Phoca Tree module not checking for access rights

Phoca Download - download manager
Post Reply
istani123
Phoca Newbie
Phoca Newbie
Posts: 4
Joined: 09 Sep 2009, 15:48

Phoca Tree module not checking for access rights

Post by istani123 »

The Phoca Download Tree module shows all categories, no matter if a user has access to them or not.

For example, if some of the download categories is for registered users only... all visitors will be able to see it in the Tree...they don't have access to see it... but still it is visible in the tree... which may not be wanted (such as my case :-)

Is there a quick fix for this?
Top
codejunkie
Phoca Professional
Phoca Professional
Posts: 167
Joined: 11 Apr 2009, 01:30
Contact:
Contact codejunkie

Re: Phoca Tree module not checking for access rights

Post by codejunkie »

My guess is the SQL statement does not have a check on access rights. This would need to be added. Unfortunately, I do not have the correct SQL statement to add at this time.
Download Phoca Download Menu Module for listing Sections or Categories.
Top
User avatar
Jan
Phoca Hero
Phoca Hero
Posts: 48739
Joined: 10 Nov 2007, 18:23
Location: Czech Republic
Contact:
Contact Jan

Re: Phoca Tree module not checking for access rights

Post by Jan »

Yes, this is missed. I will fix it for next version. Thank you for this info.

Jan
If you find Phoca extensions useful, please support the project
Top
codejunkie
Phoca Professional
Phoca Professional
Posts: 167
Joined: 11 Apr 2009, 01:30
Contact:
Contact codejunkie

Re: Phoca Tree module not checking for access rights

Post by codejunkie »

You might try replacing the main mod_phocadownload_tree.php file located in the /modules/mod_phocadownload_tree folder with this code. I have done minimal testing on it, but have added access checks on the SQL statements.

I would recommend renaming the original php file before uploading this file to your server.

Code: Select all

<?php
/*
 * @package Joomla 1.5
 * @copyright Copyright (C) 2005 Open Source Matters. All rights reserved.
 * @license http://www.gnu.org/copyleft/gpl.html GNU/GPL, see LICENSE.php
 *
 * @module Phoca - Phoca Module
 * @copyright Copyright (C) Jan Pavelka www.phoca.cz
 * @license http://www.gnu.org/copyleft/gpl.html GNU/GPL
 * @based on javascript: dTree 2.05 www.destroydrop.com/javascript/tree/
 * @copyright (c) 2002-2003 Geir Landrö
 */
defined('_JEXEC') or die('Restricted access');// no direct access
if (!JComponentHelper::isEnabled('com_phocadownload', true)) {
	return JError::raiseError(JText::_('Phoca Download Error'), JText::_('Phoca Download is not installed on your system'));
}
$user 		= &JFactory::getUser();
$db 		= &JFactory::getDBO();
$menu 		= &JSite::getMenu();
$document	= &JFactory::getDocument();
		
// Start CSS
$document->addStyleSheet(JURI::base(true).'/modules/mod_phocadownload_tree/assets/dtree.css');
$document->addScript( JURI::base(true) . '/modules/mod_phocadownload_tree/assets/dtree.js' );
$imgPath = JURI::base(true) . '/modules/mod_phocadownload_tree/assets/';

//Unique id for more modules
$treeId = "d".uniqid( "tree_" );

// Current category info
$id 	= JRequest::getVar( 'id', 0, '', 'int' );
$option = JRequest::getVar( 'option', 0, '', 'string' );
$view 	= JRequest::getVar( 'view', 0, '', 'string' );


// Params
$hide_categories = $params->get( 'hide_categories', '');
$hide_sections = $params->get( 'hide_sections', '' );

$hideSecArray	= explode( ';', trim($hide_sections) );
$hideSecSql		= '';
if (is_array($hideSecArray)) {
	foreach ($hideSecArray as $value) {
		$hideSecSql .= ' AND s.id != '. (int) trim($value) .' ';
	}
}

$hideCatArray	= explode( ';', trim($hide_categories) );
$hideCatSql		= '';
if (is_array($hideCatArray)) {
	foreach ($hideCatArray as $value) {
		$hideCatSql .= ' AND cc.id != '. (int) trim($value) .' ';
	}
}
// Add Access check - codejunkie 2009-10-07
$aid 		= $user->get('aid', 0);

