The branch, 6.0 has been updated
via 51672ca99898201894e8bfb3df93e21d486971af (commit)
from 1e39eebe3e030804ffd7042793742bc6bc4f7805 (commit)
- Log -----------------------------------------------------------------
https://scm.fusionforge.org/anonscm/gitweb/?p=fusionforge/fusionforge.git;a=commitdiff;h=51672ca99898201894e8bfb3df93e21d486971af
commit 51672ca99898201894e8bfb3df93e21d486971af
Author: Roland Mas <[email protected]>
Date: Wed Dec 7 12:14:41 2016 +0100
Added missing authorization checks to SOAP API
diff --git a/src/common/include/Group.class.php
b/src/common/include/Group.class.php
index 4518f23..ac446ff 100644
--- a/src/common/include/Group.class.php
+++ b/src/common/include/Group.class.php
@@ -158,6 +158,16 @@ function group_get_object_by_publicname($groupname) {
return group_get_object(db_result($res, 0, 'group_id'), $res);
}
+function filter_groups_by_read_access($grps) {
+ $filteredgrps = array();
+ foreach ($grps as $g) {
+ if (forge_check_perm ('project_read', $g->getID())) {
+ $filteredgrps[] = $g;
+ }
+ }
+ return $filteredgrps;
+}
+
/**
* get_public_active_projects_asc() - Get a list of rows for public active
projects (initially in trove/full_list)
*
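Review bot: `filter_groups_by_read_access` has no docblock although the neighbouring functions in this file carry `/** ... */` headers (the one for get_public_active_projects_asc() follows immediately). Add one stating the contract, e.g. `/** filter_groups_by_read_access() - Keep only the groups on which the current user has project_read permission. @param array $grps Group objects @return array the permitted subset, possibly empty */`. Spelling out that an empty array is returned when nothing is permitted matters because the SOAP callers test the result with `if (!$grps)` and report that case as a lookup failure.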
diff --git a/src/common/include/User.class.php
b/src/common/include/User.class.php
index 9798467..607fffe 100644
--- a/src/common/include/User.class.php
+++ b/src/common/include/User.class.php
@@ -192,6 +192,17 @@ function &user_get_all_users() {
return user_get_objects (util_result_column_to_array($res,0)) ;
}
+
+function filter_users_by_read_access($users) {
+ $filteredusers = array();
+ foreach ($users as $u) {
+ if ($u->getID() == user_getid() ||
forge_check_global_perm('forge_admin')) {
+ $filteredusers[] = $u;
+ }
+ }
+ return $filteredusers;
+}
+
class GFUser extends FFError {
/**
* Associative array of data from db.
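Review bot: `forge_check_global_perm('forge_admin')` is evaluated once per element inside the loop of `filter_users_by_read_access` although its value does not depend on `$u`; hoist it with `$is_admin = forge_check_global_perm('forge_admin');` before the loop and `if ($is_admin || $u->getID() == user_getid()) {` inside. The function also lacks the docblock the rest of this file uses; a short `/** ... */` saying it keeps only the caller's own user object unless the caller is a forge admin would tell SOAP maintainers why getUsers and getActiveUsers now effectively return at most the caller's own entry for ordinary users. The `==` between getID() and user_getid() is loose; confirm both are ints before tightening it to `===`.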
diff --git a/src/www/soap/common/group.php b/src/www/soap/common/group.php
index b6092ea..d5d24d5 100644
--- a/src/www/soap/common/group.php
+++ b/src/www/soap/common/group.php
@@ -336,7 +336,7 @@ function &getGroups($session_ser,$group_ids) {
$inputArgs = $inputArgs.':'.$group_ids[$i];
}
- $grps = group_get_objects($group_ids);
+ $grps = filter_groups_by_read_access(group_get_objects($group_ids));
if (!$grps) {
return new soap_fault ('2001','group','Could Not Get Projects
by Id'.$inputArgs,$feedback);
}
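Review bot: The filtered value assigned at the new line is always an array, so when the caller may read none of the requested projects `$grps` is empty and the following `if (!$grps)` reports it as 'Could Not Get Projects by Id'; merging "not found" with "not permitted" is acceptable because it reveals nothing about hidden projects, but it should be recorded as deliberate. A comment above the check such as `// empty after filtering also means: none of the requested projects is readable by the caller` would do that. The same applies to the getGroupsByName, getUsers, getActiveUsers and getUsersByName hunks; getGroups itself starts before this hunk.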
@@ -346,7 +346,7 @@ function &getGroups($session_ser,$group_ids) {
function &getGroupsByName($session_ser,$group_names) {
session_continue($session_ser);
- $grps = group_get_objects_by_name($group_names);
+ $grps =
filter_groups_by_read_access(group_get_objects_by_name($group_names));
if (!$grps) {
return new soap_fault ('2002','group','Could Not Get Projects
by Name','Could Not Get Projects by Name');
}
@@ -371,7 +371,7 @@ function getGroupByStatus($session_ser, $status) {
continue_session($session_ser);
$res = db_query_params('SELECT group_id FROM groups WHERE status=$1',
array($status));
- $grps = group_get_objects(util_result_column_to_array($res,0));
+ $grps =
filter_groups_by_read_access(group_get_objects(util_result_column_to_array($res,0)));
if ($grps < 0) {
return new soap_fault ('2004','group','Could Not Get Projects
by Status','Could Not Get Projects by Status');
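Review bot: The `$grps < 0` test right after the new assignment can never be true now that `filter_groups_by_read_access` returns an array, so an all-filtered (empty) result is not reported at all; change it to `if (!$grps) {` to match getGroups and getGroupsByName. The array-versus-int comparison was presumably already dead before this change, which is why it is worth deciding explicitly whether an empty result is an error here. The function body continues past the hunk.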
@@ -413,6 +413,10 @@ function updateGroup($session_ser, $group_id, $is_public,
$is_template, $status,
$group = group_get_object($group_id);
$error_msg = '';
+ if (!forge_check_global_perm('forge_admin')) {
+ return new soap_fault ('2007','group','Permission denied',
'Permission denied');
+ }
+
if (!$group->setStatus(session_get_user(), $status)) {
$error_msg .= $group->getErrorMessage();
}
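Review bot: The new forge_admin check is placed after `$group = group_get_object($group_id);`, so every refused call still performs the project lookup before the 'Permission denied' fault is returned; moving the added `if (!forge_check_global_perm('forge_admin')) { ... }` block to the top of the function (its start, including the session continuation, is outside this hunk) keeps authorization ahead of any data access. `$group` is also never checked for validity before `setStatus` is called, but that is pre-existing context rather than part of this change.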
diff --git a/src/www/soap/common/user.php b/src/www/soap/common/user.php
index dace5c4..fab6f8c 100644
--- a/src/www/soap/common/user.php
+++ b/src/www/soap/common/user.php
@@ -187,7 +187,7 @@ $server->register(
//get user objects for array of user_ids
function &getUsers($session_ser,$user_ids) {
continue_session($session_ser);
- $users = user_get_objects($user_ids);
+ $users = filter_users_by_read_access(user_get_objects($user_ids));
if (!$users) {
return new soap_fault ('3001','user','Could Not Get Users By
Id','Could Not Get Users By Id');
}
@@ -198,7 +198,7 @@ function &getUsers($session_ser,$user_ids) {
//get active user objects
function getActiveUsers($session_ser) {
continue_session($session_ser);
- $users = user_get_active_users();
+ $users = filter_users_by_read_access(user_get_active_users());
if (!$users) {
return new soap_fault ('3001','getActiveUsers','Could Not Get
Forge Users','Could Not Get Forge Users');
}
@@ -212,7 +212,10 @@ function getGroupUsers($session_ser, $group_id) {
$group = group_get_object($group_id);
- if (!$group || !is_object($group)) {
+ if (!forge_check_perm ('project_read', $group_id)) {
+ $errMsg = 'Permission denied';
+ return new soap_fault ('3002','getGroupUsers',$errMsg,$errMsg);
+ } elseif (!$group || !is_object($group)) {
$errMsg = 'Could not get group: '.$group->getErrorMessage();
return new soap_fault ('3002','getGroupUsers',$errMsg,$errMsg);
} elseif ($group->isError()) {
@@ -231,7 +234,7 @@ function getGroupUsers($session_ser, $group_id) {
//get user objects for array of unix_names
function getUsersByName($session_ser,$user_names) {
continue_session($session_ser);
- $usrs = user_get_objects_by_name($user_names);
+ $usrs =
filter_users_by_read_access(user_get_objects_by_name($user_names));
if (!$usrs) {
return new soap_fault ('3002','user','Could Not Get Users By
Name','Could Not Get Users By Name');
}
@@ -257,7 +260,7 @@ function
addUser($unix_name,$firstname,$lastname,$password1,$password2,$email,
function updateUser
($session_ser,$user_id,$firstname,$lastname,$language_id,$timezone,$mail_site,$mail_va,$use_ratings,$jabber_address,$jabber_only,$theme_id,$address,$address2,$phone,$fax,$title,$ccode){
continue_session($session_ser);
$user = user_get_object($user_id);
- if (!$user || !is_object($user)) {
+ if (!$user || !is_object($user) || !($u->getID() == user_getid() ||
forge_check_global_perm('forge_admin'))) {
return new soap_fault ('updateUser','Could Not Get User','Could
Not Get User');
}
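Review bot: `$u` in the new condition is never assigned in updateUser — the looked-up object is `$user` — so for every caller that gets past the `!$user || !is_object($user)` part the expression dereferences an undefined variable, and the method call on null ends the request with a fatal error (an uncaught Error on PHP 7+) instead of authorizing it. The intended line is `if (!$user || !is_object($user) || !($user->getID() == user_getid() || forge_check_global_perm('forge_admin'))) {`. The same typo is in the changePassword and userGetGroups hunks. Because the refusal is reported as 'Could Not Get User', non-admins cannot tell an existing user from a missing one, which is fine, but the message is misleading for a legitimate caller who simply lacks permission.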
@@ -272,7 +275,7 @@ function updateUser
($session_ser,$user_id,$firstname,$lastname,$language_id,$ti
function deleteUser ($session_ser,$user_id){
continue_session($session_ser);
$user = user_get_object($user_id);
- if (!$user || !is_object($user)) {
+ if (!$user || !is_object($user) ||
!forge_check_global_perm('forge_admin')) {
return new soap_fault ('deleteUser','Could Not Get User','Could
Not Get User');
}elseif ($user->isError()){
return new soap_fault
('deleteUser',$user->getErrorMessage(),$user->getErrorMessage());
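Review bot: The admin requirement added to the guard is folded into the lookup condition, so a caller without forge_admin receives 'Could Not Get User' rather than a permission fault, and the user row is still fetched before the refusal. Check permission first, before `user_get_object`, with a distinct message: `if (!forge_check_global_perm('forge_admin')) { return new soap_fault ('deleteUser','Permission denied','Permission denied'); }` and leave the original `if (!$user || !is_object($user)) {` guard unchanged. Placed before the lookup, the distinct fault is returned regardless of whether the user exists, so it does not reveal user existence to non-admins. The changeStatus hunk has the same shape.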
@@ -289,7 +292,7 @@ function deleteUser ($session_ser,$user_id){
function changeStatus ($session_ser,$user_id,$status){
continue_session($session_ser);
$user = user_get_object($user_id);
- if (!$user || !is_object($user)) {
+ if (!$user || !is_object($user) ||
!forge_check_global_perm('forge_admin')) {
return new soap_fault ('changeStatus','Could Not Get
User','Could Not Get User');
}elseif ($user->isError()){
return new soap_fault
('changeStatus',$user->getErrorMessage(),$user->getErrorMessage());
@@ -306,7 +309,7 @@ function changeStatus ($session_ser,$user_id,$status){
function changePassword ($session_ser,$user_id,$password){
continue_session($session_ser);
$user = user_get_object($user_id);
- if (!$user || !is_object($user)) {
+ if (!$user || !is_object($user) || !($u->getID() == user_getid() ||
forge_check_global_perm('forge_admin'))) {
return new soap_fault ('changePassword','Could Not Get
User','Could Not Get User');
}elseif ($user->isError()){
return new soap_fault
('changePassword',$user->getErrorMessage(),$user->getErrorMessage());
@@ -323,7 +326,7 @@ function changePassword ($session_ser,$user_id,$password){
function &userGetGroups($session_ser,$user_id) {
continue_session($session_ser);
$user = user_get_object($user_id);
- if (!$user) {
+ if (!$user || !is_object($user) || !($u->getID() == user_getid() ||
forge_check_global_perm('forge_admin'))) {
return new soap_fault ('3003','user','Could Not Get Users
Projects','Could Not Get Users Projects');
}
return groups_to_soap($user->getGroups());
-----------------------------------------------------------------------
Summary of changes:
src/common/include/Group.class.php | 10 ++++++++++
src/common/include/User.class.php | 11 +++++++++++
src/www/soap/common/group.php | 10 +++++++---
src/www/soap/common/user.php | 21 ++++++++++++---------
4 files changed, 40 insertions(+), 12 deletions(-)