#132 Different checking of module access rights

XOOPS_2.2
closed
XOOPS 2.1.x (9)
5
2014-12-25
2005-09-14
No

Hi,

I have upgraded to Xoops 2.2 recently. I have come
across a problem with accessing the xfmod module (part
of myXoopsForge). Basically access denied problem.

I have found that the problematic code causing this is
the checkAccess() method in /kernel/module.php. The
existing code is trying to figure out the current
directory based on presence of xoops-version.php. If
it's present, it concludes that the module's scripts
are being accessed. If it's found in the parent
directory, it concludes that a script in admin
subdirectory is being accessed.

The xfmod module does not follow the expected two-level
directory hierarchy.

Here is what I changed to fix the problem:

/
* check user's access to the module


* @return bool

/
function checkAccess() {
global $xoopsUser, $xoopsOption;
$groupperm_handler =&
xoops_gethandler('groupperm');
$groups = $xoopsUser ? $xoopsUser->getGroups()
: XOOPS_GROUP_ANONYMOUS;
//schalmn:
/
if (file_exists('./xoops_version.php')) {
$right = 'module_read';
}
elseif (file_exists('../xoops_version.php')) {
$xoopsOption['pagetype'] = "admin";
$right = 'module_admin';
}
else {
return true;
}

/

    $path_parts = pathinfo($_SERVER['PHP_SELF']);
    $pattern =

'/^.\/'.$this->getVar('dirname').'\/admin/';
$match = preg_match($pattern,
$path_parts['dirname']);
// does the directory path contain
'
/dirname/admin'?
if ( ($match != false) && ($match > 0) ) {
$xoopsOption['pagetype'] = "admin";
$right = 'module_admin';
}
else {
$right = 'module_read';
}
//end

    return $groupperm_handler->checkRight($right,

$this->getVar( 'mid' ), $groups );
}

Should I provide a diff output too or it's ok like this?

My environment:

Xoops 2.2
Apache 2.0.46
PHP 4.3.2
MySQL 3.23.58
Red Hat Enterprise Linux AS 3.4

Best regards,

Martin

Discussion

  • Jan Pedersen

    Jan Pedersen - 2005-09-29

    Logged In: YES
    user_id=841117

    Fixed in CVS and waiting for review before merging to the trunk.

     
  • Jan Pedersen

    Jan Pedersen - 2005-09-29

    Logged In: YES
    user_id=841117

    Sorry - counter-order.

    Files inside modules should only be accessed in the module's
    root (frontside) and module root/admin (admin pages)

    That's how it has been and that is something we want to keep.
    You are welcome to contact me for a discussion on how you
    can solve your problem, though.

     

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

JavaScript is required for this form.





No, thanks