From 928759f66366dc82d55e892324e52f565b2676e0 Mon Sep 17 00:00:00 2001
From: "Marco A. Nina Mena"
Date: Mon, 7 Aug 2017 08:37:04 -0400
Subject: [PATCH 1/6] HOR-3432 ProcessMaker User Privilege Escalation - Add validation user access with PM_USERS

---
 workflow/engine/methods/roles/roles_Ajax.php | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/workflow/engine/methods/roles/roles_Ajax.php b/workflow/engine/methods/roles/roles_Ajax.php
index b13937140..19e6fa8f7 100644
--- a/workflow/engine/methods/roles/roles_Ajax.php
+++ b/workflow/engine/methods/roles/roles_Ajax.php
@@ -21,6 +21,20 @@
 * For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 */
+global $RBAC;
+switch ($RBAC->userCanAccess( 'PM_USERS' )) {
+ case - 2:
+ G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
+ G::header( 'location: ../login/login' );
+ die();
+ break;
+ case - 1:
+ case - 3:
+ G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' );
+ G::header( 'location: ../login/login' );
+ die();
+ break;
+}
 $REQUEST = (isset( $_GET['request'] )) ? $_GET['request'] : $_POST['request'];

From a0c0bcf6e6bd96bee3fdfa7a715b29ba1b1a63d7 Mon Sep 17 00:00:00 2001
From: "Marco A. Nina Mena"
Date: Mon, 7 Aug 2017 11:58:16 -0400
Subject: [PATCH 2/6] Change method of throw

---
 workflow/engine/methods/roles/roles_Ajax.php | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/workflow/engine/methods/roles/roles_Ajax.php b/workflow/engine/methods/roles/roles_Ajax.php
index 19e6fa8f7..d3ad0ab43 100644
--- a/workflow/engine/methods/roles/roles_Ajax.php
+++ b/workflow/engine/methods/roles/roles_Ajax.php
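Review bot: The new gate denies only the three negative codes -2, -1 and -3, so any other value `userCanAccess('PM_USERS')` might return (0, or a code introduced later) falls straight through to the `$REQUEST` handling below — the check is fail-open with respect to the RBAC API rather than fail-closed. Capture the result once and deny everything except the explicit allow value, `$access = $RBAC->userCanAccess('PM_USERS');` then `if ($access !== 1) { /* existing denial path */ }` (1 appears to be the allow value of `RBAC::userCanAccess`; confirm against that class), or keep the `switch` and add a `default:` that denies. The `break;` after `die();` in both branches is unreachable and can be dropped. The PATCH 3/6 hunk repeats this block byte-for-byte, and the PATCH 2/6 and PATCH 4/6 rewrites keep the same three-case list, so the same gap applies there.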
@@ -21,18 +21,16 @@
 * For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 */
+use ProcessMaker\Exception\RBACException;
+
 global $RBAC;
-switch ($RBAC->userCanAccess( 'PM_USERS' )) {
- case - 2:
- G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
- G::header( 'location: ../login/login' );
- die();
+switch ($RBAC->userCanAccess('PM_USERS')) {
+ case -2:
+ throw new RBACException('ID_USER_HAVENT_RIGHTS_SYSTEM', -2);
 break;
- case - 1:
- case - 3:
- G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' );
- G::header( 'location: ../login/login' );
- die();
+ case -1:
+ case -3:
+ throw new RBACException('ID_USER_HAVENT_RIGHTS_PAGE', -1);
 break;
 }

From 15031808c58d9e606784ba44beb0b692a0e0edae Mon Sep 17 00:00:00 2001
From: "Marco A. Nina Mena"
Date: Mon, 7 Aug 2017 08:37:04 -0400
Subject: [PATCH 3/6] HOR-3432 ProcessMaker User Privilege Escalation - Add validation user access with PM_USERS

---
 workflow/engine/methods/roles/roles_Ajax.php | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/workflow/engine/methods/roles/roles_Ajax.php b/workflow/engine/methods/roles/roles_Ajax.php
index b13937140..19e6fa8f7 100644
--- a/workflow/engine/methods/roles/roles_Ajax.php
+++ b/workflow/engine/methods/roles/roles_Ajax.php
@@ -21,6 +21,20 @@
 * For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 */
+global $RBAC;
+switch ($RBAC->userCanAccess( 'PM_USERS' )) {
+ case - 2:
+ G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
+ G::header( 'location: ../login/login' );
+ die();
+ break;
+ case - 1:
+ case - 3:
+ G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' );
+ G::header( 'location: ../login/login' );
+ die();
+ break;
+}
 $REQUEST = (isset( $_GET['request'] )) ? $_GET['request'] : $_POST['request'];
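Review bot: Throwing `RBACException` from the top of this Ajax script only results in a denial if the code that includes `roles_Ajax.php` catches it and answers with a 401/403; if nothing above does, PHP reports an uncaught exception, which with `display_errors` enabled would return a message and trace to the caller instead of a clean refusal — confirm that such a handler exists before relying on this. Both `case -1:` and `case -3:` throw with a hard-coded code of `-1`, so the distinction the RBAC layer made is lost in the exception; store the result once, `$access = $RBAC->userCanAccess('PM_USERS');`, switch on `$access` and pass it as the exception code. The `break;` kept after each `throw` is unreachable and should go. The PATCH 4/6 hunk is an identical copy of this change.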
From 573300f245617f3f110bdc035d51fc69baff3097 Mon Sep 17 00:00:00 2001
From: "Marco A. Nina Mena"
Date: Mon, 7 Aug 2017 11:58:16 -0400
Subject: [PATCH 4/6] Change method of throw

---
 workflow/engine/methods/roles/roles_Ajax.php | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/workflow/engine/methods/roles/roles_Ajax.php b/workflow/engine/methods/roles/roles_Ajax.php
index 19e6fa8f7..d3ad0ab43 100644
--- a/workflow/engine/methods/roles/roles_Ajax.php
+++ b/workflow/engine/methods/roles/roles_Ajax.php
@@ -21,18 +21,16 @@
 * For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 */
+use ProcessMaker\Exception\RBACException;
+
 global $RBAC;
-switch ($RBAC->userCanAccess( 'PM_USERS' )) {
- case - 2:
- G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
- G::header( 'location: ../login/login' );
- die();
+switch ($RBAC->userCanAccess('PM_USERS')) {
+ case -2:
+ throw new RBACException('ID_USER_HAVENT_RIGHTS_SYSTEM', -2);
 break;
- case - 1:
- case - 3:
- G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' );
- G::header( 'location: ../login/login' );
- die();
+ case -1:
+ case -3:
+ throw new RBACException('ID_USER_HAVENT_RIGHTS_PAGE', -1);
 break;
 }

From 2eedfdbfb540cfe963e711294fa88cab4b9187f1 Mon Sep 17 00:00:00 2001
From: Paula Quispe
Date: Thu, 10 Aug 2017 11:35:13 -0400
Subject: [PATCH 5/6] HOR-3658

---
 gulliver/system/class.bootstrap.php | 85 +++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)

diff --git a/gulliver/system/class.bootstrap.php b/gulliver/system/class.bootstrap.php
index 267c84725..2b74c2fc9 100644
--- a/gulliver/system/class.bootstrap.php
+++ b/gulliver/system/class.bootstrap.php
@@ -14,6 +14,27 @@ class Bootstrap
 //below here only approved methods
+ /**
+ * @deprecated
+ */
+ public static function autoloadClass($class)
+ {
+ }
+
+ /**
+ * @deprecated
+ */
+ public static function registerClass($className, $includePath)
+ {
+ }
+
+ /**
+ * @deprecated
+ */
+ public static function registerDir($name, $dir)
+ {
+ }
+
 /*
 * these functions still under revision
 */
@@ -22,6 +43,12 @@ class Bootstrap
 {
 return PmSystem::getSystemConfiguration($globalIniFile, $wsIniFile, $wsName);
 }
+ /**
+ * @deprecated
+ */
+ public static function registerSystemClasses()
+ {
+ }
 //below this line, still not approved methods
@@ -122,6 +149,19 @@ class Bootstrap
 $smarty->display($template);
 }
+ /**
+ * Load Gulliver Classes
+ *
+ * @author Fernando Ontiveros Lira
+ * @access public
+ * @param string $strClass
+ * @return void
+ * @deprecated
+ */
+ public static function LoadSystem($strClass)
+ {
+ }
+
 /**
 * Get the temporal directory path on differents O.S.
 * i.e. /temp -> linux, C:/Temp -> win
@@ -411,6 +451,34 @@ class Bootstrap
 return $content;
 }
+ /**
+ * If the class is not defined by the aplication, it
+ * attempt to load the class from gulliver.system
+ *
+ * @author Fernando Ontiveros Lira , David S. Callizaya
+ * @access public
+ * @param string $strClass
+ * @return void
+ * @deprecated
+ */
+ public static function LoadClass($strClass)
+ {
+ }
+
+ /**
+ * Loads a Class.
+ * If the class is not defined by the aplication, it
+ * attempt to load the class from gulliver.system
+ *
+ * @author Fernando Ontiveros Lira , David S. Callizaya
+ * @access public
+ * @param string $strClass
+ * @return void
+ * @deprecated
+ */
+ public static function LoadThirdParty($sPath, $sFile)
+ {
+ }
 /**
 * Function LoadTranslationObject
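Review bot: `autoloadClass`, `registerClass`, `registerDir`, `registerSystemClasses`, `LoadSystem`, `LoadClass` and `LoadThirdParty` are added with empty bodies, so a caller that still expects them to load a class or register a path gets no signal at the call site and fails later with an undefined-class error far from the cause; the same applies to `getModel` and `initVendors` in the following hunks, where `getModel($model)` now returns `null` to anyone chaining on its result. Consider one line per stub, `trigger_error(__METHOD__ . ' is deprecated and does nothing', E_USER_DEPRECATED);`, so the remaining callers (the plugin manager, per the follow-up commit in this series) become visible in the logs. The docblocks copied onto `LoadSystem`, `LoadClass` and `LoadThirdParty` (`@author`, `@access public`, `@return void`, the "attempt to load the class from gulliver.system" description) describe the removed behaviour; the `@deprecated` tag should instead say that the method is now a no-op and name the replacement, if any.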
@@ -1948,6 +2016,16 @@ class Bootstrap return $result; } + /** + * + * @param unknown_type $model + * @return unknown + * @deprecated + */ + public function getModel($model) + { + } + /** * Create an encrypted unique identifier based on $id and the selected scope id. * @@ -2427,6 +2505,13 @@ class Bootstrap return strtoupper(PHP_OS) == "LINUX"; } + /** + * @deprecated + */ + public static function initVendors() + { + } + public static function parseIniFile($filename) { $data = @parse_ini_file($filename, true); From fa2938a811a62fcd58ed820b2f84f1aa037bc263 Mon Sep 17 00:00:00 2001 From: Paula Quispe Date: Thu, 10 Aug 2017 12:35:35 -0400 Subject: [PATCH 6/6] Deprecated functions --- gulliver/system/class.bootstrap.php | 42 +++++++---------------------- gulliver/system/class.g.php | 38 +++++--------------------- 2 files changed, 15 insertions(+), 65 deletions(-) diff --git a/gulliver/system/class.bootstrap.php b/gulliver/system/class.bootstrap.php index 2b74c2fc9..b70b2bcef 100644 --- a/gulliver/system/class.bootstrap.php +++ b/gulliver/system/class.bootstrap.php @@ -15,21 +15,21 @@ class Bootstrap //below here only approved methods /** - * @deprecated + * @deprecated 3.2.2, We keep this function only for backwards compatibility because is used in the plugin manager */ public static function autoloadClass($class) { } /** - * @deprecated + * @deprecated 3.2.2, We keep this function only for backwards compatibility because is used in the plugin manager */ public static function registerClass($className, $includePath) { } /** - * @deprecated + * @deprecated 3.2.2, We keep this function only for backwards compatibility because is used in the plugin manager */ public static function registerDir($name, $dir) { 
@@ -44,7 +44,7 @@ class Bootstrap
 return PmSystem::getSystemConfiguration($globalIniFile, $wsIniFile, $wsName);
 }
 /**
- * @deprecated
+ * @deprecated 3.2.2, We keep this function only for backwards compatibility because is used in the plugin manager
 */
 public static function registerSystemClasses()
 {
@@ -150,13 +150,7 @@ class Bootstrap
 }
 /**
- * Load Gulliver Classes
- *
- * @author Fernando Ontiveros Lira
- * @access public
- * @param string $strClass
- * @return void
- * @deprecated
+ * @deprecated 3.2.2, We keep this function only for backwards compatibility because is used in the plugin manager
 */
 public static function LoadSystem($strClass)
 {
@@ -452,29 +446,14 @@ class Bootstrap
 return $content;
 }
 /**
- * If the class is not defined by the aplication, it
- * attempt to load the class from gulliver.system
- *
- * @author Fernando Ontiveros Lira , David S. Callizaya
- * @access public
- * @param string $strClass
- * @return void
- * @deprecated
+ * @deprecated 3.2.2, We keep this function only for backwards compatibility because is used in the plugin manager
 */
 public static function LoadClass($strClass)
 {
 }
 /**
- * Loads a Class.
- * If the class is not defined by the aplication, it
- * attempt to load the class from gulliver.system
- *
- * @author Fernando Ontiveros Lira , David S. Callizaya
- * @access public
- * @param string $strClass
- * @return void
- * @deprecated
+ * @deprecated 3.2.2, We keep this function only for backwards compatibility because is used in the plugin manager
 */
 public static function LoadThirdParty($sPath, $sFile)
 {
@@ -2017,10 +1996,7 @@ class Bootstrap
 }
 /**
- *
- * @param unknown_type $model
- * @return unknown
- * @deprecated
+ * @deprecated 3.2.2, We keep this function only for backwards compatibility because is used in the plugin manager
 */
 public function getModel($model)
 {
@@ -2506,7 +2482,7 @@ class Bootstrap
 }
 /**
- * @deprecated
+ * @deprecated 3.2.2, We keep this function only for backwards compatibility because is used in the plugin manager
 */
 public static function initVendors()
 {
diff --git a/gulliver/system/class.g.php b/gulliver/system/class.g.php
index 435eca3e4..692d2274e 100644
--- a/gulliver/system/class.g.php
+++ b/gulliver/system/class.g.php
@@ -44,11 +44,7 @@ class G
 public static $httpHost;
 /**
- * Load Gulliver Classes
- * @access public
- * @param string $strClass
- * @return void
- * @deprecated 08-04-2017
+ * @deprecated 3.2.2, We keep this function only for backwards compatibility because is used in the plugin manager
 */
 public static function LoadSystem($strClass)
 {
@@ -56,11 +52,7 @@ class G
 }
 /**
- * Load System Classes
- * @access public
- * @param string $strClass
- * @return void
- * @deprecated 08-04-2017
+ * @deprecated 3.2.2, We keep this function only for backwards compatibility because is used in the plugin manager
 */
 public function LoadSystemExist($strClass)
 {
@@ -68,11 +60,7 @@ class G
 }
 /**
- * Include javascript files
- * @access public
- * @param string $strClass
- * @return void
- * @deprecated 08-04-2017
+ * @deprecated 3.2.2, We keep this function only for backwards compatibility because is used in the plugin manager
 */
 public function LoadInclude($strClass)
 {
@@ -80,11 +68,7 @@ class G
 }
 /**
- * public function LoadClassRBAC
- * @access public
- * @param string $strClass
- * @return void
- * @deprecated 08-04-2017
+ * @deprecated 3.2.2, We keep this function only for backwards compatibility because is used in the plugin manager
 */
 public function LoadClassRBAC($strClass)
 {
@@ -92,12 +76,7 @@ class G
 }
 /**
- * If the class is not defined by the aplication, it
- * attempt to load the class from gulliver.system
- * @access public
- * @param string $strClass
- * @return void
- * @deprecated 08-04-2017
+ * @deprecated 3.2.2, We keep this function only for backwards compatibility because is used in the plugin manager
 */
 public static function LoadClass($strClass)
 {
@@ -105,12 +84,7 @@ class G
 }
 /**
- * public function LoadThirdParty
- * @access public
- * @param string $sPath
- * @param string $sFile
- * @return void
- * @deprecated 08-04-2017
+ * @deprecated 3.2.2, We keep this function only for backwards compatibility because is used in the plugin manager
 */
 public static function LoadThirdParty($sPath, $sFile)
 {