oqapi/webgui
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merging 6.8.7 security fixes

Browse source
This commit is contained in:
Roy Johnson 2006-02-23 02:40:58 +00:00
parent b32a94d4d0
commit 3530c41e7d
3 changed files with 22 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

10
lib/WebGUI/AssetPackage.pm
View file

@ -81,10 +81,16 @@ Returns "". Deploys a Package. If canEdit is Fales, renders an insufficient Priv
sub www_deployPackage {
my $self = shift;
return $self->session->privilege->insufficient() unless $self->canEdit;
my $packageMasterAssetId = $self->session->form->process("assetId");
# Must have edit rights to the asset deploying the package. Also, must be a Content Manager.
# This protects against non content managers deploying packages using a post or similar trickery.
return $self->session->privilege->insufficient() unless ($self->canEdit && WebGUI::Grouping::isInGroup('4'));
my $packageMasterAssetId = $session{form}{assetId};
if (defined $packageMasterAssetId) {
my $packageMasterAsset = WebGUI::Asset->newByDynamicClass($packageMasterAssetId);
unless ($packageMasterAsset->getValue('isPackage')) { #only deploy packages
WebGUI::ErrorHandler::security('deploy an asset as a package which was not set as a package.');
return;
}
my $masterLineage = $packageMasterAsset->get("lineage");
if (defined $packageMasterAsset && $packageMasterAsset->canView && $self->get("lineage") !~ /^$masterLineage/) {
my $deployedTreeMaster = $self->duplicateBranch($packageMasterAsset);