gnh1201/seeddms-code
1
0
Fork 0
mirror of https://git.code.sf.net/p/seeddms/code synced 2025-02-06 15:14:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

check access on RemoveDocumentFile and EditDocumentFile

Browse Source
This commit is contained in:
Uwe Steinmann 2021-09-22 10:41:36 +02:00
parent 24ae96b9fa
commit 825ae7bfeb
3 changed files with 11 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
op/op.EditDocumentFile.php
View File

@ -32,6 +32,10 @@ include("../inc/inc.Authentication.php");
$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
$controller = Controller::factory($tmp[1], array('dms'=>$dms, 'user'=>$user));
$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
if (!$accessop->check_controller_access($controller, $_POST)) {
UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
}
/* Check if the form data comes from a trusted request */
if(!checkFormKey('editdocumentfile')) {

5
op/op.RemoveDocumentFile.php
View File

@ -26,6 +26,11 @@ include("../inc/inc.DBInit.php");
include("../inc/inc.ClassUI.php");
include("../inc/inc.Authentication.php");
$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
if (!$accessop->check_controller_access('RemoveDocumentFile', $_POST)) {
UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
}
/* Check if the form data comes from a trusted request */
if(!checkFormKey('removedocumentfile')) {
UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));

4
views/bootstrap/class.ViewDocument.php
View File

@ -324,8 +324,8 @@ $(document).ready( function() {
} else print "<li><img class=\"mimeicon\" src=\"images/icons/".$this->getMimeIcon($file->getFileType())."\" title=\"".htmlspecialchars($file->getMimeType())."\">";
echo "</ul><ul class=\"unstyled actions\">";
if (($document->getAccessMode($user) == M_ALL)||($file->getUserID()==$user->getID())) {
print $this->html_link('RemoveDocumentFile', array('documentid'=>$document->getID(), 'fileid'=>$file->getID()), array(), '<i class="fa fa-remove"></i>'.getMLText("delete"), false, true, array('<li>', '</li>'));
print $this->html_link('EditDocumentFile', array('documentid'=>$document->getID(), 'fileid'=>$file->getID()), array(), '<i class="fa fa-edit"></i>'.getMLText("edit"), false, true, array('<li>', '</li>'));
print $this->html_link('RemoveDocumentFile', array('documentid'=>$document->getID(), 'fileid'=>$file->getID()), array(), '<i class="fa fa-remove"></i>'.getMLText("delete"), false, false, array('<li>', '</li>'));
print $this->html_link('EditDocumentFile', array('documentid'=>$document->getID(), 'fileid'=>$file->getID()), array(), '<i class="fa fa-edit"></i>'.getMLText("edit"), false, false, array('<li>', '</li>'));
}
print "</ul></td>";