PM-3376 "REST endpoint PUT users, groups,..." SOLVED

> Code Isuue:
  0018011: Security hole:REST endpoints for users,groups,departments & roles do not check if logged-in user has PM_USERS permission in role
> Solution:
  Se agrega validacion en el siguiente Endpoint cuando se utiliza el servicio REST, el mismo mostrara un mensaje indicando
  que el usuario no esta autorizado para realizar la accion.

rbac/engine/classes/model/Roles.php

@@ -269,7 +269,11 @@ class Roles extends BaseRoles {
                 $con->commit();
                 $this->setRolName($rol_name);
                 $status = $fields['ROL_STATUS'] = 1 ? 'ACTIVE' : 'INACTIVE';
-                G::auditLog("UpdateRole", "Role Name: ".$rol_name." - Role ID: (".$fields['ROL_UID'].") - Role Code: ".$fields['ROL_CODE']." - Role Status: ".$status);
+
+                $rolCode = (isset($fields["ROL_CODE"]))? "- Role Code: " . $fields["ROL_CODE"] : "";
+
+                G::auditLog("UpdateRole", "Role Name: " . $rol_name . " - Role ID: (".$fields['ROL_UID'].") " . $rolCode . " - Role Status: ".$status);
+
                 return $result;
             } else {
                 $con->rollback();

workflow/engine/src/ProcessMaker/Services/Api/Department.php

@@ -16,13 +16,30 @@ use \Luracast\Restler\RestException;
 class Department extends Api
 {
     /**
-     * @access public
+     * Constructor of the class
-     * @author Brayan Pereyra (Cochalo) <brayan@colosa.com>
+     *
-     * @copyright Colosa - Bolivia
+     * return void
+     */
+    public function __construct()
+    {
+        try {
+            $user = new \ProcessMaker\BusinessModel\User();
+
+            $usrUid = $this->getUserId();
+
+            if (!$user->checkPermission($usrUid, "PM_USERS")) {
+                throw new \Exception(\G::LoadTranslation("ID_USER_NOT_HAVE_PERMISSION", array($usrUid)));
+            }
+        } catch (\Exception $e) {
+            throw new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage());
+        }
+    }
+
+    /**
+     * @url GET
      *
      * @return array
      *
-     * @url GET
      */
     public function doGetDepartments()
     {
@@ -36,15 +53,12 @@ class Department extends Api
     }
 
     /**
-     * @param string $dep_uid {@min 1}{@max 32}
+     * @url GET /:dep_uid/assigned-user
      *
-     * @access public
+     * @param string $dep_uid {@min 1}{@max 32}
-     * @author Brayan Pereyra (Cochalo) <brayan@colosa.com>
-     * @copyright Colosa - Bolivia
      *
      * @return array
      *
-     * @url GET /:dep_uid/assigned-user
      */
     public function doGetAssignedUser($dep_uid)
     {
@@ -58,18 +72,15 @@ class Department extends Api
     }
 
     /**
+     * @url GET /:dep_uid/available-user
+     *
      * @param string $dep_uid {@min 1}{@max 32}
      * @param string $start   {@from path}
      * @param string $limit   {@from path}
      * @param string $search  {@from path}
      *
-     * @access public
-     * @author Brayan Pereyra (Cochalo) <brayan@colosa.com>
-     * @copyright Colosa - Bolivia
-     *
      * @return array
      *
-     * @url GET /:dep_uid/available-user
      */
     public function doGetAvailableUser($dep_uid, $start = 0, $limit = 0, $search = '')
     {
@@ -89,6 +100,7 @@ class Department extends Api
      * @param array  $request_data
      *
      * @status 201
+     *
      */
     public function doPostAssignUser($dep_uid, array $request_data)
     {
@@ -102,16 +114,13 @@ class Department extends Api
     }
 
     /**
+     * @url PUT /:dep_uid/unassign-user/:usr_uid
+     *
      * @param string $dep_uid {@min 1}{@max 32}
      * @param string $usr_uid {@min 1}{@max 32}
      *
-     * @access public
-     * @author Brayan Pereyra (Cochalo) <brayan@colosa.com>
-     * @copyright Colosa - Bolivia
-     *
      * @return array
      *
-     * @url PUT /:dep_uid/unassign-user/:usr_uid
      */
     public function doPutUnassignUser($dep_uid, $usr_uid)
     {
@@ -125,16 +134,13 @@ class Department extends Api
     }
 
     /**
+     * @url PUT /:dep_uid/set-manager/:usr_uid
+     *
      * @param string $dep_uid {@min 1}{@max 32}
      * @param string $usr_uid {@min 1}{@max 32}
      *
-     * @access public
-     * @author Brayan Pereyra (Cochalo) <brayan@colosa.com>
-     * @copyright Colosa - Bolivia
-     *
      * @return array
      *
-     * @url PUT /:dep_uid/set-manager/:usr_uid
      */
     public function doPutSetManager($dep_uid, $usr_uid)
     {
@@ -148,15 +154,12 @@ class Department extends Api
     }
 
