PM-3376 "REST endpoint PUT users, groups,..." SOLVED

> Code Issue:
  0018011: Security hole: REST endpoints for users, groups, departments & roles do not check if the logged-in user has the PM_USERS permission in their role
> Solution:
  Se agrega validación en el siguiente Endpoint cuando se utiliza el servicio REST, el mismo mostrará un mensaje indicando
  que el usuario no está autorizado para realizar la acción.
This commit is contained in:
Luis Fernando Saisa Lopez
2015-09-04 16:51:19 -04:00
parent 1ff106ed23
commit 45eb00d3c0
5 changed files with 97 additions and 54 deletions


@@ -269,7 +269,11 @@ class Roles extends BaseRoles {
$con->commit(); $con->commit();
$this->setRolName($rol_name); $this->setRolName($rol_name);
$status = $fields['ROL_STATUS'] = 1 ? 'ACTIVE' : 'INACTIVE'; $status = $fields['ROL_STATUS'] = 1 ? 'ACTIVE' : 'INACTIVE';
G::auditLog("UpdateRole", "Role Name: ".$rol_name." - Role ID: (".$fields['ROL_UID'].") - Role Code: ".$fields['ROL_CODE']." - Role Status: ".$status);
$rolCode = (isset($fields["ROL_CODE"]))? "- Role Code: " . $fields["ROL_CODE"] : "";
G::auditLog("UpdateRole", "Role Name: " . $rol_name . " - Role ID: (".$fields['ROL_UID'].") " . $rolCode . " - Role Status: ".$status);
return $result; return $result;
} else { } else {
$con->rollback(); $con->rollback();
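Review bot: The audit entry written on the new `G::auditLog("UpdateRole", ...)` line reports a status that comes from `$status = $fields['ROL_STATUS'] = 1 ? 'ACTIVE' : 'INACTIVE';` two lines above, which is an assignment rather than a comparison: the ternary is evaluated first, so `$status` is always 'ACTIVE' and `$fields['ROL_STATUS']` is overwritten with that string. The audit trail therefore never records an inactive role, which undermines it as evidence for later review; the line presumably meant `$status = ((int) $fields['ROL_STATUS'] === 1) ? 'ACTIVE' : 'INACTIVE';`. Whether the clobbered `$fields['ROL_STATUS']` is read again after this point is not visible here. The new line also indexes `$fields['ROL_UID']` unguarded while `ROL_CODE` is protected by an `isset` check; if that field can be absent, guard it the same way. The enclosing method starts and ends outside the hunk.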


@@ -16,13 +16,30 @@ use \Luracast\Restler\RestException;
class Department extends Api class Department extends Api
{ {
/** /**
* @access public * Constructor of the class
* @author Brayan Pereyra (Cochalo) <brayan@colosa.com> *
* @copyright Colosa - Bolivia * return void
*/
public function __construct()
{
try {
$user = new \ProcessMaker\BusinessModel\User();
$usrUid = $this->getUserId();
if (!$user->checkPermission($usrUid, "PM_USERS")) {
throw new \Exception(\G::LoadTranslation("ID_USER_NOT_HAVE_PERMISSION", array($usrUid)));
}
} catch (\Exception $e) {
throw new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage());
}
}
/**
* @url GET
* *
* @return array * @return array
* *
* @url GET
*/ */
public function doGetDepartments() public function doGetDepartments()
{ {
@@ -36,15 +53,12 @@ class Department extends Api
} }
/** /**
* @param string $dep_uid {@min 1}{@max 32} * @url GET /:dep_uid/assigned-user
* *
* @access public * @param string $dep_uid {@min 1}{@max 32}
* @author Brayan Pereyra (Cochalo) <brayan@colosa.com>
* @copyright Colosa - Bolivia
* *
* @return array * @return array
* *
* @url GET /:dep_uid/assigned-user
*/ */
public function doGetAssignedUser($dep_uid) public function doGetAssignedUser($dep_uid)
{ {
@@ -58,18 +72,15 @@ class Department extends Api
} }
/** /**
* @param string $dep_uid {@min 1}{@max 32} * @url GET /:dep_uid/available-user
* @param string $start {@from path}
* @param string $limit {@from path}
* @param string $search {@from path}
* *
* @access public * @param string $dep_uid {@min 1}{@max 32}
* @author Brayan Pereyra (Cochalo) <brayan@colosa.com> * @param string $start {@from path}
* @copyright Colosa - Bolivia * @param string $limit {@from path}
* @param string $search {@from path}
* *
* @return array * @return array
* *
* @url GET /:dep_uid/available-user
*/ */
public function doGetAvailableUser($dep_uid, $start = 0, $limit = 0, $search = '') public function doGetAvailableUser($dep_uid, $start = 0, $limit = 0, $search = '')
{ {
@@ -89,6 +100,7 @@ class Department extends Api
* @param array $request_data * @param array $request_data
* *
* @status 201 * @status 201
*
*/ */
public function doPostAssignUser($dep_uid, array $request_data) public function doPostAssignUser($dep_uid, array $request_data)
{ {
@@ -102,16 +114,13 @@ class Department extends Api
} }
/** /**
* @url PUT /:dep_uid/unassign-user/:usr_uid
*
* @param string $dep_uid {@min 1}{@max 32} * @param string $dep_uid {@min 1}{@max 32}
* @param string $usr_uid {@min 1}{@max 32} * @param string $usr_uid {@min 1}{@max 32}
* *
* @access public
* @author Brayan Pereyra (Cochalo) <brayan@colosa.com>
* @copyright Colosa - Bolivia
*
* @return array * @return array
* *
* @url PUT /:dep_uid/unassign-user/:usr_uid
*/ */
public function doPutUnassignUser($dep_uid, $usr_uid) public function doPutUnassignUser($dep_uid, $usr_uid)
{ {
@@ -125,16 +134,13 @@ class Department extends Api
} }
/** /**
* @url PUT /:dep_uid/set-manager/:usr_uid
*
* @param string $dep_uid {@min 1}{@max 32} * @param string $dep_uid {@min 1}{@max 32}
* @param string $usr_uid {@min 1}{@max 32} * @param string $usr_uid {@min 1}{@max 32}
* *
* @access public
* @author Brayan Pereyra (Cochalo) <brayan@colosa.com>
* @copyright Colosa - Bolivia
*
* @return array * @return array
* *
* @url PUT /:dep_uid/set-manager/:usr_uid
*/ */
public function doPutSetManager($dep_uid, $usr_uid) public function doPutSetManager($dep_uid, $usr_uid)
{ {
@@ -148,15 +154,12 @@ class Department extends Api
} }
/** /**
* @param string $dep_uid {@min 1}{@max 32} * @url GET /:dep_uid
* *
* @access public * @param string $dep_uid {@min 1}{@max 32}
* @author Brayan Pereyra (Cochalo) <brayan@colosa.com>
* @copyright Colosa - Bolivia
* *
* @return array * @return array
* *
* @url GET /:dep_uid
*/ */
public function doGetDepartment($dep_uid) public function doGetDepartment($dep_uid)
{ {
@@ -170,17 +173,15 @@ class Department extends Api
} }
/** /**
* @url POST
*
* @param array $request_data * @param array $request_data
* @param string $dep_title {@from body} {@min 1} * @param string $dep_title {@from body} {@min 1}
* *
* @access public
* @author Brayan Pereyra (Cochalo) <brayan@colosa.com>
* @copyright Colosa - Bolivia
*
* @return array * @return array
* *
* @url POST
* @status 201 * @status 201
*
*/ */
public function doPost($request_data, $dep_title) public function doPost($request_data, $dep_title)
{ {
@@ -194,17 +195,11 @@ class Department extends Api
} }
/** /**
* @param string $dep_uid {@min 1}{@max 32}
*
* @param array $request_data
*
* @access public
* @author Brayan Pereyra (Cochalo) <brayan@colosa.com>
* @copyright Colosa - Bolivia
*
* @return array
*
* @url PUT /:dep_uid * @url PUT /:dep_uid
*
* @param string $dep_uid {@min 1}{@max 32}
* @param array $request_data
*
*/ */
public function doPut($dep_uid, $request_data) public function doPut($dep_uid, $request_data)
{ {
@@ -212,22 +207,18 @@ class Department extends Api
$request_data['dep_uid'] = $dep_uid; $request_data['dep_uid'] = $dep_uid;
$oDepartment = new \ProcessMaker\BusinessModel\Department(); $oDepartment = new \ProcessMaker\BusinessModel\Department();
$response = $oDepartment->saveDepartment($request_data, false); $response = $oDepartment->saveDepartment($request_data, false);
return $response;
} catch (\Exception $e) { } catch (\Exception $e) {
throw (new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage())); throw (new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage()));
} }
} }
/** /**
* @param string $dep_uid {@min 1}{@max 32} * @url DELETE /:dep_uid
* *
* @access public * @param string $dep_uid {@min 1}{@max 32}
* @author Brayan Pereyra (Cochalo) <brayan@colosa.com>
* @copyright Colosa - Bolivia
* *
* @return array * @return array
* *
* @url DELETE /:dep_uid
*/ */
public function doDelete($dep_uid) public function doDelete($dep_uid)
{ {
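Review bot: The new constructor in the first hunk folds an authorization denial into the generic `catch (\Exception $e)` and re-throws it as `RestException(Api::STAT_APP_EXCEPTION, ...)`, the same status used for any application error, so clients, tests and monitoring cannot tell a missing PM_USERS permission from a failed lookup; an authorization failure should surface as HTTP 403. Keep the try/catch for the lookup itself and raise the 403 outside it, as below; the same shape is repeated in the Group (`class Group extends Api`) and User (`class User extends Api`) constructors, and in the Role constructor the check is added inside an existing try whose catch lies outside the hunk, so the same re-wrapping presumably applies there. The docblock line `* return void` in all three new constructors is missing the `@` and should read `* @return void`. The numeric value of STAT_APP_EXCEPTION is not visible here.
```php
    public function __construct()
    {
        try {
            $user = new \ProcessMaker\BusinessModel\User();
            $usrUid = $this->getUserId();
            $hasPermission = $user->checkPermission($usrUid, "PM_USERS");
        } catch (\Exception $e) {
            throw new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage());
        }
        if (!$hasPermission) {
            // Authorization failure: 403 so it is distinguishable from an application error.
            throw new RestException(403, \G::LoadTranslation("ID_USER_NOT_HAVE_PERMISSION", array($usrUid)));
        }
    }
```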


@@ -11,6 +11,26 @@ use \Luracast\Restler\RestException;
*/ */
class Group extends Api class Group extends Api
{ {
/**
* Constructor of the class
*
* return void
*/
public function __construct()
{
try {
$user = new \ProcessMaker\BusinessModel\User();
$usrUid = $this->getUserId();
if (!$user->checkPermission($usrUid, "PM_USERS")) {
throw new \Exception(\G::LoadTranslation("ID_USER_NOT_HAVE_PERMISSION", array($usrUid)));
}
} catch (\Exception $e) {
throw new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage());
}
}
/** /**
* @url GET * @url GET
*/ */


@@ -21,6 +21,14 @@ class Role extends Api
public function __construct() public function __construct()
{ {
try { try {
$user = new \ProcessMaker\BusinessModel\User();
$usrUid = $this->getUserId();
if (!$user->checkPermission($usrUid, "PM_USERS")) {
throw new \Exception(\G::LoadTranslation("ID_USER_NOT_HAVE_PERMISSION", array($usrUid)));
}
$this->role = new \ProcessMaker\BusinessModel\Role(); $this->role = new \ProcessMaker\BusinessModel\Role();
$this->role->setFormatFieldNameInUppercase(false); $this->role->setFormatFieldNameInUppercase(false);


@@ -11,6 +11,26 @@ use \Luracast\Restler\RestException;
*/ */
class User extends Api class User extends Api
{ {
/**
* Constructor of the class
*
* return void
*/
public function __construct()
{
try {
$user = new \ProcessMaker\BusinessModel\User();
$usrUid = $this->getUserId();
if (!$user->checkPermission($usrUid, "PM_USERS")) {
throw new \Exception(\G::LoadTranslation("ID_USER_NOT_HAVE_PERMISSION", array($usrUid)));
}
} catch (\Exception $e) {
throw new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage());
}
}
/** /**
* @url GET * @url GET
* @param string $filter * @param string $filter