mirror of
https://github.com/fusionpbx/fusionpbx.git
synced 2025-12-30 00:53:50 +00:00
Security - Use POST method instead of GET for deleting groups (#7494)
* Security - Use POST method instead of GET for deleting groups * Update user_edit.php * Update user_edit.php * Update dashboard_widget_edit.php * Update dashboard_widget_edit.php * Update device_vendor_function_edit.php * Update dashboard_widget_edit.php * Update device_vendor_function_edit.php * Update menu_item_edit.php * Update device_vendor_function_edit.php * Update device_vendor_function_edit.php * Update device_vendor_function_edit.php
This commit is contained in:
Alex
@@ -34,32 +34,6 @@
|
||||
//set the defaults
|
||||
$device_vendor_function_uuid = '';
|
||||
|
||||
//delete the group from the menu item
|
||||
if (!empty($_REQUEST["a"]) && $_REQUEST["a"] == "delete" && permission_exists("device_vendor_function_delete") && !empty($_REQUEST["id"])) {
|
||||
//get the id
|
||||
$device_vendor_function_group_uuid = $_REQUEST["id"];
|
||||
$device_vendor_function_uuid = $_REQUEST["device_vendor_function_uuid"];
|
||||
$device_vendor_uuid = $_REQUEST["device_vendor_uuid"];
|
||||
|
||||
//delete the device vendor function group
|
||||
$array['device_vendor_function_groups'][0]['device_vendor_function_group_uuid'] = $device_vendor_function_group_uuid;
|
||||
|
||||
$p = permissions::new();
|
||||
$p->add('device_vendor_function_group_delete', 'temp');
|
||||
|
||||
$database->app_name = 'devices';
|
||||
$database->app_uuid = '4efa1a1a-32e7-bf83-534b-6c8299958a8e';
|
||||
$database->delete($array);
|
||||
unset($array);
|
||||
|
||||
$p->delete('device_vendor_function_group_delete', 'temp');
|
||||
|
||||
//redirect the browser
|
||||
message::add($text['message-delete'] ?? '');
|
||||
header("Location: device_vendor_function_edit.php?id=".escape($device_vendor_function_uuid) ."&device_vendor_uuid=".escape($device_vendor_uuid));
|
||||
exit;
|
||||
}
|
||||
|
||||
//check permissions
|
||||
require_once "resources/check_auth.php";
|
||||
if (permission_exists('device_vendor_function_add') || permission_exists('device_vendor_function_edit')) {
|
||||
@@ -98,6 +72,33 @@
|
||||
$description = $_POST["description"];
|
||||
}
|
||||
|
||||
//delete the group from the sub table
|
||||
if (!empty($_POST["action"]) && $_POST["action"] === "delete" && permission_exists("device_vendor_function_group_delete") && is_uuid($_POST["device_vendor_function_group_uuid"])) {
|
||||
//get the uuid
|
||||
$device_vendor_function_group_uuid = $_POST["device_vendor_function_group_uuid"];
|
||||
|
||||
//validate the token
|
||||
$token = new token;
|
||||
if (!$token->validate($_SERVER['PHP_SELF'])) {
|
||||
message::add($text['message-invalid_token'],'negative');
|
||||
header('Location: devices.php');
|
||||
exit;
|
||||
}
|
||||
|
||||
//delete the device vendor function group
|
||||
$array['device_vendor_function_groups'][0]['device_vendor_function_group_uuid'] = $device_vendor_function_group_uuid;
|
||||
$database = new database;
|
||||
$database->app_name = 'devices';
|
||||
$database->app_uuid = '4efa1a1a-32e7-bf83-534b-6c8299958a8e';
|
||||
$database->delete($array);
|
||||
unset($array);
|
||||
|
||||
//redirect the user
|
||||
message::add($text['message-delete'] ?? '');
|
||||
header("Location: device_vendor_function_edit.php?id=".escape($device_vendor_function_uuid) ."&device_vendor_uuid=".escape($device_vendor_uuid));
|
||||
exit;
|
||||
}
|
||||
|
||||
//process the http variables
|
||||
if (count($_POST) > 0 && empty($_POST["persistformvar"])) {
|
||||
|
||||
@@ -335,18 +336,25 @@
|
||||
echo " <td class='vtable'>";
|
||||
if (is_array($function_groups) && @sizeof($function_groups) != 0) {
|
||||
echo "<table cellpadding='0' cellspacing='0' border='0'>\n";
|
||||
if (permission_exists('device_vendor_function_group_delete')) {
|
||||
echo " <input type='hidden' id='action' name='action' value=''>\n";
|
||||
echo " <input type='hidden' id='device_vendor_function_group_uuid' name='device_vendor_function_group_uuid' value=''>\n";
|
||||
}
|
||||
$x = 0;
|
||||
foreach ($function_groups as $field) {
|
||||
if (!empty($field['group_name'])) {
|
||||
echo "<tr>\n";
|
||||
echo " <td class='vtable' style='white-space: nowrap; padding-right: 30px;' nowrap='nowrap'>";
|
||||
echo $field['group_name'].(($field['group_domain_uuid'] != '') ? "@".$_SESSION['domains'][$field['group_domain_uuid']]['domain_name'] : null);
|
||||
echo " </td>\n";
|
||||
if (permission_exists('group_member_delete') || if_group("superadmin")) {
|
||||
if (permission_exists('device_vendor_function_group_delete')) {
|
||||
echo " <td class='list_control_icons' style='width: 25px;'>";
|
||||
echo "<a href='device_vendor_function_edit.php?id=".$field['device_vendor_function_group_uuid']."&group_uuid=".$field['group_uuid']."&device_vendor_function_uuid=".$device_vendor_function_uuid."&device_vendor_uuid=".$device_vendor_uuid."&a=delete' alt='".$text['button-delete']."' onclick=\"return confirm('".$text['confirm-delete']."')\">".$v_link_label_delete."</a>";
|
||||
echo button::create(['type'=>'button','icon'=>'fas fa-minus','id'=>'btn_delete','class'=>'default list_control_icon','name'=>'btn_delete','onclick'=>"modal_open('modal-delete-group-$x','btn_delete');"]);
|
||||
echo modal::create(['id'=>'modal-delete-group-'.$x,'type'=>'delete','actions'=>button::create(['type'=>'button','label'=>$text['button-continue'],'icon'=>'check','id'=>'btn_delete','style'=>'float: right; margin-left: 15px;','collapse'=>'never','onclick'=>"modal_close(); list_action_set('delete'); document.getElementById('device_vendor_function_group_uuid').value = '".escape($field['device_vendor_function_group_uuid'])."'; list_form_submit('frm');"])]);
|
||||
echo " </td>";
|
||||
}
|
||||
echo "</tr>\n";
|
||||
$x++;
|
||||
}
|
||||
}
|
||||
echo "</table>\n";
|
||||
|
||||
Reference in New Issue
Block a user