author | sunnavy <sunnavy@bestpractical.com> | 2022-06-17 17:00:10 +0300 |
---|---|---|
committer | sunnavy <sunnavy@bestpractical.com> | 2022-06-17 17:00:10 +0300 |
commit | 024ce4644606e19ea11b47db456af34a46accf36 (patch) | |
tree | 36504fc858a22f19a44db8b82b89b9bd85c6733c /lib | |
parent | 9a571e96f25ebdca5d59613510e1646aa9bc0177 (diff) | |
parent | 03f12ca042121c94c5f35f736cabd8da84275be2 (diff) |
Merge branch 'security/4.4/ocfv-acl' into security/4.4.6-releng
Diffstat (limited to 'lib')
-rw-r--r-- | lib/RT/ObjectCustomFieldValue.pm | 32 | ||||
-rw-r--r-- | lib/RT/ObjectCustomFieldValues.pm | 9 | ||||
-rw-r--r-- | lib/RT/Record.pm | 3 | ||||
-rw-r--r-- | lib/RT/System.pm | 3 |
4 files changed, 42 insertions, 5 deletions
diff --git a/lib/RT/ObjectCustomFieldValue.pm b/lib/RT/ObjectCustomFieldValue.pm
index 0faad54131..76b72769c0 100644
--- a/lib/RT/ObjectCustomFieldValue.pm
+++ b/lib/RT/ObjectCustomFieldValue.pm
@@ -523,9 +523,9 @@ Get the OCFV cache key for this object
 sub GetOCFVCacheKey {
 my $self = shift;
- my $ocfv_key = "CustomField-" . $self->CustomField
- . '-ObjectType-' . $self->ObjectType
- . '-ObjectId-' . $self->ObjectId;
+ my $ocfv_key = "CustomField-" . $self->__Value('CustomField')
+ . '-ObjectType-' . $self->__Value('ObjectType')
+ . '-ObjectId-' . $self->__Value('ObjectId');
 return $ocfv_key;
 }
@@ -806,6 +806,32 @@ sub ExternalStoreDigest {
 return $self->_Value( 'LargeContent' );
 }
+=head2 CurrentUserCanSee
+
+Returns true if user has "SeeCustomField" on the associated CustomField
+object, otherwise false.
+
+=cut
+
+sub CurrentUserCanSee {
+ my $self = shift;
+ return $self->CustomFieldObj->CurrentUserHasRight('SeeCustomField');
+}
+
+sub _Value {
+ my $self = shift;
+ return undef unless $self->id;
+
+ unless ( $self->CurrentUserCanSee ) {
+ $RT::Logger->debug(
+ "Permission denied. User #". $self->CurrentUser->id
+ ." has no SeeCustomField right on CF #". $self->__Value('CustomField')
+ );
+ return undef;
+ }
+ return $self->SUPER::_Value(@_);
+}
+
 RT::Base->_ImportOverlays();
 1;
diff --git a/lib/RT/ObjectCustomFieldValues.pm b/lib/RT/ObjectCustomFieldValues.pm
index 83d603b2f3..54ff692c96 100644
--- a/lib/RT/ObjectCustomFieldValues.pm
+++ b/lib/RT/ObjectCustomFieldValues.pm
@@ -230,6 +230,15 @@ sub _DoCount {
 return $self->SUPER::_DoCount(@_);
 }
+
+sub AddRecord {
+ my $self = shift;
+ my ($record) = @_;
+
+ return unless $record->CurrentUserCanSee;
+ return $self->SUPER::AddRecord($record);
+}
+
 RT::Base->_ImportOverlays();
 # Clear the OCVF cache on exit to release connected RT::Ticket objects.
diff --git a/lib/RT/Record.pm b/lib/RT/Record.pm
index 642e41632d..7189125a8b 100644
--- a/lib/RT/Record.pm
+++ b/lib/RT/Record.pm
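Review bot: The switch from the `CustomField`/`ObjectType`/`ObjectId` accessors to `__Value` in GetOCFVCacheKey carries no comment saying why, so a later cleanup could revert it to the accessors and silently break the cache. The accessors go through `_Value`, which in this same commit starts returning undef when the current user lacks SeeCustomField, so the key has to be built from the raw columns to be the same for every caller. I'd add above the assignment: `# Read raw columns with __Value: the accessors go through _Value, which returns undef without SeeCustomField, and the cache key must not depend on the caller's rights.`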
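Review bot: The `_Value` override is now the single read-side access check for OCFV columns, yet neither it nor the CurrentUserCanSee POD states that `__Value` still returns the raw column unchecked and is reserved for internal use. I'd put above `sub _Value`: `# All column reads via the public accessors land here; deny unless the current user has SeeCustomField on the CF. __Value bypasses this check and is only for internal raw reads (cache key, this log line).` One thing the hunk cannot show and that is worth confirming: CustomFieldObj must load the CF without going through this object's accessors (e.g. via `__Value('CustomField')`), otherwise CurrentUserCanSee re-enters `_Value` and recurses. Minor style point: `return undef;` yields a one-element list in list context, and a bare `return;` is the usual form, although the surrounding RT code uses `return undef` elsewhere too.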
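Review bot: AddRecord now drops records the current user cannot see, but the tail of `_DoCount` visible just above still delegates to `SUPER::_DoCount`, so a count answered from SQL before the rows are loaded may exceed the number of records iteration returns; whether that is observable depends on the parent's Count, which is outside this hunk. The filter itself is the right fail-closed shape, since a record that does not pass the check is never added to the collection. The method has no POD; I'd add an `=head2 AddRecord` block saying that the record is added only if the current user has SeeCustomField on its custom field and is otherwise silently skipped, so the collection never exposes hidden values.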
@@ -2036,7 +2036,8 @@ sub _AddCustomFieldValue {
 );
 }
- my $new_content = $new_value->Content;
+ # Fall back to '' in case current user doesn't have rights.
+ my $new_content = $new_value->Content // '';
 # For datetime, we need to display them in "human" format in result message
 #XXX TODO how about date without time?
diff --git a/lib/RT/System.pm b/lib/RT/System.pm
index 6d453c41fd..e79f7571da 100644
--- a/lib/RT/System.pm
+++ b/lib/RT/System.pm
@@ -386,7 +386,8 @@ sub ExternalStorageURLFor {
 # external storage direct links disabled
 return undef if !RT->Config->Get('ExternalStorageDirectLink');
- return undef unless $Object->ContentEncoding eq 'external';
+ # If current user doesn't have rights, ContentEncoding is undef
+ return undef unless ( $Object->ContentEncoding // '' ) eq 'external';
 return $self->ExternalStorage->DownloadURLFor($Object);
 } |
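Review bot: The `// ''` fallback keeps the result message from warning, but it also means a user who may add a value yet lacks SeeCustomField gets a message describing the new value as empty; whether that path is reachable depends on the rights check earlier in `_AddCustomFieldValue`, which starts outside the hunk. The new comment should say where the undef comes from so the fallback is not mistaken for a data issue, e.g. `# Content goes through the SeeCustomField check in RT::ObjectCustomFieldValue::_Value and is undef when the current user lacks that right; fall back to '' so the message below can still be built.`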
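Review bot: The new comment in ExternalStorageURLFor explains the undef but not the consequence, which is the security-relevant part: with the `// ''` fallback the check fails closed, so a value the current user may not see never yields a download URL. That relies on ContentEncoding being read through the guarded `_Value` (presumably the override added to ObjectCustomFieldValue.pm in this commit); a later change to read it via `__Value` would reopen direct links. I'd extend the comment to `# ContentEncoding is read through the SeeCustomField-guarded _Value and is undef for users without that right; the '' fallback keeps this failing closed (no URL).` The enclosing function starts outside the hunk.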