From 1054c949b43dc6d9def9c852a189591e1d6f1c3c Mon Sep 17 00:00:00 2001 From: jengo Date: Wed, 7 Feb 2001 15:27:19 +0000 Subject: [PATCH] Fixed session->update_session_info() should only be called if its for the current session --- addressbook/preferences.php | 2 +- calendar/preferences.php | 2 +- phpgwapi/inc/class.preferences.inc.php | 35 ++++++++++++++---------- phpgwapi/inc/class.sessions.inc.php | 37 ++++++++++++++++++++------ preferences/settings.php | 2 +- 5 files changed, 53 insertions(+), 25 deletions(-) diff --git a/addressbook/preferences.php b/addressbook/preferences.php index 7a234db387..2f1584d2d8 100644 --- a/addressbook/preferences.php +++ b/addressbook/preferences.php @@ -42,7 +42,7 @@ $phpgw->preferences->delete("addressbook","mainscreen_showbirthdays"); } - $phpgw->preferences->save_repository(); + $phpgw->preferences->save_repository(True); Header("Location: " . $phpgw->link($phpgw_info["server"]["webserver_url"] . "/preferences/index.php")); } } diff --git a/calendar/preferences.php b/calendar/preferences.php index 31ee7c4a97..98f5870231 100644 --- a/calendar/preferences.php +++ b/calendar/preferences.php @@ -26,7 +26,7 @@ } else { $phpgw->preferences->delete("calendar","mainscreen_showevents"); } - $phpgw->preferences->save_repository(); + $phpgw->preferences->save_repository(True); Header("Location: " . $phpgw->link($phpgw_info["server"]["webserver_url"] . "/preferences/index.php")); $phpgw->common->phpgw_exit(); diff --git a/phpgwapi/inc/class.preferences.inc.php b/phpgwapi/inc/class.preferences.inc.php index 439f540ece..6a3a4c783f 100644 --- a/phpgwapi/inc/class.preferences.inc.php +++ b/phpgwapi/inc/class.preferences.inc.php 
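Review bot: In the addressbook hunk the redirect `Header("Location: " . ...)` is followed only by closing braces, so unless the enclosing function terminates after the redirect outside this hunk, the rest of the page is still generated and sent after the Location header. The calendar hunk right next to it calls `$phpgw->common->phpgw_exit();` immediately after the same redirect, and the addressbook path should do likewise: `Header("Location: " . $phpgw->link($phpgw_info["server"]["webserver_url"] . "/preferences/index.php")); $phpgw->common->phpgw_exit();`. The enclosing function begins outside the hunk.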
@@ -92,22 +92,29 @@ return $this->data; } - function save_repository() + function save_repository($update_session_info = False) { global $phpgw, $phpgw_info; - $this->db->lock("preferences"); - $this->db->query("delete from preferences where preference_owner='" . $this->account_id . "'",__LINE__,__FILE__); - if ($PHP_VERSION < "4.0.0") { - $pref_info = addslashes(serialize($this->data)); - } else { - $pref_info = serialize($this->data); + if (! $phpgw->acl->check("session_only_preferences",1,"preferences")) { + $this->db->lock("preferences"); + $this->db->query("delete from preferences where preference_owner='" . $this->account_id . "'",__LINE__,__FILE__); + + if ($PHP_VERSION < "4.0.0") { + $pref_info = addslashes(serialize($this->data)); + } else { + $pref_info = serialize($this->data); + } + + $this->db->query("insert into preferences (preference_owner,preference_value) values ('" + . $this->account_id . "','" . $pref_info . "')",__LINE__,__FILE__); + + $this->db->unlock(); + } + if ($update_session_info) { + $phpgw_info["user"]["preferences"] = $this->data; + $phpgw->session->update_session_info(); } - - $this->db->query("insert into preferences (preference_owner,preference_value) values ('" - . $this->account_id . "','" . $pref_info . "')",__LINE__,__FILE__); - - $this->db->unlock(); return $this->data; } @@ -124,9 +131,9 @@ { return $this->add($app_name,$var,$value); } - function commit() + function commit($update_session_info = False) { - return $this->save_repository(); + return $this->save_repository($update_session_info); } } //end of preferences class diff --git a/phpgwapi/inc/class.sessions.inc.php b/phpgwapi/inc/class.sessions.inc.php index ac902764a7..eab11f07f8 100644 --- a/phpgwapi/inc/class.sessions.inc.php +++ b/phpgwapi/inc/class.sessions.inc.php 
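Review bot: In the relocated INSERT inside save_repository, `$pref_info` is interpolated into the SQL string unescaped whenever the `$PHP_VERSION < "4.0.0"` branch is not taken, and `$PHP_VERSION` is not among the function's `global` declarations, so that branch is decided by an undefined local rather than by the interpreter version. The serialized data is user-submitted preference values (every caller changed in this commit is a preferences form), so a value containing a single quote breaks the statement and lets the submitter control the rest of it. I would escape unconditionally and drop the version branch: `$pref_info = addslashes(serialize($this->data));`. The same applies to `$this->account_id` if it can ever be non-numeric, which is not visible here.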
@@ -95,6 +95,7 @@ $phpgw_info["user"]["kp3"] = $this->kp3; $phpgw_info_flags = $phpgw_info["flags"]; $phpgw_info = $phpgw->crypto->decrypt($db->f("session_info")); + $this->data = $phpgw_info["user"]; $phpgw_info["flags"] = $phpgw_info_flags; $userid_array = explode("@",$db->f("session_lid")); $this->account_lid = $userid_array[0]; @@ -102,6 +103,7 @@ if ($userid_array[1] != $phpgw_info["user"]["domain"]) { return False; } + if (PHP_OS != "Windows" && (! $phpgw_info["user"]["session_ip"] || $phpgw_info["user"]["session_ip"] != $this->getuser_ip())){ return False; } @@ -130,6 +132,23 @@ . "'",__LINE__,__FILE__); } } + + function update_session_info() + { + global $phpgw, $phpgw_info; + $phpgw_info_temp = $phpgw_info; + $phpgw_info_temp["user"]["kp3"] = ""; + $phpgw_info_temp["flags"] = array(); + + //$this->read_repositories(); + if ($PHP_VERSION < "4.0.0") { + $info_string = addslashes($phpgw->crypto->encrypt($phpgw_info_temp)); + } else { + $info_string = $phpgw->crypto->encrypt($phpgw_info_temp); + } + $phpgw->db->query("update phpgw_sessions set session_info='$info_string' where session_id='" + . $this->sessionid . "'",__LINE__,__FILE__); + } function read_repositories() { @@ -138,10 +157,10 @@ $phpgw->accounts->accounts($this->account_id); $phpgw->preferences->preferences($this->account_id); $phpgw->applications->applications($this->account_id); - $phpgw_info["user"] = $phpgw->accounts->read_repository(); - $phpgw_info["user"]["acl"] = $phpgw->acl->read_repository(); + $phpgw_info["user"] = $phpgw->accounts->read_repository(); + $phpgw_info["user"]["acl"] = $phpgw->acl->read_repository(); $phpgw_info["user"]["preferences"] = $phpgw->preferences->read_repository(); - $phpgw_info["user"]["apps"] = $phpgw->applications->read_repository(); + $phpgw_info["user"]["apps"] = $phpgw->applications->read_repository(); @reset($phpgw_info["user"]["apps"]); $phpgw_info["user"]["domain"] = $this->account_domain; 
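Review bot: In the new update_session_info(), `$PHP_VERSION` is not declared `global`, so the `< "4.0.0"` test compares an undefined local and addslashes() happens to always run; that is the safe outcome but only by accident, so the version branch should go and the escaping be unconditional: `$info_string = addslashes($phpgw->crypto->encrypt($phpgw_info_temp));`. This matters because the commit's own comment in the login hunk implies session_info is only encrypted when mcrypt is present, and the blob now carries user-edited preference values that would otherwise reach the UPDATE unescaped. Separately, `$phpgw_info_temp` is a copy of the whole `$phpgw_info`, so everything under `["server"]` — including `encryptkey`, which the login hunk reads from there — is serialized into the session row alongside the user data; only `kp3` and `flags` are cleared. Since the first hunk in this file decrypts the row straight back into `$phpgw_info`, clearing `$phpgw_info_temp["server"]` here is only safe if server config is reloaded after verification, so that needs confirming before it is changed.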
@@ -193,8 +212,8 @@ $phpgw->accounts->account_id = $this->account_id; $phpgw_info["user"] = $phpgw->accounts->read_repository(); - $this->sessionid = md5($phpgw->common->randomstring(10)); - $this->kp3 = md5($phpgw->common->randomstring(15)); + $this->sessionid = md5($phpgw->common->randomstring(10)); + $this->kp3 = md5($phpgw->common->randomstring(15)); $phpgw->common->key = $phpgw_info["server"]["encryptkey"]; $phpgw->common->key .= $this->sessionid; @@ -213,13 +232,15 @@ if ($this->account_domain == $phpgw_info["server"]["default_domain"]) { Setcookie("last_loginid", $this->account_lid ,time()+1209600); // For 2 weeks } else { - Setcookie("last_loginid", $login ,time()+1209600); // For 2 weeks + Setcookie("last_loginid", $login ,time()+1209600); // For 2 weeks } - unset ($phpgw_info["server"]["default_domain"]); // we kill this for security reasons + unset ($phpgw_info["server"]["default_domain"]); // we kill this for security reasons } + // Why are we double encrypting it ? + // If mcrypt is already installed, the entire session_info field is all ready encrypted. (jengo) $this->passwd = $phpgw->common->encrypt($passwd); - $this->read_repositories($this->account_id); + $this->read_repositories(); if ($PHP_VERSION < "4.0.0") { $info_string = addslashes($phpgw->crypto->encrypt($this->data)); diff --git a/preferences/settings.php b/preferences/settings.php index 5c052aa84e..abf6d91e72 100755 --- a/preferences/settings.php +++ b/preferences/settings.php @@ -242,7 +242,7 @@ } } - $phpgw->preferences->commit(); + $phpgw->preferences->commit(True); if ($phpgw_info["server"]["useframes"] != "never") { Header("Location: " . $phpgw->link($phpgw_info["server"]["webserver_url"] . "/preferences/index.php"));
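Review bot: The session id and kp3 are `md5($phpgw->common->randomstring(10))` and `md5($phpgw->common->randomstring(15))`, so their unpredictability is entirely that of randomstring(), which is not visible here; if it is built on rand()/mt_rand() the ids are guessable and should come from a cryptographic source, which is worth confirming before these lines are left as they are. The new comment asks why the password is double-encrypted but leaves `$this->passwd = $phpgw->common->encrypt($passwd);` in place, so the question should either be resolved or turned into a tracked TODO rather than a bare remark. This path then writes `$this->data` into session_info, while the new update_session_info() writes the whole `$phpgw_info` and the first hunk in this file decrypts the row straight into `$phpgw_info`; unless `$this->data` has the same shape, the row's layout depends on which path wrote it last. The enclosing function starts and ends outside the hunk.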