Skip to content

Commit

Permalink
Security System Fixes:
Browse files Browse the repository at this point in the history 
* Add/Edit Label icon showing next to Type: when no permission.
* Implemented security into tokens:
http://docs.phpsurveyor.org/tiki-index.php?page=Survey+Security+Settings

git-svn-id: file:///Users/Shitiz/Downloads/lssvn/source/phpsurveyor@2518 b72ed6b6-b9f8-46b5-92b4-906544132732
  • Loading branch information
David Olivier committed Mar 7, 2007
1 parent 9c22191 commit 928b97d
Show file tree
Hide file tree
Showing 2 changed files with 74 additions and 53 deletions.
7 changes: 5 additions & 2 deletions admin/html.php
View file
Expand Up @@ -561,7 +561,10 @@
. "<img src='$imagefiles/saved.png' title='' align='left' name='BrowseSaved' alt='".$clang->gT("View Saved but not submitted Responses")."' /></a>"
. "\t\t\t\t\t<img src='$imagefiles/seperator.gif' alt='' align='left' border='0' hspace='0' />\n";
}
$surveysummary .="<a href=\"#\" onclick=\"window.open('$scriptname?action=tokens&amp;sid=$surveyid', '_top')\""
}
if ($activated == "Y" && ($sumrows5['browse_response'] || $sumrows5['export'] || $sumrows5['activate_survey']))
{
$surveysummary .="<a href=\"#\" onclick=\"window.open('$scriptname?action=tokens&amp;sid=$surveyid', '_top')\""
. "onmouseout=\"hideTooltip()\""
. "onmouseover=\"showTooltip(event,'".$clang->gT("Activate/Edit Tokens for this Survey", "js")."');return false\">" .
"<img src='$imagefiles/tokens.png' title='' align='left' name='TokensControl' alt='".$clang->gT("Activate/Edit Tokens for this Survey")."' /></a>\n" ;
Expand Down Expand Up @@ -1200,7 +1203,7 @@
$qtypes = getqtypelist("", "array"); //qtypes = array(type code=>type description)
$questionsummary .= "\t<tr $qshowstyle id='surveydetails34'><td align='right' valign='top'><strong>"
.$clang->gT("Type:")."</strong></td>\n\t<td>{$qtypes[$qrrow['type']]}";
if ($qrrow['type'] == "F" ||$qrrow['type'] == "H")
if (($qrrow['type'] == "F" ||$qrrow['type'] == "H") && $sumrows5['define_questions'])
{
$questionsummary .= " (LID: {$qrrow['lid']}) "
. "<input align='top' type='image' src='$imagefiles/labelssmall.png' title='"
Expand Down
120 changes: 69 additions & 51 deletions admin/tokens.php
View file
Expand Up @@ -48,11 +48,14 @@
if (!isset($limit)) {$limit=returnglobal('limit');}
if (!isset($start)) {$start=returnglobal('start');}
if (!isset($searchstring)) {$searchstring=returnglobal('searchstring');}

include_once("login_check.php");
$tokenoutput='';

if ($subaction == "export") //EXPORT FEATURE SUBMITTED BY PIETERJAN HEYSE
$sumquery5 = "SELECT b.* FROM {$dbprefix}surveys AS a INNER JOIN {$dbprefix}surveys_rights AS b ON a.sid = b.sid WHERE a.sid=$surveyid AND b.uid = ".$_SESSION['loginID']; //Getting rights for this survey and user
$sumresult5 = db_execute_assoc($sumquery5);
$sumrows5 = $sumresult5->FetchRow();

if ($subaction == "export" && $sumrows5['export']) //EXPORT FEATURE SUBMITTED BY PIETERJAN HEYSE
{

header("Content-Disposition: attachment; filename=tokens_".$surveyid.".csv");
Expand Down Expand Up @@ -87,7 +90,7 @@
exit;
}

