From e0dcd86f5a97b9a8e9f030697218f37f8b141ac0 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Wed, 2 Aug 2017 06:46:44 +0200
Subject: [PATCH 1/4] add optional version number to mayEditOnline()

---
 inc/inc.ClassAccessOperation.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/inc/inc.ClassAccessOperation.php b/inc/inc.ClassAccessOperation.php
index f93a4f4f1..80840eb5c 100644
--- a/inc/inc.ClassAccessOperation.php
+++ b/inc/inc.ClassAccessOperation.php
@@ -54,9 +54,12 @@ class SeedDMS_AccessOperation {
 * document may delete versions. The admin may even delete a version
 * even if is disallowed in the settings.
 */
- function mayEditVersion() { /* {{{ */
+ function mayEditVersion($vno=0) { /* {{{ */
 if(get_class($this->obj) == 'SeedDMS_Core_Document') {
- $version = $this->obj->getLatestContent();
+ if($vno)
+ $version = $this->obj->getContentByVersion($vno);
+ else
+ $version = $this->obj->getLatestContent();
 if (!isset($this->settings->_editOnlineFileTypes) || !is_array($this->settings->_editOnlineFileTypes) || !in_array(strtolower($version->getFileType()), $this->settings->_editOnlineFileTypes))
 return false;
 if ($this->obj->getAccessMode($this->user) == M_ALL || $this->user->isAdmin()) {

From 76508cb52b0b5b80cb568c11dee70b36ddf2c827 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Wed, 2 Aug 2017 06:47:48 +0200
Subject: [PATCH 2/4] check with SeedDMS_AccessOperation for allowed operation

---
 out/out.EditAttributes.php | 3 +++
 out/out.EditComment.php | 3 +++
 out/out.EditOnline.php | 4 ++++
 out/out.OverrideContentStatus.php | 10 +++-------
 out/out.RemoveVersion.php | 3 +++
 out/out.SetReviewersApprovers.php | 10 +++-------
 out/out.SetWorkflow.php | 3 +++
 7 files changed, 22 insertions(+), 14 deletions(-)

diff --git a/out/out.EditAttributes.php b/out/out.EditAttributes.php
index 717768728..b7e72e6c7 100644
--- a/out/out.EditAttributes.php
+++ b/out/out.EditAttributes.php
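Review bot: `$version = $this->obj->getContentByVersion($vno);` on the new line can yield a non-object when the requested version does not exist, and the following context line dereferences `$version->getFileType()` unconditionally, so a caller handing in an unknown version number (out.EditOnline.php forwards a request parameter to this method in patch 2/4) gets a fatal error instead of a clean denial. Add a guard right after the if/else: `if(!$version) return false;`. `if($vno)` also accepts any non-empty string as a version number; casting with `(int)$vno` here or validating in the caller would be safer — I cannot see getContentByVersion(), so confirm what it returns on failure. The commit subject names mayEditOnline() while the method actually changed is mayEditVersion(). The method body continues past the end of the hunk.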
@@ -46,6 +46,9 @@ $folder = $document->getFolder();
 /* Create object for checking access to certain operations */
 $accessop = new SeedDMS_AccessOperation($document, $user, $settings);
+if(!$accessop->mayEditAttributes()) {
+ UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
+}
 $attrdefs = $dms->getAllAttributeDefinitions(array(SeedDMS_Core_AttributeDefinition::objtype_documentcontent, SeedDMS_Core_AttributeDefinition::objtype_all));
diff --git a/out/out.EditComment.php b/out/out.EditComment.php
index c39a223b2..d91f130ce 100644
--- a/out/out.EditComment.php
+++ b/out/out.EditComment.php
@@ -51,6 +51,9 @@ $folder = $document->getFolder();
 /* Create object for checking access to certain operations */
 $accessop = new SeedDMS_AccessOperation($document, $user, $settings);
+if(!$accessop->mayEditComment()) {
+ UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
+}
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user));
diff --git a/out/out.EditOnline.php b/out/out.EditOnline.php
index f2433e71d..84f73f155 100644
--- a/out/out.EditOnline.php
+++ b/out/out.EditOnline.php
@@ -53,6 +53,7 @@ if(isset($_GET["version"])) {
 $lc = $document->getLatestContent();
 } else {
+ $version = 0;
 $content = $document->getLatestContent();
 $lc = $document->getLatestContent();
 }
@@ -74,6 +75,9 @@ if (!isset($settings->_editOnlineFileTypes) || !is_array($settings->_editOnlineF
 /* Create object for checking access to certain operations */
 $accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
+if(!$accessop->mayEditVersion($version)) {
+ UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
+}
 $folder = $document->getFolder();
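Review bot: The new `UI::exitError(getMLText("document_title", array("documentname" => $document->getName())), ...)` in out.EditAttributes.php passes the document name unescaped, while the OverrideContentStatus, RemoveVersion and SetReviewersApprovers hunks of the same patch wrap it in `htmlspecialchars()`; unless UI::exitError() escapes its title itself (not visible here), a user-chosen document name lands in the error page as markup. Use `htmlspecialchars($document->getName())` here as those files do. The same unescaped call is added in the EditComment, EditOnline and SetWorkflow hunks, so the fix applies to all four. Even if exitError() turns out to escape, the inconsistency between files added in one commit is worth removing.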
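Review bot: The new `if(!$accessop->mayEditVersion($version))` in out.EditOnline.php runs against an access object built on the context line above as `new SeedDMS_AccessOperation($dms, $user, $settings)`, whereas every other file in this patch passes `$document`. mayEditVersion() as changed in patch 1/4 evaluates its file-type and access-mode rules only inside `if(get_class($this->obj) == 'SeedDMS_Core_Document')`, so with the DMS object that branch is skipped and the outcome depends on code outside the hunk — either the page is always denied or the guard is a no-op. Change the construction to `$accessop = new SeedDMS_AccessOperation($document, $user, $settings);` before relying on it. `$version` in the `isset($_GET["version"])` branch is assigned outside this hunk; if it is the raw request value it reaches getContentByVersion() unvalidated, so an integer cast at that assignment would be prudent.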
diff --git a/out/out.OverrideContentStatus.php b/out/out.OverrideContentStatus.php
index 6798f6e98..ad4863016 100644
--- a/out/out.OverrideContentStatus.php
+++ b/out/out.OverrideContentStatus.php
@@ -50,17 +50,13 @@ if (!is_object($content)) {
 UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("invalid_version"));
 }
-$overallStatus = $content->getStatus();
-
-// status change control
-if ($overallStatus["status"] == S_REJECTED || $overallStatus["status"] == S_EXPIRED || $overallStatus["status"] == S_DRAFT_REV || $overallStatus["status"] == S_DRAFT_APP ) {
- UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("cannot_change_final_states"));
-}
-
 $folder = $document->getFolder();
 /* Create object for checking access to certain operations */
 $accessop = new SeedDMS_AccessOperation($document, $user, $settings);
+if(!$accessop->mayOverwriteStatus()) {
+ UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("cannot_change_final_states"));
+}
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user));
diff --git a/out/out.RemoveVersion.php b/out/out.RemoveVersion.php
index c8958f642..eaa99db3e 100644
--- a/out/out.RemoveVersion.php
+++ b/out/out.RemoveVersion.php
@@ -60,6 +60,9 @@ $folder = $document->getFolder();
 /* Create object for checking access to certain operations */
 $accessop = new SeedDMS_AccessOperation($document, $user, $settings);
+if(!$accessop->mayRemoveVersion()) {
+ UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("access_denied"));
+}
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user));
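Review bot: The removed block in out.OverrideContentStatus.php tested `$content->getStatus()` — the state of the version this page was asked to act on — while its replacement `$accessop->mayOverwriteStatus()` is called on an object built from `$document` with no version argument. If mayOverwriteStatus() inspects the latest content, as mayEditVersion() did before patch 1/4 gave it `$vno`, a request for an older version is now judged on a different version's state; I cannot see the method, so confirm this in inc/inc.ClassAccessOperation.php and, if so, give it the same optional version parameter and pass the requested version number here. The message `cannot_change_final_states` is now also shown when the denial comes from missing access rights rather than the document state, which misleads the user; `getMLText("access_denied")` covers both cases as the other out/ scripts in this patch do.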
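Review bot: `if(!$accessop->mayRemoveVersion())` in out.RemoveVersion.php is enforced only in the out/ script that renders the confirmation form; the op/ script that performs the deletion is not touched by this patch, so unless it runs the same check a user can still submit the removal request directly and the new guard merely hides a button. Confirm that the op counterpart calls `$accessop->mayRemoveVersion()` as well — it is outside this patch, so I cannot tell. The method is also invoked without the version being removed, so the decision is made for the document as a whole rather than the specific version; that is fine only if it is intentionally version-independent.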
diff --git a/out/out.SetReviewersApprovers.php b/out/out.SetReviewersApprovers.php
index 02c5e09f5..ef3cac583 100644
--- a/out/out.SetReviewersApprovers.php
+++ b/out/out.SetReviewersApprovers.php
@@ -53,17 +53,13 @@ if(!$settings->_enableVersionModification) {
 UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("no_version_modification"));
 }
-// control for document state. Must correspond to check in
-// SeedDMS_AccessOperation::maySetReviewersApprovers()
-$overallStatus = $content->getStatus();
-if ($overallStatus["status"]!=S_DRAFT_REV && $overallStatus["status"]!=S_DRAFT_APP) {
- UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("cannot_assign_invalid_state"));
-}
-
 $folder = $document->getFolder();
 /* Create object for checking access to certain operations */
 $accessop = new SeedDMS_AccessOperation($document, $user, $settings);
+if(!$accessop->maySetReviewersApprovers()) {
+ UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("cannot_assign_invalid_state"));
+}
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user));
diff --git a/out/out.SetWorkflow.php b/out/out.SetWorkflow.php
index d2473afd0..caee4499d 100644
--- a/out/out.SetWorkflow.php
+++ b/out/out.SetWorkflow.php
@@ -51,6 +51,9 @@ $folder = $document->getFolder();
 /* Create object for checking access to certain operations */
 $accessop = new SeedDMS_AccessOperation($document, $user, $settings);
+if(!$accessop->maySetWorkflow()) {
+ UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
+}
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user));
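Review bot: The state check dropped from out.SetReviewersApprovers.php read `$content->getStatus()`, i.e. the version selected by the request, but the replacement `$accessop->maySetReviewersApprovers()` receives no version and is evaluated on an object constructed from `$document` alone. Whether that is equivalent depends on which content maySetReviewersApprovers() examines, which is outside this patch; if it uses the latest content, a request naming an older version bypasses the S_DRAFT_REV/S_DRAFT_APP restriction the removed lines enforced. The removed comment said the two checks "must correspond"; either pass the requested version into the method, following the `$vno` parameter added to mayEditVersion() in patch 1/4, or document in the method that it is intentionally version-independent.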
From b974ee0df270c02aff8e09cd023c2e94250dc3b0 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Wed, 2 Aug 2017 06:49:01 +0200
Subject: [PATCH 3/4] add entry for 4.3.36

---
 CHANGELOG | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG b/CHANGELOG
index 01824e3e0..a322092d9 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -8,6 +8,8 @@ - remove empty lines at end of view/bootstrap/class.*.php files (Closes #329)
 - make sure contentDir ends with DIRECTORY_SEPARATOR (Closes #323)
 - minor improvements of installation
+- better checking in out/*.php for allowed operation (e.g. EditOnline,
+ RemoveVersion, SetReviewersApprovers, ...)
 --------------------------------------------------------------------------------
 Changes in version 4.3.35

From 0c3355ed9dc587d7d1492a60bc84763784acc203 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Wed, 2 Aug 2017 07:04:46 +0200
Subject: [PATCH 4/4] no extra check enableVersionModificaton is done by maySetReviewersApprovers()

---
 out/out.SetReviewersApprovers.php | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/out/out.SetReviewersApprovers.php b/out/out.SetReviewersApprovers.php
index ef3cac583..a05d428ca 100644
--- a/out/out.SetReviewersApprovers.php
+++ b/out/out.SetReviewersApprovers.php
@@ -49,16 +49,12 @@ if (!is_object($content)) {
 UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("invalid_version"));
 }
-if(!$settings->_enableVersionModification) {
- UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("no_version_modification"));
-}
-
 $folder = $document->getFolder();
 /* Create object for checking access to certain operations */
 $accessop = new SeedDMS_AccessOperation($document, $user, $settings);
 if(!$accessop->maySetReviewersApprovers()) {
- UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("cannot_assign_invalid_state"));
+ UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("no_version_modification"));
 }
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
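Review bot: After this hunk `maySetReviewersApprovers()` is the single gate for three different refusals — version modification disabled in the settings, a document state other than draft, and missing access rights — yet the page now reports all of them as `no_version_modification`, so a user whose document is merely in the wrong state is pointed at a setting that is not the cause. Replace the message with the neutral `getMLText("access_denied")` used by the other out/ scripts in patch 2/4, or have the access-operation method expose the reason for the denial. The commit subject's `enableVersionModificaton` is a typo for `enableVersionModification`. The statement run changed here is complete within the hunk.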