Merge pull request #2467 from marcoAntonioNina/BUG-14986

BUG-14986 Authorization Bypass via Forceful Browsing IMPROVEMENT
2014-06-24 14:19:32 -04:00
parent 6ef94d6cb2 2cdd7c1a02
commit c6f926ef83
11 changed files with 32 additions and 0 deletions
--- a/workflow/engine/methods/cases/cases_Scheduler_Log.php
+++ b/workflow/engine/methods/cases/cases_Scheduler_Log.php
@@ -22,9 +22,11 @@
 * For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 */
+global $RBAC;
 if (($RBAC_Response = $RBAC->userCanAccess( "PM_LOGIN" )) != 1) {
    return $RBAC_Response;
 }
+$RBAC->requirePermissions( 'PM_SETUP' );

 $G_PUBLISH = new Publisher();
 G::LoadClass( 'configuration' );
--- a/workflow/engine/methods/processes/mainInit.php
+++ b/workflow/engine/methods/processes/mainInit.php
@@ -23,6 +23,8 @@
 */

 //$oHeadPublisher = & headPublisher::getSingleton();
+global $RBAC;
+$RBAC->requirePermissions( 'PM_FACTORY' );

 G::loadClass( 'configuration' );
 $conf = new Configurations();
--- a/workflow/engine/methods/setup/appCacheViewConf.php
+++ b/workflow/engine/methods/setup/appCacheViewConf.php
@@ -1,4 +1,6 @@
 <?php
+global $RBAC;
+$RBAC->requirePermissions( 'PM_SETUP' );
 //  header('Pragma: no-cache');
 //  header('Cache-Control: no-store, no-cache, must-revalidate');

--- a/workflow/engine/methods/setup/clearCompiled.php
+++ b/workflow/engine/methods/setup/clearCompiled.php
@@ -21,6 +21,8 @@
 * For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 */
+global $RBAC;
+$RBAC->requirePermissions( 'PM_SETUP' );

 $oHeadPublisher = & headPublisher::getSingleton();
 $oHeadPublisher->addExtJsScript( 'setup/clearCompiled', true ); //adding a javascript file .js
--- a/workflow/engine/methods/setup/environmentSettings.php
+++ b/workflow/engine/methods/setup/environmentSettings.php
@@ -1,4 +1,7 @@
 <?php
+global $RBAC;
+$RBAC->requirePermissions( 'PM_SETUP' );
+
 G::loadClass( 'configuration' );
 $c = new Configurations();
 $oHeadPublisher = & headPublisher::getSingleton();
--- a/workflow/engine/methods/setup/loginSettings.php
+++ b/workflow/engine/methods/setup/loginSettings.php
@@ -21,6 +21,9 @@
 * For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 */
+global $RBAC;
+$RBAC->requirePermissions( 'PM_SETUP' );
+ 
 G::loadClass( 'configuration' );
 $oConf = new Configurations();

--- a/workflow/engine/methods/setup/pluginsMain.php
+++ b/workflow/engine/methods/setup/pluginsMain.php
@@ -21,6 +21,8 @@
 * For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 */
+global $RBAC;
+$RBAC->requirePermissions( 'PM_SETUP' );

 $headPublisher = & headPublisher::getSingleton();
 $headPublisher->addExtJsScript( 'setup/pluginsMain', false );
--- a/workflow/engine/methods/setup/processHeartBeatConfig.php
+++ b/workflow/engine/methods/setup/processHeartBeatConfig.php
@@ -21,6 +21,9 @@
 * For more information, contact Colosa Inc, 2566 Le Jeune Rd.,
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 */
+global $RBAC;
+$RBAC->requirePermissions( 'PM_SETUP' );
+
 $oHeadPublisher = & headPublisher::getSingleton();
 G::LoadClass( 'serverConfiguration' );
 $oServerConf = & serverConf::getSingleton();
--- a/workflow/engine/methods/setup/systemInfo.php
+++ b/workflow/engine/methods/setup/systemInfo.php
@@ -1,4 +1,7 @@
 <?php
+global $RBAC;
+$RBAC->requirePermissions( 'PM_SETUP' );
+
 $option = (isset($_GET["option"]))? $_GET["option"] : null;

 switch ($option) {