if ($subaction == "delete" ) {$_SESSION['metaHeader']="<meta http-equiv=\"refresh\" content=\"1;URL={$scriptname}?action=tokens&amp;subaction=browse&amp;sid={$_GET['sid']}&amp;start=$start&amp;limit=$limit&amp;order=$order\" />";}
if ($subaction == "delete" && ($sumrows5['edit_survey_property'] || $sumrows5['activate_survey'])) {$_SESSION['metaHeader']="<meta http-equiv=\"refresh\" content=\"1;URL={$scriptname}?action=tokens&amp;subaction=browse&amp;sid={$_GET['sid']}&amp;start=$start&amp;limit=$limit&amp;order=$order\" />";}
//Show Help
$tokenoutput .= "<script type='text/javascript'>\n"
."<!--\n"
Expand Down Expand Up @@ -159,7 +162,7 @@
$tkquery = "SELECT * FROM ".db_table_name("tokens_$surveyid");
if (!$tkresult = $connect->Execute($tkquery)) //If the query fails, assume no tokens table exists
{
if (isset($_GET['createtable']) && $_GET['createtable']=="Y")
if (isset($_GET['createtable']) && $_GET['createtable']=="Y" && ($sumrows5['edit_survey_property'] || $sumrows5['activate_survey']))
{
$createtokentable=
"tid int I NOTNULL AUTO PRIMARY,\n "
Expand Down Expand Up @@ -197,7 +200,7 @@
."</td></tr></table>\n";
return;
}
elseif (returnglobal('restoretable') == "Y" && returnglobal('oldtable'))
elseif (returnglobal('restoretable') == "Y" && returnglobal('oldtable') && ($sumrows5['edit_survey_property'] || $sumrows5['activate_survey']))
{
#TODO: make the table rename use datadict
$query = "RENAME TABLE ".db_quote_id(returnglobal('oldtable'))." TO ".db_table_name("tokens_$surveyid");
Expand Down Expand Up @@ -230,16 +233,19 @@
$tokenoutput .= "\t<tr>\n"
."\t\t<td align='center'>\n"
."\t\t\t<br /><font color='red'><strong>".$clang->gT("Warning")."</strong></font><br />\n"
."\t\t\t<strong>".$clang->gT("Tokens have not been initialised for this survey.")."</strong><br /><br />\n"
."\t\t\t".$clang->gT("If you initialise tokens for this survey, the survey will only be accessible to users who have been assigned a token.")
."\t\t\t<br /><br />\n"
."\t\t\t".$clang->gT("Do you want to create a tokens table for this survey?");
$tokenoutput .= "<br /><br />\n";
."\t\t\t<strong>".$clang->gT("Tokens have not been initialised for this survey.")."</strong><br /><br />\n";
if ($sumrows5['edit_survey_property'] || $sumrows5['activate_survey'])
{
$tokenoutput .= "\t\t\t".$clang->gT("If you initialise tokens for this survey, the survey will only be accessible to users who have been assigned a token.")
."\t\t\t<br /><br />\n"
."\t\t\t".$clang->gT("Do you want to create a tokens table for this survey?");
$tokenoutput .= "<br /><br />\n";
$tokenoutput .= "\t\t\t<input type='submit' value='"
.$clang->gT("Initialise Tokens")."' onClick=\"window.open('$scriptname?action=tokens&amp;sid=$surveyid&amp;createtable=Y', '_top')\"><br />\n";
}
$tokenoutput .= "\t\t\t<input type='submit' value='"
.$clang->gT("Initialise Tokens")."' onClick=\"window.open('$scriptname?action=tokens&amp;sid=$surveyid&amp;createtable=Y', '_top')\"><br />\n"
."\t\t\t<input type='submit' value='"
.$clang->gT("Main Admin Screen")."' onClick=\"window.open('$homeurl/admin.php?sid=$surveyid', '_top')\"><br /><br />\n";
if ($tcount>0)
if ($tcount>0 && ($sumrows5['edit_survey_property'] || $sumrows5['activate_survey']))
{
$tokenoutput .= "<table width='350' border='0' align='center' style='border: 1px solid #555555' cellpadding='1' cellspacing='0'><tr>\n"
."<td bgcolor='#666666'><font color='white' size='1'>Restore Options:\n"
Expand Down Expand Up @@ -293,18 +299,26 @@
."onmouseover=\"showTooltip(event,'".$clang->gT("Display Tokens", "js")."');return false\">" .
"<img name='ViewAllButton' src='$imagefiles/document.png' title='' align='left' ></a>\n"
."\t\t\t<img src='$imagefiles/blank.gif' alt='' width='20' border='0' hspace='0' align='left'>\n"
."\t\t\t<img src='$imagefiles/seperator.gif' alt='' border='0' hspace='0' align='left'>\n"
."\t\t\t<a href=\"#\" onClick=\"window.open('$scriptname?action=tokens&amp;sid=$surveyid&amp;subaction=addnew', '_top')\" onmouseout=\"hideTooltip()\"" .
