N°1328 Fix CSV import : check if user has rights on imported class

pgoiffon · pgoiffon · commit eb77b7a2473d · 2018-04-03T13:36:27.000Z
git-svn-id: http://svn.code.sf.net/p/itop/code/trunk@5597 a333f486-631f-4898-b8df-5754b55c2be0
diff --git a/pages/csvimport.php b/pages/csvimport.php
@@ -192,6 +192,13 @@ function DisplaySynchroBanner(WebPage $oP, $sClass, $iCount)
 	 */
 	function ProcessCSVData(WebPage $oPage, $bSimulate = true)
 	{
+		$sClassName = utils::ReadParam('class_name', '', false, 'class');
+		// Class access right check for the import
+		if (UserRights::IsActionAllowed($sClassName, UR_ACTION_MODIFY) == UR_ALLOWED_NO)
+		{
+			throw new CoreException(Dict::S('UI:ActionNotAllowed'));
+		}
+
 		$aResult = array();
 		$sCSVData = utils::ReadParam('csvdata', '', false, 'raw_data');
 		$sCSVDataTruncated = utils::ReadParam('csvdata_truncated', '', false, 'raw_data');
@@ -203,7 +210,6 @@ function ProcessCSVData(WebPage $oPage, $bSimulate = true)
 		{
 			$iSkippedLines = utils::ReadParam('nb_skipped_lines', '0');
 		}
-		$sClassName = utils::ReadParam('class_name', '', false, 'class');
 		$aFieldsMapping = utils::ReadParam('field', array(), false, 'raw_data');
 		$aSearchFields = utils::ReadParam('search_field', array(), false, 'field_name');
 		$iCurrentStep = $bSimulate ? 4 : 5;
