Harden security with specific permissions for domains, domain settings and default settings. Everyone using multi-tenant is encouraged to update. Run Upgrade Schema on wiki.fusionpbx.com. After updating, go to advanced -> group manager, click on the superadmin group and then select the permissions for domains, domain settings, and default settings. Log out and back in.

Mark Crane 2012-09-27 00:34:10 +00:00
parent 6e662615d4
commit 23a2f84577
16 changed files with 161 additions and 113 deletions


@ -36,7 +36,6 @@ else {
$filename = check_str($_POST["file"]);
$filename = str_replace ("\\", "/", $filename);
$handle = fopen($filename, "r");
if ($handle) {
while (!feof($handle)) {
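Review bot: Whichever of these lines is the new side, the path handed to `fopen()` comes straight from `$_POST["file"]` with only `check_str()` and a backslash-to-slash normalisation applied; nothing restricts it to an intended directory, so the script will read any file the web server user can open. Resolve the path and require it to sit under an allowed base directory before opening it, e.g. `$real = realpath($filename); if ($real === false || strpos($real, $base_dir . '/') !== 0) { exit; }` where `$base_dir` is a constructed placeholder for the application's upload or data directory. The enclosing `else` block starts outside the hunk, so whether an earlier check already constrains `$filename` cannot be confirmed from here.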


@ -1,7 +1,7 @@
<?php
//application details
$apps[$x]['name'] = 'Default Settings';
$apps[$x]['guid'] = '2c2453c0-1bea-4475-9f44-4d969650de09';
$apps[$x]['uuid'] = '2c2453c0-1bea-4475-9f44-4d969650de09';
$apps[$x]['category'] = 'Core';
$apps[$x]['subcategory'] = '';
$apps[$x]['version'] = '';
@ -19,6 +19,9 @@
//permission details
$y = 0;
$apps[$x]['permissions'][$y]['name'] = 'default_setting_view';
$apps[$x]['permissions'][$y]['groups'][] = 'superadmin';
$y++;
$apps[$x]['permissions'][$y]['name'] = 'default_setting_add';
$apps[$x]['permissions'][$y]['groups'][] = 'superadmin';
$y++;


@ -26,7 +26,7 @@
require_once "root.php";
require_once "includes/require.php";
require_once "includes/checkauth.php";
if (if_group("admin") || if_group("superadmin")) {
if (permission_exists('default_setting_view')) {
//access granted
}
else {
@ -60,8 +60,7 @@ require_once "includes/paging.php";
echo "</table>\n";
//prepare to page the results
$sql = "";
$sql .= " select count(*) as num_rows from v_default_settings ";
$sql = "select count(*) as num_rows from v_default_settings ";
if (strlen($order_by)> 0) { $sql .= "order by $order_by $order "; }
$prep_statement = $db->prepare($sql);
if ($prep_statement) {
@ -83,9 +82,8 @@ require_once "includes/paging.php";
list($paging_controls, $rows_per_page, $var3) = paging($num_rows, $param, $rows_per_page);
$offset = $rows_per_page * $page;
//get the domain list
$sql = "";
$sql .= " select * from v_default_settings ";
//get the list
$sql = "select * from v_default_settings ";
if (strlen($order_by) == 0) {
$sql .= "order by default_setting_category, default_setting_subcategory asc ";
}
@ -120,7 +118,12 @@ require_once "includes/paging.php";
echo th_order_by('default_setting_enabled', 'Enabled', $order_by, $order);
echo th_order_by('default_setting_description', 'Description', $order_by, $order);
echo "<td align='right' width='42'>\n";
if (permission_exists('default_setting_add')) {
echo " <a href='default_settings_edit.php' alt='add'>$v_link_label_add</a>\n";
}
else {
echo " &nbsp;\n";
}
echo "</td>\n";
echo "</tr>\n";
}
@ -133,8 +136,7 @@ require_once "includes/paging.php";
$subcategory = $row['default_setting_subcategory'];
$name = $row['default_setting_name'];
if ($category == "domain" && $subcategory == "menu" && $name == "uuid" ) {
$sql = "";
$sql .= "select * from v_menus ";
$sql = "select * from v_menus ";
$sql .= "where menu_uuid = '".$row['default_setting_value']."' ";
$sub_prep_statement = $db->prepare(check_sql($sql));
$sub_prep_statement->execute();
@ -150,8 +152,12 @@ require_once "includes/paging.php";
echo " <td valign='top' class='".$row_style[$c]."'>".$row['default_setting_enabled']."&nbsp;</td>\n";
echo " <td valign='top' class='".$row_style[$c]."'>".$row['default_setting_description']."&nbsp;</td>\n";
echo " <td valign='top' align='right'>\n";
echo " <a href='default_settings_edit.php?id=".$row['default_setting_uuid']."' alt='edit'>$v_link_label_edit</a>\n";
echo " <a href='default_settings_delete.php?id=".$row['default_setting_uuid']."' alt='delete' onclick=\"return confirm('Do you really want to delete this?')\">$v_link_label_delete</a>\n";
if (permission_exists('default_setting_edit')) {
echo " <a href='default_setting_edit.php?id=".$row['default_setting_uuid']."' alt='edit'>$v_link_label_edit</a>\n";
}
if (permission_exists('default_setting_delete')) {
echo " <a href='default_setting_delete.php?id=".$row['default_setting_uuid']."' alt='delete' onclick=\"return confirm('Do you really want to delete this?')\">$v_link_label_delete</a>\n";
}
echo " </td>\n";
echo "</tr>\n";
$previous_category = $row['default_setting_category'];
@ -167,7 +173,12 @@ require_once "includes/paging.php";
echo " <td width='33.3%' nowrap>&nbsp;</td>\n";
echo " <td width='33.3%' align='center' nowrap>$paging_controls</td>\n";
echo " <td width='33.3%' align='right'>\n";
echo " <a href='default_settings_edit.php' alt='add'>$v_link_label_add</a>\n";
if (permission_exists('default_setting_add')) {
echo " <a href='default_setting_edit.php' alt='add'>$v_link_label_add</a>\n";
}
else {
echo " &nbsp;\n";
}
echo " </td>\n";
echo " </tr>\n";
echo " </table>\n";
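Review bot: The new edit, delete and footer add links point to `default_setting_edit.php` and `default_setting_delete.php` (singular), while the header add link in the earlier hunk still uses `default_settings_edit.php` and the old lines used the plural form; the delete page in this same commit redirects back to `default_settings.php`, so the plural spelling looks like the real file name and the three new hrefs should read `default_settings_edit.php?id=...`, `default_settings_delete.php?id=...` and `default_settings_edit.php`, or all four aligned with whichever file exists. Separately, the `order by $order_by $order` line kept as context in the count-query hunk concatenates what are presumably request-derived sort parameters into the prepared statement without `check_sql()`, unlike the menu lookup below it; unless `$order_by` and `$order` are validated against a fixed list earlier in the file, that is worth tightening in this hardening pass.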


@ -26,7 +26,7 @@
require_once "root.php";
require_once "includes/require.php";
require_once "includes/checkauth.php";
if (if_group("admin") || if_group("superadmin")) {
if (permission_exists('default_setting_delete')) {
//access granted
}
else {
@ -39,6 +39,7 @@ if (count($_GET)>0) {
}
if (strlen($id)>0) {
//delete default_setting
$sql = "delete from v_default_settings ";
$sql .= "where default_setting_uuid = '$id' ";
$prep_statement = $db->prepare(check_sql($sql));
@ -46,6 +47,7 @@ if (strlen($id)>0) {
unset($sql);
}
//redirect the user
require_once "includes/header.php";
echo "<meta http-equiv=\"refresh\" content=\"2;url=default_settings.php\">\n";
echo "<div align='center'>\n";
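Review bot: The new `permission_exists('default_setting_delete')` gate establishes who the caller is but not that they intended the deletion: the `delete from v_default_settings` statement still runs on a plain GET keyed by `$id`, with no POST requirement and no CSRF token, so a logged-in user holding this permission can be made to trigger it by any page they visit. Require a POST carrying a per-session token and verify it before the delete, or at minimum have the listing page's delete link carry a token that this script checks. The same pattern is in the `delete from v_domain_settings` hunk and the `domain_delete` hunk later in this commit. The code that fills `$id` from `$_GET` starts outside the hunk, so whether `check_str()` is applied to it cannot be confirmed from here.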


@ -26,7 +26,7 @@
require_once "root.php";
require_once "includes/require.php";
require_once "includes/checkauth.php";
if (if_group("admin") || if_group("superadmin")) {
if (permission_exists('default_setting_add') || permission_exists('default_setting_edit')) {
//access granted
}
else {
@ -82,7 +82,7 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
//add or update the database
if ($_POST["persistformvar"] != "true") {
if ($action == "add") {
if ($action == "add" && permission_exists('default_setting_add')) {
$sql = "insert into v_default_settings ";
$sql .= "(";
$sql .= "default_setting_uuid, ";
@ -115,7 +115,7 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
return;
} //if ($action == "add")
if ($action == "update") {
if ($action == "update" && permission_exists('default_setting_edit')) {
$sql = "update v_default_settings set ";
$sql .= "default_setting_category = '$default_setting_category', ";
$sql .= "default_setting_subcategory = '$default_setting_subcategory', ";
@ -140,7 +140,7 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
//pre-populate the form
if (count($_GET)>0 && $_POST["persistformvar"] != "true") {
$default_setting_uuid = $_GET["id"];
$default_setting_uuid = check_str($_GET["id"]);
$sql = "select * from v_default_settings ";
$sql .= "where default_setting_uuid = '$default_setting_uuid' ";
$prep_statement = $db->prepare(check_sql($sql));
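Review bot: When `$action` is `add` but the caller lacks `default_setting_add` (or `update` without `default_setting_edit`), the new combined conditions simply skip the branch together with the `return` inside it, so the POST is silently ignored and execution presumably falls through to re-render the form with no error; a denied write should be explicit. Put a guard in front of each branch, e.g. `if ($action == "add" && !permission_exists('default_setting_add')) { echo "access denied"; exit; }` and the same for `update` with `default_setting_edit`, so the outcome is visible to the user and to anyone reading logs. The domain settings edit and domains edit hunks later in this commit use the same pattern and would take the same guard. The surrounding `if (count($_POST)>0 ...)` block starts outside the hunk.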


@ -31,7 +31,11 @@
$apps[$x]['permissions'][$y]['name'] = 'domain_delete';
$apps[$x]['permissions'][$y]['groups'][] = 'superadmin';
$y++;
$apps[$x]['permissions'][$y]['name'] = 'domain_view';
$apps[$x]['permissions'][$y]['name'] = 'domain_select';
$apps[$x]['permissions'][$y]['groups'][] = 'superadmin';
$y++;
$apps[$x]['permissions'][$y]['name'] = 'domain_setting_view';
$apps[$x]['permissions'][$y]['groups'][] = 'superadmin';
$y++;
$apps[$x]['permissions'][$y]['name'] = 'domain_setting_add';


@ -26,7 +26,7 @@
require_once "root.php";
require_once "includes/require.php";
require_once "includes/checkauth.php";
if (if_group("admin") || if_group("superadmin")) {
if (permission_exists('domain_setting_view')) {
//access granted
}
else {
@ -49,11 +49,11 @@ require_once "includes/paging.php";
//echo "<table width='100%' border='0'>\n";
//echo " <tr>\n";
//echo " <td width='50%' nowrap><b>Domain Settings</b></td>\n";
//echo " <td width='50%' align='left' nowrap='nowrap'><b>Domain Settings</b></td>\n";
//echo " <td width='50%' align='right'>&nbsp;</td>\n";
//echo " </tr>\n";
//echo " <tr>\n";
//echo " <td colspan='2'>\n";
//echo " <td align='left' colspan='2'>\n";
//echo " Settings used for each domain.<br /><br />\n";
//echo " </td>\n";
//echo " </tr>\n";
@ -84,11 +84,9 @@ require_once "includes/paging.php";
list($paging_controls, $rows_per_page, $var3) = paging($num_rows, $param, $rows_per_page);
$offset = $rows_per_page * $page;
//get the domain list
$sql = "";
$sql .= " select * from v_domain_settings ";
//get the list
$sql = "select * from v_domain_settings ";
$sql .= "where domain_uuid = '$domain_uuid' ";
$sql .= " and domain_uuid = '$domain_uuid' ";
if (strlen($order_by)> 0) { $sql .= "order by $order_by $order "; }
$sql .= "limit $rows_per_page offset $offset ";
$prep_statement = $db->prepare(check_sql($sql));
@ -119,7 +117,13 @@ require_once "includes/paging.php";
echo th_order_by('domain_setting_enabled', 'Enabled', $order_by, $order);
echo th_order_by('domain_setting_description', 'Description', $order_by, $order);
echo "<td align='right' width='42'>\n";
if (permission_exists('domain_setting_add')) {
echo " <a href='domain_settings_edit.php?domain_uuid=".$_GET['id']."' alt='add'>$v_link_label_add</a>\n";
}
else {
echo " &nbsp;\n";
}
echo "</td>\n";
echo "</tr>\n";
}
@ -149,8 +153,12 @@ require_once "includes/paging.php";
echo " <td valign='top' class='".$row_style[$c]."'>".$row['domain_setting_enabled']."&nbsp;</td>\n";
echo " <td valign='top' class='".$row_style[$c]."'>".$row['domain_setting_description']."&nbsp;</td>\n";
echo " <td valign='top' align='right'>\n";
if (permission_exists('domain_setting_edit')) {
echo " <a href='domain_settings_edit.php?domain_uuid=".$row['domain_uuid']."&id=".$row['domain_setting_uuid']."' alt='edit'>$v_link_label_edit</a>\n";
}
if (permission_exists('domain_setting_delete')) {
echo " <a href='domain_settings_delete.php?domain_uuid=".$row['domain_uuid']."&id=".$row['domain_setting_uuid']."' alt='delete' onclick=\"return confirm('Do you really want to delete this?')\">$v_link_label_delete</a>\n";
}
echo " </td>\n";
echo "</tr>\n";
$previous_category = $row['domain_setting_category'];
@ -166,7 +174,12 @@ require_once "includes/paging.php";
echo " <td width='33.3%' nowrap>&nbsp;</td>\n";
echo " <td width='33.3%' align='center' nowrap>$paging_controls</td>\n";
echo " <td width='33.3%' align='right'>\n";
if (permission_exists('domain_setting_add')) {
echo " <a href='domain_settings_edit.php?domain_uuid=".$_GET['id']."' alt='add'>$v_link_label_add</a>\n";
}
else {
echo " &nbsp;\n";
}
echo " </td>\n";
echo " </tr>\n";
echo " </table>\n";
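Review bot: The two new add links write `$_GET['id']` straight into an href attribute (`domain_settings_edit.php?domain_uuid=".$_GET['id']."`) with no escaping; unless `$_GET['id']` is sanitised earlier in the file, this reflects request input into the HTML. Prefer the `$domain_uuid` the query already uses, passed through `urlencode()`, or wrap the value as `htmlspecialchars($_GET['id'], ENT_QUOTES, 'UTF-8')`. Separately, in the query hunk the `where domain_uuid = ...` line appears to be replaced by ` and domain_uuid = ...` while the new `select * from v_domain_settings` line carries no `where`; if the `where` line was indeed removed the statement has no WHERE keyword, and if it was kept the predicate is duplicated, so the final SQL should be checked either way.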


@ -26,7 +26,7 @@
require_once "root.php";
require_once "includes/require.php";
require_once "includes/checkauth.php";
if (if_group("admin") || if_group("superadmin")) {
if (permission_exists('domain_setting_delete')) {
//access granted
}
else {
@ -40,8 +40,8 @@ if (count($_GET)>0) {
}
if (strlen($id)>0) {
$sql = "";
$sql .= "delete from v_domain_settings ";
//delete domain_setting
$sql = "delete from v_domain_settings ";
$sql .= "where domain_uuid = '$domain_uuid' ";
$sql .= "and domain_setting_uuid = '$id' ";
$prep_statement = $db->prepare(check_sql($sql));
@ -49,6 +49,7 @@ if (strlen($id)>0) {
unset($sql);
}
//redirect the user
require_once "includes/header.php";
echo "<meta http-equiv=\"refresh\" content=\"2;url=domains_edit.php?id=$domain_uuid\">\n";
echo "<div align='center'>\n";


@ -26,7 +26,7 @@
require_once "root.php";
require_once "includes/require.php";
require_once "includes/checkauth.php";
if (if_group("admin") || if_group("superadmin")) {
if (permission_exists('domain_setting_add') || permission_exists('domain_setting_edit')) {
//access granted
}
else {
@ -87,7 +87,7 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
//add or update the database
if ($_POST["persistformvar"] != "true") {
if ($action == "add") {
if ($action == "add" && permission_exists('domain_setting_add')) {
$sql = "insert into v_domain_settings ";
$sql .= "(";
$sql .= "domain_uuid, ";
@ -122,7 +122,7 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
return;
} //if ($action == "add")
if ($action == "update") {
if ($action == "update" && permission_exists('domain_setting_edit')) {
$sql = "update v_domain_settings set ";
$sql .= "domain_setting_category = '$domain_setting_category', ";
$sql .= "domain_setting_subcategory = '$domain_setting_subcategory', ";
@ -148,7 +148,7 @@ if (count($_POST)>0 && strlen($_POST["persistformvar"]) == 0) {
//pre-populate the form
if (count($_GET)>0 && $_POST["persistformvar"] != "true") {
$domain_setting_uuid = $_GET["id"];
$domain_setting_uuid = check_str($_GET["id"]);
$sql = "select * from v_domain_settings ";
$sql .= "where domain_uuid = '$domain_uuid' ";
$sql .= "and domain_setting_uuid = '$domain_setting_uuid' ";


@ -26,7 +26,7 @@
require_once "root.php";
require_once "includes/require.php";
require_once "includes/checkauth.php";
if (if_group("admin") || if_group("superadmin")) {
if (permission_exists('domain_view')) {
//access granted
}
else {
@ -34,8 +34,9 @@ else {
exit;
}
//change the tenant
if (strlen($_GET["domain_uuid"]) > 0 && $_GET["domain_change"] == "true") {
//change the domain
if (strlen(check_str($_GET["domain_uuid"])) > 0 && check_str($_GET["domain_change"]) == "true") {
if (permission_exists('domain_select')) {
//get the domain_uuid
$sql = "select * from v_domains ";
$sql .= "order by domain_name asc ";
@ -75,6 +76,7 @@ else {
$_SESSION["context"] = 'default';
}
}
}
//includes
require_once "includes/header.php";
@ -151,7 +153,12 @@ else {
echo th_order_by('domain_name', 'Domain', $order_by, $order);
echo th_order_by('domain_description', 'Description', $order_by, $order);
echo "<td align='right' width='42'>\n";
if (permission_exists('domain_add')) {
echo " <a href='domains_edit.php' alt='add'>$v_link_label_add</a>\n";
}
else {
echo " &nbsp;\n";
}
echo "</td>\n";
echo "<tr>\n";
@ -161,8 +168,12 @@ else {
echo " <td valign='top' class='".$row_style[$c]."'>".$row['domain_name']."&nbsp;</td>\n";
echo " <td valign='top' class='".$row_style[$c]."'>".$row['domain_description']."&nbsp;</td>\n";
echo " <td valign='top' align='right'>\n";
if (permission_exists('domain_edit')) {
echo " <a href='domains_edit.php?id=".$row['domain_uuid']."' alt='edit'>$v_link_label_edit</a>\n";
}
if (permission_exists('domain_delete')) {
echo " <a href='domains_delete.php?id=".$row['domain_uuid']."' alt='delete' onclick=\"return confirm('Do you really want to delete this?')\">$v_link_label_delete</a>\n";
}
echo " </td>\n";
echo "</tr>\n";
if ($c==0) { $c=1; } else { $c=0; }
@ -170,7 +181,6 @@ else {
unset($sql, $result, $row_count);
} //end if results
echo "<tr>\n";
echo "<td colspan='3' align='left'>\n";
echo " <table width='100%' cellpadding='0' cellspacing='0'>\n";
@ -178,7 +188,12 @@ else {
echo " <td width='33.3%' nowrap>&nbsp;</td>\n";
echo " <td width='33.3%' align='center' nowrap>$paging_controls</td>\n";
echo " <td width='33.3%' align='right'>\n";
if (permission_exists('domain_add')) {
echo " <a href='domains_edit.php' alt='add'>$v_link_label_add</a>\n";
}
else {
echo " &nbsp;\n";
}
echo " </td>\n";
echo " </tr>\n";
echo " </table>\n";
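Review bot: A domain switch that fails the new `permission_exists('domain_select')` check is dropped silently — the outer condition already matched `domain_change=true`, but the permission block has no `else`, so the page renders with the previous domain still in the session and no indication to the user. Add `else { echo "access denied"; exit; }` after the permission block, or at least a message, so the denial is visible and can be logged. Also, `check_str()` is applied to `$_GET["domain_uuid"]` only inside the condition; if the lookup that follows under `//get the domain_uuid` compares the raw `$_GET` value, read it once into a sanitised local and use that throughout. The block that sets `$_SESSION["context"]` and the surrounding `else` start outside the hunks shown.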


@ -26,7 +26,7 @@
require_once "root.php";
require_once "includes/require.php";
require_once "includes/checkauth.php";
if (if_group("admin") || if_group("superadmin")) {
if (permission_exists('domain_delete')) {
//access granted
}
else {


@ -26,7 +26,7 @@
require_once "root.php";
require_once "includes/require.php";
require_once "includes/checkauth.php";
if (if_group("admin") || if_group("superadmin")) {
if (permission_exists('domain_add') || permission_exists('domain_edit')) {
//access granted
}
else {
@ -74,7 +74,7 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
//add or update the database
if ($_POST["persistformvar"] != "true") {
if ($action == "add") {
if ($action == "add" && permission_exists('domain_add')) {
$sql = "select count(*) as num_rows from v_domains ";
$sql .= "where domain_name = '$domain_name' ";
$prep_statement = $db->prepare($sql);
@ -100,7 +100,7 @@ if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
}
}
if ($action == "update") {
if ($action == "update" && permission_exists('domain_edit')) {
$sql = "update v_domains set ";
$sql .= "domain_name = '$domain_name', ";
$sql .= "domain_description = '$domain_description' ";


@ -421,7 +421,7 @@ function confirmdelete(url) {
</td>
<td width='50%' class='' align='right' valign='middle'>
<?php
if (if_group("superadmin") && count($_SESSION['domains']) > 1) {
if (permission_exists("domain_select") && count($_SESSION['domains']) > 1) {
//$tmp_style = "style=\"opacity:0.7;filter:alpha(opacity=70)\" ";
//$tmp_style .= "onmouseover=\"this.style.opacity=1;this.filters.alpha.opacity=90\" ";
//$tmp_style .= "onmouseout=\"this.style.opacity=0.7;this.filters.alpha.opacity=70\" ";


@ -518,7 +518,7 @@ function confirmdelete(url) {
</td>
<td width='50%' class='' align='right' valign='middle'>
<?php
if (if_group("superadmin") && count($_SESSION['domains']) > 1) {
if (permission_exists("domain_select") && count($_SESSION['domains']) > 1) {
//$tmp_style = "style=\"opacity:0.7;filter:alpha(opacity=70)\" ";
//$tmp_style .= "onmouseover=\"this.style.opacity=1;this.filters.alpha.opacity=90\" ";
//$tmp_style .= "onmouseout=\"this.style.opacity=0.7;this.filters.alpha.opacity=70\" ";


@ -654,7 +654,7 @@ function confirmdelete(url) {
</td>
<td width='50%' class='' align='right' valign='middle'>
<?php
if (if_group("superadmin") && count($_SESSION['domains']) > 1) {
if (permission_exists("domain_select") && count($_SESSION['domains']) > 1) {
//$tmp_style = "style=\"opacity:0.7;filter:alpha(opacity=70)\" ";
//$tmp_style .= "onmouseover=\"this.style.opacity=1;this.filters.alpha.opacity=90\" ";
//$tmp_style .= "onmouseout=\"this.style.opacity=0.7;this.filters.alpha.opacity=70\" ";


@ -655,7 +655,7 @@ function confirmdelete(url) {
</td>
<td width='50%' class='' align='right' valign='middle'>
<?php
if (if_group("superadmin") && count($_SESSION['domains']) > 1) {
if (permission_exists("domain_select") && count($_SESSION['domains']) > 1) {
//$tmp_style = "style=\"opacity:0.7;filter:alpha(opacity=70)\" ";
//$tmp_style .= "onmouseover=\"this.style.opacity=1;this.filters.alpha.opacity=90\" ";
//$tmp_style .= "onmouseout=\"this.style.opacity=0.7;this.filters.alpha.opacity=70\" ";