Woo! New Blog!

May 12th, 2009

Since putting Jorp on SourceForge, I’ve constantly been making updates because I’ve been inundated with responses and suggestions from all kinds of people trying to help me out. Which is awesome.

The only downside is that I’m new to SourceForge, so I’ve been making the bulk of my changes readily available on Subversion and only eventually getting around to updating the .tar.gz on SourceForge. My point is, the absolute latest version of everything is almost always available on Subversion. The .tar.gz might be a little behind.

SO… this lovely guy from Spain with whom I have been exchanging e-mails brought to my attention that it was possible for anyone to delete projects just by requesting a single URL. I fixed the delete function (I think) and index.php. Here is the main chunk of what I changed.


...
else if ($page=='deleteProject') {
    // Only an admin (user level 1) may delete a project.
    if (getUserLevel()=="1") {
        deleteProject($y);
    }
    else {
        echo "You do not have permission to perform this function. ";
    }
}
else if ($page=='deleteTask') {
    // An admin, or the user the task belongs to, may delete a task.
    if (getUserLevel()=="1" || taskAuth($y)) {
        deleteTask($y);
    }
    else {
        echo "You do not have permission to perform this function. ";
    }
}
...

For some reason, when the delete buttons were hit for a project or a task, I had them going through functions.php?x=deleteProject or deleteTask rather than index.php?x=deleteProject or deleteTask. First, this redirected the user to another page. Second, anyone who went to that link hit no authorization check at all: nothing verified who was trying to delete the task or project before it was gone. So I changed the buttons to point at index.php and stuck the snippet above in index.php to authorize the user before the function gets executed.
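The same gate as an added example (not code from the Jorp project), with one change a defender would want: the authorization check lives inside the delete helpers themselves, so a request that reaches a helper without passing through index.php is still refused. The user table, task owners, project list and ADMIN_LEVEL are made-up assumptions.

```php
<?php
// Added example, not Jorp's own code. It models the post's fix but puts the
// authorization check inside the delete helpers themselves, so a request that
// reaches a helper without going through index.php is still refused.
// ADMIN_LEVEL, the sample users/tasks/projects and $user are assumptions.

const ADMIN_LEVEL = "1";
const DENIED = "You do not have permission to perform this function.";
// Constructed sample state (not Jorp data): alice is an admin, bob owns task 7.
$users    = ["alice" => "1", "bob" => "2", "eve" => "2"]; // name => level
$tasks    = [7 => "bob", 8 => "eve"];                     // task id => owner
$projects = [3 => "Website relaunch"];                    // project id => name

function getUserLevel(array $users, ?string $user): ?string {
    return ($user !== null && isset($users[$user])) ? $users[$user] : null;
}

// Same role as the post's taskAuth($y): only the task's owner passes.
function taskAuth(array $tasks, ?string $user, int $id): bool {
    return $user !== null && isset($tasks[$id]) && $tasks[$id] === $user;
}

// Admins only. The check lives here, so no caller can skip it.
function deleteProject(array &$projects, array $users, ?string $user, int $id): bool {
    if (getUserLevel($users, $user) !== ADMIN_LEVEL) return false;
    unset($projects[$id]);
    return true;
}

// Admins or the task's owner, mirroring getUserLevel()=="1" || taskAuth($y).
function deleteTask(array &$tasks, array $users, ?string $user, int $id): bool {
    if (getUserLevel($users, $user) !== ADMIN_LEVEL && !taskAuth($tasks, $user, $id)) return false;
    unset($tasks[$id]);
    return true;
}

// What index.php does with ?x=...&y=...; $user is the session user, or null when not logged in.
function dispatch(string $x, int $y, ?string $user, array &$projects, array &$tasks, array $users): string {
    switch ($x) {
        case 'deleteProject': return deleteProject($projects, $users, $user, $y) ? "Project $y deleted." : DENIED;
        case 'deleteTask':    return deleteTask($tasks, $users, $user, $y) ? "Task $y deleted." : DENIED;
        default:              return "Unknown action.";
    }
}

echo dispatch('deleteProject', 3, null, $projects, $tasks, $users), "\n";    // anonymous visitor: refused
var_dump(deleteTask($tasks, $users, null, 7));                               // helper called directly, no dispatcher: still refused
echo dispatch('deleteTask', 7, 'eve', $projects, $tasks, $users), "\n";      // logged in but not the owner: refused
echo dispatch('deleteTask', 7, 'bob', $projects, $tasks, $users), "\n";      // the task's owner: allowed
echo dispatch('deleteProject', 3, 'alice', $projects, $tasks, $users), "\n"; // admin: allowed
```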

I changed the following files and they are all updated on Subversion:

  • functions.php
  • header.php
  • index.php