From 81cb759667d72463c9142193b589d1cf1033d34c Mon Sep 17 00:00:00 2001
From: Deon George
Date: Wed, 15 May 2013 15:39:04 +1000
Subject: [PATCH] Method security checking

---
 application/classes/Auth/OSB.php | 25 +++++++++----------------
 application/classes/Request.php | 2 +-
 2 files changed, 10 insertions(+), 17 deletions(-)

diff --git a/application/classes/Auth/OSB.php b/application/classes/Auth/OSB.php
index 73de132e..9e87c5b6 100644
--- a/application/classes/Auth/OSB.php
+++ b/application/classes/Auth/OSB.php
@@ -185,26 +185,19 @@ class Auth_OSB extends Auth_ORM {
 $uo = $this->get_user();
 
 // If we are not a valid user object, then we are not logged in
- if (is_object($uo) AND ($uo instanceof Model_Account) AND $uo->loaded()) {
- if (Config::sitemode() == Kohana::DEVELOPMENT)
- SystemMessage::add(array('title'=>'Debug','type'=>'debug','body'=>Debug::vars(array('user'=>$uo->username,'r'=>$role))));
-
- if (! empty($role) AND Request::current()->mmo()) {
- // If the role has the authorisation to run the method
- $gmo = ORM::factory('Group_Method')
- ->where('method_id','=',Request::current()->mmo()->id);
-
- foreach ($gmo->find_all() as $gm)
- // $gm->group->id == 0 means all users.
- if ($gm->group->id == 0 OR $uo->has_any('group',$gm->group->list_childgrps(TRUE))) {
- $status = TRUE;
- break;
- }
+ if (is_object($uo) AND ($uo instanceof Model_Account) AND $uo->loaded())
+ if (! empty($role)) {
+ if (($x = Request::current()->mmo()) instanceof Model)
+ // If the role has the authorisation to run the method
+ foreach ($x->group->find_all() as $go)
+ if ($go->id == 0 OR $uo->has_any('group',$go->list_childgrps(TRUE))) {
+ $status = TRUE;
+ break;
+ }
 
 // There is no role, so the method should be allowed to run as anonymous
 } else
 $status = TRUE;
- }
 
 return $status;
 }
diff --git a/application/classes/Request.php b/application/classes/Request.php
index 9b9e3716..cd3bc653 100644
--- a/application/classes/Request.php
+++ b/application/classes/Request.php
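Review bot: The "all users" sentinel `$go->id == 0` in the new foreach is a loose comparison, and the old `// $gm->group->id == 0 means all users.` comment that explained it was dropped in the rewrite; under PHP's loose rules `null == 0` and `'' == 0` are both true, so a group row with a missing or empty id would open the method to every logged-in account. Suggest `if ((int) $go->id === 0 OR $uo->has_any('group',$go->list_childgrps(TRUE))) {` with the comment `// group id 0 means the method is open to all users` restored above it. The outer `if (is_object($uo) ...)` is now brace-less around an inner if/else; the `else` binds to the inner `if (! empty($role))` because of its braces, which is the intended reading, but braces on the outer `if` would stop a future edit from silently changing that binding. The method's signature and the initial value of `$status` are outside the hunk; assuming it starts as FALSE, a role-protected method that `mmo()` cannot resolve to a Model now stays denied, which is the right fail-closed default.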
@@ -45,7 +45,7 @@ class Request extends Kohana_Request {
 $method = strtolower($this->_directory ? sprintf('%s_%s',$this->_directory,$this->_action) : $this->_action);
 
 // Get the method number
- $mmo = ORM::factory('Module_Method',array('module_id'=>$mo->id,'name'=>$method));
+ $mmo = $mo->module_method->where('name','=',$method)->find();
 
 if ($mmo->loaded())
 $result = $mmo;
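Review bot: The new `$mo->module_method->where('name','=',$method)->find()` returns the first row matching the (module, name) pair, and nothing in the hunk guarantees that pair is unique, so a duplicate Module_Method record would silently bind the request to whichever row the database returns first, and with it that row's permission set. Because `$method` (context line above) joins `$this->_directory` and `$this->_action` with `_`, two different directory/action splits can also produce the same name; worth a comment on the new line such as `// (module_id, name) must be unique: this record selects the permissions checked for the action` and a unique key on that pair if the schema lacks one. A `find_all()` with a count check would let the code refuse, rather than guess, when more than one row matches. `$mo` and the initial value of `$result` come from outside the hunk; presumably `$mo` is a loaded module by this point, and an unloaded one would filter the relation on a NULL module_id and match nothing, which fails closed.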