diff --git a/setup/ajax.dataloader.php b/setup/ajax.dataloader.php
index 381a3dcc6..0d03fc365 100644
--- a/setup/ajax.dataloader.php
+++ b/setup/ajax.dataloader.php
@@ -121,9 +121,11 @@ header("Expires: Fri, 17 Jul 1970 05:00:00 GMT"); // Date in the past
 $sOperation = Utils::ReadParam('operation', '');
 try
 {
- if (is_file(utils::GetConfigFilePath()) && !is_writable(utils::GetConfigFilePath()))
+ $sAuthent = utils::ReadParam('authent', '', false, 'raw_data');
+ if (!file_exists(APPROOT.'data/setup/authent') || $sAuthent !== file_get_contents(APPROOT.'data/setup/authent'))
 {
- throw new Exception('Setup operations are not allowed outside of the setup');
+ throw new SecurityException('Setup operations are not allowed outside of the setup');
+ SetupPage::log_error("Setup operations are not allowed outside of the setup");
 }
 switch($sOperation)
diff --git a/setup/setup.js b/setup/setup.js
index d81e013fe..1144936e9 100644
--- a/setup/setup.js
+++ b/setup/setup.js
@@ -2,8 +2,9 @@ function WizardAsyncAction(sActionCode, oParams, OnErrorFunction)
 {
 var sStepClass = $('#_class').val();
 var sStepState = $('#_state').val();
+ var sAuthent = $('#authent_token').val();
- var oMap = { operation: 'async_action', step_class: sStepClass, step_state: sStepState, code: sActionCode, params: oParams };
+ var oMap = { operation: 'async_action', step_class: sStepClass, step_state: sStepState, code: sActionCode, authent : sAuthent, params: oParams };
 var ErrorFn = OnErrorFunction;
 $(document).ajaxError(function(event, request, settings) {
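Review bot: The `SetupPage::log_error(...)` line added inside the new `if` block is unreachable because it follows `throw new SecurityException(...)`, so a rejected request is never logged; the log call has to come before the throw. The comparison `$sAuthent !== file_get_contents(...)` on the `if` line is also not a constant-time check of the secret, and an empty token file would accept an empty `authent` parameter since `'' !== ''` is false. Reading the file once, rejecting a non-string or empty expected value explicitly, and comparing with `hash_equals()` keeps the fail-closed behaviour without those gaps. The `try` block and the `switch` continue outside the hunk.
```php
	$sAuthent = utils::ReadParam('authent', '', false, 'raw_data');
	$sExpected = file_exists(APPROOT.'data/setup/authent') ? file_get_contents(APPROOT.'data/setup/authent') : false;
	if (!is_string($sAuthent) || !is_string($sExpected) || $sExpected === '' || !hash_equals($sExpected, $sAuthent))
	{
		SetupPage::log_error("Setup operations are not allowed outside of the setup");
		throw new SecurityException('Setup operations are not allowed outside of the setup');
	}
	// … unchanged: switch($sOperation) …
```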
@@ -23,20 +24,20 @@ function WizardUpdateButtons()
 {
 if (CanMoveForward())
 {
- $("#btn_next").removeAttr("disabled");
+ $("#btn_next").prop("disabled", false);
 }
 else
 {
- $("#btn_next").attr("disabled", "disabled");
+ $("#btn_next").prop("disabled", true);
 }
 if (CanMoveBackward())
 {
- $("#btn_back").removeAttr("disabled");
+ $("#btn_back").prop("disabled", false);
 }
 else
 {
- $("#btn_back").attr("disabled", "disabled");
+ $("#btn_back").prop("disabled", true);
 }
 }
diff --git a/setup/wizardsteps.class.inc.php b/setup/wizardsteps.class.inc.php
index e2fb58cd6..cd75dfd6b 100644
--- a/setup/wizardsteps.class.inc.php
+++ b/setup/wizardsteps.class.inc.php
@@ -57,6 +57,13 @@ class WizStepWelcome extends WizardStep
 public function ProcessParams($bMoveForward = true)
 {
+ if (!file_exists(APPROOT.'data/setup'))
+ {
+ mkdir(APPROOT.'data/setup');
+ }
+ $sUID = hash('sha256', rand());
+ file_put_contents(APPROOT.'data/setup/authent', $sUID);
+ $this->oWizard->SetParameter('authent', $sUID);
 return array('class' => 'WizStepInstallOrUpgrade', 'state' => '');
 }
@@ -284,6 +291,8 @@ class WizStepInstallOrUpgrade extends WizardStep
 $oPage->add('
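Review bot: The token written by `ProcessParams` is `hash('sha256', rand())`, and `rand()` is not a cryptographic source — its output is a small integer, so the resulting digest is drawn from a small, enumerable set rather than a 256-bit space; `bin2hex(random_bytes(32))` (PHP 7.0+) yields an unpredictable token of the same hex shape. The return values of `mkdir(...)` and `file_put_contents(...)` are not checked, so a failed write still stores `$sUID` in the wizard and the later check in ajax.dataloader.php fails closed with no indication of why; a failed write should be reported. The file is created with the process umask, which commonly leaves it readable by other local accounts, whereas restricting it to the owner (`0600`) limits who can read the token. I cannot see from this diff whether `data/setup/authent` is removed once the setup completes; if it is not, the token remains valid for the ajax endpoint indefinitely.
```php
	public function ProcessParams($bMoveForward = true)
	{
		if (!file_exists(APPROOT.'data/setup') && !mkdir(APPROOT.'data/setup', 0700))
		{
			throw new Exception('Cannot create the setup data directory');
		}
		$sUID = bin2hex(random_bytes(32));
		if (file_put_contents(APPROOT.'data/setup/authent', $sUID) === false)
		{
			throw new Exception('Cannot write the setup authentication token');
		}
		chmod(APPROOT.'data/setup/authent', 0600);
		// … unchanged: SetParameter('authent', $sUID) and return …
```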