From 29c55eb41568e6de2f231d07fa0eac0280600a2f Mon Sep 17 00:00:00 2001 From: Sergiusz Paprzycki Date: Sun, 6 Sep 2015 22:40:08 +0100 Subject: [PATCH 1/3] Leaflet module now checks device permissions --- html/includes/common/worldmap.inc.php | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/html/includes/common/worldmap.inc.php b/html/includes/common/worldmap.inc.php index f6ba921a4c..03a3b96030 100644 --- a/html/includes/common/worldmap.inc.php +++ b/html/includes/common/worldmap.inc.php @@ -51,7 +51,26 @@ var greenMarker = L.AwesomeMarkers.icon({ }); '; -foreach (dbFetchRows("SELECT `device_id`,`hostname`,`os`,`status`,`lat`,`lng` FROM `devices` LEFT JOIN `locations` ON `devices`.`location`=`locations`.`location` WHERE `disabled`=0 AND `ignore`=0 AND `lat` != '' AND `lng` != '' ORDER BY `status` ASC, `hostname`") as $map_devices) { +// Checking user permissions +if (is_admin() || is_read()) { +// Admin or global read-only - show all devices + $sql = "SELECT `device_id`,`hostname`,`os`,`status`,`lat`,`lng` FROM `devices` + LEFT JOIN `locations` ON `devices`.`location`=`locations`.`location` + WHERE `disabled`=0 AND `ignore`=0 AND `lat` != '' AND `lng` != '' + ORDER BY `status` ASC, `hostname`"; +} +else { +// Normal user - grab devices that user has permissions to + $sql = "SELECT `devices`.`device_id` as `device_id`,`hostname`,`os`,`status`,`lat`,`lng` + FROM `devices_perms`, `devices` + LEFT JOIN `locations` ON `devices`.`location`=`locations`.`location` + WHERE `disabled`=0 AND `ignore`=0 AND `lat` != '' AND `lng` != '' + AND `devices`.`device_id` = `devices_perms`.`device_id` + AND `devices_perms`.`user_id` = '".$_SESSION['user_id']."' + ORDER BY `status` ASC, `hostname`"; +} +// Slightly modified foreach - grabbing SQL query string from above +foreach (dbFetchRows($sql) as $map_devices) { $icon = 'greenMarker'; if ($map_devices['status'] == 0) { $icon = 'redMarker'; From d568830df35518974c4bdef61767c66f3f822f67 Mon Sep 17 00:00:00 2001 From: Sergiusz Paprzycki Date: Sun, 6 Sep 2015 23:14:52 +0100 Subject: [PATCH 2/3] Leaflet map permissions check #1855 --- html/includes/common/worldmap.inc.php | 1 - 1 file changed, 1 deletion(-) diff --git a/html/includes/common/worldmap.inc.php b/html/includes/common/worldmap.inc.php index 03a3b96030..7feae55a5d 100644 --- a/html/includes/common/worldmap.inc.php +++ b/html/includes/common/worldmap.inc.php @@ -69,7 +69,6 @@ else { AND `devices_perms`.`user_id` = '".$_SESSION['user_id']."' ORDER BY `status` ASC, `hostname`"; } -// Slightly modified foreach - grabbing SQL query string from above foreach (dbFetchRows($sql) as $map_devices) { $icon = 'greenMarker'; if ($map_devices['status'] == 0) { From a54dcd76ab764b5389fba8434e0d04ebab5ae146 Mon Sep 17 00:00:00 2001 From: Sergiusz Paprzycki Date: Mon, 7 Sep 2015 15:45:27 +0100 Subject: [PATCH 3/3] Leaflet map permissions check #1855; SQL/query modified as requested --- html/includes/common/worldmap.inc.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/html/includes/common/worldmap.inc.php b/html/includes/common/worldmap.inc.php index 7feae55a5d..dea7224e73 100644 --- a/html/includes/common/worldmap.inc.php +++ b/html/includes/common/worldmap.inc.php @@ -66,10 +66,10 @@ else { LEFT JOIN `locations` ON `devices`.`location`=`locations`.`location` WHERE `disabled`=0 AND `ignore`=0 AND `lat` != '' AND `lng` != '' AND `devices`.`device_id` = `devices_perms`.`device_id` - AND `devices_perms`.`user_id` = '".$_SESSION['user_id']."' + AND `devices_perms`.`user_id` = ? ORDER BY `status` ASC, `hostname`"; } -foreach (dbFetchRows($sql) as $map_devices) { +foreach (dbFetchRows($sql, array($_SESSION['user_id'])) as $map_devices) { $icon = 'greenMarker'; if ($map_devices['status'] == 0) { $icon = 'redMarker';