
Issue #5064 - Draft fix for user impersonation (getperms())

This commit is contained in:
camer0n 2023-09-08 14:18:06 -07:00
parent 1ef0cc3352
commit 44526b435c
5 changed files with 104 additions and 6 deletions


@ -1317,8 +1317,17 @@ function check_class($var, $userclass = null, $uid = 0)
function getperms($arg, $ap = ADMINPERMS, $path = e_SELF)
{
// $ap = "4"; // Just for testing.
if(trim($ap) === '')
{
return false;
}
if(!deftrue('ADMIN') || trim($ap) === '')
if(deftrue('USE_NEW_GETPERMS')) // Add to e107_config.php.
{
return e107::getUser()->checkAdminPerms($arg,$ap,$path);
}
if(!deftrue('ADMIN'))
{
return false;
}
@ -1630,6 +1639,13 @@ function init_session()
define('USERJOINED', '');
define('e_CLASS_REGEXP', '(^|,)(253|254|250|251|0)(,|$)');
define('e_NOBODY_REGEXP', '(^|,)255(,|$)');
/* $user->set('user_id', 1);
$user->set('user_name','e107-cli');
$user->set('user_admin', 1);
$user->set('user_perms', '0');
$user->set('user_class', '');
$user->set('user_join', '');*/
return;
}
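Review bot: In the getperms() hunk the `USE_NEW_GETPERMS` branch forwards `$ap` to `checkAdminPerms($arg,$ap,$path)`, and since `$ap` defaults to the ADMINPERMS constant, the `$ap === null` fallback to `$this->getAdminPerms()` in the user model is never reached from this entry point; if the impersonation fix relies on permissions being read from the loaded user model rather than the global constant, that seems to defeat it, though how ADMINPERMS is set is outside this hunk. Either pass `null` when the caller left `$ap` at its default, or make the limitation explicit with a comment such as `// NOTE: $ap (ADMINPERMS by default) is passed through; checkAdminPerms() only consults the user model's own perms when $ap is null`. The `// $ap = "4"; // Just for testing.` leftover above the checks and the commented-out `$user->set(...)` block in the init_session() hunk are dead code and should be removed rather than committed. getperms()'s body continues past the end of the hunk.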


@ -646,13 +646,70 @@ class e_user_model extends e_admin_model
}
/**
* @param $perm_str
* @param str $arg
* @param str $ap
* @param str $path
* @return bool
*/
final public function checkAdminPerms($perm_str)
final public function checkAdminPerms($arg, $ap = null, $path = null)
{
// FIXME - method to replace getperms()
return ($this->isAdmin() && getperms($perm_str, $this->getAdminPerms()));
if(!$this->isAdmin())
{
return false;
}
if($ap === null)
{
$ap = $this->getAdminPerms();
}
if($arg === 0) // Common-error avoidance with getperms(0)
{
$arg = '0';
}
if ($ap === '0' || $ap === '0.') // BC fix.
{
return true;
}
if ($arg === 'P' && !empty($path) && preg_match('#(.*?)/' .e107::getInstance()->getFolder('plugins'). '(.*?)/(.*?)#', $path, $matches))
{
$sql = e107::getDb('psql');
/* $id = e107::getPlug()->load($matches[2])->getId();
$arg = 'P'.$id;*/
if ($sql->select('plugin', 'plugin_id', "plugin_path = '".$matches[2]."' LIMIT 1 "))
{
$row = $sql->fetch();
$arg = 'P'.$row['plugin_id'];
}
}
$ap_array = explode('.',$ap);
if (in_array($arg,$ap_array,false))
{
return true;
}
if(strpos($arg, "|"))
{
$tmp = explode("|", $arg);
foreach($tmp as $val)
{
if(in_array($val,$ap_array))
{
return true;
}
}
}
return false;
//return ($this->isAdmin() && getperms($perm_str, $this->getAdminPerms()));
}
/**
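Review bot: `$matches[2]` is concatenated straight into the WHERE clause at the `$sql->select('plugin', 'plugin_id', ...)` call, yet it is derived from `$path`, which getperms() fills from e_SELF by default and which any caller can pass; escape it before it reaches the query, e.g. `$pluginPath = $sql->escape($matches[2]);` and `"plugin_path = '".$pluginPath."' LIMIT 1 "`, or use a bound parameter if the handler supports one. The two membership checks are also inconsistent: `in_array($arg,$ap_array,false)` is explicitly loose while `in_array($val,$ap_array)` omits the flag, and since `$arg` is already normalised to a string at the `$arg === 0` step both could cast and compare strictly (`in_array((string) $val, $ap_array, true)`) — some callers may still pass ints, so the cast matters. `if(strpos($arg, "|"))` misses a pipe at offset 0; `strpos($arg, '|') !== false` is the safe form. checkAdminPerms() is fully inside the hunk; the enclosing class continues outside it.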


@ -10,7 +10,7 @@
if(!defined('e107_INIT')){ exit; }
if (!getperms("2"))
if (!getperms("2") && !e107::isCli())
{
e107::redirect();
exit;
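Review bot: The added `&& !e107::isCli()` makes this redirect a gate that is skipped for every command-line invocation, not only the test runner, so any script that includes this file from the CLI reaches the admin code below without a permission check. If the intent is only to let the unit tests load the file, a narrower condition (a test-only constant, or loading an admin user model in the test as the commented `_before()` in class2Test suggests) keeps the gate in place for other CLI entry points. The rest of the file is outside the hunk, so what the gate protects cannot be seen here.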


@ -10,9 +10,23 @@
class class2Test extends \Codeception\Test\Unit
{
public $usr;
/*protected function _before()
{
try
{
$this->usr = $this->make('e_user_model');
}
catch(Exception $e)
{
$this->fail( "Couldn't load e_user_model object");
}
e107::getUser()->load(1); // load user_id = 1.
}*/
function testLoadClass2()
{
@ -23,6 +37,11 @@
function testGetPerms()
{
// $this->markTestSkipped("Skipped - CLI mode changes behavior.");
// See class2.php Line 1643
$result = getperms('N', '5');
$this->assertFalse($result);
$result = getperms('N', '0');
$this->assertTrue($result);
@ -47,6 +66,12 @@
}
function testUserModel()
{
$result = e107::getUser();
var_dump($result);
}
function testCheckClass()
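Review bot: `testUserModel()` has no assertion and leaves a `var_dump($result)` in the suite, so it always passes and merely prints to the runner's output; assert on the object instead, e.g. `$this->assertInstanceOf('e_user_model', $result);` (`e107::getUser()` is paired with `checkAdminPerms()` elsewhere in this commit, so that class or a subclass is presumably what it returns — confirm). The commented-out `_before()` block and the commented `markTestSkipped` line are dead code, and the `// See class2.php Line 1643` pointer will drift with the next edit to class2.php; drop them or reference `init_session()` by name instead of a line number.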


@ -17,7 +17,7 @@
catch(Exception $e)
{
$this->assertTrue(false, $e->getMessage());
$this->fail( $e->getMessage());
}
}