Fixed a security hole: any user was allowed to edit users and profiles, and therefore could give themselves admin rights - now, only admins are allowed to do that

Also added a debugging capability: user rights shown for any object class, on demand in URP_Users::DisplayBareRelations()

SVN:code[178]
This commit is contained in:
Romain Quetiez
2009-09-17 15:50:28 +00:00
parent d299fd451a
commit c641161e17
2 changed files with 61 additions and 20 deletions


@@ -78,7 +78,7 @@ class URP_Users extends UserRightsBaseClass
} }
} }
function DoShowGrantSumary($oPage) function DoShowGrantSumary($oPage, $sClassCategory)
{ {
$iUserId = $this->GetKey(); $iUserId = $this->GetKey();
if (UserRights::IsAdministrator($iUserId)) if (UserRights::IsAdministrator($iUserId))
@@ -89,17 +89,25 @@ class URP_Users extends UserRightsBaseClass
} }
$aDisplayData = array(); $aDisplayData = array();
foreach (MetaModel::GetClasses('bizmodel') as $sClass) foreach (MetaModel::GetClasses($sClassCategory) as $sClass)
{ {
$aStimuli = array(); $aClassStimuli = MetaModel::EnumStimuli($sClass);
foreach (MetaModel::EnumStimuli($sClass) as $sStimulusCode => $oStimulus) if (count($aClassStimuli) > 0)
{ {
if (UserRights::IsStimulusAllowed($sClass, $sStimulusCode, null, $iUserId)) $aStimuli = array();
foreach ($aClassStimuli as $sStimulusCode => $oStimulus)
{ {
$aStimuli[] = '<span title="'.$sStimulusCode.': '.htmlentities($oStimulus->Get('description')).'">'.htmlentities($oStimulus->Get('label')).'</span>'; if (UserRights::IsStimulusAllowed($sClass, $sStimulusCode, null, $iUserId))
{
$aStimuli[] = '<span title="'.$sStimulusCode.': '.htmlentities($oStimulus->Get('description')).'">'.htmlentities($oStimulus->Get('label')).'</span>';
}
} }
$sStimuli = implode(', ', $aStimuli);
}
else
{
$sStimuli = '<em title="no lifecycle has been defined for this class">n/a</em>';
} }
$sStimuli = implode(', ', $aStimuli);
$aDisplayData[] = array( $aDisplayData[] = array(
'class' => MetaModel::GetName($sClass), 'class' => MetaModel::GetName($sClass),
@@ -131,7 +139,22 @@ class URP_Users extends UserRightsBaseClass
$oPage->SetCurrentTabContainer('Related Objects'); $oPage->SetCurrentTabContainer('Related Objects');
$oPage->SetCurrentTab('Grants matrix'); $oPage->SetCurrentTab('Grants matrix');
$this->DoShowGrantSumary($oPage); $this->DoShowGrantSumary($oPage, 'bizmodel');
// debug
if (false)
{
$oPage->SetCurrentTab('More on user rigths (dev only)');
$oPage->add("<h3>User rights</h3>\n");
$this->DoShowGrantSumary($oPage, 'addon/userrights');
$oPage->add("<h3>Change log</h3>\n");
$this->DoShowGrantSumary($oPage, 'core/cmdb');
$oPage->add("<h3>Application</h3>\n");
$this->DoShowGrantSumary($oPage, 'application');
$oPage->add("<h3>GUI</h3>\n");
$this->DoShowGrantSumary($oPage, 'gui');
}
} }
} }
@@ -1008,8 +1031,6 @@ exit;
public function IsActionAllowed($iUserId, $sClass, $iActionCode, $oInstanceSet = null) public function IsActionAllowed($iUserId, $sClass, $iActionCode, $oInstanceSet = null)
{ {
if ($this->IsAdministrator($iUserId)) return true;
$oUser = $this->m_aUsers[$iUserId]; $oUser = $this->m_aUsers[$iUserId];
if (is_null($oInstanceSet)) if (is_null($oInstanceSet))
@@ -1051,8 +1072,6 @@ exit;
public function IsActionAllowedOnAttribute($iUserId, $sClass, $sAttCode, $iActionCode, $oInstanceSet = null) public function IsActionAllowedOnAttribute($iUserId, $sClass, $sAttCode, $iActionCode, $oInstanceSet = null)
{ {
if ($this->IsAdministrator($iUserId)) return true;
$oUser = $this->m_aUsers[$iUserId]; $oUser = $this->m_aUsers[$iUserId];
if (is_null($oInstanceSet)) if (is_null($oInstanceSet))
@@ -1134,8 +1153,6 @@ exit;
public function IsStimulusAllowed($iUserId, $sClass, $sStimulusCode, $oInstanceSet = null) public function IsStimulusAllowed($iUserId, $sClass, $sStimulusCode, $oInstanceSet = null)
{ {
if ($this->IsAdministrator($iUserId)) return true;
$oUser = $this->m_aUsers[$iUserId]; $oUser = $this->m_aUsers[$iUserId];
// Note: this code is VERY close to the code of IsActionAllowed() // Note: this code is VERY close to the code of IsActionAllowed()
@@ -1508,11 +1525,11 @@ class SetupITILProfiles
} }
protected static function DoCreateActionGrant($iProfile, $iAction, $sClass) protected static function DoCreateActionGrant($iProfile, $iAction, $sClass, $bPermission = true)
{ {
$oNewObj = MetaModel::NewObject("URP_ActionGrant"); $oNewObj = MetaModel::NewObject("URP_ActionGrant");
$oNewObj->Set('profileid', $iProfile); $oNewObj->Set('profileid', $iProfile);
$oNewObj->Set('permission', true); $oNewObj->Set('permission', $bPermission);
$oNewObj->Set('class', $sClass); $oNewObj->Set('class', $sClass);
$oNewObj->Set('action', self::$m_aActions[$iAction]); $oNewObj->Set('action', self::$m_aActions[$iAction]);
$iId = $oNewObj->DBInsertNoReload(); $iId = $oNewObj->DBInsertNoReload();
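Review bot: The add-on methods IsActionAllowed, IsActionAllowedOnAttribute and IsStimulusAllowed lose their `if ($this->IsAdministrator($iUserId)) return true;` short-circuit (the three hunks starting at old line 1008), so administrator handling now exists only in the UserRights facade and the add-on silently assumes every caller went through it; nothing in the new code records that contract, and what `$this->m_aUsers[$iUserId]` yields for an administrator who is absent from that map is not visible here. A one-line comment at the top of each, `// Administrators are resolved by the UserRights facade before delegation; this expects a non-admin user id and must not be called directly.`, would keep the next maintainer from bypassing the facade. In DisplayBareRelations the block under `if (false)` is dead code shipped with the tree, with 'rigths' misspelled in the tab label; tying it to a configuration or debug flag, or leaving it out of the commit, would be preferable. In DoShowGrantSumary `$sStimulusCode` is concatenated into the title attribute unescaped while the neighbouring description and label go through htmlentities(); wrapping it the same way keeps the output consistent. The bodies of all of these methods continue outside the hunks.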


@@ -206,16 +206,28 @@ class UserRights
public static function GetFilter($sClass) public static function GetFilter($sClass)
{ {
if (!MetaModel::HasCategory($sClass, 'bizmodel')) return new DBObjectSearch($sClass);
if (!self::CheckLogin()) return false; if (!self::CheckLogin()) return false;
if (self::IsAdministrator()) return new DBObjectSearch($sClass);
// this module is forbidden for non admins
if (MetaModel::HasCategory($sClass, 'addon/userrights')) return false;
// the rest is allowed (#@# to be improved)
if (!MetaModel::HasCategory($sClass, 'bizmodel')) return new DBObjectSearch($sClass);
return self::$m_oAddOn->GetFilter(self::$m_iUserId, $sClass); return self::$m_oAddOn->GetFilter(self::$m_iUserId, $sClass);
} }
public static function IsActionAllowed($sClass, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null, $iUserId = null) public static function IsActionAllowed($sClass, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null, $iUserId = null)
{ {
if (!MetaModel::HasCategory($sClass, 'bizmodel')) return true;
if (!self::CheckLogin()) return false; if (!self::CheckLogin()) return false;
if (self::IsAdministrator($iUserId)) return true;
// this module is forbidden for non admins
if (MetaModel::HasCategory($sClass, 'addon/userrights')) return false;
// the rest is allowed (#@# to be improved)
if (!MetaModel::HasCategory($sClass, 'bizmodel')) return true;
if (is_null($iUserId)) if (is_null($iUserId))
{ {
@@ -229,8 +241,14 @@ class UserRights
public static function IsStimulusAllowed($sClass, $sStimulusCode, /*dbObjectSet*/ $oInstanceSet = null, $iUserId = null) public static function IsStimulusAllowed($sClass, $sStimulusCode, /*dbObjectSet*/ $oInstanceSet = null, $iUserId = null)
{ {
if (!MetaModel::HasCategory($sClass, 'bizmodel')) return true;
if (!self::CheckLogin()) return false; if (!self::CheckLogin()) return false;
if (self::IsAdministrator($iUserId)) return true;
// this module is forbidden for non admins
if (MetaModel::HasCategory($sClass, 'addon/userrights')) return false;
// the rest is allowed (#@# to be improved)
if (!MetaModel::HasCategory($sClass, 'bizmodel')) return true;
if (is_null($iUserId)) if (is_null($iUserId))
{ {
@@ -244,8 +262,14 @@ class UserRights
public static function IsActionAllowedOnAttribute($sClass, $sAttCode, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null, $iUserId = null) public static function IsActionAllowedOnAttribute($sClass, $sAttCode, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null, $iUserId = null)
{ {
if (!MetaModel::HasCategory($sClass, 'bizmodel')) return true;
if (!self::CheckLogin()) return false; if (!self::CheckLogin()) return false;
if (self::IsAdministrator($iUserId)) return true;
// this module is forbidden for non admins
if (MetaModel::HasCategory($sClass, 'addon/userrights')) return false;
// the rest is allowed (#@# to be improved)
if (!MetaModel::HasCategory($sClass, 'bizmodel')) return true;
if (is_null($iUserId)) if (is_null($iUserId))
{ {
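Review bot: The new prologue in GetFilter, IsActionAllowed, IsStimulusAllowed and IsActionAllowedOnAttribute grants every logged-in user full access to any class that is outside 'bizmodel' and not in 'addon/userrights' (the line marked `// the rest is allowed (#@# to be improved)`), which is a deny-list: any category added later defaults to open, and this commit fixes the user-rights module precisely because it fell into that default. An allow-list naming the categories that are intentionally unrestricted would fail closed instead; if that is out of scope, the comment should at least state the intent, e.g. `// Classes outside 'bizmodel' are not profile-controlled: any logged-in user may use them (deny-list, see addon/userrights above)`. The same four lines are duplicated in all four methods, so the order (login, admin, user-rights deny, non-bizmodel allow) has to be kept in sync by hand; a single private helper that returns deny/allow/delegate for `($sClass, $iUserId)` would keep that ordering in one place. GetFilter mixes `false` and DBObjectSearch returns, which predates this change. The bodies of the three IsXxxAllowed methods continue outside the hunks.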