From 407fbf450f84eb26d8ad9ad73628a4b1d227494a Mon Sep 17 00:00:00 2001
From: fbsanchez
Date: Fri, 16 Feb 2018 15:09:37 +0100
Subject: [PATCH 1/3] Fixed permission checks in event_acl Added event response macro _group_custom_id_
---
 pandora_console/include/functions_events.php | 5 +++++
 pandora_console/include/functions_tags.php | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/pandora_console/include/functions_events.php b/pandora_console/include/functions_events.php
index 31cfde5fa7..b8c0c6834b 100644
--- a/pandora_console/include/functions_events.php
+++ b/pandora_console/include/functions_events.php
@@ -1981,6 +1981,11 @@ function events_get_response_target($event_id, $response_id, $server_id, $histor
 $event_st = events_display_status($event['estado']);
 $target = str_replace('_event_status_', $event_st["title"], $target);
 }
+ if (strpos($target, '_group_custom_id_') !== false) {
+ $group_custom_id = db_get_value($dbh, "SELECT custom_id FROM tgrupo WHERE id_grupo=?", $event["id_grupo"]);
+ $event_st = events_display_status($event['estado']);
+ $target = str_replace('_group_custom_id_', $group_custom_id, $target);
+ }
 // Parse the event custom data
 if (!empty($event['custom_data'])){
 $custom_data = json_decode (base64_decode ($event['custom_data']));
diff --git a/pandora_console/include/functions_tags.php b/pandora_console/include/functions_tags.php
index 08cfecf26e..6163503d5e 100644
--- a/pandora_console/include/functions_tags.php
+++ b/pandora_console/include/functions_tags.php
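Review bot: In the functions_events.php hunk, the new `_group_custom_id_` lookup calls `db_get_value($dbh, "SELECT custom_id FROM tgrupo WHERE id_grupo=?", $event["id_grupo"])`, but no `$dbh` is defined in the visible lines and the other query in this series goes through `db_get_value_sql($sql)`, so this call shape looks out of place for the console code. If the console helper takes a field, a table, a search column and a value, as I believe it does, the lookup would read `db_get_value('custom_id', 'tgrupo', 'id_grupo', $event['id_grupo'])`; please confirm against the helper's definition. The following `$event_st = events_display_status($event['estado']);` is not used inside this block and looks like a copy-paste leftover that can be dropped. Because the result is spliced straight into the response target, a missing row (a false return) silently becomes an empty string, and if that target is later run as a command or opened as a URL the custom id should be escaped for that context before substitution. The body of events_get_response_target starts and ends outside the hunk.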
@@ -1482,7 +1482,7 @@ function tags_checks_event_acl($id_user, $id_group, $access, $tags = array(), $c
 $group_ids = implode(',', $childrens_ids);
 }
 $sql = "SELECT id_usuario FROM tusuario_perfil
- WHERE id_usuario = '".$config["id_user"]."' AND tags IN ('$tags_str')
+ WHERE id_usuario = '".$config["id_user"]."' AND (tags IN ('$tags_str') OR tags = '')
 AND id_perfil IN (SELECT id_perfil FROM tperfil WHERE ".get_acl_column($access)."=1)
 AND id_grupo IN ($group_ids)";
 $has_perm = db_get_value_sql ($sql);
From 33089f2ff29bcdab1344eab11f4d044a38fa2004 Mon Sep 17 00:00:00 2001
From: fbsanchez
Date: Mon, 19 Feb 2018 11:34:07 +0100
Subject: [PATCH 2/3] Minor fix in sql query
---
 pandora_console/include/functions_tags.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pandora_console/include/functions_tags.php b/pandora_console/include/functions_tags.php
index 6163503d5e..5e1b57708a 100644
--- a/pandora_console/include/functions_tags.php
+++ b/pandora_console/include/functions_tags.php
@@ -1482,7 +1482,7 @@ function tags_checks_event_acl($id_user, $id_group, $access, $tags = array(), $c
 $group_ids = implode(',', $childrens_ids);
 }
 $sql = "SELECT id_usuario FROM tusuario_perfil
- WHERE id_usuario = '".$config["id_user"]."' AND (tags IN ('$tags_str') OR tags = '')
+ WHERE id_usuario = '".$config["id_user"]."' AND (tags IN ($tags_str) OR tags = '')
 AND id_perfil IN (SELECT id_perfil FROM tperfil WHERE ".get_acl_column($access)."=1)
 AND id_grupo IN ($group_ids)";
 $has_perm = db_get_value_sql ($sql);
From 49f1ad38e73307ea2822619b212db2cc63d96b3f Mon Sep 17 00:00:00 2001
From: fbsanchez
Date: Mon, 19 Feb 2018 11:44:35 +0100
Subject: [PATCH 3/3] Event ACL check: Fix case multiple tags
---
 pandora_console/include/functions_tags.php | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/pandora_console/include/functions_tags.php b/pandora_console/include/functions_tags.php
index 5e1b57708a..8fe2fc3993 100644
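Review bot: The ACL query in tags_checks_event_acl (PATCH 1/3, the changed `WHERE` line) is still assembled by interpolating `$config["id_user"]`, `$tags_str` and `$group_ids` directly into the SQL text, and the same construction is carried through the PATCH 2/3 and PATCH 3/3 hunks. PATCH 2/3 additionally drops the quotes around `$tags_str`, so in that revision the value is raw SQL and an empty string produces `IN ()`. How these values are built is outside the hunks, so I cannot tell whether they are validated earlier; a comment next to the query such as `// $tags_str and $group_ids are escaped/validated where they are built above`, backed by an explicit escape or cast of each element before the `implode`, would make that guarantee visible for a permission check. The function also receives `$id_user` but filters on `$config["id_user"]`, which, unless the two are reconciled earlier in the body, means the check always evaluates the logged-in user rather than the one passed in.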
--- a/pandora_console/include/functions_tags.php
+++ b/pandora_console/include/functions_tags.php
@@ -1481,10 +1481,20 @@ function tags_checks_event_acl($id_user, $id_group, $access, $tags = array(), $c
 }
 $group_ids = implode(',', $childrens_ids);
 }
+ $tag_conds = "";
+
+ if(!empty($tags_str)) {
+ $tag_conds = " AND (tags IN ('$tags_str') OR tags = '') ";
+ }
+ else {
+ $tag_conds = " AND tags = '' ";
+ }
+
 $sql = "SELECT id_usuario FROM tusuario_perfil
- WHERE id_usuario = '".$config["id_user"]."' AND (tags IN ($tags_str) OR tags = '')
- AND id_perfil IN (SELECT id_perfil FROM tperfil WHERE ".get_acl_column($access)."=1)
- AND id_grupo IN ($group_ids)";
+ WHERE id_usuario = '".$config["id_user"]."' $tag_conds
+ AND id_perfil IN (SELECT id_perfil FROM tperfil WHERE ".get_acl_column($access)."=1)
+ AND id_grupo IN ($group_ids)";
+
 $has_perm = db_get_value_sql ($sql);
 if ($has_perm) {
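Review bot: The new `$tag_conds` branch goes back to `tags IN ('$tags_str')`, the quoted form that PATCH 2/3 had just removed, so with more than one tag the comparison is correct only if `$tags_str` already carries the inner quotes (for example when built with `implode("','", ...)`); otherwise the whole list is matched as a single string. How `$tags_str` is assembled is outside the hunk, so a short comment above the `if` stating the expected format, e.g. `// $tags_str: escaped tag values joined with "','"`, would settle which of the two patches is right. The initial `$tag_conds = "";` is redundant because both branches assign it. In the empty-tags branch only profiles with `tags = ''` match, so it is worth confirming that a tag-restricted profile is meant to be denied on untagged events.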