Improved AJAXInvokeAction to allow whitelisting of accessible methods
authorAlexander Ebert <ebert@woltlab.com>
Wed, 17 Jul 2013 13:50:36 +0000 (15:50 +0200)
committerAlexander Ebert <ebert@woltlab.com>
Wed, 17 Jul 2013 13:50:36 +0000 (15:50 +0200)
wcfsetup/install/files/lib/acp/action/WorkerProxyAction.class.php
wcfsetup/install/files/lib/action/AJAXInvokeAction.class.php
wcfsetup/install/files/lib/system/importer/ImportHandler.class.php
wcfsetup/install/files/lib/system/user/collapsible/content/UserCollapsibleSidebarHandler.class.php

index cd43203ed9773051c7085f03fcd5348a2bbd2d6e..5061a5fcbf911872f3edcd6ed8f1f6ec9b2733fd 100644 (file)
@@ -36,6 +36,8 @@ class WorkerProxyAction extends AJAXInvokeAction {
         */
        protected $worker = null;
        
+       public static $allowInvoke = array();
+       
        /**
         * @see wcf\action\IAction::readParameters()
         */
index d5b338b95f7438d11820326d67996fb1b0d6ed9b..0daddf1f76dd29b9f43f75a316863639ac176508 100644 (file)
@@ -118,13 +118,25 @@ class AJAXInvokeAction extends AbstractSecureAction {
                        throw new SystemException("'".$this->className."' does not extend 'wcf\system\SingletonFactory'");
                }
                
-               $this->actionObject = call_user_func(array($this->className, 'getInstance'));
-               
                // validate action name
-               if (empty($this->actionName) || !method_exists($this->actionObject, $this->actionName)) {
+               if (empty($this->actionName)) {
                        throw new UserInputException('actionName');
                }
                
+               // validate accessibility
+               $className = $this->className;
+               if (!property_exists($className, 'allowInvoke') || !in_array($this->actionName, $className::$allowInvoke)) {
+                       throw new PermissionDeniedException();
+               }
+               
+               $this->actionObject = call_user_func(array($this->className, 'getInstance'));
+               
+               // check for validate method
+               $validateMethod = 'validate'.ucfirst($this->actionName);
+               if (method_exists($this->actionObject, $this->actionName)) {
+                       $this->actionObject->{$validateMethod}();
+               }
+               
                $this->response = $this->actionObject->{$this->actionName}();
        }
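Review bot: The `method_exists` guard before the validator call tests `$this->actionName` instead of `$validateMethod`, so a whitelisted action without a `validateX()` method (the UserCollapsibleSidebarHandler hunk adds `toggle` to its whitelist but no `validateToggle()`, unless one exists outside the hunk) hits a fatal "call to undefined method" rather than skipping validation; the line should read `if (method_exists($this->actionObject, $validateMethod)) {`. The old `method_exists` check on the action itself was dropped, so a whitelisted-but-missing action now fatals at the final invoke instead of raising `UserInputException('actionName')`; keep that check after `getInstance()`. Because `$this->actionName` comes from the request, the whitelist lookup should be strict, `in_array($this->actionName, $className::$allowInvoke, true)`. Note that the validator's return value is discarded, so validators must throw on failure; that contract is worth stating in the interface docblock. The enclosing method begins above the hunk.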
        
index fe4ee88e1787fdc5ae7d23eed1dc0fa4ca67b4c3..02c4065ef76aa66b540c309ffe192df3b02c663e 100644 (file)
@@ -2,6 +2,7 @@
 namespace wcf\system\importer;
 use wcf\data\object\type\ObjectTypeCache;
 use wcf\system\exception\SystemException;
+use wcf\system\IAJAXInvokeAction;
 use wcf\system\SingletonFactory;
 use wcf\system\WCF;
 
@@ -15,7 +16,7 @@ use wcf\system\WCF;
  * @subpackage system.importer
  * @category   Community Framework
  */
-class ImportHandler extends SingletonFactory {
+class ImportHandler extends SingletonFactory implements IAJAXInvokeAction {
        /**
         * id map cache
         * @var array 
@@ -40,6 +41,12 @@ class ImportHandler extends SingletonFactory {
         */
        protected $userMergeMode = 2;
        
+       /**
+        * list of methods allowed for remote invoke
+        * @var array<string>
+        */
+       public static $allowInvoke = array('resetMapping');
+       
        /**
         * @see wcf\system\SingletonFactory::init()
         */
@@ -110,6 +117,13 @@ class ImportHandler extends SingletonFactory {
                unset($this->idMappingCache[$objectTypeID][$oldID]);
        }
        
+       /**
+        * Validates accessibility of resetMapping().
+        */
+       public function validateResetMapping() {
+               WCF::getSession()->checkPermissions(array('admin.system.canImportData'));
+       }
+       
        /**
         * Resets the mapping.
         */
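Review bot: `validateResetMapping()` is only effective if `checkPermissions()` throws on failure, because AJAXInvokeAction discards the validator's return value; the docblock should say so rather than just "Validates accessibility". Suggest `@throws \wcf\system\exception\PermissionDeniedException if the session lacks admin.system.canImportData` (hedged: the exception type is inferred from the method name and the one used in AJAXInvokeAction, confirm against SessionHandler). The property docblock in the earlier hunk of this file could likewise mention that every listed method needs a matching `validate<Name>()` to carry a permission check.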
index 7367f42cba8df760b8672b2dc899ec7a00d33c0b..10972761f28292efb6e4dd16f1e3f099dc24956f 100644 (file)
@@ -16,6 +16,12 @@ use wcf\util\StringUtil;
  * @category   Community Framework
  */
 class UserCollapsibleSidebarHandler extends SingletonFactory implements IAJAXInvokeAction {
+       /**
+        * list of methods allowed for remote invoke
+        * @var array<string>
+        */
+       public static $allowInvoke = array('toggle');
+       
        /**
         * Toggles a sidebar.
         */