exe|com|bat|src|'.$rename_file_types; |
|
| 46 | 52 |
|
| 47 | 53 |
// Figure out what folder name the temp id is |
| 48 | 54 |
if($handle = opendir(WB_PATH.MEDIA_DIRECTORY.'/'.$directory)) {
|
| 49 | 55 |
// Loop through the files and dirs an add to list |
| 50 | 56 |
while (false !== ($file = readdir($handle))) {
|
| 57 |
$info = pathinfo($file); |
|
| 58 |
$ext = isset($info['extension']) ? $info['extension'] : ''; |
|
| 51 | 59 |
if(substr($file, 0, 1) != '.' AND $file != '.svn' AND $file != 'index.php') {
|
| 52 |
if(is_dir(WB_PATH.MEDIA_DIRECTORY.$directory.'/'.$file)) {
|
|
| 53 |
if(!isset($home_folders[$directory.'/'.$file])) {
|
|
| 54 |
$DIR[] = $file; |
|
| 60 |
if( !preg_match('/'.$forbidden_file_types.'$/i', $ext) ) {
|
|
| 61 |
if(is_dir(WB_PATH.MEDIA_DIRECTORY.$directory.'/'.$file)) {
|
|
| 62 |
if(!isset($home_folders[$directory.'/'.$file])) {
|
|
| 63 |
$DIR[] = $file; |
|
| 64 |
} |
|
| 65 |
} else {
|
|
| 66 |
$FILE[] = $file; |
|
| 55 | 67 |
} |
| 56 |
} else {
|
|
| 57 |
$FILE[] = $file; |
|
| 58 | 68 |
} |
| 59 | 69 |
} |
| 60 | 70 |
} |
| 71 |
|
|
| 61 | 72 |
$temp_id = 0; |
| 62 | 73 |
if(isset($DIR)) {
|
| 63 | 74 |
sort($DIR); |
| ... | ... | |
| 69 | 80 |
} |
| 70 | 81 |
} |
| 71 | 82 |
} |
| 83 |
|
|
| 72 | 84 |
if(isset($FILE)) {
|
| 73 | 85 |
sort($FILE); |
| 74 | 86 |
foreach($FILE AS $name) {
|
| ... | ... | |
| 82 | 94 |
} |
| 83 | 95 |
|
| 84 | 96 |
if(!isset($rename_file)) {
|
| 85 |
$admin->print_error($MESSAGE['MEDIA']['FILE_NOT_FOUND'], "browse.php?dir=$directory", false);
|
|
| 97 |
$admin->print_error($MESSAGE['MEDIA']['FILE_NOT_FOUND'], $dirlink, false);
|
|
| 86 | 98 |
} |
| 87 | 99 |
|
| 88 | 100 |
// Setup template object |
| ... | ... | |
| 109 | 121 |
'FILENAME' => $rename_file, |
| 110 | 122 |
'DIR' => $directory, |
| 111 | 123 |
'FILE_ID' => $admin->getIDKEY($file_id), |
| 124 |
// 'FILE_ID' => $file_id, |
|
| 112 | 125 |
'TYPE' => $type, |
| 113 | 126 |
'EXTENSION' => $extension, |
| 114 | 127 |
'FTAN' => $admin->getFTAN() |
| branches/2.8.x/wb/admin/media/upload.php | ||
|---|---|---|
| 22 | 22 |
include_once('parameters.php');
|
| 23 | 23 |
|
| 24 | 24 |
require_once(WB_PATH.'/framework/class.admin.php'); |
| 25 |
require_once(WB_PATH.'/include/pclzip/pclzip.lib.php'); // Required to unzip file. |
|
| 25 |
// require_once(WB_PATH.'/include/pclzip/pclzip.lib.php'); // Required to unzip file.
|
|
| 26 | 26 |
// suppress to print the header, so no new FTAN will be set |
| 27 | 27 |
$admin = new admin('Media', 'media_upload', false);
|
| 28 | 28 |
|
| ... | ... | |
| 52 | 52 |
$resizepath = str_replace(array('/',' '),'_',$target);
|
| 53 | 53 |
|
| 54 | 54 |
// Find out whether we should replace files or give an error |
| 55 |
if($admin->get_post('overwrite') != '') {
|
|
| 56 |
$overwrite = true; |
|
| 57 |
} else {
|
|
| 58 |
$overwrite = false; |
|
| 59 |
} |
|
| 55 |
$overwrite = ($admin->get_post('overwrite') != '') ? true : false;
|
|
| 60 | 56 |
|
| 61 | 57 |
// Get list of file types to which we're supposed to append 'txt' |
| 62 | 58 |
$get_result=$database->query("SELECT value FROM ".TABLE_PREFIX."settings WHERE name='rename_files_on_upload' LIMIT 1");
|
| ... | ... | |
| 65 | 61 |
$fetch_result=$get_result->fetchRow(); |
| 66 | 62 |
$file_extension_string=$fetch_result['value']; |
| 67 | 63 |
} |
| 64 |
|
|
| 68 | 65 |
$file_extensions=explode(",",$file_extension_string);
|
| 69 | 66 |
// get from settings and add to forbidden list |
| 70 | 67 |
$rename_file_types = str_replace(',','|',RENAME_FILES_ON_UPLOAD);
|
| branches/2.8.x/wb/admin/start/index.php | ||
|---|---|---|
| 64 | 64 |
} |
| 65 | 65 |
|
| 66 | 66 |
$msg = (file_exists(WB_PATH.'/install/')) ? $MESSAGE['START']['INSTALL_DIR_EXISTS'] : ''; |
| 67 |
$msg .= (file_exists(WB_PATH.'/upgrade-script.php')) ? '<br />'.$TEXT['DELETE'].' upgrade-script.php ' : '';
|
|
| 67 |
$msg .= (file_exists(WB_PATH.'/upgrade-script.php')) ? '<br />'.$MESSAGE['START_UPGRADE_SCRIPT_EXISTS'] : '';
|
|
| 68 | 68 |
|
| 69 | 69 |
// Check if installation directory still exists |
| 70 | 70 |
if(file_exists(WB_PATH.'/install/') || file_exists(WB_PATH.'/upgrade-script.php') ) {
|
| ... | ... | |
| 138 | 138 |
