You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 

260 lines
7.7 KiB

<?php
class security_functions
{
var $conn;
var $lang;
var $tblprefix;
//defalt constructor which first checks if page is accessable.
function security_functions($dbf,$page_type,$language)
{
//pre: $dbf must be a db_functions object and $page_type must be a string
//post: denies access to page and stops php processing
//$page_type will be either: Public, Admin, Sales Clerk or Report Viewer.
//$usertype will be either: Admin, Sales Clerk or Report Viewer.
//Their must be a session present in order to execute authoization.
//sets class variables.
$this->conn=$dbf->conn;
$this->lang=$language;
$this->tblprefix=$dbf->tblprefix;
if(isset($_SESSION['session_user_id']))
{
$user_id=$_SESSION['session_user_id'];
$tablename="$this->tblprefix".'users';
$result = mysql_query("SELECT * FROM $tablename WHERE id=\"$user_id\"",$this->conn);
//echo "$result";
$row = mysql_fetch_assoc($result);
$usertype= $row['type'];
//echo "stupid";
//If the page is not public or the user is not an Admin, investigation must continue.
if($page_type!='Public' or $usertype!='Admin')
{
if($usertype!='Admin' and $usertype!='Sales Clerk' and $usertype!='Report Viewer')
{
//makes sure $usertype is not anything but Admin, Sales Clerk, Report Viewer
echo "{$this->lang->attemptedSecurityBreech}";
exit();
}
elseif($page_type!='Public' and $page_type!='Admin' and $page_type!='Sales Clerk' and $page_type!='Report Viewer')
{
//makes sure $page_type is not anything but Public, Admin, Sales Clerk or Report Viewer.
echo "{$this->lang->attemptedSecurityBreech}";
exit();
}
elseif($usertype!='Admin' and $page_type=='Admin')
{
//if page is only intented for Admins but the user is not an admin, access is denied.
echo "{$this->lang->mustBeAdmin}";
exit();
}
elseif(($usertype=='Sales Clerk') and $page_type =='Report Viewer')
{
//Page is only intented for Report Viewers and Admins.
echo "{$this->lang->mustBeReportOrAdmin}";
exit();
}
elseif(($usertype=='Report Viewer') and $page_type =='Sales Clerk')
{
//Page is only intented for Sales Clerks and Admins.
echo "{$this->lang->mustBeSalesClerkOrAdmin}";
exit();
}
}
}
/*if(!$this->isLoggedIn()){
header("location: ../login.php");
exit();
}
if(!$this->isOpen()){
header("location: ../books/openshop.php");
exit();
}*/
}
function isLoggedIn()
{
//returns boolean based on if user is logged in.
if(isset($_SESSION['session_user_id']))
{
$user_id=$_SESSION['session_user_id'];
$tablename="$this->tblprefix".'users';
$result = mysql_query ("SELECT * FROM $tablename WHERE id=\"$user_id\"",$this->conn);
$num = @mysql_num_rows($result);
if($num> 0)
{
return true;
}
else
{
return false;
}
}
return false;
}
function checkLogin($username,$password)
{
//pre: $username and $password must be strings. ($password is encrypted)
//post: returns boolean based on if their login was succesfull.
$tablename="$this->tblprefix".'users';
$result = mysql_query ("SELECT * FROM $tablename WHERE username=\"$username\" and password=\"$password\"",$this->conn);
$num = @mysql_num_rows($result);
if($num > 0)
{
return true;
}
return false;
}
function closeSale()
{
//deletes sessions vars
unset($_SESSION['items_in_sale']);
unset($_SESSION['current_sale_customer_id']);
unset($_SESSION['current_sale_customer_id']);
unset($_SESSION['current_customer_search']);
}
function checkMembership($userID)
{
global $cfg_membershipID;
// Construct the join query
$memquery = "SELECT sales.id, sales_items.sale_id, sales_items.item_id, DATE_ADD( sales.date, INTERVAL 1 YEAR ) AS expires
FROM sales, sales_items
WHERE sales.id = sales_items.sale_id
AND sales_items.item_id=$cfg_membershipID
AND sales.customer_id=$userID
ORDER BY sales.date DESC
LIMIT 1;";
//"SELECT sales.id, sales_items.sale_id, sales_items.item_id, DATE_ADD(sales.date, INTERVAL 1 YEAR) as expires ".
