Merge branch 'master' of bitbucket.org:colosa/processmaker into CONSOLIDATED

This commit is contained in:
Brayan Pereyra
2015-03-23 14:45:52 -04:00
543 changed files with 41770 additions and 1325 deletions


@@ -1,4 +1,9 @@
<?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_GET = $filter->xssFilterHard($_GET);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
if (! isset ($_SESSION ['USER_LOGGED'])) {
$res ['success'] = false;
$res ['error'] = G::LoadTranslation('ID_LOGIN_AGAIN');
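Review bot: Reassigning `$_POST`, `$_GET` and `$_REQUEST` through `xssFilterHard()` sanitises on input, so every downstream consumer sees altered values, including ones that end up as database keys or JSON payloads rather than HTML. This does not replace escaping at the output point; any value echoed into markup still needs `htmlspecialchars($v, ENT_QUOTES, 'UTF-8')` in the emitting code. The same preamble is introduced in most other files of this commit (for example the sections ending at lines 49, 72, 117, 156, 186 and 256), and this note applies to all of them. A one-line comment above the `G::LoadSystem('inputfilter');` line such as `// Input-side XSS filter; output must still be escaped per context` would make the intent clear to the next maintainer.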


@@ -33,6 +33,12 @@
//require_once 'classes/model/AppDelay.php';
//require_once 'classes/model/Process.php';
//require_once 'classes/model/Task.php';
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$_POST = $filter->xssFilterHard($_POST);
if(isset($_REQUEST['action']) && $_REQUEST['action'] == "verifySession" ) {
if (!isset($_SESSION['USER_LOGGED'])) {
$response = new stdclass();
@@ -852,11 +858,11 @@ class Ajax
$Fields["APP_DATA"]["__DYNAFORM_OPTIONS"]["NEXT_STEP"] = "#";
$Fields["APP_DATA"]["__DYNAFORM_OPTIONS"]["NEXT_ACTION"] = "return false;";
G::LoadClass('pmDynaform');
$a = new pmDynaform($_REQUEST['DYN_UID'], $Fields['APP_DATA']);
$FieldsPmDynaform["PRO_UID"] = $_SESSION['PROCESS'];
$FieldsPmDynaform["CURRENT_DYNAFORM"] = $_REQUEST['DYN_UID'];
$a = new pmDynaform($FieldsPmDynaform);
if ($a->isResponsive()) {
$a->app_data["PROCESS"] = $_SESSION['PROCESS'];
$a->app_data["SYS_SYS"] = SYS_SYS;
$a->printView((!isset($_SESSION["PM_RUN_OUTSIDE_MAIN_APP"])) ? "true" : "false", $_SESSION['APPLICATION']);
$a->printView();
} else {
$G_PUBLISH->AddContent("dynaform", "xmlform", $_SESSION["PROCESS"] . "/" . $_POST["DYN_UID"], "", $Fields["APP_DATA"], "", "", "view");
}
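Review bot: `$FieldsPmDynaform` is populated here with only `PRO_UID` and `CURRENT_DYNAFORM` and is never seeded from `$Fields`, unlike the sibling hunks in this commit that start with `$FieldsPmDynaform = $Fields;` (sections ending at lines 117 and 289). If the variable is not initialised earlier in this Ajax method, which starts outside the hunk, the responsive dynaform receives no `APP_DATA`; adding `$FieldsPmDynaform = $Fields;` before the two assignments would match the other call sites. The responsive branch also reads `DYN_UID` from `$_REQUEST` while the xmlform branch reads `$_POST["DYN_UID"]`; using one source avoids the two branches rendering different dynaforms for the same request.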


@@ -21,6 +21,10 @@
* For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$arrayToTranslation = array(
"TRIGGER" => G::LoadTranslation("ID_TRIGGER_DB"),
@@ -31,11 +35,11 @@ $actionAjax = isset( $_REQUEST['actionAjax'] ) ? $_REQUEST['actionAjax'] : null;
if ($actionAjax == 'messageHistoryGridList_JXP') {
if (!isset($_REQUEST['start'])) {
if (!isset($_REQUEST['start']) || $_REQUEST['start'] =='') {
$_REQUEST['start'] = 0;
}
if (!isset($_REQUEST['limit'])) {
if (!isset($_REQUEST['limit']) || $_REQUEST['limit'] =='') {
$_REQUEST['limit'] = 20;
}
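Review bot: The new conditions only replace an empty `start`/`limit` with a default; a non-numeric value still passes through unchanged. If these feed a LIMIT/OFFSET clause further down (the handler continues outside the hunk), cast them once here, `$_REQUEST['start'] = (int) $_REQUEST['start'];` and `$_REQUEST['limit'] = (int) $_REQUEST['limit'];`, so the query never sees an arbitrary string.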


@@ -21,6 +21,13 @@
* For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET);
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$_SESSION = $filter->xssFilterHard($_SESSION);
$actionAjax = isset( $_REQUEST['actionAjax'] ) ? $_REQUEST['actionAjax'] : null;
@@ -383,11 +390,12 @@ if ($actionAjax == 'dynaformChangeLogViewHistory') {
$Fields['APP_DATA']['__DYNAFORM_OPTIONS']['NEXT_STEP'] = '#';
$Fields['APP_DATA']['__DYNAFORM_OPTIONS']['NEXT_ACTION'] = 'return false;';
G::LoadClass('pmDynaform');
$a = new pmDynaform($_GET['DYN_UID'], $Fields['APP_DATA']);
$FieldsPmDynaform = $Fields;
$FieldsPmDynaform["PRO_UID"] = $_SESSION['PROCESS'];
$FieldsPmDynaform["CURRENT_DYNAFORM"] = $_GET['DYN_UID'];
$a = new pmDynaform($FieldsPmDynaform);
if ($a->isResponsive()) {
$a->app_data["PROCESS"] = $_SESSION['PROCESS'];
$a->app_data["SYS_SYS"] = SYS_SYS;
$a->printView((!isset($_SESSION["PM_RUN_OUTSIDE_MAIN_APP"])) ? "true" : "false", $_SESSION['APPLICATION']);
$a->printView();
} else {
$G_PUBLISH->AddContent('dynaform', 'xmlform', $_SESSION['PROCESS'] . '/' . $_POST['DYN_UID'], '', $Fields['APP_DATA'], '', '', 'view');
}
@@ -474,9 +482,11 @@ if ($actionAjax == 'historyDynaformGridPreview') {
$_SESSION['CURRENT_DYN_UID'] = $_POST['DYN_UID'];
$_SESSION['DYN_UID_PRINT'] = $_POST['DYN_UID'];
G::LoadClass('pmDynaform');
$a = new pmDynaform($_GET['DYN_UID'], $Fields['APP_DATA']);
$FieldsPmDynaform = $Fields;
$FieldsPmDynaform["CURRENT_DYNAFORM"] = $_GET['DYN_UID'];
$a = new pmDynaform($FieldsPmDynaform);
if ($a->isResponsive()) {
$a->printView((!isset($_SESSION["PM_RUN_OUTSIDE_MAIN_APP"])) ? "true" : "false", $_SESSION['APPLICATION']);
$a->printView();
} else {
$G_PUBLISH->AddContent('dynaform', 'xmlform', $_SESSION['PROCESS'] . '/' . $_POST['DYN_UID'], '', $Fields['APP_DATA'], '', '', 'view');
}
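Review bot: `$_SESSION = $filter->xssFilterHard($_SESSION);` rewrites the entire server-side session, not just request input, so any legitimately stored value containing characters the filter strips (form data kept in `APP_DATA`, for instance) is altered for the rest of the session. Session contents are written by the application itself; if a specific key is suspected to carry request-derived text, filter or validate that key where it is written rather than the whole array on every request. The same whole-session filter appears in the sections ending at lines 156, 186, 256, 312, 335, 354, 373 and 728. Whether `xssFilterHard` descends into nested arrays is not visible here, so the actual impact should be confirmed against the InputFilter implementation.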


@@ -213,7 +213,6 @@ $menuPerms = $menuPerms . ($RBAC->userCanAccess( 'PM_REASSIGNCASE' ) == 1) ? 'R'
$oHeadPublisher->assign( '___p34315105', $menuPerms ); // user menu permissions
G::LoadClass( 'configuration' );
$c = new Configurations();
//$oHeadPublisher->addExtJsScript('cases/caseUtils', true);
$oHeadPublisher->addExtJsScript( 'app/main', true );
$oHeadPublisher->addExtJsScript( 'cases/casesList', false ); //adding a javascript file .js


@@ -40,6 +40,12 @@ require_once ("classes/model/AdditionalTables.php");
require_once ("classes/model/AppDelay.php");*/
G::LoadClass( 'case' );
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$_SESSION = $filter->xssFilterHard($_SESSION);
$actionAjax = isset( $_REQUEST['actionAjax'] ) ? $_REQUEST['actionAjax'] : null;
function filterUserListArray($users = array(), $filter = '')
@@ -216,6 +222,7 @@ if ($actionAjax == "getUsersToReassign") {
G::LoadClass( 'tasks' );
$task = new Task();
$tasks = $task->load($_SESSION['TASK']);
$result = new stdclass();
$result->data = $case->getUsersToReassign( $_SESSION['TASK'], $_SESSION['USER_LOGGED'], $tasks['PRO_UID'] );
print G::json_encode( $result );
}
@@ -240,6 +247,7 @@ if ($actionAjax == 'reassignCase') {
//print_r($caseData);
$data['APP_NUMBER'] = $caseData['APP_NUMBER'];
$data['USER'] = $userData['USR_LASTNAME'] . ' ' . $userData['USR_FIRSTNAME']; //TODO change with the farmated username from environment conf
$result = new stdclass();
$result->status = 0;
$result->msg = G::LoadTranslation( 'ID_REASSIGNMENT_SUCCESS', SYS_LANG, $data );
} catch (Exception $e) {
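Review bot: The new file-level `$filter` (an `InputFilter`) shares its name with the string parameter of `filterUserListArray($users = array(), $filter = '')` declared just below; the function body does not see the global, but a reader now has two different `$filter` meanings in the same file. Renaming the file-level instance, e.g. `$inputFilter = new InputFilter();`, avoids the confusion. The `$result = new stdclass();` additions are a sound fix for the previously implicit object creation.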


@@ -1,4 +1,9 @@
<?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$_SESSION = $filter->xssFilterHard($_SESSION);
if (!isset($_SESSION['USER_LOGGED'])) {
$res = new stdclass();
$res->message = G::LoadTranslation('ID_LOGIN_AGAIN');
@@ -215,6 +220,11 @@ function lookinginforContentProcess ($sproUid)
function startCase ()
{
G::LoadClass( 'case' );
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$_SESSION = $filter->xssFilterHard($_SESSION);
/* GET , POST & $_SESSION Vars */
/* unset any variable, because we are starting a new case */
@@ -241,6 +251,7 @@ function startCase ()
lookinginforContentProcess( $_POST['processId'] );
$aData = $oCase->startCase( $_REQUEST['taskId'], $_SESSION['USER_LOGGED'] );
$aData = $filter->xssFilterHard($aData);
$_SESSION['APPLICATION'] = $aData['APPLICATION'];
$_SESSION['INDEX'] = $aData['INDEX'];
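Review bot: `$aData = $filter->xssFilterHard($aData);` filters the array returned by `$oCase->startCase(...)`, which is data the application generated rather than request input, and the filtered `APPLICATION` and `INDEX` are then written into the session. If the filter changes any character of those identifiers the session no longer matches the row just created; it would be safer to drop this line and filter only request-derived fields. The `G::LoadSystem('inputfilter')` block repeated inside `startCase()` duplicates the one at the top of the same file; the function body continues outside the hunk.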


@@ -24,8 +24,8 @@ if ($actionAjax == "streaming") {
$file = \G::getPathFromFileUID($oAppDocument->Fields['APP_UID'], $sAppDocUid);
$realPath = PATH_DOCUMENT . $app_uid . '/' . $file[0] . $file[1] . '_' . $iDocVersion . '.' . $ext;
$realPath1 = PATH_DOCUMENT . $app_uid . '/' . $file[0] . $file[1] . '.' . $ext;
$realPath = PATH_DOCUMENT . G::getPathFromUID($app_uid) . '/' . $file[0] . $file[1] . '_' . $iDocVersion . '.' . $ext;
$realPath1 = PATH_DOCUMENT . G::getPathFromUID($app_uid) . '/' . $file[0] . $file[1] . '.' . $ext;
if (file_exists( $realPath )) {
$finfo = finfo_open(FILEINFO_MIME_TYPE);
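Review bot: The document path is now built from `G::getPathFromUID($app_uid)` plus `$file[0] . $file[1] . '_' . $iDocVersion . '.' . $ext`; where `$iDocVersion` and `$ext` come from is outside the hunk. If either originates in the request, it should be validated before the concatenation (an integer cast for the version, an allow-list or `basename()` for the extension) so the `file_exists` branch can only open files under `PATH_DOCUMENT`. A short comment stating which of these inputs are trusted would help the next reader.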


@@ -1,4 +1,11 @@
<?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET);
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$_SESSION = $filter->xssFilterHard($_SESSION);
if (!isset($_SESSION['USER_LOGGED'])) {
$response = new stdclass();
$response->message = G::LoadTranslation('ID_LOGIN_AGAIN');
@@ -243,12 +250,16 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) {
G::RenderPage( 'publish', 'raw' );
break;
case 'showUsers':
$_POST['TAS_ASSIGN_TYPE'] = $filter->xssFilterHard($_POST['TAS_ASSIGN_TYPE']);
switch ($_POST['TAS_ASSIGN_TYPE']) {
// switch verify $_POST['TAS_ASSIGN_TYPE']
case 'BALANCED':
$_POST['USR_UID'] = $filter->xssFilterHard($_POST['USR_UID']);
G::LoadClass( 'user' );
$oUser = new User( new DBConnection() );
$oUser->load( $_POST['USR_UID'] );
$oUser->Fields['USR_FIRSTNAME'] = $filter->xssFilterHard($oUser->Fields['USR_FIRSTNAME']);
$oUser->Fields['USR_LASTNAME'] = $filter->xssFilterHard($oUser->Fields['USR_LASTNAME']);
echo $oUser->Fields['USR_FIRSTNAME'] . ' ' . $oUser->Fields['USR_LASTNAME'] . '<input type="hidden" name="form[TASKS][1][USR_UID]" id="form[TASKS][1][USR_UID]" value="' . $_POST['USR_UID'] . '">';
break;
case 'MANUAL':
@@ -300,6 +311,8 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) {
echo $sAux;
break;
case 'EVALUATE':
$_POST['TAS_ASSIGN_VARIABLE'] = $filter->xssFilterHard($_POST['TAS_ASSIGN_VARIABLE']);
$_SESSION['APPLICATION'] = $filter->xssFilterHard($_SESSION['APPLICATION']);
G::LoadClass( 'application' );
$oApplication = new Application( new DBConnection() );
$oApplication->load( $_SESSION['APPLICATION'] );
@@ -315,7 +328,8 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) {
$oUser->load( $sUser );
echo $oUser->Fields['USR_FIRSTNAME'] . ' ' . $oUser->Fields['USR_LASTNAME'] . '<input type="hidden" name="form[TASKS][1][USR_UID]" id="form[TASKS][1][USR_UID]" value="' . $sUser . '">';
} else {
echo '<strong>Error: </strong>' . $_POST['TAS_ASSIGN_VARIABLE'] . ' ' . G::LoadTranslation( 'ID_EMPTY' );
$ID_EMPTY = $filter->xssFilterHard(G::LoadTranslation( 'ID_EMPTY' ));
echo '<strong>Error: </strong>' . $_POST['TAS_ASSIGN_VARIABLE'] . ' ' . $ID_EMPTY;
echo '<input type="hidden" name="_ERROR_" id="_ERROR_" value="">';
}
break;
@@ -447,6 +461,9 @@ switch (($_POST['action']) ? $_POST['action'] : $_REQUEST['action']) {
$cases->reassignCase( $_SESSION['APPLICATION'], $_SESSION['INDEX'], $_SESSION['USER_LOGGED'], $_POST['USR_UID'], $_POST['THETYPE'] );
break;
case 'toRevisePanel':
$_POST['APP_UID'] = $filter->xssFilterHard($_POST['APP_UID']);
$_POST['DEL_INDEX'] = $filter->xssFilterHard($_POST['DEL_INDEX']);
$_GET['APP_UID'] = $_POST['APP_UID'];
$_GET['DEL_INDEX'] = $_POST['DEL_INDEX'];
$G_PUBLISH = new Publisher();
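Review bot: `$_POST['USR_UID']` is inserted into an HTML attribute (`value="' . $_POST['USR_UID'] . '"`) and `$sUser` and `$_POST['TAS_ASSIGN_VARIABLE']` are echoed into markup, with `xssFilterHard` as the only protection; attribute context needs output escaping, e.g. `. htmlspecialchars($_POST['USR_UID'], ENT_QUOTES, 'UTF-8') .`. The per-key calls on `$_POST['TAS_ASSIGN_TYPE']`, `$_POST['USR_UID']`, `$_POST['APP_UID']` and `$_POST['DEL_INDEX']` repeat the whole-array filter already applied to `$_POST` at the top of the file, and the filter applied to `G::LoadTranslation('ID_EMPTY')` treats an application-owned string as untrusted input. The switch these cases belong to starts outside the hunk.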


@@ -130,7 +130,13 @@ if (isset( $oProcessFieds['PRO_DEBUG'] ) && $oProcessFieds['PRO_DEBUG']) {
}
//cleaning debug variables
if (! isset( $_GET['breakpoint'] )) {
$flagExecuteBeforeTriggers = !isset($_GET["breakpoint"]);
if (isset($_GET["TYPE"]) && $_GET["TYPE"] == "OUTPUT_DOCUMENT" && isset($_GET["ACTION"]) && $_GET["ACTION"] != "GENERATE") {
$flagExecuteBeforeTriggers = false;
}
if ($flagExecuteBeforeTriggers) {
if (isset( $_SESSION['TRIGGER_DEBUG']['info'] )) {
unset( $_SESSION['TRIGGER_DEBUG']['info'] );
}
@@ -269,11 +275,14 @@ try {
$_SESSION['CURRENT_DYN_UID'] = $_GET['UID'];
G::LoadClass('pmDynaform');
$a = new pmDynaform($_GET['UID'], $Fields['APP_DATA']);
$FieldsPmDynaform = $Fields;
$FieldsPmDynaform["PM_RUN_OUTSIDE_MAIN_APP"] = (!isset($_SESSION["PM_RUN_OUTSIDE_MAIN_APP"])) ? "true" : "false";
$FieldsPmDynaform["STEP_MODE"] = $oStep->getStepMode();
$FieldsPmDynaform["PRO_SHOW_MESSAGE"] = $noShowTitle;
$FieldsPmDynaform["TRIGGER_DEBUG"] = $_SESSION['TRIGGER_DEBUG']['ISSET'];
$a = new pmDynaform($FieldsPmDynaform);
if ($a->isResponsive()) {
$a->app_data["PRO_SHOW_MESSAGE"] = $noShowTitle;
$a->app_data["TRIGGER_DEBUG"] = $_SESSION['TRIGGER_DEBUG']['ISSET'];
$a->printEdit((!isset($_SESSION["PM_RUN_OUTSIDE_MAIN_APP"])) ? "true" : "false", $_SESSION['APPLICATION'], $array, $oStep->getStepMode());
$a->printEdit();
} else {
$G_PUBLISH->AddContent('dynaform', 'xmlform', $_SESSION['PROCESS'] . '/' . $_GET['UID'], '', $Fields['APP_DATA'], 'cases_SaveData?UID=' . $_GET['UID'] . '&APP_UID=' . $_SESSION['APPLICATION'], '', (strtolower($oStep->getStepMode()) != 'edit' ? strtolower($oStep->getStepMode()) : ''));
}
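Review bot: `$_GET["TYPE"] == "OUTPUT_DOCUMENT"` and `$_GET["ACTION"] != "GENERATE"` use loose comparison on request strings; `===`/`!==` state the intent and avoid PHP's numeric-string coercion. `$FieldsPmDynaform["TRIGGER_DEBUG"] = $_SESSION['TRIGGER_DEBUG']['ISSET'];` reads the key unguarded while the block above only ever unsets the `info` entry, so whether `ISSET` is always present cannot be confirmed from this hunk; an `isset()` check with an explicit default would make it robust. The enclosing `try` starts outside the hunk.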


@@ -23,6 +23,9 @@
*/
// die("first");
/* Permissions */
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET,"url");
switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
case - 2:
G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
@@ -35,8 +38,9 @@ switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
die();
break;
}
$_SESSION = $filter->xssFilterHard($_SESSION,"url");
if ((int) $_SESSION['INDEX'] < 1) {
$_SERVER['HTTP_REFERER'] = $filter->xssFilterHard($_SERVER['HTTP_REFERER']);
G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' );
G::header( 'location: ' . $_SERVER['HTTP_REFERER'] );
die();
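Review bot: `G::header('location: ' . $_SERVER['HTTP_REFERER'])` redirects to whatever Referer the client sent, and the `xssFilterHard` call added on it does not constrain the destination, so this remains an open redirect on the failed-permission path. Compare the referer host against the application's own host and fall back to a fixed internal page when it does not match or when the header is absent (there is no `isset` on it either). The section ending at line 335 has the identical pattern.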


@@ -23,6 +23,9 @@
*/
//die("second");
/* Permissions */
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET,"url");
switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
case - 2:
G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
@@ -35,8 +38,9 @@ switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
die();
break;
}
$_SESSION = $filter->xssFilterHard($_SESSION,"url");
if ((int) $_SESSION['INDEX'] < 1) {
$_SERVER['HTTP_REFERER'] = $filter->xssFilterHard($_SERVER['HTTP_REFERER']);
G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' );
G::header( 'location: ' . $_SERVER['HTTP_REFERER'] );
die();


@@ -23,6 +23,9 @@
*/
/* Permissions */
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET,"url");
switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
case - 2:
G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
@@ -35,7 +38,7 @@ switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
die();
break;
}
$_SESSION = $filter->xssFilterHard($_SESSION,"url");
/* Includes */
G::LoadClass( 'case' );


@@ -23,6 +23,9 @@
*/
/* Permissions */
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET,"url");
switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
case - 2:
G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' );
@@ -35,7 +38,7 @@ switch ($RBAC->userCanAccess( 'PM_SUPERVISOR' )) {
die();
break;
}
$_SESSION = $filter->xssFilterHard($_SESSION,"url");
/* Includes */
G::LoadClass( 'case' );


@@ -4,6 +4,9 @@
* and open the template in the editor.
*/
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
require_once ("classes/model/AdditionalTables.php");
require_once ("classes/model/Fields.php");
// passing the parameters


@@ -80,9 +80,49 @@ if ($oServerConf->isRtl( SYS_LANG )) {
$regionTreePanel = 'west';
$regionDebug = 'east';
}
$urlProxy = 'casesMenuLoader?action=getAllCounters&r=';
/*----------------------------------********---------------------------------*/
$urlProxy = '/api/1.0/' . SYS_SYS . '/system/counters-lists?r=';
$clientId = 'x-pm-local-client';
$client = getClientCredentials($clientId);
$authCode = getAuthorizationCode($client);
$debug = false; //System::isDebugMode();
$loader = Maveriks\Util\ClassLoader::getInstance();
$loader->add(PATH_TRUNK . 'vendor/bshaffer/oauth2-server-php/src/', "OAuth2");
$request = array(
'grant_type' => 'authorization_code',
'code' => $authCode
);
$server = array(
'REQUEST_METHOD' => 'POST'
);
$headers = array(
"PHP_AUTH_USER" => $client['CLIENT_ID'],
"PHP_AUTH_PW" => $client['CLIENT_SECRET'],
"Content-Type" => "multipart/form-data;",
"Authorization" => "Basic " . base64_encode($client['CLIENT_ID'] . ":" . $client['CLIENT_SECRET'])
);
$request = new \OAuth2\Request(array(), $request, array(), array(), array(), $server, null, $headers);
$oauthServer = new \ProcessMaker\Services\OAuth2\Server();
$response = $oauthServer->postToken($request, true);
$clientToken = $response->getParameters();
$clientToken["client_id"] = $client['CLIENT_ID'];
$clientToken["client_secret"] = $client['CLIENT_SECRET'];
/*----------------------------------********---------------------------------*/
$oHeadPublisher->assign( 'regionTreePanel', $regionTreePanel );
$oHeadPublisher->assign( 'regionDebug', $regionDebug );
$oHeadPublisher->assign( "defaultOption", $defaultOption ); //User menu permissions
$oHeadPublisher->assign( 'urlProxy', $urlProxy ); //sending the urlProxy to make
/*----------------------------------********---------------------------------*/
$oHeadPublisher->assign( 'credentials', $clientToken );
/*----------------------------------********---------------------------------*/
$oHeadPublisher->assign( "_nodeId", isset( $confDefaultOption ) ? $confDefaultOption : "PM_USERS" ); //User menu permissions
$oHeadPublisher->assign( "FORMATS", $conf->getFormats() );
@@ -90,3 +130,41 @@ $_SESSION["current_ux"] = "NORMAL";
G::RenderPage( "publish", "extJs" );
/*----------------------------------********---------------------------------*/
function getClientCredentials($clientId)
{
$oauthQuery = new ProcessMaker\Services\OAuth2\PmPdo(getDsn());
return $oauthQuery->getClientDetails($clientId);
}
function getDsn()
{
list($host, $port) = strpos(DB_HOST, ':') !== false ? explode(':', DB_HOST) : array(DB_HOST, '');
$port = empty($port) ? '' : ";port=$port";
$dsn = DB_ADAPTER.':host='.$host.';dbname='.DB_NAME.$port;
return array('dsn' => $dsn, 'username' => DB_USER, 'password' => DB_PASS);
}
function getAuthorizationCode($client)
{
\ProcessMaker\Services\OAuth2\Server::setDatabaseSource(getDsn());
\ProcessMaker\Services\OAuth2\Server::setPmClientId($client['CLIENT_ID']);
$oauthServer = new \ProcessMaker\Services\OAuth2\Server();
$userId = $_SESSION['USER_LOGGED'];
$authorize = true;
$_GET = array_merge($_GET, array(
'response_type' => 'code',
'client_id' => $client['CLIENT_ID'],
'scope' => implode(' ', $oauthServer->getScope())
));
$response = $oauthServer->postAuthorize($authorize, $userId, true);
$code = substr($response->getHttpHeader('Location'), strpos($response->getHttpHeader('Location'), 'code=')+5, 40);
return $code;
}
/*----------------------------------********---------------------------------*/
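Review bot: `$clientToken["client_secret"] = $client['CLIENT_SECRET'];` followed by `$oHeadPublisher->assign( 'credentials', $clientToken );` ships the OAuth client secret to the browser on every render of this page; the front end only needs the issued token, so drop the `client_secret` line and keep the secret server-side. In `getAuthorizationCode`, `strpos(..., 'code=')` returns `false` when the Location header carries an error instead of a code, and `false + 5` silently becomes offset 5 into the wrong string; check the result before the `substr`. The function also merges into the global `$_GET`, which every later handler in the request sees, and `$debug` is assigned but never used.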


@@ -2,5 +2,5 @@
$DYN_UID = $_GET["dyn_uid"];
G::LoadClass('pmDynaform');
$a = new pmDynaform($DYN_UID);
$a = new pmDynaform(array("CURRENT_DYNAFORM" => $DYN_UID));
$a->printPmDynaform();
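Review bot: `$DYN_UID = $_GET["dyn_uid"];` is passed straight into `new pmDynaform(array("CURRENT_DYNAFORM" => $DYN_UID))` with no `isset` and no format check, and this file did not receive the `InputFilter` preamble the rest of the commit adds. Validate that the value matches the expected UID format before constructing the dynaform, and return an error response otherwise.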


@@ -1,4 +1,10 @@
<?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$_SESSION['USER_LOGGED'] = $filter->xssFilterHard($_SESSION['USER_LOGGED']);
if (!isset($_SESSION['USER_LOGGED'])) {
$responseObject = new stdclass();
$responseObject->error = G::LoadTranslation('ID_LOGIN_AGAIN');
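Review bot: `$_SESSION['USER_LOGGED'] = $filter->xssFilterHard($_SESSION['USER_LOGGED']);` runs before `if (!isset($_SESSION['USER_LOGGED']))`, so for an unauthenticated request the key is read undefined (a notice) and then assigned; if `xssFilterHard` returns a string for a missing value the `isset` guard passes and the login check is bypassed. Move the guard first and filter only on the authenticated path, i.e. keep the `if (!isset(...))` block as the first statement after the `InputFilter` construction and apply the filter after it. The same write-before-check ordering appears in the sections ending at lines 589 and 624 (`$_SESSION['USER_LOGGED']` and `$_GET['t']`). What `xssFilterHard` returns for `null` is not visible here and should be confirmed.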


@@ -502,6 +502,8 @@ function fieldReset($translation)
function fieldComplete($translation)
{
G::LoadSystem('inputfilter');
$filter = new InputFilter();
global $action;
$arrayField = getDefaultFields($action, $translation);
@@ -509,10 +511,15 @@ function fieldComplete($translation)
//Get values from JSON request
$first = G::json_decode((isset($_POST["first"]))? $_POST["first"] : G::json_encode(array()));
$first = $filter->xssFilterHard($first);
$second = G::json_decode((isset($_POST["second"]))? $_POST["second"] : G::json_encode(array()));
$second = $filter->xssFilterHard($second);
$pmtable = (isset($_POST["pmtable"]))? $_POST["pmtable"] : "";
$pmtable = $filter->xssFilterHard($pmtable);
$rowsperpage = (isset($_POST["rowsperpage"]))? $_POST["rowsperpage"] : $arrayConfig["rowsperpage"];
$rowsperpage = $filter->xssFilterHard($rowsperpage);
$dateformat = (isset($_POST["dateformat"]) && !empty($_POST["dateformat"]))? $_POST["dateformat"] : $arrayConfig["dateformat"];
$dateformat = $filter->xssFilterHard($dateformat);
//Complete fields
foreach ($first as $index1 => $value1) {
@@ -560,17 +567,24 @@ function fieldComplete($translation)
function fieldLabelReset($translation)
{
G::LoadSystem('inputfilter');
$filter = new InputFilter();
global $action;
$arrayField = getDefaultFields($action, $translation);
$arrayConfig = getDefaultConfig($action, $translation);
//Get values from JSON request
$first = G::json_decode((isset($_POST["first"]))? $_POST["first"] : G::json_encode(array()));
$second = G::json_decode((isset($_POST["second"]))? $_POST["second"] : G::json_encode(array()));
$pmtable = (isset($_POST["pmtable"]))? $_POST["pmtable"] : "";
$first = G::json_decode((isset($_POST["first"]))? $_POST["first"] : G::json_encode(array()));
$first = $filter->xssFilterHard($first);
$second = G::json_decode((isset($_POST["second"]))? $_POST["second"] : G::json_encode(array()));
$second = $filter->xssFilterHard($second);
$pmtable = (isset($_POST["pmtable"]))? $_POST["pmtable"] : "";
$pmtable = $filter->xssFilterHard($pmtable);
$rowsperpage = (isset($_POST["rowsperpage"]))? $_POST["rowsperpage"] : $arrayConfig["rowsperpage"];
$rowsperpage = $filter->xssFilterHard($rowsperpage);
$dateformat = (isset($_POST["dateformat"]) && !empty($_POST["dateformat"]))? $_POST["dateformat"] : $arrayConfig["dateformat"];
$dateformat = $filter->xssFilterHard($dateformat);
//Reset label's fields
foreach ($second as $index1 => $value1) {
@@ -592,6 +606,8 @@ function fieldLabelReset($translation)
function fieldSave()
{
G::LoadSystem('inputfilter');
$filter = new InputFilter();
global $conf;
global $action;
@@ -599,11 +615,15 @@ function fieldSave()
$arrayConfig = getDefaultConfig($action, 0);
//Get values from JSON request
$first = G::json_decode((isset($_POST["first"]))? $_POST["first"] : G::json_encode(array()));
$second = G::json_decode((isset($_POST["second"]))? $_POST["second"] : G::json_encode(array()));
$pmtable = (isset($_POST["pmtable"]))? $_POST["pmtable"] : "";
$first = G::json_decode((isset($_POST["first"]))? $_POST["first"] : G::json_encode(array()));
$first = $filter->xssFilterHard($first);
$second = G::json_decode((isset($_POST["second"]))? $_POST["second"] : G::json_encode(array()));
$pmtable = (isset($_POST["pmtable"]))? $_POST["pmtable"] : "";
$pmtable = $filter->xssFilterHard($pmtable);
$rowsperpage = (isset($_POST["rowsperpage"]))? $_POST["rowsperpage"] : $arrayConfig["rowsperpage"];
$rowsperpage = $filter->xssFilterHard($rowsperpage);
$dateformat = (isset($_POST["dateformat"]) && !empty($_POST["dateformat"]))? $_POST["dateformat"] : $arrayConfig["dateformat"];
$dateformat = $filter->xssFilterHard($dateformat);
//Adding the key fields to second array
//Required fields for AppCacheView.php - addPMFieldsToCriteria()
@@ -744,6 +764,7 @@ function xgetFieldsFromPMTable($tabUid)
$oCriteria->addSelectColumn ( FieldsPeer::FLD_INDEX );
$oCriteria->add (FieldsPeer::ADD_TAB_UID, $tabUid , CRITERIA::EQUAL );
$oCriteria->add (FieldsPeer::FLD_NAME, 'APP_UID' , CRITERIA::NOT_EQUAL );
$oCriteria->addAnd (FieldsPeer::FLD_NAME, 'APP_NUMBER' , CRITERIA::NOT_EQUAL );
$oCriteria->addDescendingOrderByColumn('FLD_INDEX');
$oDataset = FieldsPeer::doSelectRS($oCriteria);
$oDataset->setFetchmode(ResultSet::FETCHMODE_ASSOC);
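Review bot: `fieldSave()` filters `$first`, `$pmtable`, `$rowsperpage` and `$dateformat` but not `$second`, whereas `fieldComplete()` and `fieldLabelReset()` in the same diff filter `$second` too; if the omission is intentional a comment should say so, otherwise add `$second = $filter->xssFilterHard($second);` after its `json_decode`. `$first`/`$second` are the result of `G::json_decode`, so whether `xssFilterHard` handles objects or nested arrays should be confirmed against the InputFilter class. `$rowsperpage` is a count and is better coerced with `(int)` than passed through an XSS filter.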


@@ -1,12 +1,22 @@
<?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_SESSION['USER_LOGGED'] = $filter->xssFilterHard($_SESSION['USER_LOGGED']);
$callback = isset($_POST['callback']) ? $_POST['callback'] : 'stcCallback1001';
$dir = isset($_POST['dir']) ? $_POST['dir'] : 'DESC';
$sort = isset($_POST['sort']) ? $_POST['sort'] : '';
$query = isset($_POST['query']) ? $_POST['query'] : '';
$callback = $filter->xssFilterHard($callback);
$dir = isset($_POST['dir']) ? $_POST['dir'] : 'DESC';
$dir = $filter->xssFilterHard($dir);
$sort = isset($_POST['sort']) ? $_POST['sort'] : '';
$sort = $filter->xssFilterHard($sort);
$query = isset($_POST['query']) ? $_POST['query'] : '';
$query = $filter->xssFilterHard($query);
$option = '';
if ( isset($_GET['t'] ) ) {
$option = $_GET['t'];
$option = $filter->xssFilterHard($option);
}
try {
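Review bot: `$dir` and `$sort` are request strings that, judging by their names and the `try` block that follows, are likely used to order a query; `xssFilterHard` is an HTML filter and does not constrain them. Restrict `$dir` to the two valid values, `$dir = strtoupper($dir) === 'ASC' ? 'ASC' : 'DESC';`, and check `$sort` against an allow-list of known column names before they reach the query builder. The section ending at line 611 introduces the same variables the same way.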


@@ -5,12 +5,21 @@
* and open the template in the editor.
*/
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$callback = isset($_POST['callback']) ? $_POST['callback'] : 'stcCallback1001';
$callback = $filter->xssFilterHard($callback);
$dir = isset($_POST['dir']) ? $_POST['dir'] : 'DESC';
$dir = $filter->xssFilterHard($dir);
$sort = isset($_POST['sort']) ? $_POST['sort'] : '';
$sort = $filter->xssFilterHard($sort);
$query = isset($_POST['query']) ? $_POST['query'] : '';
$query = $filter->xssFilterHard($query);
$tabUid = isset($_POST['table']) ? $_POST['table'] : '';
$tabUid = $filter->xssFilterHard($tabUid);
$action = isset($_POST['action']) ? $_POST['action'] : 'todo';
$action = $filter->xssFilterHard($action);
try {
G::LoadClass("BasePeer" );


@@ -1,4 +1,11 @@
<?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_SESSION['USER_LOGGED'] = $filter->xssFilterHard($_SESSION['USER_LOGGED']);
$_GET['t'] = $filter->xssFilterHard($_GET['t']);
$callback = isset( $_POST['callback'] ) ? $_POST['callback'] : 'stcCallback1001';
$dir = isset( $_POST['dir'] ) ? $_POST['dir'] : 'DESC';
$sort = isset( $_POST['sort'] ) ? $_POST['sort'] : '';


@@ -22,11 +22,19 @@
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
*
*/
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$_SERVER["QUERY_STRING"] = isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:'';
$_REQUEST["sProcess"] = isset($_REQUEST["sProcess"])?$_REQUEST["sProcess"]:'';
$_REQUEST["sFieldName"] = isset($_REQUEST["sFieldName"])?$_REQUEST["sFieldName"]:'';
$_REQUEST['sSymbol']= isset($_REQUEST["sSymbol"])?$_REQUEST["sSymbol"]:'';
$_SERVER["QUERY_STRING"] = $filter->xssFilterHard($_SERVER["QUERY_STRING"]);
$html = '<form action="uploader.php?'.$_SERVER["QUERY_STRING"].'&q=upload" onLoad="onLoad()" method="post" enctype="multipart/form-data" onsubmit="">';
$html .= '<div id="d_variables">';
$html .= '<table width="90%" align="center">';
@@ -40,24 +48,24 @@ $html .= '</tr>';
$html .= '<tr>';
$html .= '<td width="50%">';
$html .= '<label for="type_label">'.G::LoadTranslation('ID_TINY_TYPE_VARIABLE').'</label>';
$html .= '<label for="type_label">'.$filter->xssFilterHard(G::LoadTranslation('ID_TINY_TYPE_VARIABLE')).'</label>';
$html .= '</td>';
$html .= '<td width="25%">';
$html .= '<label for="prefix_label">'.G::LoadTranslation('ID_PREFIX').'</label>';
$html .= '<label for="prefix_label">'.$filter->xssFilterHard(G::LoadTranslation('ID_PREFIX')).'</label>';
$html .= '</td>';
$html .= '<td width="25%">';
$html .= '<label for="variables_label">'.G::LoadTranslation( 'ID_SEARCH').'</label>';
$html .= '<label for="variables_label">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_SEARCH')).'</label>';
$html .= '</td>';
$html .= '</tr>';
$html .= '<tr>';
$html .= '<td width="25%">';
$html .= '<select name="type_variables" id="type_variables">';
$html .= '<option value="all">'.G::LoadTranslation( 'ID_TINY_ALL_VARIABLES' ).'</option>';
$html .= '<option value="system">'.G::LoadTranslation( 'ID_TINY_SYSTEM_VARIABLES' ).'</option>';
$html .= '<option value="process">'.G::LoadTranslation( 'ID_TINY_PROCESS_VARIABLES' ).'</option>';
$html .= '<option value="all">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_TINY_ALL_VARIABLES' )).'</option>';
$html .= '<option value="system">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_TINY_SYSTEM_VARIABLES' )).'</option>';
$html .= '<option value="process">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_TINY_PROCESS_VARIABLES' )).'</option>';
$html .= '</select> &nbsp;&nbsp;&nbsp;&nbsp;';
$html .= '</td>';
@@ -79,7 +87,7 @@ $html .= '<input type="text" id="search" size="15">';
$html .= '</td>';
$html .= '</tr>';
$html .= '<tr>';
$html .= '<tr><td><label for="prefix_label">'.G::LoadTranslation( 'ID_VARIABLES' ).'</label></td></tr>';
$html .= '<tr><td><label for="prefix_label">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_VARIABLES' )).'</label></td></tr>';
$html .= '<tr>';
$html .= '<td colspan="3">';
@@ -114,19 +122,19 @@ $html .= '</div>';
$html .= '<br>';
$html .= '<table border="1" width="90%" align="center">';
$html .= '<tr width="40%">';
$html .= '<td>'.G::LoadTranslation('ID_RESULT').'</td>';
$html .= '<td>'.$filter->xssFilterHard(G::LoadTranslation('ID_RESULT')).'</td>';
$html .= '<td><span id="selectedVariableLabel">@@SYS_LANG</span></td>';
$html .= '</tr>';
$html .= '<tr width="60%">';
$html .= '<td>'.G::LoadTranslation('ID_DESCRIPTION').'</td>';
$html .= '<td><span id="desc_variables">'.G::LoadTranslation('ID_SYSTEM').'</span></td>';
$html .= '<td>'.$filter->xssFilterHard(G::LoadTranslation('ID_DESCRIPTION')).'</td>';
$html .= '<td><span id="desc_variables">'.$filter->xssFilterHard(G::LoadTranslation('ID_SYSTEM')).'</span></td>';
$html .= '</tr>';
$html .= '</table>';
$html .= '</div>';
$html .= '<br>';
$html .= '<table width="90%" align="center">';
$html .= '<tr><td>';
$html .= '<label for="desc_prefix">*<span id="desc_prefix">' . G::LoadTranslation( 'ID_TO_STRING' ) . '</span></label>';
$html .= '<label for="desc_prefix">*<span id="desc_prefix">'.$filter->xssFilterHard(G::LoadTranslation( 'ID_TO_STRING' )).'</span></label>';
$html .= '</td></tr>';
$html .= '</div>';
@@ -147,4 +155,4 @@ if (isset($_REQUEST['displayOption'])) {
echo $html;
G::RenderPage( 'publish', $display );
G::RenderPage( 'publish', $display );
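Review bot: `$_SERVER["QUERY_STRING"]` is embedded in the `action="uploader.php?...` attribute after `xssFilterHard`, but attribute context calls for `htmlspecialchars($_SERVER["QUERY_STRING"], ENT_QUOTES, 'UTF-8')` so that a quote cannot terminate the attribute regardless of what the filter strips. The many `$filter->xssFilterHard(G::LoadTranslation(...))` wrappers filter translation strings owned by the application rather than request data, adding cost on every render without changing what a client controls; the request-derived values (`sProcess`, `sFieldName`, `sSymbol` and the query string) are the ones that need per-context escaping where they are emitted.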


@@ -35,6 +35,10 @@
*/
G::LoadClass( 'xmlfield_InputPM' );
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$aFields = getDynaformsVars( $_POST['sProcess'], true, isset( $_POST['bIncMulSelFields'] ) ? $_POST['bIncMulSelFields'] : 0 );
$aType = $_POST['type'];


@@ -30,6 +30,11 @@
* @Param var action from POST request
*/
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_SESSION = $filter->xssFilterHard($_SESSION);
if (isset( $_POST['action'] ) || isset( $_POST['function'] )) {
$action = (isset( $_POST['action'] )) ? $_POST['action'] : $_POST['function'];
} else {


@@ -23,6 +23,11 @@
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
function LookForChildren ($parent, $level, $aDepUsers)
{
G::LoadClass( 'configuration' );
@@ -362,7 +367,7 @@ switch ($_POST['action']) {
$dep_manager = $_POST['USR_UID'];
$dep_uid = $_POST['DEP_UID'];
$editDepartment['DEP_UID'] = $dep_uid;
$editDepartment['DEP_MANAGER'] = $dep_manager;
$editDepartment['DEP_MANAGER'] = (!isset($_POST['NO_DEP_MANAGER'])? $dep_manager : '');
$oDept = new Department();
$oDept->update( $editDepartment );
$oDept->updateDepartmentManager( $dep_uid );


@@ -21,6 +21,12 @@
* For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_GET = $filter->xssFilterHard($_GET);
if (($RBAC_Response = $RBAC->userCanAccess( "PM_FACTORY" )) != 1) {
return $RBAC_Response;
}
@@ -38,6 +44,9 @@ $G_SUB_MENU = 'processes';
$G_ID_MENU_SELECTED = 'PROCESSES';
$G_ID_SUB_MENU_SELECTED = 'FIELDS';
$_GET['PRO_UID'] = $filter->xssFilterHard($_GET['PRO_UID']);
$_GET['DYN_UID'] = $filter->xssFilterHard($_GET['DYN_UID']);
$PRO_UID = isset( $_GET['PRO_UID'] ) ? $_GET['PRO_UID'] : '0';
$DYN_UID = (isset( $_GET['DYN_UID'] )) ? urldecode( $_GET['DYN_UID'] ) : '0';
$_SESSION['PROCESS'] = $_GET['PRO_UID'];
@@ -50,6 +59,7 @@ if ($process->exists( $PRO_UID )) {
$process->load( $PRO_UID );
} else {
//TODO
$PRO_UID = $filter->xssFilterHard($PRO_UID);
print ("$PRO_UID doesn't exist, continue? yes") ;
}
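Review bot: `print ("$PRO_UID doesn't exist, continue? yes")` still reflects a request parameter into the page, and the added `$PRO_UID = $filter->xssFilterHard($PRO_UID);` is a substitute for HTML encoding rather than encoding itself; the output-side form is `print (htmlspecialchars($PRO_UID, ENT_QUOTES, 'UTF-8') . " doesn't exist, continue? yes");`, after which the extra filter line is unnecessary because `$_GET` was already filtered at the top. Separately, `$_GET['DYN_UID'] = $filter->xssFilterHard($_GET['DYN_UID']);` and `$_SESSION['PROCESS'] = $_GET['PRO_UID'];` read keys without `isset`, although the two lines between them guard the same keys.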


@@ -28,6 +28,10 @@
* also the functionality of dependent fields in grids doesn't depends in this
* file so this is somewhat expendable.
*/
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
function subDependencies ($k, &$G_FORM, &$aux, $grid = '')
{
$myDependentFields = '';


@@ -25,6 +25,9 @@
* @Date Aug 26th, 2009
*/
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$request = $_POST['request'];
switch ($request) {
@@ -32,6 +35,7 @@ switch ($request) {
if (isset( $_POST['items'] )) {
$items = $_POST['items'];
$tmpfilename = $_SESSION['Current_Dynafom']['Parameters']['FILE'];
$tmpfilename = $filter->xssFilterHard($tmpfilename);
G::LoadSystem( 'dynaformhandler' );
$o = new dynaFormHandler( PATH_DYNAFORM . "{$tmpfilename}.xml" );
@@ -53,6 +57,7 @@ switch ($request) {
break;
case 'saveHidden':
$tmpfilename = $_SESSION['Current_Dynafom']['Parameters']['FILE'];
$tmpfilename = $filter->xssFilterHard($tmpfilename);
G::LoadSystem( 'dynaformhandler' );
$o = new dynaFormHandler( PATH_DYNAFORM . "{$tmpfilename}.xml" );
$hidden_items = Array ();
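Review bot: `$tmpfilename = $filter->xssFilterHard($tmpfilename);` is followed by `PATH_DYNAFORM . "{$tmpfilename}.xml"`, and an XSS filter does not remove `..` or directory separators, so it gives no path protection for that concatenation. The same class is used elsewhere in this commit as `validateInput($value, 'path')`, so `$tmpfilename = $filter->validateInput($tmpfilename, 'path');` (or `basename($tmpfilename)`) is the check that fits here, in both the `items` branch and `saveHidden`. The same filter-then-concatenate pattern appears later in this commit with `$_FILES['templateFile']['name']` and `$_REQUEST['filename']`.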


@@ -51,8 +51,11 @@ for ($r = 1; $r < 10; $r ++) {
</select> <input type="submit" value="Send" />
</form>
<?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$test = $_POST['form']['test'];
if ($test) {
$test = $filter->xssFilterHard($test);
foreach ($test as $t) {
echo 'You selected ', $t, '<br />';
}
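Review bot: `echo 'You selected ', $t, '<br />';` writes the value into HTML with only `xssFilterHard` in front of it; the output-side fix is `echo 'You selected ', htmlspecialchars($t, ENT_QUOTES, 'UTF-8'), '<br />';`. `$test = $_POST['form']['test'];` is also read without `isset`, and the `foreach` assumes an array, so a scalar `form[test]` raises a warning instead of being rejected.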


@@ -1,3 +1,19 @@
<?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
if(isset($_GET['srv'])) {
$_GET['srv'] = $filter->xssFilterHard($_GET['srv']);
}
if(isset($_GET['usr'])) {
$_GET['usr'] = $filter->xssFilterHard($_GET['usr']);
}
if(isset($_GET['pass'])) {
$_GET['pass'] = $filter->xssFilterHard($_GET['pass']);
}
if(isset($_GET['gen'])) {
$_GET['gen'] = $filter->xssFilterHard($_GET['gen']);
}
?>
<form action="r">
Server: <input type="text" name="srv"
value="<?php echo isset($_GET['srv'])?$_GET['srv']:'';?>"> User: <input
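Review bot: `value="<?php echo isset($_GET['srv'])?$_GET['srv']:'';?>"` writes a query parameter into an attribute, and filtering `$_GET['srv']` above is standing in for the encoding that belongs at this point: `value="<?php echo isset($_GET['srv']) ? htmlspecialchars($_GET['srv'], ENT_QUOTES, 'UTF-8') : ''; ?>"`, and likewise for `usr`, `pass` and `gen`. A password carried in `$_GET['pass']` also ends up in server and proxy logs and browser history; `<form action="r">` would be better as a POST form. The remaining fields of the form are outside the hunk.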


@@ -1,4 +1,7 @@
<?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] :'';
@@ -9,6 +12,7 @@ if ($action == '') {
switch ($action) {
case 'setTemplateFile':
$_FILES = $filter->xssFilterHard($_FILES);
//print_r($_FILES);
$_SESSION['outpudocs_tmpFile'] = PATH_DATA . $_FILES['templateFile']['name'];
// file_put_contents($_FILES['templateFile']['name'], file_get_contents($_FILES['templateFile']['tmp_name']));
@@ -21,6 +25,7 @@ switch ($action) {
break;
case 'getTemplateFile':
$_SESSION['outpudocs_tmpFile'] = $filter->xssFilterHard($_SESSION['outpudocs_tmpFile']);
$aExtensions = array ("exe","com","dll","ocx","fon","ttf","doc","xls","mdb","rtf","bin","jpeg","jpg","jif","jfif","gif","tif","tiff","png","bmp","pdf","aac","mp3","mp3pro","vorbis","realaudio","vqf","wma","aiff","flac","wav","midi","mka","ogg","jpeg","ilbm","tar","zip","rar","arj","gzip","bzip2","afio","kgb","gz","asf","avi","mov","iff","ogg","ogm","mkv","3gp"
);
$sFileName = strtolower( $_SESSION['outpudocs_tmpFile'] );
@@ -28,11 +33,15 @@ switch ($action) {
$searchPos = strpos( $strRev, '.' );
$pos = (strlen( $sFileName ) - 1) - $searchPos;
$sExtension = substr( $sFileName, $pos + 1, strlen( $sFileName ) );
if (! in_array( $sExtension, $aExtensions ))
echo $content = file_get_contents( $_SESSION['outpudocs_tmpFile'] );
if (! in_array( $sExtension, $aExtensions )) {
$content = file_get_contents( $_SESSION['outpudocs_tmpFile'] );
$content = $filter->xssFilterHard($content);
echo $content;
}
break;
case 'loadTemplateContent':
$_POST = $filter->xssFilterHard($_POST);
require_once 'classes/model/OutputDocument.php';
$ooutputDocument = new OutputDocument();
if (isset( $_POST['OUT_DOC_UID'] )) {
@@ -43,6 +52,7 @@ switch ($action) {
break;
case 'lookForNameOutput':
$_POST = $filter->xssFilterHard($_POST);
require_once ('classes/model/Content.php');
require_once ("classes/model/OutputDocument.php");
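Review bot: `$_SESSION['outpudocs_tmpFile'] = PATH_DATA . $_FILES['templateFile']['name'];` keeps a client-supplied filename as a path, and `xssFilterHard($_FILES)` on the line before leaves `..` segments intact; `PATH_DATA . basename($_FILES['templateFile']['name'])` confines the later `file_get_contents` to that directory. In `getTemplateFile`, `in_array( $sExtension, $aExtensions )` is a deny-list compared loosely; an allow-list of the template extensions actually served, with `in_array($sExtension, $allowed, true)`, is the robust form. Filtering `$content` with `xssFilterHard` before `echo` also rewrites the template bytes being served, which for a non-HTML template is a content change rather than an encoding.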


@@ -38,6 +38,13 @@ try {
break;
} */
//$oJSON = new Services_JSON();
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET);
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
//$_SESSION = $filter->xssFilterHard($_SESSION);
if (isset($_REQUEST['data'])) {
if($_REQUEST['action']=="addText"||$_REQUEST['action']=="updateText") {
@@ -52,22 +59,22 @@ try {
//$oData = $oJSON->decode( stripslashes( $_REQUEST['data'] ) );
$sOutput = '';
$sTask = '';
if(array_key_exists('pro_uid', $oDataAux) || array_key_exists('uid', $oDataAux) || array_key_exists('PRO_UID', $oDataAux) || array_key_exists('UID', $oDataAux)) {
if(array_key_exists('pro_uid', $oDataAux) || array_key_exists('PRO_UID', $oDataAux)) {
if(array_key_exists('pro_uid', $oDataAux)) {
$proUid = $oDataAux['pro_uid'];
} else {
$proUid = $oDataAux['PRO_UID'];
$proUid = $oDataAux['PRO_UID'];
}
} else {
$proUid = $oDataAux['uid'];
$uidAux = $proUid;
}
G::LoadClass('processes');
$infoProcess = new Processes();
if(!$infoProcess->processExists($proUid)) {
$oSL = new SwimlanesElements();
if($oSL->swimlanesElementsExists($proUid)) {
@@ -83,11 +90,11 @@ try {
$rs->next();
$row = $rs->getRow();
$proUid = $row['PRO_UID'];
}
}
}
$resultProcess = $infoProcess->getProcessRow($proUid);
$resultProcess = $infoProcess->getProcessRow($proUid);
} else {
if(array_key_exists('PU_UID', $oDataAux)) {
if(array_key_exists('PU_UID', $oDataAux)) {
$c = new Criteria('workflow');
$c->clearSelectColumns();
$c->addSelectColumn(ProcessUserPeer::PRO_UID);
@@ -98,14 +105,14 @@ try {
$oDataset->next();
$row = $oDataset->getRow();
$userSupervisor = $row['USR_UID'];
G::LoadClass('processes');
$infoProcess = new Processes();
$resultProcess = $infoProcess->getProcessRow($row['PRO_UID']);
$resultProcess = $infoProcess->getProcessRow($row['PRO_UID']);
}
}
}
if(isset($_REQUEST['pro_uid']) && !empty($_REQUEST['pro_uid']) || isset($_REQUEST['PRO_UID']) && !empty($_REQUEST['PRO_UID'])) {
if(isset($_REQUEST['pro_uid']) && !empty($_REQUEST['pro_uid'])) {
$proUid = $_REQUEST['pro_uid'];
@@ -114,21 +121,27 @@ try {
}
G::LoadClass('processes');
$infoProcess = new Processes();
$resultProcess = $infoProcess->getProcessRow($proUid);
$resultProcess = $infoProcess->getProcessRow($proUid);
}
if(isset($proUid) && $proUid != "") {
$valuesProcess['PRO_UID'] = $proUid;
$valuesProcess['PRO_UPDATE_DATE'] = date("Y-m-d H:i:s");
G::LoadClass('processes');
G::LoadClass("processes");
$infoProcess = new Processes();
$resultProcess = $infoProcess->updateProcessRow($valuesProcess);
$resultProcess = $infoProcess->getProcessRow($proUid);
if (!in_array($_REQUEST["action"], array("load"))) {
$infoProcess->updateProcessRow(array(
"PRO_UID" => $proUid,
"PRO_UPDATE_DATE" => date("Y-m-d H:i:s")
));
}
$resultProcess = $infoProcess->getProcessRow($proUid);
}
//G::LoadClass( 'processMap' );
$oProcessMap = new processMap(new DBConnection());
switch ($_REQUEST['action']) {
case 'load':
$_SESSION['PROCESS'] = $oData->uid;
@@ -345,7 +358,7 @@ try {
} else {
switch ($oData->type) {
case 0:
$oData->type = 'SEQUENTIAL';
$oData->type = 'SEQUENTIAL';
break;
case 1:
$oData->type = 'SELECT';
@@ -363,7 +376,7 @@ try {
$oData->type = 'SEC-JOIN';
break;
case 8:
$oData->type = 'DISCRIMINATOR';
$oData->type = 'DISCRIMINATOR';
break;
}
$oProcessMap->newPattern($oData->pro_uid, $oData->tas_uid, $oData->next_task, $oData->type);
@@ -384,7 +397,7 @@ try {
$taskNextInfo=$oTaskNextNewPattern->load($oData->next_task);
$titleNextTask=$taskNextInfo['TAS_TITLE'];
} else {
$titleNextTask=G::LoadTranslation("ID_END_OF_PROCESS");
$titleNextTask=G::LoadTranslation("ID_END_OF_PROCESS");
}
if ($titleNextTask=='') {
G::auditLog("DerivationRule",'PROCESS NAME : '.$titleProcess.' : '.$oData->pro_uid.' Routing rule : END OF PROCESS Task Name -> '.$titleTask.' : '.$oData->tas_uid);
@@ -735,6 +748,8 @@ try {
// G::RenderPage( 'publish', 'blank' );
break;
case 'saveFile':
$_REQUEST['pro_uid'] = $filter->xssFilterHard($_REQUEST['pro_uid']);
$_REQUEST['filename'] = $filter->xssFilterHard($_REQUEST['filename']);
global $G_PUBLISH;
$G_PUBLISH = new Publisher();
global $RBAC;
@@ -748,6 +763,7 @@ try {
$sDir = "";
if (isset($_REQUEST['MAIN_DIRECTORY'])) {
$_REQUEST['MAIN_DIRECTORY'] = $filter->xssFilterHard($_REQUEST['MAIN_DIRECTORY']);
$sDir = $_REQUEST['MAIN_DIRECTORY'];
}
switch ($sDir) {
@@ -769,6 +785,7 @@ try {
$content = base64_decode($content);
fwrite($fp, $content);
fclose($fp);
$sDirectory = $filter->xssFilterHard($sDirectory);
echo 'saved: ' . $sDirectory;
}
break;
@@ -824,8 +841,10 @@ try {
*
*/
case 'getVariablePrefix':
$_REQUEST['prefix'] = $filter->xssFilterHard($_REQUEST['prefix']);
$_REQUEST['prefix'] = $_REQUEST['prefix'] != null ? $_REQUEST['prefix'] : 'ID_TO_STRING';
echo G::LoadTranslation($_REQUEST['prefix']);
$prefix = $filter->xssFilterHard(G::LoadTranslation($_REQUEST['prefix']));
echo G::LoadTranslation($prefix);
break;
/**
* return an array with all Variables of Grid type
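Review bot: In `getVariablePrefix`, `$prefix = $filter->xssFilterHard(G::LoadTranslation($_REQUEST['prefix'])); echo G::LoadTranslation($prefix);` translates twice: the first call resolves the ID to its text and the second looks that text up as an ID again, which is not what the replaced `echo G::LoadTranslation($_REQUEST['prefix']);` did. The intended form is `echo $filter->xssFilterHard(G::LoadTranslation($_REQUEST['prefix']));`. `$_REQUEST['prefix'] != null` is also a loose comparison that reads the key without `isset`; `isset($_REQUEST['prefix']) && $_REQUEST['prefix'] !== ''` is explicit. The `try` block enclosing this `switch` starts outside the hunk.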


@@ -1,12 +1,17 @@
<?php
ini_set("max_execution_time", 0);
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_FILES = $filter->xssFilterHard($_FILES);
$_SESSION['USER_LOGGED'] = $filter->xssFilterHard($_SESSION['USER_LOGGED']);
if (isset($_FILES["PROCESS_FILENAME"]) &&
pathinfo($_FILES["PROCESS_FILENAME"]["name"], PATHINFO_EXTENSION) == "bpmn"
) {
try {
$createMode = $_REQUEST["createMode"];
$createMode = $filter->xssFilterHard($createMode);
$name = pathinfo($_FILES["PROCESS_FILENAME"]["name"], PATHINFO_FILENAME);
$data = array(
"type" => "bpmnProject",
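Review bot: `$createMode = $_REQUEST["createMode"];` is read without `isset` and only filtered on the next line; `$createMode = $filter->xssFilterHard(isset($_REQUEST['createMode']) ? $_REQUEST['createMode'] : '');` avoids the notice. The `.bpmn` check on `pathinfo(...)` inspects only the client-supplied name and is case-sensitive, so it selects the branch but does not validate the upload; whatever parses the file (outside the hunk) has to treat its content as untrusted. Rewriting `$_SESSION['USER_LOGGED']` with an XSS filter is also unusual, since it is server-set and changing it changes which user the request is attributed to.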


@@ -45,7 +45,10 @@ if ($access != 1) {
}
}
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$form = $_POST['form'];
$form = $filter->xssFilterHard($form);
//$tasUid = $form['TASKS'];
$tasUid = $form['TAS_PARENT'];


@@ -24,6 +24,9 @@
require_once (PATH_RBAC . "model/RolesPeer.php");
G::LoadClass( 'ArrayPeer' );
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
isset( $_POST['textFilter'] ) ? $filter = $_POST['textFilter'] : $filter = '';
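Review bot: `isset( $_POST['textFilter'] ) ? $filter = $_POST['textFilter'] : $filter = '';` reassigns `$filter`, overwriting the `InputFilter` instance created two lines above with the submitted text, so any later `$filter->xssFilterHard(...)` in this file becomes a method call on a string. Give the instance a distinct name, `$inputFilter = new InputFilter(); $_POST = $inputFilter->xssFilterHard($_POST);`, or rename the text variable. The rest of the file is outside the hunk, so I cannot confirm a later use, but the collision itself is visible here.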


@@ -22,6 +22,10 @@
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
$ROL_UID = $_GET['rUID'];
$TYPE_DATA = $_GET["type"];


@@ -0,0 +1,121 @@
<?php
/*----------------------------------********---------------------------------*/
if (PMLicensedFeatures
::getSingleton()
->verifyfeature('zLhSk5TeEQrNFI2RXFEVktyUGpnczV1WEJNWVp6cjYxbTU3R29mVXVZNWhZQT0=')) {
// since all the request parameters using this script are encrypted
// using the URL_KEY the probability of injecting any kind of code using
// this entry point are only possible knowing the aforementioned key.
switch (G::decrypt(urldecode(utf8_encode($_REQUEST['ACTION'])), URL_KEY)) {
case 'processABE' :
$G_PUBLISH = new Publisher();
try {
// Validations
if (!isset($_REQUEST['APP_UID'])) {
$_REQUEST['APP_UID'] = '';
}
if (!isset($_REQUEST['DEL_INDEX'])) {
$_REQUEST['DEL_INDEX'] = '';
}
if ($_REQUEST['APP_UID'] == '') {
throw new Exception('The parameter APP_UID is empty.');
}
if ($_REQUEST['DEL_INDEX'] == '') {
throw new Exception('The parameter DEL_INDEX is empty.');
}
$_REQUEST['APP_UID'] = G::decrypt(urldecode(utf8_encode($_REQUEST['APP_UID'])), URL_KEY);
$_REQUEST['DEL_INDEX'] = G::decrypt(urldecode(utf8_encode($_REQUEST['DEL_INDEX'])), URL_KEY);
$_REQUEST['FIELD'] = G::decrypt(urldecode(utf8_encode($_REQUEST['FIELD'])), URL_KEY);
$_REQUEST['VALUE'] = G::decrypt(urldecode(utf8_encode($_REQUEST['VALUE'])), URL_KEY);
$_REQUEST['ABER'] = G::decrypt(urldecode(utf8_encode($_REQUEST['ABER'])), URL_KEY);
G::LoadClass('case');
$cases = new Cases();
$caseFieldsABE = $cases->loadCase($_REQUEST['APP_UID'], $_REQUEST['DEL_INDEX']);
if (is_null($caseFieldsABE['DEL_FINISH_DATE'])) {
$dataField = array();
$dataField[$_REQUEST['FIELD']] = $_REQUEST['VALUE'];
$caseFieldsABE ['APP_DATA'] = array_merge($caseFieldsABE ['APP_DATA'], $dataField);
$dataResponses = array();
$dataResponses['ABE_REQ_UID'] = $_REQUEST['ABER'];
$dataResponses['ABE_RES_CLIENT_IP'] = $_SERVER['REMOTE_ADDR'];
$dataResponses['ABE_RES_DATA'] = serialize($_REQUEST['VALUE']);
$dataResponses['ABE_RES_STATUS'] = 'PENDING';
$dataResponses['ABE_RES_MESSAGE'] = '';
try {
require_once 'classes/model/AbeResponses.php';
$abeAbeResponsesInstance = new AbeResponses();
$dataResponses['ABE_RES_UID'] = $abeAbeResponsesInstance->createOrUpdate($dataResponses);
} catch (Exception $error) {
throw $error;
}
$cases->updateCase($_REQUEST['APP_UID'], $caseFieldsABE);
G::LoadClass('wsBase');
$ws = new wsBase();
$result = $ws->derivateCase($caseFieldsABE['CURRENT_USER_UID'], $_REQUEST['APP_UID'], $_REQUEST['DEL_INDEX'], true);
$code = (is_array($result) ? $result['status_code'] : $result->status_code);
if ($code != 0) {
throw new Exception('An error occurred while the application was being processed.<br /><br />
Error code: ' . $result->status_code . '<br />
Error message: ' . $result->message . '<br /><br />');
}
// Update
$dataResponses['ABE_RES_STATUS'] = ($code == 0 ? 'SENT' : 'ERROR');
$dataResponses['ABE_RES_MESSAGE'] = ($code == 0 ? '-' : $result->message);
try {
$abeAbeResponsesInstance = new AbeResponses();
$abeAbeResponsesInstance->createOrUpdate($dataResponses);
} catch (Exception $error) {
throw $error;
}
$message = '<strong>The answer has been submited. Thank you</strong>';
//Save Cases Notes
G::LoadClass('actionsByEmailUtils');
$dataAbeRequests = loadAbeRequest($_REQUEST['ABER']);
$dataAbeConfiguration = loadAbeConfiguration($dataAbeRequests['ABE_UID']);
if ($dataAbeConfiguration['ABE_CASE_NOTE_IN_RESPONSE'] == 1) {
$response = new stdclass();
$response->usrUid = $caseFieldsABE['APP_DATA']['USER_LOGGED'];
$response->appUid = $_REQUEST['APP_UID'];
$response->noteText = "Check the information that was sent for the receiver: " . $dataAbeRequests['ABE_REQ_SENT_TO'];
postNote($response);
}
$dataAbeRequests['ABE_REQ_ANSWERED'] = 1;
$code == 0 ? uploadAbeRequest($dataAbeRequests) : '';
} else {
$message = '<strong>The response has already been sent.</strong>';
}
$G_PUBLISH->AddContent('xmlform', 'xmlform', 'login/showInfo', '', array('MESSAGE' => $message));
} catch (Exception $error) {
$G_PUBLISH->AddContent('xmlform', 'xmlform', 'login/showMessage', '', array('MESSAGE' => $error->getMessage() . 'Please contact to your system administrator.'));
}
G::RenderPage('publish', 'blank');
break;
}
}
/*----------------------------------********---------------------------------*/
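Review bot: The validation block checks `APP_UID` and `DEL_INDEX` for presence, but `$_REQUEST['FIELD']`, `$_REQUEST['VALUE']` and `$_REQUEST['ABER']` are decrypted without an `isset`, and the decrypted `ABER` is stored as `ABE_REQ_UID` and passed to `loadAbeRequest()` without being checked against the case named by `APP_UID`/`DEL_INDEX`. Adding the three keys to the presence checks and, if the loaded request record carries its case UID, comparing it to `$_REQUEST['APP_UID']` before `updateCase()` would tie the response to the request it answers. The comment above the `switch` treats a decryptable value as authentic; that holds only if `G::decrypt` rejects tampered input, which I cannot see here, so `is_null($caseFieldsABE['DEL_FINISH_DATE'])` is the check actually preventing a second submission. Style-wise, the two `try { ... } catch (Exception $error) { throw $error; }` wrappers are no-ops, and `$code == 0 ? uploadAbeRequest($dataAbeRequests) : '';` always takes the first branch because `$code != 0` throws above.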


@@ -122,7 +122,10 @@ abstract class CURLMessage
*/
public function displayResponse ()
{
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$error = curl_error( $this->ch );
$error = $filter->xssFilterHard($error);
$result = array ('header' => '','body' => '','curl_error' => '','http_code' => '','last_url' => ''
);
if ($error != "") {
@@ -130,12 +133,15 @@ abstract class CURLMessage
return $result;
}
$response = $this->output;
$response = $filter->xssFilterHard($response);
$header_size = curl_getinfo( $this->ch, CURLINFO_HEADER_SIZE );
$result['header'] = substr( $response, 0, $header_size );
$result['body'] = substr( $response, $header_size );
$result['http_code'] = curl_getinfo( $this->ch, CURLINFO_HTTP_CODE );
$result['last_url'] = curl_getinfo( $this->ch, CURLINFO_EFFECTIVE_URL );
$result = $filter->xssFilterHard($result);
$this->type = $filter->xssFilterHard($this->type);
echo $this->type . " Response: " . $response . "<BR>";
foreach ($result as $index => $data) {
if ($data != "") {
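Review bot: `$response = $filter->xssFilterHard($response);` runs before `CURLINFO_HEADER_SIZE` is used to split `$response`; if the filter changes the length of the raw headers or body, `substr( $response, 0, $header_size )` and `substr( $response, $header_size )` no longer cut at the header boundary. Split the unfiltered `$this->output` first and filter the parts, `$result['header'] = $filter->xssFilterHard(substr($this->output, 0, $header_size)); $result['body'] = $filter->xssFilterHard(substr($this->output, $header_size));`, keeping a filtered copy only for the `echo`. Filtering `$result` again afterwards and rewriting `$this->type` in place are then redundant. `displayResponse` continues past the hunk.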


@@ -61,12 +61,17 @@ a.krumo-name {
</style>
<?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_SESSION = $filter->xssFilterHard($_SESSION);
if (isset( $_POST["epr"] )) {
$_SESSION['END_POINT'] = $_POST["epr"];
}
$endpoint = isset( $_SESSION['END_POINT'] ) ? $_SESSION['END_POINT'] : 'http://sugar.opensource.colosa.net/soap.php';
$endpoint = $filter->xssFilterHard($endpoint);
$sessionId = isset( $_SESSION['SESSION_ID'] ) ? $_SESSION['SESSION_ID'] : '';
$sessionId = $filter->xssFilterHard($sessionId);
?>
<form method="post" action="">


@@ -42,7 +42,7 @@ $oTemplatePower->assign('USR_UID', $aUser['USR_UID']);
$oTemplatePower->assign('USR_FULLNAME', $aData['USR_FIRSTNAME'] . ' ' . $aData['USR_LASTNAME'] . ' (' . $aData['USR_USERNAME'] . ')');
*/
$userName = 'admin';
$userPass = 'The password introduced at the time of installing the application';
$userPass = 'The password introduced at the time of installing the application. (If you did not change the password by default is "admin")';
if(isset($_SESSION['NW_PASSWORD'])){
if($_SESSION['NW_PASSWORD'] != ''){
$userPass = $_SESSION['NW_PASSWORD'];


@@ -154,6 +154,8 @@ function getCaseInfo ($params)
function SendVariables ($params)
{
G::LoadSystem('inputfilter');
$filter = new InputFilter();
ifSessionExpiredBreakThis( $params->sessionId );
$x = ifPermission( $params->sessionId, 'PM_CASES' );
if ($x == 0) {
@@ -172,6 +174,8 @@ function SendVariables ($params)
foreach ($variables as $key => $val) {
$name = $val->name;
$value = $val->value;
$val->name = $filter->validateInput($val->name);
$val->value = $filter->validateInput($val->value);
eval( '$Fields[ ' . $val->name . ' ]= $val->value ;' );
}
}
@@ -241,6 +245,8 @@ function executeTrigger ($params)
function NewCaseImpersonate ($params)
{
G::LoadSystem('inputfilter');
$filter = new InputFilter();
ifSessionExpiredBreakThis( $params->sessionId );
$x = ifPermission( $params->sessionId, 'PM_CASES' );
if ($x == 0) {
@@ -254,6 +260,8 @@ function NewCaseImpersonate ($params)
foreach ($variables as $key => $val) {
$name = $val->name;
$value = $val->value;
$val->name = $filter->validateInput($val->name);
$val->value = $filter->validateInput($val->value);
eval( '$Fields[ ' . $val->name . ' ]= $val->value ;' );
}
$params->variables = $Fields;
@@ -265,6 +273,8 @@ function NewCase ($params)
{
G::LoadClass( 'wsBase' );
G::LoadClass( 'sessions' );
G::LoadSystem('inputfilter');
$filter = new InputFilter();
ifSessionExpiredBreakThis( $params->sessionId );
$x = ifPermission( $params->sessionId, 'PM_CASES' );
if ($x == 0) {
@@ -296,6 +306,8 @@ function NewCase ($params)
$name = $val->name;
$value = $val->value;
if (! is_object( $val->value )) {
$val->name = $filter->validateInput($val->name);
$val->value = $filter->validateInput($val->value);
eval( '$Fields[ ' . $val->name . ' ]= $val->value ;' );
} else {
if (is_array( $val->value->item )) {
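Review bot: `eval( '$Fields[ ' . $val->name . ' ]= $val->value ;' );` in `SendVariables`, `NewCaseImpersonate` and `NewCase` still builds PHP code from a SOAP-supplied variable name; `validateInput` narrows what reaches it, but the `eval` is not needed, since `$Fields[$val->name] = $val->value;` assigns the same key without interpreting the name as code (trim surrounding quotes first if callers are known to send quoted names). The same applies to `eval( "\$field[" . $val->name . "]= \$val->value;" );` in the next file of this commit, which becomes `$field[$val->name] = $val->value;`. All three functions start or end outside their hunks.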


@@ -689,6 +689,8 @@ function NewCaseImpersonate ($params)
function NewCase ($params)
{
G::LoadClass( "sessions" );
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$vsResult = isValidSession( $params->sessionId );
@@ -757,6 +759,8 @@ function NewCase ($params)
if (is_array( $variables )) {
foreach ($variables as $key => $val) {
if (! is_object( $val->value )) {
$val->name = $filter->validateInput($val->name);
$val->value = $filter->validateInput($val->value);
eval( "\$field[" . $val->name . "]= \$val->value;" );
}
}


@@ -1,6 +1,9 @@
<?php
require_once ('classes/model/AppCacheView.php');
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
$_GET = $filter->xssFilterHard($_GET);
$request = isset( $_POST['request'] ) ? $_POST['request'] : (isset( $_GET['request'] ) ? $_GET['request'] : null);
function testConnection($type, $server, $user, $passwd, $port = 'none', $dbName = "")
@@ -26,6 +29,8 @@ function testConnection($type, $server, $user, $passwd, $port = 'none', $dbName
G::LoadClass('net');
$Server = new NET($server);
G::LoadSystem('inputfilter');
$filter = new InputFilter();
if ($Server->getErrno() == 0) {
$Server->scannPort($port);
@@ -38,20 +43,29 @@ function testConnection($type, $server, $user, $passwd, $port = 'none', $dbName
if ($Server->errno == 0) {
$message = "";
$response = $Server->tryConnectServer($type);
$server = $filter->validateInput($server);
$user = $filter->validateInput($user);
$passwd = $filter->validateInput($passwd);
$connDatabase = @mysql_connect($server, $user, $passwd);
$dbNameTest = "PROCESSMAKERTESTDC";
$db = @mysql_query("CREATE DATABASE " . $dbNameTest, $connDatabase);
$dbNameTest = $filter->validateInput($dbNameTest, 'nosql');
$query = "CREATE DATABASE %s";
$query = $filter->preventSqlInjection($query, array($dbNameTest), $connDatabase);
$db = @mysql_query($query, $connDatabase);
$success = false;
if (!$db) {
$message = mysql_error();;
} else {
$usrTest = "wfrbtest";
$chkG = "GRANT ALL PRIVILEGES ON `" . $dbNameTest . "`.* TO " . $usrTest . "@'%' IDENTIFIED BY 'sample' WITH GRANT OPTION";
$chkG = "GRANT ALL PRIVILEGES ON `%s`.* TO %s@'%%' IDENTIFIED BY 'sample' WITH GRANT OPTION";
$chkG = $filter->preventSqlInjection($chkG, array($dbNameTest,$usrTest), $connDatabase);
$ch = @mysql_query($chkG, $connDatabase);
if (!$ch) {
$message = mysql_error();
} else {
$sqlCreateUser = "CREATE USER '" . $user . "_usertest'@'%' IDENTIFIED BY 'sample'";
$sqlCreateUser = "CREATE USER '%s'@'%%' IDENTIFIED BY '%s'";
$user = $filter->validateInput($user, 'nosql');
$sqlCreateUser = $filter->preventSqlInjection($sqlCreateUser, array($user."_usertest","sample"), $connDatabase);
$result = @mysql_query($sqlCreateUser, $connDatabase);
if (!$result) {
$message = mysql_error();
@@ -59,12 +73,20 @@ function testConnection($type, $server, $user, $passwd, $port = 'none', $dbName
$success = true;
$message = G::LoadTranslation('ID_SUCCESSFUL_CONNECTION');
}
$sqlDropUser = "DROP USER '" . $user . "_usertest'@'%'";
$sqlDropUser = "DROP USER '%s'@'%%'";
$user = $filter->validateInput($user, 'nosql');
$sqlDropUser = $filter->preventSqlInjection($sqlDropUser, array($user."_usertest"), $connDatabase);
@mysql_query($sqlDropUser, $connDatabase);
$sqlDropUser = "DROP USER %s@'%%'";
$usrTest = $filter->validateInput($usrTest, 'nosql');
$sqlDropUser = $filter->preventSqlInjection($sqlDropUser, array($usrTest), $connDatabase);
@mysql_query($sqlDropUser, $connDatabase);
@mysql_query("DROP USER " . $usrTest . "@'%'", $connDatabase);
}
@mysql_query("DROP DATABASE " . $dbNameTest, $connDatabase);
$sqlDropDb = "DROP DATABASE %s";
$dbNameTest = $filter->validateInput($dbNameTest, 'nosql');
$sqlDropDb = $filter->preventSqlInjection($sqlDropDb, array($dbNameTest), $connDatabase);
@mysql_query($sqlDropDb, $connDatabase);
}
return array($success, ($message != "")? $message : $Server->error);
} else {
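Review bot: `$passwd = $filter->validateInput($passwd);` and the `$server`/`$user` lines before `mysql_connect` change the credentials being tested: `mysql_connect` receives them as separate arguments, so there is no query to inject into there, and a password containing a character the filter alters now fails a connection that would otherwise succeed, reporting a false negative. The injection surface is the string queries, and those are now covered by `preventSqlInjection`; I would pass `$server`, `$user` and `$passwd` unfiltered to `mysql_connect`. `@mysql_query("DROP USER " . $usrTest . "@'%'", $connDatabase);` also appears next to its parameterised replacement — if that is not a removed line, the drop now runs twice. `testConnection` continues outside the hunk.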


@@ -21,6 +21,13 @@
* For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
if(isset($_SERVER['SERVER_NAME'])) {
$_SERVER['SERVER_NAME'] = $filter->xssFilterHard($_SERVER['SERVER_NAME']);
}
global $RBAC;
$RBAC->requirePermissions( 'PM_SETUP_ADVANCE' );


@@ -23,11 +23,16 @@
*/
try {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
G::LoadInclude( 'ajax' );
if (isset( $_POST['form'] )) {
$_POST = $_POST['form'];
}
$_POST['function'] = get_ajax_value( 'function' );
$_POST['function'] = $filter->xssFilterHard($_POST['function']);
switch ($_POST['function']) {
case 'savePredetermined':
require_once "classes/model/Translation.php";
@@ -155,16 +160,16 @@ try {
if($locale != "en"){ //Default Lengage 'en'
if($locale != SYS_LANG){ //Current lenguage
//THERE IS NO ANY CASE STARTED FROM THES LANGUAGE
if ($aRow[0] == 0) { //so we can delete this language
try {
Content::removeLanguageContent( $locale );
$trn->removeTranslationEnvironment( $locale );
echo G::LoadTranslation( 'ID_LANGUAGE_DELETED_SUCCESSFULLY' );
} catch (Exception $e) {
echo $e->getMessage();
}
} else {
echo str_replace( '{0}', $aRow[0], G::LoadTranslation( 'ID_LANGUAGE_CANT_DELETE' ) );
if ($aRow[0] == 0) { //so we can delete this language
try {
Content::removeLanguageContent( $locale );
$trn->removeTranslationEnvironment( $locale );
echo G::LoadTranslation( 'ID_LANGUAGE_DELETED_SUCCESSFULLY' );
} catch (Exception $e) {
echo $e->getMessage();
}
} else {
echo str_replace( '{0}', $aRow[0], G::LoadTranslation( 'ID_LANGUAGE_CANT_DELETE' ) );
}
} else {
echo str_replace( '{0}', $aRow[0], G::LoadTranslation( 'ID_LANGUAGE_CANT_DELETE_CURRENTLY' ) );
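Review bot: The block from `if ($aRow[0] == 0)` to its `else` is re-indented with no code change, which mixes a whitespace-only edit into a security fix and makes the real change in this file (the three filter lines and `$_POST['function'] = $filter->xssFilterHard($_POST['function']);`) harder to pick out. Keeping re-indentation in a separate commit would simplify review of the filter change. The `try` and `switch` enclosing both hunks start outside them.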


@@ -29,7 +29,10 @@ $pluginStatus = $_GET['status'];
$items = array ();
G::LoadClass( 'plugin' );
//here we are enabling or disabling the plugin and all related options registered.
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$path = PATH_PLUGINS . $pluginFile;
$path = $filter->validateInput($path, 'path');
$oPluginRegistry = & PMPluginRegistry::getSingleton();
@@ -69,7 +72,7 @@ if ($handle = opendir( PATH_PLUGINS )) {
}
/*----------------------------------********---------------------------------*/
//print "change to ENABLED";
require_once(PATH_PLUGINS . $pluginFile);
require_once($path);
$details = $oPluginRegistry->getPluginDetails($pluginFile);
$oPluginRegistry->enablePlugin($details->sNamespace);
$oPluginRegistry->setupPlugins(); //get and setup enabled plugins
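Review bot: `$path = $filter->validateInput($path, 'path');` validates the already-concatenated `PATH_PLUGINS . $pluginFile` rather than the untrusted component, and `getPluginDetails($pluginFile)` two lines after the `require_once` still receives the raw value. Checking `$pluginFile` itself — `basename($pluginFile) === $pluginFile`, or membership in the registry's known plugins — and then confirming `realpath($path)` starts with `PATH_PLUGINS` before `require_once($path)` keeps a request parameter from selecting a file outside the plugins directory. Where `$pluginFile` is assigned is outside the hunk.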


@@ -29,6 +29,12 @@
* @date Apr 5th, 2010
*/
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET['i18'] = $filter->xssFilterHard($_GET['i18']);
$_GET['newSite'] = $filter->xssFilterHard($_GET['newSite']);
$_GET['module'] = $filter->xssFilterHard($_GET['module']);
if (($RBAC_Response = $RBAC->userCanAccess( "PM_SETUP" )) != 1)
return $RBAC_Response;
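Review bot: `$_GET['i18']`, `$_GET['newSite']` and `$_GET['module']` are each read without `isset`, so a request that omits one raises a notice before the `PM_SETUP` check runs. Other files in this commit either filter the whole array, `$_GET = $filter->xssFilterHard($_GET);`, or wrap each key in `if (isset(...))`; either form keeps this file consistent with them.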


@@ -1,4 +1,8 @@
<?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_REQUEST = $filter->xssFilterHard($_REQUEST);
if (! isset( $_REQUEST['action'] )) {
$res['success'] = false;
$res['error'] = $res['message'] = G::LoadTranslation('ID_REQUEST_ACTION');
@@ -162,7 +166,7 @@ function newSkin ($baseSkin = 'classic')
$configFileFinal = PATH_CUSTOM_SKINS . $skinFolder . PATH_SEP . 'config.xml';
$xmlConfiguration = file_get_contents( $configFileOriginal );
$workspace = ($_REQUEST['workspace'] == 'global') ? '' : SYS_SYS;
$xmlConfigurationObj = G::xmlParser($xmlConfiguration);
@@ -360,6 +364,10 @@ function exportSkin ($skinToExport = "")
function deleteSkin ()
{
try {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_REQUEST['SKIN_FOLDER_ID'] = $filter->xssFilterHard($_REQUEST['SKIN_FOLDER_ID']);
if (! (isset( $_REQUEST['SKIN_FOLDER_ID'] ))) {
throw (new Exception( G::LoadTranslation( 'ID_SKIN_FOLDER_REQUIRED' ) ));
}
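Review bot: In `deleteSkin`, `$_REQUEST['SKIN_FOLDER_ID'] = $filter->xssFilterHard($_REQUEST['SKIN_FOLDER_ID']);` runs before the `isset` check that follows it, so the missing-parameter case raises a notice and then throws; moving the filter after the check, or relying on the whole-array `$_REQUEST = $filter->xssFilterHard($_REQUEST);` at the top of the file, removes both the notice and the duplicate work. Since the value presumably names the skin folder being removed, a `basename()`/no-separator check is the relevant validation rather than an XSS filter. The rest of `deleteSkin` is outside the hunk.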


@@ -23,6 +23,10 @@
*/
ini_set( "soap.wsdl_cache_enabled", "0" ); // enabling WSDL cache
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET);
//$_SESSION = $filter->xssFilterHard($_SESSION);
G::LoadClass( 'ArrayPeer' );
if ($RBAC->userCanAccess( 'PM_SETUP' ) != 1 && $RBAC->userCanAccess( 'PM_FACTORY' ) != 1) {
@@ -38,6 +42,8 @@ if ($_POST['action'] == '') {
$_POST['action'] = (isset( $_GET['action'] )) ? $_GET['action'] : '';
}
$_POST = $filter->xssFilterHard($_POST);
switch ($_POST['action']) {
case 'showForm':
global $G_PUBLISH;
@@ -1504,7 +1510,7 @@ try {
die();
break;
default:
$_POST = $filter->xssFilterHard($_POST);
print_r( $_POST );
}
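Review bot: The `default:` branch's `print_r( $_POST );` echoes the whole request back to the client for any unrecognised action, which is debug output in a setup page; answering with an error, e.g. `echo G::LoadTranslation('ID_REQUEST_ACTION');` as other files in this commit do, is preferable. `$_POST = $filter->xssFilterHard($_POST);` is also applied once before the `switch` and again inside `default:`, so the second call is redundant. The `try` around the `switch` starts outside the hunk.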
}


@@ -22,6 +22,10 @@
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/
try {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
if (isset( $_POST['form']['action'] )) {
$_POST['action'] = $_POST['form']['action'];
}


@@ -1,4 +1,13 @@
<?php
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_POST = $filter->xssFilterHard($_POST);
if(isset($_SESSION['USER_LOGGED'])) {
$_SESSION['USER_LOGGED'] = $filter->xssFilterHard($_SESSION['USER_LOGGED']);
}
if(isset($_SESSION['USR_USERNAME'])) {
$_SESSION['USR_USERNAME'] = $filter->xssFilterHard($_SESSION['USR_USERNAME']);
}
global $RBAC;
$result = new StdClass();


@@ -23,6 +23,12 @@
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/
try {
G::LoadSystem('inputfilter');
$filter = new InputFilter();
$_GET = $filter->xssFilterHard($_GET);
$_POST = $filter->xssFilterHard($_POST);
$_REQUEST = $filter->xssFilterHard($_REQUEST);
global $RBAC;
switch ($RBAC->userCanAccess('PM_LOGIN')) {
case - 2: