N°6151 - Portal rules: source_oql containing UNION not allowed

2026-02-13 07:24:13 +01:00 · 2023-04-06 11:07:05 +02:00
parent e6f1a87234
commit 2907efde4b
6 changed files with 53 additions and 164 deletions
--- a/core/dbobjectsearch.class.php
+++ b/core/dbobjectsearch.class.php
@@ -1,21 +1,8 @@
 <?php
-// Copyright (c) 2010-2023 Combodo SARL
-//
-//   This file is part of iTop.
-//
-//   iTop is free software; you can redistribute it and/or modify
-//   it under the terms of the GNU Affero General Public License as published by
-//   the Free Software Foundation, either version 3 of the License, or
-//   (at your option) any later version.
-//
-//   iTop is distributed in the hope that it will be useful,
-//   but WITHOUT ANY WARRANTY; without even the implied warranty of
-//   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-//   GNU Affero General Public License for more details.
-//
-//   You should have received a copy of the GNU Affero General Public License
-//   along with iTop. If not, see <http://www.gnu.org/licenses/>
-//
+/*
+ * @copyright   Copyright (C) 2010-2023 Combodo SARL
+ * @license     http://opensource.org/licenses/AGPL-3.0
+ */

 /** @internal Dev hack for disabling some query build optimizations (Folding/Merging) */
 define('ENABLE_OPT', true);
@@ -2064,7 +2051,7 @@ class DBObjectSearch extends DBSearch
 	 * @param $sAttCode
 	 * @return \FunctionExpression|mixed|null
 	 * @throws \CoreException
-*/
+	*/
 	static public function GetPolymorphicExpression($sClass, $sAttCode)
 	{
 		$oExpression = ExpressionCache::GetCachedExpression($sClass, $sAttCode);
@@ -2140,7 +2127,7 @@ class DBObjectSearch extends DBSearch
 		return $oExpression;
 	}

-	public function ListParameters()
+	function GetExpectedArguments(): array
 	{
 		return $this->GetCriteria()->ListParameters();
 	}
--- a/core/dbobjectset.class.php
+++ b/core/dbobjectset.class.php
@@ -1,20 +1,8 @@
 <?php
-// Copyright (C) 2010-2023 Combodo SARL
-//
-//   This file is part of iTop.
-//
-//   iTop is free software; you can redistribute it and/or modify	
-//   it under the terms of the GNU Affero General Public License as published by
-//   the Free Software Foundation, either version 3 of the License, or
-//   (at your option) any later version.
-//
-//   iTop is distributed in the hope that it will be useful,
-//   but WITHOUT ANY WARRANTY; without even the implied warranty of
-//   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-//   GNU Affero General Public License for more details.
-//
-//   You should have received a copy of the GNU Affero General Public License
-//   along with iTop. If not, see <http://www.gnu.org/licenses/>
+/*
+ * @copyright   Copyright (C) 2010-2023 Combodo SARL
+ * @license     http://opensource.org/licenses/AGPL-3.0
+ */

 require_once('dbobjectiterator.php');

@@ -1482,7 +1470,7 @@ class DBObjectSet implements iDBObjectSetIterator
 	public function ListConstantFields()
 	{
 		// The complete list of arguments will include magic arguments (e.g. current_user->attcode)
-		$aScalarArgs = MetaModel::PrepareQueryArguments($this->m_oFilter->GetInternalParams(), $this->m_aArgs, $this->m_oFilter->ListParameters());
+		$aScalarArgs = MetaModel::PrepareQueryArguments($this->m_oFilter->GetInternalParams(), $this->m_aArgs, $this->m_oFilter->GetExpectedArguments());
 		$aConst = $this->m_oFilter->ListConstantFields();
 				
 		foreach($aConst as $sClassAlias => $aVals)
--- a/core/dbsearch.class.php
+++ b/core/dbsearch.class.php
@@ -1,49 +1,15 @@
 <?php
-/**
- * Copyright (C) 2013-2023 Combodo SARL
- *
- * This file is part of iTop.
- *
- * iTop is free software; you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * iTop is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
+/*
+ * @copyright   Copyright (C) 2010-2023 Combodo SARL
+ * @license     http://opensource.org/licenses/AGPL-3.0
 */

