Changeset 4006:4de7ea99ccac

Timestamp:

07/09/19 13:10:33 (6 years ago)

Author:

franck <carnet.franck.paul@…>

Branch:

default

Message:

If context cannot be conserved when switching blog, test dashboard access permission before killing the session

Files:

• admin/index.php (modified) (1 diff)
• inc/admin/lib.dc.page.php (modified) (3 diffs)

admin/index.php

@@ -29 +29 @@
 }
 
-dcPage::check('usage,contentadmin');
+dcPage::check('usage,contentadmin', true);
 
 if ($core->plugins->disableDepModules($core->adminurl->get('admin.home', []))) {

inc/admin/lib.dc.page.php

@@ -24 +24 @@
 
     # Auth check
-    public static function check($permissions)
+    public static function check($permissions, $home = false)
     {
         $core = self::getCore();
@@ -32 +32 @@
         }
 
+        // Check if dashboard is not the current page et if it is granted for the user
+        if (!$home && $core->blog && $core->auth->check('usage,contentadmin', $core->blog->id)) {
+            // Go back to the dashboard
+            http::redirect(DC_ADMIN_URL);
+        }
+
         if (session_id()) {
             $core->session->destroy();
@@ -39 +45 @@
 
     # Check super admin
-    public static function checkSuper()
+    public static function checkSuper($home = false)
     {
         $core = self::getCore();
 
         if (!$core->auth->isSuperAdmin()) {
+            // Check if dashboard is not the current page et if it is granted for the user
+            if (!$home && $core->blog && $core->auth->check('usage,contentadmin', $core->blog->id)) {
+                // Go back to the dashboard
+                http::redirect(DC_ADMIN_URL);
+            }
+
             if (session_id()) {
                 $core->session->destroy();