composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-02-13 15:34:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

N°1576 Portal: Security hardening.

Browse Source 
SVN:trunk[5983]
This commit is contained in:
Guillaume Lajarige
2018-07-25 14:48:11 +00:00
parent 3589783ee1
commit ab1715edec
5 changed files with 44 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
datamodels/2.x/itop-portal-base/portal/src/controllers/browsebrickcontroller.class.inc.php
View File

@@ -659,8 +659,9 @@ class BrowseBrickController extends BrickController
if ($aLevelsProperties[$key][$sOptionalAttribute] !== null)
{
$sPropertyName = substr($sOptionalAttribute, 0, -4);
$oAttDef = MetaModel::GetAttributeDef(get_class($value), $aLevelsProperties[$key][$sOptionalAttribute]);
$tmpAttValue = $value->Get($aLevelsProperties[$key][$sOptionalAttribute]);
$tmpAttValue = $value->GetAsHTML($aLevelsProperties[$key][$sOptionalAttribute]);
if($sOptionalAttribute === 'image_att')
{
if (is_object($tmpAttValue) && !$tmpAttValue->IsEmpty())
@@ -669,7 +670,7 @@ class BrowseBrickController extends BrickController
}
else
{
$tmpAttValue = MetaModel::GetAttributeDef(get_class($value), $aLevelsProperties[$key][$sOptionalAttribute])->Get('default_image');
$tmpAttValue = $oAttDef->Get('default_image');
}
}
@@ -683,7 +684,7 @@ class BrowseBrickController extends BrickController
foreach ($aLevelsProperties[$key]['fields'] as $aField)
{
$oAttDef = MetaModel::GetAttributeDef(get_class($value), $aField['code']);
$aRow[$key]['fields'][$aField['code']] = $oAttDef->GetValueLabel($value->Get($aField['code']));
$aRow[$key]['fields'][$aField['code']] = $oAttDef->GetAsHTML($value->Get($aField['code']));
}
}
}
@@ -755,8 +756,9 @@ class BrowseBrickController extends BrickController
if ($aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute] !== null)
{
$sPropertyName = substr($sOptionalAttribute, 0, -4);
$oAttDef = MetaModel::GetAttributeDef(get_class($aCurrentRowValues[0]), $aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute]);
$tmpAttValue = $aCurrentRowValues[0]->Get($aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute]);
$tmpAttValue = $aCurrentRowValues[0]->GetAsHTML($aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute]);
if($sOptionalAttribute === 'image_att')
{
if (is_object($tmpAttValue) && !$tmpAttValue->IsEmpty())
@@ -765,7 +767,7 @@ class BrowseBrickController extends BrickController
}
else
{
$tmpAttValue = MetaModel::GetAttributeDef(get_class($aCurrentRowValues[0]), $aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute])->Get('default_image');
$tmpAttValue = $oAttDef->Get('default_image');
}
}

25
datamodels/2.x/itop-portal-base/portal/src/controllers/managebrickcontroller.class.inc.php
View File

@@ -23,8 +23,7 @@ use Exception;
use AttributeDate;
use AttributeDateTime;
use AttributeDefinition;
use AttributeDuration;
use AttributeSubItem;
use AttributeImage;
use BinaryExpression;
use CMDBSource;
use Combodo\iTop\Portal\Brick\AbstractBrick;
@@ -237,7 +236,6 @@ class ManageBrickController extends BrickController
return $oApp['twig']->render(static::EXCEL_EXPORT_TEMPLATE_PATH, $aData);
}
/**
* @param \Symfony\Component\HttpFoundation\Request $oRequest
* @param \Silex\Application $oApp
@@ -586,7 +584,7 @@ class ManageBrickController extends BrickController
$oAttDef = MetaModel::GetAttributeDef($sCurrentClass, $sItemAttr);
if ($oAttDef->IsExternalKey())
{
$sValue = $oCurrentRow->Get($sItemAttr.'_friendlyname');
$sValue = $oCurrentRow->GetAsHTML($sItemAttr.'_friendlyname');
// Adding a view action on the external keys
if ($oCurrentRow->Get($sItemAttr) !== $oAttDef->GetNullValue())
@@ -604,13 +602,22 @@ class ManageBrickController extends BrickController
}
}
}
elseif ($oAttDef instanceof AttributeSubItem || $oAttDef instanceof AttributeDuration)
{
$sValue = $oAttDef->GetAsHTML($oCurrentRow->Get($sItemAttr));
}
elseif ($oAttDef instanceof AttributeImage)
{
$oOrmDoc = $oCurrentRow->Get($sItemAttr);
if (is_object($oOrmDoc) && !$oOrmDoc->IsEmpty())
{
$sUrl = $oApp['url_generator']->generate('p_object_document_display', array('sObjectClass' => get_class($oCurrentRow), 'sObjectId' => $oCurrentRow->GetKey(), 'sObjectField' => $sItemAttr, 'cache' => 86400));
}
else
{
$sUrl = $oAttDef->Get('default_image');
}
$sValue = '<img src="' . $sUrl . '" />';
}
else
{
$sValue = $oAttDef->GetValueLabel($oCurrentRow->Get($sItemAttr));
$sValue = $oAttDef->GetAsHTML($oCurrentRow->Get($sItemAttr));
}
unset($oAttDef);

