modified 修复权限放大带来的URL漏洞!

zhaoxiang 2016-11-20 16:51:59 +08:00
parent ae4cbd8e50
commit 69e8b7139c


@ -51,8 +51,8 @@ class Base extends Controller {
* @return mixed * @return mixed
*/ */
protected function _prepareTemplate( $temp ){ protected function _prepareTemplate( $temp ){
if( !isAdministrator() ){
$MenuInfo = Menu::where([])->column('hide','url'); $MenuInfo = Menu::where([])->column('hide','url');
if( !isAdministrator() ){
$authList = (new \Permission())->getAuthList($this->uid); $authList = (new \Permission())->getAuthList($this->uid);
switch ( $temp['tempType'] ){ switch ( $temp['tempType'] ){
case 'table': case 'table':
@ -84,6 +84,21 @@ class Base extends Controller {
case 'form': case 'form':
break; break;
} }
}else{
switch ( $temp['tempType'] ){
case 'table':
foreach ( $temp['topButton'] as $key => $value ){
$temp['topButton'][$key]['href'] = url($value['href']);
}
$temp['topButton'] = array_values($temp['topButton']);
foreach ( $temp['rightButton'] as $k => $v ){
$temp['rightButton'][$k]['href'] = url($v['href']);
}
$temp['rightButton'] = array_values($temp['rightButton']);
break;
case 'form':
break;
}
} }
return $temp; return $temp;
} }
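Review bot: The new administrator `else` branch in `_prepareTemplate` loops over `$temp['topButton']` and `$temp['rightButton']` and reads `['href']` on each entry without checking that they exist. A table template that omits either list, or a button without `href`, will therefore raise notices and hand a non-array to `array_values()`. Wrapping each loop in a guard such as `if ( !empty($temp['topButton']) && is_array($temp['topButton']) ){ ... }` avoids that. The branch also appears to repeat the `url()` rewriting done for non-administrators (that branch's body lies between the two hunks and is not visible here), so doing the conversion once after the permission filtering would stop the two paths drifting apart again. This method only decides which buttons are rendered, so it is worth confirming that the target actions themselves check the result of `getAuthList()` on the server side, which cannot be seen from these hunks.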