Method security checking

Deon George 2013-05-15 15:39:04 +10:00
parent 067af280af
commit 81cb759667
2 changed files with 10 additions and 17 deletions


@ -185,26 +185,19 @@ class Auth_OSB extends Auth_ORM {
$uo = $this->get_user(); $uo = $this->get_user();
// If we are not a valid user object, then we are not logged in // If we are not a valid user object, then we are not logged in
if (is_object($uo) AND ($uo instanceof Model_Account) AND $uo->loaded()) { if (is_object($uo) AND ($uo instanceof Model_Account) AND $uo->loaded())
if (Config::sitemode() == Kohana::DEVELOPMENT) if (! empty($role)) {
SystemMessage::add(array('title'=>'Debug','type'=>'debug','body'=>Debug::vars(array('user'=>$uo->username,'r'=>$role)))); if (($x = Request::current()->mmo()) instanceof Model)
// If the role has the authorisation to run the method
if (! empty($role) AND Request::current()->mmo()) { foreach ($x->group->find_all() as $go)
// If the role has the authorisation to run the method if ($go->id == 0 OR $uo->has_any('group',$go->list_childgrps(TRUE))) {
$gmo = ORM::factory('Group_Method') $status = TRUE;
->where('method_id','=',Request::current()->mmo()->id); break;
}
foreach ($gmo->find_all() as $gm)
// $gm->group->id == 0 means all users.
if ($gm->group->id == 0 OR $uo->has_any('group',$gm->group->list_childgrps(TRUE))) {
$status = TRUE;
break;
}
// There is no role, so the method should be allowed to run as anonymous // There is no role, so the method should be allowed to run as anonymous
} else } else
$status = TRUE; $status = TRUE;
}
return $status; return $status;
} }
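Review bot: The group check `$go->id == 0` in the new `foreach` uses a loose comparison inside an authorisation decision; in PHP `null == 0` is true (and, before PHP 8, so is any non-numeric string), so a group row with an unset or malformed id would be treated as the "all users" group and set `$status = TRUE`. A strict form such as `if ((string)$go->id === '0' OR $uo->has_any('group',$go->list_childgrps(TRUE))) {` avoids that, assuming the ORM returns ids as integers or numeric strings. The removed comment `// $gm->group->id == 0 means all users.` explained why id 0 grants access and is worth keeping above that line as `// $go->id == 0 means all users.`. The deny path, including the new case where `mmo()` is not a `Model`, now depends on `$status` being initialised to FALSE before the hunk starts, which is not visible here because the function begins outside the hunk.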


@ -45,7 +45,7 @@ class Request extends Kohana_Request {
$method = strtolower($this->_directory ? sprintf('%s_%s',$this->_directory,$this->_action) : $this->_action); $method = strtolower($this->_directory ? sprintf('%s_%s',$this->_directory,$this->_action) : $this->_action);
// Get the method number // Get the method number
$mmo = ORM::factory('Module_Method',array('module_id'=>$mo->id,'name'=>$method)); $mmo = $mo->module_method->where('name','=',$method)->find();
if ($mmo->loaded()) if ($mmo->loaded())
$result = $mmo; $result = $mmo;