18
datamodels/2.x/itop-portal-base/portal/src/controllers/objectcontroller.class.inc.php
View File

@@ -40,6 +40,7 @@ use ListExpression;
use ScalarExpression;
use DBObjectSet;
use AttributeEnum;
use AttributeImage;
use AttributeFinalClass;
use AttributeFriendlyName;
use UserRights;
@@ -1481,7 +1482,7 @@ class ObjectController extends AbstractController
if ($oAttDef->IsExternalKey())
{
$aAttData['value'] = $oObject->Get($oAttDef->GetCode() . '_friendlyname');
$aAttData['value'] = $oObject->GetAsHTML($oAttDef->GetCode() . '_friendlyname');
// Checking if user can access object's external key
if (SecurityHelper::IsActionAllowed($oApp, UR_ACTION_READ, $oAttDef->GetTargetClass()))
@@ -1494,9 +1495,22 @@ class ObjectController extends AbstractController
// We skip it
continue;
}
elseif ($oAttDef instanceof AttributeImage)
{
$oOrmDoc = $oObject->Get($oAttDef->GetCode());
if (is_object($oOrmDoc) && !$oOrmDoc->IsEmpty())
{
$sUrl = $oApp['url_generator']->generate('p_object_document_display', array('sObjectClass' => get_class($oObject), 'sObjectId' => $oObject->GetKey(), 'sObjectField' => $oAttDef->GetCode(), 'cache' => 86400));
}
else
{
$sUrl = $oAttDef->Get('default_image');
}
$aAttData['value'] = '<img src="' . $sUrl . '" />';
}
else
{
$aAttData['value'] = $oAttDef->GetValueLabel($oObject->Get($oAttDef->GetCode()));
$aAttData['value'] = $oAttDef->GetAsHTML($oObject->Get($oAttDef->GetCode()));
if ($oAttDef instanceof AttributeFriendlyName)
{

4
sources/form/field/textareafield.class.inc.php
View File

@@ -28,6 +28,8 @@ use AttributeText;
* Description of TextAreaField
*
* @author Guillaume Lajarige <guillaume.lajarige@combodo.com>
* @package \Combodo\iTop\Form\Field
* @since 2.3.0
*/
class TextAreaField extends TextField
{
@@ -112,7 +114,7 @@ class TextAreaField extends TextField
{
if ($this->GetFormat() == TextAreaField::ENUM_FORMAT_TEXT)
{
$sValue = $this->GetCurrentValue();
$sValue = \Str::pure2html($this->GetCurrentValue());
$sValue = AttributeText::RenderWikiHtml($sValue);
return "<div>".str_replace("\n", "<br>\n", $sValue).'</div>';
}

3
sources/renderer/bootstrap/fieldrenderer/bslinkedsetfieldrenderer.class.inc.php
View File

@@ -585,6 +585,7 @@ EOF
);
// Target object others attributes
// TODO: Support for AttriubteImage, AttributeBlob
foreach ($this->oField->GetAttributesToDisplay(true) as $sAttCode)
{
if ($sAttCode !== 'id')
@@ -607,7 +608,7 @@ EOF
}
else
{
$aAttProperties['value'] = $oAttDef->GetValueLabel($oRemoteItem->Get($sAttCode));
$aAttProperties['value'] = $oAttDef->GetAsHTML($oRemoteItem->Get($sAttCode));
if ($oAttDef instanceof AttributeFriendlyName)
{