fernando/luos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/feature/HOR-3559' into feature/HOR-3629

Browse Source
This commit is contained in:
Ronald Quenta
2017-08-09 08:13:09 -04:00
parent 14e81863d2 b839a247d9
commit c6142eafe5
9 changed files with 701 additions and 584 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
gulliver/system/class.g.php
View File

@@ -1989,7 +1989,7 @@ class G
*
* @return void
*/
public function SendTemporalMessage ($msgID, $strType, $sType = 'LABEL', $time = null, $width = null, $customLabels = null)
public static function SendTemporalMessage ($msgID, $strType, $sType = 'LABEL', $time = null, $width = null, $customLabels = null)
{
if (isset( $width )) {
$_SESSION['G_MESSAGE_WIDTH'] = $width;

11
gulliver/system/class.rbac.php
View File

@@ -25,6 +25,9 @@
* Coral Gables, FL, 33134, USA, or email info@colosa.com.
*
*/
use ProcessMaker\Exception\RBACException;
/**
* File: $Id$
*
@@ -148,8 +151,11 @@ class RBAC
),
'newSite.php' => array(
'newSite.php' => array('PM_SETUP_ADVANCE')
),
'emailsAjax.php' => array(
'MessageList' => array('PM_SETUP', 'PM_SETUP_LOGS'),
'updateStatusMessage' => array('PM_SETUP', 'PM_SETUP_LOGS'),
)
);
}
@@ -1546,8 +1552,7 @@ class RBAC
}
if (!$access) {
G::header('Location: /errors/error403.php');
die();
throw new RBACException('ID_ACCESS_DENIED', 403);
}
}
}

53
workflow/engine/classes/model/ListParticipatedLast.php
View File

@@ -49,19 +49,24 @@ class ListParticipatedLast extends BaseListParticipatedLast
$data['DEL_CURRENT_USR_FIRSTNAME'] = $aRow['USR_FIRSTNAME'];
$data['DEL_CURRENT_USR_LASTNAME'] = $aRow['USR_LASTNAME'];
$data['DEL_CURRENT_TAS_TITLE'] = $data['APP_TAS_TITLE'];
$currentInformation = array(
'DEL_CURRENT_USR_USERNAME' => $data['DEL_CURRENT_USR_USERNAME'],
'DEL_CURRENT_USR_FIRSTNAME' => $data['DEL_CURRENT_USR_FIRSTNAME'],
'DEL_CURRENT_USR_LASTNAME' => $data['DEL_CURRENT_USR_LASTNAME'],
'DEL_CURRENT_TAS_TITLE' => $data['APP_TAS_TITLE']
);
}
} else {
$getData['USR_UID'] = $data['USR_UID_CURRENT'];
$getData['APP_UID'] = $data['APP_UID'];
$row = $this->getRowFromList($getData);
if (is_array($row) && sizeof($row)) {
$set = array(
$currentInformation = array(
'DEL_CURRENT_USR_USERNAME' => '',
'DEL_CURRENT_USR_FIRSTNAME' => '',
'DEL_CURRENT_USR_LASTNAME' => '',
'APP_TAS_TITLE' => $data['APP_TAS_TITLE'],
'DEL_CURRENT_TAS_TITLE' => $data['APP_TAS_TITLE'], );
$this->updateCurrentUser($row, $set);
'DEL_CURRENT_TAS_TITLE' => $data['APP_TAS_TITLE']
);
}
}
@@ -84,6 +89,9 @@ class ListParticipatedLast extends BaseListParticipatedLast
if (!empty($data['APP_STATUS'])) {
$data['APP_STATUS_ID'] = Application::$app_status_values[$data['APP_STATUS']];
}
//We will update the current information
$this->updateCurrentInfoByAppUid($data['APP_UID'], $currentInformation);
$con = Propel::getConnection(ListParticipatedLastPeer::DATABASE_NAME);
try {
$this->fromArray($data, BasePeer::TYPE_FIELDNAME);
@@ -103,6 +111,27 @@ class ListParticipatedLast extends BaseListParticipatedLast
}
}
/**
* This function update the row related to the appUid with the current information
* @param string $appUid
* @param array $currentInformation
* @return void
*/
private function updateCurrentInfoByAppUid($appUid, $currentInformation)
{
//Update - WHERE
$criteriaWhere = new Criteria('workflow');
$criteriaWhere->add(ListParticipatedLastPeer::APP_UID, $appUid, Criteria::EQUAL);
//Update - SET
$criteriaSet = new Criteria('workflow');
$criteriaSet->add(ListParticipatedLastPeer::DEL_CURRENT_USR_USERNAME, $currentInformation['DEL_CURRENT_USR_USERNAME']);
$criteriaSet->add(ListParticipatedLastPeer::DEL_CURRENT_USR_FIRSTNAME, $currentInformation['DEL_CURRENT_USR_FIRSTNAME']);
$criteriaSet->add(ListParticipatedLastPeer::DEL_CURRENT_USR_LASTNAME, $currentInformation['DEL_CURRENT_USR_LASTNAME']);
$criteriaSet->add(ListParticipatedLastPeer::DEL_CURRENT_TAS_TITLE, $currentInformation['DEL_CURRENT_TAS_TITLE']);
BasePeer::doUpdate($criteriaWhere, $criteriaSet, Propel::getConnection('workflow'));
}
/**
* Update List Participated History Table.
*
@@ -448,22 +477,6 @@ class ListParticipatedLast extends BaseListParticipatedLast
return false;
}
public function updateCurrentUser($where, $set)
{
$con = Propel::getConnection('workflow');
//Update - WHERE
$criteriaWhere = new Criteria('workflow');
$criteriaWhere->add(ListParticipatedLastPeer::APP_UID, $where['APP_UID'], Criteria::EQUAL);
$criteriaWhere->add(ListParticipatedLastPeer::USR_UID, $where['USR_UID'], Criteria::EQUAL);
$criteriaWhere->add(ListParticipatedLastPeer::DEL_INDEX, $where['DEL_INDEX'], Criteria::EQUAL);
//Update - SET
$criteriaSet = new Criteria('workflow');
foreach ($set as $k => $v) {
eval('$criteriaSet->add( ListParticipatedLastPeer::'.$k.',$v, Criteria::EQUAL);');
}
BasePeer::doUpdate($criteriaWhere, $criteriaSet, $con);
}
/**
* Returns the number of cases of a user.
*

