This paste was last updated on February 1, 2009 at 1:59 am.


Index: adminhandler.php
===================================================================
--- adminhandler.php	(revision 3096)
+++ adminhandler.php	(working copy)
@@ -48,6 +48,7 @@
 			die( _t( 'Permission denied.' ) );
 		}
 		//*/
+
 		$last_form_data = Session::get_set( 'last_form_data' ); // This was saved in the "if ( !$user )" above, UserHandler transferred it properly.
 		/* At this point, Controller has not created handler_vars, so we have to modify $_POST/$_GET. */
 		if ( isset( $last_form_data['post'] ) ) {
@@ -89,6 +90,13 @@
 		$this->theme->admin_page_url = ( $page == 'dashboard' ) ? URL::get( 'admin', 'page=' ) : URL::get( 'admin', 'page=' . $page );
 		$this->theme->page = $page;
 		$this->theme->admin_title = ucwords($page) . ( $type != '' ? ' ' . ucwords($type) : '' );
+
+		// Access check to see if the user is allowed the requested page
+		if( !$this->access_allowed( $page, $type ) ) {
+			$set = Session::get_set( "permissions" );
+			Utils::redirect( $set['current_page'] );
+		}
+
 		switch( $_SERVER['REQUEST_METHOD'] ) {
 			case 'POST':
 				// Let plugins try to handle the page
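Review bot: The redirect target `$set['current_page']` is only written by access_allowed when a page is allowed, so a session whose first admin request is a denied page has no such key and the added block redirects to an undefined value (with a PHP notice). Fall back to the dashboard URL the method already builds two lines above: `Utils::redirect( isset( $set['current_page'] ) ? $set['current_page'] : URL::get( 'admin', 'page=' ) );`. Also confirm that Utils::redirect terminates the request; if it only emits the Location header, the `switch` below still dispatches the denied page and the check is advisory, so an explicit `exit;` after the redirect would make the denial unconditional. The enclosing method starts before this hunk.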
@@ -1162,7 +1170,6 @@
 
 	public function get_import()
 	{
-
 		$importer = isset( $_POST['importer'] ) ? $_POST['importer'] : '';
 		$stage = isset( $_POST['stage'] ) ? $_POST['stage'] : '';
 
@@ -2763,6 +2770,7 @@
 	 */
 	protected function get_main_menu( $theme )
 	{
+		$user = User::identify();
 		$page = ( isset( $this->handler_vars['page'] ) && !empty( $this->handler_vars['page'] ) ) ? $this->handler_vars['page'] : 'dashboard';
 
 		// These need to be replaced with submenus, but access to them is provided temporarily
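Review bot: The added `$user = User::identify();` is not referenced in any visible hunk of get_main_menu (neither the menu array nor the `selected` loop below uses it), so unless the unseen middle of the function does, it is a dead assignment that should be dropped. If it was meant to hide entries the new access_allowed check will refuse, that filtering is not in this commit, and the menu still links to pages the user is then redirected away from. get_main_menu's body continues outside the hunk.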
@@ -2814,7 +2822,7 @@
 			'import' => array( 'url' => URL::get( 'admin', 'page=import' ), 'title' => _t( 'Import content from another blog' ), 'text' => _t( 'Import' ), 'hotkey' => 'I' ),
 			'users' => array( 'url' => URL::get( 'admin', 'page=users' ), 'title' => _t( 'View and manage users' ), 'text' => _t( 'Users' ), 'hotkey' => 'U' ),
 			'groups' => array( 'url' => URL::get( 'admin', 'page=groups' ), 'title' => _t( 'View and manage groups' ), 'text' => _t( 'Groups' ), 'hotkey' => 'G' ),
-			'logs' => array( 'url' => URL::get( 'admin', 'page=logs'), 'title' => _t( 'View system log messages' ), 'text' => _t( 'Logs' ), 'hotkey' => 'L') ,
+			'logs' => array( 'url' => URL::get( 'admin', 'page=logs'), 'title' => _t( 'View system log messages' ), 'text' => _t( 'Logs' ), 'hotkey' => 'L'),
 			'logout' => array( 'url' => URL::get( 'user', 'page=logout' ), 'title' => _t( 'Log out of the administration interface' ), 'text' => _t( 'Logout' ), 'hotkey' => 'X' ),
 		);
 
@@ -2834,7 +2842,6 @@
 				$mainmenus[$key]['selected'] = true;
 			}
 		}
-
 		$theme->assign( 'mainmenu', $mainmenus );
 	}
 
@@ -2992,5 +2999,39 @@
 		Stack::add( 'admin_header_javascript', Site::get_url('admin_theme') . "/js/media.js", 'media', 'jquery' );
 		Stack::add( 'admin_header_javascript', Site::get_url('admin_theme') . "/js/admin.js", 'admin', 'jquery' );
 	}
+
+	private function access_allowed( $page, $type )
+	{
+		$user = User::identify();
+		$result = TRUE;
+		switch( $page ) {
+			case 'publish':
+				break;
+			case 'posts':
+				break;
+			case 'comments':
+				break;
+			case 'dashboard':
+				Session::add_to_set( 'permissions', $this->theme->admin_page_url, 'current_page' );
+				$result = TRUE;
+				break;
+			default:
+				$token = 'manage_' . $page;
+				if( isset( $this->handler_vars['configure'] ) ) {
+					$token .= '_config';
+				}
+				if( !$user->can( $token ) ) {
+					Session::error( _t('Permission denied') );
+					$result = FALSE;
+				}
+				else {
+					Session::add_to_set( 'permissions', $this->theme->admin_page_url, 'current_page' );
+					$result = TRUE;
+				}
+				break;
+		}
+		return $result;
+
+	}
 }
 ?>
\ No newline at end of file
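Review bot: In access_allowed the `publish`, `posts` and `comments` cases return TRUE without consulting `$user->can()`, so any authenticated user passes for those pages while every other page needs a `manage_<page>` token; if that is a deliberate interim exception it needs a comment such as `// publish/posts/comments are open to any authenticated user until they get their own tokens`, otherwise they belong under the default branch. Those three cases also skip the `Session::add_to_set( 'permissions', ..., 'current_page' )` bookkeeping, so a later denial redirects to whatever page was last recorded rather than the one the user is actually on. The `$type` parameter is accepted at L73 and passed at L27 but never read, the `$result = TRUE` in the dashboard case only restates the initial value, and the blank line before the closing brace is a leftover; lowercase `true`/`false` would match the rest of the file (the `selected = true` assignment above).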
 
 
