diff --git a/core/test.class.inc.php b/core/test.class.inc.php index 34455dde8..437dcafc0 100644 --- a/core/test.class.inc.php +++ b/core/test.class.inc.php @@ -218,6 +218,7 @@ abstract class TestWebServices extends TestHandler static protected function DoPostRequestAuth($sRelativeUrl, $aData, $sLogin = 'admin', $sPassword = 'admin', $sOptionnalHeaders = null) { $aDataAndAuth = $aData; +// To be changed to use basic authentication $aDataAndAuth['operation'] = 'login'; $aDataAndAuth['auth_user'] = $sLogin; $aDataAndAuth['auth_pwd'] = $sPassword; diff --git a/dictionaries/dictionary.itop.ui.php b/dictionaries/dictionary.itop.ui.php index 1843b9f3b..16cd28c60 100644 --- a/dictionaries/dictionary.itop.ui.php +++ b/dictionaries/dictionary.itop.ui.php @@ -383,6 +383,7 @@ Dict::Add('EN US', 'English', 'English', array( 'UI:Error:ObjectsAlreadyDeleted' => 'Error: objects have already been deleted!', 'UI:Error:BulkDeleteNotAllowedOn_Class' => 'You are not allowed to perform a bulk delete of objects of class %1$s', 'UI:Error:DeleteNotAllowedOn_Class' => 'You are not allowed to delete objects of class %1$s', + 'UI:Error:BulkModifyNotAllowedOn_Class' => 'You are not allowed to perform a bulk update of objects of class %1$s', 'UI:Error:ObjectAlreadyCloned' => 'Error: the object has already been cloned!', 'UI:Error:ObjectAlreadyCreated' => 'Error: the object has already been created!', 'UI:Error:Invalid_Stimulus_On_Object_In_State' => 'Error: invalid stimulus "%1$s" on object %2$s in state "%3$s".', diff --git a/dictionaries/es_cr.dictionary.itop.ui.php b/dictionaries/es_cr.dictionary.itop.ui.php index 983a83910..b76596c44 100644 --- a/dictionaries/es_cr.dictionary.itop.ui.php +++ b/dictionaries/es_cr.dictionary.itop.ui.php @@ -392,6 +392,7 @@ Dict::Add('ES CR', 'Spanish', 'Español, Castellano', array( 'UI:Error:ObjectsAlreadyDeleted' => 'Error: objects have already been deleted!', 'UI:Error:BulkDeleteNotAllowedOn_Class' => 'You are not allowed to perform a bulk delete of objects of class %1$s', 'UI:Error:DeleteNotAllowedOn_Class' => 'You are not allowed to delete objects of class %1$s', + 'UI:Error:BulkModifyNotAllowedOn_Class' => 'You are not allowed to perform a bulk update of objects of class %1$s', 'UI:Error:ObjectAlreadyCloned' => 'Error: the object has already been cloned!', 'UI:Error:ObjectAlreadyCreated' => 'Error: the object has already been created!', 'UI:Error:Invalid_Stimulus_On_Object_In_State' => 'Error: invalid stimulus "%1$s" on object %2$s in state "%3$s".', diff --git a/dictionaries/fr.dictionary.itop.ui.php b/dictionaries/fr.dictionary.itop.ui.php index 5521f4572..363f3cedb 100644 --- a/dictionaries/fr.dictionary.itop.ui.php +++ b/dictionaries/fr.dictionary.itop.ui.php @@ -385,6 +385,7 @@ Dict::Add('FR FR', 'French', 'Français', array( 'UI:Error:ObjectsAlreadyDeleted' => 'Erreur: les objets ont déjà été supprimés !', 'UI:Error:BulkDeleteNotAllowedOn_Class' => 'Vous n\'êtes pas autorisé à faire une suppression massive sur les objets de type %1$s', 'UI:Error:DeleteNotAllowedOn_Class' => 'Vous n\'êtes pas autorisé supprimer des objets de type %1$s', + 'UI:Error:BulkModifyNotAllowedOn_Class' => 'Vous n\'êtes pas autorisé à faire une modification massive sur les objets de type %1$s', 'UI:Error:ObjectAlreadyCloned' => 'Erreur: l\'objet a déjà été dupliqué !', 'UI:Error:ObjectAlreadyCreated' => 'Erreur: l\'objet a déjà été créé !', 'UI:Error:Invalid_Stimulus_On_Object_In_State' => 'Erreur: le stimulus "%1$s" n\'est pas valide pour l\'objet %2$s dans l\'état "%3$s".', diff --git a/pages/UI.php b/pages/UI.php