From 55effea0a3fb186c3fc7c720466056836cc7bf4e Mon Sep 17 00:00:00 2001
From: acognet
Date: Thu, 10 Feb 2022 11:50:46 +0100
Subject: [PATCH] =?UTF-8?q?N=C2=B04513=20-=20User=20Portal=20can=20apply?=
 =?UTF-8?q?=20transition=20on=20on=20an=20objetc=20not=20in=20his=20scope?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../portal/src/Controller/ObjectController.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php b/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php
index 4de21fbc4..fd23c4c28 100644
--- a/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php
@@ -389,14 +389,18 @@ class ObjectController extends BrickController
 }
 // Checking security layers
+ if (!$oSecurityHelper->IsActionAllowed(UR_ACTION_MODIFY, $sObjectClass, $sObjectId))
+ {
+ IssueLog::Warning(__METHOD__.' at line '.__LINE__.' : User #'.UserRights::GetUserId().' not allowed to modify '.$sObjectClass.'::'.$sObjectId.' object.');
+ throw new HttpException(Response::HTTP_NOT_FOUND, Dict::S('UI:ObjectDoesNotExist'));
+ }
 if (!$oSecurityHelper->IsStimulusAllowed($sStimulusCode, $sObjectClass))
 {
 throw new HttpException(Response::HTTP_NOT_FOUND, Dict::S('UI:ObjectDoesNotExist'));
 }
 // Retrieving object
- $oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */,
- $oScopeValidator->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass));
+ $oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */, $oScopeValidator->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass));
 if ($oObject === null)
 {
 // We should never be there as the secuirty helper makes sure that the object exists, but just in case.
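Review bot: The new IsActionAllowed guard logs the denial, but the IsStimulusAllowed guard right below it still fails silently, so the two security layers in this hunk leave different audit trails for the same 404 response; mirror the new warning there, e.g. `IssueLog::Warning(__METHOD__.' at line '.__LINE__.' : User #'.UserRights::GetUserId().' not allowed to apply stimulus '.$sStimulusCode.' on '.$sObjectClass.'.');` before the existing throw. Answering the new denial with HTTP_NOT_FOUND rather than a 403 keeps the response from confirming that an out-of-scope object exists, which matches the existing stimulus check, and a one-line comment such as `// 404 on purpose: the response must not reveal whether the object exists outside the user's scope` would record that choice since the warning already carries the real reason. `$sObjectClass` and `$sObjectId` appear to come straight from the request; if they are not validated earlier in the method, consider bounding what is written into the log line, as unfiltered request values in a log entry can be used to forge entries. The rejoining of the GetObject call onto a single line is unrelated to the fix and would be clearer in a separate formatting commit. The enclosing method starts and ends outside this hunk.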