Skip to content
This repository has been archived by the owner on Nov 3, 2023. It is now read-only.

Commit

Permalink
Better permission check for toggleSubpalette (see #4427)
Browse files Browse the repository at this point in the history
  • Loading branch information
leofeyer committed Jun 12, 2012
1 parent 5d3dd72 commit 2bf4fc3
Showing 1 changed file with 10 additions and 0 deletions.
10 changes: 10 additions & 0 deletions system/modules/backend/Ajax.php
Original file line number Diff line number Diff line change
Expand Up @@ -297,6 +297,16 @@ public function executePostActions(DataContainer $dc)

// Toggle subpalettes
case 'toggleSubpalette':
$this->import('BackendUser', 'User');

// Check whether the field is a selector field and allowed for regular users (see #4427)
if (!is_array($GLOBALS['TL_DCA'][$dc->table]['palettes']['__selector__']) || !in_array($this->Input->post('field'), $GLOBALS['TL_DCA'][$dc->table]['palettes']['__selector__']) || ($GLOBALS['TL_DCA'][$dc->table]['fields'][$this->Input->post('field')]['exclude'] && !$this->User->hasAccess($dc->table . '::' . $this->Input->post('field'), 'alexf')))
{
$this->log('Field "' . $this->Input->post('field') . '" is not an allowed selector field (possible SQL injection attempt)', 'Ajax executePostActions()', TL_ERROR);
header('HTTP/1.1 400 Bad Request');
die('Bad Request');
}

if ($dc instanceof DC_Table)
{
if ($this->Input->get('act') == 'editAll')
Expand Down

0 comments on commit 2bf4fc3

Please sign in to comment.