Fix dashboards ACLs

José González 2021-05-27 12:16:17 +02:00
parent 22a9043378
commit a495b96bd6
1 changed files with 7 additions and 6 deletions


@ -1124,8 +1124,8 @@ if ($searchPage) {
include 'general/noaccess.php'; include 'general/noaccess.php';
} else { } else {
$sec = $main_sec; $sec = $main_sec;
if (file_exists($page)) { if (file_exists($page) === true) {
if (! extensions_is_extension($page)) { if (extensions_is_extension($page) === false) {
include_once $page; include_once $page;
} else { } else {
if ($sec[0] == 'g') { if ($sec[0] == 'g') {
@ -1141,7 +1141,7 @@ if ($searchPage) {
} else { } else {
// Home screen chosen by the user. // Home screen chosen by the user.
$home_page = ''; $home_page = '';
if (isset($config['id_user'])) { if (isset($config['id_user']) === true) {
$user_info = users_get_user_by_id($config['id_user']); $user_info = users_get_user_by_id($config['id_user']);
$home_page = io_safe_output($user_info['section']); $home_page = io_safe_output($user_info['section']);
$home_url = $user_info['data_section']; $home_url = $user_info['data_section'];
@ -1175,7 +1175,8 @@ if ($searchPage) {
break; break;
case 'Dashboard': case 'Dashboard':
$str = 'sec=reporting&sec2=operation/dashboard/dashboard&dashboardId='.$home_url.'&d_from_main_page=1'; $_GET['specialSec2'] = sprintf('operation/dashboard/dashboard&dashboardId=%s', $home_url);
$str = sprintf('sec=reporting&sec2=%s&d_from_main_page=1', $_GET['specialSec2']);
parse_str($str, $res); parse_str($str, $res);
foreach ($res as $key => $param) { foreach ($res as $key => $param) {
$_GET[$key] = $param; $_GET[$key] = $param;
@ -1211,7 +1212,7 @@ if ($searchPage) {
break; break;
} }
if (isset($_GET['sec2'])) { if (isset($_GET['sec2']) === true) {
$file = $_GET['sec2'].'.php'; $file = $_GET['sec2'].'.php';
// Make file path absolute to prevent accessing remote files. // Make file path absolute to prevent accessing remote files.
$file = __DIR__.'/'.$file; $file = __DIR__.'/'.$file;
@ -1220,7 +1221,7 @@ if ($searchPage) {
$_GET['sec'] = ($main_sec == false) ? $_GET['sec'] : $main_sec; $_GET['sec'] = ($main_sec == false) ? $_GET['sec'] : $main_sec;
// Third condition is aimed to prevent from traversal attack. // Third condition is aimed to prevent from traversal attack.
if (!file_exists($file) if (file_exists($file) === false
|| ($_GET['sec2'] != 'general/logon_ok' && enterprise_hook( || ($_GET['sec2'] != 'general/logon_ok' && enterprise_hook(
'enterprise_acl', 'enterprise_acl',
[ [