Close security hole where non torqueadmins could upload data files.

We want api users to only be able to query, unless they are admins.
YaxelPerez · Apr 14, 2020 · b3afba9 · b3afba9
1 parent 52f064f
commit b3afba9
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 0 deletions.
diff --git a/TorqueDataConnect/include/api/TorqueDataConnectUploadAttachment.php b/TorqueDataConnect/include/api/TorqueDataConnectUploadAttachment.php
@@ -6,6 +6,7 @@ public function __construct($main, $action) {
   }
 
   public function execute() {
+    parent::checkUserRightsAny(["torquedataconnect-admin"]);
     # We use phpcurl here because it's really straightforward, and
     # research (stackoverflow) didn't produce a compelling native php method.
     $attachment = $this->getParameter("attachment");

diff --git a/TorqueDataConnect/include/api/TorqueDataConnectUploadSheet.php b/TorqueDataConnect/include/api/TorqueDataConnectUploadSheet.php
@@ -6,6 +6,7 @@ public function __construct($main, $action) {
   }
 
   public function execute() {
+    parent::checkUserRightsAny(["torquedataconnect-admin"]);
     # We use phpcurl here because it's really straightforward, and
     # research (stackoverflow) didn't produce a compelling native php method.
     $file = $this->getParameter("data_file");

diff --git a/TorqueDataConnect/include/api/TorqueDataConnectUploadToc.php b/TorqueDataConnect/include/api/TorqueDataConnectUploadToc.php
@@ -6,6 +6,7 @@ public function __construct($main, $action) {
   }
 
   public function execute() {
+    parent::checkUserRightsAny(["torquedataconnect-admin"]);
     # We use phpcurl here because it's really straightforward, and
     # research (stackoverflow) didn't produce a compelling native php method.
     $json = $this->getParameter("json");