Fix ACL error allowing regular users to delete global categories

This commit is contained in:
Nathan Gray 2015-09-29 15:15:45 +00:00
parent afa106cbf3
commit f1837813a4


@ -369,6 +369,17 @@ class admin_categories
{ {
$row['class'] .= ' rowNoEdit rowNoDelete '; $row['class'] .= ' rowNoEdit rowNoDelete ';
} }
else if (!$GLOBALS['egw_info']['user']['apps']['admin'])
{
if(!$cats->check_perms(EGW_ACL_EDIT, $row['id']))
{
$row['class'] .= ' rowNoEdit';
}
if(!$cats->check_perms(EGW_ACL_DELETE, $row['id']))
{
$row['class'] .= ' rowNoDelete';
}
}
// Can only edit (via context menu) categories for the selected app (backend restriction) // Can only edit (via context menu) categories for the selected app (backend restriction)
if($row['appname'] != $query['appname'] || (array_sum($row['owner']) > 0)) if($row['appname'] != $query['appname'] || (array_sum($row['owner']) > 0))
{ {
@ -661,12 +672,19 @@ class admin_categories
switch($action) switch($action)
{ {
case 'delete': case 'delete':
$action_msg = lang('deleted');
foreach($checked as $id) foreach($checked as $id)
{
if($cats->check_perms(EGW_ACL_DELETE, $id, (boolean)$GLOBALS['egw_info']['user']['apps']['admin']))
{ {
$cats->delete($id,$settings == 'sub',$settings != 'sub'); $cats->delete($id,$settings == 'sub',$settings != 'sub');
$action_msg = lang('deleted');
$success++; $success++;
} }
else
{
$failed++;
}
}
break; break;
case 'owner': case 'owner':
$action_msg = lang('updated'); $action_msg = lang('updated');