From 0cd1fc79f22965af9f7251dd19135af0c885b7aa Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Tue, 30 Apr 2019 13:05:13 +0200
Subject: [PATCH] NEW Add a security permission to edit php dynamic content on website.

---
 htdocs/core/modules/modWebsite.class.php | 8 +++++++-
 htdocs/langs/en_US/website.lang          | 1 +
 htdocs/website/index.php                 | 12 ++++++++++++
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/htdocs/core/modules/modWebsite.class.php b/htdocs/core/modules/modWebsite.class.php
index 6f882f082ad..24a929c82a0 100644
--- a/htdocs/core/modules/modWebsite.class.php
+++ b/htdocs/core/modules/modWebsite.class.php
@@ -92,12 +92,18 @@ class modWebsite extends DolibarrModules
 		$r++;
 
 		$this->rights[$r][0] = 10002;
-		$this->rights[$r][1] = 'Create/modify website content';
+		$this->rights[$r][1] = 'Create/modify website content (html and javascript content)';
 		$this->rights[$r][3] = 0;
 		$this->rights[$r][4] = 'write';
 		$r++;
 
 		$this->rights[$r][0] = 10003;
+		$this->rights[$r][1] = 'Create/modify website content (dynamic php code). Dangerous, must be reserved to restricted developers.';
+		$this->rights[$r][3] = 0;
+		$this->rights[$r][4] = 'writephp';
+		$r++;
+
+		$this->rights[$r][0] = 10005;
 		$this->rights[$r][1] = 'Delete website content';
 		$this->rights[$r][3] = 0;
 		$this->rights[$r][4] = 'delete';
diff --git a/htdocs/langs/en_US/website.lang b/htdocs/langs/en_US/website.lang
index f20aab8c0a7..4655bf3493a 100644
--- a/htdocs/langs/en_US/website.lang
+++ b/htdocs/langs/en_US/website.lang
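Review bot: The existing 'Delete website content' right is renumbered from 10003 to 10005 while the new 'writephp' right takes over id 10003; if grants are persisted by this numeric id (Dolibarr keeps them in user_rights rows keyed by the right id), a user who previously held only the delete permission would, after upgrade, silently hold the permission to edit dynamic PHP instead. Leave the existing right at its id and give the new entry a fresh one: `$this->rights[$r][0] = 10005;` on the writephp entry and `$this->rights[$r][0] = 10003;` kept on the delete entry, since the position in `$this->rights` does not depend on the id. The constructor this hunk edits starts and ends outside the hunk.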
@@ -97,3 +97,4 @@ ThisPageHasTranslationPages=This page/container has translation
 NoWebSiteCreateOneFirst=No website has been created yet. Create one first.
 GoTo=Go to
 DynamicPHPCodeContainsAForbiddenInstruction=You add dynamic PHP code that contains the PHP instruction '%s' that is forbidden by default as dynamic content (see hidden options WEBSITE_PHP_ALLOW_xxx to increase list of allowed commands).
+NotAllowedToAddDynamicContent=You don't have permission to add or edit PHP dynamic content in websites. Ask permission or just keep code into php tags unmodified.
\ No newline at end of file
diff --git a/htdocs/website/index.php b/htdocs/website/index.php
index 49859101ea9..2099102cced 100644
--- a/htdocs/website/index.php
+++ b/htdocs/website/index.php
@@ -1448,6 +1448,8 @@ if (($action == 'updatesource' || $action == 'updatecontent' || $action == 'conf
 {
 	$db->begin();
 
+	$phpfullcodestringold = dolKeepOnlyPhpCode($objectpage->content);
+
 	$objectpage->content = GETPOST('PAGE_CONTENT', 'none');
 
 	// Security analysis
@@ -1469,6 +1471,16 @@ if (($action == 'updatesource' || $action == 'updatecontent' || $action == 'conf
 		}
 	}
 
+	if (empty($user->rights->website->writephp))
+	{
+		if ($phpfullcodestringold != $phpfullcodestring)
+		{
+			$error++;
+			setEventMessages($langs->trans("NotAllowedToAddDynamicContent"), null, 'errors');
+			if ($action == 'updatesource') $action = 'editsource';
+			if ($action == 'updatecontent') $action = 'editcontent';
+		}
+	}
 
 	// Clean data. We remove all the head section.
 	$objectpage->content = preg_replace('/.*<\/head>/ims', '', $objectpage->content);
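Review bot: In the second index.php hunk the permission gate compares the old and new PHP code with loose `!=`; make it `if ($phpfullcodestringold !== $phpfullcodestring)` so the check is a strict string comparison and numeric-looking strings cannot compare equal. `$phpfullcodestring` is not assigned in either hunk and presumably comes from the security-analysis block between them, so it is worth confirming it is always set on every path through that block (including when it already incremented `$error`), otherwise the gate compares against an undefined value. The gate only runs inside this update branch, whose `if` opens and closing brace ends outside the hunks; any other path that persists page content with PHP in it would need the same old-versus-new check. Capturing the old code via `dolKeepOnlyPhpCode` before `$objectpage->content` is overwritten by `GETPOST` in the first hunk is the right ordering.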