BUG-14986 Authorization Bypass via Forceful Browsing IMPROVEMENT

workflow/engine/controllers/admin.php

@@ -15,6 +15,8 @@ class Admin extends Controller
 
     public function system ()
     {
+        global $RBAC;
+        $RBAC->requirePermissions( 'PM_SETUP' );
         require_once PATH_CONTROLLERS . 'main.php';
         G::loadClass( 'system' );
         $skinsList = System::getSkingList();
@@ -60,6 +62,8 @@ class Admin extends Controller
 
     public function uxList ()
     {
+        global $RBAC;
+        $RBAC->requirePermissions( 'PM_SETUP' );
         require_once PATH_CONTROLLERS . 'adminProxy.php';
         $this->includeExtJS( 'admin/uxUsersList' );
         G::LoadClass( 'configuration' );

workflow/engine/controllers/dashboard.php

@@ -16,6 +16,12 @@ class Dashboard extends Controller
     // Class constructor
     public function __construct ()
     {
+        global $RBAC;
+        if ($RBAC->userCanAccess('PM_DASHBOARD') != 1) {
+            G::SendTemporalMessage('ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels');
+            G::header( 'location: login/login' );
+            exit(0);
+        }
         G::LoadClass( 'pmDashlet' );
         $this->pmDashlet = new PMDashlet();
     }

workflow/engine/methods/cases/cases_Scheduler_Log.php

@@ -22,9 +22,11 @@
  * For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
  * Coral Gables, FL, 33134, USA, or email info@colosa.com.
  */
+global $RBAC;
 if (($RBAC_Response = $RBAC->userCanAccess( "PM_LOGIN" )) != 1) {
     return $RBAC_Response;
 }
+$RBAC->requirePermissions( 'PM_SETUP' );
 
 $G_PUBLISH = new Publisher();
 G::LoadClass( 'configuration' );

workflow/engine/methods/processes/mainInit.php

@@ -23,6 +23,8 @@
  */
 
 //$oHeadPublisher = & headPublisher::getSingleton();
+global $RBAC;
+$RBAC->requirePermissions( 'PM_FACTORY' );
 
 G::loadClass( 'configuration' );
 $conf = new Configurations();

workflow/engine/methods/setup/appCacheViewConf.php

@@ -1,4 +1,6 @@
 <?php
+global $RBAC;
+$RBAC->requirePermissions( 'PM_SETUP' );
 //  header('Pragma: no-cache');
 //  header('Cache-Control: no-store, no-cache, must-revalidate');
 

workflow/engine/methods/setup/clearCompiled.php

@@ -21,6 +21,8 @@
  * For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
  * Coral Gables, FL, 33134, USA, or email info@colosa.com.
  */
+global $RBAC;
+$RBAC->requirePermissions( 'PM_SETUP' );
 
 $oHeadPublisher = & headPublisher::getSingleton();
 $oHeadPublisher->addExtJsScript( 'setup/clearCompiled', true ); //adding a javascript file .js

workflow/engine/methods/setup/environmentSettings.php

@@ -1,4 +1,7 @@
 <?php
+global $RBAC;
+$RBAC->requirePermissions( 'PM_SETUP' );
+
 G::loadClass( 'configuration' );
 $c = new Configurations();
 $oHeadPublisher = & headPublisher::getSingleton();

workflow/engine/methods/setup/loginSettings.php

@@ -21,6 +21,9 @@
  * For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
  * Coral Gables, FL, 33134, USA, or email info@colosa.com.
  */
+global $RBAC;
+$RBAC->requirePermissions( 'PM_SETUP' );
+ 
 G::loadClass( 'configuration' );
 $oConf = new Configurations();
 

workflow/engine/methods/setup/pluginsMain.php

@@ -21,6 +21,8 @@
  * For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
  * Coral Gables, FL, 33134, USA, or email info@colosa.com.
  */
+global $RBAC;
+$RBAC->requirePermissions( 'PM_SETUP' );
 
 $headPublisher = & headPublisher::getSingleton();
 $headPublisher->addExtJsScript( 'setup/pluginsMain', false );

workflow/engine/methods/setup/processHeartBeatConfig.php

@@ -21,6 +21,9 @@
  * For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
  * Coral Gables, FL, 33134, USA, or email info@colosa.com.
  */
+global $RBAC;
+$RBAC->requirePermissions( 'PM_SETUP' );
+
 $oHeadPublisher = & headPublisher::getSingleton();
 G::LoadClass( 'serverConfiguration' );
 $oServerConf = & serverConf::getSingleton();

workflow/engine/methods/setup/systemInfo.php

@@ -1,4 +1,7 @@
 <?php
+global $RBAC;
+$RBAC->requirePermissions( 'PM_SETUP' );
+
 $option = (isset($_GET["option"]))? $_GET["option"] : null;
 
 switch ($option) {