PM-3376 "REST endpoint PUT users, groups,..." SOLVED

> Code Isuue: 0018011: Security hole:REST endpoints for users,groups,departments & roles do not check if logged-in user has PM_USERS permission in role > Solution: Se agrega validacion en el siguiente Endpoint cuando se utiliza el servicio REST, el mismo mostrara un mensaje indicando que el usuario no esta autorizado para realizar la accion.
2015-09-04 16:51:19 -04:00
parent 1ff106ed23
commit 45eb00d3c0
5 changed files with 97 additions and 54 deletions
--- a/rbac/engine/classes/model/Roles.php
+++ b/rbac/engine/classes/model/Roles.php
@@ -269,7 +269,11 @@ class Roles extends BaseRoles {
                $con->commit();
                $this->setRolName($rol_name);
                $status = $fields['ROL_STATUS'] = 1 ? 'ACTIVE' : 'INACTIVE';
-                G::auditLog("UpdateRole", "Role Name: ".$rol_name." - Role ID: (".$fields['ROL_UID'].") - Role Code: ".$fields['ROL_CODE']." - Role Status: ".$status);
+
+                $rolCode = (isset($fields["ROL_CODE"]))? "- Role Code: " . $fields["ROL_CODE"] : "";
+
+                G::auditLog("UpdateRole", "Role Name: " . $rol_name . " - Role ID: (".$fields['ROL_UID'].") " . $rolCode . " - Role Status: ".$status);
+
                return $result;
            } else {
                $con->rollback();
--- a/workflow/engine/src/ProcessMaker/Services/Api/Department.php
+++ b/workflow/engine/src/ProcessMaker/Services/Api/Department.php
@@ -16,13 +16,30 @@ use \Luracast\Restler\RestException;
 class Department extends Api
 {
    /**
-     * @access public
-     * @author Brayan Pereyra (Cochalo) <brayan@colosa.com>
-     * @copyright Colosa - Bolivia
+     * Constructor of the class
+     *
+     * return void
+     */
+    public function __construct()
+    {
+        try {
+            $user = new \ProcessMaker\BusinessModel\User();
+
+            $usrUid = $this->getUserId();
+
+            if (!$user->checkPermission($usrUid, "PM_USERS")) {
+                throw new \Exception(\G::LoadTranslation("ID_USER_NOT_HAVE_PERMISSION", array($usrUid)));
+            }
+        } catch (\Exception $e) {
+            throw new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage());
+        }
+    }
+
+    /**
+     * @url GET
     *
     * @return array
     *
-     * @url GET
     */
    public function doGetDepartments()
    {
@@ -36,15 +53,12 @@ class Department extends Api
    }

    /**
-     * @param string $dep_uid {@min 1}{@max 32}
+     * @url GET /:dep_uid/assigned-user
     *
-     * @access public
-     * @author Brayan Pereyra (Cochalo) <brayan@colosa.com>
-     * @copyright Colosa - Bolivia
+     * @param string $dep_uid {@min 1}{@max 32}
     *
     * @return array
     *
-     * @url GET /:dep_uid/assigned-user
     */
    public function doGetAssignedUser($dep_uid)
    {
@@ -58,18 +72,15 @@ class Department extends Api
    }

    /**
+     * @url GET /:dep_uid/available-user
+     *
     * @param string $dep_uid {@min 1}{@max 32}
     * @param string $start   {@from path}
     * @param string $limit   {@from path}
     * @param string $search  {@from path}
     *
-     * @access public
-     * @author Brayan Pereyra (Cochalo) <brayan@colosa.com>
-     * @copyright Colosa - Bolivia
-     *
     * @return array
     *
-     * @url GET /:dep_uid/available-user
     */
    public function doGetAvailableUser($dep_uid, $start = 0, $limit = 0, $search = '')
    {
@@ -89,6 +100,7 @@ class Department extends Api
     * @param array  $request_data
     *
     * @status 201
+     *
     */
    public function doPostAssignUser($dep_uid, array $request_data)
    {
@@ -102,16 +114,13 @@ class Department extends Api
    }

    /**
+     * @url PUT /:dep_uid/unassign-user/:usr_uid
+     *
     * @param string $dep_uid {@min 1}{@max 32}
     * @param string $usr_uid {@min 1}{@max 32}
     *
-     * @access public
-     * @author Brayan Pereyra (Cochalo) <brayan@colosa.com>
-     * @copyright Colosa - Bolivia
-     *
     * @return array
     *
-     * @url PUT /:dep_uid/unassign-user/:usr_uid
     */
    public function doPutUnassignUser($dep_uid, $usr_uid)
    {
@@ -125,16 +134,13 @@ class Department extends Api
    }

    /**
+     * @url PUT /:dep_uid/set-manager/:usr_uid
+     *
     * @param string $dep_uid {@min 1}{@max 32}
     * @param string $usr_uid {@min 1}{@max 32}
     *
-     * @access public
-     * @author Brayan Pereyra (Cochalo) <brayan@colosa.com>
-     * @copyright Colosa - Bolivia
-     *
     * @return array
     *
-     * @url PUT /:dep_uid/set-manager/:usr_uid
     */
    public function doPutSetManager($dep_uid, $usr_uid)
    {
@@ -148,15 +154,12 @@ class Department extends Api
    }

