dev-chiefworks
213 lines
7.3 KiB
PHP
213 lines
7.3 KiB
PHP
<?php
|
|
defined( 'BASEPATH' ) OR exit( 'No direct script access allowed' );
|
|
/*
|
|
* ------------------------------------------------------
|
|
* Load the global functions
|
|
* ------------------------------------------------------
|
|
*/
|
|
// require_once(BASEPATH.'core/Common.php');
|
|
|
|
/*
|
|
* ------------------------------------------------------
|
|
* Instantiate the routing class and set the routing
|
|
* ------------------------------------------------------
|
|
*/
|
|
$RTR =& load_class( 'Router', 'core', isset( $routing ) ? $routing : null );
|
|
$conn_id = $CI->load->database('savvy_replica', TRUE)->conn_id;
|
|
$username = isset( $_SESSION['username'] ) ? $_SESSION['username'] : null;
|
|
$_class = strtolower( $class );
|
|
$_method = strtolower( $method );
|
|
|
|
function get_whitelist( $username ) {
|
|
global $conn_id;
|
|
$result = null;
|
|
|
|
$q = "SELECT LOWER(acl.class_name) AS class_name,
|
|
LOWER(acl.method_name) AS method_name
|
|
FROM bko_acl acl
|
|
JOIN bko_acl_permission_level acl_p_l ON acl_p_l.bko_acl_id = acl.id
|
|
JOIN bko_permission_level p_l ON p_l.plevel = acl_p_l.plevel
|
|
JOIN bko_users usr ON usr.plevel = p_l.plevel
|
|
WHERE usr.username = '{$username}'
|
|
ORDER BY acl.class_name";
|
|
|
|
$r = pg_query( $conn_id, $q );
|
|
|
|
$r = pg_fetch_all( $r ) ? pg_fetch_all( $r ) : [];
|
|
|
|
return array_group_by( $r, 'class_name' );
|
|
}
|
|
|
|
function get_whitelist_extra( $username ) {
|
|
global $conn_id;
|
|
$result = null;
|
|
|
|
$q = "SELECT LOWER(acl.class_name) AS class_name,
|
|
LOWER(acl.method_name) AS method_name,
|
|
LOWER(acl_wl_e.parameter_name) AS parameter_name,
|
|
LOWER(acl_wl_e.parameter_value) AS parameter_value
|
|
FROM bko_acl acl
|
|
LEFT JOIN bko_acl_whitelist acl_wl ON acl_wl.bko_acl_id = acl.id
|
|
LEFT JOIN bko_acl_whitelist_extra acl_wl_e ON acl_wl_e.bko_acl_whitelist_id = acl_wl.id
|
|
JOIN bko_acl_permission_level acl_p_l ON acl_p_l.bko_acl_id = acl.id
|
|
JOIN bko_permission_level p_l ON p_l.plevel = acl_p_l.plevel
|
|
JOIN bko_users usr ON usr.plevel = p_l.plevel
|
|
WHERE usr.username = '{$username}'
|
|
ORDER BY acl.class_name,
|
|
acl.method_name,
|
|
acl_wl_e.parameter_name,
|
|
acl_wl_e.parameter_value";
|
|
|
|
$r = pg_query( $conn_id, $q );
|
|
|
|
$r = pg_fetch_all( $r ) ? pg_fetch_all( $r ) : [];
|
|
|
|
return array_group_by( $r, 'class_name', 'method_name', 'parameter_name' );
|
|
}
|
|
|
|
/**
|
|
* https://github.com/jakezatecky/array_group_by
|
|
*/
|
|
function array_group_by( array $array, $key ) {
|
|
if ( ! is_string( $key ) && ! is_int( $key ) && ! is_float( $key ) && ! is_callable( $key ) ) {
|
|
trigger_error( 'array_group_by(): The key should be a string, an integer, or a callback', E_USER_ERROR );
|
|
|
|
return null;
|
|
}
|
|
$func = ( ! is_string( $key ) && is_callable( $key ) ? $key : null );
|
|
$_key = $key;
|
|
// Load the new array, splitting by the target key
|
|
$grouped = [];
|
|
|
|
$num_args = func_num_args();
|
|
|
|
foreach ( $array as $value ) {
|
|
$key = null;
|
|
if ( is_callable( $func ) ) {
|
|
$key = call_user_func( $func, $value );
|
|
} elseif ( is_object( $value ) && property_exists( $value, $_key ) ) {
|
|
$key = $value->{$_key};
|
|
} elseif ( isset( $value[ $_key ] ) ) {
|
|
$key = $value[ $_key ];
|
|
}
|
|
if ( $key === null ) {
|
|
continue;
|
|
}
|
|
|
|
if ( $num_args !== 2 ) {
|
|
$grouped[ $key ][] = $value;
|
|
continue;
|
|
}
|
|
|
|
if ( count( $value ) !== 2 ) {
|
|
$grouped[ $key ][] = $value[ $_key ];
|
|
continue;
|
|
}
|
|
|
|
foreach ( $value as $col_name => $col_val ) {
|
|
if ( $col_name === $_key ) {
|
|
continue;
|
|
}
|
|
$grouped[ $key ][] = $value[ $col_name ];
|
|
}
|
|
|
|
}
|
|
// Recursively build a nested grouping if more parameters are supplied
|
|
// Each grouped array value is grouped according to the next sequential key
