Sanitize data in dashboard add/edit/delete (#9171)

* sanitize data in dashboard add/edit/delete

* handle access differently
Tony Murray
2018-09-08 08:54:03 -05:00
committed by GitHub
parent 67e883f1a0
commit 3c530d6a4f
3 changed files with 19 additions and 8 deletions


@@ -28,7 +28,10 @@ header('Content-type: application/json');
$status = 'error';
$message = 'unknown error';
if (isset($_REQUEST['dashboard_name']) && ($dash_id = dbInsert(array('dashboard_name'=>$_REQUEST['dashboard_name'],'user_id'=>Auth::id()), 'dashboards'))) {
$dashboard_name = display($_REQUEST['dashboard_name']);
if (!empty($dashboard_name) && ($dash_id = dbInsert(['dashboard_name' => $dashboard_name, 'user_id' => Auth::id()], 'dashboards'))) {
$status = 'ok';
$message = 'Created';
} else {
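Review bot: The new `$dashboard_name = display($_REQUEST['dashboard_name']);` drops the `isset()` guard the old condition had, so a request without dashboard_name now reads an undefined index (a PHP notice) before `!empty()` rejects it; `$dashboard_name = isset($_REQUEST['dashboard_name']) ? display($_REQUEST['dashboard_name']) : '';` keeps the guard. `display()` looks like an output-escaping helper — if so, the escaped form is what gets written to the dashboards table, and any view that escapes again on render will double-encode names containing `&`, `<` or quotes, so confirm whether the project expects stored values to be pre-escaped or whether escaping belongs at output. Note also that `!empty()` rejects a dashboard literally named '0'. The else branch continues outside the visible lines.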


@@ -28,13 +28,16 @@ header('Content-type: application/json');
$status = 'error';
$message = 'unknown error';
if (isset($_REQUEST['dashboard_id'])) {
dbDelete('users_widgets', 'user_id = ? && dashboard_id = ?', array(Auth::id(),$_REQUEST['dashboard_id']));
if (dbDelete('dashboards', 'user_id = ? && dashboard_id = ?', array(Auth::id(),$_REQUEST['dashboard_id']))) {
$dashboard_id = (int)$_REQUEST['dashboard_id'];
if ($dashboard_id) {
dbDelete('users_widgets', 'user_id = ? && dashboard_id = ?', [Auth::id(), $dashboard_id]);
if (dbDelete('dashboards', 'user_id = ? && dashboard_id = ?', [Auth::id(), $dashboard_id])) {
$status = 'ok';
$message = 'Deleted dashboard';
} else {
$message = 'ERROR: Could not delete dashboard '.$_REQUEST['dashboard_id'];
$message = 'ERROR: Could not delete dashboard '. $dashboard_id;
}
} else {
$message = 'ERROR: Not enough params';
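Review bot: The users_widgets delete runs before the ownership-checked dashboards delete, so when the second call affects no row (id not owned by the current user, or nonexistent) the caller's widget rows for that dashboard_id are already gone while the response reports a failure. Since the edit endpoint in this same commit lets non-owners update dashboards with access = 2, a user may plausibly hold widgets on a dashboard they do not own; reordering so the widgets are removed only on success — `if (dbDelete('dashboards', 'user_id = ? && dashboard_id = ?', [Auth::id(), $dashboard_id])) { dbDelete('users_widgets', 'user_id = ? && dashboard_id = ?', [Auth::id(), $dashboard_id]);` — avoids the partial delete. This ordering predates the commit, but the rewrite of these lines is the natural place to fix it. Separately, a non-numeric dashboard_id is cast to 0 and reported as 'Not enough params', which is misleading; something like `$message = 'ERROR: Invalid dashboard_id';` in that branch would be clearer. The closing brace of the outer if/else lies outside the visible lines.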


@@ -28,12 +28,17 @@ header('Content-type: application/json');
$status = 'error';
$message = 'unknown error';
if (isset($_REQUEST['dashboard_id']) && isset($_REQUEST['dashboard_name']) && isset($_REQUEST['access'])) {
if (dbUpdate(array('dashboard_name'=>$_REQUEST['dashboard_name'],'access'=>$_REQUEST['access']), 'dashboards', '(user_id = ? || access = 2) && dashboard_id = ?', array(Auth::id(),$_REQUEST['dashboard_id'])) >= 0) {
$dashboard_id = (int)$_REQUEST['dashboard_id'];
$dashboard_name = display($_REQUEST['dashboard_name']);
$access = $_REQUEST['access'] ? 1 : 0;
if (isset($dashboard_id) && isset($dashboard_name) && isset($access)) {
if (dbUpdate(['dashboard_name'=> $dashboard_name,'access'=> $access], 'dashboards', '(user_id = ? || access = 2) && dashboard_id = ?', [Auth::id(), $dashboard_id]) >= 0) {
$status = 'ok';
$message = 'Updated dashboard';
} else {
$message = 'ERROR: Could not update dashboard '.$_REQUEST['dashboard_id'];
$message = 'ERROR: Could not update dashboard '. $dashboard_id;
}
} else {
$message = 'ERROR: Not enough params';