Bug #9513 ยป priv-match-fixes.diff

Jim Pingle, 05/09/2019 03:44 PM


src/etc/inc/auth_func.inc
30 30

  
31 31
function cmp_page_matches($page, & $matches, $fullwc = true) {
32 32

  
33
	global $g;
33 34
//	$dbg_matches = implode(",", $matches);
34 35
//	log_error("debug: checking page {$page} match with {$dbg_matches}");
35 36

  
......
37 38
		return false;
38 39
	}
39 40

  
40
	/* skip any leading fwdslash */
41
	$test = strpos($page, "/");
42
	if ($test !== false && $test == 0) {
43
		$page = substr($page, 1);
41
	list($file, $query) = explode('?', $page);
42
	$file = realpath( $g['www_path'] . '/' . ltrim($file, '/'));
43
	if (empty($file)) {
44
		/* File does not exist, or other path shenanigans */
45
		return false;
44 46
	}
47
	$page = str_replace($g['www_path'] . '/', '', $file);
48
	$page .= (!empty($query)) ? "?{$query}" : "";
45 49

  
46 50
	/* look for a match */
47 51
	foreach ($matches as $match) {
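Review bot: The added `str_replace($g['www_path'] . '/', '', $file)` removes the web-root string wherever it occurs and never confirms that the `realpath()` result lies under `$g['www_path']`, so a path resolving outside the web root (through `..` or a symlink) reaches the match loop as an absolute path instead of being rejected. An anchored prefix check would close that gap: `$root = $g['www_path'] . '/';`, then `if (strncmp($file, $root, strlen($root)) !== 0) { return false; }`, then `$page = substr($file, strlen($root));`. Whether any leading-wildcard pattern would then match such a path depends on the privilege lists and on the rest of the loop, which are not fully visible here. Separately, `list($file, $query) = explode('?', $page);` leaves `$query` unassigned (with a notice) when the page has no `?` and silently drops everything after a second `?`; `explode('?', $page, 2)` padded to two elements avoids both. The body of cmp_page_matches starts and ends outside the shown hunks.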
src/etc/inc/priv/user.priv.inc
21 21
$priv_list['page-dashboard-all']['descr'] = gettext("Allow access to all pages required for the dashboard.");
22 22
$priv_list['page-dashboard-all']['match'] = array();
23 23
$priv_list['page-dashboard-all']['match'][] = "index.php*";
24
$priv_list['page-dashboard-all']['match'][] = "*.widget.php*";
24
$priv_list['page-dashboard-all']['match'][] = "widgets/widgets/*.widget.php*";
25 25
$priv_list['page-dashboard-all']['match'][] = "graph.php*";
26 26
$priv_list['page-dashboard-all']['match'][] = "graph_cpu.php*";
27 27
$priv_list['page-dashboard-all']['match'][] = "getstats.php*";
......
32 32
$priv_list['page-dashboard-widgets']['name'] = gettext("WebCfg - Dashboard widgets (direct access).");
33 33
$priv_list['page-dashboard-widgets']['descr'] = gettext("Allow direct access to all Dashboard widget pages, required for some widgets using AJAX.");
34 34
$priv_list['page-dashboard-widgets']['match'] = array();
35
$priv_list['page-dashboard-widgets']['match'][] = "*.widget.php*";
35
$priv_list['page-dashboard-widgets']['match'][] = "widgets/widgets/*.widget.php*";
36 36

  
37 37
$priv_list['user-config-readonly'] = array();
38 38
$priv_list['user-config-readonly']['name']  = gettext("User - Config: Deny Config Write");
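Review bot: The directory-anchored `widgets/widgets/*.widget.php*` entries for `page-dashboard-all` and `page-dashboard-widgets` carry no comment saying what form of path they are compared against, so a later edit could reintroduce a leading-wildcard pattern without noticing the difference. The page does not mark which of the two entries at line 24 and at line 35 is the added one; this note assumes the anchored form is the new side, in line with the path normalisation in cmp_page_matches. A one-line comment above each entry would document the dependency, for example `/* Matched against the web-root-relative path from cmp_page_matches(); keep the directory prefix. */`. It would also be worth checking the other priv files for patterns that still begin with `*`, since none of them are visible in this patch.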