N°1608 - Fix attachments access rights

core/ormdocument.class.inc.php

@@ -256,7 +256,19 @@ class ormDocument
 			$oObj = MetaModel::GetObject($sClass, $id, false, false);
 			if (!is_object($oObj))
 			{
-				throw new Exception("Invalid id ($id) for class '$sClass' - the object does not exist or you are not allowed to view it");
+				// If access to the document is not granted, check if the access to the host object is allowed
+				$oObj = MetaModel::GetObject($sClass, $id, false, true);
+				if ($oObj instanceof Attachment) {
+					$sItemClass = $oObj->Get('item_class');
+					$sItemId = $oObj->Get('item_id');
+					$oHost = MetaModel::GetObject($sItemClass, $sItemId, false, false);
+					if (!is_object($oHost)) {
+						$oObj = null;
+					}
+				}
+				if (!is_object($oObj)) {
+					throw new Exception("Invalid id ($id) for class '$sClass' - the object does not exist or you are not allowed to view it");
+				}
 			}
 			if (($sSecretField != null) && ($oObj->Get($sSecretField) != $sSecretValue))
 			{
@@ -286,6 +298,7 @@ class ormDocument
 					$oObj->Set($sAttCode, $oDocument);
 					// $oObj can be a \DBObject or \cmdbAbstractObject so we ahve to protect it
 					if (method_exists($oObj, 'AllowWrite')) {
+						// AllowWrite method is implemented in cmdbAbstractObject, but $oObject could be a DBObject or CMDBObject
 						$oObj->AllowWrite();
 					}
 					$oObj->DBUpdate();

datamodels/2.x/itop-attachments/datamodel.itop-attachments.xml

@@ -186,36 +186,25 @@
           <type>Overload-ExNihilo</type>
           <code><![CDATA[	public function SetDefaultOrgId()
 	{
-		// First check that the organization CAN be fetched from the target class
-		//
-		$sClass = $this->Get('item_class');
-		$aCallSpec = array($sClass, 'MapContextParam');
-		if (is_callable($aCallSpec))
-		{
-			$sAttCode = call_user_func($aCallSpec, 'org_id'); // Returns null when there is no mapping for this parameter
-			if (MetaModel::IsValidAttCode($sClass, $sAttCode))
-			{
-				// Second: check that the organization CAN be fetched from the current user
-				//
-				if (MetaModel::IsValidClass('Person'))
-				{
-					$aCallSpec = array('Person', 'MapContextParam');
-					if (is_callable($aCallSpec))
-					{
-						$sAttCode = call_user_func($aCallSpec, 'org_id'); // Returns null when there is no mapping for this parameter
-						if (MetaModel::IsValidAttCode('Person', $sAttCode))
-						{
-							// OK - try it
-							//
-							$oCurrentPerson = MetaModel::GetObject('Person', UserRights::GetContactId(), false);
-							if ($oCurrentPerson)
-							{
-						 		$this->Set('item_org_id', $oCurrentPerson->Get($sAttCode));
-						 	}
-						}
-					}
-				}
-			}
+    // Check that the organization CAN be fetched from the current user
+    //
+    if (MetaModel::IsValidClass('Person'))
+    {
+      $aCallSpec = array('Person', 'MapContextParam');
+      if (is_callable($aCallSpec))
+      {
+        $sAttCode = call_user_func($aCallSpec, 'org_id'); // Returns null when there is no mapping for this parameter
+        if (MetaModel::IsValidAttCode('Person', $sAttCode))
+        {
+          // OK - try it
+          //
+          $oCurrentPerson = MetaModel::GetObject('Person', UserRights::GetContactId(), false);
+          if ($oCurrentPerson)
+          {
+            $this->Set('item_org_id', $oCurrentPerson->Get($sAttCode));
+          }
+        }
+      }
 		}
 	}]]></code>
         </method>

datamodels/2.x/itop-attachments/main.itop-attachments.php

@@ -280,11 +280,11 @@ class AttachmentPlugIn implements iApplicationUIExtension, iApplicationObjectExt
 		if (!is_null($sTransactionId))
 		{
 			$aActions = array();
-			$aAttachmentIds = utils::ReadParam('attachments', array());
 			$aRemovedAttachmentIds = utils::ReadParam('removed_attachments', array());
 
