12 changes: 12 additions & 0 deletions sources/Controller/AjaxRenderController.php
Expand Up @@ -42,6 +42,7 @@
use ScalarExpression;
use SetupUtils;
use UILinksWidget;
use UserRights;
use utils;
use WizardHelper;

Expand Down Expand Up @@ -71,6 +72,12 @@ public static function GetDataForTable(DBObjectSet $oSet, array $aClassAliases,
$bShowObsoleteData = utils::ShowObsoleteData();
}
$oSet->SetShowObsoleteData($bShowObsoleteData);

// N°8606 : Check user permissions on the main class
if (UserRights::IsActionAllowed($oSet->GetClass(), UR_ACTION_READ, $oSet) !== UR_ALLOWED_YES) {
throw new Exception(Dict::Format('UI:Error:ReadNotAllowedOn_Class', $oSet->GetClass()));
}

$aResult["draw"] = $iDrawNumber;
$aResult["recordsTotal"] = $oSet->Count();
$aResult["recordsFiltered"] = $aResult["recordsTotal"] ;
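Review bot: the new main-class check compares strictly against UR_ALLOWED_YES, so every other return value of UserRights::IsActionAllowed, including the conditional UR_ALLOWED_DEPENDS that is normally resolved per object, aborts the whole table with an exception instead of yielding a filtered result; if fail-closed is the intent for N°8606, state it in the comment, otherwise handle the conditional case (for example by filtering the set) rather than throwing. Two things to confirm around `throw new Exception(Dict::Format('UI:Error:ReadNotAllowedOn_Class', $oSet->GetClass()));`: that the AJAX caller of GetDataForTable catches a plain Exception and returns a clean error payload to the DataTables client (no stack trace in the response), and that the dictionary key `UI:Error:ReadNotAllowedOn_Class` exists in the language files shipped with this change.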
Expand All @@ -95,6 +102,11 @@ public static function GetDataForTable(DBObjectSet $oSet, array $aClassAliases,
continue;
}

// N°8606 : Check user permissions on the current class
if (UserRights::IsActionAllowed($sClass, UR_ACTION_READ, $oSet) !== UR_ALLOWED_YES) {
throw new Exception(Dict::Format('UI:Error:ReadNotAllowedOn_Class', $sClass));
}

Copilot AI Mar 10, 2026

The permission check for alias classes is placed inside the while ($aObject = $oSet->FetchAssoc()) loop, meaning UserRights::IsActionAllowed is called once per row per alias. Since the check is class-based (not object-based), the result is the same on every iteration. While GetUserActionGrant has internal caching that reduces the cost, this check should be moved before the while loop (alongside the main class check at line 77) for clarity and to avoid unnecessary function call overhead on every row. You could iterate over $aClassAliases before the loop and check each class once.

foreach ($aColumnsLoad[$sAlias] as $sAttCode) {
$aObj[$sAlias."/".$sAttCode] = $aObject[$sAlias]->GetAsHTML($sAttCode);
$bExcludeRawValue = false;
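Review bot: the alias-class check passes `$oSet` as the instance set while the class under test is `$sClass`; `$oSet` is a set of the main class (the one checked via `$oSet->GetClass()` in the previous hunk), so for an alias that resolves to a different class the third argument of `UserRights::IsActionAllowed($sClass, UR_ACTION_READ, $oSet)` does not describe objects of `$sClass`. Either pass null for a pure class-level check or build a set of the alias class. Beyond the per-row cost already raised in the comment above, throwing from inside the FetchAssoc loop means rows already appended to the result are discarded on the first iteration, so hoisting a loop over $aClassAliases ahead of the while keeps the failure atomic and the check genuinely class-level. Note also that any alias skipped by the `continue` just above the new check is never permission-checked; fine if such aliases are not rendered, but worth a comment on the N°8606 line.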