From 66dcf0432c0242762b0fb469d2831f57560abc64 Mon Sep 17 00:00:00 2001
From: qronald
Date: Mon, 22 May 2017 13:27:38 -0400
Subject: [PATCH 01/13] HOR-3279
---
 workflow/engine/controllers/designer.php | 8 ++++++++
 .../src/ProcessMaker/BusinessModel/Light/Tracker.php | 8 ++++----
 .../src/ProcessMaker/Services/Api/Light/Tracker.php | 3 +--
 3 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/workflow/engine/controllers/designer.php b/workflow/engine/controllers/designer.php
index 24d370c97..10e983a9e 100644
--- a/workflow/engine/controllers/designer.php
+++ b/workflow/engine/controllers/designer.php
@@ -29,6 +29,14 @@ class Designer extends Controller
 $client = $this->getClientCredentials();
 if (isset($httpData->tracker_designer) && $httpData->tracker_designer == 1) {
+ try {
+ $response = \ProcessMaker\BusinessModel\Light\Tracker::authentication($_SESSION['CASE'], $_SESSION['PIN']);
+ } catch (\Exception $e) {
+ G::header('Location: /errors/error403.php');
+ die();
+ }
+ $httpData->prj_uid = $response['process'];
+ $httpData->app_uid = $response['app_uid'];
 $client["tracker_designer"] = 1;
 }
diff --git a/workflow/engine/src/ProcessMaker/BusinessModel/Light/Tracker.php b/workflow/engine/src/ProcessMaker/BusinessModel/Light/Tracker.php
index 7d5b87eed..bc6a5e4ef 100644
--- a/workflow/engine/src/ProcessMaker/BusinessModel/Light/Tracker.php
+++ b/workflow/engine/src/ProcessMaker/BusinessModel/Light/Tracker.php
@@ -13,14 +13,14 @@ class Tracker
 }
 /**
- * authenticaction for case tracker
+ * Authentication for case tracker
 *
- * @param $case numbre case
- * @param $pin code pin access for case tracek
+ * @param int $case number case
+ * @param int $pin code pin access for case track
 * @return array
 * @throws \Exception
 */
- public function authentication($case, $pin)
+ public static function authentication($case, $pin)
 {
 $cases = new \Cases();
 $response = array();
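Review bot: `$_SESSION['CASE']` and `$_SESSION['PIN']` are read without an `isset()` check, so a request carrying `tracker_designer=1` without a tracker session hands two nulls to `Tracker::authentication()` and relies on that method throwing to reach the 403 branch. Guard the keys before the call, e.g. `if (!isset($_SESSION['CASE'], $_SESSION['PIN'])) { \G::header('Location: /errors/error403.php'); die(); }`. Overwriting `$httpData->prj_uid` and `app_uid` from the authenticated response is the right direction: it binds the designer view to the case the PIN authenticated instead of to request-supplied ids, so keep those two lines in later revisions. `$httpData->tracker_designer == 1` is a loose comparison; `(int) $httpData->tracker_designer === 1` states the intent. The enclosing method starts outside the hunk.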
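Review bot: Making `authentication()` `static` is only safe if the rest of the method body, which continues past the hunk, never references `$this`; a `$this` use inside a static method fails at call time, not at parse time, so please confirm. The new docblock declares `@param int $case` and `@param int $pin`, but the method carries no scalar type declarations and the only visible caller passes raw session values; either add `int` parameter types with casts at the callers or document them as `string|int`. The `@return array` line should name the keys callers depend on — designer.php reads `process` and `app_uid` from the result.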
diff --git a/workflow/engine/src/ProcessMaker/Services/Api/Light/Tracker.php b/workflow/engine/src/ProcessMaker/Services/Api/Light/Tracker.php
index 051c7d2f7..b723c2170 100644
--- a/workflow/engine/src/ProcessMaker/Services/Api/Light/Tracker.php
+++ b/workflow/engine/src/ProcessMaker/Services/Api/Light/Tracker.php
@@ -21,8 +21,7 @@ class Tracker extends Api
 public function Authentication($case, $pin)
 {
 try {
- $oMobile = new \ProcessMaker\BusinessModel\Light\Tracker();
- $response = $oMobile->authentication($case, $pin);
+ $response = \ProcessMaker\BusinessModel\Light\Tracker::authentication($case, $pin);
 } catch (\Exception $e) {
 throw new RestException(Api::STAT_APP_EXCEPTION, $e->getMessage());
 }
From c0e80d1d32830ec07ec54b1ea0daf1b12bcf3d7b Mon Sep 17 00:00:00 2001
From: qronald
Date: Tue, 23 May 2017 10:08:44 -0400
Subject: [PATCH 02/13] HOR-3281
---
 .../engine/methods/groups/groups_Ajax.php | 23 +++++++++++--------
 .../engine/templates/groups/groupsList.js | 22 +++++++++++-------
 2 files changed, 28 insertions(+), 17 deletions(-)
diff --git a/workflow/engine/methods/groups/groups_Ajax.php b/workflow/engine/methods/groups/groups_Ajax.php
index b048b3162..867a575df 100644
--- a/workflow/engine/methods/groups/groups_Ajax.php
+++ b/workflow/engine/methods/groups/groups_Ajax.php
@@ -129,15 +129,20 @@ switch ($_POST['action']) {
 echo G::json_encode( $result );
 break;
 case 'exitsGroupName':
- require_once 'classes/model/Groupwf.php';
- G::LoadClass( 'Groupswf' );
- $oGroup = new Groupwf();
- $oCriteria = $oGroup->loadByGroupname( $_POST['GRP_NAME'] );
- $oDataset = GroupwfPeer::doSelectRS( $oCriteria );
- $oDataset->setFetchmode( ResultSet::FETCHMODE_ASSOC );
- $oDataset->next();
- $aRow = $oDataset->getRow();
- $response = ($aRow) ? 'true' : 'false';
+ $groupName = strip_tags($_POST['GRP_NAME']);
+ if ($groupName) {
+ require_once 'classes/model/Groupwf.php';
+ G::LoadClass('Groupswf');
+ $oGroup = new Groupwf();
+ $oCriteria = $oGroup->loadByGroupname($_POST['GRP_NAME']);
+ $oDataset = GroupwfPeer::doSelectRS($oCriteria);
+ $oDataset->setFetchmode(ResultSet::FETCHMODE_ASSOC);
+ $oDataset->next();
+ $aRow = $oDataset->getRow();
+ $response = ($aRow) ? \G::json_encode(['success' => true]) : \G::json_decode(['success' => false]);
+ } else {
+ $response = \G::json_encode(['success' => true, 'msg' => \G::LoadTranslation('ID_FIELD_INVALID')]);
+ }
 echo $response;
 break;
 case 'saveNewGroup':
diff --git a/workflow/engine/templates/groups/groupsList.js b/workflow/engine/templates/groups/groupsList.js
index c4cb48656..6833a45e8 100644
--- a/workflow/engine/templates/groups/groupsList.js
+++ b/workflow/engine/templates/groups/groupsList.js
@@ -182,7 +182,13 @@ Ext.onReady(function(){
 text: _("ID_SAVE"),
 handler: function (btn, ev) {
- if( newForm.getForm().findField('name').getValue().trim() == "") {
+ var reg = new RegExp(/(<([^>]+)>)/ig),
+ nameGroups = newForm.getForm().findField('name').getValue();
+ if (reg.test(nameGroups)){
+ Ext.Msg.alert(_('ID_WARNING'), _("ID_FIELD_INVALID", _("ID_GROUP_NAME")));
+ newForm.getForm().findField('name').setValue("");
+ return false;
+ } else if (nameGroups.trim() == "") {
 Ext.Msg.alert(_('ID_WARNING'), _("ID_FIELD_REQUIRED", _("ID_GROUP_NAME")));
 newForm.getForm().findField('name').setValue("");
 return false;
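Review bot: The "name not found" branch calls `\G::json_decode(['success' => false])` where `json_encode` is clearly meant, so the path the new `CheckGroupName` handler parses with `JSON.parse` will not receive JSON. Change it to `$response = ($aRow) ? \G::json_encode(['success' => true]) : \G::json_encode(['success' => false]);`. The tag-stripped `$groupName` is used only for the emptiness test while the lookup still passes the raw `$_POST['GRP_NAME']`, so the value that is validated and the value that is queried can differ; use `$groupName` in `loadByGroupname()` as well. `if ($groupName)` also rejects the legitimate name `'0'`; `$groupName !== ''` is the precise test. Reporting an invalid name as `success => true` plus a message overloads a key that otherwise means "name already exists"; a separate key such as `valid` would keep the client logic readable.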
@@ -434,8 +440,8 @@ CheckGroupName = function(grp_name, function_success, function_failure){
 params: {action: 'exitsGroupName', GRP_NAME: grp_name},
 success: function(resp, opt){
 viewport.getEl().unmask();
- var checked = eval(resp.responseText);
- (!checked) ? function_success() : function_failure();
+ var response = JSON.parse(resp.responseText);
+ (!response.success) ? function_success() : function_failure(response.msg);
 },
 failure: function(r,o) {
 viewport.getEl().unmask();
@@ -452,11 +458,11 @@ SaveNewGroupAction = function(){
 };
 //Show Duplicate Group Name Message
-DuplicateGroupName = function(){
- Ext.getCmp("btnCreateSave").setDisabled(false);
- Ext.getCmp("btnUpdateSave").setDisabled(false);
-
- PMExt.warning(_('ID_GROUPS'), _('ID_MSG_GROUP_NAME_EXISTS'));
+DuplicateGroupName = function (msg) {
+ Ext.getCmp("btnCreateSave").setDisabled(false);
+ Ext.getCmp("btnUpdateSave").setDisabled(false);
+ newForm.getForm().findField('name').setValue("");
+ PMExt.warning(_('ID_GROUPS'), msg ? msg : _('ID_MSG_GROUP_NAME_EXISTS'));
 };
 //Save New Group
From 7b8f3541994b3bad013387186bff9d33d3c74314 Mon Sep 17 00:00:00 2001
From: qronald
Date: Tue, 23 May 2017 12:19:36 -0400
Subject: [PATCH 03/13] up observations
---
 workflow/engine/controllers/designer.php | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/workflow/engine/controllers/designer.php b/workflow/engine/controllers/designer.php
index 10e983a9e..41259de0b 100644
--- a/workflow/engine/controllers/designer.php
+++ b/workflow/engine/controllers/designer.php
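Review bot: `JSON.parse(resp.responseText)` inside the `success` handler throws if the server answers with anything that is not JSON (a PHP notice prepended to the body, an HTML error page), and then neither `function_success` nor `function_failure` runs while the save buttons stay disabled. Wrap the parse, e.g. `var response; try { response = JSON.parse(resp.responseText); } catch (e) { function_failure(); return; }`. Replacing `eval` with `JSON.parse` is the right change. In the second hunk, `DuplicateGroupName` now clears the name field unconditionally, including the plain "name exists" case where no `msg` is passed — confirm that is intended. `CheckGroupName` starts outside the hunk.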
@@ -30,13 +30,17 @@ class Designer extends Controller
 if (isset($httpData->tracker_designer) && $httpData->tracker_designer == 1) {
 try {
- $response = \ProcessMaker\BusinessModel\Light\Tracker::authentication($_SESSION['CASE'], $_SESSION['PIN']);
+ if(!isset($_SESSION['CASE']) && !isset($_SESSION['PIN'])){
+ throw (new \Exception(
+ \G::LoadTranslation('ID_CASE_NOT_EXISTS') . "\n" . \G::LoadTranslation('ID_PIN_INVALID')
+ ));
+ }
+ \ProcessMaker\BusinessModel\Light\Tracker::authentication($_SESSION['CASE'], $_SESSION['PIN']);
 } catch (\Exception $e) {
- G::header('Location: /errors/error403.php');
+ Bootstrap::registerMonolog('CaseTracker', 400, $e->getMessage(), [], SYS_SYS, 'processmaker.log');
+ \G::header('Location: /errors/error403.php');
 die();
 }
- $httpData->prj_uid = $response['process'];
- $httpData->app_uid = $response['app_uid'];
 $client["tracker_designer"] = 1;
 }
From 48581193bf06fc5469590db7febebeadc5d27ba4 Mon Sep 17 00:00:00 2001
From: qronald
Date: Tue, 23 May 2017 15:00:57 -0400
Subject: [PATCH 04/13] Psr-2
---
 workflow/engine/controllers/designer.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/workflow/engine/controllers/designer.php b/workflow/engine/controllers/designer.php
index 41259de0b..f80d6c52f 100644
--- a/workflow/engine/controllers/designer.php
+++ b/workflow/engine/controllers/designer.php
@@ -30,7 +30,7 @@ class Designer extends Controller
 if (isset($httpData->tracker_designer) && $httpData->tracker_designer == 1) {
 try {
- if(!isset($_SESSION['CASE']) && !isset($_SESSION['PIN'])){
+ if (!isset($_SESSION['CASE']) && !isset($_SESSION['PIN'])) {
 throw (new \Exception(
 \G::LoadTranslation('ID_CASE_NOT_EXISTS') . "\n" . \G::LoadTranslation('ID_PIN_INVALID')
 ));
From 2b2d27ff0a892fa4c9af4b8cefaaf07005d820e7 Mon Sep 17 00:00:00 2001
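Review bot: The guard `!isset($_SESSION['CASE']) && !isset($_SESSION['PIN'])` only throws when both keys are missing; with exactly one absent, the call on the next added line reads an undefined index and passes `null` to `authentication()`. Use `if (!isset($_SESSION['CASE'], $_SESSION['PIN'])) {`, which is true as soon as either key is unset. Dropping the `$httpData->prj_uid = $response['process']` and `app_uid` assignments means the designer trusts the request-supplied `prj_uid`/`app_uid` again, while the tracker check only proves the session holds a valid case and PIN, not that they belong to the requested process; unless something later re-binds those ids to the authenticated case, keep the two assignments and the `$response` they come from. The enclosing method continues outside the hunk; the PSR-2 follow-up below only changes whitespace.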
From: Paula Quispe
Date: Fri, 19 May 2017 16:31:27 -0400
Subject: [PATCH 05/13] HOR-3276
---
 gulliver/system/class.rbac.php | 51 +++
 .../engine/classes/model/ObjectPermission.php | 34 ++
 workflow/engine/methods/users/users_Ajax.php | 305 +++---------------
 .../BusinessModel/ProcessSupervisor.php | 33 ++
 .../src/ProcessMaker/BusinessModel/User.php | 158 +++++++++
 5 files changed, 324 insertions(+), 257 deletions(-)
diff --git a/gulliver/system/class.rbac.php b/gulliver/system/class.rbac.php
index 257539841..a9f5719a4 100644
--- a/gulliver/system/class.rbac.php
+++ b/gulliver/system/class.rbac.php
@@ -70,9 +70,31 @@ class RBAC
 public $singleSignOn = false;
 private static $instance = null;
+ public $authorizedActions = array();
 public function __construct ()
 {
+ $this->authorizedActions = array(
+ 'users_Ajax.php' => array(
+ 'availableUsers' => array('PM_FACTORY'),
+ 'assign' => array('PM_FACTORY'),
+ 'ofToAssign' => array('PM_FACTORY'),
+ 'usersGroup' => array('PM_FACTORY'),
+ 'canDeleteUser' => array('PM_USERS'),
+ 'deleteUser' => array('PM_USERS'),
+ 'changeUserStatus' => array('PM_USERS'),
+ 'availableGroups' => array('PM_USERS'),
+ 'assignedGroups' => array('PM_USERS'),
+ 'assignGroupsToUserMultiple' => array('PM_USERS'),
+ 'deleteGroupsToUserMultiple' => array('PM_USERS'),
+ 'authSources' => array('PM_USERS'),
+ 'loadAuthSourceByUID' => array('PM_USERS'),
+ 'updateAuthServices' => array('PM_USERS'),
+ 'usersList' => array('PM_USERS'),
+ 'summaryUserData' => array('PM_USERS'),
+ 'verifyIfUserAssignedAsSupervisor' => array('PM_USERS'),
+ )
+ );
 }
 /**
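Review bot: `$authorizedActions` is declared `public`, so any code that holds the `$RBAC` global can rewrite the permission map before `allows()` consults it; declare it `private $authorizedActions = array();` and expose a getter if other code needs to read it. The map is also silently incomplete for `users_Ajax.php`: `changeView` and `updatePageSize` are dispatched by that file but have no entry, and with the current `allows()` a missing entry means "any logged-in user", so either add explicit entries or state that default in a comment above the array. Keeping the map in the constructor means every RBAC instance rebuilds it; a class constant or a static property would document that it is configuration, not state. The class continues outside the hunk.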
@@ -1443,5 +1465,34 @@ class RBAC
 }
 }
 }
+ /**
+ * This function verify if the user allows to the file with a specific action
+ * If the action is not defined in the authorizedActions we give the allow
+ * @param string $file
+ * @param string $action
+ *
+ * @return void
+ */
+ public function allows($file, $action)
+ {
+ $access = true;
+ $permissions = isset($this->authorizedActions[$file][$action]) ? $this->authorizedActions[$file][$action] : array();
+ $totalPermissions = count($permissions);
+ $countAccess = 0;
+ foreach ($permissions as $key => $value) {
+ if ($this->userCanAccess($value) == 1) {
+ $countAccess++;
+ }
+ }
+ //Check if the user has all permissions that needed
+ if ($countAccess !== $totalPermissions) {
+ $access = false;
+ }
+
+ if (!$access) {
+ G::header('Location: /errors/error403.php');
+ die();
+ }
+ }
 }
diff --git a/workflow/engine/classes/model/ObjectPermission.php b/workflow/engine/classes/model/ObjectPermission.php
index 1319e6456..b483918db 100644
--- a/workflow/engine/classes/model/ObjectPermission.php
+++ b/workflow/engine/classes/model/ObjectPermission.php
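Review bot: `allows()` grants access whenever the action has no entry in `$authorizedActions`, so a typo in a key or a new `case` added to the caller is fail-open rather than fail-closed; for a file that does appear in the map an unknown action should be denied, e.g. `if (isset($this->authorizedActions[$file]) && !isset($this->authorizedActions[$file][$action])) { $access = false; }` before the `foreach`. `$this->userCanAccess($value) == 1` compares loosely against whatever that method returns (the caller in users_Ajax.php switches on `-2` and other values); use `=== 1` and state the expected return contract in the docblock. The docblock says `@return void` but on denial the method ends the request with `die()`; document that as "redirects to error403 and terminates the request" so callers know nothing after `allows()` executes for an unauthorized user. The `$key` loop variable is unused.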
@@ -409,5 +409,39 @@ class ObjectPermission extends BaseObjectPermission
 }
 return $result;
 }
+
+ /**
+ * Verify if the user has a objectPermission for some process
+ *
+ * @param string $usrUid the uid of the user
+ * @param int $typeRelation
+ *
+ * @return array
+ */
+ public function objectPermissionPerUser($usrUid, $typeRelation = 1)
+ {
+ $criteria = new Criteria("workflow");
+ $criteria->addSelectColumn(ObjectPermissionPeer::USR_UID);
+ $criteria->addSelectColumn(ObjectPermissionPeer::PRO_UID);
+ $criteria->add(ObjectPermissionPeer::OP_USER_RELATION, $typeRelation, Criteria::EQUAL);
+ $criteria->add(ObjectPermissionPeer::USR_UID, $usrUid, Criteria::EQUAL);
+ $doSelectRS = ObjectPermissionPeer::doSelectRS($criteria);
+ $doSelectRS->setFetchmode(ResultSet::FETCHMODE_ASSOC);
+ $doSelectRS->next();
+ $objectPermision = $doSelectRS->getRow();
+ $data = array();
+ if (isset($objectPermision["USR_UID"])) {
+ $criteria = new Criteria("workflow");
+ $criteria->addSelectColumn(ProcessPeer::PRO_TITLE);
+ $criteria->add(ProcessPeer::PRO_UID, $objectPermision["PRO_UID"], Criteria::EQUAL);
+ $doSelectRS = ProcessPeer::doSelectRS($criteria);
+ $doSelectRS->setFetchmode(ResultSet::FETCHMODE_ASSOC);
+ $doSelectRS->next();
+ $content = $doSelectRS->getRow();
+ $data['PRO_TITLE'] = $content["PRO_TITLE"];
+ $data['PRO_UID'] = $objectPermision["PRO_UID"];
+ }
+ return $data;
+ }
 }
diff --git a/workflow/engine/methods/users/users_Ajax.php b/workflow/engine/methods/users/users_Ajax.php
index 5052db1cb..cad63cff6 100644
--- a/workflow/engine/methods/users/users_Ajax.php
+++ b/workflow/engine/methods/users/users_Ajax.php
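Review bot: `objectPermissionPerUser()` returns at most the first matching row, so the docblock `@return array` should say it yields either an empty array or `['PRO_TITLE' => ..., 'PRO_UID' => ...]` for one process, not the user's full set of permissions; the only visible caller merely tests `count($aProcess) > 0`. If the process row is missing, `$content["PRO_TITLE"]` is read from an empty result and raises a notice; the removed code in users_Ajax.php guarded this, so restore it here: `$data['PRO_TITLE'] = isset($content['PRO_TITLE']) ? $content['PRO_TITLE'] : $objectPermision['PRO_UID'];`. The default `$typeRelation = 1` is a magic number; say in the `@param` what relation `1` denotes (the caller's comment suggests the user relation, but I cannot confirm that from the hunk).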
@@ -1,34 +1,6 @@ . - * - * For more information, contact Colosa Inc, 2566 Le Jeune Rd., - * Coral Gables, FL, 33134, USA, or email info@colosa.com. - */ try { - G::LoadSystem('inputfilter'); - $filter = new InputFilter(); - $_GET = $filter->xssFilterHard($_GET); - $_POST = $filter->xssFilterHard($_POST); - $_REQUEST = $filter->xssFilterHard($_REQUEST); - global $RBAC; switch ($RBAC->userCanAccess('PM_LOGIN')) { case - 2: @@ -47,38 +19,15 @@ try { $_POST = $_POST['form']; } if (isset($_REQUEST['function'])) { - //$value= $_POST['function']; $value = get_ajax_value('function'); } else { - //$value= $_POST['functions']; $value = get_ajax_value('functions'); } + + $RBAC->allows(basename(__FILE__), $value); switch ($value) { - case 'verifyUsername': - //print_r($_POST); die; - $_POST['sOriginalUsername'] = get_ajax_value('sOriginalUsername'); - $_POST['sUsername'] = get_ajax_value('sUsername'); - if ($_POST['sOriginalUsername'] == $_POST['sUsername']) { - echo '0'; - } else { - require_once 'classes/model/Users.php'; - G::LoadClass('Users'); - $oUser = new Users(); - $oCriteria = $oUser->loadByUsername($_POST['sUsername']); - $oDataset = UsersPeer::doSelectRs($oCriteria, Propel::getDbConnection('workflow_ro')); - $oDataset->setFetchmode(ResultSet::FETCHMODE_ASSOC); - $oDataset->next(); - $aRow = $oDataset->getRow(); - //print_r($aRow); die; - //if (!$aRow) - if (!is_array($aRow)) { - echo '0'; - } else { - echo '1'; - } - } - break; case 'availableUsers': + //Classic process: list of users to assign in the task G::LoadClass('processMap'); $oProcessMap = new ProcessMap(); global $G_PUBLISH; @@ -87,6 +36,7 @@ try { G::RenderPage('publish', 'raw'); break; case 'assign': + //Classic process: assign users and groups in the task G::LoadClass('tasks'); $oTasks = new Tasks(); switch ((int) $_POST['TU_RELATION']) { 
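Review bot: The first hunk removes the `InputFilter::xssFilterHard()` pass over `$_GET`, `$_POST` and `$_REQUEST` without a visible replacement, while later cases still echo request-derived data or push it into queries (`usersGroup` prints names, `changeView` stores `$_POST['TU_TYPE']` in the session, `usersList` feeds `textFilter`, `sort` and `dir` into criteria). If that filtering now happens in a front controller, say so in a comment where the removed lines were; otherwise keep the filter or escape at each output point. The new `$RBAC->allows(basename(__FILE__), $value);` in the second hunk is a welcome per-action check, but `$value` comes straight from the request and `allows()` permits any action it has no entry for, so the protection is only as complete as the map in class.rbac.php. The `try` block starts in the first hunk and continues far past this line.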
@@ -103,6 +53,7 @@ try { } break; case 'ofToAssign': + //Classic process: remove users and groups related a task G::LoadClass('tasks'); $oTasks = new Tasks(); switch ((int) $_POST['TU_RELATION']) { @@ -117,36 +68,11 @@ try { } break; case 'changeView': + //Classic process: set variable for users and groups Ad hoc $_SESSION['iType'] = $_POST['TU_TYPE']; break; - case 'deleteGroup': - G::LoadClass('groups'); - $oGroup = new Groups(); - $oGroup->removeUserOfGroup($_POST['GRP_UID'], $_POST['USR_UID']); - $_GET['sUserUID'] = $_POST['USR_UID']; - $G_PUBLISH = new Publisher(); - $G_PUBLISH->AddContent('view', 'users/users_Tree'); - G::RenderPage('publish', 'raw'); - break; - case 'showUserGroupInterface': - $_GET['sUserUID'] = $_POST['sUserUID']; - $G_PUBLISH = new Publisher(); - $G_PUBLISH->AddContent('view', 'users/users_AssignGroup'); - G::RenderPage('publish', 'raw'); - break; - case 'showUserGroups': - $_GET['sUserUID'] = $_POST['sUserUID']; - $G_PUBLISH = new Publisher(); - $G_PUBLISH->AddContent('view', 'users/users_Tree'); - G::RenderPage('publish', 'raw'); - break; - case 'assignUserToGroup': - G::LoadClass('groups'); - $oGroup = new Groups(); - $oGroup->addUserToGroup($_POST['GRP_UID'], $_POST['USR_UID']); - echo '

' . G::LoadTranslation('ID_MSG_ASSIGN_DONE') . '

'; - break; case 'usersGroup': + //Classic process: list of users in a group related a task G::LoadClass('groups'); $oGroup = new Groups(); $aGroup = $oGroup->getUsersOfGroup($_POST['GRP_UID']); @@ -154,29 +80,8 @@ try { echo $aValues['USR_FIRSTNAME'] . ' ' . $aValues['USR_LASTNAME'] . '
'; } break; - - //This case is used to check if any of the user group has as role 'PROCESSMAKER_ADMIN', - case 'usersAdminGroupExtJS': - G::LoadClass('groups'); - $oGroup = new Groups(); - $aGroup = $oGroup->getUsersOfGroup($_POST['GRP_UID']); - $responseUser = 'false'; - $usersAdmin = ''; - foreach ($aGroup as $iIndex => $aValues) { - if ($aValues['USR_ROLE'] == 'PROCESSMAKER_ADMIN') { - $responseUser = 'true'; - $usersAdmin .= $aValues['USR_FIRSTNAME'] . ' ' . $aValues['USR_LASTNAME'] . ', '; - } - } - $usersAdmin = substr($usersAdmin, 0, - 2); - - $result = new stdClass(); - $result->reponse = $responseUser; - $result->users = $usersAdmin; - - echo G::json_encode($result); - break; case 'canDeleteUser': + //Check before delete a user G::LoadClass('case'); $oProcessMap = new Cases(); $USR_UID = $_POST['uUID']; 
@@ -198,44 +103,31 @@ try { echo $response; break; case 'deleteUser': - $UID = $_POST['USR_UID']; - - //process permissions - $criteria = new Criteria("workflow"); - $criteria->addSelectColumn(ObjectPermissionPeer::USR_UID); - $criteria->addSelectColumn(ObjectPermissionPeer::PRO_UID); - $criteria->add(ObjectPermissionPeer::OP_USER_RELATION, 1, Criteria::EQUAL); - $criteria->add(ObjectPermissionPeer::USR_UID, $UID, Criteria::EQUAL); - $doSelectRS = DynaformPeer::doSelectRS($criteria); - $doSelectRS->setFetchmode(ResultSet::FETCHMODE_ASSOC); - $doSelectRS->next(); - $objectPermision = $doSelectRS->getRow(); - if (isset($objectPermision["USR_UID"])) { - $criteria = new Criteria("workflow"); - $criteria->addSelectColumn(ProcessPeer::PRO_TITLE); - $criteria->add(ProcessPeer::PRO_UID, $objectPermision["PRO_UID"], Criteria::EQUAL); - $doSelectRS = ProcessPeer::doSelectRS($criteria); - $doSelectRS->setFetchmode(ResultSet::FETCHMODE_ASSOC); - $doSelectRS->next(); - $content = $doSelectRS->getRow(); + //Check if the user was defined in a process permissions + $oObjectPermission = new ObjectPermission(); + $aProcess = $oObjectPermission->objectPermissionPerUser($_POST['USR_UID'], 1); + if (count($aProcess) > 0) { echo G::json_encode(array( "status" => 'ERROR', - "message" => G::LoadTranslation('ID_USER_CANT_BE_DELETED_FOR_THE_PROCESS', array('processTitle' => isset($content["PRO_TITLE"]) ? $content["PRO_TITLE"] : $objectPermision['PRO_UID'])) + "message" => G::LoadTranslation('ID_USER_CANT_BE_DELETED_FOR_THE_PROCESS', array('processTitle' => isset($aProcess["PRO_TITLE"]) ? 
$aProcess["PRO_TITLE"] : $aProcess['PRO_UID'])) )); break; } + //Remove from tasks G::LoadClass('tasks'); $oTasks = new Tasks(); $oTasks->ofToAssignUserOfAllTasks($UID); + + //Remove from groups G::LoadClass('groups'); $oGroups = new Groups(); $oGroups->removeUserOfAllGroups($UID); - $RBAC->changeUserStatus($UID, 'CLOSED'); - $_GET['USR_USERNAME'] = ''; - $RBAC->updateUser(array('USR_UID' => $UID, 'USR_USERNAME' => $_GET['USR_USERNAME'] - ), ''); + + //Update the table Users require_once 'classes/model/Users.php'; + $RBAC->changeUserStatus($UID, 'CLOSED'); + $RBAC->updateUser(array('USR_UID' => $UID,'USR_USERNAME' => ''), ''); $oUser = new Users(); $aFields = $oUser->load($UID); $aFields['USR_STATUS'] = 'CLOSED'; @@ -252,13 +144,13 @@ try { //Delete users as supervisor $criteria = new Criteria("workflow"); - $criteria->add(ProcessUserPeer::USR_UID, $UID, Criteria::EQUAL); $criteria->add(ProcessUserPeer::PU_TYPE, "SUPERVISOR", Criteria::EQUAL); ProcessUserPeer::doDelete($criteria); G::auditLog("DeleteUser", "User Name: ". $userName." User ID: (".$UID.") "); break; case 'changeUserStatus': + //When the user change the status: ACTIVE, INACTIVE, VACATION $response = new stdclass(); if (isset($_REQUEST['USR_UID']) && isset($_REQUEST['NEW_USR_STATUS'])) { $RBAC->changeUserStatus($_REQUEST['USR_UID'], ($_REQUEST['NEW_USR_STATUS'] == 'ACTIVE' ? 1 : 0)); @@ -278,6 +170,7 @@ try { die(G::json_encode($response)); break; case 'availableGroups': + //Get the available groups for assign to user G::LoadClass('groups'); $filter = (isset($_POST['textFilter'])) ? $_POST['textFilter'] : ''; $groups = new Groups(); @@ -291,6 +184,7 @@ try { echo '{groups: ' . G::json_encode($arr) . '}'; break; case 'assignedGroups': + //Get the groups related to user G::LoadClass('groups'); $filter = (isset($_POST['textFilter'])) ? $_POST['textFilter'] : ''; $groups = new Groups(); 
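Review bot: The line `$UID = $_POST['USR_UID'];` is removed, but `$UID` is still used by `ofToAssignUserOfAllTasks($UID)`, `removeUserOfAllGroups($UID)`, `changeUserStatus($UID, 'CLOSED')`, `updateUser(array('USR_UID' => $UID, ...))` and `$oUser->load($UID)`, so every one of those now runs with an undefined variable (`null`) and a notice. Reinstate `$UID = $_POST['USR_UID'];` as the first statement of the case, or replace the remaining uses with `$_POST['USR_UID']`. The `isset($aProcess["PRO_TITLE"])` fallback is fine, and the helper extraction itself reads well. The case body continues into the next hunk.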
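Review bot: Removing `$criteria->add(ProcessUserPeer::USR_UID, $UID, Criteria::EQUAL);` leaves the supervisor cleanup with only the `PU_TYPE = 'SUPERVISOR'` condition, so `ProcessUserPeer::doDelete($criteria)` now deletes every supervisor assignment of every user each time one user is deleted. Restore the user filter with a defined `$UID`, e.g. `$criteria->add(ProcessUserPeer::USR_UID, $UID, Criteria::EQUAL);` ahead of the `PU_TYPE` condition, and consider moving this delete into `ProcessSupervisor` next to the new `isUserSupervisor()` so the check and the removal share one definition. The audit-log call that closes the case references `$userName` and `$UID`, both set outside this hunk.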
@@ -304,6 +198,7 @@ try { echo '{groups: ' . G::json_encode($arr) . '}'; break; case 'assignGroupsToUserMultiple': + //Assign user in a group $USR_UID = $_POST['USR_UID']; $gUIDs = explode(',', $_POST['GRP_UID']); G::LoadClass('groups'); @@ -313,6 +208,7 @@ try { } break; case 'deleteGroupsToUserMultiple': + //Remove a user from a group $USR_UID = $_POST['USR_UID']; $gUIDs = explode(',', $_POST['GRP_UID']); G::LoadClass('groups'); @@ -322,6 +218,7 @@ try { } break; case 'authSources': + //Get the authentication information $criteria = $RBAC->getAllAuthSources(); $objects = AuthenticationSourcePeer::doSelectRS($criteria); $objects->setFetchmode(ResultSet::FETCHMODE_ASSOC); @@ -336,22 +233,19 @@ try { } $started = Array(); $started['AUTH_SOURCE_UID'] = '00000000000000000000000000000000'; - //$started['AUTH_SOURCE_NAME'] = 'ProcessMaker'; - //$started['AUTH_SOURCE_TYPE'] = 'MYSQL'; $started['AUTH_SOURCE_SHOW'] = 'ProcessMaker (MYSQL)'; $arr[] = $started; while ($objects->next()) { $row = $objects->getRow(); $aux = Array(); $aux['AUTH_SOURCE_UID'] = $row['AUTH_SOURCE_UID']; - //$aux['AUTH_SOURCE_NAME'] = $row['AUTH_SOURCE_NAME']; - //$aux['AUTH_SOURCE_TYPE'] = $row['AUTH_SOURCE_TYPE']; $aux['AUTH_SOURCE_SHOW'] = $row['AUTH_SOURCE_NAME'] . ' (' . $row['AUTH_SOURCE_PROVIDER'] . ')'; $arr[] = $aux; } echo '{sources: ' . G::json_encode($arr) . '}'; break; case 'loadAuthSourceByUID': + //Get the authentication source assignment require_once 'classes/model/Users.php'; $oCriteria = $RBAC->load($_POST['uUID']); $UID_AUTH = $oCriteria['UID_AUTH_SOURCE']; @@ -373,6 +267,7 @@ try { echo G::json_encode($res); break; case 'updateAuthServices': + //Update the information related to user's autentication $aData = $RBAC->load($_POST['usr_uid']); unset($aData['USR_ROLE']); $auth_uid = $_POST['auth_source']; 
@@ -393,127 +288,31 @@ try { $aData['USR_AUTH_USER_DN'] = $auth_dn; } $RBAC->updateUser($aData); - G::auditLog("AssignAuthenticationSource", "User Name: ".$aData['USR_USERNAME'].' User ID: ('.$aData['USR_UID'].') assign to '.$aData['USR_AUTH_TYPE']); + G::auditLog( + "AssignAuthenticationSource", + "User Name: ".$aData['USR_USERNAME'].' User ID: ('.$aData['USR_UID'].') assign to '.$aData['USR_AUTH_TYPE'] + ); echo '{success: true}'; break; case 'usersList': - require_once 'classes/model/Users.php'; - require_once 'classes/model/LoginLog.php'; - require_once 'classes/model/Department.php'; - require_once 'classes/model/AppCacheView.php'; - require_once PATH_RBAC . 'model/Roles.php'; - global $RBAC; + //Get the list of users + //Read the configurations related to enviroments G::LoadClass('configuration'); $co = new Configurations(); $config = $co->getConfiguration('usersList', 'pageSize', '', $_SESSION['USER_LOGGED']); $limit_size = isset($config['pageSize']) ? $config['pageSize'] : 20; - $start = isset($_REQUEST['start']) ? $_REQUEST['start'] : 0; $limit = isset($_REQUEST['limit']) ? $_REQUEST['limit'] : $limit_size; + $start = isset($_REQUEST['start']) ? $_REQUEST['start'] : 0; $filter = isset($_REQUEST['textFilter']) ? $_REQUEST['textFilter'] : ''; - $auths = isset($_REQUEST['auths']) ? $_REQUEST['auths'] : ''; + $authSource = isset($_REQUEST['auths']) ? $_REQUEST['auths'] : ''; $sort = isset($_REQUEST['sort']) ? $_REQUEST['sort'] : ''; $dir = isset($_REQUEST['dir']) ? $_REQUEST['dir'] : 'ASC'; - $aUsers = Array(); - if ($auths != '') { - $aUsers = $RBAC->getListUsersByAuthSource($auths); - } - $oCriteria = new Criteria('workflow'); - $oCriteria->addSelectColumn('COUNT(*) AS CNT'); - if ($filter != '') { - $cc = $oCriteria->getNewCriterion(UsersPeer::USR_USERNAME, '%' . $filter . '%', Criteria::LIKE)->addOr($oCriteria->getNewCriterion(UsersPeer::USR_FIRSTNAME, '%' . $filter . '%', Criteria::LIKE)->addOr($oCriteria->getNewCriterion(UsersPeer::USR_LASTNAME, '%' . 
$filter . '%', Criteria::LIKE)->addOr($oCriteria->getNewCriterion(UsersPeer::USR_EMAIL, '%' . $filter . '%', Criteria::LIKE)))); - $oCriteria->add($cc); - } - $oCriteria->add(UsersPeer::USR_STATUS, array('CLOSED'), Criteria::NOT_IN); - if ($auths != '') { - $totalRows = sizeof($aUsers); - } else { - $oDataset = UsersPeer::DoSelectRs($oCriteria); - $oDataset->setFetchmode(ResultSet::FETCHMODE_ASSOC); - $oDataset->next(); - $row = $oDataset->getRow(); - $totalRows = $row['CNT']; - } - $oCriteria->clearSelectColumns(); - $oCriteria->addSelectColumn(UsersPeer::USR_UID); - $oCriteria->addSelectColumn(UsersPeer::USR_USERNAME); - $oCriteria->addSelectColumn(UsersPeer::USR_FIRSTNAME); - $oCriteria->addSelectColumn(UsersPeer::USR_LASTNAME); - $oCriteria->addSelectColumn(UsersPeer::USR_EMAIL); - $oCriteria->addSelectColumn(UsersPeer::USR_ROLE); - $oCriteria->addSelectColumn(UsersPeer::USR_DUE_DATE); - $oCriteria->addSelectColumn(UsersPeer::USR_STATUS); - $oCriteria->addSelectColumn(UsersPeer::USR_UX); - $oCriteria->addSelectColumn(UsersPeer::DEP_UID); - $oCriteria->addSelectColumn(UsersPeer::USR_LAST_LOGIN); - $oCriteria->addAsColumn('LAST_LOGIN', 0); - $oCriteria->addAsColumn('DEP_TITLE', 0); - $oCriteria->addAsColumn('TOTAL_CASES', 0); - $oCriteria->addAsColumn('DUE_DATE_OK', 1); - $sep = "'"; - $oCriteria->add(UsersPeer::USR_STATUS, array('CLOSED'), Criteria::NOT_IN); - if ($filter != '') { - $cc = $oCriteria->getNewCriterion(UsersPeer::USR_USERNAME, '%' . $filter . '%', Criteria::LIKE)->addOr($oCriteria->getNewCriterion(UsersPeer::USR_FIRSTNAME, '%' . $filter . '%', Criteria::LIKE)->addOr($oCriteria->getNewCriterion(UsersPeer::USR_LASTNAME, '%' . $filter . '%', Criteria::LIKE)->addOr($oCriteria->getNewCriterion(UsersPeer::USR_EMAIL, '%' . $filter . 
'%', Criteria::LIKE)))); - $oCriteria->add($cc); - } - if (sizeof($aUsers) > 0) { - $oCriteria->add(UsersPeer::USR_UID, $aUsers, Criteria::IN); - } elseif ($totalRows == 0 && $auths != '') { - $oCriteria->add(UsersPeer::USR_UID, '', Criteria::IN); - } - if ($sort != '') { - if ($dir == 'ASC') { - $oCriteria->addAscendingOrderByColumn($sort); - } else { - $oCriteria->addDescendingOrderByColumn($sort); - } - } - $oCriteria->setOffset($start); - $oCriteria->setLimit($limit); - $oDataset = UsersPeer::DoSelectRs($oCriteria); - $oDataset->setFetchmode(ResultSet::FETCHMODE_ASSOC); - $Department = new Department(); - $aDepart = $Department->getAllDepartmentsByUser(); - $aAuthSources = $RBAC->getAllAuthSourcesByUser(); - require_once PATH_CONTROLLERS . 'adminProxy.php'; - $uxList = adminProxy::getUxTypesList(); - - $oRoles = new Roles(); - $oParticipated = new ListParticipatedLast(); - $oAppCache = new AppCacheView(); - $rows = Array(); - $uRole = Array(); - while ($oDataset->next()) { - $row = $oDataset->getRow(); - - try { - $uRole = $oRoles->loadByCode($row['USR_ROLE']); - } catch (exception $oError) { - $uRole['ROL_NAME'] = G::loadTranslation('ID_DELETED'); - } - /*----------------------------------********---------------------------------*/ - if (true) { - $total = $oParticipated->getCountList($row['USR_UID']); - } else { - /*----------------------------------********---------------------------------*/ - $total = $oAppCache->getListCounters('sent', $row['USR_UID'], false); - /*----------------------------------********---------------------------------*/ - } - /*----------------------------------********---------------------------------*/ - $row['USR_ROLE_ID'] = $row['USR_ROLE']; - $row['USR_ROLE'] = isset($uRole['ROL_NAME']) ? ($uRole['ROL_NAME'] != '' ? $uRole['ROL_NAME'] : $uRole['ROL_CODE']) : $uRole['ROL_CODE']; - - $row['DUE_DATE_OK'] = (date('Y-m-d') > date('Y-m-d', strtotime($row['USR_DUE_DATE']))) ? 0 : 1; - $row['LAST_LOGIN'] = isset($row['USR_LAST_LOGIN']) ? 
\ProcessMaker\Util\DateTime::convertUtcToTimeZone($row['USR_LAST_LOGIN']) : ''; - $row['TOTAL_CASES'] = $total; - $row['DEP_TITLE'] = isset($aDepart[$row['USR_UID']]) ? $aDepart[$row['USR_UID']] : ''; - $row['USR_UX'] = isset($uxList[$row['USR_UX']]) ? $uxList[$row['USR_UX']] : $uxList['NORMAL']; - $row['USR_AUTH_SOURCE'] = isset($aAuthSources[$row['USR_UID']]) ? $aAuthSources[$row['USR_UID']] : 'ProcessMaker (MYSQL)'; - - $rows[] = $row; - } - - echo '{users: ' . G::json_encode($rows) . ', total_users: ' . $totalRows . '}'; + //Get all list of users with the additional information related to department, role, authentication, cases + $oUser = new \ProcessMaker\BusinessModel\User(); + $oDatasetUsers = $oUser->getAllUsersWithAuthSource($authSource, $filter, $sort, $start, $limit, $dir); + $rows = $oUser->getAdditionalInfoFromUsers($oDatasetUsers); + echo '{users: ' . G::json_encode($rows['data']) . ', total_users: ' . $rows['totalCount'] . '}'; break; case 'updatePageSize': G::LoadClass('configuration'); @@ -527,6 +326,7 @@ try { echo '{success: true}'; break; case 'summaryUserData': + //Get all information for the summary require_once 'classes/model/Users.php'; require_once 'classes/model/Department.php'; require_once 'classes/model/AppCacheView.php'; 
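Review bot: `$start`, `$limit`, `$sort` and `$dir` are taken from `$_REQUEST` unvalidated and handed to `getAllUsersWithAuthSource()`, and the removed code shows `$sort` ending up in `addAscendingOrderByColumn($sort)`, i.e. a request-controlled ORDER BY column name; validate before the call, e.g. `$start = (int) $start; $limit = (int) $limit;` plus a check of `$sort` against the selectable user columns and `$dir` against `['ASC', 'DESC']`. The rewritten case no longer declares `global $RBAC`, which is fine because the file does so at the top, but the new BusinessModel method reaches for `global $RBAC` itself — passing the RBAC instance in would keep the model testable. The `$sep = "'"` local the old code carried is dead and should not be copied into the new method. The `try` block enclosing the switch starts and ends outside the hunk.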
@@ -568,25 +368,16 @@ try {
 break;
 case "verifyIfUserAssignedAsSupervisor":
+ //Before delete we check if is supervisor
+ $supervisor = new \ProcessMaker\BusinessModel\ProcessSupervisor();
+ $isSupervisor = $supervisor->isUserSupervisor($_POST["supervisorUserUid"]);
 $supervisorUserUid = $_POST["supervisorUserUid"];
- $message = "OK";
-
- $criteria = new Criteria("workflow");
-
- $criteria->addSelectColumn(ProcessUserPeer::PU_UID);
- $criteria->add(ProcessUserPeer::USR_UID, $supervisorUserUid, Criteria::EQUAL);
- $criteria->add(ProcessUserPeer::PU_TYPE, "SUPERVISOR", Criteria::EQUAL);
-
- $rsCriteria = ProcessUserPeer::doSelectRS($criteria);
- $rsCriteria->setFetchmode(ResultSet::FETCHMODE_ASSOC);
-
- if ($rsCriteria->next()) {
- $message = "ERROR";
+ $message = 'OK';
+ if ($isSupervisor) {
+ $message = 'ERROR';
 }
-
 $response = array();
 $response["result"] = $message;
-
 echo G::json_encode($response);
 break;
 }
diff --git a/workflow/engine/src/ProcessMaker/BusinessModel/ProcessSupervisor.php b/workflow/engine/src/ProcessMaker/BusinessModel/ProcessSupervisor.php
index 2ed4d6d34..9d1ac7ece 100644
--- a/workflow/engine/src/ProcessMaker/BusinessModel/ProcessSupervisor.php
+++ b/workflow/engine/src/ProcessMaker/BusinessModel/ProcessSupervisor.php
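Review bot: `$supervisorUserUid = $_POST["supervisorUserUid"];` is now assigned after the same request value has already been read for `isUserSupervisor()` and is never used afterwards, so either drop the line or read the request once: `$supervisorUserUid = $_POST['supervisorUserUid']; $isSupervisor = $supervisor->isUserSupervisor($supervisorUserUid);`. `$message = $isSupervisor ? 'ERROR' : 'OK';` states the result in one line. The comment `//Before delete we check if is supervisor` would read better as `// Called before deleting a user: refuse if the user is still a supervisor`.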
@@ -1461,4 +1461,37 @@ class ProcessSupervisor
 throw $e;
 }
 }
+ /**
+ * Check if the user is supervisor for some process
+ *
+ * @param string $userUid Unique id of User
+ *
+ * @return bool Return
+ */
+ public function isUserSupervisor($userUid)
+ {
+ //Check if the user is defined as supervisor
+ $criteria = new \Criteria('workflow');
+ $criteria->add(\ProcessUserPeer::USR_UID, $userUid, \Criteria::EQUAL);
+ $criteria->add(\ProcessUserPeer::PU_TYPE, 'SUPERVISOR', \Criteria::EQUAL);
+ $rsCriteria = \ProcessUserPeer::doSelectRS($criteria);
+ $rsCriteria->setFetchmode(\ResultSet::FETCHMODE_ASSOC);
+
+ if ($rsCriteria->next()) {
+ return true;
+ }
+ //Check if the user is in a group defined as supervisor
+ $criteria = new \Criteria('workflow');
+ $criteria->addSelectColumn(\ProcessUserPeer::USR_UID);
+ $criteria->addJoin(\ProcessUserPeer::USR_UID, \GroupUserPeer::GRP_UID, \Criteria::LEFT_JOIN);
+ $criteria->add(\ProcessUserPeer::PU_TYPE, 'GROUP_SUPERVISOR', \Criteria::EQUAL);
+ $criteria->add(\GroupUserPeer::USR_UID, $userUid, \Criteria::EQUAL);
+ $rsCriteria = \ProcessUserPeer::doSelectRS($criteria);
+ $rsCriteria->setFetchmode(\ResultSet::FETCHMODE_ASSOC);
+
+ if ($rsCriteria->next()) {
+ return true;
+ }
+ return false;
+ }
 }
diff --git a/workflow/engine/src/ProcessMaker/BusinessModel/User.php b/workflow/engine/src/ProcessMaker/BusinessModel/User.php
index 6fdb70486..4122751af 100644
--- a/workflow/engine/src/ProcessMaker/BusinessModel/User.php
+++ b/workflow/engine/src/ProcessMaker/BusinessModel/User.php
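Review bot: The docblock `@return bool Return` is truncated; say what the boolean means, e.g. `@return bool true when the user is assigned as SUPERVISOR directly, or belongs to a group assigned as GROUP_SUPERVISOR, in any process`. The first query adds no select column before `doSelectRS()` while the second does, and the removed users_Ajax.php code selected `PU_UID` explicitly; if Propel does not default to all columns here, add `$criteria->addSelectColumn(\ProcessUserPeer::PU_UID);` for symmetry. Because this method now also counts group supervisors while the delete path in users_Ajax.php only removes `SUPERVISOR` rows, the two stay consistent only because group membership is removed separately — worth a sentence in the docblock. The class ends at the hunk.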
@@ -1540,5 +1540,163 @@ class User throw $e; } } + /** + * This function get the list of users + * + * @param string $authSource, authentication source + * @param string $filter + * @param string $sort + * @param integer $start + * @param integer $limit + * @param string $dir related to order the column + * + * @return void + */ + public function getAllUsersWithAuthSource( + $authSource = '', + $filter = '', + $sort = '', + $start = 0, + $limit = 20, + $dir = 'ASC' + ) + { + global $RBAC; + $aUsers = array(); + if ($authSource != '') { + $aUsers = $RBAC->getListUsersByAuthSource($authSource); + } + $oCriteria = new \Criteria('workflow'); + $oCriteria->addSelectColumn('COUNT(*) AS CNT'); + if ($filter != '') { + $cc = $oCriteria->getNewCriterion(\UsersPeer::USR_USERNAME, '%' . $filter . '%', \Criteria::LIKE) + ->addOr($oCriteria->getNewCriterion(\UsersPeer::USR_FIRSTNAME, '%' . $filter . '%', \Criteria::LIKE) + ->addOr($oCriteria->getNewCriterion(\UsersPeer::USR_LASTNAME, '%' . $filter . '%', \Criteria::LIKE) + ->addOr($oCriteria->getNewCriterion(\UsersPeer::USR_EMAIL, '%' . $filter . 
'%', \Criteria::LIKE)))); + $oCriteria->add($cc); + } + $oCriteria->add(\UsersPeer::USR_STATUS, array('CLOSED'), \Criteria::NOT_IN); + + if ($authSource != '') { + $totalRows = sizeof($aUsers); + } else { + $oDataset = \UsersPeer::DoSelectRs($oCriteria); + $oDataset->setFetchmode(\ResultSet::FETCHMODE_ASSOC); + $oDataset->next(); + $row = $oDataset->getRow(); + $totalRows = $row['CNT']; + } + $oCriteria->clearSelectColumns(); + $oCriteria->addSelectColumn(\UsersPeer::USR_UID); + $oCriteria->addSelectColumn(\UsersPeer::USR_USERNAME); + $oCriteria->addSelectColumn(\UsersPeer::USR_FIRSTNAME); + $oCriteria->addSelectColumn(\UsersPeer::USR_LASTNAME); + $oCriteria->addSelectColumn(\UsersPeer::USR_EMAIL); + $oCriteria->addSelectColumn(\UsersPeer::USR_ROLE); + $oCriteria->addSelectColumn(\UsersPeer::USR_DUE_DATE); + $oCriteria->addSelectColumn(\UsersPeer::USR_STATUS); + $oCriteria->addSelectColumn(\UsersPeer::USR_UX); + $oCriteria->addSelectColumn(\UsersPeer::DEP_UID); + $oCriteria->addSelectColumn(\UsersPeer::USR_LAST_LOGIN); + $oCriteria->addAsColumn('LAST_LOGIN', 0); + $oCriteria->addAsColumn('DEP_TITLE', 0); + $oCriteria->addAsColumn('TOTAL_CASES', 0); + $oCriteria->addAsColumn('DUE_DATE_OK', 1); + $sep = "'"; + $oCriteria->add(\UsersPeer::USR_STATUS, array('CLOSED'), \Criteria::NOT_IN); + if ($filter != '') { + $cc = $oCriteria->getNewCriterion(\UsersPeer::USR_USERNAME, '%' . $filter . '%', \Criteria::LIKE) + ->addOr($oCriteria->getNewCriterion(\UsersPeer::USR_FIRSTNAME, '%' . $filter . '%', \Criteria::LIKE) + ->addOr($oCriteria->getNewCriterion(\UsersPeer::USR_LASTNAME, '%' . $filter . '%', \Criteria::LIKE) + ->addOr($oCriteria->getNewCriterion(\UsersPeer::USR_EMAIL, '%' . $filter . 
'%', \Criteria::LIKE)))); + $oCriteria->add($cc); + } + if (sizeof($aUsers) > 0) { + $oCriteria->add(\UsersPeer::USR_UID, $aUsers, \Criteria::IN); + } elseif ($totalRows == 0 && $authSource != '') { + $oCriteria->add(\UsersPeer::USR_UID, '', \Criteria::IN); + } + if ($sort != '') { + if ($dir == 'ASC') { + $oCriteria->addAscendingOrderByColumn($sort); + } else { + $oCriteria->addDescendingOrderByColumn($sort); + } + } + $oCriteria->setOffset($start); + $oCriteria->setLimit($limit); + $oDataset = \UsersPeer::DoSelectRs($oCriteria); + $oDataset->setFetchmode(\ResultSet::FETCHMODE_ASSOC); + + return $oDataset; + } + /** + * This function get additional information related to the user + * Information about the department, rol, cases, authentication + * + * @param criteria $oDatasetUsers, criteria for search users + * + * @return array $dataUsers array of users with the additional information + */ + public function getAdditionalInfoFromUsers($oDatasetUsers) + { + global $RBAC; + //Get the information about the department + $Department = new \Department(); + $aDepart = $Department->getAllDepartmentsByUser(); + + //Get the authentication sources + $aAuthSources = $RBAC->getAllAuthSourcesByUser(); + + //Get roles + $oRoles = new \Roles(); + + //Get cases + $oParticipated = new \ListParticipatedLast(); + $oAppCache = new \AppCacheView(); + + $rows = array(); + $uRole = array(); + $totalRows = 0; + $dataUsers = array(); + while ($oDatasetUsers->next()) { + $totalRows++; + $row = $oDatasetUsers->getRow(); + + //Add the role information related to the user + try { + $uRole = $oRoles->loadByCode($row['USR_ROLE']); + } catch (\exception $oError) { + $uRole['ROL_NAME'] = G::loadTranslation('ID_DELETED'); + } + $row['USR_ROLE_ID'] = $row['USR_ROLE']; + $row['USR_ROLE'] = isset($uRole['ROL_NAME']) ? ($uRole['ROL_NAME'] != '' ? 
$uRole['ROL_NAME'] : $uRole['ROL_CODE']) : $uRole['ROL_CODE']; + + /*----------------------------------********---------------------------------*/ + if (true) { + $total = $oParticipated->getCountList($row['USR_UID']); + } else { + /*----------------------------------********---------------------------------*/ + $total = $oAppCache->getListCounters('sent', $row['USR_UID'], false); + /*----------------------------------********---------------------------------*/ + } + /*----------------------------------********---------------------------------*/ + $row['TOTAL_CASES'] = $total; + + $row['DUE_DATE_OK'] = (date('Y-m-d') > date('Y-m-d', strtotime($row['USR_DUE_DATE']))) ? 0 : 1; + $row['LAST_LOGIN'] = isset($row['USR_LAST_LOGIN']) ? \ProcessMaker\Util\DateTime::convertUtcToTimeZone($row['USR_LAST_LOGIN']) : ''; + //Add the department information related to the user + $row['DEP_TITLE'] = isset($aDepart[$row['USR_UID']]) ? $aDepart[$row['USR_UID']] : ''; + //Add the authentication information related to the user + $row['USR_AUTH_SOURCE'] = isset($aAuthSources[$row['USR_UID']]) ? $aAuthSources[$row['USR_UID']] : 'ProcessMaker (MYSQL)'; + + $rows[] = $row; + } + $dataUsers['data'] = $rows; + $dataUsers['totalCount'] = $totalRows; + + return $dataUsers; + } + } From 10638029336c03e7c124e0c93846ea15eff5da5e Mon Sep 17 00:00:00 2001 From: qronald Date: Wed, 24 May 2017 08:39:04 -0400 Subject: [PATCH 06/13] up observations --- .../engine/methods/groups/groups_Ajax.php | 25 ++++++++----------- .../engine/templates/groups/groupsList.js | 22 ++++++---------- 2 files changed, 18 insertions(+), 29 deletions(-) diff --git a/workflow/engine/methods/groups/groups_Ajax.php b/workflow/engine/methods/groups/groups_Ajax.php index 867a575df..5a671195c 100644 --- a/workflow/engine/methods/groups/groups_Ajax.php +++ b/workflow/engine/methods/groups/groups_Ajax.php 
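Review bot: `getAllUsersWithAuthSource()` passes `$sort` straight to `addAscendingOrderByColumn()`/`addDescendingOrderByColumn()`, which place it in the ORDER BY clause as given; if the callers (not visible here) forward a request parameter, validate it against the `\UsersPeer::*` columns selected above before use, e.g. `if ($sort != '' && in_array($sort, $sortableColumns, true)) {` with `$sortableColumns` an explicit list of those constants. The docblock says `@return void` although the method returns the result set from `\UsersPeer::DoSelectRs`, and `$sep = "'"` is assigned but never used. In `getAdditionalInfoFromUsers()` the `catch (\exception $oError)` branch sets `$uRole['ROL_NAME']` on a `$uRole` left over from the previous iteration, so a deleted role can inherit the previous user's `ROL_CODE`; reset it with `$uRole = array();` at the top of the loop. The `if (true) { ... } else { ... }` around `getCountList`/`getListCounters` leaves an unreachable branch that should be removed or tied to a real condition.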
@@ -125,24 +125,19 @@ switch ($_POST['action']) {
 $result->success = true;
 $result->groups = $arrData;
 $result->total_groups = $data['totalCount'];
-
+ G::header('Content-Type: application/json');
 echo G::json_encode( $result );
 break;
 case 'exitsGroupName':
- $groupName = strip_tags($_POST['GRP_NAME']);
- if ($groupName) {
- require_once 'classes/model/Groupwf.php';
- G::LoadClass('Groupswf');
- $oGroup = new Groupwf();
- $oCriteria = $oGroup->loadByGroupname($_POST['GRP_NAME']);
- $oDataset = GroupwfPeer::doSelectRS($oCriteria);
- $oDataset->setFetchmode(ResultSet::FETCHMODE_ASSOC);
- $oDataset->next();
- $aRow = $oDataset->getRow();
- $response = ($aRow) ? \G::json_encode(['success' => true]) : \G::json_decode(['success' => false]);
- } else {
- $response = \G::json_encode(['success' => true, 'msg' => \G::LoadTranslation('ID_FIELD_INVALID')]);
- }
+ require_once 'classes/model/Groupwf.php';
+ G::LoadClass( 'Groupswf' );
+ $oGroup = new Groupwf();
+ $oCriteria = $oGroup->loadByGroupname( $_POST['GRP_NAME'] );
+ $oDataset = GroupwfPeer::doSelectRS( $oCriteria );
+ $oDataset->setFetchmode( ResultSet::FETCHMODE_ASSOC );
+ $oDataset->next();
+ $aRow = $oDataset->getRow();
+ $response = ($aRow) ? 'true' : 'false';
 echo $response;
 break;
 case 'saveNewGroup':
diff --git a/workflow/engine/templates/groups/groupsList.js b/workflow/engine/templates/groups/groupsList.js
index 6833a45e8..c4cb48656 100644
--- a/workflow/engine/templates/groups/groupsList.js
+++ b/workflow/engine/templates/groups/groupsList.js
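Review bot: The `exitsGroupName` branch now echoes the bare strings `'true'`/`'false'` while the branch just above it in the same hunk starts sending `Content-Type: application/json`, and the groupsList.js hunk of this commit evaluates that body with `eval()`, so any non-boolean output prefixed to the response (a PHP notice, an error page) would run as script in the administrator's browser. Keep the JSON shape instead: `G::header('Content-Type: application/json');` then `echo G::json_encode(array('success' => (bool) $aRow));`, with the client decoding it via `JSON.parse`. Dropping the `strip_tags` check means markup in `GRP_NAME` is accepted again on the server, which is only safe if the name is escaped wherever it is rendered; this hunk does not show that. `$_POST['GRP_NAME']` is also read without an `isset` guard.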
@@ -182,13 +182,7 @@ Ext.onReady(function(){
 text: _("ID_SAVE"),
 handler: function (btn, ev) {
- var reg = new RegExp(/(<([^>]+)>)/ig),
- nameGroups = newForm.getForm().findField('name').getValue();
- if (reg.test(nameGroups)){
- Ext.Msg.alert(_('ID_WARNING'), _("ID_FIELD_INVALID", _("ID_GROUP_NAME")));
- newForm.getForm().findField('name').setValue("");
- return false;
- } else if (nameGroups.trim() == "") {
+ if( newForm.getForm().findField('name').getValue().trim() == "") {
 Ext.Msg.alert(_('ID_WARNING'), _("ID_FIELD_REQUIRED", _("ID_GROUP_NAME")));
 newForm.getForm().findField('name').setValue("");
 return false;
@@ -440,8 +434,8 @@ CheckGroupName = function(grp_name, function_success, function_failure){
 params: {action: 'exitsGroupName', GRP_NAME: grp_name},
 success: function(resp, opt){
 viewport.getEl().unmask();
- var response = JSON.parse(resp.responseText);
- (!response.success) ? function_success() : function_failure(response.msg);
+ var checked = eval(resp.responseText);
+ (!checked) ? function_success() : function_failure();
 },
 failure: function(r,o) {
 viewport.getEl().unmask();
@@ -458,11 +452,11 @@ SaveNewGroupAction = function(){
 };
 //Show Duplicate Group Name Message
-DuplicateGroupName = function (msg) {
- Ext.getCmp("btnCreateSave").setDisabled(false);
- Ext.getCmp("btnUpdateSave").setDisabled(false);
- newForm.getForm().findField('name').setValue("");
- PMExt.warning(_('ID_GROUPS'), msg ? msg : _('ID_MSG_GROUP_NAME_EXISTS'));
+DuplicateGroupName = function(){
+ Ext.getCmp("btnCreateSave").setDisabled(false);
+ Ext.getCmp("btnUpdateSave").setDisabled(false);
+
+ PMExt.warning(_('ID_GROUPS'), _('ID_MSG_GROUP_NAME_EXISTS'));
 };
 //Save New Group
From 88da56ea9a653c8da472d788c670b3bdb7a44194 Mon Sep 17 00:00:00 2001
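Review bot: `var checked = eval(resp.responseText);` in the `@@ -440` hunk executes whatever the server sends as script; a plain comparison, `var checked = resp.responseText.trim() === 'true';`, yields the same boolean for the `'true'`/`'false'` bodies the server now returns without evaluating anything. The `DuplicateGroupName` rewrite in the `@@ -458` hunk drops `newForm.getForm().findField('name').setValue("");`, so the duplicate name now stays in the field after the warning; if that is intended, say so in the `//Show Duplicate Group Name Message` comment, otherwise restore the line.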
From: Paula Quispe Date: Tue, 23 May 2017 16:12:45 -0400 Subject: [PATCH 07/13] PR observations |:wq --- gulliver/system/class.rbac.php | 26 +++++++++++-------- .../BusinessModel/ProcessSupervisor.php | 2 +- 2 files changed, 16 insertions(+), 12 deletions(-)
diff --git a/gulliver/system/class.rbac.php b/gulliver/system/class.rbac.php
index a9f5719a4..381698f5f 100644
--- a/gulliver/system/class.rbac.php
+++ b/gulliver/system/class.rbac.php
@@ -78,6 +78,7 @@ class RBAC
 'users_Ajax.php' => array(
 'availableUsers' => array('PM_FACTORY'),
 'assign' => array('PM_FACTORY'),
+ 'changeView' => array(),
 'ofToAssign' => array('PM_FACTORY'),
 'usersGroup' => array('PM_FACTORY'),
 'canDeleteUser' => array('PM_USERS'),
@@ -91,6 +92,7 @@ class RBAC
 'loadAuthSourceByUID' => array('PM_USERS'),
 'updateAuthServices' => array('PM_USERS'),
 'usersList' => array('PM_USERS'),
+ 'updatePageSize' => array(),
 'summaryUserData' => array('PM_USERS'),
 'verifyIfUserAssignedAsSupervisor' => array('PM_USERS'),
 )
@@ -1475,18 +1477,20 @@ class RBAC
 */
 public function allows($file, $action)
 {
- $access = true;
- $permissions = isset($this->authorizedActions[$file][$action]) ? $this->authorizedActions[$file][$action] : array();
- $totalPermissions = count($permissions);
- $countAccess = 0;
- foreach ($permissions as $key => $value) {
- if ($this->userCanAccess($value) == 1) {
- $countAccess++;
+ $access = false;
+ if (isset($this->authorizedActions[$file][$action])) {
+ $permissions = $this->authorizedActions[$file][$action];
+ $totalPermissions = count($permissions);
+ $countAccess = 0;
+ foreach ($permissions as $key => $value) {
+ if ($this->userCanAccess($value) == 1) {
+ $countAccess++;
+ }
+ }
+ //Check if the user has all permissions that needed
+ if ($countAccess == $totalPermissions) {
+ $access = true;
 }
- }
- //Check if the user has all permissions that needed
- if ($countAccess !== $totalPermissions) {
- $access = false;
 }
 if (!$access) {
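Review bot: `allows()` now fails closed for file/action pairs missing from `authorizedActions`, but an action mapped to `array()` (the new `'changeView'` and `'updatePageSize'` entries in the first two hunks) still passes because `$countAccess == $totalPermissions` holds with both at zero; that is presumably the intended "any authenticated user" marker, so record it next to the existing comment: `//An empty permission list means any logged-in user may run the action; a missing entry denies it`. `$key` in `foreach ($permissions as $key => $value)` is unused, so `foreach ($permissions as $permission)` reads cleaner, and `$this->userCanAccess($value) == 1` should be `=== 1` if that method returns an int. The body continues past the hunk with `if (!$access) {`, so what happens on denial is not visible here.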
diff --git a/workflow/engine/src/ProcessMaker/BusinessModel/ProcessSupervisor.php b/workflow/engine/src/ProcessMaker/BusinessModel/ProcessSupervisor.php
index 9d1ac7ece..87503f43d 100644
--- a/workflow/engine/src/ProcessMaker/BusinessModel/ProcessSupervisor.php
+++ b/workflow/engine/src/ProcessMaker/BusinessModel/ProcessSupervisor.php
@@ -1478,7 +1478,7 @@ class ProcessSupervisor
 $rsCriteria->setFetchmode(\ResultSet::FETCHMODE_ASSOC);
 if ($rsCriteria->next()) {
- return true;
+ return true;
 }
 //Check if the user is in a group defined as supervisor
 $criteria = new \Criteria('workflow');
From f3cc8e610edcb0d12f06fc215de1ae4286ae827c Mon Sep 17 00:00:00 2001 From: qronald Date: Wed, 24 May 2017 11:01:30 -0400 Subject: [PATCH 08/13] Adding new considerations in other ajax --- workflow/engine/methods/groups/groups_Ajax.php | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/workflow/engine/methods/groups/groups_Ajax.php b/workflow/engine/methods/groups/groups_Ajax.php
index 5a671195c..fdfe52b53 100644
--- a/workflow/engine/methods/groups/groups_Ajax.php
+++ b/workflow/engine/methods/groups/groups_Ajax.php
@@ -253,6 +253,7 @@ switch ($_POST['action']) {
 while ($oDataset->next()) {
 $arrData[] = $oDataset->getRow();
 }
+ G::header('Content-Type: application/json');
 echo '{success: true, members: ' . G::json_encode( $arrData ) . ', total_users: ' . $totalRows . '}';
 break;
 case 'availableMembers':
@@ -321,6 +322,7 @@ switch ($_POST['action']) {
 while ($oDataset->next()) {
 $arrData[] = $oDataset->getRow();
 }
+ G::header('Content-Type: application/json');
 echo '{success: true, members: ' . G::json_encode( $arrData ) . ', total_users: ' . $totalRows . '}';
 break;
 case 'assignUsersToGroupsMultiple':
From a445056fbf3f313adc3233d2b51ba97edd6617ea Mon Sep 17 00:00:00 2001
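Review bot: Both groups_Ajax.php hunks (`@@ -253` and `@@ -321`) put `Content-Type: application/json` in front of `echo '{success: true, members: ' . G::json_encode( $arrData ) . ', total_users: ' . $totalRows . '}';`, but that hand-built body has unquoted keys and is not valid JSON, so any client that decodes strictly will reject it now that the type is declared. Let the encoder produce the whole document: `echo G::json_encode(array('success' => true, 'members' => $arrData, 'total_users' => $totalRows));`. That also removes the raw concatenation of `$totalRows` into the response.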
From: Paula Quispe Date: Wed, 24 May 2017 15:19:33 -0400 Subject: [PATCH 09/13] HOR-3286 --- .../processes/processes_DownloadFile.php | 51 ++++--------------- workflow/engine/methods/setup/skin_Ajax.php | 23 ++++----- 2 files changed, 19 insertions(+), 55 deletions(-) diff --git a/workflow/engine/methods/processes/processes_DownloadFile.php b/workflow/engine/methods/processes/processes_DownloadFile.php index 7cd355876..f973b50e9 100644 --- a/workflow/engine/methods/processes/processes_DownloadFile.php +++ b/workflow/engine/methods/processes/processes_DownloadFile.php @@ -1,26 +1,5 @@ . - * - * For more information, contact Colosa Inc, 2566 Le Jeune Rd., - * Coral Gables, FL, 33134, USA, or email info@colosa.com. - */ +//$RBAC->allows(basename(__FILE__), 'downloadFileHash'); if (!isset($_GET["file_hash"])) { throw new Exception("Invalid Request, param 'file_hash' was not sent."); 
@@ -28,26 +7,16 @@ if (!isset($_GET["file_hash"])) { $httpStream = new \ProcessMaker\Util\IO\HttpStream(); $outputDir = PATH_DATA . "sites" . PATH_SEP . SYS_SYS . PATH_SEP . "files" . PATH_SEP . "output" . PATH_SEP; -$filename = urldecode(base64_decode($_GET["file_hash"])); -$fileExtension = pathinfo($outputDir . $filename, PATHINFO_EXTENSION); +$fileName = urldecode(base64_decode($_GET["file_hash"])); +$processFile = $outputDir . $fileName; -if (!file_exists($outputDir . $filename)) { - throw new Exception("Error, couldn't find request file: $filename"); +//Verify if the file related to process exist in the corresponding path +$fileInformation = pathinfo($processFile); +$processFile = $outputDir . $fileInformation['basename']; +if (!file_exists($processFile)) { + throw new Exception("Error, couldn't find request file: $fileName"); } - -$httpStream->loadFromFile($outputDir . $filename); +$fileExtension = $fileInformation['extension']; +$httpStream->loadFromFile($processFile); $httpStream->setHeader("Content-Type", "application/$fileExtension"); $httpStream->send(); - -// ************* DEPRECATED (it will be removed soon) ********************************* -//add more security, and catch any error or exception -//$sFileName = $_GET['p'] . '.pm'; -//$file = PATH_DOCUMENT . 'output' . PATH_SEP . $sFileName . 'tpm'; -//$filex = PATH_DOCUMENT . 'output' . PATH_SEP . $sFileName; -// -//if (file_exists( $file )) { -// rename( $file, $filex ); -//} -// -//$realPath = PATH_DOCUMENT . 'output' . PATH_SEP . $sFileName; -//G::streamFile( $realPath, true ); diff --git a/workflow/engine/methods/setup/skin_Ajax.php b/workflow/engine/methods/setup/skin_Ajax.php index 2f3fe89a8..fef91eeaf 100644 --- a/workflow/engine/methods/setup/skin_Ajax.php +++ b/workflow/engine/methods/setup/skin_Ajax.php @@ -1,8 +1,4 @@ xssFilterHard($_REQUEST); - if (! isset( $_REQUEST['action'] )) { $res['success'] = false; $res['error'] = $res['message'] = G::LoadTranslation('ID_REQUEST_ACTION'); 
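Review bot: `$fileInformation['extension']` is undefined when the requested name has no dot, which raises a notice and sends `Content-Type: application/`; guard it with `$fileExtension = isset($fileInformation['extension']) ? $fileInformation['extension'] : 'octet-stream';`. Taking `basename` from `pathinfo()` confines the lookup to `$outputDir`, but `file_exists()` is also true for `.` and `..` (which `pathinfo` returns unchanged as `basename`) and for any sub-directory, so the check should be `if (!is_file($processFile)) {`. The extension, and with it the content type, is still caller-controlled; if `setHeader` accepts arbitrary headers, a `Content-Disposition: attachment` header would keep browsers from rendering the file inline whatever type is claimed.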
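Review bot: The `@@ -1,8 +1,4 @@` hunk of skin_Ajax.php appears to delete the request-wide `$filter->xssFilterHard($_REQUEST)` at the top of the script (the removed lines are partly garbled in this view), so from here on every `$_REQUEST` value reaches the action functions unfiltered unless each function filters its own inputs, as `exportSkin` and `deleteSkin` do in the later hunks of this patch. Worth confirming that `newSkin`, `importSkin` and `streamSkin` do the same, or keeping the global filter. `$_REQUEST['action']` itself is still validated by `function_exists`/`G::isUserFunction` in the context lines that follow.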
@@ -17,8 +13,7 @@ if (! function_exists( $_REQUEST['action'] ) || !G::isUserFunction($_REQUEST['ac print G::json_encode( $res ); die(); } -$restrictedFunctions = array ('copy_skin_folder','addTarFolder' -); +$restrictedFunctions = array ('copy_skin_folder','addTarFolder'); if (in_array( $_REQUEST['action'], $restrictedFunctions )) { $res['success'] = false; $res['error'] = $res['message'] = G::LoadTranslation('ID_REQUEST_ACTION_NOT_EXIST'); @@ -26,9 +21,9 @@ if (in_array( $_REQUEST['action'], $restrictedFunctions )) { die(); } -$functionName = $_REQUEST['action']; +$functionName = $_REQUEST['action'];error_log($functionName); $functionParams = isset( $_REQUEST['params'] ) ? $_REQUEST['params'] : array (); - +//$RBAC->allows(basename(__FILE__), $functionName); $functionName(); function updatePageSize () @@ -166,7 +161,7 @@ function newSkin ($baseSkin = 'classic') $configFileFinal = PATH_CUSTOM_SKINS . $skinFolder . PATH_SEP . 'config.xml'; $xmlConfiguration = file_get_contents( $configFileOriginal ); - + $workspace = ($_REQUEST['workspace'] == 'global') ? '' : SYS_SYS; $xmlConfigurationObj = G::xmlParser($xmlConfiguration); @@ -356,9 +351,9 @@ function exportSkin ($skinToExport = "") $response['success'] = true; $response['message'] = $skinTar; G::auditLog("ExportSkin", "Skin Name: ".$skinName); - + $response = $filter->xssFilterHard($response); - + print_r( G::json_encode( $response ) ); } catch (Exception $e) { $response['success'] = false; @@ -374,7 +369,7 @@ function deleteSkin () $filter = new InputFilter(); try { $_REQUEST['SKIN_FOLDER_ID'] = $filter->xssFilterHard($_REQUEST['SKIN_FOLDER_ID']); - + if (! (isset( $_REQUEST['SKIN_FOLDER_ID'] ))) { throw (new Exception( G::LoadTranslation( 'ID_SKIN_FOLDER_REQUIRED' ) )); } 
@@ -400,9 +395,9 @@ function deleteSkin ()
 function streamSkin ()
 {
- $skinTar = $_REQUEST['file'];
+ $skinTar = basename($_REQUEST['file']);
 $bDownload = true;
- G::streamFile( $skinTar, $bDownload, basename( $skinTar ) );
+ G::streamFile(PATH_CUSTOM_SKINS . $skinTar, $bDownload, $skinTar);
 @unlink( $fileTar );
 }
From 2f4c25778efd3b1983731444ca3b444e00613269 Mon Sep 17 00:00:00 2001 From: Paula Quispe Date: Tue, 30 May 2017 09:59:09 -0400 Subject: [PATCH 10/13] HOR-3286 --- gulliver/system/class.rbac.php | 17 ++++++++++++++++- .../processes/processes_DownloadFile.php | 2 +- workflow/engine/methods/setup/skin_Ajax.php | 4 ++-- 3 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/gulliver/system/class.rbac.php b/gulliver/system/class.rbac.php
index 381698f5f..fc91bd04c 100644
--- a/gulliver/system/class.rbac.php
+++ b/gulliver/system/class.rbac.php
@@ -94,8 +94,23 @@ class RBAC
 'usersList' => array('PM_USERS'),
 'updatePageSize' => array(),
 'summaryUserData' => array('PM_USERS'),
- 'verifyIfUserAssignedAsSupervisor' => array('PM_USERS'),
+ 'verifyIfUserAssignedAsSupervisor' => array('PM_USERS')
+ ),
+ 'skin_Ajax.php' => array(
+ 'updatePageSize' => array(),
+ 'skinList' => array('PM_SETUP_SKIN'),
+ 'newSkin' => array('PM_SETUP_SKIN'),
+ 'importSkin' => array('PM_SETUP_SKIN'),
+ 'exportSkin' => array('PM_SETUP_SKIN'),
+ 'deleteSkin' => array('PM_SETUP_SKIN'),
+ 'addTarFolder' => array('PM_SETUP_SKIN'),
+ 'copy_skin_folder' => array('PM_SETUP_SKIN'),
+ 'deleteSkin' => array('PM_SETUP_SKIN')
+ ),
+ 'processes_DownloadFile.php' => array(
+ 'downloadFileHash' => array('PM_FACTORY')
 )
+
 );
 }
diff --git a/workflow/engine/methods/processes/processes_DownloadFile.php b/workflow/engine/methods/processes/processes_DownloadFile.php
index f973b50e9..fee9c9c9b 100644
--- a/workflow/engine/methods/processes/processes_DownloadFile.php
+++ b/workflow/engine/methods/processes/processes_DownloadFile.php
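Review bot: `@unlink( $fileTar );` on the context line after the new `G::streamFile(...)` refers to a variable that is never assigned in `streamSkin()`, so the `@` only hides an undefined-variable notice and the streamed archive is never removed; if cleanup is intended it should be `@unlink(PATH_CUSTOM_SKINS . $skinTar);`, otherwise drop the line. `basename()` now confines the read to `PATH_CUSTOM_SKINS`, which closes the traversal, but any file in that directory is still streamable; if only exported archives are meant to be served (the `$skinTar` name suggests so), reject other names first, e.g. `if (pathinfo($skinTar, PATHINFO_EXTENSION) !== 'tar') { return; }`.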
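Review bot: The new `'skin_Ajax.php'` map lists `'deleteSkin'` twice (the second literal silently overwrites the first) and omits `streamSkin`, while `$RBAC->allows(basename(__FILE__), $functionName)` is enabled for every action in the same patch and `allows()` denies unknown pairs since patch 07; unless `streamSkin` is dispatched elsewhere, the export download would now be refused. Remove the duplicate and add `'streamSkin' => array('PM_SETUP_SKIN'),`. `addTarFolder` and `copy_skin_folder` are already blocked by `$restrictedFunctions` in skin_Ajax.php, so their entries here never grant anything; a comment such as `//listed for completeness, skin_Ajax.php rejects these before the RBAC check` would save the next reader the question.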
@@ -1,5 +1,5 @@ allows(basename(__FILE__), 'downloadFileHash'); +$RBAC->allows(basename(__FILE__), 'downloadFileHash'); if (!isset($_GET["file_hash"])) { throw new Exception("Invalid Request, param 'file_hash' was not sent."); diff --git a/workflow/engine/methods/setup/skin_Ajax.php b/workflow/engine/methods/setup/skin_Ajax.php index fef91eeaf..065510958 100644 --- a/workflow/engine/methods/setup/skin_Ajax.php +++ b/workflow/engine/methods/setup/skin_Ajax.php @@ -21,9 +21,9 @@ if (in_array( $_REQUEST['action'], $restrictedFunctions )) { die(); } -$functionName = $_REQUEST['action'];error_log($functionName); +$functionName = $_REQUEST['action']; $functionParams = isset( $_REQUEST['params'] ) ? $_REQUEST['params'] : array (); -//$RBAC->allows(basename(__FILE__), $functionName); +$RBAC->allows(basename(__FILE__), $functionName); $functionName(); function updatePageSize () From 16f3afc6e7cb8d16dfb0cd0255615748832cae0e Mon Sep 17 00:00:00 2001 From: Paula Quispe Date: Wed, 31 May 2017 12:11:58 -0400 Subject: [PATCH 11/13] HOR-3313 --- .../translations/english/processmaker.en.po | 6 ++++++ workflow/engine/controllers/installer.php | 14 +++++++++++--- workflow/engine/data/mysql/insert.sql | 1 + workflow/engine/templates/installer/stopInstall.js | 2 +- 4 files changed, 19 insertions(+), 4 deletions(-) diff --git a/workflow/engine/content/translations/english/processmaker.en.po b/workflow/engine/content/translations/english/processmaker.en.po index 775a07bcb..51842f83f 100644 --- a/workflow/engine/content/translations/english/processmaker.en.po +++ b/workflow/engine/content/translations/english/processmaker.en.po 
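Review bot: `$RBAC->allows(basename(__FILE__), $functionName);` is called for its side effect and its return value is discarded, here, in processes_DownloadFile.php in this patch, and in `ProcessProxy::call()` in patch 12; from the `allows()` hunk in patch 07 only `if (!$access) {` is visible, so whether it terminates the request on denial or merely returns cannot be confirmed from this view. If it can return, the check is a no-op and the call sites should read `if (!$RBAC->allows(basename(__FILE__), $functionName)) { ... }`; if it always stops the request, its docblock should say so and the bare calls are fine. A one-line comment at each call site, `//allows() ends the request when the user lacks the permissions mapped in RBAC::authorizedActions`, would settle it for readers either way.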
@@ -15163,6 +15163,12 @@ msgstr "SYSTEM INSTALLATION FAILED"
 msgid "A problem occurred during the installation of the system. Please, uninstall the partial installation and try again."
 msgstr "A problem occurred during the installation of the system. Please, uninstall the partial installation and try again."
+# TRANSLATION
+# LABEL/ID_PROCESSMAKER_ALREADY_INSTALLED
+#: LABEL/ID_PROCESSMAKER_ALREADY_INSTALLED
+msgid "ProcessMaker is already installed."
+msgstr "ProcessMaker is already installed."
+
 # TRANSLATION
 # LABEL/ID_LICENSE_EMPTY
 #: LABEL/ID_LICENSE_EMPTY
diff --git a/workflow/engine/controllers/installer.php b/workflow/engine/controllers/installer.php
index dbe1b0572..36a2ebe3b 100644
--- a/workflow/engine/controllers/installer.php
+++ b/workflow/engine/controllers/installer.php
@@ -38,10 +38,18 @@ class Installer extends Controller
 public function index ($httpData)
 {
+ if (file_exists(FILE_PATHS_INSTALLED)) {
+ $this->setJSVar('messageError', G::LoadTranslation('ID_PROCESSMAKER_ALREADY_INSTALLED'));
+ $this->includeExtJS('installer/stopInstall');
+ $this->setView('installer/mainStopInstall');
+ G::RenderPage('publish', 'extJs');
+ return;
+ }
 if ((strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') && (file_exists($this->path_shared . 'partner.info'))) {
- $this->includeExtJS( 'installer/stopInstall');
- $this->setView( 'installer/mainStopInstall' );
- G::RenderPage( 'publish', 'extJs' );
+ $this->setJSVar('messageError', G::LoadTranslation('ID_NO_INSTALL'));
+ $this->includeExtJS('installer/stopInstall');
+ $this->setView('installer/mainStopInstall');
+ G::RenderPage('publish', 'extJs');
 return;
 }
diff --git a/workflow/engine/data/mysql/insert.sql b/workflow/engine/data/mysql/insert.sql
index 43d8e21e7..2c3020c3c 100644
--- a/workflow/engine/data/mysql/insert.sql
+++ b/workflow/engine/data/mysql/insert.sql
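Review bot: The two early-return branches added to `index()` in the installer.php hunk repeat the same four rendering calls and differ only in the translation id; a private helper removes the duplication and gives the next stop condition a single place to change. Refusing to run once `FILE_PATHS_INSTALLED` exists is the right signal, and a comment above the check, `// Refuse to run the installer again once the paths file has been written`, records why it is there. `index()` continues past the hunk, so only its head is shown below.
```php
    /**
     * Render the "installation stopped" page with a translated message.
     *
     * @param string $messageId translation id displayed by installer/stopInstall
     * @return void
     */
    private function stopInstall($messageId)
    {
        $this->setJSVar('messageError', G::LoadTranslation($messageId));
        $this->includeExtJS('installer/stopInstall');
        $this->setView('installer/mainStopInstall');
        G::RenderPage('publish', 'extJs');
    }

    public function index ($httpData)
    {
        // Refuse to run the installer again once the paths file has been written
        if (file_exists(FILE_PATHS_INSTALLED)) {
            $this->stopInstall('ID_PROCESSMAKER_ALREADY_INSTALLED');
            return;
        }
        if ((strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') && (file_exists($this->path_shared . 'partner.info'))) {
            $this->stopInstall('ID_NO_INSTALL');
            return;
        }
        // … unchanged: rest of index() …
```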
@@ -4022,6 +4022,7 @@ INSERT INTO TRANSLATION (TRN_CATEGORY,TRN_ID,TRN_LANG,TRN_VALUE,TRN_UPDATE_DATE ( 'LABEL','ID_ROLE_NAME_NOT_EMPTY','en','The ''Name'' field can not be empty.','2014-01-15') , ( 'LABEL','ID_TITLE_NO_INSTALL','en','SYSTEM INSTALLATION FAILED','2014-01-15') , ( 'LABEL','ID_NO_INSTALL','en','A problem occurred during the installation of the system. Please, uninstall the partial installation and try again.','2014-01-15') , +( 'LABEL','ID_PROCESSMAKER_ALREADY_INSTALLED','en','ProcessMaker is already installed.','2017-05-31') , ( 'LABEL','ID_LICENSE_EMPTY','en','Can not find any license','2014-01-15') , ( 'LABEL','ID_ADD_LICENSE','en','Please add a new license','2014-01-15') , ( 'LABEL','ID_DEFAULT_CALENDAR','en','Default Calendar','2014-01-15') , diff --git a/workflow/engine/templates/installer/stopInstall.js b/workflow/engine/templates/installer/stopInstall.js index ff743d8a6..536fd07c3 100644 --- a/workflow/engine/templates/installer/stopInstall.js +++ b/workflow/engine/templates/installer/stopInstall.js @@ -9,7 +9,7 @@ Ext.onReady(function() { title : _('ID_TITLE_NO_INSTALL'), items:[ - {html: _('ID_NO_INSTALL')} + {html: messageError} ] }); }); From 34ed60d7921e1f29c965af1e11d5327b457a369a Mon Sep 17 00:00:00 2001 From: Paula Quispe Date: Thu, 1 Jun 2017 13:53:49 -0400 Subject: [PATCH 12/13] HOR-3327 --- gulliver/system/class.rbac.php | 18 +++++++ workflow/engine/controllers/processProxy.php | 53 +++----------------- 2 files changed, 24 insertions(+), 47 deletions(-) diff --git a/gulliver/system/class.rbac.php b/gulliver/system/class.rbac.php index fc91bd04c..d4dcf2913 100644 --- a/gulliver/system/class.rbac.php +++ b/gulliver/system/class.rbac.php 
@@ -109,6 +109,24 @@ class RBAC
 ),
 'processes_DownloadFile.php' => array(
 'downloadFileHash' => array('PM_FACTORY')
+ ),
+ 'processProxy.php' => array(
+ 'categoriesList' => array(),
+ 'getCategoriesList' => array(),
+ 'saveProcess' => array('PM_FACTORY'),
+ 'changeStatus' => array(),
+ 'changeDebugMode' => array(),
+ 'getUsers' => array(),
+ 'getGroups' => array(),
+ 'assignActorsTask' => array(),
+ 'removeActorsTask' => array(),
+ 'getActorsTask' => array(),
+ 'getProcessDetail' => array(),
+ 'getProperties' => array(),
+ 'saveProperties' => array(),
+ 'getCaledarList' => array(),
+ 'getPMVariables' => array(),
+ 'generateBpmn' => array()
 )
 );
diff --git a/workflow/engine/controllers/processProxy.php b/workflow/engine/controllers/processProxy.php
index 3e3607644..90cf66bd9 100644
--- a/workflow/engine/controllers/processProxy.php
+++ b/workflow/engine/controllers/processProxy.php
@@ -3,6 +3,12 @@ class ProcessProxy extends HttpProxyController
 {
+ public function call ($name)
+ {
+ global $RBAC;
+ $RBAC->allows(basename(__FILE__), $name);
+ parent::call($name);
+ }
 /**
 * get Process Categories List with defailt value (empty option) and -All- aoption
 */
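Review bot: With `allows()` treating an empty permission list as "no permission required" (patch 07, `$countAccess == $totalPermissions` with both zero), this hunk opens `changeStatus`, `changeDebugMode`, `assignActorsTask`, `removeActorsTask`, `saveProperties` and `generateBpmn` to any authenticated user while only `saveProcess` demands `PM_FACTORY`; the mutating actions look like they belong with `saveProcess`, e.g. `'changeStatus' => array('PM_FACTORY'),`, unless a per-process check happens inside the controller, which is not visible here. `'getCaledarList'` is misspelt; if the controller method is `getCalendarList` the entry never matches and, since `allows()` now denies unknown actions, that call would be refused. A comment above the block, `//array() = any logged-in user; keys must match the controller method name exactly`, would guard against both kinds of slip.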
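Review bot: `call()` overrides the parent method without a docblock; add `/** Run the RBAC check for $name against this controller's entry in RBAC::authorizedActions, then dispatch through HttpProxyController::call(). */` so the reason for the override is on record. `basename(__FILE__)` ties the lookup to the file name `processProxy.php` used as the key in class.rbac.php, which deserves a one-line comment since renaming the file would silently break the mapping and, with `allows()` failing closed, deny every action.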
@@ -50,53 +56,6 @@ class ProcessProxy extends HttpProxyController } $sProUid = $project->getUid(); - - -// require_once 'classes/model/Task.php'; -// G::LoadClass( 'processMap' ); -// $oProcessMap = new ProcessMap(); -// -// $httpData->PRO_TITLE = trim( $httpData->PRO_TITLE ); -// -// try { -// if (! isset( $httpData->PRO_UID )) { -// if (Process::existsByProTitle( $httpData->PRO_TITLE )) { -// $result = array ('success' => false,'msg' => G::LoadTranslation( 'ID_SAVE_PROCESS_ERROR' ),'errors' => array ('PRO_TITLE' => G::LoadTranslation( 'ID_PROCESSTITLE_ALREADY_EXISTS', SYS_LANG, Array ('PRO_TITLE' => $httpData->PRO_TITLE -// ) ) -// ) -// ); -// print G::json_encode( $result ); -// exit( 0 ); -// } -// -// $processData['USR_UID'] = $_SESSION['USER_LOGGED']; -// $processData['PRO_TITLE'] = $httpData->PRO_TITLE; -// $processData['PRO_DESCRIPTION'] = $httpData->PRO_DESCRIPTION; -// $processData['PRO_CATEGORY'] = $httpData->PRO_CATEGORY; -// -// $sProUid = $oProcessMap->createProcess( $processData ); -// -// //call pluginsx -// $oData['PRO_UID'] = $sProUid; -// $oData['PRO_TEMPLATE'] = isset( $httpData->PRO_TEMPLATE ) && $httpData->PRO_TEMPLATE != '' ? $httpData->PRO_TEMPLATE : ''; -// $oData['PROCESSMAP'] = $oProcessMap; -// -// $oPluginRegistry = & PMPluginRegistry::getSingleton(); -// $oPluginRegistry->executeTriggers( PM_NEW_PROCESS_SAVE, $oData ); -// -// } else { -// //$oProcessMap->updateProcess($_POST['form']); -// $sProUid = $httpData->PRO_UID; -// } -// -// //Save Calendar ID for this process -// if (isset( $httpData->PRO_CALENDAR )) { -// G::LoadClass( "calendar" ); -// $calendarObj = new Calendar(); -// $calendarObj->assignCalendarTo( $sProUid, $httpData->PRO_CALENDAR, 'PROCESS' ); -// } -// - $this->success = true; $this->PRO_UID = $sProUid; $this->msg = G::LoadTranslation( 'ID_CREATE_PROCESS_SUCCESS' ); From 3a26dce3a0b70af3a2e008eea1cb51761a0646ec Mon Sep 17 00:00:00 2001 
From: qronald Date: Wed, 31 May 2017 14:28:37 -0400 Subject: [PATCH 13/13] HOR-3284 --- workflow/engine/src/ProcessMaker/BusinessModel/FilesManager.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/workflow/engine/src/ProcessMaker/BusinessModel/FilesManager.php b/workflow/engine/src/ProcessMaker/BusinessModel/FilesManager.php
index 910c28eb0..6031bd8e8 100644
--- a/workflow/engine/src/ProcessMaker/BusinessModel/FilesManager.php
+++ b/workflow/engine/src/ProcessMaker/BusinessModel/FilesManager.php
@@ -152,7 +152,7 @@ class FilesManager
 {
 try {
 $aData['prf_path'] = rtrim($aData['prf_path'], '/') . '/';
- if (!$aData['prf_filename']) {
+ if (!$aData['prf_filename'] || strpbrk($aData['prf_filename'], "\\/?%*:|\"<>") !== false) {
 throw new \Exception(\G::LoadTranslation("ID_INVALID_VALUE_FOR", array('prf_filename')));
 }
 $extention = strstr($aData['prf_filename'], '.');
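Review bot: The new `strpbrk()` check rejects separators and the usual reserved characters but still accepts `.` and `..` (neither contains a listed byte), leading or trailing whitespace, and control characters including NUL, so a `prf_filename` of `..` resolves to the parent of `prf_path`; extend the guard, e.g. `|| in_array($aData['prf_filename'], array('.', '..'), true) || preg_match('/[\x00-\x1F]/', $aData['prf_filename'])`. `prf_path` is only right-trimmed in this hunk and not validated here; if that happens elsewhere, a comment pointing to it would help. The character list would read better as a class constant with a comment stating which filesystem and URL rules it encodes. The enclosing method starts and continues outside the hunk.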