index 9668b103a..c47b5b6a9 100644 --- a/pages/UI.php +++ b/pages/UI.php @@ -993,7 +993,7 @@ try } if (!UserRights::IsActionAllowed($sClass, UR_ACTION_BULK_DELETE, DBObjectSet::FromArray($sClass, $aObjects))) { - throw new SecurityException(Dict::S('UI:Error:BulkDeleteNotAllowedOn_Class'), $sClass); + throw new SecurityException(Dict::Format('UI:Error:BulkDeleteNotAllowedOn_Class', $sClass)); } $oP->set_title(Dict::S('UI:BulkDeletePageTitle')); DeleteObjects($oP, $sClass, $aObjects, ($operation == 'bulk_delete_confirmed')); @@ -1008,7 +1008,7 @@ try if (!UserRights::IsActionAllowed($sClass, UR_ACTION_MODIFY, DBObjectSet::FromObject($oObj))) { - throw new SecurityException(Dict::S('UI:Error:DeleteNotAllowedOn_Class'), $sClass); + throw new SecurityException(Dict::Format('UI:Error:DeleteNotAllowedOn_Class', $sClass)); } DeleteObjects($oP, $sClass, array($oObj), ($operation == 'delete_confirmed')); break; diff --git a/pages/testlist.inc.php b/pages/testlist.inc.php index fef0f683e..55c8872d5 100644 --- a/pages/testlist.inc.php +++ b/pages/testlist.inc.php @@ -1226,7 +1226,10 @@ class TestImportREST extends TestWebServices $aGetParamReport[] = $sArg.'='.$sValue; } $sGetParams = implode('&', $aGetParams); - $sRes = self::DoPostRequestAuth('../webservices/import.php?'.$sGetParams, $aPostData); + $sLogin = isset($aLoadSpec['login']) ? $aLoadSpec['login'] : 'admin'; + $sPassword = isset($aLoadSpec['password']) ? $aLoadSpec['password'] : 'admin'; + + $sRes = self::DoPostRequestAuth('../webservices/import.php?'.$sGetParams, $aPostData, $sLogin, $sPassword); $sArguments = implode('
', $aGetParamReport); @@ -1240,15 +1243,15 @@ class TestImportREST extends TestWebServices } echo "
\n"; - echo "
\n"; + echo "
\n"; echo " $sArguments\n"; echo "
\n"; - echo "
\n"; + echo "
\n"; echo " 
$sCsvDataViewable
\n"; echo "
\n"; echo "
\n"; - echo "
$sRes
\n"; + echo "
$sRes
\n"; echo "
\n"; } @@ -1259,12 +1262,16 @@ class TestImportREST extends TestWebServices $aLoads = array( array( 'desc' => 'Missing class', + 'login' => 'admin', + 'password' => 'admin', 'args' => array( ), 'csvdata' => "xxx", ), array( 'desc' => 'Wrong class', + 'login' => 'admin', + 'password' => 'admin', 'args' => array( 'class' => 'toto', ), @@ -1272,6 +1279,8 @@ class TestImportREST extends TestWebServices ), array( 'desc' => 'Wrong output type', + 'login' => 'admin', + 'password' => 'admin', 'args' => array( 'class' => 'NetworkDevice', 'output' => 'onthefly', @@ -1280,6 +1289,8 @@ class TestImportREST extends TestWebServices ), array( 'desc' => 'Wrong report level', + 'login' => 'admin', + 'password' => 'admin', 'args' => array( 'class' => 'NetworkDevice', 'reportlevel' => 'errors|ouarnings|changed', @@ -1288,6 +1299,8 @@ class TestImportREST extends TestWebServices ), array( 'desc' => 'Weird format, working anyhow...', + 'login' => 'admin', + 'password' => 'admin', 'args' => array( 'class' => 'Server', 'output' => 'details', @@ -1302,6 +1315,8 @@ class TestImportREST extends TestWebServices ), array( 'desc' => 'Load an organization', + 'login' => 'admin', + 'password' => 'admin', 'args' => array( 'class' => 'Organization', 'output' => 'details', @@ -1311,6 +1326,8 @@ class TestImportREST extends TestWebServices ), array( 'desc' => 'Load a location', + 'login' => 'admin', + 'password' => 'admin', 'args' => array( 'class' => 'Location', 'output' => 'details', @@ -1320,6 +1337,8 @@ class TestImportREST extends TestWebServices ), array( 'desc' => 'Load a person', + 'login' => 'admin', + 'password' => 'admin', 'args' => array( 'class' => 'Person', 