From a0171ac9cfd483a5b2f63201878b304ca99bf09c Mon Sep 17 00:00:00 2001 From: Guillaume Lajarige Date: Wed, 25 Jul 2018 16:48:11 +0200 Subject: [PATCH] =?UTF-8?q?(Cherry=20pick=20from=20develop=20ab1715e)=20N?= =?UTF-8?q?=C2=B01576=20Portal:=20Security=20hardening.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../browsebrickcontroller.class.inc.php | 12 ++-- .../managebrickcontroller.class.inc.php | 67 +++++++++++-------- .../objectcontroller.class.inc.php | 18 ++++- .../form/field/textareafield.class.inc.php | 4 +- .../bslinkedsetfieldrenderer.class.inc.php | 3 +- 5 files changed, 67 insertions(+), 37 deletions(-) diff --git a/datamodels/2.x/itop-portal-base/portal/src/controllers/browsebrickcontroller.class.inc.php b/datamodels/2.x/itop-portal-base/portal/src/controllers/browsebrickcontroller.class.inc.php index 49f8af31f9..e2d2b70a9d 100644 --- a/datamodels/2.x/itop-portal-base/portal/src/controllers/browsebrickcontroller.class.inc.php +++ b/datamodels/2.x/itop-portal-base/portal/src/controllers/browsebrickcontroller.class.inc.php @@ -634,8 +634,9 @@ class BrowseBrickController extends BrickController if ($aLevelsProperties[$key][$sOptionalAttribute] !== null) { $sPropertyName = substr($sOptionalAttribute, 0, -4); + $oAttDef = MetaModel::GetAttributeDef(get_class($value), $aLevelsProperties[$key][$sOptionalAttribute]); - $tmpAttValue = $value->Get($aLevelsProperties[$key][$sOptionalAttribute]); + $tmpAttValue = $value->GetAsHTML($aLevelsProperties[$key][$sOptionalAttribute]); if($sOptionalAttribute === 'image_att') { if (is_object($tmpAttValue) && !$tmpAttValue->IsEmpty()) @@ -644,7 +645,7 @@ class BrowseBrickController extends BrickController } else { - $tmpAttValue = MetaModel::GetAttributeDef(get_class($value), $aLevelsProperties[$key][$sOptionalAttribute])->Get('default_image'); + $tmpAttValue = $oAttDef->Get('default_image'); } } 
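Review bot: In the `@@ -634,8` hunk the new line `$tmpAttValue = $value->GetAsHTML(...)` replaces the raw `Get()` result, but the unchanged context line just below still tests `is_object($tmpAttValue) && !$tmpAttValue->IsEmpty()` for `image_att`; if `GetAsHTML()` returns a string, as its name suggests, that test is now always false and the `default_image` fallback shown in the `@@ -644,7` hunk is taken even when an image is set. The `@@ -726,8` hunk in the same file has the same shape and the same regression. Keeping the raw value for the image test and escaping only the other attributes would preserve the intended behaviour, e.g. `$tmpAttValue = ($sOptionalAttribute === 'image_att') ? $value->Get($aLevelsProperties[$key][$sOptionalAttribute]) : $value->GetAsHTML($aLevelsProperties[$key][$sOptionalAttribute]);`. The enclosing method starts and ends outside the hunk, so where `$tmpAttValue` is finally emitted for the image case cannot be checked here.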
@@ -658,7 +659,7 @@ class BrowseBrickController extends BrickController foreach ($aLevelsProperties[$key]['fields'] as $aField) { $oAttDef = MetaModel::GetAttributeDef(get_class($value), $aField['code']); - $aRow[$key]['fields'][$aField['code']] = $oAttDef->GetValueLabel($value->Get($aField['code'])); + $aRow[$key]['fields'][$aField['code']] = $oAttDef->GetAsHTML($value->Get($aField['code'])); } } } @@ -726,8 +727,9 @@ class BrowseBrickController extends BrickController if ($aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute] !== null) { $sPropertyName = substr($sOptionalAttribute, 0, -4); + $oAttDef = MetaModel::GetAttributeDef(get_class($aCurrentRowValues[0]), $aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute]); - $tmpAttValue = $aCurrentRowValues[0]->Get($aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute]); + $tmpAttValue = $aCurrentRowValues[0]->GetAsHTML($aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute]); if($sOptionalAttribute === 'image_att') { if (is_object($tmpAttValue) && !$tmpAttValue->IsEmpty()) @@ -736,7 +738,7 @@ class BrowseBrickController extends BrickController } else { - $tmpAttValue = MetaModel::GetAttributeDef(get_class($aCurrentRowValues[0]), $aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute])->Get('default_image'); + $tmpAttValue = $oAttDef->Get('default_image'); } } diff --git a/datamodels/2.x/itop-portal-base/portal/src/controllers/managebrickcontroller.class.inc.php b/datamodels/2.x/itop-portal-base/portal/src/controllers/managebrickcontroller.class.inc.php index 76993a0a5c..8aa0536a22 100644 --- a/datamodels/2.x/itop-portal-base/portal/src/controllers/managebrickcontroller.class.inc.php +++ b/datamodels/2.x/itop-portal-base/portal/src/controllers/managebrickcontroller.class.inc.php @@ -31,6 +31,7 @@ use \AttributeDate; use \AttributeDateTime; use \AttributeDuration; use \AttributeSubItem; +use \AttributeImage; use \DBSearch; use \DBObjectSearch; use \DBObjectSet; 
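Review bot: After the `@@ -658,7` hunk, `$aRow[$key]['fields'][$aField['code']]` holds HTML-escaped markup from `GetAsHTML()` instead of the plain label from `GetValueLabel()`, which changes the contract for whatever renders these rows: a template that still escapes on output will now double-encode entities, while one that prints raw was the injection point this commit closes. Neither consumer is visible in the patch, so a short comment at the assignment would make the contract explicit, e.g. `// Already HTML-escaped by GetAsHTML(): templates must output this as raw markup, not escape it again`. The same switch is made in objectcontroller.class.inc.php (`@@ -1600,9`) and bslinkedsetfieldrenderer.class.inc.php (`@@ -598,7`) and warrants the same comment there.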
@@ -388,7 +389,7 @@ class ManageBrickController extends BrickController { // Set properties $sCurrentClass = $sKey; - + // Defining which attribute will open the edition form) $sMainActionAttrCode = $aColumnsAttrs[0]; 
@@ -444,36 +445,46 @@ class ManageBrickController extends BrickController } } - /** @var AttributeDefinition $oAttDef */ - $oAttDef = MetaModel::GetAttributeDef($sCurrentClass, $sItemAttr); - if ($oAttDef->IsExternalKey()) - { - $sValue = $oCurrentRow->Get($sItemAttr . '_friendlyname'); - - // Adding a view action on the external keys - if ($oCurrentRow->Get($sItemAttr) !== $oAttDef->GetNullValue()) + /** @var AttributeDefinition $oAttDef */ + $oAttDef = MetaModel::GetAttributeDef($sCurrentClass, $sItemAttr); + if ($oAttDef->IsExternalKey()) { - // Checking if we can view the object - if ((SecurityHelper::IsActionAllowed($oApp, UR_ACTION_READ, $oAttDef->GetTargetClass(), $oCurrentRow->Get($sItemAttr)))) + $sValue = $oCurrentRow->GetAsHTML($sItemAttr.'_friendlyname'); + + // Adding a view action on the external keys + if ($oCurrentRow->Get($sItemAttr) !== $oAttDef->GetNullValue()) { - $aActions[] = array( - 'type' => ManageBrick::ENUM_ACTION_VIEW, - 'class' => $oAttDef->GetTargetClass(), - 'id' => $oCurrentRow->Get($sItemAttr), - 'opening_target' => $oBrick->GetOpeningTarget(), - ); + // Checking if we can view the object + if ((SecurityHelper::IsActionAllowed($oApp, UR_ACTION_READ, $oAttDef->GetTargetClass(), + $oCurrentRow->Get($sItemAttr)))) + { + $aActions[] = array( + 'type' => ManageBrick::ENUM_ACTION_VIEW, + 'class' => $oAttDef->GetTargetClass(), + 'id' => $oCurrentRow->Get($sItemAttr), + 'opening_target' => $oBrick->GetOpeningTarget(), + ); + } } } - } - elseif ($oAttDef instanceof AttributeSubItem || $oAttDef instanceof AttributeDuration) - { - $sValue = $oAttDef->GetAsHTML($oCurrentRow->Get($sItemAttr)); - } - else - { - $sValue = $oAttDef->GetValueLabel($oCurrentRow->Get($sItemAttr)); - } - unset($oAttDef); + elseif ($oAttDef instanceof AttributeImage) + { + $oOrmDoc = $oCurrentRow->Get($sItemAttr); + if (is_object($oOrmDoc) && !$oOrmDoc->IsEmpty()) + { + $sUrl = $oApp['url_generator']->generate('p_object_document_display', array('sObjectClass' => 
get_class($oCurrentRow), 'sObjectId' => $oCurrentRow->GetKey(), 'sObjectField' => $sItemAttr, 'cache' => 86400)); + } + else + { + $sUrl = $oAttDef->Get('default_image'); + } + $sValue = ''; + } + else + { + $sValue = $oAttDef->GetAsHTML($oCurrentRow->Get($sItemAttr)); + } + unset($oAttDef); $aItemAttrs[$sItemAttr] = array( 'att_code' => $sItemAttr, @@ -501,7 +512,7 @@ class ManageBrickController extends BrickController } } } - + // ... And item's properties $aItems[] = array( 'id' => $oCurrentRow->GetKey(), diff --git a/datamodels/2.x/itop-portal-base/portal/src/controllers/objectcontroller.class.inc.php b/datamodels/2.x/itop-portal-base/portal/src/controllers/objectcontroller.class.inc.php index 9c35cc39e6..0cf4380440 100644 --- a/datamodels/2.x/itop-portal-base/portal/src/controllers/objectcontroller.class.inc.php +++ b/datamodels/2.x/itop-portal-base/portal/src/controllers/objectcontroller.class.inc.php @@ -42,6 +42,7 @@ use \ScalarExpression; use \DBObjectSet; use \cmdbAbstractObject; use \AttributeEnum; +use \AttributeImage; use \AttributeFinalClass; use \AttributeFriendlyName; use \UserRights; @@ -1587,7 +1588,7 @@ class ObjectController extends AbstractController if ($oAttDef->IsExternalKey()) { - $aAttData['value'] = $oObject->Get($oAttDef->GetCode() . '_friendlyname'); + $aAttData['value'] = $oObject->GetAsHTML($oAttDef->GetCode() . '_friendlyname'); // Checking if user can access object's external key if (SecurityHelper::IsActionAllowed($oApp, UR_ACTION_READ, $oAttDef->GetTargetClass())) 
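Review bot: In the new `elseif ($oAttDef instanceof AttributeImage)` branch of the `@@ -444,36` hunk, `$sUrl` is computed on both paths but, as this page renders it, `$sValue` is then assigned `''` and `$sUrl` is never consumed; if the image markup was stripped by the page rendering, the remaining point is that `$sUrl` is concatenated into an HTML attribute inside a value otherwise built from `GetAsHTML()`, so it should be escaped for that context, e.g. `htmlspecialchars($sUrl, ENT_QUOTES, 'UTF-8')`, because the `default_image` path comes from the datamodel rather than from the route generator. The same block is added verbatim in objectcontroller.class.inc.php (`@@ -1600,9`); a single helper taking the host object, the attribute code and the attribute definition would keep the two in step. The `86400` cache value is repeated in both places and would read better as a named constant. The enclosing loop and method start and end outside the hunk.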
@@ -1600,9 +1601,22 @@ class ObjectController extends AbstractController // We skip it continue; } + elseif ($oAttDef instanceof AttributeImage) + { + $oOrmDoc = $oObject->Get($oAttDef->GetCode()); + if (is_object($oOrmDoc) && !$oOrmDoc->IsEmpty()) + { + $sUrl = $oApp['url_generator']->generate('p_object_document_display', array('sObjectClass' => get_class($oObject), 'sObjectId' => $oObject->GetKey(), 'sObjectField' => $oAttDef->GetCode(), 'cache' => 86400)); + } + else + { + $sUrl = $oAttDef->Get('default_image'); + } + $aAttData['value'] = ''; + } else { - $aAttData['value'] = $oAttDef->GetValueLabel($oObject->Get($oAttDef->GetCode())); + $aAttData['value'] = $oAttDef->GetAsHTML($oObject->Get($oAttDef->GetCode())); if ($oAttDef instanceof AttributeFriendlyName) { diff --git a/sources/form/field/textareafield.class.inc.php b/sources/form/field/textareafield.class.inc.php index 9820d0e477..5e380c430d 100644 --- a/sources/form/field/textareafield.class.inc.php +++ b/sources/form/field/textareafield.class.inc.php @@ -29,6 +29,8 @@ use \Combodo\iTop\Form\Field\TextField; * Description of TextAreaField * * @author Guillaume Lajarige + * @package \Combodo\iTop\Form\Field + * @since 2.3.0 */ class TextAreaField extends TextField { @@ -113,7 +115,7 @@ class TextAreaField extends TextField { if ($this->GetFormat() == TextAreaField::ENUM_FORMAT_TEXT) { - $sValue = $this->GetCurrentValue(); + $sValue = \Str::pure2html($this->GetCurrentValue()); $sValue = AttributeText::RenderWikiHtml($sValue); return "
".str_replace("\n", "
\n", $sValue).'
'; } diff --git a/sources/renderer/bootstrap/fieldrenderer/bslinkedsetfieldrenderer.class.inc.php b/sources/renderer/bootstrap/fieldrenderer/bslinkedsetfieldrenderer.class.inc.php index 67e9ddbd23..4f3d8aae5a 100644 --- a/sources/renderer/bootstrap/fieldrenderer/bslinkedsetfieldrenderer.class.inc.php +++ b/sources/renderer/bootstrap/fieldrenderer/bslinkedsetfieldrenderer.class.inc.php @@ -576,6 +576,7 @@ EOF ); // Target object others attributes + // TODO: Support for AttriubteImage, AttributeBlob foreach ($this->oField->GetAttributesToDisplay(true) as $sAttCode) { if ($sAttCode !== 'id') @@ -598,7 +599,7 @@ EOF } else { - $aAttProperties['value'] = $oAttDef->GetValueLabel($oRemoteItem->Get($sAttCode)); + $aAttProperties['value'] = $oAttDef->GetAsHTML($oRemoteItem->Get($sAttCode)); if ($oAttDef instanceof AttributeFriendlyName) {
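Review bot: In the `@@ -113,7` hunk the escaping via `\Str::pure2html()` now runs before `AttributeText::RenderWikiHtml()`, which is correct only if that helper expects entity-encoded input and emits its own markup from it; that ordering dependency is easy to undo by a later edit and deserves a comment, e.g. `// Escape first: RenderWikiHtml() adds markup and must only see entity-encoded text`. Only the `ENUM_FORMAT_TEXT` branch is touched; the other format branch of the same method lies outside the hunk and, if it returns stored HTML unchanged, still needs its own review. The page shows the returned wrapper with its tags stripped, so the exact markup around `str_replace("\n", ...)` cannot be checked here.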