projects / Evergreen.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7c6d7a8)
Backport security fix r16747 from trunk
authordbs <dbs@dcc99617-32d9-48b4-a31d-7c20da2025e4>
Fri, 18 Jun 2010 04:48:03 +0000 (04:48 +0000)
committerdbs <dbs@dcc99617-32d9-48b4-a31d-7c20da2025e4>
Fri, 18 Jun 2010 04:48:03 +0000 (04:48 +0000)
1. Disable fleshing for PCRUD.  Otherwise fleshing would provide a
back door whereby a user could see stuff he has no permission to see.

2. For the id_list method: strip out the "flesh_fields" entry, not
the "flesh_columns" entry (which doesn't exist).  This actually makes
no difference, but if we're going to do something useless, we might
as well do it right.

git-svn-id: svn://svn.open-ils.org/ILS/branches/rel_1_6_0@16749 dcc99617-32d9-48b4-a31d-7c20da2025e4

Open-ILS/src/c-apps/oils_cstore.c patch | blob | history

diff --git a/Open-ILS/src/c-apps/oils_cstore.c b/Open-ILS/src/c-apps/oils_cstore.c
index d78a713..e3ddf75 100644 (file)
--- a/Open-ILS/src/c-apps/oils_cstore.c
+++ b/Open-ILS/src/c-apps/oils_cstore.c
@@ -94,6 +94,12 @@ static dbi_conn dbhandle; /* our CURRENT db connection */
 static jsonObject* jsonNULL = NULL; // 
 static int max_flesh_depth = 100;
 
+#ifdef PCRUD
+static int enforce_pcrud = 1;     // Boolean
+#else
+static int enforce_pcrud = 0;     // Boolean
+#endif
+
 /* called when this process is about to exit */
 void osrfAppChildExit() {
     osrfLogDebug(OSRF_LOG_MARK, "Child is exiting, disconnecting from database...");
@@ -804,7 +810,7 @@ int dispatchCRUDMethod ( osrfMethodContext* ctx ) {
             jsonObjectRemoveKey( jsonObjectGetIndex( _p, 1 ), "select" );
             jsonObjectRemoveKey( jsonObjectGetIndex( _p, 1 ), "no_i18n" );
             jsonObjectRemoveKey( jsonObjectGetIndex( _p, 1 ), "flesh" );
-            jsonObjectRemoveKey( jsonObjectGetIndex( _p, 1 ), "flesh_columns" );
+            jsonObjectRemoveKey( jsonObjectGetIndex( _p, 1 ), "flesh_fields" );
         } else {
             jsonObjectSetIndex( _p, 1, jsonNewObjectType(JSON_HASH) );
         }
@@ -4271,7 +4277,7 @@ static jsonObject* doFieldmapperSearch ( osrfMethodContext* ctx, osrfHash* meta,
        dbi_result_free(result);
        free(sql);
 
-       if (res_list->size && order_hash) {
+       if (res_list->size && order_hash && ! enforce_pcrud) {
                _tmp = jsonObjectGetKeyConst( order_hash, "flesh" );
                if (_tmp) {
                        int x = (int)jsonObjectGetNumber(_tmp);
Evergreen ILS