Changeset 727 for trunk/phpbms/report

Timestamp:

01/07/10 11:16:05 (2 years ago)

Author:

brieb

Message:

• Added more rights look ups to certain pages
• Fixed several path disclosure errors

Files:

• trunk/phpbms/report/report_class.php (modified) (1 diff)

trunk/phpbms/report/report_class.php

@@ -115 +115 @@
         $this->tabledefUUID = mysql_real_escape_string($tabledefUUID);
 
-        if($reportUUID)
-            $this->retrieveReportSettings();
+        $this->checkRights();
+
+        $this->retrieveReportSettings();
 
     }//end function init
 
+
+    /**
+     * function checkRight
+     *
+     * Checks report record and current user to make sure they have rights to run this report
+     */
+     function checkRights(){
+
+        $querystatement = "
+            SELECT
+                `roleid`
+            FROM
+                `reports`
+            WHERE
+                `uuid` = '".$this->reportUUID."'
+        ";
+
+        $queryresult = $this->db->query($querystatement);
+
+        if($this->db->numRows($queryresult)){
+
+            $therecord = $this->db->fetchArray($queryresult);
+
+            if(!hasRights($therecord["roleid"]))
+                goURL(APP_PATH."noaccess.php");
+
+        } else
+            $error = new appError(500, "Bad report uuid");
+
+     }//end function checkRights
 
     /**