Merge branch 'seeddms-5.1.x' into seeddms-6.0.x

Uwe Steinmann 2021-06-16 14:28:33 +02:00
commit e91a66af21
7 changed files with 45 additions and 50 deletions


@ -218,6 +218,7 @@
- issue warning if document cannot be approved/reviewed anymore, because it has - issue warning if document cannot be approved/reviewed anymore, because it has
expired expired
- much better form validation based on jquery validation - much better form validation based on jquery validation
- secure unlocking/locking of a documents with form token to prevent CSRF attacks
-------------------------------------------------------------------------------- --------------------------------------------------------------------------------
Changes in version 5.1.22 Changes in version 5.1.22


@ -587,40 +587,45 @@ switch($command) {
case 'tooglelockdocument': /* {{{ */ case 'tooglelockdocument': /* {{{ */
if($user) { if($user) {
$document = $dms->getDocument($_REQUEST['id']); if(checkFormKey('tooglelockdocument', 'GET')) {
if($document) { $document = $dms->getDocument($_REQUEST['id']);
if ($document->getAccessMode($user) >= M_READWRITE) { if($document) {
if ($document->isLocked()) { if ($document->getAccessMode($user) >= M_READWRITE) {
$lockingUser = $document->getLockingUser(); if ($document->isLocked()) {
if (($lockingUser->getID() == $user->getID()) || ($document->getAccessMode($user) == M_ALL)) { $lockingUser = $document->getLockingUser();
if (!$document->setLocked(false)) { if (($lockingUser->getID() == $user->getID()) || ($document->getAccessMode($user) == M_ALL)) {
header('Content-Type: application/json'); if (!$document->setLocked(false)) {
echo json_encode(array('success'=>false, 'message'=>'Error unlocking document', 'data'=>'')); header('Content-Type: application/json');
echo json_encode(array('success'=>false, 'message'=>'Error unlocking document', 'data'=>''));
} else {
header('Content-Type: application/json');
echo json_encode(array('success'=>true, 'message'=>getMLText('splash_document_unlocked'), 'data'=>''));
}
} else { } else {
header('Content-Type: application/json'); header('Content-Type: application/json');
echo json_encode(array('success'=>true, 'message'=>getMLText('splash_document_unlocked'), 'data'=>'')); echo json_encode(array('success'=>false, 'message'=>getMLText('access_denied'), 'data'=>''));
} }
} else { } else {
header('Content-Type: application/json'); if (!$document->setLocked($user)) {
echo json_encode(array('success'=>false, 'message'=>getMLText('access_denied'), 'data'=>'')); header('Content-Type: application/json');
echo json_encode(array('success'=>false, 'message'=>'Error locking document', 'data'=>''));
} else {
header('Content-Type: application/json');
echo json_encode(array('success'=>true, 'message'=>getMLText('splash_document_locked'), 'data'=>''));
add_log_line();
}
} }
} else { } else {
if (!$document->setLocked($user)) { header('Content-Type: application/json');
header('Content-Type: application/json'); echo json_encode(array('success'=>false, 'message'=>getMLText('access_denied'), 'data'=>''));
echo json_encode(array('success'=>false, 'message'=>'Error locking document', 'data'=>''));
} else {
header('Content-Type: application/json');
echo json_encode(array('success'=>true, 'message'=>getMLText('splash_document_locked'), 'data'=>''));
add_log_line();
}
} }
} else { } else {
header('Content-Type: application/json'); header('Content-Type: application/json');
echo json_encode(array('success'=>false, 'message'=>getMLText('access_denied'), 'data'=>'')); echo json_encode(array('success'=>false, 'message'=>getMLText('invalid_doc_id'), 'data'=>''));
} }
} else { } else {
header('Content-Type: application/json'); header('Content-Type: application/json');
echo json_encode(array('success'=>false, 'message'=>getMLText('invalid_doc_id'), 'data'=>'')); echo json_encode(array('success'=>false, 'message'=>getMLText('invalid_request_token'), 'data'=>''));
} }
} }
break; /* }}} */ break; /* }}} */
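Review bot: The document id is still read from `$_REQUEST['id']` and passed straight to `getDocument()` without the `is_numeric`/`intval` guard the other lock/unlock entry points apply, and it comes from a different array than the token, which `checkFormKey('tooglelockdocument', 'GET')` validates against `$_GET` only. Unless the id is sanitised earlier in the switch (its start lies outside this hunk), read it from the same source and validate it before the lookup: `if(!isset($_GET['id']) || !is_numeric($_GET['id']) || intval($_GET['id']) < 1) { /* answer with invalid_doc_id JSON */ }`. The action is also still performed on a GET; the token now blocks cross-site forgery, but a token carried in the query string can land in access logs and Referer headers, so a POST would be the stronger shape. The `switch($command)` this case belongs to begins before the hunk.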


@ -29,6 +29,11 @@ require_once("inc/inc.DBInit.php");
require_once("inc/inc.ClassUI.php"); require_once("inc/inc.ClassUI.php");
require_once("inc/inc.Authentication.php"); require_once("inc/inc.Authentication.php");
/* Check if the form data comes from a trusted request */
if(!checkFormKey('lockdocument', 'GET')) {
UI::exitError(getMLText("document_title"), getMLText("invalid_request_token"));
}
if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_GET["documentid"])<1) { if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_GET["documentid"])<1) {
UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id")); UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
} }
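Review bot: The new error path calls `getMLText("document_title")` without the `documentname` placeholder that the adjacent `invalid_doc_id` path fills in via `array("documentname" => ...)`, so the title shown for a rejected token will presumably contain an unfilled placeholder. Align it with the existing call: `UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_request_token"))), getMLText("invalid_request_token"));`. Checking the token before parsing the document id is the right order, since a forged request should be rejected before anything is looked up.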


@ -28,6 +28,11 @@ include("../inc/inc.DBInit.php");
include("../inc/inc.ClassUI.php"); include("../inc/inc.ClassUI.php");
include("../inc/inc.Authentication.php"); include("../inc/inc.Authentication.php");
/* Check if the form data comes from a trusted request */
if(!checkFormKey('unlockdocument', 'GET')) {
UI::exitError(getMLText("document_title"), getMLText("invalid_request_token"));
}
if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_GET["documentid"])<1) { if (!isset($_GET["documentid"]) || !is_numeric($_GET["documentid"]) || intval($_GET["documentid"])<1) {
UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id")); UI::exitError(getMLText("document_title", array("documentname" => getMLText("invalid_doc_id"))),getMLText("invalid_doc_id"));
} }
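Review bot: The token is validated for the `GET` method, which keeps unlocking a state-changing GET whose CSRF token travels in the query string, where it ends up in browser history, proxy and server access logs, and the Referer header of whatever the resulting page loads. If the menu link can be rendered as a small POST form, `checkFormKey('unlockdocument', 'POST')` closes that exposure; the guard itself is correctly placed before the document id is parsed. As in the lock page, the first `exitError` argument omits the `documentname` placeholder the existing `invalid_doc_id` path passes, which is worth aligning.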


@ -794,14 +794,7 @@ background-image: linear-gradient(to bottom, #882222, #111111);;
if($accessobject->check_controller_access('UpdateDocument')) if($accessobject->check_controller_access('UpdateDocument'))
$menuitems['update_document'] = array('link'=>"../out/out.UpdateDocument".$docid, 'label'=>getMLText('update_document')); $menuitems['update_document'] = array('link'=>"../out/out.UpdateDocument".$docid, 'label'=>getMLText('update_document'));
if($accessobject->check_controller_access('LockDocument')) if($accessobject->check_controller_access('LockDocument'))
$menuitems['lock_document'] = array('link'=>"../op/op.LockDocument".$docid, 'label'=>getMLText('lock_document')); $menuitems['lock_document'] = array('link'=>"../op/op.LockDocument".$docid."&formtoken=".createFormKey('lockdocument'), 'label'=>getMLText('lock_document'));
if($document->isCheckedOut())
$menuitems['checkin_document'] = array('link'=>"../out/out.CheckInDocument".$docid, 'label'=>getMLText('checkin_document'));
else {
if($this->params['checkoutdir']) {
$menuitems['checkout_document'] = array('link'=>"../op/op.CheckOutDocument".$docid, 'label'=>getMLText('checkout_document'));
}
}
if($accessobject->check_controller_access('EditDocument')) if($accessobject->check_controller_access('EditDocument'))
$menuitems['edit_document_props'] = array('link'=>"../out/out.EditDocument".$docid , 'label'=>getMLText('edit_document_props')); $menuitems['edit_document_props'] = array('link'=>"../out/out.EditDocument".$docid , 'label'=>getMLText('edit_document_props'));
$menuitems['move_document'] = array('link'=>"../out/out.MoveDocument".$docid, 'label'=>getMLText('move_document')); $menuitems['move_document'] = array('link'=>"../out/out.MoveDocument".$docid, 'label'=>getMLText('move_document'));
@ -812,14 +805,7 @@ background-image: linear-gradient(to bottom, #882222, #111111);;
if($accessobject->check_controller_access('UpdateDocument')) if($accessobject->check_controller_access('UpdateDocument'))
$menuitems['update_document'] = array('link'=>"../out/out.UpdateDocument".$docid, 'label'=>getMLText('update_document')); $menuitems['update_document'] = array('link'=>"../out/out.UpdateDocument".$docid, 'label'=>getMLText('update_document'));
if($accessobject->check_controller_access('UnlockDocument')) if($accessobject->check_controller_access('UnlockDocument'))
$menuitems['unlock_document'] = array('link'=>"../op/op.UnlockDocument".$docid, 'label'=>getMLText('unlock_document')); $menuitems['unlock_document'] = array('link'=>"../op/op.UnlockDocument".$docid."&formtoken=".createFormKey('unlockdocument'), 'label'=>getMLText('unlock_document'));
if($document->isCheckedOut()) {
$menuitems['checkin_document'] = array('link'=>"../out/out.CheckInDocument".$docid, 'label'=>getMLText('checkin_document'));
} else {
if($this->params['checkoutdir']) {
$menuitems['checkout_document'] = array('link'=>"../op/op.CheckOutDocument".$docid, 'label'=>getMLText('checkout_document'));
}
}
if($accessobject->check_controller_access('EditDocument')) if($accessobject->check_controller_access('EditDocument'))
$menuitems['edit_document_props'] = array('link'=>"../out/out.EditDocument".$docid, 'label'=>getMLText('edit_document_props')); $menuitems['edit_document_props'] = array('link'=>"../out/out.EditDocument".$docid, 'label'=>getMLText('edit_document_props'));
$menuitems['move_document'] = array('link'=>"../out/out.MoveDocument".$docid, 'label'=>getMLText('move_document')); $menuitems['move_document'] = array('link'=>"../out/out.MoveDocument".$docid, 'label'=>getMLText('move_document'));
@ -2605,7 +2591,7 @@ $(function() {
$title = 'lock_document'; $title = 'lock_document';
} }
$content = ''; $content = '';
$content .= '<a class="lock-document-btn" rel="'.$docid.'" msg="'.getMLText($msg).'" title="'.getMLText($title).'"><i class="fa fa-'.$icon.'"></i></a>'; $content .= '<a class="lock-document-btn" rel="'.$docid.'" msg="'.getMLText($msg).'" title="'.getMLText($title).'" data-formtoken="'.createFormKey('tooglelockdocument').'"><i class="fa fa-'.$icon.'"></i></a>';
if($return) if($return)
return $content; return $content;
else else
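Review bot: `data-formtoken="'.createFormKey('tooglelockdocument').'"` is interpolated into an HTML attribute unescaped, and the same helper's output is spliced raw into the two menu URLs above; if the key is hex that is harmless, but its alphabet is not visible here, so `htmlspecialchars()` on the attribute value and `urlencode()` on the `&formtoken=` parameter cost nothing and keep the markup and URL valid whatever the format. The lock/unlock links still trigger the action on a GET, so the token is now exposed in history, logs and Referer headers; a POST form per menu entry would avoid that. The enclosing methods start and end outside these hunks.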


@ -707,7 +707,7 @@ background-image: linear-gradient(to bottom, #882222, #111111);;
if($accessobject->check_controller_access('UpdateDocument')) if($accessobject->check_controller_access('UpdateDocument'))
$menuitems['update_document'] = array('link'=>"../out/out.UpdateDocument".$docid, 'label'=>getMLText('update_document')); $menuitems['update_document'] = array('link'=>"../out/out.UpdateDocument".$docid, 'label'=>getMLText('update_document'));
if($accessobject->check_controller_access('LockDocument')) if($accessobject->check_controller_access('LockDocument'))
$menuitems['lock_document'] = array('link'=>"../op/op.LockDocument".$docid, 'label'=>getMLText('lock_document')); $menuitems['lock_document'] = array('link'=>"../op/op.LockDocument".$docid."&formtoken=".createFormKey('lockdocument'), 'label'=>getMLText('lock_document'));
if($document->isCheckedOut()) if($document->isCheckedOut())
$menuitems['checkin_document'] = array('link'=>"../out/out.CheckInDocument".$docid, 'label'=>getMLText('checkin_document')); $menuitems['checkin_document'] = array('link'=>"../out/out.CheckInDocument".$docid, 'label'=>getMLText('checkin_document'));
else { else {
@ -725,14 +725,7 @@ background-image: linear-gradient(to bottom, #882222, #111111);;
if($accessobject->check_controller_access('UpdateDocument')) if($accessobject->check_controller_access('UpdateDocument'))
$menuitems['update_document'] = array('link'=>"../out/out.UpdateDocument".$docid, 'label'=>getMLText('update_document')); $menuitems['update_document'] = array('link'=>"../out/out.UpdateDocument".$docid, 'label'=>getMLText('update_document'));
if($accessobject->check_controller_access('UnlockDocument')) if($accessobject->check_controller_access('UnlockDocument'))
$menuitems['unlock_document'] = array('link'=>"../op/op.UnlockDocument".$docid, 'label'=>getMLText('unlock_document')); $menuitems['unlock_document'] = array('link'=>"../op/op.UnlockDocument".$docid."&formtoken=".createFormKey('unlockdocument'), 'label'=>getMLText('unlock_document'));
if($document->isCheckedOut()) {
$menuitems['checkin_document'] = array('link'=>"../out/out.CheckInDocument".$docid, 'label'=>getMLText('checkin_document'));
} else {
if($this->params['checkoutdir']) {
$menuitems['checkout_document'] = array('link'=>"../op/op.CheckOutDocument".$docid, 'label'=>getMLText('checkout_document'));
}
}
if($accessobject->check_controller_access('EditDocument')) if($accessobject->check_controller_access('EditDocument'))
$menuitems['edit_document_props'] = array('link'=>"../out/out.EditDocument".$docid, 'label'=>getMLText('edit_document_props')); $menuitems['edit_document_props'] = array('link'=>"../out/out.EditDocument".$docid, 'label'=>getMLText('edit_document_props'));
$menuitems['move_document'] = array('link'=>"../out/out.MoveDocument".$docid, 'label'=>getMLText('move_document')); $menuitems['move_document'] = array('link'=>"../out/out.MoveDocument".$docid, 'label'=>getMLText('move_document'));
@ -2582,7 +2575,7 @@ $(function() {
$title = 'lock_document'; $title = 'lock_document';
} }
$content = ''; $content = '';
$content .= '<a class="lock-document-btn" rel="'.$docid.'" msg="'.getMLText($msg).'" title="'.getMLText($title).'"><i class="fa fa-'.$icon.'"></i></a>'; $content .= '<a class="lock-document-btn" rel="'.$docid.'" msg="'.getMLText($msg).'" title="'.getMLText($title).'" data-formtoken="'.createFormKey('tooglelockdocument').'"><i class="fa fa-'.$icon.'"></i></a>';
if($return) if($return)
return $content; return $content;
else else
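Review bot: Within this file the `checkin_document`/`checkout_document` items survive in the not-locked branch (the `if($document->isCheckedOut())` context right after `lock_document`) but are removed from the locked branch after `unlock_document`, so a document that is both locked and checked out appears to lose its check-in entry after this merge. If that asymmetry is not intended, the removed block should be restored under `unlock_document`; the deletion looks like merge fallout rather than part of the CSRF change. The `data-formtoken` value is written into the attribute unescaped, as in the sibling view; `htmlspecialchars()` there is cheap insurance. The enclosing method begins before and ends after these hunks.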


@ -389,7 +389,7 @@ $(document).ready( function() {
attr_msg = $(ev.currentTarget).attr('msg'); attr_msg = $(ev.currentTarget).attr('msg');
id = attr_rel; id = attr_rel;
$.get('../op/op.Ajax.php', $.get('../op/op.Ajax.php',
{ command: 'tooglelockdocument', id: id }, { command: 'tooglelockdocument', formtoken: $(ev.currentTarget).data('formtoken'), id: id },
function(data) { function(data) {
if(data.success) { if(data.success) {
//$("#table-row-document-"+id).html('Loading').load('../op/op.Ajax.php?command=view&view=documentlistrow&id='+id) //$("#table-row-document-"+id).html('Loading').load('../op/op.Ajax.php?command=view&view=documentlistrow&id='+id)
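Review bot: `$(ev.currentTarget).data('formtoken')` runs through jQuery's data conversion, which turns attribute strings that look like numbers (or `true`/`false`/`null`) into JavaScript values, so a token made only of digits could be sent altered — long digit strings lose precision once parsed as a Number. Reading the raw attribute sidesteps this: `formtoken: $(ev.currentTarget).attr('data-formtoken')`. The call is also still a `$.get` for a state-changing action; `$.post` together with a POST-side `checkFormKey` would keep the token out of the URL. The click handler this belongs to begins before the hunk.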