Compare commits
9 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
0c1f060759 | ||
|
|
aad46ec80a | ||
|
|
f5e9f0610d | ||
|
|
14a5250cd7 | ||
|
|
6e6edef57d | ||
|
|
d3810db965 | ||
|
|
187a012284 | ||
|
|
b3d2662fd2 | ||
|
|
1189aecae9 |
@@ -1 +1 @@
|
||||
8.1.2
|
||||
8.2.1
|
||||
|
||||
@@ -69,6 +69,7 @@ declare(strict_types=1);
|
||||
namespace CoreLibs\ACL;
|
||||
|
||||
use CoreLibs\Check\Password;
|
||||
use CoreLibs\Convert\Json;
|
||||
|
||||
class Login
|
||||
{
|
||||
@@ -753,7 +754,10 @@ class Login
|
||||
// we have to get the themes in here too
|
||||
$q = "SELECT eu.edit_user_id, eu.username, eu.password, "
|
||||
. "eu.edit_group_id, "
|
||||
. "eg.name AS edit_group_name, admin, "
|
||||
. "eg.name AS edit_group_name, eu.admin, "
|
||||
// additinal acl lists
|
||||
. "eu.additional_acl AS user_additional_acl, "
|
||||
. "eg.additional_acl AS group_additional_acl, "
|
||||
// login error + locked
|
||||
. "eu.login_error_count, eu.login_error_date_last, "
|
||||
. "eu.login_error_date_first, eu.strict, eu.locked, "
|
||||
@@ -901,8 +905,10 @@ class Login
|
||||
$_SESSION['GROUP_NAME'] = $res['edit_group_name'];
|
||||
$_SESSION['USER_ACL_LEVEL'] = $res['user_level'];
|
||||
$_SESSION['USER_ACL_TYPE'] = $res['user_type'];
|
||||
$_SESSION['USER_ADDITIONAL_ACL'] = Json::jsonConvertToArray($res['user_additional_acl']);
|
||||
$_SESSION['GROUP_ACL_LEVEL'] = $res['group_level'];
|
||||
$_SESSION['GROUP_ACL_TYPE'] = $res['group_type'];
|
||||
$_SESSION['GROUP_ADDITIONAL_ACL'] = Json::jsonConvertToArray($res['group_additional_acl']);
|
||||
// deprecated TEMPLATE setting
|
||||
$_SESSION['TEMPLATE'] = $res['template'] ? $res['template'] : '';
|
||||
$_SESSION['HEADER_COLOR'] = !empty($res['second_header_color']) ?
|
||||
@@ -1021,7 +1027,8 @@ class Login
|
||||
$_SESSION['PAGES'] = $pages;
|
||||
$_SESSION['PAGES_ACL_LEVEL'] = $pages_acl;
|
||||
// load the edit_access user rights
|
||||
$q = "SELECT ea.edit_access_id, level, type, ea.name, ea.color, ea.uid, edit_default "
|
||||
$q = "SELECT ea.edit_access_id, level, type, ea.name, "
|
||||
. "ea.color, ea.uid, edit_default, ea.additional_acl "
|
||||
. "FROM edit_access_user eau, edit_access_right ear, edit_access ea "
|
||||
. "WHERE eau.edit_access_id = ea.edit_access_id "
|
||||
. "AND eau.edit_access_right_id = ear.edit_access_right_id "
|
||||
@@ -1048,6 +1055,7 @@ class Login
|
||||
'uid' => $res['uid'],
|
||||
'color' => $res['color'],
|
||||
'default' => $res['edit_default'],
|
||||
'additional_acl' => Json::jsonConvertToArray($res['additional_acl']),
|
||||
'data' => $ea_data
|
||||
];
|
||||
// set the default unit
|
||||
@@ -1122,6 +1130,11 @@ class Login
|
||||
// username (login), group name
|
||||
$this->acl['user_name'] = $_SESSION['USER_NAME'];
|
||||
$this->acl['group_name'] = $_SESSION['GROUP_NAME'];
|
||||
// set additional acl
|
||||
$this->acl['additional_acl'] = [
|
||||
'user' => $_SESSION['USER_ADDITIONAL_ACL'],
|
||||
'group' => $_SESSION['GROUP_ADDITIONAL_ACL'],
|
||||
];
|
||||
// we start with the default acl
|
||||
$this->acl['base'] = $this->default_acl_level;
|
||||
|
||||
@@ -1184,7 +1197,8 @@ class Login
|
||||
'uid' => $unit['uid'],
|
||||
'level' => $this->default_acl_list[$this->acl['unit'][$ea_id]]['name'] ?? -1,
|
||||
'default' => $unit['default'],
|
||||
'data' => $unit['data']
|
||||
'data' => $unit['data'],
|
||||
'additional_acl' => $unit['additional_acl']
