1 | <?php |
||
// Entry-point guard: this file is only valid when included by the application
// bootstrap, which defines sugarEntry first; direct requests are terminated.
if (!defined('sugarEntry') || !sugarEntry) {
    die('Not A Valid Entry Point');
}
|
3 | /********************************************************************************* |
||
4 | * SugarCRM Community Edition is a customer relationship management program developed by |
||
5 | * SugarCRM, Inc. Copyright (C) 2004-2013 SugarCRM Inc. |
||
6 | |||
7 | * SuiteCRM is an extension to SugarCRM Community Edition developed by Salesagility Ltd. |
||
8 | * Copyright (C) 2011 - 2016 Salesagility Ltd. |
||
9 | * |
||
10 | * This program is free software; you can redistribute it and/or modify it under |
||
11 | * the terms of the GNU Affero General Public License version 3 as published by the |
||
12 | * Free Software Foundation with the addition of the following permission added |
||
13 | * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK |
||
14 | * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY |
||
15 | * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS. |
||
16 | * |
||
17 | * This program is distributed in the hope that it will be useful, but WITHOUT |
||
18 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS |
||
19 | * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more |
||
20 | * details. |
||
21 | * |
||
22 | * You should have received a copy of the GNU Affero General Public License along with |
||
23 | * this program; if not, see http://www.gnu.org/licenses or write to the Free |
||
24 | * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA |
||
25 | * 02110-1301 USA. |
||
26 | * |
||
27 | * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road, |
||
28 | * SW2-130, Cupertino, CA 95014, USA. or at email address [email protected]. |
||
29 | * |
||
30 | * The interactive user interfaces in modified source and object code versions |
||
31 | * of this program must display Appropriate Legal Notices, as required under |
||
32 | * Section 5 of the GNU Affero General Public License version 3. |
||
33 | * |
||
34 | * In accordance with Section 7(b) of the GNU Affero General Public License version 3, |
||
35 | * these Appropriate Legal Notices must retain the display of the "Powered by |
||
36 | * SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not |
||
37 | * reasonably feasible for technical reasons, the Appropriate Legal Notices must |
||
38 | * display the words "Powered by SugarCRM" and "Supercharged by SuiteCRM". |
||
39 | ********************************************************************************/ |
||
40 | |||
41 | |||
42 | /** |
||
43 | * Homepage dashlet manager |
||
44 | * @api |
||
45 | */ |
||
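/**
 * Homepage dashlet manager
 *
 * Backs the AJAX dashboard actions for one module ($this->type): adding,
 * rendering, configuring, deleting and re-arranging dashlets. State lives in
 * the current user's 'dashlets' (guid => definition) and 'pages' (tab =>
 * columns => dashlet guids) preferences. Every public action takes its
 * parameters from $_REQUEST, so request values are treated as untrusted
 * throughout and are normalised before they are used as keys or stored.
 *
 * @api
 */
class MySugar
{
    /** @var string Module the dashboard belongs to; also the preference category. */
    public $type;

    /**
     * @param string $type Module name this manager operates on (e.g. 'Home').
     */
    public function __construct($type)
    {
        $this->type = $type;
    }

    /**
     * @deprecated deprecated since version 7.6, PHP4 Style Constructors are deprecated and will be remove in 7.8, please update your code, use __construct instead
     */
    public function MySugar($type)
    {
        $deprecatedMessage = 'PHP4 Style Constructors are deprecated and will be remove in 7.8, please update your code';
        if (isset($GLOBALS['log'])) {
            $GLOBALS['log']->deprecated($deprecatedMessage);
        } else {
            trigger_error($deprecatedMessage, E_USER_DEPRECATED);
        }
        self::__construct($type);
    }

    /**
     * Decide whether dashlets for $this->type may be shown to the current user.
     *
     * False when the module appears in neither $GLOBALS['moduleList'] nor
     * $GLOBALS['modInvisList'] and 'Activities' is not an enabled module; false
     * when the module is ACL-controlled and ACLController::checkAccess() denies
     * 'list' access; true otherwise.
     *
     * Fix: the original assigned false on an ACL denial and then unconditionally
     * overwrote it with true, so the ACL result was never honoured.
     *
     * @return bool
     */
    public function checkDashletDisplay()
    {
        $moduleList = isset($GLOBALS['moduleList']) && is_array($GLOBALS['moduleList'])
            ? $GLOBALS['moduleList'] : array();
        $modInvisList = isset($GLOBALS['modInvisList']) && is_array($GLOBALS['modInvisList'])
            ? $GLOBALS['modInvisList'] : array();

        $knownModule = in_array($this->type, $moduleList, true)
            || in_array($this->type, $modInvisList, true);
        if (!$knownModule && !in_array('Activities', $moduleList, true)) {
            return false;
        }

        if (!ACLController::moduleSupportsACL($this->type)) {
            return true;
        }

        $bean = SugarModule::get($this->type)->loadBean();
        return (bool) ACLController::checkAccess($this->type, 'list', true, $bean->acltype);
    }

    /**
     * Return $_REQUEST['id'] as a string, or null when it is absent, empty or
     * not a scalar (e.g. id[]=...). Ids are only ever used as array keys into
     * the user's preferences in this class, never as paths or class names.
     *
     * @return string|null
     */
    private function requestedDashletId()
    {
        if (empty($_REQUEST['id']) || !is_scalar($_REQUEST['id'])) {
            return null;
        }
        return (string) $_REQUEST['id'];
    }

    /**
     * Load and instantiate the dashlet stored under $id in the user's
     * 'dashlets' preference, or return null when no complete definition exists.
     *
     * 'fileLocation' and 'className' originate from the dashlet registry (see
     * addDashlet()), not from the request. Still, refuse to include anything
     * unless both are non-empty strings and the class really exists after the
     * include, so a stale or malformed preference fails closed rather than
     * ending in require_once('') and `new null`.
     *
     * @param string $id       Dashlet guid.
     * @param mixed  $dashlets The user's 'dashlets' preference for $this->type.
     * @return object|null
     */
    private function instantiateDashlet($id, $dashlets)
    {
        if (!is_array($dashlets)
            || !isset($dashlets[$id]['fileLocation'], $dashlets[$id]['className'])) {
            return null;
        }
        $def = $dashlets[$id];
        if (!is_string($def['fileLocation']) || $def['fileLocation'] === ''
            || !is_string($def['className']) || $def['className'] === '') {
            return null;
        }

        require_once $def['fileLocation'];
        if (!class_exists($def['className'])) {
            return null;
        }

        $options = isset($def['options']) ? $def['options'] : array();
        return new $def['className']($id, $options);
    }

    /**
     * Redirect the browser to the module index; used when an action is called
     * without a usable dashlet id. $this->type is url-encoded before it is put
     * in the query string (identity for ordinary module names).
     */
    private function redirectToIndex()
    {
        header("Location: index.php?action=index&module=" . urlencode((string) $this->type));
    }

    /**
     * Handle the "add dashlet" action.
     *
     * Looks $_REQUEST['id'] up in the dashlet registry (the cached
     * dashlets/dashlets.php, rebuilt when missing), stores a new entry under a
     * fresh guid in the user's 'dashlets' preference, prepends the guid to
     * column 0 of the current tab in 'pages', and echoes the guid.
     *
     * $_REQUEST['type'] === 'web' creates a feed/web dashlet whose URL is
     * $_REQUEST['type_module']; otherwise a non-empty type_module is stored as
     * the dashlet's module, falling back to the registry entry's module and
     * then to 'Home'.
     *
     * Echoes 'ofdaops' (the original failure token) when no id is given, the
     * id is not in the registry, the registry could not be loaded, or a web
     * dashlet URL is not an absolute http(s) URL. The original stored an entry
     * with a null class and file for unknown ids, which displayDashlet() would
     * later try to require.
     */
    public function addDashlet()
    {
        $registryFile = sugar_cached('dashlets/dashlets.php');
        if (!is_file($registryFile)) {
            require_once('include/Dashlets/DashletCacheBuilder.php');

            $dc = new DashletCacheBuilder();
            $dc->buildCache();
        }
        // Expected to define $dashletsFiles (registry id => class/file/module) in
        // this scope. NOTE(review): with require_once a file already included
        // earlier in the request leaves the variable unset; that case fails below.
        require_once $registryFile;

        global $current_user;

        $registryId = $this->requestedDashletId();
        if ($registryId === null) {
            echo 'ofdaops';
            return;
        }
        if (!isset($dashletsFiles) || !is_array($dashletsFiles)
            || !isset($dashletsFiles[$registryId]['class'], $dashletsFiles[$registryId]['file'])) {
            echo 'ofdaops';
            return;
        }
        $registryEntry = $dashletsFiles[$registryId];

        $pages = $current_user->getPreference('pages', $this->type);
        $dashlets = $current_user->getPreference('dashlets', $this->type);
        if (!is_array($dashlets)) {
            $dashlets = array();
        }

        $typeModule = isset($_REQUEST['type_module']) && is_string($_REQUEST['type_module'])
            ? $_REQUEST['type_module'] : '';

        $options = array();
        if (isset($_REQUEST['type']) && $_REQUEST['type'] === 'web') {
            $dashlet_module = 'Home';
            // The URL is user-supplied, is persisted, and is handed to
            // DashletRssFeedTitle (which presumably fetches it to derive a title --
            // TODO confirm). Only absolute http(s) URLs are accepted so that other
            // schemes (file:, javascript:, ...) are never stored or fetched.
            $scheme = strtolower((string) parse_url($typeModule, PHP_URL_SCHEME));
            if ($typeModule === ''
                || filter_var($typeModule, FILTER_VALIDATE_URL) === false
                || ($scheme !== 'http' && $scheme !== 'https')) {
                echo 'ofdaops';
                return;
            }
            require_once('include/Dashlets/DashletRssFeedTitle.php');
            $options['url'] = $typeModule;
            $webDashlet = new DashletRssFeedTitle($options['url']);
            $options['title'] = $webDashlet->generateTitle();
            unset($webDashlet);
        } elseif (!empty($typeModule)) {
            $dashlet_module = $typeModule;
        } elseif (isset($registryEntry['module'])) {
            $dashlet_module = $registryEntry['module'];
        } else {
            $dashlet_module = 'Home';
        }

        $guid = create_guid();
        $dashlets[$guid] = array(
            'className' => $registryEntry['class'],
            'module' => $dashlet_module,
            'options' => $options,
            'fileLocation' => $registryEntry['file'],
        );

        if (!isset($_SESSION) || !array_key_exists('current_tab', $_SESSION)) {
            $_SESSION["current_tab"] = '0';
        }
        $tab = $_SESSION['current_tab'];
        if (!isset($pages[$tab]['columns'][0]['dashlets'])
            || !is_array($pages[$tab]['columns'][0]['dashlets'])) {
            $pages[$tab]['columns'][0]['dashlets'] = array();
        }
        array_unshift($pages[$tab]['columns'][0]['dashlets'], $guid);

        $current_user->setPreference('dashlets', $dashlets, 0, $this->type);
        // The original computed the new layout above but never wrote it back;
        // persist it, as deleteDashlet() does, so 'pages' and 'dashlets' agree.
        $current_user->setPreference('pages', $pages, 0, $this->type);

        echo $guid;
    }

    /**
     * Render the dashlet named by $_REQUEST['id'].
     *
     * Preference side effects:
     *  - when both 'lvso' and a 'Home2_*_ORDER_BY' parameter are non-empty they
     *    are stored as the dashlet's 'sort_options' and passed to process();
     *  - when 'configure' is truthy, the dashlet's own saveOptions($_REQUEST)
     *    result replaces its stored 'options'.
     *
     * Output: with dynamic=true and a script-bearing dashlet only the title and
     * the LBL_RELOAD_PAGE label; otherwise header, body and footer. Without a
     * usable id, or when the id has no loadable definition, the client is
     * redirected to the module index and nothing is written.
     *
     * Fix: the original wrote the configured options into an undefined
     * $dashletDefs and saved *that* as the whole 'dashlets' preference, which
     * discarded every other dashlet of the user.
     */
    public function displayDashlet()
    {
        global $current_user, $mod_strings, $app_strings;

        $id = $this->requestedDashletId();
        if ($id === null) {
            $this->redirectToIndex();
            return;
        }

        $dashlets = $current_user->getPreference('dashlets', $this->type);
        $dashlet = $this->instantiateDashlet($id, $dashlets);
        if ($dashlet === null) {
            $this->redirectToIndex();
            return;
        }

        $sortOrder = '';
        $orderBy = '';
        foreach ($_REQUEST as $k => $v) {
            if ($k === 'lvso') {
                $sortOrder = $v;
            } elseif (preg_match('/Home2_.+_ORDER_BY/', (string) $k)) {
                $orderBy = $v;
            }
        }
        // NOTE(review): sortOrder/orderBy are stored verbatim and later handed to
        // the dashlet's process() as list-view parameters; whether the list view
        // whitelists them before building its ORDER BY is not visible here -- TODO confirm.
        if (!empty($sortOrder) && !empty($orderBy)) {
            $dashlets[$id]['sort_options'] = array('sortOrder' => $sortOrder, 'orderBy' => $orderBy);
            $current_user->setPreference('dashlets', $dashlets, 0, $this->type);
        }

        if (!empty($_REQUEST['configure'])) { // save settings
            $dashlets[$id]['options'] = $dashlet->saveOptions($_REQUEST);
            $current_user->setPreference('dashlets', $dashlets, 0, $this->type);
        }

        if (!empty($_REQUEST['dynamic']) && $_REQUEST['dynamic'] === 'true' && $dashlet->hasScript) {
            $dashlet->isConfigurable = false;
            echo $dashlet->getTitle('') . $app_strings['LBL_RELOAD_PAGE'];
            return;
        }

        $lvsParams = array();
        if (!empty($dashlets[$id]['sort_options'])) {
            $lvsParams = $dashlets[$id]['sort_options'];
        }
        $dashlet->process($lvsParams);
        $contents = $dashlet->display();
        // Many dashlets expect to be able to initialize in the display() function, so we have to create the header second
        echo $dashlet->getHeader();
        echo $contents;
        echo $dashlet->getFooter();
    }

    /**
     * Echo the chart script of the dashlet named by $_REQUEST['id'] after
     * process(); redirects to the module index when there is no usable id or
     * no loadable definition for it.
     */
    public function getPredefinedChartScript()
    {
        global $current_user, $mod_strings;

        $id = $this->requestedDashletId();
        if ($id === null) {
            $this->redirectToIndex();
            return;
        }

        $dashlets = $current_user->getPreference('dashlets', $this->type);
        $dashlet = $this->instantiateDashlet($id, $dashlets);
        if ($dashlet === null) {
            $this->redirectToIndex();
            return;
        }

        $dashlet->process();
        echo $dashlet->displayScript();
    }

    /**
     * Remove the dashlet named by $_REQUEST['id'] from page '0' of the user's
     * 'pages' preference and from the 'dashlets' preference, save both and
     * echo '1'. Echoes 'oops' when no usable id is given.
     *
     * Comparison is done on the string form of the ids instead of the original
     * loose ==; the ids are guids, so this only removes PHP's numeric-string
     * coercion from the match.
     */
    public function deleteDashlet()
    {
        global $current_user;

        $id = $this->requestedDashletId();
        if ($id === null) {
            echo 'oops';
            return;
        }

        $pages = $current_user->getPreference('pages', $this->type);
        $dashlets = $current_user->getPreference('dashlets', $this->type);

        $activePage = '0';
        $columns = isset($pages[$activePage]['columns']) && is_array($pages[$activePage]['columns'])
            ? $pages[$activePage]['columns'] : array();
        foreach ($columns as $colNum => $column) {
            if (empty($column['dashlets']) || !is_array($column['dashlets'])) {
                continue;
            }
            foreach ($column['dashlets'] as $num => $dashletId) {
                if ((string) $dashletId === $id) {
                    unset($pages[$activePage]['columns'][$colNum]['dashlets'][$num]);
                }
            }
        }

        if (is_array($dashlets)) {
            foreach (array_keys($dashlets) as $dashletId) {
                if ((string) $dashletId === $id) {
                    unset($dashlets[$dashletId]);
                }
            }
        }

        $current_user->setPreference('dashlets', $dashlets, 0, $this->type);
        $current_user->setPreference('pages', $pages, 0, $this->type);

        echo '1';
    }

    /**
     * Emit the "Add Dashlets" dialog as a `response = {...}` JSON assignment
     * with the rendered HTML and a small IE6 layout fix-up script. Module and
     * tool lists are only offered on the Home dashboard; charts always are.
     */
    public function dashletsDialog()
    {
        require_once('include/MySugar/DashletsDialog/DashletsDialog.php');

        global $current_language, $app_strings;

        $DashletsDialog = new DashletsDialog();
        $DashletsDialog->getDashlets();
        $allDashlets = $DashletsDialog->dashlets;

        $dashletsList = isset($allDashlets['Module Views']) ? $allDashlets['Module Views'] : null;
        $chartsList = isset($allDashlets['Charts']) ? $allDashlets['Charts'] : null;
        $toolsList = isset($allDashlets['Tools']) ? $allDashlets['Tools'] : null;

        $sugar_smarty = new Sugar_Smarty();
        $mod_strings = return_module_language($current_language, 'Home');

        $sugar_smarty->assign('LBL_CLOSE_DASHLETS', $mod_strings['LBL_CLOSE_DASHLETS']);
        $sugar_smarty->assign('LBL_ADD_DASHLETS', $mod_strings['LBL_ADD_DASHLETS']);
        $sugar_smarty->assign('APP', $app_strings);
        $sugar_smarty->assign('moduleName', $this->type);

        if ($this->type == 'Home') {
            $sugar_smarty->assign('modules', $dashletsList);
            $sugar_smarty->assign('tools', $toolsList);
        }
        $sugar_smarty->assign('charts', $chartsList);

        $html = $sugar_smarty->fetch('include/MySugar/tpls/addDashletsDialog.tpl');
        // Bug 34451 - Added hack to make the "Add Dashlet" dialog window not look weird in IE6.
        $script = <<<EOJS
if (YAHOO.env.ua.ie > 5 && YAHOO.env.ua.ie < 7) {
    document.getElementById('dashletsList').style.width = '430px';
    document.getElementById('dashletsList').style.overflow = 'hidden';
}
EOJS;

        $json = getJSONobj();
        echo 'response = ' . $json->encode(array('html' => $html, 'script' => $script));
    }

    /**
     * Case-insensitively filter the 'module' or 'tools' dashlets by title and
     * render the result list.
     *
     * @param string $searchStr Substring to look for in each dashlet title.
     * @param string $category  'module' or 'tools'; anything else yields an empty result.
     * @return string Rendered dashletsSearchResults.tpl.
     *
     * NOTE(review): $searchStr is request input and is assigned to the template
     * as 'searchString'; escaping is the template's responsibility -- confirm it
     * is not output raw.
     */
    public function searchModuleToolsDashlets($searchStr, $category)
    {
        require_once('include/MySugar/DashletsDialog/DashletsDialog.php');

        global $app_strings;

        $DashletsDialog = new DashletsDialog();
        $dashletIndex = '';
        $searchCategoryString = '';

        switch ($category) {
            case 'module':
                $DashletsDialog->getDashlets('module');
                $dashletIndex = 'Module Views';
                $searchCategoryString = $app_strings['LBL_SEARCH_MODULES'];
                break;
            case 'tools':
                $DashletsDialog->getDashlets('tools');
                $dashletIndex = 'Tools';
                $searchCategoryString = $app_strings['LBL_SEARCH_TOOLS'];
                break; // the original fell through into an empty default; behaviour unchanged
            default:
                break;
        }
        $allDashlets = $DashletsDialog->dashlets;

        $matches = array();
        $candidates = isset($allDashlets[$dashletIndex]) && is_array($allDashlets[$dashletIndex])
            ? $allDashlets[$dashletIndex] : array();
        $needle = is_scalar($searchStr) ? (string) $searchStr : '';
        foreach ($candidates as $dashlet) {
            $title = isset($dashlet['title']) ? (string) $dashlet['title'] : '';
            if (stripos($title, $needle) !== false) {
                $matches[] = $dashlet;
            }
        }

        $sugar_smarty = new Sugar_Smarty();
        $sugar_smarty->assign('lblSearchResults', $app_strings['LBL_SEARCH_RESULTS']);
        $sugar_smarty->assign('lblSearchCategory', $searchCategoryString);
        $sugar_smarty->assign('moduleName', $this->type);
        $sugar_smarty->assign('searchString', $searchStr);
        $sugar_smarty->assign('dashlets', $matches);

        return $sugar_smarty->fetch('include/MySugar/tpls/dashletsSearchResults.tpl');
    }

    /**
     * Case-insensitively filter the chart dashlets by title and render the
     * result list.
     *
     * @param string $searchStr Substring to look for in each dashlet title.
     * @return string Rendered chartDashletsSearchResults.tpl.
     *
     * NOTE(review): as in searchModuleToolsDashlets(), $searchStr reaches the
     * template unescaped; confirm the template escapes 'searchString'.
     */
    public function searchChartsDashlets($searchStr)
    {
        require_once('include/MySugar/DashletsDialog/DashletsDialog.php');

        global $current_language, $app_strings;

        $DashletsDialog = new DashletsDialog();
        $DashletsDialog->getDashlets('charts');
        $allDashlets = $DashletsDialog->dashlets;

        $needle = is_scalar($searchStr) ? (string) $searchStr : '';
        $searchResult = array();
        if (is_array($allDashlets)) {
            foreach ($allDashlets as $category => $dashlets) {
                $searchResult[$category] = array();
                if (!is_array($dashlets)) {
                    continue;
                }
                foreach ($dashlets as $dashlet) {
                    $title = isset($dashlet['title']) ? (string) $dashlet['title'] : '';
                    if (stripos($title, $needle) !== false) {
                        $searchResult[$category][] = $dashlet;
                    }
                }
            }
        }

        $sugar_smarty = new Sugar_Smarty();
        $sugar_smarty->assign('lblSearchResults', $app_strings['LBL_SEARCH_RESULTS']);
        $sugar_smarty->assign('searchString', $searchStr);
        $sugar_smarty->assign('charts', isset($searchResult['Charts']) ? $searchResult['Charts'] : array());

        return $sugar_smarty->fetch('include/MySugar/tpls/chartDashletsSearchResults.tpl');
    }

    /**
     * Dispatch a dashlet search ($_REQUEST['search'], $_REQUEST['category'])
     * to the module/tools or chart search and emit the result as a
     * `response = {...}` JSON assignment. An unknown category yields empty
     * HTML (the original left $html undefined and encoded null).
     */
    public function searchDashlets()
    {
        $searchStr = isset($_REQUEST['search']) && is_scalar($_REQUEST['search'])
            ? (string) $_REQUEST['search'] : '';
        $category = isset($_REQUEST['category']) && is_scalar($_REQUEST['category'])
            ? (string) $_REQUEST['category'] : '';

        $html = '';
        if ($category === 'module' || $category === 'tools') {
            $html = $this->searchModuleToolsDashlets($searchStr, $category);
        } elseif ($category === 'chart') {
            $html = $this->searchChartsDashlets($searchStr);
        }

        $json = getJSONobj();
        echo 'response = ' . $json->encode(array('html' => $html, 'script' => ''));
    }

    /**
     * Configure the dashlet named by $_REQUEST['id'].
     *
     * With 'configure' truthy the dashlet's saveOptions($_REQUEST) result is
     * stored as its 'options' and nothing is returned. Otherwise the options
     * form is returned as a `result = {...}` JSON assignment (header: title and
     * LBL_OPTIONS, body: displayOptions()).
     *
     * @return string|null '0' when there is no usable id or no loadable
     *                     definition for it; null after saving; the JSON
     *                     assignment string when displaying the form.
     */
    public function configureDashlet()
    {
        global $current_user, $app_strings, $mod_strings;

        $id = $this->requestedDashletId();
        if ($id === null) {
            return '0';
        }

        $dashletDefs = $current_user->getPreference('dashlets', $this->type); // load user's dashlets config
        $dashlet = $this->instantiateDashlet($id, $dashletDefs);
        if ($dashlet === null) {
            return '0';
        }

        if (!empty($_REQUEST['configure'])) { // save settings
            $dashletDefs[$id]['options'] = $dashlet->saveOptions($_REQUEST);
            $current_user->setPreference('dashlets', $dashletDefs, 0, $this->type);
            return null;
        }

        // display options
        $json = getJSONobj();
        return 'result = ' . $json->encode(array(
            'header' => $dashlet->title . ' : ' . $app_strings['LBL_OPTIONS'],
            'body' => $dashlet->displayOptions(),
        ));
    }

    /**
     * Store a new column layout for one page of the dashboard.
     *
     * $_REQUEST['layout'] is "col0ids|col1ids|..." with each column a
     * comma-separated list of dashlet guids; $_REQUEST['selectedPage'] selects
     * the page (missing -> key '', as in the original). Columns not mentioned
     * keep their previous contents.
     *
     * NOTE(review): the ids are stored as sent and are not checked against the
     * user's 'dashlets' preference; displayDashlet() refuses ids with no stored
     * definition, so unknown ids are inert but still persisted.
     *
     * @return string '1' on success, '0' when no layout string was supplied.
     */
    public function saveLayout()
    {
        global $current_user;

        if (empty($_REQUEST['layout']) || !is_string($_REQUEST['layout'])) {
            return '0';
        }
        if (isset($_REQUEST['selectedPage']) && !is_scalar($_REQUEST['selectedPage'])) {
            return '0';
        }
        $selectedPage = isset($_REQUEST['selectedPage']) ? (string) $_REQUEST['selectedPage'] : '';

        $pages = $current_user->getPreference('pages', $this->type);
        $newColumns = isset($pages[$selectedPage]['columns']) ? $pages[$selectedPage]['columns'] : array();

        foreach (explode('|', $_REQUEST['layout']) as $col => $ids) {
            $newColumns[$col]['dashlets'] = explode(',', $ids);
        }

        $pages[$selectedPage]['columns'] = $newColumns;
        $current_user->setPreference('pages', $pages, 0, $this->type);

        return '1';
    }
}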
||
442 |