From aa4376ca04d56d80bebf837b6df7b8862ad7de10 Mon Sep 17 00:00:00 2001
From: jf-cbd
Date: Wed, 27 Nov 2024 14:47:44 +0100
Subject: [PATCH] security hardening
---
 .../portal/src/Controller/ObjectController.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php b/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php
index c9104cf9f2..c99f85ccb6 100644
--- a/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php
@@ -1228,6 +1228,8 @@ public function GetInformationAsJsonAction(Request $oRequest)
 $oRequestManipulator = $this->get('request_manipulator');
 /** @var \Combodo\iTop\Portal\Helper\ScopeValidatorHelper $oScopeValidator */
 $oScopeValidator = $this->get('scope_validator');
+ /** @var \Combodo\iTop\Portal\Helper\SecurityHelper $oSecurityHelper */
+ $oSecurityHelper = $this->get('security_helper');
 $aData = array();
@@ -1246,7 +1248,8 @@ public function GetInformationAsJsonAction(Request $oRequest)
 $bIgnoreSilos = $oScopeValidator->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass);
 $aParams = array('objects_id' => $aObjectIds);
 $oSearch = DBObjectSearch::FromOQL("SELECT $sObjectClass WHERE id IN (:objects_id)");
- if ($bIgnoreSilos === true)
+ $oScopeValidator->AddScopeToQuery($oSearch, $sObjectClass);
+ if ($bIgnoreSilos === true)
 {
 $oSearch->AllowAllData();
 }
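Review bot: The result of the new `$oScopeValidator->AddScopeToQuery($oSearch, $sObjectClass);` call in the second hunk is discarded; if that helper signals "no scope defined for this class/profile" through its return value rather than by throwing (its contract is not visible here), a class with no applicable scope would fall through to the unrestricted query instead of being refused. Worth confirming against the helper and, if it does return a status, guarding it: `if (!$oScopeValidator->AddScopeToQuery($oSearch, $sObjectClass)) { throw new HttpException(Response::HTTP_NOT_FOUND, Dict::S('UI:ObjectDoesNotExist')); }`. Note also that `AllowAllData()` is still applied after the scope on the following lines, so the silo bypass and the scope restriction now compose; a comment such as `// Scope narrows the class/OQL; AllowAllData only lifts the organization silo` would make that intent explicit to the next reader. GetInformationAsJsonAction starts and ends outside these hunks.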
@@ -1263,6 +1266,12 @@ public function GetInformationAsJsonAction(Request $oRequest)
 // Retrieving objects
 while ($oObject = $oSet->Fetch())
 {
+ $sObjectId = $oObject->Get('id');
+ if (!$oSecurityHelper->IsActionAllowed(UR_ACTION_READ, $sObjectClass, $sObjectId))
+ {
+ IssueLog::Warning(__METHOD__.' at line '.__LINE__.' : User #'.UserRights::GetUserId().' not allowed to read '.$sObjectClass.'::'.$sObjectId.' object.');
+ throw new HttpException(Response::HTTP_NOT_FOUND, Dict::S('UI:ObjectDoesNotExist'));
+ }
 $aData['items'][] = $this->PrepareObjectInformation($oObject, $aObjectAttCodes);
 }
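Review bot: Denying a single object now aborts the whole response with a 404, whereas an id filtered out by the scope added to the query earlier in this method is simply absent from `$aData['items']`; the two access layers answer the same condition (caller asked for an id it may not read) differently, and that should at least be stated as deliberate. If the per-object check is meant to be fail-closed, a comment on the new `if` such as `// Fail closed: one unreadable id hides the whole batch rather than revealing which ids exist` documents it; if the batch should degrade instead, `continue;` in place of the `throw` is the alternative. Keeping the user id and object id only in the server-side `IssueLog::Warning` while the client receives the generic `UI:ObjectDoesNotExist` message is the right split and should stay that way. Two smaller points: `$oObject->Get('id')` is probably `$oObject->GetKey()` elsewhere in this codebase (I cannot see this file's convention), and the new lines assume `HttpException` and `Response` are already imported at the top of the file, which is outside this hunk, as is the end of the enclosing method.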