PMCORE-4204

This commit is contained in:
Julio Cesar Laura Avendaño
2023-03-24 17:55:53 +00:00
parent 0506805783
commit 10839b0b84
21 changed files with 192 additions and 45 deletions


@@ -3,33 +3,10 @@
use Illuminate\Support\Facades\Cache;
use PHPMailer\PHPMailer\SMTP;
use ProcessMaker\Core\System;
use ProcessMaker\Exception\RBACException;
use ProcessMaker\Plugins\PluginRegistry;
use ProcessMaker\Validation\ValidationUploadedFiles;
/**
* adminProxy.php
*
* ProcessMaker Open Source Edition
* Copyright (C) 2004 - 2008 Colosa Inc.23
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
*
*/
class adminProxy extends HttpProxyController
{
const hashunlink = 'unlink';
@@ -787,6 +764,14 @@ class adminProxy extends HttpProxyController
*/
public function getListImage($httpData)
{
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_SETUP') !== 1 || $RBAC->userCanAccess('PM_SETUP_LOGO') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
$uplogo = PATH_TPL . 'setup' . PATH_SEP . 'uplogo.html';
$width = "100%";
$upload = new ReplacementLogo();
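Review bot: The guard at the top of getListImage is the same seven-line block this commit pastes into every other method and script, and `global $RBAC` inside a method of a class that already extends HttpProxyController makes each copy depend on that global being initialised before dispatch; a single helper such as `private function requirePermissions(array $permissions): void` on the controller would keep the required-permission sets in one auditable place. Whether HttpProxyController already offers such a check cannot be seen from this hunk. The `new ReplacementLogo()` on the last line suggests the class also has an upload action; if it does, it needs the same PM_SETUP/PM_SETUP_LOGO guard, which this commit does not show. getListImage's body continues outside the hunk.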


@@ -3,6 +3,7 @@
use Illuminate\Support\Facades\Log;
use ProcessMaker\BusinessModel\DynaForm;
use ProcessMaker\Core\System;
use ProcessMaker\Exception\RBACException;
use ProcessMaker\Model\AdditionalTables as AdditionalTablesModel;
use ProcessMaker\Model\Dynaform as DynaformModel;
use ProcessMaker\Model\ProcessVariables;
@@ -26,6 +27,14 @@ class pmTablesProxy extends HttpProxyController
*/
public function getList($httpData)
{
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_FACTORY') !== 1 && ($RBAC->userCanAccess('PM_SETUP') !== 1 || $RBAC->userCanAccess('PM_SETUP_PM_TABLES') !== 1)) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
$configurations = new Configurations();
$processMap = new ProcessMap();
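Review bot: The `if` condition encodes "allowed with PM_FACTORY, or with both PM_SETUP and PM_SETUP_PM_TABLES" in double-negated form, which is easy to misread during a later audit and differs from the all-required `||` pattern used in the other guards of this commit. Replace the generic "Check if the current user have the correct permissions" comment with one that states the positive policy, e.g. `// Allowed with PM_FACTORY, or with PM_SETUP plus PM_SETUP_PM_TABLES; anything else is a 403`. getList's body continues outside the hunk.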


@@ -1,6 +1,7 @@
<?php
use ProcessMaker\Core\System;
use ProcessMaker\Exception\RBACException;
/**
* StrategicDashboard controller
@@ -125,6 +126,14 @@ class StrategicDashboard extends Controller
public function dashboardList()
{
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_SETUP') !== 1 || $RBAC->userCanAccess('PM_SETUP_DASHBOARDS') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
try {
$this->includeExtJS('strategicDashboard/dashboardList');
if (isset($_SESSION['__StrategicDashboard_ERROR__'])) {
@@ -183,6 +192,14 @@ class StrategicDashboard extends Controller
public function viewDashboard()
{
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_DASHBOARD') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
try {
if (isset($_SESSION['__StrategicDashboard_ERROR__'])) {
$this->setJSVar('__StrategicDashboard_ERROR__', $_SESSION['__StrategicDashboard_ERROR__']);
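Review bot: viewDashboard throws RBACException before entering its `try`, which matters because the method's catch (outside the hunk, so what it does is not visible here) could otherwise turn the denial into a `__StrategicDashboard_ERROR__` session message instead of a 403; that placement deserves a comment and a docblock tag so nobody later moves the guard inside the try. Suggested docblock line: `@throws RBACException with code 403 when the session user lacks PM_DASHBOARD`, and `@throws RBACException with code 403 when the session user lacks PM_SETUP or PM_SETUP_DASHBOARDS` for dashboardList in the previous hunk. Both method bodies continue outside their hunks.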


@@ -1,4 +1,12 @@
<?php
use ProcessMaker\Exception\RBACException;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_SETUP') !== 1 || $RBAC->userCanAccess('PM_SETUP_LOGS') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
$oHeadPublisher->addExtJsScript('actionsByEmail/report', false); //adding a javascript file .js
G::RenderPage('publish', 'extJs');
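Review bot: Unlike the other scripts in this commit, this file calls `$RBAC->userCanAccess(...)` without a preceding `global $RBAC;`; if the script is included from inside a function, which is what the `global` line in the sibling files suggests, `$RBAC` is undefined in that scope and the call dies with a "member function on null" fatal error instead of the intended 403. It fails closed either way, but the inconsistency should be removed: add `global $RBAC;` directly after the `use` line as the other files do.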


@@ -1,4 +1,12 @@
<?php
use ProcessMaker\Exception\RBACException;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_SETUP') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
// General Validations
if (!isset($_REQUEST['action'])) {
$_REQUEST['action'] = '';
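Review bot: This guard is missing the `global $RBAC;` line the sibling scripts add, so it depends on the include scope exposing `$RBAC`; add `global $RBAC;` after the `use` line for consistency. It also checks PM_SETUP alone while the script dispatches on `$_REQUEST['action']`, whereas the other setup scripts in this commit pair PM_SETUP with a sub-permission (PM_SETUP_LOGS, PM_SETUP_LOGIN, and so on); whether individual actions here need a finer permission cannot be seen from the hunk and should be confirmed per action. The action dispatch continues outside the hunk.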


@@ -1,5 +1,15 @@
<?php
use ProcessMaker\Exception\RBACException;
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_USERS') !== 1 || $RBAC->userCanAccess('PM_SETUP_USERS_AUTHENTICATION_SOURCES') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
global $G_PUBLISH;
$G_PUBLISH = new Publisher();
try {


@@ -1,6 +1,15 @@
<?php
use ProcessMaker\Core\System;
use ProcessMaker\Exception\RBACException;
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_SETUP_ADVANCE') !== 1 || $RBAC->userCanAccess('PM_SETUP_PLUGINS') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
AddonsStore::checkLicenseStore();


@@ -1,10 +1,19 @@
<?php
use ProcessMaker\Core\System;
use ProcessMaker\Exception\RBACException;
use ProcessMaker\Plugins\PluginRegistry;
use ProcessMaker\Validation\ExceptionRestApi;
use ProcessMaker\Validation\ValidationUploadedFiles;
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_SETUP_ADVANCE') !== 1 || $RBAC->userCanAccess('PM_SETUP_PLUGINS') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
function runBgProcessmaker($task, $log)
{
require_once(PATH_CORE . "bin/tasks/cliAddons.php");


@@ -1,6 +1,15 @@
<?php
use ProcessMaker\Core\System;
use ProcessMaker\Exception\RBACException;
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_SETUP_ADVANCE') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
ini_set("max_execution_time", 0);
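Review bot: This script is guarded by PM_SETUP_ADVANCE alone, while the two plugin scripts in this commit require PM_SETUP_ADVANCE together with PM_SETUP_PLUGINS; since the line after the guard lifts `max_execution_time` to unlimited, the script presumably runs a long administrative job, and if a dedicated sub-permission exists for it, it should be checked too. If the parent permission alone is intended, say so in the comment, e.g. `// PM_SETUP_ADVANCE alone is intended here: this job has no dedicated sub-permission`. Which job this is cannot be determined from the hunk.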


@@ -1,5 +1,14 @@
<?php
//$req = $_POST['request'];
use ProcessMaker\Exception\RBACException;
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_SETUP') !== 1 || $RBAC->userCanAccess('PM_SETUP_LOGS') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
$req = (isset($_POST['request']))? $_POST['request']:((isset($_REQUEST['request']))? $_REQUEST['request'] : 'No hayyy tal');
require_once 'classes/model/Content.php';


@@ -8,9 +8,18 @@
* @link https://wiki.processmaker.com/3.2/Processes
*/
use ProcessMaker\Exception\RBACException;
use ProcessMaker\Model\Process;
use ProcessMaker\Util\DateTime;
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_FACTORY') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
require_once 'classes/model/Process.php';
$start = isset($_POST['start']) ? $_POST['start'] : 0;


@@ -1,6 +1,15 @@
<?php
use ProcessMaker\Core\System;
use ProcessMaker\Exception\RBACException;
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_TASK_SCHEDULER_ADMIN') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
try {
global $G_PUBLISH;


@@ -1,6 +1,15 @@
<?php
use Processmaker\Core\System;
use ProcessMaker\Exception\RBACException;
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_SETUP_ADVANCE') !== 1 || $RBAC->userCanAccess('PM_SETUP_CASES_LIST_CACHE_BUILDER') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);


@@ -1,7 +1,16 @@
<?php
use ProcessMaker\Exception\RBACException;
use ProcessMaker\Log\AuditLog;
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_SETUP') !== 1 || $RBAC->userCanAccess('PM_SETUP_LOGS') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
$auditLog = new AuditLog();
$auditLog->setUserLogged($_SESSION["USER_LOGGED"]);


@@ -1,6 +1,15 @@
<?php
use ProcessMaker\BusinessModel\Files\Cron;
use ProcessMaker\Exception\RBACException;
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_SETUP') !== 1 || $RBAC->userCanAccess('PM_SETUP_LOGS') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
$option = isset($_REQUEST["option"]) ? $_REQUEST["option"] : null;


@@ -1,10 +1,14 @@
<?php
/**
*
* @author Erik A.O. <erik@colosa.com>
* @date Sept 13th, 2010
*
*/
use ProcessMaker\Exception\RBACException;
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_SETUP') !== 1 || $RBAC->userCanAccess('PM_SETUP_ENVIRONMENT') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
$request = isset( $_POST["request"] ) ? $_POST["request"] : (isset( $_GET["request"] ) ? $_GET["request"] : null);
$result = new stdclass();


@@ -1,5 +1,15 @@
<?php
use ProcessMaker\Exception\RBACException;
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_SETUP_ADVANCE') !== 1 || $RBAC->userCanAccess('PM_SETUP_LANGUAGE') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
try {
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);


@@ -1,4 +1,15 @@
<?php
use ProcessMaker\Exception\RBACException;
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_SETUP') !== 1 || $RBAC->userCanAccess('PM_SETUP_LOGIN') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
$request = isset($_REQUEST['request']) ? $_REQUEST['request'] : null;
switch ($request) {


@@ -1,10 +1,18 @@
<?php
use Illuminate\Support\Facades\DB;
use ProcessMaker\BusinessModel\Role;
use ProcessMaker\Exception\RBACException;
use ProcessMaker\Model\User;
use ProcessMaker\Model\UserExtendedAttributes;
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_USERS') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
global $G_PUBLISH;
$G_PUBLISH = new Publisher();
try {