Merging 6.8.7 security fixes
This commit is contained in:
Roy Johnson
parent
b32a94d4d0
commit
3530c41e7d
3 changed files with 22 additions and 3 deletions
|
|
@ -44,6 +44,18 @@
|
|||
- fix [ 1431098 ] op=becomeUser can become non-existent userIds
|
||||
- fix [ 1431944 ] 6.8.6 DataForm moving fields
|
||||
- fix [ 1433195 ] 6.8.6 In/Out board labels missing
|
||||
- fix : Registered users can deploy packages (Thanks to Lucas Bartholemy
|
||||
for his work on finding this bug)
|
||||
- fix : Package will deploy assets not defined as packages (Thanks to Lucas
|
||||
Bartholemy for his work on finding this bug)
|
||||
- fix : editBranchSave method does not check that user is a content
|
||||
manager (Thanks to Lucas Bartholemy for his work on finding this bug)
|
||||
- fix : editBranchSave does not check privileges of descendants (Thanks to
|
||||
Lucas Bartholemy for his work on finding this bug)
|
||||
- fix : setParent does not check that user is a content manager (Colin
|
||||
Kuskie / Thanks to Lucas Bartholemy for his work on finding this bug)
|
||||
- fix : setParent does not check permissions of target page (Colin Kuskie
|
||||
/ Thanks to Lucas Bartholemy for his work on finding this bug)
|
||||
|
||||
6.8.6
|
||||
- Added logic to deal with case sensitivity and whitespace problems in LDAP
|
||||
|
|
|
|||
|
|
@ -272,7 +272,7 @@ Verifies proper inputs in the Asset Tree and saves them. Returns ManageAssets me
|
|||
|
||||
sub www_editBranchSave {
|
||||
my $self = shift;
|
||||
return $self->session->privilege->insufficient() unless ($self->canEdit);
|
||||
return $self->session->privilege->insufficient() unless ($self->canEdit && WebGUI::Grouping::isInGroup('4'));
|
||||
my %data;
|
||||
$data{isHidden} = $self->session->form->yesNo("isHidden") if ($self->session->form->yesNo("change_isHidden"));
|
||||
$data{newWindow} = $self->session->form->yesNo("newWindow") if ($self->session->form->yesNo("change_newWindow"));
|
||||
|
|
@ -297,6 +297,7 @@ sub www_editBranchSave {
|
|||
}
|
||||
my $descendants = $self->getLineage(["self","descendants"],{returnObjects=>1});
|
||||
foreach my $descendant (@{$descendants}) {
|
||||
next unless $descendant->canEdit;
|
||||
my $url;
|
||||
if ($changeUrl) {
|
||||
if ($urlBaseBy eq "parentUrl") {
|
||||
|
|
|
|||
|
|
@ -81,10 +81,16 @@ Returns "". Deploys a Package. If canEdit is Fales, renders an insufficient Priv
|
|||
|
||||
sub www_deployPackage {
|
||||
my $self = shift;
|
||||
return $self->session->privilege->insufficient() unless $self->canEdit;
|
||||
my $packageMasterAssetId = $self->session->form->process("assetId");
|
||||
# Must have edit rights to the asset deploying the package. Also, must be a Content Manager.
|
||||
# This protects against non content managers deploying packages using a post or similar trickery.
|
||||
return $self->session->privilege->insufficient() unless ($self->canEdit && WebGUI::Grouping::isInGroup('4'));
|
||||
my $packageMasterAssetId = $session{form}{assetId};
|
||||
if (defined $packageMasterAssetId) {
|
||||
my $packageMasterAsset = WebGUI::Asset->newByDynamicClass($packageMasterAssetId);
|
||||
unless ($packageMasterAsset->getValue('isPackage')) { #only deploy packages
|
||||
WebGUI::ErrorHandler::security('deploy an asset as a package which was not set as a package.');
|
||||
return;
|
||||
}
|
||||
my $masterLineage = $packageMasterAsset->get("lineage");
|
||||
if (defined $packageMasterAsset && $packageMasterAsset->canView && $self->get("lineage") !~ /^$masterLineage/) {
|
||||
my $deployedTreeMaster = $self->duplicateBranch($packageMasterAsset);
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue