Security: Only allow angels with admin_news_html privilege to use HTML
This commit is contained in:
Igor Scheller
parent
cc01c906ba
commit
3002ed9e93
|
|
@ -17,10 +17,14 @@ ALTER TABLE `AngelTypes`
|
||||||
ALTER TABLE `AngelTypes`
|
ALTER TABLE `AngelTypes`
|
||||||
ADD FOREIGN KEY (`contact_user_id`) REFERENCES `User`(`UID`) ON DELETE SET NULL ON UPDATE CASCADE;
|
ADD FOREIGN KEY (`contact_user_id`) REFERENCES `User`(`UID`) ON DELETE SET NULL ON UPDATE CASCADE;
|
||||||
|
|
||||||
|
|
||||||
INSERT INTO `Privileges` (`id`, `name`, `desc`) VALUES (NULL, 'shiftentry_edit_angeltype_supporter', 'If user with this privilege is angeltype supporter, he can put users in shifts for their angeltype');
|
INSERT INTO `Privileges` (`id`, `name`, `desc`) VALUES (NULL, 'shiftentry_edit_angeltype_supporter', 'If user with this privilege is angeltype supporter, he can put users in shifts for their angeltype');
|
||||||
|
|
||||||
|
|
||||||
-- DB Performance
|
-- DB Performance
|
||||||
ALTER TABLE `Shifts` ADD INDEX(`start`);
|
ALTER TABLE `Shifts` ADD INDEX(`start`);
|
||||||
ALTER TABLE `NeededAngelTypes` ADD INDEX(`count`);
|
ALTER TABLE `NeededAngelTypes` ADD INDEX(`count`);
|
||||||
|
|
||||||
|
-- Security
|
||||||
|
UPDATE `Groups` SET UID = UID * 10;
|
||||||
|
INSERT INTO `Groups` (Name, UID) VALUES ('News Admin', -65);
|
||||||
|
INSERT INTO `Privileges` (id, name, `desc`) VALUES (42, 'admin_news_html', 'Use HTML in news');
|
||||||
|
INSERT INTO `GroupPrivileges` (group_id, privilege_id) VALUES (-65, 14), (-65, 42);
|
||||||
|
|
|
||||||
|
|
@ -7,7 +7,7 @@ use Engelsystem\Database\DB;
|
||||||
*/
|
*/
|
||||||
function admin_news()
|
function admin_news()
|
||||||
{
|
{
|
||||||
global $user;
|
global $user, $privileges;
|
||||||
$request = request();
|
$request = request();
|
||||||
|
|
||||||
if (!$request->has('action')) {
|
if (!$request->has('action')) {
|
||||||
|
|
@ -51,6 +51,11 @@ function admin_news()
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case 'save':
|
case 'save':
|
||||||
|
$text = $request->postData('eText');
|
||||||
|
if (!in_array('admin_news_html', $privileges)) {
|
||||||
|
$text = strip_tags($text);
|
||||||
|
}
|
||||||
|
|
||||||
DB::update('
|
DB::update('
|
||||||
UPDATE `News` SET
|
UPDATE `News` SET
|
||||||
`Datum`=?,
|
`Datum`=?,
|
||||||
|
|
@ -62,8 +67,8 @@ function admin_news()
|
||||||
',
|
',
|
||||||
[
|
[
|
||||||
time(),
|
time(),
|
||||||
$request->postData('eBetreff'),
|
strip_tags($request->postData('eBetreff')),
|
||||||
$request->postData('eText'),
|
$text,
|
||||||
$user['UID'],
|
$user['UID'],
|
||||||
$request->has('eTreffen') ? 1 : 0,
|
$request->has('eTreffen') ? 1 : 0,
|
||||||
$news_id
|
$news_id
|
||||||
|
|
|
||||||
|
|
@ -272,7 +272,7 @@ function admin_user()
|
||||||
WHERE `UID` = ?
|
WHERE `UID` = ?