32
workflow/engine/controllers/pmTables.php
View File

@@ -152,6 +152,11 @@ class pmTables extends Controller
$sFileName = $httpData->f;
$realPath = $PUBLIC_ROOT_PATH . $sFileName;
if ($this->isValidFileToBeStreamed($sFileName) === false) {
throw new Exception("You are trying to access an unauthorized resource.");
}
G::streamFile( $realPath, true );
unlink( $realPath );
}
@@ -206,5 +211,32 @@ class pmTables extends Controller
$tableSize = $tableSize - 8; // Prefix PMT_
return $tableSize;
}
/**
* Validates if the file with the $fileName is a valid one,
* that is, it must be a file without relative references that
* can open a door to get some unauthorized system file and
* must have one of the valid file extensions.
*
* @param $fileName, emporal file name that will be streamed
* @return bool
*/
private function isValidFileToBeStreamed($fileName)
{
$result = true;
$validExtensionsForExporting = ['csv', 'pmt'];
$pathInfo = pathinfo($fileName);
if ($pathInfo['dirname'] !== '.') {
$result = false;
}
if (!in_array($pathInfo['extension'], $validExtensionsForExporting)) {
$result = false;
}
return $result;
}
}

21
workflow/engine/methods/login/login.php
View File

@@ -36,10 +36,23 @@ if ($browserSupported==false){
/*----------------------------------********---------------------------------*/
$aFields = array();
if (!isset($_GET['u'])) {
$aFields['URL'] = '';
} else {
$aFields['URL'] = htmlspecialchars(addslashes(stripslashes(strip_tags(trim(urldecode($_GET['u']))))));
//Validated redirect url
$aFields['URL'] = '';
if (!empty($_GET['u'])) {
//clean url with protocols
$flagUrl = true;
//Most used protocols
$protocols = ['https://', 'http://', 'ftp://', 'sftp://','smb://', 'file:', 'mailto:'];
foreach ($protocols as $protocol) {
if (strpos($_GET['u'], $protocol) !== false) {
$_GET['u'] = '';
$flagUrl = false;
break;
}
}
if ($flagUrl) {
$aFields['URL'] = htmlspecialchars(addslashes(stripslashes(strip_tags(trim(urldecode($_GET['u']))))));
}
}
if (!isset($_SESSION['G_MESSAGE'])) {