'output' => 'details', @@ -1329,6 +1348,8 @@ class TestImportREST extends TestWebServices ), array( 'desc' => 'Load a person - wrong email format', + 'login' => 'admin', + 'password' => 'admin', 'args' => array( 'class' => 'Person', 'output' => 'details', @@ -1338,6 +1359,8 @@ class TestImportREST extends TestWebServices ), array( 'desc' => 'Load a team', + 'login' => 'admin', + 'password' => 'admin', 'args' => array( 'class' => 'Team', 'output' => 'details', @@ -1347,15 +1370,19 @@ class TestImportREST extends TestWebServices ), array( 'desc' => 'Load server', + 'login' => 'admin', + 'password' => 'admin', 'args' => array( 'class' => 'Server', 'output' => 'details', 'reconciliationkeys' => '', ), - 'csvdata' => "name;status;owner_name;location_name;os_family;os_version;management_ip;cpu;ram;brand;model;serial_number\nlocalhost.;production;Demo;Grenoble;Ubuntu 9.10;2.6.31-19-generic-#56-Ubuntu SMP Thu Jan 28 01:26:53 UTC 2010;16.16.230.232;Intel(R) Core(TM)2 Duo CPU T7100 @ 1.80GHz;2005;Hewlett-Packard;HP Compaq 6510b (GM108UC#ABF);CNU7370BNP", + 'csvdata' => "name;status;owner_name;location_name;location_id->org_name;os_family;os_version;management_ip;cpu;ram;brand;model;serial_number\nlocalhost.;production;Demo;Grenoble;Demo;Ubuntu 9.10;2.6.31-19-generic-#56-Ubuntu SMP Thu Jan 28 01:26:53 UTC 2010;16.16.230.232;Intel(R) Core(TM)2 Duo CPU T7100 @ 1.80GHz;2005;Hewlett-Packard;HP Compaq 6510b (GM108UC#ABF);CNU7370BNP", ), array( 'desc' => 'Load NW if', + 'login' => 'admin', + 'password' => 'admin', 'args' => array( 'class' => 'NetworkInterface', 'output' => 'details', @@ -1366,6 +1393,8 @@ class TestImportREST extends TestWebServices // Data Bruno array( 'desc' => 'Load NW devices from real life', + 'login' => 'admin', + 'password' => 'admin', 'args' => array( 'class' => 'NetworkDevice', 'output' => 'details', @@ -1377,6 +1406,8 @@ class TestImportREST extends TestWebServices ), array( 'desc' => 'Load NW ifs', + 'login' => 'admin', + 'password' => 'admin', 'args' => array( 'class' => 'NetworkInterface', 'output' => 'details', @@ -1389,6 +1420,8 @@ class TestImportREST extends TestWebServices ), array( 'desc' => 'The simplest data load', + 'login' => 'admin', + 'password' => 'admin', 'args' => array( 'class' => 'Location', 'output' => 'details', @@ -1397,6 +1430,8 @@ class TestImportREST extends TestWebServices ), array( 'desc' => 'The simplest data load + org', + 'login' => 'admin', + 'password' => 'admin', 'args' => array( 'class' => 'Location', 'output' => 'details', @@ -1405,6 +1440,8 @@ class TestImportREST extends TestWebServices ), array( 'desc' => 'The simplest data load + org (name)', + 'login' => 'admin', + 'password' => 'admin', 'args' => array( 'class' => 'Location', 'output' => 'details', @@ -1413,6 +1450,8 @@ class TestImportREST extends TestWebServices ), array( 'desc' => 'The simplest data load + org (code)', + 'login' => 'admin', + 'password' => 'admin', 'args' => array( 'class' => 'Location', 'output' => 'details', @@ -1421,6 +1460,8 @@ class TestImportREST extends TestWebServices ), array( 'desc' => 'Ouput: summary', + 'login' => 'admin', + 'password' => 'admin', 'args' => array( 'class' => 'Location', 'output' => 'summary', @@ -1429,6 +1470,8 @@ class TestImportREST extends TestWebServices ), array( 'desc' => 'Ouput: retcode', + 'login' => 'admin', + 'password' => 'admin', 'args' => array( 'class' => 'Location', 'output' => 'retcode', @@ -1437,23 +1480,29 @@ class TestImportREST extends TestWebServices ), array( 'desc' => 'Error in reconciliation list', + 'login' => 'admin', + 