|
| 139 | 139 |
// Print admin footer |
| 140 | 140 |
$admin->print_footer(); |
| 141 |
|
|
| 142 |
?> |
|
| branches/2.8.x/wb/admin/templates/details.php | ||
|---|---|---|
| 33 | 33 |
header("Location: index.php");
|
| 34 | 34 |
exit(0); |
| 35 | 35 |
} else {
|
| 36 |
$file = preg_replace("/\W/", "", $admin->add_slashes($_POST['file'])); // fix secunia 2010-92-2
|
|
| 36 |
$file = preg_replace("/\W/", "", $_POST['file']); // fix secunia 2010-92-2
|
|
| 37 | 37 |
} |
| 38 | 38 |
|
| 39 | 39 |
// Check if the template exists |
| branches/2.8.x/wb/admin/pages/index.php | ||
|---|---|---|
| 28 | 28 |
?> |
| 29 | 29 |
<script type="text/javascript" src="<?php print ADMIN_URL; ?>/pages/eggsurplus.js"></script> |
| 30 | 30 |
<?php |
| 31 |
/* |
|
| 32 |
urlencode function and rawurlencode are mostly based on RFC 1738. |
|
| 33 |
However, since 2005 the current RFC in use for URIs standard is RFC 3986. |
|
| 34 |
Here is a function to encode URLs according to RFC 3986. |
|
| 35 |
*/ |
|
| 36 |
function url_encode($string) {
|
|
| 37 |
$string = html_entity_decode($string,ENT_QUOTES,'UTF-8'); |
|
| 38 |
$entities = array('%21', '%2A', '%27', '%28', '%29', '%3B', '%3A', '%40', '%26', '%3D', '%2B', '%24', '%2C', '%2F', '%3F', '%25', '%23', '%5B', '%5D');
|
|
| 39 |
$replacements = array('!', '*', "'", "(", ")", ";", ":", "@", "&", "=", "+", "$", ",", "/", "?", "%", "#", "[", "]");
|
|
| 40 |
return str_replace($entities, $replacements, rawurlencode($string)); |
|
| 41 |
} |
|
| 31 |
|
|
| 42 | 32 |
// fixes A URI contains impermissible characters or quotes around the URI are not closed. |
| 43 | 33 |
$MESSAGE['PAGES_DELETE_CONFIRM'] = url_encode( $MESSAGE['PAGES_DELETE_CONFIRM'] ); |
| 44 | 34 |
|
| ... | ... | |
| 607 | 597 |
|
| 608 | 598 |
// Print admin |
| 609 | 599 |
$admin->print_footer(); |
| 610 |
|
|
| 611 |
?> |
|
| branches/2.8.x/wb/admin/pages/settings2.php | ||
|---|---|---|
| 56 | 56 |
// Get values |
| 57 | 57 |
$page_title = str_replace(array("[[", "]]"), '', htmlspecialchars($admin->get_post_escaped('page_title')));
|
| 58 | 58 |
$menu_title = str_replace(array("[[", "]]"), '', htmlspecialchars($admin->get_post_escaped('menu_title')));
|
| 59 |
$page_code = (int) $admin->get_post_escaped('page_code');
|
|
| 59 |
$page_code = intval($admin->get_post('page_code')) ;
|
|
| 60 | 60 |
$description = str_replace(array("[[", "]]"), '', htmlspecialchars($admin->add_slashes($admin->get_post('description'))));
|
| 61 | 61 |
$keywords = str_replace(array("[[", "]]"), '', htmlspecialchars($admin->add_slashes($admin->get_post('keywords'))));
|
| 62 |
$parent = (int) $admin->get_post_escaped('parent'); // fix secunia 2010-91-3
|
|
| 62 |
$parent = intval($admin->get_post('parent')); // fix secunia 2010-91-3
|
|
| 63 | 63 |
$visibility = $admin->get_post_escaped('visibility');
|
| 64 | 64 |
if (!in_array($visibility, array('public', 'private', 'registered', 'hidden', 'none'))) {$visibility = 'public';} // fix secunia 2010-93-3
|
| 65 |
$template = preg_replace("/\W/", "", $admin->get_post_escaped('template')); // fix secunia 2010-93-3
|
|
| 66 |
$target = preg_replace("/\W/", "", $admin->get_post_escaped('target'));
|
|
| 65 |
$template = preg_replace("/\W/", "", $admin->get_post('template')); // fix secunia 2010-93-3
|
|
| 66 |
$target = preg_replace("/\W/", "", $admin->get_post('target'));
|
|
| 67 | 67 |
$admin_groups = $admin->get_post_escaped('admin_groups');
|
| 68 | 68 |
$viewing_groups = $admin->get_post_escaped('viewing_groups');
|
| 69 |
$searching = (int) $admin->get_post_escaped('searching');
|
|
| 69 |
$searching = intval($admin->get_post('searching'));
|
|
| 70 | 70 |
$language = strtoupper($admin->get_post('language'));
|
| 71 | 71 |
$language = (preg_match('/^[A-Z]{2}$/', $language) ? $language : DEFAULT_LANGUAGE);
|
| 72 |
$menu = (int) $admin->get_post_escaped('menu'); // fix secunia 2010-91-3
|
|
| 72 |
$menu = intval($admin->get_post('menu')); // fix secunia 2010-91-3
|
|
| 73 | 73 |
|
| 74 | 74 |
// Validate data |
| 75 | 75 |
if($page_title == '' || substr($page_title,0,1)=='.') |
| ... | ... | |
| 325 | 325 |
|
| 326 | 326 |
// Print admin footer |
| 327 | 327 |
$admin->print_footer(); |
