Fix for #1727, #1729 and #1733
LAUMAILLE committed Apr 20, 2017
1 parent b318f22 commit a7ff938
Showing 5 changed files with 65 additions and 20 deletions.
4 changes: 4 additions & 0 deletions changelog.md
@@ -1,4 +1,8 @@
2.1.27
#1733 Copy Item doesn't work if copy from public to public folders
#1729 Protection against bigger data than database field size
#1727 Cannot edit or delete entry in the Personal folder

Secure fixes
Session increase time feature is now increasing with the expected user session duration
Default language cannot be changed fix
17 changes: 6 additions & 11 deletions items.load.php
Expand Up @@ -1259,15 +1259,15 @@ function AfficherDetailsItem(id, salt_key_required, expired_item, restricted, di
page : "items",
key : "<?php echo $_SESSION['key'];?>"
},
function(data) {
function(data_raw) {
//decrypt data
try {
data = prepareExchangedData(data , "decode", "<?php echo $_SESSION['key'];?>");
data = prepareExchangedData(data_raw , "decode", "<?php echo $_SESSION['key'];?>");
} catch (e) {
// error
$("#div_loading").hide();
$("#request_ongoing").val("");
$("#div_dialog_message_text").html("An error appears. Answer from Server cannot be parsed!<br /><br />Returned data:<br />"+data);
$("#div_dialog_message_text").html("An error appears. Answer from Server cannot be parsed!<br /><br />Returned data:<br />"+data_raw);
$("#div_dialog_message").show();
return;
}
Expand Down Expand Up @@ -1857,8 +1857,7 @@ function open_edit_item_div(restricted_to_roles)
{
// is user read only and it is not a personal folder
if (
($('#recherche_group_pf').val() == 0 && $("#user_is_read_only").length && $("#user_is_read_only").val() == "1") ||
$("#access_level").val() === "1" || $("#access_level").val() === "2" || $("#access_level").val() === "3"
($('#recherche_group_pf').val() === "0" && $("#user_is_read_only").length && $("#user_is_read_only").val() === "1") && ($("#access_level").val() === "1" || $("#access_level").val() === "2" || $("#access_level").val() === "3")
) {
displayMessage("<?php echo $LANG['error_not_allowed_to'];?>");
return false;
Expand Down Expand Up @@ -2600,12 +2599,8 @@ function(data) {
},
function(data) {
//check if format error
if (data[0].error == "no_item") {
$("#copy_item_to_folder_show_error").html(data[1].error_text).show();
} else if (data[0].error == "not_allowed") {
$("#copy_item_to_folder_show_error").html(data[1].error_text).show();
} else if (data[0].error == "no_psk") {
$("#copy_item_to_folder_show_error").html(data[1].error_text).show();
if (data[0].error !== "") {
$("#copy_item_to_folder_show_error").html(data[1].error_text).show(1).delay(2000).fadeOut(1000);
}
//if OK
if (data[0].status == "ok") {
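Review bot: The reworked guard in open_edit_item_div no longer blocks users whose access_level is "1", "2" or "3" unless they are also flagged read-only in a non-personal folder, because the `||` between the two conditions became `&&`; if the intent of #1727 was only to exempt personal folders from the check, the folder test should wrap both conditions instead: `($('#recherche_group_pf').val() === "0" && (($("#user_is_read_only").length && $("#user_is_read_only").val() === "1") || $("#access_level").val() === "1" || $("#access_level").val() === "2" || $("#access_level").val() === "3"))`. Either way this is a UI gate only, and whether the server-side handler enforces the same rule cannot be confirmed from this hunk. In the copy-item callback, `data[0].error !== ""` is also true when `error` is absent (undefined), so `data[1].error_text` may be rendered as "undefined"; `if (data[0].error)` would cover both the empty and the missing case. The function bodies continue outside these hunks.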
2 changes: 1 addition & 1 deletion items.php
Expand Up @@ -896,7 +896,6 @@
// DIALOG TO WHAT FOLDER COPYING ITEM
echo '
<div id="div_copy_item_to_folder" style="display:none;">
<div id="copy_item_to_folder_show_error" style="text-align:center;margin:2px;display:none;" class="ui-state-error ui-corner-all"></div>
<h2 id="div_copy_item_to_folder_item"></h2>
<div style="text-align:center;">
<div>'.$LANG['item_copy_to_folder'].'</div>
Expand All @@ -906,6 +905,7 @@
'</select>
</div>
</div>
<div id="copy_item_to_folder_show_error" style="text-align:center;margin:2px;display:none; padding:3px;" class="ui-state-error ui-corner-all"></div>
<div style="height:20px;text-align:center;margin:2px;" id="copy_item_info" class=""></div>
</div>';
// DIALOG FOR HISTORY OF ITEM
12 changes: 6 additions & 6 deletions sources/import.queries.php
Expand Up @@ -271,9 +271,9 @@ function sanitiseString($str, $crLFReplacement) {
'description' => $item[4],
'pw' => $encrypt['string'],
'pw_iv' => $encrypt['iv'],
'url' => $item[3],
'url' => substr($item[3], 0, 500),
'id_tree' => $_POST['folder'],
'login' => $item[1],
'login' => substr($item[1], 0, 200),
'anyone_can_modify' => $_POST['import_csv_anyone_can_modify'] == "true" ? 1 : 0
)
);
Expand Down Expand Up @@ -318,7 +318,7 @@ function sanitiseString($str, $crLFReplacement) {
'description' => $item[4],
'id_tree' => $_POST['folder'],
'perso' => $personalFolder == 0 ? 0 : 1,
'login' => $item[1],
'login' => substr($item[1], 0, 500),
'folder' => $data_fld['title'],
'author' => $_SESSION['user_id'],
'timestamp' => time(),
Expand Down Expand Up @@ -867,9 +867,9 @@ function recursiveKeepassXML($xmlRoot, $xmlLevel = 0)
'description' => stripslashes(str_replace($lineEndSeparator, '<br />', $item[KP_NOTES])),
'pw' => $encrypt['string'],
'pw_iv' => $encrypt['iv'],
'url' => stripslashes($item[KP_URL]),
'url' => substr(stripslashes($item[KP_URL]), 0, 500),
'id_tree' => $folderId,
'login' => stripslashes($item[KP_USERNAME]),
'login' => substr(stripslashes($item[KP_USERNAME]), 0, 500),
'anyone_can_modify' => $_POST['import_kps_anyone_can_modify'] == "true" ? 1 : 0
)
);
Expand Down Expand Up @@ -909,7 +909,7 @@ function recursiveKeepassXML($xmlRoot, $xmlLevel = 0)
'description' => stripslashes(str_replace($lineEndSeparator, '<br />', $item[KP_NOTES])),
'id_tree' => $folderId,
'perso' => $personalFolder == 0 ? 0 : 1,
'login' => stripslashes($item[KP_USERNAME]),
'login' => substr(stripslashes($item[KP_USERNAME]), 0, 500),
'folder' => $data['title'],
'author' => $_SESSION['user_id'],
'timestamp' => time()
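Review bot: The login truncation limits disagree between import paths: the CSV item insert cuts `login` at 200 (`substr($item[1], 0, 200)`) while the KeePass insert that looks like it targets the same item record cuts it at 500 (`substr(stripslashes($item[KP_USERNAME]), 0, 500)`); both limits should come from one named constant per column so the bound matches the schema in every path. `substr` counts bytes, so a cut that lands inside a multibyte UTF-8 character leaves a broken trailing sequence; `mb_strcut($s, 0, 500)` keeps the result valid, or `mb_substr` if the column limit is in characters rather than bytes. The truncation is also silent, so a short note in the import result when a field was shortened would let the user notice the lost data. The enclosing functions begin and end outside these hunks.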
50 changes: 48 additions & 2 deletions sources/items.queries.php
Expand Up @@ -1046,6 +1046,24 @@

// this item is now private
$is_perso = 1;
} else if ($originalRecord['perso'] === "0" && $dataDestination['personal_folder'] === "0") {
// decrypt and re-encrypt password
$decrypt = cryption(
$originalRecord['pw'],
"",
"decrypt"
);
$encrypt = cryption(
$decrypt['string'],
"",
"encrypt"
);

// reaffect pw
$originalRecord['pw'] = $encrypt['string'];

// is public item
$is_perso = 0;
} else {
$returnValues = '[{"error" : "case_not_managed"}, {"error_text" : "ERROR - case is not managed"}]';
echo $returnValues;
Expand Down Expand Up @@ -1084,7 +1102,7 @@
$newID
);
// Add attached itms
$rows = DB::query("SELECT * FROM ".prefix_table("files")." WHERE id_item=%i",$newID);
$rows = DB::query("SELECT * FROM ".prefix_table("files")." WHERE id_item=%i", $_POST['item_id']);
foreach ($rows as $record) {
DB::insert(
prefix_table('files'),
Expand All @@ -1098,6 +1116,34 @@
)
);
}

// Add specific restrictions
$rows = DB::query("SELECT * FROM ".prefix_table("restriction_to_roles")." WHERE item_id = %i", $_POST['item_id']);
foreach ($rows as $record) {
DB::insert(
prefix_table('restriction_to_roles'),
array(
'item_id' => $newID,
'role_id' => $record['role_id']
)
);
}

// Add Tags
$rows = DB::query("SELECT * FROM ".prefix_table("tags")." WHERE item_id = %i", $_POST['item_id']);
foreach ($rows as $record) {
DB::insert(
prefix_table('tags'),
array(
'item_id' => $newID,
'tag' => $record['tag']
)
);
}

// Add custom fields


// Add this duplicate in logs
logItems($newID, $originalRecord['label'], $_SESSION['user_id'], 'at_creation', $_SESSION['login']);
// Add the fact that item has been copied in logs
Expand Down Expand Up @@ -1283,7 +1329,7 @@
||
(isset($_SESSION['settings']['anyone_can_modify']) && $_SESSION['settings']['anyone_can_modify'] == 1 && $dataItem['anyone_can_modify'] == 1 && (in_array($dataItem['id_tree'], $_SESSION['groupes_visibles']) || $_SESSION['is_admin'] == 1) && $restrictionActive == false)
||
(isset($_POST['folder_id']) && in_array($_POST['id'], $_SESSION['list_folders_limited'][$_POST['folder_id']]))
(isset($_POST['folder_id']) && isset($_SESSION['list_folders_limited'][$_POST['folder_id']]) && in_array($_POST['id'], $_SESSION['list_folders_limited'][$_POST['folder_id']]))
) {
// Allow show details
$arrData['show_details'] = 1;
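Review bot: `// Add custom fields` is an empty placeholder, so a copy produced by this branch silently drops the source item's custom-field values; either implement the copy here or replace the stub with `// TODO: custom fields are not copied yet` so the gap stays visible to the next maintainer. The new lookups read `$_POST['item_id']` for files, restriction_to_roles and tags, which is the right source record (the previous `$newID` lookup could never match anything), but it presumes an access check on `item_id` earlier in this case that lies outside the hunk and cannot be confirmed here. In the last hunk the added `isset()` guard is correct, but the surrounding `in_array($_POST['id'], ...)` still compares loosely against user input; if the stored ids are integers, `in_array((int) $_POST['id'], ..., true)` is the strict form. All three hunks sit inside code that starts and ends outside the view.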