|
||||||
LIMIT 1';
|
LIMIT 1';
|
||||||
DB::update($sql, [
|
DB::update($sql, [
|
||||||
$request->postData('eNick'),
|
User_validate_Nick($request->postData('eNick')),
|
||||||
$request->postData('eName'),
|
$request->postData('eName'),
|
||||||
$request->postData('eVorname'),
|
$request->postData('eVorname'),
|
||||||
$request->postData('eTelefon'),
|
$request->postData('eTelefon'),
|
||||||
|
|
|
||||||
|
|
@ -233,7 +233,7 @@ function guest_register()
|
||||||
|
|
||||||
// Assign user-group and set password
|
// Assign user-group and set password
|
||||||
$user_id = DB::getPdo()->lastInsertId();
|
$user_id = DB::getPdo()->lastInsertId();
|
||||||
DB::insert('INSERT INTO `UserGroups` (`uid`, `group_id`) VALUES (?, -2)', [$user_id]);
|
DB::insert('INSERT INTO `UserGroups` (`uid`, `group_id`) VALUES (?, -20)', [$user_id]);
|
||||||
set_password($user_id, $request->postData('password'));
|
set_password($user_id, $request->postData('password'));
|
||||||
|
|
||||||
// Assign angel-types
|
// Assign angel-types
|
||||||
|
|
|
||||||
|
|
@ -155,7 +155,7 @@ function user_news_comments()
|
||||||
$user_source = User($comment['UID']);
|
$user_source = User($comment['UID']);
|
||||||
|
|
||||||
$html .= '<div class="panel panel-default">';
|
$html .= '<div class="panel panel-default">';
|
||||||
$html .= '<div class="panel-body">' . nl2br($comment['Text']) . '</div>';
|
$html .= '<div class="panel-body">' . nl2br(htmlspecialchars($comment['Text'])) . '</div>';
|
||||||
$html .= '<div class="panel-footer text-muted">';
|
$html .= '<div class="panel-footer text-muted">';
|
||||||
$html .= '<span class="glyphicon glyphicon-time"></span> ' . $comment['Datum'] . ' ';
|
$html .= '<span class="glyphicon glyphicon-time"></span> ' . $comment['Datum'] . ' ';
|
||||||
$html .= User_Nick_render($user_source);
|
$html .= User_Nick_render($user_source);
|
||||||
|
|
@ -191,14 +191,20 @@ function user_news()
|
||||||
if (!$request->has('treffen')) {
|
if (!$request->has('treffen')) {
|
||||||
$isMeeting = 0;
|
$isMeeting = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$text = $request->postData('text');
|
||||||
|
if (!in_array('admin_news_html', $privileges)) {
|
||||||
|
$text = strip_tags($text);
|
||||||
|
}
|
||||||
|
|
||||||
DB::insert('
|
DB::insert('
|
||||||
INSERT INTO `News` (`Datum`, `Betreff`, `Text`, `UID`, `Treffen`)
|
INSERT INTO `News` (`Datum`, `Betreff`, `Text`, `UID`, `Treffen`)
|
||||||
VALUES (?, ?, ?, ?, ?)
|
VALUES (?, ?, ?, ?, ?)
|
||||||
',
|
',
|
||||||
[
|
[
|
||||||
time(),
|
time(),
|
||||||
$request->postData('betreff'),
|
strip_tags($request->postData('betreff')),
|
||||||
$request->postData('text'),
|
$text,
|
||||||
$user['UID'],
|
$user['UID'],
|
||||||
$isMeeting,
|
$isMeeting,
|
||||||
]
|
]
|
||||||
|
|
|
||||||
|
|
@ -31,7 +31,7 @@ function load_auth()
|
||||||
}
|
}
|
||||||
|
|
||||||
// guest privileges
|
// guest privileges
|
||||||
$privileges = privileges_for_group(-1);
|
$privileges = privileges_for_group(-10);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
||||||
|
|
@ -10,7 +10,7 @@
|
||||||
*/
|
*/
|
||||||
function form_hidden($name, $value)
|
function form_hidden($name, $value)
|
||||||
{
|
{
|
||||||
return '<input type="hidden" name="' . $name . '" value="' . $value . '" />';
|
return '<input type="hidden" name="' . $name . '" value="' . htmlspecialchars($value) . '" />';
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
@ -25,7 +25,7 @@ function form_spinner($name, $label, $value)
|
||||||
{
|
{
|
||||||
return form_element($label, '
|
return form_element($label, '
|
||||||
