[SUCS Devel] site r620 - branches/sucs-site/components

imranh at sucs.org imranh at sucs.org
Thu Dec 25 20:19:33 GMT 2014


Author: imranh
Date: 2014-12-25 20:19:31 +0000 (Thu, 25 Dec 2014)
New Revision: 620

Modified:
   branches/sucs-site/components/menu.php
Log:
Security. Menu items that have a non null permission value in the menu table will now only be visiable to people with that permission, unlike before where it kinda half worked and everybody could see everything.

Modified: branches/sucs-site/components/menu.php
===================================================================
--- branches/sucs-site/components/menu.php	2014-12-25 15:05:10 UTC (rev 619)
+++ branches/sucs-site/components/menu.php	2014-12-25 20:19:31 UTC (rev 620)
@@ -7,7 +7,7 @@
 
 function translate($word) {
 	global $language, $DB;
-	
+
 	if ($language['code']!="en") {
 		$query=$DB->GetRow("select title, title".$language['db']." from menu where title='".$word."'");
 		if ($query['title'.$language['db']]!="") return $query['title'.$language['db']];
@@ -60,9 +60,25 @@
 $menu = parseMenu($res);
 
 // this needs to choose the actual current one
-$res = $DB->GetAll("select * from menu where parent=".getPageID($pagename)." order by menuorder");
-if (count($res)>0) {
-	$submenu = parseMenu($res);
+// subpages/submenu items can have permissions attached to them as well!
+
+$query2  = "select * from menu where parent=";
+$query2 .= "'";
+$query2 .= getPageID($pagename);
+$query2 .= "'";
+$query2 .= " and (permission is NULL";
+
+if ($session->loggedin) $query2 .= " or permission='users'";
+
+foreach ($session->groups as $group => $value) {
+        $query2 .= " or permission='$group'";
+        }
+
+$query2 .= ") order by menuorder";
+
+$res2 = $DB->GetAll($query2);
+if (count($res2)>0) {
+	$submenu = parseMenu($res2);
 	$menu[translate($pagename)] = $submenu;
 }
 




More information about the Devel mailing list