| 328 |
|
|
| 329 |
?> |
|
| branches/2.8.x/wb/admin/pages/sections.php | ||
|---|---|---|
| 28 | 28 |
/* */ |
| 29 | 29 |
$debug = false; // to show position and section_id |
| 30 | 30 |
If(!defined('DEBUG')) { define('DEBUG',$debug);}
|
| 31 |
// Include the WB functions file |
|
| 32 |
require_once(WB_PATH.'/framework/functions.php'); |
|
| 31 | 33 |
// Create new admin object |
| 32 | 34 |
require_once(WB_PATH.'/framework/class.admin.php'); |
| 33 |
$admin = new admin('Pages', 'pages_modify');
|
|
| 35 |
$admin = new admin('Pages', 'pages_modify', false);
|
|
| 34 | 36 |
|
| 37 |
$action = 'show'; |
|
| 35 | 38 |
// Get page id |
| 36 |
if(!isset($_GET['page_id']) || !is_numeric($_GET['page_id'])) |
|
| 37 |
{
|
|
| 38 |
header("Location: index.php");
|
|
| 39 |
exit(0); |
|
| 40 |
} else {
|
|
| 41 |
$page_id = $_GET['page_id']; |
|
| 42 |
} |
|
| 39 |
$requestMethod = '_'.strtoupper($_SERVER['REQUEST_METHOD']); |
|
| 40 |
$page_id = intval((isset(${$requestMethod}['page_id'])) ? ${$requestMethod}['page_id'] : 0);
|
|
| 41 |
$action = ($page_id ? 'show' : $action); |
|
| 42 |
// Get section id if there is one |
|
| 43 |
$requestMethod = '_'.strtoupper($_SERVER['REQUEST_METHOD']); |
|
| 44 |
$section_id = ((isset(${$requestMethod}['section_id'])) ? ${$requestMethod}['section_id'] : 0);
|
|
| 45 |
$action = ($section_id ? 'delete' : $action); |
|
| 46 |
// Get module if there is one |
|
| 47 |
$requestMethod = '_'.strtoupper($_SERVER['REQUEST_METHOD']); |
|
| 48 |
$module = ((isset(${$requestMethod}['module'])) ? ${$requestMethod}['module'] : 0);
|
|
| 49 |
$action = ($module != '' ? 'add' : $action); |
|
| 50 |
$admin_header = true; |
|
| 51 |
$backlink = ADMIN_URL.'/pages/sections.php?page_id='.(int)$page_id; |
|
| 43 | 52 |
|
| 44 |
/* |
|
| 45 |
if( (!($page_id = $admin->checkIDKEY('page_id', 0, $_SERVER['REQUEST_METHOD']))) )
|
|
| 46 |
{
|
|
| 47 |
$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS']); |
|
| 48 |
exit(); |
|
| 49 |
} |
|
| 50 |
*/ |
|
| 51 |
/* |
|
| 52 |
urlencode function and rawurlencode are mostly based on RFC 1738. |
|
| 53 |
However, since 2005 the current RFC in use for URIs standard is RFC 3986. |
|
| 54 |
Here is a function to encode URLs according to RFC 3986. |
|
| 55 |
*/ |
|
| 56 |
function url_encode($string) {
|
|
| 57 |
$string = html_entity_decode($string,ENT_QUOTES,'UTF-8'); |
|
| 58 |
$entities = array('%20', '%21', '%2A', '%27', '%28', '%29', '%3B', '%3A', '%40', '%26', '%3D', '%2B', '%24', '%2C', '%2F', '%3F', '%25', '%23', '%5B', '%5D');
|
|
| 59 |
$replacements = array(' ','!', '*', "'", "(", ")", ";", ":", "@", "&", "=", "+", "$", ",", "/", "?", "%", "#", "[", "]");
|
|
| 60 |
return str_replace($entities, $replacements, rawurlencode($string)); |
|
| 61 |
} |
|
| 53 |
switch ($action): |
|
| 54 |
case 'delete' : |
|
| 62 | 55 |
|
| 63 |
// Check if we are supposed to add or delete a section |
|
| 64 |
if(isset($_GET['section_id']) && is_numeric($_GET['section_id'])) |
|
| 65 |
{
|
|
| 66 |
// Get more information about this section |
|
| 67 |
$section_id = $_GET['section_id']; |
|
| 68 |
$sql = 'SELECT `module` FROM `'.TABLE_PREFIX.'sections` '; |
|
| 69 |
$sql .= 'WHERE `section_id` ='.$section_id; |
|
| 70 |
$query_section = $database->query($sql); |
|
| 56 |
if( ( !($section_id = intval($admin->checkIDKEY('section_id', 0, $_SERVER['REQUEST_METHOD'])) )) )
|
|
| 57 |
{
|
|
| 58 |
if($admin_header) { $admin->print_header(); }
|
|
| 59 |
$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'],$backlink); |
|
| 60 |
} |
|
| 71 | 61 |
|
| 72 |
if($query_section->numRows() == 0) |
|
| 73 |
{
|
|
| 74 |
$admin->print_error('Section not found');
|
|
| 75 |
} |
|
| 76 |
$section = $query_section->fetchRow(); |
|
| 77 |
// Include the modules delete file if it exists |
|
| 78 |
if(file_exists(WB_PATH.'/modules/'.$section['module'].'/delete.php')) |
|
| 79 |
{
|
|
| 80 |
require(WB_PATH.'/modules/'.$section['module'].'/delete.php'); |
|
| 81 |
} |
|
| 82 |
$sql = 'DELETE FROM `'.TABLE_PREFIX.'sections` '; |
|
| 83 |
$sql .= 'WHERE `section_id` ='.$section_id.' LIMIT 1'; |
|
| 84 |
$query_section = $database->query($sql); |
|
| 62 |
$action = 'show'; |
