From: William Mortada
Date: Mon, 16 Oct 2017 11:01:44 +0000 (+0100)
Subject: Check that the user in logged in and has permissions to adminster site configuration...
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=bb79149d74998c12cb0a8370b0c5b7f4c01026b3;p=civicrm-core.git

Check that the user in logged in and has permissions to adminster site configuration (Drupal only)

This is necessary because the script exposes the database settings in the form and these could be viewed by unauthorised users
---

diff --git a/install/index.php b/install/index.php
index 6209ef0209..d0bb8db17e 100644
--- a/install/index.php
+++ b/install/index.php
@@ -257,8 +257,20 @@ if ($installType == 'drupal') {
 }
 }
- // Bootstrap Drupal to get settings
- drupal_bootstrap(DRUPAL_BOOTSTRAP_CONFIGURATION);
+ // Bootstrap Drupal to get settings and user
+ $base_root = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 'https' : 'http';
+ $base_root .= '://' . $_SERVER['HTTP_HOST'];
+ $base_url = $base_root;
+ drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
+
+ // Check that user is logged in and has administrative permissions
+ // This is necessary because the script exposes the database settings in the form and these could be viewed by unauthorised users
+ if ((!function_exists('user_access')) || (!user_access('administer site configuration'))) {
+ $errorTitle = ts("You don't have permission to access this page");
+ $errorMsg = ts("The installer can only be run by a user with the permission to administer site configuration.");
+ errorDisplayPage($errorTitle, $errorMsg);
+ exit();
+ }
 if (!defined('VERSION') or version_compare(VERSION, '6.0') < 0) {
 $errorTitle = ts("Oops! Incorrect Drupal version");
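Review bot: `$base_url` is assembled from the client-supplied `Host` header and a loose `$_SERVER['HTTPS'] == 'on'` compare, so the value handed to `drupal_bootstrap()` is attacker-influenced and, behind a TLS-terminating proxy where `HTTPS` is unset, will carry an `http` scheme; Drupal's own derivation (which the removed `DRUPAL_BOOTSTRAP_CONFIGURATION` path relied on) normalises with `strtolower()` and, as far as I recall for Drupal 7, rejects a malformed `HTTP_HOST` but does not pin it to a known domain. The assignment presumably exists so that the session cookie name Drupal derives from `$base_url` matches the main site rather than the installer's subdirectory — the hunk does not say — so a comment would keep a later maintainer from reusing `$base_root` for links or redirects: `// Point $base_url at the site root so Drupal resolves the main site's session cookie; HTTP_HOST is client-controlled — never reuse this value for links or redirects.` Tightening the scheme test to `(isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) === 'on')` and guarding `isset($_SERVER['HTTP_HOST'])` before the concatenation costs nothing. The new gate is authorisation only: an administrator who is already logged in can still be driven through this form cross-site if it carries no per-session token (none is visible in this hunk), which matters for a form that accepts database credentials and runs the installer. The enclosing `if ($installType == 'drupal')` block starts before the hunk.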