Skip to content
Permalink
Browse files
sec(App) validate CSRF on Execute Functions. Add permission access an…
…d eliminate warning
  • Loading branch information
joebordes committed Aug 14, 2021
1 parent 42369cf commit daca071bf9450f6f23a3ecf3acc8780d878c5545
Showing with 18 additions and 9 deletions.
  1. +18 −9 modules/Vtiger/ExecuteFunctions.php
@@ -230,6 +230,7 @@
die();
break;
case 'delImage':
Vtiger_Request::validateRequest();
include_once 'include/utils/DelImage.php';
$id = vtlib_purify($_REQUEST['recordid']);
$id = preg_replace('/[^0-9]/', '', $id);
@@ -275,13 +276,15 @@
$term = vtlib_purify($data['term']);
$retvals = getGlobalSearch($term, $searchin, $limit, $current_user);
$ret = array();
foreach ($retvals['data'] as $value) {
$ret[] = array(
'crmid' => $value['crmid'],
'crmmodule' => $value['crmmodule'],
'query_string' => $value['query_string'],
'total' => $retvals['total']
) + $value['crmfields'];
if (!empty($retvals['data'])) {
foreach ($retvals['data'] as $value) {
$ret[] = array(
'crmid' => $value['crmid'],
'crmmodule' => $value['crmmodule'],
'query_string' => $value['query_string'],
'total' => $retvals['total']
) + $value['crmfields'];
}
}
break;
case 'getRelatedListInfo':
@@ -317,12 +320,14 @@
}
break;
case 'setSetting':
Vtiger_Request::validateRequest();
$skey = vtlib_purify($_REQUEST['skey']);
$svalue = vtlib_purify($_REQUEST['svalue']);
coreBOS_Settings::setSetting($skey, $svalue);
$ret = '';
break;
case 'delSetting':
Vtiger_Request::validateRequest();
$skey = vtlib_purify($_REQUEST['skey']);
coreBOS_Settings::delSetting($skey);
$ret = '';
@@ -384,8 +389,11 @@
break;
case 'getImageInfoFor':
$id = vtlib_purify($_REQUEST['record']);
require_once 'include/Webservices/getRecordImages.php';
$imageinfo = cbws_getrecordimageinfo($id, $current_user);
$imageinfo = array();
if (isPermitted(getSalesEntityType($id), 'DetailView', $id)=='yes') {
require_once 'include/Webservices/getRecordImages.php';
$imageinfo = cbws_getrecordimageinfo($id, $current_user);
}
header('Content-Type: application/json');
if ((int)$imageinfo['results'] > 0) {
$ret = $imageinfo;
@@ -401,6 +409,7 @@
}
break;
case 'setNewPassword':
Vtiger_Request::validateRequest();
require_once 'modules/Users/Users.php';
require_once 'include/utils/UserInfoUtil.php';
$userid = vtlib_purify($_REQUEST['record']);

0 comments on commit daca071

Please sign in to comment.