Merge pull request #311 from humhub/enh/308-file-access
[v1.16] Deny access for files from template of hidden content
luke- authored Sep 24, 2024
2 parents 641fc49 + 18f2d1e commit 4722771
Showing 4 changed files with 61 additions and 5 deletions.
5 changes: 3 additions & 2 deletions docs/CHANGELOG.md
@@ -1,9 +1,10 @@
Changelog
=========

1.10.8 (Unreleased)
----------------------------
1.10.8 (September 24, 2024)
---------------------------
- Fix #347: Fix errors after save a new page
- Enh #308: Deny access for files from template of hidden content

1.10.7 (September 19, 2024)
----------------------------
2 changes: 1 addition & 1 deletion module.json
Expand Up @@ -6,6 +6,6 @@
"version": "1.10.8",
"homepage": "https://github.com/humhub/custom-pages",
"humhub": {
"minVersion": "1.14"
"minVersion": "1.16"
}
}
49 changes: 47 additions & 2 deletions modules/template/models/TemplateContentActiveRecord.php
Expand Up @@ -2,13 +2,19 @@

namespace humhub\modules\custom_pages\modules\template\models;

use Yii;
use humhub\components\ActiveRecord;
use humhub\interfaces\ViewableInterface;
use humhub\modules\content\components\ContentActiveRecord;
use humhub\modules\custom_pages\models\CustomContentContainer;
use Yii;
use yii\db\ActiveQuery;

/**
* This is the base class for all TemplateContent types.
*
* @property-read OwnerContent $ownerContent
*/
abstract class TemplateContentActiveRecord extends ActiveRecord
abstract class TemplateContentActiveRecord extends ActiveRecord implements ViewableInterface
{

const SCENARIO_CREATE = 'create';
Expand Down Expand Up @@ -325,4 +331,43 @@ public function isEmpty(): bool
return false;
}

public function getOwnerContent(): ActiveQuery
{
return $this->hasOne(OwnerContent::class, ['content_id' => 'id'])
->andWhere([OwnerContent::tableName() . '.content_type' => get_class($this)]);
}

public function getCustomContentContainer(): ?CustomContentContainer
{
$ownerContent = $this->ownerContent;
if (!$ownerContent instanceof OwnerContent) {
return null;
}

$ownerModel = $ownerContent->getOwner();
if (!$ownerModel instanceof TemplateInstance) {
return null;
}

return $ownerModel->getObject();
}

/**
* @inheritdoc
*/
public function canView($user = null): bool
{
$customContentContainer = $this->getCustomContentContainer();

if ($customContentContainer instanceof ContentActiveRecord) {
return $customContentContainer->content->canView($user);
}

if ($customContentContainer instanceof ViewableInterface) {
return $customContentContainer->canView($user);
}

return false;
}

}
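Review bot: canView() falls through to `return false` for any content that getCustomContentContainer() cannot trace to a TemplateInstance, and because that method explicitly tests `$ownerModel instanceof TemplateInstance`, owner content attached to other owner types (a template's default content, if that is what the check guards) is denied as well; if such files must stay reachable that branch needs its own rule, otherwise the intent deserves a comment at the final return, `// Deny by default: content not reachable through a TemplateInstance has no viewable container.` The `$customContentContainer->content->canView($user)` call assumes the content relation is always populated; `$customContentContainer->content?->canView($user) ?? false` would keep the deny-by-default behaviour when it is not. getOwnerContent() and getCustomContentContainer() carry no docblock; a one-line `@return` stating when null comes back would help callers of the new access check.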
10 changes: 10 additions & 0 deletions modules/template/models/TemplateInstance.php
Expand Up @@ -4,6 +4,7 @@

use humhub\components\ActiveRecord;
use humhub\modules\content\models\Content;
use humhub\modules\custom_pages\models\CustomContentContainer;
use yii\db\ActiveQuery;

/**
Expand Down Expand Up @@ -98,6 +99,15 @@ public function getTemplate()
return $this->hasOne(Template::class, ['id' => 'template_id']);
}

public function getObject(): ?CustomContentContainer
{
if (empty($this->object_model) || empty($this->object_id)) {
return null;
}

return call_user_func($this->object_model . '::findOne', ['id' => $this->object_id]);
}

public function getTemplateId()
{
return $this->template_id;
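Review bot: getObject() performs a static call resolved from `$this->object_model`, a class name read from the database, without first checking that it names a CustomContentContainer, so an unexpected or stale value reaches `findOne` before the declared return type can reject the result with a TypeError. Extending the existing guard and dropping the string callable keeps the contract explicit: `if (empty($this->object_model) || empty($this->object_id) || !is_a($this->object_model, CustomContentContainer::class, true)) {` followed by `return $this->object_model::findOne(['id' => $this->object_id]);`. The enclosing getTemplateId() body continues past the last line shown in the hunk.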
