mirror of
https://github.com/Combodo/iTop.git
synced 2026-05-20 15:52:24 +02:00
Merge remote-tracking branch 'origin/support/2.7' into support/3.0
# Conflicts: # composer.json # composer.lock # core/config.class.inc.php # core/dbobject.class.php # core/email.class.inc.php # datamodels/2.x/itop-core-update/dictionaries/hu.dict.itop-core-update.php # datamodels/2.x/itop-core-update/dictionaries/it.dict.itop-core-update.php # datamodels/2.x/itop-core-update/dictionaries/ja.dict.itop-core-update.php # datamodels/2.x/itop-core-update/dictionaries/nl.dict.itop-core-update.php # datamodels/2.x/itop-core-update/dictionaries/ru.dict.itop-core-update.php # datamodels/2.x/itop-core-update/dictionaries/sk.dict.itop-core-update.php # datamodels/2.x/itop-core-update/dictionaries/tr.dict.itop-core-update.php # datamodels/2.x/itop-core-update/dictionaries/zh_cn.dict.itop-core-update.php # datamodels/2.x/itop-core-update/pt_br.dict.itop-core-update.php # datamodels/2.x/itop-core-update/view/ConfirmUpdate.html.twig # datamodels/2.x/itop-portal-base/portal/src/Twig/AppExtension.php # datamodels/2.x/itop-tickets/datamodel.itop-tickets.xml # datamodels/2.x/itop-welcome-itil/datamodel.itop-welcome-itil.xml # dictionaries/cs.dictionary.itop.core.php # dictionaries/cs.dictionary.itop.ui.php # dictionaries/da.dictionary.itop.core.php # dictionaries/da.dictionary.itop.ui.php # dictionaries/de.dictionary.itop.core.php # dictionaries/de.dictionary.itop.ui.php # dictionaries/en.dictionary.itop.ui.php # dictionaries/es_cr.dictionary.itop.core.php # dictionaries/es_cr.dictionary.itop.ui.php # dictionaries/fr.dictionary.itop.core.php # dictionaries/fr.dictionary.itop.ui.php # dictionaries/hu.dictionary.itop.core.php # dictionaries/hu.dictionary.itop.ui.php # dictionaries/it.dictionary.itop.core.php # dictionaries/it.dictionary.itop.ui.php # dictionaries/ja.dictionary.itop.core.php # dictionaries/ja.dictionary.itop.ui.php # dictionaries/nl.dictionary.itop.core.php # dictionaries/nl.dictionary.itop.ui.php # dictionaries/pt_br.dictionary.itop.core.php # dictionaries/pt_br.dictionary.itop.ui.php # dictionaries/ru.dictionary.itop.core.php # dictionaries/ru.dictionary.itop.ui.php # dictionaries/sk.dictionary.itop.core.php # dictionaries/sk.dictionary.itop.ui.php # dictionaries/tr.dictionary.itop.core.php # dictionaries/tr.dictionary.itop.ui.php # dictionaries/zh_cn.dictionary.itop.core.php # dictionaries/zh_cn.dictionary.itop.ui.php # lib/composer/autoload_classmap.php # lib/composer/autoload_real.php # lib/composer/autoload_static.php # lib/composer/installed.json # lib/composer/installed.php # sources/application/TwigBase/Controller/Controller.php # sources/application/TwigBase/Twig/TwigHelper.php
This commit is contained in:
Benjamin Dalsass
@@ -91,6 +91,7 @@ class ObjectFormManager extends FormManager
|
||||
* @return array formmanager_data as a PHP array
|
||||
*
|
||||
* @since 2.7.6 3.0.0 N°4384 method creation : factorize as this is used twice now
|
||||
* @since 2.7.7 3.0.1 only used once but kept
|
||||
*/
|
||||
protected static function DecodeFormManagerData($formManagerData)
|
||||
{
|
||||
@@ -106,17 +107,15 @@ class ObjectFormManager extends FormManager
|
||||
* - formobject_class : The class of the object that is being edited/viewed
|
||||
* - formmode : view|edit|create
|
||||
* - values for parent
|
||||
* @param bool $bTrustContent if false then won't allow modified TWIG content
|
||||
*
|
||||
* @return \Combodo\iTop\Portal\Form\ObjectFormManager new instance init from JSON data
|
||||
*
|
||||
* @inheritDoc
|
||||
* @throws \Exception
|
||||
* @throws \SecurityException if twig content is present and $bTrustContent is false
|
||||
*
|
||||
* @since 2.7.6 3.0.0 N°4384 new $bTrustContent parameter
|
||||
* @since 2.7.7 3.0.1 N°4867 remove param $bTrustContent
|
||||
*/
|
||||
public static function FromJSON($sJson, $bTrustContent = false)
|
||||
public static function FromJSON($sJson)
|
||||
{
|
||||
$aJson = static::DecodeFormManagerData($sJson);
|
||||
|
||||
@@ -172,37 +171,6 @@ class ObjectFormManager extends FormManager
|
||||
return $oFormManager;
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $sPostedFormManagerData received data from the browser
|
||||
* @param array $aOriginalFormProperties data generated server side
|
||||
*
|
||||
* @return bool true if the data are identical
|
||||
*
|
||||
* @since 2.7.6 3.0.0 N°4384 Check formmanager_data
|
||||
*/
|
||||
