
[Noalyss-commit] [noalyss] 17/29: Security For document_state and tag_gr


From: Dany De Bontridder
Subject: [Noalyss-commit] [noalyss] 17/29: Security For document_state and tag_group
Date: Wed, 4 Nov 2020 11:08:43 -0500 (EST)

sparkyx pushed a commit to branch master
in repository noalyss.

commit 9a03147cbf04d033b843d8d64939c3925eef8c2c
Author: Dany wm De Bontridder <danydb@noalyss.eu>
AuthorDate: Sun Nov 1 13:33:31 2020 +0100

    Security For document_state and tag_group
---
 include/ajax/ajax_document_state.php | 6 +++++-
 include/ajax/ajax_tag_group.php      | 9 ++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/include/ajax/ajax_document_state.php 
b/include/ajax/ajax_document_state.php
index d5cfed6..e0776af 100644
--- a/include/ajax/ajax_document_state.php
+++ b/include/ajax/ajax_document_state.php
@@ -24,7 +24,11 @@ if (!defined('ALLOWED'))     die('Appel direct ne sont pas 
permis');
 require_once NOALYSS_INCLUDE."/class/document_state_mtable.php";
 global $g_user;
 
-$g_user->check_action('CFGDOCST',2);
+if ( $g_user->check_module('CFGDOCST') == 0 ) {
+    record_log("forbidden : CFGDOCST ".__FILE__);
+    exit();
+}
+
 
 /**
  * @file
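Review bot: The denied branch added under `if ( $g_user->check_module('CFGDOCST') == 0 )` ends in a bare `exit();`, so an unauthorized AJAX caller receives an empty body with the default status and the client cannot tell a refusal from an empty result. I would add `http_response_code(403);` before `exit();`; the same applies to the CFGTAG guard added in ajax_tag_group.php. The replaced call was `check_action('CFGDOCST',2)` and the new one drops the second argument, so it is worth confirming that `check_module` enforces the same access level, since its definition is not visible here. The rest of the file continues outside the hunk.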
diff --git a/include/ajax/ajax_tag_group.php b/include/ajax/ajax_tag_group.php
index dc13576..7da3aa4 100644
--- a/include/ajax/ajax_tag_group.php
+++ b/include/ajax/ajax_tag_group.php
@@ -21,6 +21,12 @@
 
 if (!defined('ALLOWED'))
     die('Appel direct ne sont pas permis');
+
+if ( $g_user->check_module('CFGTAG') == 0 ) {
+    record_log("forbidden : AJT01 ".__FILE__);
+    exit();
+}
+
 require_once NOALYSS_INCLUDE."/class/tag_group_mtable.class.php";
 /**
  * @file
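Review bot: The log line in the new guard records `AJT01` while the module actually checked is `CFGTAG`, whereas ajax_document_state.php logs the module code itself. Someone reading the audit log cannot map this entry back to the permission without opening the file, so I would write `record_log("forbidden : CFGTAG ".__FILE__);`. Also, no `global $g_user;` is visible before the check, unlike in ajax_document_state.php. If this file is included from inside a function scope that declaration may be needed, though the first 20 lines of the file are outside the hunk.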
@@ -36,6 +42,7 @@ try {
     echo $e->getMessage();
     return;
 }
+
 $obj=new Tag_Group_SQL($cn,$p_id);
 $obj_manage=new Tag_Group_MTable($obj);
 $obj_manage->set_callback("ajax_misc.php");
@@ -61,4 +68,4 @@ elseif ($action=="delete")
     $xml=$obj_manage->ajax_delete();
     header('Content-type: text/xml; charset=UTF-8');
     echo $xml->saveXML();
-}
\ No newline at end of file
+}


