// import() function loads a class.
function import($class_name) {
- $libs = array(
- dirname($_SERVER["SCRIPT_FILENAME"]),
- LIBRARY_DIR
- );
+ $libs = array(
+ dirname($_SERVER["SCRIPT_FILENAME"]),
+ LIBRARY_DIR
+ );
$pos = strpos($class_name, ".");
if (!($pos === false)) {
die($mdb2->getMessage());
}
- $mdb2->setOption('debug', true);
$mdb2->setFetchMode(MDB2_FETCHMODE_ASSOC);
$GLOBALS["_MDB2_CONNECTION"] = $mdb2;
}
- function closeConnection() {
- if (isset($GLOBALS["_DB_CONNECTION"])) {
- $GLOBALS["_DB_CONNECTION"]->close();
- unset($GLOBALS["_DB_CONNECTION"]);
- }
- }
-
// time_to_decimal converts a time string such as 1:15 to its decimal representation such as 1.25 or 1,25.
function time_to_decimal($val) {
global $user;
return true;
}
+// ttValidCondition is used to check user input to validate a notification condition.
+function ttValidCondition($val, $emptyValid = true)
+{
+ $val = trim($val);
+ if (strlen($val) == 0)
+ return ($emptyValid ? true : false);
+
+ // String must not be XSS evil (to insert JavaScript).
+ if (stristr($val, '<script>') || stristr($val, '<script '))
+ return false;
+
+ if (!preg_match("/^count\s?>\s?\d+$/", $val))
+ return false;
+
+ return true;
+}
+
// ttAccessCheck is used to check whether user is allowed to proceed. This function is used
// as an initial check on all publicly available pages.
function ttAccessCheck($required_rights)
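Review bot: The `<script>` substring test in ttValidCondition is redundant, because the anchored pattern `/^count\s?>\s?\d+$/` in the check that follows already rejects any value containing `<`; keeping it suggests a blocklist is the XSS control, which would be the wrong thing to rely on if the pattern is ever relaxed. I would drop that check and state the intent in a comment such as `// Allow-list: only "count > N" is accepted; still escape the value wherever it is rendered.` Two smaller points: `\s?` also accepts a single tab or newline between the tokens, and `\d+` is unbounded, so any consumer that casts the number should expect arbitrarily long digit strings (`\d{1,9}` would bound it). `return ($emptyValid ? true : false);` can be written as `return (bool)$emptyValid;`.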
}
// Check rights.
- if (!($required_rights & $user->rights))
+ if (!($required_rights & $user->rights_mask))
return false;
return true;
}
+
+// ttAccessAllowed checks whether user is allowed access to a particular page.
+// This function is a replacement for ttAccessCheck above as part of roles revamp.
+// To be used as an initial check on all publicly available pages
+// (except login.php and register.php where we don't have to check).
+function ttAccessAllowed($required_right)
+{
+ global $auth;
+ global $user;
+
+ // Redirect to login page if user is not authenticated.
+ if (!$auth->isAuthenticated()) {
+ header('Location: login.php');
+ exit();
+ }
+
+ // Check if user has the right.
+ if (in_array($required_right, $user->rights))
+ return true;
+
+ return false;
+}
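Review bot: The authorization test `in_array($required_right, $user->rights)` in ttAccessAllowed uses loose comparison, so on PHP versions before 8 an integer or other non-string value on either side can match a right name it should not; pass the strict flag, `if (in_array($required_right, $user->rights, true))`. The function also only returns false for an authenticated user who lacks the right, so a page is protected only if every caller checks the result and stops. The callers are not visible in this hunk, so it is worth confirming that, or ending the request inside the function the same way the unauthenticated branch does with `exit();`.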