Fixed several problems of security. Tiquet: #3550

pandora_console/godmode/update_manager/update_manager.offline.php

@@ -18,6 +18,14 @@ global $config;
 
 // ui_require_css_file('update_manager', 'godmode/update_manager/');
 
+check_login ();
+
+// ui_require_css_file('update_manager', 'godmode/update_manager/');
+if (! check_acl ($config['id_user'], 0, "PM") && ! is_user_admin ($config['id_user'])) {
+	db_pandora_audit("ACL Violation", "Trying to access Setup Management");
+	require ("general/noaccess.php");
+	return;
+}
 $baseurl = ui_get_full_url(false, false, false, false);
 
 ?>

pandora_console/godmode/update_manager/update_manager.online.php

@@ -16,6 +16,14 @@
 
 global $config;
 
+check_login ();
+
+if (! check_acl ($config['id_user'], 0, "PM") && ! is_user_admin ($config['id_user'])) {
+	db_pandora_audit("ACL Violation", "Trying to access Setup Management");
+	require ("general/noaccess.php");
+	return;
+}
+
 ui_require_css_file('update_manager', 'godmode/update_manager/');
 require_once("include/functions_update_manager.php");
 enterprise_include_once("include/functions_update_manager.php");

pandora_console/godmode/update_manager/update_manager.php

@@ -16,9 +16,16 @@
 
 global $config;
 
+check_login ();
 //The ajax is in
 // include/ajax/update_manager.ajax.php
 
+if (! check_acl ($config['id_user'], 0, "PM") && ! is_user_admin ($config['id_user'])) {
+	db_pandora_audit("ACL Violation", "Trying to access Setup Management");
+	require ("general/noaccess.php");
+	return;
+}
+
 $tab = get_parameter('tab', 'online');
 
 $buttons = array(

pandora_console/godmode/update_manager/update_manager.setup.php

@@ -16,6 +16,14 @@
 
 global $config;
 
+check_login ();
+
+if (! check_acl ($config['id_user'], 0, "PM") && ! is_user_admin ($config['id_user'])) {
+	db_pandora_audit("ACL Violation", "Trying to access Setup Management");
+	require ("general/noaccess.php");
+	return;
+}
+
 $action_update_url_update_manager = (bool)get_parameter(
 	'action_update_url_update_manager', 0);