composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-04-24 02:58:43 +02:00
Code Issues Packages Projects Releases Wiki Activity

#888 Security on the portal incompatible with customizations (regression introduced in 2.0.2), now requires to define PORTAL_USERREQUEST_DISPLAY_QUERY and PORTAL_USERREQUEST_DISPLAY_POWERUSER_QUERY

Browse Source 
SVN:trunk[3086]
This commit is contained in:
Romain Quetiez
2014-02-24 15:52:04 +00:00
parent d36a03bfc3
commit 5f11c97aef
5 changed files with 51 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
application/portalwebpage.class.inc.php
View File

@@ -793,24 +793,7 @@ EOF
}
}
$sOQL = "SELECT $sClass WHERE org_id = :org_id";
$oSearch = DBObjectSearch::FromOQL($sOQL);
$iUser = UserRights::GetContactId();
if ($iUser > 0 && !IsPowerUser())
{
$oSearch->AddCondition('caller_id', $iUser);
}
$oSearch->AddCondition('id', $iId);
$oContact = MetaModel::GetObject('Contact', $iUser, false); // false => Can fail
if (!is_object($oContact))
{
throw new Exception(Dict::S('Portal:ErrorNoContactForThisUser'));
}
$oSet = new DBObjectSet($oSearch, array(), array('org_id' => $oContact->Get('org_id')));
$oObj = $oSet->Fetch();
$oObj = MetaModel::GetObject($sClass, $iId, false);
if (!is_object($oObj))
{
throw new Exception("Could not find the object $sClass/$iId");