mirror of
https://git.code.sf.net/p/seeddms/code
synced 2025-02-06 07:04:57 +00:00
more access checking
This commit is contained in:
Uwe Steinmann
parent
0c260f286b
commit
e8a50e3101
|
|
@ -29,6 +29,11 @@ require_once("inc/inc.DBInit.php");
|
|||
require_once("inc/inc.ClassUI.php");
|
||||
require_once("inc/inc.Authentication.php");
|
||||
|
||||
$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
|
||||
if (!$accessop->check_controller_access('LockDocument', $_POST)) {
|
||||
UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
|
||||
}
|
||||
|
||||
/* Check if the form data comes from a trusted request */
|
||||
if(!checkFormKey('lockdocument', 'GET')) {
|
||||
UI::exitError(getMLText("document_title"), getMLText("invalid_request_token"));
|
||||
|
|
|
|||
|
|
@ -33,6 +33,11 @@ if(!checkFormKey('movedocument', 'GET')) {
|
|||
UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))),getMLText("invalid_request_token"));
|
||||
}
|
||||
|
||||
$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
|
||||
if (!$accessop->check_controller_access('MoveDocument', $_POST)) {
|
||||
UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
|
||||
}
|
||||
|
||||
if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_GET["documentid"])<1) {
|
||||
UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
|
||||
}
|
||||
|
|
|
|||
|
|
@ -30,6 +30,10 @@ include("../inc/inc.Authentication.php");
|
|||
|
||||
$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
|
||||
$controller = Controller::factory($tmp[1], array('dms'=>$dms, 'user'=>$user));
|
||||
$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
|
||||
if (!$accessop->check_controller_access($controller, $_POST)) {
|
||||
UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
|
||||
}
|
||||
|
||||
/* Check if the form data comes from a trusted request */
|
||||
if(!checkFormKey('removedocument')) {
|
||||
|
|
|
|||
|
|
@ -28,6 +28,11 @@ include("../inc/inc.DBInit.php");
|
|||
include("../inc/inc.ClassUI.php");
|
||||
include("../inc/inc.Authentication.php");
|
||||
|
||||
$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
|
||||
if (!$accessop->check_controller_access('UnlockDocument', $_POST)) {
|
||||
UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
|
||||
}
|
||||
|
||||
/* Check if the form data comes from a trusted request */
|
||||
if(!checkFormKey('unlockdocument', 'GET')) {
|
||||
UI::exitError(getMLText("document_title"), getMLText("invalid_request_token"));
|
||||
|
|
|
|||
|
|
@ -30,6 +30,10 @@ include("../inc/inc.ClassController.php");
|
|||
|
||||
$tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
|
||||
$controller = Controller::factory($tmp[1], array('dms'=>$dms, 'user'=>$user));
|
||||
$accessop = new SeedDMS_AccessOperation($dms, $user, $settings);
|
||||
if (!$accessop->check_controller_access($controller, $_POST)) {
|
||||
UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("access_denied"));
|
||||
}
|
||||
|
||||
/* Check if the form data comes from a trusted request */
|
||||
if(!checkFormKey('updatedocument')) {
|
||||
|
|
|
|||
|
|
@ -798,9 +798,17 @@ background-image: linear-gradient(to bottom, #882222, #111111);;
|
|||
$menuitems['update_document'] = array('link'=>"../out/out.UpdateDocument".$docid, 'label'=>getMLText('update_document'));
|
||||
if($accessobject->check_controller_access('LockDocument'))
|
||||
$menuitems['lock_document'] = array('link'=>"../op/op.LockDocument".$docid."&formtoken=".createFormKey('lockdocument'), 'label'=>getMLText('lock_document'));
|
||||
if($document->isCheckedOut())
|
||||
$menuitems['checkin_document'] = array('link'=>"../out/out.CheckInDocument".$docid, 'label'=>getMLText('checkin_document'));
|
||||
else {
|
||||
if($this->params['checkoutdir']) {
|
||||
