author | steckbrief <steckbrief@chefmail.de> | 2016-09-19 12:48:23 +0200 |
---|---|---|
committer | steckbrief <steckbrief@chefmail.de> | 2016-09-19 12:48:23 +0200 |
commit | 9caf7e3c4588b9e5f3c4471e0ba6597a49a44941 (patch) | |
tree | bac76b52ca253c34e6df5a6c8c9f473fd583e508 /include/access_check.inc.php | |
parent | 55e712bc4307d4d7bc5304eb8c8a949474b367cc (diff) |
add access check to i.php for every file request
Diffstat (limited to 'include/access_check.inc.php')
-rw-r--r-- | include/access_check.inc.php | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/include/access_check.inc.php b/include/access_check.inc.php
new file mode 100644
index 000000000..26f77afa9
--- /dev/null
+++ b/include/access_check.inc.php
@@ -0,0 +1,41 @@
+<?php
+function doError($code, $str) {
+ set_status_header($code);
+ echo $str ;
+ exit();
+}
+
+/**
+ * exits if there is no access.
+ */
+function checkAccess() {
+ global $page;
+
+ $picid = '';
+ $query = 'SELECT id FROM '.IMAGES_TABLE.' WHERE path=\''.$page['src_location'].'\';';
+ $result = pwg_query($query);
+ if (!is_object($result)) {
+ header('Location:'.$_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING']);
+ }
+ if (($row = pwg_db_fetch_assoc($result))) {
+ if (isset($row['id'])) {
+ $picid = $row['id'];
+ } else {
+ doError(404, 'Requested id not found');
+ }
+ } else {
+ doError(404, 'Requested id not found');
+ }
+
+ $query = 'SELECT id FROM '.CATEGORIES_TABLE.' INNER JOIN '.IMAGE_CATEGORY_TABLE.' ON category_id = id WHERE image_id = '.$picid.' '.get_sql_condition_FandF(
+ array(
+ 'forbidden_categories' => 'category_id',
+ 'forbidden_images' => 'image_id',
+ ),
+ ' AND'
+ ).'
+ LIMIT 1;';
+ if (pwg_db_num_rows(pwg_query($query)) < 1) {
+ doError(401, 'Access denied');
+ }
+}
\ No newline at end of file |
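Review bot: `$page['src_location']` is concatenated unescaped into the first query's WHERE clause in checkAccess(); if that value is derived from the request path (the PHP_SELF/QUERY_STRING redirect suggests this file serves arbitrary file requests), the lookup is SQL-injectable, so run it through the dblayer escape helper, e.g. `pwg_db_real_escape_string($page['src_location'])`, and cast `$picid` with `(int)` before it is spliced into the second query. The `!is_object($result)` branch sends a Location header and then falls through to `pwg_db_fetch_assoc($result)` on a non-object; it needs an `exit();` after `header(...)`, and since the target is the same PHP_SELF plus the same QUERY_STRING it looks like it would redirect to itself, so the intended destination is worth confirming. The denied case answers 401, which by HTTP semantics implies a WWW-Authenticate challenge; 403 is the status for a known-but-forbidden resource, and answering both "not found" and "forbidden" with the same 404 body would avoid letting users without access discover which paths exist.
```php
function checkAccess() {
    global $page;

    $picid = '';
    $query = 'SELECT id FROM '.IMAGES_TABLE.' WHERE path=\''.pwg_db_real_escape_string($page['src_location']).'\';';
    $result = pwg_query($query);
    if (!is_object($result)) {
        header('Location:'.$_SERVER['PHP_SELF'].'?'.$_SERVER['QUERY_STRING']);
        exit();
    }
    // … unchanged: row fetch and 404 handling …
    $picid = (int) $row['id'];
    // … unchanged: second query built with get_sql_condition_FandF …
    if (pwg_db_num_rows(pwg_query($query)) < 1) {
        doError(403, 'Access denied');
    }
}
```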