composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-04-23 02:28:44 +02:00
Code Issues Packages Projects Releases Wiki Activity

N°978 Portal: Display / download of blob attributes and attachments in the portal was not compatible with portal configuration and silos by-passing.

Browse Source 
SVN:trunk[4871]
This commit is contained in:
Guillaume Lajarige
2017-08-22 10:38:10 +00:00
parent b1494d0dd9
commit fe98b850d1
3 changed files with 129 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
datamodels/2.x/itop-portal-base/portal/src/controllers/browsebrickcontroller.class.inc.php
View File

@@ -1,6 +1,6 @@
<?php
// Copyright (C) 2010-2015 Combodo SARL
// Copyright (C) 2010-2017 Combodo SARL
//
// This file is part of iTop.
//
@@ -334,12 +334,12 @@ class BrowseBrickController extends BrickController
{
case BrowseBrick::ENUM_BROWSE_MODE_TREE:
case BrowseBrick::ENUM_BROWSE_MODE_MOSAIC:
static::AddToTreeItems($aItems, $aCurrentRow, $aLevelsProperties);
static::AddToTreeItems($aItems, $aCurrentRow, $aLevelsProperties, null, $oApp);
break;
case BrowseBrick::ENUM_BROWSE_MODE_LIST:
default:
$aItems[] = static::AddToFlatItems($aCurrentRow, $aLevelsProperties);
$aItems[] = static::AddToFlatItems($aCurrentRow, $aLevelsProperties, $oApp);
break;
}
}
@@ -611,7 +611,7 @@ class BrowseBrickController extends BrickController
* @param array $aLevelsProperties
* @return array
*/
public static function AddToFlatItems(array $aCurrentRow, array &$aLevelsProperties)
public static function AddToFlatItems(array $aCurrentRow, array &$aLevelsProperties, Application $oApp)
{
$aRow = array();
@@ -640,7 +640,7 @@ class BrowseBrickController extends BrickController
{
if (is_object($tmpAttValue) && !$tmpAttValue->IsEmpty())
{
$tmpAttValue = $tmpAttValue->GetDisplayURL(get_class($value), $value->GetKey(), $aLevelsProperties[$key][$sOptionalAttribute]);
$tmpAttValue = $oApp['url_generator']->generate('p_object_document_display', array('sObjectClass' => get_class($value), 'sObjectId' => $value->GetKey(), 'sObjectField' => $aLevelsProperties[$key][$sOptionalAttribute]));
}
else
{
@@ -696,7 +696,7 @@ class BrowseBrickController extends BrickController
* @param array $aCurrentRow
* @param array $aLevelsProperties
*/
public static function AddToTreeItems(array &$aItems, array $aCurrentRow, array &$aLevelsProperties, $aCurrentRowObjects = null)
public static function AddToTreeItems(array &$aItems, array $aCurrentRow, array &$aLevelsProperties, $aCurrentRowObjects = null, Application $oApp = null)
{
$aCurrentRowKeys = array_keys($aCurrentRow);
$aCurrentRowValues = array_values($aCurrentRow);
@@ -732,7 +732,7 @@ class BrowseBrickController extends BrickController
{
if (is_object($tmpAttValue) && !$tmpAttValue->IsEmpty())
{
$tmpAttValue = $tmpAttValue->GetDisplayURL(get_class($aCurrentRowValues[0]), $aCurrentRowValues[0]->GetKey(), $aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute]);
$tmpAttValue = $oApp['url_generator']->generate('p_object_document_display', array('sObjectClass' => get_class($aCurrentRowValues[0]), 'sObjectId' => $aCurrentRowValues[0]->GetKey(), 'sObjectField' => $aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute]));
}
else
{
@@ -748,7 +748,7 @@ class BrowseBrickController extends BrickController
$aCurrentRowSliced = array_slice($aCurrentRow, 1);
if (!empty($aCurrentRowSliced))
{
static::AddToTreeItems($aItems[$sCurrentIndex]['subitems'], $aCurrentRowSliced, $aLevelsProperties, $aCurrentRowObjects);
static::AddToTreeItems($aItems[$sCurrentIndex]['subitems'], $aCurrentRowSliced, $aLevelsProperties, $aCurrentRowObjects, $oApp);
}
}

