XSS clean Messages, tidied up Home, Login, No_access and Secure_area, removed unused Controllers (#39)

This commit is contained in:
FrancescoUK
2016-06-04 16:42:54 +01:00
parent b11377041d
commit da96edf304
7 changed files with 56 additions and 271 deletions


@@ -1,16 +0,0 @@
<?php
require_once ("Secure_area.php");
class Barcode extends Secure_area
{
function __construct()
{
parent::__construct();
}
function index()
{
$this->load->view('barcode');
}
}
?>


@@ -8,12 +8,12 @@ class Home extends Secure_area
parent::__construct();
}
function index()
public function index()
{
$this->load->view("home");
}
function logout()
public function logout()
{
$this->Employee->logout();
}


@@ -1,192 +0,0 @@
<?php if (!defined('BASEPATH')) exit('No direct script access allowed');
// ---------------------------------------------------------------------
class Languagecheck extends CI_Controller {
/*
* use this language as comparison reference.
* this should be the one that is complete.
*/
private $reference = 'english';
private $lang_path = 'language';
// -----------------------------------------------------------------
/*
* controller constructor
*/
function Languagecheck()
{
parent::Controller();
}
// -----------------------------------------------------------------
/*
* use remap to capture all calls to this controller
*/
function _remap()
{
// load the required helpers
$this->load->helper('directory');
// for simplicity, we don't use views
$this->output('h1', 'Open Source Point of Sale - Language file checking and validation');
// determine the language file path
if ( ! is_dir($this->lang_path) )
{
$this->lang_path = APPPATH . $this->lang_path;
if ( ! is_dir($this->lang_path) )
{
$this->output('h2', 'Defined language path "'.$this->lang_path.'" not found!', TRUE);
exit;
}
}
// fetch the languages directory map
$languages = directory_map( $this->lang_path, TRUE );
// is our reference language present?
if ( ! in_array($this->reference, $languages ) )
{
$this->output('h2', 'Reference language "'.$this->reference.'" not found!', TRUE);
exit;
}
// load the list of language files for the reference language
$references = directory_map( $this->lang_path . '/' . $this->reference, TRUE );
// now process the list
foreach( $references as $reference )
{
// skip non-language files in the language directory
if ( strpos($reference, '_lang.php') === FALSE )
{
continue;
}
// process it
$this->output('h2', 'Processing '.$this->reference . ' &raquo; ' .$reference);
// load the language file
include $this->lang_path . '/' . $this->reference . '/' . $reference;
// did the file contain any language strings?
if ( empty($lang) )
{
// language file was empty or not properly defined
$this->output('h3', 'Language file doesn\'t contain any language strings. Skipping file!', TRUE);
continue;
}
// store the loaded language strings
$lang_ref = $lang;
unset($lang);
// now loop through the available languages
foreach ( $languages as $language )
{
// skip the reference language
if ( $language == $this->reference )
{
continue;
}
// language file to check
$file = $this->lang_path . '/' . $language . '/' . $reference;
// check if the language file exists for this language
if ( ! file_exists( $file ) )
{
// file not found
$this->output('h3', 'Language file doesn\'t exist for the language '.$language.'!', TRUE);
}
else
{
// load the file to compare
include $file;
// did the file contain any language strings?
if ( empty($lang) )
{
// language file was empty or not properly defined
$this->output('h3', 'Language file for the language '.$language.' doesn\'t contain any language strings!', TRUE);
}
else
{
// start comparing
$this->output('h3', 'Comparing with the '.$language.' version:');
// assume all goes well
$failures = 0;
// start comparing language keys
foreach( $lang_ref as $key => $value )
{
if ( ! isset($lang[$key]) )
{
// report the missing key
$this->output('', 'Missing language string "'.$key.'"', TRUE);
// increment the failure counter
$failures++;
}
}
if ( ! $failures )
{
$this->output('', 'The two language files have matching strings.');
}
}
// make sure the lang array is deleted before the next check
if ( isset($lang) )
{
unset($lang);
}
}
}
}
$this->output('h2', 'Language file checking and validation completed');
}
// -----------------------------------------------------------------
private function output($type = '', $line = '', $highlight = FALSE)
{
switch ($type)
{
case 'h1':
$html = "<h1>{line}</h1>\n<hr />\n";
break;
case 'h2':
$html = "<h2>{line}</h2>\n";
break;
case 'h3':
$html = "<h3>&nbsp;&nbsp;&nbsp;{line}</h3>\n";
break;
default:
$html = "&nbsp;&nbsp;&nbsp;&nbsp;&raquo;&nbsp;{line}<br />";
break;
}
if ( $highlight )
{
$line = '<span style="color:red;font-weight:bold;">' . $line . '</span>';
}
echo str_replace('{line}', $line, $html);
}
// -----------------------------------------------------------------
}
/* End of file languagecheck.php */
/* Location: ./application/controllers/languagecheck.php */


@@ -6,7 +6,7 @@ class Login extends CI_Controller
parent::__construct();
}
function index()
public function index()
{
if($this->Employee->is_logged_in())
{
@@ -28,7 +28,7 @@ class Login extends CI_Controller
}
}
function login_check($username)
public function login_check($username)
{
$password = $this->input->post('password');
@@ -36,10 +36,10 @@ class Login extends CI_Controller
{
$this->form_validation->set_message('login_check', $this->lang->line('login_invalid_username_and_password'));
return false;
return FALSE;
}
return true;
return TRUE;
}
}
?>
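Review bot: `login_check()` carries no docblock saying that it is a form-validation callback rather than a page action, which is only evident from `set_message('login_check', …)` in the third hunk; add `/** Form-validation callback: checks $username against the posted password; returns TRUE on success, FALSE after setting the 'login_check' message. */` above the signature. Its body between the second and third hunks is outside this view, so the rule it applies cannot be checked here. CodeIgniter routes every public controller method as a URL action, so a docblock marking this as callback-only also tells the next maintainer not to treat it as a page.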


@@ -1,6 +1,6 @@
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
<?php
require_once ("Secure_area.php");
class Messages extends Secure_area
{
function __construct()
@@ -10,55 +10,63 @@ class Messages extends Secure_area
public function index()
{
$data['controller_name'] = $this->get_controller_name();
$this->load->view('messages/sms');
}
function view($person_id=-1)
public function view($person_id = -1)
{
$data['person_info'] = $this->Person->get_info($person_id);
$info = $this->Person->get_info($person_id);
foreach(get_object_vars($info) as $property => $value)
{
$info->$property = $this->security->xss_clean($value);
}
$data['person_info'] = $info;
$this->load->view('messages/form_sms', $data);
}
function send()
public function send()
{
$username = $this->config->item('msg_uid');
$password = $this->config->item('msg_pwd');
$phone = $this->input->post('phone');
$message = $this->input->post('message');
$username = $this->config->item('msg_uid');
$password = $this->config->item('msg_pwd');
$phone = $this->input->post('phone');
$message = $this->input->post('message');
$originator = $this->config->item('msg_src');
$response = $this->sms->sendSMS($username, $password, $phone, $message, $originator);
$phone = $this->security->xss_clean($phone);
if($response)
{
echo json_encode(array('success'=>true, 'message'=>$this->lang->line('messages_successfully_sent') . ' ' . $phone));
echo json_encode(array('success' => TRUE, 'message' => $this->lang->line('messages_successfully_sent') . ' ' . $phone));
}
else
{
echo json_encode(array('success'=>false, 'message'=>$this->lang->line('messages_unsuccessfully_sent') . ' ' . $phone));
echo json_encode(array('success' => FALSE, 'message' => $this->lang->line('messages_unsuccessfully_sent') . ' ' . $phone));
}
}
function send_form($person_id=-1)
public function send_form($person_id = -1)
{
$username = $this->config->item('msg_uid');
$password = $this->config->item('msg_pwd');
$phone = $this->input->post('phone');
$message = $this->input->post('message');
$username = $this->config->item('msg_uid');
$password = $this->config->item('msg_pwd');
$phone = $this->input->post('phone');
$message = $this->input->post('message');
$originator = $this->config->item('msg_src');
$response = $this->sms->sendSMS($username, $password, $phone, $message, $originator);
$phone = $this->security->xss_clean($phone);
$person_id = $this->security->xss_clean($person_id);
if($response)
{
echo json_encode(array('success'=>true, 'message'=>$this->lang->line('messages_successfully_sent') . ' ' . $phone, 'person_id'=>$person_id));
echo json_encode(array('success' => TRUE, 'message' => $this->lang->line('messages_successfully_sent') . ' ' . $phone, 'person_id' => $person_id));
}
else
{
echo json_encode(array('success'=>false, 'message'=>$this->lang->line('messages_unsuccessfully_sent') . ' ' . $phone, 'person_id'=>-1));
echo json_encode(array('success' => FALSE, 'message' => $this->lang->line('messages_unsuccessfully_sent') . ' ' . $phone, 'person_id' => -1));
}
}
}
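Review bot: `$person_id` in `send_form()` is a URL segment that only passes through `xss_clean()` (`$person_id = $this->security->xss_clean($person_id);`) before being echoed back, and the success branch returns it as a string while the failure branch returns the integer `-1`; the parameter's default `-1` shows the id is numeric by contract, so `$person_id = (int) $person_id;` both validates it and makes the JSON consistent. The same cast belongs in `view()`, where the raw `$person_id` reaches `Person->get_info()` and whether the model escapes it is not visible here. Filtering every property of the `get_info()` result in place with `xss_clean()` is a blacklist pass, not output encoding; escaping where `messages/form_sms` prints the values (`html_escape()`) is the reliable protection, and the `get_object_vars()` loop will warn if `get_info()` returns something other than an object for an unknown id, which this hunk does not show. Separately, `index()` builds `$data['controller_name']` but calls `$this->load->view('messages/sms')` without passing `$data`, so that assignment is dead.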


@@ -6,11 +6,14 @@ class No_Access extends CI_Controller
parent::__construct();
}
function index($module_id='',$permission_id='')
public function index($module_id = '', $permission_id = '')
{
$data['module_name']=$this->Module->get_module_name($module_id);
$data['permission_id']=$permission_id;
$this->load->view('no_access',$data);
$data['module_name'] = $this->Module->get_module_name($module_id);
$data['permission_id'] = $permission_id;
$data = $this->security->xss_clean($data);
$this->load->view('no_access', $data);
}
}
?>
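Review bot: `$data = $this->security->xss_clean($data);` filters the whole array, but `$permission_id` arrives straight from the URL and `xss_clean()` is a best-effort input filter rather than output encoding; if the `no_access` view prints `permission_id` or `module_name`, escaping at that point with `html_escape()` is what actually prevents markup injection, and the filter here can stay as defence in depth. `$module_id` is still passed unfiltered to `Module->get_module_name()`; whether that model query is parameterised is not visible in this hunk. A comment such as `// Shown when Secure_area denies access; $module_id and $permission_id are URL segments` above `index()` would make the trust level of both inputs explicit.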


@@ -7,59 +7,41 @@ class Secure_area extends CI_Controller
Controllers that are considered secure extend Secure_area, optionally a $module_id can
be set to also check if a user can access a particular module in the system.
*/
function __construct($module_id=null,$submodule_id=null)
function __construct($module_id = null, $submodule_id = null)
{
parent::__construct();
parent::__construct();
$this->load->model('Employee');
if(!$this->Employee->is_logged_in())
{
redirect('login');
}
$employee_id=$this->Employee->get_logged_in_employee_info()->person_id;
$employee_id = $this->Employee->get_logged_in_employee_info()->person_id;
if(!$this->Employee->has_module_grant($module_id,$employee_id) ||
(isset($submodule_id) && !$this->Employee->has_module_grant($submodule_id,$employee_id)))
{
redirect('no_access/'.$module_id.'/'.$submodule_id);
redirect('no_access/' . $module_id . '/' . $submodule_id);
}
//load up global data
$logged_in_employee_info=$this->Employee->get_logged_in_employee_info();
$data['allowed_modules']=$this->Module->get_allowed_modules($logged_in_employee_info->person_id);
$data['backup_allowed']=false;
$logged_in_employee_info = $this->Employee->get_logged_in_employee_info();
$data['allowed_modules'] = $this->Module->get_allowed_modules($logged_in_employee_info->person_id);
$data['backup_allowed'] = false;
foreach($data['allowed_modules']->result_array() as $module)
{
$data['backup_allowed']|=$module['module_id']==='config';
$data['backup_allowed'] |= $module['module_id'] === 'config';
}
$data['user_info']=$logged_in_employee_info;
$data['controller_name']=$module_id;
$this->controller_name=$module_id;
$data['user_info'] = $logged_in_employee_info;
$data['controller_name'] = $module_id;
$this->controller_name = $module_id;
$this->load->vars($data);
}
function get_controller_name()
public function get_controller_name()
{
return strtolower($this->controller_name);
}
function _initialize_pagination($object, $lines_per_page, $limit_from = 0, $total_rows = -1, $function='index', $filter='')
{
$this->load->library('pagination');
$config['base_url'] = site_url($this->get_controller_name() . "/$function/" . $filter);
$config['total_rows'] = $total_rows > -1 ? $total_rows : call_user_func(array($object, 'get_total_rows'));
$config['per_page'] = $lines_per_page;
$config['num_links'] = 2;
$config['last_link'] = $this->lang->line('common_last_page');
$config['first_link'] = $this->lang->line('common_first_page');
// page is calculated here instead of in pagination lib
$config['cur_page'] = $limit_from > 0 ? $limit_from : 0;
$config['page_query_string'] = FALSE;
$config['uri_segment'] = 0;
$this->pagination->initialize($config);
return $this->pagination->create_links();
}
}
?>
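Review bot: `$data['backup_allowed'] |= $module['module_id'] === 'config';` initialises the flag as `false` but `|=` is integer bitwise OR, so after the loop `backup_allowed` is `0`/`1` rather than a bool; `$data['backup_allowed'] = $data['backup_allowed'] || $module['module_id'] === 'config';` keeps the type the initialiser promises (how the views test it is not visible here). `get_logged_in_employee_info()` is also called twice in the constructor, once for `$employee_id` and again for `$logged_in_employee_info`; fetching it once and reading `->person_id` from that object removes the duplicated lookup. The grant check runs `has_module_grant($module_id, …)` with the default `$module_id = null`; what the model returns for `null` is outside this hunk, so whether a subclass that omits the argument is implicitly allowed or denied should be confirmed and stated in the constructor's comment block. The class header lies above the hunk.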