claunia/qemudb
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

objectManager: Prevent changing variables prior to permission checks in form

Browse Source 
processing
This commit is contained in:
Alexander Nicolaysen Sørnes
2007-10-24 10:59:22 +02:00
committed by Chris Morgan
parent 070df9daca
commit b6f1f22192
1 changed files with 11 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
include/objectManager.php
View File

@@ -519,14 +519,17 @@ class ObjectManager
$this->checkMethods(array("delete", "canEdit")); $this->checkMethods(array("delete", "canEdit"));
$oObject = $this->getObject(); $oObject = $this->getObject();
$oOriginalObject = new $this->sClass($this->iId); /* Prevent possible security hole if users change key
variables, making the permission checks run on
the wrong criteria */
if(!$oObject->objectGetId()) if(!$oOriginalObject->objectGetId())
{ {
addmsg("No id defined", "red"); addmsg("No id defined", "red");
return FALSE; return FALSE;
} }
if(!$oObject->canEdit()) if(!$oOriginalObject->canEdit())
{ {
addmsg("You don’t have permission to delete this entry", "red"); addmsg("You don’t have permission to delete this entry", "red");
return FALSE; return FALSE;
@@ -923,6 +926,9 @@ class ObjectManager
$this->iId = $this->getIdFromInput($aClean); $this->iId = $this->getIdFromInput($aClean);
$oObject = new $this->sClass($this->iId); $oObject = new $this->sClass($this->iId);
$oOriginalObject = new $this->sClass($this->iId); /* Prevent possible security hole if users change key
variables, making the permission checks run on
the wrong criteria */
/* If it isn't implemented, that means there is no default text */ /* If it isn't implemented, that means there is no default text */
if(method_exists(new $this->sClass, "getDefaultReply")) if(method_exists(new $this->sClass, "getDefaultReply"))
@@ -968,13 +974,13 @@ class ObjectManager
// otherwise we should create the entry in the 'else' case // otherwise we should create the entry in the 'else' case
if($this->iId) if($this->iId)
{ {
if(!$oObject->canEdit()) if(!$oOriginalObject->canEdit())
return FALSE; return FALSE;
if($this->bIsRejected) if($this->bIsRejected)
$oObject->ReQueue(); $oObject->ReQueue();
if($this->bIsQueue && !$oObject->mustBeQueued()) if($this->bIsQueue && !$oOriginalObject->mustBeQueued())
$oObject->unQueue(); $oObject->unQueue();
$oObject->update(); $oObject->update();
@@ -987,7 +993,7 @@ class ObjectManager
break; break;
case "Reject": case "Reject":
if(!$oObject->canEdit()) if(!$oOriginalObject->canEdit())
return FALSE; return FALSE;
$oObject->reject(); $oObject->reject();