"onmouseover=\"showTooltip(event,'".$clang->gT("Add new token entry", "js")."');return false\">" .
"<img name='AddNewButton' src='$imagefiles/add.png' title='' align='left' ></a>\n"
."\t\t\t<a href=\"#\" onClick=\"window.open('$scriptname?action=tokens&amp;sid=$surveyid&amp;subaction=import', '_top')\" onmouseout=\"hideTooltip()\" ".
"onmouseover=\"showTooltip(event,'".$clang->gT("Import Tokens from CSV File", "js")."');return false\"> <img name='ImportButton' src='$imagefiles/importcsv.png' title='' align='left'></a>"
."\t\t\t<a href=\"#\" onClick=\"window.open('$scriptname?action=tokens&amp;sid=$surveyid&amp;subaction=importldap', '_top')\" onmouseout=\"hideTooltip()\" ".
"onmouseover=\"showTooltip(event,'".$clang->gT("Import Tokens from LDAP Query", "js")."');return false\"> <img name='ImportLdapButton' src='$imagefiles/importldap.png' title='' align='left'></a>"
."\t\t\t<a href=\"#\" onClick=\"window.open('$scriptname?action=tokens&amp;sid=$surveyid&amp;subaction=export', '_top')\" onmouseout=\"hideTooltip()\"" .
."\t\t\t<img src='$imagefiles/seperator.gif' alt='' border='0' hspace='0' align='left'>\n";
if ($sumrows5['edit_survey_property'] || $sumrows5['activate_survey'])
{
$tokenoutput .= "\t\t\t<a href=\"#\" onClick=\"window.open('$scriptname?action=tokens&amp;sid=$surveyid&amp;subaction=addnew', '_top')\" onmouseout=\"hideTooltip()\"" .
"onmouseover=\"showTooltip(event,'".$clang->gT("Add new token entry", "js")."');return false\">" .
"<img name='AddNewButton' src='$imagefiles/add.png' title='' align='left' ></a>\n"
."\t\t\t<a href=\"#\" onClick=\"window.open('$scriptname?action=tokens&amp;sid=$surveyid&amp;subaction=import', '_top')\" onmouseout=\"hideTooltip()\" ".
"onmouseover=\"showTooltip(event,'".$clang->gT("Import Tokens from CSV File", "js")."');return false\"> <img name='ImportButton' src='$imagefiles/importcsv.png' title='' align='left'></a>"
."\t\t\t<a href=\"#\" onClick=\"window.open('$scriptname?action=tokens&amp;sid=$surveyid&amp;subaction=importldap', '_top')\" onmouseout=\"hideTooltip()\" ".
"onmouseover=\"showTooltip(event,'".$clang->gT("Import Tokens from LDAP Query", "js")."');return false\"> <img name='ImportLdapButton' src='$imagefiles/importldap.png' title='' align='left'></a>";
}
if ($sumrows5['export'])
{
$tokenoutput .= "\t\t\t<a href=\"#\" onClick=\"window.open('$scriptname?action=tokens&amp;sid=$surveyid&amp;subaction=export', '_top')\" onmouseout=\"hideTooltip()\"" .
"onmouseover=\"showTooltip(event,'".$clang->gT("Export Tokens to CSV file", "js")."');return false\">".
"<img name='ExportButton' src='$imagefiles/exportcsv.png' align='left' ></a>\n"
."\t\t\t<img src='$imagefiles/seperator.gif' alt='' border='0' hspace='0' align='left'>\n"
"<img name='ExportButton' src='$imagefiles/exportcsv.png' align='left' ></a>\n";
}
if ($sumrows5['edit_survey_property'] || $sumrows5['activate_survey'])
{
$tokenoutput .= "\t\t\t<img src='$imagefiles/seperator.gif' alt='' border='0' hspace='0' align='left'>\n"
."\t\t\t<a href=\"#\" onClick=\"window.open('$scriptname?action=tokens&amp;sid=$surveyid&amp;subaction=email', '_top')\" onmouseout=\"hideTooltip()\" onmouseover=\"showTooltip(event,'".$clang->gT("Send email invitation", "js")."');return false\">" .
"<img name='InviteButton' src='$imagefiles/invite.png' title='' align='left'></a>\n"
."\t\t\t<a href=\"#\" onClick=\"window.open('$scriptname?action=tokens&amp;sid=$surveyid&amp;subaction=remind', '_top')\" onmouseout=\"hideTooltip()\" onmouseover=\"showTooltip(event,'".$clang->gT("Send email reminder", "js")."');return false\">" .
Expand All @@ -315,8 +329,10 @@
."\t\t\t<img src='$imagefiles/seperator.gif' alt='' border='0' hspace='0' align='left'>\n"
."\t\t\t<a href=\"#\" onClick=\"window.open('$scriptname?action=tokens&amp;sid=$surveyid&amp;subaction=kill', '_top')\" onmouseout=\"hideTooltip()\" onmouseover=\"showTooltip(event,'".$clang->gT("Drop tokens table", "js")."');return false\">" .
"<img name='DeleteTokensButton' src='$imagefiles/delete.png' title='' align='left' ></a>\n"
."\t\t</td>\n"
."\t</tr>\n";
."\t\t</td>\n";
}

