
#132 Different checking of module access rights

XOOPS_2.2
closed
XOOPS 2.1.x (9)
5
2014-12-25
2005-09-14
No

Hi,

I have upgraded to Xoops 2.2 recently. I have come
across a problem with accessing the xfmod module (part
of myXoopsForge). Basically access denied problem.

I have found that the problematic code causing this is
the checkAccess() method in /kernel/module.php. The
existing code is trying to figure out the current
directory based on presence of xoops_version.php. If
it's present, it concludes that the module's scripts
are being accessed. If it's found in the parent
directory, it concludes that a script in admin
subdirectory is being accessed.

The xfmod module does not follow the expected two-level
directory hierarchy.

Here is what I changed to fix the problem:

    /**
     * check user's access to the module
     *
     * @return bool
     */
    function checkAccess() {
        global $xoopsUser, $xoopsOption;
        $groupperm_handler =& xoops_gethandler('groupperm');
        $groups = $xoopsUser ? $xoopsUser->getGroups() : XOOPS_GROUP_ANONYMOUS;
        //schalmn:
        /*
        if (file_exists('./xoops_version.php')) {
            $right = 'module_read';
        }
        elseif (file_exists('../xoops_version.php')) {
            $xoopsOption['pagetype'] = "admin";
            $right = 'module_admin';
        }
        else {
            return true;
        }
        */

        $path_parts = pathinfo($_SERVER['PHP_SELF']);
        $pattern = '/^.*\/'.$this->getVar('dirname').'\/admin/';
        $match = preg_match($pattern, $path_parts['dirname']);
        // does the directory path contain '*/dirname/admin'?
        if ( ($match != false) && ($match > 0) ) {
            $xoopsOption['pagetype'] = "admin";
            $right = 'module_admin';
        }
        else {
            $right = 'module_read';
        }
        //end

        return $groupperm_handler->checkRight($right, $this->getVar( 'mid' ), $groups );
    }

Should I provide a diff output too, or is it OK like this?

My environment:

Xoops 2.2
Apache 2.0.46
PHP 4.3.2
MySQL 3.23.58
Red Hat Enterprise Linux AS 3.4

Best regards,

Martin

Discussion

  • Jan Pedersen

    Jan Pedersen - 2005-09-29

    Logged In: YES
    user_id=841117

    Fixed in CVS and waiting for review before merging to the trunk.

     
  • Jan Pedersen

    Jan Pedersen - 2005-09-29

    Logged In: YES
    user_id=841117

    Sorry - counter-order.

    Files inside modules should only be accessed in the module's
    root (frontside) and module root/admin (admin pages).

    That's how it has been and that is something we want to keep.
    You are welcome to contact me for a discussion on how you
    can solve your problem, though.
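
An added example, not XOOPS code or the reporter's patch: one way to choose the required right from the resolved location of the executing script, following the rule stated in the comment above (module root for front pages, root/admin for admin pages) and denying every other location. The function name `requiredRight()`, the temp-directory tree and the use of current PHP (7.1 or later, not the PHP 4.3.2 in the report) are assumptions of this example.

```php
<?php
// Added example, not XOOPS code: requiredRight() and the temp tree are hypothetical.

/**
 * Map the script that is executing to the group right it needs:
 * module root => module_read, root/admin => module_admin.
 * Any other location returns null so the caller can deny (fail closed).
 * In a real request $scriptFile would come from $_SERVER['SCRIPT_FILENAME'].
 */
function requiredRight(string $moduleRoot, string $scriptFile): ?string
{
    $root   = realpath($moduleRoot);
    $script = realpath($scriptFile);   // resolves ".", ".." and symlinks
    if ($root === false || $script === false) {
        return null;                   // path does not resolve: deny
    }
    $dir = dirname($script);
    if ($dir === $root) {
        return 'module_read';
    }
    if ($dir === $root . DIRECTORY_SEPARATOR . 'admin') {
        return 'module_admin';
    }
    return null;                       // deeper or outside the module: deny
}

// Constructed sample tree in a temp directory so the example runs offline.
$base  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'xoops_demo_' . getmypid();
$root  = $base . '/modules/xfmod';
$files = ['index.php', 'admin/index.php', 'forge/admin/index.php'];
foreach ($files as $rel) {
    @mkdir(dirname("$root/$rel"), 0700, true);
    file_put_contents("$root/$rel", "<?php\n");
}

$cases   = $files;
$cases[] = 'admin/../index.php';   // resolves to the module root
$cases[] = 'missing.php';          // does not exist
foreach ($cases as $rel) {
    $right = requiredRight($root, "$root/$rel");
    printf("%-24s => %s\n", $rel, $right ?? 'deny');
}
```

The returned value would take the place of `$right` in the `checkRight()` call, with a null result rejected before that call is made.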

     