//"FROM sales, sales_items "."WHERE sales.id = sales_items.sale_id AND sales_items.item_id = '$cfg_membershipID' AND sales.customer_id = '$userID'";
$memresult = mysql_query($memquery) or die(mysql_error());
if(mysql_num_rows($memresult) < 1){
return false;
}
// Get expiry date
$today = date('Y-m-d');
$row = mysql_fetch_array($memresult);
$expires = $row['expires'];
if($row[item_id] == "1" && $expires >= $today){
return true;
}else{
return false;
}
}
function checkWaiver($userID)
{
// If Membership is ok, check waiver
$waiverresult = mysql_query("SELECT waiver FROM customers WHERE id='$userID'");
if (!$waiverresult) { die("Query to check on status of liability waiver failed"); }
while ($waiverrow = mysql_fetch_array($waiverresult)) {
if ($waiverrow[waiver] == 0 || $waiverrow[waiver] == ""){ return false; } else { return true; }
}
}
function signinMember($userID, $intime, $activity)
{
global $cfg_reqmembership;
$isinresult = mysql_query("SELECT userID FROM visits WHERE endout IS NULL");
if (!$isinresult) { die("Query to show fields from table failed"); }
while($isinrow = mysql_fetch_array($isinresult)){
if($userID == "$isinrow[userID]"){
die("<b>Bike Error!! User is already signed in...</b>");
}
}
// MAKE SURE THEY'VE PAID THEIR MEMBERSHIP (IF REQUIRED BY CONFIG FILE)
if($cfg_reqmembership == "1" && !$this->checkMembership($userID)){
echo "Membership not paid or expired!<br /><a href=\"../home.php\">Go Home --&gt;</a>";
die('');
}
// Have you been a naughty schoolchild and not signed your waiver? PUNISH!
if(!$this->checkWaiver($userID)){
echo "Waiver not signed. Sign waiver, or no shop access you naughty boy!<br /><a href=\"../home.php\">Go Home --&gt;</a>";
die('');
}
// ADD IT TO THE VISITS DATABASE
$in = mktime($_POST[hour], $_POST[minute], 0, $_POST[month], $_POST[day], $_POST[year]);
$tdin = date('Y-m-d H:i:s');
//$activity = $_POST[activity];
if($userID){
$query = "INSERT INTO `visits` (`userID` ,`intime` ,`activity`) VALUES ('$userID', '$tdin', '$activity')";
// echo "IT FJDSFDSA $query";
mysql_query($query);
}
}
function isOpen()
{
//include("settings.php");
//echo "must open = $cfg_company";
//if($cfg_mustOpen == "yes"){
//echo "$this->conn";
//return false;
//}
//return false;
//$tablename="$this->tblprefix".'users';
//$result = mysql_query("SELECT * FROM $tablename WHERE id=\"$user_id\"",$this->conn);
/*$today = date("Y-m-d");
$le = mysql_query("SELECT event, date FROM books WHERE event='1' OR event='2' ORDER BY listID DESC LIMIT 1", $this->conn);
//$le = mysql_query("SELECT * FROM books");//, $this->conn) or die(mysql_error());// WHERE event='1' OR event='2' ORDER BY listID DESC LIMIT 1", $this->conn);
$lastevent = mysql_fetch_assoc($le);
if(!$lastevent || $lastevent['event'] == 2 || $lastevent[date] != $today){// || !mysql_num_rows(mysql_query("SELECT * FROM books WHERE date='$today' AND event='1'"))){
return false;
}*/return true;
//}
return true;
}
function isMechanicHere()
{
return mysql_fetch_array(mysql_query("SELECT userID FROM visits WHERE endout IS NULL AND activity='Mechanic'"));
}
function vaildMailman ($host)
{
$valid = @fsockopen("$host", 80, $errno, $errstr, 30);
if ($valid) return TRUE;
}
}
?>