From 08bb16e3f9135d8d52e121a05bd3f2807b82d95a Mon Sep 17 00:00:00 2001
From: dheeyi
Date: Wed, 26 Aug 2015 15:34:02 -0400
Subject: [PATCH] PM-3208 0017920: Security hole: Any user can get and set variables in any case with REST GET/PUT /cases/{app_uid}/variables

---
 .../src/ProcessMaker/BusinessModel/Cases.php | 42 ++++++++++++++++++-
 .../src/ProcessMaker/Services/Api/Cases.php  |  6 ++-
 2 files changed, 44 insertions(+), 4 deletions(-)

diff --git a/workflow/engine/src/ProcessMaker/BusinessModel/Cases.php b/workflow/engine/src/ProcessMaker/BusinessModel/Cases.php
index 33f4e3a00..cf04b20e0 100644
--- a/workflow/engine/src/ProcessMaker/BusinessModel/Cases.php
+++ b/workflow/engine/src/ProcessMaker/BusinessModel/Cases.php
@@ -1455,15 +1455,34 @@ class Cases
      *
      * @access public
      * @param string $app_uid, Uid for case
+     * @param string $usr_uid, Uid for user
      * @return array
      *
      * @author Brayan Pereyra (Cochalo)
      * @copyright Colosa - Bolivia
      */
-    public function getCaseVariables($app_uid)
+    public function getCaseVariables($app_uid, $usr_uid)
     {
         Validator::isString($app_uid, '$app_uid');
         Validator::appUid($app_uid, '$app_uid');
+        Validator::isString($usr_uid, '$usr_uid');
+        Validator::usrUid($usr_uid, '$usr_uid');
+
+        $appCacheView = new \AppCacheView();
+        $isProcessSupervisor = $appCacheView->getProUidSupervisor($usr_uid);
+        $criteria = new \Criteria("workflow");
+        $criteria->addSelectColumn(\AppDelegationPeer::APP_UID);
+        $criteria->add(\AppDelegationPeer::APP_UID, $app_uid, \Criteria::EQUAL);
+        $criteria->add(\AppDelegationPeer::USR_UID, $usr_uid, \Criteria::EQUAL);
+        $criteria->add(
+            $criteria->getNewCriterion(\AppDelegationPeer::USR_UID, $usr_uid, \Criteria::EQUAL)->addOr(
+                $criteria->getNewCriterion(\AppDelegationPeer::PRO_UID, $isProcessSupervisor, \Criteria::IN))
+        );
+        $rsCriteria = \AppDelegationPeer::doSelectRS($criteria);
+
+        if (!$rsCriteria->next()) {
+            throw (new \Exception(\G::LoadTranslation("ID_NO_PERMISSION_NO_PARTICIPATED", array($usr_uid))));
+        }
 
         $case = new \Cases();
         $fields = $case->loadCase($app_uid);
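Review bot: The unconditional `$criteria->add(\AppDelegationPeer::USR_UID, $usr_uid, \Criteria::EQUAL)` on the line before the OR criterion is wrong in either reading: if this Propel `Criteria::add` keys criteria by column (Propel 1 does), the next `add()` of a Criterion on the same USR_UID column silently replaces it, so the line is dead; if it does not, the two are ANDed and a process supervisor who never participated in the case is still refused, which defeats the `PRO_UID IN (...)` branch. Delete that line so the predicate actually sent is `APP_UID = ? AND (USR_UID = ? OR PRO_UID IN (...))`. The same predicate is repeated verbatim in setCaseVariables; a private helper such as `throwExceptionIfUserCannotAccessCase($app_uid, $usr_uid)` would keep the two checks from drifting apart. Two caveats worth a comment: any historical delegation grants access for the case's whole life, and `Validator::appUid` runs before the participation check, so if it rejects unknown UIDs with a distinct message a non-participant can still probe whether a case UID exists. getCaseVariables's body continues past the hunk.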
@@ -1477,15 +1496,34 @@ class Cases
      * @param string $app_uid, Uid for case
      * @param array $app_data, Data for case variables
      * @param string $dyn_uid, Uid for dynaform
+     * @param string $usr_uid, Uid for user
      *
      * @author Brayan Pereyra (Cochalo)
      * @copyright Colosa - Bolivia
      */
-    public function setCaseVariables($app_uid, $app_data, $dyn_uid = null)
+    public function setCaseVariables($app_uid, $app_data, $dyn_uid = null, $usr_uid)
     {
         Validator::isString($app_uid, '$app_uid');
         Validator::appUid($app_uid, '$app_uid');
         Validator::isArray($app_data, '$app_data');
+        Validator::isString($usr_uid, '$usr_uid');
+        Validator::usrUid($usr_uid, '$usr_uid');
+
+        $appCacheView = new \AppCacheView();
+        $isProcessSupervisor = $appCacheView->getProUidSupervisor($usr_uid);
+        $criteria = new \Criteria("workflow");
+        $criteria->addSelectColumn(\AppDelegationPeer::APP_UID);
+        $criteria->add(\AppDelegationPeer::APP_UID, $app_uid, \Criteria::EQUAL);
+        $criteria->add(\AppDelegationPeer::USR_UID, $usr_uid, \Criteria::EQUAL);
+        $criteria->add(
+            $criteria->getNewCriterion(\AppDelegationPeer::USR_UID, $usr_uid, \Criteria::EQUAL)->addOr(
+                $criteria->getNewCriterion(\AppDelegationPeer::PRO_UID, $isProcessSupervisor, \Criteria::IN))
+        );
+        $rsCriteria = \AppDelegationPeer::doSelectRS($criteria);
+
+        if (!$rsCriteria->next()) {
+            throw (new \Exception(\G::LoadTranslation("ID_NO_PERMISSION_NO_PARTICIPATED", array($usr_uid))));
+        }
 
         $case = new \Cases();
         $fields = $case->loadCase($app_uid);
diff --git a/workflow/engine/src/ProcessMaker/Services/Api/Cases.php b/workflow/engine/src/ProcessMaker/Services/Api/Cases.php
index 6a65fc7b4..42460d18b 100644
--- a/workflow/engine/src/ProcessMaker/Services/Api/Cases.php
+++ b/workflow/engine/src/ProcessMaker/Services/Api/Cases.php
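Review bot: The new signature `setCaseVariables($app_uid, $app_data, $dyn_uid = null, $usr_uid)` puts a required parameter after an optional one, so the `= null` default can never take effect and PHP 8.0+ reports it as deprecated; since the only visible caller now passes all four arguments, declare it `public function setCaseVariables($app_uid, $app_data, $dyn_uid, $usr_uid)` (or move `$usr_uid` ahead of `$dyn_uid = null` if other callers are updated). The participation predicate copied from getCaseVariables carries the same flaw as there: the plain `add(USR_UID = $usr_uid)` immediately before the OR criterion either replaces or is replaced by it depending on how `Criteria::add` keys columns, and should be removed so only the intended `(USR_UID = ? OR PRO_UID IN (...))` remains. For a write path, "any delegation ever existed for this user" is a weak gate; consider whether PUT should require the caller to hold the case's current open delegation (or be a supervisor) rather than any historical one, and say which in the docblock. setCaseVariables's body continues past the hunk.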
@@ -830,8 +830,9 @@ class Cases extends Api
     public function doGetCaseVariables($app_uid)
     {
         try {
+            $usr_uid = $this->getUserId();
             $cases = new \ProcessMaker\BusinessModel\Cases();
-            $response = $cases->getCaseVariables($app_uid);
+            $response = $cases->getCaseVariables($app_uid, $usr_uid);
             return $response;
         } catch (\Exception $e) {
             throw (new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage()));
@@ -853,8 +854,9 @@ class Cases extends Api
     public function doPutCaseVariables($app_uid, $request_data, $dyn_uid = '')
     {
         try {
+            $usr_uid = $this->getUserId();
             $cases = new \ProcessMaker\BusinessModel\Cases();
-            $cases->setCaseVariables($app_uid, $request_data, $dyn_uid);
+            $cases->setCaseVariables($app_uid, $request_data, $dyn_uid, $usr_uid);
         } catch (\Exception $e) {
             throw (new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage()));
         }
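Review bot: The authorization refusal raised by getCaseVariables is swallowed by the blanket `catch (\Exception $e)` and re-thrown as `RestException(Api::STAT_APP_EXCEPTION, ...)`, the same status as any other application error, so API clients cannot tell "forbidden" from "bad input" and the rejection is indistinguishable in logs from ordinary failures. If Api exposes a forbidden/unauthorized status constant, have the business model throw a dedicated exception type for the participation failure and catch it separately here to map it to that status. The whole fix also rests on `$this->getUserId()` being derived from the authenticated session rather than from request input; a one-line comment such as `// authenticated caller, never taken from the request` next to the new assignment would make that contract explicit. doGetCaseVariables's closing brace lies outside the hunk.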
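Review bot: The new check gates who may write, not what they may write: `$request_data` is still passed through whole to setCaseVariables, so any participant can set every key the case data accepts, and if system-managed variables live in that array they need filtering on the model side (outside this hunk). The `$dyn_uid = ''` default here also no longer lines up with the model's `$dyn_uid = null`, which is dead now that a required `$usr_uid` follows it; either normalize with `$dyn_uid === '' ? null : $dyn_uid` before the call or confirm setCaseVariables treats the two alike and drop the model default. doPutCaseVariables's closing brace lies outside the hunk.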