diff --git a/gulliver/system/class.inputfilter.php b/gulliver/system/class.inputfilter.php
index 8dcc433c1..ec1054abe 100644
--- a/gulliver/system/class.inputfilter.php
+++ b/gulliver/system/class.inputfilter.php
@@ -349,15 +349,15 @@ class InputFilter
         return $source;
     }
 
-    /**
-     * @author Chris Tobin
-     * @author Daniel Morris
-     * @access protected
-     * @param String $source
-     * @param Resource $connection - An open MySQL connection
-     * @return String $source
-     * @todo We need to review this method, because the sended string is unescaped
-     */
+    /**
+     * @author Chris Tobin
+     * @author Daniel Morris
+     * @access protected
+     * @param String $source
+     * @param Resource $connection - An open MySQL connection
+     * @return String $source
+     * @todo We need to review this method, because the sended string is unescaped
+     */
     public function escapeString($string, &$connection)
     {
         return mysqli_real_escape_string($connection, $string);
diff --git a/gulliver/system/class.rbac.php b/gulliver/system/class.rbac.php
index 560aa7f2c..a00462966 100644
--- a/gulliver/system/class.rbac.php
+++ b/gulliver/system/class.rbac.php
@@ -1316,6 +1316,33 @@ class RBAC
         return $this->rolesObj->loadById($rolUid);
     }
 
+    /**
+     * Get Role code
+     *
+     * @access public
+     *
+     * @param string $role
+     *
+     * @return string
+     */
+    public function getRoleCodeValid($role)
+    {
+        $roleCode = '';
+
+        if (!empty($role)) {
+            if ($this->verifyByCode($role)) {
+                //If is a valid ROL_CODE
+                $roleCode = $role;
+            } else {
+                //We will to check by ROL_UID
+                $roleInfo = $this->loadById($role);
+                $roleCode = !empty($roleInfo['ROL_CODE']) ? $roleInfo['ROL_CODE'] : '';
+            }
+        }
+
+        return $roleCode;
+    }
+
     /**
      * this function gets the user's roles
      *
diff --git a/workflow/engine/classes/Applications.php b/workflow/engine/classes/Applications.php
index 6d1f7e4e8..af0b1630a 100644
--- a/workflow/engine/classes/Applications.php
+++ b/workflow/engine/classes/Applications.php
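Review bot: The docblock on `getRoleCodeValid()` does not say what `$role` may hold or what the empty return means, although both callers in WsBase branch on it: the body accepts either a ROL_CODE (checked first via `verifyByCode()`) or a ROL_UID (resolved via `loadById()`), and yields `''` when `$role` is empty or matches neither. Replace the bare tags with `@param string $role A ROL_CODE or a ROL_UID` and `@return string The matching ROL_CODE, or '' when $role is empty or unknown`. The two inline comments would also read better as `// $role is already a valid ROL_CODE` and `// Otherwise try to resolve $role as a ROL_UID`.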
@@ -51,6 +51,7 @@ class Applications
         $limit = (int)$inputFilter->validateInput($limit, 'int');
         $search = $inputFilter->escapeUsingConnection($search, $con);
         $process = (int)$inputFilter->validateInput($process, 'int');
+        //$status doesn't require sanitization
         $dir = in_array($dir, ['ASC', 'DESC']) ? $dir :'DESC';
         $sort = $inputFilter->escapeUsingConnection($sort, $con);
 
diff --git a/workflow/engine/classes/WsBase.php b/workflow/engine/classes/WsBase.php
index 55ea4de2b..1d4da5708 100644
--- a/workflow/engine/classes/WsBase.php
+++ b/workflow/engine/classes/WsBase.php
@@ -1105,7 +1105,7 @@ class WsBase
      * @param string dueDate : Optional parameter. The expiration date must be a string in the format "yyyy-mm-dd".
      * @param string status : Optional parameter. The user's status, such as "ACTIVE", "INACTIVE" or "VACATION".
      *
-     * @return $result will return an object
+     * @return object|array
      */
     public function createUser(
         $userName,
@@ -1142,7 +1142,6 @@ class WsBase
         }
 
         $mktimeDueDate = 0;
-
         if (!empty($dueDate) && $dueDate != 'null' && $dueDate) {
             if (!preg_match("/^(\d{4})-(\d{2})-(\d{2})$/", $dueDate, $arrayMatch)) {
                 $result = new WsCreateUserResponse(-1, G::loadTranslation("ID_INVALID_DATA") . " $dueDate", null);
@@ -1172,22 +1171,13 @@ class WsBase
             $status = "ACTIVE";
         }
 
-        $arrayRole = $RBAC->loadById($role);
-        $strRole = null;
+        $strRole = $RBAC->getRoleCodeValid($role);
+        if (empty($strRole)) {
+            $data = [];
+            $data["ROLE"] = $role;
+            $result = new WsCreateUserResponse(6, G::loadTranslation("ID_INVALID_ROLE", SYS_LANG, $data), null);
 
-        if (is_array($arrayRole)) {
-            $strRole = $arrayRole["ROL_CODE"];
-        } else {
-            $strRole = $role;
-
-            if ($RBAC->verifyByCode($role) == 0) {
-                $data = [];
-                $data["ROLE"] = $role;
-
-                $result = new WsCreateUserResponse(6, G::loadTranslation("ID_INVALID_ROLE", SYS_LANG, $data), null);
-
-                return $result;
-            }
+            return $result;
         }
 
         if (strlen($password) > 20) {
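Review bot: The new comment `//$status doesn't require sanitization` states a conclusion without the reason, and nothing in the hunk constrains `$status` while every neighbouring input is cast or escaped before it reaches the query. A later reader auditing this block cannot tell whether the value is whitelisted, cast, or never interpolated at all, so name the guarantee in the comment, e.g. `// $status is not escaped here: <where/how it is restricted>` filled in with the actual check; if no such check exists, validate it beside the other `validateInput()` calls. The enclosing method begins and ends outside the hunk.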
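Review bot: `@return object|array` on createUser() is vaguer than the code allows: the error paths visible in this method's hunks return `WsCreateUserResponse` and the success path returns an array, so `@return WsCreateUserResponse|array` tells a caller which properties to read. The catch block that closes the method lies outside these hunks; confirm it returns one of those two types before tightening the tag.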
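Review bot: `if (empty($strRole))` treats a role code of `"0"` as invalid because `empty()` tests truthiness, while `getRoleCodeValid()` signals failure with the empty string; compare explicitly: `if ($strRole === '') {`. The same applies to the identical check in the updateUser hunk. Note also that the helper tries `verifyByCode()` before `loadById()`, reversing the old precedence; that only matters if a value can be both a ROL_CODE and a ROL_UID, but it is worth a sentence in the commit message.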
@@ -1253,12 +1243,12 @@ class WsBase
 
             $res = new WsResponse(0, G::loadTranslation("ID_USER_CREATED_SUCCESSFULLY", SYS_LANG, $data));
 
-            $result = array(
+            $result = [
                 "status_code" => $res->status_code,
                 "message" => $res->message,
                 "userUID" => $userUid,
                 "timestamp" => $res->timestamp
-            );
+            ];
 
             return $result;
         } catch (Exception $e) {
@@ -1278,12 +1268,11 @@ class WsBase
      * @param string email : Optional parameter. The user's email address.
      * @param string dueDate : Optional parameter. The expiration date must be a string in the format "yyyy-mm-dd".
      * @param string status : Optional parameter. The user's status, such as "ACTIVE", "INACTIVE" or "VACATION".
-     * @param string role : Optional parameter. The user's role, such
-     * as "PROCESSMAKER_ADMIN" or "PROCESSMAKER_OPERATOR".
+     * @param string role : Optional parameter. The user's role, such as "PROCESSMAKER_ADMIN" or "PROCESSMAKER_OPERATOR".
      * @param string password : Optional parameter. The user's password such as "Be@gle2" (It will be automatically
-     * encrypted with an MD5 hash).
+     *                          encrypted with an MD5 hash).
      *
-     * @return $result will return an object
+     * @return object|array
      */
     public function updateUser(
         $userUid,
@@ -1347,25 +1336,13 @@ class WsBase
             }
         }
 
-        $strRole = null;
+        $strRole = $RBAC->getRoleCodeValid($role);
+        if (empty($strRole)) {
+            $data = [];
+            $data["ROLE"] = $role;
+            $result = new WsCreateUserResponse(6, G::loadTranslation("ID_INVALID_ROLE", SYS_LANG, $data), null);
 
-        if (!empty($role)) {
-            $arrayRole = $RBAC->loadById($role);
-
-            if (is_array($arrayRole)) {
-                $strRole = $arrayRole["ROL_CODE"];
-            } else {
-                $strRole = $role;
-
-                if ($RBAC->verifyByCode($role) == 0) {
-                    $data = [];
-                    $data["ROLE"] = $role;
-
-                    $result = new WsResponse(6, G::LoadTranslation("ID_INVALID_ROLE", SYS_LANG, $data));
-
-                    return $result;
-                }
-            }
+            return $result;
         }
 
         if (!empty($password) && strlen($password) > 20) {
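Review bot: The rewrapped `@param string password` line still documents that the password "will be automatically encrypted with an MD5 hash". If that is still how updateUser() stores it (the storage code is outside this hunk), the docblock is describing an unsalted fast digest as password protection; either change the wording to what the code actually does or mark it as a known legacy limitation, e.g. `(stored as an MD5 hash — legacy, see <password storage code>)`. As in createUser(), `@return object|array` could name the concrete types the visible code returns: `WsResponse`, `WsCreateUserResponse` or an array.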
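Review bot: This hunk appears to make the optional `role` argument of updateUser() mandatory: the old code skipped role validation when `$role` was empty, but `getRoleCodeValid('')` returns `''` (see the class.rbac.php hunk) and the new `if (empty($strRole))` then returns error 6 ("ID_INVALID_ROLE") for an update that does not touch the role, contradicting the `@param string role : Optional parameter` docblock in the previous hunk. The error object also changes from `WsResponse` to `WsCreateUserResponse`, altering the response shape of updateUser() for this case. Keep the empty-role short-circuit and the original response class, and compare against the helper's `''` sentinel explicitly rather than with `empty()`.
```php
        $strRole = null;
        if (!empty($role)) {
            $strRole = $RBAC->getRoleCodeValid($role);
            if ($strRole === '') {
                $data = [];
                $data["ROLE"] = $role;
                $result = new WsResponse(6, G::LoadTranslation("ID_INVALID_ROLE", SYS_LANG, $data));

                return $result;
            }
        }
        // … unchanged: password length check …
```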
@@ -1438,11 +1415,12 @@ class WsBase
 
             //Response
             $res = new WsResponse(0, G::LoadTranslation("ID_UPDATED_SUCCESSFULLY"));
-            $result = array(
+
+            $result = [
                 "status_code" => $res->status_code,
                 "message" => $res->message,
                 "timestamp" => $res->timestamp
-            );
+            ];
 
             return $result;
         } catch (Exception $e) {