

Merge pull request from GHSA-wpww-4jf4-4hx8
テーマ編集の許可設定値を追加、デフォルトでは編集不可
baserproject authored Oct 25, 2020
2 parents f918a21 + aef0c75 commit b70474e
Showing 8 changed files with 48 additions and 18 deletions.
Expand Up @@ -35,7 +35,9 @@
<?php endif ?>
</div>
<div class="row-tools">
<?php $this->BcBaser->link('', ['controller' => 'theme_files', 'action' => 'index', $currentTheme['name']], ['title' => __d('baser', 'テンプレート編集'), 'class' => 'bca-btn-icon', 'data-bca-btn-type' => 'file-list', 'data-bca-btn-size' => 'lg']) ?>
<?php if (Configure::read('BcApp.allowedThemeEdit')): ?>
<?php $this->BcBaser->link('', ['controller' => 'theme_files', 'action' => 'index', $currentTheme['name']], ['title' => __d('baser', 'テンプレート編集'), 'class' => 'bca-btn-icon', 'data-bca-btn-type' => 'file-list', 'data-bca-btn-size' => 'lg']) ?>
<?php endif; ?>
<?php $this->BcBaser->link('', ['action' => 'ajax_copy', $currentTheme['name']], ['title' => __d('baser', 'テーマコピー'), 'class' => 'btn-copy bca-btn-icon', 'data-bca-btn-type' => 'copy', 'data-bca-btn-size' => 'lg']) ?>
</div>
</div>
Expand Down Expand Up @@ -74,4 +76,4 @@
<?php else: ?>
<li class="no-data"><?php echo __d('baser', '変更できるテーマがありません。') ?><br><?php echo __d('baser', '<a href="https://market.basercms.net/" target="_blank">baserマーケット</a>でテーマをダウンロードしましょう。') ?></li>
<?php endif; ?>
</ul>
</ul>
Expand Up @@ -31,7 +31,9 @@
<?php if ($data['name'] != $this->BcBaser->siteConfig['theme']): ?>
<?php $this->BcBaser->link('', ['action' => 'apply', $data['name']], ['title' => __d('baser', '適用'), 'class' => 'submit-token bca-btn-icon', 'data-bca-btn-type' => 'apply', 'data-bca-btn-size' => 'lg']) ?>
<?php endif ?>
<?php if (Configure::read('BcApp.allowedThemeEdit')): ?>
<?php $this->BcBaser->link('', ['controller' => 'theme_files', 'action' => 'index', $data['name']], ['title' => __d('baser', 'テンプレート編集'), 'class' => 'bca-btn-icon', 'data-bca-btn-type' => 'file-list', 'data-bca-btn-size' => 'lg']) ?>
<?php endif; ?>
<?php $this->BcBaser->link('', ['action' => 'ajax_copy', $data['name']], ['title' => __d('baser', 'テーマコピー'), 'class' => 'btn-copy bca-btn-icon', 'data-bca-btn-type' => 'copy', 'data-bca-btn-size' => 'lg']) ?>
<?php $this->BcBaser->link('', ['action' => 'ajax_delete', $data['name']], ['title' => __d('baser', 'テーマ削除'), 'class' => 'btn-delete bca-btn-icon', 'data-bca-btn-type' => 'delete', 'data-bca-btn-size' => 'lg']) ?>
</p>
5 changes: 3 additions & 2 deletions app/webroot/theme/admin-third/ThemeFiles/admin/form.php
Expand Up @@ -105,12 +105,13 @@
<div class="bca-actions__sub">
<?php $this->BcBaser->link(__d('baser', '削除'), array_merge(['action' => 'del', $theme, $plugin, $type], $params), ['class' => 'submit-token button bca-btn', 'data-bca-btn-type' => 'delete', 'data-bca-btn-size' => 'sm'], sprintf(__d('baser', '%s を本当に削除してもいいですか?'), basename($path)), false) ?>
</div>
<?php endif ?>
<?php endif ?>
<?php else: ?>
<?php // プラグインのアセットの場合はコピーできない ?>
<?php if (!$safeModeOn): ?>
<?php //if($theme == 'core' && !(($type == 'css' || $type == 'js' || $type == 'img') && $plugin)): ?>
<?php if ($theme == 'core'): ?>
<?php // テーマ編集が許可されていない場合コピー不可 ?>
<?php if ($theme == 'core' && Configure::read('BcApp.allowedThemeEdit')): ?>
<?php $this->BcBaser->link(__d('baser', '現在のテーマにコピー'), array_merge(array('action' => 'copy_to_theme', $theme, $plugin, $type), explode('/', $path)), array('class' => 'submit-token btn-red button bca-btn'), sprintf(__d('baser', '本当に現在のテーマ「%s」にコピーしてもいいですか?\n既に存在するファイルは上書きされます。'), Inflector::camelize($siteConfig['theme']))); ?>
<?php endif; ?>
<?php else: ?>
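Review bot: The new `$theme == 'core' && Configure::read('BcApp.allowedThemeEdit')` condition on the "現在のテーマにコピー" link is presentation only: the `copy_to_theme` action it targets is not among the actions the constructor deny list added to ThemeFilesController in this commit rejects, so unless that action checks the setting itself a direct request presumably still reaches it. The "削除" link a few lines above (action `del`) stays unconditional although deleting a file is also an edit, so the same question applies there. The same view-level gating appears in the two admin-third sections above, in the index_list.php and index_row.php sections below and in lib/Baser/View/ThemeFiles/admin/form.php; enforcing `BcApp.allowedThemeEdit` once in the controller for every file-modifying action lets these checks stay cosmetic. While touching the line, `$theme === 'core'` avoids the loose comparison. The enclosing if/else chain starts and ends outside the hunk.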
2 changes: 2 additions & 0 deletions lib/Baser/Config/setting.php
Expand Up @@ -176,6 +176,8 @@
'validSyntaxWithPage' => true,
// 管理者以外のPHPコードを許可するかどうか
'allowedPhpOtherThanAdmins' => true,
// テーマ編集機能の利用を許可するかどうか
'allowedThemeEdit' => false,
'marketThemeRss' => 'https://market.basercms.net/themes.rss',
'marketPluginRss' => 'https://market.basercms.net/plugins.rss',
'specialThanks' => 'https://basercms.net/special_thanks/special_thanks/ajax_users',
36 changes: 27 additions & 9 deletions lib/Baser/Controller/ThemeFilesController.php
Expand Up @@ -74,6 +74,24 @@ public function __construct(CakeRequest $request, CakeResponse $response) {
$this->crumbs = [
['name' => __d('baser', 'テーマ管理'), 'url' => ['admin' => true, 'controller' => 'themes', 'action' => 'index']]
];

// テーマ編集機能が制限されている場合はアクセス禁止
if (Configure::read('BcApp.allowedThemeEdit') == false) {
$denyList = [
'admin_index',
'admin_add',
'admin_edit',
'admin_add_folder',
'admin_edit_folder',
];
// coreのindexはアクセス可能
if ($this->request->params['pass'][0] === 'core') {
unset($denyList[array_search('admin_index', $denyList)]);
}
if (in_array($this->request->action, $denyList)) {
$this->notfound();
}
}
}

/**
Expand Down Expand Up @@ -136,13 +154,13 @@ public function admin_index() {
$excludeFileList = ['screenshot.png', 'VERSION.txt', 'config.php', 'AppView.php', 'BcAppView.php'];
if (!$path) {
$excludeFolderList = [
'Layouts',
'Elements',
'Layouts',
'Elements',
'Emails',
'Helper',
'Helper',
'Config',
'Plugin',
'img',
'Plugin',
'img',
'css',
'js',
'_notes'
Expand Down Expand Up @@ -185,9 +203,9 @@ public function admin_index() {

/**
* ファイルタイプを取得する
*
*
* @param string $file
* @return mixed false / type
* @return mixed false / type
*/
protected function _getFileType($file) {
if (preg_match('/^(.+?)(\.ctp|\.php|\.css|\.js)$/is', $file)) {
Expand Down Expand Up @@ -873,7 +891,7 @@ public function admin_copy_folder_to_theme() {
/**
* 画像を表示する
* コアの画像等も表示可
*
*
* @param array パス情報
* @return void
*/
Expand Down Expand Up @@ -901,7 +919,7 @@ public function admin_img() {
/**
* 画像を表示する
* コアの画像等も表示可
*
*
* @param int $width
* @param int $height
* @param array パス情報
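Review bot: `$this->request->params['pass'][0] === 'core'` in the new constructor block reads the first pass parameter without checking that one exists, so a request to a denied action with no theme segment raises an undefined-index notice before the action check runs; guard it with `if (!empty($this->request->params['pass']) && $this->request->params['pass'][0] === 'core') {`. The deny list covers only index/add/edit/folder actions, while `admin_copy_folder_to_theme` (visible further down in this file) and, presumably, the `copy_to_theme`, `del` and `del_folder` actions the views link to also modify theme files and are only hidden in the views, so they should be denied here too; `admin_img`, which just serves images, can stay open. Prefer `!Configure::read('BcApp.allowedThemeEdit')` over `== false` and `in_array($this->request->action, $denyList, true)`; the loose check happens to fail closed when the key is absent (null), which is worth stating in the comment: `// a missing key (null) is also treated as "editing not allowed"`. The constructor's signature and the rest of its body lie outside the hunk.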
6 changes: 4 additions & 2 deletions lib/Baser/View/Elements/admin/themes/index_list.php
Expand Up @@ -35,7 +35,9 @@
<?php endif ?>
</div>
<p class="row-tools">
<?php $this->BcBaser->link($this->BcBaser->getImg('admin/icn_tool_manage.png', ['alt' => __d('baser', 'テンプレート編集'), 'class' => 'btn']), ['controller' => 'theme_files', 'action' => 'index', $currentTheme['name']], ['title' => __d('baser', 'テンプレート編集')]) ?>
<?php if (Configure::read('BcApp.allowedThemeEdit')): ?>
<?php $this->BcBaser->link($this->BcBaser->getImg('admin/icn_tool_manage.png', ['alt' => __d('baser', 'テンプレート編集'), 'class' => 'btn']), ['controller' => 'theme_files', 'action' => 'index', $currentTheme['name']], ['title' => __d('baser', 'テンプレート編集')]) ?>
<?php endif; ?>
<?php $this->BcBaser->link($this->BcBaser->getImg('admin/icn_tool_copy.png', ['alt' => __d('baser', 'テーマコピー'), 'class' => 'btn']), ['action' => 'ajax_copy', $currentTheme['name']], ['title' => __d('baser', 'テーマコピー'), 'class' => 'btn-copy']) ?>
</p>
</div>
Expand Down Expand Up @@ -76,4 +78,4 @@
<li class="no-data"><?php echo __d('baser', '変更できるテーマがありません。')?><br /><a href="https://market.basercms.net/" target="_blank"><?php echo __d('baser', 'baserマーケット</a>でテーマをダウンロードしましょう。')?></li>
<?php endif ?>
<?php endif; ?>
</ul>
</ul>
4 changes: 3 additions & 1 deletion lib/Baser/View/Elements/admin/themes/index_row.php
Expand Up @@ -31,7 +31,9 @@
<?php if ($data['name'] != $this->BcBaser->siteConfig['theme']): ?>
<?php $this->BcBaser->link($this->BcBaser->getImg('admin/icn_tool_apply.png', ['alt' => __d('baser', '適用'), 'class' => 'btn']), ['action' => 'apply', $data['name']], ['title' => __d('baser', '適用'), 'class' => 'submit-token']) ?>
<?php endif ?>
<?php $this->BcBaser->link($this->BcBaser->getImg('admin/icn_tool_manage.png', ['alt' => __d('baser', 'テンプレート編集'), 'class' => 'btn']), ['controller' => 'theme_files', 'action' => 'index', $data['name']], ['title' => __d('baser', 'テンプレート編集')]) ?>
<?php if (Configure::read('BcApp.allowedThemeEdit')): ?>
<?php $this->BcBaser->link($this->BcBaser->getImg('admin/icn_tool_manage.png', ['alt' => __d('baser', 'テンプレート編集'), 'class' => 'btn']), ['controller' => 'theme_files', 'action' => 'index', $data['name']], ['title' => __d('baser', 'テンプレート編集')]) ?>
<?php endif; ?>
<?php $this->BcBaser->link($this->BcBaser->getImg('admin/icn_tool_copy.png', ['alt' => __d('baser', 'テーマコピー'), 'class' => 'btn']), ['action' => 'ajax_copy', $data['name']], ['title' => __d('baser', 'テーマコピー'), 'class' => 'btn-copy']) ?>
<?php $this->BcBaser->link($this->BcBaser->getImg('admin/icn_tool_delete.png', ['alt' => __d('baser', 'テーマ削除'), 'class' => 'btn']), ['action' => 'ajax_delete', $data['name']], ['title' => __d('baser', 'テーマ削除'), 'class' => 'btn-delete']) ?>
</p>
5 changes: 3 additions & 2 deletions lib/Baser/View/ThemeFiles/admin/form.php
Expand Up @@ -102,13 +102,14 @@
<?php if($isWritable): ?>
<?php echo $this->BcForm->submit(__d('baser', '保存'), ['div' => false, 'class' => 'button', 'id' => 'BtnSave']) ?>
<?php $this->BcBaser->link(__d('baser', '削除'), array_merge(['action' => 'del', $theme, $plugin, $type], $params), ['class' => 'submit-token button'], sprintf(__d('baser', '%s を本当に削除してもいいですか?'), basename($path)), false) ?>
<?php endif ?>
<?php endif ?>
<?php else: ?>
<?php $this->BcBaser->link(__d('baser', '一覧に戻る'), array_merge(['action' => 'index', $theme, $plugin, $type], $parentPrams), ['class' => 'btn-gray button']); ?>
<?php // プラグインのアセットの場合はコピーできない ?>
<?php if (!$safeModeOn): ?>
<?php //if($theme == 'core' && !(($type == 'css' || $type == 'js' || $type == 'img') && $plugin)): ?>
<?php if ($theme == 'core'): ?>
<?php // テーマ編集が許可されていない場合コピー不可 ?>
<?php if ($theme == 'core' && Configure::read('BcApp.allowedThemeEdit')): ?>
<?php $this->BcBaser->link(__d('baser', '現在のテーマにコピー'), array_merge(['action' => 'copy_to_theme', $theme, $plugin, $type], explode('/', $path)), ['class' => 'submit-token btn-red button'], sprintf(__d('baser', "本当に現在のテーマ「 %s 」にコピーしてもいいですか?\n既に存在するファイルは上書きされます。"), Inflector::camelize($siteConfig['theme']))); ?>
<?php endif; ?>
<?php else: ?>