143
workflow/engine/methods/mails/emailsAjax.php
View File

@@ -1,26 +1,34 @@
<?php
use ProcessMaker\Plugins\PluginRegistry;
use ProcessMaker\Exception\RBACException;
$req = (isset($_POST['request']))? $_POST['request']:((isset($_REQUEST['request']))? $_REQUEST['request'] : 'No hayyy tal');
$req = (isset($_REQUEST['request']) ? $_REQUEST['request'] : '');
require_once 'classes/model/Content.php';
require_once 'classes/model/AppMessage.php';
require_once 'classes/model/AppDelegation.php';
require_once 'classes/model/Application.php';
/** @var RBAC $RBAC */
global $RBAC;
switch ($RBAC->userCanAccess('PM_LOGIN')) {
case -2:
throw new RBACException('ID_USER_HAVENT_RIGHTS_SYSTEM', -2);
break;
case -1:
throw new RBACException('ID_USER_HAVENT_RIGHTS_PAGE', -1);
break;
}
$RBAC->allows(basename(__FILE__), $req);
switch($req){
switch ($req) {
case 'MessageList':
$start = (isset($_REQUEST['start']))? $_REQUEST['start'] : '0';
$limit = (isset($_REQUEST['limit']))? $_REQUEST['limit'] : '25';
$proUid = (isset($_REQUEST['process']))? $_REQUEST['process'] : '';
$eventype = (isset($_REQUEST['type']))? $_REQUEST['type'] : '';
$emailStatus = (isset($_REQUEST['status']))? $_REQUEST['status'] : '';
$sort = isset($_REQUEST['sort']) ? $_REQUEST['sort'] : '';
$dir = isset($_REQUEST['dir']) ? $_REQUEST['dir'] : 'ASC';
$dateFrom = isset( $_POST["dateFrom"] ) ? substr( $_POST["dateFrom"], 0, 10 ) : "";
$dateTo = isset( $_POST["dateTo"] ) ? substr( $_POST["dateTo"], 0, 10 ) : "";
$filterBy = (isset($_REQUEST['filterBy']))? $_REQUEST['filterBy'] : 'ALL';
$start = (isset($_REQUEST['start'])) ? $_REQUEST['start'] : '0';
$limit = (isset($_REQUEST['limit'])) ? $_REQUEST['limit'] : '25';
$proUid = (isset($_REQUEST['process'])) ? $_REQUEST['process'] : '';
$eventype = (isset($_REQUEST['type'])) ? $_REQUEST['type'] : '';
$emailStatus = (isset($_REQUEST['status'])) ? $_REQUEST['status'] : '';
$sort = isset($_REQUEST['sort']) ? $_REQUEST['sort'] : '';
$dir = isset($_REQUEST['dir']) ? $_REQUEST['dir'] : 'ASC';
$dateFrom = isset($_POST["dateFrom"]) ? substr($_POST["dateFrom"], 0, 10) : "";
$dateTo = isset($_POST["dateTo"]) ? substr($_POST["dateTo"], 0, 10) : "";
$filterBy = (isset($_REQUEST['filterBy'])) ? $_REQUEST['filterBy'] : 'ALL';
$response = new stdclass();
$response->status = 'OK';
@@ -31,10 +39,10 @@ switch($req){
$criteria->addJoin(AppMessagePeer::APP_UID, ApplicationPeer::APP_UID, Criteria::LEFT_JOIN);
if ($emailStatus != '') {
$criteria->add( AppMessagePeer::APP_MSG_STATUS, $emailStatus);
$criteria->add(AppMessagePeer::APP_MSG_STATUS, $emailStatus);
}
if ($proUid != '') {
$criteria->add( ApplicationPeer::PRO_UID, $proUid);
$criteria->add(ApplicationPeer::PRO_UID, $proUid);
}
$arrayType = [];
@@ -74,14 +82,14 @@ switch($req){
$dateTo = $dateTo . " 23:59:59";
}
$criteria->add( $criteria->getNewCriterion( AppMessagePeer::APP_MSG_DATE, $dateFrom, Criteria::GREATER_EQUAL )->addAnd( $criteria->getNewCriterion( AppMessagePeer::APP_MSG_DATE, $dateTo, Criteria::LESS_EQUAL ) ) );
$criteria->add($criteria->getNewCriterion(AppMessagePeer::APP_MSG_DATE, $dateFrom, Criteria::GREATER_EQUAL)->addAnd($criteria->getNewCriterion(AppMessagePeer::APP_MSG_DATE, $dateTo, Criteria::LESS_EQUAL)));
} else {
$dateFrom = $dateFrom . " 00:00:00";
$criteria->add( AppMessagePeer::APP_MSG_DATE, $dateFrom, Criteria::GREATER_EQUAL );
$criteria->add(AppMessagePeer::APP_MSG_DATE, $dateFrom, Criteria::GREATER_EQUAL);
}
} elseif ($dateTo != "") {
$dateTo = $dateTo . " 23:59:59";
$criteria->add( AppMessagePeer::APP_MSG_DATE, $dateTo, Criteria::LESS_EQUAL );
$criteria->add(AppMessagePeer::APP_MSG_DATE, $dateTo, Criteria::LESS_EQUAL);
}
//Number records total
@@ -119,10 +127,10 @@ switch($req){
$criteria->addSelectColumn(ProcessPeer::PRO_TITLE);
if ($emailStatus != '') {
$criteria->add( AppMessagePeer::APP_MSG_STATUS, $emailStatus);
$criteria->add(AppMessagePeer::APP_MSG_STATUS, $emailStatus);
}
if ($proUid != '') {
$criteria->add( ApplicationPeer::PRO_UID, $proUid);
$criteria->add(ApplicationPeer::PRO_UID, $proUid);
}
switch ($filterBy) {
@@ -153,24 +161,27 @@ switch($req){
$dateTo = $dateTo . " 23:59:59";
}
