D486: INP-1876 - Verify system settings access permissions before allowing to change them
D486.id1389.diff
Index: branches/5.2.x/core/units/configuration/configuration_event_handler.php
===================================================================
--- branches/5.2.x/core/units/configuration/configuration_event_handler.php
+++ branches/5.2.x/core/units/configuration/configuration_event_handler.php
@@ -373,7 +373,17 @@
return;
}
- $items_info = $this->Application->GetVar($event->getPrefixSpecial(true));
+ /*
+ * This is Linked Var coming from Session. The same
+ * section variable is used also during permission
+ * checking.
+ */
+ $section = $this->Application->GetVar('section');
+
+ $items_info = $this->filterBySection(
+ $this->Application->GetVar($event->getPrefixSpecial(true)),
+ $section
+ );
// 1. save user selected module root category
$new_category_id = getArrayValue($items_info, 'ModuleRootCategory', 'VariableValue');
@@ -451,7 +461,42 @@
// keeps module and section in REQUEST to ensure, that last admin template will work
$event->SetRedirectParam('module', $this->Application->GetVar('module'));
- $event->SetRedirectParam('section', $this->Application->GetVar('section'));
+ $event->SetRedirectParam('section', $section);
+ }
+
+ /**
+ * Filters system settings by section.
+ *
+ * @param array $items_info Items info.
+ * @param string $section Section.
+ *
+ * @return array
+ * @throws RuntimeException When given section doesn't have any settings.
+ */
+ protected function filterBySection(array $items_info, $section)
+ {
+ $id_field = $this->Application->getUnitOption($this->Prefix, 'IDField');
+ $table_name = $this->Application->getUnitOption($this->Prefix, 'TableName');
+
+ $sql = 'SELECT ' . $id_field . '
+ FROM ' . $table_name . '
+ WHERE `Section` = ' . $this->Conn->qstr($section);
+ $section_system_setting_ids = $this->Conn->GetCol($sql);
+
+ if ( !$section_system_setting_ids ) {
+ throw new RuntimeException('The "' . $section . '" section does not have any settings.');
+ }
+
+ $ret = array();
+ $section_system_setting_ids[] = 'ModuleRootCategory';
+
+ foreach ( $section_system_setting_ids as $system_setting_id ) {
+ if ( array_key_exists($system_setting_id, $items_info) ) {
+ $ret[$system_setting_id] = $items_info[$system_setting_id];
+ }
+ }
+
+ return $ret;
}
/**
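Review bot: `filterBySection` appends `'ModuleRootCategory'` to the allowed id list unconditionally, so that setting is accepted for any `$section`, including sections that do not own it; if this change is meant to limit writes to the section the caller is authorised for, that id should only pass when its own `Section` matches, or the exception should be stated in the docblock. Settings submitted for other sections are silently dropped rather than reported; logging when `count($ret) < count($items_info)` would leave a trace of such attempts without changing behaviour. The docblock should also say that the keys of `$items_info` are expected to be values of the unit's `IDField`, since the filter relies on that correspondence. The `IDField`/`TableName` parts of the query come from unit configuration and `$section` goes through `qstr`, so the query construction itself looks fine.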