Dev: Better security in QuickMenu

LimeSurvey · May 10, 2016 · 6238bf9 · 6238bf9
1 parent 1b1b8c5
commit 6238bf9
Showing 1 changed file with 9 additions and 5 deletions.
diff --git a/application/core/plugins/QuickMenu/QuickMenu.php b/application/core/plugins/QuickMenu/QuickMenu.php
@@ -550,12 +550,16 @@ public function newDirectRequest()
             // you can get other params from the request object
             $request = $event->get('request');
 
-            //get the function name to call and use the method call_user_func
             $functionToCall = $event->get('function'); 
-            //$content = call_user_func(array($this,$functionToCall), $surveyId);
-            //set the content on the event
-            //$event->setContent($this, $content);
-            echo $this->$functionToCall($request);
+
+            if ($functionToCall == 'saveOrder')
+            {
+                echo $this->saveOrder($request);
+            }
+            else
+            {
+                throw new \CException("Invalid request: not supported method: " . $functionToCall);
+            }
         }
     }
 }