[Rt-commit] rt branch 6.0/htmx updated. rt-5.0.5-248-g89e7ab351c

BPS Git Server git at git.bestpractical.com
Thu Apr 4 15:54:14 UTC 2024



The branch, 6.0/htmx has been updated
       via  89e7ab351c193a407bb261c1bdf7845474c734a7 (commit)
       via  a5fb0edae8dbf5098a88b6f20d260cc60f2a9cff (commit)
      from  f52a07631ee48f479757cdbb62fe0849927ff32e (commit)


- Log -----------------------------------------------------------------
commit 89e7ab351c193a407bb261c1bdf7845474c734a7
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Thu Apr 4 11:44:46 2024 -0400

    Check rights/paths/objects to protect /Views/

diff --git a/share/html/Views/Component/dhandler b/share/html/Views/Component/dhandler
index fa877d4bdb..0fa5615e26 100644
--- a/share/html/Views/Component/dhandler
+++ b/share/html/Views/Component/dhandler
@@ -45,11 +45,6 @@
 %# those contributions and any derivatives thereof.
 %#
 %# END BPS TAGGED BLOCK }}}
-% if ( $component_name eq 'SavedSearch' ) {
-% $m->comp( "/Elements/ShowSearch", %ARGS );
-% } else {
-% $m->comp( "/Elements/$component_name", %ARGS );
-% }
 
 <%init>
 my ($component_name) = $m->dhandler_arg;
@@ -67,9 +62,34 @@ if ( $component_name eq 'SavedSearch' ) {
 elsif ( $ARGS{ObjectType} && $ARGS{ObjectType}->can('Load') && $ARGS{ObjectId} ) {
     my $object = $ARGS{ObjectType}->new( $session{CurrentUser} );
     $object->Load( $ARGS{ObjectId} );
+    return unless $object->Id;
+
     if ( $object->CurrentUserCanSee ) {
         $ARGS{Object} = $object;
     }
+    else {
+        Abort( loc('Permission Denied'), SuppressHeader => 1, Code => HTTP::Status::HTTP_FORBIDDEN );
+    }
+}
+
+my $out;
+if ( $component_name eq 'SavedSearch' ) {
+    eval { $out = $m->scomp( "/Elements/ShowSearch", %ARGS ) };
+}
+else {
+    unless ( $m->comp_exists("/Elements/$component_name") ) {
+        RT->Logger->warning("Component $component_name does not exist");
+        Abort( loc('Invalid Path'), SuppressHeader => 1 );
+    }
+    eval { $out = $m->scomp( "/Elements/$component_name", %ARGS ) };
+}
+
+if ($@) {
+    RT->Logger->warning("Error loading $component_name: $@");
+    Abort( loc('Error'), SuppressHeader => 1 );
+}
+else {
+    $m->out($out);
 }
 </%init>
 <%args>
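Review bot: The `eval { $out = $m->scomp(...) }` / `if ($@)` pair at the end of the hunk also catches Mason's abort exception: RT's `Abort` renders /Elements/Error and then calls `$m->abort` (visible in the Elements/Error hunk further down), so when the inner component or anything it calls aborts, the captured error page is discarded, the abort is logged as "Error loading", and the user gets the generic `Abort( loc('Error') ...)` instead. Rethrowing it before the generic handling, `die $@ if $m->aborted($@);` as the first statement of the `if ($@)` branch, keeps the original abort (and any redirect) intact; the same pattern appears in the Views/Ticket/dhandler hunk below. Separately, `comp_exists("/Elements/$component_name")` only proves that some component resolves at that path, it does not confine `$component_name` to /Elements/; if `dhandler_arg` can carry `..` segments (I have not checked whether Mason's resolver normalizes them), an up-front allow-list such as `Abort( loc('Invalid Path'), SuppressHeader => 1 ) unless $component_name =~ m{\A[\w/]+\z};` would make the intended boundary explicit and cheap to audit. It is also worth copying `$@` into a lexical (`my $err = $@;`) immediately after the eval, since a DESTROY running during unwinding can clear the global before the `if ($@)` test.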
diff --git a/share/html/Views/Ticket/dhandler b/share/html/Views/Ticket/dhandler
index 64a2df8294..6d814972cb 100644
--- a/share/html/Views/Ticket/dhandler
+++ b/share/html/Views/Ticket/dhandler
@@ -45,12 +45,31 @@
 %# those contributions and any derivatives thereof.
 %#
 %# END BPS TAGGED BLOCK }}}
-% $m->comp( "/Ticket/Elements/$component_name", Ticket => $ticket, %ARGS );
 <%INIT>
 return unless $id;
 my ($component_name) = $m->dhandler_arg;
 my $ticket = RT::Ticket->new( $session{CurrentUser} );
 $ticket->Load($id);
+return unless $ticket->Id;
+
+unless ( $ticket->CurrentUserCanSee ) {
+    Abort( loc('Permission Denied'), SuppressHeader => 1, Code => HTTP::Status::HTTP_FORBIDDEN );
+}
+
+unless ( $m->comp_exists("/Ticket/Elements/$component_name") ) {
+    RT->Logger->warning( "Component $component_name does not exist" );
+    Abort( loc('Invalid Path'), SuppressHeader => 1 );
+}
+
+my $out;
+eval { $out = $m->scomp( "/Ticket/Elements/$component_name", Ticket => $ticket, %ARGS ) };
+if ($@) {
+    RT->Logger->warning("Error loading $component_name: $@");
+    Abort( loc('Error'), SuppressHeader => 1 );
+}
+else {
+    $m->out($out);
+}
 </%INIT>
 
 <%ARGS>
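Review bot: `return unless $ticket->Id;` ends the request with an empty 200 body and no log entry, whereas a few lines later a missing component is logged and aborted with 'Invalid Path' and an unviewable ticket gets a 403, so the three failure cases are handled in three different styles and a caller cannot tell "no such ticket" from a component that rendered nothing. If the silent return is not deliberate, handling it like the other cases, e.g. `Abort( loc('Ticket not found'), SuppressHeader => 1, Code => HTTP::Status::HTTP_NOT_FOUND );` (message wording is a suggestion), would keep the handler's responses uniform. `$id` presumably comes from the `<%ARGS>` block, which lies past the end of the hunk, so I could not check whether it is already validated there.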

commit a5fb0edae8dbf5098a88b6f20d260cc60f2a9cff
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Thu Apr 4 10:51:21 2024 -0400

    Suppress footer too when SuppressHeader is true for error page
    
    Header and Footer are supposed to be paired.

diff --git a/share/html/Elements/Error b/share/html/Elements/Error
index 2060c98256..ccc929e640 100644
--- a/share/html/Elements/Error
+++ b/share/html/Elements/Error
@@ -60,7 +60,9 @@
 <%$Details%>
 </div>
 
+% unless ($SuppressHeader) {
 <& /Elements/Footer &>
+% }
 % $m->abort;
 
 <%args>
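Review bot: The new `unless ($SuppressHeader)` guard widens what the `SuppressHeader` argument means without saying so at the point of use; its declaration in the `<%args>` block is outside the hunk, and a reader at the Footer include has no hint that the header flag also governs the footer. I would add `%# SuppressHeader also skips the Footer: Header and Footer are emitted as a pair.` directly above the new `unless` line so the pairing rule from the commit message survives in the file. Since the final `$m->abort;` stays outside the guard, the abort still fires in both cases, which looks correct.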

-----------------------------------------------------------------------

Summary of changes:
 share/html/Elements/Error           |  2 ++
 share/html/Views/Component/dhandler | 30 +++++++++++++++++++++++++-----
 share/html/Views/Ticket/dhandler    | 21 ++++++++++++++++++++-
 3 files changed, 47 insertions(+), 6 deletions(-)



