PPortal web page improvements: protected update feature (class/attcodes explicitely restricted)

SVN:trunk[1324]
Romain Quetiez
2011-07-04 09:54:58 +00:00
parent 5ff5ea71de
commit c7fbe56423
2 changed files with 23 additions and 8 deletions


@@ -2156,9 +2156,9 @@ EOF
$aErrors = array();
if (!is_array($aAttList))
{
$sAttList = $this->FlattenZList(MetaModel::GetZListItems(get_class($this), 'details'));
$aAttList = $this->FlattenZList(MetaModel::GetZListItems(get_class($this), 'details'));
}
foreach($sAttList as $sAttCode)
foreach($aAttList as $sAttCode)
{
$oAttDef = MetaModel::GetAttributeDef(get_class($this), $sAttCode);
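Review bot: The contract of `$aAttList` is now security-relevant, since the portal's restricted update passes it in, but nothing in the hunk documents that `null` means every attribute of the 'details' zlist, a non-empty array restricts the update to exactly those codes, and an empty array updates nothing (the `is_array` check at the top lets `array()` through and the loop then runs zero times). A comment above the `if (!is_array($aAttList))` line, `// null = all 'details' attributes; an explicit array restricts the update to those codes (an empty array updates nothing)`, would make that visible to callers. Each code in a caller-supplied list reaches `MetaModel::GetAttributeDef` unchecked, so an attcode that does not exist on the class is presumably reported by that call rather than here — worth confirming. The enclosing method starts and ends outside the hunk.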


@@ -561,9 +561,10 @@ EOF
/**
* Updates the object form POSTED arguments, and writes it into the DB (applies a stimuli if requested)
* @param DBObject $oObj The object to update
* $param array $aAttList If set, this will limit the list of updated attributes
* @return void
*/
public function DoUpdateObjectFromPostedForm(DBObject $oObj)
public function DoUpdateObjectFromPostedForm(DBObject $oObj, $aAttList = null)
{
$sTransactionId = utils::ReadPostedParam('transaction_id', '');
if (!utils::IsTransactionValid($sTransactionId))
@@ -573,10 +574,7 @@ EOF
$sClass = get_class($oObj);
// TODO - Secure this: specify the list of attributes that can be updated
// the list must correspond to the attributes proposed in the form
$oObj->UpdateObject(/* Form prefix */);
$oObj->UpdateObject('' /* form prefix */, $aAttList);
// Optional: apply a stimulus
//
@@ -606,7 +604,7 @@ EOF
* @param WebPage $oP The current page
* @return DBObject The found object, or throws an exception in case of failure
*/
public function FindObjectFromArgs()
public function FindObjectFromArgs($aAllowedClasses = null)
{
$sClass = utils::ReadParam('class', '');
$iId = utils::ReadParam('id', 0);
@@ -623,6 +621,23 @@ EOF
{
throw new Exception("Missing argument 'id'");
}
if(!is_null($aAllowedClasses))
{
$bAllowed = false;
foreach($aAllowedClasses as $sParentClass)
{
if (MetaModel::IsParentClass($sParentClass, $sClass))
{
$bAllowed = true;
}
}
if (!$bAllowed)
{
throw new Exception("Class '$sClass not allowed in this implementation'");
}
}
$oObj = MetaModel::GetObject($sClass, $iId, false);
if (!is_object($oObj))
{
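Review bot: The quotes in the new exception message are misplaced: `throw new Exception("Class '$sClass not allowed in this implementation'");` puts the closing quote at the end of the sentence instead of after the class name, so the line should read `throw new Exception("Class '$sClass' not allowed in this implementation");`. The loop can also stop at the first match, `$bAllowed = true; break;`, and since `$sClass` is read straight from the request a few lines above, the message echoes caller-supplied text — acceptable only if the exception is never rendered into the page unescaped, which this hunk does not show. The restriction itself only applies when a caller passes `$aAllowedClasses`; with the `null` default, and likewise the `$aAttList = null` default added to `DoUpdateObjectFromPostedForm` in the hunk at 561, behaviour stays as permissive as before, so every caller of the protected update path has to opt in explicitly. The new parameter is also undocumented while the docblock still lists a `$oP` parameter the method does not take; `@param array|null $aAllowedClasses Classes accepted for 'class' (presumably matched via MetaModel::IsParentClass); null disables the check` would describe it. FindObjectFromArgs starts outside this hunk.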