Implement authorizaiton for admin/config sections

Use committee members for authorization Add auth required checks in all admin/config sections
2005-02-16 22:50:43 +00:00 · 2005-02-16 22:50:43 +00:00 · 3deae5e029
commit 3deae5e029
parent adb2e50578
17 changed files with 147 additions and 3 deletions
--- a/admin/committees.php
+++ b/admin/committees.php
@ -23,6 +23,8 @@
 ?>
 <?
 require("../common.inc.php");
+ auth_required('admin');
+
 send_header("Administration - Committee Management");
 ?>

--- a/admin/index.php
+++ b/admin/index.php
@ -23,6 +23,7 @@
 ?>
 <?
 require("../common.inc.php");
+ auth_required('admin');
 send_header("Administration");
 echo error(i18n("Note: this section will normally be password protected.  It is left open for now for debugging and testing purposes"));

--- a/admin/registration.php
+++ b/admin/registration.php
@ -23,6 +23,7 @@
 ?>
 <?
 require("../common.inc.php");
+ auth_required('admin');
 send_header("Administration - Participant Registration");
 echo "<a href=\"index.php\">&lt;&lt; ".i18n("Back to Administration")."</a><br />";
 echo "<br />";
--- a/admin/registration_list.php
+++ b/admin/registration_list.php
@ -23,6 +23,7 @@
 ?>
 <?
 require("../common.inc.php");
+ auth_required('admin');
 require("../register_participants.inc.php");

 send_header("Participant Registration - List and Statistics");
--- a/admin/registration_receivedforms.php
+++ b/admin/registration_receivedforms.php
@ -23,6 +23,7 @@
 ?>
 <?
 require("../common.inc.php");
+ auth_required('admin');
 require("../register_participants.inc.php");

 send_header("Participant Registration - Received Forms");
--- a/admin/reports.php
+++ b/admin/reports.php
@ -23,6 +23,7 @@
 ?>
 <?
 require("../common.inc.php");
+ auth_required('admin');
 send_header("Administration - Reports");
 echo "<a href=\"index.php\">&lt;&lt; ".i18n("Back to Administration")."</a><br />";
 echo "<br />";
--- a/admin/reports_checkin.php
+++ b/admin/reports_checkin.php
@ -23,6 +23,7 @@
 ?>
 <?
 require("../common.inc.php");
+ auth_required('admin');
 require("../lpdf.php");

 $catq=mysql_query("SELECT * FROM projectcategories WHERE year='".$config['FAIRYEAR']."' AND id='".$_GET['cat']."'");
--- a/committee_auth.php
+++ b/committee_auth.php
@ -0,0 +1,45 @@
+<?
+
+$accesscache=array();
+
+function auth_has_access($access="")
+{
+	global $accesscache;
+
+	if(in_array($access,$accesscache))
+	{
+		if($accesscache[$access]=='Y') return true;
+		else return false;
+	}
+	else
+	{
+		$q=mysql_query("SELECT access_admin, access_config, access_super FROM committees_members WHERE email='".$_SESSION['email']."' AND id='".$_SESSION['committee_member_id']."' AND deleted='N'"); 
+
+		$r=mysql_fetch_object($q);
+		$accesscache['admin']=$r->access_admin;
+		$accesscache['config']=$r->access_config;
+		$accesscache['super']=$r->access_super;
+		
+		switch($access)
+		{
+			case "config": if($r->access_config=='Y') return true; 	break;
+			case "admin": if($r->access_admin=='Y') return true; break;
+			case "super": if($r->access_super=='Y') return true; break;
+			default:
+				return false;
+				break;	
+		}
+	}
+	return false;
+
+}
+
+function auth_required($access="")
+{
+	global $config;
+
+	if(!auth_has_access($access))
+		header("Location: ".$config['SFIABDIRECTORY']."/committee_login.php");
+}
+
+?>
--- a/committee_login.php
+++ b/committee_login.php
@ -0,0 +1,61 @@
+<?
+ require("common.inc.php");
+
+ if($_POST['action']=="login" )
+ {
+ 	if($_POST['pass'] && $_POST['email'])
+	{
+		$q=mysql_query("SELECT * FROM committees_members WHERE email='".$_POST['email']."' AND password='".$_POST['pass']."' AND deleted='N'");
+		if(mysql_num_rows($q)==1)
+		{
+			$r=mysql_fetch_object($q);
+			$_SESSION['email']=$r->email;
+			$_SESSION['committee_member_id']=$r->id;
+			send_header("Committee Login");
+			echo happy(i18n("Successfully logged in"));
+			echo i18n("Use the menu on the left to access the committee pages");
+		}
+		else
+		{
+			send_header("Committee Login");
+			echo error(i18n("Invalid Email/Password"));
+		}
+
+	}
+	else
+	{
+		send_header("Committee Login");
+		echo error(i18n("Email/Password missing"));
+	}
+ }
+ else if($_GET['action']=="logout")
+ {
+ 	unset($_SESSION['email']);
+	unset($_SESSION['committee_member_id']);
+	send_header("Committee Login");
+	echo notice(i18n("You have been successfully logged out"));
+ }
+ else
+ {
+
+	send_header("Committee Login");
+
+	?>
+	 <form method="post" action="committee_login.php">
+	 <input type="hidden" name="action" value="login" />
+	 <table><tr><td>
+	 <?=i18n("Email")?>:</td><td><input type="text" name="email" size="20" />
+	 </td></tr>
+	 <tr><td>
+	 <?=i18n("Password")?>:</td><td><input type="password" size="20" name="pass" />
+	 </td></tr>
+	 <tr><td colspan=2>
+	 <input type="submit" value="Login" />
+	 </td></tr>
+	 </table>
+	 </form>
+<?
+ }
+
+ send_footer();
+?>
--- a/common.inc.php
+++ b/common.inc.php
@ -22,7 +22,8 @@
 */
 ?>
 <?
-require("config.inc.php");
+require_once("config.inc.php");
+require_once("committee_auth.php");
 mysql_connect($DBHOST,$DBUSER,$DBPASS);
 mysql_select_db($DBNAME);