|
| 63 |
$sql = 'SELECT `module` FROM `'.TABLE_PREFIX.'sections` '; |
|
| 64 |
$sql .= 'WHERE `section_id` ='.$section_id; |
|
| 65 |
if( ( ($modulname = $database->get_one($sql)) == $module) && ($section_id > 0 ) ) {
|
|
| 66 |
// Include the modules delete file if it exists |
|
| 67 |
if(file_exists(WB_PATH.'/modules/'.$modulname.'/delete.php')) |
|
| 68 |
{
|
|
| 69 |
require(WB_PATH.'/modules/'.$modulname.'/delete.php'); |
|
| 70 |
} |
|
| 71 |
$sql = 'DELETE FROM `'.TABLE_PREFIX.'sections` '; |
|
| 72 |
$sql .= 'WHERE `section_id` ='.(int)$section_id.' LIMIT 1'; |
|
| 73 |
if( !$database->query($sql) ) {
|
|
| 74 |
if($admin_header) { $admin->print_header(); }
|
|
| 75 |
$admin->print_error($database->get_error(),$backlink); |
|
| 76 |
} else {
|
|
| 77 |
require_once(WB_PATH.'/framework/class.order.php'); |
|
| 78 |
$order = new order(TABLE_PREFIX.'sections', 'position', 'section_id', 'page_id'); |
|
| 79 |
$order->clean($page_id); |
|
| 80 |
$format = $TEXT['SECTION'].' %d %s %s '.strtolower( $TEXT['DELETED']); |
|
| 81 |
$message = sprintf ($format,$section_id,strtoupper($modulname),strtolower($TEXT['SUCCESS'])); |
|
| 82 |
if($admin_header) { $admin->print_header(); }
|
|
| 83 |
$admin_header = false; |
|
| 84 |
unset($_POST); |
|
| 85 |
$admin->print_success($message, $backlink ); |
|
| 86 |
} |
|
| 87 |
} else {
|
|
| 88 |
if($admin_header) { $admin->print_header(); }
|
|
| 89 |
$admin->print_error($module.' '.strtolower($TEXT['NOT_FOUND']),$backlink); |
|
| 90 |
} |
|
| 85 | 91 |
|
| 86 |
if($database->is_error()) |
|
| 87 |
{
|
|
| 88 |
$admin->print_error($database->get_error()); |
|
| 89 |
} else {
|
|
| 90 |
require(WB_PATH.'/framework/class.order.php'); |
|
| 92 |
break; |
|
| 93 |
case 'add' : |
|
| 94 |
|
|
| 95 |
if (!$admin->checkFTAN()) |
|
| 96 |
{
|
|
| 97 |
$admin->print_header(); |
|
| 98 |
$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'],$backlink); |
|
| 99 |
} |
|
| 100 |
$action = 'show'; |
|
| 101 |
$module = preg_replace('/\W/', '', $module ); // fix secunia 2010-91-4
|
|
| 102 |
require_once(WB_PATH.'/framework/class.order.php'); |
|
| 103 |
// Get new order |
|
| 91 | 104 |
$order = new order(TABLE_PREFIX.'sections', 'position', 'section_id', 'page_id'); |
| 92 |
$order->clean($page_id); |
|
| 93 |
$admin->print_success($TEXT['SUCCESS'], ADMIN_URL.'/pages/sections.php?page_id='.$page_id ); |
|
| 94 |
$admin->print_footer(); |
|
| 95 |
exit(); |
|
| 96 |
} |
|
| 97 |
} elseif(isset($_POST['module']) && $_POST['module'] != '') |
|
| 98 |
{
|
|
| 99 |
// Get section info |
|
| 100 |
$module = preg_replace("/\W/", "", $admin->add_slashes($_POST['module'])); // fix secunia 2010-91-4
|
|
| 101 |
// Include the ordering class |
|
| 102 |
require(WB_PATH.'/framework/class.order.php'); |
|
| 103 |
// Get new order |
|
| 104 |
$order = new order(TABLE_PREFIX.'sections', 'position', 'section_id', 'page_id'); |
|
| 105 |
$position = $order->get_new($page_id); |
|
| 106 |
// Insert module into DB |
|
| 107 |
$sql = 'INSERT INTO `'.TABLE_PREFIX.'sections` SET '; |
|
| 108 |
$sql .= '`page_id` = '.$page_id.', '; |
|
| 109 |
$sql .= '`module` = "'.$module.'", '; |
|
| 110 |
$sql .= '`position` = '.$position.', '; |
|
| 111 |
$sql .= '`block`=1'; |
|
| 112 |
$database->query($sql); |
|
| 113 |
// Get the section id |
|
| 114 |
$section_id = $database->get_one("SELECT LAST_INSERT_ID()");
|
|
| 115 |
// Include the selected modules add file if it exists |
|
| 116 |
if(file_exists(WB_PATH.'/modules/'.$module.'/add.php')) |
|
| 117 |
{
|
|
| 118 |
require(WB_PATH.'/modules/'.$module.'/add.php'); |
|
| 119 |
} |
|
| 120 |
} |
|
| 105 |
$position = $order->get_new($page_id); |
|
| 106 |
// Insert module into DB |
|
| 107 |
$sql = 'INSERT INTO `'.TABLE_PREFIX.'sections` SET '; |
|
| 108 |
$sql .= '`page_id` = '.(int)$page_id.', '; |
|
| 109 |
$sql .= '`module` = \''.$module.'\', '; |
|
| 110 |
$sql .= '`position` = '.(int)$position.', '; |
|
| 111 |
$sql .= '`block` = 1'; |
|
| 112 |
if($database->query($sql)) {
|
|
| 113 |
// Get the section id |
|
| 114 |
$section_id = $database->get_one("SELECT LAST_INSERT_ID()");
|
|
| 115 |
// Include the selected modules add file if it exists |