 			// Get all current attachments
 			$oSearch = DBObjectSearch::FromOQL("SELECT Attachment WHERE item_class = :class AND item_id = :item_id");
+			$oSearch->AllowAllData();
 			$oSet = new DBObjectSet($oSearch, array(), array('class' => get_class($oObject), 'item_id' => $oObject->GetKey()));
 			while ($oAttachment = $oSet->Fetch())
 			{
@@ -304,26 +304,24 @@ class AttachmentPlugIn implements iApplicationUIExtension, iApplicationObjectExt
 			// for this object, but deleting the "new" ones that were already removed from the form
 			$sOQL = 'SELECT Attachment WHERE temp_id = :temp_id';
 			$oSearch = DBObjectSearch::FromOQL($sOQL);
-			foreach ($aAttachmentIds as $iAttachmentId)
+			$oSearch->AllowAllData();
+			$oSet = new DBObjectSet($oSearch, array(), array('temp_id' => $sTempId));
+			while ($oAttachment = $oSet->Fetch())
 			{
-				$oSet = new DBObjectSet($oSearch, array(), array('temp_id' => $sTempId));
-				while ($oAttachment = $oSet->Fetch())
+				if (in_array($oAttachment->GetKey(), $aRemovedAttachmentIds))
 				{
-					if (in_array($oAttachment->GetKey(), $aRemovedAttachmentIds))
-					{
-						$oAttachment->DBDelete();
-						// temporary attachment removed, don't even mention it in the history
-					}
-					else
-					{
-						$oAttachment->SetItem($oObject);
-						$oAttachment->Set('temp_id', '');
-						$oAttachment->DBUpdate();
-						// temporary attachment confirmed, list it in the history
-						$aActions[] = self::GetActionChangeOp($oAttachment, true /* true => creation */);
-						$aData = ['target_object' => $oObject];
-						$oAttachment->FireEvent(EVENT_ADD_ATTACHMENT_TO_OBJECT, $aData);
-					}
+					$oAttachment->DBDelete();
+					// temporary attachment removed, don't even mention it in the history
+				}
+				else
+				{
+					$oAttachment->SetItem($oObject);
+					$oAttachment->Set('temp_id', '');
+					$oAttachment->DBUpdate();
+					// temporary attachment confirmed, list it in the history
+					$aActions[] = self::GetActionChangeOp($oAttachment, true /* true => creation */);
+					$aData = ['target_object' => $oObject];
+					$oAttachment->FireEvent(EVENT_ADD_ATTACHMENT_TO_OBJECT, $aData);
 				}
 			}
 			if (count($aActions) > 0)

datamodels/2.x/itop-attachments/renderers.itop-attachments.php

@@ -117,9 +117,11 @@ abstract class AbstractAttachmentsRenderer
 		$this->sTransactionId = $sTransactionId;
 
 		$oSearch = DBObjectSearch::FromOQL('SELECT Attachment WHERE item_class = :class AND item_id = :item_id');
+		$oSearch->AllowAllData();
 		$this->oAttachmentsSet = new DBObjectSet($oSearch, array(), array('class' => $sObjClass, 'item_id' => $iObjKey));
 
 		$oSearchTemp = DBObjectSearch::FromOQL('SELECT Attachment WHERE temp_id = :temp_id');
+		$oSearchTemp->AllowAllData();
 		$this->oTempAttachmentsSet = new DBObjectSet($oSearchTemp, array(), array('temp_id' => $this->sTransactionId));
 	}