PMC-398
This commit is contained in:
Julio Cesar Laura Avendaño
@@ -4211,21 +4211,37 @@ class ProcessMap
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public function downloadFile($sProcessUID, $sMainDirectory, $sCurrentDirectory, $sFile)
|
/**
|
||||||
|
* Stream a file from "mailTemplates" or "public" directory thats belongs to a process
|
||||||
|
*
|
||||||
|
* @param string $processUid
|
||||||
|
* @param string $mainDirectory
|
||||||
|
* @param string $currentDirectory
|
||||||
|
* @param string $file
|
||||||
|
*/
|
||||||
|
public function downloadFile($processUid, $mainDirectory, $currentDirectory, $file)
|
||||||
{
|
{
|
||||||
switch ($sMainDirectory) {
|
// Validate directory and file requested
|
||||||
|
$filter = new InputFilter();
|
||||||
|
$currentDirectory = $filter->validatePath($currentDirectory);
|
||||||
|
$file = $filter->validatePath($file);
|
||||||
|
|
||||||
|
// Validate the main directory
|
||||||
|
switch ($mainDirectory) {
|
||||||
case 'mailTemplates':
|
case 'mailTemplates':
|
||||||
$sDirectory = PATH_DATA_MAILTEMPLATES . $sProcessUID . PATH_SEP . ($sCurrentDirectory != '' ? $sCurrentDirectory . PATH_SEP : '');
|
$sDirectory = PATH_DATA_MAILTEMPLATES . $processUid . PATH_SEP . ($currentDirectory != '' ? $currentDirectory . PATH_SEP : '');
|
||||||
break;
|
break;
|
||||||
case 'public':
|
case 'public':
|
||||||
$sDirectory = PATH_DATA_PUBLIC . $sProcessUID . PATH_SEP . ($sCurrentDirectory != '' ? $sCurrentDirectory . PATH_SEP : '');
|
$sDirectory = PATH_DATA_PUBLIC . $processUid . PATH_SEP . ($currentDirectory != '' ? $currentDirectory . PATH_SEP : '');
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
die();
|
die();
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
if (file_exists($sDirectory . $sFile)) {
|
|
||||||
G::streamFile($sDirectory . $sFile, true);
|
// Stream the file if path exists
|
||||||
|
if (file_exists($sDirectory . $file)) {
|
||||||
|
G::streamFile($sDirectory . $file, true);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -1,28 +1,22 @@
|
|||||||
<?php
|
<?php
|
||||||
|
|
||||||
/**
|
|
||||||
* processes_Ajax.php
|
|
||||||
*
|
|
||||||
* ProcessMaker Open Source Edition
|
|
||||||
* Copyright (C) 2004 - 2008 Colosa Inc.23
|
|
||||||
*
|
|
||||||
* This program is free software: you can redistribute it and/or modify
|
|
||||||
* it under the terms of the GNU Affero General Public License as
|
|
||||||
* published by the Free Software Foundation, either version 3 of the
|
|
||||||
* License, or (at your option) any later version.
|
|
||||||
*
|
|
||||||
* This program is distributed in the hope that it will be useful,
|
|
||||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
* GNU Affero General Public License for more details.
