Jeffrey Bostoen - 2022-07-04

I'm most definitely overlooking something.

I've enabled "attachments" on a custom class.

Now, I have assigned a client both "portal user" and "portal power user" rights. They have rights through their profiles (iTop backend) and, as far as I see, to the host object in the "classes" defined for the XML portal.

The host class does NOT contain an org_id, so the attachment's item_org_id is 0.

I believe this leads to unwanted behavior here: https://github.com/Combodo/iTop/blob/2b885beb82d1be17c858eaa5bc9fefb55e62a7f1/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php#L1130

As rights are expected, the org_id would have to be the same as that of the user.

Ideally, in this block ( https://github.com/Combodo/iTop/blob/2b885beb82d1be17c858eaa5bc9fefb55e62a7f1/datamodels/2.x/itop-portal-base/portal/src/Controller/ObjectController.php#L1103 ) there should be a condition to check if the attachment is actually org-restricted, and if not, allow "all data" (or basically also allow item_org_id = 0) to be fetched. This would also be in line with the comment right above the block.

Would a PR request be accepted?

Basically the new "if" would look like this:

        // When reaching to an Attachment, we have to check security on its host object instead of the Attachment itself
        if ($sObjectClass === 'Attachment')
        {
            $oAttachment = MetaModel::GetObject($sObjectClass, $sObjectId, true, true);
            $sHostClass = $oAttachment->Get('item_class');
            $sHostId = $oAttachment->Get('item_id');

            // Host class has no org_id, so the attachment carries no org restriction of its own
            if ($oAttachment->Get('item_org_id') == 0)
            {
                $bCheckSecurity = false;
            }
        }

Update: https://github.com/Combodo/iTop/pull/303


Last edit: Jeffrey Bostoen 2022-07-04
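Added example, not code from the post or from iTop: the "is the attachment actually org-restricted?" decision isolated as a standalone function, with the fail-closed case included. It assumes the host class is org-scoped exactly when it declares an org_id attribute (in iTop that would be determined with MetaModel::IsValidAttCode($sHostClass, 'org_id'), passed in here as a boolean), and the function name and return strings are hypothetical.

```php
<?php
// An Attachment inherits its org from its host object, so item_org_id = 0
// means "the host class has no org_id attribute", not "belongs to a foreign
// organization". The two cases must be told apart before the org comparison.
function AttachmentOrgDecision(bool $bHostHasOrgId, int $iItemOrgId, array $aUserOrgIds): string
{
    if (!$bHostHasOrgId) {
        // Host class is not org-scoped: item_org_id is always 0 here and the
        // org comparison is meaningless. Do not grant on that basis alone;
        // defer to the rights check on the host object (item_class + item_id).
        return 'check_host_object';
    }
    if ($iItemOrgId === 0) {
        // Org-scoped host but no org recorded on the attachment: fail closed.
        return 'deny';
    }
    // Org-scoped and recorded: the org must be one the portal user may see,
    // and the host object rights check still follows.
    return in_array($iItemOrgId, $aUserOrgIds, true) ? 'check_host_object' : 'deny';
}

// Constructed sample cases: [host has org_id, item_org_id, user orgs, expected]
$aCases = [
    [false, 0, [3], 'check_host_object'], // the scenario from the post
    [true,  0, [3], 'deny'],
    [true,  3, [3], 'check_host_object'],
    [true,  7, [3], 'deny'],
];
foreach ($aCases as [$bHas, $iOrg, $aOrgs, $sExpected]) {
    $sGot = AttachmentOrgDecision($bHas, $iOrg, $aOrgs);
    printf("host_has_org_id=%-5s item_org_id=%d -> %s%s\n",
        $bHas ? 'true' : 'false', $iOrg, $sGot, $sGot === $sExpected ? '' : ' (UNEXPECTED)');
}
```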