From 79fcf4ca0e9877e7346c2e98502fece51b903b6e Mon Sep 17 00:00:00 2001
From: Roland Gruber
Date: Sun, 22 Jul 2012 10:37:01 +0000
Subject: [PATCH] better tool protection

---
 lam/HISTORY | 7 ++++++-
 lam/lib/security.inc | 17 ++++++++++++++++-
 lam/templates/masscreate.php | 2 ++
 lam/templates/ou_edit.php | 2 ++
 lam/templates/pdfedit/pdfmain.php | 4 +++-
 lam/templates/profedit/profilemain.php | 4 +++-
 lam/templates/schema/schema.php | 4 +++-
 lam/templates/serverInfo.php | 4 +++-
 lam/templates/tests/index.php | 4 +++-
 lam/templates/tests/lamdaemonTest.php | 4 +++-
 lam/templates/tests/schemaTest.php | 2 ++
 11 files changed, 46 insertions(+), 8 deletions(-)

diff --git a/lam/HISTORY b/lam/HISTORY
index f9234e5b..5085ef70 100644
--- a/lam/HISTORY
+++ b/lam/HISTORY
@@ -1,4 +1,9 @@
-July 2012
+September 2012 3.9
+ - fixed bugs
+ -> Hidden tools are still shown in the "Tools" page (3546092)
+
+
+19.07.2012 3.8
 - quick (un)lock for users
 - allow to disable tools
 - LAM Pro:
diff --git a/lam/lib/security.inc b/lam/lib/security.inc
index 0d73606d..f64a7eb7 100644
--- a/lam/lib/security.inc
+++ b/lam/lib/security.inc
@@ -3,7 +3,7 @@ $Id$
 This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
- Copyright (C) 2006 - 2010 Roland Gruber
+ Copyright (C) 2006 - 2012 Roland Gruber
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -291,4 +291,19 @@ function checkPasswordStrength($password) {
 return true;
 }
+/**
+ * Checks if the given tool is active.
+ * Otherwise, an error message is logged and the execution is stopped (die()).
+ *
+ * @param String $tool tool class name (e.g. toolFileUpload)
+ */
+function checkIfToolIsActive($tool) {
+ $toolSettings = $_SESSION['config']->getToolSettings();
+ // check if hidden by config
+ if (isset($toolSettings['tool_hide_' . $tool]) && ($toolSettings['tool_hide_' . $tool] == 'true')) {
+ logNewMessage(LOG_ERR, 'Unauthorized access to tool ' . $tool . ' denied.');
+ die();
+ }
+}
+
 ?>
\ No newline at end of file
diff --git a/lam/templates/masscreate.php b/lam/templates/masscreate.php
index 4623eaf3..a8daa6d0 100644
--- a/lam/templates/masscreate.php
+++ b/lam/templates/masscreate.php
@@ -46,6 +46,8 @@ startSecureSession();
 // die if no write access
 if (!checkIfWriteAccessIsAllowed()) die();
+checkIfToolIsActive('toolFileUpload');
+
 // Redirect to startpage if user is not loged in
 if (!isset($_SESSION['loggedIn']) || ($_SESSION['loggedIn'] !== true)) {
 metaRefresh("login.php");
diff --git a/lam/templates/ou_edit.php b/lam/templates/ou_edit.php
index 1872feac..68cbe564 100644
--- a/lam/templates/ou_edit.php
+++ b/lam/templates/ou_edit.php
@@ -43,6 +43,8 @@ startSecureSession();
 // die if no write access
 if (!checkIfWriteAccessIsAllowed()) die();
+checkIfToolIsActive('toolOUEditor');
+
 setlanguage();
 $types = $_SESSION['config']->get_ActiveTypes();
diff --git a/lam/templates/pdfedit/pdfmain.php b/lam/templates/pdfedit/pdfmain.php
index 4f699d4b..a7cd6045 100644
--- a/lam/templates/pdfedit/pdfmain.php
+++ b/lam/templates/pdfedit/pdfmain.php
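Review bot: `checkIfToolIsActive()` denies with a bare `die()` right after `logNewMessage(...)`, so a hidden tool answers with HTTP 200 and an empty body that a client or a web-server log cannot tell apart from a blank page; every caller in this patch invokes it before `include '../main_header.php'`, so headers can still be sent, and adding `header('HTTP/1.0 403 Forbidden');` before the `die();` makes the denial visible without changing the fail-stop behaviour. The check is keyed only by the string the caller passes (`'tool_hide_' . $tool`), so a call site that misspells a tool class name silently fails open; the docblock should say so, e.g. `@param String $tool tool class name, must match the tool's class name exactly (e.g. toolFileUpload); an unknown name is treated as active`, and if a list of known tool classes is reachable from here, rejecting names not in it would turn that into a fail-closed error. The loose `== 'true'` on the config value works for strings but `=== 'true'` states the intent more clearly.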
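Review bot: In masscreate.php the new `checkIfToolIsActive('toolFileUpload');` runs before the `Redirect to startpage if user is not loged in` block, so for a request without a login the first thing to dereference the session is `$_SESSION['config']->getToolSettings()` inside the new function rather than the redirect; if `startSecureSession()` can leave `config` unset for an anonymous session (not visible in this hunk), that request would end in a PHP error instead of the redirect. `checkIfWriteAccessIsAllowed()` already precedes the login check, so this ordering may be deliberate; if it is, a one-line comment `// needs $_SESSION['config'] to be populated even before the login check` would make the dependency explicit, otherwise moving the call below the redirect block avoids it.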
@@ -4,7 +4,7 @@ $Id$
 This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
 Copyright (C) 2003 - 2006 Michael Duergner
- 2005 - 2011 Roland Gruber
+ 2005 - 2012 Roland Gruber
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -47,6 +47,8 @@ startSecureSession();
 // die if no write access
 if (!checkIfWriteAccessIsAllowed()) die();
+checkIfToolIsActive('toolPDFEditor');
+
 setlanguage();
 // Unset pdf structure definitions in session if set
diff --git a/lam/templates/profedit/profilemain.php b/lam/templates/profedit/profilemain.php
index 41649f3c..4c1bb2c7 100644
--- a/lam/templates/profedit/profilemain.php
+++ b/lam/templates/profedit/profilemain.php
@@ -3,7 +3,7 @@ $Id$
 This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
- Copyright (C) 2003 - 2011 Roland Gruber
+ Copyright (C) 2003 - 2012 Roland Gruber
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -43,6 +43,8 @@ startSecureSession();
 // die if no write access
 if (!checkIfWriteAccessIsAllowed()) die();
+checkIfToolIsActive('toolProfileEditor');
+
 setlanguage();
 $types = $_SESSION['config']->get_ActiveTypes();
diff --git a/lam/templates/schema/schema.php b/lam/templates/schema/schema.php
index ccdd93b0..44880e82 100644
--- a/lam/templates/schema/schema.php
+++ b/lam/templates/schema/schema.php
@@ -3,7 +3,7 @@ $Id$
 Copyright (C) 2004 David Smith
- modified to fit for LDAP Account Manager 2005 - 2010 Roland Gruber
+ modified to fit for LDAP Account Manager 2005 - 2012 Roland Gruber
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -43,6 +43,8 @@ require_once("../../lib/schema.inc");
 // start session
 startSecureSession();
+checkIfToolIsActive('toolSchemaBrowser');
+
 setlanguage();
 include '../main_header.php';
diff --git a/lam/templates/serverInfo.php b/lam/templates/serverInfo.php
index 4d43593f..fe0d49a6 100644
--- a/lam/templates/serverInfo.php
+++ b/lam/templates/serverInfo.php
@@ -3,7 +3,7 @@ $Id$
 This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
- Copyright (C) 2009 - 2011 Roland Gruber
+ Copyright (C) 2009 - 2012 Roland Gruber
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -36,6 +36,8 @@ include_once("../lib/config.inc");
 // start session
 startSecureSession();
+checkIfToolIsActive('toolServerInformation');
+
 setlanguage();
 $namingContexts = '';
diff --git a/lam/templates/tests/index.php b/lam/templates/tests/index.php
index 9a1b07ef..a5dbbc7c 100644
--- a/lam/templates/tests/index.php
+++ b/lam/templates/tests/index.php
@@ -3,7 +3,7 @@ $Id$
 This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
- Copyright (C) 2006 - 2010 Roland Gruber
+ Copyright (C) 2006 - 2012 Roland Gruber
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -39,6 +39,8 @@ startSecureSession();
 // die if no write access
 if (!checkIfWriteAccessIsAllowed()) die();
+checkIfToolIsActive('toolTests');
+
 setlanguage();
 include '../main_header.php';
diff --git a/lam/templates/tests/lamdaemonTest.php b/lam/templates/tests/lamdaemonTest.php
index b1de526c..0328425a 100644
--- a/lam/templates/tests/lamdaemonTest.php
+++ b/lam/templates/tests/lamdaemonTest.php
@@ -3,7 +3,7 @@ $Id$
 This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
- Copyright (C) 2006 - 2010 Roland Gruber
+ Copyright (C) 2006 - 2012 Roland Gruber
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -40,6 +40,8 @@ startSecureSession();
 // die if no write access
 if (!checkIfWriteAccessIsAllowed()) die();
+checkIfToolIsActive('toolTests');
+
 setlanguage();
 include '../main_header.php';
diff --git a/lam/templates/tests/schemaTest.php b/lam/templates/tests/schemaTest.php
index 400dc15e..44995db7 100644
--- a/lam/templates/tests/schemaTest.php
+++ b/lam/templates/tests/schemaTest.php
@@ -43,6 +43,8 @@ startSecureSession();
 // die if no write access
 if (!checkIfWriteAccessIsAllowed()) die();
+checkIfToolIsActive('toolTests');
+
 setlanguage();
 include '../main_header.php';