Merge remote-tracking branch 'origin/support/3.1' into support/3.2

2026-02-12 23:14:18 +01:00 · 2025-03-06 14:58:24 +01:00
parent 5aee7f4722 1142bf327c
commit 8fd9eb6a84
5 changed files with 411 additions and 163 deletions
--- a/core/restservices.class.inc.php
+++ b/core/restservices.class.inc.php
@@ -44,6 +44,8 @@ class ObjectResult
 	 * @var string
 	 * @api
 	 */
+    use SanitizeTrait;
+
 	public $message;
 	/**
 	 * @var mixed|null
@@ -156,20 +158,17 @@ class ObjectResult
 	{
 		$this->fields[$sAttCode] = $this->MakeResultValue($oObject, $sAttCode, $bExtendedOutput);
 	}
-	
+
 public function SanitizeContent()
 	{
-		foreach($this->fields as $sAttCode => $value)
+		foreach($this->fields as $sFieldAttCode => $fieldValue)
 		{
-            try{
-			$oAttDef = MetaModel::GetAttributeDef($this->class, $sAttCode);
+            try {
+			$oAttDef = MetaModel::GetAttributeDef($this->class, $sFieldAttCode);
            } catch (Exception $e) { // for special cases like ID
                continue;
            }
-			if ($oAttDef instanceof iAttributeNoGroupBy) // iAttributeNoGroupBy is equivalent to sensitive attribute
-            {
-                $this->fields[$sAttCode] = '******';
-            }
+                $this->SanitizeFieldIfSensitive($this->fields, $sFieldAttCode, $fieldValue, $oAttDef);
 		}
 	}
 }
@@ -237,11 +236,11 @@ class RestResultWithObjects extends RestResult
 		$sObjKey = get_class($oObject).'::'.$oObject->GetKey();
 		$this->objects[$sObjKey] = $oObjRes;
 	}
-	
+
 public function SanitizeContent()
 	{
 		parent::SanitizeContent();
-		
+
 		foreach($this->objects as $sObjKey => $oObjRes)
 		{
 			$oObjRes->SanitizeContent();
@@ -336,7 +335,8 @@ class RestDelete
 */
 class CoreServices implements iRestServiceProvider, iRestInputSanitizer
 {
-	/**
+    use SanitizeTrait;
+    /**
 	 * Enumerate services delivered by this class
 	 * 	 
 	 * @param string $sVersion The version (e.g. 1.0) supported by the services
@@ -554,18 +554,18 @@ class CoreServices implements iRestServiceProvider, iRestInputSanitizer
            }
 			else
 			{
-                                if (!$bExtendedOutput && RestUtils::GetOptionalParam($aParams, 'output_fields', '*') != '*') 
+                                if (!$bExtendedOutput && RestUtils::GetOptionalParam($aParams, 'output_fields', '*') != '*')
                                {
                                        $aFields = $aShowFields[$sClass];
                                        //Id is not a valid attribute to optimize
-                                        if (in_array('id', $aFields)) 
+                                        if (in_array('id', $aFields))
                                        {
                                            unset($aFields[array_search('id', $aFields)]);
                                        }
                                        $aAttToLoad = array($oObjectSet->GetClassAlias() => $aFields);
                                        $oObjectSet->OptimizeColumnLoad($aAttToLoad);
                                }
-                                
+
 				while ($oObject = $oObjectSet->Fetch())
 				{
 					$oResult->AddObject(0, '', $oObject, $aShowFields, $bExtendedOutput);
@@ -762,7 +762,7 @@ class CoreServices implements iRestServiceProvider, iRestInputSanitizer
 		}
 		return $oResult;
 	}
-	
+
 	public function SanitizeJsonInput(string $sJsonInput): string
 	{
        $sSanitizedJsonInput = $sJsonInput;
@@ -780,17 +780,14 @@ class CoreServices implements iRestServiceProvider, iRestInputSanitizer
            default :
            $sClass = $aJsonData['class'];
            if (isset($aJsonData['fields'])) {
-                foreach ($aJsonData['fields'] as $sAttCode => $value) {
-                $oAttDef = MetaModel::GetAttributeDef($sClass, $sAttCode);
-                if ($oAttDef instanceof iAttributeNoGroupBy) // iAttributeNoGroupBy is equivalent to sensitive attribute
-                {
-                        $aJsonData['fields'][$sAttCode] = '*****';
-                    }
+                foreach ($aJsonData['fields'] as $sFieldAttCode => $fieldValue) {
+                    $oAttDef = MetaModel::GetAttributeDef($sClass, $sFieldAttCode);
+                    $this->SanitizeFieldIfSensitive($aJsonData['fields'], $sFieldAttCode, $fieldValue, $oAttDef);
                }
            }
            break;
        }
-		return json_encode($aJsonData, JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT);
+		return json_encode($aJsonData, JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT | JSON_UNESCAPED_UNICODE);
 	}

 	/**
@@ -931,3 +928,50 @@ class CoreServices implements iRestServiceProvider, iRestInputSanitizer
 		return $iLimit * max(0, $iPage - 1);
 	}
 }
+
+trait SanitizeTrait
+{
+    /**
+     * Sanitize a field if it is sensitive.
+     *
+     * @param array $fields The fields array
+     * @param string $sFieldAttCode The attribute code
+     * @param mixed $oAttDef The attribute definition
+     * @throws Exception
+     */
+    private function SanitizeFieldIfSensitive(array &$fields, string $sFieldAttCode, $fieldValue, $oAttDef): void
+    {
+        // for simple attribute
+        if ($oAttDef instanceof iAttributeNoGroupBy) // iAttributeNoGroupBy is equivalent to sensitive attribute
+        {
+            $fields[$sFieldAttCode] = '*****';
+            return;
+        }
+        // for 1-n / n-n relation
+        if ($oAttDef instanceof AttributeLinkedSet) {
+            foreach ($fieldValue as $i => $aLnkValues) {
+                foreach ($aLnkValues as $sLnkAttCode => $sLnkValue) {
+                    $oLnkAttDef = MetaModel::GetAttributeDef($oAttDef->GetLinkedClass(), $sLnkAttCode);
+                    if ($oLnkAttDef instanceof iAttributeNoGroupBy) { // 1-n relation
+                        $fields[$sFieldAttCode][$i][$sLnkAttCode] = '*****';
+                    }
+                    elseif ($oAttDef instanceof AttributeLinkedSetIndirect && $oLnkAttDef instanceof AttributeExternalField) { // for n-n relation
+                        $oExtKeyAttDef = MetaModel::GetAttributeDef($oLnkAttDef->GetTargetClass(), $oLnkAttDef->GetExtAttCode());
+                        if ($oExtKeyAttDef instanceof iAttributeNoGroupBy) {
+                            $fields[$sFieldAttCode][$i][$sLnkAttCode] = '*****';
+                        }
+                    }
+                }
+            }
+            return;
+        }
+
+        // for external attribute
+        if ($oAttDef instanceof AttributeExternalField) {
+            $oExtKeyAttDef = MetaModel::GetAttributeDef($oAttDef->GetTargetClass(), $oAttDef->GetExtAttCode());
+            if ($oExtKeyAttDef instanceof iAttributeNoGroupBy) {
+                $fields[$sFieldAttCode] = '*****';
+            }
+        }
+    }
+}