|
| 116 |
if(file_exists(WB_PATH.'/modules/'.$module.'/add.php')) |
|
| 117 |
{
|
|
| 118 |
require(WB_PATH.'/modules/'.$module.'/add.php'); |
|
| 119 |
} |
|
| 120 |
} elseif ($database->is_error()) {
|
|
| 121 |
if($admin_header) { $admin->print_header(); }
|
|
| 122 |
$admin->print_error($database->get_error()); |
|
| 123 |
} |
|
| 124 |
break; |
|
| 125 |
default: |
|
| 126 |
break; |
|
| 127 |
endswitch; |
|
| 121 | 128 |
|
| 122 |
// Get perms |
|
| 123 |
// $database = new database(); |
|
| 124 |
$sql = 'SELECT `admin_groups`,`admin_users` FROM `'.TABLE_PREFIX.'pages` '; |
|
| 125 |
$sql .= 'WHERE `page_id` = '.$page_id; |
|
| 126 |
$results = $database->query($sql); |
|
| 129 |
switch ($action): |
|
| 130 |
default: |
|
| 127 | 131 |
|
| 128 |
$results_array = $results->fetchRow(); |
|
| 129 |
$old_admin_groups = explode(',', $results_array['admin_groups']);
|
|
| 130 |
$old_admin_users = explode(',', $results_array['admin_users']);
|
|
| 131 |
$in_old_group = FALSE; |
|
| 132 |
foreach($admin->get_groups_id() as $cur_gid) |
|
| 133 |
{
|
|
| 134 |
if (in_array($cur_gid, $old_admin_groups)) |
|
| 135 |
{
|
|
| 136 |
$in_old_group = TRUE; |
|
| 137 |
} |
|
| 138 |
} |
|
| 139 |
if((!$in_old_group) && !is_numeric(array_search($admin->get_user_id(), $old_admin_users))) |
|
| 140 |
{
|
|
| 141 |
$admin->print_error($MESSAGE['PAGES']['INSUFFICIENT_PERMISSIONS']); |
|
| 142 |
} |
|
| 132 |
if($admin_header) { $admin->print_header(); }
|
|
| 133 |
// Get perms |
|
| 134 |
$sql = 'SELECT `admin_groups`,`admin_users` FROM `'.TABLE_PREFIX.'pages` '; |
|
| 135 |
$sql .= 'WHERE `page_id` = '.$page_id; |
|
| 136 |
$results = $database->query($sql); |
|
| 143 | 137 |
|
| 144 |
// Get page details |
|
| 145 |
// $database = new database(); |
|
| 146 |
$sql = 'SELECT * FROM `'.TABLE_PREFIX.'pages` '; |
|
| 147 |
$sql .= 'WHERE `page_id` = '.$page_id; |
|
| 148 |
$results = $database->query($sql); |
|
| 138 |
$results_array = $results->fetchRow(); |
|
| 139 |
$old_admin_groups = explode(',', $results_array['admin_groups']);
|
|
| 140 |
$old_admin_users = explode(',', $results_array['admin_users']);
|
|
| 141 |
$in_old_group = FALSE; |
|
| 142 |
foreach($admin->get_groups_id() as $cur_gid) |
|
| 143 |
{
|
|
| 144 |
if (in_array($cur_gid, $old_admin_groups)) |
|
| 145 |
{
|
|
| 146 |
$in_old_group = TRUE; |
|
| 147 |
} |
|
| 148 |
} |
|
| 149 |
if((!$in_old_group) && !is_numeric(array_search($admin->get_user_id(), $old_admin_users))) |
|
| 150 |
{
|
|
| 151 |
$admin->print_header(); |
|
| 152 |
$admin->print_error($MESSAGE['PAGES']['INSUFFICIENT_PERMISSIONS']); |
|
| 153 |
} |
|
| 149 | 154 |
|
| 150 |
if($database->is_error()) |
|
| 151 |
{
|
|
| 152 |
// $admin->print_header(); |
|
| 153 |
$admin->print_error($database->get_error()); |
|
| 154 |
} |
|
| 155 |
if($results->numRows() == 0) |
|
| 156 |
{
|
|
| 157 |
// $admin->print_header(); |
|
| 158 |
$admin->print_error($MESSAGE['PAGES']['NOT_FOUND']); |
|
| 159 |
} |
|
| 160 |
$results_array = $results->fetchRow(); |
|
| 155 |
// Get page details |
|
| 156 |
$sql = 'SELECT * FROM `'.TABLE_PREFIX.'pages` '; |
|
| 157 |
$sql .= 'WHERE `page_id` = '.$page_id; |
|
| 158 |
$results = $database->query($sql); |
|
| 161 | 159 |
|
| 162 |
// Set module permissions |
|
| 163 |
$module_permissions = $_SESSION['MODULE_PERMISSIONS']; |
|
| 160 |
if($database->is_error()) |
|
| 161 |
{
|
|
| 162 |
// $admin->print_header(); |
|
| 163 |
$admin->print_error($database->get_error()); |
|
| 164 |
} |
|
| 165 |
if($results->numRows() == 0) |
|
| 166 |
{
|
|
| 167 |
// $admin->print_header(); |
|
| 168 |
$admin->print_error($MESSAGE['PAGES']['NOT_FOUND']); |
|
| 169 |
} |
|
| 170 |
$results_array = $results->fetchRow(); |
|
| 164 | 171 |
|
| 165 |
// Unset block var |
|
| 166 |
unset($block); |
|
| 167 |
// Include template info file (if it exists) |
|
| 168 |
if($results_array['template'] != '') |
|
| 169 |
{
|
|
| 170 |
$template_location = WB_PATH.'/templates/'.$results_array['template'].'/info.php'; |
|
| 171 |
} else {
|
|
| 172 |
$template_location = WB_PATH.'/templates/'.DEFAULT_TEMPLATE.'/info.php'; |
|
| 173 |
} |
|
| 174 |
if(file_exists($template_location)) |
