gnh1201/seeddms-code
1
0
Fork 0
mirror of https://git.code.sf.net/p/seeddms/code synced 2025-05-29 04:57:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

secure locking/inlocking documents with security token

Browse Source
This commit is contained in:
Uwe Steinmann 2021-06-16 14:23:53 +02:00
parent 22c4649d27
commit a38f7fd408
6 changed files with 44 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
op/op.Ajax.php
View File

@ -575,40 +575,45 @@ switch($command) {
case 'tooglelockdocument': /* {{{ */
if($user) {
$document = $dms->getDocument($_REQUEST['id']);
if($document) {
if ($document->getAccessMode($user) >= M_READWRITE) {
if ($document->isLocked()) {
$lockingUser = $document->getLockingUser();
if (($lockingUser->getID() == $user->getID()) || ($document->getAccessMode($user) == M_ALL)) {
if (!$document->setLocked(false)) {
header('Content-Type: application/json');
echo json_encode(array('success'=>false, 'message'=>'Error unlocking document', 'data'=>''));
if(checkFormKey('tooglelockdocument', 'GET')) {
$document = $dms->getDocument($_REQUEST['id']);
if($document) {
if ($document->getAccessMode($user) >= M_READWRITE) {
if ($document->isLocked()) {
$lockingUser = $document->getLockingUser();
if (($lockingUser->getID() == $user->getID()) || ($document->getAccessMode($user) == M_ALL)) {
if (!$document->setLocked(false)) {
header('Content-Type: application/json');
echo json_encode(array('success'=>false, 'message'=>'Error unlocking document', 'data'=>''));
} else {
header('Content-Type: application/json');
echo json_encode(array('success'=>true, 'message'=>getMLText('splash_document_unlocked'), 'data'=>''));
}
} else {
header('Content-Type: application/json');
echo json_encode(array('success'=>true, 'message'=>getMLText('splash_document_unlocked'), 'data'=>''));
echo json_encode(array('success'=>false, 'message'=>getMLText('access_denied'), 'data'=>''));
}
} else {
header('Content-Type: application/json');
echo json_encode(array('success'=>false, 'message'=>getMLText('access_denied'), 'data'=>''));
if (!$document->setLocked($user)) {
header('Content-Type: application/json');
echo json_encode(array('success'=>false, 'message'=>'Error locking document', 'data'=>''));
} else {
header('Content-Type: application/json');
echo json_encode(array('success'=>true, 'message'=>getMLText('splash_document_locked'), 'data'=>''));
add_log_line();
}
}
} else {
if (!$document->setLocked($user)) {
header('Content-Type: application/json');
echo json_encode(array('success'=>false, 'message'=>'Error locking document', 'data'=>''));
} else {
header('Content-Type: application/json');
echo json_encode(array('success'=>true, 'message'=>getMLText('splash_document_locked'), 'data'=>''));
add_log_line();
}
header('Content-Type: application/json');
echo json_encode(array('success'=>false, 'message'=>getMLText('access_denied'), 'data'=>''));
}
} else {
header('Content-Type: application/json');
echo json_encode(array('success'=>false, 'message'=>getMLText('access_denied'), 'data'=>''));
echo json_encode(array('success'=>false, 'message'=>getMLText('invalid_doc_id'), 'data'=>''));
}
} else {
header('Content-Type: application/json');
echo json_encode(array('success'=>false, 'message'=>getMLText('invalid_doc_id'), 'data'=>''));
echo json_encode(array('success'=>false, 'message'=>getMLText('invalid_request_token'), 'data'=>''));
}
}
break; /* }}} */

5
op/op.LockDocument.php
View File

@ -29,6 +29,11 @@ require_once("inc/inc.DBInit.php");
require_once("inc/inc.ClassUI.php");
require_once("inc/inc.Authentication.php");
/* Check if the form data comes from a trusted request */
if(!checkFormKey('lockdocument', 'GET')) {
UI::exitError(getMLText("document_title"), getMLText("invalid_request_token"));
}
if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_GET["documentid"])<1) {
UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
}

5
op/op.UnlockDocument.php
View File

@ -28,6 +28,11 @@ include("../inc/inc.DBInit.php");
include("../inc/inc.ClassUI.php");
include("../inc/inc.Authentication.php");
/* Check if the form data comes from a trusted request */
if(!checkFormKey('unlockdocument', 'GET')) {
UI::exitError(getMLText("document_title"), getMLText("invalid_request_token"));
}
if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_GET["documentid"])<1) {
UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
}