|
|
if ( $num_args > 2 ) {
|
|
$args = func_get_args();
|
|
foreach ( $grouped as $key => $value ) {
|
|
$params = array_merge( [ $value ], array_slice( $args, 2, $num_args ) );
|
|
$grouped[ $key ] = call_user_func_array( 'array_group_by', $params );
|
|
}
|
|
}
|
|
|
|
return $grouped;
|
|
}
|
|
|
|
$security_patch_whitelist = get_whitelist( $username );
|
|
$security_patch_whitelist_extra = get_whitelist_extra( $username );
|
|
|
|
function load_bko_users_members_access( $conn_id, $username ) {
|
|
$result = [];
|
|
$q = "SELECT * FROM bko_users_members_access WHERE bko_user_id=(SELECT id FROM bko_users WHERE username='" . pg_escape_string( $username ) . "')";
|
|
$r = pg_query( $conn_id, $q );
|
|
if ( $r && pg_num_rows( $r ) ) {
|
|
$result = [];
|
|
while ( $f = pg_fetch_assoc( $r ) ) {
|
|
$result[ $f["member_id"] ] = $f["flags"];
|
|
}
|
|
}
|
|
|
|
return [ $result, (is_array( $result ) && count( $result ))? implode( ",", array_keys( $result ) ) : "" ];
|
|
}
|
|
|
|
function security_patch_block_path( $RTR, $class, $method ) {
|
|
global $security_patch_whitelist_extra;
|
|
$str = $class . '/' . $method;
|
|
if ( array_key_exists( $class, $security_patch_whitelist_extra ) ) {
|
|
if ( array_key_exists( $method, $security_patch_whitelist_extra[ $class ] ) ) {
|
|
$s_p_w_e_data = $security_patch_whitelist_extra[ $class ];
|
|
if ( array_key_exists( 'proc', $_GET ) ) {
|
|
$str .= '/' . $_GET['proc'];
|
|
}
|
|
if ( array_key_exists( 'action_name', $_GET ) ) {
|
|
$str .= '/' . $_GET['action_name'];
|
|
}
|
|
}
|
|
}
|
|
error_log( $str );
|
|
show_404( $RTR->directory . $class . '/' . $method );
|
|
}
|
|
|
|
/*
|
|
if ( array_key_exists( 'backoffice_id', $_SESSION ) && $_SESSION['backoffice_id'] === $username ) {
|
|
|
|
list( $bko_users_members_access, $bko_users_members_access_list ) = load_bko_users_members_access( $CI->db->conn_id, $_SESSION["username"] );
|
|
foreach ( $_GET as $key => $val ) {
|
|
if ( $key == 'member_id' && ! array_key_exists( $val, $bko_users_members_access ) ) {
|
|
$_GET[ $key ] = null;
|
|
}
|
|
}
|
|
foreach ( $_POST as $key => $val ) {
|
|
if ( $key == 'member_id' && ! array_key_exists( $val, $bko_users_members_access ) ) {
|
|
$_POST[ $key ] = null;
|
|
}
|
|
}
|
|
if ( ! array_key_exists( $_class, $security_patch_whitelist ) ) {
|
|
security_patch_block_path( $RTR, $_class, $_method );
|
|
}
|
|
if ( ! in_array( $_method, $security_patch_whitelist[ $_class ] ) ) {
|
|
security_patch_block_path( $RTR, $_class, $_method );
|
|
}
|
|
if ( array_key_exists( 'proc', $_GET ) ) {
|
|
if ( ! array_key_exists( $_class, $security_patch_whitelist_extra ) ) {
|
|
security_patch_block_path( $RTR, $_class, $_method );
|
|
}
|
|
if ( ! array_key_exists( $_method, $security_patch_whitelist_extra[ $_class ] ) ) {
|
|
security_patch_block_path( $RTR, $_class, $_method );
|
|
}
|
|
if ( ! array_key_exists( 'proc', $security_patch_whitelist_extra[ $_class ][ $_method ] ) ) {
|
|
security_patch_block_path( $RTR, $_class, $_method );
|
|
}
|
|
if ( ! in_array( $_GET['proc'], $security_patch_whitelist_extra[ $_class ][ $_method ]['proc'] ) ) {
|
|
security_patch_block_path( $RTR, $_class, $_method );
|
|
}
|
|
}
|
|
if ( array_key_exists( 'action_name', $_GET ) ) {
|
|
if ( ! array_key_exists( $_class, $security_patch_whitelist_extra ) ) {
|
|
security_patch_block_path( $RTR, $_class, $_method );
|
|
}
|
|
if ( ! array_key_exists( $_method, $security_patch_whitelist_extra[ $_class ] ) ) {
|
|
security_patch_block_path( $RTR, $_class, $_method );
|
|
}
|
|
if ( ! array_key_exists( 'action_name', $security_patch_whitelist_extra[ $_class ][ $_method ] ) ) {
|
|
security_patch_block_path( $RTR, $_class, $_method );
|
|
}
|
|
if ( ! in_array( $_GET['action_name'], $security_patch_whitelist_extra[ $_class ][ $_method ]['action_name'] ) ) {
|
|
security_patch_block_path( $RTR, $_class, $_method );
|
|
}
|
|
}
|
|
}
|
|
*/
|