add csrf protection, check if target is equal source folder
This commit is contained in:
parent
64152e0d0b
commit
c5694c21b4
|
@ -20,6 +20,7 @@
|
|||
|
||||
include("../inc/inc.Settings.php");
|
||||
include("../inc/inc.LogInit.php");
|
||||
include("../inc/inc.Utils.php");
|
||||
include("../inc/inc.Language.php");
|
||||
include("../inc/inc.Init.php");
|
||||
include("../inc/inc.Extension.php");
|
||||
|
@ -27,6 +28,11 @@ include("../inc/inc.DBInit.php");
|
|||
include("../inc/inc.ClassUI.php");
|
||||
include("../inc/inc.Authentication.php");
|
||||
|
||||
/* Check if the form data comes from a trusted request */
|
||||
if(!checkFormKey('movedocument', 'GET')) {
|
||||
UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
|
||||
}
|
||||
|
||||
if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_GET["documentid"])<1) {
|
||||
UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
|
||||
}
|
||||
|
@ -62,46 +68,48 @@ if($document->isLocked()) {
|
|||
}
|
||||
}
|
||||
|
||||
if ($targetid == $oldFolder->getID()) {
|
||||
UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("target_equals_source_folder"));
|
||||
}
|
||||
|
||||
/* Check if name already exists in the folder */
|
||||
if(!$settings->_enableDuplicateDocNames) {
|
||||
if($targetFolder->hasDocumentByName($document->getName())) {
|
||||
UI::exitError(getMLText("folder_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("document_duplicate_name"));
|
||||
UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("document_duplicate_name"));
|
||||
}
|
||||
}
|
||||
|
||||
if ($targetid != $oldFolder->getID()) {
|
||||
if ($document->setFolder($targetFolder)) {
|
||||
// Send notification to subscribers.
|
||||
if($notifier) {
|
||||
$nl1 = $oldFolder->getNotifyList();
|
||||
$nl2 = $document->getNotifyList();
|
||||
$nl3 = $targetFolder->getNotifyList();
|
||||
$nl = array(
|
||||
'users'=>array_unique(array_merge($nl1['users'], $nl2['users'], $nl3['users']), SORT_REGULAR),
|
||||
'groups'=>array_unique(array_merge($nl1['groups'], $nl2['groups'], $nl3['groups']), SORT_REGULAR)
|
||||
);
|
||||
$subject = "document_moved_email_subject";
|
||||
$message = "document_moved_email_body";
|
||||
$params = array();
|
||||
$params['name'] = $document->getName();
|
||||
$params['old_folder_path'] = $oldFolder->getFolderPathPlain();
|
||||
$params['new_folder_path'] = $targetFolder->getFolderPathPlain();
|
||||
$params['username'] = $user->getFullName();
|
||||
$params['url'] = getBaseUrl().$settings->_httpRoot."out/out.ViewDocument.php?documentid=".$document->getID();
|
||||
$params['sitename'] = $settings->_siteName;
|
||||
$params['http_root'] = $settings->_httpRoot;
|
||||
$notifier->toList($user, $nl["users"], $subject, $message, $params);
|
||||
foreach ($nl["groups"] as $grp) {
|
||||
$notifier->toGroup($user, $grp, $subject, $message, $params);
|
||||
}
|
||||
// if user is not owner send notification to owner
|
||||
if ($document->setFolder($targetFolder)) {
|
||||
// Send notification to subscribers.
|
||||
if($notifier) {
|
||||
$nl1 = $oldFolder->getNotifyList();
|
||||
$nl2 = $document->getNotifyList();
|
||||
$nl3 = $targetFolder->getNotifyList();
|
||||
$nl = array(
|
||||
'users'=>array_unique(array_merge($nl1['users'], $nl2['users'], $nl3['users']), SORT_REGULAR),
|
||||
'groups'=>array_unique(array_merge($nl1['groups'], $nl2['groups'], $nl3['groups']), SORT_REGULAR)
|
||||
);
|
||||
$subject = "document_moved_email_subject";
|
||||
$message = "document_moved_email_body";
|
||||
$params = array();
|
||||
$params['name'] = $document->getName();
|
||||
$params['old_folder_path'] = $oldFolder->getFolderPathPlain();
|
||||
$params['new_folder_path'] = $targetFolder->getFolderPathPlain();
|
||||
$params['username'] = $user->getFullName();
|
||||
$params['url'] = getBaseUrl().$settings->_httpRoot."out/out.ViewDocument.php?documentid=".$document->getID();
|
||||
$params['sitename'] = $settings->_siteName;
|
||||
$params['http_root'] = $settings->_httpRoot;
|
||||
$notifier->toList($user, $nl["users"], $subject, $message, $params);
|
||||
foreach ($nl["groups"] as $grp) {
|
||||
$notifier->toGroup($user, $grp, $subject, $message, $params);
|
||||
}
|
||||
// if user is not owner send notification to owner
|
||||
// if ($user->getID() != $document->getOwner()->getID())
|
||||
// $notifier->toIndividual($user, $document->getOwner(), $subject, $message, $params);
|
||||
}
|
||||
|
||||
} else {
|
||||
UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("error_occured"));
|
||||
}
|
||||
|
||||
} else {
|
||||
UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("error_occured"));
|
||||
}
|
||||
|
||||
add_log_line();
|
||||
|
|
|
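Review bot: The `error_occured` branch that follows the notification block still passes `$document->getName()` into the title unescaped, whereas the two checks this commit adds (the `target_equals_source_folder` exit and the `document_duplicate_name` title fix) wrap the same value in `htmlspecialchars()`; since that branch was re-indented along with the rest of the block it is new-side code and should follow the same rule, `UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("error_occured"));`. Whether UI::exitError escapes its title argument itself is not visible in this hunk; if it does not, a document name containing markup is rendered raw on the error page. The corresponding branch in op.MoveFolder.php lies outside the shown hunks and is presumably written the same way.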
@ -20,6 +20,7 @@
|
|||
|
||||
include("../inc/inc.Settings.php");
|
||||
include("../inc/inc.LogInit.php");
|
||||
include("../inc/inc.Utils.php");
|
||||
include("../inc/inc.Language.php");
|
||||
include("../inc/inc.Init.php");
|
||||
include("../inc/inc.Extension.php");
|
||||
|
@ -27,6 +28,11 @@ include("../inc/inc.DBInit.php");
|
|||
include("../inc/inc.ClassUI.php");
|
||||
include("../inc/inc.Authentication.php");
|
||||
|
||||
/* Check if the form data comes from a trusted request */
|
||||
if(!checkFormKey('movefolder', 'GET')) {
|
||||
UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
|
||||
}
|
||||
|
||||
if (!isset($_GET["folderid"]) || !is_numeric($_GET["folderid"]) || intval($_GET["folderid"])<1) {
|
||||
UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_folder_id"))),getMLText("invalid_folder_id"));
|
||||
}
|
||||
|
@ -52,6 +58,11 @@ if (!is_object($targetFolder)) {
|
|||
UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_folder_id"))),getMLText("invalid_folder_id"));
|
||||
}
|
||||
|
||||
$oldFolder = $folder->getParent();
|
||||
if ($targetid == $oldFolder->getID()) {
|
||||
UI::exitError(getMLText("folder_title", array("foldername" => htmlspecialchars($folder->getName()))),getMLText("target_equals_source_folder"));
|
||||
}
|
||||
|
||||
if($folder->isSubFolder($targetFolder)) {
|
||||
UI::exitError(getMLText("folder_title", array("foldername" => $folder->getName())),getMLText("invalid_target_folder"));
|
||||
}
|
||||
|
@ -67,7 +78,6 @@ if(!$settings->_enableDuplicateSubFolderNames) {
|
|||
}
|
||||
}
|
||||
|
||||
$oldFolder = $folder->getParent();
|
||||
if ($folder->setParent($targetFolder)) {
|
||||
// Send notification to subscribers.
|
||||
if($notifier) {
|
||||
|
|
|
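Review bot: `$oldFolder->getID()` in the added target-equals-source check runs before anything verifies that `$folder->getParent()` returned an object, while the same file checks `$targetFolder` with `is_object()` a few lines earlier; if `getParent()` can return a non-object for the root folder (not visible here), a move of the root ends in a fatal error instead of the error page. A guard in the existing style, `if (!is_object($oldFolder)) { UI::exitError(getMLText("folder_title", array("foldername" => getMLText("invalid_folder_id"))),getMLText("invalid_folder_id")); }` placed between the `getParent()` call and the comparison, keeps that failure on the normal error path. The comparison itself uses `==` against `$targetid`; if `$targetid` is still the raw query-string value, `intval($targetid) === $oldFolder->getID()` would make the intended numeric comparison explicit. The last hunk of this file is cut inside the `if($notifier)` block, so the notification code was not reviewed.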
@ -52,6 +52,7 @@ class SeedDMS_View_MoveDocument extends SeedDMS_Bootstrap_Style {
|
|||
$this->contentContainerStart('warning');
|
||||
?>
|
||||
<form class="form-horizontal" action="../op/op.MoveDocument.php" name="form1">
|
||||
<?php echo createHiddenFieldWithKey('movedocument'); ?>
|
||||
<input type="hidden" name="documentid" value="<?php print $document->getID();?>">
|
||||
<?php
|
||||
$this->formField(getMLText("choose_target_folder"), $this->getFolderChooserHtml("form1", M_READWRITE, -1, $target));
|
||||
|
|
|
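Review bot: The form in this hunk carries no `method` attribute, so it submits with GET and the CSRF token emitted by `createHiddenFieldWithKey('movedocument')` travels in the query string, where it ends up in server logs, browser history and Referer headers; the matching check in op.MoveDocument.php is `checkFormKey('movedocument', 'GET')`, and the movefolder form and op.MoveFolder.php are set up the same way. A state-changing move should be submitted as `<form class="form-horizontal" action="../op/op.MoveDocument.php" name="form1" method="post">` with the op side switched to `checkFormKey('movedocument', 'POST')` and reading its parameters from `$_POST`. Whether getFolderChooserHtml or the folder-tree links depend on GET submission is not visible here, so that should be checked before changing the method.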
@ -52,6 +52,7 @@ class SeedDMS_View_MoveFolder extends SeedDMS_Bootstrap_Style {
|
|||
|
||||
?>
|
||||
<form class="form-horizontal" action="../op/op.MoveFolder.php" name="form1">
|
||||
<?php echo createHiddenFieldWithKey('movefolder'); ?>
|
||||
<input type="hidden" name="folderid" value="<?php print $folder->getID();?>">
|
||||
<input type="hidden" name="showtree" value="<?php echo showtree();?>">
|
||||
<?php
|
||||
|
|