--- docman.php 2002/07/28 14:16:04 1.17
+++ docman.php 2002/07/28 16:24:54 1.18
@@ -20,7 +20,7 @@
//////////////////////////////////////////////////////////////////
// CONFIGURATION OPTIONS
-// error_reporting(4) ; // how verbose ?
+ error_reporting(E_ALL) ; // how verbose ?
// from where to include auth_*.php modules?
$gblIncDir = "/data/docman2";
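Review bot: Enabling `error_reporting(E_ALL)` in the shipped configuration block raises every notice and warning, and this hunk does not set `display_errors`, so whether those messages reach the browser depends on the server. Where errors are displayed, they would expose filesystem paths such as the include directory in `$gblIncDir`. I would pair the new line with `ini_set("display_errors","0"); ini_set("log_errors","1");`, or state in the comment that E_ALL is meant for development only.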
@@ -84,7 +84,7 @@
LoadLanguage($HTTP_SERVER_VARS["HTTP_ACCEPT_LANGUAGE"]);
// for security and configuration
- $realm=$HTTP_SERVER_VARS[HTTP_HOST];
+ $realm=$HTTP_SERVER_VARS["HTTP_HOST"];
$fsDocumentRoot = dirname($HTTP_SERVER_VARS[SCRIPT_FILENAME]);
if ($fsDocumentRoot == "") Error("Configuration error","Can't get SCRIPT_FILENAME from your web server. Please set \$fsDocumentRoot in \$",1);
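Review bot: Only `HTTP_HOST` is quoted here; the next line still reads `$HTTP_SERVER_VARS[SCRIPT_FILENAME]` with a bare constant, which raises a notice now that the same commit enables `E_ALL`. The same unquoted-key style remains at `$perm[allow]` / `$perm[deny]` in the check_trustee hunk and at `$HTTP_GET_VARS[relogin]` / `$HTTP_GET_VARS[force_login]` in the login hunk. Suggested here: `dirname($HTTP_SERVER_VARS["SCRIPT_FILENAME"])`. Separately, `$realm` comes from the client-supplied Host header and the comment says it is used "for security and configuration". If it selects a per-realm configuration, it should be matched against a list of configured host names first; that use is not visible in this hunk.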
@@ -138,7 +138,9 @@
} else {
$url .= md5($gblLogin.$gblPasswd);
}
- if (isset($gblLogin) && $gblLogin != "" && ($gblPasswd == "" || !isset($gblPasswd))) {
+ if ( ( (isset($gblLogin) && $gblLogin != "") ||
+ (!isset($gblLogin) || $gblLogin == "")
+ ) && ($gblPasswd == "" || !isset($gblPasswd))) {
$url_title="login";
$url .= "&force_login=1";
} else {
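Review bot: The new first clause, `(isset($gblLogin) && $gblLogin != "") || (!isset($gblLogin) || $gblLogin == "")`, is true for every value of `$gblLogin`, so the whole test reduces to the password check. If the intent is to force a login whenever no password is set, write it directly as `if (!isset($gblPasswd) || $gblPasswd == "") {`, which also tests `isset` before the comparison. The context line above appends `md5($gblLogin.$gblPasswd)` to `$url`. A password-derived value in a URL ends up in server logs, browser history and Referer headers, so a random per-session token would be safer there. The enclosing block starts and ends outside the hunk.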
@@ -582,9 +584,17 @@
$self = $HTTP_SERVER_VARS["PHP_SELF"] ;
- $fsDir = $fsRoot.$relDir."/"; // current directory
+ $relDir = chopsl($relDir)."/";
+ $fsDir = $fsRoot.$relDir; // current directory
- if (!is_dir($fsDir)) Error("Dir not found",$relDir,1) ;
+ if (!is_dir($fsDir)) Error("Dir not found","Directory $relDir not found on filesystem at $fsDir",1) ;
+
+ global $debug;
+ $debug .= "[$gblLogin|$relDir] before >";
+
+ if (! check_perm($relDir,(trperm_b | trperm_r)))
+ Error("Access denied","User $gblLogin tried to access $relDir without valid trustee.",1);
+ $debug .= "< afeter";
$hide_items=",$gblHide,";
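Review bot: The `is_dir()` test runs before the new `check_perm()` call and its new message prints `$fsDir`, so a user without a trustee on `$relDir` can still learn whether a directory exists and see the server-side absolute path. Moving the `check_perm` block above the `is_dir` line and keeping the user-facing text to `Error("Dir not found",$relDir,1)`, with `$fsDir` going only to `$debug` or a log, closes both. The later hunk's `"Can't find $relDir which points to $fsDir"` has the same path disclosure. `$relDir` is interpolated into both messages as received, and whether `Error()` HTML-escapes its arguments is not visible here and should be confirmed. Minor: `"< afeter"` should read `"< after"`.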
@@ -1400,11 +1410,22 @@
global $trustees;
$perm[allow] = 0;
$perm[deny] = 0;
+
+global $debug;
+$debug .= "
check_trustee $path ... ";
+
$path_arr=explode("/",$path);
- $path = "/";
+ $tmppath = "/";
while (count($path_arr)) {
- if (substr($path,strlen($path)-1,1) != "/") $path.="/";
- $tr = $trustees[$path];
+ $tmppath.=array_shift($path_arr);
+$debug.= ">> $tmppath ";
+ if (substr($tmppath,strlen($tmppath)-1,1) != "/") $tmppath.="/";
+ $tr = $trustees[$tmppath];
+
+ # clear one level flag
+ $perm[allow] &= ~trperm_one_level;
+ $perm[deny] &= ~trperm_one_level;
+
if (isset($tr)) {
// first apply trustee for all
if (isset($tr['*'])) {
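Review bot: The trustee lookup walks `$path` segment by segment as a plain string, so the result is only right if `$path` is already canonical. With a `.` or `..` segment, the keys built in `$tmppath` would not match the `$trustees` entries for the directory actually reached. I can't see where callers normalise `$path`; if they don't, such segments should be rejected or resolved before the `explode`. The new `&= ~trperm_one_level` lines clear only the flag bit, so they are correct only if `unroll_perm` (not shown) uses that bit to drop a one-level grant at the next level, which deserves a comment. The function starts and ends outside this hunk.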
@@ -1425,12 +1446,12 @@
$perm = unroll_perm($user,$tr[$user],$user, $perm);
unset($tr[$user]);
}
- $path.=array_shift($path_arr);
}
+$debug.="d:".display_trustee($perm[deny])." a:".display_trustee($perm[allow])." ";
}
-#print "
user: $user path: $path perm: ";
-#print "d: $perm[deny] (".display_trustee($perm[deny]).") a: $perm[allow] (".display_trustee($perm[allow]).")
\n";
+$debug.="
check_trustee: user: $user path: $path==$tmppath perm: ";
+$debug.="d: $perm[deny] (".display_trustee($perm[deny]).") a: $perm[allow] (".display_trustee($perm[allow]).")
\n";
return $perm;
}
@@ -1445,9 +1466,9 @@
$return = ! $HAVE_TRUSTEE;
if ($HAVE_TRUSTEE) {
$perm = check_trustee($gblLogin,$path);
-$debug.=" d: $perm[deny] (".display_trustee($perm[deny]).") a: $perm[allow] (".display_trustee($perm[allow]).") perm: $trperm";
+$debug.=" d: $perm[deny] (".display_trustee($perm[deny]).") a: $perm[allow] (".display_trustee($perm[allow]).") perm to have: $trperm (".display_trustee($trperm).")";
if ($perm[deny] & $trperm) $return=0;
- elseif ($perm[allow] & $trperm) $return=1;
+ elseif (($perm[allow] & $trperm) == $trperm) $return=1;
}
$debug.=" return: $return
\n";
return($return);
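Review bot: With the stricter allow test in place, the remaining permissive path is `$return = ! $HAVE_TRUSTEE;` at the top, which makes every permission check succeed when trustees are not in use. That may be intended, but it deserves a comment such as `// no trustee configuration: access control is off, everything is allowed`. It is also worth confirming that `init_trustee()` returns false only when no trustee file is configured, not when one exists but failed to load. The deny test still matches on any overlapping bit while allow now requires all requested bits, which is the safe asymmetry and could be noted in one line. The function starts outside the hunk.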
@@ -1543,6 +1564,10 @@
Error("Configuration error","Can't find user handling module at $gblIncDir/htusers/$gblUsers.php ! Please fix $realm_config");
}
+ // take additional login vars
+ $relogin = $HTTP_GET_VARS[relogin];
+ $force_login = $HTTP_GET_VARS[force_login];
+
// if no password, or empty password logout
if (
isset($gblLogin) && (
@@ -1567,15 +1592,12 @@
// get ACL informations
$HAVE_TRUSTEE = init_trustee();
- // take additional login vars
- $relogin = $HTTP_GET_VARS[relogin];
- $force_login = $HTTP_GET_VARS[force_login];
-
- if (strtolower($gblLogin) == "anonymous" || !isset($gblPasswd)) {
+ if (strtolower($gblLogin) == "anonymous" || !isset($gblLogin)) {
$perm = check_trustee("anonymous",$path);
// browsing must be explicitly allowed for root directory
// of repository for anonymous user to work!
if ($perm[allow] & trperm_b) {
+ $gblLogin = $gblPasswd = "anonymous";
$secHash = md5($gblLogin.$gblPasswd);
$gblUserName = "Anonymous user";
}
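Review bot: The new condition calls `strtolower($gblLogin)` before testing `!isset($gblLogin)`, and it does not cover an empty login string, which the URL-building hunk treats the same as an unset one. Suggested: `if (!isset($gblLogin) || $gblLogin == "" || strtolower($gblLogin) == "anonymous") {`. With the added assignment, `$secHash` for the anonymous user is `md5("anonymousanonymous")`, a value anyone can compute. Code that accepts a matching hash must therefore still run the trustee check for `anonymous` rather than treat the hash as proof of login. The block continues past the hunk, so what happens when anonymous browsing is not allowed is not visible.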
@@ -1628,6 +1650,8 @@
$fsDir = $gblFsRoot . $relDir ; // current directory
if ( !is_dir($fsDir) ) Error("Dir not found","Can't find $relDir which points to $fsDir",1) ;
+ if ($relDir == "") $relDir="/";
+
if (isset($HTTP_SERVER_VARS["HTTPS"]) && $HTTP_SERVER_VARS["HTTPS"] == "on") {
$webRoot = "https://";
} else {