$criteria->add( $criteria->getNewCriterion( AppMessagePeer::APP_MSG_DATE, $dateFrom, Criteria::GREATER_EQUAL )->addAnd( $criteria->getNewCriterion( AppMessagePeer::APP_MSG_DATE, $dateTo, Criteria::LESS_EQUAL ) ) );
$criteria->add($criteria->getNewCriterion(AppMessagePeer::APP_MSG_DATE, $dateFrom, Criteria::GREATER_EQUAL)->addAnd($criteria->getNewCriterion(AppMessagePeer::APP_MSG_DATE, $dateTo, Criteria::LESS_EQUAL)));
} else {
$dateFrom = $dateFrom . " 00:00:00";
$criteria->add( AppMessagePeer::APP_MSG_DATE, $dateFrom, Criteria::GREATER_EQUAL );
$criteria->add(AppMessagePeer::APP_MSG_DATE, $dateFrom, Criteria::GREATER_EQUAL);
}
} elseif ($dateTo != "") {
$dateTo = $dateTo . " 23:59:59";
$criteria->add( AppMessagePeer::APP_MSG_DATE, $dateTo, Criteria::LESS_EQUAL );
$criteria->add(AppMessagePeer::APP_MSG_DATE, $dateTo, Criteria::LESS_EQUAL);
}
if ($sort != '') {
if (!in_array($sort, AppMessagePeer::getFieldNames(BasePeer::TYPE_FIELDNAME))) {
throw new Exception(G::LoadTranslation('ID_INVALID_VALUE_FOR', array('$sort')));
}
if ($dir == 'ASC') {
$criteria->addAscendingOrderByColumn($sort);
} else {
$criteria->addDescendingOrderByColumn($sort);
}
} else {
$oCriteria->addDescendingOrderByColumn(AppMessagePeer::APP_MSG_SEND_DATE );
$oCriteria->addDescendingOrderByColumn(AppMessagePeer::APP_MSG_SEND_DATE);
}
if ($limit != '') {
$criteria->setLimit($limit);
@@ -188,60 +199,60 @@ switch($req){
$index = 1;
$content = new Content();
$tasTitleDefault = G::LoadTranslation('ID_TASK_NOT_RELATED');
while ( $result->next() ) {
while ($result->next()) {
$row = $result->getRow();
$row['APP_MSG_FROM'] =htmlentities($row['APP_MSG_FROM'], ENT_QUOTES, "UTF-8");
$row['APP_MSG_STATUS'] = ucfirst ( $row['APP_MSG_STATUS']);
$row['APP_MSG_FROM'] = htmlentities($row['APP_MSG_FROM'], ENT_QUOTES, "UTF-8");
$row['APP_MSG_STATUS'] = ucfirst($row['APP_MSG_STATUS']);
switch ($filterBy) {
case 'CASES':
if ($row['DEL_INDEX'] != 0) {
$index = $row['DEL_INDEX'];
}
case 'CASES':
if ($row['DEL_INDEX'] != 0) {
$index = $row['DEL_INDEX'];
}
$criteria = new Criteria();
$criteria = new Criteria();
$criteria->addSelectColumn(AppCacheViewPeer::APP_TITLE);
$criteria->addSelectColumn(AppCacheViewPeer::APP_TAS_TITLE);
$criteria->add(AppCacheViewPeer::APP_UID, $row['APP_UID'], Criteria::EQUAL);
$criteria->add(AppCacheViewPeer::DEL_INDEX, $index, Criteria::EQUAL);
$criteria->addSelectColumn(AppCacheViewPeer::APP_TITLE);
$criteria->addSelectColumn(AppCacheViewPeer::APP_TAS_TITLE);
$criteria->add(AppCacheViewPeer::APP_UID, $row['APP_UID'], Criteria::EQUAL);
$criteria->add(AppCacheViewPeer::DEL_INDEX, $index, Criteria::EQUAL);
$resultCacheView = AppCacheViewPeer::doSelectRS($criteria);
$resultCacheView->setFetchmode(ResultSet::FETCHMODE_ASSOC);
$resultCacheView = AppCacheViewPeer::doSelectRS($criteria);
$resultCacheView->setFetchmode(ResultSet::FETCHMODE_ASSOC);
$row['APP_TITLE'] = '-';
$row['APP_TITLE'] = '-';
while ($resultCacheView->next()) {
$rowCacheView = $resultCacheView->getRow();
$row['APP_TITLE'] = $rowCacheView['APP_TITLE'];
$row['TAS_TITLE'] = $rowCacheView['APP_TAS_TITLE'];
}
while ($resultCacheView->next()) {
$rowCacheView = $resultCacheView->getRow();
$row['APP_TITLE'] = $rowCacheView['APP_TITLE'];
$row['TAS_TITLE'] = $rowCacheView['APP_TAS_TITLE'];
}
if ($row['DEL_INDEX'] == 0) {
$row['TAS_TITLE'] = $tasTitleDefault;
}
break;
case 'TEST':
$row['PRO_UID'] = '';
$row['APP_NUMBER'] = '';
$row['PRO_TITLE'] = '';
$row['APP_TITLE'] = '';
$row['TAS_TITLE'] = '';
break;
case 'EXTERNAL-REGISTRATION':
$row['PRO_UID'] = '';
$row['APP_NUMBER'] = '';
$row['PRO_TITLE'] = '';
$row['APP_TITLE'] = '';
$row['TAS_TITLE'] = '';
break;
if ($row['DEL_INDEX'] == 0) {
$row['TAS_TITLE'] = $tasTitleDefault;
}
break;
case 'TEST':
$row['PRO_UID'] = '';
$row['APP_NUMBER'] = '';
$row['PRO_TITLE'] = '';
$row['APP_TITLE'] = '';
$row['TAS_TITLE'] = '';
break;
case 'EXTERNAL-REGISTRATION':
$row['PRO_UID'] = '';
$row['APP_NUMBER'] = '';
$row['PRO_TITLE'] = '';
$row['APP_TITLE'] = '';
$row['TAS_TITLE'] = '';
break;
}
$data[] = $row;
}
$response = array();
$response['totalCount'] = $totalCount;
$response['data'] = $data;
$response['data'] = $data;
die(G::json_encode($response));
break;
case 'updateStatusMessage':

