#888 Security on the portal incompatible with customizations (regression introduced in 2.0.2); it now requires defining PORTAL_USERREQUEST_DISPLAY_QUERY and PORTAL_USERREQUEST_DISPLAY_POWERUSER_QUERY
SVN:trunk[3086]
@@ -50,6 +50,46 @@ function GetTicketClasses()
|
||||
return $aClasses;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Helper to protect the portal against malicious usages
|
||||
* Throws an exception if the current user is not allowed to view the object details
|
||||
*/
|
||||
function ValidateObject($oObject)
|
||||
{
|
||||
if (IsPowerUser())
|
||||
{
|
||||
$sValidationDefine = 'PORTAL_'.strtoupper(get_class($oObject)).'_DISPLAY_POWERUSER_QUERY';
|
||||
}
|
||||
else
|
||||
{
|
||||
$sValidationDefine = 'PORTAL_'.strtoupper(get_class($oObject)).'_DISPLAY_QUERY';
|
||||
}
|
||||
if (defined($sValidationDefine))
|
||||
{
|
||||
$sValidationOql = constant($sValidationDefine);
|
||||
$oSearch = DBObjectSearch::FromOQL($sValidationOql);
|
||||
$oSearch->AddCondition('id', $oObject->GetKey());
|
||||
|
||||
if ($iUser = UserRights::GetContactId())
|
||||
{
|
||||
$oContact = MetaModel::GetObject('Contact', $iUser);
|
||||
$aArgs = $oContact->ToArgs('contact');
|
||||
}
|
||||
else
|
||||
{
|
||||
$aArgs = array();
|
||||
}
|
||||
|
||||
$oSet = new DBObjectSet($oSearch, array(), $aArgs);
|
||||
if ($oSet->Count() == 0)
|
||||
{
|
||||
throw new SecurityException('You are not allowed to access the object '.get_class($oObject).'::'.$oObject->GetKey());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Helper to get the relevant constant
|
||||
*/
|
||||
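Review bot: ValidateObject() fails open — when neither PORTAL_<CLASS>_DISPLAY_QUERY nor the POWERUSER variant is defined, the `if (defined($sValidationDefine))` branch is skipped and the function returns without performing any check, so a ticket class whose query was never configured (the commit message says these defines are now required) stays reachable by any portal user. Failing closed matches the stated requirement: add `else { throw new SecurityException('Missing portal display query: '.$sValidationDefine); }` after the defined() block, or, if silently skipping the check for unconfigured classes is deliberate, state that in the docblock ("Throws an exception if ..." currently reads as unconditional). Two smaller points in the same hunk: `$oSet->Count() == 0` should be `=== 0`, and `if ($iUser = UserRights::GetContactId())` hides an assignment inside a condition, where `$iUser = UserRights::GetContactId(); if ($iUser)` reads more plainly. When no contact is attached, `$aArgs` is empty while the configured OQL may reference contact parameters; it looks like that would make the query error out rather than quietly match, which is worth confirming is the intended outcome.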
@@ -1249,6 +1289,7 @@ try
|
||||
$oP->set_title(Dict::S('Portal:TitleDetailsFor_Request'));
|
||||
DisplayMainMenu($oP);
|
||||
$oObj = $oP->FindObjectFromArgs(GetTicketClasses());
|
||||
ValidateObject($oObj);
|
||||
DisplayObject($oP, $oObj, $oUserOrg);
|
||||
break;
|
||||
|
||||
@@ -1258,6 +1299,7 @@ try
|
||||
if (!MetaModel::DBIsReadOnly())
|
||||
{
|
||||
$oObj = $oP->FindObjectFromArgs(GetTicketClasses());
|
||||
ValidateObject($oObj);
|
||||
$aAttList = array(
|
||||
GetConstant(get_class($oObj), 'PUBLIC_LOG'),
|
||||
'user_satisfaction',
|
||||
|
||||
@@ -41,6 +41,8 @@ PORTAL_<TICKET-CLASS>_TYPE: optional attribute to be set with the value of "requ
|
||||
PORTAL_<TICKET-CLASS>_LIST_ZLIST: list of attribute displayed in the lists (opened and resolved)
|
||||
PORTAL_<TICKET-CLASS>_CLOSED_ZLIST: list of attribute displayed in the list of closed tickets
|
||||
PORTAL_<TICKET-CLASS>_DETAILS_ZLIST: selection and presentation of attributes in the page that shows their details
|
||||
PORTAL_<TICKET-CLASS>_DISPLAY_QUERY: selection of displayable objects (use parameters contact->attcode to check things against the user/contact)
|
||||
PORTAL_<TICKET-CLASS>_DISPLAY_POWERUSER_QUERY: selection of displayable objects for power users (use parameters contact->attcode to check things against the user/contact)
|
||||
|
||||
|
||||
How to add a type of ticket (example: Incident)
|
||||
|
||||