Fixed several problems of security. Tiquet: #3550

2016-04-13 13:53:37 +02:00 · 2016-04-13 13:53:37 +02:00 · f2118d3caf
parent 640a9c7406
commit f2118d3caf
4 changed files with 33 additions and 0 deletions
--- a/pandora_console/godmode/update_manager/update_manager.offline.php
+++ b/pandora_console/godmode/update_manager/update_manager.offline.php
@ -18,6 +18,16 @@ global $config;

 ui_require_css_file('update_manager', 'godmode/update_manager/');

+check_login ();
+
+// ui_require_css_file('update_manager', 'godmode/update_manager/');
+if (! check_acl ($config['id_user'], 0, "PM") && ! is_user_admin ($config['id_user'])) {
+	db_pandora_audit("ACL Violation", "Trying to access Setup Management");
+	require ("general/noaccess.php");
+	return;
+}
+$baseurl = ui_get_full_url(false, false, false, false);
+
 ?>
 <script type="text/javascript">
 	<?php
--- a/pandora_console/godmode/update_manager/update_manager.online.php
+++ b/pandora_console/godmode/update_manager/update_manager.online.php
@ -16,6 +16,14 @@

 global $config;

+check_login ();
+
+if (! check_acl ($config['id_user'], 0, "PM") && ! is_user_admin ($config['id_user'])) {
+	db_pandora_audit("ACL Violation", "Trying to access Setup Management");
+	require ("general/noaccess.php");
+	return;
+}
+
 ui_require_css_file('update_manager', 'godmode/update_manager/');
 require_once("include/functions_update_manager.php");
 enterprise_include_once("include/functions_update_manager.php");
--- a/pandora_console/godmode/update_manager/update_manager.php
+++ b/pandora_console/godmode/update_manager/update_manager.php
@ -16,9 +16,16 @@

 global $config;

+check_login ();
 //The ajax is in
 // include/ajax/update_manager.ajax.php

+if (! check_acl ($config['id_user'], 0, "PM") && ! is_user_admin ($config['id_user'])) {
+	db_pandora_audit("ACL Violation", "Trying to access Setup Management");
+	require ("general/noaccess.php");
+	return;
+}
+
 $tab = get_parameter('tab', 'online');

 $buttons = array(
--- a/pandora_console/godmode/update_manager/update_manager.setup.php
+++ b/pandora_console/godmode/update_manager/update_manager.setup.php
@ -16,6 +16,14 @@

 global $config;

+check_login ();
+
+if (! check_acl ($config['id_user'], 0, "PM") && ! is_user_admin ($config['id_user'])) {
+	db_pandora_audit("ACL Violation", "Trying to access Setup Management");
+	require ("general/noaccess.php");
+	return;
+}
+
 $action_update_url_update_manager = (bool)get_parameter(
 	'action_update_url_update_manager', 0);