@ -224,8 +225,28 @@ echo "<h1>".i18n($config['fairname'])."</h1>";
 </ul>
 <br />
 <ul class="mainnav">
-<li><a href="<?=$config['SFIABDIRECTORY']?>/admin/"><?=i18n("Fair Administration")?></a></li>
-<li><a href="<?=$config['SFIABDIRECTORY']?>/config/"><?=i18n("SFIAB Configuration")?></a></li>
+<?
+if(auth_has_access("admin") || auth_has_access("config") || auth_has_access("super"))
+{
+	if(auth_has_access("admin")){ ?>
+		<li><a href="<?=$config['SFIABDIRECTORY']?>/admin/"><?=i18n("Fair Administration")?></a></li>
+<? } 
+	if(auth_has_access("config")){ ?>
+		<li><a href="<?=$config['SFIABDIRECTORY']?>/config/"><?=i18n("SFIAB Configuration")?></a></li>
+<? } 
+
+?>
+	<li><a href="<?=$config['SFIABDIRECTORY']?>/committee_login.php?action=logout"><?=i18n("Committee Logout")?></a></li>
+<?
+
+}
+else
+{
+?>
+	<li><a href="<?=$config['SFIABDIRECTORY']?>/committee_login.php"><?=i18n("Committee Login")?></a></li>
+<?
+}
+?>
 </ul>

 <div class="aligncenter">
--- a/config/categories.php
+++ b/config/categories.php
@ -23,6 +23,8 @@
 ?>
 <?
 require("../common.inc.php");
+ auth_required('config');
+
 send_header("Configuration - Categories and Divisions");
 echo "<a href=\"index.php\">&lt;&lt; ".i18n("Back to Configuration")."</a><br />";

--- a/config/dates.php
+++ b/config/dates.php
@ -23,6 +23,7 @@
 ?>
 <?
 require("../common.inc.php");
+ auth_required('config');
 send_header("Configuration - Dates");
 echo "<a href=\"index.php\">&lt;&lt; ".i18n("Back to Configuration")."</a><br />";

--- a/config/divisions.php
+++ b/config/divisions.php
@ -23,6 +23,7 @@
 ?>
 <?
 require("../common.inc.php");
+ auth_required('config');
 send_header("Configuration - Project Divisions");
 echo "<a href=\"index.php\">&lt;&lt; ".i18n("Back to Configuration")."</a><br />";

--- a/config/images.php
+++ b/config/images.php
@ -23,6 +23,7 @@
 ?>
 <?
 require("../common.inc.php");
+ auth_required('config');
 send_header("Configuration - Images");
 echo "<a href=\"index.php\">&lt;&lt; ".i18n("Back to Configuration")."</a><br />";

--- a/config/index.php
+++ b/config/index.php
@ -23,6 +23,8 @@
 ?>
 <?
 require("../common.inc.php");
+ auth_required('config');
+
 send_header("Configuration");
 echo error(i18n("Note: this section will normally be password protected.  It is left open for now for debugging and testing purposes"));

--- a/config/subdivisions.php
+++ b/config/subdivisions.php
@ -23,6 +23,7 @@
 ?>
 <?
 require("../common.inc.php");
+ auth_required('config');
 send_header("Configuration - Project Sub-Divisions");
 echo "<a href=\"index.php\">&lt;&lt; ".i18n("Back to Configuration")."</a><br />";

--- a/config/variables.php
+++ b/config/variables.php
@ -23,6 +23,7 @@
 ?>
 <?
 require("../common.inc.php");
+ auth_required('config');
 send_header("Configuration - Variables");
 echo "<a href=\"index.php\">&lt;&lt; ".i18n("Back to Configuration")."</a><br />";