From 3deae5e02902e190d46e6945052bca25fa49c931 Mon Sep 17 00:00:00 2001
From: james <james>
Date: Wed, 16 Feb 2005 22:50:43 +0000
Subject: [PATCH] Implement authorizaiton for admin/config sections Use
 committee members for authorization Add auth required checks in all
 admin/config sections

---
 admin/committees.php                 |  2 +
 admin/index.php                      |  1 +
 admin/registration.php               |  1 +
 admin/registration_list.php          |  1 +
 admin/registration_receivedforms.php |  1 +
 admin/reports.php                    |  1 +
 admin/reports_checkin.php            |  1 +
 committee_auth.php                   | 45 ++++++++++++++++++++
 committee_login.php                  | 61 ++++++++++++++++++++++++++++
 common.inc.php                       | 27 ++++++++++--
 config/categories.php                |  2 +
 config/dates.php                     |  1 +
 config/divisions.php                 |  1 +
 config/images.php                    |  1 +
 config/index.php                     |  2 +
 config/subdivisions.php              |  1 +
 config/variables.php                 |  1 +
 17 files changed, 147 insertions(+), 3 deletions(-)
 create mode 100644 committee_auth.php
 create mode 100644 committee_login.php

diff --git a/admin/committees.php b/admin/committees.php
index f0f0e35..dedd40f 100644
--- a/admin/committees.php
+++ b/admin/committees.php
@@ -23,6 +23,8 @@
 ?>
 <?
  require("../common.inc.php");
+ auth_required('admin');
+
  send_header("Administration - Committee Management");
 ?>
 
diff --git a/admin/index.php b/admin/index.php
index 2320fb5..414b32b 100644
--- a/admin/index.php
+++ b/admin/index.php
@@ -23,6 +23,7 @@
 ?>
 <?
  require("../common.inc.php");
+ auth_required('admin');
  send_header("Administration");
  echo error(i18n("Note: this section will normally be password protected.  It is left open for now for debugging and testing purposes"));
 
diff --git a/admin/registration.php b/admin/registration.php
index 5ed5bb5..0cfc7b0 100644
--- a/admin/registration.php
+++ b/admin/registration.php
@@ -23,6 +23,7 @@
 ?>
 <?
  require("../common.inc.php");
+ auth_required('admin');
  send_header("Administration - Participant Registration");
  echo "<a href=\"index.php\">&lt;&lt; ".i18n("Back to Administration")."</a><br />";
  echo "<br />";
diff --git a/admin/registration_list.php b/admin/registration_list.php
index f0f200a..b1617d0 100644
--- a/admin/registration_list.php
+++ b/admin/registration_list.php
@@ -23,6 +23,7 @@
 ?>
 <?
  require("../common.inc.php");
+ auth_required('admin');
  require("../register_participants.inc.php");
 
  send_header("Participant Registration - List and Statistics");
diff --git a/admin/registration_receivedforms.php b/admin/registration_receivedforms.php
index df98005..89c4d1c 100644
--- a/admin/registration_receivedforms.php
+++ b/admin/registration_receivedforms.php
@@ -23,6 +23,7 @@
 ?>
 <?
  require("../common.inc.php");
+ auth_required('admin');
  require("../register_participants.inc.php");
 
  send_header("Participant Registration - Received Forms");
diff --git a/admin/reports.php b/admin/reports.php
index 3988c47..05a9a24 100644
--- a/admin/reports.php
+++ b/admin/reports.php
@@ -23,6 +23,7 @@
 ?>
 <?
  require("../common.inc.php");
+ auth_required('admin');
  send_header("Administration - Reports");
  echo "<a href=\"index.php\">&lt;&lt; ".i18n("Back to Administration")."</a><br />";
  echo "<br />";
diff --git a/admin/reports_checkin.php b/admin/reports_checkin.php
index 6d8f36a..282c605 100644
--- a/admin/reports_checkin.php
+++ b/admin/reports_checkin.php
@@ -23,6 +23,7 @@
 ?>
 <?
  require("../common.inc.php");
+ auth_required('admin');
  require("../lpdf.php");
 
