N°8007 - Security hardening

core/oql/oqlinterpreter.class.inc.php

@@ -36,7 +36,13 @@ class UnknownClassOqlException extends OqlNormalizeException
 {
 	public function __construct($sInput, OqlName $oName, $aExpecting = null)
 	{
-		parent::__construct('Unknown class', $sInput, $oName, $aExpecting);
+		$aAllowedClasses = [];
+		foreach ($aExpecting as $sClass) {
+			if (UserRights::IsActionAllowed($sClass, UR_ACTION_READ)) {
+				$aAllowedClasses[] = $sClass;
+			}
+		}
+		parent::__construct('Unknown class', $sInput, $oName, $aAllowedClasses);
 	}
 
 	public function GetUserFriendlyDescription()

tests/php-unit-tests/unitary-tests/core/OQLParserTest.php

@@ -12,13 +12,17 @@ namespace Combodo\iTop\Test\UnitTest\Core;
 
 use Combodo\iTop\Test\UnitTest\ItopDataTestCase;
 use DBObjectSearch;
+use DBSearch;
 use OQLException;
 use OqlInterpreter;
 use OQLParserException;
+use UnknownClassOqlException;
+use UserRights;
 
 class OQLParserTest extends ItopDataTestCase
 {
 	const USE_TRANSACTION = false;
+	const CREATE_TEST_ORG = true;
 
 	/**
 	 * @group iTopChangeMgt
@@ -40,6 +44,20 @@ class OQLParserTest extends ItopDataTestCase
 		self::assertEquals($sQuery,$sOql);
 	}
 
+	public function testUnknownClassOqlException()
+	{
+		$sLogin = $this->GivenUserRestrictedToAnOrganizationInDB($this->getTestOrgId(), self::$aURP_Profiles['Portal user']);
+		UserRights::Login($sLogin);
+
+		try {
+			DBSearch::FromOQL('SELECT UnknownClass');
+			$this->fail('An UnknownClassOqlException should have been thrown');
+		}
+		catch (UnknownClassOqlException $e) {
+			$this->assertNotContains('DBProperty', $e->GetSuggestions(), 'user should not be recommanded to perform queries on classes his not allowed to see');
+		}
+	}
+
 	public function NestedQueryProvider()
 	{
 		return array(