NEW Add a security permission to edit php dynamic content on website.

This commit is contained in:
Laurent Destailleur 2019-04-30 13:05:13 +02:00
parent 3007905508
commit 0cd1fc79f2
3 changed files with 20 additions and 1 deletions


@ -92,12 +92,18 @@ class modWebsite extends DolibarrModules
$r++;
$this->rights[$r][0] = 10002;
$this->rights[$r][1] = 'Create/modify website content';
$this->rights[$r][1] = 'Create/modify website content (html and javascript content)';
$this->rights[$r][3] = 0;
$this->rights[$r][4] = 'write';
$r++;
$this->rights[$r][0] = 10003;
$this->rights[$r][1] = 'Create/modify website content (dynamic php code). Dangerous, must be reserved to restricted developers.';
$this->rights[$r][3] = 0;
$this->rights[$r][4] = 'writephp';
$r++;
$this->rights[$r][0] = 10005;
$this->rights[$r][1] = 'Delete website content';
$this->rights[$r][3] = 0;
$this->rights[$r][4] = 'delete';
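Review bot: The label for the new right 10003 at `$this->rights[$r][1]` is only provided as a hard-coded English string; if the permission screen resolves labels through a `PermissionNNNNN` translation key as it does for the other website rights, this right will show untranslated until a matching entry is added to the admin language file, which the three files in this commit do not include. The `$this->rights[$r][3] = 0` line presumably means the right is not granted by default, which is the correct choice given the label's warning, and is worth making explicit above the block with a comment such as `// 10003: edit PHP code inside containers - never granted by default, grant only to trusted developers`.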


@ -97,3 +97,4 @@ ThisPageHasTranslationPages=This page/container has translation
NoWebSiteCreateOneFirst=No website has been created yet. Create one first.
GoTo=Go to
DynamicPHPCodeContainsAForbiddenInstruction=You add dynamic PHP code that contains the PHP instruction '<strong>%s</strong>' that is forbidden by default as dynamic content (see hidden options WEBSITE_PHP_ALLOW_xxx to increase list of allowed commands).
NotAllowedToAddDynamicContent=You don't have permission to add or edit PHP dynamic content in websites. Ask permission or just keep code into php tags unmodified.


@ -1448,6 +1448,8 @@ if (($action == 'updatesource' || $action == 'updatecontent' || $action == 'conf
{
$db->begin();
$phpfullcodestringold = dolKeepOnlyPhpCode($objectpage->content);
$objectpage->content = GETPOST('PAGE_CONTENT', 'none');
// Security analysis
@ -1469,6 +1471,16 @@ if (($action == 'updatesource' || $action == 'updatecontent' || $action == 'conf
}
}
if (empty($user->rights->website->writephp))
{
if ($phpfullcodestringold != $phpfullcodestring)
{
$error++;
setEventMessages($langs->trans("NotAllowedToAddDynamicContent"), null, 'errors');
if ($action == 'updatesource') $action = 'editsource';
if ($action == 'updatecontent') $action = 'editcontent';
}
}
// Clean data. We remove all the head section.
$objectpage->content = preg_replace('/<head>.*<\/head>/ims', '', $objectpage->content);
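Review bot: The guard on the `if ($phpfullcodestringold != $phpfullcodestring)` line uses loose comparison on two strings, and `!=` applies PHP's numeric-string rules; for a check that decides whether a privilege is required, the strict form is the safer one: `if ($phpfullcodestringold !== $phpfullcodestring)`. The check also lives only in the updatesource/updatecontent branch named in the hunk header, so if other actions in this file persist page content (creating a container, importing a template), they would need the same `writephp` test or the permission only covers the editor path. The enclosing `if` block starts before the hunk and the assignment of `$phpfullcodestring` is not visible here, so it is presumably the dolKeepOnlyPhpCode result for the new content, mirroring the `$phpfullcodestringold` line in the first hunk.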