<div class="input-group">
|
<div class="input-group">
|
||||||
<input id="spinner-' . $name . '" class="form-control" type="text" name="' . $name . '" value="' . $value . '" />
|
<input id="spinner-' . $name . '" class="form-control" name="' . $name . '" value="' . htmlspecialchars($value) . '" />
|
||||||
<div class="input-group-btn">
|
<div class="input-group-btn">
|
||||||
<button id="spinner-' . $name . '-down" class="btn btn-default" type="button">
|
<button id="spinner-' . $name . '-down" class="btn btn-default" type="button">
|
||||||
<span class="glyphicon glyphicon-minus"></span>
|
<span class="glyphicon glyphicon-minus"></span>
|
||||||
|
|
@ -66,7 +66,8 @@ function form_date($name, $label, $value, $start_date = '', $end_date = '')
|
||||||
$end_date = is_numeric($end_date) ? date('Y-m-d', $end_date) : '';
|
$end_date = is_numeric($end_date) ? date('Y-m-d', $end_date) : '';
|
||||||
return form_element($label, '
|
return form_element($label, '
|
||||||
<div class="input-group date" id="' . $dom_id . '">
|
<div class="input-group date" id="' . $dom_id . '">
|
||||||
<input type="text" name="' . $name . '" class="form-control" value="' . $value . '"><span class="input-group-addon">' . glyph('th') . '</span>
|
<input name="' . $name . '" class="form-control" value="' . htmlspecialchars($value) . '">'
|
||||||
|
. '<span class="input-group-addon">' . glyph('th') . '</span>
|
||||||
</div>
|
</div>
|
||||||
<script type="text/javascript">
|
<script type="text/javascript">
|
||||||
$(function(){
|
$(function(){
|
||||||
|
|
@ -154,7 +155,7 @@ function form_checkbox($name, $label, $selected, $value = 'checked', $id = null)
|
||||||
}
|
}
|
||||||
|
|
||||||
return '<div class="checkbox"><label>'
|
return '<div class="checkbox"><label>'
|
||||||
. '<input type="checkbox" id="' . $name . '" name="' . $name . '" value="' . $value . '" '
|
. '<input type="checkbox" id="' . $id . '" name="' . $name . '" value="' . htmlspecialchars($value) . '" '
|
||||||
. ($selected ? ' checked="checked"' : '') . ' /> '
|
. ($selected ? ' checked="checked"' : '') . ' /> '
|
||||||
. $label
|
. $label
|
||||||
. '</label></div>';
|
. '</label></div>';
|
||||||
|
|
@ -172,7 +173,7 @@ function form_checkbox($name, $label, $selected, $value = 'checked', $id = null)
|
||||||
function form_radio($name, $label, $selected, $value)
|
function form_radio($name, $label, $selected, $value)
|
||||||
{
|
{
|
||||||
return '<div class="radio">'
|
return '<div class="radio">'
|
||||||
. '<label><input type="radio" id="' . $name . '" name="' . $name . '" value="' . $value . '" '
|
. '<label><input type="radio" id="' . $name . '" name="' . $name . '" value="' . htmlspecialchars($value) . '" '
|
||||||
. ($selected ? ' checked="checked"' : '') . ' /> '
|
. ($selected ? ' checked="checked"' : '') . ' /> '
|
||||||
. $label
|
. $label
|
||||||
. '</label></div>';
|
. '</label></div>';
|
||||||
|
|
@ -333,8 +334,8 @@ function form_textarea($name, $label, $value, $disabled = false)
|
||||||
$disabled = $disabled ? ' disabled="disabled"' : '';
|
$disabled = $disabled ? ' disabled="disabled"' : '';
|
||||||
return form_element(
|
return form_element(
|
||||||
$label,
|
$label,
|
||||||
'<textarea rows="5" class="form-control" id="form_' . $name . '" type="text" name="'
|
'<textarea rows="5" class="form-control" id="form_' . $name . '" name="'
|
||||||
. $name . '" ' . $disabled . '>' . $value . '</textarea>',
|
. $name . '" ' . $disabled . '>' . htmlspecialchars($value) . '</textarea>',
|
||||||
'form_' . $name
|
'form_' . $name
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue