Página Principal Explorar Ajuda
Iniciar Sessão
bn
/
se
2
0
Fork 0
Ficheiros Problemas 0 Pull Requests 0 Wiki
Ver Fonte

fixed security bug in wfs data API - hide value for fields not allowed to read

Piotr Labudda há 9 anos atrás
pai
4b362cbdac
commit
e5f47f523d
3 ficheiros alterados com 33 adições e 14 exclusões
Visão Dividida Mostrar Estatísticas Diff
  1. 16 13
      SE/se-lib/Api/WfsDataServer.php
  2. 1 1
      SE/se-lib/Api/WfsServerBase.php
  3. 16 0
      SE/se-lib/TableAcl.php

+ 16 - 13
SE/se-lib/Api/WfsDataServer.php
Ver Ficheiro 

@@ -127,7 +127,7 @@ class Api_WfsDataServer extends Api_WfsServerBase {
 
 		// get BBox from geom_field (only one geom fld is allowed)
 
 		$geomFld = null;
 
 		{
 
-			foreach ($fldList as $fldName) {
 
+			foreach ($fldList as $idZasob => $fldName) {
 
 				if ($acl->isGeomField($fldName)) {
 
 					$geomFld = $fldName;
 
 				}
 
@@ -198,22 +198,25 @@ if($DBG){echo 'item['.$itemKey.'] ('.$geomFld.')isEmpty('.empty($item->{$geomFld
 
 				$featureNode = $dom->createElementNS($wfsNsUri, "{$wfsNs}:{$type}");
 
 				$featureMemberNode->appendChild($featureNode);
 
 				$featureNode->setAttribute('fid', "{$type}.{$itemKey}");
 
-					foreach ($fldList as $fldName) {
 
+					foreach ($fldList as $idZasob => $fldName) {
 
 						$featureFldNode = $dom->createElementNS($wfsNsUri, "{$wfsNs}:{$fldName}");
 
-						if ($geomFld != null && $geomFld == $fldName) {
 
-							$geomNode = $this->_typeConverter->createGmlFromWkt($item->{$fldName}, $dom);
 
-							if (!$geomNode) continue;
 
-							$featureFldNode->appendChild($geomNode);
 
-						} else {
 
-							$featureFldNode->nodeValue = str_replace('&', '&', $item->{$fldName});
 
-							if (empty($featureFldNode->nodeValue) && '0' !== $featureFldNode->nodeValue) {
 
-								continue;
 
+						if ($acl->isAllowed($idZasob, 'R', $item)) {
 
+							if ($geomFld != null && $geomFld == $fldName) {
 
+								$geomNode = $this->_typeConverter->createGmlFromWkt($item->{$fldName}, $dom);
 
+								if (!$geomNode) continue;
 
+								$featureFldNode->appendChild($geomNode);
 
+							} else {
 
+								$featureFldNode->nodeValue = str_replace('&', '&', $item->{$fldName});
 
+								if (empty($featureFldNode->nodeValue) && '0' !== $featureFldNode->nodeValue) {
 
+									continue;
 
+								}
 
 							}
 
 						}
 
 						if (!$simple) {
 
-							$idZasob = $acl->getFieldIdByName($fldName);
 
-							// TODO: if ! allowed to 'R' - hide text
 
-							if ($idZasob > 0 && $acl->isAllowed($idZasob, 'W', $item)) {
 
+							if (!$acl->isAllowed($idZasob, 'R', $item)) {
 
+								$featureFldNode->setAttributeNS($rootWfsNsUri, "{$rootWfsNs}:allow_read", "false");
 
+							}
 
+							if ($acl->isAllowed($idZasob, 'W', $item)) {
 
 								$featureFldNode->setAttributeNS($rootWfsNsUri, "{$rootWfsNs}:allow_write", "true");
 
 							}
 
 						}

+ 1 - 1
SE/se-lib/Api/WfsServerBase.php
Ver Ficheiro 

@@ -1577,7 +1577,7 @@ if($DBG){echo 'L.' . __LINE__ . ' $validateConvertedTransactionXsdString:';print
 
 	}
 
 
 	public function _getFieldListFromAcl($acl) {
 
-		$fldList = $acl->getRealFieldList();
 
+		$fldList = $acl->getRealFieldListByIdZasob();
 
 		return $fldList;
 
 	}

+ 16 - 0
SE/se-lib/TableAcl.php
Ver Ficheiro 

@@ -1202,6 +1202,22 @@ class TableAcl {
 
 		return $cols;
 
 	}
 
 
+	public function getRealFieldListByIdZasob() {
 
+		$cols = array();
 
+		foreach ($this->_fields as $idField => $fld) {
 
+			if ($fld['name'] == 'ID') {
 
+				$cols[$idField] = 'ID';
 
+			}
 
+		}
 
+		foreach ($this->_fields as $idField => $fld) {
 
+			if ($fld['name'] == 'ID') continue;
 
+			if (array_key_exists($fld['name'], $this->_types)) {
 
+				$cols[$idField] = $fld['name'];
 
+			}
 
+		}
 
+		return $cols;
 
+	}
 
+
 
 	public function getVirtualFieldList() {
 
 		$cols = array();
 
 		foreach ($this->_fields as $kFieldID => $vField) {