Updating rule input is not a token protected action
slusarz committed Nov 4, 2013
1 parent 7689d5c commit d363fd2
Showing 3 changed files with 126 additions and 134 deletions.
2 changes: 1 addition & 1 deletion ingo/lib/Api.php
Expand Up @@ -61,7 +61,7 @@ public function links()

$links = array(
// @since 3.2.0
'newEmailFilter' => strval(Ingo_Basic_Rule::url()) . '&actionID=rule_update&field[0]=From&match[0]=is&value[0]=|email|',
'newEmailFilter' => strval(Ingo_Basic_Rule::url()) . '&field[0]=From&match[0]=is&value[0]=|email|',
'showFilters' => strval(Ingo_Basic_Filters::url())
);

256 changes: 124 additions & 132 deletions ingo/lib/Basic/Rule.php
Expand Up @@ -40,6 +40,11 @@ protected function _init()
Ingo_Basic_Filters::url()->redirect();
}

if (!Ingo::hasSharePermission(Horde_Perms::EDIT)) {
$notification->push(_("You do not have permission to edit filter rules."), 'horde.error');
Ingo_Basic_Filters::url()->redirect();
}

/* Load the Ingo_Script:: driver. */
$ingo_script = $injector->getInstance('Ingo_Factory_Script')->create(Ingo::RULE_FILTER);

Expand All @@ -60,170 +65,140 @@ protected function _init()
/* Token checking. */
$actionID = $this->_checkToken(array(
'rule_save',
'rule_update',
'rule_delete'
));

/* Run through action handlers. */
switch ($actionID) {
case 'rule_save':
case 'rule_update':
case 'rule_delete':
$rule = array(
'id' => $this->vars->id,
'name' => $this->vars->name,
'combine' => $this->vars->combine,
'conditions' => array()
);
/* Update the current rules before performing any action. */
$rule = array(
'action' => $this->vars->action,
'combine' => $this->vars->combine,
'conditions' => array(),
'flags' => 0,
'id' => $this->vars->id,
'name' => $this->vars->name,
'stop' => $this->vars->stop
);

if ($ingo_script->hasFeature('case_sensitive')) {
$casesensitive = $this->vars->case;
}

if ($ingo_script->hasFeature('case_sensitive')) {
$casesensitive = $this->vars->case;
foreach (array_filter($this->vars->field) as $key => $val) {
$condition = array();
$f_label = null;

if ($val == Ingo::USER_HEADER) {
$condition['field'] = empty($this->vars->userheader[$key])
? ''
: $this->vars->userheader[$key];
$condition['type'] = Ingo_Storage::TYPE_HEADER;
} elseif (!isset($ingo_fields[$val])) {
$condition['field'] = $val;
$condition['type'] = Ingo_Storage::TYPE_HEADER;
} else {
$condition['field'] = $val;
$f_label = $ingo_fields[$val]['label'];
$condition['type'] = $ingo_fields[$val]['type'];
}

$valid = true;
foreach (array_filter($this->vars->field) as $key => $val) {
$condition = array();
$f_label = null;

if ($val == Ingo::USER_HEADER) {
$condition['field'] = empty($this->vars->userheader[$key])
? ''
: $this->vars->userheader[$key];
$condition['type'] = Ingo_Storage::TYPE_HEADER;
} elseif (!isset($ingo_fields[$val])) {
$condition['field'] = $val;
$condition['type'] = Ingo_Storage::TYPE_HEADER;
} else {
$condition['field'] = $val;
$f_label = $ingo_fields[$val]['label'];
$condition['type'] = $ingo_fields[$val]['type'];
}
$condition['match'] = isset($this->vars->match[$key])
? $this->vars->match[$key]
: '';
$condition['match'] = isset($this->vars->match[$key])
? $this->vars->match[$key]
: '';

if (($actionID == 'rule_save') &&
empty($this->vars->value[$key]) &&
!in_array($condition['match'], array('exists', 'not exist'))) {
$notification->push(sprintf(_("You cannot create empty conditions. Please fill in a value for \"%s\"."), is_null($f_label) ? $condition['field'] : $f_label), 'horde.error');
$valid = false;
}
if (($actionID == 'rule_save') &&
empty($this->vars->value[$key]) &&
!in_array($condition['match'], array('exists', 'not exist'))) {
$notification->push(sprintf(_("You cannot create empty conditions. Please fill in a value for \"%s\"."), is_null($f_label) ? $condition['field'] : $f_label), 'horde.error');
$actionID = null;
}

$condition['value'] = isset($this->vars->value[$key])
? $this->vars->value[$key]
: '';
$condition['value'] = isset($this->vars->value[$key])
? $this->vars->value[$key]
: '';

if (isset($casesensitive)) {
$condition['case'] = isset($casesensitive[$key])
? $casesensitive[$key]
: '';
}
$rule['conditions'][] = $condition;
if (isset($casesensitive)) {
$condition['case'] = isset($casesensitive[$key])
? $casesensitive[$key]
: '';
}
$rule['conditions'][] = $condition;
}

$rule['action'] = $this->vars->action;

switch ($ingo_storage->getActionInfo($this->vars->action)->type) {
case 'folder':
if ($actionID == 'rule_save') {
try {
$rule['action-value'] = Ingo::validateFolder($this->vars, 'actionvalue');
} catch (Ingo_Exception $e) {
$notification->push($e, 'horde.error');
$valid = false;
}
} else {
$rule['action-value'] = $this->vars->actionvalue;
if (!$this->vars->actionvalue &&
isset($this->vars->actionvalue_new)) {
$page_output->addInlineScript(array(
'IngoNewFolder.setNewFolder("actionvalue", ' . Horde_Serialize::serialize($this->vars->actionvalue_new, Horde_Serialize::JSON) . ')'
), true);
}
switch ($ingo_storage->getActionInfo($this->vars->action)->type) {
case 'folder':
if ($actionID == 'rule_save') {
try {
$rule['action-value'] = Ingo::validateFolder($this->vars, 'actionvalue');
} catch (Ingo_Exception $e) {
$notification->push($e, 'horde.error');
$actionID = null;
}
break;

default:
} else {
$rule['action-value'] = $this->vars->actionvalue;
break;
if (!$this->vars->actionvalue &&
isset($this->vars->actionvalue_new)) {
$page_output->addInlineScript(array(
'IngoNewFolder.setNewFolder("actionvalue", ' . Horde_Serialize::serialize($this->vars->actionvalue_new, Horde_Serialize::JSON) . ')'
), true);
}
}
break;

$rule['stop'] = $this->vars->stop;

$rule['flags'] = 0;
$flags = empty($this->vars->flags)
? array()
: $this->vars->flags;
foreach ($flags as $val) {
$rule['flags'] |= $val;
}
default:
$rule['action-value'] = $this->vars->actionvalue;
break;
}

/* Save the rule. */
switch ($actionID) {
case 'rule_save':
if (!$valid) {
break;
}
$flags = empty($this->vars->flags)
? array()
: $this->vars->flags;
foreach ($flags as $val) {
$rule['flags'] |= $val;
}

if (!Ingo::hasSharePermission(Horde_Perms::EDIT)) {
$notification->push(_("You do not have permission to edit filter rules."), 'horde.error');
break;
}
/* Run through action handlers. */
switch ($actionID) {
case 'rule_save':
if (empty($rule['conditions'])) {
$notification->push(_("You need to select at least one field to match."), 'horde.error');
break;
}

if (empty($rule['conditions'])) {
$notification->push(_("You need to select at least one field to match."), 'horde.error');
if (!isset($this->vars->edit)) {
if ($this->_assertMaxRules($perms, $filters)) {
break;
}
$filters->addRule($rule);
} else {
$filters->updateRule($rule, $this->vars->edit);
}

if (!isset($this->vars->edit)) {
if (($perms->hasAppPermission('max_rules') !== true) &&
($perms->hasAppPermission('max_rules') <= count($filters->getFilterList()))) {
Horde::permissionDeniedError(
'ingo',
'max_rules',
sprintf(_("You are not allowed to create more than %d rules."), $perms->hasAppPermission('max_rules'))
);
break;
}
$filters->addRule($rule);
} else {
$filters->updateRule($rule, $this->vars->edit);
}

$session->set('ingo', 'change', time());
$session->set('ingo', 'change', time());

$ingo_storage->store($filters);
$notification->push(_("Changes saved."), 'horde.success');
$ingo_storage->store($filters);
$notification->push(_("Changes saved."), 'horde.success');

if ($prefs->getValue('auto_update')) {
try {
Ingo::updateScript();
} catch (Ingo_Exception $e) {
$notification->push($e, 'horde.error');
}
if ($prefs->getValue('auto_update')) {
try {
Ingo::updateScript();
} catch (Ingo_Exception $e) {
$notification->push($e, 'horde.error');
}
}

Ingo_Basic_Filters::url()->redirect();
Ingo_Basic_Filters::url()->redirect();

case 'rule_delete':
if (isset($this->vars->conditionnumber)) {
unset($rule['conditions'][intval($this->vars->conditionnumber)]);
$rule['conditions'] = array_values($rule['conditions']);
}
break;
case 'rule_delete':
if (isset($this->vars->conditionnumber)) {
unset($rule['conditions'][intval($this->vars->conditionnumber)]);
$rule['conditions'] = array_values($rule['conditions']);
}
break;
}

if (!isset($rule)) {
if (!isset($this->vars->edit)) {
if (($perms->hasAppPermission('max_rules') !== true) &&
$perms->hasAppPermission('max_rules') <= count($filters->getFilterList())) {
Horde::permissionDeniedError(
'ingo',
'max_rules',
sprintf(_("You are not allowed to create more than %d rules."), $perms->hasAppPermission('max_rules'))
);
if ($this->_assertMaxRules($perms, $filters)) {
Ingo_Basic_Filters::url()->redirect();
}
$rule = $filters->getDefaultRule();
Expand Down Expand Up @@ -369,6 +344,23 @@ protected function _init()
$this->output = $view->render('rule');
}

/**
*/
protected function _assertMaxRules($perms, $filters)
{
if (($perms->hasAppPermission('max_rules') !== true) &&
($perms->hasAppPermission('max_rules') <= count($filters->getFilterList()))) {
Horde::permissionDeniedError(
'ingo',
'max_rules',
sprintf(_("You are not allowed to create more than %d rules."), $perms->hasAppPermission('max_rules'))
);
return true;
}

return false;
}

/**
*/
static public function url(array $opts = array())
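Review bot: The `if (!isset($rule)) {` block near the end of the second hunk is unreachable on the new side, because `$rule` is now assigned unconditionally from `$this->vars` right after the token check, whereas before this commit it was only built inside the `rule_save`/`rule_update`/`rule_delete` cases. Everything inside that block, including the new `_assertMaxRules()` call and `$rule = $filters->getDefaultRule();`, can therefore never execute; if a plain page view (no rule fields posted) is still meant to load the default rule, the guard should test whether any rule input was actually submitted, for example `if (!isset($this->vars->field)) {`, rather than `isset($rule)`. The remainder of that block and the `_init()` method continue past the hunk, so I cannot see whether later code compensates for it. Separately, the new `_assertMaxRules()` helper in the third hunk has an empty docblock; a short `@return boolean  True if the max_rules limit is reached (the permission error has already been reported via Horde::permissionDeniedError()), false otherwise.` would document the side effect callers rely on.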
2 changes: 1 addition & 1 deletion ingo/templates/basic/rule/rule.html.php
@@ -1,5 +1,5 @@
<form method="post" id="rule" name="rule" action="<?php echo $this->formurl ?>">
<input type="hidden" name="actionID" id="actionID" value="rule_update" />
<input type="hidden" name="actionID" id="actionID" value="" />
<input type="hidden" name="conditionnumber" value="-1" />
<?php if (!is_null($this->edit)): ?>
<input type="hidden" name="edit" value="<?php echo $this->edit ?>" />

0 comments on commit d363fd2

Please sign in to comment.