From 632f1566be6d3a0f153ed1e7fbe4a0716d260d63 Mon Sep 17 00:00:00 2001
From: Marius Burkard <m.burkard@pixcept.de>
Date: Wed, 02 Mar 2016 07:18:56 -0500
Subject: [PATCH] - removed unneeded security check (Fixes #3785)

---
 interface/lib/classes/tform_actions.inc.php |   35 ++++++++++++++++++-----------------
 1 files changed, 18 insertions(+), 17 deletions(-)

diff --git a/interface/lib/classes/tform_actions.inc.php b/interface/lib/classes/tform_actions.inc.php
index 82d747f..7ab09ae 100644
--- a/interface/lib/classes/tform_actions.inc.php
+++ b/interface/lib/classes/tform_actions.inc.php
@@ -46,7 +46,7 @@
 		$app->tpl->newTemplate("tabbed_form.tpl.htm");
 
 		// Load table definition from file
-		$app->tform->loadFormDef($tform_def_file);
+		$app->tform->loadFormDef($tform_def_file, (isset($_SESSION['s']['module']['name']) ? $_SESSION['s']['module']['name'] : ''));
 
 		// Importing ID
 		$this->id = (isset($_REQUEST["id"]))?$app->functions->intval($_REQUEST["id"]):0;
@@ -82,7 +82,7 @@
 		// check if the client is locked - he may not change anything, then.
 		if(!$app->auth->is_admin()) {
 			$client_group_id = $app->functions->intval($_SESSION["s"]["user"]["default_group"]);
-			$client = $app->db->queryOneRecord("SELECT client.locked FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ".$app->functions->intval($client_group_id));
+			$client = $app->db->queryOneRecord("SELECT client.locked FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $client_group_id);
 			if(is_array($client) && $client['locked'] == 'y') {
 				$app->tform->errorMessage .= $app->lng("client_you_are_locked")."<br />";
 			}
@@ -106,6 +106,7 @@
 		global $app, $conf;
 
 		$this->onBeforeUpdate();
+		$app->plugin->raiseEvent($_SESSION['s']['module']['name'].':'.$app->tform->formDef['name'].':'.'on_before_update', $this);
 
 		$ext_where = '';
 		$sql = $app->tform->getSQL($this->dataRecord, $app->tform->getCurrentTab(), 'UPDATE', $this->id, $ext_where);
@@ -190,6 +191,7 @@
 		global $app, $conf;
 
 		$this->onBeforeInsert();
+		$app->plugin->raiseEvent($_SESSION['s']['module']['name'].':'.$app->tform->formDef['name'].':'.'on_before_insert', $this);
 
 		$ext_where = '';
 		$sql = $app->tform->getSQL($this->dataRecord, $app->tform->getCurrentTab(), 'INSERT', $this->id, $ext_where);
@@ -309,7 +311,6 @@
 				if($app->tform->checkPerm($this->id, 'd') == false) $app->error($app->lng('error_no_delete_permission'));
 			}
 
-			//$this->dataRecord = $app->db->queryOneRecord("SELECT * FROM ".$liste["table"]." WHERE ".$liste["table_idx"]." = ".$this->id);
 			$this->dataRecord = $app->tform->getDataRecord($this->id);
 
 			$app->plugin->raiseEvent($_SESSION['s']['module']['name'].':'.$app->tform->formDef['name'].':'.'on_check_delete', $this);
@@ -322,7 +323,7 @@
 				$app->tform->datalogSave('DELETE', $this->id, $this->dataRecord, array());
 			}
 
-			$app->db->query("DELETE FROM ".$app->tform->formDef['db_table']." WHERE ".$app->tform->formDef['db_table_idx']." = ".$this->id." LIMIT 1");
+			$app->db->query("DELETE FROM ?? WHERE ?? = ? LIMIT 1", $app->tform->formDef['db_table'], $app->tform->formDef['db_table_idx'], $this->id);
 
 
 			// loading plugins
@@ -377,11 +378,11 @@
 		$app->tpl->setInclude("content_tpl", $app->tform->formDef['template_print']);
 
 		if($app->tform->formDef['auth'] == 'no') {
-			$sql = "SELECT * FROM ".$app->tform->formDef['db_table']." WHERE ".$app->tform->formDef['db_table_idx']." = ".$this->id;
+			$sql = "SELECT * FROM ?? WHERE ?? = ?";
 		} else {
-			$sql = "SELECT * FROM ".$app->tform->formDef['db_table']." WHERE ".$app->tform->formDef['db_table_idx']." = ".$this->id." AND ".$app->tform->getAuthSQL('r');
+			$sql = "SELECT * FROM ?? WHERE ?? = ? AND ".$app->tform->getAuthSQL('r');
 		}
-		if(!$record = $app->db->queryOneRecord($sql)) $app->error($app->lng('error_no_view_permission'));
+		if(!$record = $app->db->queryOneRecord($sql, $app->tform->formDef['db_table'], $app->tform->formDef['db_table_idx'], $this->id)) $app->error($app->lng('error_no_view_permission'));
 
