diff --git a/datamodels/2.x/itop-portal-base/portal/src/controllers/objectcontroller.class.inc.php b/datamodels/2.x/itop-portal-base/portal/src/controllers/objectcontroller.class.inc.php
index 9705de2ae3..6f21f26913 100644
--- a/datamodels/2.x/itop-portal-base/portal/src/controllers/objectcontroller.class.inc.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/controllers/objectcontroller.class.inc.php
@@ -86,7 +86,7 @@ class ObjectController extends AbstractController
 }
 // Retrieving object
- $oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */);
+ $oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */, $oApp['scope_validator']->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass));
 if ($oObject === null)
 {
 // We should never be there as the secuirty helper makes sure that the object exists, but just in case.
@@ -158,7 +158,7 @@ class ObjectController extends AbstractController
 }
 // Retrieving object
- $oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */);
+ $oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */, $oApp['scope_validator']->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass));
 if ($oObject === null)
 {
 // We should never be there as the secuirty helper makes sure that the object exists, but just in case.
@@ -278,8 +278,9 @@ class ObjectController extends AbstractController
 }
 // Retrieving origin object
- $oOriginObject = MetaModel::GetObject($sObjectClass, $sObjectId);
-
+ // Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
+ $oOriginObject = MetaModel::GetObject($sObjectClass, $sObjectId, true, true);
+
 // Retrieving target object (We check if the method is a simple function or if it's part of a class in which case only static function are supported)
 if (!strpos($sMethodName, '::'))
 {
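Review bot: The new fourth argument of `MetaModel::GetObject()` in the `-86` hunk is a long inline call with no label, while the third argument still carries `/* MustBeFound */`. The same expression is pasted into the `-158`, `-332` and `-461` hunks of this file and into the `-112` hunk of `securityhelper.class.inc.php`. Because this boolean decides whether the object is loaded without the usual silo filtering, compute it once into a named local, as the `-1427` hunk already does: `$bAllowAllData = $oApp['scope_validator']->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass);` followed by `MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */, $bAllowAllData);`. The enclosing method starts and ends outside the hunk.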
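Review bot: In the `-278` hunk, `MetaModel::GetObject($sObjectClass, $sObjectId, true, true)` hard-codes AllowAllData on the strength of a comment ("a value that has been set and validated"), but no validation is visible in the hunk and the origin of `$sObjectClass` and `$sObjectId` lies outside it. If either value can be influenced by the request, the load is no longer limited to the user's silo, so the assumption should be enforced in code, or the comment should at least name the check that guarantees it. The same `true, true` recurs in the `-666`, `-803` and `-1121` hunks here, in `objectformmanager.class.inc.php` (`-94`, `-945`, `-961`), in `bslinkedsetfieldrenderer.class.inc.php` (`-479`) and in `bsselectobjectfieldrenderer.class.inc.php` (`-143`, `-298`). The call sites fed from `$aJson['formobject_id']`, `$iTargetId` or `GetCurrentValue()` deserve the closest look, since those values appear to travel with the form.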
@@ -332,7 +333,7 @@ class ObjectController extends AbstractController
 // }
 // Retrieving object
- $oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */);
+ $oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */, $oApp['scope_validator']->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass));
 if ($oObject === null)
 {
 // We should never be there as the secuirty helper makes sure that the object exists, but just in case.
@@ -461,7 +462,7 @@ class ObjectController extends AbstractController
 }
 else
 {
- $oObject = MetaModel::GetObject($sObjectClass, $sObjectId);
+ $oObject = MetaModel::GetObject($sObjectClass, $sObjectId, true, $oApp['scope_validator']->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass));
 }
 // Preparing transitions only if we are currently going through one
@@ -666,7 +667,8 @@ class ObjectController extends AbstractController
 // Retrieving host object for future DBSearch parameters
 if ($sHostObjectId !== null)
 {
- $oHostObject = MetaModel::GetObject($sHostObjectClass, $sHostObjectId);
+ // Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
+ $oHostObject = MetaModel::GetObject($sHostObjectClass, $sHostObjectId, true, true);
 }
 else
 {
@@ -803,7 +805,8 @@ class ObjectController extends AbstractController
 // Retrieving host object for future DBSearch parameters
 if ($sHostObjectId !== null)
 {
- $oHostObject = MetaModel::GetObject($sHostObjectClass, $sHostObjectId);
+ // Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
+ $oHostObject = MetaModel::GetObject($sHostObjectClass, $sHostObjectId, true, true);
 }
 else
 {
@@ -1121,7 +1124,8 @@ class ObjectController extends AbstractController
 // Retrieving host object for future DBSearch parameters
 if ($sHostObjectId !== null)
 {
- $oHostObject = MetaModel::GetObject($sHostObjectClass, $sHostObjectId);
+ // Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
+ $oHostObject = MetaModel::GetObject($sHostObjectClass, $sHostObjectId, true, true);
 }
 else
 {
@@ -1427,7 +1431,12 @@ class ObjectController extends AbstractController
 }
 // Building the search
+ $bIgnoreSilos = $oApp['scope_validator']->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass);
 $oSearch = DBObjectSearch::FromOQL("SELECT " . $sObjectClass . " WHERE id IN ('" . implode("','", $aObjectIds) . "')");
+ if ($bIgnoreSilos === true)
+ {
+ $oSearch->AllowAllData();
+ }
 $oSet = new DBObjectSet($oSearch);
 $oSet->OptimizeColumnLoad($aObjectAttCodes);
diff --git a/datamodels/2.x/itop-portal-base/portal/src/forms/objectformmanager.class.inc.php b/datamodels/2.x/itop-portal-base/portal/src/forms/objectformmanager.class.inc.php
index 004facaa04..225b68fc97 100644
--- a/datamodels/2.x/itop-portal-base/portal/src/forms/objectformmanager.class.inc.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/forms/objectformmanager.class.inc.php
@@ -94,7 +94,8 @@ class ObjectFormManager extends FormManager
 }
 else
 {
- $oObject = MetaModel::GetObject($sObjectClass, $aJson['formobject_id'], true);
+ // Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
+ $oObject = MetaModel::GetObject($sObjectClass, $aJson['formobject_id'], true, true);
 }
 $oFormManager->SetObject($oObject);
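Review bot: In the `-1427` hunk, `AllowAllData()` is switched on for a query whose text is concatenated from `$sObjectClass` and `$aObjectIds` on the unchanged line between the two added parts, and where those values come from is outside the hunk. Once silo filtering can be lifted, that id list is the only thing bounding what the set returns. If the ids are always numeric, cast them first (`$aObjectIds = array_map('intval', $aObjectIds);`), or pass them as query parameters the way the attachment search in `bsfileuploadfieldrenderer.class.inc.php` does with `:class` and `:item_id`. As a style point, `if ($bIgnoreSilos === true)` can be `if ($bIgnoreSilos)` because the helper only ever returns a boolean.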
@@ -945,7 +946,8 @@ class ObjectFormManager extends FormManager
 // LinkedSet
 if (!$oAttDef->IsIndirect())
 {
- $oLinkedObject = MetaModel::GetObject($sTargetClass, abs($iTargetId));
+ // Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
+ $oLinkedObject = MetaModel::GetObject($sTargetClass, abs($iTargetId), true, true);
 $oValueSet->AddObject($oLinkedObject);
 }
 // LinkedSetIndirect
@@ -961,7 +963,8 @@ class ObjectFormManager extends FormManager
 // Existing relation
 else
 {
- $oLink = MetaModel::GetObject($sTargetClass, $iTargetId);
+ // Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
+ $oLink = MetaModel::GetObject($sTargetClass, $iTargetId, true, true);
 }
 $oValueSet->AddObject($oLink);
 }
diff --git a/datamodels/2.x/itop-portal-base/portal/src/helpers/scopevalidatorhelper.class.inc.php b/datamodels/2.x/itop-portal-base/portal/src/helpers/scopevalidatorhelper.class.inc.php
index 7d8af6d304..94f5d6954f 100644
--- a/datamodels/2.x/itop-portal-base/portal/src/helpers/scopevalidatorhelper.class.inc.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/helpers/scopevalidatorhelper.class.inc.php
@@ -544,6 +544,39 @@ class ScopeValidatorHelper
 return $oSearch;
 }
+ /**
+ * Returns true if at least one of the $aProfiles has the ignore_silos flag set to true for the $sClass.
+ *
+ * @param array $aProfiles
+ * @param string $sClass
+ * @return boolean
+ */
+ public function IsAllDataAllowedForScope($aProfiles, $sClass)
+ {
+ $bIgnoreSilos = false;
+
+ // Iterating on profiles to retrieving the different OQLs parts
+ foreach ($aProfiles as $sProfile)
+ {
+ // Retrieving matrix informtions
+ $iProfileId = $this->GetProfileIdFromProfileName($sProfile);
+
+ // Retrieving profile OQLs
+ $sScopeValuesClass = $this->sGeneratedClass;
+ $aProfileMatrix = $sScopeValuesClass::GetProfileScope($iProfileId, $sClass, static::ENUM_MODE_READ);
+ if ($aProfileMatrix !== null)
+ {
+ // If a profile should ignore allowed org, we set it for all its queries no matter the profile
+ if (isset($aProfileMatrix['ignore_silos']) && $aProfileMatrix['ignore_silos'] === true)
+ {
+ $bIgnoreSilos = true;
+ }
+ }
+ }
+
+ return $bIgnoreSilos;
+ }
+
 /**
 * Returns the profile id from a string being either a constant or its name.
 *
diff --git a/datamodels/2.x/itop-portal-base/portal/src/helpers/securityhelper.class.inc.php b/datamodels/2.x/itop-portal-base/portal/src/helpers/securityhelper.class.inc.php
index b184146c7e..91384d4114 100644
--- a/datamodels/2.x/itop-portal-base/portal/src/helpers/securityhelper.class.inc.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/helpers/securityhelper.class.inc.php
@@ -112,7 +112,7 @@ class SecurityHelper
 // Checking if the cmdbAbstractObject exists if id is specified
 if ($sObjectId !== null)
 {
- $oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */);
+ $oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */, $oApp['scope_validator']->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass));
 if ($oObject === null)
 {
 if ($oApp['debug'])
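Review bot: `IsAllDataAllowedForScope()` always asks `GetProfileScope()` for `static::ENUM_MODE_READ`, yet its result becomes the AllowAllData argument in controller hunks that may sit on edit or transition paths (their enclosing methods are not visible in this diff). If a profile's `ignore_silos` flag can differ between scope modes, an object would be loaded for modification under the read flag. Consider a mode parameter, `public function IsAllDataAllowedForScope($aProfiles, $sClass, $sMode = self::ENUM_MODE_READ)`, passed through as `GetProfileScope($iProfileId, $sClass, $sMode)`. The docblock should also state that a `true` result makes callers bypass silo restrictions, and the loop can `return true;` at the first match instead of scanning the remaining profiles.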
diff --git a/sources/renderer/bootstrap/fieldrenderer/bsfileuploadfieldrenderer.class.inc.php b/sources/renderer/bootstrap/fieldrenderer/bsfileuploadfieldrenderer.class.inc.php
index 85f3ec1201..b5a95373b9 100644
--- a/sources/renderer/bootstrap/fieldrenderer/bsfileuploadfieldrenderer.class.inc.php
+++ b/sources/renderer/bootstrap/fieldrenderer/bsfileuploadfieldrenderer.class.inc.php
@@ -229,6 +229,8 @@ EOF
 $sDeleteBtn = Dict::S('Portal:Button:Delete');
 $oSearch = DBObjectSearch::FromOQL("SELECT Attachment WHERE item_class = :class AND item_id = :item_id");
+ // Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
+ $oSearch->AllowAllData();
 $oSet = new DBObjectSet($oSearch, array(), array('class' => $sObjectClass, 'item_id' => $this->oField->GetObject()->GetKey()));
 // If in read only and no attachments, we display a short message
diff --git a/sources/renderer/bootstrap/fieldrenderer/bslinkedsetfieldrenderer.class.inc.php b/sources/renderer/bootstrap/fieldrenderer/bslinkedsetfieldrenderer.class.inc.php
index f60a6015b6..c093ad90fa 100644
--- a/sources/renderer/bootstrap/fieldrenderer/bslinkedsetfieldrenderer.class.inc.php
+++ b/sources/renderer/bootstrap/fieldrenderer/bslinkedsetfieldrenderer.class.inc.php
@@ -479,7 +479,8 @@ EOF
 // In case of indirect linked set, we must retrieve the remote object
 if ($this->oField->IsIndirect())
 {
- $oRemoteItem = MetaModel::GetObject($this->oField->GetTargetClass(), $oItem->Get($this->oField->GetExtKeyToRemote()));
+ // Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
+ $oRemoteItem = MetaModel::GetObject($this->oField->GetTargetClass(), $oItem->Get($this->oField->GetExtKeyToRemote()), true, true);
 }
 else
 {
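Review bot: The comment above `$oSearch->AllowAllData();` in the `-229` hunk was copied from the `GetObject()` call sites and does not describe this line. Nothing here is "a value that has been set and validated"; it is a search for every `Attachment` whose `item_class` and `item_id` match the field's object. The bypass is therefore only as safe as the check that let the user reach `$this->oField->GetObject()`, which happens outside this hunk. The comment should say so, for example `// AllowAllData: attachments are only listed for the form's own object, whose access was checked by the caller`. If that cannot be guaranteed for every caller of the renderer, gate the call on the scope flag as the `-1427` hunk of `objectcontroller.class.inc.php` does.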
diff --git a/sources/renderer/bootstrap/fieldrenderer/bsselectobjectfieldrenderer.class.inc.php b/sources/renderer/bootstrap/fieldrenderer/bsselectobjectfieldrenderer.class.inc.php
index 71b12f96fc..60a5964640 100644
--- a/sources/renderer/bootstrap/fieldrenderer/bsselectobjectfieldrenderer.class.inc.php
+++ b/sources/renderer/bootstrap/fieldrenderer/bsselectobjectfieldrenderer.class.inc.php
@@ -143,7 +143,8 @@ EOF
 {
 try
 {
- $oFieldValue = MetaModel::GetObject($sFieldValueClass, $this->oField->GetCurrentValue());
+ // Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
+ $oFieldValue = MetaModel::GetObject($sFieldValueClass, $this->oField->GetCurrentValue(), true, true);
 }
 catch (CoreException $e)
 {
@@ -298,7 +299,8 @@ EOF
 // Retrieving field value
 if ($this->oField->GetCurrentValue() !== null && $this->oField->GetCurrentValue() !== 0 && $this->oField->GetCurrentValue() !== '')
 {
- $oFieldValue = MetaModel::GetObject($sFieldValueClass, $this->oField->GetCurrentValue());
+ // Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
+ $oFieldValue = MetaModel::GetObject($sFieldValueClass, $this->oField->GetCurrentValue(), true, true);
 $sFieldValue = $oFieldValue->GetName();
 }
 else