Fixes::158429882::Chaitanya N::Broken access control in migration module issue is fixed.

237038b6 · root · bd2ae92c · 237038b6 · 237038b6 · 237038b6
Commit 237038b6 authored 1 year ago by root
--- a/modules/Migration/actions/DisableModules.php
+++ b/modules/Migration/actions/DisableModules.php
@@ -9,6 +9,17 @@
 ************************************************************************************/

 class Migration_DisableModules_Action extends Vtiger_Action_Controller {
+	
+	public function checkPermission(\Vtiger_Request $request) {
+		global $current_user;
+		$isAdmin = is_admin($current_user);
+		if ($isAdmin == true) {
+			return true;
+		} else {
+			throw new Exception(vtranslate('LBL_ONLY_ADMINS_CAN_ACCESS'));
+		}
+		return parent::checkPermission($request);
+	}

 	public function process(Vtiger_Request $request) {
 		$modulesList = $request->get('modulesList');

--- a/modules/Migration/actions/Extract.php
+++ b/modules/Migration/actions/Extract.php
@@ -22,27 +22,32 @@ class Migration_Extract_Action extends Vtiger_Action_Controller {
 		$user = CRMEntity::getInstance('Users');
 		$user->column_fields['user_name'] = $userName;
 		if ($user->doLogin($password)) {
-			$zip = new ZipArchive();
-			$fileName = 'vtiger8.zip';
-			if ($zip->open($fileName)) {
-				if ($zip->extractTo($root_directory)) {
-					$zip->close();
+			if($user->is_admin == 'on') {
+				$zip = new ZipArchive();
+				$fileName = 'vtiger8.zip';
+				if ($zip->open($fileName)) {
+					if ($zip->extractTo($root_directory)) {
+						$zip->close();

-					$userid = $user->retrieve_user_id($userName);
-					$_SESSION['authenticated_user_id'] = $userid;
-					$_SESSION['app_unique_key'] = vglobal('application_unique_key');
+						$userid = $user->retrieve_user_id($userName);
+						$_SESSION['authenticated_user_id'] = $userid;
+						$_SESSION['app_unique_key'] = vglobal('application_unique_key');

-					/* Give time for PHP runtime to pickup new changes after zip 
-					 * for files that are include/require once previously */
-					sleep(5);
+						/* Give time for PHP runtime to pickup new changes after zip 
+						 * for files that are include/require once previously */
+						sleep(5);

-					header('Location: index.php?module=Migration&view=Index&mode=step1');
+						header('Location: index.php?module=Migration&view=Index&mode=step1');
+					} else {
+						$errorMessage = 'ERROR EXTRACTING MIGRATION ZIP FILE!';
+						header('Location: migrate/index.php?error='.$errorMessage);
+					}
 				} else {
-					$errorMessage = 'ERROR EXTRACTING MIGRATION ZIP FILE!';
+					$errorMessage = 'ERROR READING MIGRATION ZIP FILE!';
 					header('Location: migrate/index.php?error='.$errorMessage);
 				}
-			} else {
-				$errorMessage = 'ERROR READING MIGRATION ZIP FILE!';
+			}else{
+				$errorMessage = 'PERMISSION DENIED! ONLY ADMIN USERS CAN ACCESS';
 				header('Location: migrate/index.php?error='.$errorMessage);
 			}
 		} else {

--- a/modules/Migration/views/Index.php
+++ b/modules/Migration/views/Index.php
@@ -18,7 +18,13 @@ class Migration_Index_View extends Vtiger_View_Controller {
 	}

 	public function checkPermission(Vtiger_Request $request){
-		return true;
+		global $current_user;
+		$isAdmin = is_admin($current_user);
+		if ($isAdmin == true) {
+			return true;
+		} else {
+			throw new Exception('ADMIN USERS CAN ONLY ACCESS');
+		}
 	}

 	public function process(Vtiger_Request $request) {