From: Tim Otten
Date: Tue, 23 Aug 2016 22:56:10 +0000 (-0700)
Subject: CRM-15925 - CRM_Contact_Import_Form_DataSource - Enforce permissions
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=d21e5a1eb1dca039700bcdfe93ff5af59ea67181;p=civicrm-core.git
CRM-15925 - CRM_Contact_Import_Form_DataSource - Enforce permissions
---
diff --git a/CRM/Contact/Import/Form/DataSource.php b/CRM/Contact/Import/Form/DataSource.php
index b18665b776..1c279842de 100644
--- a/CRM/Contact/Import/Form/DataSource.php
+++ b/CRM/Contact/Import/Form/DataSource.php
@@ -117,13 +117,17 @@ class CRM_Contact_Import_Form_DataSource extends CRM_Core_Form {
 $this->assign('showOnlyDataSourceFormPane', TRUE);
 }
- if (strpos($this->_dataSource, 'CRM_Import_DataSource_') === 0) {
+ $dataSources = $this->_getDataSources();
+ if ($this->_dataSource && isset($dataSources[$this->_dataSource])) {
 $this->_dataSourceIsValid = TRUE;
 $this->assign('showDataSourceFormPane', TRUE);
 $dataSourcePath = explode('_', $this->_dataSource);
 $templateFile = "CRM/Contact/Import/Form/" . $dataSourcePath[3] . ".tpl";
 $this->assign('dataSourceFormTemplateFile', $templateFile);
 }
+ elseif ($this->_dataSource) {
+ throw new \CRM_Core_Exception("Invalid data source");
+ }
 }
 /**
@@ -271,6 +275,11 @@ class CRM_Contact_Import_Form_DataSource extends CRM_Core_Form {
 * @throws Exception
 */
 private function _getDataSources() {
+ // Hmm... file-system scanners don't really belong in forms...
+ if (isset(Civi::$statics[__CLASS__]['datasources'])) {
+ return Civi::$statics[__CLASS__]['datasources'];
+ }
+ // Open the data source dir and scan it for class files
 $config = CRM_Core_Config::singleton();
 $dataSourceDir = $config->importDataSourceDir;
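Review bot: The template path is still built from `$dataSourcePath[3]`, but the prefix test that guaranteed a fourth underscore-separated segment has been removed; the new `isset($dataSources[$this->_dataSource])` check only proves the class name was returned by `_getDataSources()`. Whether that scanner restricts class names to `CRM_Import_DataSource_*` is not visible in this diff, so a comment above the `explode()` line such as `// Keys of $dataSources are CRM_Import_DataSource_* class names, so segment 3 is the short name` would record the assumption, or the segment could be checked with `isset($dataSourcePath[3])` before use. The enclosing method starts before the hunk.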
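Review bot: The list cached in `Civi::$statics[__CLASS__]['datasources']` is permission-filtered (it is stored in the last hunk after the `checkPermission()` filter), yet the cache key carries no user identity. If the effective user can change during the lifetime of `Civi::$statics`, which cannot be determined from this diff, a later caller would receive the earlier user's list and the allowlist check in the first hunk would be evaluated against it. A comment such as `// Per-request cache; the list is already permission-filtered for the current user` would document the assumption, or the key could include the current contact id. The function body continues past the hunk.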
@@ -292,10 +301,14 @@ class CRM_Contact_Import_Form_DataSource extends CRM_Core_Form {
 require_once $dataSourceDir . DIRECTORY_SEPARATOR . $dataSourceFile;
 $object = new $dataSourceClass();
 $info = $object->getInfo();
- $dataSources[$dataSourceClass] = $info['title'];
+ if ($object->checkPermission()) {
+ $dataSources[$dataSourceClass] = $info['title'];
+ }
 }
 }
 closedir($dataSourceHandle);
+
+ Civi::$statics[__CLASS__]['datasources'] = $dataSources;
 return $dataSources;
 }
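Review bot: `$object->checkPermission()` is called on whatever class the directory scan produced, so a data source class that lacks the method would raise a fatal error for every user of the form instead of simply being left out of the list. The base type of `$dataSourceClass` is not visible here; if it is not guaranteed, the filter can fail closed with `if (method_exists($object, 'checkPermission') && $object->checkPermission()) {`. `$info = $object->getInfo();` could also move inside the `if`, since the title is only needed for permitted sources. The scanning loop begins before the hunk.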