Merged in bugfix/PMCORE-4204 (pull request #8726)

PMCORE-4204
Julio Cesar Laura Avendaño
2023-03-24 19:02:50 +00:00
21 changed files with 192 additions and 45 deletions


@@ -1,10 +1,11 @@
<?php <?php
use ProcessMaker\Exception\RBACException;
/** /**
* Controller Class * Controller Class
* Implementing MVC Pattern * Implementing MVC Pattern
* *
* @author Erik Amaru Ortiz <erik@colosa.com, aortiz.erik@gmail.com>
* @package gulliver.system * @package gulliver.system
* @access private * @access private
*/ */
@@ -129,6 +130,8 @@ class Controller
if ($this->responseType == 'json') { if ($this->responseType == 'json') {
print G::json_encode($result); print G::json_encode($result);
} }
} catch (RBACException $e) {
throw $e;
} catch (Exception $e) { } catch (Exception $e) {
$result = new StdClass(); $result = new StdClass();
if ($this->responseType != 'json') { if ($this->responseType != 'json') {
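Review bot: The added `catch (RBACException $e) { throw $e; }` only turns a denial into a 403 if a handler above `Controller` catches RBACException and maps its code onto the HTTP status; nothing in this hunk shows that handler, so confirm it exists, otherwise the rethrow just surfaces as an unhandled exception and the access-denied semantics are lost. The clause works only because it precedes the broader `catch (Exception $e)`, an ordering that is easy to break by accident, so add a why-comment such as `// RBAC denials must not be converted into an error payload; let the dispatcher answer 403` so the intent survives. The enclosing method starts and ends outside the hunk.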


@@ -1,9 +1,10 @@
<?php <?php
use ProcessMaker\Exception\RBACException;
/** /**
* HttpProxyController * HttpProxyController
* *
* @author Erik Amaru Ortiz <erik@colosa.com, aortiz.erik@gmail.com>
* @package gulliver.system * @package gulliver.system
* @access private * @access private
*/ */
@@ -39,7 +40,6 @@ class HttpProxyController
*/ */
public function __set($name, $value) public function __set($name, $value)
{ {
//echo "Setting '$name' to '$value'\n";
$this->__data__[$name] = $value; $this->__data__[$name] = $value;
} }
@@ -51,18 +51,9 @@ class HttpProxyController
*/ */
public function __get($name) public function __get($name)
{ {
//echo "Getting '$name'\n";
if (array_key_exists($name, $this->__data__)) { if (array_key_exists($name, $this->__data__)) {
return $this->__data__[$name]; return $this->__data__[$name];
} }
/*$trace = debug_backtrace();
trigger_error(
'Undefined property via __get(): ' . $name .
' in ' . $trace[0]['file'] .
' on line ' . $trace[0]['line'],
E_USER_NOTICE);
return null;*/
} }
/** /**
@@ -72,7 +63,6 @@ class HttpProxyController
*/ */
public function __isset($name) public function __isset($name)
{ {
//echo "Is '$name' set?\n";
return isset($this->__data__[$name]); return isset($this->__data__[$name]);
} }
@@ -105,6 +95,9 @@ class HttpProxyController
if (! $result) { if (! $result) {
$result = $this->__data__; $result = $this->__data__;
} }
} catch (RBACException $e) {
// If is a RBAC exception bubble up...
throw $e;
} catch (Exception $e) { } catch (Exception $e) {
$result->success = false; $result->success = false;
$result->message = $result->msg = $e->getMessage(); $result->message = $result->msg = $e->getMessage();
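Review bot: The comment on the rethrow (`// If is a RBAC exception bubble up...`) says what the line does but not why; reword it to give the security reason, e.g. `// RBAC denials must bubble up: the generic handler below would report them as an ordinary failure (HTTP 200, success=false) instead of a 403`. That rethrow is the only thing keeping an authorization failure out of the `$result->message = $e->getMessage()` path, so the ordering (specific catch before `Exception`) is load-bearing and worth a sentence in the method docblock, which sits outside the hunk. Removing the commented-out debug code in `__get`/`__set`/`__isset` is a welcome cleanup.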


@@ -3,33 +3,10 @@
use Illuminate\Support\Facades\Cache; use Illuminate\Support\Facades\Cache;
use PHPMailer\PHPMailer\SMTP; use PHPMailer\PHPMailer\SMTP;
use ProcessMaker\Core\System; use ProcessMaker\Core\System;
use ProcessMaker\Exception\RBACException;
use ProcessMaker\Plugins\PluginRegistry; use ProcessMaker\Plugins\PluginRegistry;
use ProcessMaker\Validation\ValidationUploadedFiles; use ProcessMaker\Validation\ValidationUploadedFiles;
/**
* adminProxy.php
*
* ProcessMaker Open Source Edition
* Copyright (C) 2004 - 2008 Colosa Inc.23
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation, either version 3 of the
* License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
*
*/
class adminProxy extends HttpProxyController class adminProxy extends HttpProxyController
{ {
const hashunlink = 'unlink'; const hashunlink = 'unlink';
@@ -787,6 +764,14 @@ class adminProxy extends HttpProxyController
*/ */
public function getListImage($httpData) public function getListImage($httpData)
{ {
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_SETUP') !== 1 || $RBAC->userCanAccess('PM_SETUP_LOGO') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
$uplogo = PATH_TPL . 'setup' . PATH_SEP . 'uplogo.html'; $uplogo = PATH_TPL . 'setup' . PATH_SEP . 'uplogo.html';
$width = "100%"; $width = "100%";
$upload = new ReplacementLogo(); $upload = new ReplacementLogo();
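Review bot: Guarding `getListImage` inside the method body is allow-listing by hand: every other action on `adminProxy`, and any added later, stays reachable without a permission check, which is exactly the failure mode this commit is fixing, so a default-deny hook in `HttpProxyController` (a dispatcher-level check, or a `requirePermissions(array $codes)` helper each action must call) would be more robust than repeating six lines per method. The `global $RBAC` access also assumes `$RBAC` is initialized for every request reaching this controller; if it can be null, `$RBAC->userCanAccess()` raises an `Error` (call to a member function on null) rather than an `Exception`, which the generic catch in HttpProxyController does not handle, so confirm the bootstrap guarantees it. The condition itself, requiring both `PM_SETUP` and `PM_SETUP_LOGO`, reads correctly.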


@@ -3,6 +3,7 @@
use Illuminate\Support\Facades\Log; use Illuminate\Support\Facades\Log;
use ProcessMaker\BusinessModel\DynaForm; use ProcessMaker\BusinessModel\DynaForm;
use ProcessMaker\Core\System; use ProcessMaker\Core\System;
use ProcessMaker\Exception\RBACException;
use ProcessMaker\Model\AdditionalTables as AdditionalTablesModel; use ProcessMaker\Model\AdditionalTables as AdditionalTablesModel;
use ProcessMaker\Model\Dynaform as DynaformModel; use ProcessMaker\Model\Dynaform as DynaformModel;
use ProcessMaker\Model\ProcessVariables; use ProcessMaker\Model\ProcessVariables;
@@ -26,6 +27,14 @@ class pmTablesProxy extends HttpProxyController
*/ */
public function getList($httpData) public function getList($httpData)
{ {
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_FACTORY') !== 1 && ($RBAC->userCanAccess('PM_SETUP') !== 1 || $RBAC->userCanAccess('PM_SETUP_PM_TABLES') !== 1)) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
$configurations = new Configurations(); $configurations = new Configurations();
$processMap = new ProcessMap(); $processMap = new ProcessMap();
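Review bot: The combined condition `if ($RBAC->userCanAccess('PM_FACTORY') !== 1 && (... 'PM_SETUP' ... || ... 'PM_SETUP_PM_TABLES' ...))` encodes "designer OR (setup AND pm-tables)" through a mix of `&&`, `||` and negations, which is the kind of authorization expression that gets inverted in a later edit; naming the two grants first makes the policy auditable: `$isDesigner = $RBAC->userCanAccess('PM_FACTORY') === 1;`, `$isTableAdmin = $RBAC->userCanAccess('PM_SETUP') === 1 && $RBAC->userCanAccess('PM_SETUP_PM_TABLES') === 1;`, `if (!$isDesigner && !$isTableAdmin) {`. Only `getList` is guarded here; if `pmTablesProxy` also exposes mutating actions (save, delete, import), they need at least the same gate, but that is not visible in this hunk.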


@@ -1,6 +1,7 @@
<?php <?php
use ProcessMaker\Core\System; use ProcessMaker\Core\System;
use ProcessMaker\Exception\RBACException;
/** /**
* StrategicDashboard controller * StrategicDashboard controller
@@ -125,6 +126,14 @@ class StrategicDashboard extends Controller
public function dashboardList() public function dashboardList()
{ {
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_SETUP') !== 1 || $RBAC->userCanAccess('PM_SETUP_DASHBOARDS') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
try { try {
$this->includeExtJS('strategicDashboard/dashboardList'); $this->includeExtJS('strategicDashboard/dashboardList');
if (isset($_SESSION['__StrategicDashboard_ERROR__'])) { if (isset($_SESSION['__StrategicDashboard_ERROR__'])) {
@@ -183,6 +192,14 @@ class StrategicDashboard extends Controller
public function viewDashboard() public function viewDashboard()
{ {
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_DASHBOARD') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
try { try {
if (isset($_SESSION['__StrategicDashboard_ERROR__'])) { if (isset($_SESSION['__StrategicDashboard_ERROR__'])) {
$this->setJSVar('__StrategicDashboard_ERROR__', $_SESSION['__StrategicDashboard_ERROR__']); $this->setJSVar('__StrategicDashboard_ERROR__', $_SESSION['__StrategicDashboard_ERROR__']);
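Review bot: `dashboardList` now requires `PM_SETUP` plus `PM_SETUP_DASHBOARDS` while `viewDashboard` requires only `PM_DASHBOARD`; the asymmetry looks intentional (manage vs. view) but nothing records it, so add `@throws RBACException when the user lacks PM_DASHBOARD` (respectively `PM_SETUP` and `PM_SETUP_DASHBOARDS`) to each method's docblock, which sits just above the hunks, so a later "harmonization" does not widen access. Placing the throw before the `try` is correct: it keeps the denial out of the method's own error handling and relies on `Controller` rethrowing RBACException. Both method bodies continue past their hunks.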


@@ -1,4 +1,12 @@
<?php <?php
use ProcessMaker\Exception\RBACException;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_SETUP') !== 1 || $RBAC->userCanAccess('PM_SETUP_LOGS') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
$oHeadPublisher->addExtJsScript('actionsByEmail/report', false); //adding a javascript file .js $oHeadPublisher->addExtJsScript('actionsByEmail/report', false); //adding a javascript file .js
G::RenderPage('publish', 'extJs'); G::RenderPage('publish', 'extJs');
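Review bot: This script reads `$RBAC` without the `global $RBAC;` declaration that the other scripts in this commit add; at file scope that works only if the file is always included from global scope, and if the front controller includes it from inside a function `$RBAC` is undefined and the guard dies with an `Error` (call to a member function on null) rather than a 403, which fails closed but for the wrong reason. Add `global $RBAC;` before the check for consistency with the sibling scripts. The permission pair used here (`PM_SETUP` and `PM_SETUP_LOGS`) matches the other log views in this commit.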


@@ -1,4 +1,12 @@
<?php <?php
use ProcessMaker\Exception\RBACException;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_SETUP') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
// General Validations // General Validations
if (!isset($_REQUEST['action'])) { if (!isset($_REQUEST['action'])) {
$_REQUEST['action'] = ''; $_REQUEST['action'] = '';
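Review bot: `$RBAC` is used here without `global $RBAC;`, so the guard depends on the include context; add `global $RBAC;` for consistency with the other scripts in this commit. The gate is also coarser than its siblings, `PM_SETUP` alone with no feature-specific permission, which may be right for a generic settings page but deserves a comment stating the intended audience, e.g. `// Any setup administrator may dispatch these actions; no feature-level permission applies`. What `$_REQUEST['action']` dispatches to lies outside the hunk, so which actions this single check covers cannot be verified here.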


@@ -1,5 +1,15 @@
<?php <?php
use ProcessMaker\Exception\RBACException;
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_USERS') !== 1 || $RBAC->userCanAccess('PM_SETUP_USERS_AUTHENTICATION_SOURCES') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
global $G_PUBLISH; global $G_PUBLISH;
$G_PUBLISH = new Publisher(); $G_PUBLISH = new Publisher();
try { try {
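Review bot: The `throw new RBACException(...)` at file scope is caught by nothing in this file, since it sits before the `try`, so whoever includes this script (presumably the front controller) must translate the exception's code 403 into the response status; confirm that path exists for plain scripts as well as for `Controller` subclasses, otherwise the denial surfaces as a generic error page rather than an access-denied response. Requiring both `PM_USERS` and `PM_SETUP_USERS_AUTHENTICATION_SOURCES` is appropriate for a page that manages authentication sources. The `try` block continues past the hunk.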


@@ -1,6 +1,15 @@
<?php <?php
use ProcessMaker\Core\System; use ProcessMaker\Core\System;
use ProcessMaker\Exception\RBACException;
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_SETUP_ADVANCE') !== 1 || $RBAC->userCanAccess('PM_SETUP_PLUGINS') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
AddonsStore::checkLicenseStore(); AddonsStore::checkLicenseStore();


@@ -1,10 +1,19 @@
<?php <?php
use ProcessMaker\Core\System; use ProcessMaker\Core\System;
use ProcessMaker\Exception\RBACException;
use ProcessMaker\Plugins\PluginRegistry; use ProcessMaker\Plugins\PluginRegistry;
use ProcessMaker\Validation\ExceptionRestApi; use ProcessMaker\Validation\ExceptionRestApi;
use ProcessMaker\Validation\ValidationUploadedFiles; use ProcessMaker\Validation\ValidationUploadedFiles;
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_SETUP_ADVANCE') !== 1 || $RBAC->userCanAccess('PM_SETUP_PLUGINS') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
function runBgProcessmaker($task, $log) function runBgProcessmaker($task, $log)
{ {
require_once(PATH_CORE . "bin/tasks/cliAddons.php"); require_once(PATH_CORE . "bin/tasks/cliAddons.php");


@@ -1,6 +1,15 @@
<?php <?php
use ProcessMaker\Core\System; use ProcessMaker\Core\System;
use ProcessMaker\Exception\RBACException;
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_SETUP_ADVANCE') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
ini_set("max_execution_time", 0); ini_set("max_execution_time", 0);
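Review bot: This script gates on `PM_SETUP_ADVANCE` alone, whereas the neighbouring plugin scripts in this commit require `PM_SETUP_ADVANCE` and `PM_SETUP_PLUGINS`; if this file belongs to the same plugin workflow the narrower gate probably belongs here too, and if not, a one-line comment naming the intended audience would stop someone "fixing" it later. Placing the check ahead of `ini_set("max_execution_time", 0)` is the right order, since an unauthorized caller can no longer trigger an unbounded-execution request. The rest of the script is outside the hunk.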


@@ -1,5 +1,14 @@
<?php <?php
//$req = $_POST['request']; use ProcessMaker\Exception\RBACException;
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_SETUP') !== 1 || $RBAC->userCanAccess('PM_SETUP_LOGS') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
$req = (isset($_POST['request']))? $_POST['request']:((isset($_REQUEST['request']))? $_REQUEST['request'] : 'No hayyy tal'); $req = (isset($_POST['request']))? $_POST['request']:((isset($_REQUEST['request']))? $_REQUEST['request'] : 'No hayyy tal');
require_once 'classes/model/Content.php'; require_once 'classes/model/Content.php';


@@ -8,9 +8,18 @@
* @link https://wiki.processmaker.com/3.2/Processes * @link https://wiki.processmaker.com/3.2/Processes
*/ */
use ProcessMaker\Exception\RBACException;
use ProcessMaker\Model\Process; use ProcessMaker\Model\Process;
use ProcessMaker\Util\DateTime; use ProcessMaker\Util\DateTime;
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_FACTORY') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
require_once 'classes/model/Process.php'; require_once 'classes/model/Process.php';
$start = isset($_POST['start']) ? $_POST['start'] : 0; $start = isset($_POST['start']) ? $_POST['start'] : 0;


@@ -1,6 +1,15 @@
<?php <?php
use ProcessMaker\Core\System; use ProcessMaker\Core\System;
use ProcessMaker\Exception\RBACException;
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_TASK_SCHEDULER_ADMIN') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
try { try {
global $G_PUBLISH; global $G_PUBLISH;


@@ -1,6 +1,15 @@
<?php <?php
use Processmaker\Core\System; use Processmaker\Core\System;
use ProcessMaker\Exception\RBACException;
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_SETUP_ADVANCE') !== 1 || $RBAC->userCanAccess('PM_SETUP_CASES_LIST_CACHE_BUILDER') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
$filter = new InputFilter(); $filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST); $_POST = $filter->xssFilterHard($_POST);


@@ -1,7 +1,16 @@
<?php <?php
use ProcessMaker\Exception\RBACException;
use ProcessMaker\Log\AuditLog; use ProcessMaker\Log\AuditLog;
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_SETUP') !== 1 || $RBAC->userCanAccess('PM_SETUP_LOGS') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
$auditLog = new AuditLog(); $auditLog = new AuditLog();
$auditLog->setUserLogged($_SESSION["USER_LOGGED"]); $auditLog->setUserLogged($_SESSION["USER_LOGGED"]);


@@ -1,6 +1,15 @@
<?php <?php
use ProcessMaker\BusinessModel\Files\Cron; use ProcessMaker\BusinessModel\Files\Cron;
use ProcessMaker\Exception\RBACException;
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_SETUP') !== 1 || $RBAC->userCanAccess('PM_SETUP_LOGS') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
$option = isset($_REQUEST["option"]) ? $_REQUEST["option"] : null; $option = isset($_REQUEST["option"]) ? $_REQUEST["option"] : null;


@@ -1,10 +1,14 @@
<?php <?php
/**
* use ProcessMaker\Exception\RBACException;
* @author Erik A.O. <erik@colosa.com>
* @date Sept 13th, 2010 // Include global object RBAC
* global $RBAC;
*/
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_SETUP') !== 1 || $RBAC->userCanAccess('PM_SETUP_ENVIRONMENT') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
$request = isset( $_POST["request"] ) ? $_POST["request"] : (isset( $_GET["request"] ) ? $_GET["request"] : null); $request = isset( $_POST["request"] ) ? $_POST["request"] : (isset( $_GET["request"] ) ? $_GET["request"] : null);
$result = new stdclass(); $result = new stdclass();


@@ -1,5 +1,15 @@
<?php <?php
use ProcessMaker\Exception\RBACException;
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_SETUP_ADVANCE') !== 1 || $RBAC->userCanAccess('PM_SETUP_LANGUAGE') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
try { try {
$filter = new InputFilter(); $filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST); $_POST = $filter->xssFilterHard($_POST);


@@ -1,4 +1,15 @@
<?php <?php
use ProcessMaker\Exception\RBACException;
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_SETUP') !== 1 || $RBAC->userCanAccess('PM_SETUP_LOGIN') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
$request = isset($_REQUEST['request']) ? $_REQUEST['request'] : null; $request = isset($_REQUEST['request']) ? $_REQUEST['request'] : null;
switch ($request) { switch ($request) {


@@ -1,10 +1,18 @@
<?php <?php
use Illuminate\Support\Facades\DB;
use ProcessMaker\BusinessModel\Role; use ProcessMaker\BusinessModel\Role;
use ProcessMaker\Exception\RBACException;
use ProcessMaker\Model\User; use ProcessMaker\Model\User;
use ProcessMaker\Model\UserExtendedAttributes; use ProcessMaker\Model\UserExtendedAttributes;
// Include global object RBAC
global $RBAC;
// Check if the current user have the correct permissions to access to this resource, if not throws a RBAC Exception with code 403
if ($RBAC->userCanAccess('PM_USERS') !== 1) {
throw new RBACException('ID_ACCESS_DENIED', 403);
}
global $G_PUBLISH; global $G_PUBLISH;
$G_PUBLISH = new Publisher(); $G_PUBLISH = new Publisher();
try { try {
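Review bot: `use Illuminate\Support\Facades\DB;` is added but nothing in the hunk uses it; if it backs a raw query further down the file, make sure that query binds its parameters (`DB::select('... WHERE USR_UID = ?', [$uid])`) rather than interpolating request values, since this page handles user administration. The `PM_USERS` gate itself is placed before `$G_PUBLISH` and the `try`, consistent with the other scripts in this commit. The remainder of the file is outside the hunk.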