Fix missing authorization checks in AJAX endpoints and module actions

Author: anonymoususer72041

ajax/deleteActivity.php

@@ -38,6 +38,12 @@
     die();
 }
 
+if ($_SESSION['CATS']->getAccessLevel('contacts.deleteActivity') < ACCESS_LEVEL_EDIT)
+{
+    $interface->outputXMLErrorPage(-1, ERROR_NO_PERMISSION);
+    die();
+}
+
 if (!$interface->isRequiredIDValid('activityID'))
 {
     $interface->outputXMLErrorPage(-1, 'Invalid activity ID.');

ajax/editActivity.php

@@ -41,6 +41,12 @@
     die();
 }
 
+if ($_SESSION['CATS']->getAccessLevel('contacts.editActivity') < ACCESS_LEVEL_EDIT)
+{
+    $interface->outputXMLErrorPage(-1, ERROR_NO_PERMISSION);
+    die();
+}
+
 if (!$interface->isRequiredIDValid('activityID'))
 {
     $interface->outputXMLErrorPage(-1, 'Invalid activity ID.');

ajax/testEmailSettings.php

@@ -38,6 +38,12 @@
     die();
 }
 
+if ($_SESSION['CATS']->getAccessLevel('settings.emailSettings.POST') < ACCESS_LEVEL_SA)
+{
+    $interface->outputXMLErrorPage(-1, ERROR_NO_PERMISSION);
+    die();
+}
+
 $siteID = $interface->getSiteID();
 
 if (!isset($_POST['testEmailAddress']) ||

lib/Calendar.php

@@ -270,6 +270,32 @@ public function getAllEventTypes()
         return $this->_db->getAllAssoc($sql);
     }
 
+    /**
+     * Returns a calendar event.
+     *
+     * @param integer Calendar Event ID.
+     * @return array Calendar event data array, or empty array if no record
+     *               is present.
+     */
+    public function get($eventID)
+    {
+        $sql = sprintf(
+            "SELECT
+                calendar_event.calendar_event_id AS eventID,
+                calendar_event.entered_by AS enteredBy
+            FROM
+                calendar_event
+            WHERE
+                calendar_event.calendar_event_id = %s
+            AND
+                calendar_event.site_id = %s",
+            $this->_db->makeQueryInteger($eventID),
+            $this->_siteID
+        );
+
+        return $this->_db->getAssoc($sql);
+    }
+
     /**
      * Adds a calendar event to the database.
      *

modules/calendar/CalendarUI.php

@@ -582,6 +582,19 @@ private function onEditEvent()
 
         $eventID  = $_POST['eventID'];
         $type     = $_POST['type'];
+        $calendar = new Calendar($this->_siteID);
+        $eventRS = $calendar->get($eventID);
+
+        if (empty($eventRS))
+        {
+            CommonErrors::fatal(COMMONERROR_BADINDEX, $this, 'Invalid event ID.');
+        }
+
+        if ($eventRS['enteredBy'] != $this->_userID &&
+            $this->getUserAccessLevel('calendar.show') < ACCESS_LEVEL_SA)
+        {
+            CommonErrors::fatal(COMMONERROR_PERMISSION, $this, 'Invalid user level for action.');
+        }
 
         if ($_POST['allDay'] == 1)
         {
@@ -662,7 +675,6 @@ private function onEditEvent()
         if (!eval(Hooks::get('CALENDAR_EDIT_PRE'))) return;
 
         /* Update the event. */
-        $calendar = new Calendar($this->_siteID);
         if (!$calendar->updateEvent($eventID, $type, $date, $description,
             $allDay, $dataItemID, $dataItemType, 'NULL', $title, $duration,
             $reminderEnabled, $reminderEmail, $reminderTime, $publicEntry,
@@ -711,10 +723,22 @@ private function onDeleteEvent()
         }
 
         $eventID = $_POST['eventID'];
+        $calendar = new Calendar($this->_siteID);
+        $eventRS = $calendar->get($eventID);
+
+        if (empty($eventRS))
+        {
+            CommonErrors::fatal(COMMONERROR_BADINDEX, $this, 'Invalid event ID.');
+        }
+
+        if ($eventRS['enteredBy'] != $this->_userID &&
+            $this->getUserAccessLevel('calendar.show') < ACCESS_LEVEL_SA)
+        {
+            CommonErrors::fatal(COMMONERROR_PERMISSION, $this, 'Invalid user level for action.');
+        }
 
         if (!eval(Hooks::get('CALENDAR_DELETE_PRE'))) return;
 
-        $calendar = new Calendar($this->_siteID);
         $calendar->deleteEvent($eventID);
 
         if (!eval(Hooks::get('CALENDAR_DELETE_POST'))) return;

modules/import/ImportUI.php

@@ -154,6 +154,11 @@ public function handleRequest()
     */
     private function revert()
     {
+        if ($this->getUserAccessLevel('import.import') < ACCESS_LEVEL_EDIT)
+        {
+            CommonErrors::fatal(COMMONERROR_PERMISSION, $this, 'Invalid user level for action.');
+        }
+
         if (!$this->isRequiredIDValid('importID', $_POST))
         {
             $this->import();

modules/lists/ajax/addToLists.php

@@ -68,6 +68,12 @@ function isRequiredValueValid($value)
     die();
 }
 
+if ($_SESSION['CATS']->getAccessLevel('lists') < ACCESS_LEVEL_EDIT)
+{
+    $interface->outputXMLErrorPage(-1, ERROR_NO_PERMISSION);
+    die();
+}
+
 if (!isset($_POST['listsToAdd']))
 {
     $interface->outputXMLErrorPage(-1, 'No listsToAdd passed.');

modules/lists/ajax/deleteList.php

@@ -41,6 +41,12 @@
     die();
 }
 
+if ($_SESSION['CATS']->getAccessLevel('lists') < ACCESS_LEVEL_EDIT)
+{
+    $interface->outputXMLErrorPage(-1, ERROR_NO_PERMISSION);
+    die();
+}
+
 if (!isset($_POST['savedListID']) || !ctype_digit((string) $_POST['savedListID']))
 {
     $interface->outputXMLErrorPage(-1, 'Invalid saved list ID.');

modules/lists/ajax/editListName.php

@@ -41,6 +41,12 @@
     die();
 }
 
+if ($_SESSION['CATS']->getAccessLevel('lists') < ACCESS_LEVEL_EDIT)
+{
+    $interface->outputXMLErrorPage(-1, ERROR_NO_PERMISSION);
+    die();
+}
+
 if (!isset($_POST['savedListID']) || !ctype_digit((string) $_POST['savedListID']))
 {
     $interface->outputXMLErrorPage(-1, 'Invalid saved list ID.');

modules/lists/ajax/newList.php

@@ -41,6 +41,12 @@
     die();
 }
 
+if ($_SESSION['CATS']->getAccessLevel('lists') < ACCESS_LEVEL_EDIT)
+{
+    $interface->outputXMLErrorPage(-1, ERROR_NO_PERMISSION);
+    die();
+}
+
 if (!isset($_POST['dataItemType']) || !ctype_digit((string) $_POST['dataItemType']))
 {
     $interface->outputXMLErrorPage(-1, 'Invalid saved list type.');