From c7fbe564239b008fcc99a7baafddc195d09bb5dc Mon Sep 17 00:00:00 2001
From: Romain Quetiez
Date: Mon, 4 Jul 2011 09:54:58 +0000
Subject: [PATCH] PPortal web page improvements: protected update feature (class/attcodes explicitely restricted)

SVN:trunk[1324]
---
 application/cmdbabstract.class.inc.php | 4 ++--
 application/portalwebpage.class.inc.php | 27 +++++++++++++++++++------
 2 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/application/cmdbabstract.class.inc.php b/application/cmdbabstract.class.inc.php
index 189d8921a..0621b96ff 100644
--- a/application/cmdbabstract.class.inc.php
+++ b/application/cmdbabstract.class.inc.php
@@ -2156,9 +2156,9 @@ EOF
 $aErrors = array();
 if (!is_array($aAttList))
 {
- $sAttList = $this->FlattenZList(MetaModel::GetZListItems(get_class($this), 'details'));
+ $aAttList = $this->FlattenZList(MetaModel::GetZListItems(get_class($this), 'details'));
 }
- foreach($sAttList as $sAttCode)
+ foreach($aAttList as $sAttCode)
 {
 $oAttDef = MetaModel::GetAttributeDef(get_class($this), $sAttCode);
diff --git a/application/portalwebpage.class.inc.php b/application/portalwebpage.class.inc.php
index 059913333..430543852 100644
--- a/application/portalwebpage.class.inc.php
+++ b/application/portalwebpage.class.inc.php
@@ -561,9 +561,10 @@ EOF
 /**
 * Updates the object form POSTED arguments, and writes it into the DB (applies a stimuli if requested)
 * @param DBObject $oObj The object to update
+ * $param array $aAttList If set, this will limit the list of updated attributes
 * @return void
 */
- public function DoUpdateObjectFromPostedForm(DBObject $oObj)
+ public function DoUpdateObjectFromPostedForm(DBObject $oObj, $aAttList = null)
 {
 $sTransactionId = utils::ReadPostedParam('transaction_id', '');
 if (!utils::IsTransactionValid($sTransactionId))
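Review bot: The new docblock line in the DoUpdateObjectFromPostedForm hunk is written as `$param array $aAttList ...`, so documentation tools will not read it as a parameter tag; it should be ` * @param array $aAttList If set, this will limit the list of updated attributes`. It would also help to state what the omitted argument means: per the cmdbabstract hunk, a non-array value falls back to the full 'details' zlist, so `null` means every attribute of that list is written from the posted data. The body of DoUpdateObjectFromPostedForm continues outside the hunk.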
@@ -573,10 +574,7 @@ EOF
 $sClass = get_class($oObj);
-
- // TODO - Secure this: specify the list of attributes that can be updated
- // the list must correspond to the attributes proposed in the form
- $oObj->UpdateObject(/* Form prefix */);
+ $oObj->UpdateObject('' /* form prefix */, $aAttList);
 // Optional: apply a stimulus
 //
@@ -606,7 +604,7 @@ EOF
 * @param WebPage $oP The current page
 * @return DBObject The found object, or throws an exception in case of failure
 */
- public function FindObjectFromArgs()
+ public function FindObjectFromArgs($aAllowedClasses = null)
 {
 $sClass = utils::ReadParam('class', '');
 $iId = utils::ReadParam('id', 0);
@@ -623,6 +621,23 @@ EOF
 {
 throw new Exception("Missing argument 'id'");
 }
+
+ if(!is_null($aAllowedClasses))
+ {
+ $bAllowed = false;
+ foreach($aAllowedClasses as $sParentClass)
+ {
+ if (MetaModel::IsParentClass($sParentClass, $sClass))
+ {
+ $bAllowed = true;
+ }
+ }
+ if (!$bAllowed)
+ {
+ throw new Exception("Class '$sClass not allowed in this implementation'");
+ }
+ }
+
 $oObj = MetaModel::GetObject($sClass, $iId, false);
 if (!is_object($oObj))
 {
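Review bot: Passing `$aAttList` straight through in `$oObj->UpdateObject('' /* form prefix */, $aAttList);` only restricts the update when the caller supplies a list; with the default `null`, the fallback visible in the cmdbabstract hunk still writes every attribute of the 'details' zlist from posted values, which is the situation the removed TODO described. Since the TODO is gone, the opt-in nature of the restriction is worth recording where the parameter is documented, e.g. `// null: every attribute of the 'details' zlist is taken from the posted form; pass the attcodes actually exposed by the form to restrict it`. The enclosing function starts and ends outside this hunk.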
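Review bot: The FindObjectFromArgs signature gains `$aAllowedClasses = null`, but the docblock just above it is not updated, and its existing `@param WebPage $oP` line describes a parameter the method does not take. Replace that line with ` * @param array $aAllowedClasses If set, the 'class' argument must be one of these classes or a subclass, otherwise an exception is thrown`, which matches the check added in the following hunk. The method body continues past this hunk.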
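Review bot: The exception message in the new allowed-classes block has its closing quote misplaced — `"Class '$sClass not allowed in this implementation'"` — so the class name is never closed; it should read `throw new Exception("Class '$sClass' not allowed in this implementation");`. Note that `$sClass` comes straight from the request (`utils::ReadParam('class', '')` in the previous hunk) and is echoed verbatim into the message, so whatever renders this exception has to escape it for its output context. The check also runs only when `$aAllowedClasses` is non-null, so callers keeping the default still get any class that `MetaModel::GetObject` accepts; and a `break;` after `$bAllowed = true;` would end the loop at the first match. The rest of FindObjectFromArgs is outside the hunk.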