* Api: Customfield selectboxes can read options from a PHP file in the VFS using @[path] ex: @/home/Default/selects.php

nathan 2023-06-29 13:36:28 -06:00
parent 85cc2a33cd
commit 3cfdca0ae9
3 changed files with 7 additions and 11 deletions


@ -351,7 +351,7 @@ document root (default) admin en Document root (default)
domainname admin en Domain name domainname admin en Domain name
down admin en Down down admin en Down
download csv admin en Download CSV download csv admin en Download CSV
each value is a line like id[=label], or use @path to read options from a file in egroupware directory admin en each value is a line like id[=label], or use @path to read options from a file in EGroupware directory each value is a line like id[=label], or use @path to read options from a file in egroupware directory admin en each value is a line like id[=label], or use @path to read options from a file in the VFS
each value is a line like label=[javascript] admin en each value is a line like label=[javascript] each value is a line like label=[javascript] admin en each value is a line like label=[javascript]
edit account admin en Edit account edit account admin en Edit account
edit application admin en Edit application edit application admin en Edit application


@ -4194,8 +4194,7 @@ export class et2_nextmatch_customfields extends et2_customfields_list implements
field.type == 'select-account' ? 'et2-nextmatch-header-account' : "et2-nextmatch-header-filter", field.type == 'select-account' ? 'et2-nextmatch-header-account' : "et2-nextmatch-header-filter",
{ {
id: cf_id, id: cf_id,
empty_label: field.label, empty_label: field.label
select_options: field.values
}, },
this this
); );
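Review bot: The header filter on the new side is built with only `id` and `empty_label`, and nothing in this hunk says why `select_options: field.values` was dropped or where the filter now gets its choices. Going by the commit title, `field.values` can now hold an `@path` reference rather than the option list itself, so a one-line comment above the attribute object would help the next reader, for example `// select_options deliberately not set: field.values may be an @path reference, not the option list`. The enclosing method starts and ends outside the hunk, so whether the options are filled in elsewhere cannot be confirmed from here.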


@ -272,9 +272,7 @@ class Customfields implements \IteratorAggregate
/** /**
* Read the options of a 'select' or 'radio' custom field from a file * Read the options of a 'select' or 'radio' custom field from a file
* *
* For security reasons that file has to be relative to the eGW root * For security reasons it has to be a php file setting one variable called options,
* (to not use that feature to explore arbitrary files on the server)
* and it has to be a php file setting one variable called options,
* (to not display it to anonymously by the webserver). * (to not display it to anonymously by the webserver).
* The $options var has to be an array with value => label pairs, eg: * The $options var has to be an array with value => label pairs, eg:
* *
@ -292,12 +290,11 @@ class Customfields implements \IteratorAggregate
{ {
$options = array(); $options = array();
if (!($path = realpath($file[0] == '/' ? $file : EGW_SERVER_ROOT.'/'.$file)) || // file does not exist if(!($path = Api\Vfs::resolve_url($file)) || // file does not exist // we are NOT inside the eGW root
substr($path,0,strlen(EGW_SERVER_ROOT)+1) != EGW_SERVER_ROOT.'/' || // we are NOT inside the eGW root basename($path, '.php') . '.php' != basename($path) || // extension is NOT .php
basename($path,'.php').'.php' != basename($path) || // extension is NOT .php
basename($path) == 'header.inc.php') // dont allow to include our header again basename($path) == 'header.inc.php') // dont allow to include our header again
{ {
return array(lang("'%1' is no php file in the eGW server root (%2)!".': '.$path,$file,EGW_SERVER_ROOT)); return array(lang("'%1' is no php file in the eGW server root (%2)!" . ': ' . $path, $file, EGW_SERVER_ROOT));
} }
include($path); include($path);