Diffstat (limited to 'config/kernel/auth_check.php')
| -rwxr-xr-x | config/kernel/auth_check.php | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/config/kernel/auth_check.php b/config/kernel/auth_check.php
new file mode 100755
index 0000000..15b7ebc
--- /dev/null
+++ b/config/kernel/auth_check.php
@@ -0,0 +1,32 @@
+<?php
+// Minimal session check - no framework bootstrap
+include 'auth_config.php';
+
+preg_match( '|/attachments/\d+/(\d+)/|', $_SERVER['REQUEST_URI'], $matches );
+
+if( !empty( $matches[1] ) ) {
+ $contentId = (int)$matches[1];
+ try {
+ $pdo = new PDO( $gBitDbHost, $gBitDbUser, $gBitDbPassword );
+
+ // get the role restriction for this content, if any
+ $stmt = $pdo->prepare( "SELECT ROLE_ID FROM LIBERTY_CONTENT_ROLE_MAP WHERE CONTENT_ID = ?" );
+ $stmt->execute( [$contentId] );
+ $requiredRoleId = $stmt->fetchColumn();
+
+ if( $requiredRoleId === false ) {
+ // no restriction - public content
+ http_response_code( 200 );
+ } elseif( in_array( (int)$requiredRoleId, $_SESSION['user_role'] ?? [] ) ) {
+ http_response_code( 200 );
+ } else {
+ http_response_code( 403 );
+ }
+ } catch( PDOException $e ) {
+ http_response_code( 403 );
+ }
+ exit;
+}
+
+// no content_id in URI - nothing to restrict
+http_response_code( 200 );
\ No newline at end of file |
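Review bot: The fall-through at the end of the file answers 200 whenever the pattern yields no non-empty id, and the pattern is matched unanchored against the raw `$_SERVER['REQUEST_URI']`, which still carries the query string and any encoding; the id that gets authorised can therefore differ from the file the web server goes on to serve, and an attachment URL the pattern fails to parse is allowed rather than refused. Match on the path only, e.g. `preg_match( '|/attachments/\d+/(\d+)/|', (string)parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH ), $matches )`, and, if this script is wired only to the attachments location (not visible here), make the final status 403 so an unparsed request fails closed. Separately, `$_SESSION['user_role']` is read in the `elseif` but no `session_start()` appears in this file; unless `auth_config.php` starts the session, `?? []` turns every role-restricted item into a 403 for all users. `fetchColumn()` also inspects only the first mapped role, so content mapped to several roles would be checked against just one of them.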