-
 /**
- * An object search
- *
- * DBSearch provides an API that leverage the possibility to construct a search against iTop's persisted objects.
- * In order to do so, it let you declare the classes you want to fetch, the conditions you want to apply, ...
- *
- * Note: in the ancient times of iTop, a search was named after DBObjectSearch.
- * When the UNION has been introduced, it has been decided to:
- *   * declare a hierarchy of search classes : `DBObjectSearch` & `DBUnionSearch`
- *     * DBObjectSearch cope with single query (A JOIN B... WHERE...)
- *     * DBUnionSearch cope with several queries (query1 UNION query2)
- *   * in order to preserve forward/backward compatibility of the existing modules
- *     * keep the name of DBObjectSearch even if it a little bit confusing
- *     * do not provide a type-hint for function parameters defined in the modules
- *     * leave the statements DBObjectSearch::FromOQL in the modules, though DBSearch is more relevant
- *
- * @copyright   Copyright (C) 2015-2023 Combodo SARL
- * @license     http://opensource.org/licenses/AGPL-3.0
- *
- *
 * @package     iTopORM
 * @api
 * @see DBObjectSearch::__construct()
 * @see DBUnionSearch::__construct()
 */
- 
 abstract class DBSearch
 {
 	/** @internal */
@@ -1017,11 +983,6 @@ abstract class DBSearch
 		return $sRes;
 	}

-	function GetExpectedArguments()
-	{
-		return $this->GetCriteria()->ListParameters();
-	}
-
 	/**
 	 * Generate a SQL query from the current search
 	 *
@@ -1266,18 +1227,6 @@ abstract class DBSearch
 		$aAttToLoad, $bGetCount, $aGroupByExpr = null, $aSelectedClasses = null, $aSelectExpr = null
 	);

-	/**
-     * Get the current search conditions
-     *
-     * @internal
-     * @see DBSearch $m_oSearchCondition
-     *
-	 * @return \Expression
-	 */
-	public abstract function GetCriteria();
-
-	public abstract function ListParameters();
-
    /**
     * Shortcut to add efficient IN condition
     *
@@ -1719,4 +1668,21 @@ abstract class DBSearch
 	{
 		return $this->ToOQL(true);
 	}
+
+	/**
+	 * @return array{\VariableExpression}
+	 *
+	 * @deprecated use DBSearch::GetExpectedArguments() instead
+	 */
+	public function ListParameters(): array
+	{
+		return $this->GetExpectedArguments();
+	}
+
+	/**
+	 * Get parameters from the condition expression(s)
+	 *
+	 * @return array{\VariableExpression}
+	 */
+	abstract function GetExpectedArguments(): array;
 }
--- a/core/dbunionsearch.class.php
+++ b/core/dbunionsearch.class.php
@@ -1,21 +1,8 @@
 <?php
-// Copyright (C) 2015-2023 Combodo SARL
-//
-//   This file is part of iTop.
-//
-//   iTop is free software; you can redistribute it and/or modify	
-//   it under the terms of the GNU Affero General Public License as published by
-//   the Free Software Foundation, either version 3 of the License, or
-//   (at your option) any later version.
-//
-//   iTop is distributed in the hope that it will be useful,
-//   but WITHOUT ANY WARRANTY; without even the implied warranty of
-//   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-//   GNU Affero General Public License for more details.
-//
-//   You should have received a copy of the GNU Affero General Public License
-//   along with iTop. If not, see <http://www.gnu.org/licenses/>
-
+/*
+ * @copyright   Copyright (C) 2010-2023 Combodo SARL
+ * @license     http://opensource.org/licenses/AGPL-3.0
+ */