$tokenoutput .= "\t</tr>\n";

// SEE HOW MANY RECORDS ARE IN THE TOKEN TABLE
$tkcount = $tkresult->RecordCount();
Expand Down Expand Up @@ -362,31 +378,31 @@
#############################################################################################
// NOW FOR VARIOUS ACTIONS:

if ($subaction == "deleteall")
if ($subaction == "deleteall" && ($sumrows5['edit_survey_property'] || $sumrows5['activate_survey']))
{
$query="DELETE FROM ".db_table_name("tokens_$surveyid");
$result=$connect->Execute($query) or die ("Couldn't update sent field<br />$query<br />".htmlspecialchars($connect->ErrorMsg()));
$tokenoutput .= "<tr><td bgcolor='silver' align='center'><strong><font color='green'>".$clang->gT("All token entries have been deleted.")."</font></strong></td></tr>\n";
$subaction="";
}

if ($subaction == "clearinvites")
if ($subaction == "clearinvites" && ($sumrows5['edit_survey_property'] || $sumrows5['activate_survey']))
{
$query="UPDATE ".db_table_name("tokens_$surveyid")." SET sent='N'";
$result=$connect->Execute($query) or die ("Couldn't update sent field<br />$query<br />".htmlspecialchars($connect->ErrorMsg()));
$tokenoutput .= "<tr><td bgcolor='silver' align='center'><strong><font color='green'>".$clang->gT("All invite entries have been set to 'Not Invited'.")."</font></strong></td></tr>\n";
$subaction="";
}

if ($subaction == "cleartokens")
if ($subaction == "cleartokens" && ($sumrows5['edit_survey_property'] || $sumrows5['activate_survey']))
{
$query="UPDATE ".db_table_name("tokens_$surveyid")." SET token=''";
$result=$connect->Execute($query) or die("Couldn't reset the tokens field<br />$query<br />".htmlspecialchars($connect->ErrorMsg()));
$tokenoutput .= "<tr><td align='center' bgcolor='silver'><strong><font color='green'>".$clang->gT("All unique token numbers have been removed.")."</font></strong></td></tr>\n";
$subaction="";
}

if ($subaction == "updatedb" && $surveyid)
if ($subaction == "updatedb" && $surveyid && ($sumrows5['edit_survey_property'] || $sumrows5['activate_survey']))
{
$query = "ALTER TABLE `tokens_$surveyid`\n"
. "ADD `attribute_1` varchar(100) NULL,\n"
Expand All @@ -404,7 +420,7 @@
}
}

