diff --git a/gulliver/bin/tasks/templates/pluginClass.tpl b/gulliver/bin/tasks/templates/pluginClass.tpl index 1cc103337..64e9de169 100644 --- a/gulliver/bin/tasks/templates/pluginClass.tpl +++ b/gulliver/bin/tasks/templates/pluginClass.tpl @@ -83,7 +83,6 @@ $_DBArray['users'] = $aUsers; $_SESSION['_DBArray'] = $_DBArray; -; $oCriteria = new Criteria('dbarray'); $oCriteria->setDBArrayTable('users'); $oCriteria->addDescendingOrderByColumn('USR_USERNAME'); diff --git a/gulliver/bin/tasks/templates/pluginMainFile.tpl b/gulliver/bin/tasks/templates/pluginMainFile.tpl index 0128ee1dc..b1b438ca3 100644 --- a/gulliver/bin/tasks/templates/pluginMainFile.tpl +++ b/gulliver/bin/tasks/templates/pluginMainFile.tpl @@ -1,5 +1,4 @@ userCanAccess("PM_CASES"))!=1) return $RBAC_Response; /* Includes */ -; -; /* GET , POST & $_SESSION Vars */ $conf = new Configurations(); diff --git a/gulliver/bin/tasks/templates/pluginStep.tpl b/gulliver/bin/tasks/templates/pluginStep.tpl index 9626e1149..0dae49698 100644 --- a/gulliver/bin/tasks/templates/pluginStep.tpl +++ b/gulliver/bin/tasks/templates/pluginStep.tpl @@ -1,5 +1,4 @@ setDBArrayTable('user'); //$c->add ( 'user.age', 122 , Criteria::GREATER_EQUAL ); diff --git a/gulliver/bin/tasks/templates/skinPluginMainClass.tpl b/gulliver/bin/tasks/templates/skinPluginMainClass.tpl index 5f16a8bb0..a2ff85666 100644 --- a/gulliver/bin/tasks/templates/skinPluginMainClass.tpl +++ b/gulliver/bin/tasks/templates/skinPluginMainClass.tpl @@ -4,8 +4,6 @@ * */ -; - class {className}Plugin extends PMPlugin { function {className}Plugin($sNamespace, $sFilename = null) { diff --git a/gulliver/bin/tasks/templates/sysGeneric.php.tpl b/gulliver/bin/tasks/templates/sysGeneric.php.tpl index f004d854c..abe03b7fd 100644 --- a/gulliver/bin/tasks/templates/sysGeneric.php.tpl +++ b/gulliver/bin/tasks/templates/sysGeneric.php.tpl 
@@ -198,7 +198,7 @@ $docuroot = explode ( PATH_SEP , $_SERVER['DOCUMENT_ROOT'] ); //***************** Plugins ************************** -; + // //here we are loading all plugins registered // //the singleton has a list of enabled plugins diff --git a/gulliver/bin/tasks/templates/usersList.php.tpl b/gulliver/bin/tasks/templates/usersList.php.tpl index 38bd54af5..4983ba6c5 100644 --- a/gulliver/bin/tasks/templates/usersList.php.tpl +++ b/gulliver/bin/tasks/templates/usersList.php.tpl @@ -21,7 +21,7 @@ $G_ID_SUB_MENU_SELECTED = 'USERS'; $_DBArray['user'] = $rows; $_SESSION['_DBArray'] = $_DBArray; -; + $c = new Criteria ('dbarray'); $c->setDBArrayTable('user'); diff --git a/gulliver/bin/tasks/templates/welcome.php.tpl b/gulliver/bin/tasks/templates/welcome.php.tpl index bf7a94c94..b5e180c61 100644 --- a/gulliver/bin/tasks/templates/welcome.php.tpl +++ b/gulliver/bin/tasks/templates/welcome.php.tpl @@ -23,7 +23,6 @@ $_DBArray['user'] = $rows; $_SESSION['_DBArray'] = $_DBArray; //krumo ( $_DBArray ); -; $c = new Criteria ('dbarray'); $c->setDBArrayTable('user'); //$c->add ( 'user.age', 122 , Criteria::GREATER_EQUAL ); diff --git a/gulliver/js/grid/core/grid.js b/gulliver/js/grid/core/grid.js index b386a0120..f1e4eebd7 100644 --- a/gulliver/js/grid/core/grid.js +++ b/gulliver/js/grid/core/grid.js @@ -563,6 +563,7 @@ var G_Grid = function(oForm, sGridName){ case 'textarea': //TEXTAREA aObjects = oNewRow.getElementsByTagName('td')[i].getElementsByTagName('textarea'); if (aObjects){ + aObjects[0].value = ''; aObjects[0].className = "module_app_input___gray"; newID = aObjects[0].id.replace(/\[1\]/g, '\[' + currentRow + '\]'); diff --git a/gulliver/methods/errors/block.php b/gulliver/methods/errors/block.php index 19b4a3106..05dd1aebe 100644 --- a/gulliver/methods/errors/block.php +++ b/gulliver/methods/errors/block.php 
@@ -3,7 +3,7 @@ if (function_exists("http_response_code")) { http_response_code(200); } -$http = (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") ? "https" : "http"; +$http = G::is_https() ? "https" : "http"; $host = $_SERVER["SERVER_NAME"] . (($_SERVER["SERVER_PORT"] != "80") ? ":" . $_SERVER["SERVER_PORT"] : ""); $urlLogin = $http . "://" . $host . "/sys/en/neoclassic/login/login"; diff --git a/gulliver/methods/errors/error403.php b/gulliver/methods/errors/error403.php index c47080475..bc91e6f9d 100644 --- a/gulliver/methods/errors/error403.php +++ b/gulliver/methods/errors/error403.php @@ -1,6 +1,6 @@ sQuoteCharacter . $sTable . $this->sQuoteCharacter . - ' ADD PRIMARY KEY (' . $this->sQuoteCharacter . $sColumn . $this->sQuoteCharacter . ')' . $this->sEndLine; - }*/ + if (isset( $aParameters['PrimaryKey'] ) && $aParameters['PrimaryKey']) { + $sSQL .= ' PRIMARY KEY'; + } + if (isset( $aParameters['Unique'] ) && $aParameters['Unique']) { + $sSQL .= ' UNIQUE'; + } + + //we need to check the property AI if (isset( $aParameters['AI'] )) { if ($aParameters['AI'] == 1) { $sSQL .= ' AUTO_INCREMENT'; diff --git a/gulliver/system/class.dbMaintenance.php b/gulliver/system/class.dbMaintenance.php index 496fd6e1c..c61de7110 100644 --- a/gulliver/system/class.dbMaintenance.php +++ b/gulliver/system/class.dbMaintenance.php @@ -49,6 +49,7 @@ class DataBaseMaintenance protected $tmpDir; protected $outfile; protected $infile; + protected $isWindows; /** * __construct @@ -64,7 +65,7 @@ class DataBaseMaintenance $this->tmpDir = './'; $this->link = null; $this->dbName = null; - + $this->isWindows = strtoupper(substr(PHP_OS, 0, 3)) === 'WIN'; if (isset( $host ) && isset( $user ) && isset( $passwd )) { $this->host = $host; $this->user = $user; 
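Review bot: The port suffix on the following line still compares `SERVER_PORT` only against `"80"`, so once `G::is_https()` selects the `https` scheme a standard TLS deployment produces `https://host:443/sys/en/neoclassic/login/login`. The default port should follow the scheme, e.g. `$defaultPort = ($http === 'https') ? '443' : '80';` and `$host = $_SERVER['SERVER_NAME'] . (($_SERVER['SERVER_PORT'] != $defaultPort) ? ':' . $_SERVER['SERVER_PORT'] : '');`. Whether `G::is_https()` also honours proxy headers such as `X-Forwarded-Proto` is not visible here; if it does, `SERVER_PORT` will be the backend port rather than the public one, which is one more reason to build the login URL from a configured base URL instead of request variables.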
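Review bot: `strtoupper(substr(PHP_OS, 0, 3)) === 'WIN'` works, but if the project already requires PHP 7.2 or later the dedicated constant reads more clearly: `$this->isWindows = PHP_OS_FAMILY === 'Windows';`. I can't see the minimum PHP version from this hunk, so keep the substring form if older versions must still be supported.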
@@ -399,13 +400,22 @@ class DataBaseMaintenance */ function backupDataBase ($outfile) { + $password = escapeshellarg($this->passwd); + + //On Windows, escapeshellarg() instead replaces percent signs, exclamation + //marks (delayed variable substitution) and double quotes with spaces and + //adds double quotes around the string. + //See: http://php.net/manual/en/function.escapeshellarg.php + if ($this->isWindows) { + $password = $this->escapeshellargCustom($this->passwd); + } $aHost = explode(':', $this->host); $dbHost = $aHost[0]; if (isset($aHost[1])) { $dbPort = $aHost[1]; $command = 'mysqldump' . ' --user=' . $this->user - . ' --password=' . escapeshellarg($this->passwd) + . ' --password=' . $password . ' --host=' . $dbHost . ' --port=' . $dbPort . ' --opt' 
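Review bot: Only the password is shell-escaped in the `mysqldump` command; `$this->user`, `$dbHost`, `$dbPort`, `$this->dbName` and `$outfile` are still concatenated raw into the string handed to `shell_exec()` (the `--user=` and `--host=` lines are visible in this hunk, the rest follows in the next one). Each operand should go through `escapeshellarg()` as well, e.g. `. ' --user=' . escapeshellarg($this->user)` and `. ' --host=' . escapeshellarg($dbHost)`, since a connection string or database name is configuration, not trusted code. Independently of escaping, `--password=` on the command line is visible to any local user through the process list; passing credentials through a `--defaults-extra-file` written with mode 0600 and removed after the dump avoids that exposure. backupDataBase() continues past the end of this hunk.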
@@ -418,13 +428,60 @@ class DataBaseMaintenance . ' --user=' . $this->user . ' --opt' . ' --skip-comments' - . ' --password=' . escapeshellarg($this->passwd) + . ' --password=' . $password . ' ' . $this->dbName . ' > ' . $outfile; } shell_exec($command); } + /** + * string escapeshellargCustom ( string $arg , character $quotes) + * + * escapeshellarg() adds single quotes around a string and quotes/escapes any + * existing single quotes allowing you to pass a string directly to a shell + * function and having it be treated as a single safe argument. This function + * should be used to escape individual arguments to shell functions coming + * from user input. The shell functions include exec(), system() and the + * backtick operator. + * + * On Windows, escapeshellarg() instead replaces percent signs, exclamation + * marks (delayed variable substitution) and double quotes with spaces and + * adds double quotes around the string. + */ + private function escapeshellargCustom($string, $quotes = "") + { + if ($quotes === "") { + $quotes = $this->isWindows ? "\"" : "'"; + } + $n = strlen($string); + $special = ["!", "%", "\""]; + $substring = ""; + $result1 = []; + $result2 = []; + for ($i = 0; $i < $n; $i++) { + if (in_array($string[$i], $special, true)) { + $result2[] = $string[$i]; + $result1[] = $substring; + $substring = ""; + } else { + $substring = $substring . $string[$i]; + } + } + $result1[] = $substring; + //Rebuild the password string + $n = count($result1); + for ($i = 0; $i < $n; $i++) { + $result1[$i] = trim(escapeshellarg($result1[$i]), $quotes); + if (isset($result2[$i])) { + $result1[$i] = $result1[$i] . $result2[$i]; + } + } + //add simple quotes, see escapeshellarg function + $newString = $quotes . implode("", $result1) . $quotes; + return $newString; + } + /** * restoreFromSql * diff --git a/gulliver/system/class.g.php b/gulliver/system/class.g.php index e628699c6..be7d5ce26 100644 --- a/gulliver/system/class.g.php +++ b/gulliver/system/class.g.php 
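Review bot: The helper re-inserts `"`, `%` and `!` verbatim inside the double-quoted argument it builds, which undoes exactly what `escapeshellarg()` neutralises on Windows: cmd.exe still expands `%NAME%` inside double quotes and a literal `"` ends the quoted argument, so a password containing these characters is no longer passed as one safe token. If such passwords must be accepted, the shell has to be taken out of the picture (a `--defaults-extra-file` written with restrictive permissions, or an argv-style `proc_open()` where the PHP version supports it); otherwise it is safer to fail early, e.g. `if ($this->isWindows && preg_match('/["%!]/', $this->passwd)) { throw new Exception('Unsupported character in database password'); }`, and leave `escapeshellarg()` alone. Two smaller points: the docblock signature `escapeshellargCustom ( string $arg , character $quotes)` does not match the parameter `$string`, and `trim(..., $quotes)` is only correct because `"` is in `$special` so no fragment can start or end with it — that assumption deserves a one-line comment above the loop.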
@@ -187,7 +187,7 @@ class G * @param string $symbol * @return string */ - public function generate_password($length = 15, $availableSets = "luns", $symbol = "_-+=!@#$%*&,.") + public function generate_password($length = 15, $availableSets = "luns", $symbol = "_-$!") { $chars = ""; if (strpos($availableSets, "l") !== false) { @@ -1825,6 +1825,14 @@ class G $arrayGrid = array_unique($arrayGrid); + //Given the set: 'valueOne', 'valueOneTwo', where the second string + //contains the first string, this causes the larger string to take + //the second, resulting in a delimitation error, to avoid this problem + //we first search the string larger size. + usort($arrayGrid, function($a, $b) { + return strlen($b) - strlen($a); + }); + foreach ($arrayGrid as $index => $value) { if($value !== "") { $grdName = $value; @@ -2912,6 +2920,16 @@ class G return (bool) preg_match( '/^[0-9A-Za-z]{14,}/', $uid ); } + /** + * Verify if the input string is a valid UID of size 32 + * @param string $uid + * @return boolean + */ + public static function verifyUniqueID32($uid) + { + return (bool) preg_match('/^[0-9A-Za-z]{32,32}$/', $uid); + } + /** * is_utf8 * @@ -2921,11 +2939,10 @@ class G */ public function is_utf8 ($string) { - if (is_array( $string )) { - $enc = implode( '', $string ); - return @! ((ord( $enc[0] ) != 239) && (ord( $enc[1] ) != 187) && (ord( $enc[2] ) != 191)); + if (preg_match('//u', $string)) { + return true; } else { - return (utf8_encode( utf8_decode( $string ) ) == $string); + return false; } } @@ -5422,6 +5439,12 @@ class G } /** + * This function save history about some actions in the file audit.log + * The data is used in the Audit Log functionality + * + * @param string $actionToLog + * @param string $valueToLog + * @return void */ public static function auditLog($actionToLog, $valueToLog = "") { 
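Review bot: `'/^[0-9A-Za-z]{32,32}$/'` lets a 33-character value through, because PCRE's `$` also matches before a final newline, so `str_repeat('a', 32) . "\n"` is reported as a valid UID. Use `\z` (or the `D` modifier) and the simpler quantifier: `return (bool) preg_match('/^[0-9A-Za-z]{32}\z/', $uid);`. The sibling check on the line above (`{14,}` with no end anchor) has the same looseness but is pre-existing.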
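Review bot: The `is_array($string)` branch is gone, so a caller that still passes an array now hits `preg_match()` with a non-string subject (a warning on PHP 7, a `TypeError` on PHP 8) instead of getting a boolean back; either keep the array case (`if (is_array($string)) { $string = implode('', $string); }` before the match) or state in the docblock that only strings are accepted, after checking the callers. The `if/else` around two boolean literals can be `return preg_match('//u', $string) === 1;`, which also treats a PCRE error result (`false`) as not-UTF-8 explicitly.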
@@ -5430,13 +5453,25 @@ class G $sflag = $conf->getConfiguration('AUDIT_LOG', 'log'); $sflagAudit = $sflag == 'true' ? true : false; $ipClient = G::getIpAddress(); + $userUid = 'Unknow User'; + $fullName = '-'; /*----------------------------------********---------------------------------*/ $licensedFeatures = PMLicensedFeatures::getSingleton(); if ($sflagAudit && $licensedFeatures->verifyfeature('vtSeHNhT0JnSmo1bTluUVlTYUxUbUFSVStEeXVqc1pEUG5EeXc0MGd2Q3ErYz0=')) { - $username = isset($_SESSION['USER_LOGGED']) && $_SESSION['USER_LOGGED'] != '' ? $_SESSION['USER_LOGGED'] : 'Unknow User'; - $fullname = isset($_SESSION['USR_FULLNAME']) && $_SESSION['USR_FULLNAME'] != '' ? $_SESSION['USR_FULLNAME'] : '-'; - G::log("|". $workspace ."|". $ipClient ."|". $username . "|" . $fullname ."|" . $actionToLog . "|" . $valueToLog, PATH_DATA, "audit.log"); + if (isset($_SESSION['USER_LOGGED']) && $_SESSION['USER_LOGGED'] != '') { + $userUid = $_SESSION['USER_LOGGED']; + } else { + //Get the usrUid related to the accessToken + $userUid = \ProcessMaker\Services\OAuth2\Server::getUserId(); + if (!empty($userUid)) { + $oUserLogged = new \Users(); + $user = $oUserLogged->loadDetails($userUid); + $fullName = $user['USR_FULLNAME']; + } + } + $fullName = isset($_SESSION['USR_FULLNAME']) && $_SESSION['USR_FULLNAME'] != '' ? $_SESSION['USR_FULLNAME'] : $fullName; + G::log("|". $workspace ."|". $ipClient ."|". $userUid . "|" . $fullName ."|" . $actionToLog . "|" . $valueToLog, PATH_DATA, "audit.log"); } /*----------------------------------********---------------------------------*/ } diff --git a/gulliver/system/class.menu.php b/gulliver/system/class.menu.php index 82ce5fa03..e539f2417 100644 --- a/gulliver/system/class.menu.php +++ b/gulliver/system/class.menu.php @@ -283,7 +283,7 @@ class Menu */ public function DisableOptionId($id) { - if (array_search($id, $this->Id)) { + if (array_search($id, $this->Id) !== FALSE) { $this->Enabled[array_search($id, $this->Id)] = 0; } } 
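Review bot: The audit line is written as a `|`-separated record with `$actionToLog`, `$valueToLog` and the user's full name inserted unescaped, so a value that contains `|` or a newline can add or reshape fields in `audit.log` and mislead whoever parses it; the new OAuth path makes `$fullName` come from a profile field that is presumably user-editable, so this is worth handling now. Before the `G::log()` call, normalise each field, e.g. `$valueToLog = str_replace(array("\r", "\n", '|'), ' ', $valueToLog);` (same for `$actionToLog` and `$fullName`), or switch the record to a JSON line. Separately, the `'Unknow User'` default set at the top is overwritten by `getUserId()`, so when neither a session nor a token user exists the user field is logged empty rather than `Unknow User`; assign the token result to a temporary and fall back, `$userUid = !empty($tokenUser) ? $tokenUser : 'Unknow User';`, to keep the intended marker.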
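Review bot: The guard now handles a match at index 0, but `array_search()` still runs twice and without `strict`, so `$id` values like `'1'` and `1` are treated as the same option. Capture the index once: `$index = array_search($id, $this->Id, true); if ($index !== false) { $this->Enabled[$index] = 0; }`. Whether any caller relies on the loose comparison is not visible here, so check the call sites before switching to strict mode.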
diff --git a/gulliver/system/class.monologProvider.php b/gulliver/system/class.monologProvider.php index f0b519211..9840834cb 100644 --- a/gulliver/system/class.monologProvider.php +++ b/gulliver/system/class.monologProvider.php @@ -106,11 +106,13 @@ class MonologProvider break; case 400://ERROR $this->registerLogger->addError($message, $context); + break; case 500://CRITICAL $this->registerLogger->addCritical($message, $context); break; case 550://ALERT $this->registerLogger->addAlert($message, $context); + break; case 600://EMERGENCY $this->registerLogger->addEmergency($message, $context); break; diff --git a/gulliver/system/class.rbac.php b/gulliver/system/class.rbac.php index c4749221e..f5da6a354 100644 --- a/gulliver/system/class.rbac.php +++ b/gulliver/system/class.rbac.php @@ -70,6 +70,7 @@ class RBAC public $singleSignOn = false; private static $instance = null; + public $authorizedActions = array(); public function __construct () { diff --git a/workflow/engine/classes/Calendar.php b/workflow/engine/classes/Calendar.php index 2f788a442..fe49aca98 100644 --- a/workflow/engine/classes/Calendar.php +++ b/workflow/engine/classes/Calendar.php @@ -828,7 +828,7 @@ class Calendar extends CalendarDefinition $newDate = $onlyDate; $hoursDuration -= (float)($secondRes/3600); } else { - $newDate = date('Y-m-d H:i:s', strtotime('+' . (((float)$hoursDuration)*3600) . ' seconds', strtotime($newDate))); + $newDate = date('Y-m-d H:i:s', strtotime('+' . round((((float)$hoursDuration)*3600), 5) . ' seconds', strtotime($newDate))); $hoursDuration = 0; } } diff --git a/workflow/engine/controllers/pmTables.php b/workflow/engine/controllers/pmTables.php index 4d1099d80..5ed01b43d 100644 --- a/workflow/engine/controllers/pmTables.php +++ b/workflow/engine/controllers/pmTables.php 
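Review bot: `round(..., 5)` still hands `strtotime()` a fractional relative offset such as `+3600.5 seconds`, and as far as I know the relative-time parser only accepts integer counts, returning `false` and making `date()` fall back to the epoch. Rounding to a whole number of seconds and casting is the safe form: `$newDate = date('Y-m-d H:i:s', strtotime('+' . (int) round(((float) $hoursDuration) * 3600) . ' seconds', strtotime($newDate)));`. If the lost fraction matters, carry it in a separate remainder rather than in the string handed to `strtotime()`.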
@@ -152,6 +152,11 @@ class pmTables extends Controller $sFileName = $httpData->f; $realPath = $PUBLIC_ROOT_PATH . $sFileName; + + if ($this->isValidFileToBeStreamed($sFileName) === false) { + throw new Exception("You are trying to access an unauthorized resource."); + } + G::streamFile( $realPath, true ); unlink( $realPath ); } @@ -206,5 +211,32 @@ class pmTables extends Controller $tableSize = $tableSize - 8; // Prefix PMT_ return $tableSize; } + + /** + * Validates if the file with the $fileName is a valid one, + * that is, it must be a file without relative references that + * can open a door to get some unauthorized system file and + * must have one of the valid file extensions. + * + * @param $fileName, emporal file name that will be streamed + * @return bool + */ + private function isValidFileToBeStreamed($fileName) + { + $result = true; + $validExtensionsForExporting = ['csv', 'pmt']; + + $pathInfo = pathinfo($fileName); + + if ($pathInfo['dirname'] !== '.') { + $result = false; + } + + if (!in_array($pathInfo['extension'], $validExtensionsForExporting)) { + $result = false; + } + + return $result; + } } diff --git a/workflow/engine/methods/services/soap.php b/workflow/engine/methods/services/soap.php deleted file mode 100644 index e21b64939..000000000 --- a/workflow/engine/methods/services/soap.php +++ /dev/null 
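Review bot: `$pathInfo['extension']` is read without checking it exists, so a name with no extension raises an undefined-index notice before `in_array()` rejects it, and `in_array()` is called without `strict: true`; the helper can be tightened to `if (!isset($pathInfo['extension']) || !in_array($pathInfo['extension'], $validExtensionsForExporting, true)) { $result = false; }`. Beyond that, the `dirname === '.'` test only proves the name contains no separator; as defence in depth the caller (previous hunk) should also resolve the final path and confirm it stays below the export directory, e.g. `$real = realpath($realPath); if ($real === false || strpos($real, realpath($PUBLIC_ROOT_PATH)) !== 0) { throw new Exception("You are trying to access an unauthorized resource."); }`. The docblock line `@param $fileName, emporal file name` is missing the type and has a typo (`temporal`).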
@@ -1,413 +0,0 @@ -login( $params->userid, $params->password ); - return $res->getPayloadArray(); -} - -function ProcessList ($params) -{ - $x = ifPermission( $params->sessionId, 'PM_FACTORY' ); - //if you are not an admin user, then this function will return only - //your valid process - if ($x == 0) { - $oSessions = new Sessions(); - $session = $oSessions->getSessionUser( $params->sessionId ); - $userId = $session['USR_UID']; - - $ws = new wsBase(); - $res = $ws->processListVerified( $userId ); - return $res; - } - - $ws = new wsBase(); - $res = $ws->processList(); - return array ("processes" => $res - ); -} - -function RoleList ($params) -{ - $x = ifPermission( $params->sessionId, 'PM_USERS' ); - if ($x == 0) { - $result[] = array ('guid' => 24,'name' => G::LoadTranslation('ID_NOT_PRIVILEGES')); - return $result; - } - - $ws = new wsBase(); - $res = $ws->roleList(); - return array ("roles" => $res - ); -} - -function GroupList ($params) -{ - $x = ifPermission( $params->sessionId, 'PM_USERS' ); - if ($x == 0) { - $result[] = array ('guid' => 24,'name' => G::LoadTranslation('ID_NOT_PRIVILEGES')); - return $result; - } - - $ws = new wsBase(); - $res = $ws->groupList(); - return array ("groups" => $res - ); -} - -function CaseList ($params) -{ - ifSessionExpiredBreakThis( $params->sessionId ); - $x = ifPermission( $params->sessionId, 'PM_CASES' ); - if ($x == 0) { - return new wsResponse( 9, G::LoadTranslation('ID_SESSION_EXPIRED') ); - } - - $oSessions = new Sessions(); - $session = $oSessions->getSessionUser( $params->sessionId ); - $userId = $session['USR_UID']; - - $ws = new wsBase(); - $res = $ws->caseList( $userId ); - return array ("cases" => $res - ); -} - -function UserList ($params) -{ - $x = ifPermission( $params->sessionId, 'PM_USERS' ); - if ($x == 0) { - $result[] = array ('guid' => 24,'name' => G::LoadTranslation('ID_NOT_PRIVILEGES') ); - return $result; - } - - $ws = new wsBase(); - $res = $ws->userList(); - return array ("users" => $res - ); -} - 
-function SendMessage ($params) -{ - ifSessionExpiredBreakThis( $params->sessionId ); - $x = ifPermission( $params->sessionId, 'PM_CASES' ); - if ($x == 0) { - $result = new wsResponse( 24, G::LoadTranslation('ID_NOT_PRIVILEGES') ); - return $result; - } - $ws = new wsBase(); - $res = $ws->sendMessage( $params->caseId, $params->from, $params->to, $params->cc, $params->bcc, $params->subject, $params->template ); - return $res->getPayloadArray(); -} - -function getCaseInfo ($params) -{ - ifSessionExpiredBreakThis( $params->sessionId ); - $x = ifPermission( $params->sessionId, 'PM_CASES' ); - if ($x == 0) { - $result = new wsResponse( 24, "You do not have privileges" ); - return $result; - } - $ws = new wsBase(); - $res = $ws->getCaseInfo( $params->caseId, $params->delIndex ); - return $res; -} - -function SendVariables ($params) -{ - - $filter = new InputFilter(); - ifSessionExpiredBreakThis( $params->sessionId ); - $x = ifPermission( $params->sessionId, 'PM_CASES' ); - if ($x == 0) { - $result = new wsResponse( 24, G::LoadTranslation('ID_NOT_PRIVILEGES') ); - return $result; - } - $ws = new wsBase(); - $variables = $params->variables; - if (is_object( $variables )) { - $Fields[$variables->name] = $variables->value; - } - - if (is_array( $variables )) { - foreach ($variables as $key => $val) { - $name = $val->name; - $value = $val->value; - $val->name = $filter->validateInput($val->name); - $val->value = $filter->validateInput($val->value); - eval( '$Fields[ ' . $val->name . 
' ]= $val->value ;' ); - } - } - $params->variables = $Fields; - $res = $ws->sendVariables( $params->caseId, $params->variables ); - return $res->getPayloadArray(); -} - -function GetVariables ($params) -{ - ifSessionExpiredBreakThis( $params->sessionId ); - $x = ifPermission( $params->sessionId, 'PM_CASES' ); - if ($x == 0) { - $result = new wsResponse( 24, G::LoadTranslation('ID_NOT_PRIVILEGES') ); - return $result; - } - - $ws = new wsBase(); - - $res = $ws->getVariables( $params->caseId, $params->variables ); - return array ("variables" => $res - ); -} - -function DerivateCase ($params) -{ - ifSessionExpiredBreakThis( $params->sessionId ); - $x = ifPermission( $params->sessionId, 'PM_CASES' ); - if ($x == 0) { - $result = new wsResponse( 24, G::LoadTranslation('ID_NOT_PRIVILEGES') ); - return $result; - } - - $oSession = new Sessions(); - $user = $oSession->getSessionUser( $params->sessionId ); - - $ws = new wsBase(); - $res = $ws->derivateCase( $user['USR_UID'], $params->caseId, $params->delIndex ); - return $res; - - //return $res->getPayloadArray ( ); -} - -function executeTrigger ($params) -{ - ifSessionExpiredBreakThis( $params->sessionId ); - $x = ifPermission( $params->sessionId, 'PM_CASES' ); - if ($x == 0) { - $result = new wsResponse( 24, G::LoadTranslation('ID_NOT_PRIVILEGES') ); - return $result; - } - - $oSession = new Sessions(); - $user = $oSession->getSessionUser( $params->sessionId ); - - $ws = new wsBase(); - $delIndex = (isset( $params->delIndex )) ? 
$params->delIndex : 1; - $res = $ws->executeTrigger( $user['USR_UID'], $params->caseId, $params->triggerIndex, $delIndex ); - return $res->getPayloadArray(); -} - -function NewCaseImpersonate ($params) -{ - $filter = new InputFilter(); - ifSessionExpiredBreakThis( $params->sessionId ); - $x = ifPermission( $params->sessionId, 'PM_CASES' ); - if ($x == 0) { - $result = new wsResponse( 24, G::LoadTranslation('ID_NOT_PRIVILEGES') ); - return $result; - } - $ws = new wsBase(); - $variables = $params->variables; - foreach ($variables as $key => $val) { - $name = $val->name; - $value = $val->value; - $val->name = $filter->validateInput($val->name); - $val->value = $filter->validateInput($val->value); - eval( '$Fields[ ' . $val->name . ' ]= $val->value ;' ); - } - $params->variables = $Fields; - $res = $ws->newCaseImpersonate( $params->processId, $params->userId, $params->variables ); - return $res->getPayloadArray(); -} - -function NewCase ($params) -{ - $filter = new InputFilter(); - ifSessionExpiredBreakThis( $params->sessionId ); - $x = ifPermission( $params->sessionId, 'PM_CASES' ); - if ($x == 0) { - $result = new wsResponse( 24, G::LoadTranslation('ID_NOT_PRIVILEGES') ); - return $result; - } - - $oSessions = new Sessions(); - $session = $oSessions->getSessionUser( $params->sessionId ); - $userId = $session['USR_UID']; - $variables = $params->variables; - - if (! isset( $params->variables )) { - $variables = array (); - $Fields = array (); - } else { - if (is_object( $variables )) { - /*foreach ( $variables as $key=>$val ) { - $name = $val->name; - $value = $val->value; - $Fields[ $val->name ]= $val->value ; - }*/ - $Fields[$variables->name] = $variables->value; - } - - if (is_array( $variables )) { - foreach ($variables as $key => $val) { - $name = $val->name; - $value = $val->value; - if (! is_object( $val->value )) { - $val->name = $filter->validateInput($val->name); - $val->value = $filter->validateInput($val->value); - eval( '$Fields[ ' . $val->name . 
' ]= $val->value ;' ); - } else { - if (is_array( $val->value->item )) { - $i = 1; - foreach ($val->value->item as $key1 => $val1) { - if (isset( $val1->value )) { - if (is_array( $val1->value->item )) { - foreach ($val1->value->item as $key2 => $val2) { - $Fields[$val->name][$i][$val2->key] = $val2->value; - } - } - } - $i ++; - } - } - } - } - } - } - - $params->variables = $Fields; - //$result = new wsResponse (900, print_r($params->variables,1)); - //return $result; - $ws = new wsBase(); - $res = $ws->newCase( $params->processId, $userId, $params->taskId, $params->variables ); - return $res; -} - -function AssignUserToGroup ($params) -{ - ifSessionExpiredBreakThis( $params->sessionId ); - $x = ifPermission( $params->sessionId, 'PM_USERS' ); - if ($x == 0) { - $result = new wsResponse( 24, G::LoadTranslation('ID_NOT_PRIVILEGES') ); - return $result; - } - $sessions = new Sessions(); - $user = $sessions->getSessionUser( $params->sessionId ); - if (! is_array( $user )) { - return new wsResponse( 3, G::LoadTranslation('ID_USER_NOT_REGISTERED_SYSTEM') ); - } - - $ws = new wsBase(); - $res = $ws->assignUserToGroup( $params->userId, $params->groupId ); - return $res->getPayloadArray(); -} - -function CreateUser ($params) -{ - ifSessionExpiredBreakThis( $params->sessionId ); - $x = ifPermission( $params->sessionId, 'PM_USERS' ); - if ($x == 0) { - $result = new wsResponse( 24, G::LoadTranslation('ID_NOT_PRIVILEGES') ); - return $result; - } - $ws = new wsBase(); - $res = $ws->createUser( $params->userId, $params->firstname, $params->lastname, $params->email, $params->role, $params->password ); - return $res->getPayloadArray(); -} - -function TaskList ($params) -{ - $x = ifPermission( $params->sessionId, 'PM_CASES' ); - if ($x == 0) { - $result[] = array ('guid' => 24,'name' => G::LoadTranslation('ID_NOT_PRIVILEGES') ); - return $result; - } - - $ws = new wsBase(); - $oSessions = new Sessions(); - $session = $oSessions->getSessionUser( $params->sessionId ); - $userId = 
$session['USR_UID']; - $res = $ws->taskList( $userId ); - return array ("tasks" => $res - ); -} - -function TaskCase ($params) -{ - ifSessionExpiredBreakThis( $params->sessionId ); - $x = ifPermission( $params->sessionId, 'PM_CASES' ); - if ($x == 0) { - $result[] = array ('guid' => 24,'name' => G::LoadTranslation('ID_NOT_PRIVILEGES') ); - return $result; - } - - $ws = new wsBase(); - $res = $ws->taskCase( $params->caseId ); - return array ("taskCases" => $res - ); -} - -function ReassignCase ($params) -{ - ifSessionExpiredBreakThis( $params->sessionId ); - - $ws = new wsBase(); - $res = $ws->reassignCase( $params->sessionId, $params->caseId, $params->delIndex, $params->userIdSource, $params->userIdTarget ); - return $res; -} - -function ifSessionExpiredBreakThis ($sessionId) -{ #added By Erik AO in datetime 26.06.2008 10:00:00 - - $oSessions = new Sessions(); - $session = $oSessions->verifySession( $sessionId ); - if ($session == '') { - return new wsResponse( 9, G::LoadTranslation('ID_SESSION_EXPIRED') ); - } -} - -function ifPermission ($sessionId, $permission) -{ - global $RBAC; - $RBAC->initRBAC(); - $oSession = new Sessions(); - $user = $oSession->getSessionUser( $sessionId ); - - $oRBAC = RBAC::getSingleton(); - $oRBAC->loadUserRolePermission( $oRBAC->sSystem, $user['USR_UID'] ); - $aPermissions = $oRBAC->aUserInfo[$oRBAC->sSystem]['PERMISSIONS']; - $sw = 0; - foreach ($aPermissions as $aPermission) { - if ($aPermission['PER_CODE'] == $permission) { - $sw = 1; - } - } - return $sw; -} -$server = new SoapServer( $wsdl ); -$server->addFunction( "Login" ); -$server->addFunction( "ProcessList" ); -$server->addFunction( "CaseList" ); -$server->addFunction( "RoleList" ); -$server->addFunction( "GroupList" ); -$server->addFunction( "UserList" ); -$server->addFunction( "SendMessage" ); -$server->addFunction( "SendVariables" ); -$server->addFunction( "GetVariables" ); -$server->addFunction( "DerivateCase" ); -$server->addFunction( "executeTrigger" ); 
-$server->addFunction( "NewCaseImpersonate" ); -$server->addFunction( "NewCase" ); -$server->addFunction( "AssignUserToGroup" ); -$server->addFunction( "CreateUser" ); -$server->addFunction( "getCaseInfo" ); -$server->addFunction( "TaskList" ); -$server->addFunction( "TaskCase" ); -$server->addFunction( "ReassignCase" ); - -$server->handle(); - diff --git a/workflow/engine/methods/services/soap2.php b/workflow/engine/methods/services/soap2.php index d0ca027ad..758c21e2a 100644 --- a/workflow/engine/methods/services/soap2.php +++ b/workflow/engine/methods/services/soap2.php 
@@ -654,83 +654,57 @@ function NewCaseImpersonate ($params) return $res; } -function NewCase ($params) +/** + * Begins a new case under the name of the logged-in user. + * Where the parameter value is: + * - string sessionId: The ID of the session, which is obtained during login. + * - string processId: The ID of the process where the case should start, which + * can be obtained with processList(). + * - string taskId: The ID of the task where the case should start. This will + * generally be the first task in a process, which can be obtained with taskList(). + * - array variables: An array of variableStruct objects which contain information + * to start the case. This array has the following format. + * + * @param object $params + * + * @return object + */ +function NewCase($params) { - $filter = new InputFilter(); + $parseSoapVariableVame = new ParseSoapVariableName(); - $vsResult = isValidSession( $params->sessionId ); + $vsResult = isValidSession($params->sessionId); if ($vsResult->status_code !== 0) { return $vsResult; } - if (ifPermission( $params->sessionId, "PM_CASES" ) == 0) { - $result = new wsResponse( 2, G::LoadTranslation('ID_NOT_PRIVILEGES') ); + if (ifPermission($params->sessionId, 'PM_CASES') == 0) { + $result = new wsResponse(2, G::LoadTranslation('ID_NOT_PRIVILEGES')); return $result; } $oSession = new Sessions(); - $session = $oSession->getSessionUser( $params->sessionId ); - $userId = $session["USR_UID"]; + $session = $oSession->getSessionUser($params->sessionId); + $userId = $session['USR_UID']; $variables = $params->variables; - /* this code is for previous version of ws, and apparently this will work for grids inside the variables.. 
- if (!isset($params->variables) ) { - $variables = array(); - $field = array(); - } - else { - if ( is_object ($variables) ) { - $field[ $variables->name ]= $variables->value ; - } + $field = array(); - if ( is_array ( $variables) ) { - foreach ( $variables as $key=>$val ) { - $name = $val->name; - $value = $val->value; - if (!is_object($val->value)) - { - eval('$field[ ' . $val->name . ' ]= $val->value ;'); - } - else - { - if (is_array($val->value->item)) { - $i = 1; - foreach ($val->value->item as $key1 => $val1) { - if (isset($val1->value)) { - if (is_array($val1->value->item)) { - foreach ($val1->value->item as $key2 => $val2) { - $field[$val->name][$i][$val2->key] = $val2->value; - } - } - } - $i++; - } - } - } - } - } - } - */ - - $variables = $params->variables; - - $field = array (); - - if ($variables->name === "__POST_VARIABLES__") { + if (is_object($variables) && $variables->name === '__POST_VARIABLES__') { $field = G::json_decode($variables->value, true); $variables = null; } - if (is_object( $variables )) { + if (is_object($variables)) { $field[$variables->name] = $variables->value; } - if (is_array( $variables )) { - foreach ($variables as $key => $val) { - if (! is_object( $val->value )) { - @eval( "\$field[" . $val->name . "]= \$val->value;" ); + if (is_array($variables)) { + foreach ($variables as $val) { + if (!is_object($val->value)) { + $parseSoapVariableVame->buildVariableName($field, $val->name, $val->value); } } } 
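Review bot: `$parseSoapVariableVame` is misspelled (`Name`) on the first line of the body and again in the loop, and the docblock ends with `This array has the following format.` without the format, so either finish the description or drop the sentence. The `__POST_VARIABLES__` branch assigns `G::json_decode($variables->value, true)` straight to `$field`, which becomes `null` on malformed JSON and then flows on to `newCase()` where an array is expected; `$decoded = G::json_decode($variables->value, true);` followed by `$field = is_array($decoded) ? $decoded : array();` keeps the contract. NewCase() continues past the end of this hunk.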
@@ -739,10 +713,10 @@ function NewCase ($params) $ws = new wsBase(); - $res = $ws->newCase($params->processId, $userId, $params->taskId, $params->variables, (isset($params->executeTriggers))? (int)($params->executeTriggers) : 0); + $res = $ws->newCase($params->processId, $userId, $params->taskId, $params->variables, (isset($params->executeTriggers)) ? (int) ($params->executeTriggers) : 0); // we need to register the case id for a stored session variable. like a normal Session. - $oSession->registerGlobal( "APPLICATION", $res->caseId ); + $oSession->registerGlobal('APPLICATION', $res->caseId); return $res; } diff --git a/workflow/engine/methods/services/wsdl.php b/workflow/engine/methods/services/wsdl.php deleted file mode 100644 index 96956029e..000000000 --- a/workflow/engine/methods/services/wsdl.php +++ /dev/null @@ -1,13 +0,0 @@ -. - * - * For more information, contact Colosa Inc, 2566 Le Jeune Rd., - * Coral Gables, FL, 33134, USA, or email info@colosa.com. - */ - -if ($RBAC->userCanAccess( 'PM_SETUP' ) != 1 && $RBAC->userCanAccess( 'PM_FACTORY' ) != 1) { - G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' ); - //G::header('location: ../login/login'); - die(); -} - -$G_MAIN_MENU = 'processmaker'; -//$G_SUB_MENU = 'setup'; -$G_ID_MENU_SELECTED = 'SETUP'; -//$G_ID_SUB_MENU_SELECTED = 'WEBSERVICES'; - - -if (! extension_loaded( 'soap' )) { - $G_PUBLISH = new Publisher(); - $G_PUBLISH->AddContent( 'xmlform', 'xmlform', 'setup/wsMessage' ); - G::RenderPage( "publish" ); -} else { - $G_PUBLISH = new Publisher(); - $G_PUBLISH->AddContent( 'view', 'setup/webServicesTree' ); - $G_PUBLISH->AddContent( 'smarty', 'groups/groups_usersList', '', '', array () ); - - G::RenderPage( "publish-treeview", 'blank' ); -} - -$link_Edit = G::encryptlink( 'webServicesSetup' ); -$link_List = G::encryptlink( 'webServicesList' ); - -?> - \ No newline at end of file 
diff --git a/workflow/engine/methods/setup/webServicesList.php b/workflow/engine/methods/setup/webServicesList.php deleted file mode 100644 index 652f8188a..000000000 --- a/workflow/engine/methods/setup/webServicesList.php +++ /dev/null @@ -1,36 +0,0 @@ -. - * - * For more information, contact Colosa Inc, 2566 Le Jeune Rd., - * Coral Gables, FL, 33134, USA, or email info@colosa.com. - */ -if ($RBAC->userCanAccess( 'PM_SETUP' ) != 1 && $RBAC->userCanAccess( 'PM_FACTORY' ) != 1) { - G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' ); - //G::header('location: ../login/login'); - die(); -} - -//G::genericForceLogin( 'WF_MYINFO' , 'login/noViewPage', $urlLogin = 'login/login' ); - - -$G_PUBLISH = new Publisher(); -$G_PUBLISH->AddContent( 'view', 'setup/webServicesTree' ); -G::RenderPage( "publish-raw", "raw" ); - diff --git a/workflow/engine/src/ProcessMaker/Util/ParseSoapVariableName.php b/workflow/engine/src/ProcessMaker/Util/ParseSoapVariableName.php new file mode 100644 index 000000000..3e74af0d3 --- /dev/null +++ b/workflow/engine/src/ProcessMaker/Util/ParseSoapVariableName.php 
@@ -0,0 +1,80 @@ +isValidVariableName($name)) { + $context = \Bootstrap::getDefaultContextLog(); + $context['action'] = 'soap2'; + $context['exception'] = 'Invalid param: '.G::json_encode($name); + \Bootstrap::registerMonolog('soap2', 400, 'NewCase', $context, $context['workspace'], 'processmaker.log'); + + return; + } + + $brackets = $this->searchBrackets($name); + if (empty($brackets)) { + $field[$name] = $value; + } else { + $current = &$field; + foreach ($brackets as $extension) { + if (!isset($current[$extension])) { + $current[$extension] = []; + } + $current = &$current[$extension]; + } + $current = $value; + } + } + + /** + * Analysis of string representing the depth of the array, represented by a + * valid index name and brackets as separators. + * + * @param type $string + * + * @return array + */ + private function searchBrackets($string) + { + $stringClean = str_replace(' ', '', $string); + $explode = explode('][', $stringClean); + + return $explode; + } + + /** + * Verify if the index name of the array is valid. + * + * @param string $name + * + * @return bool + */ + public function isValidVariableName($name) + { + if (is_string($name) === true) { + if (preg_match("/^[0-9a-zA-Z\_\[\]]+$/", $name)) { + return true; + } + } + + return false; + } +} + diff --git a/workflow/engine/templates/pmTables/export.js b/workflow/engine/templates/pmTables/export.js index 8d8c064db..bbd9f5b5c 100644 --- a/workflow/engine/templates/pmTables/export.js +++ b/workflow/engine/templates/pmTables/export.js @@ -72,7 +72,11 @@ Export.configure = function() e.stopEvent(); var index = Export.targetGrid.getView().findRowIndex(t); var record = Export.targetGrid.store.getAt(index); - + + if (record.data['_SCHEMA'] !== true) { + return false; + } + if(record.data['PRO_UID']) { PMExt.info(_('ID_INFO'), _('ID_REPORT_TABLES_DATA_EXPORT_NOT_ALLOWED')); return false; 
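Review bot: `isValidVariableName()` anchors with `$`, which in PCRE also matches before a trailing newline, so `"name\n"` passes validation; end the pattern with `\z` instead: `preg_match('/^[0-9A-Za-z_\[\]]+\z/', $name)`. `buildVariableName()` logs an invalid name and returns silently, so the SOAP caller never learns the variable was dropped; returning `false` from that branch and `true` otherwise would let soap2.php report it. The `@param type $string` tag on `searchBrackets()` is a placeholder and should read `@param string $string`. The file header, class declaration and the signature of `buildVariableName()` are not legible in this hunk as shown.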
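Review bot: The `_SCHEMA` gate runs only in the browser, so it improves the UI but cannot stop an export request that is issued directly; the equivalent rule has to live in the export endpoint, and this commit does not show that endpoint changing. If the server already rejects non-schema exports, a short comment here (`// UI guard only; the export endpoint enforces _SCHEMA`) would stop the next reader from treating this check as the control.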
@@ -210,6 +214,10 @@ Ext.ux.grid.CheckColumn.prototype ={ var index = this.grid.getView().findRowIndex(t); var record = this.grid.store.getAt(index); record.set(this.dataIndex, !record.data[this.dataIndex]); + + //if schema check is selected/unselected, + //the data column is always initialized to unchecked + record.set('_DATA', false); } },