checking user privileges from another PHP page

holmesg
checking user privileges from another PHP page

How can we check user privileges from another PHP page?

From a completely separate (non-CWIS) PHP page, we want to check if the user is logged in to CWIS, and check the privileges. 

Tried this (after first getting a good $path variable to CWIS root):

# set up operating environment
require_once($path . "/include/StartUp.php");
 
# set UI for logged-in user (or default UI if not logged in)
$AF->ActiveUserInterface(GetActiveUI());
 
if ($G_User->HasPriv(PRIV_SYSADMIN)) {
    echo 'You do have sufficient permissions to browse the server.';
} else {
    echo 'You do not have sufficient permissions to browse the server.';
    die();
}
 
But this is failing; getting this:
 PHP Fatal error:  Class 'SystemConfiguration' not found in /public_html/include/EnvSetup.php on line 113
 
Even tried monkeying to get the base dir right in StartUp.php:
if (strpos($page, 'ourcustomphppage') === false)  
{
    chdir(dirname(__FILE__)."/..");
} else {
    chdir(dirname(__FILE__)."/../../../..");
}
 
But even getting that right we still get the error. 
 
Can you advise how we can get a reference to the user in a non-CWIS page and check the user privs?

 

ealmasy
Re: checking user privileges from another PHP page

I think what you posted should work.  We run code all the time in-house that initializes the environment with nothing more than:

require_once("include/StartUp.php");

(or whatever the correct path is to get to StartUp.php), and then proceeds to do almost anything you can do in normal CWIS code.
 
It looks like what's happening is that PHP's class autoloading is failing.  Could you add the following line after require_once($path."/include/StartUp.php"); and post the output?

echo var_dump(spl_autoload_functions());

 
holmesg
Re: checking user privileges from another PHP page

The output is:

 

array(1) { [0]=> string(10) "__autoload" }

ealmasy
Re: checking user privileges from another PHP page

Okay, so that means that ApplicationFramework's class autoloading is not being connected at all.

What version of CWIS are you running, and what version of PHP?

holmesg
Re: checking user privileges from another PHP page
CWIS Version 3.2.0
PHP Version 5.5.34
 
What we're trying to do is to integrate CKFinder into CKEditor. We've done that, but also there's a security layer (due to file upload).
 
CKFinder has a function in its code which basically consists of "insert your security code here". If the function returns true, CKFinder works; if the function returns false, it doesn't.
 
The function in question is in /ckfinder/config.php. 
 
$config['authentication'] = function () {
    /*  we had added this part
    if ($G_User->HasPriv(PRIV_SYSADMIN)) {
        error_log('imagebrowser - enough permission');
        return true;
    } else {
        error_log('imagebrowser - not enough permission');
        return false;
    }
    */
    //horrifically insecure
    return true;
};

 
 
At first we put the CWIS include right inside that function. We have since moved it back up the chain to /ckfinder/core/connector/php/connector.php but it didn't change the outcome.
 
CKFinder itself seems to use autoloading, generated by Composer. I don't grok this autoloading stuff yet, so I'm not sure, but it may be changing the environment somehow sufficiently to make the CWIS autoloading fail?
 
But no, that can't be it, since the CKFinder autoloading is happening after the CWIS include.
 
<?php
/*
 * CKFinder
 * ========
 * Copyright (c) 2007-2016, CKSource - Frederico Knabben. All rights reserved.
 *
 * The software, this file and its contents are subject to the CKFinder
 * License. Please read the license.txt file before using, installing, copying,
 * modifying or distribute this file or part of its contents. The contents of
 * this file is part of the Source Code of CKFinder.
 */
 
 
#BEGIN CWIS STUFF
 
// this is what we hope to get working - use CWIS privs for security --
$path = getcwd();
$path = str_replace("/lib/CKEditor/ckfinder/core/connector/php", "", $path);
 
# set up operating environment
require_once($path . "/include/StartUp.php");
echo var_dump(spl_autoload_functions());
 
#END CWIS STUFF
 
 
require_once __DIR__ . '/vendor/autoload.php';
 
use CKSource\CKFinder\CKFinder;
 
$ckfinder = new CKFinder(__DIR__ . '/../../../config.php');
 
$ckfinder->run();
 

 

ealmasy
Re: checking user privileges from another PHP page

CKFinder definitely has its own array of added complexities, but I don't see any reason offhand why the above shouldn't work.

I'd suggest copying the two files in the attached zipfile into lib/ScoutLib in the CWIS directory tree, and seeing if that helps.  It's the very latest version of ApplicationFramework, with a newer class autoloading mechanism.

holmesg
Re: checking user privileges from another PHP page

Thank you. I copied those files into lib/ScoutLib. 

Got it working now!
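
Added example, not part of the original thread and not CWIS or CKFinder code: one way the CKFinder authentication callback from the post above could use the CWIS privilege check once StartUp.php loads, denying access whenever the CWIS user is unavailable. StubUser and the constant value are constructed stand-ins so the snippet runs outside CWIS; $G_User, HasPriv() and PRIV_SYSADMIN are the names used in the posts.

```php
<?php
# Added example for ckfinder/config.php; not code from the thread, CWIS or CKFinder.
# Assumes connector.php already loaded include/StartUp.php, so $G_User and
# PRIV_SYSADMIN (names taken from the posts above) exist.

# --- Constructed stand-ins so the file runs on its own; remove inside CWIS ---
if (!defined('PRIV_SYSADMIN')) {
    define('PRIV_SYSADMIN', 1);   # constructed value
}
if (!isset($GLOBALS['G_User'])) {
    class StubUser                # hypothetical stand-in for the CWIS user object
    {
        private $Privs;
        public function __construct(array $Privs) { $this->Privs = $Privs; }
        public function HasPriv($Priv) { return in_array($Priv, $this->Privs, true); }
    }
    $GLOBALS['G_User'] = new StubUser(array());   # constructed: no privileges
}
# --- end of stand-ins ---

$config['authentication'] = function () {
    # A closure has its own scope; without this line $G_User is undefined here.
    global $G_User;

    # Fail closed when the CWIS environment or user object is missing.
    if (!defined('PRIV_SYSADMIN') || !is_object($G_User)
            || !method_exists($G_User, 'HasPriv')) {
        error_log('imagebrowser - CWIS user unavailable, denying access');
        return false;
    }

    if ($G_User->HasPriv(PRIV_SYSADMIN)) {
        error_log('imagebrowser - enough permission');
        return true;
    }
    error_log('imagebrowser - not enough permission');
    return false;
};

# Constructed check using the stub: first without, then with the privilege.
if ($GLOBALS['G_User'] instanceof StubUser) {
    var_dump($config['authentication']());
    $GLOBALS['G_User'] = new StubUser(array(PRIV_SYSADMIN));
    var_dump($config['authentication']());
}
```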