composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-04-24 02:58:43 +02:00
Code Issues Packages Projects Releases Wiki Activity

N°1232 Portal: Harmonize right checks for external url in forms

Browse Source
This commit is contained in:
Stephen Abello
2019-08-02 11:04:32 +02:00
parent 305b236f41
commit d2015b7d7b
5 changed files with 8 additions and 88 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
datamodels/2.x/itop-portal-base/portal/src/Form/ObjectFormManager.php
View File

@@ -29,7 +29,6 @@ use CMDBSource;
use Combodo\iTop\Form\Field\Field; use Combodo\iTop\Form\Field\Field;
use Combodo\iTop\Form\Field\FileUploadField; use Combodo\iTop\Form\Field\FileUploadField;
use Combodo\iTop\Form\Field\LabelField; use Combodo\iTop\Form\Field\LabelField;
use Combodo\iTop\Form\Field\SelectObjectField;
use Combodo\iTop\Form\Form; use Combodo\iTop\Form\Form;
use Combodo\iTop\Form\FormManager; use Combodo\iTop\Form\FormManager;
use Combodo\iTop\Portal\Helper\ApplicationHelper; use Combodo\iTop\Portal\Helper\ApplicationHelper;
@@ -827,20 +826,6 @@ class ObjectFormManager extends FormManager
else else
{ {
$oField->SetReadOnly(true); $oField->SetReadOnly(true);
// Specific operation on field
// - SelectObjectField
if ($oField instanceof SelectObjectField)
{
// - Set if remote object can be accessed
if ($this->oContainer !== null && !$oAttDef->IsNull($oField->GetCurrentValue()) && !is_null($oField->GetSearch()))
{
$sRemoteObjectFieldClass = $oField->GetSearch()->GetClass();
$sRemoteObjectFieldId = $oField->GetCurrentValue();
$bIsRemoteObjectReadAllowed = $this->oContainer->get('security_helper')->IsActionAllowed(UR_ACTION_READ, $sRemoteObjectFieldClass, $sRemoteObjectFieldId);
$oField->SetRemoteObjectAccessible($bIsRemoteObjectReadAllowed);
}
}
} }
} }

1
sources/autoload.php
View File

@@ -42,7 +42,6 @@ require_once APPROOT . 'sources/form/field/caselogfield.class.inc.php';
require_once APPROOT . 'sources/form/field/multiplechoicesfield.class.inc.php'; require_once APPROOT . 'sources/form/field/multiplechoicesfield.class.inc.php';
require_once APPROOT . 'sources/form/field/selectfield.class.inc.php'; require_once APPROOT . 'sources/form/field/selectfield.class.inc.php';
require_once APPROOT . 'sources/form/field/multipleselectfield.class.inc.php'; require_once APPROOT . 'sources/form/field/multipleselectfield.class.inc.php';
require_once APPROOT . 'sources/form/field/remoteobjectfield.class.inc.php';
require_once APPROOT . 'sources/form/field/selectobjectfield.class.inc.php'; require_once APPROOT . 'sources/form/field/selectobjectfield.class.inc.php';
require_once APPROOT . 'sources/form/field/checkboxfield.class.inc.php'; require_once APPROOT . 'sources/form/field/checkboxfield.class.inc.php';
require_once APPROOT . 'sources/form/field/radiofield.class.inc.php'; require_once APPROOT . 'sources/form/field/radiofield.class.inc.php';

