more checking for access rights

This commit is contained in:
Uwe Steinmann 2019-11-25 09:36:32 +01:00
parent 0d4c970029
commit cbac16773d
5 changed files with 22 additions and 3 deletions


@ -38,6 +38,11 @@ if (!is_object($document)) {
UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
}
$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
if (!$accessop->check_controller_access('LockDocument', $_POST)) {
UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
}
$folder = $document->getFolder();
$docPathHTML = getFolderPathHTML($folder, true). " / <a href=\"../out/out.ViewDocument.php?documentid=".$documentid."\">".$document->getName()."</a>";
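Review bot: The access-denied branch at L16 builds the title with `getMLText("invalid_doc_id")` as the document name, although `$document` has already been validated two lines above; the user is told the id is invalid when the real reason is missing permission. The other checks added in this commit use the real name, so this line should read `UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("access_denied"));`. Whether `check_controller_access('LockDocument', $_POST)` also enforces that the request is a genuine form submission (CSRF token) cannot be seen here; if it does not, the op script still needs that check before acting on `$_POST`.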


@ -43,6 +43,10 @@ if (!is_object($document)) {
UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
}
if (!$accessop->check_view_access($view, $_GET)) {
UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
}
if ($document->getAccessMode($user) < M_ALL) {
UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("access_denied"));
}
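Review bot: The new error path at L27 passes `$document->getName()` into the page title unescaped, while the pre-existing check directly below it (L30) wraps the same value in `htmlspecialchars()`; document names are set by uploaders, so if `UI::exitError` emits the title as HTML this is a reflected-markup inconsistency introduced by the hunk. Use the same form as L30: `array("documentname" => htmlspecialchars($document->getName()))`. I cannot see from this diff whether `exitError` escapes internally, but the file should at least be consistent with itself.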


@ -44,6 +44,10 @@ if (!is_object($document)) {
UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
}
if (!$accessop->check_view_access($view, $_GET)) {
UI::exitError(getMLText("document_title", array("documentname" => $document->getName())),getMLText("access_denied"));
}
if(!$accessop->maySetExpires($document)) {
UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("access_denied"));
}
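Review bot: Same escaping gap as in the sibling file: L39 interpolates `$document->getName()` raw into the title, whereas the `maySetExpires` check right after it (L42) escapes the name with `htmlspecialchars()`. Change L39 to `UI::exitError(getMLText("document_title", array("documentname" => htmlspecialchars($document->getName()))),getMLText("access_denied"));` so the two denial paths behave identically. It is also worth a one-line comment above the pair explaining that `check_view_access` is the generic view-level gate and `maySetExpires` the document-level one, since a reader may otherwise assume one of them is redundant.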


@ -32,8 +32,9 @@ require_once("inc/inc.Authentication.php");
$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
$view = UI::factory($theme, $tmp[1], array('dms'=>$dms, 'user'=>$user));
if (!$user->isAdmin()) {
UI::exitError(getMLText("document"),getMLText("access_denied"));
$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
if (!$accessop->check_view_access($view, $_GET)) {
UI::exitError(getMLText("admin_tools"),getMLText("access_denied"), false, $isajax);
}
if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_GET["documentid"])<1) {
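Review bot: Replacing the hard `$user->isAdmin()` gate (L50-L51) with `check_view_access($view, $_GET)` (L53) turns an explicit admin-only page into one governed by the access-operation configuration, so if that configuration has no entry for this view, or defaults to permissive, non-admin users gain access that the old code denied. The implementation of `check_view_access` is not in this diff, so I cannot confirm its default; until it is, keeping the admin test as defence in depth is the safer shape, e.g. `if (!$user->isAdmin() || !$accessop->check_view_access($view, $_GET)) {`. `$isajax` is passed to `exitError` on L54 but is not assigned anywhere in the hunk; please confirm it is set earlier in the file rather than being an undefined variable resolving to null.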


@ -95,6 +95,7 @@ $(document).ready(function() {
$cachedir = $this->params['cachedir'];
$previewwidthlist = $this->params['previewWidthList'];
$previewwidthdetail = $this->params['previewWidthDetail'];
$accessobject = $this->params['accessobject'];
$set = 'markdown'; //default or markdown
$skin = 'simple'; // simple or markitup
@ -124,9 +125,13 @@ $this->contentHeading(getMLText("content"));
?>
</textarea>
<?php
echo $this->warningMsg(getMLText('edit_online_warning'));
if($accessobject->check_controller_access('EditOnline')) {
echo $this->warningMsg(getMLText('edit_online_warning'));
?>
<button id="update" type="submit" class="btn btn-primary"><i class="icon-save"></i> <?php printMLText("save"); ?></button>
<?php
}
?>
</form>
<?php
echo "</div>\n";
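Review bot: Hiding the save button behind `check_controller_access('EditOnline')` (L72-L77) is a presentation change only; a user without the permission can still submit the form by hand, so the denial must also be enforced in the EditOnline controller, which is not part of this commit and should be verified. Because the `edit_online_warning` message moved inside the same condition, a user who lacks the permission now sees an editable textarea with no button and no explanation; an `} else { echo $this->warningMsg(getMLText('access_denied')); }` branch would make the state visible. `$this->params['accessobject']` (L64) is read without a default like the other params, so a caller that does not pass it will fatal on the method call at L72; a comment noting that the view requires this param would help. The enclosing method begins before this hunk.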