diff options
| -rw-r--r-- | db/update.sql | 22 | ||||
| -rw-r--r-- | includes/pages/admin_news.php | 11 | ||||
| -rw-r--r-- | includes/pages/admin_user.php | 2 | ||||
| -rw-r--r-- | includes/pages/guest_login.php | 2 | ||||
| -rw-r--r-- | includes/pages/user_news.php | 12 | ||||
| -rw-r--r-- | includes/sys_auth.php | 2 | ||||
| -rw-r--r-- | includes/sys_form.php | 15 |
7 files changed, 41 insertions, 25 deletions
diff --git a/db/update.sql b/db/update.sql index dd203a86..5d93e230 100644 --- a/db/update.sql +++ b/db/update.sql @@ -8,19 +8,23 @@ ALTER TABLE `User` ADD COLUMN `email_by_human_allowed` BOOLEAN NOT NULL; -- No Self Sign Up for some Angel Types ALTER TABLE AngelTypes ADD no_self_signup TINYINT(1) NOT NULL; -ALTER TABLE `AngelTypes` - ADD `contact_user_id` INT NULL, - ADD `contact_name` VARCHAR(250) NULL, - ADD `contact_dect` VARCHAR(5) NULL, - ADD `contact_email` VARCHAR(250) NULL, +ALTER TABLE `AngelTypes` + ADD `contact_user_id` INT NULL, + ADD `contact_name` VARCHAR(250) NULL, + ADD `contact_dect` VARCHAR(5) NULL, + ADD `contact_email` VARCHAR(250) NULL, ADD INDEX (`contact_user_id`); -ALTER TABLE `AngelTypes` +ALTER TABLE `AngelTypes` ADD FOREIGN KEY (`contact_user_id`) REFERENCES `User`(`UID`) ON DELETE SET NULL ON UPDATE CASCADE; - INSERT INTO `Privileges` (`id`, `name`, `desc`) VALUES (NULL, 'shiftentry_edit_angeltype_supporter', 'If user with this privilege is angeltype supporter, he can put users in shifts for their angeltype'); - -- DB Performance ALTER TABLE `Shifts` ADD INDEX(`start`); -ALTER TABLE `NeededAngelTypes` ADD INDEX(`count`);
\ No newline at end of file +ALTER TABLE `NeededAngelTypes` ADD INDEX(`count`); + +-- Security +UPDATE `Groups` SET UID = UID * 10; +INSERT INTO `Groups` (Name, UID) VALUES ('News Admin', -65); +INSERT INTO `Privileges` (id, name, `desc`) VALUES (42, 'admin_news_html', 'Use HTML in news'); +INSERT INTO `GroupPrivileges` (group_id, privilege_id) VALUES (-65, 14), (-65, 42); diff --git a/includes/pages/admin_news.php b/includes/pages/admin_news.php index 64a54f4b..bc78a6b1 100644 --- a/includes/pages/admin_news.php +++ b/includes/pages/admin_news.php @@ -7,7 +7,7 @@ use Engelsystem\Database\DB; */ function admin_news() { - global $user; + global $user, $privileges; $request = request(); if (!$request->has('action')) { @@ -51,6 +51,11 @@ function admin_news() break; case 'save': + $text = $request->postData('eText'); + if (!in_array('admin_news_html', $privileges)) { + $text = strip_tags($text); + } + DB::update(' UPDATE `News` SET `Datum`=?, @@ -62,8 +67,8 @@ function admin_news() ', [ time(), - $request->postData('eBetreff'), - $request->postData('eText'), + strip_tags($request->postData('eBetreff')), + $text, $user['UID'], $request->has('eTreffen') ? 1 : 0, $news_id diff --git a/includes/pages/admin_user.php b/includes/pages/admin_user.php index aea68f52..ca814b2e 100644 --- a/includes/pages/admin_user.php +++ b/includes/pages/admin_user.php @@ -272,7 +272,7 @@ function admin_user() WHERE `UID` = ? LIMIT 1'; DB::update($sql, [ - $request->postData('eNick'), + User_validate_Nick($request->postData('eNick')), $request->postData('eName'), $request->postData('eVorname'), $request->postData('eTelefon'), diff --git a/includes/pages/guest_login.php b/includes/pages/guest_login.php index 3966b55c..9c706cfc 100644 --- a/includes/pages/guest_login.php +++ b/includes/pages/guest_login.php @@ -233,7 +233,7 @@ function guest_register() // Assign user-group and set password $user_id = DB::getPdo()->lastInsertId(); - DB::insert('INSERT INTO `UserGroups` (`uid`, `group_id`) VALUES (?, -2)', [$user_id]); + DB::insert('INSERT INTO `UserGroups` (`uid`, `group_id`) VALUES (?, -20)', [$user_id]); set_password($user_id, $request->postData('password')); // Assign angel-types diff --git a/includes/pages/user_news.php b/includes/pages/user_news.php index bdbb0645..0e38e619 100644 --- a/includes/pages/user_news.php +++ b/includes/pages/user_news.php @@ -155,7 +155,7 @@ function user_news_comments() $user_source = User($comment['UID']); $html .