From d833ab2cb96d007f6d2b9cf144bcd30294564bc9 Mon Sep 17 00:00:00 2001 From: snehal0904 Date: Mon, 10 Dec 2018 10:33:28 +0530 Subject: [PATCH 1/3] Security fix (#117) * Task #137634 fix: Instead of passing location.href to download button pass the download task link * Task #137634 fix: Instead of passing location.href to download button pass the download task link * Task #137634 fix: Instead of passing location.href to download button pass the download task link * Task #137634 fix: Instead of passing location.href to download button pass the download task link * Task #137634 fix: Instead of passing location.href to download button pass the download task link * Task #137634 fix: Instead of passing location.href to download button pass the download task link --- tjreports/site/views/reports/view.csv.php | 32 ++++++++++++++++++++-- tjreports/site/views/reports/view.html.php | 20 ++++++++------ 2 files changed, 41 insertions(+), 11 deletions(-) diff --git a/tjreports/site/views/reports/view.csv.php b/tjreports/site/views/reports/view.csv.php index 69bbf4b..710e3f0 100644 --- a/tjreports/site/views/reports/view.csv.php +++ b/tjreports/site/views/reports/view.csv.php @@ -13,6 +13,7 @@ defined('_JEXEC') or die('Restricted access'); jimport('joomla.application.component.view'); jimport('techjoomla.view.csv'); +JLoader::import('components.com_tjreports.helpers.tjreports', JPATH_ADMINISTRATOR); /** * CSV class for a list of Tjreports. 
@@ -35,14 +36,39 @@ class TjreportsViewReports extends TjExportCsv * * @param string $tpl The name of the template file to parse; automatically searches through the template paths. * - * @return Toolbar instance + * @return Object|Boolean in case of success instance and failure - boolean * * @since 1.6 */ public function display($tpl = null) { - $this->getItems(); - parent::display(); + $input = JFactory::getApplication()->input; + $user = JFactory::getUser(); + $canDo = TjreportsHelper::getActions(); + + if (!$canDo->get('core.export') || !$user) + { + // Redirect to the list screen. + $redirect = JRoute::_('index.php?option=com_tjreports&view=reports', false); + JFactory::getApplication()->redirect($redirect, JText::_('JERROR_ALERTNOAUTHOR')); + + return false; + } + else + { + if ($input->get('task') == 'download') + { + $fileName = $input->get('file_name'); + $this->download($fileName); + JFactory::getApplication()->close(); + } + else + { + $this->getItems(); + + parent::display(); + } + } } /** diff --git a/tjreports/site/views/reports/view.html.php b/tjreports/site/views/reports/view.html.php index 6e6ed2f..b2ed844 100755 --- a/tjreports/site/views/reports/view.html.php +++ b/tjreports/site/views/reports/view.html.php @@ -55,8 +55,9 @@ public function display($tpl = null) */ protected function addToolbar() { - $app = JFactory::getApplication(); - $bar = JToolBar::getInstance('toolbar'); + $app = JFactory::getApplication(); + $bar = JToolBar::getInstance('toolbar'); + $canDo = TjreportsHelper::getActions(); if ($app->isAdmin()) { 
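Review bot: The new guard `if (!$canDo->get('core.export') || !$user)` in display() never fires for an anonymous visitor, because JFactory::getUser() returns a JUser object for guests as well and an object is always truthy; the meaningful test is `if (!$canDo->get('core.export') || $user->guest)`. The same always-true `$user` test recurs in the default.php template hunk of the second patch (`&& $user`) and in the view.csv.php context there, so it is worth fixing in both files at once. `$fileName = $input->get('file_name')` is handed straight to `$this->download()`, which lies outside this hunk; the default 'cmd' filter of JInput::get() keeps path separators out of the name, and a one-line comment such as `// file_name relies on the 'cmd' filter of get(); do not widen to getString()/'raw'` would stop that reliance from being lost in a later edit. The docblock line `@return Object|Boolean in case of success instance and failure - boolean` does not match the body, which returns false or nothing (the result of parent::display() is discarded), so it should read `@return boolean|void`.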
@@ -94,12 +95,15 @@ protected function addToolbar() $this->document->setTitle($title); } - $message = array(); - $message['success'] = JText::_("COM_TJREPORTS_EXPORT_FILE_SUCCESS"); - $message['error'] = JText::_("COM_TJREPORTS_EXPORT_FILE_ERROR"); - $message['inprogress'] = JText::_("COM_TJREPORTS_EXPORT_FILE_NOTICE"); - $message['text'] = JText::_("COM_TJREPORTS_CSV_EXPORT"); - $bar->appendButton('CsvExport', $message); + if ($canDo->get('core.export')) + { + $message = array(); + $message['success'] = JText::_("COM_TJREPORTS_EXPORT_FILE_SUCCESS"); + $message['error'] = JText::_("COM_TJREPORTS_EXPORT_FILE_ERROR"); + $message['inprogress'] = JText::_("COM_TJREPORTS_EXPORT_FILE_NOTICE"); + $message['text'] = JText::_("COM_TJREPORTS_CSV_EXPORT"); + $bar->appendButton('CsvExport', $message); + } $button = ' From d29f22000acd8c9fda4f28d87cc48a4759f1185e Mon Sep 17 00:00:00 2001 From: snehal0904 Date: Mon, 10 Dec 2018 17:20:30 +0530 Subject: [PATCH 2/3] Task #137724 fix: Check user is authorised to export the report on initial as well as global level (#118) --- tjreports/site/views/reports/tmpl/default.php | 116 +++++++++--------- tjreports/site/views/reports/view.csv.php | 15 ++- tjreports/site/views/reports/view.html.php | 11 +- 3 files changed, 79 insertions(+), 63 deletions(-) diff --git a/tjreports/site/views/reports/tmpl/default.php b/tjreports/site/views/reports/tmpl/default.php index e521b09..8ae974f 100644 --- a/tjreports/site/views/reports/tmpl/default.php +++ b/tjreports/site/views/reports/tmpl/default.php 
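Review bot: The new `if ($canDo->get('core.export'))` around appendButton('CsvExport', …) only hides the toolbar button and authorises nothing, so a comment is needed to keep a future reader from treating it as the access check, e.g. `// UI affordance only: the export itself is enforced in TjreportsViewReports::display() of view.csv.php`. addToolbar() continues past the end of the hunk (`$button = '` is cut off here).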
@@ -1,60 +1,62 @@ - http://www.techjoomla.com - */ - - // no direct access - defined('_JEXEC') or die; - - JHtml::addIncludePath(JPATH_COMPONENT . '/helpers/html'); - - $app = JFactory::getApplication(); - $headerLevel = $this->headerLevel; - $this->listOrder = $this->state->get('list.ordering'); - $this->listDirn = $this->state->get('list.direction'); - $totalCount = 0; - - foreach ($this->colToshow as $key=>$data) - { - if (is_array($data)) - { - $totalCount = $totalCount + count($data); - } - else - { - $totalCount++; - } - } - - $input = JFactory::getApplication()->input; - $displayFilters = $this->userFilters; - $totalHeadRows = count($displayFilters); - - if ($app->isSite()) - { - $siteUrl = JUri::root(); - $message = array(); - $message['success'] = JText::_("COM_TJREPORTS_EXPORT_FILE_SUCCESS"); - $message['error'] = JText::_("COM_TJREPORTS_EXPORT_FILE_ERROR"); - $message['inprogress'] = JText::_("COM_TJREPORTS_EXPORT_FILE_NOTICE"); - $message['text'] = JText::_("COM_TJREPORTS_CSV_EXPORT"); - - JHtml::script(JUri::base() . 'libraries/techjoomla/assets/js/tjexport.js'); - $document = JFactory::getDocument(); - $csv_url = 'index.php?option=' . $input->get('option') . '&view=' . $input->get('view') . '&format=csv'; - - $document->addScriptDeclaration("var csv_export_url='{$csv_url}';"); - $document->addScriptDeclaration("var csv_export_success='{$message['success']}';"); - $document->addScriptDeclaration("var csv_export_error='{$message['error']}';"); - $document->addScriptDeclaration("var csv_export_inprogress='{$message['inprogress']}';"); - $document->addScriptDeclaration("var tj_csv_site_root='{$siteUrl}';"); - } - - ?> +/** + * @version 1.0.0 + * @package com_tjreports + * @copyright Copyright (C) 2014. All rights reserved. + * @license GNU General Public License version 2 or later; see LICENSE.txt + * @author TechJoomla - http://www.techjoomla.com +*/ + +// no direct access +defined('_JEXEC') or die; + +JHtml::addIncludePath(JPATH_COMPONENT . 
'/helpers/html'); + +$app = JFactory::getApplication(); +$headerLevel = $this->headerLevel; +$this->listOrder = $this->state->get('list.ordering'); +$this->listDirn = $this->state->get('list.direction'); +$totalCount = 0; + +foreach ($this->colToshow as $key=>$data) +{ + if (is_array($data)) + { + $totalCount = $totalCount + count($data); + } + else + { + $totalCount++; + } +} + +$input = JFactory::getApplication()->input; +$displayFilters = $this->userFilters; +$totalHeadRows = count($displayFilters); +$reportId = $app->getUserStateFromRequest('reportId', 'reportId', ''); +$user = JFactory::getUser(); +$userAuthorisedExport = $user->authorise('core.export', 'com_tjreports.tjreport.' . $reportId); + +if ($app->isSite()) +{ + $siteUrl = JUri::root(); + $message = array(); + $message['success'] = JText::_("COM_TJREPORTS_EXPORT_FILE_SUCCESS"); + $message['error'] = JText::_("COM_TJREPORTS_EXPORT_FILE_ERROR"); + $message['inprogress'] = JText::_("COM_TJREPORTS_EXPORT_FILE_NOTICE"); + $message['text'] = JText::_("COM_TJREPORTS_CSV_EXPORT"); + + JHtml::script(JUri::base() . 'libraries/techjoomla/assets/js/tjexport.js'); + $document = JFactory::getDocument(); + $csv_url = 'index.php?option=' . $input->get('option') . '&view=' . $input->get('view') . '&format=csv'; + + $document->addScriptDeclaration("var csv_export_url='{$csv_url}';"); + $document->addScriptDeclaration("var csv_export_success='{$message['success']}';"); + $document->addScriptDeclaration("var csv_export_error='{$message['error']}';"); + $document->addScriptDeclaration("var csv_export_inprogress='{$message['inprogress']}';"); + $document->addScriptDeclaration("var tj_csv_site_root='{$siteUrl}';"); +} +?>
isAdmin()) + if (!$app->isAdmin() && $userAuthorisedExport && $user) { ?>
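Review bot: `$reportId = $app->getUserStateFromRequest('reportId', 'reportId', '')` reads the id with the default 'none' filter and concatenates it into the asset name `'com_tjreports.tjreport.' . $reportId`, so an empty or non-numeric value yields a malformed asset such as `com_tjreports.tjreport.`; pass the type and a numeric default, `$reportId = $app->getUserStateFromRequest('reportId', 'reportId', 0, 'int');`, and treat 0 as not authorised rather than letting the lookup decide. How JAccess resolves a non-existent asset is not visible here and should be confirmed, but the intent of the check is clearly per-report, so it should not depend on that fallback. The same untyped read is added in the view.html.php addToolbar() hunk of this patch. Separately, the `addScriptDeclaration("var csv_export_success='{$message['success']}';")` lines place translated strings inside a single-quoted JavaScript literal without escaping; this predates the patch, but since the block is rewritten anyway, `'var csv_export_success=' . json_encode($message['success']) . ';'` is the form that cannot break on an apostrophe in a translation.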
diff --git a/tjreports/site/views/reports/view.csv.php b/tjreports/site/views/reports/view.csv.php index 710e3f0..429c4f0 100644 --- a/tjreports/site/views/reports/view.csv.php +++ b/tjreports/site/views/reports/view.csv.php @@ -45,6 +45,8 @@ public function display($tpl = null) $input = JFactory::getApplication()->input; $user = JFactory::getUser(); $canDo = TjreportsHelper::getActions(); + $reportId = $input->post->get('reportId'); + $userAuthorisedExport = $user->authorise('core.export', 'com_tjreports.tjreport.' . $reportId); if (!$canDo->get('core.export') || !$user) { @@ -64,9 +66,18 @@ public function display($tpl = null) } else { - $this->getItems(); + if ($userAuthorisedExport) + { + $this->getItems(); - parent::display(); + parent::display(); + } + else + { + JFactory::getApplication()->enqueueMessage(JText::_('JERROR_ALERTNOAUTHOR'), 'error'); + + return false; + } } } } diff --git a/tjreports/site/views/reports/view.html.php b/tjreports/site/views/reports/view.html.php index b2ed844..094a890 100755 --- a/tjreports/site/views/reports/view.html.php +++ b/tjreports/site/views/reports/view.html.php @@ -55,9 +55,12 @@ public function display($tpl = null) */ protected function addToolbar() { - $app = JFactory::getApplication(); - $bar = JToolBar::getInstance('toolbar'); - $canDo = TjreportsHelper::getActions(); + $app = JFactory::getApplication(); + $reportId = $app->getUserStateFromRequest('reportId', 'reportId', ''); + $user = JFactory::getUser(); + $userAuthorisedExport = $user->authorise('core.export', 'com_tjreports.tjreport.' . $reportId); + $bar = JToolBar::getInstance('toolbar'); + $canDo = TjreportsHelper::getActions(); if ($app->isAdmin()) { @@ -95,7 +98,7 @@ protected function addToolbar() $this->document->setTitle($title); } - if ($canDo->get('core.export')) + if ($canDo->get('core.export') && $userAuthorisedExport) { $message = array(); $message['success'] = JText::_("COM_TJREPORTS_EXPORT_FILE_SUCCESS"); 
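Review bot: `$reportId = $input->post->get('reportId');` in the CSV display() takes the id from POST only, whereas the HTML view and the template resolve it through getUserStateFromRequest(); if the export request carries the id in the query string or relies on the stored user state instead, `$reportId` is null here and the asset checked becomes `com_tjreports.tjreport.`, not the report being exported. Which way tjexport.js sends the id is not visible on this page, so this is to be confirmed, but reading it the same way as the HTML view and typing it, `$reportId = JFactory::getApplication()->getUserStateFromRequest('reportId', 'reportId', 0, 'int');`, removes the discrepancy either way. A short comment naming where the id is expected to come from would help the next reader as well.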
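Review bot: The per-report check `if ($userAuthorisedExport)` wraps only the getItems()/parent::display() branch; the `task == 'download'` branch just above it (outside this hunk) remains gated by the global core.export alone, so the report-level permission the commit introduces is not applied to downloads. Whether that matters depends on how download() ties a file name to a report, which is not visible here; if it does not, move the check in front of `if ($input->get('task') == 'download')` so both paths share it. Also, this branch answers an unauthorised request with `enqueueMessage(...)` and `return false`, while the global check above redirects with the same message; for a format=csv request the redirect is the response the client can act on, an enqueued message only surfaces on the next HTML page, so the two branches should handle failure the same way.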
From 7fca66d33d9b655bc3dbff0d3e3fc1c45cbe4512 Mon Sep 17 00:00:00 2001 From: Deepa Date: Tue, 25 Dec 2018 10:59:48 +0530 Subject: [PATCH 3/3] Task 136745 fix: Version and Date changes --- plugins/actionlog/tjreports/tjreports.xml | 4 ++-- plugins/privacy/tjreports/tjreports.xml | 4 ++-- tjreports/tjreports.xml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/plugins/actionlog/tjreports/tjreports.xml b/plugins/actionlog/tjreports/tjreports.xml index d83aebf..d566037 100644 --- a/plugins/actionlog/tjreports/tjreports.xml +++ b/plugins/actionlog/tjreports/tjreports.xml @@ -2,12 +2,12 @@ plg_actionlog_tjreports Techjoomla - 16th Nov 2018 + 25th Dec 2018 Copyright (C) 2016 - 2018 Techjoomla. All rights reserved. http://www.gnu.org/licenses/gpl-2.0.html GNU/GPL extensions@techjoomla.com https://techjoomla.com - 1.0.3 + 1.0.4 PLG_ACTIONLOG_TJREPORTS_XML_DESCRIPTION tjreports.php diff --git a/plugins/privacy/tjreports/tjreports.xml b/plugins/privacy/tjreports/tjreports.xml index fef7d47..dfc9e1e 100644 --- a/plugins/privacy/tjreports/tjreports.xml +++ b/plugins/privacy/tjreports/tjreports.xml @@ -1,8 +1,8 @@ plg_privacy_tjreports - 1.0.3 - 16th Nov 2018 + 1.0.4 + 25th Dec 2018 Techjoomla extensions@techjoomla.com https://techjoomla.com diff --git a/tjreports/tjreports.xml b/tjreports/tjreports.xml index a4dca05..9afe826 100644 --- a/tjreports/tjreports.xml +++ b/tjreports/tjreports.xml @@ -6,8 +6,8 @@ https://techjoomla.com Copyright (C) 2016 - 2018 Techjoomla. All rights reserved. http://www.gnu.org/licenses/gpl-2.0.html GNU/GPL - 16th Nov 2018 - 1.0.3 + 25th Dec 2018 + 1.0.4 This component is used to access all the report at single place.