Merge remote-tracking branch 'origin/support/2.7' into support/3.1

2026-02-12 23:14:18 +01:00 · 2025-03-03 14:36:50 +01:00
parent 94d6eca0c1 97848cea4f
commit da4457f5b4
7 changed files with 292 additions and 7 deletions
--- a/core/restservices.class.inc.php
+++ b/core/restservices.class.inc.php
@@ -156,6 +156,25 @@ class ObjectResult
 	{
 		$this->fields[$sAttCode] = $this->MakeResultValue($oObject, $sAttCode, $bExtendedOutput);
 	}
+	
+public function SanitizeContent()
+	{
+		foreach($this->fields as $sAttCode => $value)
+		{
+            try{
+			$oAttDef = MetaModel::GetAttributeDef($this->class, $sAttCode);
+            } catch (Exception $e) { // for special cases like ID
+                continue;
+            }
+			if ($oAttDef instanceof iAttributeNoGroupBy) // iAttributeNoGroupBy is equivalent to sensitive attribute
+            {
+                $this->fields[$sAttCode] = '******';
+            }
+			{
+				$this->fields[$sAttCode] = '******';
+			}
+		}
+	}
 }


@@ -221,6 +240,16 @@ class RestResultWithObjects extends RestResult
 		$sObjKey = get_class($oObject).'::'.$oObject->GetKey();
 		$this->objects[$sObjKey] = $oObjRes;
 	}
+	
+public function SanitizeContent()
+	{
+		parent::SanitizeContent();
+		
+		foreach($this->objects as $sObjKey => $oObjRes)
+		{
+			$oObjRes->SanitizeContent();
+		}
+	}
 }

 /**
@@ -308,7 +337,7 @@ class RestDelete
 *
 * @package     Core
 */
-class CoreServices implements iRestServiceProvider
+class CoreServices implements iRestServiceProvider, iRestInputSanitizer
 {
 	/**
 	 * Enumerate services delivered by this class
@@ -736,6 +765,34 @@ class CoreServices implements iRestServiceProvider
 		}
 		return $oResult;
 	}
+	
+	public function SanitizeJsonInput(string $sJsonInput): string
+	{
+        $sSanitizedJsonInput = $sJsonInput;
+        $aJsonData = json_decode($sSanitizedJsonInput, true);
+        $sOperation = $aJsonData['operation'];
+
+        switch ($sOperation) {
+            case 'core/check_credentials':
+                if (isset($aJsonData['password'])) {
+                    $aJsonData['password'] = '*****';
+                }
+                break;
+            case 'core/update':
+            case 'core/create':
+            default :
+            $sClass = $aJsonData['class'];
+            foreach ($aJsonData['fields'] as $sAttCode => $value) {
+                $oAttDef = MetaModel::GetAttributeDef($sClass, $sAttCode);
+                if ($oAttDef instanceof iAttributeNoGroupBy) // iAttributeNoGroupBy is equivalent to sensitive attribute
+                {
+                    $aJsonData['fields'][$sAttCode] = '*****';
+                }
+            }
+            break;
+        }
+		return json_encode($aJsonData, JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT);
+	}

 	/**
 	 * Helper for object deletion