     /**
-     * @param string $dep_uid {@min 1}{@max 32}
+     * @url GET /:dep_uid
      *
-     * @access public
+     * @param string $dep_uid {@min 1}{@max 32}
-     * @author Brayan Pereyra (Cochalo) <brayan@colosa.com>
-     * @copyright Colosa - Bolivia
      *
      * @return array
      *
-     * @url GET /:dep_uid
      */
     public function doGetDepartment($dep_uid)
     {
@@ -170,17 +173,15 @@ class Department extends Api
     }
 
     /**
+     * @url POST
+     *
      * @param array $request_data
      * @param string $dep_title {@from body} {@min 1}
      *
-     * @access public
-     * @author Brayan Pereyra (Cochalo) <brayan@colosa.com>
-     * @copyright Colosa - Bolivia
-     *
      * @return array
      *
-     * @url POST
      * @status 201
+     *
      */
     public function doPost($request_data, $dep_title)
     {
@@ -194,17 +195,11 @@ class Department extends Api
     }
 
     /**
-     * @param string $dep_uid {@min 1}{@max 32}
+     * @url PUT /:dep_uid
      *
+     * @param string $dep_uid      {@min 1}{@max 32}
      * @param array  $request_data
      *
-     * @access public
-     * @author Brayan Pereyra (Cochalo) <brayan@colosa.com>
-     * @copyright Colosa - Bolivia
-     *
-     * @return array
-     *
-     * @url PUT /:dep_uid
      */
     public function doPut($dep_uid, $request_data)
     {
@@ -212,22 +207,18 @@ class Department extends Api
             $request_data['dep_uid'] = $dep_uid;
             $oDepartment = new \ProcessMaker\BusinessModel\Department();
             $response = $oDepartment->saveDepartment($request_data, false);
-            return $response;
         } catch (\Exception $e) {
             throw (new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage()));
         }
     }
 
     /**
-     * @param string $dep_uid {@min 1}{@max 32}
+     * @url DELETE /:dep_uid
      *
-     * @access public
+     * @param string $dep_uid {@min 1}{@max 32}
-     * @author Brayan Pereyra (Cochalo) <brayan@colosa.com>
-     * @copyright Colosa - Bolivia
      *
      * @return array
      *
-     * @url DELETE /:dep_uid
      */
     public function doDelete($dep_uid)
     {

workflow/engine/src/ProcessMaker/Services/Api/Group.php

@@ -11,6 +11,26 @@ use \Luracast\Restler\RestException;
  */
 class Group extends Api
 {
+    /**
+     * Constructor of the class
+     *
+     * return void
+     */
+    public function __construct()
+    {
+        try {
+            $user = new \ProcessMaker\BusinessModel\User();
+
+            $usrUid = $this->getUserId();
+
+            if (!$user->checkPermission($usrUid, "PM_USERS")) {
+                throw new \Exception(\G::LoadTranslation("ID_USER_NOT_HAVE_PERMISSION", array($usrUid)));
+            }
+        } catch (\Exception $e) {
+            throw new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage());
+        }
+    }
+
     /**
      * @url GET
      */

workflow/engine/src/ProcessMaker/Services/Api/Role.php

@@ -21,6 +21,14 @@ class Role extends Api
     public function __construct()
     {
         try {
+            $user = new \ProcessMaker\BusinessModel\User();
+
+            $usrUid = $this->getUserId();
+
+            if (!$user->checkPermission($usrUid, "PM_USERS")) {
+                throw new \Exception(\G::LoadTranslation("ID_USER_NOT_HAVE_PERMISSION", array($usrUid)));
+            }
+
             $this->role = new \ProcessMaker\BusinessModel\Role();
 
             $this->role->setFormatFieldNameInUppercase(false);

workflow/engine/src/ProcessMaker/Services/Api/User.php

@@ -11,6 +11,26 @@ use \Luracast\Restler\RestException;
  */
 class User extends Api
 {
+    /**
+     * Constructor of the class
+     *
+     * return void
+     */
+    public function __construct()
+    {
+        try {
+            $user = new \ProcessMaker\BusinessModel\User();
+
+            $usrUid = $this->getUserId();
+
+            if (!$user->checkPermission($usrUid, "PM_USERS")) {
+                throw new \Exception(\G::LoadTranslation("ID_USER_NOT_HAVE_PERMISSION", array($usrUid)));
+            }
+        } catch (\Exception $e) {
+            throw new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage());
+        }
+    }
+
     /**
      * @url GET
      * @param string $filter