Fixed injection issues with SQL. Fixed a JS issue introduced in the previous bug fix.
This commit is contained in:
parent
c3989308fa
commit
3141a6ed5e
2 changed files with 102 additions and 8 deletions
@ -20,6 +20,58 @@ use WebGUI::Utility;
|
|||
use Class::C3;
|
||||
use base qw/WebGUI::Asset::Wobject/;
|
||||
|
||||
|
||||
#-------------------------------------------------------------------
|
||||
|
||||
=head2 canAdd ( session, [userId, groupId] )
|
||||
|
||||
Verifies that the user has the privileges necessary to add this type of asset and that the requested asset
|
||||
can be added as a child of this asset. Return a boolean.
|
||||
|
||||
A class method.
|
||||
|
||||
=head3 session
|
||||
|
||||
The session variable.
|
||||
|
||||
=head3 userId
|
||||
|
||||
Unique hash identifier for a user. If not supplied, current user.
|
||||
|
||||
=head3 groupId
|
||||
|
||||
Only developers extending this method should use this parameter. By default WebGUI will check groups in this order, whichever is defined:
|
||||
|
||||
=over 4
|
||||
|
||||
=item *
|
||||
|
||||
Group id assigned in the config file for each asset.
|
||||
|
||||
=item *
|
||||
|
||||
Group assigned by the developer in the asset itself if s/he extended this method to do so.
|
||||
|
||||
=item *
|
||||
|
||||
The "turn admin on" group which is group id 12.
|
||||
|
||||
=back
|
||||
|
||||
=cut
|
||||
|
||||
sub canAdd {
|
||||
my $className = shift;
|
||||
my $session = shift;
|
||||
my $userId = shift || $session->user->userId;
|
||||
my $user = WebGUI::User->new($session, $userId);
|
||||
my $subclassGroupId = shift;
|
||||
my $addPrivsGroup = $session->config->get("assets/".$className."/addGroup");
|
||||
my $groupId = $addPrivsGroup || $subclassGroupId || '3';
|
||||
my $validParent = $className->validParent($session);
|
||||
return $user->isInGroup($groupId) && $validParent;
|
||||
}
|
||||
|
||||
#-------------------------------------------------------------------
|
||||
|
||||
=head2 definition ( session, definition )
|
||||
|
|
@ -106,6 +158,7 @@ Get template variables common to all views of the Asset Report.
|
|||
sub getTemplateVars {
|
||||
my $self = shift;
|
||||
my $session = $self->session;
|
||||
my $db = $session->db;
|
||||
|
||||
my $var = $self->get;
|
||||
|
||||
|
|
@ -126,9 +179,9 @@ sub getTemplateVars {
|
|||
my $where = $settings->{where};
|
||||
foreach my $key (keys %{$where}) {
|
||||
my $clause = $where->{$key};
|
||||
my $prop = $clause->{propSelect};
|
||||
my $op = $clause->{opSelect};
|
||||
my $value = $clause->{valText};
|
||||
my $prop = $self->secure_identifier($clause->{propSelect});
|
||||
my $op = $self->validate_clause($clause->{opSelect});
|
||||
my $value = $db->quote($clause->{valText});
|
||||
|
||||
$rules->{'whereClause'} .= qq{ $condition } if ($key > 1);
|
||||
$rules->{'whereClause'} .= qq{$prop $op $value};
|
||||
|
|
@ -145,8 +198,8 @@ sub getTemplateVars {
|
|||
$rules->{'orderByClause'} = undef;
|
||||
foreach my $key (@order) {
|
||||
my $orderBy = $order->{$key};
|
||||
my $orderSelect = $orderBy->{orderSelect};
|
||||
my $dirSelect = $orderBy->{dirSelect};
|
||||
my $orderSelect = $self->secure_identifier($orderBy->{orderSelect});
|
||||
my $dirSelect = (lc($orderBy->{dirSelect}) eq "desc") ? "DESC" : "ASC";
|
||||
|
||||
$rules->{'orderByClause'} .= q{, } if($key > 1);
|
||||
$rules->{'orderByClause'} .= qq{$orderSelect $dirSelect};
|
||||
|
|
@ -177,6 +230,50 @@ sub getTemplateVars {
|
|||
|
||||
#----------------------------------------------------------------------------
|
||||
|
||||
=head2 secure_identifier ( identifier )
|
||||
|
||||
Checks the identifier and passes back a secure string.
|
||||
|
||||
=cut
|
||||
|
||||
sub secure_identifier {
|
||||
my $self = shift;
|
||||
my $db = $self->session->db;
|
||||
my $identifier = shift;
|
||||
|
||||
my @parts = split(/\./,$identifier);
|
||||
if(scalar(@parts) > 1) {
|
||||
my $table = $parts[0];
|
||||
my $column = $parts[1];
|
||||
$identifier = $db->dbh->quote_identifier($table).".".$db->dbh->quote_identifier($column);
|
||||
}
|
||||
else {
|
||||
$identifier = $db->dbh->quote_identifier($identifier);
|
||||
}
|
||||
|
||||
return $identifier;
|
||||
} ## end sub view
|
||||
|
||||
#----------------------------------------------------------------------------
|
||||
|
||||
=head2 validate_clause ( clause )
|
||||
|
||||
validates a clause against valid types. Returns "=" if no match is found.
|
||||
|
||||
=cut
|
||||
|
||||
sub validate_clause {
|
||||
my $self = shift;
|
||||
my $clause = shift;
|
||||
my $ops = WebGUI::Form::AssetReportQuery->getOps();
|
||||
unless ($ops->{$clause}) {
|
||||
$clause = "=";
|
||||
}
|
||||
return $clause;
|
||||
} ## end sub view
|
||||
|
||||
#----------------------------------------------------------------------------
|
||||
|
||||
=head2 view ( )
|
||||
|
||||
method called by the www_view method. Returns a processed template
|
||||
|
|
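Review bot: In the first hunk the POD for canAdd says the last fallback is "the 'turn admin on' group which is group id 12", but the code's fallback on `my $groupId = $addPrivsGroup || $subclassGroupId || '3';` is group `'3'`; since this is the authorization default for adding the asset, the two must agree — either change the literal to `'12'` or reword the last `=item` to name group 3, whichever is intended. In the last hunk, `secure_identifier` splits on `.` but only uses `$parts[0]` and `$parts[1]`, so an identifier with more than one dot is silently quoted as a different (truncated) identifier instead of being rejected; consider `die "invalid identifier: $identifier" if @parts > 2;` before the quoting so bad input fails loudly rather than querying the wrong column. The closing comments on both new subs read `} ## end sub view` but they close `secure_identifier` and `validate_clause`; they should be `} ## end sub secure_identifier` and `} ## end sub validate_clause`. The getTemplateVars body that the middle hunks edit starts and ends outside those hunks.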
|
|||
|
|
@ -359,8 +359,5 @@ YAHOO.util.Event.onDOMReady( function () {
|
|||
loadClasses(document.getElementById("className_formId"));
|
||||
loadWhereRows(document.getElementById("whereBody"));
|
||||
loadOrder(document.getElementById("orderBody"));
|
||||
};
|
||||
|
||||
|
||||
});
|
||||
|
||||
|
|
|
|||