This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "FusionForge".
The branch, Branch_5_2 has been updated
via 0c9e20451396f4a95a48f777456fdb4f12d71ad9 (commit)
from 0e5efe9b2c0763e535a19752787b45746c1b285d (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://scm.fusionforge.org/anonscm/gitweb/?p=fusionforge/fusionforge.git;a=commitdiff;h=0c9e20451396f4a95a48f777456fdb4f12d71ad9
commit 0c9e20451396f4a95a48f777456fdb4f12d71ad9
Author: Roland Mas <[email protected]>
Date: Wed Dec 7 12:14:41 2016 +0100
Added missing authorization checks to SOAP API
diff --git a/src/common/include/Group.class.php
b/src/common/include/Group.class.php
index df97b6f..eb0441f 100644
--- a/src/common/include/Group.class.php
+++ b/src/common/include/Group.class.php
@@ -150,6 +150,16 @@ function &group_get_object_by_publicname($groupname) {
return group_get_object(db_result($res, 0, 'group_id'), $res);
}
+function filter_groups_by_read_access($grps) {
+ $filteredgrps = array();
+ foreach ($grps as $g) {
+ if (forge_check_perm ('project_read', $g->getID())) {
+ $filteredgrps[] = $g;
+ }
+ }
+ return $filteredgrps;
+}
+
class Group extends Error {
/**
* Associative array of data from db.
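Review bot: filter_groups_by_read_access is a new global helper with no docblock, and its contract matters to every SOAP caller that now wraps its result in it: projects the current user may not read are dropped, not reported. Add above L24 `/** Return only the groups for which the current user holds project_read; unreadable groups are silently omitted. */`. The loop also assumes every element of $grps is a Group exposing getID(); whether group_get_objects can hand back false or error objects for unknown ids is not visible in this hunk, so either state that precondition in the docblock or guard with is_object. Minor style: `forge_check_perm ('project_read', …)` has a space before the parenthesis, unlike the other new calls in this commit.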
diff --git a/src/common/include/User.class.php
b/src/common/include/User.class.php
index b953707..f214fcc 100644
--- a/src/common/include/User.class.php
+++ b/src/common/include/User.class.php
@@ -166,6 +166,22 @@ function &user_get_active_users() {
return user_get_objects(util_result_column_to_array($res, 0));
}
+function &user_get_all_users() {
+ $res=db_query_params ('SELECT user_id FROM users',
+ array()) ;
+ return user_get_objects (util_result_column_to_array($res,0)) ;
+}
+
+function filter_users_by_read_access($users) {
+ $filteredusers = array();
+ foreach ($users as $u) {
+ if ($u->getID() == user_getid() ||
forge_check_global_perm('forge_admin')) {
+ $filteredusers[] = $u;
+ }
+ }
+ return $filteredusers;
+}
+
class GFUser extends Error {
/**
* Associative array of data from db.
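Review bot: forge_check_global_perm('forge_admin') on L55 is re-evaluated inside the loop for every user that is not the caller; compute it once and make it the early branch: `$isAdmin = forge_check_global_perm('forge_admin');` before the loop and `if ($isAdmin || $u->getID() == user_getid()) {` inside. Both new functions need a docblock: filter_users_by_read_access returns only the caller's own record unless the caller is a forge admin, and user_get_all_users loads every row of users, which neither hunk in this commit calls, so presumably a caller exists elsewhere. The `==` on L54 is a loose comparison; if user_getid() and getID() are both ints, `===` is the safer spelling, but I can't confirm their types from the hunk.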
diff --git a/src/www/soap/common/group.php b/src/www/soap/common/group.php
index 3cf9e8c..6994d67 100644
--- a/src/www/soap/common/group.php
+++ b/src/www/soap/common/group.php
@@ -89,7 +89,7 @@ function &getGroups($session_ser,$group_ids) {
$inputArgs = $inputArgs.':'.$group_ids[i];
}
- $grps = group_get_objects($group_ids);
+ $grps = filter_groups_by_read_access(group_get_objects($group_ids));
if (!$grps) {
return new soap_fault ('2001','group','Could Not Get Projects
by Id'.$inputArgs,$feedback);
}
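Review bot: Wrapping group_get_objects in filter_groups_by_read_access means a request for several ids silently returns a shorter list when some of the projects are private, and only the all-filtered case reaches the 2001 fault with $inputArgs; getGroupsByName in the next hunk behaves the same way. Document this in the function comment, e.g. `// projects the current user cannot read are omitted from the result, not reported`. Reusing the "Could Not Get Projects" fault for the fully-filtered case is fine from a disclosure standpoint, since it does not confirm to the caller whether the id exists. getGroups's body starts before this hunk.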
@@ -99,7 +99,7 @@ function &getGroups($session_ser,$group_ids) {
function &getGroupsByName($session_ser,$group_names) {
session_continue($session_ser);
- $grps = group_get_objects_by_name($group_names);
+ $grps =
filter_groups_by_read_access(group_get_objects_by_name($group_names));
if (!$grps) {
return new soap_fault ('2002','group','Could Not Get Projects
by Name','Could Not Get Projects by Name');
}
diff --git a/src/www/soap/common/user.php b/src/www/soap/common/user.php
index 0b854cd..5a96513 100644
--- a/src/www/soap/common/user.php
+++ b/src/www/soap/common/user.php
@@ -168,18 +168,18 @@ $server->register(
//get user objects for array of user_ids
function &getUsers($session_ser,$user_ids) {
continue_session($session_ser);
- $usrs =& user_get_objects($user_ids);
- if (!$usrs) {
+ $users = filter_users_by_read_access(user_get_objects($user_ids));
+ if (!$users) {
return new soap_fault ('3001','user','Could Not Get Users By
Id','Could Not Get Users By Id');
}
- return users_to_soap($usrs);
+ return users_to_soap($users);
}
//get user objects for array of unix_names
function getUsersByName($session_ser,$user_names) {
continue_session($session_ser);
- $usrs =& user_get_objects_by_name($user_names);
+ $usrs =
filter_users_by_read_access(user_get_objects_by_name($user_names));
if (!$usrs) {
return new soap_fault ('3002','user','Could Not Get Users By
Name','Could Not Get Users By Name');
}
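Review bot: The new local is named $users on L98 but $usrs on L110 in getUsersByName; pick one spelling for both. Both lines also drop the `=&` reference assignment while getUsers keeps its `&getUsers` return-by-reference signature, which is now misleading, though I can't tell from the hunk whether any caller relies on it. The behavioural change deserves a comment: after filter_users_by_read_access a non-admin caller only ever gets back its own record, so `//get user objects for array of user_ids` should become `// get user objects for array of user_ids; non-admin callers only receive their own record, others are omitted`.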
@@ -204,8 +204,8 @@ function
addUser($unix_name,$firstname,$lastname,$password1,$password2,$email,
//update user object
function updateUser
($session_ser,$user_id,$firstname,$lastname,$language_id,$timezone,$mail_site,$mail_va,$use_ratings,$jabber_address,$jabber_only,$theme_id,$address,$address2,$phone,$fax,$title,$ccode){
continue_session($session_ser);
- $user =& user_get_object($user_id);
- if (!$user || !is_object($user)) {
+ $user = user_get_object($user_id);
+ if (!$user || !is_object($user) || !($u->getID() == user_getid() ||
forge_check_global_perm('forge_admin'))) {
return new soap_fault ('updateUser','Could Not Get User','Could
Not Get User');
}
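Review bot: The added authorization check on L125 reads `$u->getID()`, but the looked-up user is held in `$user` and $u is never assigned in this function, so the first operand of the `||` chain is a method call on an undefined variable and PHP raises a fatal error (call to a member function on a non-object) for every caller, admin or not, before forge_check_global_perm is ever reached. The same typo is in changePassword (L166) and userGetGroups (L180). The line should read `if (!$user || !is_object($user) || !($user->getID() == user_getid() || forge_check_global_perm('forge_admin'))) {`; the preceding `!$user || !is_object($user)` guard makes `$user->getID()` safe there. updateUser's body continues outside the hunk.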
@@ -219,8 +219,8 @@ function updateUser
($session_ser,$user_id,$firstname,$lastname,$language_id,$ti
//delete user object
function deleteUser ($session_ser,$user_id){
continue_session($session_ser);
- $user =& user_get_object($user_id);
- if (!$user || !is_object($user)) {
+ $user = user_get_object($user_id);
+ if (!$user || !is_object($user) ||
!forge_check_global_perm('forge_admin')) {
return new soap_fault ('deleteUser','Could Not Get User','Could
Not Get User');
}elseif ($user->isError()){
return new soap_fault
('deleteUser',$user->getErrorMessage(),$user->getErrorMessage());
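Review bot: deleteUser runs user_get_object($user_id) before the forge_admin check on L139, so an unprivileged caller still triggers the database lookup for an arbitrary id; changeStatus in the next hunk has the same ordering. Checking `forge_check_global_perm('forge_admin')` first and returning the same 'Could Not Get User' fault yields an identical response for non-admins while avoiding the lookup. Using one fault text for both the missing-user and the unauthorized case is the right choice, since it does not confirm to a non-admin whether the id exists. deleteUser's body continues outside the hunk.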
@@ -236,8 +236,8 @@ function deleteUser ($session_ser,$user_id){
//change status user object
function changeStatus ($session_ser,$user_id,$status){
continue_session($session_ser);
- $user =& user_get_object($user_id);
- if (!$user || !is_object($user)) {
+ $user = user_get_object($user_id);
+ if (!$user || !is_object($user) ||
!forge_check_global_perm('forge_admin')) {
return new soap_fault ('changeStatus','Could Not Get
User','Could Not Get User');
}elseif ($user->isError()){
return new soap_fault
('changeStatus',$user->getErrorMessage(),$user->getErrorMessage());
@@ -253,8 +253,8 @@ function changeStatus ($session_ser,$user_id,$status){
//change password user object
function changePassword ($session_ser,$user_id,$password){
continue_session($session_ser);
- $user =& user_get_object($user_id);
- if (!$user || !is_object($user)) {
+ $user = user_get_object($user_id);
+ if (!$user || !is_object($user) || !($u->getID() == user_getid() ||
forge_check_global_perm('forge_admin'))) {
return new soap_fault ('changePassword','Could Not Get
User','Could Not Get User');
}elseif ($user->isError()){
return new soap_fault
('changePassword',$user->getErrorMessage(),$user->getErrorMessage());
@@ -270,8 +270,8 @@ function changePassword ($session_ser,$user_id,$password){
//get groups for user_id
function &userGetGroups($session_ser,$user_id) {
continue_session($session_ser);
- $user =& user_get_object($user_id);
- if (!$user) {
+ $user = user_get_object($user_id);
+ if (!$user || !is_object($user) || !($u->getID() == user_getid() ||
forge_check_global_perm('forge_admin'))) {
return new soap_fault ('3003','user','Could Not Get Users
Projects','Could Not Get Users Projects');
}
return groups_to_soap($user->getGroups());
-----------------------------------------------------------------------
Summary of changes:
src/common/include/Group.class.php | 10 ++++++++++
src/common/include/User.class.php | 16 ++++++++++++++++
src/www/soap/common/group.php | 4 ++--
src/www/soap/common/user.php | 28 ++++++++++++++--------------
4 files changed, 42 insertions(+), 16 deletions(-)
hooks/post-receive
--
FusionForge