N°8606 - Check user permissions in search operation of ajax.render.php

Author: Lenaick

sources/Controller/AjaxRenderController.php

@@ -42,6 +42,7 @@
 use ScalarExpression;
 use SetupUtils;
 use UILinksWidget;
+use UserRights;
 use utils;
 use WizardHelper;
 
@@ -71,6 +72,12 @@ public static function GetDataForTable(DBObjectSet $oSet, array $aClassAliases,
 			$bShowObsoleteData = utils::ShowObsoleteData();
 		}
 		$oSet->SetShowObsoleteData($bShowObsoleteData);
+
+		// N°8606 : Check user permissions on the main class
+		if (!UserRights::IsActionAllowed($oSet->GetClass(), UR_ACTION_READ, $oSet) == UR_ALLOWED_YES) {
+			throw new Exception(Dict::Format('UI:Error:ReadNotAllowedOn_Class', $oSet->GetClass()));
+		}
+
 		$aResult["draw"] = $iDrawNumber;
 		$aResult["recordsTotal"] = $oSet->Count();
 		$aResult["recordsFiltered"] = $aResult["recordsTotal"] ;
@@ -95,6 +102,11 @@ public static function GetDataForTable(DBObjectSet $oSet, array $aClassAliases,
 						continue;
 					}
 
+					// N°8606 : Check user permissions on the current class
+					if (!UserRights::IsActionAllowed($sClass, UR_ACTION_READ, $oSet) == UR_ALLOWED_YES) {
+						throw new Exception(Dict::Format('UI:Error:ReadNotAllowedOn_Class', $sClass));
+					}
+
 					foreach ($aColumnsLoad[$sAlias] as $sAttCode) {
 						$aObj[$sAlias."/".$sAttCode] = $aObject[$sAlias]->GetAsHTML($sAttCode);
 						$bExcludeRawValue = false;