$menuitems['checkout_document'] = array('link'=>"../op/op.CheckOutDocument".$docid, 'label'=>getMLText('checkout_document'));
|
||||
}
|
||||
}
|
||||
if($accessobject->check_controller_access('EditDocument'))
|
||||
$menuitems['edit_document_props'] = array('link'=>"../out/out.EditDocument".$docid , 'label'=>getMLText('edit_document_props'));
|
||||
$menuitems['move_document'] = array('link'=>"../out/out.MoveDocument".$docid, 'label'=>getMLText('move_document'));
|
||||
if($accessobject->check_controller_access('MoveDocument'))
|
||||
$menuitems['move_document'] = array('link'=>"../out/out.MoveDocument".$docid, 'label'=>getMLText('move_document'));
|
||||
}
|
||||
else {
|
||||
$lockingUser = $document->getLockingUser();
|
||||
|
|
@ -811,7 +819,8 @@ background-image: linear-gradient(to bottom, #882222, #111111);;
|
|||
$menuitems['unlock_document'] = array('link'=>"../op/op.UnlockDocument".$docid."&formtoken=".createFormKey('unlockdocument'), 'label'=>getMLText('unlock_document'));
|
||||
if($accessobject->check_controller_access('EditDocument'))
|
||||
$menuitems['edit_document_props'] = array('link'=>"../out/out.EditDocument".$docid, 'label'=>getMLText('edit_document_props'));
|
||||
$menuitems['move_document'] = array('link'=>"../out/out.MoveDocument".$docid, 'label'=>getMLText('move_document'));
|
||||
if($accessobject->check_controller_access('MoveDocument'))
|
||||
$menuitems['move_document'] = array('link'=>"../out/out.MoveDocument".$docid, 'label'=>getMLText('move_document'));
|
||||
}
|
||||
}
|
||||
if($accessobject->maySetExpires($document)) {
|
||||
|
|
@ -825,7 +834,7 @@ background-image: linear-gradient(to bottom, #882222, #111111);;
|
|||
if ($accessobject->check_view_access('DocumentAccess'))
|
||||
$menuitems['edit_document_access'] = array('link'=>"../out/out.DocumentAccess". $docid, 'label'=>getMLText('edit_document_access'));
|
||||
}
|
||||
if ($accessMode >= M_READ) {
|
||||
if ($accessMode >= M_READ && !$this->params['user']->isGuest()) {
|
||||
if ($accessobject->check_view_access('DocumentNotify'))
|
||||
$menuitems['edit_existing_notify'] = array('link'=>"../out/out.DocumentNotify". $docid, 'label'=>getMLText('edit_existing_notify'));
|
||||
}
|
||||
|
|
@ -1604,6 +1613,7 @@ $(document).ready(function() {
|
|||
array(
|
||||
'target' => 'docChooser'.$formid,
|
||||
'remote' => "../out/out.DocumentChooser.php?form=".$formid."&folderid=".$folderid."&partialtree=".$partialtree,
|
||||
'class' => 'btn btn-secondary',
|
||||
'title' => getMLText('document').'…'
|
||||
));
|
||||
$content .= "</div>\n";
|
||||
|
|
@ -1668,6 +1678,7 @@ function folderSelected<?php echo $formid ?>(id, name) {
|
|||
array(
|
||||
'target' => 'folderChooser'.$formid,
|
||||
'remote' => "../out/out.FolderChooser.php?form=".$formid."&mode=".$accessMode."&exclude=".$exclude,
|
||||
'class' => 'btn btn-secondary',
|
||||
'title' => getMLText('folder').'…'
|
||||
));
|
||||
}
|
||||
|
|
@ -1740,6 +1751,7 @@ $(document).ready(function() {
|
|||
array(
|
||||
'target' => 'keywordChooser',
|
||||
'remote' => "../out/out.KeywordChooser.php?target=".$formName,
|
||||
'class' => 'btn btn-secondary',
|
||||
'title' => getMLText('keywords').'…'
|
||||
));
|
||||
$content .= '
|
||||
|
|
@ -1991,6 +2003,7 @@ $(document).ready(function() {
|
|||
array(
|
||||
'target' => 'dropfolderChooser',
|
||||
'remote' => "../out/out.DropFolderChooser.php?form=".$formName."&dropfolderfile=".urlencode($dropfolderfile)."&showfolders=".$showfolders,
|
||||
'class' => 'btn btn-secondary',
|
||||
'title' => ($showfolders ? getMLText("choose_target_folder"): getMLText("choose_target_file")).'…'
|
||||
));
|
||||
$content .= "</div>\n";
|
||||
|
|
|
|||
|
|
@ -721,7 +721,8 @@ background-image: linear-gradient(to bottom, #882222, #111111);;
|
|||
}
|
||||
