From 93b176269c7c268e7d924aca559c02a80005d1f6 Mon Sep 17 00:00:00 2001
From: alejandro-campos
Date: Thu, 26 Sep 2019 10:38:12 +0200
Subject: [PATCH] remove acl check in integria ticket dashboard
---
 .../dashboard_detail_integriaims_incident.php | 489 +++++++++---------
 1 file changed, 243 insertions(+), 246 deletions(-)
diff --git a/pandora_console/operation/incidents/dashboard_detail_integriaims_incident.php b/pandora_console/operation/incidents/dashboard_detail_integriaims_incident.php
index 8d9b908c3a..e99b6f9347 100644
--- a/pandora_console/operation/incidents/dashboard_detail_integriaims_incident.php
+++ b/pandora_console/operation/incidents/dashboard_detail_integriaims_incident.php
@@ -96,273 +96,270 @@ $priority_text = integriaims_get_details('priority', $priority); $resolution_text = integriaims_get_details('resolution', $resolution); $type_text = integriaims_get_details('type', $type); -if (check_acl($config['id_user'], 0, 'IW')) { - // Incident file management. - $upload_file = get_parameter('upload_file'); - $delete_file_id = get_parameter('delete_file'); - $download_file_id = get_parameter('download_file'); - $download_file_name = get_parameter('download_file_name'); +// Incident file management. +$upload_file = get_parameter('upload_file'); +$delete_file_id = get_parameter('delete_file'); +$download_file_id = get_parameter('download_file'); +$download_file_name = get_parameter('download_file_name'); - // Files section table. - $table_files_section = new stdClass(); - $table_files_section->width = '100%'; - $table_files_section->id = 'files_section_table'; - $table_files_section->class = 'databox filters'; - $table_files_section->head = []; +// Files section table. +$table_files_section = new stdClass(); +$table_files_section->width = '100%'; +$table_files_section->id = 'files_section_table'; +$table_files_section->class = 'databox filters'; +$table_files_section->head = []; - $table_files_section->data = []; - $table_files_section->size = []; - $table_files_section->colspan[2][0] = 3; +$table_files_section->data = []; +$table_files_section->size = []; +$table_files_section->colspan[2][0] = 3; - // Files list table. - $table_files = new stdClass(); - $table_files->width = '100%'; - $table_files->class = 'info_table'; - $table_files->head = []; +// Files list table. 
+$table_files = new stdClass(); +$table_files->width = '100%'; +$table_files->class = 'info_table'; +$table_files->head = []; - $table_files->head[0] = __('Filename'); - $table_files->head[1] = __('Timestamp'); - $table_files->head[2] = __('Description'); - $table_files->head[3] = __('User'); - $table_files->head[4] = __('Size'); - $table_files->head[5] = __('Delete'); +$table_files->head[0] = __('Filename'); +$table_files->head[1] = __('Timestamp'); +$table_files->head[2] = __('Description'); +$table_files->head[3] = __('User'); +$table_files->head[4] = __('Size'); +$table_files->head[5] = __('Delete'); - $table_files->data = []; +$table_files->data = []; - // Upload file. - if ($upload_file && ($_FILES['userfile']['name'] != '')) { - $filedescription = get_parameter('file_description', __('No description available')); +// Upload file. +if ($upload_file && ($_FILES['userfile']['name'] != '')) { + $filedescription = get_parameter('file_description', __('No description available')); - $filename = io_safe_input($_FILES['userfile']['name']); - $filesize = io_safe_input($_FILES['userfile']['size']); + $filename = io_safe_input($_FILES['userfile']['name']); + $filesize = io_safe_input($_FILES['userfile']['size']); - $extension = pathinfo($filename, PATHINFO_EXTENSION); - $invalid_extensions = '/^(bat|exe|cmd|sh|php|php1|php2|php3|php4|php5|pl|cgi|386|dll|com|torrent|js|app|jar|iso| - pif|vb|vbscript|wsf|asp|cer|csr|jsp|drv|sys|ade|adp|bas|chm|cpl|crt|csh|fxp|hlp|hta|inf|ins|isp|jse|htaccess| - htpasswd|ksh|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|ops|pcd|prg|reg|scr|sct|shb|shs|url|vbe|vbs|wsc|wsf|wsh)$/i'; + $extension = pathinfo($filename, PATHINFO_EXTENSION); + $invalid_extensions = '/^(bat|exe|cmd|sh|php|php1|php2|php3|php4|php5|pl|cgi|386|dll|com|torrent|js|app|jar|iso| + pif|vb|vbscript|wsf|asp|cer|csr|jsp|drv|sys|ade|adp|bas|chm|cpl|crt|csh|fxp|hlp|hta|inf|ins|isp|jse|htaccess| + 
htpasswd|ksh|lnk|mdb|mde|mdt|mdw|msc|msi|msp|mst|ops|pcd|prg|reg|scr|sct|shb|shs|url|vbe|vbs|wsc|wsf|wsh)$/i'; - if (!preg_match($invalid_extensions, $extension)) { - // The following is if you have clamavlib installed. - // (php5-clamavlib) and enabled in php.ini - // http://www.howtoforge.com/scan_viruses_with_php_clamavlib - if (extension_loaded('clamav')) { - cl_setlimits(5, 1000, 200, 0, 10485760); - $malware = cl_scanfile($_FILES['file']['tmp_name']); - if ($malware) { - $error = 'Malware detected: '.$malware.'
ClamAV version: '.clam_get_version(); - die($error); - // On malware, we die because it's not good to handle it - } + if (!preg_match($invalid_extensions, $extension)) { + // The following is if you have clamavlib installed. + // (php5-clamavlib) and enabled in php.ini + // http://www.howtoforge.com/scan_viruses_with_php_clamavlib + if (extension_loaded('clamav')) { + cl_setlimits(5, 1000, 200, 0, 10485760); + $malware = cl_scanfile($_FILES['file']['tmp_name']); + if ($malware) { + $error = 'Malware detected: '.$malware.'
ClamAV version: '.clam_get_version(); + die($error); + // On malware, we die because it's not good to handle it } - - $filecontent = base64_encode(file_get_contents($_FILES['userfile']['tmp_name'])); - - $result_api_call = integria_api_call($config['integria_hostname'], $config['integria_user'], $config['integria_pass'], $config['integria_api_pass'], 'attach_file', [$incident_id, $filename, $filesize, $filedescription, $filecontent]); - - // API method returns '0' string if success. - $file_added = ($result_api_call === '0') ? true : false; - - ui_print_result_message( - $file_added, - __('File successfully added'), - __('File could not be added') - ); - } else { - ui_print_error_message(__('File has an invalid extension')); } - } - // Delete file. - if (isset($_GET['delete_file'])) { - $result_api_call = integria_api_call($config['integria_hostname'], $config['integria_user'], $config['integria_pass'], $config['integria_api_pass'], 'delete_file', [$delete_file_id]); + $filecontent = base64_encode(file_get_contents($_FILES['userfile']['tmp_name'])); - $file_deleted = false; + $result_api_call = integria_api_call($config['integria_hostname'], $config['integria_user'], $config['integria_pass'], $config['integria_api_pass'], 'attach_file', [$incident_id, $filename, $filesize, $filedescription, $filecontent]); - if ($result_api_call === '0') { - $file_deleted = true; - } + // API method returns '0' string if success. + $file_added = ($result_api_call === '0') ? true : false; ui_print_result_message( - $file_deleted, - __('File successfully deleted'), - __('File could not be deleted') + $file_added, + __('File successfully added'), + __('File could not be added') ); - } - - // Download file. 
- if (isset($_GET['download_file'])) { - $file_base64 = integria_api_call($config['integria_hostname'], $config['integria_user'], $config['integria_pass'], $config['integria_api_pass'], 'download_file', [$download_file_id]); - ob_end_clean(); - - $decoded = base64_decode($file_base64); - - file_put_contents($download_file_name, $decoded); - ob_end_clean(); - - if (file_exists($download_file_name)) { - header('Content-Description: File Transfer'); - header('Content-Type: application/octet-stream'); - header('Content-Disposition: attachment; filename="'.basename($download_file_name).'"'); - header('Expires: 0'); - header('Cache-Control: must-revalidate'); - header('Pragma: public'); - header('Content-Length: '.filesize($download_file_name)); - ob_end_clean(); - readfile($download_file_name); - unlink($download_file_name); - exit; - } - - header('Location: index.php?sec=incident&sec2=operation/incidents/dashboard_detail_integriaims_incident&incident_id='.$incident_id); - } - - // Retrieve files belonging to incident and create list table. - $result_api_call = integria_api_call($config['integria_hostname'], $config['integria_user'], $config['integria_pass'], $config['integria_api_pass'], 'get_incident_files', [$incident_id]); - - if ($result_api_call != false && strlen($result_api_call) > 0) { - $files = []; - $csv_array = explode("\n", $result_api_call); - - foreach ($csv_array as $csv_line) { - if (!empty($csv_line)) { - $files[] = explode(',', $csv_line); - } - } - } - - $i = 0; - - foreach ($files as $key => $value) { - $table_files->data[$i][0] = ''.$value[11].''; - $table_files->data[$i][1] = $value[14]; - $table_files->data[$i][2] = $value[12]; - $table_files->data[$i][3] = $value[8]; - $table_files->data[$i][4] = $value[13]; - $table_files->data[$i][5] .= ''; - $table_files->data[$i][5] .= html_print_image('images/cross.png', true, ['title' => __('Delete')]); - $table_files->data[$i][5] .= ''; - - $i++; - } - - $table_files_section->data[0][0] = '

'.__('File name').':

'; - $table_files_section->data[0][0] .= html_print_input_file('userfile', true); - $table_files_section->data[1][0] = '

'.__('Description').':

'; - $table_files_section->data[1][0] .= html_print_textarea( - 'file_description', - 3, - 20, - '', - '', - true - ); - - $table_files_section->data[2][0] .= '
'.html_print_submit_button(__('Upload'), 'accion', false, 'class="sub wand"', true).'
'; - - $upload_file_form = '
'; - - if (check_acl($config['id_user'], 0, 'IW')) { - $upload_file_form .= '
'.'

'.__('Add attachment').'

'.html_print_table($table_files_section, true).html_print_input_hidden('upload_file', 1, true); - } - - $upload_file_form .= '

'.__('Attached files').'

'.html_print_table($table_files, true).'
'; - - // Incident comments management. - $upload_comment = get_parameter('upload_comment'); - $comment_description = get_parameter('comment_description'); - - // Comments section table. - $table_comments_section = new stdClass(); - $table_comments_section->width = '100%'; - $table_comments_section->id = 'files_section_table'; - $table_comments_section->class = 'databox filters'; - $table_comments_section->head = []; - - $table_comments_section->data = []; - $table_comments_section->size = []; - - // Comments list table. - $table_comments = new stdClass(); - $table_comments->width = '100%'; - $table_comments->class = 'info_table'; - $table_comments->head = []; - - $table_comments->head[0] = __('Filename'); - $table_comments->head[1] = __('Timestamp'); - $table_comments->head[2] = __('Description'); - $table_comments->head[3] = __('User'); - $table_comments->head[4] = __('Size'); - $table_comments->head[5] = __('Delete'); - - $table_comments->data = []; - - $comment_disabled = ($array_get_incidents[6] == 7); - - if ($comment_disabled === true) { - $attribute = 'disabled=disabled'; - } - - $table_comments_section->data[0][0] = '

'.__('Description').':

'; - $table_comments_section->data[0][0] .= html_print_textarea( - 'comment_description', - 3, - 20, - '', - $attribute, - true - ); - - $table_comments_section->data[1][1] .= '
'.html_print_submit_button(__('Add'), 'accion', $comment_disabled, 'class="sub wand"', true).'
'; - - // Upload comment. If ticket is closed, this action cannot be performed. - if ($upload_comment && $array_get_incidents[6] != 7) { - $result_api_call = integria_api_call($config['integria_hostname'], $config['integria_user'], $config['integria_pass'], $config['integria_api_pass'], 'create_workunit', [$incident_id, $comment_description, '0.00', 0, 1, '0']); - - // API method returns id of new comment if success. - $comment_added = ($result_api_call >= '0') ? true : false; - - ui_print_result_message( - $comment_added, - __('Comment successfully added'), - __('Comment could not be added') - ); - } - - // Retrieve comments belonging to incident and create comments table. - $result_api_call = integria_api_call($config['integria_hostname'], $config['integria_user'], $config['integria_pass'], $config['integria_api_pass'], 'get_incident_workunits', [$incident_id]); - - if ($result_api_call != false && strlen($result_api_call) > 0) { - $comments = []; - $csv_array = explode("\n", $result_api_call); - - foreach ($csv_array as $csv_line) { - if (!empty($csv_line)) { - $comments[] = explode(',', $csv_line); - } - } - } - - $comment_table = ''; - - if (!empty($comments)) { - foreach ($comments as $key => $value) { - $comment_table .= '
'.$value[3].' said '.$value[1].''.$value[2].' Hours
'; - $comment_table .= '
'.$value[4].'
'; - } } else { - $comment_table = __('No comments found'); + ui_print_error_message(__('File has an invalid extension')); } - - $upload_comment_form = '
'; - - if (check_acl($config['id_user'], 0, 'IW')) { - $upload_comment_form .= '

'.__('Add comment').'

'.html_print_table($table_comments_section, true).html_print_input_hidden('upload_comment', 1, true).'
'; - } - - $upload_comment_form .= '

'.__('Comments').'

'.$comment_table.'
'; } +// Delete file. +if (isset($_GET['delete_file'])) { + $result_api_call = integria_api_call($config['integria_hostname'], $config['integria_user'], $config['integria_pass'], $config['integria_api_pass'], 'delete_file', [$delete_file_id]); + + $file_deleted = false; + + if ($result_api_call === '0') { + $file_deleted = true; + } + + ui_print_result_message( + $file_deleted, + __('File successfully deleted'), + __('File could not be deleted') + ); +} + +// Download file. +if (isset($_GET['download_file'])) { + $file_base64 = integria_api_call($config['integria_hostname'], $config['integria_user'], $config['integria_pass'], $config['integria_api_pass'], 'download_file', [$download_file_id]); + ob_end_clean(); + + $decoded = base64_decode($file_base64); + + file_put_contents($download_file_name, $decoded); + ob_end_clean(); + + if (file_exists($download_file_name)) { + header('Content-Description: File Transfer'); + header('Content-Type: application/octet-stream'); + header('Content-Disposition: attachment; filename="'.basename($download_file_name).'"'); + header('Expires: 0'); + header('Cache-Control: must-revalidate'); + header('Pragma: public'); + header('Content-Length: '.filesize($download_file_name)); + ob_end_clean(); + readfile($download_file_name); + unlink($download_file_name); + exit; + } + + header('Location: index.php?sec=incident&sec2=operation/incidents/dashboard_detail_integriaims_incident&incident_id='.$incident_id); +} + +// Retrieve files belonging to incident and create list table. 
+$result_api_call = integria_api_call($config['integria_hostname'], $config['integria_user'], $config['integria_pass'], $config['integria_api_pass'], 'get_incident_files', [$incident_id]); + +if ($result_api_call != false && strlen($result_api_call) > 0) { + $files = []; + $csv_array = explode("\n", $result_api_call); + + foreach ($csv_array as $csv_line) { + if (!empty($csv_line)) { + $files[] = explode(',', $csv_line); + } + } +} + +$i = 0; + +foreach ($files as $key => $value) { + $table_files->data[$i][0] = ''.$value[11].''; + $table_files->data[$i][1] = $value[14]; + $table_files->data[$i][2] = $value[12]; + $table_files->data[$i][3] = $value[8]; + $table_files->data[$i][4] = $value[13]; + $table_files->data[$i][5] .= ''; + $table_files->data[$i][5] .= html_print_image('images/cross.png', true, ['title' => __('Delete')]); + $table_files->data[$i][5] .= ''; + + $i++; +} + +$table_files_section->data[0][0] = '

'.__('File name').':

'; +$table_files_section->data[0][0] .= html_print_input_file('userfile', true); +$table_files_section->data[1][0] = '

'.__('Description').':

'; +$table_files_section->data[1][0] .= html_print_textarea( + 'file_description', + 3, + 20, + '', + '', + true +); + +$table_files_section->data[2][0] .= '
'.html_print_submit_button(__('Upload'), 'accion', false, 'class="sub wand"', true).'
'; + +$upload_file_form = '
'; + +if (check_acl($config['id_user'], 0, 'IW')) { + $upload_file_form .= '
'.'

'.__('Add attachment').'

'.html_print_table($table_files_section, true).html_print_input_hidden('upload_file', 1, true); +} + +$upload_file_form .= '

'.__('Attached files').'

'.html_print_table($table_files, true).'
'; + +// Incident comments management. +$upload_comment = get_parameter('upload_comment'); +$comment_description = get_parameter('comment_description'); + +// Comments section table. +$table_comments_section = new stdClass(); +$table_comments_section->width = '100%'; +$table_comments_section->id = 'files_section_table'; +$table_comments_section->class = 'databox filters'; +$table_comments_section->head = []; + +$table_comments_section->data = []; +$table_comments_section->size = []; + +// Comments list table. +$table_comments = new stdClass(); +$table_comments->width = '100%'; +$table_comments->class = 'info_table'; +$table_comments->head = []; + +$table_comments->head[0] = __('Filename'); +$table_comments->head[1] = __('Timestamp'); +$table_comments->head[2] = __('Description'); +$table_comments->head[3] = __('User'); +$table_comments->head[4] = __('Size'); +$table_comments->head[5] = __('Delete'); + +$table_comments->data = []; + +$comment_disabled = ($array_get_incidents[6] == 7); + +if ($comment_disabled === true) { + $attribute = 'disabled=disabled'; +} + +$table_comments_section->data[0][0] = '

'.__('Description').':

'; +$table_comments_section->data[0][0] .= html_print_textarea( + 'comment_description', + 3, + 20, + '', + $attribute, + true +); + +$table_comments_section->data[1][1] .= '
'.html_print_submit_button(__('Add'), 'accion', $comment_disabled, 'class="sub wand"', true).'
'; + +// Upload comment. If ticket is closed, this action cannot be performed. +if ($upload_comment && $array_get_incidents[6] != 7) { + $result_api_call = integria_api_call($config['integria_hostname'], $config['integria_user'], $config['integria_pass'], $config['integria_api_pass'], 'create_workunit', [$incident_id, $comment_description, '0.00', 0, 1, '0']); + + // API method returns id of new comment if success. + $comment_added = ($result_api_call >= '0') ? true : false; + + ui_print_result_message( + $comment_added, + __('Comment successfully added'), + __('Comment could not be added') + ); +} + +// Retrieve comments belonging to incident and create comments table. +$result_api_call = integria_api_call($config['integria_hostname'], $config['integria_user'], $config['integria_pass'], $config['integria_api_pass'], 'get_incident_workunits', [$incident_id]); + +if ($result_api_call != false && strlen($result_api_call) > 0) { + $comments = []; + $csv_array = explode("\n", $result_api_call); + + foreach ($csv_array as $csv_line) { + if (!empty($csv_line)) { + $comments[] = explode(',', $csv_line); + } + } +} + +$comment_table = ''; + +if (!empty($comments)) { + foreach ($comments as $key => $value) { + $comment_table .= '
'.$value[3].' said '.$value[1].''.$value[2].' Hours
'; + $comment_table .= '
'.$value[4].'
'; + } +} else { + $comment_table = __('No comments found'); +} + +$upload_comment_form = '
'; + +if (check_acl($config['id_user'], 0, 'IW')) { + $upload_comment_form .= '

'.__('Add comment').'

'.html_print_table($table_comments_section, true).html_print_input_hidden('upload_comment', 1, true).'
'; +} + +$upload_comment_form .= '

'.__('Comments').'

'.$comment_table.'
'; // Details box. $details_box = '
';
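Review bot: Dropping the outer `check_acl($config['id_user'], 0, 'IW')` gate turns the IW permission into a display-only control: the new side still hides the upload and comment forms behind the two remaining `if (check_acl($config['id_user'], 0, 'IW'))` blocks, but the `attach_file`, `delete_file`, `download_file` and `create_workunit` handlers above them now execute for any user who reaches the page with an `upload_file`, `delete_file`, `download_file` or `upload_comment` parameter. Hiding a form is not authorization; if read-only users are meant to act on tickets the form gates should go too, otherwise the write handlers need their own server-side check, e.g. `$can_write = (bool) check_acl($config['id_user'], 0, 'IW');` evaluated once and added to each handler's condition as sketched below. The download handler is the most exposed of these because it writes the decoded attachment to `$download_file_name`, a path taken straight from the request, before `readfile`/`unlink`; writing to `tempnam(sys_get_temp_dir(), 'integria')` and using the request value only for the `Content-Disposition` basename removes the filesystem dependency on user input. Separately, the ClamAV branch scans `$_FILES['file']['tmp_name']` while the upload itself reads `$_FILES['userfile']`, so the scan looks at a key that is not the uploaded file and should use `$_FILES['userfile']['tmp_name']`.
```php
// Incident file management.
$can_write = (bool) check_acl($config['id_user'], 0, 'IW');
// … unchanged: parameter reads and files table setup …
if ($can_write && $upload_file && ($_FILES['userfile']['name'] != '')) {
    // … unchanged: extension check, scan (on $_FILES['userfile']['tmp_name']), attach_file call …
}
if ($can_write && isset($_GET['delete_file'])) {
    // … unchanged: delete_file call and result message …
}
if ($can_write && isset($_GET['download_file'])) {
    // … unchanged: download_file call and base64 decode …
    $tmp_path = tempnam(sys_get_temp_dir(), 'integria');
    file_put_contents($tmp_path, $decoded);
    // … unchanged: headers, readfile, unlink — all on $tmp_path; basename($download_file_name) only in Content-Disposition …
}
// … unchanged: file list, comment tables …
if ($can_write && $upload_comment && $array_get_incidents[6] != 7) {
    // … unchanged: create_workunit call and result message …
}
```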