962
workflow/engine/src/ProcessMaker/BusinessModel/User.php
View File

File diff suppressed because it is too large Load Diff

59
workflow/engine/src/ProcessMaker/Exception/RBACException.php Normal file
View File

@@ -0,0 +1,59 @@
<?php
namespace ProcessMaker\Exception;
use G;
/**
* Class PMException
* @package ProcessMaker\Exception
*/
class RBACException extends \Exception
{
const PM_LOGIN = '../login/login';
const PM_403 = '/errors/error403.php';
/**
* RBACException constructor.
* @param string $message
* @param null $code
*/
public function __construct($message, $code=NULL)
{
parent::__construct($message, $code);
}
/**
* Displays the entire exception as a string
* @return string
*/
public function __toString()
{
switch ($this->getCode()) {
case -1:
G::SendTemporalMessage($this->getMessage(), 'error', 'labels');
$message = self::PM_LOGIN;
break;
case -2:
G::SendTemporalMessage($this->getMessage(), 'error', 'labels');
$message = self::PM_LOGIN;
break;
case 403:
$message = self::PM_403;
break;
default:
$message = self::PM_LOGIN;
break;
}
return $message;
}
/**
* Returns the path to which to redirect
* @return $this
*/
public function getPath()
{
return $this;
}
}

2
workflow/public_html/app.php
View File

@@ -53,6 +53,8 @@ try {
break;
}
} catch (ProcessMaker\Exception\RBACException $e) {
G::header('location: ' . $e->getPath());
} catch (Exception $e) {
$view = new Maveriks\Pattern\Mvc\PhtmlView($rootDir . "framework/src/templates/Exception.phtml");
$view->set("message", $e->getMessage());