    /**
-     * @param string $dep_uid {@min 1}{@max 32}
+     * @url GET /:dep_uid
     *
-     * @access public
-     * @author Brayan Pereyra (Cochalo) <brayan@colosa.com>
-     * @copyright Colosa - Bolivia
+     * @param string $dep_uid {@min 1}{@max 32}
     *
     * @return array
     *
-     * @url GET /:dep_uid
     */
    public function doGetDepartment($dep_uid)
    {
@@ -170,17 +173,15 @@ class Department extends Api
    }

    /**
+     * @url POST
+     *
     * @param array $request_data
     * @param string $dep_title {@from body} {@min 1}
     *
-     * @access public
-     * @author Brayan Pereyra (Cochalo) <brayan@colosa.com>
-     * @copyright Colosa - Bolivia
-     *
     * @return array
     *
-     * @url POST
     * @status 201
+     *
     */
    public function doPost($request_data, $dep_title)
    {
@@ -194,17 +195,11 @@ class Department extends Api
    }

    /**
-     * @param string $dep_uid {@min 1}{@max 32}
+     * @url PUT /:dep_uid
     *
+     * @param string $dep_uid      {@min 1}{@max 32}
     * @param array  $request_data
     *
-     * @access public
-     * @author Brayan Pereyra (Cochalo) <brayan@colosa.com>
-     * @copyright Colosa - Bolivia
-     *
-     * @return array
-     *
-     * @url PUT /:dep_uid
     */
    public function doPut($dep_uid, $request_data)
    {
@@ -212,22 +207,18 @@ class Department extends Api
            $request_data['dep_uid'] = $dep_uid;
            $oDepartment = new \ProcessMaker\BusinessModel\Department();
            $response = $oDepartment->saveDepartment($request_data, false);
-            return $response;
        } catch (\Exception $e) {
            throw (new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage()));
        }
    }

    /**
-     * @param string $dep_uid {@min 1}{@max 32}
+     * @url DELETE /:dep_uid
     *
-     * @access public
-     * @author Brayan Pereyra (Cochalo) <brayan@colosa.com>
-     * @copyright Colosa - Bolivia
+     * @param string $dep_uid {@min 1}{@max 32}
     *
     * @return array
     *
-     * @url DELETE /:dep_uid
     */
    public function doDelete($dep_uid)
    {
--- a/workflow/engine/src/ProcessMaker/Services/Api/Group.php
+++ b/workflow/engine/src/ProcessMaker/Services/Api/Group.php
@@ -11,6 +11,26 @@ use \Luracast\Restler\RestException;
 */
 class Group extends Api
 {
+    /**
+     * Constructor of the class
+     *
+     * return void
+     */
+    public function __construct()
+    {
+        try {
+            $user = new \ProcessMaker\BusinessModel\User();
+
+            $usrUid = $this->getUserId();
+
+            if (!$user->checkPermission($usrUid, "PM_USERS")) {
+                throw new \Exception(\G::LoadTranslation("ID_USER_NOT_HAVE_PERMISSION", array($usrUid)));
+            }
+        } catch (\Exception $e) {
+            throw new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage());
+        }
+    }
+
    /**
     * @url GET
     */
--- a/workflow/engine/src/ProcessMaker/Services/Api/Role.php
+++ b/workflow/engine/src/ProcessMaker/Services/Api/Role.php
@@ -21,6 +21,14 @@ class Role extends Api
    public function __construct()
    {
        try {
+            $user = new \ProcessMaker\BusinessModel\User();
+
+            $usrUid = $this->getUserId();
+
+            if (!$user->checkPermission($usrUid, "PM_USERS")) {
+                throw new \Exception(\G::LoadTranslation("ID_USER_NOT_HAVE_PERMISSION", array($usrUid)));
+            }
+
            $this->role = new \ProcessMaker\BusinessModel\Role();

            $this->role->setFormatFieldNameInUppercase(false);
--- a/workflow/engine/src/ProcessMaker/Services/Api/User.php
+++ b/workflow/engine/src/ProcessMaker/Services/Api/User.php
@@ -11,6 +11,26 @@ use \Luracast\Restler\RestException;
 */
 class User extends Api
 {
+    /**
+     * Constructor of the class
+     *
+     * return void
+     */
+    public function __construct()
+    {
+        try {
+            $user = new \ProcessMaker\BusinessModel\User();
+
+            $usrUid = $this->getUserId();
+
+            if (!$user->checkPermission($usrUid, "PM_USERS")) {
+                throw new \Exception(\G::LoadTranslation("ID_USER_NOT_HAVE_PERMISSION", array($usrUid)));
+            }
+        } catch (\Exception $e) {
+            throw new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage());
+        }
+    }
+
    /**
     * @url GET
     * @param string $filter