[feladat @ 84]
authorrejo
Tue, 10 Jul 2007 21:24:06 +0000
changeset 37 b785e54690ce
parent 36 4ec5ab29f634
child 38 cf767482333a
[feladat @ 84] Bugfix. The function zone_count() now also counts zones an owner has only partial access to, not just those zones the owner has full access to. This fixes just the count, the zones a user has partial access to are not (yet!) shown in the "list zones" page. Bugfix. In the zone listing the "edit" button is now shown for users with access level 1. Until now they were presented an overview of the zones they could change, but there was no link for them to actually edit the zone. Bugfix. Some of the buttons in the "edit zone" interface that are of no use to a user with access level 1 have been hidden. Bugfix. Make sure a user with access level 1 with only partial access to a zone cannot add new records to that zone. Only the zone owner should be able to add new records. Bugfix. If a user with access level 1 edits a record in a zone he has only partial access to, an error was shown because of a call to a non-existing function in the PEAR:MDB2. This bug was most likely introduced while migrating from PEAR:DB to PEAR:MDB2. Bugfix. A user with access level 1 was able to delete all records of a zone he has only partial access to. Some additional checks have been added. Bugfix. If a user with access level 1 has partial access to one or more zones starting with a certain character, but did not own at least one entire zone starting with the same character, the character wasn't clickable in the "list zone" page. Interface. If no record or zone id is given for delete_record.php or delete_domain.php, don't just die but echo a nice message. The i18n files have not yet been updated to reflect this change. Interface. If no master IP is given in delete_supermaster.php, don't just die but echo a nice message. The i18n files have not yet been updated to reflect this change. [All fixes by Peter Beernink.]
add_record.php
delete_domain.php
delete_record.php
delete_supermaster.php
edit.php
edit_record.php
inc/record.inc.php
inc/toolkit.inc.php
list_zones.php
--- a/add_record.php	Mon Jul 02 23:01:18 2007 +0000
+++ b/add_record.php	Tue Jul 10 21:24:06 2007 +0000
@@ -2,6 +2,11 @@
 
 require_once("inc/toolkit.inc.php");
 
+$xsid = (isset($_GET['id'])) ? $_GET['id'] : $_POST['zoneid'];
+if ((!level(5)) && ((!xs($xsid) || ($_SESSION[$xsid.'_ispartial'])))) {
+	error(ERR_RECORD_ACCESS_DENIED);
+}
+
 if ($_POST["commit"]) {
         $ret = add_record($_POST["zoneid"], $_POST["name"], $_POST["type"], $_POST["content"], $_POST["ttl"], $_POST["prio"]);
         if ($ret != '1') {
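Review bot: The access check on lines 23-24 is evaluated against `$_GET['id']` whenever that parameter is present, but the commit branch on line 29 inserts into `$_POST["zoneid"]`; a request carrying both values can therefore pass the check for one zone and add the record to another. Check the id that is actually acted on, e.g. `$xsid = (int) ($_POST["commit"] ? $_POST['zoneid'] : $_GET['id']);`, which also normalises the request value before it is used as a session key and handed to `xs()`. The `_ispartial` session entry is read without `isset`, so `!empty($_SESSION[$xsid.'_ispartial'])` would avoid a notice when the flag was never set for that zone. The `if ($_POST["commit"])` block continues past the hunk.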
--- a/delete_domain.php	Mon Jul 02 23:01:18 2007 +0000
+++ b/delete_domain.php	Tue Jul 10 21:24:06 2007 +0000
@@ -45,6 +45,6 @@
         include_once("inc/header.inc.php");
 } else {
         include_once("inc/header.inc.php");
-        die("Nothing to do!");
+        echo _("Nothing to do!");
 }
 include_once("inc/footer.inc.php");
--- a/delete_record.php	Mon Jul 02 23:01:18 2007 +0000
+++ b/delete_record.php	Tue Jul 10 21:24:06 2007 +0000
@@ -3,6 +3,17 @@
 require_once("inc/toolkit.inc.php");
 
 if ($_GET["id"]) {
+	// check if we have access to the given id
+	$zoneId = recid_to_domid($_GET['id']);
+	if ((!level(5)) && (!xs($zoneId))) {
+    		error(ERR_RECORD_ACCESS_DENIED);
+	}
+	if ((!level(5)) && ($_SESSION[$zoneId.'_ispartial'] == 1)) {
+		$checkPartial = $db->queryOne("SELECT id FROM record_owners WHERE record_id='".$_GET["id"]."' AND user_id='".$_SESSION["userid"]."' LIMIT 1");
+		if (empty($checkPartial)) {
+			error(ERR_RECORD_ACCESS_DENIED);
+		}
+	}
         if ($_GET["confirm"] == '0') {
                 clean_page("edit.php?id=".$_GET["domain"]);
         } elseif ($_GET["confirm"] == '1') {
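Review bot: The new partial-access query on line 53 splices `$_GET["id"]` and `$_SESSION["userid"]` straight into the SQL string, so the id accepted from the request is never validated before it reaches the database, and the same raw `$_GET["id"]` is also passed to `recid_to_domid()` on line 48. Record ids appear to be integer keys, so normalise once and reuse the value: `$recordId = (int) $_GET['id'];`, `$zoneId = recid_to_domid($recordId);`, and `"... WHERE record_id=".$recordId." AND user_id=".(int) $_SESSION["userid"]." LIMIT 1"` (or `$db->quote($recordId, 'integer')`). The identical concatenation survives in the edit_record.php hunk and deserves the same treatment. The mixed spaces and tabs in front of `error(ERR_RECORD_ACCESS_DENIED);` on line 50 are a style nit. The surrounding `if ($_GET["id"])` block continues past the hunk.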
@@ -25,6 +36,6 @@
         <?
 } else {
         include_once("inc/header.inc.php");
-        die("Nothing to do!");
+        echo _("Nothing to do!");
 }
 include_once("inc/footer.inc.php");
--- a/delete_supermaster.php	Mon Jul 02 23:01:18 2007 +0000
+++ b/delete_supermaster.php	Tue Jul 10 21:24:06 2007 +0000
@@ -27,6 +27,6 @@
         <?
 } else {
         include_once("inc/header.inc.php");
-        die("Nothing to do!");
+        echo _("Nothing to do!");
 }
 include_once("inc/footer.inc.php");
--- a/edit.php	Mon Jul 02 23:01:18 2007 +0000
+++ b/edit.php	Tue Jul 10 21:24:06 2007 +0000
@@ -92,7 +92,6 @@
 	  </tr>
 <?
 	}
-}
   ?>
           <tr>
   	   <form method="post" action="edit.php?id=<? echo $_GET['id']?>">
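Review bot: The `}` removed here and the `if (level(5)) {` removed in the next hunk of this file (around old line 126) are not each other's pair: this brace closed a block opened before the hunk, and the removed `if` was closed by a brace after the second hunk, so the net effect is that the earlier block now extends to that later `}` and the `$domain_type=get_domain_type($_GET['id']);` / meta-right markup is no longer guarded by `level(5)` on its own. Both counterparts lie outside the visible hunks, so the pairing cannot be verified from the diff; please confirm that the earlier block is the one intended to hide the level-1 buttons named in the commit message. If that is the intent, a comment on the now-unguarded line such as `// level check is done by the enclosing block above` would keep the next reader from re-adding the guard.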
@@ -123,8 +122,6 @@
 	</div> <? // eo div meta-left ?>
  
 <?
-if (level(5))
-{
 	$domain_type=get_domain_type($_GET['id']);
 ?>
         <div id="meta-right">
--- a/edit_record.php	Mon Jul 02 23:01:18 2007 +0000
+++ b/edit_record.php	Tue Jul 10 21:24:06 2007 +0000
@@ -19,7 +19,7 @@
         clean_page("edit.php?id=".$_POST["domainid"]);
 } elseif($_SESSION["partial_".get_domain_name_from_id($_GET["domain"])] == 1)
 {
-    $checkPartial = $db->getOne("SELECT id FROM record_owners WHERE record_id='".$_GET["id"]."' AND user_id='".$_SESSION["userid"]."' LIMIT 1");
+    $checkPartial = $db->queryOne("SELECT id FROM record_owners WHERE record_id='".$_GET["id"]."' AND user_id='".$_SESSION["userid"]."' LIMIT 1");
     if (empty($checkPartial)) {
         error(ERR_RECORD_ACCESS_DENIED);
     }
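Review bot: The condition feeding this branch reads `$_SESSION["partial_".get_domain_name_from_id($_GET["domain"])]`, while the checks added in add_record.php and delete_record.php in this same commit read `$_SESSION[$zoneId.'_ispartial']`; unless both keys are written when the session is populated (not visible here), one of the pages will never see the partial flag. The repaired `queryOne` call still concatenates `$_GET["id"]` and `$_SESSION["userid"]` into the SQL; `record_id=".(int) $_GET["id"]." AND user_id=".(int) $_SESSION["userid"]."` (or `$db->quote(..., 'integer')`) would close that while the line is being touched anyway. The `elseif` chain starts before this hunk.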
--- a/inc/record.inc.php	Mon Jul 02 23:01:18 2007 +0000
+++ b/inc/record.inc.php	Tue Jul 10 21:24:06 2007 +0000
@@ -1006,7 +1006,20 @@
         global $db;
         if((!level(5) || !$userid) && !level(10) && !level(5))
         {
-                $add = " AND zones.owner=".$_SESSION["userid"];
+		// First select the zones for which we have ownership on one or more records.
+		$query = 'SELECT records.domain_id FROM records, record_owners WHERE user_id = '.$_SESSION['userid'].' AND records.id = record_owners.record_id';
+		$result = $db->query($query);
+		$zones = array();
+		if (!PEAR::isError($result)) {
+			$zones = $result->fetchCol();
+		}
+	
+                $add = " AND (zones.owner=".$_SESSION["userid"];
+		if (count($zones) > 0) {
+			$add .= ' OR zones.domain_id IN ('.implode(',', $zones).') '; 
+
+		}
+		$add .= ')';
         }
         else
         {
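Review bot: The new partial-zone lookup (lines 116-129) is duplicated verbatim in the inc/toolkit.inc.php hunk of this commit, and in both places a PEAR error from the query is swallowed so that a failed lookup silently shrinks the result to owned zones only, and `$_SESSION['userid']` is concatenated into the SQL unquoted. Extracting one helper that normalises the ids (`intval` before they are joined into the `IN (...)` list, a cast on the user id) and surfacing the error instead of returning an empty list — via the project's `error()` helper if it accepts a message, which is not visible here — removes the duplication and the blind spot. `SELECT DISTINCT` also avoids repeating a domain id once per owned record. The enclosing function starts and ends outside this hunk.
```php
// Ids of the zones in which $userid owns at least one record (partial access).
// Intended to be shared by the zone count in inc/record.inc.php and the letter check in inc/toolkit.inc.php.
function get_partial_zone_ids($userid)
{
        global $db;
        $result = $db->query('SELECT DISTINCT records.domain_id FROM records, record_owners WHERE user_id = '.(int) $userid.' AND records.id = record_owners.record_id');
        if (PEAR::isError($result)) {
                // TODO(review): report via error() if it accepts a message; returning an empty list hides the failure.
                return array();
        }
        return array_map('intval', $result->fetchCol());
}

                // … unchanged: level() condition …
                $zones = get_partial_zone_ids($_SESSION['userid']);
                $add = " AND (zones.owner=".(int) $_SESSION["userid"];
                if (count($zones) > 0) {
                        $add .= ' OR zones.domain_id IN ('.implode(',', $zones).')';
                }
                $add .= ')';
```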
--- a/inc/toolkit.inc.php	Mon Jul 02 23:01:18 2007 +0000
+++ b/inc/toolkit.inc.php	Tue Jul 10 21:24:06 2007 +0000
@@ -136,7 +136,20 @@
         WHERE 1";
         if((!level(5) || !$userid) && !level(10) && !level(5))
         {
-                $sqlq .= " AND zones.owner=".$_SESSION["userid"];
+		// First select the zones for which we have ownership on one or more records.
+		$query = 'SELECT records.domain_id FROM records, record_owners WHERE user_id = '.$_SESSION['userid'].' AND records.id = record_owners.record_id';
+		$result = $db->query($query);
+		$zones = array();
+		if (!PEAR::isError($result)) {
+			$zones = $result->fetchCol();
+		}
+	
+                $sqlq .= " AND (zones.owner=".$_SESSION["userid"];
+		if (count($zones) > 0) {
+			$sqlq .= ' OR zones.domain_id IN ('.implode(',', $zones).') '; 
+
+		}
+		$sqlq .= ')';
         }
         $sqlq .= " AND substring(domains.name,1,1) REGEXP '^".$letter."' LIMIT 1";
         $result = $db->query($sqlq);
--- a/list_zones.php	Mon Jul 02 23:01:18 2007 +0000
+++ b/list_zones.php	Tue Jul 10 21:24:06 2007 +0000
@@ -56,25 +56,17 @@
 		?>
 		
     <tr>
+     <td>
+      <a href="edit.php?id=<? echo $c["id"] ?>"><img src="images/edit.gif" title="<? echo _('Edit zone') . " " . $c['name']; ?>" alt="[ <? echo _('Edit zone') . " " . $c['name']; ?> ]"></a>
 <?
 		if (level(5))
 		{
 ?>
-     <td>
-      <a href="edit.php?id=<? echo $c["id"] ?>"><img src="images/edit.gif" title="<? echo _('Edit zone') . " " . $c['name']; ?>" alt="[ <? echo _('Edit zone') . " " . $c['name']; ?> ]"></a>
       <a href="delete_domain.php?id=<? echo $c["id"] ?>"><img src="images/delete.gif" title="<? print _('Delete zone') . " " . $c['name']; ?>" alt="[<? echo _('Delete zone') . " " . $c['name']; ?>]"></a>
-     </td>
-<?
-		}
-		else
-		{
-?>
-     <td class="n">
-      &nbsp;
-     </td>
 <?
 		}
 ?>
+     </td>
      <td class="y"><? echo $c["name"] ?></td>
      <td class="y"><? echo strtolower(get_domain_type($c["id"])) ?></td>
      <td class="y"><? echo $c["numrec"] ?></td>
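Review bot: The edit link moved to line 164 echoes `$c['name']` into the `title` and `alt` attributes without escaping, so a zone name containing a quote or angle bracket breaks out of the attribute; `htmlspecialchars($c['name'])` in both places keeps the markup intact. Zone names come from the database rather than the request, which limits the exposure, but the listing is exactly where a stored name is rendered for every user who can see the zone. The delete link kept inside the `level(5)` block has the same pattern and uses `print` where the rest of the row uses `echo`; aligning both while the cell is being restructured would be cheap.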