Assorted Security improvements
这个提交包含在:
父节点
7450c14836
当前提交
a22c0cb149
共有 6 个文件被更改,包括 58 次插入 和 13 次删除
|
|
@ -7,6 +7,14 @@
|
|||
*/
|
||||
|
||||
class Awards extends CI_Controller {
|
||||
|
||||
function __construct()
|
||||
{
|
||||
parent::__construct();
|
||||
|
||||
$this->load->model('user_model');
|
||||
if(!$this->user_model->authorize(2)) { $this->session->set_flashdata('notice', 'You\'re not allowed to do that!'); redirect('dashboard'); }
|
||||
}
|
||||
|
||||
public function index()
|
||||
{
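Review bot: The guard added to `__construct()` relies on `redirect()` never returning; CodeIgniter's `redirect()` does call `exit`, but nothing in this branch says so, and if the helper is ever replaced by a non-terminating variant the rest of the controller would still run for the rejected caller, so I would end the branch explicitly: `redirect('dashboard'); exit;` — or, since the request is being refused rather than routed, `show_error('You\'re not allowed to do that!', 403);`. The magic level `2` is repeated verbatim here and in the identical constructors of Backup, Lookup and Notes in the next three sections; a named constant (e.g. a role constant on the model) would document what level 2 grants and keep the four checks in sync. Whether `authorize(2)` also covers the not-logged-in case is not visible here; if it does not, an unauthenticated visitor gets a misleading "not allowed" notice instead of being sent to the login page. `index()` continues past the hunk.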
|
||||
|
|
|
|||
|
|
@ -1,7 +1,14 @@
|
|||
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
|
||||
|
||||
class Backup extends CI_Controller {
|
||||
function __construct()
|
||||
{
|
||||
parent::__construct();
|
||||
|
||||
$this->load->model('user_model');
|
||||
if(!$this->user_model->authorize(2)) { $this->session->set_flashdata('notice', 'You\'re not allowed to do that!'); redirect('dashboard'); }
|
||||
}
|
||||
|
||||
/* User Facing Links to Backup URLs */
|
||||
public function index()
|
||||
{
|
||||
|
|
|
|||
|
|
@ -8,6 +8,15 @@
|
|||
|
||||
class Lookup extends CI_Controller {
|
||||
|
||||
|
||||
function __construct()
|
||||
{
|
||||
parent::__construct();
|
||||
|
||||
$this->load->model('user_model');
|
||||
if(!$this->user_model->authorize(2)) { $this->session->set_flashdata('notice', 'You\'re not allowed to do that!'); redirect('dashboard'); }
|
||||
}
|
||||
|
||||
public function index()
|
||||
{
|
||||
|
||||
|
|
|
|||
|
|
@ -2,6 +2,15 @@
|
|||
|
||||
class Notes extends CI_Controller {
|
||||
|
||||
function __construct()
|
||||
{
|
||||
parent::__construct();
|
||||
|
||||
$this->load->model('user_model');
|
||||
if(!$this->user_model->authorize(2)) { $this->session->set_flashdata('notice', 'You\'re not allowed to do that!'); redirect('dashboard'); }
|
||||
}
|
||||
|
||||
|
||||
/* Displays all notes in a list */
|
||||
public function index()
|
||||
{
|
||||
|
|
|
|||
|
|
@ -236,21 +236,21 @@ class User extends CI_Controller {
|
|||
switch($this->user_model->edit($this->input->post())) {
|
||||
// Check for errors
|
||||
case EUSERNAMEEXISTS:
|
||||
$data['username_error'] = 'Username <b>'.$this->input->post('user_name').'</b> already in use!';
|
||||
$data['username_error'] = 'Username <b>'.$this->input->post('user_name', true).'</b> already in use!';
|
||||
break;
|
||||
case EEMAILEXISTS:
|
||||
$data['email_error'] = 'E-mail address <b>'.$this->input->post('user_email').'</b> already in use!';
|
||||
$data['email_error'] = 'E-mail address <b>'.$this->input->post('user_email', true).'</b> already in use!';
|
||||
break;
|
||||
case EPASSWORDINVALID:
|
||||
$data['password_error'] = 'Invalid password!';
|
||||
break;
|
||||
// All okay, return to user screen
|
||||
case OK:
|
||||
if($this->session->userdata('user_id') == $this->input->post('id')) {
|
||||
$this->session->set_flashdata('notice', 'User '.$this->input->post('user_name').' edited');
|
||||
if($this->session->userdata('user_id') == $this->input->post('id', true)) {
|
||||
$this->session->set_flashdata('notice', 'User '.$this->input->post('user_name', true).' edited');
|
||||
redirect('user/profile');
|
||||
} else {
|
||||
$this->session->set_flashdata('notice', 'User '.$this->input->post('user_name').' edited');
|
||||
$this->session->set_flashdata('notice', 'User '.$this->input->post('user_name', true).' edited');
|
||||
redirect('user');
|
||||
}
|
||||
return;
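Review bot: Passing `true` to `$this->input->post()` runs xss_clean(), which is a pattern-stripping filter and not an HTML escaper, so `'Username <b>'.$this->input->post('user_name', true).'</b> already in use!'` and the matching `email_error` line still place an unescaped user-supplied value inside HTML. Escape for the output context instead: `html_escape($this->input->post('user_name'))` (equivalently `htmlspecialchars($v, ENT_QUOTES, 'UTF-8')`), and do the same for the two flashdata notices in the `OK` case if the view prints them without escaping. The `==` between `userdata('user_id')` and the posted `id` is a loose comparison; `(int) $this->input->post('id') === (int) $this->session->userdata('user_id')` avoids string/number coercion surprises. The enclosing method starts and ends outside this hunk.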
|
||||
|
|
|
|||
|
|
@ -22,15 +22,21 @@ class User_Model extends CI_Model {
|
|||
// FUNCTION: object get($username)
|
||||
// Retrieve a user
|
||||
function get($username) {
|
||||
$this->db->where('user_name', $username);
|
||||
// Clean ID
|
||||
$clean_username = $this->security->xss_clean($username);
|
||||
|
||||
$this->db->where('user_name', $clean_username);
|
||||
$r = $this->db->get($this->config->item('auth_table'));
|
||||
return $r;
|
||||
}
|
||||
}
|
||||
|
||||
// FUNCTION: object get_by_id($id)
|
||||
// Retrieve a user by user ID
|
||||
function get_by_id($id) {
|
||||
$this->db->where('user_id', $id);
|
||||
// Clean ID
|
||||
$clean_id = $this->security->xss_clean($id);
|
||||
|
||||
$this->db->where('user_id', $clean_id);
|
||||
$r = $this->db->get($this->config->item('auth_table'));
|
||||
return $r;
|
||||
}
|
||||
|
|
@ -38,7 +44,10 @@ class User_Model extends CI_Model {
|
|||
// FUNCTION: object get_by_email($email)
|
||||
// Retrieve a user by email address
|
||||
function get_by_email($email) {
|
||||
$this->db->where('user_email', $email);
|
||||
|
||||
$clean_email = $this->security->xss_clean($email);
|
||||
|
||||
$this->db->where('user_email', $clean_email);
|
||||
$r = $this->db->get($this->config->item('auth_table'));
|
||||
return $r;
|
||||
}
|
||||
|
|
@ -46,7 +55,8 @@ class User_Model extends CI_Model {
|
|||
// FUNCTION: bool exists($username)
|
||||
// Check if a user exists (by username)
|
||||
function exists($username) {
|
||||
if($this->get($username)->num_rows() == 0) {
|
||||
$clean_username = $this->security->xss_clean($username);
|
||||
if($this->get($clean_username)->num_rows() == 0) {
|
||||
return 0;
|
||||
} else {
|
||||
return 1;
|
||||
|
|
@ -56,7 +66,9 @@ class User_Model extends CI_Model {
|
|||
// FUNCTION: bool exists_by_id($id)
|
||||
// Check if a user exists (by user ID)
|
||||
function exists_by_id($id) {
|
||||
if($this->get_by_id($id)->num_rows() == 0) {
|
||||
$clean_id = $this->security->xss_clean($id);
|
||||
|
||||
if($this->get_by_id($clean_id)->num_rows() == 0) {
|
||||
return 0;
|
||||
} else {
|
||||
return 1;
|
||||
|
|
@ -196,8 +208,8 @@ class User_Model extends CI_Model {
|
|||
// This is really just a wrapper around User_Model::authenticate
|
||||
function login() {
|
||||
|
||||
$username = $this->input->post('user_name');
|
||||
$password = $this->input->post('user_password');
|
||||
$username = $this->input->post('user_name', true);
|
||||
$password = $this->input->post('user_password', true);
|
||||
|
||||
return $this->authenticate($username, $password);
|
||||
}
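Review bot: `$password = $this->input->post('user_password', true);` in `login()` feeds the password through xss_clean() before `authenticate()`; that filter rewrites strings (entity decoding, removal of script-like fragments), so a legitimate password containing such characters will no longer match the stored hash, and it buys nothing unless the password is echoed back, which it should never be. Read it raw: `$password = $this->input->post('user_password');`. The `xss_clean()` calls added in `get()`, `get_by_id()`, `get_by_email()`, `exists()` and `exists_by_id()` have the same mismatch: the query builder's `where()` already escapes the bound value for SQL, while xss_clean can alter a valid username or e-mail so the lookup silently misses; for the ID path the right guard is a cast, `$this->db->where('user_id', (int) $id);`. `exists()` now cleans the username and then calls `get()`, which cleans it again, so one of the two is redundant; `exists()` and `exists_by_id()` continue past their hunks.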
|
||||
|