Home Explore Help
Register Sign In
SKZH
/
ITSSTOOLS
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

PPortal web page improvements: protected update feature (class/attcodes explicitely restricted)

git-svn-id: http://svn.code.sf.net/p/itop/code/trunk@1324 a333f486-631f-4898-b8df-5754b55c2be0
romainq 14 years ago
parent
dc82ced733
commit
f267acdd82
2 changed files with 23 additions and 8 deletions
Unified View Show Diff Stats
  1. 2 2
      application/cmdbabstract.class.inc.php
  2. 21 6
      application/portalwebpage.class.inc.php

+ 2 - 2
application/cmdbabstract.class.inc.php
View File 

@@ -2156,9 +2156,9 @@ EOF
 
 		$aErrors = array();

 		$aErrors = array();

 		if (!is_array($aAttList))

 		if (!is_array($aAttList))

 		{

 		{

-			$sAttList = $this->FlattenZList(MetaModel::GetZListItems(get_class($this), 'details'));

+			$aAttList = $this->FlattenZList(MetaModel::GetZListItems(get_class($this), 'details'));

 		}

 		}

-		foreach($sAttList as $sAttCode)

+		foreach($aAttList as $sAttCode)

 		{

 		{

 			$oAttDef = MetaModel::GetAttributeDef(get_class($this), $sAttCode);

 			$oAttDef = MetaModel::GetAttributeDef(get_class($this), $sAttCode);

+ 21 - 6
application/portalwebpage.class.inc.php
View File 

@@ -561,9 +561,10 @@ EOF
 
 	/**
 
 	/**
 
 	 * Updates the object form POSTED arguments, and writes it into the DB (applies a stimuli if requested)
 
 	 * Updates the object form POSTED arguments, and writes it into the DB (applies a stimuli if requested)
 
 	 * @param DBObject $oObj The object to update
 
 	 * @param DBObject $oObj The object to update
 
+	 * $param array $aAttList If set, this will limit the list of updated attributes	 
 	 * @return void
 
 	 * @return void
 
 	 */
 
 	 */
 
-	public function DoUpdateObjectFromPostedForm(DBObject $oObj)
 
+	public function DoUpdateObjectFromPostedForm(DBObject $oObj, $aAttList = null)
 
 	{
 
 	{
 
 		$sTransactionId = utils::ReadPostedParam('transaction_id', '');
 
 		$sTransactionId = utils::ReadPostedParam('transaction_id', '');
 
 		if (!utils::IsTransactionValid($sTransactionId))
 
 		if (!utils::IsTransactionValid($sTransactionId))
 
@@ -573,10 +574,7 @@ EOF
 
 	
 	
 		$sClass = get_class($oObj);
 
 		$sClass = get_class($oObj);
 
 	
 	
-	
-		// TODO - Secure this: specify the list of attributes that can be updated
 
-		//        the list must correspond to the attributes proposed in the form
 
-		$oObj->UpdateObject(/* Form prefix */);
 
+		$oObj->UpdateObject('' /* form prefix */, $aAttList);
 
 	
 	
 	   // Optional: apply a stimulus
 
 	   // Optional: apply a stimulus
 
 	   //
 
 	   //
 
@@ -606,7 +604,7 @@ EOF
 
 	 * @param WebPage $oP The current page
 
 	 * @param WebPage $oP The current page
 
 	 * @return DBObject The found object, or throws an exception in case of failure
 
 	 * @return DBObject The found object, or throws an exception in case of failure
 
 	 */
 
 	 */
 
-	public function FindObjectFromArgs()
 
+	public function FindObjectFromArgs($aAllowedClasses = null)
 
 	{
 
 	{
 
 		$sClass = utils::ReadParam('class', '');
 
 		$sClass = utils::ReadParam('class', '');
 
 		$iId = utils::ReadParam('id', 0);
 
 		$iId = utils::ReadParam('id', 0);
 
@@ -623,6 +621,23 @@ EOF
 
 		{
 
 		{
 
 			throw new Exception("Missing argument 'id'");
 
 			throw new Exception("Missing argument 'id'");
 
 		}
 
 		}
 
+
 
+		if(!is_null($aAllowedClasses))
 
+		{
 
+			$bAllowed = false;
 
+			foreach($aAllowedClasses as $sParentClass)
 
+			{
 
+				if (MetaModel::IsParentClass($sParentClass, $sClass))
 
+				{
 
+					$bAllowed = true;
 
+				}
 
+			}
 
+			if (!$bAllowed)
 
+			{
 
+				throw new Exception("Class '$sClass not allowed in this implementation'");
 
+			}
 
+		}
 
+
 
 		$oObj = MetaModel::GetObject($sClass, $iId, false);
 
 		$oObj = MetaModel::GetObject($sClass, $iId, false);
 
 		if (!is_object($oObj))
 
 		if (!is_object($oObj))
 
 		{
 
 		{