From ca662b1fc9788b52baad6164f89e7714dd6d0c29 Mon Sep 17 00:00:00 2001
From: Ben Klang
Date: Sun, 10 Jan 2010 13:56:12 -0500
Subject: [PATCH] Operator: Fix account code security

* Add Operator_Exception class
* Catch and notify cases where not account codes are valid
---
 operator/lib/Exception.php | 1 +
 operator/lib/Form/SearchCDR.php | 9 ++++++++-
 operator/lib/Operator.php | 30 +++++++++++++++++-------------
 3 files changed, 26 insertions(+), 14 deletions(-)
 create mode 100644 operator/lib/Exception.php

diff --git a/operator/lib/Exception.php b/operator/lib/Exception.php
new file mode 100644
index 000000000..4d31fd8b7
--- /dev/null
+++ b/operator/lib/Exception.php
@@ -0,0 +1 @@
+set('enddate', $enddate);
 }
+ try {
+ $accountcodes = Operator::getAccountCodes(true);
+ } catch (Exception $e) {
+ $GLOBALS['notification']->push($e);
+ $accountcodes = array();
+ }
+
 // Parameters for Horde_Form_datetime
 $start_year = date('Y', $now) - 3;
@@ -59,7 +66,7 @@ class SearchCDRForm extends Horde_Form {
 $params = array($start_year, $end_year, $picker, $format_in, $format_out, $show_seconds);
- $this->addVariable(_("Account Code"), 'accountcode', 'enum', false, false, null, array(Operator::getAccountCodes(true)));
+ $this->addVariable(_("Account Code"), 'accountcode', 'enum', false, false, null, array($accountcodes));
 $this->addVariable(_("Destination Context"), 'dcontext', 'text', false, false, _("An empty destination context will match all destination contexts."));
 $this->addVariable(_("Start Date/Time"), 'startdate', 'datetime', true, false, null, $params);
 $this->addVariable(_("End Date/Time"), 'enddate', 'datetime', true, false, null, $params);
diff --git a/operator/lib/Operator.php b/operator/lib/Operator.php
index 90dbbaa3c..c52e65521 100644
--- a/operator/lib/Operator.php
+++ b/operator/lib/Operator.php
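Review bot: The `Account Code` enum in the `@@ -59,7 +66,7 @@` hunk is populated with an empty list whenever the earlier `catch (Exception $e)` path ran, so the form still renders and can be submitted with no account-code restriction at all; that is only safe if the search handler consuming this form re-applies the same permission check server-side, which this page does not show. The catch also swallows every `Exception`, not just the new `Operator_Exception`, so a backend driver failure is reported to the user as a notification while the form keeps working; if that is not intended, narrow it to `catch (Operator_Exception $e)`. The try/catch itself sits in a hunk whose header was lost on this page, and the method it belongs to starts outside the hunk.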
@@ -90,9 +90,10 @@ class Operator {
 {
 global $operator;
- $accountcodes = $operator->driver->getAccountCodes();
+ // Set up arrays for filtering
+ $keys = $values = $operator->driver->getAccountCodes();
- if (Horde_Auth::isAdmin() ||
+ if (Horde_Auth::isAdmin() ||
 $GLOBALS['perms']->hasPermission('operator:accountcodes',
 Horde_Auth::getAuth(),
 Horde_Perms::READ)) {
@@ -101,26 +102,24 @@ class Operator {
 if (!$permfilter ||
 $GLOBALS['perms']->hasPermission('operator:accountcodes:%',
- Horde_Auth::geAuth(),
+ Horde_Auth::getAuth(),
 Horde_Perms::READ)) {
 // Add an option to select all accounts
- $keys = $accountcodes;
 array_unshift($keys, '%');
- $values = $accountcodes;
 array_unshift($values, _("-- All Accounts Combined --"));
 }
-
+ // Only add the Empty value if it is exists in the backend
 if ($index = array_search('', $values)) {
 $values[$index] = _("-- Empty Accountcode --");
 }
- // Filter the returned list of account codes through Permissions
- // if requested.
- $accountcodes = array();
- foreach ($keys as $index => $accountcode) {
- if ($permfilter) {
+ if ($permfilter) {
+ // Filter the returned list of account codes through Permissions
+ // if requested.
+ $accountcodes = array();
+ foreach ($keys as $index => $accountcode) {
 if (empty($accountcode)) {
 $permitem = 'operator:accountcodes';
 } else {
@@ -133,10 +132,15 @@ class Operator {
 Horde_Perms::SHOW)) {
 $accountcodes[$accountcode] = $values[$index];
 }
- } else {
- $accountcodes[$accountcode] = $values[$index];
 }
+
+ if (empty($accountcodes)) {
+ throw new Operator_Exception(_("You do not have permission to view any accounts."));
+ }
+ } else {
+ $accountcodes = array_merge($keys, $values);
 }
+
 return $accountcodes;
 }
--
2.11.0
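Review bot: The new `else` branch at the end of the `@@ -133,10 +132,15 @@` hunk returns `array_merge($keys, $values)`, which for the list-shaped arrays built here concatenates codes and labels into one numerically indexed list, whereas the removed lines returned a code => label map (`$accountcodes[$accountcode] = $values[$index]`) that the SearchCDR enum consumes; `$accountcodes = array_combine($keys, $values);` keeps that shape, since both arrays receive the same unshift. The permission-denied `Operator_Exception` is only raised on the `$permfilter` path, so callers passing `false` still receive every backend code, which is acceptable only if those callers are themselves restricted to admins — the else branch of the outer isAdmin/READ check sits outside the hunks, so that cannot be confirmed here. The added comment has a typo (`if it is exists` → `if it exists`), and the `if ($index = array_search('', $values))` it describes silently skips a match at index 0 because `0` is falsy and compares loosely; `if (($index = array_search('', $values, true)) !== false) {` covers both. getAccountCodes' signature starts before the first hunk.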