6
views/bootstrap/class.Bootstrap.php
View File

@ -714,7 +714,7 @@ background-image: linear-gradient(to bottom, #882222, #111111);;
if($accessobject->check_controller_access('UpdateDocument'))
$menuitems['update_document'] = array('link'=>"../out/out.UpdateDocument".$docid, 'label'=>getMLText('update_document'));
if($accessobject->check_controller_access('LockDocument'))
$menuitems['lock_document'] = array('link'=>"../op/op.LockDocument".$docid, 'label'=>getMLText('lock_document'));
$menuitems['lock_document'] = array('link'=>"../op/op.LockDocument".$docid."&formtoken=".createFormKey('lockdocument'), 'label'=>getMLText('lock_document'));
if($accessobject->check_controller_access('EditDocument'))
$menuitems['edit_document_props'] = array('link'=>"../out/out.EditDocument".$docid , 'label'=>getMLText('edit_document_props'));
$menuitems['move_document'] = array('link'=>"../out/out.MoveDocument".$docid, 'label'=>getMLText('move_document'));
@ -725,7 +725,7 @@ background-image: linear-gradient(to bottom, #882222, #111111);;
if($accessobject->check_controller_access('UpdateDocument'))
$menuitems['update_document'] = array('link'=>"../out/out.UpdateDocument".$docid, 'label'=>getMLText('update_document'));
if($accessobject->check_controller_access('UnlockDocument'))
$menuitems['unlock_document'] = array('link'=>"../op/op.UnlockDocument".$docid, 'label'=>getMLText('unlock_document'));
$menuitems['unlock_document'] = array('link'=>"../op/op.UnlockDocument".$docid."&formtoken=".createFormKey('unlockdocument'), 'label'=>getMLText('unlock_document'));
if($accessobject->check_controller_access('EditDocument'))
$menuitems['edit_document_props'] = array('link'=>"../out/out.EditDocument".$docid, 'label'=>getMLText('edit_document_props'));
$menuitems['move_document'] = array('link'=>"../out/out.MoveDocument".$docid, 'label'=>getMLText('move_document'));
@ -2486,7 +2486,7 @@ $(function() {
$title = 'lock_document';
}
$content = '';
$content .= '<a class="lock-document-btn" rel="'.$docid.'" msg="'.getMLText($msg).'" title="'.getMLText($title).'"><i class="fa fa-'.$icon.'"></i></a>';
$content .= '<a class="lock-document-btn" rel="'.$docid.'" msg="'.getMLText($msg).'" title="'.getMLText($title).'" data-formtoken="'.createFormKey('tooglelockdocument').'"><i class="fa fa-'.$icon.'"></i></a>';
if($return)
return $content;
else

6
views/bootstrap4/class.Bootstrap4.php
View File

@ -703,7 +703,7 @@ background-image: linear-gradient(to bottom, #882222, #111111);;
if($accessobject->check_controller_access('UpdateDocument'))
$menuitems['update_document'] = array('link'=>"../out/out.UpdateDocument".$docid, 'label'=>getMLText('update_document'));
if($accessobject->check_controller_access('LockDocument'))
$menuitems['lock_document'] = array('link'=>"../op/op.LockDocument".$docid, 'label'=>getMLText('lock_document'));
$menuitems['lock_document'] = array('link'=>"../op/op.LockDocument".$docid."&formtoken=".createFormKey('lockdocument'), 'label'=>getMLText('lock_document'));
if($accessobject->check_controller_access('EditDocument'))
$menuitems['edit_document_props'] = array('link'=>"../out/out.EditDocument".$docid , 'label'=>getMLText('edit_document_props'));
$menuitems['move_document'] = array('link'=>"../out/out.MoveDocument".$docid, 'label'=>getMLText('move_document'));
@ -714,7 +714,7 @@ background-image: linear-gradient(to bottom, #882222, #111111);;
if($accessobject->check_controller_access('UpdateDocument'))
$menuitems['update_document'] = array('link'=>"../out/out.UpdateDocument".$docid, 'label'=>getMLText('update_document'));
if($accessobject->check_controller_access('UnlockDocument'))
$menuitems['unlock_document'] = array('link'=>"../op/op.UnlockDocument".$docid, 'label'=>getMLText('unlock_document'));
$menuitems['unlock_document'] = array('link'=>"../op/op.UnlockDocument".$docid."&formtoken=".createFormKey('unlockdocument'), 'label'=>getMLText('unlock_document'));
if($accessobject->check_controller_access('EditDocument'))
$menuitems['edit_document_props'] = array('link'=>"../out/out.EditDocument".$docid, 'label'=>getMLText('edit_document_props'));
$menuitems['move_document'] = array('link'=>"../out/out.MoveDocument".$docid, 'label'=>getMLText('move_document'));
@ -2539,7 +2539,7 @@ $(function() {
$title = 'lock_document';
}
$content = '';
$content .= '<a class="lock-document-btn" rel="'.$docid.'" msg="'.getMLText($msg).'" title="'.getMLText($title).'"><i class="fa fa-'.$icon.'"></i></a>';
$content .= '<a class="lock-document-btn" rel="'.$docid.'" msg="'.getMLText($msg).'" title="'.getMLText($title).'" data-formtoken="'.createFormKey('tooglelockdocument').'"><i class="fa fa-'.$icon.'"></i></a>';
if($return)
return $content;
else

2
views/bootstrap4/styles/application.js
View File

@ -389,7 +389,7 @@ $(document).ready( function() {
attr_msg = $(ev.currentTarget).attr('msg');
id = attr_rel;
$.get('../op/op.Ajax.php',
{ command: 'tooglelockdocument', id: id },
{ command: 'tooglelockdocument', formtoken: $(ev.currentTarget).data('formtoken'), id: id },
function(data) {
if(data.success) {
//$("#table-row-document-"+id).html('Loading').load('../op/op.Ajax.php?command=view&view=documentlistrow&id='+id)