

Fixed #11004: [security] Unauthorized access to certain admin pages b…
…y restricted admins
c-schmitz committed Apr 22, 2016
1 parent 14002a6 commit f28ff15
Showing 3 changed files with 8 additions and 17 deletions.
17 changes: 4 additions & 13 deletions application/controllers/admin/globalsettings.php
Expand Up @@ -26,8 +26,10 @@ function __construct($controller, $id)
{
parent::__construct($controller, $id);

if (!Permission::model()->hasGlobalPermission('settings','read')) {
die();
if (! Permission::model()->hasGlobalPermission('settings', 'read') )
{
Yii::app()->session['flashmessage'] =gT('Access denied!');
$this->getController()->redirect(App()->createUrl("/admin"));
}
}

Expand All @@ -39,11 +41,6 @@ function __construct($controller, $id)
*/
public function index()
{
if (! Permission::model()->hasGlobalPermission('settings', 'view') )
{
Yii::app()->session['flashmessage'] =gT('Access denied!');
$this->getController()->redirect(App()->createUrl("/admin"));
}
if (!empty($_POST['action'])) {
$this->_saveSettings();
}
Expand All @@ -52,12 +49,6 @@ public function index()

public function showphpinfo()
{
if (! Permission::model()->hasGlobalPermission('settings', 'view') )
{
Yii::app()->session['flashmessage'] =gT('Access denied!');
$this->getController()->redirect(App()->createUrl("/admin"));
}

if (!Yii::app()->getConfig('demoMode')) {
phpinfo();
}
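Review bot: With the per-action checks removed, `index()` still calls `_saveSettings()` on any POST carrying `action`, while the only remaining gate is the constructor's `hasGlobalPermission('settings', 'read')`, so a user holding just read permission on settings can write global settings unless `_saveSettings()` enforces its own check (its body is outside this diff). The write path should require the update permission, e.g. change the condition to `if (!empty($_POST['action']) && Permission::model()->hasGlobalPermission('settings', 'update')) {` and give the denied case the same flash message and redirect the constructor uses. The same read-level gate now covers `showphpinfo()`, which emits full `phpinfo()` output unless `demoMode` is set; that level of disclosure is arguably an update/superadmin-level action rather than a read one. Both `index()` and `showphpinfo()` continue past their hunks.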
6 changes: 3 additions & 3 deletions application/controllers/admin/homepagesettings.php
Expand Up @@ -31,12 +31,12 @@ public function __construct($controller, $id)
*/
public function view($id)
{
if (! Permission::model()->hasGlobalPermission('settings', 'view') )
if (!Permission::model()->hasGlobalPermission('settings', 'read') )
{
Yii::app()->session['flashmessage'] =gT('Access denied!');
$this->getController()->redirect(App()->createUrl("/admin"));
}
$this->_renderWrappedTemplate('homepagesettings', 'view', array(
$this->_renderWrappedTemplate('homepagesettings', 'read', array(
'model'=>$this->loadModel($id),
));
}
Expand Down Expand Up @@ -151,7 +151,7 @@ public function delete($id)
*/
public function index()
{
if (! Permission::model()->hasGlobalPermission('settings', 'view') )
if (! Permission::model()->hasGlobalPermission('settings', 'read') )
{
Yii::app()->session['flashmessage'] =gT('Access denied!');
$this->getController()->redirect(App()->createUrl("/admin"));
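Review bot: The `'view'` to `'read'` replacement in `view($id)` also changed the second argument of `_renderWrappedTemplate('homepagesettings', 'read', ...)`, which appears to be the template name rather than a permission: the diffstat shows only three controller files touched and no view file added or renamed, so this call would now try to render a `homepagesettings/read` view that this commit does not provide. Restore `$this->_renderWrappedTemplate('homepagesettings', 'view', array(` unless a `read` view already exists and the rename was intended. The permission-name changes in `view()` and `index()` themselves look consistent with the rest of the commit; `index()` continues past the hunk.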
2 changes: 1 addition & 1 deletion application/controllers/admin/usergroups.php
Expand Up @@ -262,7 +262,7 @@ function edit($ugid)
*/
public function index($ugid = false, $header = false)
{
if(!Permission::model()->hasGlobalPermission('usergroups','view'))
if(!Permission::model()->hasGlobalPermission('usergroups','read'))
{
Yii::app()->session['flashmessage'] =gT('Access denied!');
$this->getController()->redirect(App()->createUrl("/admin"));
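Review bot: The fix is applied one call site at a time, so any other action in this controller (e.g. `edit($ugid)`, visible only in the hunk header) or in other admin controllers that still passes `'view'` to `hasGlobalPermission()` remains open; a repository-wide search for `hasGlobalPermission(` with a `'view'` argument is needed to confirm the three files in this commit are the only ones. If the root cause is that `'view'` is not a recognised permission name, making `Permission::hasGlobalPermission()` fail closed (return false or throw) on unknown names would stop a typo from silently granting access again. The repeated check-flash-redirect block in each action could also move into the constructor, as globalsettings.php does in this same commit. `index()` continues past the hunk.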
