[Rt-commit] rt branch, 4.2/allowed-components, updated. rt-4.0.0rc6-168-g890312a

Shawn Moore sartak at bestpractical.com
Tue Mar 15 15:14:38 EDT 2011


The branch, 4.2/allowed-components has been updated
       via  890312ab81ec750520fa5be142a36ca7814ff5b4 (commit)
      from  1add097535b40b3e26747e4d4729a02911eef391 (commit)

Summary of changes:
 .../html/Dashboards/Elements/ShowPortlet/component |   12 +++++++++++-
 share/html/Elements/MyRT                           |    8 ++++++--
 2 files changed, 17 insertions(+), 3 deletions(-)

- Log -----------------------------------------------------------------
commit 890312ab81ec750520fa5be142a36ca7814ff5b4
Author: Shawn M Moore <sartak at bestpractical.com>
Date:   Tue Mar 15 15:12:59 2011 -0400

    Validate portlets against HomepageComponents
    
        It'd be nice if we had a clicky link for "gotcha, now remove this
        from my homepage/dashboard" but we haven't grown that logic yet

diff --git a/share/html/Dashboards/Elements/ShowPortlet/component b/share/html/Dashboards/Elements/ShowPortlet/component
index 230a15c..0142ac7 100644
--- a/share/html/Dashboards/Elements/ShowPortlet/component
+++ b/share/html/Dashboards/Elements/ShowPortlet/component
@@ -51,4 +51,14 @@ $Portlet
 $Rows => 20
 $Preview => 0
 </%args>
-% $m->comp($Portlet->{path});
+<%init>
+my $full_path = $Portlet->{path};
+(my $path = $full_path) =~ s{^/Elements/}{};
+
+my $allowed = grep { $_ eq $path } @{RT->Config->Get('HomepageComponents')};
+</%init>
+% if (!$allowed) {
+%     $m->out(loc("Invalid portlet [_1]", $path));
+% } else {
+%     $m->comp($full_path);
+% }
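Review bot: in the `<%init>` block the allow-list test runs on `$path` (a leading `/Elements/` stripped), but the `else` branch still calls `$m->comp($full_path)`, so the value that is checked and the value that is executed can differ. When `$Portlet->{path}` has no `/Elements/` prefix the substitution is a no-op, a bare name that matches a `HomepageComponents` entry passes, and Mason then resolves that name relative to this component rather than under `/Elements/`. Consider rejecting paths that lack the prefix and dispatching the validated name only, e.g. `$m->comp("/Elements/$path")`. Separately, the rejected `$path` is written with `$m->out`, which applies no HTML escaping; since this is exactly the value that failed validation, escape it before it reaches the page.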
diff --git a/share/html/Elements/MyRT b/share/html/Elements/MyRT
index e4d84d2..5523fe7 100644
--- a/share/html/Elements/MyRT
+++ b/share/html/Elements/MyRT
@@ -89,8 +89,12 @@ my $show_cb = sub {
     my $type  = $entry->{type};
     my $name = $entry->{'name'};
     if ( $type eq 'component' ) {
-        # XXX: security check etc.
-        $m->comp( $name, %{ $entry->{arguments} || {} } );
+        if (!$allowed_components{$name}) {
+            $m->out(loc("Invalid portlet [_1]", $name));
+        }
+        else {
+            $m->comp( $name, %{ $entry->{arguments} || {} } );
+        }
     } elsif ( $type eq 'system' ) {
         $m->comp( '/Elements/ShowSearch', Name => $name, Override => { Rows => $Rows } );
     } elsif ( $type eq 'saved' ) {
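Review bot: `%allowed_components` is read in the new `if (!$allowed_components{$name})` test but is neither declared nor populated anywhere in this diff, so the check cannot be verified from the patch alone. Please confirm it is built from `HomepageComponents` and keyed in the same form as `$name`: ShowPortlet strips `/Elements/` before comparing, while here `$name` is used as the hash key unchanged, so the two checks need to agree on one normalized form. As in ShowPortlet, the rejected `$name` goes through `$m->out` without HTML escaping and should be escaped. The removed `# XXX: security check etc.` comment could also be replaced with a short comment saying what the allow-list is and where it is built.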

-----------------------------------------------------------------------