 $catq=mysql_query("SELECT * FROM projectcategories WHERE year='".$config['FAIRYEAR']."' AND id='".$_GET['cat']."'");
diff --git a/committee_auth.php b/committee_auth.php
new file mode 100644
index 0000000..d07ea55
--- /dev/null
+++ b/committee_auth.php
@@ -0,0 +1,45 @@
+<?
+
+$accesscache=array();
+
+function auth_has_access($access="")
+{
+	global $accesscache;
+
+	if(in_array($access,$accesscache))
+	{
+		if($accesscache[$access]=='Y') return true;
+		else return false;
+	}
+	else
+	{
+		$q=mysql_query("SELECT access_admin, access_config, access_super FROM committees_members WHERE email='".$_SESSION['email']."' AND id='".$_SESSION['committee_member_id']."' AND deleted='N'"); 
+
+		$r=mysql_fetch_object($q);
+		$accesscache['admin']=$r->access_admin;
+		$accesscache['config']=$r->access_config;
+		$accesscache['super']=$r->access_super;
+		
+		switch($access)
+		{
+			case "config": if($r->access_config=='Y') return true; 	break;
+			case "admin": if($r->access_admin=='Y') return true; break;
+			case "super": if($r->access_super=='Y') return true; break;
+			default:
+				return false;
+				break;	
+		}
+	}
+	return false;
+
+}
+
+function auth_required($access="")
+{
+	global $config;
+
+	if(!auth_has_access($access))
+		header("Location: ".$config['SFIABDIRECTORY']."/committee_login.php");
+}
+
+?>
diff --git a/committee_login.php b/committee_login.php
new file mode 100644
index 0000000..c2d76de
--- /dev/null
+++ b/committee_login.php
@@ -0,0 +1,61 @@
+<?
+ require("common.inc.php");
+
+ if($_POST['action']=="login" )
+ {
+ 	if($_POST['pass'] && $_POST['email'])
+	{
+		$q=mysql_query("SELECT * FROM committees_members WHERE email='".$_POST['email']."' AND password='".$_POST['pass']."' AND deleted='N'");
+		if(mysql_num_rows($q)==1)
+		{
+			$r=mysql_fetch_object($q);
+			$_SESSION['email']=$r->email;
+			$_SESSION['committee_member_id']=$r->id;
+			send_header("Committee Login");
+			echo happy(i18n("Successfully logged in"));
+			echo i18n("Use the menu on the left to access the committee pages");
+		}
+		else
+		{
+			send_header("Committee Login");
+			echo error(i18n("Invalid Email/Password"));
+		}
+
+	}
+	else
+	{
+		send_header("Committee Login");
+		echo error(i18n("Email/Password missing"));
+	}
+ }
+ else if($_GET['action']=="logout")
+ {
+ 	unset($_SESSION['email']);
+	unset($_SESSION['committee_member_id']);
+	send_header("Committee Login");
+	echo notice(i18n("You have been successfully logged out"));
+ }
+ else
+ {
+
+	send_header("Committee Login");
+
+	?>
+	 <form method="post" action="committee_login.php">
+	 <input type="hidden" name="action" value="login" />
+	 <table><tr><td>
+	 <?=i18n("Email")?>:</td><td><input type="text" name="email" size="20" />
+	 </td></tr>
+	 <tr><td>
+	 <?=i18n("Password")?>:</td><td><input type="password" size="20" name="pass" />
+	 </td></tr>
+	 <tr><td colspan=2>
+	 <input type="submit" value="Login" />
+	 </td></tr>
+	 </table>
+	 </form>
+<?
+ }
+
+ send_footer();
+?>
diff --git a/common.inc.php b/common.inc.php
index a0d433d..47c46b6 100644
--- a/common.inc.php
+++ b/common.inc.php
@@ -22,7 +22,8 @@
 */
 ?>
 <?
-require("config.inc.php");
+require_once("config.inc.php");
+require_once("committee_auth.php");
 mysql_connect($DBHOST,$DBUSER,$DBPASS);
 mysql_select_db($DBNAME);
 
