[Vtigercrm-developers] security hole in 4.2.x

Matthew Brichacek mmbrich at fosslabs.com
Fri Jun 23 21:11:40 PDT 2006


RE:
http://forums.vtiger.com/viewtopic.php?p=26520#26520

If it wasn't fixed already (didn't check), this isn't a patch but it's an
easy one:
modules/Settings/index.php


require_once($theme_path.'layout_utils.php');

+ require_once("include/database/PearDatabase.php");
+ $is_Admin = $adb->query_result($adb->query("Select is_admin from users
where id='".$_SESSION["authenticated_user_id"]."'"),0,"is_admin");
+ if($is_Admin == "on")
+        $xtpl=new XTemplate ('modules/Settings/index.html');
+ else
+        $xtpl=new XTemplate ('modules/Settings/noauth.html');

$xtpl->assign("MOD", $mod_strings);
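Review bot: the `Select is_admin from users where id='...'` query interpolates `$_SESSION["authenticated_user_id"]` straight into the SQL string; even though the value comes from the session and not from the request, casting it with `(int)` (or using a parameterised query if PearDatabase offers one) removes the string concatenation and the need to reason about quoting. More importantly, the `if/else` only decides which template object is created: on the non-admin branch execution continues into `$xtpl->assign("MOD", $mod_strings);` and whatever follows, so any settings logic further down in index.php still runs for a non-admin user and the page is merely rendered differently rather than blocked. Add `exit;` after rendering `noauth.html` (or place the check before any action handling) so the non-admin branch actually stops.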

noauth.html is a stripped down version of index.html with a few things
like block layout allowed.

For each individual settings page you will also need to put something
like this to keep users from entering other URLs by hand and changing
the settings.

Matt
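As an added example, not code from this post or from the vtiger code base, here is what the per-page check Matt describes might look like when written as a deny-by-default guard: it casts the session user id to an integer, treats a failed lookup as "not admin", and exits after rendering the no-access template so that none of the settings logic below it runs. It assumes the `$adb` PearDatabase object with `query()` and `query_result()` as used in the post, the `authenticated_user_id` session key, and the `parse()`/`out()` methods of the XTemplate class (all assumptions).

```php
<?php
// Added example, not from the post or the vtiger project. Assumes the
// PearDatabase object $adb with query()/query_result() as used in the post,
// the session key authenticated_user_id, and XTemplate::parse()/out().
require_once("include/database/PearDatabase.php");

// Returns true only when the logged-in user's is_admin flag is "on".
function current_user_is_admin($adb)
{
    if (empty($_SESSION["authenticated_user_id"])) {
        return false;                       // no authenticated session at all
    }
    // Cast to int so the value is never concatenated as an arbitrary string.
    $uid = (int) $_SESSION["authenticated_user_id"];
    $result = $adb->query("SELECT is_admin FROM users WHERE id = " . $uid);
    if (!$result) {
        return false;                       // failed query: deny, don't guess
    }
    return $adb->query_result($result, 0, "is_admin") === "on";
}

// Deny-by-default guard for the top of each modules/Settings/*.php page,
// placed before any form data is read or any setting is changed.
function require_admin($adb)
{
    if (!current_user_is_admin($adb)) {
        header("HTTP/1.0 403 Forbidden");
        $xtpl = new XTemplate('modules/Settings/noauth.html');
        $xtpl->parse("main");               // assumed XTemplate API
        $xtpl->out("main");
        exit;                               // stop here: no settings code runs
    }
}

require_admin($adb);
// ... the settings page proper follows, reached only by admins ...
```

The important difference from swapping templates alone is the `exit;`: a hand-typed URL to a settings page reaches the guard first and the request ends there, rather than continuing into code that reads `$_REQUEST` and writes settings.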
