Merge pull request from GHSA-xp3x-3h8q-c386
Improper access control
matks committed Jun 29, 2020
2 parents 30b6a7b + f3da110 commit 8833d95
Showing 9 changed files with 239 additions and 195 deletions.
63 changes: 35 additions & 28 deletions admin-dev/themes/new-theme/js/components/module-card.js
Expand Up @@ -249,43 +249,50 @@ export default class ModuleCard {
}).done(function (result) {
if (typeof result === undefined) {
$.growl.error({message: "No answer received from server"});
} else {
var moduleTechName = Object.keys(result)[0];
return;
}

if (result[moduleTechName].status === false) {
if (typeof result[moduleTechName].confirmation_subject !== 'undefined') {
self._confirmPrestaTrust(result[moduleTechName]);
}
if (typeof result.status !== 'undefined' && result.status === false) {
$.growl.error({message: result.msg});
return;
}

$.growl.error({message: result[moduleTechName].msg});
} else {
$.growl.notice({message: result[moduleTechName].msg});
var moduleTechName = Object.keys(result)[0];

var alteredSelector = self._getModuleItemSelector().replace('.', '');
var mainElement = null;
if (result[moduleTechName].status === false) {
if (typeof result[moduleTechName].confirmation_subject !== 'undefined') {
self._confirmPrestaTrust(result[moduleTechName]);
}

if (action == "uninstall") {
mainElement = jqElementObj.closest('.' + alteredSelector);
mainElement.remove();
$.growl.error({message: result[moduleTechName].msg});
return;
}

BOEvent.emitEvent("Module Uninstalled", "CustomEvent");
} else if (action == "disable") {
mainElement = jqElementObj.closest('.' + alteredSelector);
mainElement.addClass(alteredSelector + '-isNotActive');
mainElement.attr('data-active', '0');
$.growl.notice({message: result[moduleTechName].msg});

BOEvent.emitEvent("Module Disabled", "CustomEvent");
} else if (action == "enable") {
mainElement = jqElementObj.closest('.' + alteredSelector);
mainElement.removeClass(alteredSelector + '-isNotActive');
mainElement.attr('data-active', '1');
var alteredSelector = self._getModuleItemSelector().replace('.', '');
var mainElement = null;

BOEvent.emitEvent("Module Enabled", "CustomEvent");
}
if (action == "uninstall") {
mainElement = jqElementObj.closest('.' + alteredSelector);
mainElement.remove();

jqElementObj.replaceWith(result[moduleTechName].action_menu_html);
}
BOEvent.emitEvent("Module Uninstalled", "CustomEvent");
} else if (action == "disable") {
mainElement = jqElementObj.closest('.' + alteredSelector);
mainElement.addClass(alteredSelector + '-isNotActive');
mainElement.attr('data-active', '0');

BOEvent.emitEvent("Module Disabled", "CustomEvent");
} else if (action == "enable") {
mainElement = jqElementObj.closest('.' + alteredSelector);
mainElement.removeClass(alteredSelector + '-isNotActive');
mainElement.attr('data-active', '1');

BOEvent.emitEvent("Module Enabled", "CustomEvent");
}

jqElementObj.replaceWith(result[moduleTechName].action_menu_html);
}).fail(function() {
const moduleItem = jqElementObj.closest('module-item-list');
const techName = moduleItem.data('techName');
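Review bot: The guard `if (typeof result === undefined)` at the top of the `.done` callback can never be true, because `typeof` yields a string and it is compared against the `undefined` value; an undefined `result` therefore reaches `Object.keys(result)`, which throws, instead of producing the growl error. Change it to `if (typeof result === 'undefined' || Object.keys(result).length === 0) {` so that both a missing body and an empty object take the early-return path. The new `result.status === false` branch for the server-side permission denial is correct, but it relies on this guard having already rejected a non-object response. The method enclosing this callback begins and ends outside the hunk.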
296 changes: 148 additions & 148 deletions admin-dev/themes/new-theme/package-lock.json


2 changes: 1 addition & 1 deletion admin-dev/themes/new-theme/public/module.bundle.js


2 changes: 1 addition & 1 deletion admin-dev/themes/new-theme/public/module_card.bundle.js


5 changes: 1 addition & 4 deletions classes/controller/AdminController.php
Expand Up @@ -536,10 +536,7 @@ public function __construct($forceControllerName = '', $default_theme_name = 'de
}

// Check if logged on Addons
$this->logged_on_addons = false;
if (isset($this->context->cookie->username_addons, $this->context->cookie->password_addons) && !empty($this->context->cookie->username_addons) && !empty($this->context->cookie->password_addons)) {
$this->logged_on_addons = true;
}
$this->logged_on_addons = !empty($this->context->cookie->username_addons) && !empty($this->context->cookie->password_addons);

// Set context mode
if (defined('_PS_HOST_MODE_') && _PS_HOST_MODE_) {
5 changes: 5 additions & 0 deletions controllers/admin/AdminCarriersController.php
Expand Up @@ -492,6 +492,11 @@ public function postProcess()
}
parent::postProcess();
} elseif (isset($_GET['isFree' . $this->table])) {
if (!$this->access('edit')) {
$this->errors[] = $this->trans('You do not have permission to edit this.', [], 'Admin.Notifications.Error');
return;
}

$this->processIsFree();
} else {
// if deletion : removes the carrier from the warehouse/carrier association
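Review bot: The new `access('edit')` guard in the `isFree` branch carries no comment saying why this branch needs its own permission check, so a later reader may assume `postProcess()` already covers it and remove it as redundant. Suggest adding above the `if`: `// NOTE: reached via a bare GET flag; processIsFree() presumably does not go through the generic update path that enforces permissions, so check 'edit' here explicitly — confirm against parent::postProcess()`. Also note that the `return;` leaves `postProcess()` before anything that follows the `if/elseif/else` chain, which the hunk does not show; verify nothing required runs after it. The enclosing `postProcess()` starts and ends outside the hunk.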
9 changes: 9 additions & 0 deletions src/Adapter/Module/Module.php
Expand Up @@ -39,6 +39,15 @@
*/
class Module implements ModuleInterface
{
const ACTION_INSTALL = 'install';
const ACTION_UNINSTALL = 'uninstall';
const ACTION_ENABLE = 'enable';
const ACTION_DISABLE = 'disable';
const ACTION_ENABLE_MOBILE = 'enable_mobile';
const ACTION_DISABLE_MOBILE = 'disable_mobile';
const ACTION_RESET = 'reset';
const ACTION_UPGRADE = 'upgrade';

/** @var LegacyModule Module The instance of the legacy module */
public $instance = null;

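Review bot: The eight `ACTION_*` constants are added without a visibility modifier and without a comment tying them to their consumer. Declaring them `public const` makes the intended API explicit (available when the project's minimum PHP version is 7.1 or later), and a short docblock above the group such as `/** Values of the 'action' request parameter dispatched by ModuleController::moduleAction(); keep in sync with its permission switch. */` tells a maintainer where these strings must stay consistent. The class body continues outside the hunk.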
49 changes: 36 additions & 13 deletions src/PrestaShopBundle/Controller/Admin/Improve/ModuleController.php
Expand Up @@ -30,6 +30,7 @@
use Exception;
use Module;
use PrestaShop\PrestaShop\Adapter\Module\AdminModuleDataProvider;
use PrestaShop\PrestaShop\Adapter\Module\Module as ModuleAdapter;
use PrestaShop\PrestaShop\Core\Addon\AddonListFilter;
use PrestaShop\PrestaShop\Core\Addon\AddonListFilterStatus;
use PrestaShop\PrestaShop\Core\Addon\AddonListFilterType;
Expand Down Expand Up @@ -58,7 +59,7 @@ class ModuleController extends ModuleAbstractController
const MAX_MODULES_DISPLAYED = 6;

/**
* @AdminSecurity("is_granted(['read', 'create', 'update', 'delete'], 'ADMINMODULESSF_')")
* @AdminSecurity("is_granted(['read'], 'ADMINMODULESSF_')")
*
* @return Response
*/
Expand Down Expand Up @@ -87,7 +88,7 @@ public function catalogAction()
/**
* Controller responsible for displaying "Catalog Module Grid" section of Module management pages with ajax.
*
* @AdminSecurity("is_granted(['read', 'create', 'update', 'delete'], 'ADMINMODULESSF_')")
* @AdminSecurity("is_granted(['read'], 'ADMINMODULESSF_')")
*
* @param Request $request
*
Expand Down Expand Up @@ -146,7 +147,7 @@ public function manageAction()
}

/**
* @AdminSecurity("is_granted(['read', 'create', 'update', 'delete'], 'ADMINMODULESSF_')")
* @AdminSecurity("is_granted(['read'], 'ADMINMODULESSF_')")
*
* @param Request $request
*
Expand Down Expand Up @@ -263,7 +264,7 @@ public function configureModuleAction($module_name)
}

/**
* @AdminSecurity("is_granted(['read', 'create', 'update', 'delete'], 'ADMINMODULESSF_')")
* @AdminSecurity("is_granted(['read'], 'ADMINMODULESSF_')")
*
* @param Request $request
*
Expand Down Expand Up @@ -353,14 +354,37 @@ public function refreshCatalogAction(Request $request)
*/
public function moduleAction(Request $request)
{
$deniedAccess = $this->checkPermissions(
[
PageVoter::LEVEL_READ,
PageVoter::LEVEL_UPDATE,
PageVoter::LEVEL_CREATE,
PageVoter::LEVEL_DELETE,
]
);
$action = $request->get('action');

switch ($action) {
case ModuleAdapter::ACTION_UPGRADE:
case ModuleAdapter::ACTION_RESET:
case ModuleAdapter::ACTION_ENABLE:
case ModuleAdapter::ACTION_DISABLE:
case ModuleAdapter::ACTION_ENABLE_MOBILE:
case ModuleAdapter::ACTION_DISABLE_MOBILE:
$deniedAccess = $this->checkPermissions(
[
PageVoter::LEVEL_UPDATE,
]
);
break;
case ModuleAdapter::ACTION_INSTALL:
$deniedAccess = $this->checkPermissions(
[
PageVoter::LEVEL_CREATE,
]
);
break;
case ModuleAdapter::ACTION_UNINSTALL:
$deniedAccess = $this->checkPermissions(
[
PageVoter::LEVEL_DELETE,
]
);
break;
}

if (null !== $deniedAccess) {
return $deniedAccess;
}
Expand All @@ -369,7 +393,6 @@ public function moduleAction(Request $request)
return $this->getDisabledFunctionalityResponse($request);
}

$action = $request->get('action');
$module = $request->get('module_name');
$moduleManager = $this->container->get('prestashop.module.manager');
$moduleManager->setActionParams($request->request->get('actionParams', []));
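Review bot: The `switch` on `$action` in `moduleAction()` has no `default` branch, so for any action value not listed (or a missing `action` parameter) `$deniedAccess` is never assigned, and the `if (null !== $deniedAccess)` test that follows reads an undefined variable, evaluates to null, and lets the request continue past the permission check. Before this change every call went through the single `checkPermissions` call with all four levels; restoring that as the fallback keeps unknown actions at least as restricted as before: `default:` / `$deniedAccess = $this->checkPermissions([PageVoter::LEVEL_UPDATE, PageVoter::LEVEL_CREATE, PageVoter::LEVEL_DELETE]);` / `break;` (or return an explicit forbidden response if the controller has a helper for that). Whether the module manager later rejects unknown actions is not visible here, so the guard should not rely on it. The body of `moduleAction()` continues past the end of the hunk.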
Expand Up @@ -27,6 +27,7 @@
namespace PrestaShopBundle\Controller\Api\Improve\Design;

use PrestaShopBundle\Controller\Api\ApiController;
use PrestaShopBundle\Security\Annotation\AdminSecurity;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;

Expand All @@ -35,6 +36,8 @@ class PositionsController extends ApiController
/**
* Update positions.
*
* @AdminSecurity("is_granted(['update'], request.get('_legacy_controller'))")
*
* @param Request $request
*
* @return JsonResponse
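Review bot: The new `@AdminSecurity` annotation takes its permission subject from `request.get('_legacy_controller')`, i.e. from a value the caller supplies, so the check verifies `update` on whichever legacy controller name the request carries rather than on a fixed resource. Unless `_legacy_controller` is constrained elsewhere (not visible in this hunk), either name the controller this endpoint belongs to in the annotation or have the action validate the parameter against the set of controllers whose positions it may update before acting on it. A one-line docblock note listing the `_legacy_controller` values expected here would also help reviewers. The annotated method's body lies outside the hunk.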