66
sources/form/field/remoteobjectfield.class.inc.php
View File

@@ -1,66 +0,0 @@
<?php
/**
* Copyright (C) 2013-2019 Combodo SARL
*
* This file is part of iTop.
*
* iTop is free software; you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* iTop is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
*/
namespace Combodo\iTop\Form\Field;
use Closure;
/**
* Fields pointing to a remote object
*
* @author Guillaume Lajarige <guillaume.lajarige@combodo.com>
* @since 2.7.0
*/
abstract class RemoteObjectField extends Field
{
/** @var bool DEFAULT_IS_REMOTE_OBJECT_ACCESSIBLE */
const DEFAULT_IS_REMOTE_OBJECT_ACCESSIBLE = true;
/** @var boolean $bIsRemoteObjectAccessible */
protected $bIsRemoteObjectAccessible;
/**
* @inheritDoc
*/
public function __construct($sId, Closure $onFinalizeCallback = null)
{
parent::__construct($sId, $onFinalizeCallback);
$this->bIsRemoteObjectAccessible = static::DEFAULT_IS_REMOTE_OBJECT_ACCESSIBLE;
}
/**
* Return true if the remote object pointed by this field is accessible
*
* @return boolean
*/
public function GetRemoteObjectAccessible()
{
return $this->bIsRemoteObjectAccessible;
}
/**
* @param boolean $bIsRemoteObjectAccessible
*/
public function SetRemoteObjectAccessible($bIsRemoteObjectAccessible)
{
$this->bIsRemoteObjectAccessible = $bIsRemoteObjectAccessible;
}
}

10
sources/form/field/selectobjectfield.class.inc.php
View File

@@ -32,7 +32,7 @@ use ScalarExpression;
* *
* @author Romain Quetiez <romain.quetiez@combodo.com> * @author Romain Quetiez <romain.quetiez@combodo.com>
*/ */
class SelectObjectField extends RemoteObjectField class SelectObjectField extends Field
{ {
protected $oSearch; protected $oSearch;
protected $iMaximumComboLength; protected $iMaximumComboLength;
@@ -100,6 +100,7 @@ class SelectObjectField extends RemoteObjectField
* Setting the value will automatically add/remove a MandatoryValidator to the Field * Setting the value will automatically add/remove a MandatoryValidator to the Field
* *
* @param boolean $bMandatory * @param boolean $bMandatory
*
* @return \Combodo\iTop\Form\Field\Field * @return \Combodo\iTop\Form\Field\Field
*/ */
public function SetMandatory($bMandatory) public function SetMandatory($bMandatory)
@@ -169,14 +170,15 @@ class SelectObjectField extends RemoteObjectField
*/ */
public function VerifyCurrentValue($bAlways = false) public function VerifyCurrentValue($bAlways = false)
{ {
if(!$this->GetReadOnly() || $bAlways) if (!$this->GetReadOnly() || $bAlways)
{ {
$oValuesScope = $this->GetSearch()->DeepClone(); $oValuesScope = $this->GetSearch()->DeepClone();
$oBinaryExp = new BinaryExpression(new FieldExpression('id', $oValuesScope->GetClassAlias()), '=', new ScalarExpression($this->currentValue)); $oBinaryExp = new BinaryExpression(new FieldExpression('id', $oValuesScope->GetClassAlias()), '=',
new ScalarExpression($this->currentValue));
$oValuesScope->AddConditionExpression($oBinaryExp); $oValuesScope->AddConditionExpression($oBinaryExp);
$oValuesSet = new DBObjectSet($oValuesScope); $oValuesSet = new DBObjectSet($oValuesScope);
if($oValuesSet->Count() === 0) if ($oValuesSet->Count() === 0)
{ {
$this->currentValue = null; $this->currentValue = null;
} }

4
sources/renderer/bootstrap/fieldrenderer/bsselectobjectfieldrenderer.class.inc.php
View File

@@ -329,9 +329,9 @@ EOF
// Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated // Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
$oFieldValue = MetaModel::GetObject($sFieldValueClass, $this->oField->GetCurrentValue(), true, true); $oFieldValue = MetaModel::GetObject($sFieldValueClass, $this->oField->GetCurrentValue(), true, true);
$sFieldHtmlValue = $oFieldValue->GetName(); $sFieldHtmlValue = $oFieldValue->GetName();
if ($this->oField->GetRemoteObjectAccessible()) $sFieldUrl = ApplicationContext::MakeObjectUrl($sFieldValueClass, $this->oField->GetCurrentValue());
if(!empty($sFieldUrl))
{ {
$sFieldUrl = ApplicationContext::MakeObjectUrl($sFieldValueClass, $this->oField->GetCurrentValue());
$sFieldHtmlValue = '<a href="'.$sFieldUrl.'" data-toggle="itop-portal-modal">'.$sFieldHtmlValue.'</a>'; $sFieldHtmlValue = '<a href="'.$sFieldUrl.'" data-toggle="itop-portal-modal">'.$sFieldHtmlValue.'</a>';
} }
} }