
Revision 1384

Added by Dietmar over 13 years ago

Security fix in admin/pages


save.php
17 17
 */
18 18

  
19 19
// Get page & section id
20
if(!isset($_POST['page_id']) OR !is_numeric($_POST['page_id'])) {
20
if(!isset($_POST['page_id']) || !is_numeric($_POST['page_id'])) {
21 21
	header("Location: index.php");
22 22
	exit(0);
23 23
} else {
24 24
	$page_id = intval($_POST['page_id']);
25 25
}
26
if(!isset($_POST['section_id']) OR !is_numeric($_POST['section_id'])) {
26
if(!isset($_POST['section_id']) || !is_numeric($_POST['section_id'])) {
27 27
	header("Location: index.php");
28 28
	exit(0);
29 29
} else {
......
34 34
require('../../config.php');
35 35
require_once(WB_PATH.'/framework/class.admin.php');
36 36
$admin = new admin('Pages', 'pages_modify');
37

  
37 38
if (!$admin->checkFTAN())
38 39
{
39
	$admin->print_error($MESSAGE['PAGES_NOT_SAVED'],'index.php');
40
	$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'],'index.php');
40 41
	exit();
41 42
}
42 43

  
......
55 56
        $in_old_group = TRUE;
56 57
    }
57 58
}
58
if((!$in_old_group) AND !is_numeric(array_search($admin->get_user_id(), $old_admin_users)))
59
if((!$in_old_group) && !is_numeric(array_search($admin->get_user_id(), $old_admin_users)))
59 60
{
60 61
	$admin->print_error($MESSAGE['PAGES']['INSUFFICIENT_PERMISSIONS']);
61 62
}
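Review bot: The permission check at the end of the last hunk calls `$admin->print_error($MESSAGE['PAGES']['INSUFFICIENT_PERMISSIONS']);` with nothing after it, whereas the FTAN check in the second hunk follows `print_error()` with an explicit `exit();`; if `print_error()` does not itself terminate the script (its body is not visible here), the save continues for a user who is neither in an allowed group nor listed in `$old_admin_users`, so add `exit();` after the call for consistency with the FTAN branch. The membership test `!is_numeric(array_search(...))` only works because `array_search()` returns `false` when the id is absent and reads as an inverted search; `!in_array($admin->get_user_id(), $old_admin_users)` states the intent directly (keep the loose comparison unless `$old_admin_users` is known to hold ints, since its values appear to come from a string split outside the hunk). The `OR` → `||` and `AND` → `&&` swaps are precedence-neutral inside a bare `if (...)` condition, so they change no behaviour here; the `$in_old_group` loop preceding the last hunk starts outside it. In the first hunk `is_numeric()` also accepts floats, exponent notation and leading whitespace, which `intval()` then truncates, so `ctype_digit((string) $_POST['page_id'])` or `filter_var($_POST['page_id'], FILTER_VALIDATE_INT)` would reject such input up front instead of silently coercing it.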