|
|
||||||
*
|
|
||||||
* You should have received a copy of the GNU Affero General Public License
|
|
||||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
*
|
|
||||||
* For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
|
|
||||||
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
|
|
||||||
*/
|
|
||||||
try {
|
try {
|
||||||
|
// Validate the access to the actions of this file
|
||||||
|
if (!empty($_REQUEST['action']) && $_REQUEST['action'] == 'load') {
|
||||||
|
// Validate if exists the session variable "PROCESS", this action is requested from case tracker and running cases
|
||||||
|
$cannotAccess = empty($_SESSION['PROCESS']);
|
||||||
|
} else {
|
||||||
|
// Validate PM_FACTORY permission
|
||||||
|
global $RBAC;
|
||||||
|
$cannotAccess = $RBAC->userCanAccess('PM_FACTORY') !== 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($cannotAccess) {
|
||||||
|
G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' );
|
||||||
|
G::header( 'Location: ../login/login' );
|
||||||
|
die();
|
||||||
|
}
|
||||||
|
|
||||||
$filter = new InputFilter();
|
$filter = new InputFilter();
|
||||||
$_GET = $filter->xssFilterHard($_GET);
|
$_GET = $filter->xssFilterHard($_GET);
|
||||||
$_POST = $filter->xssFilterHard($_POST);
|
$_POST = $filter->xssFilterHard($_POST);
|
||||||
@@ -693,41 +687,38 @@ try {
|
|||||||
$_REQUEST['filename'] = $filter->xssFilterHard($_REQUEST['filename']);
|
$_REQUEST['filename'] = $filter->xssFilterHard($_REQUEST['filename']);
|
||||||
global $G_PUBLISH;
|
global $G_PUBLISH;
|
||||||
$G_PUBLISH = new Publisher();
|
$G_PUBLISH = new Publisher();
|
||||||
global $RBAC;
|
$app = new Processes();
|
||||||
if ($RBAC->userCanAccess('PM_FACTORY') == 1) {
|
if (!$app->processExists($_REQUEST['pro_uid'])) {
|
||||||
$app = new Processes();
|
echo G::LoadTranslation('ID_PROCESS_UID_NOT_DEFINED');
|
||||||
if (!$app->processExists($_REQUEST['pro_uid'])) {
|
die;
|
||||||
echo G::LoadTranslation('ID_PROCESS_UID_NOT_DEFINED');
|
|
||||||
die;
|
|
||||||
}
|
|
||||||
|
|
||||||
$sDir = "";
|
|
||||||
if (isset($_REQUEST['MAIN_DIRECTORY'])) {
|
|
||||||
$_REQUEST['MAIN_DIRECTORY'] = $filter->xssFilterHard($_REQUEST['MAIN_DIRECTORY']);
|
|
||||||
$sDir = $_REQUEST['MAIN_DIRECTORY'];
|
|
||||||
}
|
|
||||||
switch ($sDir) {
|
|
||||||
case 'mailTemplates':
|
|
||||||
$sDirectory = PATH_DATA_MAILTEMPLATES . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
|
|
||||||
G::auditLog('ProcessFileManager', 'Save template (' . $_REQUEST['filename'] . ') in process "' . $resultProcess['PRO_TITLE'] . '"');
|
|
||||||
break;
|
|
||||||
case 'public':
|
|
||||||
$sDirectory = PATH_DATA_PUBLIC . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
|
|
||||||
G::auditLog('ProcessFileManager', 'Save public template (' . $_REQUEST['filename'] . ') in process "' . $resultProcess['PRO_TITLE'] . '"');
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
$sDirectory = PATH_DATA_MAILTEMPLATES . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
$fp = fopen($sDirectory, 'w');
|
|
||||||
$content = stripslashes($_REQUEST['fcontent']);
|
|
||||||
$content = str_replace("@amp@", "&", $content);
|
|
||||||
$content = base64_decode($content);
|
|
||||||
fwrite($fp, $content);
|
|
||||||
fclose($fp);
|
|
||||||
$sDirectory = $filter->xssFilterHard($sDirectory);
|
|
||||||
echo 'saved: ' . $sDirectory;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$sDir = "";
|
||||||
|
if (isset($_REQUEST['MAIN_DIRECTORY'])) {
|
||||||
|
$_REQUEST['MAIN_DIRECTORY'] = $filter->xssFilterHard($_REQUEST['MAIN_DIRECTORY']);
|
||||||
|
$sDir = $_REQUEST['MAIN_DIRECTORY'];
|
||||||
|
}
|
||||||
|
switch ($sDir) {