|
| 175 |
{
|
|
| 176 |
require($template_location); |
|
| 177 |
} |
|
| 178 |
// Check if $menu is set |
|
| 179 |
if(!isset($block[1]) || $block[1] == '') |
|
| 180 |
{
|
|
| 181 |
// Make our own menu list |
|
| 182 |
$block[1] = $TEXT['MAIN']; |
|
| 183 |
} |
|
| 172 |
// Set module permissions |
|
| 173 |
$module_permissions = $_SESSION['MODULE_PERMISSIONS']; |
|
| 184 | 174 |
|
| 185 |
/*-- load css files with jquery --*/ |
|
| 186 |
// include jscalendar-setup |
|
| 187 |
$jscal_use_time = true; // whether to use a clock, too |
|
| 188 |
require_once(WB_PATH."/include/jscalendar/wb-setup.php"); |
|
| 175 |
// Unset block var |
|
| 176 |
unset($block); |
|
| 177 |
// Include template info file (if it exists) |
|
| 178 |
if($results_array['template'] != '') |
|
| 179 |
{
|
|
| 180 |
$template_location = WB_PATH.'/templates/'.$results_array['template'].'/info.php'; |
|
| 181 |
} else {
|
|
| 182 |
$template_location = WB_PATH.'/templates/'.DEFAULT_TEMPLATE.'/info.php'; |
|
| 183 |
} |
|
| 184 |
if(file_exists($template_location)) |
|
| 185 |
{
|
|
| 186 |
require($template_location); |
|
| 187 |
} |
|
| 188 |
// Check if $menu is set |
|
| 189 |
if(!isset($block[1]) || $block[1] == '') |
|
| 190 |
{
|
|
| 191 |
// Make our own menu list |
|
| 192 |
$block[1] = $TEXT['MAIN']; |
|
| 193 |
} |
|
| 189 | 194 |
|
| 190 |
// Setup template object |
|
| 191 |
$template = new Template(THEME_PATH.'/templates'); |
|
| 192 |
$template->set_file('page', 'pages_sections.htt');
|
|
| 193 |
$template->set_block('page', 'main_block', 'main');
|
|
| 194 |
$template->set_block('main_block', 'module_block', 'module_list');
|
|
| 195 |
$template->set_block('main_block', 'section_block', 'section_list');
|
|
| 196 |
$template->set_block('section_block', 'block_block', 'block_list');
|
|
| 197 |
$template->set_block('main_block', 'calendar_block', 'calendar_list');
|
|
| 198 |
$template->set_var('FTAN', $admin->getFTAN());
|
|
| 195 |
/*-- load css files with jquery --*/ |
|
| 196 |
// include jscalendar-setup |
|
| 197 |
$jscal_use_time = true; // whether to use a clock, too |
|
| 198 |
require_once(WB_PATH."/include/jscalendar/wb-setup.php"); |
|
| 199 | 199 |
|
| 200 |
// set first defaults and messages |
|
| 201 |
$template->set_var(array( |
|
| 202 |
'PAGE_ID' => $results_array['page_id'], |
|
| 203 |
// 'PAGE_IDKEY' => $admin->getIDKEY($results_array['page_id']), |
|
| 204 |
'PAGE_IDKEY' => $results_array['page_id'], |
|
| 205 |
'TEXT_PAGE' => $TEXT['PAGE'], |
|
| 206 |
'PAGE_TITLE' => ($results_array['page_title']), |
|
| 207 |
'MENU_TITLE' => ($results_array['menu_title']), |
|
| 208 |
'TEXT_CURRENT_PAGE' => $TEXT['CURRENT_PAGE'], |
|
| 209 |
'HEADING_MANAGE_SECTIONS' => $HEADING['MANAGE_SECTIONS'], |
|
| 210 |
'HEADING_MODIFY_PAGE' => $HEADING['MODIFY_PAGE'], |
|
| 211 |
'TEXT_CHANGE_SETTINGS' => $TEXT['CHANGE_SETTINGS'], |
|
| 212 |
'TEXT_ADD_SECTION' => $TEXT['ADD_SECTION'], |
|
| 213 |
'TEXT_ID' => 'ID', |
|
| 214 |
'TEXT_TYPE' => $TEXT['TYPE'], |
|
| 215 |
'TEXT_BLOCK' => $TEXT['BLOCK'], |
|
| 216 |
'TEXT_PUBL_START_DATE' => $TEXT{'PUBL_START_DATE'},
|
|
| 217 |
'TEXT_PUBL_END_DATE' => $TEXT['PUBL_END_DATE'], |
|
| 218 |
'TEXT_ACTIONS' => $TEXT['ACTIONS'], |
|
| 219 |
'ADMIN_URL' => ADMIN_URL, |
|
| 220 |
'WB_URL' => WB_URL, |
|
| 221 |
'THEME_URL' => THEME_URL |
|
| 222 |
) |
|
| 223 |
); |
|
| 200 |
// Setup template object |
|
| 201 |
$tpl = new Template(THEME_PATH.'/templates'); |
|
| 202 |
$tpl->set_file('page', 'pages_sections.htt');
|
|
| 203 |
$tpl->set_block('page', 'main_block', 'main');
|
|
| 204 |
$tpl->set_block('main_block', 'module_block', 'module_list');
|
|
| 205 |
$tpl->set_block('main_block', 'section_block', 'section_list');
|
|
| 206 |
$tpl->set_block('section_block', 'block_block', 'block_list');
|
|
| 207 |
$tpl->set_block('main_block', 'calendar_block', 'calendar_list');
|
|
| 208 |
$tpl->set_var('FTAN', $admin->getFTAN());
|
|
| 224 | 209 |
|
| 225 |
// Insert variables |
|
| 226 |
$template->set_var(array( |
|
| 227 |
'PAGE_ID' => $results_array['page_id'], |
|
| 228 |
// 'PAGE_IDKEY' => $admin->getIDKEY($results_array['page_id']), |
|
| 229 |
'PAGE_IDKEY' => $results_array['page_id'], |