= '<div class="panel panel-default">'; - $html .= '<div class="panel-body">' . nl2br($comment['Text']) . '</div>'; + $html .= '<div class="panel-body">' . nl2br(htmlspecialchars($comment['Text'])) . '</div>'; $html .= '<div class="panel-footer text-muted">'; $html .= '<span class="glyphicon glyphicon-time"></span> ' . $comment['Datum'] . ' '; $html .= User_Nick_render($user_source); @@ -191,14 +191,20 @@ function user_news() if (!$request->has('treffen')) { $isMeeting = 0; } + + $text = $request->postData('text'); + if (!in_array('admin_news_html', $privileges)) { + $text = strip_tags($text); + } + DB::insert(' INSERT INTO `News` (`Datum`, `Betreff`, `Text`, `UID`, `Treffen`) VALUES (?, ?, ?, ?, ?) ', [ time(), - $request->postData('betreff'), - $request->postData('text'), + strip_tags($request->postData('betreff')), + $text, $user['UID'], $isMeeting, ] diff --git a/includes/sys_auth.php b/includes/sys_auth.php index 856ed4ab..607d180b 100644 --- a/includes/sys_auth.php +++ b/includes/sys_auth.php @@ -31,7 +31,7 @@ function load_auth() } // guest privileges - $privileges = privileges_for_group(-1); + $privileges = privileges_for_group(-10); } /** diff --git a/includes/sys_form.php b/includes/sys_form.php index 78e97792..148af965 100644 --- a/includes/sys_form.php +++ b/includes/sys_form.php @@ -10,7 +10,7 @@ */ function form_hidden($name, $value) { - return '<input type="hidden" name="' . $name . '" value="' . $value . '" />'; + return '<input type="hidden" name="' . $name . '" value="' . htmlspecialchars($value) . '" />'; } /** @@ -25,7 +25,7 @@ function form_spinner($name, $label, $value) { return form_element($label, ' <div class="input-group"> - <input id="spinner-' . $name . '" class="form-control" type="text" name="' . $name . '" value="' . $value . '" /> + <input id="spinner-' . $name . '" class="form-control" name="' . $name . '" value="' . htmlspecialchars($value) . '" /> <div class="input-group-btn"> <button id="spinner-' . $name . '-down" class="btn btn-default" type="button"> <span class="glyphicon glyphicon-minus"></span> @@ -66,7 +66,8 @@ function form_date($name, $label, $value, $start_date = '', $end_date = '') $end_date = is_numeric($end_date) ? date('Y-m-d', $end_date) : ''; return form_element($label, ' <div class="input-group date" id="' . $dom_id . '"> - <input type="text" name="' . $name . '" class="form-control" value="' . $value . '"><span class="input-group-addon">' . glyph('th') . '</span> + <input name="' . $name . '" class="form-control" value="' . htmlspecialchars($value) . '">' + . '<span class="input-group-addon">' . glyph('th') . '</span> </div> <script type="text/javascript"> $(function(){ @@ -154,7 +155,7 @@ function form_checkbox($name, $label, $selected, $value = 'checked', $id = null) } return '<div class="checkbox"><label>' - . '<input type="checkbox" id="' . $name . '" name="' . $name . '" value="' . $value . '" ' + . '<input type="checkbox" id="' . $id . '" name="' . $name . '" value="' . htmlspecialchars($value) . '" ' . ($selected ? ' checked="checked"' : '') . ' /> ' . $label . '</label></div>'; @@ -172,7 +173,7 @@ function form_checkbox($name, $label, $selected, $value = 'checked', $id = null) function form_radio($name, $label, $selected, $value) { return '<div class="radio">' - . '<label><input type="radio" id="' . $name . '" name="' . $name . '" value="' . $value . '" ' + . '<label><input type="radio" id="' . $name . '" name="' . $name . '" value="' . htmlspecialchars($value) . '" ' . ($selected ? ' checked="checked"' : '') . ' /> ' . $label . '</label></div>'; @@ -333,8 +334,8 @@ function form_textarea($name, $label, $value, $disabled = false) $disabled = $disabled ? ' disabled="disabled"' : ''; return form_element( $label, - '<textarea rows="5" class="form-control" id="form_' . $name . '" type="text" name="' - . $name . '" ' . $disabled . '>' . $value . '</textarea>', + '<textarea rows="5" class="form-control" id="form_' . $name . '" name="' + . $name . '" ' . $disabled . '>' . htmlspecialchars($value) . '</textarea>', 'form_' . $name ); } |