N°7873 - Portal: Brick visible despite XML security tag allowed profiles

2026-02-13 07:24:13 +01:00 · 2025-01-13 11:06:03 +01:00
parent efb7831a5a
commit a4490e2b5f
2 changed files with 100 additions and 4 deletions
--- a/datamodels/2.x/itop-portal-base/portal/src/Helper/ApplicationHelper.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/Helper/ApplicationHelper.php
@@ -100,9 +100,9 @@ class ApplicationHelper
 		try
 		{
 			// Allowed profiles
-			if ($oBrick->GetAllowedProfilesOql() !== null && $oBrick->GetAllowedProfilesOql() !== '')
+			if (utils::IsNotNullOrEmptyString($oBrick->GetAllowedProfilesOql()))
 			{
-				$oSearch = DBObjectSearch::FromOQL($oBrick->GetAllowedProfilesOql());
+				$oSearch = DBObjectSearch::FromOQL_AllData($oBrick->GetAllowedProfilesOql());
 				$oSet = new DBObjectSet($oSearch);
 				while ($oProfile = $oSet->Fetch())
 				{
@@ -111,9 +111,9 @@ class ApplicationHelper
 			}

 			// Denied profiles
-			if ($oBrick->GetDeniedProfilesOql() !== null && $oBrick->GetDeniedProfilesOql() !== '')
+			if (utils::IsNotNullOrEmptyString($oBrick->GetDeniedProfilesOql()))
 			{
-				$oSearch = DBObjectSearch::FromOQL($oBrick->GetDeniedProfilesOql());
+				$oSearch = DBObjectSearch::FromOQL_AllData($oBrick->GetDeniedProfilesOql());
 				$oSet = new DBObjectSet($oSearch);
 				while ($oProfile = $oSet->Fetch())
 				{
--- a/tests/php-unit-tests/unitary-tests/datamodels/2.x/itop-portal-base/ApplicationHelperTest.php
+++ b/tests/php-unit-tests/unitary-tests/datamodels/2.x/itop-portal-base/ApplicationHelperTest.php
@@ -0,0 +1,96 @@
+<?php
+
+namespace Combodo\iTop\Test\UnitTest\Module\iTopPortalBase;
+/**
+ * Copyright (C) 2010-2024 Combodo SAS
+ *
+ *   This file is part of iTop.
+ *
+ *   iTop is free software; you can redistribute it and/or modify
+ *   it under the terms of the GNU Affero General Public License as published by
+ *   the Free Software Foundation, either version 3 of the License, or
+ *   (at your option) any later version.
+ *
+ *   iTop is distributed in the hope that it will be useful,
+ *   but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *   GNU Affero General Public License for more details.
+ *
+ *   You should have received a copy of the GNU Affero General Public License
+ *   along with iTop. If not, see <http: *www.gnu.org/licenses/>
+ *
+ */
+
+use Combodo\iTop\Portal\Brick\AbstractBrick;
+use Combodo\iTop\Portal\Helper\ApplicationHelper;
+use Combodo\iTop\Test\UnitTest\ItopDataTestCase;
+
+/**
+ * @covers \Combodo\iTop\Portal\Helper\RequestManipulatorHelper
+ */
+class ApplicationHelperTest extends ItopDataTestCase
+{
+	const PASSWORD = "aBCDEFG@123456789";
+
+	protected function LoadRequiredItopFiles(): void
+	{
+		parent::LoadRequiredItopFiles();
+		$this->RequireOnceItopFile('datamodels/2.x/itop-portal-base/portal/src/Helper/ApplicationHelper.php');
+	}
+
+	public static function LoadBrickSecurityProvider()
+	{
+		return [
+			'can access admin profile' => [
+				'associated_profile' => 'Administrator',
+			],
+			'cannot access admin profile' => [
+				'associated_profile' => 'Portal user',
+			],
+		];
+	}
+
+	/**
+	 * @dataProvider LoadBrickSecurityProvider
+	 */
+	public function testLoadBrickSecurity_GetAllowedProfilesOql(string $sAssociatedProfileName)
+	{
+		$oBrick = $this->createMock(AbstractBrick::class);
+		$oBrick->expects($this->any())
+			->method('GetAllowedProfilesOql')
+			->willReturn("SELECT URP_Profiles WHERE name IN ('Administrator')");
+
+		$oBrick->expects($this->exactly(1))
+			->method('AddAllowedProfile')
+			->willReturn("Administrator");
+
+		$_SESSION = [];
+		$oUser = $this->CreateContactlessUser("$sAssociatedProfileName-" . uniqid(), self::$aURP_Profiles[$sAssociatedProfileName], self::PASSWORD);
+		\UserRights::Login($oUser->Get('login'));
+
+		$this->InvokeNonPublicStaticMethod(ApplicationHelper::class, 'LoadBrickSecurity', [$oBrick]);
+	}
+
+	/**
+	 * @dataProvider LoadBrickSecurityProvider
+	 */
+	public function testLoadBrickSecurity_GetDeniedProfilesOql(string $sAssociatedProfileName)
+	{
+		$oBrick = $this->createMock(AbstractBrick::class);
+		$oBrick->expects($this->any())
+			->method('GetDeniedProfilesOql')
+			->willReturn("SELECT URP_Profiles WHERE name IN ('Administrator')");
+
+		$oBrick->expects($this->exactly(1))
+			->method('AddDeniedProfile')
+			->willReturn("Administrator");
+
+		$_SESSION = [];
+		$oUser = $this->CreateContactlessUser("$sAssociatedProfileName-" . uniqid(), self::$aURP_Profiles[$sAssociatedProfileName], self::PASSWORD);
+		\UserRights::Login($oUser->Get('login'));
+
+		$this->InvokeNonPublicStaticMethod(ApplicationHelper::class, 'LoadBrickSecurity', [$oBrick]);
+	}
+
+
+}