validate entity_restrict when available with idor tokens

glpi-project · Mar 2, 2021 · aade65b · aade65b
1 parent b2f6732
commit aade65b
Show file tree

Hide file tree

Showing 6 changed files with 31 additions and 13 deletions.
diff --git a/ajax/dropdownTrackingDeviceType.php b/ajax/dropdownTrackingDeviceType.php
@@ -76,7 +76,9 @@
       'multiple'            => $_POST["multiple"],
       'myname'              => $_POST["myname"],
       'rand'                => $_POST["rand"],
-      '_idor_token'         => Session::getNewIDORToken($itemtype),
+      '_idor_token'         => Session::getNewIDORToken($itemtype, [
+         'entity_restrict' => $_POST['entity_restrict'],
+      ]),
    ];
 
    if (isset($_POST["used"]) && !empty($_POST["used"])) {

diff --git a/inc/computer_item.class.php b/inc/computer_item.class.php
@@ -682,7 +682,9 @@ static function dropdownConnect($itemtype, $fromtype, $myname, $entity_restrict
          'itemtype'        => $itemtype,
          'onlyglobal'      => $onlyglobal,
          'used'            => $used,
-         '_idor_token'     => Session::getNewIDORToken($itemtype),
+         '_idor_token'     => Session::getNewIDORToken($itemtype, [
+            'entity_restrict' => $entity_restrict,
+         ]),
       ];
 
       echo Html::jsAjaxDropdown($myname, $field_id,

diff --git a/inc/dropdown.class.php b/inc/dropdown.class.php
@@ -173,11 +173,13 @@ static function show($itemtype, $options = []) {
             'condition'            => $params['condition'],
             'used'                 => $params['used'],
             'toadd'                => $params['toadd'],
-            'entity_restrict'      => (is_array($params['entity']) ? json_encode(array_values($params['entity'])) : $params['entity']),
+            'entity_restrict'      => ($entity_restrict = (is_array($params['entity']) ? json_encode(array_values($params['entity'])) : $params['entity'])),
             'on_change'            => $params['on_change'],
             'permit_select_parent' => $params['permit_select_parent'],
             'specific_tags'        => $params['specific_tags'],
-            '_idor_token'          => Session::getNewIDORToken($itemtype),
+            '_idor_token'          => Session::getNewIDORToken($itemtype, [
+               'entity_restrict' => $entity_restrict,
+            ]),
       ];
 
       $output = "<span class='no-wrap'>";
@@ -2182,6 +2184,11 @@ static function showListLimit($onchange = '', $display = true) {
    public static function getDropdownValue($post, $json = true) {
       global $DB, $CFG_GLPI;
 
+      // check if asked itemtype is the one originaly requested by the form
+      if (!Session::validateIDOR($post)) {
+         return;
+      }
+
       if (isset($post["entity_restrict"])
          && !is_array($post["entity_restrict"])
          && (substr($post["entity_restrict"], 0, 1) === '[')
@@ -2199,11 +2206,6 @@ public static function getDropdownValue($post, $json = true) {
          $post['entity_restrict'] = $_SESSION['glpiactiveentities'];
       }
 
-      // check if asked itemtype is the one originaly requested by the form
-      if (!Session::validateIDOR($post)) {
-         return;
-      }
-
       // Security
       if (!($item = getItemForItemtype($post['itemtype']))) {
          return;

diff --git a/inc/user.class.php b/inc/user.class.php
@@ -4026,9 +4026,12 @@ static function dropdown($options = []) {
          'on_change'           => $p['on_change'],
          'used'                => $p['used'],
          'inactive_deleted'    => $p['inactive_deleted'],
-         'entity_restrict'     => (is_array($p['entity']) ? json_encode(array_values($p['entity'])) : $p['entity']),
+         'entity_restrict'     => ($entity_restrict = (is_array($p['entity']) ? json_encode(array_values($p['entity'])) : $p['entity'])),
          'specific_tags'       => $p['specific_tags'],
-         '_idor_token'         => Session::getNewIDORToken(__CLASS__, ['right' => $p['right']]),
+         '_idor_token'         => Session::getNewIDORToken(__CLASS__, [
+            'right'           => $p['right'],
+            'entity_restrict' => $entity_restrict,
+         ]),
       ];
 
       $output   = Html::jsAjaxDropdown($p['name'], $field_id,

diff --git a/tests/functionnal/Dropdown.php b/tests/functionnal/Dropdown.php
@@ -765,7 +765,7 @@ public function testGetDropdownValue($params, $expected, $session_params = []) {
          }
       }
 
-      $params['_idor_token'] = \Session::getNewIDORToken($params['itemtype'] ?? '');
+      $params['_idor_token'] = $this->generateIdor($params);
 
       $result = \Dropdown::getDropdownValue($params, false);
 
@@ -928,7 +928,7 @@ public function testGetDropdownConnect($params, $expected, $session_params = [])
          }
       }
 
-      $params['_idor_token'] = \Session::getNewIDORToken($params['itemtype'] ?? '');
+      $params['_idor_token'] = $this->generateIdor($params);
 
       $result = \Dropdown::getDropdownConnect($params, false);
 
@@ -1331,4 +1331,12 @@ public function testGetDropdownValuePaginate() {
             ->hasSize(2);
 
    }
+
+   private function generateIdor(array $params = []) {
+      $idor_add_params = [];
+      if (isset($params['entity_restrict'])) {
+         $idor_add_params['entity_restrict'] = $params['entity_restrict'];
+      }
+      return \Session::getNewIDORToken(($params['itemtype'] ?? ''), $idor_add_params);
+   }
 }
diff --git a/tests/functionnal/Session.php b/tests/functionnal/Session.php
@@ -375,6 +375,7 @@ protected function idorProvider() {
          ['itemtype' => 'Ticket'],
          ['itemtype' => 'Glpi\\Dashboard\\Item'],
          ['itemtype' => 'User', 'add_params' => ['right' => 'all']],
+         ['itemtype' => 'User', 'add_params' => ['entity_restrict' => 0]],
       ];
    }