Merging 6.8.7 security fixes

docs/changelog/6.x.x.txt

@@ -44,6 +44,18 @@
  - fix [ 1431098 ] op=becomeUser can become non-existent userIds
  - fix [ 1431944 ] 6.8.6 DataForm moving fields
  - fix [ 1433195 ] 6.8.6 In/Out board labels missing
+ - fix : Registered users can deploy packages (Thanks to Lucas Bartholemy
+   for his work on finding this bug)
+ - fix : Package will deploy assets not defined as packages (Thanks to Lucas
+   Bartholemy for his work on finding this bug)
+ - fix : editBranchSave method does not check that user is a content
+   manager (Thanks to Lucas Bartholemy for his work on finding this bug)
+ - fix : editBranchSave does not check privileges of descendants (Thanks to
+   Lucas Bartholemy for his work on finding this bug)
+ - fix : setParent does not check that user is a content manager (Colin
+   Kuskie / Thanks to Lucas Bartholemy for his work on finding this bug)
+ - fix : setParent does not check permissions of target page (Colin Kuskie
+   / Thanks to Lucas Bartholemy for his work on finding this bug)
 
 6.8.6
  - Added logic to deal with case sensitivity and whitespace problems in LDAP

lib/WebGUI/AssetBranch.pm

@@ -272,7 +272,7 @@ Verifies proper inputs in the Asset Tree and saves them. Returns ManageAssets me
 
 sub www_editBranchSave {
 	my $self = shift;
-	return $self->session->privilege->insufficient() unless ($self->canEdit);
+	return $self->session->privilege->insufficient() unless ($self->canEdit && WebGUI::Grouping::isInGroup('4'));
 	my %data;
 	$data{isHidden} = $self->session->form->yesNo("isHidden") if ($self->session->form->yesNo("change_isHidden"));
 	$data{newWindow} = $self->session->form->yesNo("newWindow") if ($self->session->form->yesNo("change_newWindow"));
@@ -297,6 +297,7 @@ sub www_editBranchSave {
 	}
 	my $descendants = $self->getLineage(["self","descendants"],{returnObjects=>1});	
 	foreach my $descendant (@{$descendants}) {
+		next unless $descendant->canEdit;
 		my $url;
 		if ($changeUrl) {
 			if ($urlBaseBy eq "parentUrl") {

lib/WebGUI/AssetPackage.pm

@@ -81,10 +81,16 @@ Returns "". Deploys a Package. If canEdit is Fales, renders an insufficient Priv
 
 sub www_deployPackage {
 	my $self = shift;
-	return $self->session->privilege->insufficient() unless $self->canEdit;
+	# Must have edit rights to the asset deploying the package.  Also, must be a Content Manager.
-	my $packageMasterAssetId = $self->session->form->process("assetId");
+	# This protects against non content managers deploying packages using a post or similar trickery.
+	return $self->session->privilege->insufficient() unless ($self->canEdit && WebGUI::Grouping::isInGroup('4'));
+	my $packageMasterAssetId = $session{form}{assetId};
 	if (defined $packageMasterAssetId) {
 		my $packageMasterAsset = WebGUI::Asset->newByDynamicClass($packageMasterAssetId);
+		unless ($packageMasterAsset->getValue('isPackage')) { #only deploy packages
+		 WebGUI::ErrorHandler::security('deploy an asset as a package which was not set as a package.');
+		 return;
+		}
 		my $masterLineage = $packageMasterAsset->get("lineage");
                 if (defined $packageMasterAsset && $packageMasterAsset->canView && $self->get("lineage") !~ /^$masterLineage/) {
 			my $deployedTreeMaster = $self->duplicateBranch($packageMasterAsset);