if (!$subaction)
if (!$subaction && ($sumrows5['edit_survey_property'] || $sumrows5['activate_survey']))
{
$tokenoutput .= "\t<tr bgcolor='#555555'><td colspan='2' height='4'><font size='1' face='verdana' color='white'><strong>"
.$clang->gT("Token Database Administration Options").":</strong></font></td></tr>\n"
Expand Down Expand Up @@ -575,14 +591,16 @@
{
$tokenoutput .= "\t\t<td>$brow[$a]</td>\n";
}
$tokenoutput .= "\t\t<td align='left'>\n"
."\t\t\t<input style='height: 16; width: 16px; font-size: 8; font-family: verdana' type='submit' value='E' title='"
.$clang->gT("Edit Token Entry")."' onClick=\"window.open('$scriptname?action=tokens&amp;sid=$surveyid&amp;subaction=edit&amp;tid=".$brow['tid']."', '_top')\" />"
."<input style='height: 16; width: 16px; font-size: 8; font-family: verdana' type='submit' value='D' title='"
.$clang->gT("Delete Token Entry")."' onClick=\"window.open('$scriptname?action=tokens&amp;sid=$surveyid&amp;subaction=delete&amp;tid=".$brow['tid']."&amp;limit=$limit&amp;start=$start&amp;order=$order', '_top')\" />";

if (($brow['completed'] == "N" || $brow['completed'] == "") &&$brow['token']) {$tokenoutput .= "<input style='height: 16; width: 16px; font-size: 8; font-family: verdana' type='submit' value='S' title='".$clang->gT("Do Survey")."' onClick=\"window.open('$publicurl/index.php?sid=$surveyid&amp;token=".trim($brow['token'])."', '_blank')\" />\n";}
$tokenoutput .= "\n\t\t</td>\n";
if ($sumrows5['edit_survey_property'] || $sumrows5['activate_survey'])
{
$tokenoutput .= "\t\t<td align='left'>\n"
."\t\t\t<input style='height: 16; width: 16px; font-size: 8; font-family: verdana' type='submit' value='E' title='"
.$clang->gT("Edit Token Entry")."' onClick=\"window.open('$scriptname?action=tokens&amp;sid=$surveyid&amp;subaction=edit&amp;tid=".$brow['tid']."', '_top')\" />"
."<input style='height: 16; width: 16px; font-size: 8; font-family: verdana' type='submit' value='D' title='"
.$clang->gT("Delete Token Entry")."' onClick=\"window.open('$scriptname?action=tokens&amp;sid=$surveyid&amp;subaction=delete&amp;tid=".$brow['tid']."&amp;limit=$limit&amp;start=$start&amp;order=$order', '_top')\" />";
if (($brow['completed'] == "N" || $brow['completed'] == "") &&$brow['token']) {$tokenoutput .= "<input style='height: 16; width: 16px; font-size: 8; font-family: verdana' type='submit' value='S' title='".$clang->gT("Do Survey")."' onClick=\"window.open('$publicurl/index.php?sid=$surveyid&amp;token=".trim($brow['token'])."', '_blank')\" />\n";}
$tokenoutput .= "\n\t\t</td>\n";
}
if ($brow['completed'] != "N" && $brow['completed']!="" && $surveyprivate == "N")
{
$tokenoutput .= "\t\t<form action='$homeurl/$scriptname?action=browse' method='post' target='_blank'>\n"
Expand Down Expand Up @@ -642,7 +660,7 @@
."</td></tr></table>\n";
}

if ($subaction == "kill")
if ($subaction == "kill" && ($sumrows5['edit_survey_property'] || $sumrows5['activate_survey']))
{
$date = date('YmdHi');
$tokenoutput .= "\t<tr bgcolor='#555555'><td colspan='2' height='4' align='center'>"
Expand Down Expand Up @@ -680,7 +698,7 @@
}


if ($subaction == "email")
if ($subaction == "email" && ($sumrows5['edit_survey_property'] || $sumrows5['activate_survey']))
{
$tokenoutput .= "\t<tr bgcolor='#555555'>\n\t\t<td colspan='2' height='4'>"
."<font size='1' face='verdana' color='white'><strong>"
Expand Down Expand Up @@ -828,7 +846,7 @@
}


if ($subaction == "remind")
if ($subaction == "remind" && ($sumrows5['edit_survey_property'] || $sumrows5['activate_survey']))
{
$tokenoutput .= "\t<tr bgcolor='#555555'><td colspan='2' height='4'><font size='1' face='verdana' color='white'><strong>"
.$clang->gT("Email Reminder").":</strong></font></td></tr>\n"
Expand Down Expand Up @@ -992,7 +1010,7 @@
$tokenoutput .= "</td></tr></table>\n";
}

