
Revision 1372

Added by Dietmar almost 14 years ago

fixed class.wb.php to add class SecureForm


class.wb.php
5 5
 * @package         framework
6 6
 * @author          WebsiteBaker Project
7 7
 * @copyright       2004-2009, Ryan Djurovich
8
 * @copyright       2009-2011, Website Baker Org. e.V.
8
 * @copyright       2009-2010, Website Baker Org. e.V.
9 9
 * @link			http://www.websitebaker2.org/
10 10
 * @license         http://www.gnu.org/licenses/gpl.html
11 11
 * @platform        WebsiteBaker 2.8.x
12
 * @requirements    PHP 5.2.2 and higher
12
 * @requirements    PHP 4.3.4 and higher
13 13
 * @version         $Id$
14
 * @filesource		$HeadURL: $
15
 * @lastmodified    $Date:  $
14
 * @filesource		$HeadURL: http://svn29.websitebaker2.org/trunk/wb/framework/class.wb.php $
15
 * @lastmodified    $Date: 2010-11-23 00:55:43 +0100 (Di, 23. Nov 2010) $
16 16
 *
17 17
 */
18

  
18
/*
19
// Must include code to stop this file being access directly
20
if(defined('WB_PATH') == false) { exit("Cannot access this file directly"); }
21
*/
19 22
// Include PHPLIB template class
20 23
require_once(WB_PATH."/include/phplib/template.inc");
21 24

  
......
29 32
class wb extends SecureForm
30 33
{
31 34

  
32
	var $password_chars = 'a-zA-Z0-9\_\-\!\#\*\+';
35
	private $password_chars = 'a-zA-Z0-9\_\-\!\#\*\+';
33 36
	// General initialization function
34 37
	// performed when frontend or backend is loaded.
35 38

  
36
	function wb() {
39
	public function wb() {
40
		parent::__construct();
37 41
	}
38 42

  
39
/* ****************
40
 * check if current user is member of at least one of given groups
41
 * ADMIN (uid=1) always is treated like a member of any groups
42
 *
43
 * @access public
44
 * @param mixed $groups_list: an array or a coma seperated list of group-ids
45
 * @return bool: true if current user is member of one of this groups, otherwise false
46
 */
47
	function ami_group_member( $groups_list = '' )
48
	{
49
		if( $this->get_user_id() == 1 ) { return true; }
50
		return $this->is_group_match( $groups_list, $this->get_groups_id() );
51
	}
52

  
53 43
	// Check whether a page is visible or not.
54 44
	// This will check page-visibility and user- and group-rights.
55 45
	/* page_is_visible() returns
56 46
		false: if page-visibility is 'none' or 'deleted', or page-vis. is 'registered' or 'private' and user isn't allowed to see the page.
57 47
		true: if page-visibility is 'public' or 'hidden', or page-vis. is 'registered' or 'private' and user _is_ allowed to see the page.
58 48
	*/
59
	function page_is_visible($page)
49
	public function page_is_visible($page)
60 50
    {
51
		// First check if visibility is 'none', 'deleted'
61 52
		$show_it = false; // shall we show the page?
62
		$page_id = $page['page_id'];
63
		$visibility = $page['visibility'];
64
		$viewing_groups = $page['viewing_groups'];
65
		$viewing_users = $page['viewing_users'];
66

  
67
		// First check if visibility is 'none', 'deleted'
68
		if($visibility == 'none')
69
        {
70
			return(false);
71
		} elseif($visibility == 'deleted')
72
        {
73
			return(false);
53
		switch( $page['visibility'] )
54
		{
55
			case 'none':
56
			case 'deleted':
57
				$show_it = false;
58
				break;
59
			case 'hidden':
60
			case 'public':
61
				$show_it = true;
62
				break;
63
			case 'private':
64
			case 'registered':
65
				if($this->is_authenticated() == true)
66
				{
67
					$show_it = ( $this->is_group_match($this->get_groups_id(), $page['viewing_groups']) ||
68
								 $this->is_group_match($this->get_user_id(), $page['viewing_users']) );
69
				}
74 70
		}
75 71

  
76
		// Now check if visibility is 'hidden', 'private' or 'registered'
77
		if($visibility == 'hidden') { // hidden: hide the menu-link, but show the page
78
			$show_it = true;
79
		} elseif($visibility == 'private' || $visibility == 'registered')
80
        {
81
			// Check if the user is logged in
82
			if($this->is_authenticated() == true)
83
            {
84
				// Now check if the user has perms to view the page
85
				$in_group = false;
86
				foreach($this->get_groups_id() as $cur_gid)
87
                {
88
				    if(in_array($cur_gid, explode(',', $viewing_groups)))
89
                    {
90
				        $in_group = true;
91
				    }
92
				}
93
				if($in_group || in_array($this->get_user_id(), explode(',', $viewing_users))) {
94
					$show_it = true;
95
				} else {
96
					$show_it = false;
97
				}
98
			} else {
99
				$show_it = false;
100
			}
101
		} elseif($visibility == 'public') {
102
			$show_it = true;
103
		} else {
104
			$show_it = false;
105
		}
106 72
		return($show_it);
107 73
	}
74

  
75
	function section_is_active($section_id)
76
	{
77
		global $database;
78
		$now = time();
79
		$sql  = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'sections` ';
80
		$sql .= 'WHERE ('.$now.' BETWEEN `publ_start` AND `publ_end`) OR ';
81
		$sql .=       '('.$now.' > `publ_start` AND `publ_end`=0) ';
82
		$sql .=       'AND `section_id`='.$section_id;
83
		return ($database->get_one($sql) != false);
84
	}
108 85
	// Check if there is at least one active section on this page
109 86
	function page_is_active($page)
110 87
    {
111 88
		global $database;
112
		$has_active_sections = false;
113
		$page_id = $page['page_id'];
114 89
		$now = time();
115
		$query_sections = $database->query("SELECT publ_start,publ_end FROM ".TABLE_PREFIX."sections WHERE page_id = '$page_id'");
116
		if($query_sections->numRows() != 0)
117
        {
118
			while($section = $query_sections->fetchRow())
119
            {
120
				if($now<$section['publ_end'] && ($now>$section['publ_start'] || $section['publ_start']==0) || $now>$section['publ_start'] && $section['publ_end']==0)
121
                {
122
					$has_active_sections = true;
123
					break;
124
				}
125
			}
126
		}
127
		return($has_active_sections);
90
		$sql  = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'sections` ';
91
		$sql .= 'WHERE ('.$now.' BETWEEN `publ_start` AND `publ_end`) OR ';
92
		$sql .=       '('.$now.' > `publ_start` AND `publ_end`=0) ';
93
		$sql .=       'AND `page_id`='.(int)$page['page_id'];
94
		return ($database->get_one($sql) != false);
128 95
	}
129 96

  
130 97
	// Check whether we should show a page or not (for front-end)
131 98
	function show_page($page)
132 99
    {
133
		if($this->page_is_visible($page) && $this->page_is_active($page))
134
        {
135
			return true;
136
		} else {
137
			return false;
100
		if( !is_array($page) )
101
		{
102
			$sql  = 'SELECT `page_id`, `visibility`, `viewing_groups`, `viewing_users` ';
103
			$sql .= 'FROM `'.TABLE_PREFIX.'pages` WHERE `page_id`='.(int)$page;
104
			if( ($res_pages = $database->query($sql))!= null )
105
			{
106
				if( !($page = $res_pages->fetchRow()) ) { return false; }
107
			}
138 108
		}
109
		return ($this->page_is_visible($page) && $this->page_is_active($page));
139 110
	}
140 111

  
141 112
	// Check if the user is already authenticated or not
142 113
	function is_authenticated() {
143
		if(isset($_SESSION['USER_ID']) AND $_SESSION['USER_ID'] != "" AND is_numeric($_SESSION['USER_ID']))
114
		if(isset($_SESSION['USER_ID']) && $_SESSION['USER_ID'] != "" && is_numeric($_SESSION['USER_ID']))
144 115
        {
145 116
			return true;
146 117
		} else {
......
176 147

  
177 148
	function page_link($link){
178 149
		// Check for :// in the link (used in URL's) as well as mailto:
179
		if(strstr($link, '://') == '' AND substr($link, 0, 7) != 'mailto:') {
150
		if(strstr($link, '://') == '' && substr($link, 0, 7) != 'mailto:') {
180 151
			return WB_URL.PAGES_DIRECTORY.$link.PAGE_EXTENSION;
181 152
		} else {
182 153
			return $link;
......
185 156
	
186 157
	// Get POST data
187 158
	function get_post($field) {
188
		if(isset($_POST[$field])) {
189
			return $_POST[$field];
190
		} else {
191
			return null;
192
		}
159
        return isset($_POST[$field]) ? $_POST[$field] : null;
193 160
	}
194 161

  
195 162
	// Get POST data and escape it
......
200 167
	
201 168
	// Get GET data
202 169
	function get_get($field) {
203
		if(isset($_GET[$field])) {
204
			return $_GET[$field];
205
		} else {
206
			return null;
207
		}
170
        return isset($_GET[$field]) ? $_GET[$field] : null;
208 171
	}
209 172

  
210 173
	// Get SESSION data
211 174
	function get_session($field) {
212
		if(isset($_SESSION[$field])) {
213
			return $_SESSION[$field];
214
		} else {
215
			return null;
216
		}
175
        return isset($_SESSION[$field]) ? $_SESSION[$field] : null;
217 176
	}
218 177

  
219 178
	// Get SERVER data
220 179
	function get_server($field) {
221
		if(isset($_SERVER[$field])) {
222
			return $_SERVER[$field];
223
		} else {
224
			return null;
225
		}
180
        return isset($_SERVER[$field]) ? $_SERVER[$field] : null;
226 181
	}
227 182

  
228 183
	// Get the current users id
......
230 185
		return $_SESSION['USER_ID'];
231 186
	}
232 187

  
233
	// Get the current users group id
188
	// Get the current users group id (deprecated)
234 189
	function get_group_id() {
235 190
		return $_SESSION['GROUP_ID'];
236 191
	}
237 192

  
238 193
	// Get the current users group ids
239 194
	function get_groups_id() {
240
		return explode(",", $_SESSION['GROUPS_ID']);
195
	    return explode(",", isset($_SESSION['GROUPS_ID']) ? $_SESSION['GROUPS_ID'] : '');
241 196
	}
242 197

  
243 198
	// Get the current users group name
......
257 212

  
258 213
	// Get the current users display name
259 214
	function get_display_name() {
260
		return ($_SESSION['DISPLAY_NAME']);
215
		return $_SESSION['DISPLAY_NAME'];
261 216
	}
262 217

  
263 218
	// Get the current users email address
......
272 227

  
273 228
	// Get the current users timezone
274 229
	function get_timezone() {
275
		if(!isset($_SESSION['USE_DEFAULT_TIMEZONE'])) {
276
			return $_SESSION['TIMEZONE'];
277
		} else {
278
			return '-72000';
279
		}
230
        return  !isset($_SESSION['USE_DEFAULT_TIMEZONE']) ? $_SESSION['TIMEZONE'] : '-72000';
280 231
	}
281
/*  */
282
	// Validate supplied email address
283
	function validate_email($email) {
284
		if(preg_match('/^([0-9a-zA-Z]+[-._+&])*[0-9a-zA-Z]+@([-0-9a-zA-Z]+[.])+[a-zA-Z]{2,6}$/', $email)) {
285
		return true;
286
		} else {
287
			return false;
232

  
233
/* ****************
234
 * check if one or more group_ids are in both group_lists
235
 *
236
 * @access public
237
 * @param mixed $groups_list1: an array or a coma seperated list of group-ids
238
 * @param mixed $groups_list2: an array or a coma seperated list of group-ids
239
 * @param array &$matches: an array-var whitch will return possible matches
240
 * @return bool: true there is a match, otherwise false
241
 */
242
	function is_group_match( $groups_list1 = '', $groups_list2 = '', &$matches = null )
243
	{
244
		if( $groups_list1 == '' ) { return false; }
245
		if( $groups_list2 == '' ) { return false; }
246
		if( !is_array($groups_list1) )
247
		{
248
			$groups_list1 = explode(',', $groups_list1);
288 249
		}
250
		if( !is_array($groups_list2) )
251
		{
252
			$groups_list2 = explode(',', $groups_list2);
253
		}
254
		$matches = array_intersect( $groups_list1, $groups_list2);
255
		return ( sizeof($matches) != 0 );
289 256
	}
290 257

  
258
/* ****************
259
 * check if current user is member of at least one of given groups
260
 * ADMIN (uid=1) always is treated like a member of any groups
261
 *
262
 * @access public
263
 * @param mixed $groups_list: an array or a coma seperated list of group-ids
264
 * @return bool: true if current user is member of one of this groups, otherwise false
265
 */
266
	function ami_group_member( $groups_list = '' )
267
	{
268
		if( $this->get_user_id() == 1 ) { return true; }
269
		return $this->is_group_match( $groups_list, $this->get_groups_id() );
270
	}
291 271

  
292 272
/* ****************
273
 * check if current user has permissions of at least one of given permissions
274
 * ADMIN (uid=1) always is treated like a member of any groups
275
 *
276
 * @access public
277
 * @param string $name: a string with the name
278
 * @param string $type: a string to define system, module or template, default is module
279
 * @return bool: true if current user has permission of one of this permission, otherwise false
280
 */
281
	function has_permission( $name, $type = 'system' )
282
	{
283
		if(is_array($name) && is_array($type))
284
		{
285
			return sizeof(array_intersect($name, $type));
286

  
287
		} elseif(is_string($name) && is_string($type))
288
		{
289
			$type_permissions = $this->get_session(strtoupper($type).'_PERMISSIONS');
290
			if( ($type == 'system') )
291
			{
292
				return is_numeric(array_search($name, $type_permissions));
293
			} else {
294
			// Set permissions var
295
				return !is_numeric(array_search($name, $type_permissions));
296
			}
297
		}
298
		return false;
299
	}
300

  
301
/* ****************
293 302
 * set one or more bit in a integer value
294 303
 *
295 304
 * @access public
......
328 337
		return (($value & $bits2test) == $bits2test);
329 338
	}
330 339

  
331
/*
340

  
332 341
	// Validate supplied email address
333 342
	function validate_email($email) {
334
		if(function_exists('idn_to_ascii')){ // use pear if available
335
			$email = idn_to_ascii($email);
336
		}else {
337
			require_once(WB_PATH.'/include/idna_convert/idna_convert.class.php');
338
			$IDN = new idna_convert();
339
			$email = $IDN->encode($email);
340
			unset($IDN);
343
		if(preg_match('/^([0-9a-zA-Z]+[-._+&])*[0-9a-zA-Z]+@([-0-9a-zA-Z]+[.])+[a-zA-Z]{2,6}$/', $email)) {
344
		return true;
345
		} else {
346
			return false;
341 347
		}
342
		return !(filter_var($email, FILTER_VALIDATE_EMAIL) == false);
343 348
	}
344
*/
349

  
345 350
	// Print a success message which then automatically redirects the user to another page
346
	function print_success( $message, $redirect = 'index.php' ) {
351
	function print_success( $message, $redirect = 'index.php', $auto_footer = true ) {
347 352
	    global $TEXT;
348
	    // fetch redirect timer for sucess messages from settings table
349
	    $redirect_timer = ((defined( 'REDIRECT_TIMER' )) && (REDIRECT_TIMER >= 1500)) ? REDIRECT_TIMER : 0;
350 353
	    // add template variables
351 354
	    $tpl = new Template( THEME_PATH.'/templates' );
352 355
	    $tpl->set_file( 'page', 'success.htt' );
353 356
	    $tpl->set_block( 'page', 'main_block', 'main' );
357
	    $tpl->set_var( 'NEXT', $TEXT['NEXT'] );
358
	    $tpl->set_var( 'BACK', $TEXT['BACK'] );
359
 	    $tpl->set_var( 'MESSAGE', $message );
360
 	    $tpl->set_var( 'THEME_URL', THEME_URL );
361

  
354 362
	    $tpl->set_block( 'main_block', 'show_redirect_block', 'show_redirect' );
355
	    $tpl->set_var( 'MESSAGE', $message );
356 363
	    $tpl->set_var( 'REDIRECT', $redirect );
357
	    $tpl->set_var( 'REDIRECT_TIMER', $redirect_timer );
358
	    $tpl->set_var( 'NEXT', $TEXT['NEXT'] );
359
	    $tpl->set_var( 'BACK', $TEXT['BACK'] );
360
	    if ($redirect_timer == 0) {
364

  
365
	    if (REDIRECT_TIMER == -1)
366
		{
361 367
	        $tpl->set_block( 'show_redirect', '' );
362
	    }
363
	    else {
368
	    } else {
369
		    $tpl->set_var( 'REDIRECT_TIMER', REDIRECT_TIMER );
364 370
	        $tpl->parse( 'show_redirect', 'show_redirect_block', true );
365 371
	    }
366 372
	    $tpl->parse( 'main', 'main_block', false );
367 373
	    $tpl->pparse( 'output', 'page' );
374
		if ( $auto_footer == true )
375
		{
376
			if ( method_exists($this, "print_footer") )
377
			{
378
				$this->print_footer();
379
			}
380
		}
381
		exit();
368 382
	}
369 383

  
370 384
	// Print an error message
371
	function print_error($message, $link = 'index.php', $auto_footer = true) {
385
	function print_error($message, $link = 'index.php', $auto_footer = true )
386
	{
372 387
		global $TEXT;
373 388
		$success_template = new Template(THEME_PATH.'/templates');
374 389
		$success_template->set_file('page', 'error.htt');
......
376 391
		$success_template->set_var('MESSAGE', $message);
377 392
		$success_template->set_var('LINK', $link);
378 393
		$success_template->set_var('BACK', $TEXT['BACK']);
394
 	    $success_template->set_var( 'THEME_URL', THEME_URL );
379 395
		$success_template->parse('main', 'main_block', false);
380 396
		$success_template->pparse('output', 'page');
381 397
		if ( $auto_footer == true ) {
......
385 401
		}
386 402
		exit();
387 403
	}
404
/*
405
 * @param string $message: the message to format
406
 * @param string $status:  ('ok' / 'error' / '') status defines the apereance of the box
407
 * @return string: the html-formatted message (using template 'message.htt')
408
 */
409
	public function format_message($message, $status = 'ok')
410
	{
411
		$id = uniqid('x');
412
		$tpl = new Template(THEME_PATH.'/templates');
413
		$tpl->set_file('page', 'message.htt');
414
		$tpl->set_block('page', 'main_block', 'main');
415
		$tpl->set_var('MESSAGE', $message);
416
 	    $tpl->set_var( 'THEME_URL', THEME_URL );
417
		$tpl->set_var( 'ID', $id );
418
		if($status == 'ok' || $status == 'error' || $status = 'warning')
419
		{
420
			$tpl->set_var('BOX_STATUS', ' box-'.$status);
421
		}else
422
		{
423
			$tpl->set_var('BOX_STATUS', '');
424
		}
425
		$tpl->set_var('STATUS', $status);
426
		if(!defined('REDIRECT_TIMER') ) { define('REDIRECT_TIMER', -1); }
427
		$retval = '';
428
		if( $status != 'error' )
429
		{
430
			switch(REDIRECT_TIMER):
431
				case 0: // do not show message
432
					unset($tpl);
433
					break;
434
				case -1: // show message permanently
435
					$tpl->parse('main', 'main_block', false);
436
					$retval = $tpl->finish($tpl->parse('output', 'page', false));
437
					unset($tpl);
438
					break;
439
				default: // hide message after REDIRECTOR_TIMER milliseconds
440
					$retval = '<script type="text/javascript">/* <![CDATA[ */ function '.$id.'_hide() {'.
441
							  'document.getElementById(\''.$id.'\').style.display = \'none\';}'.
442
							  'window.setTimeout(\''.$id.'_hide()\', '.REDIRECT_TIMER.');/* ]]> */ </script>';
443
					$tpl->parse('main', 'main_block', false);
444
					$retval = $tpl->finish($tpl->parse('output', 'page', false)).$retval;
445
					unset($tpl);
446
			endswitch;
447
		}else
448
		{
449
			$tpl->parse('main', 'main_block', false);
450
			$retval = $tpl->finish($tpl->parse('output', 'page', false)).$retval;
451
			unset($tpl);
452
		}
453
		return $retval;
454
	}
455
/*
456
 * @param string $type: 'locked'(default)  or 'new'
457
 * @return void: terminates application
458
 * @description: 'locked' >> Show maintenance screen and terminate, if system is locked
459
 *               'new' >> Show 'new site under construction'(former print_under_construction)
460
 */
461
	public function ShowMaintainScreen($type = 'locked')
462
	{
463
		global $database, $MESSAGE;
464
		$CHECK_BACK = $MESSAGE['GENERIC_PLEASE_CHECK_BACK_SOON'];
465
		$BE_PATIENT = '';
466
		$LANGUAGE   = strtolower((isset($_SESSION['LANGUAGE']) ? $_SESSION['LANGUAGE'] : LANGUAGE ));
388 467

  
468
		$show_screen = false;
469
		if($type == 'locked')
470
		{
471
			$curr_user = (intval(isset($_SESSION['USER_ID']) ? $_SESSION['USER_ID'] : 0) ) ;
472
			if( (defined('SYSTEM_LOCKED') && (int)SYSTEM_LOCKED == 1) && ($curr_user != 1))
473
			{
474
				header($_SERVER['SERVER_PROTOCOL'].' 503 Service Unavailable');
475
	// first kick logged users out of the system
476
		// delete all remember keys from table 'user' except user_id=1
477
				$sql  = 'UPDATE `'.TABLE_PREFIX.'users` SET `remember_key`=\'\' ';
478
				$sql .= 'WHERE `user_id`<>1';
479
				$database->query($sql);
480
		// delete remember key-cookie if set
481
				if (isset($_COOKIE['REMEMBER_KEY'])) {
482
					setcookie('REMEMBER_KEY', '', time() - 3600, '/');
483
				}
484
		// overwrite session array
485
				$_SESSION = array();
486
		// delete session cookie if set
487
				if (ini_get("session.use_cookies")) {
488
					$params = session_get_cookie_params();
489
					setcookie(session_name(), '', time() - 42000, $params["path"],
490
						$params["domain"], $params["secure"], $params["httponly"]
491
					);
492
				}
493
		// delete the session itself
494
				session_destroy();
495
				$PAGE_TITLE = $MESSAGE['GENERIC_WEBSITE_LOCKED'];
496
				$BE_PATIENT = $MESSAGE['GENERIC_BE_PATIENT'];
497
				$PAGE_ICON  = WB_REL.'/negative';
498
				$show_screen = true;
499
			}
500
		}else
501
		{
502
			header($_SERVER['SERVER_PROTOCOL'].' 503 Service Unavailable');
503
			$PAGE_TITLE = $MESSAGE['GENERIC_WEBSITE_UNDER_CONSTRUCTION'];
504
			$PAGE_ICON  = WB_REL.'/positive';
505
			$show_screen = true;
506
		}
507
		if($show_screen)
508
		{
509
			if(file_exists(WB_PATH.'/maintenance.php'))
510
			{
511
				include(WB_PATH.'/maintenance.php');
512
			}else
513
			{
514
				echo $PAGE_TITLE.'<br />'.$MESSAGE['GENERIC_PLEASE_CHECK_BACK_SOON'];
515
			}
516
			flush();
517
			exit;
518
		}
519
	}
389 520
	// Validate send email
390 521
	function mail($fromaddress, $toaddress, $subject, $message, $fromname='') {
391
		/* 
522
		/*
392 523
			INTEGRATED OPEN SOURCE PHPMAILER CLASS FOR SMTP SUPPORT AND MORE
393 524
			SOME SERVICE PROVIDERS DO NOT SUPPORT SENDING MAIL VIA PHP AS IT DOES NOT PROVIDE SMTP AUTHENTICATION
394 525
			NEW WBMAILER CLASS IS ABLE TO SEND OUT MESSAGES USING SMTP WHICH RESOLVE THESE ISSUE (C. Sommer)
......
402 533
		$toaddress = preg_replace('/[\r\n]/', '', $toaddress);
403 534
		$subject = preg_replace('/[\r\n]/', '', $subject);
404 535
		$message_alt = $message;
405
		$message = preg_replace('/[\r\n]/', '<br \>', $message);
406
		
536
		$message = nl2br( str_replace('\r', '', $message) );
407 537
		// create PHPMailer object and define default settings
408 538
		$myMail = new wbmailer();
409 539

  
......
429 559
	}
430 560

  
431 561
}
432
?>
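Review bot: In the new `section_is_active()` and `page_is_active()` queries the trailing `AND` filter on `section_id` / `page_id` applies only to the second time clause, because SQL gives `AND` precedence over `OR`. The `BETWEEN` clause is therefore unrestricted, so any row in the sections table whose publication window contains the current time makes the count non-zero. Since `show_page()` returns `page_is_visible($page) && page_is_active($page)`, a page without a currently published section would still be treated as active. Both time clauses should sit inside one outer pair of parentheses that closes before the `AND`. `section_is_active()` also concatenates `$section_id` into the statement as passed, whereas `page_is_active()` casts its id; its callers are not visible here, so it should use `(int)$section_id` in the same way.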