|
||||||
|
case 'mailTemplates':
|
||||||
|
$sDirectory = PATH_DATA_MAILTEMPLATES . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
|
||||||
|
G::auditLog('ProcessFileManager', 'Save template (' . $_REQUEST['filename'] . ') in process "' . $resultProcess['PRO_TITLE'] . '"');
|
||||||
|
break;
|
||||||
|
case 'public':
|
||||||
|
$sDirectory = PATH_DATA_PUBLIC . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
|
||||||
|
G::auditLog('ProcessFileManager', 'Save public template (' . $_REQUEST['filename'] . ') in process "' . $resultProcess['PRO_TITLE'] . '"');
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
$sDirectory = PATH_DATA_MAILTEMPLATES . $_REQUEST['pro_uid'] . PATH_SEP . $_REQUEST['filename'];
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
$fp = fopen($sDirectory, 'w');
|
||||||
|
$content = stripslashes($_REQUEST['fcontent']);
|
||||||
|
$content = str_replace("@amp@", "&", $content);
|
||||||
|
$content = base64_decode($content);
|
||||||
|
fwrite($fp, $content);
|
||||||
|
fclose($fp);
|
||||||
|
$sDirectory = $filter->xssFilterHard($sDirectory);
|
||||||
|
echo 'saved: ' . $sDirectory;
|
||||||
break;
|
break;
|
||||||
case 'getSessid':
|
case 'getSessid':
|
||||||
if (isset($_SESSION['USER_LOGGED'])) {
|
if (isset($_SESSION['USER_LOGGED'])) {
|
||||||
|
|||||||
@@ -4,14 +4,11 @@ $RBAC->allows(basename(__FILE__), $_GET['MAIN_DIRECTORY']);
|
|||||||
|
|
||||||
$mainDirectory = !empty($_GET['MAIN_DIRECTORY']) ? $_GET['MAIN_DIRECTORY'] : '';
|
$mainDirectory = !empty($_GET['MAIN_DIRECTORY']) ? $_GET['MAIN_DIRECTORY'] : '';
|
||||||
$proUid = !empty($_GET['PRO_UID']) ? $_GET['PRO_UID'] : '';
|
$proUid = !empty($_GET['PRO_UID']) ? $_GET['PRO_UID'] : '';
|
||||||
$currentDirectory = !empty($_GET['CURRENT_DIRECTORY']) ? realpath($_GET['CURRENT_DIRECTORY']) . PATH_SEP : '';
|
$currentDirectory = !empty($_GET['CURRENT_DIRECTORY']) ? $_GET['CURRENT_DIRECTORY'] . PATH_SEP : '';
|
||||||
$file = !empty($_GET['FILE']) ? realpath($_GET['FILE']) : '';
|
$file = !empty($_GET['FILE']) ? $_GET['FILE'] : '';
|
||||||
$extension = (!empty($_GET['sFilextension']) && $_GET['sFilextension'] === 'javascript') ? '.js' : '';
|
$extension = (!empty($_GET['sFilextension']) && $_GET['sFilextension'] === 'javascript') ? '.js' : '';
|
||||||
|
|
||||||
//validated process exists, return throw if not exists.
|
// Validate the main directory
|
||||||
$process = new Process();
|
|
||||||
$process->load($proUid);
|
|
||||||
|
|
||||||
switch ($mainDirectory) {
|
switch ($mainDirectory) {
|
||||||
case 'mailTemplates':
|
case 'mailTemplates':
|
||||||
$directory = PATH_DATA_MAILTEMPLATES;
|
$directory = PATH_DATA_MAILTEMPLATES;
|
||||||
@@ -24,9 +21,20 @@ switch ($mainDirectory) {
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Validate if process exists, an exception is throwed if not exists
|
||||||
|
$process = new Process();
|
||||||
|
$process->load($proUid);
|
||||||
|
|
||||||
|
// Validate directory and file requested
|
||||||
|
$filter = new InputFilter();
|
||||||
|
$currentDirectory = $filter->validatePath($currentDirectory);
|
||||||
|
$file = $filter->validatePath($file);
|
||||||
|
|
||||||
|
// Build requested path
|
||||||
$directory .= $proUid . PATH_SEP . $currentDirectory;
|
$directory .= $proUid . PATH_SEP . $currentDirectory;
|
||||||
$file .= $extension;
|
$file .= $extension;
|
||||||
|
|
||||||
|
// Stream the file if path exists
|
||||||
if (file_exists($directory . $file)) {
|
if (file_exists($directory . $file)) {
|
||||||
G::streamFile($directory . $file, true);
|
G::streamFile($directory . $file, true);
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user