if($accessobject->check_controller_access('EditDocument'))
|
||||
$menuitems['edit_document_props'] = array('link'=>"../out/out.EditDocument".$docid , 'label'=>getMLText('edit_document_props'));
|
||||
$menuitems['move_document'] = array('link'=>"../out/out.MoveDocument".$docid, 'label'=>getMLText('move_document'));
|
||||
if($accessobject->check_controller_access('MoveDocument'))
|
||||
$menuitems['move_document'] = array('link'=>"../out/out.MoveDocument".$docid, 'label'=>getMLText('move_document'));
|
||||
}
|
||||
else {
|
||||
$lockingUser = $document->getLockingUser();
|
||||
|
|
@ -732,7 +733,8 @@ background-image: linear-gradient(to bottom, #882222, #111111);;
|
|||
$menuitems['unlock_document'] = array('link'=>"../op/op.UnlockDocument".$docid."&formtoken=".createFormKey('unlockdocument'), 'label'=>getMLText('unlock_document'));
|
||||
if($accessobject->check_controller_access('EditDocument'))
|
||||
$menuitems['edit_document_props'] = array('link'=>"../out/out.EditDocument".$docid, 'label'=>getMLText('edit_document_props'));
|
||||
$menuitems['move_document'] = array('link'=>"../out/out.MoveDocument".$docid, 'label'=>getMLText('move_document'));
|
||||
if($accessobject->check_controller_access('MoveDocument'))
|
||||
$menuitems['move_document'] = array('link'=>"../out/out.MoveDocument".$docid, 'label'=>getMLText('move_document'));
|
||||
}
|
||||
}
|
||||
if($accessobject->maySetExpires($document)) {
|
||||
|
|
@ -750,7 +752,7 @@ background-image: linear-gradient(to bottom, #882222, #111111);;
|
|||
if ($accessobject->check_view_access('DocumentNotify'))
|
||||
$menuitems['edit_existing_notify'] = array('link'=>"../out/out.DocumentNotify". $docid, 'label'=>getMLText('edit_existing_notify'));
|
||||
}
|
||||
if ($this->params['user']->isAdmin()) {
|
||||
if ($accessobject->check_view_access('TransferDocument')) {
|
||||
$menuitems['transfer_document'] = array('link'=>"../out/out.TransferDocument". $docid, 'label'=>getMLText('transfer_document'));
|
||||
}
|
||||
|
||||
|
|
@ -777,7 +779,7 @@ background-image: linear-gradient(to bottom, #882222, #111111);;
|
|||
$accessobject = $this->params['accessobject'];
|
||||
|
||||
$menuitems = array();
|
||||
if ($this->params['user']->isAdmin() || !$this->params['disableselfedit'])
|
||||
if ($accessobject->check_view_access('EditUserData') || !$this->params['disableselfedit'])
|
||||
$menuitems['edit_user_details'] = array('link'=>"../out/out.EditUserData.php", 'label'=>getMLText('edit_user_details'));
|
||||
|
||||
if (!$this->params['user']->isAdmin())
|
||||
|
|
@ -938,7 +940,7 @@ background-image: linear-gradient(to bottom, #882222, #111111);;
|
|||
echo "<li><a href=\"../out/out.CalendarOld.php?mode=w".$ds."\">".getMLText("week_view")."</a></li>\n";
|
||||
echo "<li><a href=\"../out/out.CalendarOld.php?mode=m".$ds."\">".getMLText("month_view")."</a></li>\n";
|
||||
echo "<li><a href=\"../out/out.CalendarOld.php?mode=y".$ds."\">".getMLText("year_view")."</a></li>\n";
|
||||
if (!$this->params['user']->isGuest())
|
||||
if($accessobject->check_view_access(array('AddEvent')))
|
||||
echo "<li><a href=\"../out/out.AddEvent.php\">".getMLText("add_event")."</a></li>\n";
|
||||
echo "</ul>\n";
|
||||
echo "</div>\n";
|
||||
|
|
@ -950,7 +952,7 @@ background-image: linear-gradient(to bottom, #882222, #111111);;
|
|||
$accessobject = $this->params['accessobject'];
|
||||
|
||||
$menuitems = array();
|
||||
if (!$this->params['user']->isGuest())
|
||||
if($accessobject->check_view_access(array('AddEvent')))
|
||||
$menuitems['addevent'] = array('link'=>"../out/out.AddEvent.php", 'label'=>getMLText('add_event'));
|
||||
|
||||
/* Check if hook exists because otherwise callHook() will override $menuitems */
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user