if ($subaction == "tokenify")
if ($subaction == "tokenify" && ($sumrows5['edit_survey_property'] || $sumrows5['activate_survey']))
{
$tokenoutput .= "\t<tr bgcolor='#555555'><td colspan='2' height='4'><font size='1' face='verdana' color='white'><strong>".$clang->gT("Create Tokens").":</strong></font></td></tr>\n";
$tokenoutput .= "\t<tr><td align='center'><br />\n";
Expand Down Expand Up @@ -1035,7 +1053,7 @@
}


if ($subaction == "delete")
if ($subaction == "delete" && ($sumrows5['edit_survey_property'] || $sumrows5['activate_survey']))
{
$dlquery = "DELETE FROM ".db_table_name("tokens_$surveyid")." WHERE tid={$_GET['tid']}";
$dlresult = $connect->Execute($dlquery) or die ("Couldn't delete record {$_GET['tid']}<br />".htmlspecialchars($connect->ErrorMsg()));
Expand All @@ -1047,7 +1065,7 @@
."\t</td></tr></table>\n";
}

if ($subaction == "edit" || $subaction == "addnew")
if (($subaction == "edit" || $subaction == "addnew") && ($sumrows5['edit_survey_property'] || $sumrows5['activate_survey']))
{
if ($subaction == "edit")
{
Expand Down Expand Up @@ -1177,7 +1195,7 @@
}


if ($subaction == "updatetoken")
if ($subaction == "updatetoken" && ($sumrows5['edit_survey_property'] || $sumrows5['activate_survey']))
{
$tokenoutput .= "\t<tr bgcolor='#555555'><td colspan='2' height='4'><font size='1' face='verdana' color='white'><strong>"
.$clang->gT("Add or Edit Token")."</strong></td></tr>\n"
Expand Down Expand Up @@ -1209,7 +1227,7 @@
."\t</td></tr></table>\n";
}

if ($subaction == "inserttoken")
if ($subaction == "inserttoken" && ($sumrows5['edit_survey_property'] || $sumrows5['activate_survey']))
{
$tokenoutput .= "\t<tr bgcolor='#555555'><td colspan='2' height='4'><font size='1' face='verdana' color='white'><strong>"
.$clang->gT("Add or Edit Token")."</strong></td></tr>\n"
Expand All @@ -1236,7 +1254,7 @@
."\t</td></tr></table>\n";
}

if ($subaction == "import")
if ($subaction == "import" && ($sumrows5['edit_survey_property'] || $sumrows5['activate_survey']))
{
$tokenoutput .= "\t<tr bgcolor='#555555'><td colspan='2' height='4'>"
."<font size='1' face='verdana' color='white'><strong>"
Expand All @@ -1254,7 +1272,7 @@
."</td></tr></table>\n";
}

if ($subaction == "importldap")
if ($subaction == "importldap" && ($sumrows5['edit_survey_property'] || $sumrows5['activate_survey']))
{
$tokenoutput .= "\t<tr bgcolor='#555555'><td colspan='2' height='4'>"
."<font size='1' face='verdana' color='white'><strong>"
Expand All @@ -1272,7 +1290,7 @@
."</td></tr></table>\n";
}

if ($subaction == "upload")
if ($subaction == "upload" && ($sumrows5['edit_survey_property'] || $sumrows5['activate_survey']))
{
$tokenoutput .= "\t<tr bgcolor='#555555'><td colspan='2' height='4'><font size='1' face='verdana' color='white'><strong>"
.$clang->gT("Upload CSV File")."</strong></td></tr>\n"
Expand Down Expand Up @@ -1364,7 +1382,7 @@
$tokenoutput .= "\t\t\t</td></tr></table>\n";
}

if ($subaction == "uploadldap") {
if ($subaction == "uploadldap" && ($sumrows5['edit_survey_property'] || $sumrows5['activate_survey'])) {
$tokenoutput .= "\t<tr bgcolor='#555555'><td colspan='2' height='4'><font size='1' face='verdana' color='white'><strong>"
.$clang->gT("Uploading LDAP Query")."</strong></td></tr>\n"
."\t<tr><td align='center'>\n";
Expand Down

0 comments on commit 928b97d

Please sign in to comment.