(Cherry pick from develop ab1715e) N°1576 Portal: Security hardening.

This commit is contained in:
Guillaume Lajarige
2018-07-25 16:48:11 +02:00
committed by Molkobain
parent 4b4bb6aa0b
commit a0171ac9cf
5 changed files with 67 additions and 37 deletions


@@ -634,8 +634,9 @@ class BrowseBrickController extends BrickController
if ($aLevelsProperties[$key][$sOptionalAttribute] !== null) if ($aLevelsProperties[$key][$sOptionalAttribute] !== null)
{ {
$sPropertyName = substr($sOptionalAttribute, 0, -4); $sPropertyName = substr($sOptionalAttribute, 0, -4);
$oAttDef = MetaModel::GetAttributeDef(get_class($value), $aLevelsProperties[$key][$sOptionalAttribute]);
$tmpAttValue = $value->Get($aLevelsProperties[$key][$sOptionalAttribute]); $tmpAttValue = $value->GetAsHTML($aLevelsProperties[$key][$sOptionalAttribute]);
if($sOptionalAttribute === 'image_att') if($sOptionalAttribute === 'image_att')
{ {
if (is_object($tmpAttValue) && !$tmpAttValue->IsEmpty()) if (is_object($tmpAttValue) && !$tmpAttValue->IsEmpty())
@@ -644,7 +645,7 @@ class BrowseBrickController extends BrickController
} }
else else
{ {
$tmpAttValue = MetaModel::GetAttributeDef(get_class($value), $aLevelsProperties[$key][$sOptionalAttribute])->Get('default_image'); $tmpAttValue = $oAttDef->Get('default_image');
} }
} }
@@ -658,7 +659,7 @@ class BrowseBrickController extends BrickController
foreach ($aLevelsProperties[$key]['fields'] as $aField) foreach ($aLevelsProperties[$key]['fields'] as $aField)
{ {
$oAttDef = MetaModel::GetAttributeDef(get_class($value), $aField['code']); $oAttDef = MetaModel::GetAttributeDef(get_class($value), $aField['code']);
$aRow[$key]['fields'][$aField['code']] = $oAttDef->GetValueLabel($value->Get($aField['code'])); $aRow[$key]['fields'][$aField['code']] = $oAttDef->GetAsHTML($value->Get($aField['code']));
} }
} }
} }
@@ -726,8 +727,9 @@ class BrowseBrickController extends BrickController
if ($aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute] !== null) if ($aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute] !== null)
{ {
$sPropertyName = substr($sOptionalAttribute, 0, -4); $sPropertyName = substr($sOptionalAttribute, 0, -4);
$oAttDef = MetaModel::GetAttributeDef(get_class($aCurrentRowValues[0]), $aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute]);
$tmpAttValue = $aCurrentRowValues[0]->Get($aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute]); $tmpAttValue = $aCurrentRowValues[0]->GetAsHTML($aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute]);
if($sOptionalAttribute === 'image_att') if($sOptionalAttribute === 'image_att')
{ {
if (is_object($tmpAttValue) && !$tmpAttValue->IsEmpty()) if (is_object($tmpAttValue) && !$tmpAttValue->IsEmpty())
@@ -736,7 +738,7 @@ class BrowseBrickController extends BrickController
} }
else else
{ {
$tmpAttValue = MetaModel::GetAttributeDef(get_class($aCurrentRowValues[0]), $aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute])->Get('default_image'); $tmpAttValue = $oAttDef->Get('default_image');
} }
} }
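Review bot: In the new `$tmpAttValue = $value->GetAsHTML(...)` assignment near the top of the first hunk, the `image_att` case is then tested with `is_object($tmpAttValue) && !$tmpAttValue->IsEmpty()`; if GetAsHTML returns a rendered string (as its name suggests and as every other hunk in this commit uses it), that check can never be true and every image silently falls through to `$oAttDef->Get('default_image')`. The image branch still needs the raw attribute value, so fetch it with Get() only there: `$tmpAttValue = ($sOptionalAttribute === 'image_att') ? $value->Get($aLevelsProperties[$key][$sOptionalAttribute]) : $value->GetAsHTML($aLevelsProperties[$key][$sOptionalAttribute]);`. The same applies to the third hunk, where `$aCurrentRowValues[0]->GetAsHTML(...)` is followed by the identical is_object check. The enclosing methods start and end outside these hunks.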


@@ -31,6 +31,7 @@ use \AttributeDate;
use \AttributeDateTime; use \AttributeDateTime;
use \AttributeDuration; use \AttributeDuration;
use \AttributeSubItem; use \AttributeSubItem;
use \AttributeImage;
use \DBSearch; use \DBSearch;
use \DBObjectSearch; use \DBObjectSearch;
use \DBObjectSet; use \DBObjectSet;
@@ -388,7 +389,7 @@ class ManageBrickController extends BrickController
{ {
// Set properties // Set properties
$sCurrentClass = $sKey; $sCurrentClass = $sKey;
// Defining which attribute will open the edition form) // Defining which attribute will open the edition form)
$sMainActionAttrCode = $aColumnsAttrs[0]; $sMainActionAttrCode = $aColumnsAttrs[0];
@@ -444,36 +445,46 @@ class ManageBrickController extends BrickController
} }
} }
/** @var AttributeDefinition $oAttDef */ /** @var AttributeDefinition $oAttDef */
$oAttDef = MetaModel::GetAttributeDef($sCurrentClass, $sItemAttr); $oAttDef = MetaModel::GetAttributeDef($sCurrentClass, $sItemAttr);
if ($oAttDef->IsExternalKey()) if ($oAttDef->IsExternalKey())
{
$sValue = $oCurrentRow->Get($sItemAttr . '_friendlyname');
// Adding a view action on the external keys
if ($oCurrentRow->Get($sItemAttr) !== $oAttDef->GetNullValue())
{ {
// Checking if we can view the object $sValue = $oCurrentRow->GetAsHTML($sItemAttr.'_friendlyname');
if ((SecurityHelper::IsActionAllowed($oApp, UR_ACTION_READ, $oAttDef->GetTargetClass(), $oCurrentRow->Get($sItemAttr))))
// Adding a view action on the external keys
if ($oCurrentRow->Get($sItemAttr) !== $oAttDef->GetNullValue())
{ {
$aActions[] = array( // Checking if we can view the object
'type' => ManageBrick::ENUM_ACTION_VIEW, if ((SecurityHelper::IsActionAllowed($oApp, UR_ACTION_READ, $oAttDef->GetTargetClass(),
'class' => $oAttDef->GetTargetClass(), $oCurrentRow->Get($sItemAttr))))
'id' => $oCurrentRow->Get($sItemAttr), {
'opening_target' => $oBrick->GetOpeningTarget(), $aActions[] = array(
); 'type' => ManageBrick::ENUM_ACTION_VIEW,
'class' => $oAttDef->GetTargetClass(),
'id' => $oCurrentRow->Get($sItemAttr),
'opening_target' => $oBrick->GetOpeningTarget(),
);
}
} }
} }
} elseif ($oAttDef instanceof AttributeImage)
elseif ($oAttDef instanceof AttributeSubItem || $oAttDef instanceof AttributeDuration) {
{ $oOrmDoc = $oCurrentRow->Get($sItemAttr);
$sValue = $oAttDef->GetAsHTML($oCurrentRow->Get($sItemAttr)); if (is_object($oOrmDoc) && !$oOrmDoc->IsEmpty())
} {
else $sUrl = $oApp['url_generator']->generate('p_object_document_display', array('sObjectClass' => get_class($oCurrentRow), 'sObjectId' => $oCurrentRow->GetKey(), 'sObjectField' => $sItemAttr, 'cache' => 86400));
{ }
$sValue = $oAttDef->GetValueLabel($oCurrentRow->Get($sItemAttr)); else
} {
unset($oAttDef); $sUrl = $oAttDef->Get('default_image');
}
$sValue = '<img src="' . $sUrl . '" />';
}
else
{
$sValue = $oAttDef->GetAsHTML($oCurrentRow->Get($sItemAttr));
}
unset($oAttDef);
$aItemAttrs[$sItemAttr] = array( $aItemAttrs[$sItemAttr] = array(
'att_code' => $sItemAttr, 'att_code' => $sItemAttr,
@@ -501,7 +512,7 @@ class ManageBrickController extends BrickController
} }
} }
} }
// ... And item's properties // ... And item's properties
$aItems[] = array( $aItems[] = array(
'id' => $oCurrentRow->GetKey(), 'id' => $oCurrentRow->GetKey(),
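Review bot: In the new AttributeImage branch, `$sValue = '<img src="' . $sUrl . '" />';` concatenates `$sUrl` into an HTML attribute without escaping, although the rest of this hunk now routes values through GetAsHTML precisely to stop raw values reaching the page. The generated route URL is presumably already URL-encoded and `default_image` comes from the data model rather than from user input, so the practical exposure looks low, but a hardening commit should escape for the attribute context explicitly: `$sValue = '<img src="' . htmlspecialchars($sUrl, ENT_QUOTES, 'UTF-8') . '" />';`. The same construction is added in ObjectController's AttributeImage branch in this commit and should get the same treatment. The enclosing method starts and ends outside the hunk.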


@@ -42,6 +42,7 @@ use \ScalarExpression;
use \DBObjectSet; use \DBObjectSet;
use \cmdbAbstractObject; use \cmdbAbstractObject;
use \AttributeEnum; use \AttributeEnum;
use \AttributeImage;
use \AttributeFinalClass; use \AttributeFinalClass;
use \AttributeFriendlyName; use \AttributeFriendlyName;
use \UserRights; use \UserRights;
@@ -1587,7 +1588,7 @@ class ObjectController extends AbstractController
if ($oAttDef->IsExternalKey()) if ($oAttDef->IsExternalKey())
{ {
$aAttData['value'] = $oObject->Get($oAttDef->GetCode() . '_friendlyname'); $aAttData['value'] = $oObject->GetAsHTML($oAttDef->GetCode() . '_friendlyname');
// Checking if user can access object's external key // Checking if user can access object's external key
if (SecurityHelper::IsActionAllowed($oApp, UR_ACTION_READ, $oAttDef->GetTargetClass())) if (SecurityHelper::IsActionAllowed($oApp, UR_ACTION_READ, $oAttDef->GetTargetClass()))
@@ -1600,9 +1601,22 @@ class ObjectController extends AbstractController
// We skip it // We skip it
continue; continue;
} }
elseif ($oAttDef instanceof AttributeImage)
{
$oOrmDoc = $oObject->Get($oAttDef->GetCode());
if (is_object($oOrmDoc) && !$oOrmDoc->IsEmpty())
{
$sUrl = $oApp['url_generator']->generate('p_object_document_display', array('sObjectClass' => get_class($oObject), 'sObjectId' => $oObject->GetKey(), 'sObjectField' => $oAttDef->GetCode(), 'cache' => 86400));
}
else
{
$sUrl = $oAttDef->Get('default_image');
}
$aAttData['value'] = '<img src="' . $sUrl . '" />';
}
else else
{ {
$aAttData['value'] = $oAttDef->GetValueLabel($oObject->Get($oAttDef->GetCode())); $aAttData['value'] = $oAttDef->GetAsHTML($oObject->Get($oAttDef->GetCode()));
if ($oAttDef instanceof AttributeFriendlyName) if ($oAttDef instanceof AttributeFriendlyName)
{ {


@@ -29,6 +29,8 @@ use \Combodo\iTop\Form\Field\TextField;
* Description of TextAreaField * Description of TextAreaField
* *
* @author Guillaume Lajarige <guillaume.lajarige@combodo.com> * @author Guillaume Lajarige <guillaume.lajarige@combodo.com>
* @package \Combodo\iTop\Form\Field
* @since 2.3.0
*/ */
class TextAreaField extends TextField class TextAreaField extends TextField
{ {
@@ -113,7 +115,7 @@ class TextAreaField extends TextField
{ {
if ($this->GetFormat() == TextAreaField::ENUM_FORMAT_TEXT) if ($this->GetFormat() == TextAreaField::ENUM_FORMAT_TEXT)
{ {
$sValue = $this->GetCurrentValue(); $sValue = \Str::pure2html($this->GetCurrentValue());
$sValue = AttributeText::RenderWikiHtml($sValue); $sValue = AttributeText::RenderWikiHtml($sValue);
return "<div>".str_replace("\n", "<br>\n", $sValue).'</div>'; return "<div>".str_replace("\n", "<br>\n", $sValue).'</div>';
} }
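Review bot: The new `\Str::pure2html($this->GetCurrentValue())` line deserves a short comment on the ordering, since the escaped string is immediately passed to `AttributeText::RenderWikiHtml` and a reader may wonder whether wiki rendering of already-escaped text is intended; something like `// Escape the raw text first so user content is never emitted as markup; RenderWikiHtml is expected to add its own tags on top of escaped text`. The branch taken when GetFormat() is not ENUM_FORMAT_TEXT is outside the hunk, so whether HTML-format values are escaped elsewhere cannot be checked here. The enclosing method starts and ends outside the hunk.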


@@ -576,6 +576,7 @@ EOF
); );
// Target object others attributes // Target object others attributes
// TODO: Support for AttriubteImage, AttributeBlob
foreach ($this->oField->GetAttributesToDisplay(true) as $sAttCode) foreach ($this->oField->GetAttributesToDisplay(true) as $sAttCode)
{ {
if ($sAttCode !== 'id') if ($sAttCode !== 'id')
@@ -598,7 +599,7 @@ EOF
} }
else else
{ {
$aAttProperties['value'] = $oAttDef->GetValueLabel($oRemoteItem->Get($sAttCode)); $aAttProperties['value'] = $oAttDef->GetAsHTML($oRemoteItem->Get($sAttCode));
if ($oAttDef instanceof AttributeFriendlyName) if ($oAttDef instanceof AttributeFriendlyName)
{ {
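Review bot: The TODO added at the top of the first hunk misspells the class name; it should read `// TODO: Support for AttributeImage, AttributeBlob`. It would also help to record in that comment that ManageBrickController and ObjectController gain an AttributeImage branch in this same commit, so the `$oAttDef->GetAsHTML(...)` rendering in the second hunk diverges from them for image attributes until the TODO is addressed. The enclosing foreach and method start and end outside the hunks.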