[Vtigercrm-developers] security hole in 4.2.x
Matthew Brichacek
mmbrich at fosslabs.com
Fri Jun 23 21:11:40 PDT 2006
RE:
http://forums.vtiger.com/viewtopic.php?p=26520#26520
If it wasn't fixed already (didn't check), this isn't a patch, but it's an
easy one:
modules/Settings/index.php
require_once($theme_path.'layout_utils.php');
+ require_once("include/database/PearDatabase.php");
+ $is_Admin = $adb->query_result($adb->query("Select is_admin from users
where id='".$_SESSION["authenticated_user_id"]."'"),0,"is_admin");
+ if($is_Admin == "on")
+ $xtpl=new XTemplate ('modules/Settings/index.html');
+ else
+ $xtpl=new XTemplate ('modules/Settings/noauth.html');
$xtpl->assign("MOD", $mod_strings);
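Review bot: the `+ $is_Admin = $adb->query_result(...)` line builds the SQL by concatenating `$_SESSION["authenticated_user_id"]` straight into the query string; even though the value comes from the session rather than the request, cast it to an integer (or bind it as a parameter if the database layer supports that) so the privilege check itself cannot become an injection point. Two smaller points: `$adb` is used but never shown being created, so the hunk relies on `include/database/PearDatabase.php` (or an earlier include) defining it, which should be stated; and the `else` branch only swaps in `noauth.html`, so the rest of `modules/Settings/index.php` still runs for a non-admin request. Since the same check is meant to be pasted into every settings page, wrapping it in one function that exits for non-admins would avoid N copies of the query and keep the deny path consistent.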
noauth.html is a stripped down version of index.html with a few things
like block layout allowed.
For each individual settings page you will also need to put something
like this to keep users from entering other URLs by hand and changing
the settings.
Matt
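One way to implement the per-page check the post describes, written as an added example rather than code from the post or from vtiger itself: a single reusable gate that a settings page calls before dispatching any action. It assumes a PDO connection in `$pdo`, the same `users(id, is_admin)` table, the `"on"` marker and the `$_SESSION["authenticated_user_id"]` key that the patch uses, and it binds the user id instead of concatenating it. The CLI self-test at the bottom uses constructed SQLite data so it runs offline.

```php
<?php
// Added example: a reusable admin gate for a vtiger-style settings page.
// Assumptions (not taken from the original post): a PDO connection in $pdo,
// the users(id, is_admin) table and $_SESSION["authenticated_user_id"] key the
// patch refers to, and is_admin stored as the string "on" for administrators.

function current_user_is_admin(PDO $pdo): bool
{
    // Treat a missing or non-numeric session value as "not logged in".
    if (!isset($_SESSION['authenticated_user_id'])
        || !ctype_digit((string) $_SESSION['authenticated_user_id'])) {
        return false;
    }
    $userId = (int) $_SESSION['authenticated_user_id'];

    // Bind the id rather than splicing it into the SQL string.
    $stmt = $pdo->prepare('SELECT is_admin FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Default deny: no row, NULL, or anything other than "on" is not admin.
    return $row !== false && $row['is_admin'] === 'on';
}

function require_admin(PDO $pdo): void
{
    if (!current_user_is_admin($pdo)) {
        // Stop here, before any settings action runs. Swapping the template
        // alone would still let a hand-typed URL execute the page's logic.
        http_response_code(403);
        header('Content-Type: text/plain; charset=utf-8');
        echo "Access denied: administrator privileges are required.\n";
        exit;
    }
}

// Usage at the top of each modules/Settings/*.php entry point, after the
// session and database are set up and before any save/delete/layout action:
//     require_admin($pdo);

if (PHP_SAPI === 'cli') {
    // Constructed demo data so the example runs offline with SQLite.
    $pdo = new PDO('sqlite::memory:');
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, is_admin TEXT)');
    $pdo->exec("INSERT INTO users VALUES (1, 'on'), (2, 'off')");

    // The non-numeric value shows why the id is validated before it is bound.
    foreach (['1', '2', "1' OR '1'='1", null] as $sid) {
        $_SESSION = ['authenticated_user_id' => $sid];
        printf("session id %s -> admin: %s\n",
            var_export($sid, true),
            current_user_is_admin($pdo) ? 'yes' : 'no');
    }
}
```

The gate returns a 403 and exits instead of rendering a stripped-down template, which is the part of the original approach that leaves the rest of the page executing for a non-admin request; the template swap can still be layered on top for logged-in users who should see a reduced menu.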