From a79cfb56ac7d3828bfbd208f76628bbfd52945b1 Mon Sep 17 00:00:00 2001
From: Alexander Ebert
Date: Tue, 21 Feb 2012 21:53:29 +0100
Subject: [PATCH] Solved a few TODOs and removed an obsolete class

AbstractSecureObjectAction is a relict and was replaced by AJAXProxyAction long time ago
---
 .../AbstractSecureObjectAction.class.php | 92 -------------------
 .../files/lib/data/user/UserAction.class.php | 37 ++++++--
 .../ValidateActionException.class.php | 14 ++-
 3 files changed, 41 insertions(+), 102 deletions(-)
 delete mode 100644 wcfsetup/install/files/lib/action/AbstractSecureObjectAction.class.php

diff --git a/wcfsetup/install/files/lib/action/AbstractSecureObjectAction.class.php b/wcfsetup/install/files/lib/action/AbstractSecureObjectAction.class.php
deleted file mode 100644
index e3c0f0d4a9..0000000000
--- a/wcfsetup/install/files/lib/action/AbstractSecureObjectAction.class.php
+++ /dev/null
@@ -1,92 +0,0 @@
-
- * @package com.woltlab.wcf
- * @subpackage action
- * @category Community Framework
- */
-abstract class AbstractSecureObjectAction extends AbstractAction {
- protected $action = '';
- protected $actionClass = '';
- protected $actionData = array();
- protected $data = array();
- protected $objectAction = null;
- protected $objectIDs = array();
-
- /**
- * @see wcf\action\IAction::readParameters()
- */
- public function readParameters() {
- parent::readParameters();
-
- if (isset($_POST['actionClass'])) {
- $this->actionClass = StringUtil::trim($_POST['actionClass']);
- }
- if (isset($_POST['data'])) {
- $data = json_decode($_POST['data'], true);
- if (is_array($data)) $this->data = $data;
- }
- if (isset($_POST['objectIDs'])) {
- $objectIDs = json_decode($_POST['objectIDs']);
- if (is_array($objectIDs)) $this->objectIDs = ArrayUtil::toIntegerArray($objectIDs);
- }
- }
-
- /**
- * @see wcf\action\IAction::execute()
- * @todo Add validation for $actionClass, $data and $objectIDs,
- * possibly with some kind of derived exception maintaining
- * a js-readable output (do not use printable exception!)
- */
- public function execute() {
- parent::execute();
-
- $className = $this->actionClass.'Action';
- $classPath = $this->getClassPath().$this->actionClass.'Action.class.php';
-
- require_once($classPath);
- $this->objectAction = new $className($this->objectIDs, $this->action, $this->actionData);
- }
-
- /**
- * Executes chosen action. This method is not called automatically,
- * you must call this method in any derived class.
- */
- protected function executeAction() {
- $this->objectAction->validateAction();
- $this->objectAction->executeAction();
-
- $this->handleResult();
- }
-
- /**
- * Returns class path based upon object action's name (excluding Action-suffix)
- *
- * @return string
- */
- protected function getClassPath() {
- $directories = array();
- $components = preg_split('~(?<=[a-z])(?=[A-Z])~', $this->actionClass);
-
- foreach ($components as $part) {
- $directories[] = StringUtil::toLowerCase($part);
- }
-
- $path = WCF_DIR . 'lib/data/' . implode('/', $directories);
- return FileUtil::addTrailingSlash($path);
- }
-
- /**
- * Handles action result, derived classes must implement this but leave it empty.
- */
- abstract protected function handleResult();
-}
diff --git a/wcfsetup/install/files/lib/data/user/UserAction.class.php b/wcfsetup/install/files/lib/data/user/UserAction.class.php
index 690ead43af..c0344f1181 100644
--- a/wcfsetup/install/files/lib/data/user/UserAction.class.php
+++ b/wcfsetup/install/files/lib/data/user/UserAction.class.php
@@ -3,6 +3,7 @@ namespace wcf\data\user;
 use wcf\data\user\group\UserGroup;
 use wcf\data\AbstractDatabaseObjectAction;
 use wcf\system\database\util\PreparedStatementConditionBuilder;
+use wcf\system\exception\PermissionDeniedException;
 use wcf\system\exception\ValidateActionException;
 use wcf\system\WCF;
 use wcf\util\StringUtil;
@@ -38,6 +39,12 @@ class UserAction extends AbstractDatabaseObjectAction {
  */
  protected $permissionsUpdate = array('admin.user.canEditUser');
 
+ /**
+ * list of user actions allowed within update
+ * @var array
+ */
+ public $allowOwnUserUpdate = array('data', 'options');
+
  /**
  * Validates permissions and parameters.
  */
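Review bot: `public $allowOwnUserUpdate` is declared public while the sibling `$permissionsUpdate` it is weighed against is protected; as a public mutable array, any code that holds the action instance can widen the self-edit allow-list before validateUpdate() runs, so `protected $allowOwnUserUpdate = array('data', 'options');` matches the surrounding convention and keeps the list under the class's control. The docblock `list of user actions allowed within update` also misdescribes the contents: these are parameter keys, not actions, so something like `parameter keys a user without admin.user.canEditUser may submit when updating their own account (enforced in validateUpdate())` would tell the next maintainer what adding an entry here actually grants. The import hunk above it needs no comment.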
@@ -79,17 +86,33 @@ class UserAction extends AbstractDatabaseObjectAction {
 
  /**
  * Validates permissions and parameters.
- *
- * @todo Handle multiple users?
  */
  public function validateUpdate() {
- // read and validate user objects
- parent::validateUpdate();
+ // read objects
+ if (!count($this->objects)) {
+ $this->readObjects();
+ }
 
- // editing own user
- if (count($this->objectIDs) == 1 && WCF::getUser()->userID == $this->objects[0]->userID) return;
+ if (!count($this->objects)) {
+ throw new ValidateActionException('Invalid object id');
+ }
 
- throw new ValidateActionException('Insufficient permissions');
+ try {
+ WCF::getSession()->checkPermissions($this->permissionsUpdate);
+ }
+ catch (PermissionDeniedException $e) {
+ // check if we're editing ourselves
+ if (count($this->objects) == 1 && ($this->objects[0]->userID == WCF::getUser()->userID)) {
+ foreach (array_keys($this->parameters) as $key) {
+ // check if action is allowed (prevent the user from updating own groups etc)
+ if (!in_array($key, $this->allowOwnUserUpdate)) {
+ throw new ValidateActionException('Insufficient permissions');
+ }
+ }
+ }
+
+ throw new ValidateActionException('Insufficient permissions');
+ }
  }
 
  /**
diff --git a/wcfsetup/install/files/lib/system/exception/ValidateActionException.class.php b/wcfsetup/install/files/lib/system/exception/ValidateActionException.class.php
index ae12b2043b..d3a3f9b473 100644
--- a/wcfsetup/install/files/lib/system/exception/ValidateActionException.class.php
+++ b/wcfsetup/install/files/lib/system/exception/ValidateActionException.class.php
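Review bot: The self-edit path in validateUpdate() can never succeed: when the foreach over `array_keys($this->parameters)` finishes without throwing, control falls out of the `if (count($this->objects) == 1 && ...)` block straight into the unconditional `throw new ValidateActionException('Insufficient permissions');` at the end of the catch, so a user without admin.user.canEditUser is rejected even when every key is in $allowOwnUserUpdate — the old code's `return;` for the own-user case was dropped in the rewrite. Add `return;` as the last statement inside that `if` (after the foreach) so only foreign or disallowed updates reach the final throw. The `in_array($key, $this->allowOwnUserUpdate)` check should also pass `true` as the third argument: under loose comparison an integer key 0 (a client posting a list instead of a map) compares equal to 'data' on the PHP versions this code targets and slips through the allow-list. Whether whitelisting the entire 'data' key lets a self-editing user write columns they should not (group membership is presumably elsewhere, but nothing inside 'data' is filtered here) depends on what update() does with it, which is outside this hunk.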
@@ -2,11 +2,19 @@
 namespace wcf\system\exception;
 
 /**
- * @todo Ableitung von welcher Exception und wie soll die
- * konkrete Anzeige sein, wenn diese Exception nicht
- * ordnungsgemäß abgefangen wird?
+ * Simple exception for AJAX-driven requests.
+ *
+ * @author Alexander Ebert
+ * @copyright 2001-2012 WoltLab GmbH
+ * @license GNU Lesser General Public License
+ * @package com.woltlab.wcf
+ * @subpackage system.exception
+ * @category Community Framework
 */
 class ValidateActionException extends \Exception {
+ /**
+ * @see \Exception::__construct()
+ */
 public function __construct($message) {
 die($message);
 }
-- 
2.20.1
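Review bot: The new `@see \Exception::__construct()` docblock documents a constructor that does not behave like one: `die($message)` runs inside it, so `throw new ValidateActionException(...)` never produces a catchable exception — the script prints $message as the raw response body, with whatever headers and output are already buffered, and exits before the throw, bypassing every try/catch and any cleanup in the callers (validateUpdate in this same patch relies on that "throw"). The removed German @todo asked exactly this question (which base class to derive from, and how an uncaught instance should be displayed) and the hunk closes it while keeping the die(). If terminating the request is intentional for now, say so where the next maintainer will look, e.g. `Does not throw: die()s with the raw message, so callers cannot catch this or send a content type.`; the proper fix is `parent::__construct($message);` here and letting the AJAX layer render the message.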