Fixed issue #9032: Permissions not enforced on template editor
c-schmitz committed May 20, 2014
1 parent 1388097 commit 7d9436d
Showing 3 changed files with 168 additions and 78 deletions.
45 changes: 44 additions & 1 deletion application/controllers/admin/templates.php
Expand Up @@ -23,6 +23,17 @@
*/
class templates extends Survey_Common_Action
{

public function runWithParams($params)
{
if (!Permission::model()->hasGlobalPermission('templates','read'))
{
die('No permission');
}
parent::runWithParams($params);
}



/**
* Exports a template
Expand All @@ -33,7 +44,10 @@ class templates extends Survey_Common_Action
*/
public function templatezip($templatename)
{

if (!Permission::model()->hasGlobalPermission('templates','export'))
{
die('No permission');
}
$templatedir = getTemplatePath($templatename) . DIRECTORY_SEPARATOR;
$tempdir = Yii::app()->getConfig('tempdir');

Expand Down Expand Up @@ -81,6 +95,10 @@ public function tmp($id)
*/
public function upload()
{
if (!Permission::model()->hasGlobalPermission('templates','import'))
{
die('No permission');
}
$clang = $this->getController()->lang;
$aViewUrls = $this->_initialise('default', 'welcome', 'startpage.pstpl', FALSE);
$lid = returnGlobal('lid');
Expand Down Expand Up @@ -218,6 +236,11 @@ private function _templateFixes($templatename)
*/
public function uploadfile()
{
if (!Permission::model()->hasGlobalPermission('templates','import'))
{
die('No permission');
}

$clang = $this->getController()->lang;
$action = returnGlobal('action');
$editfile = returnGlobal('editfile');
Expand Down Expand Up @@ -380,6 +403,10 @@ public function fileredirect($templatename = '', $screenname = 'welcome', $editf
*/
public function templatefiledelete()
{
if (!Permission::model()->hasGlobalPermission('templates','update'))
{
die('No permission');
}
$clang = $this->getController()->lang;
if (returnGlobal('action') == "templatefiledelete") {
// This is where the temp file is
Expand All @@ -406,6 +433,10 @@ public function templatefiledelete()
*/
public function templaterename()
{
if (!Permission::model()->hasGlobalPermission('templates','update'))
{
die('No permission');
}
if (returnGlobal('action') == "templaterename" && returnGlobal('newname') && returnGlobal('copydir')) {
$clang = Yii::app()->lang;
$sOldName = sanitize_paranoid_string(returnGlobal('copydir'));
Expand Down Expand Up @@ -438,6 +469,10 @@ public function templaterename()
*/
public function templatecopy()
{
if (!Permission::model()->hasGlobalPermission('templates','create'))
{
die('No permission');
}
$clang = $this->getController()->lang;
$newname=sanitize_paranoid_string(Yii::app()->request->getPost("newname"));
$copydir=sanitize_paranoid_string(Yii::app()->request->getPost("copydir"));
Expand Down Expand Up @@ -481,6 +516,10 @@ public function templatecopy()
*/
public function delete($templatename)
{
if (!Permission::model()->hasGlobalPermission('templates','delete'))
{
die('No permission');
}
Yii::app()->loadHelper("admin/template");
if (is_template_editable($templatename) == true) {
$clang = $this->getController()->lang;
Expand Down Expand Up @@ -514,6 +553,10 @@ public function delete($templatename)
*/
public function templatesavechanges()
{
if (!Permission::model()->hasGlobalPermission('templates','update'))
{
die('No permission');
}
if (returnGlobal('changes')) {
$changedtext = returnGlobal('changes');
$changedtext = str_replace('<?', '', $changedtext);
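Review bot: `die('No permission');` in the new runWithParams guard, and the identical pattern added to templatezip, upload, uploadfile, templatefiledelete, templaterename, templatecopy, delete and templatesavechanges, ends the request with an HTTP 200 and a bare string, so a denied request is indistinguishable from a successful one in access logs and any monitoring keyed on status codes, and it bypasses the application's error handling and error views. Replacing each with `throw new CHttpException(403, 'No permission');` keeps the same refusal but returns a proper 403 that the framework renders and that is visible to log analysis. The runWithParams check is a useful choke point, since it requires 'templates'/'read' before any action of this controller runs, and the per-action checks then narrow to the specific right; a one-line comment such as `// Gate every action on templates/read; individual actions add their own finer-grained check` on runWithParams would make that layering explicit for the next maintainer. The class templates continues well beyond this hunk, so actions not shown here (e.g. the view/edit actions) should be confirmed to be covered by the runWithParams guard alone or to have their own check.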
125 changes: 76 additions & 49 deletions application/views/admin/templates/templateeditorbar_view.php
Expand Up @@ -7,14 +7,14 @@
function copyprompt(text, defvalue, copydirectory, action)
{
if (newtemplatename=window.prompt(text, defvalue))
{
{
sendPost('<?php echo $this->createUrl('admin/templates/sa/template'); ?>'+action,'',new Array('action','newname','copydir'),new Array('template'+action,newtemplatename,copydirectory));
}
}

$(document).ready(function(){
$("#importtemplatefile").submit(function(){

filename = $("#upload_file").val();
if(filename==""){
return false; // False click
Expand All @@ -23,21 +23,21 @@ function copyprompt(text, defvalue, copydirectory, action)
var lastdotpos=-1;
var ext='';
if ((lastdotpos=filename.lastIndexOf('.')) < 0)
{
{
alert('<?php $clang->eT('This file type is not allowed to be uploaded.','js'); ?>');
return false;
}
else
{
{
ext = ',' + filename.substr(lastdotpos+1) + ',';
ext = ext.toLowerCase();
if (allowedtypes.indexOf(ext) < 0)
{
{
alert('<?php $clang->eT('This file type is not allowed to be uploaded.','js'); ?>');
return false;
}
else
{
{
return true;
}
}
Expand All @@ -56,58 +56,79 @@ function copyprompt(text, defvalue, copydirectory, action)
<img src='<?php echo $sImageURL; ?>separator.gif' class='separator' alt='' />

<?php
if (!is_template_editable($templatename))
{ ?>
if (!is_template_editable($templatename))
{ ?>
<div class="menubar-right" style='padding-left:15px;padding-top:5px;'><span style='font-size:10px; font-weight: bold;'><?php $clang->eT('Note: This is a standard template.');?><br />
<?php printf($clang->gT('If you want to edit it %s please copy it first%s.'),"<a href='#' title=\"".$clang->gT("Copy Template")."\""
." onclick=\"javascript: copyprompt('".$clang->gT("Please enter the name for the copied template:")."', '".$clang->gT("copy_of_")."$templatename', '$templatename', 'copy')\">",'</a>'); ?></span></div>
<?php printf($clang->gT('If you want to edit it %s please copy it first%s.'),"<a href='#' title=\"".$clang->gT("Copy Template")."\""
." onclick=\"javascript: copyprompt('".$clang->gT("Please enter the name for the copied template:")."', '".$clang->gT("copy_of_")."$templatename', '$templatename', 'copy')\">",'</a>'); ?></span></div>
<?php
} ?>
<?php if(is_writable($tempdir) && is_writable($usertemplaterootdir))
{?>
<?php if (function_exists("zip_open")) {?>
<a href='<?php echo $this->createUrl('admin/templates/sa/upload'); ?>'>
<img src='<?php echo $sImageURL; ?>import.png' alt='<?php $clang->eT("Import template"); ?>' title='' /></a>
<?php }else{ ?>
<img src='<?php echo $sImageURL; ?>import_disabled.png' alt='<?php $clang->eT("zip library not supported by PHP, Import ZIP Disabled"); ?>' /></a>
<?php } ?>
<a href='<?php echo $this->createUrl('admin/templates/sa/templatezip/templatename/' . $templatename) ?>'>
<img src='<?php echo $sImageURL; ?>export.png' alt='<?php $clang->eT("Export Template"); ?>' /></a>
<img src='<?php echo $sImageURL; ?>separator.gif' class='separator' alt='' />
<a href='#' onclick="javascript: copyprompt('<?php $clang->eT("Please enter the name for the copied template:"); ?>', '<?php echo $clang->gT("copy_of_")."$templatename"; ?>', '<?php echo $templatename; ?>', 'copy')">
<img src='<?php echo $sImageURL; ?>copy.png' alt='<?php $clang->eT("Copy Template"); ?>' /></a>
<?php
{?>
<?php

if (Permission::model()->hasGlobalPermission('templates','import'))
{

if (function_exists("zip_open")) {?>
<a href='<?php echo $this->createUrl('admin/templates/sa/upload'); ?>'>
<img src='<?php echo $sImageURL; ?>import.png' alt='<?php $clang->eT("Import template"); ?>' title='' /></a>
<?php }else{ ?>
<img src='<?php echo $sImageURL; ?>import_disabled.png' alt='<?php $clang->eT("zip library not supported by PHP, Import ZIP Disabled"); ?>' /></a>
<?php }
}
else
{ ?>
if (Permission::model()->hasGlobalPermission('templates','export'))
{
?>
<a href='<?php echo $this->createUrl('admin/templates/sa/templatezip/templatename/' . $templatename) ?>'>
<img src='<?php echo $sImageURL; ?>export.png' alt='<?php $clang->eT("Export Template"); ?>' /></a>
<img src='<?php echo $sImageURL; ?>separator.gif' class='separator' alt='' />
<?php
if (Permission::model()->hasGlobalPermission('templates','create'))
{ ?>
<a href='#' onclick="javascript: copyprompt('<?php $clang->eT("Please enter the name for the copied template:"); ?>', '<?php echo $clang->gT("copy_of_")."$templatename"; ?>', '<?php echo $templatename; ?>', 'copy')">
<img src='<?php echo $sImageURL; ?>copy.png' alt='<?php $clang->eT("Copy Template"); ?>' /></a>
<?php
}
}
}
else
{

<img src='<?php echo $sImageURL; ?>import_disabled.png' alt='<?php echo $clang->gT("Import template").' - '.$clang->gT("Please change the directory permissions of the folders /tmp and /upload/templates in order to enable this option."); ?>' />
<img src='<?php echo $sImageURL; ?>export_disabled.png' alt='<?php echo $clang->gT("Export template").' - '.$clang->gT("Please change the directory permissions of the folders /tmp and /upload/templates in order to enable this option."); ?>' />
if (Permission::model()->hasGlobalPermission('templates','import'))
{ ?>
<img src='<?php echo $sImageURL; ?>import_disabled.png' alt='<?php echo $clang->gT("Import template").' - '.$clang->gT("Please change the directory permissions of the folders /tmp and /upload/templates in order to enable this option."); ?>' />
<?php }
if (Permission::model()->hasGlobalPermission('templates','export'))
{ ?>
<img src='<?php echo $sImageURL; ?>export_disabled.png' alt='<?php echo $clang->gT("Export template").' - '.$clang->gT("Please change the directory permissions of the folders /tmp and /upload/templates in order to enable this option."); ?>' />
<?php
} ?>
<img src='<?php echo $sImageURL; ?>separator.gif' class='separator' alt='' />
<img src='<?php echo $sImageURL; ?>copy_disabled.png' alt='<?php echo $clang->gT("Copy template").' - '.$clang->gT("Please change the directory permissions of the folders /tmp and /upload/templates in order to enable this option."); ?>' />
<?php
<?php
if (Permission::model()->hasGlobalPermission('templates','create'))
{ ?>
<img src='<?php echo $sImageURL; ?>copy_disabled.png' alt='<?php echo $clang->gT("Copy template").' - '.$clang->gT("Please change the directory permissions of the folders /tmp and /upload/templates in order to enable this option."); ?>' />
<?php
}
}

if (is_template_editable($templatename))
if (is_template_editable($templatename))
{
if (Permission::model()->hasGlobalPermission('templates','update'))
{ ?>
<a href='#' onclick="javascript: copyprompt('<?php $clang->eT("Rename this template to:"); ?>', '<?php echo $templatename; ?>', '<?php echo $templatename; ?>', 'rename');">
<img src='<?php echo $sImageURL; ?>edit.png' alt='<?php $clang->eT("Rename this template"); ?>' /></a>
<a href='#' onclick='if (confirm("<?php $clang->eT("Are you sure you want to delete this template?", "js"); ?>")) window.open("<?php echo $this->createUrl('admin/templates/sa/delete/templatename/'.$templatename); ?>", "_top")' >
<img src='<?php echo $sImageURL; ?>delete.png' alt='<?php $clang->eT("Delete this template"); ?>'/></a>
<?php
<a href='#' onclick="javascript: copyprompt('<?php $clang->eT("Rename this template to:"); ?>', '<?php echo $templatename; ?>', '<?php echo $templatename; ?>', 'rename');">
<img src='<?php echo $sImageURL; ?>edit.png' alt='<?php $clang->eT("Rename this template"); ?>' /></a>
<?php
}
if (Permission::model()->hasGlobalPermission('templates','delete'))
{ ?>
<a href='#' onclick='if (confirm("<?php $clang->eT("Are you sure you want to delete this template?", "js"); ?>")) window.open("<?php echo $this->createUrl('admin/templates/sa/delete/templatename/'.$templatename); ?>", "_top")' >
<img src='<?php echo $sImageURL; ?>delete.png' alt='<?php $clang->eT("Delete this template"); ?>'/></a>
<?php
}
} ?>
<img src='<?php echo $sImageURL; ?>blank.gif' alt='' width='20' height='10' />
<?php
if(!is_writable($usertemplaterootdir))
{ ?>
<img src='<?php echo $sImageURL; ?>export_disabled.png' alt='<?php echo $clang->gT("Export template").' - '.sprintf($clang->gT("Please change the directory permissions of the folder %s in order to enable this option"),$tempdir); ?>' />
<img src='<?php echo $sImageURL; ?>import_disabled.png' alt='<?php echo $clang->gT("Import template").' - '.sprintf($clang->gT("Please change the directory permissions of the folder %s in order to enable this option"),$tempdir); ?>' title='' />
<img src='<?php echo $sImageURL; ?>separator.gif' class='separator' alt='' />
<a href='#' onclick="javascript: copyprompt('<?php $clang->eT("Please enter the name for the copied template:"); ?>', '<?php echo $clang->gT("copy_of_")."$templatename"; ?>', '<?php echo $templatename; ?>', 'copy')">
<img src='<?php echo $sImageURL; ?>copy.png' alt='<?php $clang->eT("Copy template"); ?>' /></a>
<?php
}?>


</div>
<div class='menubar-right'>
Expand All @@ -120,9 +141,15 @@ function copyprompt(text, defvalue, copydirectory, action)
<select class="listboxtemplates" id='listboxtemplates' name='screenname' onchange="javascript: window.open('<?php echo $this->createUrl("admin/templates/sa/screenredirect/editfile/".$editfile."/templatename/".$templatename); ?>/screenname/'+escape(this.value), '_top')">
<?php echo makeoptions($screens, "id", "name", HTMLEscape($screenname) ); ?>
</select>
<a href='#' onclick="javascript: copyprompt('<?php $clang->eT("Create new template called:"); ?>', '<?php $clang->eT("NewTemplate"); ?>', 'default', 'copy')">
<img src='<?php echo $sImageURL; ?>add.png' alt='<?php $clang->eT("Create new template"); ?>' /></a>
<img src='<?php echo $sImageURL; ?>separator.gif' class='separator' alt='' />
<?php
if (Permission::model()->hasGlobalPermission('templates','create'))
{ ?>
<a href='#' onclick="javascript: copyprompt('<?php $clang->eT("Create new template called:"); ?>', '<?php $clang->eT("NewTemplate"); ?>', 'default', 'copy')">
<img src='<?php echo $sImageURL; ?>add.png' alt='<?php $clang->eT("Create new template"); ?>' /></a>
<img src='<?php echo $sImageURL; ?>separator.gif' class='separator' alt='' />
<?php
}
?>
<a href="<?php echo $this->createUrl("admin/authentication/sa/logout"); ?>">
<img src='<?php echo $sImageURL; ?>logout.png' alt='<?php $clang->eT("Logout"); ?>' /></a>
<img src='<?php echo $sImageURL; ?>blank.gif' alt='' width='20' />
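Review bot: The fallback branch `if(!is_writable($usertemplaterootdir))` near the end of the first section (the lines rendering `export_disabled.png`, `import_disabled.png` and the Copy link via `copyprompt(..., 'copy')`) is left without the `hasGlobalPermission('templates','create')` check that the writable branch now applies to the same Copy control, so a user lacking create permission still sees the link there and only hits the controller's refusal on click. These lines appear to be unchanged context rather than part of the change, but wrapping that `<a ...>` block in the same `<?php if (Permission::model()->hasGlobalPermission('templates','create')) { ?> … <?php } ?>` guard would keep the toolbar consistent with the other branches. The permission checks in this view are presentation only; the actual enforcement is the controller-side checks in templates.php, which this commit adds, so the inconsistency is a usability gap rather than an access-control gap. The `<?php` block containing these checks is opened before this file section's first hunk, so the surrounding control flow is partly outside view.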
