Method security checking

This commit is contained in:
Deon George 2013-05-15 15:39:04 +10:00
parent c0ba6d4e98
commit e81eb7a446
2 changed files with 10 additions and 17 deletions

View File

@ -185,18 +185,12 @@ class Auth_OSB extends Auth_ORM {
$uo = $this->get_user();
// If we are not a valid user object, then we are not logged in
if (is_object($uo) AND ($uo instanceof Model_Account) AND $uo->loaded()) {
if (Config::sitemode() == Kohana::DEVELOPMENT)
SystemMessage::add(array('title'=>'Debug','type'=>'debug','body'=>Debug::vars(array('user'=>$uo->username,'r'=>$role))));
if (! empty($role) AND Request::current()->mmo()) {
if (is_object($uo) AND ($uo instanceof Model_Account) AND $uo->loaded())
if (! empty($role)) {
if (($x = Request::current()->mmo()) instanceof Model)
// If the role has the authorisation to run the method
$gmo = ORM::factory('Group_Method')
->where('method_id','=',Request::current()->mmo()->id);
foreach ($gmo->find_all() as $gm)
// $gm->group->id == 0 means all users.
if ($gm->group->id == 0 OR $uo->has_any('group',$gm->group->list_childgrps(TRUE))) {
foreach ($x->group->find_all() as $go)
if ($go->id == 0 OR $uo->has_any('group',$go->list_childgrps(TRUE))) {
$status = TRUE;
break;
}
@ -204,7 +198,6 @@ class Auth_OSB extends Auth_ORM {
// There is no role, so the method should be allowed to run as anonymous
} else
$status = TRUE;
}
return $status;
}

View File

@ -45,7 +45,7 @@ class Request extends Kohana_Request {
$method = strtolower($this->_directory ? sprintf('%s_%s',$this->_directory,$this->_action) : $this->_action);
// Get the method number
$mmo = ORM::factory('Module_Method',array('module_id'=>$mo->id,'name'=>$method));
$mmo = $mo->module_method->where('name','=',$method)->find();
if ($mmo->loaded())
$result = $mmo;