Harden security by introducing specific permissions for domains, domain settings and default settings. Everyone running multi-tenant is encouraged to update. Run Upgrade Schema (see wiki.fusionpbx.com). After updating, go to Advanced -> Group Manager, click the superadmin group, and select the permissions for domains, domain settings, and default settings. Log out and back in for the new permissions to take effect.

This commit is contained in:
Mark Crane
2012-09-27 00:34:10 +00:00
parent 6e662615d4
commit 23a2f84577
16 changed files with 161 additions and 113 deletions


@@ -31,7 +31,11 @@
$apps[$x]['permissions'][$y]['name'] = 'domain_delete';
$apps[$x]['permissions'][$y]['groups'][] = 'superadmin';
$y++;
$apps[$x]['permissions'][$y]['name'] = 'domain_view';
$apps[$x]['permissions'][$y]['name'] = 'domain_select';
$apps[$x]['permissions'][$y]['groups'][] = 'superadmin';
$y++;
$apps[$x]['permissions'][$y]['name'] = 'domain_setting_view';
$apps[$x]['permissions'][$y]['groups'][] = 'superadmin';
$y++;
$apps[$x]['permissions'][$y]['name'] = 'domain_setting_add';
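Review bot: The renamed entry at the `domain_select` line removes the only `domain_view` declaration visible in this hunk, yet domains.php in this same commit gates its page on `permission_exists('domain_view')`; unless `domain_view` is still declared above line 31 (outside the hunk), that permission can never be granted through group manager and the domain list becomes unreachable even for superadmin, so grep the file for `'domain_view'` before merging. Every new entry also defaults only to `superadmin`, so the `admin` group, which the replaced `if_group("admin")` checks used to admit, is locked out of these pages until someone grants the permissions by hand; either add `$apps[$x]['permissions'][$y]['groups'][] = 'admin';` under each entry to preserve the previous access, or have the commit message say explicitly that admin groups must be re-granted.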


@@ -26,7 +26,7 @@
require_once "root.php";
require_once "includes/require.php";
require_once "includes/checkauth.php";
if (if_group("admin") || if_group("superadmin")) {
if (permission_exists('domain_setting_view')) {
//access granted
}
else {
@@ -49,20 +49,20 @@ require_once "includes/paging.php";
//echo "<table width='100%' border='0'>\n";
//echo " <tr>\n";
//echo " <td width='50%' nowrap><b>Domain Settings</b></td>\n";
//echo " <td width='50%' align='left' nowrap='nowrap'><b>Domain Settings</b></td>\n";
//echo " <td width='50%' align='right'>&nbsp;</td>\n";
//echo " </tr>\n";
//echo " <tr>\n";
//echo " <td colspan='2'>\n";
//echo " <td align='left' colspan='2'>\n";
//echo " Settings used for each domain.<br /><br />\n";
//echo " </td>\n";
//echo " </tr>\n";
//echo "</table>\n";
//prepare to page the results
$sql = " select count(*) as num_rows from v_domain_settings ";
$sql .= " where domain_uuid = '$domain_uuid' ";
$sql .= " and domain_uuid = '$domain_uuid' ";
$sql = "select count(*) as num_rows from v_domain_settings ";
$sql .= "where domain_uuid = '$domain_uuid' ";
$sql .= "and domain_uuid = '$domain_uuid' ";
if (strlen($order_by)> 0) { $sql .= "order by $order_by $order "; }
$prep_statement = $db->prepare($sql);
if ($prep_statement) {
@@ -84,13 +84,11 @@ require_once "includes/paging.php";
list($paging_controls, $rows_per_page, $var3) = paging($num_rows, $param, $rows_per_page);
$offset = $rows_per_page * $page;
//get the domain list
$sql = "";
$sql .= " select * from v_domain_settings ";
$sql .= " where domain_uuid = '$domain_uuid' ";
$sql .= " and domain_uuid = '$domain_uuid' ";
//get the list
$sql = "select * from v_domain_settings ";
$sql .= "where domain_uuid = '$domain_uuid' ";
if (strlen($order_by)> 0) { $sql .= "order by $order_by $order "; }
$sql .= " limit $rows_per_page offset $offset ";
$sql .= "limit $rows_per_page offset $offset ";
$prep_statement = $db->prepare(check_sql($sql));
$prep_statement->execute();
$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
@@ -119,7 +117,13 @@ require_once "includes/paging.php";
echo th_order_by('domain_setting_enabled', 'Enabled', $order_by, $order);
echo th_order_by('domain_setting_description', 'Description', $order_by, $order);
echo "<td align='right' width='42'>\n";
echo " <a href='domain_settings_edit.php?domain_uuid=".$_GET['id']."' alt='add'>$v_link_label_add</a>\n";
if (permission_exists('domain_setting_add')) {
echo " <a href='domain_settings_edit.php?domain_uuid=".$_GET['id']."' alt='add'>$v_link_label_add</a>\n";
}
else {
echo " &nbsp;\n";
}
echo "</td>\n";
echo "</tr>\n";
}
@@ -149,8 +153,12 @@ require_once "includes/paging.php";
echo " <td valign='top' class='".$row_style[$c]."'>".$row['domain_setting_enabled']."&nbsp;</td>\n";
echo " <td valign='top' class='".$row_style[$c]."'>".$row['domain_setting_description']."&nbsp;</td>\n";
echo " <td valign='top' align='right'>\n";
if (permission_exists('domain_setting_edit')) {
echo " <a href='domain_settings_edit.php?domain_uuid=".$row['domain_uuid']."&id=".$row['domain_setting_uuid']."' alt='edit'>$v_link_label_edit</a>\n";
}
if (permission_exists('domain_setting_delete')) {
echo " <a href='domain_settings_delete.php?domain_uuid=".$row['domain_uuid']."&id=".$row['domain_setting_uuid']."' alt='delete' onclick=\"return confirm('Do you really want to delete this?')\">$v_link_label_delete</a>\n";
}
echo " </td>\n";
echo "</tr>\n";
$previous_category = $row['domain_setting_category'];
@@ -166,7 +174,12 @@ require_once "includes/paging.php";
echo " <td width='33.3%' nowrap>&nbsp;</td>\n";
echo " <td width='33.3%' align='center' nowrap>$paging_controls</td>\n";
echo " <td width='33.3%' align='right'>\n";
echo " <a href='domain_settings_edit.php?domain_uuid=".$_GET['id']."' alt='add'>$v_link_label_add</a>\n";
if (permission_exists('domain_setting_add')) {
echo " <a href='domain_settings_edit.php?domain_uuid=".$_GET['id']."' alt='add'>$v_link_label_add</a>\n";
}
else {
echo " &nbsp;\n";
}
echo " </td>\n";
echo " </tr>\n";
echo " </table>\n";
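Review bot: The add link rebuilt inside both `permission_exists('domain_setting_add')` branches still writes `$_GET['id']` raw into the href, so a crafted `id` value breaks out of the attribute (reflected XSS) regardless of the new permission gate; use the checked value instead, `echo " <a href='domain_settings_edit.php?domain_uuid=".urlencode($domain_uuid)."' alt='add'>$v_link_label_add</a>\n";`, assuming `$domain_uuid` is read from the request through `check_str()` above the hunk (not visible here). The count query keeps the duplicated `and domain_uuid = '$domain_uuid'` predicate and, unlike the list query below it, is prepared without `check_sql()`, while `$order_by` and `$order` are interpolated straight into ORDER BY in both queries; unless they are validated where they are read, a whitelist against the column names passed to `th_order_by()` would close that. The `$row['domain_setting_description']` cells are echoed unescaped as well, though that predates this commit.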


@@ -26,7 +26,7 @@
require_once "root.php";
require_once "includes/require.php";
require_once "includes/checkauth.php";
if (if_group("admin") || if_group("superadmin")) {
if (permission_exists('domain_setting_delete')) {
//access granted
}
else {
@@ -40,21 +40,22 @@ if (count($_GET)>0) {
}
if (strlen($id)>0) {
$sql = "";
$sql .= "delete from v_domain_settings ";
$sql .= "where domain_uuid = '$domain_uuid' ";
$sql .= "and domain_setting_uuid = '$id' ";
$prep_statement = $db->prepare(check_sql($sql));
$prep_statement->execute();
unset($sql);
//delete domain_setting
$sql = "delete from v_domain_settings ";
$sql .= "where domain_uuid = '$domain_uuid' ";
$sql .= "and domain_setting_uuid = '$id' ";
$prep_statement = $db->prepare(check_sql($sql));
$prep_statement->execute();
unset($sql);
}
require_once "includes/header.php";
echo "<meta http-equiv=\"refresh\" content=\"2;url=domains_edit.php?id=$domain_uuid\">\n";
echo "<div align='center'>\n";
echo "Delete Complete\n";
echo "</div>\n";
require_once "includes/footer.php";
return;
//redirect the user
require_once "includes/header.php";
echo "<meta http-equiv=\"refresh\" content=\"2;url=domains_edit.php?id=$domain_uuid\">\n";
echo "<div align='center'>\n";
echo "Delete Complete\n";
echo "</div>\n";
require_once "includes/footer.php";
return;
?>
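Review bot: The rebuilt `delete from v_domain_settings` statement runs on a plain GET with `$id` and `$domain_uuid` interpolated into the SQL, and `check_sql()` is only applied to the already-assembled string with guarantees not visible here; bind the values instead, `$prep_statement = $db->prepare("delete from v_domain_settings where domain_uuid = :domain_uuid and domain_setting_uuid = :id"); $prep_statement->execute(array(':domain_uuid' => $domain_uuid, ':id' => $id));`. Because the action is link-triggered with only a client-side confirm(), it is also CSRF-able from any page a logged-in user visits; moving it to a POST with a session token is the real fix, though that is beyond this commit. The assignments of `$id` and `$domain_uuid` from `$_GET` sit above the hunk, "Delete Complete" is printed even when `$id` is empty and nothing was deleted, and `$domain_uuid` goes into the meta refresh URL unescaped.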


@@ -26,7 +26,7 @@
require_once "root.php";
require_once "includes/require.php";
require_once "includes/checkauth.php";
if (if_group("admin") || if_group("superadmin")) {
if (permission_exists('domain_setting_add') || permission_exists('domain_setting_edit')) {
//access granted
}
else {
@@ -87,7 +87,7 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
//add or update the database
if ($_POST["persistformvar"] != "true") {
if ($action == "add") {
if ($action == "add" && permission_exists('domain_setting_add')) {
$sql = "insert into v_domain_settings ";
$sql .= "(";
$sql .= "domain_uuid, ";
@@ -122,7 +122,7 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
return;
} //if ($action == "add")
if ($action == "update") {
if ($action == "update" && permission_exists('domain_setting_edit')) {
$sql = "update v_domain_settings set ";
$sql .= "domain_setting_category = '$domain_setting_category', ";
$sql .= "domain_setting_subcategory = '$domain_setting_subcategory', ";
@@ -148,7 +148,7 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
//pre-populate the form
if (count($_GET)>0 && $_POST["persistformvar"] != "true") {
$domain_setting_uuid = $_GET["id"];
$domain_setting_uuid = check_str($_GET["id"]);
$sql = "select * from v_domain_settings ";
$sql .= "where domain_uuid = '$domain_uuid' ";
$sql .= "and domain_setting_uuid = '$domain_setting_uuid' ";
@@ -175,7 +175,7 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
echo "<table width='100%' border='0' cellpadding='0' cellspacing=''>\n";
echo "<tr class='border'>\n";
echo " <td align=\"left\">\n";
echo " <br>";
echo " <br>";
echo "<form method='post' name='frm' action=''>\n";
echo "<div align='center'>\n";
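Review bot: The new `&& permission_exists('domain_setting_add')` and `&& permission_exists('domain_setting_edit')` guards fail open rather than closed: a user holding only one of the two permissions who posts the other action passes the page-level check, skips both branches with no message, and falls through to re-render the form as if nothing happened. Add an explicit deny on each guarded branch, mirroring the page-level else at the top of the file, e.g. `else { echo "access denied"; exit; }`, or reject a mismatched `$action` before the SQL section is reached. The `$action` assignment and the body of the page-level deny are outside the hunk, so the exact wording to mirror is not visible here.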


@@ -26,7 +26,7 @@
require_once "root.php";
require_once "includes/require.php";
require_once "includes/checkauth.php";
if (if_group("admin") || if_group("superadmin")) {
if (permission_exists('domain_view')) {
//access granted
}
else {
@@ -34,46 +34,48 @@ else {
exit;
}
//change the tenant
if (strlen($_GET["domain_uuid"]) > 0 && $_GET["domain_change"] == "true") {
//get the domain_uuid
$sql = "select * from v_domains ";
$sql .= "order by domain_name asc ";
$prep_statement = $db->prepare($sql);
$prep_statement->execute();
$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
foreach($result as $row) {
if (count($result) == 0) {
$_SESSION["domain_uuid"] = $row["domain_uuid"];
$_SESSION["domain_name"] = $row['domain_name'];
}
else {
if ($row['domain_name'] == $domain_array[0] || $row['domain_name'] == 'www.'.$domain_array[0]) {
//change the domain
if (strlen(check_str($_GET["domain_uuid"])) > 0 && check_str($_GET["domain_change"]) == "true") {
if (permission_exists('domain_select')) {
//get the domain_uuid
$sql = "select * from v_domains ";
$sql .= "order by domain_name asc ";
$prep_statement = $db->prepare($sql);
$prep_statement->execute();
$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
foreach($result as $row) {
if (count($result) == 0) {
$_SESSION["domain_uuid"] = $row["domain_uuid"];
$_SESSION["domain_name"] = $row['domain_name'];
}
$_SESSION['domains'][$row['domain_uuid']]['domain_uuid'] = $row['domain_uuid'];
$_SESSION['domains'][$row['domain_uuid']]['domain_name'] = $row['domain_name'];
else {
if ($row['domain_name'] == $domain_array[0] || $row['domain_name'] == 'www.'.$domain_array[0]) {
$_SESSION["domain_uuid"] = $row["domain_uuid"];
$_SESSION["domain_name"] = $row['domain_name'];
}
$_SESSION['domains'][$row['domain_uuid']]['domain_uuid'] = $row['domain_uuid'];
$_SESSION['domains'][$row['domain_uuid']]['domain_name'] = $row['domain_name'];
}
}
}
unset($result, $prep_statement);
unset($result, $prep_statement);
//update the domain session variables
$domain_uuid = check_str($_GET["domain_uuid"]);
$_SESSION['domain_uuid'] = $domain_uuid;
$_SESSION["domain_name"] = $_SESSION['domains'][$domain_uuid]['domain_name'];
$_SESSION['domain']['template']['name'] = $_SESSION['domains'][$domain_uuid]['template_name'];
//clear the menu session so that it is regenerated for the selected domain
$_SESSION["menu"] = '';
//clear the extension array so that it is regenerated for the selected domain
unset($_SESSION['extension_array']);
//set the context
if (count($_SESSION["domains"]) > 1) {
$_SESSION["context"] = $_SESSION["domain_name"];
}
else {
$_SESSION["context"] = 'default';
}
//update the domain session variables
$domain_uuid = check_str($_GET["domain_uuid"]);
$_SESSION['domain_uuid'] = $domain_uuid;
$_SESSION["domain_name"] = $_SESSION['domains'][$domain_uuid]['domain_name'];
$_SESSION['domain']['template']['name'] = $_SESSION['domains'][$domain_uuid]['template_name'];
//clear the menu session so that it is regenerated for the selected domain
$_SESSION["menu"] = '';
//clear the extension array so that it is regenerated for the selected domain
unset($_SESSION['extension_array']);
//set the context
if (count($_SESSION["domains"]) > 1) {
$_SESSION["context"] = $_SESSION["domain_name"];
}
else {
$_SESSION["context"] = 'default';
}
}
}
//includes
@@ -151,7 +153,12 @@ else {
echo th_order_by('domain_name', 'Domain', $order_by, $order);
echo th_order_by('domain_description', 'Description', $order_by, $order);
echo "<td align='right' width='42'>\n";
echo " <a href='domains_edit.php' alt='add'>$v_link_label_add</a>\n";
if (permission_exists('domain_add')) {
echo " <a href='domains_edit.php' alt='add'>$v_link_label_add</a>\n";
}
else {
echo " &nbsp;\n";
}
echo "</td>\n";
echo "<tr>\n";
@@ -161,8 +168,12 @@ else {
echo " <td valign='top' class='".$row_style[$c]."'>".$row['domain_name']."&nbsp;</td>\n";
echo " <td valign='top' class='".$row_style[$c]."'>".$row['domain_description']."&nbsp;</td>\n";
echo " <td valign='top' align='right'>\n";
echo " <a href='domains_edit.php?id=".$row['domain_uuid']."' alt='edit'>$v_link_label_edit</a>\n";
echo " <a href='domains_delete.php?id=".$row['domain_uuid']."' alt='delete' onclick=\"return confirm('Do you really want to delete this?')\">$v_link_label_delete</a>\n";
if (permission_exists('domain_edit')) {
echo " <a href='domains_edit.php?id=".$row['domain_uuid']."' alt='edit'>$v_link_label_edit</a>\n";
}
if (permission_exists('domain_delete')) {
echo " <a href='domains_delete.php?id=".$row['domain_uuid']."' alt='delete' onclick=\"return confirm('Do you really want to delete this?')\">$v_link_label_delete</a>\n";
}
echo " </td>\n";
echo "</tr>\n";
if ($c==0) { $c=1; } else { $c=0; }
@@ -170,7 +181,6 @@ else {
unset($sql, $result, $row_count);
} //end if results
echo "<tr>\n";
echo "<td colspan='3' align='left'>\n";
echo " <table width='100%' cellpadding='0' cellspacing='0'>\n";
@@ -178,7 +188,12 @@ else {
echo " <td width='33.3%' nowrap>&nbsp;</td>\n";
echo " <td width='33.3%' align='center' nowrap>$paging_controls</td>\n";
echo " <td width='33.3%' align='right'>\n";
echo " <a href='domains_edit.php' alt='add'>$v_link_label_add</a>\n";
if (permission_exists('domain_add')) {
echo " <a href='domains_edit.php' alt='add'>$v_link_label_add</a>\n";
}
else {
echo " &nbsp;\n";
}
echo " </td>\n";
echo " </tr>\n";
echo " </table>\n";
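Review bot: The rebuilt domain switch at `$domain_uuid = check_str($_GET["domain_uuid"]);` stores whatever uuid the client sent into `$_SESSION['domain_uuid']` without checking it against the list just loaded, so an unknown value leaves the session pointing at a non-existent domain with `$_SESSION["domain_name"]` null; guard it with `if (!isset($_SESSION['domains'][$domain_uuid])) { echo "access denied"; exit; }` before the session assignments. Two smaller points in the same block: the loop only stores `domain_uuid` and `domain_name` per entry, so `$_SESSION['domain']['template']['name']` is read from a `template_name` key this loop never sets (fine only if something else populates it), and the `count($result) == 0` test inside the foreach can never be true. The `$domain_array` used in the name comparison is assigned outside the hunk. Switching tenant on a GET link is also CSRF-able, though that predates this commit.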


@@ -26,7 +26,7 @@
require_once "root.php";
require_once "includes/require.php";
require_once "includes/checkauth.php";
if (if_group("admin") || if_group("superadmin")) {
if (permission_exists('domain_delete')) {
//access granted
}
else {


@@ -26,7 +26,7 @@
require_once "root.php";
require_once "includes/require.php";
require_once "includes/checkauth.php";
if (if_group("admin") || if_group("superadmin")) {
if (permission_exists('domain_add') || permission_exists('domain_edit')) {
//access granted
}
else {
@@ -74,7 +74,7 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
//add or update the database
if ($_POST["persistformvar"] != "true") {
if ($action == "add") {
if ($action == "add" && permission_exists('domain_add')) {
$sql = "select count(*) as num_rows from v_domains ";
$sql .= "where domain_name = '$domain_name' ";
$prep_statement = $db->prepare($sql);
@@ -100,7 +100,7 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
}
}
if ($action == "update") {
if ($action == "update" && permission_exists('domain_edit')) {
$sql = "update v_domains set ";
$sql .= "domain_name = '$domain_name', ";
$sql .= "domain_description = '$domain_description' ";
@@ -158,7 +158,7 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
echo "<table width='100%' border='0' cellpadding='0' cellspacing=''>\n";
echo "<tr class='border'>\n";
echo " <td align=\"left\">\n";
echo " <br>";
echo " <br>";
echo "<form method='post' name='frm' action=''>\n";
echo "<div align='center'>\n";