|
||||
];
|
||||
// set default
|
||||
if (!empty($unit['default'])) {
|
||||
|
||||
@@ -279,8 +279,20 @@ class IO
|
||||
public const NO_CACHE = 3;
|
||||
/** @var string default hash type */
|
||||
public const ERROR_HASH_TYPE = 'adler32';
|
||||
/**
|
||||
* @var string regex for params: only stand alone $number allowed
|
||||
* never allowed to start with '
|
||||
* must be after space/tab, =, (
|
||||
*/
|
||||
public const REGEX_PARAMS = '/[^\'][\s(=](\$[0-9]{1,})/';
|
||||
/** @var string regex to get returning with matches at position 1 */
|
||||
public const REGEX_RETURNING = '/\s+returning\s+(.+\s*(?:.+\s*)+);?$/i';
|
||||
// REGEX_SELECT
|
||||
// REGEX_UPDATE
|
||||
// REGEX INSERT
|
||||
// REGEX_INSERT_UPDATE_DELETE
|
||||
// REGEX_FROM_TABLE
|
||||
// REGEX_INSERT_UPDATE_DELETE_TABLE
|
||||
|
||||
// recommend to set private/protected and only allow setting via method
|
||||
// can bet set from outside
|
||||
@@ -1017,7 +1029,7 @@ class IO
|
||||
{
|
||||
// search for $1, $2, in the query and push it into the control array
|
||||
// skip counts for same eg $1, $1, $2 = 2 and not 3
|
||||
preg_match_all('/(\$[0-9]{1,})/', $query, $match);
|
||||
preg_match_all(self::REGEX_PARAMS, $query, $match);
|
||||
$placeholder_count = count(array_unique($match[1]));
|
||||
if ($params_count != $placeholder_count) {
|
||||
$this->__dbError(
|
||||
@@ -1134,7 +1146,7 @@ class IO
|
||||
$this->params
|
||||
),
|
||||
'__dbPrepareExec',
|
||||
($this->params === [] ? 'Q' : 'Qp'),
|
||||
($this->params === [] ? 'Q' : 'Qp')
|
||||
);
|
||||
}
|
||||
// import protection, hash needed
|
||||
@@ -1154,7 +1166,15 @@ class IO
|
||||
$this->query_called[$query_hash] > $this->MAX_QUERY_CALL
|
||||
) {
|
||||
$this->__dbError(30, false, $this->query);
|
||||
$this->__dbDebug('db', $this->query, 'dbExec', 'Q[nc]');
|
||||
$this->__dbDebug(
|
||||
'db',
|
||||
$this->__dbDebugPrepare(
|
||||
$this->query,
|
||||
$this->params
|
||||
),
|
||||
'dbExec',
|
||||
($this->params === [] ? 'Q[nc]' : 'Qp[nc]')
|
||||
);
|
||||
return false;
|
||||
}
|
||||
$this->query_called[$query_hash] ++;
|
||||
@@ -1933,6 +1953,18 @@ class IO
|
||||
// check if params count matches
|
||||
// checks if the params count given matches the expected count
|
||||
if ($this->__dbCheckQueryParams($query, count($params)) === false) {
|
||||
// in case we got an error print out query
|
||||
if ($this->db_debug) {
|
||||
$this->__dbDebug(
|
||||
'db',
|
||||
$this->__dbDebugPrepare(
|
||||
$this->query,
|
||||
$this->params
|
||||
),
|
||||
'dbReturn',
|
||||
($this->params === [] ? 'Q[e]' : 'Qp[e]')
|
||||
);
|
||||
}
|
||||
return false;
|
||||
}
|
||||
// set first call to false
|
||||
@@ -1956,7 +1988,15 @@ class IO
|
||||
$this->cursor_ext[$query_hash]['log'][] = 'No cursor';
|
||||
// for DEBUG, print out each query executed
|
||||
if ($this->db_debug) {
|
||||
$this->__dbDebug('db', $this->cursor_ext[$query_hash]['query'], 'dbReturn', 'Q');
|
||||
$this->__dbDebug(
|
||||
'db',
|
||||
$this->__dbDebugPrepare(
|
||||
$this->cursor_ext[$query_hash]['query'],
|
||||
$this->cursor_ext[$query_hash]['params']
|
||||
),
|
||||
'dbReturn',
|
||||
($this->cursor_ext[$query_hash]['params'] === [] ? 'Q' : 'Qp'),
|
||||
);
|
||||
}
|
||||
// if no DB Handler try to reconnect
|
||||
if (!$this->dbh) {
|
||||
@@ -1985,7 +2025,15 @@ class IO
|
||||
// if still no cursor ...
