From f2118d3caf91d8b45d8f89ae04b92f19f7349ef9 Mon Sep 17 00:00:00 2001
From: m-lopez-f
Date: Wed, 13 Apr 2016 13:53:37 +0200
Subject: [PATCH] Fixed several problems of security. Tiquet: #3550
---
 .../godmode/update_manager/update_manager.offline.php | 10 ++++++++++
 .../godmode/update_manager/update_manager.online.php | 8 ++++++++
 .../godmode/update_manager/update_manager.php | 7 +++++++
 .../godmode/update_manager/update_manager.setup.php | 8 ++++++++
 4 files changed, 33 insertions(+)
diff --git a/pandora_console/godmode/update_manager/update_manager.offline.php b/pandora_console/godmode/update_manager/update_manager.offline.php
index db0c14c307..e521a015a5 100644
--- a/pandora_console/godmode/update_manager/update_manager.offline.php
+++ b/pandora_console/godmode/update_manager/update_manager.offline.php
@@ -18,6 +18,16 @@ global $config;
 ui_require_css_file('update_manager', 'godmode/update_manager/');
+check_login ();
+
+// ui_require_css_file('update_manager', 'godmode/update_manager/');
+if (! check_acl ($config['id_user'], 0, "PM") && ! is_user_admin ($config['id_user'])) {
+ db_pandora_audit("ACL Violation", "Trying to access Setup Management");
+ require ("general/noaccess.php");
+ return;
+}
+$baseurl = ui_get_full_url(false, false, false, false);
+ ?>