Do not allow upload in restricted mode

2026-06-28 06:56:05 +00:00 · 2026-04-30 16:47:57 +03:00
parent c5c8c1bcbc
commit c75932a0e8
2 changed files with 32 additions and 26 deletions
--- a/application/Espo/Controllers/Admin.php
+++ b/application/Espo/Controllers/Admin.php
@@ -101,16 +101,7 @@ class Admin
     */
    public function postActionUploadUpgradePackage(Request $request): object
    {
-        if (
-            $this->config->get('restrictedMode') &&
-            !$this->user->isSuperAdmin()
-        ) {
-            throw new Forbidden();
-        }
-
-        if ($this->config->get('adminUpgradeDisabled')) {
-            throw new Forbidden("Disabled with 'adminUpgradeDisabled' parameter.");
-        }
+        $this->assertUpgradeAllowed();

        $data = $request->getBodyContents();

@@ -137,12 +128,7 @@ class Admin
    {
        $data = $request->getParsedBody();

-        if (
-            $this->config->get('restrictedMode') &&
-            !$this->user->isSuperAdmin()
-        ) {
-            throw new Forbidden();
-        }
+        $this->assertUpgradeAllowed();

        $upgradeManager = new UpgradeManager($this->container);

@@ -190,4 +176,18 @@ class Admin

        return (object) $this->systemRequirements->getAllRequiredList();
    }
+
+    /**
+     * @throws Forbidden
+     */
+    private function assertUpgradeAllowed(): void
+    {
+        if ($this->config->get('restrictedMode')) {
+            throw new Forbidden("Not allowed in restricted mode.");
+        }
+
+        if ($this->config->get('adminUpgradeDisabled')) {
+            throw new Forbidden("Disabled with 'adminUpgradeDisabled' parameter.");
+        }
+    }
 }
--- a/application/Espo/Controllers/Extension.php
+++ b/application/Espo/Controllers/Extension.php
@@ -53,13 +53,7 @@ class Extension extends RecordBase
     */
    public function postActionUpload(Request $request): stdClass
    {
-        if ($this->config->get('restrictedMode') && !$this->user->isSuperAdmin()) {
-            throw new Forbidden();
-        }
-
-        if ($this->config->get('adminUpgradeDisabled')) {
-            throw new Forbidden("Disabled with 'adminUpgradeDisabled' parameter.");
-        }
+        $this->assertUpgradeAllowed();

        $body = $request->getBodyContents();

@@ -127,9 +121,7 @@ class Extension extends RecordBase
    {
        $params = $request->getRouteParams();

-        if ($this->config->get('restrictedMode') && !$this->user->isSuperAdmin()) {
-            throw new Forbidden();
-        }
+        $this->assertUpgradeAllowed();

        $manager = $this->createManager();

@@ -152,4 +144,18 @@ class Extension extends RecordBase
    {
        return $this->injectableFactory->create(ExtensionManager::class);
    }
+
+    /**
+     * @throws Forbidden
+     */
+    private function assertUpgradeAllowed(): void
+    {
+        if ($this->config->get('restrictedMode')) {
+            throw new Forbidden("Not allowed in restricted mode.");
+        }
+
+        if ($this->config->get('adminUpgradeDisabled')) {
+            throw new Forbidden("Disabled with 'adminUpgradeDisabled' parameter.");
+        }
+    }
 }