fernando/luos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

HOR-2032

Browse Source 
[Mantis 21439] Input documents can be downloaded via its URL even if there is no valid session
This commit is contained in:
dheeyi william
2017-03-09 18:09:33 -04:00
parent 4a9dad1879
commit 2aa1abd7de
3 changed files with 69 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

63
workflow/engine/classes/model/AppDocument.php
View File

@@ -535,5 +535,68 @@ class AppDocument extends BaseAppDocument
$oAppDocument = AppDocumentPeer::retrieveByPK( $sAppDocUid, $iVersion );
return (is_object( $oAppDocument ) && get_class( $oAppDocument ) == 'AppDocument');
}
/**
* The user that uploaded an input document can download the same input file.
* A participated user or a supervisor must have the process permission "view" to be able to download the input document.
* If the user is a supervisor and had the input document assign, he can download the file too.
* @param $user
* @param $appDocUid
* @param $version
* @return bool
*/
public function checkPermissionsToDownload($user, $appDocUid, $version)
{
$oCriteria = new Criteria('workflow');
$oCriteria->addSelectColumn(AppDocumentPeer::APP_UID);
$oCriteria->addJoin(AppDocumentPeer::DOC_UID, InputDocumentPeer::INP_DOC_UID, Criteria::LEFT_JOIN);
$oCriteria->add(AppDocumentPeer::USR_UID, $user);
$oCriteria->add(AppDocumentPeer::APP_DOC_UID, $appDocUid);
$oCriteria->add(AppDocumentPeer::DOC_VERSION, $version);
$oCriteria->setLimit(1);
$dataset = AppDocumentPeer::doSelectRS($oCriteria);
$dataset->setFetchmode(ResultSet::FETCHMODE_ASSOC);
$dataset->next();
if ($dataset->getRow()) {
return true;
} else {
$oCriteria = new Criteria("workflow");
$oCriteria->addSelectColumn(AppDocumentPeer::APP_UID);
$oCriteria->addSelectColumn(AppDocumentPeer::DOC_UID);
$oCriteria->addSelectColumn(InputDocumentPeer::PRO_UID);
$oCriteria->addJoin(AppDocumentPeer::DOC_UID, InputDocumentPeer::INP_DOC_UID, Criteria::LEFT_JOIN);
$oCriteria->add(AppDocumentPeer::APP_DOC_UID, $appDocUid);
$oCriteria->add(AppDocumentPeer::DOC_VERSION, $version);
$oCriteria->setLimit(1);
$dataset = AppDocumentPeer::doSelectRS($oCriteria);
$dataset->setFetchmode(ResultSet::FETCHMODE_ASSOC);
$dataset->next();
$row = $dataset->getRow();
$cases = new \ProcessMaker\BusinessModel\Cases();
$userAuthorization = $cases->userAuthorization(
$user,
$row['PRO_UID'],
$row['APP_UID'],
array(),
array('INPUT_DOCUMENTS' => 'VIEW')
);
if ($userAuthorization['objectPermissions']['INPUT_DOCUMENTS'][0] == $appDocUid) {
return true;
}
if ($userAuthorization['supervisor']) {
$criteria = new Criteria("workflow");
$criteria->addSelectColumn(StepSupervisorPeer::STEP_UID);
$criteria->add(StepSupervisorPeer::STEP_TYPE_OBJ, "INPUT_DOCUMENT", \Criteria::EQUAL);
$criteria->add(StepSupervisorPeer::STEP_UID_OBJ, $row['DOC_UID'], \Criteria::EQUAL);
$rsCriteria = StepSupervisorPeer::doSelectRS($criteria);
if ($rsCriteria->next()) {
return true;
}
}
}
return false;
}
}

6
workflow/engine/methods/cases/cases_ShowDocument.php
View File

@@ -51,6 +51,12 @@ if (isset($_REQUEST['actionAjax']) && $_REQUEST['actionAjax'] == "verifySession"
//a = Case UID
$oAppDocument = new AppDocument();
if (!$oAppDocument->checkPermissionsToDownload($_SESSION['USER_LOGGED'], $_GET['a'], $_GET['v'])) {
G::header('Location: /errors/error403.php');
die();
}
if (! isset( $_GET['v'] )) {
//Load last version of the document
$docVersion = $oAppDocument->getLastAppDocVersion( $_GET['a'] );

1
workflow/public_html/sysGeneric.php
View File

@@ -949,7 +949,6 @@ if (! defined( 'EXECUTE_BY_CRON' )) {
$noLoginFiles[] = 'ajaxListener';
$noLoginFiles[] = 'cases_Step';
$noLoginFiles[] = 'cases_ShowOutputDocument';
$noLoginFiles[] = 'cases_ShowDocument';
$noLoginFiles[] = 'cases_CatchExecute';
$noLoginFiles[] = 'cases_SaveData';
$noLoginFiles[] = 'cases_Derivate';