|
| 230 |
'VAR_PAGE_TITLE' => $results_array['page_title'], |
|
| 231 |
'SETTINGS_LINK' => ADMIN_URL.'/pages/settings.php?page_id='.$results_array['page_id'], |
|
| 232 |
'MODIFY_LINK' => ADMIN_URL.'/pages/modify.php?page_id='.$results_array['page_id'] |
|
| 233 |
) |
|
| 234 |
); |
|
| 210 |
// set first defaults and messages |
|
| 211 |
$tpl->set_var(array( |
|
| 212 |
'PAGE_ID' => $results_array['page_id'], |
|
| 213 |
// 'PAGE_IDKEY' => $admin->getIDKEY($results_array['page_id']), |
|
| 214 |
'PAGE_IDKEY' => $results_array['page_id'], |
|
| 215 |
'TEXT_PAGE' => $TEXT['PAGE'], |
|
| 216 |
'PAGE_TITLE' => ($results_array['page_title']), |
|
| 217 |
'MENU_TITLE' => ($results_array['menu_title']), |
|
| 218 |
'TEXT_CURRENT_PAGE' => $TEXT['CURRENT_PAGE'], |
|
| 219 |
'HEADING_MANAGE_SECTIONS' => $HEADING['MANAGE_SECTIONS'], |
|
| 220 |
'HEADING_MODIFY_PAGE' => $HEADING['MODIFY_PAGE'], |
|
| 221 |
'TEXT_CHANGE_SETTINGS' => $TEXT['CHANGE_SETTINGS'], |
|
| 222 |
'TEXT_ADD_SECTION' => $TEXT['ADD_SECTION'], |
|
| 223 |
'TEXT_ID' => 'ID', |
|
| 224 |
'TEXT_TYPE' => $TEXT['TYPE'], |
|
| 225 |
'TEXT_BLOCK' => $TEXT['BLOCK'], |
|
| 226 |
'TEXT_PUBL_START_DATE' => $TEXT{'PUBL_START_DATE'},
|
|
| 227 |
'TEXT_PUBL_END_DATE' => $TEXT['PUBL_END_DATE'], |
|
| 228 |
'TEXT_ACTIONS' => $TEXT['ACTIONS'], |
|
| 229 |
'ADMIN_URL' => ADMIN_URL, |
|
| 230 |
'WB_URL' => WB_URL, |
|
| 231 |
'THEME_URL' => THEME_URL |
|
| 232 |
) |
|
| 233 |
); |
|
| 235 | 234 |
|
| 236 |
$sql = 'SELECT `section_id`,`module`,`position`,`block`,`publ_start`,`publ_end` '; |
|
| 237 |
$sql .= 'FROM `'.TABLE_PREFIX.'sections` '; |
|
| 238 |
$sql .= 'WHERE `page_id` = '.$page_id.' '; |
|
| 239 |
$sql .= 'ORDER BY `position` ASC'; |
|
| 240 |
$query_sections = $database->query($sql); |
|
| 235 |
// Insert variables |
|
| 236 |
$tpl->set_var(array( |
|
| 237 |
'PAGE_ID' => $results_array['page_id'], |
|
| 238 |
// 'PAGE_IDKEY' => $admin->getIDKEY($results_array['page_id']), |
|
| 239 |
'PAGE_IDKEY' => $results_array['page_id'], |
|
| 240 |
'VAR_PAGE_TITLE' => $results_array['page_title'], |
|
| 241 |
'SETTINGS_LINK' => ADMIN_URL.'/pages/settings.php?page_id='.$results_array['page_id'], |
|
| 242 |
'MODIFY_LINK' => ADMIN_URL.'/pages/modify.php?page_id='.$results_array['page_id'] |
|
| 243 |
) |
|
| 244 |
); |
|
| 241 | 245 |
|
| 242 |
if($query_sections->numRows() > 0) |
|
| 243 |
{
|
|
| 244 |
$num_sections = $query_sections->numRows(); |
|
| 245 |
while($section = $query_sections->fetchRow()) |
|
| 246 |
{
|
|
| 247 |
if(!is_numeric(array_search($section['module'], $module_permissions))) |
|
| 248 |
{
|
|
| 249 |
// Get the modules real name |
|
| 250 |
$sql = 'SELECT `name` FROM `'.TABLE_PREFIX.'addons` '; |
|
| 251 |
$sql .= 'WHERE `directory` = "'.$section['module'].'"'; |
|
| 252 |
if(!$database->get_one($sql) || !file_exists(WB_PATH.'/modules/'.$section['module'])) |
|
| 253 |
{
|
|
| 254 |
$edit_page = '<span class="module_disabled">'.$section['module'].'</span>'; |
|
| 255 |
}else |
|
| 256 |
{
|
|
| 257 |
$edit_page = ''; |
|
| 258 |
} |
|
| 259 |
$edit_page_0 = '<a id="sid'.$section['section_id'].'" href="'.ADMIN_URL.'/pages/modify.php?page_id='.$results_array['page_id']; |
|
| 260 |
$edit_page_1 = $section['section_id'].'">'.$section['module'].'</a>'; |
|
| 261 |
if(SECTION_BLOCKS) |
|
| 262 |
{
|
|
| 263 |
if($edit_page == '') |
|
| 264 |
{
|
|
| 265 |
if(defined('EDIT_ONE_SECTION') && EDIT_ONE_SECTION)
|
|
| 246 |
$sql = 'SELECT `section_id`,`module`,`position`,`block`,`publ_start`,`publ_end` '; |
|
| 247 |
$sql .= 'FROM `'.TABLE_PREFIX.'sections` '; |
|
| 248 |
$sql .= 'WHERE `page_id` = '.$page_id.' '; |
|
| 249 |
$sql .= 'ORDER BY `position` ASC'; |
|
| 250 |
$query_sections = $database->query($sql); |
|
| 251 |
|
|
| 252 |
if($query_sections->numRows() > 0) |
|
| 253 |
{
|
|
| 254 |
$num_sections = $query_sections->numRows(); |
|
| 255 |
while($section = $query_sections->fetchRow()) |
|
| 256 |
{
|
|
| 257 |
if(!is_numeric(array_search($section['module'], $module_permissions))) |
|
| 258 |
{
|
|
| 259 |
// Get the modules real name |
|
| 260 |
$sql = 'SELECT `name` FROM `'.TABLE_PREFIX.'addons` '; |
|
| 261 |
