security checks to prevent unwanted changes

common.php

@@ -153,6 +153,14 @@
     // Check Function Availability
     //////////////////////////////////////////////////////////////////
 
+    function checkAccess() {
+        return file_exists(BASE_PATH . "/data/" . $_SESSION['user'] . '_acl.php')?false:true;
+    }
+    
+    //////////////////////////////////////////////////////////////////
+    // Check Function Availability
+    //////////////////////////////////////////////////////////////////
+
     function isAvailable($func) {
         if (ini_get('safe_mode')) return false;
         $disabled = ini_get('disable_functions');

components/project/controller.php

@@ -52,13 +52,15 @@
     //////////////////////////////////////////////////////////////////
 
     if($_GET['action']=='create'){
-        $Project->name = $_GET['project_name'];
-        // Git Clone?
-        if(!empty($_GET['git_repo'])){
-            $Project->gitrepo = $_GET['git_repo'];
-            $Project->gitbranch = $_GET['git_branch'];
+        if(checkAccess()) {
+            $Project->name = $_GET['project_name'];
+            // Git Clone?
+            if(!empty($_GET['git_repo'])){
+                $Project->gitrepo = $_GET['git_repo'];
+                $Project->gitbranch = $_GET['git_branch'];
+            }
+            $Project->Create();
         }
-        $Project->Create();
     }
 
     //////////////////////////////////////////////////////////////////
@@ -66,8 +68,10 @@
     //////////////////////////////////////////////////////////////////
 
     if($_GET['action']=='delete'){
-        $Project->path = $_GET['project_path'];
-        $Project->Delete();
+        if(checkAccess()) {
+            $Project->path = $_GET['project_path'];
+            $Project->Delete();
+        }
     }
 
     //////////////////////////////////////////////////////////////////

components/project/dialog.php

@@ -75,7 +75,7 @@
                     <th width="5">Open</th>
                     <th>Project Name</th>
                     <th>Path</th>
-                    <?php if(!$projects_assigned){ ?><th width="5">Delete</th><?php } ?>
+                    <?php if(checkAccess()){ ?><th width="5">Delete</th><?php } ?>
                 </tr>
             <?php
             
@@ -92,7 +92,7 @@
                     <td><?php echo($data['name']); ?></td>
                     <td>/<?php echo($data['path']); ?></td>
                     <?php
-                        if(!$projects_assigned){
+                        if(checkAccess()){
                             if($_SESSION['project'] == $data['path']){
                             ?>
                             <td><a onclick="codiad.message.error('Active Project Cannot Be Removed');" class="icon-block bigger-icon"></a></td>
@@ -111,7 +111,7 @@
             ?>
             </table>
             </div>
-            <?php if(!$projects_assigned){ ?><button class="btn-left" onclick="codiad.project.create();">New Project</button><?php } ?><button class="<?php if(!$projects_assigned){ echo('btn-right'); } ?>" onclick="codiad.modal.unload();return false;">Close</button>
+            <?php if(checkAccess()){ ?><button class="btn-left" onclick="codiad.project.create();">New Project</button><?php } ?><button class="<?php if(checkAccess()){ echo('btn-right'); } ?>" onclick="codiad.modal.unload();return false;">Close</button>
             <?php
             
             break;

components/user/controller.php

@@ -48,9 +48,11 @@
     //////////////////////////////////////////////////////////////////
 
     if($_GET['action']=='create'){
-        $User->username = User::CleanUsername( $_POST['username'] );
-        $User->password = $_POST['password'];
-        $User->Create();
+        if(checkAccess()) {
+            $User->username = User::CleanUsername( $_POST['username'] );
+            $User->password = $_POST['password'];
+            $User->Create();
+        }
     }
 
     //////////////////////////////////////////////////////////////////
@@ -58,8 +60,10 @@
     //////////////////////////////////////////////////////////////////
 
     if($_GET['action']=='delete'){
-        $User->username = $_GET['username'];
-        $User->Delete();
+        if(checkAccess()) {
+            $User->username = $_GET['username'];
+            $User->Delete();
+        }
     }
 
     //////////////////////////////////////////////////////////////////
@@ -67,9 +71,11 @@
     //////////////////////////////////////////////////////////////////
 
     if($_GET['action']=='project_access'){
-        $User->username = $_GET['username'];
-        $User->projects = $_POST['projects'];
-        $User->Project_Access();
+        if(checkAccess()) {
+            $User->username = $_GET['username'];
+            $User->projects = $_POST['projects'];
+            $User->Project_Access();
+        }
     }
 
     //////////////////////////////////////////////////////////////////
@@ -77,9 +83,11 @@
     //////////////////////////////////////////////////////////////////
 
     if($_GET['action']=='password'){
-        $User->username = $_POST['username'];
-        $User->password = $_POST['password'];
-        $User->Password();
+        if(checkAccess() || $_POST['username'] == $_SESSION['user']) {
+            $User->username = $_POST['username'];
+            $User->password = $_POST['password'];
+            $User->Password();
+        }
     }
 
     //////////////////////////////////////////////////////////////////

components/user/dialog.php

@@ -23,7 +23,7 @@
         case 'list':
             
             $projects_assigned = false;
-            if(file_exists(BASE_PATH . "/data/" . $_SESSION['user'] . '_acl.php')){ 
+            if(!checkAccess()){ 
             ?>
             <label>Restricted</label>
             <pre>You can not edit the user list</pre>