Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security hardening #685

Merged
merged 2 commits into from
Dec 13, 2024
Merged

Security hardening #685

merged 2 commits into from
Dec 13, 2024

Conversation

jf-cbd
Copy link
Contributor

@jf-cbd jf-cbd commented Nov 27, 2024

Internal - security

@jf-cbd jf-cbd requested a review from steffunky November 27, 2024 14:58
@CombodoApplicationsAccount CombodoApplicationsAccount added the internal Work made by Combodo label Nov 27, 2024
@jf-cbd
Copy link
Contributor Author

jf-cbd commented Dec 13, 2024

$oSecurityHelper->IsActionAllowed seems useless since AddScopeToQuery check if action is allowed

@jf-cbd jf-cbd merged commit f5de808 into support/2.7 Dec 13, 2024
@Molkobain
Copy link
Contributor

$oSecurityHelper->IsActionAllowed seems useless since AddScopeToQuery check if action is allowed

I think it is actually the other way around: SecurityHelper::IsActionAllowed() checks if there is a scope for the specified object and check if the object is within that scope.

Calling ScopeValidatorHelper::AddScopeToQuery() only tries to add the scope for specified object class, but it doesn't check if you have access to the object or not, whether it would be based on the scopes or the DM rights.

@jf-cbd
Copy link
Contributor Author

jf-cbd commented Dec 13, 2024

Thanks for your message :) If there is no scope, then we should throw an error. Else it should be only filtered data rendered.

That should be enough, right ?

		if (!$oScopeValidator->AddScopeToQuery($oSearch, $sObjectClass)
		) {
			IssueLog::Warning(__METHOD__.' at line '.__LINE__.' : User #'.UserRights::GetUserId().' not allowed to read '.$sObjectClass.' object.');
			throw new HttpException(Response::HTTP_NOT_FOUND, Dict::S('UI:ObjectDoesNotExist'));
		}

@Molkobain
Copy link
Contributor

Exactly yes. You can check other usages of this method in the portal for an example, and see that we check the returned value. :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Molkobain Molkobain Molkobain approved these changes

@Hipska Hipska Hipska left review comments

@steffunky steffunky steffunky approved these changes

Assignees
No one assigned
Labels
internal Work made by Combodo
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@jf-cbd @Molkobain @Hipska @steffunky @CombodoApplicationsAccount