// All Sections - - - - - - -
$query = 'SELECT s.title AS text, s.id AS id, s.alias as alias, s.access as access,'
		. ' CASE WHEN CHAR_LENGTH(s.alias) THEN CONCAT_WS(\':\', s.id, s.alias) ELSE s.id END as secslug '
		. ' FROM #__phocadownload_sections AS s'
		. ' WHERE s.published = 1'
		. $hideSecSql
// Add Access check - codejunkie 2009-10-07
		. ' AND s.access <= ' . $aid
		. ' ORDER BY s.ordering';
$db->setQuery( $query );
$sections = $db->loadObjectList();

// All Categories - - - - -
$query = 'SELECT cc.title AS text, cc.id AS id, cc.parent_id as parentid, cc.section as section, cc.alias as alias, cc.access as access,'
		. ' CASE WHEN CHAR_LENGTH(cc.alias) THEN CONCAT_WS(\':\', cc.id, cc.alias) ELSE cc.id END as catslug '
		. ' FROM #__phocadownload_categories AS cc'
		. ' WHERE cc.published = 1'
		. $hideCatSql
// Add Access check - codejunkie 2009-10-07
		. ' AND cc.access <= ' . $aid
		. ' ORDER BY cc.ordering';
$db->setQuery( $query );
$categories = $db->loadObjectList();


// Link
// Set Itemid id, exists this link in Menu?
$menu 			= &JSite::getMenu();
$itemsSec	= $menu->getItems('link', 'index.php?option=com_phocadownload&view=sections');
if(isset($itemsSec[0])) {
	$itemId = $itemsSec[0]->id;
	$alias 	= '';
} else {
	$itemId = 0;
	$alias	= '';
}

// Tree
$i = 1;
$tree 		= array();
$newIdSec	= array();
$newIdCat	= array();
foreach ($sections as $keySec => $valueSec) {
	$link = JRoute::_('index.php?option=com_phocadownload&view=section&id='. $valueSec->secslug .'&Itemid='.$itemId);	
	$tree[] =  $treeId.'.add('.$i.',0,\''.addslashes($valueSec->text).'\',\''.$link.'\');'."\n";
	$newIdSec[$valueSec->id] = $i;
	$j = $i;$i++;
	foreach ($categories as $keyCat => $valueCat) {
		if ((int)$valueCat->section == (int)$valueSec->id) {
			$link = JRoute::_('index.php?option=com_phocadownload&view=category&id='. $valueCat->catslug .'&Itemid='.$itemId);
			$tree[] =  $treeId.'.add('.$i.','.$j.',\''.addslashes($valueCat->text).'\',\''.$link.'\');'."\n";
			$newIdCat[$valueCat->id] = $i;
			$i++;
		}
	}
}

// We added unique numbers to categories and sections (because section can have the same id as category we must to add other ids)
if ( $option == 'com_phocadownload' && $view == 'section' ) {
	if (isset($newIdSec[$id])) {
		$catAndSecId = (int)$newIdSec[$id];
	} else {
		$catAndSecId = 0;
	}
} else if ( $option == 'com_phocadownload' && $view == 'category' ) {
	if (isset($newIdCat[$id])) {
		$catAndSecId = (int)$newIdCat[$id];
	} else {
		$catAndSecId = 0;
	} 
} else {
	$catAndSecId = 0;
}

// Categories (Head)
$linkSections = JRoute::_('index.php?option=com_phocadownload&view=sections&Itemid='.$itemId);
// Create javascript code	
$jsTree = '';
foreach($tree as $key => $value) {
	$jsTree .= $value ;
}
//  Output
$output ='<div style="text-align:left;">';
$output.='<div class="dtree">';
$output.='<script type="text/javascript">'."\n";
$output.='<!--'."\n";
$output.=''."\n";
$output.=''.$treeId.' = new dTree2568(\''.$treeId.'\', \''.$imgPath.'\');'."\n";
$output.=''."\n";
$output.=''.$treeId.'.add(0,-1,\''.JText::_( 'Download' ).'\',\''.$linkSections.'\');'."\n";
$output.=$jsTree;
$output.=''."\n";
$output.='document.write('.$treeId.');'."\n";
$output.=''.$treeId.'.openTo('. (int) $catAndSecId.',\'true\');'. "\n";
$output.=''."\n";
$output.='//-->'."\n";
$output.='</script>';
$output.='</div></div>';

require(JModuleHelper::getLayoutPath('mod_phocadownload_tree'));
?>
Download Phoca Download Menu Module for listing Sections or Categories.
Top
istani123
Phoca Newbie
Phoca Newbie
Posts: 4
Joined: 09 Sep 2009, 15:48

Re: Phoca Tree module not checking for access rights

Post by istani123 »

It seems to be working. Thank you! :twisted:
Top
Post Reply

Return to “Phoca Download”