This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "FusionForge".

The branch, Branch_5_3 has been updated
       via  c8feb47efac7512da400c8cfc00f84b9148dce93 (commit)
      from  3cd50a674693e1dce6fe57b8b601e285954018b1 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://scm.fusionforge.org/anonscm/gitweb/?p=fusionforge/fusionforge.git;a=commitdiff;h=c8feb47efac7512da400c8cfc00f84b9148dce93

commit c8feb47efac7512da400c8cfc00f84b9148dce93
Author: Roland Mas <[email protected]>
Date:   Wed Dec 7 12:14:41 2016 +0100

    Added missing authorization checks to SOAP API

diff --git a/src/common/include/Group.class.php 
b/src/common/include/Group.class.php
index 3d05e8a..c846975 100644
--- a/src/common/include/Group.class.php
+++ b/src/common/include/Group.class.php
@@ -157,6 +157,16 @@ function group_get_object_by_publicname($groupname) {
        return group_get_object(db_result($res, 0, 'group_id'), $res);
 }
 
+function filter_groups_by_read_access($grps) {
+       $filteredgrps = array();
+       foreach ($grps as $g) {
+               if (forge_check_perm ('project_read', $g->getID())) {
+                       $filteredgrps[] = $g;
+               }
+       }
+       return $filteredgrps;
+}
+
 /**
  * get_public_active_projects_asc() - Get a list of rows for public active 
projects (initially in trove/full_list)
  *
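Review bot: filter_groups_by_read_access() has no docblock although the neighbouring functions in this file carry one (see the get_public_active_projects_asc() header directly below it), and nothing states what it returns when the caller may read none of the groups. Suggest a header in the file's style such as `/** filter_groups_by_read_access() - Keep only the groups the current session user holds 'project_read' on; returns an empty array when none qualify. */`. If group_get_objects() can return a non-array on failure (the callers in src/www/soap/common/group.php test `!$grps` and `$grps < 0`, which suggests it might), the foreach emits a warning; a guard like `if (!is_array($grps)) { return array(); }` at the top keeps those callers on their existing fault path. `$g->getID()` also assumes every element is a group object, which I cannot confirm from the hunk.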
diff --git a/src/common/include/User.class.php 
b/src/common/include/User.class.php
index 1e28848..28398f9 100644
--- a/src/common/include/User.class.php
+++ b/src/common/include/User.class.php
@@ -190,6 +190,16 @@ function &user_get_all_users() {
        return user_get_objects (util_result_column_to_array($res,0)) ;
 }
 
+function filter_users_by_read_access($users) {
+       $filteredusers = array();
+       foreach ($users as $u) {
+               if ($u->getID() == user_getid() || 
forge_check_global_perm('forge_admin')) {
+                       $filteredusers[] = $u;
+               }
+       }
+       return $filteredusers;
+}
+
 class GFUser extends Error {
        /**
         * Associative array of data from db.
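Review bot: forge_check_global_perm('forge_admin') is re-evaluated on every iteration of the loop in filter_users_by_read_access() although its result cannot change between elements, and user_getid() is re-read each time as well. Hoisting both gives one permission lookup per call: `$isadmin = forge_check_global_perm('forge_admin');` and `$myid = user_getid();` before the loop, then `if ($isadmin || $u->getID() == $myid) {`. A docblock in the style of the rest of this file stating the rule (a user record is visible only to that user and to forge administrators; empty array otherwise) would also help, since the SOAP callers rely on the empty result to raise their fault.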
diff --git a/src/www/soap/common/group.php b/src/www/soap/common/group.php
index b49ee0c..f96b6ae 100644
--- a/src/www/soap/common/group.php
+++ b/src/www/soap/common/group.php
@@ -336,7 +336,7 @@ function &getGroups($session_ser,$group_ids) {
                $inputArgs = $inputArgs.':'.$group_ids[$i];
        }
 
-       $grps = group_get_objects($group_ids);
+       $grps = filter_groups_by_read_access(group_get_objects($group_ids));
        if (!$grps) {
                return new soap_fault ('2001','group','Could Not Get Projects 
by Id'.$inputArgs,$feedback);
        }
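Review bot: After the filter in getGroups, an empty array and a failed lookup both land in the `if (!$grps)` branch, so a caller that asks only for projects it may not read receives the same '2001' fault as for unknown ids. That is the safer outcome (it does not reveal whether a hidden project exists), but it is not written down; suggest a comment on the new line such as `// Unreadable projects are dropped; an empty result is reported like a failed lookup.` Note that `$inputArgs` still echoes the requested ids back in the fault text, unchanged by this commit. getGroups continues outside the hunk.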
@@ -346,7 +346,7 @@ function &getGroups($session_ser,$group_ids) {
 
 function &getGroupsByName($session_ser,$group_names) {
        session_continue($session_ser);
-       $grps = group_get_objects_by_name($group_names);
+       $grps = 
filter_groups_by_read_access(group_get_objects_by_name($group_names));
        if (!$grps) {
                return new soap_fault ('2002','group','Could Not Get Projects 
by Name','Could Not Get Projects by Name');
        }
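Review bot: The new permission filter in getGroupsByName is only meaningful once the session is established, and the line before it calls `session_continue($session_ser)` while getGroups, getGroupByStatus and every function in user.php call `continue_session($session_ser)`. If `session_continue` is not the same routine (its definition is not visible here), forge_check_perm would evaluate 'project_read' for an anonymous caller and the filter would hide every non-public project for everyone; worth confirming, or aligning the call with the siblings: `continue_session($session_ser);`. getGroupsByName continues outside the hunk.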
@@ -371,7 +371,7 @@ function getGroupByStatus($session_ser, $status) {
        continue_session($session_ser);
 
        $res = db_query_params('SELECT group_id FROM groups WHERE status=$1', 
array($status));
-       $grps = group_get_objects(util_result_column_to_array($res,0));
+       $grps = 
filter_groups_by_read_access(group_get_objects(util_result_column_to_array($res,0)));
 
        if ($grps < 0) {
                return new soap_fault ('2004','group','Could Not Get Projects 
by Status','Could Not Get Projects by Status');
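Review bot: With filter_groups_by_read_access() in front of it, `$grps` in getGroupByStatus is always an array, and PHP orders an array as greater than any integer, so the `if ($grps < 0)` test below can no longer fire and a fully filtered result flows on as an empty list rather than a fault. Whether the earlier group_get_objects() result could ever be negative I cannot tell from the hunk; if the intent is to behave like getGroups and getGroupsByName, change the test to `if (!$grps) {`, otherwise add a comment saying an empty list is a valid answer here. getGroupByStatus continues outside the hunk.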
@@ -413,6 +413,10 @@ function updateGroup($session_ser, $group_id, $is_public, 
$is_template, $status,
        $group = group_get_object($group_id);
        $error_msg = '';
 
+       if (!forge_check_global_perm('forge_admin')) {
+               return new soap_fault ('2007','group','Permission denied', 
'Permission denied');
+       }
+
        if (!$group->setStatus(session_get_user(), $status)) {
                $error_msg .= $group->getErrorMessage();
        }
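Review bot: The forge_admin check in updateGroup is inserted after `group_get_object($group_id)` has already run, so an unauthorized caller still triggers the lookup, and the function goes on to call `$group->setStatus(...)` without the `!$group || !is_object($group)` guard that getGroupUsers applies. Moving the four new lines up to directly after the session call, and adding that object guard before setStatus, would make the denial the first thing evaluated and avoid a call on a non-object for an unknown id; the latter is pre-existing but sits right next to the new code. updateGroup's signature and the rest of its body are outside the hunk.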
diff --git a/src/www/soap/common/user.php b/src/www/soap/common/user.php
index 03ec611..1d65044 100644
--- a/src/www/soap/common/user.php
+++ b/src/www/soap/common/user.php
@@ -187,23 +187,23 @@ $server->register(
 //get user objects for array of user_ids
 function &getUsers($session_ser,$user_ids) {
        continue_session($session_ser);
-       $usrs = user_get_objects($user_ids);
-       if (!$usrs) {
+       $users = filter_users_by_read_access(user_get_objects($user_ids));
+       if (!$users) {
                return new soap_fault ('3001','user','Could Not Get Users By 
Id','Could Not Get Users By Id');
        }
 
-       return users_to_soap($usrs);
+       return users_to_soap($users);
 }
 
 //get active user objects
 function getActiveUsers($session_ser) {
        continue_session($session_ser);
-       $usrs =& user_get_active_users();
-       if (!$usrs) {
+       $users = filter_users_by_read_access(user_get_active_users());
+       if (!$users) {
                return new soap_fault ('3001','getActiveUsers','Could Not Get 
Forge Users','Could Not Get Forge Users');
        }
 
-       return users_to_soap($usrs);
+       return users_to_soap($users);
 }
 
 //[Yosu] getGroupUsers (session_ser, group_id)
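Review bot: The `//get active user objects` comment above getActiveUsers no longer describes what the function returns: after filter_users_by_read_access() a non-admin caller gets at most its own record, and when the caller is not in the active list the '3001' 'Could Not Get Forge Users' fault is raised rather than an empty list. Suggest `//get active user objects (forge admins only; other callers see at most themselves)` and the equivalent wording on getUsers. The rename from `$usrs` to `$users` in these two functions is cosmetic and leaves getUsersByName below still using `$usrs`; one name across the file would keep the diff to the security change. Dropping the `=&` on the getActiveUsers assignment is fine, since the value is now a freshly built array.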
@@ -212,7 +212,10 @@ function getGroupUsers($session_ser, $group_id) {
 
        $group = group_get_object($group_id);
 
-       if (!$group || !is_object($group)) {
+       if (!forge_check_perm ('project_read', $group_id)) {
+               $errMsg = 'Permission denied';
+               return new soap_fault ('3002','getGroupUsers',$errMsg,$errMsg);
+       } elseif (!$group || !is_object($group)) {
                $errMsg = 'Could not get group: '.$group->getErrorMessage();
                return new soap_fault ('3002','getGroupUsers',$errMsg,$errMsg);
        } elseif ($group->isError()) {
@@ -231,7 +234,7 @@ function getGroupUsers($session_ser, $group_id) {
 //get user objects for array of unix_names
 function getUsersByName($session_ser,$user_names) {
        continue_session($session_ser);
-       $usrs = user_get_objects_by_name($user_names);
+       $usrs = 
filter_users_by_read_access(user_get_objects_by_name($user_names));
        if (!$usrs) {
                return new soap_fault ('3002','user','Could Not Get Users By 
Name','Could Not Get Users By Name');
        }
@@ -257,7 +260,7 @@ function 
addUser($unix_name,$firstname,$lastname,$password1,$password2,$email,
 function updateUser 
($session_ser,$user_id,$firstname,$lastname,$language_id,$timezone,$mail_site,$mail_va,$use_ratings,$jabber_address,$jabber_only,$theme_id,$address,$address2,$phone,$fax,$title,$ccode){
        continue_session($session_ser);
        $user = user_get_object($user_id);
-       if (!$user || !is_object($user)) {
+       if (!$user || !is_object($user) || !($u->getID() == user_getid() || 
forge_check_global_perm('forge_admin'))) {
                return new soap_fault ('updateUser','Could Not Get User','Could 
Not Get User');
        }
 
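Review bot: The new condition in updateUser dereferences `$u`, but the only variable holding the user in this function is `$user`, assigned two lines above; `$u` is undefined, so as soon as `$user` is a valid object the right-hand side `$u->getID()` fails with a method call on a non-object and every authorized update aborts instead of proceeding. The same undefined `$u` appears in the new conditions of changePassword and userGetGroups further down this file. Replace it with `!($user->getID() == user_getid() || forge_check_global_perm('forge_admin'))` in all three, or better, express the rule once next to filter_users_by_read_access() in User.class.php and call it from here. The preceding `is_object($user)` test is what makes the dereference safe to evaluate, so keep the order.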
@@ -272,7 +275,7 @@ function updateUser 
($session_ser,$user_id,$firstname,$lastname,$language_id,$ti
 function deleteUser ($session_ser,$user_id){
        continue_session($session_ser);
        $user = user_get_object($user_id);
-       if (!$user || !is_object($user)) {
+       if (!$user || !is_object($user) || 
!forge_check_global_perm('forge_admin')) {
                return new soap_fault ('deleteUser','Could Not Get User','Could 
Not Get User');
        }elseif ($user->isError()){
                return new soap_fault 
('deleteUser',$user->getErrorMessage(),$user->getErrorMessage());
@@ -289,7 +292,7 @@ function deleteUser ($session_ser,$user_id){
 function changeStatus ($session_ser,$user_id,$status){
        continue_session($session_ser);
        $user = user_get_object($user_id);
-       if (!$user || !is_object($user)) {
+       if (!$user || !is_object($user) || 
!forge_check_global_perm('forge_admin')) {
                return new soap_fault ('changeStatus','Could Not Get 
User','Could Not Get User');
        }elseif ($user->isError()){
                return new soap_fault 
('changeStatus',$user->getErrorMessage(),$user->getErrorMessage());
@@ -306,7 +309,7 @@ function changeStatus ($session_ser,$user_id,$status){
 function changePassword ($session_ser,$user_id,$password){
        continue_session($session_ser);
        $user = user_get_object($user_id);
-       if (!$user || !is_object($user)) {
+       if (!$user || !is_object($user) || !($u->getID() == user_getid() || 
forge_check_global_perm('forge_admin'))) {
                return new soap_fault ('changePassword','Could Not Get 
User','Could Not Get User');
        }elseif ($user->isError()){
                return new soap_fault 
('changePassword',$user->getErrorMessage(),$user->getErrorMessage());
@@ -323,7 +326,7 @@ function changePassword ($session_ser,$user_id,$password){
 function &userGetGroups($session_ser,$user_id) {
        continue_session($session_ser);
        $user = user_get_object($user_id);
-       if (!$user) {
+       if (!$user || !is_object($user) || !($u->getID() == user_getid() || 
forge_check_global_perm('forge_admin'))) {
                return new soap_fault ('3003','user','Could Not Get Users 
Projects','Could Not Get Users Projects');
        }
        return groups_to_soap($user->getGroups());

-----------------------------------------------------------------------

Summary of changes:
 src/common/include/Group.class.php | 10 ++++++++++
 src/common/include/User.class.php  | 10 ++++++++++
 src/www/soap/common/group.php      | 10 +++++++---
 src/www/soap/common/user.php       | 29 ++++++++++++++++-------------
 4 files changed, 43 insertions(+), 16 deletions(-)


hooks/post-receive
-- 
FusionForge

_______________________________________________
Fusionforge-commits mailing list
[email protected]
http://lists.fusionforge.org/cgi-bin/mailman/listinfo/fusionforge-commits
