From f5de808c7c6686e3d41017ca277a2fd82850845c Mon Sep 17 00:00:00 2001
From: jf-cbd <121934370+jf-cbd@users.noreply.github.com>
Date: Fri, 13 Dec 2024 15:09:18 +0100
Subject: [PATCH 1/2] Security hardening (#685)
* security hardening
---
 .../portal/src/Controller/ObjectController.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php b/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php
index c9104cf9f..e6cb08a16 100644
--- a/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php
@@ -1246,7 +1246,8 @@ class ObjectController extends BrickController
 $bIgnoreSilos = $oScopeValidator->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass);
 $aParams = array('objects_id' => $aObjectIds);
 $oSearch = DBObjectSearch::FromOQL("SELECT $sObjectClass WHERE id IN (:objects_id)");
- if ($bIgnoreSilos === true)
+ $oScopeValidator->AddScopeToQuery($oSearch, $sObjectClass);
+ if ($bIgnoreSilos === true)
 {
 $oSearch->AllowAllData();
 }
From 95aa444ee683775f5fe22232591514ff39325864 Mon Sep 17 00:00:00 2001
From: jf-cbd
Date: Fri, 13 Dec 2024 16:48:13 +0100
Subject: [PATCH 2/2] Security hardening
---
 .../portal/src/Controller/ObjectController.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php b/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php
index e6cb08a16..c2366c6e5 100644
--- a/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php
@@ -1246,7 +1246,11 @@ class ObjectController extends BrickController
 $bIgnoreSilos = $oScopeValidator->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass);
 $aParams = array('objects_id' => $aObjectIds);
 $oSearch = DBObjectSearch::FromOQL("SELECT $sObjectClass WHERE id IN (:objects_id)");
- $oScopeValidator->AddScopeToQuery($oSearch, $sObjectClass);
+ if (!$oScopeValidator->AddScopeToQuery($oSearch, $sObjectClass)
+ ) {
+ IssueLog::Warning(__METHOD__ . ' at line ' . __LINE__ . ' : User #' . UserRights::GetUserId() . ' not allowed to read ' . $sObjectClass . ' object.');
+ throw new HttpException(Response::HTTP_NOT_FOUND, Dict::S('UI:ObjectDoesNotExist'));
+ }
 if ($bIgnoreSilos === true)
 {
 $oSearch->AllowAllData();
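Review bot: The new denial branch leaves the reader to guess why a scope failure answers 404 rather than 403 and what a false return from `AddScopeToQuery()` means; a comment above the `if`, such as `// No read scope for the current profiles on $sObjectClass (presumably why AddScopeToQuery() returns false): reply 404, not 403, so the portal does not disclose whether the requested ids exist`, would record both, with the return-value semantics to be confirmed against the validator class. The `$oSearch->AllowAllData()` call in the trailing context still runs after the scope condition has been attached; this is only safe if AllowAllData lifts the silo/organization filter without discarding the OQL conditions that AddScopeToQuery added, which cannot be verified from the hunk and deserves a one-line comment. As a point of style, the closing parenthesis of the condition on its own line is unusual; `if (!$oScopeValidator->AddScopeToQuery($oSearch, $sObjectClass)) {` on one line is clearer. The enclosing method begins before and continues after this hunk, so whether callers rely on the result set being silently narrowed to in-scope ids is not visible here.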