iger
/
engelsystem
9
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Security: Only allow angels with admin_news_html privilege to use HTML

This commit is contained in:
Igor Scheller 2017-08-29 22:22:53 +02:00
parent cc01c906ba
commit 3002ed9e93
7 changed files with 41 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
db/update.sql
View File

@ -8,19 +8,23 @@ ALTER TABLE `User` ADD COLUMN `email_by_human_allowed` BOOLEAN NOT NULL;
-- No Self Sign Up for some Angel Types -- No Self Sign Up for some Angel Types
ALTER TABLE AngelTypes ADD no_self_signup TINYINT(1) NOT NULL; ALTER TABLE AngelTypes ADD no_self_signup TINYINT(1) NOT NULL;
ALTER TABLE `AngelTypes` ALTER TABLE `AngelTypes`
ADD `contact_user_id` INT NULL, ADD `contact_user_id` INT NULL,
ADD `contact_name` VARCHAR(250) NULL, ADD `contact_name` VARCHAR(250) NULL,
ADD `contact_dect` VARCHAR(5) NULL, ADD `contact_dect` VARCHAR(5) NULL,
ADD `contact_email` VARCHAR(250) NULL, ADD `contact_email` VARCHAR(250) NULL,
ADD INDEX (`contact_user_id`); ADD INDEX (`contact_user_id`);
ALTER TABLE `AngelTypes` ALTER TABLE `AngelTypes`
ADD FOREIGN KEY (`contact_user_id`) REFERENCES `User`(`UID`) ON DELETE SET NULL ON UPDATE CASCADE; ADD FOREIGN KEY (`contact_user_id`) REFERENCES `User`(`UID`) ON DELETE SET NULL ON UPDATE CASCADE;
INSERT INTO `Privileges` (`id`, `name`, `desc`) VALUES (NULL, 'shiftentry_edit_angeltype_supporter', 'If user with this privilege is angeltype supporter, he can put users in shifts for their angeltype'); INSERT INTO `Privileges` (`id`, `name`, `desc`) VALUES (NULL, 'shiftentry_edit_angeltype_supporter', 'If user with this privilege is angeltype supporter, he can put users in shifts for their angeltype');
-- DB Performance -- DB Performance
ALTER TABLE `Shifts` ADD INDEX(`start`); ALTER TABLE `Shifts` ADD INDEX(`start`);
ALTER TABLE `NeededAngelTypes` ADD INDEX(`count`); ALTER TABLE `NeededAngelTypes` ADD INDEX(`count`);
-- Security
UPDATE `Groups` SET UID = UID * 10;
INSERT INTO `Groups` (Name, UID) VALUES ('News Admin', -65);
INSERT INTO `Privileges` (id, name, `desc`) VALUES (42, 'admin_news_html', 'Use HTML in news');
INSERT INTO `GroupPrivileges` (group_id, privilege_id) VALUES (-65, 14), (-65, 42);

11
includes/pages/admin_news.php
View File

@ -7,7 +7,7 @@ use Engelsystem\Database\DB;
*/ */
function admin_news() function admin_news()
{ {
global $user; global $user, $privileges;
$request = request(); $request = request();
if (!$request->has('action')) { if (!$request->has('action')) {
@ -51,6 +51,11 @@ function admin_news()
break; break;
case 'save': case 'save':
$text = $request->postData('eText');
if (!in_array('admin_news_html', $privileges)) {
$text = strip_tags($text);
}
DB::update(' DB::update('
UPDATE `News` SET UPDATE `News` SET
`Datum`=?, `Datum`=?,
@ -62,8 +67,8 @@ function admin_news()
', ',
[ [
time(), time(),
$request->postData('eBetreff'), strip_tags($request->postData('eBetreff')),
$request->postData('eText'), $text,
$user['UID'], $user['UID'],
$request->has('eTreffen') ? 1 : 0, $request->has('eTreffen') ? 1 : 0,
$news_id $news_id

2
includes/pages/admin_user.php
View File

@ -272,7 +272,7 @@ function admin_user()
WHERE `UID` = ? WHERE `UID` = ?
LIMIT 1'; LIMIT 1';
DB::update($sql, [ DB::update($sql, [
$request->postData('eNick'), User_validate_Nick($request->postData('eNick')),
$request->postData('eName'), $request->postData('eName'),
$request->postData('eVorname'), $request->postData('eVorname'),
$request->postData('eTelefon'), $request->postData('eTelefon'),

2
includes/pages/guest_login.php
View File

@ -233,7 +233,7 @@ function guest_register()
// Assign user-group and set password // Assign user-group and set password
$user_id = DB::getPdo()->lastInsertId(); $user_id = DB::getPdo()->lastInsertId();
DB::insert('INSERT INTO `UserGroups` (`uid`, `group_id`) VALUES (?, -2)', [$user_id]); DB::insert('INSERT INTO `UserGroups` (`uid`, `group_id`) VALUES (?, -20)', [$user_id]);
set_password($user_id, $request->postData('password')); set_password($user_id, $request->postData('password'));
// Assign angel-types // Assign angel-types