 		$record["datum"] = date("d.m.Y");
 
@@ -421,11 +422,11 @@
 			$app->tpl->setInclude("content_tpl", $app->tform->formDef['template_mailsend']);
 			$app->tpl->setVar('show_mail', 1);
 			if($app->tform->formDef['auth'] == 'no') {
-				$sql = "SELECT * FROM ".$app->tform->formDef['db_table']." WHERE ".$app->tform->formDef['db_table_idx']." = ".$this->id;
+				$sql = "SELECT * FROM ?? WHERE ?? = ?";
 			} else {
-				$sql = "SELECT * FROM ".$app->tform->formDef['db_table']." WHERE ".$app->tform->formDef['db_table_idx']." = ".$this->id." AND ".$app->tform->getAuthSQL('r');
+				$sql = "SELECT * FROM ?? WHERE ?? = ? AND ".$app->tform->getAuthSQL('r');
 			}
-			if(!$record = $app->db->queryOneRecord($sql)) $app->error($app->lng('error_no_view_permission'));
+			if(!$record = $app->db->queryOneRecord($sql, $app->tform->formDef['db_table'], $app->tform->formDef['db_table_idx'], $this->id)) $app->error($app->lng('error_no_view_permission'));
 
 			$record["datum"] = date("d.m.Y");
 			$record["mailmessage"] = $_POST["message"];
@@ -457,11 +458,11 @@
 
 
 		if($app->tform->formDef['auth'] == 'no') {
-			$sql = "SELECT * FROM ".$app->tform->formDef['db_table']." WHERE ".$app->tform->formDef['db_table_idx']." = ".$this->id;
+			$sql = "SELECT * FROM ?? WHERE ?? = ?";
 		} else {
-			$sql = "SELECT * FROM ".$app->tform->formDef['db_table']." WHERE ".$app->tform->formDef['db_table_idx']." = ".$this->id." AND ".$app->tform->getAuthSQL('r');
+			$sql = "SELECT * FROM ?? WHERE ?? = ? AND ".$app->tform->getAuthSQL('r');
 		}
-		if(!$record = $app->db->queryOneRecord($sql)) $app->error($app->lng('error_no_view_permission'));
+		if(!$record = $app->db->queryOneRecord($sql, $app->tform->formDef['db_table'], $app->tform->formDef['db_table_idx'], $this->id)) $app->error($app->lng('error_no_view_permission'));
 
 		$record["datum"] = date("d.m.Y");
 
@@ -558,11 +559,11 @@
 		// bestehenden Datensatz anzeigen
 		if($app->tform->errorMessage == '') {
 			if($app->tform->formDef['auth'] == 'yes' && $_SESSION["s"]["user"]["typ"] != 'admin') {
-				$sql = "SELECT * FROM ".$app->tform->formDef['db_table']." WHERE ".$app->tform->formDef['db_table_idx']." = ".$this->id." AND ".$app->tform->getAuthSQL('r');
+				$sql = "SELECT * FROM ?? WHERE ?? = ? AND ".$app->tform->getAuthSQL('r');
 			} else {
-				$sql = "SELECT * FROM ".$app->tform->formDef['db_table']." WHERE ".$app->tform->formDef['db_table_idx']." = ".$this->id;
+				$sql = "SELECT * FROM ?? WHERE ?? = ?";
 			}
-			if(!$record = $app->db->queryOneRecord($sql)) $app->error($app->lng('error_no_view_permission'));
+			if(!$record = $app->db->queryOneRecord($sql, $app->tform->formDef['db_table'], $app->tform->formDef['db_table_idx'], $this->id)) $app->error($app->lng('error_no_view_permission'));
 		} else {
 			// $record = $app->tform->encode($_POST,$this->active_tab);
 			$record = $app->tform->encode($this->dataRecord, $this->active_tab, false);
@@ -593,7 +594,7 @@
 				$app->load($plugin_class);
 				$this->plugins[$plugin_name] = new $plugin_class;
 				$this->plugins[$plugin_name]->setOptions($plugin_name, $plugin_settings['options']);
-				// Make the data of the form easily accessible for the plugib
+				// Make the data of the form easily accessible for the plugin
 				$this->plugins[$plugin_name]->form = $this;
 				$this->plugins[$plugin_name]->onLoad();
 			}

--
Gitblit v1.9.1