D486: INP-1876 - Verify system settings access permissions before allowing to change them
D486.diff
Index: core/units/configuration/configuration_event_handler.php
===================================================================
--- core/units/configuration/configuration_event_handler.php
+++ core/units/configuration/configuration_event_handler.php
@@ -373,7 +373,17 @@
return;
}
- $items_info = $this->Application->GetVar($event->getPrefixSpecial(true));
+ /*
+ * This is Linked Var coming from Session. The same
+ * section variable is used also during permission
+ * checking.
+ */
+ $section = $this->Application->GetVar('section');
+
+ $items_info = $this->filterBySection(
+ $this->Application->GetVar($event->getPrefixSpecial(true)),
+ $section
+ );
// 1. save user selected module root category
$new_category_id = getArrayValue($items_info, 'ModuleRootCategory', 'VariableValue');
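Review bot: The call to `filterBySection()` passes the raw `GetVar($event->getPrefixSpecial(true))` result into a parameter declared `array`, so a submit with no settings in the request (where GetVar presumably returns `false` or `null`, as the old `getArrayValue()` tolerated) now fails with a type error instead of taking the empty-save path. Casting at the call site, `$this->filterBySection((array) $this->Application->GetVar($event->getPrefixSpecial(true)), $section)`, keeps the old behaviour for empty input while still dropping out-of-section keys. Also worth confirming that the section `Linked Var` can never be empty here, since an empty section makes the filter throw rather than save nothing. The enclosing method begins before this hunk.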
@@ -450,7 +460,42 @@
// keeps module and section in REQUEST to ensure, that last admin template will work
$event->SetRedirectParam('module', $this->Application->GetVar('module'));
- $event->SetRedirectParam('section', $this->Application->GetVar('section'));
+ $event->SetRedirectParam('section', $section);
+ }
+
+ /**
+ * Filters system settings by section.
+ *
+ * @param array $items_info Items info.
+ * @param string $section Section.
+ *
+ * @return array
+ * @throws RuntimeException When given section doesn't have any settings.
+ */
+ protected function filterBySection(array $items_info, $section)
+ {
+ $id_field = $this->Application->getUnitOption($this->Prefix, 'IDField');
+ $table_name = $this->Application->getUnitOption($this->Prefix, 'TableName');
+
+ $sql = 'SELECT ' . $id_field . '
+ FROM ' . $table_name . '
+ WHERE `Section` = ' . $this->Conn->qstr($section);
+ $section_system_setting_ids = $this->Conn->GetCol($sql);
+
+ if ( !$section_system_setting_ids ) {
+ throw new RuntimeException('The "' . $section . '" section does not have any settings.');
+ }
+
+ $ret = array();
+ $section_system_setting_ids[] = 'ModuleRootCategory';
+
+ foreach ( $section_system_setting_ids as $system_setting_id ) {
+ if ( array_key_exists($system_setting_id, $items_info) ) {
+ $ret[$system_setting_id] = $items_info[$system_setting_id];
+ }
+ }
+
+ return $ret;
}
/**
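Review bot: `filterBySection()` appends `'ModuleRootCategory'` to the allowed ids unconditionally, so that setting passes the section filter for whatever section the user has permission on; if it is meant to be editable only from its own section, it should be allowed only when that section is the one being saved, or covered by its own permission check. The quoting is sound as written: `$section` goes through `$this->Conn->qstr()`, and `$id_field` / `$table_name` come from unit options rather than the request. The filter assumes the keys of `$items_info` are the same values the `IDField` column holds; a one-line comment stating that, e.g. `// keys of $items_info are expected to match IDField values`, would make the contract explicit. The `$section` parameter is documented as string but untyped; a `string` type declaration would match the docblock.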