N°602: InlineImage "randomly" not available for display.

Adding an InlineImage while adding an object in a IndirectLinkedSet at the same time would attach the InlineImage to the linked object instead of the host one. If their organizations were different, it could result in a security issue, denying the display of the InlineImage.

SVN:trunk[4561]
This commit is contained in:
Guillaume Lajarige
2017-02-28 09:47:24 +00:00
parent fcc5342775
commit 76ca7dc9e8
2 changed files with 17 additions and 3 deletions

View File

@@ -3328,8 +3328,6 @@ EOF
{
$res = parent::DBInsertNoReload();
InlineImage::FinalizeInlineImages($this);
// Invoke extensions after insertion (the object must exist, have an id, etc.)
foreach (MetaModel::EnumPlugins('iApplicationObjectExtension') as $oExtensionInstance)
{
@@ -3339,6 +3337,14 @@ EOF
return $res;
}
/**
* Attaches InlineImages to the current object
*/
protected function OnObjectKeyReady()
{
InlineImage::FinalizeInlineImages($this);
}
protected function DBCloneTracked_Internal($newKey = null)
{
$oNewObj = parent::DBCloneTracked_Internal($newKey);

View File

@@ -1411,6 +1411,12 @@ abstract class DBObject implements iDisplay
return true;
}
// used only by insert
protected function OnObjectKeyReady()
{
// Meant to be overloaded
}
// used both by insert/update
private function DBWriteLinks()
{
@@ -1648,7 +1654,9 @@ abstract class DBObject implements iDisplay
$this->DBInsertSingleTable($sParentClass);
}
$this->DBWriteLinks();
$this->OnObjectKeyReady();
$this->DBWriteLinks();
$this->WriteExternalAttributes();
$this->m_bIsInDB = true;