composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-02-13 07:24:13 +01:00
Code Issues Packages Projects Releases Wiki Activity

N°2323 - Fix calls to ajax endpoints

Browse Source 
(cherry picked from commit c723d19e01)
This commit is contained in:
Eric
2019-06-17 15:47:37 +02:00
parent f1e4d94499
commit 5102b113ed
2 changed files with 16 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
pages/ajax.document.php
View File

@@ -54,7 +54,7 @@ try
{
case 'download_document':
// Fixing security hole from bug N°1227, disabling by default attachment from legacy portal.
$sRequestedPortalId = ((MetaModel::GetConfig()->Get('disable_attachments_download_legacy_portal') === true) && ($sClass === 'Attachment')) ? 'backoffice' : null;
$sRequestedPortalId = (MetaModel::GetConfig()->Get('disable_attachments_download_legacy_portal') === true) ? 'backoffice' : null;
LoginWebPage::DoLoginEx($sRequestedPortalId, false);
$id = utils::ReadParam('id', '');
$sField = utils::ReadParam('field', '');

17
pages/ajax.render.php
View File

@@ -51,13 +51,26 @@ try
require_once(APPROOT.'/application/user.preferences.class.inc.php');
require_once(APPROOT.'/application/loginwebpage.class.inc.php');
LoginWebPage::DoLoginEx(null /* any portal */, false);
$operation = utils::ReadParam('operation', '');
// Only allow export functions to portal users
switch ($operation)
{
case 'export_build':
case 'export_cancel':
case 'export_download':
$sRequestedPortalId = null;
break;
default:
$sRequestedPortalId = (MetaModel::GetConfig()->Get('disable_attachments_download_legacy_portal') === true) ? 'backoffice' : null;
}
LoginWebPage::DoLoginEx($sRequestedPortalId, false);
$oPage = new ajax_page("");
$oPage->no_cache();
$operation = utils::ReadParam('operation', '');
$sFilter = utils::ReadParam('filter', '', false, 'raw_data');
$sEncoding = utils::ReadParam('encoding', 'serialize');
$sClass = utils::ReadParam('class', 'MissingAjaxParam', false, 'class');