Implemented security in import.php

SVN:trunk[834]
2026-04-23 18:48:51 +02:00 · 2010-09-13 09:30:56 +00:00
parent 6b78832b00
commit 6d0bc6d2c7
7 changed files with 87 additions and 18 deletions
--- a/webservices/import.php
+++ b/webservices/import.php
@@ -179,6 +179,7 @@ if (false && utils::IsModeCLI())
 }
 else
 {
+	$_SESSION['login_mode'] = 'basic';
 	require_once('../application/loginwebpage.class.inc.php');
 	LoginWebPage::DoLogin(); // Check user rights and prompt if needed

@@ -247,6 +248,15 @@ try
 		$bSimulate = false;
 	}

+	//////////////////////////////////////////////////
+	//
+	// Security
+	//
+	if (!UserRights::IsActionAllowed($sClass, UR_ACTION_BULK_MODIFY))
+	{
+		throw new SecurityException(Dict::Format('UI:Error:BulkModifyNotAllowedOn_Class', $sClass));
+	}
+
 	//////////////////////////////////////////////////
 	//
 	// Parse first line, check attributes, analyse the request
@@ -339,12 +349,6 @@ try
 		$sReconcKeys = implode(',', $aReconcSpec);
 	}

-if (false)
-{
-echo "Reconciliation keys<pre class=\"vardump\">";
-print_r($sReconcKeys);
-throw new BulkLoadException("testing");
-}
 	// Interpret the list of reconciliation keys
 	//
 	$aFinalReconcilKeys = array();
@@ -438,7 +442,7 @@ throw new BulkLoadException("testing");
 		{
 			$sMoreInfo = 'Web Service (CSV)';
 		}
-		$oMyChange->Set("userinfo", $sUserString.' '.$sMoreInfo);
+		$oMyChange->Set("userinfo", $sUserString.', '.$sMoreInfo);
 		$iChangeId = $oMyChange->DBInsert();
 	}

@@ -614,6 +618,10 @@ catch(BulkLoadException $e)
 {
 	$oP->add_comment($e->getMessage());		
 }
+catch(SecurityException $e)
+{
+	$oP->add_comment($e->getMessage());		
+}
 catch(Exception $e)
 {
 	$oP->add_comment((string)$e);