12
includes/pages/user_news.php
View File

@ -155,7 +155,7 @@ function user_news_comments()
$user_source = User($comment['UID']); $user_source = User($comment['UID']);
$html .= '<div class="panel panel-default">'; $html .= '<div class="panel panel-default">';
$html .= '<div class="panel-body">' . nl2br($comment['Text']) . '</div>'; $html .= '<div class="panel-body">' . nl2br(htmlspecialchars($comment['Text'])) . '</div>';
$html .= '<div class="panel-footer text-muted">'; $html .= '<div class="panel-footer text-muted">';
$html .= '<span class="glyphicon glyphicon-time"></span> ' . $comment['Datum'] . '&emsp;'; $html .= '<span class="glyphicon glyphicon-time"></span> ' . $comment['Datum'] . '&emsp;';
$html .= User_Nick_render($user_source); $html .= User_Nick_render($user_source);
@ -191,14 +191,20 @@ function user_news()
if (!$request->has('treffen')) { if (!$request->has('treffen')) {
$isMeeting = 0; $isMeeting = 0;
} }
$text = $request->postData('text');
if (!in_array('admin_news_html', $privileges)) {
$text = strip_tags($text);
}
DB::insert(' DB::insert('
INSERT INTO `News` (`Datum`, `Betreff`, `Text`, `UID`, `Treffen`) INSERT INTO `News` (`Datum`, `Betreff`, `Text`, `UID`, `Treffen`)
VALUES (?, ?, ?, ?, ?) VALUES (?, ?, ?, ?, ?)
', ',
[ [
time(), time(),
$request->postData('betreff'), strip_tags($request->postData('betreff')),
$request->postData('text'), $text,
$user['UID'], $user['UID'],
$isMeeting, $isMeeting,
] ]

2
includes/sys_auth.php
View File

@ -31,7 +31,7 @@ function load_auth()
} }
// guest privileges // guest privileges
$privileges = privileges_for_group(-1); $privileges = privileges_for_group(-10);
} }
/** /**

15
includes/sys_form.php
View File

@ -10,7 +10,7 @@
*/ */
function form_hidden($name, $value) function form_hidden($name, $value)
{ {
return '<input type="hidden" name="' . $name . '" value="' . $value . '" />'; return '<input type="hidden" name="' . $name . '" value="' . htmlspecialchars($value) . '" />';
} }
/** /**
@ -25,7 +25,7 @@ function form_spinner($name, $label, $value)
{ {
return form_element($label, ' return form_element($label, '
<div class="input-group"> <div class="input-group">
<input id="spinner-' . $name . '" class="form-control" type="text" name="' . $name . '" value="' . $value . '" /> <input id="spinner-' . $name . '" class="form-control" name="' . $name . '" value="' . htmlspecialchars($value) . '" />
<div class="input-group-btn"> <div class="input-group-btn">
<button id="spinner-' . $name . '-down" class="btn btn-default" type="button"> <button id="spinner-' . $name . '-down" class="btn btn-default" type="button">
<span class="glyphicon glyphicon-minus"></span> <span class="glyphicon glyphicon-minus"></span>
@ -66,7 +66,8 @@ function form_date($name, $label, $value, $start_date = '', $end_date = '')
$end_date = is_numeric($end_date) ? date('Y-m-d', $end_date) : ''; $end_date = is_numeric($end_date) ? date('Y-m-d', $end_date) : '';
return form_element($label, ' return form_element($label, '
<div class="input-group date" id="' . $dom_id . '"> <div class="input-group date" id="' . $dom_id . '">
<input type="text" name="' . $name . '" class="form-control" value="' . $value . '"><span class="input-group-addon">' . glyph('th') . '</span> <input name="' . $name . '" class="form-control" value="' . htmlspecialchars($value) . '">'
. '<span class="input-group-addon">' . glyph('th') . '</span>
</div> </div>
<script type="text/javascript"> <script type="text/javascript">
$(function(){ $(function(){
@ -154,7 +155,7 @@ function form_checkbox($name, $label, $selected, $value = 'checked', $id = null)
} }
return '<div class="checkbox"><label>' return '<div class="checkbox"><label>'
. '<input type="checkbox" id="' . $name . '" name="' . $name . '" value="' . $value . '" ' . '<input type="checkbox" id="' . $id . '" name="' . $name . '" value="' . htmlspecialchars($value) . '" '
. ($selected ? ' checked="checked"' : '') . ' /> ' . ($selected ? ' checked="checked"' : '') . ' /> '
. $label . $label
. '</label></div>'; . '</label></div>';
@ -172,7 +173,7 @@ function form_checkbox($name, $label, $selected, $value = 'checked', $id = null)
function form_radio($name, $label, $selected, $value) function form_radio($name, $label, $selected, $value)
{ {
return '<div class="radio">' return '<div class="radio">'
. '<label><input type="radio" id="' . $name . '" name="' . $name . '" value="' . $value . '" ' . '<label><input type="radio" id="' . $name . '" name="' . $name . '" value="' . htmlspecialchars($value) . '" '
. ($selected ? ' checked="checked"' : '') . ' /> ' . ($selected ? ' checked="checked"' : '') . ' /> '
. $label . $label
. '</label></div>'; . '</label></div>';
@ -333,8 +334,8 @@ function form_textarea($name, $label, $value, $disabled = false)
$disabled = $disabled ? ' disabled="disabled"' : ''; $disabled = $disabled ? ' disabled="disabled"' : '';
return form_element( return form_element(
$label, $label,
'<textarea rows="5" class="form-control" id="form_' . $name . '" type="text" name="' '<textarea rows="5" class="form-control" id="form_' . $name . '" name="'
. $name . '" ' . $disabled . '>' . $value . '</textarea>', . $name . '" ' . $disabled . '>' . htmlspecialchars($value) . '</textarea>',
'form_' . $name 'form_' . $name
); );
} }