author | sunnavy <sunnavy@bestpractical.com> | 2022-06-17 17:02:32 +0300 |
---|---|---|
committer | sunnavy <sunnavy@bestpractical.com> | 2022-06-17 17:02:32 +0300 |
commit | f414560c454ed871c88fc0ac45b3e42ca4aa55a3 (patch) | |
tree | ee8574d66d4f39e19a49a739f1b30a5f6262828e /lib | |
parent | c473555a298254ce0ef2570b6732728225e0671e (diff) | |
parent | 03f12ca042121c94c5f35f736cabd8da84275be2 (diff) |
Merge branch 'security/4.4/ocfv-acl' into security/5.0.3-releng
Diffstat (limited to 'lib')
-rw-r--r-- | lib/RT/ObjectCustomFieldValue.pm | 32 | ||||
-rw-r--r-- | lib/RT/ObjectCustomFieldValues.pm | 9 | ||||
-rw-r--r-- | lib/RT/Record.pm | 3 | ||||
-rw-r--r-- | lib/RT/System.pm | 3 |
4 files changed, 42 insertions, 5 deletions
diff --git a/lib/RT/ObjectCustomFieldValue.pm b/lib/RT/ObjectCustomFieldValue.pm
index 3c8a131cea..e28c33765c 100644
--- a/lib/RT/ObjectCustomFieldValue.pm
+++ b/lib/RT/ObjectCustomFieldValue.pm
@@ -523,9 +523,9 @@ Get the OCFV cache key for this object
 
 sub GetOCFVCacheKey {
     my $self = shift;
-    my $ocfv_key = "CustomField-" . $self->CustomField
-        . '-ObjectType-' . $self->ObjectType
-        . '-ObjectId-' . $self->ObjectId;
+    my $ocfv_key = "CustomField-" . $self->__Value('CustomField')
+        . '-ObjectType-' . $self->__Value('ObjectType')
+        . '-ObjectId-' . $self->__Value('ObjectId');
     return $ocfv_key;
 }
 
@@ -806,6 +806,32 @@ sub ExternalStoreDigest {
     return $self->_Value( 'LargeContent' );
 }
 
+=head2 CurrentUserCanSee
+
+Returns true if user has "SeeCustomField" on the associated CustomField
+object, otherwise false.
+
+=cut
+
+sub CurrentUserCanSee {
+    my $self = shift;
+    return $self->CustomFieldObj->CurrentUserHasRight('SeeCustomField');
+}
+
+sub _Value {
+    my $self = shift;
+    return undef unless $self->id;
+
+    unless ( $self->CurrentUserCanSee ) {
+        $RT::Logger->debug(
+            "Permission denied. User #". $self->CurrentUser->id
+            ." has no SeeCustomField right on CF #". $self->__Value('CustomField')
+        );
+        return undef;
+    }
+    return $self->SUPER::_Value(@_);
+}
+
 RT::Base->_ImportOverlays();
 
 1;
diff --git a/lib/RT/ObjectCustomFieldValues.pm b/lib/RT/ObjectCustomFieldValues.pm
index 269a5ec9aa..393bf23e15 100644
--- a/lib/RT/ObjectCustomFieldValues.pm
+++ b/lib/RT/ObjectCustomFieldValues.pm
@@ -208,6 +208,15 @@ sub HasEntry {
     }
 }
 
+
+sub AddRecord {
+    my $self = shift;
+    my ($record) = @_;
+
+    return unless $record->CurrentUserCanSee;
+    return $self->SUPER::AddRecord($record);
+}
+
 RT::Base->_ImportOverlays();
 
 # Clear the OCVF cache on exit to release connected RT::Ticket objects.
diff --git a/lib/RT/Record.pm b/lib/RT/Record.pm
index c627480d24..13691bf1ad 100644
--- a/lib/RT/Record.pm
+++ b/lib/RT/Record.pm
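Review bot: The switch to `__Value` in GetOCFVCacheKey carries no explanation, and because `__Value` deliberately bypasses the ACL check a later maintainer could "tidy" it back to the accessors and reintroduce a user-dependent (or undef-laden) cache key. Add a why-comment above the assignment: `# Read raw columns via __Value: the accessors route through _Value, which now applies the SeeCustomField check and returns undef without rights, and the cache key must not depend on the current user.` That the generated accessors go through `_Value` is inferred from the sibling hunk in this file rather than visible here, so confirm it against the accessor definitions.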
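Review bot: The new `_Value` override calls `CurrentUserCanSee`, which calls `CustomFieldObj`; if CustomFieldObj resolves the CF id through the generated `CustomField` accessor instead of `__Value('CustomField')`, the accessor re-enters `_Value` and the recursion only ends when the stack is exhausted, so verify CustomFieldObj reads the id the way GetOCFVCacheKey now does. The same applies to `return undef unless $self->id` if `id` is routed through `_Value`; `$self->__Value('id')` avoids the question. The POD for CurrentUserCanSee should also state the scope of the check, since only the right on the custom field is tested and nothing about the ticket or other object named by ObjectType/ObjectId: `Only SeeCustomField on the custom field is checked; rights on the object the value is attached to remain the caller's responsibility.`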
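Review bot: `AddRecord` has no POD, and its filtering has a consequence worth documenting: if the collection's `Count` comes from a separate SQL COUNT (as DBIx::SearchBuilder-style collections do), the count can exceed the number of records the iterator yields, so any caller that displays a count still reveals that hidden values exist. Add `=head2 AddRecord` POD saying that records whose custom field the current user cannot see (per `CurrentUserCanSee`) are dropped before being added, and that counts may therefore not match the items returned. Each record also triggers a `CustomFieldObj` load and a rights check, one per value; whether that is cheap depends on CustomField object caching, which is not visible here, so it is worth measuring on a large collection.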
@@ -2051,7 +2051,8 @@ sub _AddCustomFieldValue {
         );
     }
 
-    my $new_content = $new_value->Content;
+    # Fall back to '' in case current user doesn't have rights.
+    my $new_content = $new_value->Content // '';
 
     # For datetime, we need to display them in "human" format in result message
     #XXX TODO how about date without time?
diff --git a/lib/RT/System.pm b/lib/RT/System.pm
index 10fa368f0e..b07ea86abf 100644
--- a/lib/RT/System.pm
+++ b/lib/RT/System.pm
@@ -442,7 +442,8 @@ sub ExternalStorageURLFor {
     # external storage direct links disabled
     return undef if !RT->Config->Get('ExternalStorageDirectLink');
 
-    return undef unless $Object->ContentEncoding eq 'external';
+    # If current user doesn't have rights, ContentEncoding is undef
+    return undef unless ( $Object->ContentEncoding // '' ) eq 'external';
 
     return $self->ExternalStorage->DownloadURLFor($Object);
 }
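Review bot: With `// ''`, a user who may add a value but lacks SeeCustomField gets a result message built from an empty string, which reads as if an empty value had been added rather than that the value is hidden from them; the message is assembled after this hunk, outside it, so this is inferred from the variable's name and the comment. The comment should at least say why the value is undef so the fallback is not mistaken for a general default: `# Content returns undef when the current user lacks SeeCustomField on this CF; fall back to '' so the message code below neither warns nor dies.` If the downstream message can branch, consider omitting the value text when `$new_value->Content` is undefined instead of printing ''. _AddCustomFieldValue starts and ends outside the hunk.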
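Review bot: The new guard only fails closed as a side effect of `_Value` returning undef, which is why the comment has to explain it; the intent is clearer with an explicit rights check ahead of the encoding test, keeping `// ''` as the fallback: `return undef if $Object->can('CurrentUserCanSee') && !$Object->CurrentUserCanSee;`. The `can` guard is there because `$Object` may be an attachment rather than an OCFV (the method's parameters are outside this hunk, so that is inferred from the method name). The opening lines of ExternalStorageURLFor are outside the hunk.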