<?php
//!  NConf PERMISSIONS class
/*!
*/
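class NConf_PERMISSIONS{
    /** @var string group of the current user ($_SESSION["group"]), GROUP_NOBODY without a session group */
    protected $group;
    /** @var string script name relative to the NConf web root, without leading slash; every setURL() rule is matched against it */
    protected $current_script;
    /** @var bool TRUE once the admin group or a matching setURL() rule has granted access to the current page */
    protected $url_check_status = FALSE;
    /** @var string accumulated HTML debug output, emitted by checkPageAccess() */
    protected $debug = '';

    /** @var bool|string 'NOT TESTED' until an item id was checked, afterwards TRUE/FALSE; once FALSE it stays FALSE for this request */
    protected $requested_id_authorized = 'NOT TESTED';
    /** @var string human readable reason of the last failed check (empty when nothing failed) */
    public $message = '';

    /**
     * Resolves the user's group and the script name relative to the NConf
     * web root, then checks the "id" / "ids" request items for non-admins.
     *
     * Reads $_SESSION["group"], $_SERVER["DOCUMENT_ROOT"], $_SERVER["SCRIPT_NAME"],
     * $_REQUEST["id"] and $_REQUEST["ids"]; needs the NCONFDIR, GROUP_ADMIN and
     * GROUP_NOBODY constants.
     */
    public function __construct(){
        if ( isset($_SESSION["group"]) ){
            $this->group = $_SESSION["group"];

            # admin group has no limitations
            if ($_SESSION["group"] == GROUP_ADMIN){
                $this->url_check_status = TRUE;
            }
        }else{
            $this->group = GROUP_NOBODY;
        }

        # both server variables may be missing (e.g. CLI); treat them as empty
        $document_root = isset($_SERVER["DOCUMENT_ROOT"]) ? $_SERVER["DOCUMENT_ROOT"] : '';
        $script_name   = isset($_SERVER['SCRIPT_NAME'])   ? $_SERVER['SCRIPT_NAME']   : '';

        # Helpers for debugging
        $this->debug .= NConf_HTML::swap_content(NCONFDIR, "NCONFDIR");
        $this->debug .= NConf_HTML::swap_content($document_root, "DOCUMENT_ROOT");
        $this->debug .= NConf_HTML::swap_content($script_name, "SERVER script_name");

        # define current script name ( path from the NConf web root, no leading slash )
        # This will be the script name which the permission system will check against.
        $this->current_script = $this->relativeScriptName($document_root, $script_name);
        $this->debug .= NConf_HTML::text("<b>Current script name: </b>".$this->current_script);

        # if user is not in admin group, check if the requested item(s) are accessible for him
        if ( $this->group != GROUP_ADMIN ){
            if ( !empty($_REQUEST["id"]) ) {
                $this->checkIdPermission($_REQUEST["id"]);
                if ($this->requested_id_authorized === FALSE){
                    $this->message = "You are not authorized to access this item";
                }
            }
            # also apply check for multiple ids
            if ( !empty($_REQUEST["ids"]) ) {
                # "ids" is a comma separated string; an ids[]=... array is checked item by item as well
                # instead of being handed to explode() (which would fail on an array)
                $array_ids = is_array($_REQUEST["ids"]) ? $_REQUEST["ids"] : explode(",", $_REQUEST["ids"]);
                foreach ($array_ids as $item_ID){
                    $this->checkIdPermission($item_ID);
                }
                if ($this->requested_id_authorized === FALSE){
                    $this->message = "You are not authorized to access one ore multiple items of your selection";
                }
            }
        }
        # Item ID authorization check
        NConf_DEBUG::set('Checks if you are allowed to access the item', 'DEBUG', NConf_HTML::status_text("Item authorization", $this->requested_id_authorized) );
    }

    /**
     * Strips the NConf directory (when NConf is not installed in the document
     * root) and the leading slash from the server-reported script name.
     *
     * @param string $document_root $_SERVER["DOCUMENT_ROOT"], may be empty
     * @param string $script_name   $_SERVER["SCRIPT_NAME"], may be empty
     * @return string script path relative to the NConf web root; '' when the
     *                NConf directory was not found in the script name, in which
     *                case no setURL() rule can match (access stays denied)
     */
    protected function relativeScriptName($document_root, $script_name){
        # handle directory if not running directly on document root path
        # explode() rejects an empty separator, so an empty document root means "no prefix to strip"
        $nconf_webroot_explode = ($document_root !== '') ? explode($document_root, NCONFDIR) : array(NCONFDIR);
        $this->debug .= NConf_HTML::swap_content($nconf_webroot_explode, "nconf_webroot_explode");
        // TODO: check with different setups if now everything works as expected
        if ( !empty($nconf_webroot_explode[1]) ){
            # NConf does not run in webroot: remove its path from the script name
            $nconf_webroot_path  = $nconf_webroot_explode[1];
            $script_name_explode = explode($nconf_webroot_path, $script_name);
            $this->debug .= NConf_HTML::swap_content($script_name_explode, "script_name_explode");
            # prefix not present in the script name -> empty script name (fails closed)
            $script_name = isset($script_name_explode[1]) ? $script_name_explode[1] : '';
        }

        # remove beginning slash
        return preg_replace('/^\//', '', $script_name);
    }

    /**
     * Checks that the class of the requested item is navigable for the user's
     * group and folds the result into $requested_id_authorized.
     *
     * Once a check failed, later calls can not set the result back to TRUE
     * (needed for the multiple-id case).
     *
     * @param mixed $ID item id taken from the request; non-scalar values are refused
     */
    protected function checkIdPermission($ID) {
        # the id comes straight from the request: refuse anything but a scalar before it reaches the db layer
        if ( !is_scalar($ID) ){
            $this->requested_id_authorized = FALSE;
            return;
        }
        $class_id = db_templates("get_classid_of_item", $ID);

        # db_handler() takes a ready-made SQL string, so the two values are interpolated into
        # double-quoted literals; a value that could terminate such a literal is refused
        # (access denied) rather than being put into the query
        if ( !$this->isPlainSqlLiteral($class_id) OR !$this->isPlainSqlLiteral($this->group) ){
            $this->requested_id_authorized = FALSE;
            return;
        }
        $query = 'SELECT id_class
                    FROM ConfigClasses
                    WHERE nav_privs = "'.$this->group.'"
                        AND id_class = "'.$class_id.'"';
        $user_class_permissions = db_handler($query, "getOne", "Check if user has access to the class of the requested item");

        # set authorization
        # special behaviour for multiple ids (then its not allowed to set to true if already FALSE state was set)
        if ( !empty($user_class_permissions) AND $this->requested_id_authorized !== FALSE ){
            $this->requested_id_authorized = TRUE;
        }else{
            $this->requested_id_authorized = FALSE;
        }
    }

    /**
     * TRUE when $value can sit inside a double-quoted SQL string literal
     * without ending it: null or a scalar, free of double quotes, backslashes
     * and NUL bytes. A regex error also yields FALSE (fail closed).
     *
     * @param mixed $value
     * @return bool
     */
    protected function isPlainSqlLiteral($value){
        if ( $value !== null AND !is_scalar($value) ){
            return FALSE;
        }
        return preg_match('/["\\\\\x00]/', (string) $value) === 0;
    }

    /**
     * Emits the collected URL ACL debug output and reports whether the
     * current page may be accessed.
     *
     * @return bool $url_check_status; sets $message when access is denied
     */
    public function checkPageAccess(){
        # URL check
        $debug = NConf_HTML::swap_content($this->debug, "URL ACL feedback", FALSE, TRUE);
        NConf_DEBUG::set($debug, 'DEBUG', NConf_HTML::status_text("URL ACL status", $this->url_check_status) );

        if ($this->url_check_status === FALSE){
            $this->message = "You don't have permission to access this page!";
        }

        return $this->url_check_status;
    }

    /**
     * @return bool|string result of the item id check: TRUE, FALSE, or
     *                     'NOT TESTED' when no id was part of the request
     */
    public function checkIdAuthorization(){
        return $this->requested_id_authorized;
    }


    /**
     * Registers one URL rule and grants page access when it matches the
     * current script (and, optionally, the current request items).
     *
     * Rules are additive: the first matching rule sets $url_check_status to
     * TRUE and every later call returns at once.
     *
     * @param string $URL            script name relative to the NConf web root, optionally with a
     *                               query part ("page.php?class=host")
     * @param bool   $REGEX_OPEN_END TRUE: $URL only has to be a prefix of the current script,
     *                               FALSE: it has to match exactly
     * @param array  $GROUPS         groups the rule applies to; empty means every group
     * @param array  $REQUEST        request items (key => value) that must be present in $_REQUEST
     *                               with the same value; replaced by the query part of $URL if any
     */
    public function setURL($URL, $REGEX_OPEN_END = TRUE, $GROUPS = array(), $REQUEST = array() ){
        # do not check if already allowed
        if ($this->url_check_status == TRUE) return;

        # check URL for passed attributes (should only be the scriptname)
        # the navigation links will need this handler
        # search for query part in URL
        if ( strpos($URL, "?") !== FALSE ){
            # navigation links are HTML encoded ("&amp;"), which otherwise produces request
            # keys such as "amp;xmode" that can never match $_REQUEST
            # TODO: confirm on the xmode views; $_SERVER['QUERY_STRING'] might be an alternative
            $url_parsed = parse_url(html_entity_decode($URL, ENT_QUOTES));
            if ( $url_parsed === FALSE ){
                # unparsable rule: deny rather than match against an empty path
                return;
            }
            $this->debug .= NConf_HTML::swap_content($url_parsed, "ACL - Found query in URL : Parsing URL", FALSE, TRUE);

            # get request items (the query part replaces a $REQUEST argument)
            $REQUEST = array();
            if ( isset($url_parsed["query"]) ){
                parse_str($url_parsed["query"], $REQUEST);
            }
            $this->debug .= NConf_HTML::swap_content($REQUEST, "ACL - fetched query and converted to REQUEST array", FALSE, TRUE);

            # override URL with correct scriptname
            $URL = isset($url_parsed["path"]) ? $url_parsed["path"] : '';
        }

        # check group permission
        if ( !empty($GROUPS) AND !in_array($this->group, $GROUPS) ){
            return;
        }

        if ( !$this->scriptMatches($URL, $REGEX_OPEN_END) ){
            return;
        }
        $this->debug .=  NConf_HTML::text("URL matched: $URL", TRUE);

        # check for request limitations
        if ( !empty($REQUEST) ){
            # check if needed request items match: key AND value have to be present in $_REQUEST.
            # array_diff() would compare values only, so a required value found under any other
            # request item would have counted as a match
            $diff = array_diff_assoc($REQUEST, $_REQUEST);
            if ( !empty( $diff )  ){
                # for debugging these could be grouped together
                $this->debug .= NConf_HTML::swap_content($REQUEST, "REQUEST items do not match", FALSE, TRUE);
                return;
            }
            $this->debug .= NConf_HTML::swap_content($REQUEST, "REQUEST items matched", FALSE, TRUE);
        }

        # all checks passed, URL is fine
        $this->url_check_status = TRUE;
    }

    /**
     * Compares a URL rule with the current script name.
     *
     * A plain string comparison replaces the former regex built from $URL:
     * preg_quote() was called without a delimiter, so a rule containing "/"
     * produced an invalid pattern and could never match.
     *
     * @param string $URL      script name of the rule, query part already stripped
     * @param bool   $open_end TRUE: prefix match, FALSE: exact match
     * @return bool
     */
    protected function scriptMatches($URL, $open_end){
        $url     = (string) $URL;
        $current = (string) $this->current_script;
        if ($open_end){
            # substr() with length 0 returns '' so an empty rule matches everything, like "^\w*" did
            return substr($current, 0, strlen($url)) === $url;
        }
        return $current === $url;
    }

}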
?>