$GLOBALS, using boinfolog->write(), and closed security-hole,
that non-admin users could call csv_import, if they knew the url (check if user is allowed to run admin-app)
This commit is contained in:
parent
118c9a80dd
commit
116de14b92
@ -12,11 +12,24 @@
|
||||
|
||||
/* $Id$ */
|
||||
|
||||
$phpgw_info['flags']['currentapp'] = 'infolog';
|
||||
$phpgw_info['flags']['enable_contacts_class'] = True;
|
||||
$GLOBALS['phpgw_info']['flags'] = array(
|
||||
'currentapp' => 'infolog',
|
||||
'noheader' => True,
|
||||
'nonavbar' => True,
|
||||
'enable_contacts_class' => True
|
||||
);
|
||||
include("../header.inc.php");
|
||||
|
||||
$phpgw->infolog = createobject('infolog.uiinfolog');
|
||||
if (!isset($GLOBALS['phpgw_info']['user']['apps']['admin']) ||
|
||||
!$GLOBALS['phpgw_info']['user']['apps']['admin']) // no admin
|
||||
{
|
||||
Header('Location: ' . $GLOBALS['phpgw']->link('/home.php'));
|
||||
$GLOBALS['phpgw']->common->phpgw_exit();
|
||||
}
|
||||
$GLOBALS['phpgw']->common->phpgw_header();
|
||||
echo parse_navbar();
|
||||
|
||||
$infolog = createobject('infolog.uiinfolog');
|
||||
|
||||
$t = CreateObject('phpgwapi.Template',PHPGW_APP_TPL); // $t->unknows = 'keep'; $t->debug = 1;
|
||||
$t->set_file(array('import' => 'csv_import.tpl'));
|
||||
@ -26,14 +39,14 @@
|
||||
$t->set_block('import','ffooter','ffooterhandle');
|
||||
$t->set_block('import','imported','importedhandle');
|
||||
|
||||
// $t->set_var("navbar_bg",$phpgw_info["theme"]["navbar_bg"]);
|
||||
// $t->set_var("navbar_text",$phpgw_info["theme"]["navbar_text"]);
|
||||
// $t->set_var("navbar_bg",$GLOBALS['phpgw_info']["theme"]["navbar_bg"]);
|
||||
// $t->set_var("navbar_text",$GLOBALS['phpgw_info']["theme"]["navbar_text"]);
|
||||
|
||||
if ($action == 'download' && (!$fieldsep || !$csvfile || !($fp=fopen($csvfile,"r")))) {
|
||||
$action = '';
|
||||
}
|
||||
$t->set_var("action_url",$phpgw->link("/infolog/csv_import.php"));
|
||||
$t->set_var( $phpgw->infolog->setStyleSheet( ));
|
||||
$t->set_var("action_url",$GLOBALS['phpgw']->link("/infolog/csv_import.php"));
|
||||
$t->set_var( $infolog->setStyleSheet( ));
|
||||
$t->set_var("lang_info_action",lang("InfoLog - Import CSV-File"));
|
||||
|
||||
$PSep = '||'; // Pattern-Separator, separats the pattern-replacement-pairs in trans
|
||||
@ -83,14 +96,14 @@ function cat_id( $cats )
|
||||
if (isset($cat2id[$cat])) {
|
||||
$ids[$cat] = $cat2id[$cat]; // cat is in cache
|
||||
} else {
|
||||
if (!is_object($phpgw->categories)) {
|
||||
$phpgw->categories = createobject('phpgwapi.categories');
|
||||
if (!is_object($GLOBALS['phpgw']->categories)) {
|
||||
$GLOBALS['phpgw']->categories = createobject('phpgwapi.categories');
|
||||
}
|
||||
if ($id = $phpgw->categories->name2id( $cat )) { // cat exists
|
||||
if ($id = $GLOBALS['phpgw']->categories->name2id( $cat )) { // cat exists
|
||||
$cat2id[$cat] = $ids[$cat] = $id;
|
||||
} else { // create new cat
|
||||
$phpgw->categories->add( $cat,0,$cat,'','public',0);
|
||||
$cat2id[$cat] = $ids[$cat] = $phpgw->categories->name2id( $cat );
|
||||
$GLOBALS['phpgw']->categories->add( $cat,0,$cat,'','public',0);
|
||||
$cat2id[$cat] = $ids[$cat] = $GLOBALS['phpgw']->categories->name2id( $cat );
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -164,7 +177,7 @@ function cat_id( $cats )
|
||||
|
||||
$info_name_options = "<option value=\"\">none\n";
|
||||
while (list($field,$name) = each($info_names)) {
|
||||
$info_name_options .= "<option value=\"$field\">".$phpgw->strip_html($name)."\n";
|
||||
$info_name_options .= "<option value=\"$field\">".$GLOBALS['phpgw']->strip_html($name)."\n";
|
||||
}
|
||||
$csv_fields = fgetcsv($fp,8000,$fieldsep);
|
||||
$csv_fields[] = 'no CSV 1'; // eg. for static assignments
|
||||
@ -189,7 +202,7 @@ function cat_id( $cats )
|
||||
$t->set_var('max',200);
|
||||
$t->parse('ffooterhandle','ffooter');
|
||||
fclose($fp);
|
||||
$old = $csvfile; $csvfile = $phpgw_info['server']['temp_dir'].'/info_log_import_'.basename($csvfile);
|
||||
$old = $csvfile; $csvfile = $GLOBALS['phpgw_info']['server']['temp_dir'].'/info_log_import_'.basename($csvfile);
|
||||
rename($old,$csvfile);
|
||||
$hiddenvars .= '<input type="hidden" name="csvfile" value="'.$csvfile.'">';
|
||||
$help_on_trans = "<a name='help'><b>How to use Translation's</b><p>".
|
||||
@ -307,7 +320,7 @@ function cat_id( $cats )
|
||||
if (!isset($values['datecreated'])) $values['datecreated'] = $values['startdate'];
|
||||
|
||||
if (!$debug) {
|
||||
$phpgw->infolog->write($values);
|
||||
$infolog->bo->write($values);
|
||||
}
|
||||
}
|
||||
$log .= "\t</tr>\n</table>\n";
|
||||
@ -321,6 +334,6 @@ function cat_id( $cats )
|
||||
}
|
||||
$t->set_var('hiddenvars',$hiddenvars);
|
||||
$t->pfp('out','import',True);
|
||||
$phpgw->common->phpgw_footer();
|
||||
$GLOBALS['phpgw']->common->phpgw_footer();
|
||||
|
||||
?>
|
||||
|
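Review bot: The admin gate added in the first hunk (`if (!isset($GLOBALS['phpgw_info']['user']['apps']['admin']) || !$GLOBALS['phpgw_info']['user']['apps']['admin'])`) is now the only control in front of `fopen($csvfile,"r")` and `rename($old,$csvfile)` further down, where `$csvfile` still comes from the request — the hidden `csvfile` field written at the `$hiddenvars .=` line in the fifth hunk is presumably re-read as a global on the next submit — so a resubmitted path is opened wherever it points, and the value is echoed into the attribute unescaped. It would be worth constraining that path to the temp directory before the `fopen`, e.g. `if (strpos(realpath($csvfile), realpath($GLOBALS['phpgw_info']['server']['temp_dir'])) !== 0) $action = '';`, and writing the field as `value="'.htmlspecialchars($csvfile).'"`. The redirect itself looks sound: header and navbar output are deferred (`'noheader' => True`, `'nonavbar' => True`) until after the check, so `Header('Location: ...')` goes out before any body, and `phpgw_exit()` ends the request. The `cat_id` function touched by the later hunks starts and ends outside them.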