(Retrofit from deveop ab1715ed) N°1576 Portal: Security hardening.

2026-05-21 00:02:17 +02:00 · 2018-07-25 16:48:11 +02:00
parent fcb6a4069a
commit e3e416b467
4 changed files with 28 additions and 9 deletions
--- a/datamodels/2.x/itop-portal-base/portal/src/controllers/browsebrickcontroller.class.inc.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/controllers/browsebrickcontroller.class.inc.php
@@ -631,8 +631,9 @@ class BrowseBrickController extends BrickController
                if ($aLevelsProperties[$key][$sOptionalAttribute] !== null)
                {
                    $sPropertyName = substr($sOptionalAttribute, 0, -4);
+                    $oAttDef = MetaModel::GetAttributeDef(get_class($value), $aLevelsProperties[$key][$sOptionalAttribute]);

-                    $tmpAttValue = $value->Get($aLevelsProperties[$key][$sOptionalAttribute]);
+                    $tmpAttValue = $value->GetAsHTML($aLevelsProperties[$key][$sOptionalAttribute]);
                    if($sOptionalAttribute === 'image_att')
                    {
                        if (is_object($tmpAttValue) && !$tmpAttValue->IsEmpty())
@@ -641,7 +642,7 @@ class BrowseBrickController extends BrickController
                        }
                        else
                        {
-                            $tmpAttValue = MetaModel::GetAttributeDef(get_class($value), $aLevelsProperties[$key][$sOptionalAttribute])->Get('default_image');
+                            $tmpAttValue = $oAttDef->Get('default_image');
                        }
                    }

@@ -655,7 +656,7 @@ class BrowseBrickController extends BrickController
 				foreach ($aLevelsProperties[$key]['fields'] as $aField)
 				{
 					$oAttDef = MetaModel::GetAttributeDef(get_class($value), $aField['code']);
-					$aRow[$key]['fields'][$aField['code']] = $oAttDef->GetValueLabel($value->Get($aField['code']));
+					$aRow[$key]['fields'][$aField['code']] = $oAttDef->GetAsHTML($value->Get($aField['code']));
 				}
 			}
 		}
@@ -723,8 +724,9 @@ class BrowseBrickController extends BrickController
                if ($aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute] !== null)
                {
                    $sPropertyName = substr($sOptionalAttribute, 0, -4);
+                    $oAttDef = MetaModel::GetAttributeDef(get_class($aCurrentRowValues[0]), $aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute]);

-                    $tmpAttValue = $aCurrentRowValues[0]->Get($aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute]);
+                    $tmpAttValue = $aCurrentRowValues[0]->GetAsHTML($aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute]);
                    if($sOptionalAttribute === 'image_att')
                    {
                        if (is_object($tmpAttValue) && !$tmpAttValue->IsEmpty())
@@ -733,7 +735,7 @@ class BrowseBrickController extends BrickController
                        }
                        else
                        {
-                            $tmpAttValue = MetaModel::GetAttributeDef(get_class($aCurrentRowValues[0]), $aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute])->Get('default_image');
+                            $tmpAttValue = $oAttDef->Get('default_image');
                        }
                    }

--- a/datamodels/2.x/itop-portal-base/portal/src/controllers/objectcontroller.class.inc.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/controllers/objectcontroller.class.inc.php
@@ -40,6 +40,7 @@ use ListExpression;
 use ScalarExpression;
 use DBObjectSet;
 use AttributeEnum;
+use AttributeImage;
 use AttributeFinalClass;
 use AttributeFriendlyName;
 use UserRights;
@@ -1597,7 +1598,7 @@ class ObjectController extends AbstractController

 			if ($oAttDef->IsExternalKey())
 			{
-				$aAttData['value'] = $oObject->Get($oAttDef->GetCode() . '_friendlyname');
+				$aAttData['value'] = $oObject->GetAsHTML($oAttDef->GetCode() . '_friendlyname');

 				// Checking if user can access object's external key
 				if (SecurityHelper::IsActionAllowed($oApp, UR_ACTION_READ, $oAttDef->GetTargetClass()))
@@ -1610,9 +1611,22 @@ class ObjectController extends AbstractController
 				// We skip it
 				continue;
 			}
+			elseif ($oAttDef instanceof AttributeImage)
+            {
+                $oOrmDoc = $oObject->Get($oAttDef->GetCode());
+                if (is_object($oOrmDoc) && !$oOrmDoc->IsEmpty())
+                {
+                    $sUrl = $oApp['url_generator']->generate('p_object_document_display', array('sObjectClass' => get_class($oObject), 'sObjectId' => $oObject->GetKey(), 'sObjectField' => $oAttDef->GetCode(), 'cache' => 86400));
+                }
+                else
+                {
+                    $sUrl = $oAttDef->Get('default_image');
+                }
+                $aAttData['value'] = '<img src="' . $sUrl . '" />';
+            }
 			else
 			{
-				$aAttData['value'] = $oAttDef->GetValueLabel($oObject->Get($oAttDef->GetCode()));
+				$aAttData['value'] = $oAttDef->GetAsHTML($oObject->Get($oAttDef->GetCode()));

 				if ($oAttDef instanceof AttributeFriendlyName)
 				{