PM-3376 "REST endpoint PUT users, groups,..." SOLVED

> Code Isuue: 0018011: Security hole:REST endpoints for users,groups,departments & roles do not check if logged-in user has PM_USERS permission in role > Solution: Se agrega validacion en el siguiente Endpoint cuando se utiliza el servicio REST, el mismo mostrara un mensaje indicando que el usuario no esta autorizado para realizar la accion.
2015-09-04 16:51:19 -04:00
parent 1ff106ed23
commit 45eb00d3c0
5 changed files with 97 additions and 54 deletions
--- a/workflow/engine/src/ProcessMaker/Services/Api/User.php
+++ b/workflow/engine/src/ProcessMaker/Services/Api/User.php
@@ -11,6 +11,26 @@ use \Luracast\Restler\RestException;
 */
 class User extends Api
 {
+    /**
+     * Constructor of the class
+     *
+     * return void
+     */
+    public function __construct()
+    {
+        try {
+            $user = new \ProcessMaker\BusinessModel\User();
+
+            $usrUid = $this->getUserId();
+
+            if (!$user->checkPermission($usrUid, "PM_USERS")) {
+                throw new \Exception(\G::LoadTranslation("ID_USER_NOT_HAVE_PERMISSION", array($usrUid)));
+            }
+        } catch (\Exception $e) {
+            throw new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage());
+        }
+    }
+
    /**
     * @url GET
     * @param string $filter