Implement authorizaiton for admin/config sections

Use committee members for authorization Add auth required checks in all admin/config sections
2005-02-16 22:50:43 +00:00 · 2005-02-16 22:50:43 +00:00 · 3deae5e029
commit 3deae5e029
parent adb2e50578
17 changed files with 147 additions and 3 deletions
--- a/admin/committees.php
+++ b/admin/committees.php
@ -23,6 +23,8 @@
 ?>
 <?
 require("../common.inc.php");
 auth_required('admin');
 send_header("Administration - Committee Management");
 ?>
--- a/admin/index.php
+++ b/admin/index.php
@ -23,6 +23,7 @@
 ?>
 <?
 require("../common.inc.php");
 auth_required('admin');
 send_header("Administration");
 echo error(i18n("Note: this section will normally be password protected.  It is left open for now for debugging and testing purposes"));
--- a/admin/registration.php
+++ b/admin/registration.php
@ -23,6 +23,7 @@
 ?>
 <?
 require("../common.inc.php");
 auth_required('admin');
 send_header("Administration - Participant Registration");
 echo "<a href=\"index.php\">&lt;&lt; ".i18n("Back to Administration")."</a><br />";
 echo "<br />";
--- a/admin/registration_list.php
+++ b/admin/registration_list.php
@ -23,6 +23,7 @@
 ?>
 <?
 require("../common.inc.php");
 auth_required('admin');
 require("../register_participants.inc.php");
 send_header("Participant Registration - List and Statistics");
--- a/admin/registration_receivedforms.php
+++ b/admin/registration_receivedforms.php
@ -23,6 +23,7 @@
 ?>
 <?
 require("../common.inc.php");
 auth_required('admin');
 require("../register_participants.inc.php");
 send_header("Participant Registration - Received Forms");
--- a/admin/reports.php
+++ b/admin/reports.php
@ -23,6 +23,7 @@
 ?>
 <?
 require("../common.inc.php");
 auth_required('admin');
 send_header("Administration - Reports");
 echo "<a href=\"index.php\">&lt;&lt; ".i18n("Back to Administration")."</a><br />";
 echo "<br />";
--- a/admin/reports_checkin.php
+++ b/admin/reports_checkin.php
@ -23,6 +23,7 @@
 ?>
 <?
 require("../common.inc.php");
 auth_required('admin');
 require("../lpdf.php");
 $catq=mysql_query("SELECT * FROM projectcategories WHERE year='".$config['FAIRYEAR']."' AND id='".$_GET['cat']."'");
--- a/committee_auth.php
+++ b/committee_auth.php
@ -0,0 +1,45 @@
 <?
 $accesscache=array();
 function auth_has_access($access="")
 {
 	global $accesscache;
 	if(in_array($access,$accesscache))
 	{
 		if($accesscache[$access]=='Y') return true;
 		else return false;
 	}
 	else
 	{
 		$q=mysql_query("SELECT access_admin, access_config, access_super FROM committees_members WHERE email='".$_SESSION['email']."' AND id='".$_SESSION['committee_member_id']."' AND deleted='N'"); 
 		$r=mysql_fetch_object($q);
 		$accesscache['admin']=$r->access_admin;
 		$accesscache['config']=$r->access_config;
 		$accesscache['super']=$r->access_super;
 		switch($access)
 		{
 			case "config": if($r->access_config=='Y') return true; 	break;
 			case "admin": if($r->access_admin=='Y') return true; break;
 			case "super": if($r->access_super=='Y') return true; break;
 			default:
 				return false;
 				break;	
 		}
 	}
 	return false;
 }
 function auth_required($access="")
 {
 	global $config;
 	if(!auth_has_access($access))
 		header("Location: ".$config['SFIABDIRECTORY']."/committee_login.php");
 }
 ?>
--- a/committee_login.php
+++ b/committee_login.php
@ -0,0 +1,61 @@
 <?
 require("common.inc.php");
 if($_POST['action']=="login" )
 {
 	if($_POST['pass'] && $_POST['email'])
 	{
 		$q=mysql_query("SELECT * FROM committees_members WHERE email='".$_POST['email']."' AND password='".$_POST['pass']."' AND deleted='N'");
 		if(mysql_num_rows($q)==1)
 		{
 			$r=mysql_fetch_object($q);
 			$_SESSION['email']=$r->email;
 			$_SESSION['committee_member_id']=$r->id;
 			send_header("Committee Login");
 			echo happy(i18n("Successfully logged in"));
 			echo i18n("Use the menu on the left to access the committee pages");
 		}
 		else
 		{
 			send_header("Committee Login");
 			echo error(i18n("Invalid Email/Password"));
 		}
 	}
 	else
 	{
 		send_header("Committee Login");
 		echo error(i18n("Email/Password missing"));
 	}
 }
 else if($_GET['action']=="logout")
 {
 	unset($_SESSION['email']);
 	unset($_SESSION['committee_member_id']);
 	send_header("Committee Login");
 	echo notice(i18n("You have been successfully logged out"));
 }
 else
 {
 	send_header("Committee Login");
 	?>
 	 <form method="post" action="committee_login.php">
 	 <input type="hidden" name="action" value="login" />
 	 <table><tr><td>
 	 <?=i18n("Email")?>:</td><td><input type="text" name="email" size="20" />
 	 </td></tr>
 	 <tr><td>
 	 <?=i18n("Password")?>:</td><td><input type="password" size="20" name="pass" />
 	 </td></tr>
 	 <tr><td colspan=2>
 	 <input type="submit" value="Login" />
 	 </td></tr>
 	 </table>
 	 </form>
 <?
