API Require ADMIN for ?showtemplate=1

commit d969e29d000c75d3ce2b16c50949a79afdeb4bdd 1 parent 79eacb2
@chillu chillu authored
Showing with 9 additions and 1 deletion.
  1. +8 −0 docs/en/changelogs/3.0.4.md
  2. +1 −1  view/SSViewer.php
8 docs/en/changelogs/3.0.4.md
@@ -3,6 +3,14 @@
## Overview
* Changed `dev/tests/setdb` and `dev/tests/startsession` from session to cookie storage.
+ * Require ADMIN permissions for `?showtemplate=1`
+
+## Details
+
+### Require ADMIN permissions for `?showtemplate=1`
+
+Avoids information leakage of compiled template data,
+which might expose some of the internal template logic.
## Upgrading
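Review bot: The new Details text (the two lines starting "Avoids information leakage") gives the motivation but not the behaviour change a developer will notice. It should state plainly that `?showtemplate=1` now outputs the compiled template only for users with the ADMIN permission, and that anyone who used it while logged out has to log in first. Because the commit title marks this as an API change, a sentence to that effect would also fit the existing `## Upgrading` section rather than appearing only under Details.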
2  view/SSViewer.php
@@ -821,7 +821,7 @@ public function includeRequirements($incl = true) {
* @return string - The result of executing the template
*/
protected function includeGeneratedTemplate($cacheFile, $item, $overlay, $underlay) {
- if(isset($_GET['showtemplate']) && $_GET['showtemplate']) {
+ if(isset($_GET['showtemplate']) && $_GET['showtemplate'] && Permission::check('ADMIN')) {
$lines = file($cacheFile);
echo "<h2>Template: $cacheFile</h2>";
echo "<pre>";
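Review bot: The added `Permission::check('ADMIN')` on the `if` line ships without a test; the commit touches only the changelog and `view/SSViewer.php`. Since this closes an information leak, add a test that renders a template with `showtemplate=1` set, once without an ADMIN user and once with one, and asserts that the `<h2>Template: ...` dump appears only in the second case, so a later refactor of this condition cannot reopen it. Also note that when the check fails the parameter is ignored with no feedback to the requester, which is reasonable for an anonymous visitor but worth one line in the method's doc comment so that developers know why the dump is missing.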