 /**
 * A union of DBObjectSearches
@@ -34,7 +21,6 @@
 * @see DBSearch
 * @see DBObjectSearch
 */
- 
 class DBUnionSearch extends DBSearch
 {
 	protected $aSearches; // source queries
@@ -676,26 +662,6 @@ class DBUnionSearch extends DBSearch
 		return $oSQLQuery;
 	}

-	function GetExpectedArguments()
-	{
-		$aVariableCriteria = array();
-		foreach ($this->aSearches as $oSearch)
-		{
-			$aVariableCriteria = array_merge($aVariableCriteria, $oSearch->GetExpectedArguments());
-		}
-
-		return $aVariableCriteria;
-	}
-	/**
-	 * @return \Expression
-	 */
-	public function GetCriteria()
-	{
-		// We're at the limit here
-		$oSearch = reset($this->aSearches);
-		return $oSearch->GetCriteria();
-	}
-
 	protected function IsDataFiltered()
 	{
 		$bIsAllDataFiltered = true;
@@ -738,13 +704,14 @@ class DBUnionSearch extends DBSearch
 		}
 	}

-	public function ListParameters()
+	function GetExpectedArguments(): array
 	{
-		$aParameters = array();
+		$aVariableCriteria = array();
 		foreach ($this->aSearches as $oSearch)
 		{
-			$aParameters = array_merge($aParameters, $oSearch->ListParameters());
+			$aVariableCriteria = array_merge($aVariableCriteria, $oSearch->GetExpectedArguments());
 		}
-		return $aParameters;
+
+		return $aVariableCriteria;
 	}
 }
--- a/core/oql/expression.class.inc.php
+++ b/core/oql/expression.class.inc.php
@@ -1,20 +1,7 @@
 <?php
 /*
- * Copyright (C) 2010-2023 Combodo SARL
- *
- * This file is part of iTop.
- *
- * iTop is free software; you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * iTop is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
+ * @copyright   Copyright (C) 2010-2023 Combodo SARL
+ * @license     http://opensource.org/licenses/AGPL-3.0
 */

 class MissingQueryArgument extends CoreException {
@@ -2525,7 +2512,7 @@ class NestedQueryExpression extends Expression
 	}

 	public function ListParameters() {
-		return $this->m_oNestedQuery->ListParameters();
+		return $this->m_oNestedQuery->GetExpectedArguments();
 	}

 	public function RenameParam($sOldName, $sNewName) {
--- a/datamodels/2.x/itop-portal-base/portal/src/Helper/ContextManipulatorHelper.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/Helper/ContextManipulatorHelper.php
@@ -1,21 +1,8 @@
 <?php

-/**
- * Copyright (C) 2013-2023 Combodo SARL
- *
- * This file is part of iTop.
- *
- * iTop is free software; you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * iTop is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
+/*
+ * @copyright   Copyright (C) 2010-2023 Combodo SARL
+ * @license     http://opensource.org/licenses/AGPL-3.0
 */

 namespace Combodo\iTop\Portal\Helper;
@@ -24,6 +11,7 @@ use BinaryExpression;
 use Combodo\iTop\Portal\Brick\BrickCollection;
 use CorePortalInvalidActionRuleException;
 use DBObject;
+use DBObjectSearch;
 use DBObjectSet;
 use DBSearch;
 use DeprecatedCallsLog;
@@ -330,7 +318,13 @@ class ContextManipulatorHelper
 		if ($aRule['source_oql'] !== null)
 		{
 			// Preparing query to retrieve source object(s)
+			/** @var \DBObjectSearch $oSearch */
 			$oSearch = DBSearch::FromOQL($aRule['source_oql']);
+			if (!$oSearch instanceof DBObjectSearch) {
+				$sErrMsg = "Portal query was stopped: action_rule '$sRuleId' source_oql does not allow UNION";
+				IssueLog::Error($sErrMsg);
+				throw new CorePortalInvalidActionRuleException($sErrMsg);
+			}
 			$sSearchClass = $oSearch->GetClass();
 			$aSearchParams = $oSearch->GetInternalParams();