N°1974 - Fix: Stimuli can be applied through URL even if the access rights are set to deny

This commit is contained in:
Eric
2019-02-20 16:11:49 +01:00
parent a89bca4626
commit 48f15d7781
3 changed files with 18 additions and 2 deletions


@@ -775,7 +775,7 @@ Dict::Add('EN US', 'English', 'English', array(
'UI:Title:DeletionOf_Object' => 'Deletion of %1$s',
'UI:Title:BulkDeletionOf_Count_ObjectsOf_Class' => 'Bulk deletion of %1$d objects of class %2$s',
'UI:Delete:NotAllowedToDelete' => 'You are not allowed to delete this object',
'UI:Delete:NotAllowedToUpdate_Fields' => 'You are not allowed to update the following field(s): %1$s',
'UI:Error:ActionNotAllowed' => 'You are not allowed to do this action',
'UI:Error:NotEnoughRightsToDelete' => 'This object could not be deleted because the current user do not have sufficient rights',
'UI:Error:CannotDeleteBecause' => 'This object could not be deleted because: %1$s',
'UI:Error:CannotDeleteBecauseOfDepencies' => 'This object could not be deleted because some manual operations must be performed prior to that',


@@ -758,6 +758,7 @@ Dict::Add('FR FR', 'French', 'Français', array(
'UI:Title:BulkDeletionOf_Count_ObjectsOf_Class' => 'Suppression massive de %1$d objets de type %2$s',
'UI:Delete:NotAllowedToDelete' => 'Vous n\'êtes pas autorisé à supprimer cet objet',
'UI:Delete:NotAllowedToUpdate_Fields' => 'Vous n\'êtes pas autorisé à mettre à jour les champs suivants : %1$s',
'UI:Error:ActionNotAllowed' => 'Vous n\'êtes pas autorisé à effectuer cette action',
'UI:Error:NotEnoughRightsToDelete' => 'Cet objet ne peut pas être supprimé car l\'utilisateur courant n\'a pas les droits nécessaires.',
'UI:Error:CannotDeleteBecause' => 'Cet objet ne peut pas être effacé. Raison: %1$s',
'UI:Error:CannotDeleteBecauseOfDepencies' => 'Cet objet ne peut pas être supprimé, des opérations manuelles sont nécessaire avant sa suppression.',


@@ -1497,7 +1497,15 @@ EOF
{
throw new ApplicationException(Dict::Format('UI:Error:3ParametersMissing', 'class', 'id', 'stimulus'));
}
$oObj = MetaModel::GetObject($sClass, $id, false);
$aStimuli = MetaModel::EnumStimuli($sClass);
if ((get_class($aStimuli[$sStimulus]) !== 'StimulusUserAction') || (UserRights::IsStimulusAllowed($sClass, $sStimulus) === UR_ALLOWED_NO))
{
$sUser = UserRights::GetUser();
IssueLog::Error("UI.php '$operation' : Stimulus '$sStimulus' not allowed ! data: user='$sUser', class='$sClass'");
throw new ApplicationException(Dict::S('UI:Error:ActionNotAllowed'));
}
$oObj = MetaModel::GetObject($sClass, $id, false);
if ($oObj != null)
{
$aPrefillFormParam = array( 'user' => $_SESSION["auth_user"],
@@ -1545,6 +1553,13 @@ EOF
$sMessage = Dict::S('UI:Error:ObjectAlreadyUpdated');
$sSeverity = 'info';
}
elseif ((get_class($aStimuli[$sStimulus]) !== 'StimulusUserAction') || (UserRights::IsStimulusAllowed($sClass, $sStimulus) === UR_ALLOWED_NO))
{
$sUser = UserRights::GetUser();
IssueLog::Error("UI.php '$operation' : Stimulus '$sStimulus' not allowed ! data: user='$sUser', class='$sClass'");
$sMessage = Dict::S('UI:Error:ActionNotAllowed');
$sSeverity = 'error';
}
else
{
$sActionLabel = $aStimuli[$sStimulus]->GetLabel();
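Review bot: The new guard `if ((get_class($aStimuli[$sStimulus]) !== 'StimulusUserAction') || (UserRights::IsStimulusAllowed($sClass, $sStimulus) === UR_ALLOWED_NO))` indexes `$aStimuli` with the request-supplied stimulus before checking that the key exists, so an unknown stimulus reaches `get_class()` with an undefined value and the deny then depends on how `get_class()` treats a non-object (a warning plus a non-string result) rather than on an explicit test. Check membership first, e.g. `if (!isset($aStimuli[$sStimulus]) || (get_class($aStimuli[$sStimulus]) !== 'StimulusUserAction') || (UserRights::IsStimulusAllowed($sClass, $sStimulus) === UR_ALLOWED_NO))`, and apply the same to the `elseif ((get_class($aStimuli[$sStimulus]) ...` line in the second hunk. Because the condition and the IssueLog line are now repeated verbatim in both hunks, a small helper such as `IsStimulusUserActionAllowed($sClass, $sStimulus)` returning bool would keep the two authorization paths from drifting apart. Both IssueLog calls also write the raw request values into the log line; if `$sStimulus` and `$sClass` are not already filtered where they are read (outside the hunk), stripping line breaks before logging keeps each entry to one line. The `$aStimuli` read in the second hunk relies on an assignment outside the hunk, and both enclosing `case` blocks start and end outside what is shown.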