[SUCS Devel] site r620 - branches/sucs-site/components
imranh at sucs.org
imranh at sucs.org
Thu Dec 25 20:19:33 GMT 2014
Author: imranh
Date: 2014-12-25 20:19:31 +0000 (Thu, 25 Dec 2014)
New Revision: 620
Modified:
branches/sucs-site/components/menu.php
Log:
Security. Menu items that have a non-null permission value in the menu table will now only be visible to people with that permission, unlike before where it kinda half worked and everybody could see everything.
Modified: branches/sucs-site/components/menu.php
===================================================================
--- branches/sucs-site/components/menu.php 2014-12-25 15:05:10 UTC (rev 619)
+++ branches/sucs-site/components/menu.php 2014-12-25 20:19:31 UTC (rev 620)
@@ -7,7 +7,7 @@
function translate($word) {
global $language, $DB;
-
+
if ($language['code']!="en") {
$query=$DB->GetRow("select title, title".$language['db']." from menu where title='".$word."'");
if ($query['title'.$language['db']]!="") return $query['title'.$language['db']];
@@ -60,9 +60,25 @@
$menu = parseMenu($res);
// this needs to choose the actual current one
-$res = $DB->GetAll("select * from menu where parent=".getPageID($pagename)." order by menuorder");
-if (count($res)>0) {
- $submenu = parseMenu($res);
+// subpages/submenu items can have permissions attached to them as well!
+
+$query2 = "select * from menu where parent=";
+$query2 .= "'";
+$query2 .= getPageID($pagename);
+$query2 .= "'";
+$query2 .= " and (permission is NULL";
+
+if ($session->loggedin) $query2 .= " or permission='users'";
+
+foreach ($session->groups as $group => $value) {
+ $query2 .= " or permission='$group'";
+ }
+
+$query2 .= ") order by menuorder";
+
+$res2 = $DB->GetAll($query2);
+if (count($res2)>0) {
+ $submenu = parseMenu($res2);
$menu[translate($pagename)] = $submenu;
}
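Review bot: The new submenu query is still built by string concatenation: `getPageID($pagename)` and every key of `$session->groups` are placed between single quotes with no escaping, so a page id or group name containing a quote would alter the statement that decides which restricted items are listed. If `$DB` is an ADOdb connection, as the `GetAll`/`GetRow` calls suggest, passing the values as bound parameters keeps the permission filter intact; the sketch below shows that shape. The same concatenation pattern is visible in `translate()` in the first hunk's context (`title='".$word."'`). This filter only hides menu entries; whether the target pages enforce the same permission is not visible in this diff and should be confirmed.

```php
// collect the permission values this session may see
$perms = array();
if ($session->loggedin) $perms[] = 'users';
foreach ($session->groups as $group => $value) {
	$perms[] = $group;
}

// one placeholder per value; nothing from the session is spliced into the SQL text
$query2 = "select * from menu where parent=? and (permission is NULL";
$query2 .= str_repeat(" or permission=?", count($perms));
$query2 .= ") order by menuorder";

$res2 = $DB->GetAll($query2, array_merge(array(getPageID($pagename)), $perms));
// … unchanged: count($res2) check, parseMenu($res2), $menu assignment …
```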