From c2b4d0592f7745e10e7f5db23dbd4104422dffc7 Mon Sep 17 00:00:00 2001 From: hickert Date: Thu, 1 Apr 2010 13:12:08 +0000 Subject: [PATCH] Updated FAX report ACLs. git-svn-id: https://oss.gonicus.de/repositories/gosa/trunk@17460 594d385d-05f5-0310-b6e9-bd551577e9d8 --- gosa-plugins/gofax/html/getfax.php | 44 ++++++++++++++++++++---------- 1 file changed, 30 insertions(+), 14 deletions(-) diff --git a/gosa-plugins/gofax/html/getfax.php b/gosa-plugins/gofax/html/getfax.php index fc44a225a..0b2255efa 100644 --- a/gosa-plugins/gofax/html/getfax.php +++ b/gosa-plugins/gofax/html/getfax.php @@ -29,19 +29,12 @@ session::set('errorsAlreadyPosted',array()); /* Logged in? Simple security check */ if (!session::is_set('ui')){ - new log("security","faxreport/faxreport","",array(),"Error: getfax.php called without session") ; - header ("Location: index.php"); + new log("security","users/viewFaxEntries","",array(),"Error: getfax.php called without session") ; + header ("Location: ../../index.php"); exit; } $ui= session::is_set("ui"); -/* User object present? */ -if (!session::is_set('fuserfilter')){ - new log("security","faxreport/faxreport","",array(),"getfax.php called without propper session data") ; - header ("Location: index.php"); - exit; -} - /* Get loaded servers */ foreach (array("FAX_SERVER", "FAX_LOGIN", "FAX_PASSWORD") as $val){ if (session::is_set($val)){ @@ -51,6 +44,8 @@ foreach (array("FAX_SERVER", "FAX_LOGIN", "FAX_PASSWORD") as $val){ /* Load fax entry */ $config= session::get('config'); +restore_error_handler(); + $cfg= $config->data['SERVERS']['FAX']; $link = mysql_pconnect($cfg['SERVER'], $cfg['LOGIN'], $cfg['PASSWORD']) or die(_("Could not connect to database server!")); @@ -62,18 +57,16 @@ mysql_select_db("gofax") or die(_("Could not select database!")); $query = "SELECT id,uid FROM faxlog WHERE id = '".validate(stripcslashes($_GET['id']))."'"; $result = mysql_query($query) or die(_("Database query failed!")); $line = mysql_fetch_array($result, MYSQL_ASSOC); -if (!preg_match ("/'".$line["uid"]."'/", session::get('fuserfilter'))){ - die ("No permissions to view fax!"); -} -$query = "SELECT id,fax_data FROM faxdata WHERE id = '". - validate(stripcslashes($_GET['id']))."'"; +$query = "SELECT id,fax_data FROM faxdata WHERE id = '".validate(stripcslashes($_GET['id']))."'"; $result = mysql_query($query) or die(_("Database query failed!")); /* Load pic */ $data = mysql_result ($result, 0, "fax_data"); mysql_close ($link); + + if (!isset($_GET['download'])){ /* display picture */ @@ -142,6 +135,29 @@ if (!isset($_GET['download'])){ } +// Get ALL valid FAX-Accounts and their dns, this allows us to perform correct +// permissions checks later. +$filter= "(&(objectClass=gosaAccount)(!(objectClass=gosaUserTemplate))(objectClass=goFaxAccount)(uid=*))"; +$tmp= get_list($filter, "users/viewFaxEntries", $config->current['BASE'], + array("uid"), GL_SUBSEARCH | GL_NO_ACL_CHECK); +$uidToDN = array(); +$uid = $line['uid']; +foreach($tmp as $attrs){ + $uidToDN[$attrs['uid'][0]] = $attrs['dn']; +} + +// Detect dn to check for +$dn = $config->current['BASE']; +if(isset($uidToDN[$uid])){ + $dn = $uidToDN[$uid]; +} + +// We do not have any ACLs for this entry, so continue. +$ui = session::get('ui'); +$acls = $ui->get_permissions($dn,"users/viewFaxEntries","detailedView"); +if(!preg_match("/r/",$acls)){ + $data = file_get_contents("../../images/lists/locked.png"); +} /* print the tiff image and close the connection */ echo "$data"; -- 2.30.2