From 93c30549882e931ead429d5910d48883e23a8a75 Mon Sep 17 00:00:00 2001
From: Yuriy Bakhtin
Date: Tue, 21 Nov 2023 15:05:19 +0100
Subject: [PATCH] Deny access for files from template of hidden content
---
 docs/CHANGELOG.md | 4 ++
 module.json | 4 +-
 .../models/TemplateContentActiveRecord.php | 49 ++++++++++++++++++-
 modules/template/models/TemplateInstance.php | 10 ++++
 4 files changed, 63 insertions(+), 4 deletions(-)
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 72d08e22..bc216c11 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -1,6 +1,10 @@
 Changelog
 =========
+1.10.0 (Unreleased)
+-------------------------
+- Enh #308: Deny access for files from template of hidden content
+
 1.9.5 (November 16, 2023)
 -------------------------
 - Enh #303: Fix visibility of the method `Controller::getAccessRules()`
diff --git a/module.json b/module.json
index 43ebc5f8..440aea5f 100644
--- a/module.json
+++ b/module.json
@@ -3,9 +3,9 @@
 "name": "Custom Pages",
 "description": "Create custom pages and widgets and share them with your users. Take advantage of a wide range of editing options, including HTML and Markdown.",
 "keywords": ["pages", "custom", "iframe", "markdown", "link", "navigation", "spaces"],
- "version": "1.9.5",
+ "version": "1.10.0",
 "homepage": "https://github.com/humhub/custom-pages",
 "humhub": {
- "minVersion": "1.14"
+ "minVersion": "1.16"
 }
 }
diff --git a/modules/template/models/TemplateContentActiveRecord.php b/modules/template/models/TemplateContentActiveRecord.php
index ea13bca3..93c7cf1e 100644
--- a/modules/template/models/TemplateContentActiveRecord.php
+++ b/modules/template/models/TemplateContentActiveRecord.php
@@ -2,13 +2,19 @@
 namespace humhub\modules\custom_pages\modules\template\models;
-use Yii;
 use humhub\components\ActiveRecord;
+use humhub\interfaces\ViewableInterface;
+use humhub\modules\content\components\ContentActiveRecord;
+use humhub\modules\custom_pages\models\CustomContentContainer;
+use Yii;
+use yii\db\ActiveQuery;
 /**
 * This is the base class for all TemplateContent types.
+ *
+ * @property-read OwnerContent $ownerContent
 */
-abstract class TemplateContentActiveRecord extends ActiveRecord
+abstract class TemplateContentActiveRecord extends ActiveRecord implements ViewableInterface
 {
 const SCENARIO_CREATE = 'create';
@@ -325,4 +331,43 @@ public function isEmpty(): bool
 return false;
 }
+ public function getOwnerContent(): ActiveQuery
+ {
+ return $this->hasOne(OwnerContent::class, ['content_id' => 'id'])
+ ->andWhere([OwnerContent::tableName() . '.content_type' => get_class($this)]);
+ }
+
+ public function getCustomContentContainer(): ?CustomContentContainer
+ {
+ $ownerContent = $this->ownerContent;
+ if (!$ownerContent instanceof OwnerContent) {
+ return null;
+ }
+
+ $ownerModel = $ownerContent->getOwner();
+ if (!$ownerModel instanceof TemplateInstance) {
+ return null;
+ }
+
+ return $ownerModel->getObject();
+ }
+
+ /**
+ * @inheritdoc
+ */
+ public function canView($user = null): bool
+ {
+ $customContentContainer = $this->getCustomContentContainer();
+
+ if ($customContentContainer instanceof ContentActiveRecord) {
+ return $customContentContainer->content->canView($user);
+ }
+
+ if ($customContentContainer instanceof ViewableInterface) {
+ return $customContentContainer->canView($user);
+ }
+
+ return false;
+ }
+
 }
diff --git a/modules/template/models/TemplateInstance.php b/modules/template/models/TemplateInstance.php
index 8c1d51e9..604c7f16 100644
--- a/modules/template/models/TemplateInstance.php
+++ b/modules/template/models/TemplateInstance.php
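Review bot: `getCustomContentContainer()` returns null whenever the owner behind `$ownerContent->getOwner()` is not a `TemplateInstance`, and `canView()` turns that null into a deny for every user, administrators included. Failing closed is the right default, but whether other owner types exist is not visible in this hunk; if they do, their attached files become unreachable and that case needs its own rule rather than the blanket `return false`. `getOwnerContent()` is also declared with `hasOne`, so if one content row can be referenced by several `OwnerContent` rows the decision is made against whichever row the query returns. Neither new public getter has a docblock; I would add one to `getCustomContentContainer()` reading `Returns the custom content container this content is rendered in, or null when the owner is not a TemplateInstance (canView() then denies access).`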
@@ -4,6 +4,7 @@
 use humhub\components\ActiveRecord;
 use humhub\modules\content\models\Content;
+use humhub\modules\custom_pages\models\CustomContentContainer;
 use yii\db\ActiveQuery;
 /**
@@ -98,6 +99,15 @@ public function getTemplate()
 return $this->hasOne(Template::class, ['id' => 'template_id']);
 }
+ public function getObject(): ?CustomContentContainer
+ {
+ if (empty($this->object_model) || empty($this->object_id)) {
+ return null;
+ }
+
+ return call_user_func($this->object_model . '::findOne', ['id' => $this->object_id]);
+ }
+
 public function getTemplateId()
 {
 return $this->template_id;
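Review bot: `getObject()` calls `findOne` on whatever class name is stored in `object_model` without checking that the name resolves to a `CustomContentContainer`. A stale or unexpected value (for example a class that no longer loads, or any other class exposing a static `findOne`) either makes `call_user_func` throw or returns an object that violates the declared `?CustomContentContainer` return type, so the `canView()` check that relies on this method ends in an error instead of a clean deny. I would guard the call with `if (!is_a($this->object_model, CustomContentContainer::class, true)) { return null; }` placed before the `call_user_func` line. A short docblock stating that the method returns null when the instance has no resolvable owner object would also help callers.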