From: Tim Otten
Date: Tue, 23 Aug 2016 22:56:10 +0000 (-0700)
Subject: CRM-15925 - CRM_Contact_Import_Form_DataSource - Enforce permissions
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=8ccb59ba19f5a4f986e0d72b7403a060556c04ac;p=civicrm-core.git
CRM-15925 - CRM_Contact_Import_Form_DataSource - Enforce permissions
---
diff --git a/CRM/Contact/Import/Form/DataSource.php b/CRM/Contact/Import/Form/DataSource.php
index 004966f7ec..b6b1ff5a32 100644
--- a/CRM/Contact/Import/Form/DataSource.php
+++ b/CRM/Contact/Import/Form/DataSource.php
@@ -112,13 +112,17 @@ class CRM_Contact_Import_Form_DataSource extends CRM_Core_Form {
 $this->assign('showOnlyDataSourceFormPane', TRUE);
 }
- if (strpos($this->_dataSource, 'CRM_Import_DataSource_') === 0) {
+ $dataSources = $this->_getDataSources();
+ if ($this->_dataSource && isset($dataSources[$this->_dataSource])) {
 $this->_dataSourceIsValid = TRUE;
 $this->assign('showDataSourceFormPane', TRUE);
 $dataSourcePath = explode('_', $this->_dataSource);
 $templateFile = "CRM/Contact/Import/Form/" . $dataSourcePath[3] . ".tpl";
 $this->assign('dataSourceFormTemplateFile', $templateFile);
 }
+ elseif ($this->_dataSource) {
+ throw new \CRM_Core_Exception("Invalid data source");
+ }
 }
 /**
@@ -259,6 +263,11 @@ class CRM_Contact_Import_Form_DataSource extends CRM_Core_Form {
 * @throws Exception
 */
 private function _getDataSources() {
+ // Hmm... file-system scanners don't really belong in forms...
+ if (isset(Civi::$statics[__CLASS__]['datasources'])) {
+ return Civi::$statics[__CLASS__]['datasources'];
+ }
+
 // Open the data source dir and scan it for class files
 global $civicrm_root;
 $dataSourceDir = $civicrm_root . DIRECTORY_SEPARATOR . 'CRM' . DIRECTORY_SEPARATOR . 'Import' . DIRECTORY_SEPARATOR . 'DataSource' . DIRECTORY_SEPARATOR;
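Review bot: In the first hunk (@@ -112) the new `isset($dataSources[$this->_dataSource])` lookup is what now keeps `$dataSourcePath[3]` safe to concatenate into the template path, but nothing at the check says the list is a permission-filtered allowlist. I would add a comment above it such as `// Allowlist of data sources the current user may use; this lookup also bounds the template path built below.` The `elseif` branch throws the same "Invalid data source" for unknown and for denied classes, which avoids disclosing which sources exist, but the rejected value is not recorded anywhere in the hunk; logging it before the throw would make repeated invalid requests visible to operators. The enclosing method starts above the hunk, so how `_dataSource` is read from the request cannot be checked here.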
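Review bot: In the second hunk (@@ -259) the list cached under `Civi::$statics[__CLASS__]['datasources']` is the output of a per-user `checkPermission()` filter (the third hunk applies the filter and writes the cache), yet the cache key is only the class name. Within one web request that is harmless, but if the acting user can change inside a single process (test runs, CLI or queue workers; inferred, not visible on this page) the first user's list would be reused for the allowlist check in the first hunk. Keying the entry by the current contact, e.g. `Civi::$statics[__CLASS__]['datasources'][$cid]` with `$cid = CRM_Core_Session::getLoggedInContactID();`, or a comment stating the per-request assumption, would close that gap. The function body continues past the end of this hunk.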
@@ -280,10 +289,14 @@ class CRM_Contact_Import_Form_DataSource extends CRM_Core_Form {
 require_once $dataSourceDir . DIRECTORY_SEPARATOR . $dataSourceFile;
 $object = new $dataSourceClass();
 $info = $object->getInfo();
- $dataSources[$dataSourceClass] = $info['title'];
+ if ($object->checkPermission()) {
+ $dataSources[$dataSourceClass] = $info['title'];
+ }
 }
 }
 closedir($dataSourceHandle);
+
+ Civi::$statics[__CLASS__]['datasources'] = $dataSources;
 return $dataSources;
 }
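Review bot: In the third hunk (@@ -280) `checkPermission()` is called on whatever class the directory scan instantiates, and only after `new $dataSourceClass()` and `getInfo()` have already run. If a file in that directory does not define the method, the call is a fatal error rather than a denial; whether the base class declares it is not visible on this page. I would test the type first so the filter fails closed, `if ($object instanceof CRM_Import_DataSource && $object->checkPermission()) {`, and move `$info = $object->getInfo();` inside that branch. The scanning loop starts above the hunk.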