diff --git a/src/etc/inc/auth_func.inc b/src/etc/inc/auth_func.inc
index 08775b131a..795ccdbdf1 100644
--- a/src/etc/inc/auth_func.inc
+++ b/src/etc/inc/auth_func.inc
@@ -30,6 +30,7 @@
 
 function cmp_page_matches($page, & $matches, $fullwc = true) {
 
+	global $g;
 //	$dbg_matches = implode(",", $matches);
 //	log_error("debug: checking page {$page} match with {$dbg_matches}");
 
@@ -37,11 +38,14 @@ function cmp_page_matches($page, & $matches, $fullwc = true) {
 		return false;
 	}
 
-	/* skip any leading fwdslash */
-	$test = strpos($page, "/");
-	if ($test !== false && $test == 0) {
-		$page = substr($page, 1);
+	list($file, $query) = explode('?', $page);
+	$file = realpath( $g['www_path'] . '/' . ltrim($file, '/'));
+	if (empty($file)) {
+		/* File does not exist, or other path shenanigans */
+		return false;
 	}
+	$page = str_replace($g['www_path'] . '/', '', $file);
+	$page .= (!empty($query)) ? "?{$query}" : "";
 
 	/* look for a match */
 	foreach ($matches as $match) {
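Review bot: The resolved path is never checked to sit under `$g['www_path']`: `realpath()` follows `..` segments and symlinks, and when the result lies outside the web root the `str_replace()` on the next line leaves it as an absolute path that is still compared against the privilege patterns, so a pattern with a leading wildcard could match it. I would reject such paths explicitly and strip the root with a prefix-anchored `substr()`, since `str_replace()` also removes the root string wherever it recurs later in the path. Separately, `explode('?', $page)` yields a single element when the request has no query string, leaving `$query` undefined, and without a limit of 2 everything after a second `?` is dropped. The enclosing cmp_page_matches() starts before this hunk and its match loop continues past it. The sketch below also rejects a path that resolves to the web root itself; confirm callers always pass a file.

```php
	list($file, $query) = array_pad(explode('?', $page, 2), 2, '');
	$root = realpath($g['www_path']);
	$file = ($root === false) ? false : realpath($root . '/' . ltrim($file, '/'));
	if (empty($file) || strncmp($file, $root . '/', strlen($root) + 1) !== 0) {
		/* File does not exist, or resolves outside the web root */
		return false;
	}
	$page = substr($file, strlen($root) + 1);
	// … unchanged: re-append of the query string, match loop …
```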
diff --git a/src/etc/inc/priv/user.priv.inc b/src/etc/inc/priv/user.priv.inc
index 02b5d8f4a8..6446777f5a 100644
--- a/src/etc/inc/priv/user.priv.inc
+++ b/src/etc/inc/priv/user.priv.inc
@@ -21,7 +21,7 @@ $priv_list['page-dashboard-all']['name'] = gettext("WebCfg - Dashboard (all)");
 $priv_list['page-dashboard-all']['descr'] = gettext("Allow access to all pages required for the dashboard.");
 $priv_list['page-dashboard-all']['match'] = array();
 $priv_list['page-dashboard-all']['match'][] = "index.php*";
-$priv_list['page-dashboard-all']['match'][] = "*.widget.php*";
+$priv_list['page-dashboard-all']['match'][] = "widgets/widgets/*.widget.php*";
 $priv_list['page-dashboard-all']['match'][] = "graph.php*";
 $priv_list['page-dashboard-all']['match'][] = "graph_cpu.php*";
 $priv_list['page-dashboard-all']['match'][] = "getstats.php*";
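Review bot: Nothing near these entries records that match patterns are now compared against the canonicalized path relative to the web root, which appears to be why the directory prefix became necessary here and in the `page-dashboard-widgets` entry in the next hunk. A short comment above the changed line, such as `/* patterns are matched against the realpath-resolved path relative to the web root */`, would help keep later entries from reintroducing a leading `*`. This is inferred from the cmp_page_matches() change in the same commit. Other privilege definitions with leading-wildcard patterns are not visible here and may deserve the same tightening.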
@@ -32,7 +32,7 @@ $priv_list['page-dashboard-widgets'] = array();
 $priv_list['page-dashboard-widgets']['name'] = gettext("WebCfg - Dashboard widgets (direct access).");
 $priv_list['page-dashboard-widgets']['descr'] = gettext("Allow direct access to all Dashboard widget pages, required for some widgets using AJAX.");
 $priv_list['page-dashboard-widgets']['match'] = array();
-$priv_list['page-dashboard-widgets']['match'][] = "*.widget.php*";
+$priv_list['page-dashboard-widgets']['match'][] = "widgets/widgets/*.widget.php*";
 
 $priv_list['user-config-readonly'] = array();
 $priv_list['user-config-readonly']['name']  = gettext("User - Config: Deny Config Write");
