oqapi/webgui
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fixed injection issues with SQL. Fixed a JS issue introduced in previous bug fix.

Browse source
This commit is contained in:
khenn 2010-08-10 21:35:07 -05:00
parent c3989308fa
commit 3141a6ed5e
2 changed files with 102 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

107
lib/WebGUI/Asset/Wobject/AssetReport.pm
View file

@ -20,6 +20,58 @@ use WebGUI::Utility;
use Class::C3; use Class::C3;
use base qw/WebGUI::Asset::Wobject/; use base qw/WebGUI::Asset::Wobject/;
#-------------------------------------------------------------------
=head2 canAdd ( session, [userId, groupId] )
Verifies that the user has the privileges necessary to add this type of asset and that the requested asset
can be added as a child of this asset. Return a boolean.
A class method.
=head3 session
The session variable.
=head3 userId
Unique hash identifier for a user. If not supplied, current user.
=head3 groupId
Only developers extending this method should use this parameter. By default WebGUI will check groups in this order, whichever is defined:
=over 4
=item *
Group id assigned in the config file for each asset.
=item *
Group assigned by the developer in the asset itself if s/he extended this method to do so.
=item *
The "turn admin on" group which is group id 12.
=back
=cut
sub canAdd {
my $className = shift;
my $session = shift;
my $userId = shift || $session->user->userId;
my $user = WebGUI::User->new($session, $userId);
my $subclassGroupId = shift;
my $addPrivsGroup = $session->config->get("assets/".$className."/addGroup");
my $groupId = $addPrivsGroup || $subclassGroupId || '3';
my $validParent = $className->validParent($session);
return $user->isInGroup($groupId) && $validParent;
}
#------------------------------------------------------------------- #-------------------------------------------------------------------
=head2 definition ( session, definition ) =head2 definition ( session, definition )
@ -106,6 +158,7 @@ Get template variables common to all views of the Asset Report.
sub getTemplateVars { sub getTemplateVars {
my $self = shift; my $self = shift;
my $session = $self->session; my $session = $self->session;
my $db = $session->db;
my $var = $self->get; my $var = $self->get;
@ -126,9 +179,9 @@ sub getTemplateVars {
my $where = $settings->{where}; my $where = $settings->{where};
foreach my $key (keys %{$where}) { foreach my $key (keys %{$where}) {
my $clause = $where->{$key}; my $clause = $where->{$key};
my $prop = $clause->{propSelect}; my $prop = $self->secure_identifier($clause->{propSelect});
my $op = $clause->{opSelect}; my $op = $self->validate_clause($clause->{opSelect});
my $value = $clause->{valText}; my $value = $db->quote($clause->{valText});
$rules->{'whereClause'} .= qq{ $condition } if ($key > 1); $rules->{'whereClause'} .= qq{ $condition } if ($key > 1);
$rules->{'whereClause'} .= qq{$prop $op $value}; $rules->{'whereClause'} .= qq{$prop $op $value};
@ -145,8 +198,8 @@ sub getTemplateVars {
$rules->{'orderByClause'} = undef; $rules->{'orderByClause'} = undef;
foreach my $key (@order) { foreach my $key (@order) {
my $orderBy = $order->{$key}; my $orderBy = $order->{$key};
my $orderSelect = $orderBy->{orderSelect}; my $orderSelect = $self->secure_identifier($orderBy->{orderSelect});
my $dirSelect = $orderBy->{dirSelect}; my $dirSelect = (lc($orderBy->{dirSelect}) eq "desc") ? "DESC" : "ASC";
$rules->{'orderByClause'} .= q{, } if($key > 1); $rules->{'orderByClause'} .= q{, } if($key > 1);
$rules->{'orderByClause'} .= qq{$orderSelect $dirSelect}; $rules->{'orderByClause'} .= qq{$orderSelect $dirSelect};
@ -177,6 +230,50 @@ sub getTemplateVars {
#---------------------------------------------------------------------------- #----------------------------------------------------------------------------
=head2 secure_identifier ( identifier )
Checks the identifier and passes back a secure string.
=cut
sub secure_identifier {
my $self = shift;
my $db = $self->session->db;
my $identifier = shift;
my @parts = split(/\./,$identifier);
if(scalar(@parts) > 1) {
my $table = $parts[0];
my $column = $parts[1];
$identifier = $db->dbh->quote_identifier($table).".".$db->dbh->quote_identifier($column);
}
else {
$identifier = $db->dbh->quote_identifier($identifier);
}
return $identifier;
} ## end sub view
#----------------------------------------------------------------------------
=head2 validate_clause ( clause )
validates a clause against valid types. Returns "=" if no match is found.
=cut
sub validate_clause {
my $self = shift;
my $clause = shift;
my $ops = WebGUI::Form::AssetReportQuery->getOps();
unless ($ops->{$clause}) {
$clause = "=";
}
return $clause;
} ## end sub view
#----------------------------------------------------------------------------
=head2 view ( ) =head2 view ( )
method called by the www_view method. Returns a processed template method called by the www_view method. Returns a processed template

3
www/extras/yui-webgui/build/form/assetReportQuery.js vendored
View file

@ -359,8 +359,5 @@ YAHOO.util.Event.onDOMReady( function () {
loadClasses(document.getElementById("className_formId")); loadClasses(document.getElementById("className_formId"));
loadWhereRows(document.getElementById("whereBody")); loadWhereRows(document.getElementById("whereBody"));
loadOrder(document.getElementById("orderBody")); loadOrder(document.getElementById("orderBody"));
};
}); });