Add permissions for every table (view, add, edit, and delete). This is an important change that increases security on the REST API, and it will also allow more detailed control of permissions.
@@ -36,17 +36,17 @@
|
||||
$apps[$x]['menu'][0]['groups'][] = 'superadmin';
|
||||
|
||||
//permission details
|
||||
$apps[$x]['permissions'][0]['name'] = 'variable_view';
|
||||
$apps[$x]['permissions'][0]['groups'][] = 'superadmin';
|
||||
|
||||
$apps[$x]['permissions'][1]['name'] = 'variable_add';
|
||||
$apps[$x]['permissions'][1]['groups'][] = 'superadmin';
|
||||
|
||||
$apps[$x]['permissions'][2]['name'] = 'variable_edit';
|
||||
$apps[$x]['permissions'][2]['groups'][] = 'superadmin';
|
||||
|
||||
$apps[$x]['permissions'][3]['name'] = 'variable_delete';
|
||||
$apps[$x]['permissions'][3]['groups'][] = 'superadmin';
|
||||
$apps[$x]['permissions'][$y]['name'] = 'var_view';
|
||||
$apps[$x]['permissions'][$y]['groups'][] = 'superadmin';
|
||||
$y++;
|
||||
$apps[$x]['permissions'][$y]['name'] = 'var_add';
|
||||
$apps[$x]['permissions'][$y]['groups'][] = 'superadmin';
|
||||
$y++;
|
||||
$apps[$x]['permissions'][$y]['name'] = 'var_edit';
|
||||
$apps[$x]['permissions'][$y]['groups'][] = 'superadmin';
|
||||
$y++;
|
||||
$apps[$x]['permissions'][$y]['name'] = 'var_delete';
|
||||
$apps[$x]['permissions'][$y]['groups'][] = 'superadmin';
|
||||
|
||||
//schema details
|
||||
$apps[$x]['db'][$y]['table'] = 'v_vars';
|
||||
|
||||
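Review bot: `$y` is reused as the index for the schema entries at `$apps[$x]['db'][$y]['table'] = 'v_vars';` immediately after the four `$y++`-driven permission entries, so the first db entry now lands at whatever `$y` reached (3 if the block started at 0) rather than at index 0; where `$y` is initialised is outside this hunk, so confirm that. Reset it before the schema section — `$y = 0;` right after the `//schema details` comment — or give the permissions their own counter so the two arrays are indexed independently. Renaming `variable_*` to `var_*` also orphans any group grants already stored under the old names on existing installs; presumably a defaults re-seed or migration covers that, but it is worth stating in the commit.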
@@ -17,7 +17,7 @@
|
||||
|
||||
The Initial Developer of the Original Code is
|
||||
Mark J Crane <markjcrane@fusionpbx.com>
|
||||
Portions created by the Initial Developer are Copyright (C) 2008-2012
|
||||
Portions created by the Initial Developer are Copyright (C) 2008-2013
|
||||
the Initial Developer. All Rights Reserved.
|
||||
|
||||
Contributor(s):
|
||||
@@ -26,7 +26,7 @@
|
||||
include "root.php";
|
||||
require_once "resources/require.php";
|
||||
require_once "resources/check_auth.php";
|
||||
if (permission_exists('variable_delete')) {
|
||||
if (permission_exists('var_delete')) {
|
||||
//access granted
|
||||
}
|
||||
else {
|
||||
@@ -40,12 +40,13 @@ else {
|
||||
$text[$key] = $value[$_SESSION['domain']['language']['code']];
|
||||
}
|
||||
|
||||
if (count($_GET)>0) {
|
||||
$id = $_GET["id"];
|
||||
}
|
||||
//get the id
|
||||
if (count($_GET) > 0) {
|
||||
$id = $_GET["id"];
|
||||
}
|
||||
|
||||
//delete the data
|
||||
if (strlen($id)>0) {
|
||||
if (strlen($id) > 0) {
|
||||
$sql = "delete from v_vars ";
|
||||
$sql .= "where var_uuid = '$id' ";
|
||||
$prep_statement = $db->prepare(check_sql($sql));
|
||||
|
||||
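Review bot: `$id` is taken straight from `$_GET["id"]` and interpolated into `where var_uuid = '$id'`, so the new `var_delete` permission still guards a statement built by string concatenation; whatever `check_sql()` does (not visible here), the safe form is a bound parameter: `$sql .= "where var_uuid = :id "; $prep_statement = $db->prepare($sql); $prep_statement->bindParam(':id', $id);`. Because the row is identified only by UUID, rejecting `$id` that does not match a UUID pattern before building the query would also fail malformed input early. The delete is triggered by a bare GET with no request token, so any cross-site link can delete a row on behalf of a logged-in user who holds `var_delete`. The statement is executed past the end of the hunk.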
@@ -26,7 +26,7 @@
|
||||
include "root.php";
|
||||
require_once "resources/require.php";
|
||||
require_once "resources/check_auth.php";
|
||||
if (permission_exists('variable_view')) {
|
||||
if (permission_exists('var_view')) {
|
||||
//access granted
|
||||
}
|
||||
else {
|
||||
@@ -90,7 +90,7 @@ else {
|
||||
$tmp_var_header .= th_order_by('var_enabled', $text['label-enabled'], $order_by, $order);
|
||||
$tmp_var_header .= "<th>".$text['label-description']."</th>\n";
|
||||
$tmp_var_header .= "<td align='right' width='42'>\n";
|
||||
if (permission_exists('variable_add')) {
|
||||
if (permission_exists('var_add')) {
|
||||
$tmp_var_header .= " <a href='var_edit.php' alt='".$text['button-add']."'>$v_link_label_add</a>\n";
|
||||
}
|
||||
$tmp_var_header .= "</td>\n";
|
||||
@@ -111,7 +111,7 @@ else {
|
||||
echo " <td width='33.3%' nowrap> </td>\n";
|
||||
echo " <td width='33.3%' align='center' nowrap> </td>\n";
|
||||
echo " <td width='33.3%' align='right'>\n";
|
||||
if (permission_exists('variable_add')) {
|
||||
if (permission_exists('var_add')) {
|
||||
echo " <a href='var_edit.php' alt='".$text['button-add']."'>$v_link_label_add</a>\n";
|
||||
}
|
||||
echo " </td>\n";
|
||||
@@ -142,10 +142,10 @@ else {
|
||||
$var_description = str_replace(" ", " ", $var_description);
|
||||
echo " <td valign='top' align='left' class='".$row_style[$c]."'>".$var_description." </td>\n";
|
||||
echo " <td valign='top' align='right'>\n";
|
||||
if (permission_exists('variable_edit')) {
|
||||
if (permission_exists('var_edit')) {
|
||||
echo " <a href='var_edit.php?id=".$row['var_uuid']."' alt='".$text['button-edit']."'>$v_link_label_edit</a>\n";
|
||||
}
|
||||
if (permission_exists('variable_delete')) {
|
||||
if (permission_exists('var_delete')) {
|
||||
echo " <a href='var_delete.php?id=".$row['var_uuid']."' alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">$v_link_label_delete</a>\n";
|
||||
}
|
||||
echo " </td>\n";
|
||||
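Review bot: The `var_edit` / `var_delete` checks around the edit and delete anchors only hide links; enforcement has to live in var_edit.php and var_delete.php, and while var_delete.php is updated in this commit, var_edit.php is not among the hunks shown, so confirm it was renamed too or the edit link will lead to a page that still checks `variable_edit` and denies everyone. `$row['var_uuid']` is also written into the href without encoding; it comes from the database and is presumably a UUID, but `urlencode($row['var_uuid'])` costs nothing and keeps the query string well-formed if that ever changes. The delete link itself remains a GET that var_delete.php acts on without a token, so the `confirm()` is only a UI courtesy.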
@@ -164,7 +164,7 @@ else {
|
||||
echo " <td width='33.3%' nowrap> </td>\n";
|
||||
echo " <td width='33.3%' align='center' nowrap>$paging_controls</td>\n";
|
||||
echo " <td width='33.3%' align='right'>\n";
|
||||
if (permission_exists('variable_add')) {
|
||||
if (permission_exists('var_add')) {
|
||||
echo " <a href='var_edit.php' alt='".$text['button-add']."'>$v_link_label_add</a>\n";
|
||||
}
|
||||
echo " </td>\n";
|
||||
|
||||
@@ -26,7 +26,7 @@
|
||||
include "root.php";
|
||||
require_once "resources/require.php";
|
||||
require_once "resources/check_auth.php";
|
||||
if (permission_exists('variable_view')) {
|
||||
if (permission_exists('var_view')) {
|
||||
//access granted
|
||||
}
|
||||
else {
|
||||
@@ -45,7 +45,7 @@ else {
|
||||
$page["title"] = $text['title-variables_advanced'];
|
||||
|
||||
//restore the default vars.xml
|
||||
if ($_GET['a'] == "default" && permission_exists('variable_edit')) {
|
||||
if ($_GET['a'] == "default" && permission_exists('var_edit')) {
|
||||
//read default config file
|
||||
$fd = fopen($_SESSION['switch']['conf']['dir'].".orig/vars.xml", "r");
|
||||
$v_content = fread($fd, filesize($_SESSION['switch']['conf']['dir'].".orig/vars.xml"));
|
||||
@@ -59,7 +59,7 @@ if ($_GET['a'] == "default" && permission_exists('variable_edit')) {
|
||||
}
|
||||
|
||||
//save the vars.xml
|
||||
if ($_POST['a'] == "save" && permission_exists('variable_edit')) {
|
||||
if ($_POST['a'] == "save" && permission_exists('var_edit')) {
|
||||
$v_content = str_replace("\r","",$_POST['code']);
|
||||
$fd = fopen($_SESSION['switch']['conf']['dir']."/vars.xml", "w");
|
||||
fwrite($fd, $v_content);
|
||||
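Review bot: The save branch writes `$_POST['code']` verbatim to `$_SESSION['switch']['conf']['dir']."/vars.xml"` with `permission_exists('var_edit')` as the only gate: there is no anti-CSRF token on the POST, so a form auto-submitted from another site can overwrite the switch's vars.xml with attacker-chosen content as any logged-in `var_edit` user. The `fopen` result is never checked before `fwrite`, so a permission or path error silently leaves a truncated or missing file; at minimum `if ($fd === false) { /* report and stop */ }` before the write. Verifying that the submitted text parses as XML before writing would avoid handing the switch a broken config. The branch continues past the end of the hunk.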
@@ -107,7 +107,7 @@ if ($_GET['a'] == "default" && permission_exists('variable_edit')) {
|
||||
<br /><br />
|
||||
</td>
|
||||
<td align='right' valign='top'>
|
||||
<?php if (permission_exists('variable_edit')) { ?>
|
||||
<?php if (permission_exists('var_edit')) { ?>
|
||||
<input type="submit" class='btn' value="<?=$text['button-save']?>" />
|
||||
<?php } ?>
|
||||
</td>
|
||||
@@ -133,7 +133,7 @@ if ($_GET['a'] == "default" && permission_exists('variable_edit')) {
|
||||
<input type="hidden" name="f" value="<?php echo $_GET['f']; ?>" />
|
||||
<input type="hidden" name="a" value="save" />
|
||||
<?php
|
||||
if (permission_exists('variable_edit')) {
|
||||
if (permission_exists('var_edit')) {
|
||||
echo "<input type='button' class='btn' value='".$text['button-restore']."' onclick=\"document.location.href='vars.php?a=default&f=vars.xml';\" />";
|
||||
}
|
||||
?>
|
||||
|
||||
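Review bot: `$_GET['f']` is echoed unescaped into the hidden input's value attribute two lines above the renamed permission check, so a crafted `f` parameter can break out of the attribute (reflected XSS) on exactly the page a `var_edit` user is expected to submit; the rename does not change that. Escape it for the attribute context: `<input type="hidden" name="f" value="<?php echo htmlspecialchars($_GET['f'], ENT_QUOTES, 'UTF-8'); ?>" />`. The restore button guarded here also performs the `a=default` rewrite of vars.xml through a plain GET navigation, which a cross-site link can trigger for a logged-in user; it should be a POST carrying a session token. The enclosing form starts outside the hunk.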