From addcdabe573972fb4df21c63db0a21ecd424a8d1 Mon Sep 17 00:00:00 2001 From: Ryuji Masukawa Date: Fri, 20 May 2016 12:25:10 +0900 Subject: [PATCH 1/7] =?UTF-8?q?=E4=BC=9A=E5=93=A1=E7=AE=A1=E7=90=86?= =?UTF-8?q?=EF=BC=9A=E3=83=90=E3=83=AA=E3=83=87=E3=83=BC=E3=82=B7=E3=83=A7?= =?UTF-8?q?=E3=83=B3=E4=BF=AE=E6=AD=A3=E3=80=82?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../modules/user/validator/Validator_ItemsInputs.class.php | 3 +++ 1 file changed, 3 insertions(+) diff --git a/html/webapp/modules/user/validator/Validator_ItemsInputs.class.php b/html/webapp/modules/user/validator/Validator_ItemsInputs.class.php index 0d31c3e..d3faeee 100644 --- a/html/webapp/modules/user/validator/Validator_ItemsInputs.class.php +++ b/html/webapp/modules/user/validator/Validator_ItemsInputs.class.php @@ -131,6 +131,9 @@ function validate($attributes, $errStr, $params) //システム管理者の場合、変更不可 if($attributes['user_id'] == $_system_user_id && $content != _SYSTEM_ROLE_AUTH_ID) { return $err_prefix._INVALID_INPUT; + } else if ($content == _SYSTEM_ROLE_AUTH_ID && $session->getParameter("_user_auth_id") != _AUTH_ADMIN) { + // システム管理者へ権限を変更できるのは、管理者だけ + return $err_prefix._INVALID_INPUT; } } if($items['type'] == "email" || $items['type'] == "mobile_email") { From ec7b4b7ae95c1edfee19e338c18b0006431eec1c Mon Sep 17 00:00:00 2001 From: Ryuji Masukawa Date: Fri, 27 May 2016 11:45:49 +0900 Subject: [PATCH 2/7] =?UTF-8?q?=E4=BC=9A=E5=93=A1=E7=AE=A1=E7=90=86?= =?UTF-8?q?=EF=BC=9A=E5=BF=B5=E3=81=AE=E7=82=BA=E3=80=81=E3=82=BB=E3=82=AD?= =?UTF-8?q?=E3=83=A5=E3=83=AA=E3=83=86=E3=82=A3=E3=81=95=E3=82=89=E3=81=AB?= =?UTF-8?q?=E5=BC=B7=E5=8C=96=E3=80=82?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../user/validator/Validator_ItemsInputs.class.php | 11 +++++++++++ 1 file changed, 11 insertions(+) 
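Review bot: The new branch decides an authorization outcome with loose comparisons — `$content == _SYSTEM_ROLE_AUTH_ID` and `!= _AUTH_ADMIN` — while `$content` arrives from the request as a string, so PHP's loose string-to-number coercion, not an exact identifier match, is what grants or denies the role change. The preceding line uses the same loose form, so this is consistent with the surrounding code, but for an authorization check I would normalise both sides first: `} else if (intval($content) === intval(_SYSTEM_ROLE_AUTH_ID) && intval($session->getParameter("_user_auth_id")) !== intval(_AUTH_ADMIN)) {`. This assumes both constants are integer ids, which the hunk does not show; `validate()` begins and ends outside the hunk.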
diff --git a/html/webapp/modules/user/validator/Validator_ItemsInputs.class.php b/html/webapp/modules/user/validator/Validator_ItemsInputs.class.php index d3faeee..dd70479 100644 --- a/html/webapp/modules/user/validator/Validator_ItemsInputs.class.php +++ b/html/webapp/modules/user/validator/Validator_ItemsInputs.class.php @@ -36,6 +36,7 @@ function validate($attributes, $errStr, $params) $container =& DIContainerFactory::getContainer(); $session =& $container->getComponent("Session"); $usersView =& $container->getComponent("usersView"); + $authoritiesView =& $container->getComponent("authoritiesView"); $_system_user_id = $session->getParameter("_system_user_id"); if(!isset($attributes['user_id'])) $attributes['user_id'] = "0"; @@ -135,6 +136,16 @@ function validate($attributes, $errStr, $params) // システム管理者へ権限を変更できるのは、管理者だけ return $err_prefix._INVALID_INPUT; } + $_user_auth_id = $session->getParameter("_user_auth_id"); + $_role_auth_id = $session->getParameter("_role_auth_id"); + $authority = $authoritiesView->getAuthorityByID($content); + if ($_user_auth_id == _AUTH_CHIEF && $authority["user_authority_id"] >= _AUTH_CHIEF) { + // 事務局が、主担、事務局以上 + return $err_prefix._INVALID_INPUT; + } else if ($_user_auth_id == _AUTH_ADMIN && $_role_auth_id != _ROLE_AUTH_ADMIN && $authority["role_authority_id"] == _ROLE_AUTH_ADMIN) { + // 管理者がシステム管理者へ + return $err_prefix._INVALID_INPUT; + } } if($items['type'] == "email" || $items['type'] == "mobile_email") { $email = $content; From 63c3ebed814475f87bc4fe4e3f0aeeb463c81c47 Mon Sep 17 00:00:00 2001 From: Ryuji Masukawa Date: Mon, 6 Jun 2016 12:02:21 +0900 Subject: [PATCH 3/7] =?UTF-8?q?#93=20=E5=86=8D=E4=BF=AE=E6=AD=A3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- html/maple/nccore/db/DbObjectAdodb.class.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
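Review bot: `$authority = $authoritiesView->getAuthorityByID($content);` is used without checking that a row was found; if the lookup returns `false` or an empty array for an authority id that does not exist, `$authority["user_authority_id"]` and `$authority["role_authority_id"]` evaluate to null, both new comparisons are false (for non-zero constants), and the unknown id passes this validator instead of being rejected. An authorization check should fail closed, so I would add, directly after the lookup, `if (empty($authority)) { return $err_prefix._INVALID_INPUT; }`. Whether `getAuthorityByID` can return an empty result here, or whether existence is validated by an earlier rule, is not visible from the hunk; `validate()` begins and ends outside it.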
diff --git a/html/maple/nccore/db/DbObjectAdodb.class.php b/html/maple/nccore/db/DbObjectAdodb.class.php index 81c7e25..8258c9e 100644 --- a/html/maple/nccore/db/DbObjectAdodb.class.php +++ b/html/maple/nccore/db/DbObjectAdodb.class.php @@ -916,8 +916,10 @@ function addError($error_no=null, $error_mes=null) $session =& $container->getComponent("Session"); if(isset($session) && $session->getParameter("_php_debug") == _ON) { $errorList->add($this->ErrorNo(), $this->ErrorMsg(). ":\n". $this->_bck_sql); - } else { + } else if (defined('_INVALID_INPUT')) { $errorList->add($this->ErrorNo(), _INVALID_INPUT); + } else { + $errorList->add($this->ErrorNo(), "Security Error! Unauthorized input."); } } else { $errorList->add($error_no, $error_mes); From 9ff513c811888ed75e300c2f99a8a1631ac75394 Mon Sep 17 00:00:00 2001 
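Review bot: The two trailing `else` branches differ only in the message text, and nothing records why `_INVALID_INPUT` can be undefined when `addError` runs, so the next reader cannot tell whether the fallback covers bootstrap before the language constants are loaded or some other path. I would collapse them into one call, `$errorList->add($this->ErrorNo(), defined('_INVALID_INPUT') ? _INVALID_INPUT : "Security Error! Unauthorized input.");`, preceded by a comment such as `// _INVALID_INPUT is presumably a language constant and is not guaranteed to be defined at this point; keep the generic message when it is missing`. The non-debug branch intentionally hides the driver message and SQL from the user; that behaviour is preserved by the fallback and is worth stating in the same comment. `addError` begins and ends outside the hunk.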
From: Ryuji Masukawa Date: Tue, 6 Sep 2016 16:52:28 +0900 Subject: [PATCH 4/7] =?UTF-8?q?=E6=8E=B2=E7=A4=BA=E6=9D=BF=E3=81=AE?= =?UTF-8?q?=E6=8A=95=E7=A8=BF=E7=AD=89=E3=82=92=E3=83=A1=E3=83=BC=E3=83=AB?= =?UTF-8?q?=E3=81=A7=E5=8F=97=E3=81=91=E5=8F=96=E3=82=8A=E3=80=81=E3=81=9D?= =?UTF-8?q?=E3=82=8C=E3=82=92=E3=82=B9=E3=83=9E=E3=83=9B=E3=81=A7=E7=A2=BA?= =?UTF-8?q?=E8=AA=8D=E3=81=97=E3=80=81=E3=83=A1=E3=83=BC=E3=83=AB=E4=B8=8B?= =?UTF-8?q?=E9=83=A8=E3=81=AE=E3=83=AA=E3=83=B3=E3=82=AF=E3=81=8B=E3=82=89?= =?UTF-8?q?=20NC2=E3=81=AE=E3=82=B5=E3=82=A4=E3=83=88=E3=82=92=E9=96=B2?= =?UTF-8?q?=E8=A6=A7=E3=81=99=E3=82=8B=E3=81=A8=E7=94=BB=E9=9D=A2=E3=81=8C?= =?UTF-8?q?=E7=9C=9F=E3=81=A3=E7=99=BD=E3=81=AB=E3=81=AA=E3=82=8B=E3=80=82?= =?UTF-8?q?=20=EF=BC=88URL=E3=81=AB=E3=80=8C=EF=BC=83=E3=80=8D=E3=82=92?= =?UTF-8?q?=E3=81=A4=E3=81=91=E3=81=9F=E3=82=82=E3=81=AE=E3=81=AFjQueryMob?= =?UTF-8?q?ile=E3=81=AF=E3=82=A2=E3=83=B3=E3=82=AB=E3=83=BC=E3=82=BF?= =?UTF-8?q?=E3=82=B0=E3=81=A7=E3=81=AF=20=E3=81=AA=E3=81=8F=E3=80=81?= =?UTF-8?q?=E7=8B=AC=E8=87=AA=E3=81=AB=E7=AE=A1=E7=90=86=E3=81=97=E3=81=A6?= =?UTF-8?q?=E3=81=84=E3=82=8B=E3=83=9A=E3=83=BC=E3=82=B8=E3=83=87=E3=83=BC?= =?UTF-8?q?=E3=82=BF=E3=81=B8=E3=81=AE=E3=82=A2=E3=82=AF=E3=82=BB=E3=82=B9?= =?UTF-8?q?=E3=81=A8=E5=87=A6=E7=90=86=E3=81=97=E3=81=A6=E3=81=84=E3=82=8B?= =?UTF-8?q?=E3=81=93=E3=81=A8=E3=81=8C=E5=88=A4=E6=98=8E=20=E3=81=97?= =?UTF-8?q?=E3=81=BE=E3=81=97=E3=81=9F=E3=80=82=EF=BC=89=20=3D>=E3=80=8C$.?= =?UTF-8?q?mobile.hashListeningEnabled=20=3D=20false;=E3=80=8D=E3=81=AB?= =?UTF-8?q?=E3=81=99=E3=82=8B=E3=81=93=E3=81=A8=E3=81=AB=E3=82=88=E3=82=8A?= =?UTF-8?q?=E5=AF=BE=E5=BF=9C=E3=80=82?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- html/webapp/templates/main/mobile_smart.html | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/html/webapp/templates/main/mobile_smart.html b/html/webapp/templates/main/mobile_smart.html index 4329aed..f1ef9ec 100644 
--- a/html/webapp/templates/main/mobile_smart.html +++ b/html/webapp/templates/main/mobile_smart.html @@ -7,6 +7,11 @@ <{$smarty.const.INDEX_FILE_NAME}>?action=common_download_css&dir_name=/comp/extension/jquery.mobile-1.0.1.min.css&header=0&vs=<{$smarty.const._CSS_VERSION}>" /> <{$smarty.const.INDEX_FILE_NAME}>?action=common_download_css&dir_name=/comp/extension/jquery.mobile_addition.css&header=0&vs=<{$smarty.const._CSS_VERSION}>" /> + From 909fdcadc30a3d4cf209546bbb5fce1bb8f920ff Mon Sep 17 00:00:00 2001 From: Ryuji Masukawa Date: Tue, 4 Oct 2016 13:59:28 +0900 Subject: [PATCH 5/7] =?UTF-8?q?=E6=BA=96=E5=82=99=E4=B8=AD=E3=81=AE?= =?UTF-8?q?=E3=82=82=E3=81=AE=E3=81=8C=E4=B8=80=E9=83=A8=E8=A1=A8=E7=A4=BA?= =?UTF-8?q?=E3=81=95=E3=82=8C=E3=82=8B=E4=B8=8D=E5=85=B7=E5=90=88=E3=81=AB?= =?UTF-8?q?=E5=AF=BE=E5=BF=9C?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../admin/chgdisplay/Chgdisplay.class.php | 28 ++++++++++++++++--- 1 file changed, 24 insertions(+), 4 deletions(-) mode change 100755 => 100644 html/webapp/modules/room/action/admin/chgdisplay/Chgdisplay.class.php diff --git a/html/webapp/modules/room/action/admin/chgdisplay/Chgdisplay.class.php b/html/webapp/modules/room/action/admin/chgdisplay/Chgdisplay.class.php old mode 100755 new mode 100644 index 173d264..4e7ec24 --- a/html/webapp/modules/room/action/admin/chgdisplay/Chgdisplay.class.php +++ b/html/webapp/modules/room/action/admin/chgdisplay/Chgdisplay.class.php 
@@ -53,10 +53,15 @@ function execute() // --- 準備中->公開中に変更した場合、そのサブグループも公開中にする // ---------------------------------------------------------------------- if($this->page['display_flag'] != $display_flag) { - $where_params = array( - "parent_id" => intval($this->edit_current_page_id) + $rooms_where_params = array( + "room_id = ".intval($this->edit_current_page_id)." OR parent_id = ".intval($this->edit_current_page_id) => null ); - $subgroup_pages_id_arr =& $this->pagesView->getPages($where_params, null, null, null, array($this, "_subpagesFetchcallback")); + $rooms_id_arr =& $this->pagesView->getPages($rooms_where_params, null, null, null, array($this, "_roomsFetchcallback")); + $pages_where_params = array( + " room_id IN (". implode(",", $rooms_id_arr). ") " => null + ); + $subgroup_pages_id_arr =& $this->pagesView->getPages($pages_where_params, null, null, null, array($this, "_subpagesFetchcallback")); + if(count($subgroup_pages_id_arr) > 0) { $params = array( "display_flag" => $display_flag @@ -71,7 +76,22 @@ function execute() } } } - + + // add by mutaguchi@opensource-workshop.jp + /** + * fetch時コールバックメソッド + * @param result adodb object + * @return array items + * @access private + */ + function &_roomsFetchcallback($result) { + $ret = array(); + while ($row = $result->fetchRow()) { + $ret[$row['room_id']] = $row['room_id']; + } + return $ret; + } + /** * fetch時コールバックメソッド * @param result adodb object From b4fb8b6f6fc7077bd2ccc9a4a10aacdf6fe4d6a5 Mon Sep 17 00:00:00 2001 From: kteraguchi Date: Tue, 25 Apr 2017 18:04:04 +0900 Subject: [PATCH 6/7] Fix script tag escape --- html/webapp/components/escape/Text.class.php | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/html/webapp/components/escape/Text.class.php b/html/webapp/components/escape/Text.class.php index c3e1ae6..7572899 100644 --- a/html/webapp/components/escape/Text.class.php +++ b/html/webapp/components/escape/Text.class.php 
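Review bot: `" room_id IN (". implode(",", $rooms_id_arr). ") "` is built by string concatenation; the ids come from the preceding `getPages` result rather than the request, so injection is not the concern, but if `$rooms_id_arr` is empty or the first query fails the clause becomes `room_id IN ()`, a SQL syntax error rather than a no-op. I would cast the collected ids as defence in depth, `$rooms_id_arr = array_map('intval', (array)$rooms_id_arr);`, and skip the second `getPages` call (and the display_flag update) when the list is empty. The two `intval()` calls on `edit_current_page_id` are the right treatment for that value. `execute()` begins outside the hunk.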
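Review bot: The docblock on the new `_roomsFetchcallback` is a verbatim copy of the one on `_subpagesFetchcallback` that follows it, so the documentation does not distinguish the two callbacks. What sets this one apart is visible in its body: it collects `room_id` values keyed by themselves, for use in the `IN (...)` clause built earlier in `execute()`. I would replace the description with `fetch callback: collects the room_id column of each row as a room_id => room_id map` and the return tag with `@return array room_id => room_id`. The `// add by ...` attribution comment duplicates what version control records and can be dropped.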
@@ -445,6 +445,11 @@ function _escapeWysiwygAllowHtmltag($string) { $script_flag = false; foreach ($parts as $part) { // script-/scriptまではそのまま連結 + if(preg_match("/<\/script>$/u", $part)) { + $script_flag = false; + $string .= $part; + continue; + } if(preg_match("/^/u", $part) || $script_flag == true) { $script_flag = true; if (preg_match("/<\!\-\-comment\-\->/u", $part)) { @@ -453,10 +458,6 @@ function _escapeWysiwygAllowHtmltag($string) { } $string .= $part; continue; - } else if(preg_match("/<\/script>$/u", $part)) { - $script_flag = false; - $string .= $part; - continue; } if (preg_match("/<\!\-\-comment\-\->/u", $part)) { From c06abd188c5e04d4f52ae58b587d9915f23341bf Mon Sep 17 00:00:00 2001 
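Review bot: The moved check `preg_match("/<\/script>$/u", $part)` is compiled with only the `u` modifier, so it is case-sensitive, while HTML tag names are case-insensitive; if the split that produces `$parts` (outside the hunk) recognises other casings of the closing tag, `$script_flag` would not be reset for such a part and every following part would keep being appended without escaping. Since this flag decides when escaping resumes, the two tag patterns in this branch should use the same case rule as the splitter, e.g. `if(preg_match("/<\/script>$/iu", $part)) {`. I cannot see the splitter from here, so this may already be consistent; `_escapeWysiwygAllowHtmltag` begins and ends outside the hunk.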
From: Ryuji Masukawa Date: Wed, 17 Jan 2018 18:52:29 +0900 Subject: [PATCH 7/7] =?UTF-8?q?=E4=BB=A5=E4=B8=8B=E3=81=AE=E4=B8=8D?= =?UTF-8?q?=E5=85=B7=E5=90=88=E3=82=92=E4=BF=AE=E6=AD=A3=20=E2=91=A0?= =?UTF-8?q?=E6=96=B0=E8=A6=8F=E3=81=A7ToDo=E3=82=92=E4=BD=9C=E6=88=90=20?= =?UTF-8?q?=E2=91=A1ToDo=E3=82=92=E8=BF=BD=E5=8A=A0=EF=BC=88=E3=82=AB?= =?UTF-8?q?=E3=83=AC=E3=83=B3=E3=83=80=E3=83=BC=E3=81=AB=E8=A1=A8=E7=A4=BA?= =?UTF-8?q?=E3=81=95=E3=81=9B=E3=82=8B=EF=BC=89=20=E2=91=A2=E3=82=BB?= =?UTF-8?q?=E3=83=83=E3=83=86=E3=82=A3=E3=83=B3=E3=82=B0=E3=83=A2=E3=83=BC?= =?UTF-8?q?=E3=83=89=E3=81=A7ToDo=E3=83=AA=E3=82=B9=E3=83=88=E4=B8=80?= =?UTF-8?q?=E8=A6=A7=E8=A1=A8=E7=A4=BA=E3=81=AE=E7=8A=B6=E6=85=8B=E3=81=A7?= =?UTF-8?q?=E3=83=AA=E3=82=B9=E3=83=88=E9=81=B8=E6=8A=9E=E3=80=81=E3=80=8C?= =?UTF-8?q?=E5=89=8A=E9=99=A4=E3=80=8D=E3=83=9C=E3=82=BF=E3=83=B3=E6=8A=BC?= =?UTF-8?q?=E4=B8=8B=20=E2=91=A3=E3=82=AB=E3=83=AC=E3=83=B3=E3=83=80?= =?UTF-8?q?=E3=83=BC=E3=81=AE=E4=BA=88=E5=AE=9A=E3=81=8C=E5=89=8A=E9=99=A4?= =?UTF-8?q?=E3=81=95=E3=82=8C=E3=81=9A=E6=AE=8B=E3=81=A3=E3=81=A6=E3=81=84?= =?UTF-8?q?=E3=82=8B=E7=8A=B6=E6=85=8B?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- html/webapp/modules/todo/action/dicon.ini | 3 ++- .../todo/action/edit/delete/Delete.class.php | 14 ++++++++++++++ .../modules/todo/action/edit/delete/maple.ini | 1 + 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/html/webapp/modules/todo/action/dicon.ini b/html/webapp/modules/todo/action/dicon.ini index a22cc43..d94360c 100644 --- a/html/webapp/modules/todo/action/dicon.ini +++ b/html/webapp/modules/todo/action/dicon.ini @@ -1,3 +1,4 @@ [DIContainer] todoAction = "modules://todo.components.action" -todoView = "modules://todo.components.view" \ No newline at end of file +todoView = "modules://todo.components.view" +calendarPlanAction = "calendar.action" 
diff --git a/html/webapp/modules/todo/action/edit/delete/Delete.class.php b/html/webapp/modules/todo/action/edit/delete/Delete.class.php index bf49ca8..d2d0144 100644 --- a/html/webapp/modules/todo/action/edit/delete/Delete.class.php +++ b/html/webapp/modules/todo/action/edit/delete/Delete.class.php @@ -19,6 +19,7 @@ class Todo_Action_Edit_Delete extends Action // 使用コンポーネントを受け取るため var $todoAction = null; var $db = null; + var $calendarPlanAction = null; /** * Todo削除アクション @@ -27,6 +28,19 @@ class Todo_Action_Edit_Delete extends Action */ function execute() { + $whereParams = array( + "todo_id" => $this->todo_id, + "calendar_id!=0" => null + ); + $tasks = $this->db->selectExecute('todo_task', $whereParams); + if(!empty($tasks)) { + foreach($tasks as $task) { + if (!$this->calendarPlanAction->deletePlan($task["calendar_id"], CALENDAR_PLAN_EDIT_THIS)) { + return false; + } + } + } + $whereParams = array( "todo_id" => $this->todo_id ); diff --git a/html/webapp/modules/todo/action/edit/delete/maple.ini b/html/webapp/modules/todo/action/edit/delete/maple.ini index ba8de50..6bf5c35 100644 --- a/html/webapp/modules/todo/action/edit/delete/maple.ini +++ b/html/webapp/modules/todo/action/edit/delete/maple.ini @@ -6,6 +6,7 @@ key:room_id,block_id,todo_id.todo.todoExists = "1:lang._invalid_input" [Action] db = "ref:DbObject" +calendarPlanAction = "ref:calendarPlanAction" [View] success = "action:todo_view_edit_list" \ No newline at end of file
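Review bot: In the new block a failed lookup is indistinguishable from an empty one: if `selectExecute` signals a database error by returning `false` (its contract is not visible here), `!empty($tasks)` is false, the calendar-plan loop is skipped, and execution falls through to delete the ToDo rows anyway, leaving their calendar plans behind — the very state this commit sets out to fix. I would check for failure explicitly before the loop: `if ($tasks === false) { return false; }`. The `return false` inside the loop also stops after some plans may already have been deleted while the task rows remain; if the DB layer offers a transaction, wrapping the plan deletions and the task deletion in one would make the operation atomic. `execute()` continues outside the hunk.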