Merge branch '2290-seguridad-en-la-api-3' into 'develop'

2290 seguridad en la api 3

See merge request artica/pandorafms!1546
This commit is contained in:
slerena 2018-06-19 16:23:09 +02:00
commit b56cb02761
1 changed files with 24 additions and 53 deletions


@ -314,60 +314,24 @@ function api_get_groups($thrash1, $thrash2, $other, $returnType, $user_in_db) {
returnData($returnType, $data, $separator); returnData($returnType, $data, $separator);
} }
function api_get_agent_module_name_last_value($agentName, $moduleName, $other = ';', $returnType) function api_get_agent_module_name_last_value($agentName, $moduleName, $other = ';', $returnType){
{
global $config;
$idAgent = agents_get_agent_id($agentName); $idAgent = agents_get_agent_id($agentName);
$sql = sprintf('SELECT id_agente_modulo $sql = sprintf('SELECT id_agente_modulo
FROM tagente_modulo FROM tagente_modulo
WHERE id_agente = %d AND nombre LIKE "%s"', $idAgent, $moduleName); WHERE id_agente = %d AND nombre LIKE "%s"', $idAgent, $moduleName);
$idModuleAgent = db_get_value_sql($sql); $idModuleAgent = db_get_value_sql($sql);
$user_has_access = users_access_to_agent($idAgent); api_get_module_last_value($idModuleAgent, null, $other, $returnType);
if (($value === false || !$user_has_access) && isset($other['data'][0])) {
if ($other['type'] == 'array' && $other['data'][0] == 'error_value') {
returnData($returnType, array('type' => 'string', 'data' => $other['data'][1]));
} else {
if (!$value) {
returnError('id_not_found', $returnType);
} else {
returnError('forbidden', $returnType);
}
}
}
else {
api_get_module_last_value($idModuleAgent, null, $other, $returnType);
}
} }
function api_get_agent_module_name_last_value_alias($alias, $moduleName, $other = ';', $returnType) function api_get_agent_module_name_last_value_alias($alias, $moduleName, $other = ';', $returnType) {
{
global $config;
$sql = sprintf('SELECT tagente_modulo.id_agente_modulo FROM tagente_modulo $sql = sprintf('SELECT tagente_modulo.id_agente_modulo FROM tagente_modulo
INNER JOIN tagente ON tagente_modulo.id_agente = tagente.id_agente INNER JOIN tagente ON tagente_modulo.id_agente = tagente.id_agente
WHERE tagente.alias LIKE "%s" AND tagente_modulo.nombre LIKE "%s"', $alias, $moduleName); WHERE tagente.alias LIKE "%s" AND tagente_modulo.nombre LIKE "%s"', $alias, $moduleName);
$idModuleAgent = db_get_value_sql($sql); $idModuleAgent = db_get_value_sql($sql);
$user_has_access = users_access_to_agent($idAgent); api_get_module_last_value($idModuleAgent, null, $other, $returnType);
if (($value === false || !$user_has_access) && isset($other['data'][0])) {
if ($other['type'] == 'array' && $other['data'][0] == 'error_value') {
returnData($returnType, array('type' => 'string', 'data' => $other['data'][1]));
} else {
if (!$value) {
returnError('id_not_found', $returnType);
} else {
returnError('forbidden', $returnType);
}
}
}
else {
api_get_module_last_value($idModuleAgent, null, $other, $returnType);
}
} }
@ -377,28 +341,30 @@ function api_get_module_last_value($idAgentModule, $trash1, $other = ';', $retur
return; return;
} }
$user_has_access = users_access_to_agent(modules_get_agentmodule_agent($idAgentModule)); $check_access = agents_check_access_agent(modules_get_agentmodule_agent($idAgentModule));
if ($check_access === false || !check_acl($config['id_user'], 0, "AR")) {
returnError('forbidden', $returnType);
return;
}
$sql = sprintf('SELECT datos $sql = sprintf('SELECT datos
FROM tagente_estado FROM tagente_estado
WHERE id_agente_modulo = %d', $idAgentModule); WHERE id_agente_modulo = %d', $idAgentModule);
$value = db_get_value_sql($sql); $value = db_get_value_sql($sql);
if (($value === false || !$user_has_access) && isset($other['data'][0])) { if ($value === false) {
if ($other['type'] == 'array' && $other['data'][0] == 'error_value') { if (isset($other['data'][1]) && $other['data'][0] == 'error_value') {
returnData($returnType, array('type' => 'string', 'data' => $other['data'][1])); returnData($returnType, array('type' => 'string', 'data' => $other['data'][1]));
} elseif ($check_access) {
returnError('no_data_to_show', $returnType);
} else { } else {
if (!$value) { returnError('id_not_found', $returnType);
returnError('id_not_found', $returnType);
} else {
returnError('forbidden', $returnType);
}
} }
return;
} }
else {
$data = array('type' => 'string', 'data' => $value); $data = array('type' => 'string', 'data' => $value);
returnData($returnType, $data); returnData($returnType, $data);
}
} }
/*** DB column mapping table used by tree_agents (and get module_properties) ***/ /*** DB column mapping table used by tree_agents (and get module_properties) ***/
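Review bot: The new guard `if ($check_access === false || !check_acl($config['id_user'], 0, "AR"))` only fails closed on an explicit `false`, yet the `=== true` / `=== false` handling in `util_api_check_agent_and_print_error()` at the bottom of this page suggests `agents_check_access_agent()` has a third return state; such a value passes the guard and, if the module row exists, the reading is returned on the strength of the global AR check alone, while the later `elseif ($check_access)` treats the same value as not-found. Unless that third state is guaranteed to mean "agent does not exist" (in which case the `tagente_estado` query would report `id_not_found` anyway), the safer form is `if ($check_access !== true || !check_acl($config['id_user'], 0, "AR")) {`. These five lines also duplicate the decision `util_api_check_agent_and_print_error()` already makes; routing the agent id through that helper would keep the API's access checks in one place, though the helper's return contract past the visible lines cannot be confirmed here. The opening of `api_get_module_last_value()` lies above this hunk, so whatever validation of `$idAgentModule` precedes the guard is not visible.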
@ -2504,6 +2470,11 @@ function api_get_policies($thrash1, $thrash2, $other, $thrash3) {
return; return;
} }
if (!check_acl($config['id_user'], 0, "AW")) {
returnError('forbidden', 'csv');
return;
}
$user_groups = implode (',', array_keys(users_get_groups($config["id_user"], "AW"))); $user_groups = implode (',', array_keys(users_get_groups($config["id_user"], "AW")));
if ($other['data'][0] != "") { if ($other['data'][0] != "") {
@ -11480,7 +11451,7 @@ function api_get_modules_id_name_by_cluster_name ($cluster_name){
function util_api_check_agent_and_print_error($id_agent, $returnType, $access = "AR") { function util_api_check_agent_and_print_error($id_agent, $returnType, $access = "AR") {
global $config; global $config;
$check_agent = agents_check_access_agent($id_agent["id_agente"], $access); $check_agent = agents_check_access_agent($id_agent, $access);
if ($check_agent === true) return true; if ($check_agent === true) return true;
if ($check_agent === false || !check_acl($config['id_user'], 0, $access)) { if ($check_agent === false || !check_acl($config['id_user'], 0, $access)) {