authorsteckbrief <steckbrief@chefmail.de>2016-09-19 12:48:23 +0200
committersteckbrief <steckbrief@chefmail.de>2016-09-19 12:48:23 +0200
commit9caf7e3c4588b9e5f3c4471e0ba6597a49a44941 (patch)
treebac76b52ca253c34e6df5a6c8c9f473fd583e508 /include/access_check.inc.php
parent55e712bc4307d4d7bc5304eb8c8a949474b367cc (diff)
add access check to i.php for every file request
Diffstat (limited to 'include/access_check.inc.php')
-rw-r--r--include/access_check.inc.php41
1 files changed, 41 insertions, 0 deletions
diff --git a/include/access_check.inc.php b/include/access_check.inc.php
new file mode 100644
index 000000000..26f77afa9
--- /dev/null
+++ b/include/access_check.inc.php
@@ -0,0 +1,41 @@
+<?php
+function doError($code, $str) {
+ set_status_header($code);
+ echo $str ;
+ exit();
+}
+
+/**
+ * exits if there is no access.
+ */
+function checkAccess() {
+ global $page;
+
+ $picid = '';
+ $query = 'SELECT id FROM '.IMAGES_TABLE.' WHERE path=\''.$page['src_location'].'\';';
+ $result = pwg_query($query);
+ if (!is_object($result)) {
+ header('Location:'.$_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING']);
+ }
+ if (($row = pwg_db_fetch_assoc($result))) {
+ if (isset($row['id'])) {
+ $picid = $row['id'];
+ } else {
+ doError(404, 'Requested id not found');
+ }
+ } else {
+ doError(404, 'Requested id not found');
+ }
+
+ $query = 'SELECT id FROM '.CATEGORIES_TABLE.' INNER JOIN '.IMAGE_CATEGORY_TABLE.' ON category_id = id WHERE image_id = '.$picid.' '.get_sql_condition_FandF(
+ array(
+ 'forbidden_categories' => 'category_id',
+ 'forbidden_images' => 'image_id',
+ ),
+ ' AND'
+ ).'
+ LIMIT 1;';
+ if (pwg_db_num_rows(pwg_query($query)) < 1) {
+ doError(401, 'Access denied');
+ }
+} \ No newline at end of file
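Review bot: The first query in checkAccess interpolates `$page['src_location']` into the WHERE clause without escaping, so whatever populates that value upstream (not visible here; presumably derived from the requested file path in i.php) flows straight into SQL — run it through the db layer first, `' WHERE path=\''.pwg_db_real_escape_string($page['src_location']).'\';'`. The `if (!is_object($result))` branch sends a Location header but does not stop, so execution continues into `pwg_db_fetch_assoc($result)` on a non-object; add `exit();` directly after the `header(...)` call, and consider whether redirecting to `$_SERVER['PHP_SELF']` with the same query string can loop when the query keeps failing. The final branch answers 401, which signals an authentication challenge and is normally paired with a WWW-Authenticate header; 403 matches the `'Access denied'` message for a viewer who is simply not permitted. doError's `echo $str` is fine for these constant strings, but a one-line docblock saying callers must only pass fixed messages would keep it that way.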