|
||||
if (!$this->cursor_ext[$query_hash]['cursor']) {
|
||||
if ($this->db_debug) {
|
||||
$this->__dbDebug('db', $this->cursor_ext[$query_hash]['query'], 'dbReturn', 'Q');
|
||||
$this->__dbDebug(
|
||||
'db',
|
||||
$this->__dbDebugPrepare(
|
||||
$this->cursor_ext[$query_hash]['query'],
|
||||
$this->cursor_ext[$query_hash]['params']
|
||||
),
|
||||
'dbReturn',
|
||||
($this->cursor_ext[$query_hash]['params'] === [] ? 'Q[e]' : 'Qp[e]'),
|
||||
);
|
||||
}
|
||||
// internal error handling
|
||||
$this->__dbError(13, $this->cursor_ext[$query_hash]['cursor']);
|
||||
@@ -2288,10 +2336,6 @@ class IO
|
||||
$this->__dbError(17, false, $query);
|
||||
return false;
|
||||
}
|
||||
// checks if the params count given matches the expected count
|
||||
if ($this->__dbCheckQueryParams($query, count($params)) === false) {
|
||||
return false;
|
||||
}
|
||||
$cursor = $this->dbExecParams($query, $params);
|
||||
if ($cursor === false) {
|
||||
return false;
|
||||
@@ -2336,10 +2380,6 @@ class IO
|
||||
$this->__dbError(17, false, $query);
|
||||
return false;
|
||||
}
|
||||
// checks if the params count given matches the expected count
|
||||
if ($this->__dbCheckQueryParams($query, count($params)) === false) {
|
||||
return false;
|
||||
}
|
||||
$cursor = $this->dbExecParams($query, $params);
|
||||
if ($cursor === false) {
|
||||
return false;
|
||||
@@ -2588,7 +2628,7 @@ class IO
|
||||
$match = [];
|
||||
// search for $1, $2, in the query and push it into the control array
|
||||
// skip counts for same eg $1, $1, $2 = 2 and not 3
|
||||
preg_match_all('/(\$[0-9]{1,})/', $query, $match);
|
||||
preg_match_all(self::REGEX_PARAMS, $query, $match);
|
||||
$this->prepare_cursor[$stm_name]['count'] = count(array_unique($match[1]));
|
||||
$this->prepare_cursor[$stm_name]['query'] = $query;
|
||||
$result = $this->db_functions->__dbPrepare($stm_name, $query);
|
||||
@@ -2649,6 +2689,17 @@ class IO
|
||||
);
|
||||
return false;
|
||||
}
|
||||
if ($this->db_debug) {
|
||||
$this->__dbDebug(
|
||||
'db',
|
||||
$this->__dbDebugPrepare(
|
||||
$this->prepare_cursor[$stm_name]['query'],
|
||||
$data
|
||||
),
|
||||
'dbExecPrep',
|
||||
'Qpe'
|
||||
);
|
||||
}
|
||||
// if the count does not match
|
||||
if ($this->prepare_cursor[$stm_name]['count'] != count($data)) {
|
||||
$this->__dbError(
|
||||
@@ -2661,17 +2712,6 @@ class IO
|
||||
);
|
||||
return false;
|
||||
}
|
||||
if ($this->db_debug) {
|
||||
$this->__dbDebug(
|
||||
'db',
|
||||
$this->__dbDebugPrepare(
|
||||
$this->prepare_cursor[$stm_name]['query'],
|
||||
$data
|
||||
),
|
||||
'dbExecPrep',
|
||||
'Qp'
|
||||
);
|
||||
}
|
||||
$result = $this->db_functions->__dbExecute($stm_name, $data);
|
||||
if ($result === false) {
|
||||
$this->log->debug('ExecuteData', 'ERROR in STM[' . $stm_name . '|'
|
||||
|
||||
@@ -267,6 +267,8 @@ final class CoreLibsACLLoginTest extends TestCase
|
||||
'GROUP_ACL_LEVEL' => -1,
|
||||
'PAGES_ACL_LEVEL' => [],
|
||||
'USER_ACL_LEVEL' => -1,
|
||||
'USER_ADDITIONAL_ACL' => [],
|
||||
'GROUP_ADDITIONAL_ACL' => [],
|
||||
'UNIT_UID' => [
|
||||
'AdminAccess' => 1,
|
||||
],
|
||||
@@ -280,6 +282,7 @@ final class CoreLibsACLLoginTest extends TestCase
|
||||
'data' => [
|
||||
'test' => 'value',
|
||||
],
|
||||
'additional_acl' => []
|
||||
],
|
||||
],
|
||||
// 'UNIT_DEFAULT' => '',
|
||||
|
||||
Reference in New Issue
Block a user