 }
 send_footer();
 ?>
--- a/common.inc.php
+++ b/common.inc.php
@ -22,7 +22,8 @@
 */
 ?>
 <?
-require("config.inc.php");
+require_once("config.inc.php");
 require_once("committee_auth.php");
 mysql_connect($DBHOST,$DBUSER,$DBPASS);
 mysql_select_db($DBNAME);
@ -224,8 +225,28 @@ echo "<h1>".i18n($config['fairname'])."</h1>";
 </ul>
 <br />
 <ul class="mainnav">
-<li><a href="<?=$config['SFIABDIRECTORY']?>/admin/"><?=i18n("Fair Administration")?></a></li>
+<?
-<li><a href="<?=$config['SFIABDIRECTORY']?>/config/"><?=i18n("SFIAB Configuration")?></a></li>
+if(auth_has_access("admin") || auth_has_access("config") || auth_has_access("super"))
 {
 	if(auth_has_access("admin")){ ?>
 		<li><a href="<?=$config['SFIABDIRECTORY']?>/admin/"><?=i18n("Fair Administration")?></a></li>
 <? } 
 	if(auth_has_access("config")){ ?>
 		<li><a href="<?=$config['SFIABDIRECTORY']?>/config/"><?=i18n("SFIAB Configuration")?></a></li>
 <? } 
 ?>
 	<li><a href="<?=$config['SFIABDIRECTORY']?>/committee_login.php?action=logout"><?=i18n("Committee Logout")?></a></li>
 <?
 }
 else
 {
 ?>
 	<li><a href="<?=$config['SFIABDIRECTORY']?>/committee_login.php"><?=i18n("Committee Login")?></a></li>
 <?
 }
 ?>
 </ul>
 <div class="aligncenter">
--- a/config/categories.php
+++ b/config/categories.php
@ -23,6 +23,8 @@
 ?>
 <?
 require("../common.inc.php");
 auth_required('config');
 send_header("Configuration - Categories and Divisions");
 echo "<a href=\"index.php\">&lt;&lt; ".i18n("Back to Configuration")."</a><br />";
--- a/config/dates.php
+++ b/config/dates.php
@ -23,6 +23,7 @@
 ?>
 <?
 require("../common.inc.php");
 auth_required('config');
 send_header("Configuration - Dates");
 echo "<a href=\"index.php\">&lt;&lt; ".i18n("Back to Configuration")."</a><br />";
--- a/config/divisions.php
+++ b/config/divisions.php
@ -23,6 +23,7 @@
 ?>
 <?
 require("../common.inc.php");
 auth_required('config');
 send_header("Configuration - Project Divisions");
 echo "<a href=\"index.php\">&lt;&lt; ".i18n("Back to Configuration")."</a><br />";
--- a/config/images.php
+++ b/config/images.php
@ -23,6 +23,7 @@
 ?>
 <?
 require("../common.inc.php");
 auth_required('config');
 send_header("Configuration - Images");
 echo "<a href=\"index.php\">&lt;&lt; ".i18n("Back to Configuration")."</a><br />";
--- a/config/index.php
+++ b/config/index.php
@ -23,6 +23,8 @@
 ?>
 <?
 require("../common.inc.php");
 auth_required('config');
 send_header("Configuration");
 echo error(i18n("Note: this section will normally be password protected.  It is left open for now for debugging and testing purposes"));
--- a/config/subdivisions.php
+++ b/config/subdivisions.php
@ -23,6 +23,7 @@
 ?>
 <?
 require("../common.inc.php");
 auth_required('config');
 send_header("Configuration - Project Sub-Divisions");
 echo "<a href=\"index.php\">&lt;&lt; ".i18n("Back to Configuration")."</a><br />";
--- a/config/variables.php
+++ b/config/variables.php
@ -23,6 +23,7 @@
 ?>
 <?
 require("../common.inc.php");
 auth_required('config');
 send_header("Configuration - Variables");
 echo "<a href=\"index.php\">&lt;&lt; ".i18n("Back to Configuration")."</a><br />";