clones/librenms
1
0
Fork 0
mirror of https://github.com/librenms/librenms.git synced 2024-09-23 03:18:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix permissions in update-dashboard-config.inc.php

Browse Source
This commit is contained in:
Daniel Preussker 2015-09-11 20:14:37 +01:00
parent f80b10bfa0
commit 26d7851539
No known key found for this signature in database
GPG Key ID: F5CFDD99E67F8B99
1 changed files with 48 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
html/includes/forms/update-dashboard-config.inc.php
View File

@ -9,39 +9,62 @@ $widget_id = mres($_POST['widget_id']);
$dasboard_id = mres($_POST['dashboard_id']);
if ($sub_type == 'remove' && is_numeric($widget_id)) {
if ($widget_id == 0 || dbDelete('users_widgets','`user_id`=? AND `user_widget_id`=? AND `dashboard_id`=?', array($_SESSION['user_id'],$widget_id,$dasboard_id))) {
$status = 'ok';
$message = '';
}
}
elseif ($sub_type == 'remove-all') {
if (dbDelete('users_widgets','`user_id`=? AND `dashboard_id`=?', array($_SESSION['user_id'],$dasboard_id))) {
$status = 'ok';
$message = '';
}
}
elseif ($sub_type == 'add' && is_numeric($widget_id)) {
$widget = dbFetchRow('SELECT * FROM `widgets` WHERE `widget_id`=?', array($widget_id));
if (is_array($widget)) {
list($x,$y) = explode(',',$widget['base_dimensions']);
$item_id = dbInsert(array('user_id'=>$_SESSION['user_id'],'widget_id'=>$widget_id, 'col'=>1,'row'=>1,'refresh'=>60,'title'=>$widget['widget_title'],'size_x'=>$x,'size_y'=>$y,'settings'=>'','dashboard_id'=>$dasboard_id),'users_widgets');
if (is_numeric($item_id)) {
$extra = array('user_widget_id'=>$item_id,'widget_id'=>$item_id,'title'=>$widget['widget_title'],'widget'=>$widget['widget'],'refresh'=>60,'size_x'=>$x,'size_y'=>$y);
if (dbFetchCell('select 1 from dashboards where (user_id = ? || access = 2) && dashboard_id = ?',array($_SESSION['user_id'],$dasboard_id)) == 1) {
if ($widget_id == 0 || dbDelete('users_widgets','`user_widget_id`=? AND `dashboard_id`=?', array($widget_id,$dasboard_id))) {
$status = 'ok';
$message = '';
}
}
else {
$status = 'error';
$message = 'ERROR: You have no write access.';
}
}
elseif ($sub_type == 'remove-all') {
if (dbFetchCell('select 1 from dashboards where (user_id = ? || access = 2) && dashboard_id = ?',array($_SESSION['user_id'],$dasboard_id)) == 1) {
if (dbDelete('users_widgets','`dashboard_id`=?', array($dasboard_id))) {
$status = 'ok';
$message = '';
}
}
else {
$status = 'error';
$message = 'ERROR: You have no write access.';
}
}
elseif ($sub_type == 'add' && is_numeric($widget_id)) {
if (dbFetchCell('select 1 from dashboards where (user_id = ? || access = 2) && dashboard_id = ?',array($_SESSION['user_id'],$dasboard_id)) == 1) {
$widget = dbFetchRow('SELECT * FROM `widgets` WHERE `widget_id`=?', array($widget_id));
if (is_array($widget)) {
list($x,$y) = explode(',',$widget['base_dimensions']);
$item_id = dbInsert(array('user_id'=>$_SESSION['user_id'],'widget_id'=>$widget_id, 'col'=>1,'row'=>1,'refresh'=>60,'title'=>$widget['widget_title'],'size_x'=>$x,'size_y'=>$y,'settings'=>'','dashboard_id'=>$dasboard_id),'users_widgets');
if (is_numeric($item_id)) {
$extra = array('user_widget_id'=>$item_id,'widget_id'=>$item_id,'title'=>$widget['widget_title'],'widget'=>$widget['widget'],'refresh'=>60,'size_x'=>$x,'size_y'=>$y);
$status = 'ok';
$message = '';
}
}
}
else {
$status = 'error';
$message = 'ERROR: You have no write access.';
}
}
else {
$status = 'ok';
$message = '';
foreach ($data as $line) {
if (is_array($line)) {
$update = array('col'=>$line['col'],'row'=>$line['row'],'size_x'=>$line['size_x'],'size_y'=>$line['size_y']);
dbUpdate($update, 'users_widgets', '`user_widget_id`=? AND `user_id`=? AND `dashboard_id`=?', array($line['id'],$_SESSION['user_id'],$dasboard_id));
if (dbFetchCell('select 1 from dashboards where (user_id = ? || access = 2) && dashboard_id = ?',array($_SESSION['user_id'],$dasboard_id)) == 1) {
$status = 'ok';
$message = '';
foreach ($data as $line) {
if (is_array($line)) {
$update = array('col'=>$line['col'],'row'=>$line['row'],'size_x'=>$line['size_x'],'size_y'=>$line['size_y']);
dbUpdate($update, 'users_widgets', '`user_widget_id`=? AND `dashboard_id`=?', array($line['id'],$dasboard_id));
}
}
}
else {
$status = 'error';
$message = 'ERROR: You have no write access.';
}
}
$response = array(