Check rights/paths/objects to protect /Views/
sunnavy committed Apr 4, 2024
1 parent a5fb0ed commit 89e7ab3
Showing 2 changed files with 45 additions and 6 deletions.
30 changes: 25 additions & 5 deletions share/html/Views/Component/dhandler
Expand Up @@ -45,11 +45,6 @@
%# those contributions and any derivatives thereof.
%#
%# END BPS TAGGED BLOCK }}}
% if ( $component_name eq 'SavedSearch' ) {
% $m->comp( "/Elements/ShowSearch", %ARGS );
% } else {
% $m->comp( "/Elements/$component_name", %ARGS );
% }

<%init>
my ($component_name) = $m->dhandler_arg;
Expand All @@ -67,9 +62,34 @@ if ( $component_name eq 'SavedSearch' ) {
elsif ( $ARGS{ObjectType} && $ARGS{ObjectType}->can('Load') && $ARGS{ObjectId} ) {
my $object = $ARGS{ObjectType}->new( $session{CurrentUser} );
$object->Load( $ARGS{ObjectId} );
return unless $object->Id;

if ( $object->CurrentUserCanSee ) {
$ARGS{Object} = $object;
}
else {
Abort( loc('Permission Denied'), SuppressHeader => 1, Code => HTTP::Status::HTTP_FORBIDDEN );
}
}

my $out;
if ( $component_name eq 'SavedSearch' ) {
eval { $out = $m->scomp( "/Elements/ShowSearch", %ARGS ) };
}
else {
unless ( $m->comp_exists("/Elements/$component_name") ) {
RT->Logger->warning("Component $component_name does not exist");
Abort( loc('Invalid Path'), SuppressHeader => 1 );
}
eval { $out = $m->scomp( "/Elements/$component_name", %ARGS ) };
}

if ($@) {
RT->Logger->warning("Error loading $component_name: $@");
Abort( loc('Error'), SuppressHeader => 1 );
}
else {
$m->out($out);
}
</%init>
<%args>
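Review bot: `$ARGS{ObjectType}` is a request parameter used directly as a class name, and the new guard only tests `->can('Load')`, so any already-loaded package with a `Load` method is accepted and then `->new`, `->Load` and `->CurrentUserCanSee` are called on it outside the `eval`; a class that lacks `CurrentUserCanSee` becomes an uncaught die instead of the 403 this hunk intends. Restrict it to the record classes the view is meant for, e.g. `elsif ( $ARGS{ObjectType} && $ARGS{ObjectType} =~ /^RT::\w+$/ && $ARGS{ObjectType}->can('Load') && $ARGS{ObjectType}->can('CurrentUserCanSee') && $ARGS{ObjectId} ) {` (or an `->isa('RT::Record')` test, if that base class is where `CurrentUserCanSee` lives — confirm). `$component_name` from `dhandler_arg` is likewise interpolated into `"/Elements/$component_name"` unchanged before `comp_exists`; even if Mason normalises `..` segments, a `/^\w+$/` whitelist there is cheap defence in depth. The `if ( $component_name eq 'SavedSearch' )` chain this `elsif` belongs to starts above the hunk.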
21 changes: 20 additions & 1 deletion share/html/Views/Ticket/dhandler
Expand Up @@ -45,12 +45,31 @@
%# those contributions and any derivatives thereof.
%#
%# END BPS TAGGED BLOCK }}}
% $m->comp( "/Ticket/Elements/$component_name", Ticket => $ticket, %ARGS );
<%INIT>
return unless $id;
my ($component_name) = $m->dhandler_arg;
my $ticket = RT::Ticket->new( $session{CurrentUser} );
$ticket->Load($id);
return unless $ticket->Id;

unless ( $ticket->CurrentUserCanSee ) {
Abort( loc('Permission Denied'), SuppressHeader => 1, Code => HTTP::Status::HTTP_FORBIDDEN );
}

unless ( $m->comp_exists("/Ticket/Elements/$component_name") ) {
RT->Logger->warning( "Component $component_name does not exist" );
Abort( loc('Invalid Path'), SuppressHeader => 1 );
}

my $out;
eval { $out = $m->scomp( "/Ticket/Elements/$component_name", Ticket => $ticket, %ARGS ) };
if ($@) {
RT->Logger->warning("Error loading $component_name: $@");
Abort( loc('Error'), SuppressHeader => 1 );
}
else {
$m->out($out);
}
</%INIT>

<%ARGS>
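Review bot: In the new `scomp` call, `Ticket => $ticket, %ARGS` lets a request parameter named `Ticket` replace the object that was just loaded and rights-checked, because the later duplicate key wins in a Perl hash list; `%ARGS` here is presumably the raw request arguments, since `$id` comes from the same `<%ARGS>` block that continues below the hunk. Put the checked object last, `eval { $out = $m->scomp( "/Ticket/Elements/$component_name", %ARGS, Ticket => $ticket ) };`, or `delete $ARGS{Ticket};` before the call. `$component_name` also arrives straight from `dhandler_arg` and is interpolated into the component path before `comp_exists`; a `/^\w+$/` check on it is a cheap extra guard regardless of whether Mason canonicalises `..`.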