@@ -224,8 +225,28 @@ echo "<h1>".i18n($config['fairname'])."</h1>";
 </ul>
 <br />
 <ul class="mainnav">
-<li><a href="<?=$config['SFIABDIRECTORY']?>/admin/"><?=i18n("Fair Administration")?></a></li>
-<li><a href="<?=$config['SFIABDIRECTORY']?>/config/"><?=i18n("SFIAB Configuration")?></a></li>
+<?
+if(auth_has_access("admin") || auth_has_access("config") || auth_has_access("super"))
+{
+	if(auth_has_access("admin")){ ?>
+		<li><a href="<?=$config['SFIABDIRECTORY']?>/admin/"><?=i18n("Fair Administration")?></a></li>
+<? } 
+	if(auth_has_access("config")){ ?>
+		<li><a href="<?=$config['SFIABDIRECTORY']?>/config/"><?=i18n("SFIAB Configuration")?></a></li>
+<? } 
+
+?>
+	<li><a href="<?=$config['SFIABDIRECTORY']?>/committee_login.php?action=logout"><?=i18n("Committee Logout")?></a></li>
+<?
+
+}
+else
+{
+?>
+	<li><a href="<?=$config['SFIABDIRECTORY']?>/committee_login.php"><?=i18n("Committee Login")?></a></li>
+<?
+}
+?>
 </ul>
 
 <div class="aligncenter">
diff --git a/config/categories.php b/config/categories.php
index 57bc435..8d447e0 100644
--- a/config/categories.php
+++ b/config/categories.php
@@ -23,6 +23,8 @@
 ?>
 <?
  require("../common.inc.php");
+ auth_required('config');
+
  send_header("Configuration - Categories and Divisions");
  echo "<a href=\"index.php\">&lt;&lt; ".i18n("Back to Configuration")."</a><br />";
 
diff --git a/config/dates.php b/config/dates.php
index 9e8cfff..387b222 100644
--- a/config/dates.php
+++ b/config/dates.php
@@ -23,6 +23,7 @@
 ?>
 <?
  require("../common.inc.php");
+ auth_required('config');
  send_header("Configuration - Dates");
  echo "<a href=\"index.php\">&lt;&lt; ".i18n("Back to Configuration")."</a><br />";
 
diff --git a/config/divisions.php b/config/divisions.php
index 4221218..74ae633 100644
--- a/config/divisions.php
+++ b/config/divisions.php
@@ -23,6 +23,7 @@
 ?>
 <?
  require("../common.inc.php");
+ auth_required('config');
  send_header("Configuration - Project Divisions");
  echo "<a href=\"index.php\">&lt;&lt; ".i18n("Back to Configuration")."</a><br />";
 
diff --git a/config/images.php b/config/images.php
index 95773c4..b83ee0f 100644
--- a/config/images.php
+++ b/config/images.php
@@ -23,6 +23,7 @@
 ?>
 <?
  require("../common.inc.php");
+ auth_required('config');
  send_header("Configuration - Images");
  echo "<a href=\"index.php\">&lt;&lt; ".i18n("Back to Configuration")."</a><br />";
 
diff --git a/config/index.php b/config/index.php
index 51e9a0b..c891fcf 100644
--- a/config/index.php
+++ b/config/index.php
@@ -23,6 +23,8 @@
 ?>
 <?
  require("../common.inc.php");
+ auth_required('config');
+
  send_header("Configuration");
  echo error(i18n("Note: this section will normally be password protected.  It is left open for now for debugging and testing purposes"));
 
diff --git a/config/subdivisions.php b/config/subdivisions.php
index b325473..e258088 100644
--- a/config/subdivisions.php
+++ b/config/subdivisions.php
@@ -23,6 +23,7 @@
 ?>
 <?
  require("../common.inc.php");
+ auth_required('config');
  send_header("Configuration - Project Sub-Divisions");
  echo "<a href=\"index.php\">&lt;&lt; ".i18n("Back to Configuration")."</a><br />";
 
diff --git a/config/variables.php b/config/variables.php
index 722bed0..6672518 100644
--- a/config/variables.php
+++ b/config/variables.php
@@ -23,6 +23,7 @@
 ?>
 <?
  require("../common.inc.php");
+ auth_required('config');
  send_header("Configuration - Variables");
  echo "<a href=\"index.php\">&lt;&lt; ".i18n("Back to Configuration")."</a><br />";