N°8606 - Check user permissions in search operation of ajax.render.php

2026-03-11 03:54:21 +01:00 · 2026-03-10 12:08:11 +01:00
2 changed files with 12 additions and 6 deletions
--- a/pages/UI.php
+++ b/pages/UI.php
@@ -1186,12 +1186,6 @@ try {
 							if ($bRes) {
 								try {
 									$bApplyStimulus = $oObj->ApplyStimulus($sStimulus); // will write the object in the DB
-								}
-								catch (CoreCannotSaveObjectException $e) {
-									// Rollback to the previous state... by reloading the object from the database and applying the modifications again
-									$oObj = MetaModel::GetObject(get_class($oObj), $oObj->GetKey());
-									$oObj->UpdateObjectFromPostedForm('', array_keys($aExpectedAttributes), $aExpectedAttributes);
-									$sIssues = implode(' ', $e->getIssues());
 								} catch (CoreException $e) {
 									// Rollback to the previous state... by reloading the object from the database and applying the modifications again
 									$oObj = MetaModel::GetObject(get_class($oObj), $oObj->GetKey());
--- a/sources/Controller/AjaxRenderController.php
+++ b/sources/Controller/AjaxRenderController.php
@@ -42,6 +42,7 @@ use RunTimeEnvironment;
 use ScalarExpression;
 use SetupUtils;
 use UILinksWidget;
+use UserRights;
 use utils;
 use WizardHelper;

@@ -71,6 +72,12 @@ class AjaxRenderController
 			$bShowObsoleteData = utils::ShowObsoleteData();
 		}
 		$oSet->SetShowObsoleteData($bShowObsoleteData);
+
+		// N°8606 : Check user permissions on the main class
+		if (UserRights::IsActionAllowed($oSet->GetClass(), UR_ACTION_READ, $oSet) !== UR_ALLOWED_YES) {
+			throw new Exception(Dict::Format('UI:Error:ReadNotAllowedOn_Class', $oSet->GetClass()));
+		}
+
 		$aResult["draw"] = $iDrawNumber;
 		$aResult["recordsTotal"] = $oSet->Count();
 		$aResult["recordsFiltered"] = $aResult["recordsTotal"] ;
@@ -95,6 +102,11 @@ class AjaxRenderController
 						continue;
 					}

+					// N°8606 : Check user permissions on the current class
+					if (UserRights::IsActionAllowed($sClass, UR_ACTION_READ, $oSet) !== UR_ALLOWED_YES) {
+						throw new Exception(Dict::Format('UI:Error:ReadNotAllowedOn_Class', $sClass));
+					}
+
 					foreach ($aColumnsLoad[$sAlias] as $sAttCode) {
 						$aObj[$sAlias."/".$sAttCode] = $aObject[$sAlias]->GetAsHTML($sAttCode);
 						$bExcludeRawValue = false;