$sql .= 'WHERE `directory` = "'.$section['module'].'"'; |
|
| 262 |
if(!$database->get_one($sql) || !file_exists(WB_PATH.'/modules/'.$section['module'])) |
|
| 266 | 263 |
{
|
| 267 |
$edit_page = $edit_page_0.'&wysiwyg='.$edit_page_1; |
|
| 264 |
$edit_page = '<span class="module_disabled">'.$section['module'].'</span>'; |
|
| 265 |
}else |
|
| 266 |
{
|
|
| 267 |
$edit_page = ''; |
|
| 268 |
} |
|
| 269 |
$edit_page_0 = '<a id="sid'.$section['section_id'].'" href="'.ADMIN_URL.'/pages/modify.php?page_id='.$results_array['page_id']; |
|
| 270 |
$edit_page_1 = $section['section_id'].'">'.$section['module'].'</a>'; |
|
| 271 |
if(SECTION_BLOCKS) |
|
| 272 |
{
|
|
| 273 |
if($edit_page == '') |
|
| 274 |
{
|
|
| 275 |
if(defined('EDIT_ONE_SECTION') && EDIT_ONE_SECTION)
|
|
| 276 |
{
|
|
| 277 |
$edit_page = $edit_page_0.'&wysiwyg='.$edit_page_1; |
|
| 278 |
} else {
|
|
| 279 |
$edit_page = $edit_page_0.'#wb_'.$edit_page_1; |
|
| 280 |
} |
|
| 281 |
} |
|
| 282 |
$input_attribute = 'input_normal'; |
|
| 283 |
$tpl->set_var(array( |
|
| 284 |
'STYLE_DISPLAY_SECTION_BLOCK' => ' style="visibility:visible;"', |
|
| 285 |
'NAME_SIZE' => 300, |
|
| 286 |
'INPUT_ATTRIBUTE' => $input_attribute, |
|
| 287 |
'VAR_SECTION_ID' => $section['section_id'], |
|
| 288 |
'VAR_SECTION_IDKEY' => $admin->getIDKEY($section['section_id']), |
|
| 289 |
// 'VAR_SECTION_IDKEY' => $section['section_id'], |
|
| 290 |
'VAR_POSITION' => $section['position'], |
|
| 291 |
'LINK_MODIFY_URL_VAR_MODUL_NAME' => $edit_page, |
|
| 292 |
'SELECT' => '', |
|
| 293 |
'SET_NONE_DISPLAY_OPTION' => '' |
|
| 294 |
) |
|
| 295 |
); |
|
| 296 |
// Add block options to the section_list |
|
| 297 |
$tpl->clear_var('block_list');
|
|
| 298 |
foreach($block AS $number => $name) |
|
| 299 |
{
|
|
| 300 |
$tpl->set_var('NAME', htmlentities(strip_tags($name)));
|
|
| 301 |
$tpl->set_var('VALUE', $number);
|
|
| 302 |
$tpl->set_var('SIZE', 1);
|
|
| 303 |
if($section['block'] == $number) |
|
| 304 |
{
|
|
| 305 |
$tpl->set_var('SELECTED', ' selected="selected"');
|
|
| 306 |
} else {
|
|
| 307 |
$tpl->set_var('SELECTED', '');
|
|
| 308 |
} |
|
| 309 |
$tpl->parse('block_list', 'block_block', true);
|
|
| 310 |
} |
|
| 268 | 311 |
} else {
|
| 269 |
$edit_page = $edit_page_0.'#wb_'.$edit_page_1; |
|
| 312 |
if($edit_page == '') |
|
| 313 |
{
|
|
| 314 |
$edit_page = $edit_page_0.'#wb_'.$edit_page_1; |
|
| 315 |
} |
|
| 316 |
$input_attribute = 'input_normal'; |
|
| 317 |
$tpl->set_var(array( |
|
| 318 |
'STYLE_DISPLAY_SECTION_BLOCK' => ' style="visibility:hidden;"', |
|
| 319 |
'NAME_SIZE' => 300, |
|
| 320 |
'INPUT_ATTRIBUTE' => $input_attribute, |
|
| 321 |
'VAR_SECTION_ID' => $section['section_id'], |
|
| 322 |
'VAR_SECTION_IDKEY' => $admin->getIDKEY($section['section_id']), |
|
| 323 |
// 'VAR_SECTION_IDKEY' => $section['section_id'], |
|
| 324 |
'VAR_POSITION' => $section['position'], |
|
| 325 |
'LINK_MODIFY_URL_VAR_MODUL_NAME' => $edit_page, |
|
| 326 |
'NAME' => htmlentities(strip_tags($block[1])), |
|
| 327 |
'VALUE' => 1, |
|
| 328 |
'SET_NONE_DISPLAY_OPTION' => '' |
|
| 329 |
) |
|
| 330 |
); |
|
| 270 | 331 |
} |
| 271 |
} |
|
| 272 |
$input_attribute = 'input_normal'; |
|
| 273 |
$template->set_var(array( |
|
| 274 |
'STYLE_DISPLAY_SECTION_BLOCK' => ' style="visibility:visible;"', |
|
| 275 |
'NAME_SIZE' => 300, |
|
| 276 |
'INPUT_ATTRIBUTE' => $input_attribute, |
|
| 277 |
'VAR_SECTION_ID' => $section['section_id'], |
|
| 278 |
// 'VAR_SECTION_IDKEY' => $admin->getIDKEY($section['section_id']), |
|
| 279 |
'VAR_SECTION_IDKEY' => $section['section_id'], |
|
| 280 |
'VAR_POSITION' => $section['position'], |
|
| 281 |
'LINK_MODIFY_URL_VAR_MODUL_NAME' => $edit_page, |
|
| 282 |
'SELECT' => '', |
|
| 283 |
'SET_NONE_DISPLAY_OPTION' => '' |
|
| 284 |
) |
|
| 285 |
); |
|
Also available in: Unified diff
! security fixes media, groups, users, sections
! reworked add sections in pages
! fix set empty href in show_menu2
! set show_menu2 version to 4.9.6
! reworked Droplet LoginBox, add redirect query
- remove unneeded folder js
! set Droplet to version 1.1.0
+ add checkboxes to change frontend absolute url to relative urls
! set output_filter version to 0.2