'password' => 'admin', 'args' => array( 'class' => 'Location', 'output' => 'details', 'reconciliationkeys' => 'org_id', ), - 'csvdata' => "name\nParis", + 'csvdata' => "org_name;name\nDemo;Paris", ), array( 'desc' => 'Error in attribute list that does not allow to compute reconciliation scheme', + 'login' => 'admin', + 'password' => 'admin', 'args' => array( 'class' => 'Location', 'output' => 'details', ), - 'csvdata' => "country\nFrance", + 'csvdata' => "org_name;country\nDemo;France", ), array( 'desc' => 'Error in attribute list - case A', + 'login' => 'admin', + 'password' => 'admin', 'args' => array( 'class' => 'Location', 'output' => 'details', @@ -1462,6 +1511,8 @@ class TestImportREST extends TestWebServices ), array( 'desc' => 'Error in attribute list - case B1 (key->attcode)', + 'login' => 'admin', + 'password' => 'admin', 'args' => array( 'class' => 'Location', 'output' => 'details', @@ -1470,6 +1521,8 @@ class TestImportREST extends TestWebServices ), array( 'desc' => 'Error in attribute list - case B2 (key->attcode)', + 'login' => 'admin', + 'password' => 'admin', 'args' => array( 'class' => 'Location', 'output' => 'details', @@ -1478,22 +1531,26 @@ class TestImportREST extends TestWebServices ), array( 'desc' => 'Always changing... special comment in change tracking', + 'login' => 'admin', + 'password' => 'admin', 'args' => array( 'class' => 'Location', 'output' => 'details', 'comment' => 'automated testing' ), - 'csvdata' => "name;address\nLe pantheon;Addresse bidon:".((string)microtime(true)), + 'csvdata' => "org_name;name;address\nDemo;Le pantheon;Addresse bidon:".((string)microtime(true)), ), array( 'desc' => 'Always changing... but "simulate"', + 'login' => 'admin', + 'password' => 'admin', 'args' => array( 'class' => 'Location', 'output' => 'details', 'simulate' => '1', 'comment' => 'SHOULD NEVER APPEAR IN THE HISTORY' ), - 'csvdata' => "name;address\nLe pantheon;restore address?", + 'csvdata' => "org_name;name;address\nDemo;Le pantheon;restore address?", ), ); diff --git a/webservices/import.php b/webservices/import.php index a0436130c..89998fb16 100644 --- a/webservices/import.php +++ b/webservices/import.php @@ -179,6 +179,7 @@ if (false && utils::IsModeCLI()) } else { + $_SESSION['login_mode'] = 'basic'; require_once('../application/loginwebpage.class.inc.php'); LoginWebPage::DoLogin(); // Check user rights and prompt if needed @@ -247,6 +248,15 @@ try $bSimulate = false; } + ////////////////////////////////////////////////// + // + // Security + // + if (!UserRights::IsActionAllowed($sClass, UR_ACTION_BULK_MODIFY)) + { + throw new SecurityException(Dict::Format('UI:Error:BulkModifyNotAllowedOn_Class', $sClass)); + } + ////////////////////////////////////////////////// // // Parse first line, check attributes, analyse the request @@ -339,12 +349,6 @@ try $sReconcKeys = implode(',', $aReconcSpec); } -if (false) -{ -echo "Reconciliation keys
";
-print_r($sReconcKeys);
-throw new BulkLoadException("testing");
-}
 	// Interpret the list of reconciliation keys
 	//
 	$aFinalReconcilKeys = array();
@@ -438,7 +442,7 @@ throw new BulkLoadException("testing");
 		{
 			$sMoreInfo = 'Web Service (CSV)';
 		}
-		$oMyChange->Set("userinfo", $sUserString.' '.$sMoreInfo);
+		$oMyChange->Set("userinfo", $sUserString.', '.$sMoreInfo);
 		$iChangeId = $oMyChange->DBInsert();
 	}
 
@@ -614,6 +618,10 @@ catch(BulkLoadException $e)
 {
 	$oP->add_comment($e->getMessage());		
 }
+catch(SecurityException $e)
+{
+	$oP->add_comment($e->getMessage());		
+}
 catch(Exception $e)
 {
 	$oP->add_comment((string)$e);