public static function CanTrustFormLayoutContent($sPostedFormManagerData, $aOriginalFormProperties)
|
||||
{
|
||||
$aPostedFormManagerData = static::DecodeFormManagerData($sPostedFormManagerData);
|
||||
$sPostedFormLayoutType = (isset($aPostedFormManagerData['formproperties']['layout']['type'])) ? $aPostedFormManagerData['formproperties']['layout']['type'] : '';
|
||||
|
||||
if ($sPostedFormLayoutType === 'xhtml') {
|
||||
return true;
|
||||
}
|
||||
|
||||
// We need to parse the content so that autoclose tags are returned correctly (`<div />` => `<div></div>`)
|
||||
$oHtmlDocument = new \DOMDocument();
|
||||
|
||||
$sPostedFormLayoutContent = (isset($aPostedFormManagerData['formproperties']['layout']['content'])) ? $aPostedFormManagerData['formproperties']['layout']['content'] : '';
|
||||
$oHtmlDocument->loadXML('<root>'.$sPostedFormLayoutContent.'</root>');
|
||||
$sPostedFormLayoutRendered = $oHtmlDocument->saveHTML();
|
||||
|
||||
$sOriginalFormLayoutContent = (isset($aOriginalFormProperties['layout']['content'])) ? $aOriginalFormProperties['layout']['content'] : '';
|
||||
$oHtmlDocument->loadXML('<root>'.$sOriginalFormLayoutContent.'</root>');
|
||||
$sOriginalFormLayoutContentRendered = $oHtmlDocument->saveHTML();
|
||||
|
||||
return ($sPostedFormLayoutRendered === $sOriginalFormLayoutContentRendered);
|
||||
}
|
||||
|
||||
/**
|
||||
*
|
||||
* @return \Symfony\Component\DependencyInjection\ContainerInterface
|
||||
|
||||
@@ -132,12 +132,10 @@ class ObjectFormHandlerHelper
|
||||
$bModal = ($oRequest->isXmlHttpRequest() && empty($sOperation));
|
||||
|
||||
// - Retrieve form properties
|
||||
$aOriginalFormProperties = ApplicationHelper::GetLoadedFormFromClass($this->aCombodoPortalInstanceConf['forms'], $sObjectClass, $sMode);
|
||||
if ($aFormProperties === null)
|
||||
{
|
||||
$aFormProperties = $aOriginalFormProperties;
|
||||
$aFormProperties = ApplicationHelper::GetLoadedFormFromClass($this->aCombodoPortalInstanceConf['forms'], $sObjectClass, $sMode);
|
||||
}
|
||||
|
||||
// - Create and
|
||||
if (empty($sOperation))
|
||||
{
|
||||
@@ -300,8 +298,8 @@ class ObjectFormHandlerHelper
|
||||
throw new HttpException(Response::HTTP_INTERNAL_SERVER_ERROR, 'Parameters formmanager_class and formmanager_data must be defined.');
|
||||
}
|
||||
|
||||
$bTrustContent = $sFormManagerClass::CanTrustFormLayoutContent($sFormManagerData, $aOriginalFormProperties);
|
||||
$oFormManager = $sFormManagerClass::FromJSON($sFormManagerData, $bTrustContent);
|
||||
$this->CheckReadFormDataAllowed($sFormManagerData);
|
||||
$oFormManager = $sFormManagerClass::FromJSON($sFormManagerData);
|
||||
$oFormManager->SetContainer($this->oContainer);
|
||||
|
||||
// Applying action rules if present
|
||||
@@ -439,6 +437,29 @@ class ObjectFormHandlerHelper
|
||||
return $oTwig->render($sId, $aData);
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if read object include in form data is allowed, throw an exception otherwise.
|
||||
*
|
||||
* @since 2.7.7
|
||||
*
|
||||
* @param $sFormManagerData form data to check
|
||||
*
|
||||
* @return void
|
||||
* @throws \CoreException
|
||||
* @throws \MissingQueryArgument
|
||||
* @throws \MySQLException
|
||||
* @throws \MySQLHasGoneAwayException
|
||||
* @throws \OQLException
|
||||
*/
|
||||
public function CheckReadFormDataAllowed($sFormManagerData){
|
||||
$aJsonFromData = json_decode($sFormManagerData, true);
|
||||
if(isset($aJsonFromData['formobject_class'])
|
||||
&& isset($aJsonFromData['formobject_id'])
|
||||
&& !$this->oSecurityHelper->IsActionAllowed(UR_ACTION_READ, $aJsonFromData['formobject_class'], $aJsonFromData['formobject_id'])){
|
||||
throw new HttpException(Response::HTTP_INTERNAL_SERVER_ERROR, 'Form data access denied.');
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Return an array of the available modes for a form.
|
||||
*
|
||||
|
||||
@@ -161,6 +161,8 @@ class AppExtension extends AbstractExtension
|
||||
*/
|
||||
$filters[] = new Twig_SimpleFilter('var_export', 'var_export');
|
||||
|
||||
//since 2.7.7 3.0.2 3.1.0 N°4867 "Twig content not allowed" error when use the extkey widget search icon in the user portal
|
||||
//overwrite native twig filter : disable use of 'system' filter
|
||||
$filters[] = new Twig_SimpleFilter('filter', function ($array, $arrow) {
|
||||
if ($arrow == 'system'){
|
||||
return json_encode($array);
|
||||
|
||||
Reference in New Issue
Block a user