Commit Graph

10 Commits (4fea371c4b417e6eac5cdefe0baf77840f5752a1)

Author SHA1 Message Date
William Robinet 4fea371c4b Fix permissions 2016-02-11 17:03:51 +01:00
iglocska cd3096a38f Fixed a security issue with the regular expressions
- as discovered and reported by Egidio Romano of Minded Security

- Users with the perm_regex permissions could create a malicious regex that leads to RCE using the PHP /e modifier for preg_replace().
- Regular expressions are now sanitised on edit / creation of the malicious modifier

- also added an admin tool that lets admins clean their current set of regexes of the harmful modifier
2015-11-16 19:47:31 +01:00
iglocska 50f3fa40d0 Merge branch 'develop' into feature/CakeResque
Also, more work on the background jobs
- started work on publishing
- started making the background jobs an optional setting in bootstrap

Conflicts:
	app/Controller/AppController.php
	app/Controller/EventsController.php
2013-12-04 11:58:01 +01:00
iglocska d27ddee207 First rework of the siteadmin role
- ADMIN org removed.

- Siteadmins are now identified by the perm_site_admin flag

- Siteadmins can now be of any organisation

- editing the regexp / whitelist rules can now be done by a special user with the perm_regexp_access in his/her role

- Executing a mass replace of attribute values based on the regexp rules cannot be initiated by a regexp/whitelist user, only by a site admin

- If the login page is reached without any users / roles defined they are automatically created (perviously it was only the user that was created)

- Org admins are restricted from assigning perm_site_admin, perm_sync and perm_regexp_access roles to users. This can only be done by a site admin.
2013-10-03 11:45:27 +02:00
iglocska 7c04a116ac First refactoring of the regexp 2013-07-11 13:43:36 +02:00
Andras Iklody 019e976783 Removed the js title bubble for related events
- Removed javascripts based title bubble showing the event info in related
  events / attributes and in the search attribute view.

- Replaced it with values provided by extra cake queries as the delay for
  fetching the info field through a js rest request was annoyingly slow

- some coding standards
2013-03-08 13:16:02 +01:00
Andras Iklody 3646bca059 Regexp validation
- an invalid regexp entry could block any event/attribute from being
  entered. Introduced a check on regexp entry to block faulty patterns.
2013-03-07 15:19:55 +01:00
Andras Iklody 83294820bf Changes to logs and some minor changes
- Regexp, blacklist, roles, whitelists now logged

- adminCRUD now sets ID (for the logging) on edit

- some minor UI changes (removal of empty action menues on the left menu
  bar)
2013-03-07 11:51:43 +01:00
Noud de Brouwer a9a1bc91a1 AdminCrud and coding standard
more AdminCrud and coding standard clean up.
2013-01-04 15:48:46 +00:00
Noud de Brouwer 1e518f8bc0 Import Regexp
Renamed Import Whitelist to Import Regexp.
2012-12-20 18:47:38 +00:00