composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-04-24 11:08:45 +02:00
Code Issues Packages Projects Releases Wiki Activity

N°4513 - User Portal can apply transition on on an objetc not in his scope

Browse Source
This commit is contained in:
acognet
2022-02-10 11:50:46 +01:00
parent dfaa973359
commit 55effea0a3
1 changed files with 6 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php
View File

@@ -389,14 +389,18 @@ class ObjectController extends BrickController
} }
// Checking security layers // Checking security layers
if (!$oSecurityHelper->IsActionAllowed(UR_ACTION_MODIFY, $sObjectClass, $sObjectId))
{
IssueLog::Warning(__METHOD__.' at line '.__LINE__.' : User #'.UserRights::GetUserId().' not allowed to modify '.$sObjectClass.'::'.$sObjectId.' object.');
throw new HttpException(Response::HTTP_NOT_FOUND, Dict::S('UI:ObjectDoesNotExist'));
}
if (!$oSecurityHelper->IsStimulusAllowed($sStimulusCode, $sObjectClass)) if (!$oSecurityHelper->IsStimulusAllowed($sStimulusCode, $sObjectClass))
{ {
throw new HttpException(Response::HTTP_NOT_FOUND, Dict::S('UI:ObjectDoesNotExist')); throw new HttpException(Response::HTTP_NOT_FOUND, Dict::S('UI:ObjectDoesNotExist'));
} }
// Retrieving object // Retrieving object
$oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */, $oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */, $oScopeValidator->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass));
$oScopeValidator->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass));
if ($oObject === null) if ($oObject === null)
{ {
// We should never be there as the secuirty helper makes sure that the object exists, but just in case. // We should never be there as the secuirty helper makes sure that the object exists, but just in case.