99
datamodels/2.x/itop-portal-base/portal/src/controllers/objectcontroller.class.inc.php
View File

@@ -1356,10 +1356,93 @@ class ObjectController extends AbstractController
return $oResponse;
}
/**
* Handles ormDocument display / download from an object
*
* Note: This is inspired from pages/ajax.document.php, but duplicated as there is no secret mecanism for ormDocument yet.
*
* @param Request $oRequest
* @param Application $oApp
* @param string $sOperation
*/
public function DocumentAction(Request $oRequest, Application $oApp, $sOperation = null)
{
// Setting default operation
if($sOperation === null)
{
$sOperation = 'display';
}
// Retrieving ormDocument's host object
$sObjectClass = $oRequest->get('sObjectClass');
$sObjectId = $oRequest->get('sObjectId');
$sObjectField = $oRequest->get('sObjectField');
// When reaching to an Attachment, we have to check security on its host object instead of the Attachment itself
if($sObjectClass === 'Attachment')
{
$oAttachment = MetaModel::GetObject($sObjectClass, $sObjectId, true, true);
$sHostClass = $oAttachment->Get('item_class');
$sHostId = $oAttachment->Get('item_id');
}
else
{
$sHostClass = $sObjectClass;
$sHostId = $sObjectId;
}
// Checking security layers
if (!SecurityHelper::IsActionAllowed($oApp, UR_ACTION_READ, $sHostClass, $sHostId))
{
IssueLog::Warning(__METHOD__ . ' at line ' . __LINE__ . ' : User #' . UserRights::GetUserId() . ' not allowed to retrieve document from attribute ' . $sObjectField . ' as it not allowed to read ' . $sHostClass . '::' . $sHostId . ' object.');
$oApp->abort(404, Dict::S('UI:ObjectDoesNotExist'));
}
// Retrieving object
$oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* Must not be found */, $oApp['scope_validator']->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sHostClass));
if ($oObject === null)
{
// We should never be there as the secuirty helper makes sure that the object exists, but just in case.
IssueLog::Info(__METHOD__ . ' at line ' . __LINE__ . ' : Could not load object ' . $sObjectClass . '::' . $sObjectId . '.');
$oApp->abort(404, Dict::S('UI:ObjectDoesNotExist'));
}
// Setting cache timeout
// Note: Attachment download should be handle through AttachmentAction()
if($sObjectClass === 'Attachment')
{
// One year ahead: an attachement cannot change
$iCacheSec = 31556926;
}
else
{
$sCache = $oRequest->get('cache');
$iCacheSec = ($sCache !== null) ? (int) $sCache : 0;
}
$aHeaders = array();
if($iCacheSec > 0)
{
$aHeaders['Expires'] = '';
$aHeaders['Cache-Control'] = 'no-transform, public,max-age='.$iCacheSec.',s-maxage='.$iCacheSec;
// Reset the value set previously
$aHeaders['Pragma'] = 'cache';
// An arbitrary date in the past is ok
$aHeaders['Last-Modified'] = 'Wed, 15 Jun 2015 13:21:15 GMT';
}
/** @var \ormDocument $oDocument */
$oDocument = $oObject->Get($sObjectField);
$aHeaders['Content-Type'] = $oDocument->GetMimeType();
$aHeaders['Content-Disposition'] = (($sOperation === 'display') ? 'inline' : 'attachment') . ';filename="'.$oDocument->GetFileName().'"';
return new Response($oDocument->GetData(), Response::HTTP_OK, $aHeaders);
}
/**
* Handles attachment add/remove on an object
*
* Note : This is inspired from itop-attachment/ajax.attachment.php
* Note: This is inspired from itop-attachment/ajax.attachment.php
*
* @param Request $oRequest
* @param Application $oApp
@@ -1419,10 +1502,18 @@ class ObjectController extends AbstractController
break;
case 'download':
$sAttachmentId = $oRequest->get('sAttachmentId');
$sAttachmentUrl = utils::GetAbsoluteUrlAppRoot() . ATTACHMENT_DOWNLOAD_URL . $sAttachmentId;
// Preparing redirection
// - Route
$aRouteParams = array(
'sObjectClass' => 'Attachment',
'sObjectId' => $oRequest->get('sAttachmentId'),
'sObjectField' => 'contents',
);
$sRedirectRoute = $oApp['url_generator']->generate('p_object_document_download', $aRouteParams);
// - Request
$oSubRequest = Request::create($sRedirectRoute, 'GET', $oRequest->query->all(), $oRequest->cookies->all(), array(), $oRequest->server->all());
$oResponse = new RedirectResponse($sAttachmentUrl);
$oResponse = $oApp->handle($oSubRequest, HttpKernelInterface::SUB_REQUEST, true);
break;
default:

38
datamodels/2.x/itop-portal-base/portal/src/routers/objectrouter.class.inc.php
View File

@@ -1,6 +1,6 @@
<?php
// Copyright (C) 2010-2015 Combodo SARL
// Copyright (C) 2010-2017 Combodo SARL
//
// This file is part of iTop.
//
@@ -44,17 +44,6 @@ class ObjectRouter extends AbstractRouter
'callback' => 'Combodo\\iTop\\Portal\\Controller\\ObjectController::ApplyStimulusAction',
'bind' => 'p_object_apply_stimulus'
),
array('pattern' => '/object/attachment/add',
'callback' => 'Combodo\\iTop\\Portal\\Controller\\ObjectController::AttachmentAction',
'bind' => 'p_object_attachment_add'
),
array('pattern' => '/object/attachment/download/{sAttachmentId}',
'callback' => 'Combodo\\iTop\\Portal\\Controller\\ObjectController::AttachmentAction',
'bind' => 'p_object_attachment_download',
'values' => array(
'sOperation' => 'download'
)
),
array('pattern' => '/object/search',
'callback' => 'Combodo\\iTop\\Portal\\Controller\\ObjectController::SearchRegularAction',
'bind' => 'p_object_search_regular'
@@ -96,6 +85,31 @@ class ObjectRouter extends AbstractRouter
'callback' => 'Combodo\\iTop\\Portal\\Controller\\ObjectController::GetInformationsAsJsonAction',
'bind' => 'p_object_get_informations_json',
),
array('pattern' => '/object/document/display/{sObjectClass}/{sObjectId}/{sObjectField}',
'callback' => 'Combodo\\iTop\\Portal\\Controller\\ObjectController::DocumentAction',
'bind' => 'p_object_document_display',
'values' => array(
'sOperation' => 'display'
)
),
array('pattern' => '/object/document/download/{sObjectClass}/{sObjectId}/{sObjectField}',
'callback' => 'Combodo\\iTop\\Portal\\Controller\\ObjectController::DocumentAction',
'bind' => 'p_object_document_download',
'values' => array(
'sOperation' => 'download'
)
),
array('pattern' => '/object/attachment/add',
'callback' => 'Combodo\\iTop\\Portal\\Controller\\ObjectController::AttachmentAction',
'bind' => 'p_object_attachment_add'
),
array('pattern' => '/object/attachment/download/{sAttachmentId}',
'callback' => 'Combodo\\iTop\\Portal\\Controller\\ObjectController::AttachmentAction',
'bind' => 'p_object_attachment_download',
'values' => array(
'sOperation' => 'download'
)
),
);
}