From fbe113b91a21f7507a3bc793cf617df2fd1b8594 Mon Sep 17 00:00:00 2001
From: Bert Kooij
Date: Mon, 17 Sep 2018 10:12:29 +0200
Subject: [PATCH] Fix for #101 (access to restricted resources)
---
 .../components/versionx/controllers/index.php | 4 +++
 .../versionx/model/versionx.class.php | 4 +++
 .../processors/mgr/resources/get_versions.php | 29 +++++++++++++++++
 .../processors/mgr/resources/getlist.php | 31 ++++++++++++++++++-
 4 files changed, 67 insertions(+), 1 deletion(-)
diff --git a/core/components/versionx/controllers/index.php b/core/components/versionx/controllers/index.php
index d744031..f4380d4 100644
--- a/core/components/versionx/controllers/index.php
+++ b/core/components/versionx/controllers/index.php
@@ -37,12 +37,16 @@
 $v = $versionx->getVersionDetails('vxResource',$versionid,true);
 if ($v !== false)
 $modx->regClientStartupHTMLBlock('');
+ else
+ return $modx->error->failure($modx->lexicon('versionx.error.noresults'));
 }
 /* If an ID to compare to was passed, fetch that aswell. */
 if ($compareid > 0) {
 $v = $versionx->getVersionDetails('vxResource',$compareid,true);
 if ($v !== false)
 $modx->regClientStartupHTMLBlock('');
+ else
+ return $modx->error->failure($modx->lexicon('versionx.error.noresults'));
 }
 $scripts[] = $versionx->config['js_url'].'mgr/action.resource.js';
diff --git a/core/components/versionx/model/versionx.class.php b/core/components/versionx/model/versionx.class.php
index 5dd538c..06b6cc2 100644
--- a/core/components/versionx/model/versionx.class.php
+++ b/core/components/versionx/model/versionx.class.php
@@ -399,6 +399,10 @@ public function getVersionDetails($class = 'vxResource',$id = 0, $json = false,
 /* Class specific processing */
 switch ($class) {
 case 'vxResource':
+ $resource = $this->modx->getObject('modResource',$v->get('content_id'));
+ if(!$resource) {
+ return false;
+ }
 $vArray = array_merge($vArray,$vArray['fields']);
 if ($vArray['parent'] != 0) {
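Review bot: The two new `else return $modx->error->failure(...)` branches hand a processor-style failure array back from what appears to be a manager page controller (the surrounding lines register client HTML blocks and build `$scripts[]`), so unless the code that includes this file handles such an array, the likely outcome is an empty or partially rendered page rather than the `versionx.error.noresults` text; confirm what the loader does with the return value and, if it outputs returned strings, use `return $modx->lexicon('versionx.error.noresults');` instead. Using the same message for a version that does not exist and for one the user may not load is a sound choice, since the page then does not reveal that a restricted version exists; a comment above the first `else`, such as `/* same message for missing and inaccessible: do not reveal restricted versions */`, would keep a later change from splitting the two cases. The brace-less `if`/`else` with a `return` in one arm is easy to misread, and braces around both arms would help. The block the first `if` sits in opens before the hunk.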
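Review bot: The new guard makes `getVersionDetails()` return false both when the resource row no longer exists and when the current user may not load it, because `getObject()` returns null in either case (presumably the load policy is what makes it null for a restricted resource); if the history of a since-removed resource is still meant to be viewable that is a regression, and if the behaviour is intended it should be stated above the `$resource` line, e.g. `/* getObject() returns null when the resource is gone or not loadable by this user; hide the version either way */`. `$resource` is not used anywhere else in the hunk, so without that comment a reader may delete the apparently dead fetch and with it the access check. The check is placed only in the `'vxResource'` branch of the switch; whether the other version classes this switch handles need an equivalent check is not visible here and is worth confirming against #101. The rest of the branch and of the function continue outside the hunk.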
diff --git a/core/components/versionx/processors/mgr/resources/get_versions.php b/core/components/versionx/processors/mgr/resources/get_versions.php
index 1baa462..fdf686e 100644
--- a/core/components/versionx/processors/mgr/resources/get_versions.php
+++ b/core/components/versionx/processors/mgr/resources/get_versions.php
@@ -12,6 +12,8 @@
 $current = intval($modx->getOption('current',$scriptProperties,0));
 $c = $modx->newQuery('vxResource');
+$c->leftJoin('modContextSetting','ContextSetting','ContextSetting.context_key = vxResource.context_key');
+$c->leftJoin('modResourceGroupResource','ResourceGroup','ResourceGroup.document = vxResource.content_id');
 $c->select(array('version_id','saved','mode'));
 if (strlen($search) > 1) {
@@ -22,6 +24,33 @@
 if ($current > 0)
 $c->where(array('version_id:!=' => $current));
+/* 1. The connected context has is ignoring access through resource groups */
+$where = [
+ [
+ [
+ 'ContextSetting.key' => 'access_resource_group_enabled',
+ 'ContextSetting.value' => 0
+ ]
+ ]
+];
+
+/* 2. The default context is ignoring access through resource groups disabled */
+if(!$modx->getOption('access_resource_group_enabled', null, true)) {
+ array_push($where, [
+ 'OR:vxResource.context_key:=' => $modx->getOption('default_context')
+ ]);
+ array_push($where[0], [
+ 'OR:ContextSetting.key' => 'access_resource_group_enabled',
+ 'ContextSetting.value:IS' => null,
+ ]);
+}
+
+/* 3. The resource is not restricted or the user has access to the resourcegroup */
+array_push($where, [
+ 'OR:ResourceGroup.id:IS' => null,
+ 'OR:ResourceGroup.document_group:IN' => $modx->user->getResourceGroups(),
+]);
+$c->where($where);
 $total = $modx->getCount('vxResource',$c);
 $c->sortby($sort,$dir);
diff --git a/core/components/versionx/processors/mgr/resources/getlist.php b/core/components/versionx/processors/mgr/resources/getlist.php
index 9a96757..63c1395 100644
--- a/core/components/versionx/processors/mgr/resources/getlist.php
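Review bot: The `ContextSetting` join added in this file's first hunk is keyed on `context_key` only, and the filter built here pins `ContextSetting.key` in just its first OR branch, so a version that passes through the `ResourceGroup.id IS NULL` or `document_group IN (...)` branch comes back once per setting of its context, and a resource in several groups once per group, which inflates `$total` from `getCount()` and repeats versions in the result; getlist.php adds the same joins and filter. Put the key into the join and collapse the duplicates, e.g. `$c->leftJoin('modContextSetting','ContextSetting',"ContextSetting.context_key = vxResource.context_key AND ContextSetting.key = 'access_resource_group_enabled'");` together with `$c->groupby('vxResource.version_id');`, and check that `getCount()` then reports the grouped count. `$modx->user->getResourceGroups()` is presumably an empty array for a user in no resource group; verify how xPDO renders `:IN` with an empty array so that branch behaves predictably and fails closed. Comparing `ContextSetting.value` with the integer `0` relies on the database coercing the stored setting text, so if the setting is stored as `'0'` a string comparison is the safer form. The comment `/* 1. The connected context has is ignoring access through resource groups */` would read more clearly as `/* 1. The resource's own context has resource-group access checks disabled */`.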
+++ b/core/components/versionx/processors/mgr/resources/getlist.php
@@ -21,7 +21,9 @@
 $c = $modx->newQuery('vxResource');
 $c->leftJoin('modUser','User');
 $c->leftJoin('modUserProfile','Profile','Profile.internalKey = User.id');
-$c->select(array('version_id','content_id','saved','mode','marked','title','context_key','class','User.username'));
+$c->leftJoin('modContextSetting','ContextSetting','ContextSetting.context_key = vxResource.context_key');
+$c->leftJoin('modResourceGroupResource','ResourceGroup','ResourceGroup.document = vxResource.content_id');
+$c->select(array('vxResource.version_id','vxResource.content_id','vxResource.saved','vxResource.mode','vxResource.marked','vxResource.title','vxResource.context_key','vxResource.class','User.username'));
 /* Filter */
 if ($search)
@@ -39,6 +41,33 @@
 if ($until)
 $c->where(array('saved:<' => $until));
+/* 1. The connected context has is ignoring access through resource groups */
+$where = [
+ [
+ [
+ 'ContextSetting.key' => 'access_resource_group_enabled',
+ 'ContextSetting.value' => 0
+ ]
+ ]
+];
+
+/* 2. The default context is ignoring access through resource groups disabled */
+if(!$modx->getOption('access_resource_group_enabled', null, true)) {
+ array_push($where, [
+ 'OR:vxResource.context_key:=' => $modx->getOption('default_context')
+ ]);
+ array_push($where[0], [
+ 'OR:ContextSetting.key' => 'access_resource_group_enabled',
+ 'ContextSetting.value:IS' => null,
+ ]);
+}
+
+/* 3. The resource is not restricted or the user has access to the resourcegroup */
+array_push($where, [
+ 'OR:ResourceGroup.id:IS' => null,
+ 'OR:ResourceGroup.document_group:IN' => $modx->user->getResourceGroups(),
+]);
+$c->where($where);
 $total = $modx->getCount('vxResource',$c);
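Review bot: The access filter these two joins feed (built in the next hunk, which is cut off at the end of the page) is a line-for-line copy of the one in get_versions.php, so the policy now has two SQL definitions plus the `getObject()` check added in versionx.class.php; a single helper on the versionx class, e.g. `public function addResourceAccessFilter(xPDOQuery $c)` that adds both joins and the where clause, would keep the three from drifting apart. Qualifying the selected columns with `vxResource.` is needed now that `ContextSetting` and `ResourceGroup` are joined, and the `saved:<` condition the second hunk keeps as context could be qualified the same way for consistency. The row multiplication these joins cause is raised on get_versions.php and applies here unchanged.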