In-Portal Issue Tracker - In-Portal CMS
Viewing Issue Advanced Details
ID: 14
Project: In-Portal CMS
Category: Security
Type: bug report
Reproducibility: always
Date Submitted: 2009-05-18 10:48
Last Update: 2010-07-22 15:06
Reporter: alex
Assigned To: alex
Priority: normal
Status: closed
Product Version: 5.0.0
Resolution: fixed
Fixed in Version: 5.1.0-B1
Other field values (labels not recovered): none, 0
0000014: Check ADD/EDIT Permissions in Section drop-down
Check for ADD/EDIT Permissions in the Section drop-down on the General tab of Add/Edit items.

Currently you can add/edit items in a Section for which you have no permission to add/edit.
Implementation Steps:

1. Create a NEW tag that glues together (using "-") all values returned by the following SQL:

SELECT *
FROM Permissions
WHERE (Type = 0) AND (Permission LIKE '%.VIEW' OR Permission LIKE '%.ADD' OR Permission LIKE '%.DELETE' OR Permission LIKE '%.MODIFY')

2. Get the Groups of the current User.

3. For each group, create the array keys that will be checked against the array generated above.

4. Check the ADD permission to add a new item and the MODIFY permission to edit an item. The first part of the permission name (LINK, NEWS, etc.) is taken from the unit config's ItemPermPrefix option.

5. After all checks we have the list of Sections where the User can Add/Edit items.

6. Using JSONHelper, output that array as the tag result.

7. At the bottom of the template, using jQuery, go through all <SELECT> options of the ParentId/CategoryId field and DISABLE the ones that do NOT have permissions in the above array.
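Steps 1 to 6 worked through as an added PHP example (this is not In-Portal's code or the attached patch): the Permissions rows, the group ids 11 and 12 and the LINK prefix are constructed sample input, and the "-"-glued key layout is this example's interpretation of step 1.

```php
<?php
// Added example, not In-Portal's own code. Column names (Permission, GroupId,
// CatId, PermissionValue) follow the SQL quoted on this page; the rows are a
// constructed sample of what the issue's SELECT (Type = 0) would return.
$permissionRows = [
    ['Permission' => 'LINK.ADD',    'GroupId' => 11, 'CatId' => 3, 'PermissionValue' => 1],
    ['Permission' => 'LINK.MODIFY', 'GroupId' => 11, 'CatId' => 3, 'PermissionValue' => 1],
    ['Permission' => 'LINK.ADD',    'GroupId' => 12, 'CatId' => 5, 'PermissionValue' => 1],
    ['Permission' => 'LINK.MODIFY', 'GroupId' => 11, 'CatId' => 7, 'PermissionValue' => 0],
    ['Permission' => 'NEWS.ADD',    'GroupId' => 11, 'CatId' => 3, 'PermissionValue' => 1],
];

// Step 1: glue each granted row into a "GroupId-CatId-Permission" key (my
// reading of the "-" glue) so later checks are plain array-key lookups.
function buildPermissionIndex(array $rows): array
{
    $index = [];
    foreach ($rows as $row) {
        if ((int) $row['PermissionValue'] !== 1) {
            continue; // a 0 row is an explicit deny, never a grant
        }
        $index[$row['GroupId'] . '-' . $row['CatId'] . '-' . $row['Permission']] = true;
    }
    return $index;
}

// Steps 2-5: for each section seen in the rows, build the key each of the
// user's groups would need ("<ItemPermPrefix>.ADD" when adding, ".MODIFY"
// when editing) and keep the section if any group holds it.
function allowedSections(array $rows, array $userGroups, string $itemPermPrefix, bool $editing): array
{
    $index   = buildPermissionIndex($rows);
    $needed  = $itemPermPrefix . ($editing ? '.MODIFY' : '.ADD');
    $allowed = [];
    foreach (array_unique(array_column($rows, 'CatId')) as $catId) {
        foreach ($userGroups as $groupId) {
            if (isset($index[$groupId . '-' . $catId . '-' . $needed])) {
                $allowed[] = (int) $catId;
                break;
            }
        }
    }
    sort($allowed);
    return $allowed;
}

// Step 6: tag result for a user in groups 11 and 12, ItemPermPrefix 'LINK'. Re-run the
// same check on save: disabling <option>s (step 7) only tidies the UI; any CategoryId can still be posted.
echo json_encode(allowedSections($permissionRows, [11, 12], 'LINK', false)), "\n"; // adding
echo json_encode(allowedSections($permissionRows, [11, 12], 'LINK', true)), "\n";  // editing
```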
patch sections_dropdown_modules.patch (3,184) 2010-03-03 13:05
http://tracker.in-portal.org/file_download.php?file_id=323&type=bug
patch sections_dropdown_core.patch (6,209) 2010-03-03 13:05
http://tracker.in-portal.org/file_download.php?file_id=324&type=bug
Issue History
2010-07-22 15:06 alex Note Added: 0002541
2010-07-22 15:06 alex Status resolved => closed
2010-04-28 08:10 alex Note Added: 0002016
2010-04-28 08:10 alex Status reviewed and tested => resolved
2010-04-28 08:10 alex Fixed in Version => 5.1.0-B1
2010-04-28 08:10 alex Resolution open => fixed
2010-04-28 08:10 alex Assigned To !COMMUNITY => alex
2010-04-28 08:10 alex Changeset attached 5.1.x r13461
2010-04-28 08:09 alex Changeset attached 5.1.x r13460
2010-04-28 08:08 alex Changeset attached 5.1.x r13459
2010-04-28 08:08 alex Changeset attached 5.1.x r13458
2010-04-28 08:07 alex Changeset attached 5.1.x r13457
2010-04-28 07:36 Dmitry Note Added: 0002014
2010-04-28 07:36 Dmitry Status needs testing => reviewed and tested
2010-04-28 07:22 alex Note Added: 0002013
2010-04-28 07:22 alex Assigned To alex => !COMMUNITY
2010-04-28 07:22 alex Status needs work => needs testing
2010-04-27 18:39 Dmitry Note Added: 0001995
2010-04-27 18:39 Dmitry Assigned To !COMMUNITY => alex
2010-04-27 18:39 Dmitry Status needs testing => needs work
2010-03-03 13:05 alex Time Estimate Removed 1 =>
2010-03-03 13:05 alex Assigned To => !COMMUNITY
2010-03-03 13:05 alex Developer => alex
2010-03-03 13:05 alex Status active => needs testing
2010-03-03 13:05 alex File Added: sections_dropdown_core.patch
2010-03-03 13:05 alex File Added: sections_dropdown_modules.patch
2010-01-12 11:33 alex Time Estimate Added 1
2009-10-03 07:53 administrator Status reviewed and tested => active
2009-09-29 09:03 alex Patch Status => Not Used
2009-09-29 09:03 alex Reporter administrator => alex
2009-08-03 15:58 Dmitry Status active => reviewed and tested
2009-08-03 15:58 Dmitry Target Version 5.0.1 => 5.1.0
2009-05-18 14:06 alex Additional Information Updated bug_revision_view_page.php?rev_id=22#r22
2009-05-18 10:55 administrator Type refactoring => bug report
2009-05-18 10:48 administrator New Issue

Notes
(0001995)
Dmitry   
2010-04-27 18:39   
Patch works okay on described functionality.

But I get the following Fatal when I log in as Admin, edit the Section and go to the Permission tab:

Fatal Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' 0, 1) AS Inherited, IF(p.PermissionValue IS NOT NULL, p.PermissionValue,' at line 8 (1064) [SELECT pc.PermissionName, pc.Description, IF (tmp_p.PermissionValue IS NULL AND p.PermissionValue IS NULL, 0, IF (tmp_p.PermissionValue IS NOT NULL, tmp_p.PermissionValue, p.PermissionValue) ) AS Value, IF (tmp_p.CatId IS NOT NULL, tmp_p.CatId, IF(p.CatId IS NOT NULL, p.CatId, 0) ) AS InheritedFrom, IF(tmp_p.CatId = , 0, 1) AS Inherited, IF(p.PermissionValue IS NOT NULL, p.PermissionValue, 0) AS InheritedValue FROM PermissionConfig pc LEFT JOIN Permissions p ON (p.Permission = pc.PermissionName) AND (0) AND (p.GroupId = 11) LEFT JOIN ses_476081267_7_edit_Permissions tmp_p ON (tmp_p.Permission = pc.PermissionName) AND (tmp_p.CatId = 0) AND (tmp_p.GroupId = 11) WHERE Mo #615421469 in /home/simone/web/dev/SVN/5.1.x/core/kernel/application.php on line 2623
(0002013)
alex   
2010-04-28 07:22   
Can't replicate.
(0002014)
Dmitry   
2010-04-28 07:36   
Tested ok.

Previously reported bug can't be replicated.
(0002016)
alex   
2010-04-28 08:10   
Fix committed to 5.1.x branch. Commit Message:

Fixes 0000014: Check ADD/EDIT Permissions in Section drop-down
(0002541)
alex   
2010-07-22 15:06   
Closing, since 5.1.0 release has been released.