[Rt-commit] rt branch 4.4/self-service-download-ocfv created. rt-4.4.5-115-gb044413379

BPS Git Server git at git.bestpractical.com
Tue May 24 17:31:49 UTC 2022 

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "rt".

The branch, 4.4/self-service-download-ocfv has been created
        at  b044413379aa082c6bade25f61fe8ae2469e1ea0 (commit)

- Log -----------------------------------------------------------------
commit b044413379aa082c6bade25f61fe8ae2469e1ea0
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Tue May 24 23:21:38 2022 +0800

    Test article image custom field download from SelfService

diff --git a/t/articles/upload-customfields.t b/t/articles/upload-customfields.t
index 6ff042b7be..36f915e955 100644
--- a/t/articles/upload-customfields.t
+++ b/t/articles/upload-customfields.t
@@ -2,7 +2,7 @@
 use strict;
 use warnings;
 
-use RT::Test tests => 20;
+use RT::Test tests => undef;
 
 use RT;
 my $logo;
@@ -88,3 +88,29 @@ $m->title_like(qr/Modify article #$id/, "Editing article $id");
 
 $m->follow_link( text => $logo );
 $m->content_is(ImageFileContent, "it links to the uploaded image");
+
+my $user_a = RT::Test->load_or_create_user(
+    Name         => 'user_a',
+    Password     => 'password',
+    EmailAddress => 'user_a at example.com',
+    Privileged   => 0,
+);
+ok( $user_a && $user_a->id, 'loaded or created user' );
+ok( !$user_a->Privileged,   'user is not privileged' );
+$user_a->PrincipalObj->GrantRight( Right => $_ ) for qw/ShowArticle SeeCustomField/;
+
+ok( $m->login( 'user_a', 'password', logout => 1 ) );
+
+$m->get_ok( '/SelfService/Article/Display.html?id=' . $id );
+$m->follow_link_ok( { text => $logo } );
+$m->content_is( ImageFileContent, 'Content of img custom field' );
+my $download_url = $m->uri;
+
+$user_a->PrincipalObj->RevokeRight( Right => 'SeeCustomField' );
+$m->get_ok( '/SelfService/Article/Display.html?id=' . $id );
+$m->text_lacks( 'img' . $$, 'No img custom field' );
+$m->get($download_url);
+is( $m->status, 403, 'No access to cf download url' );
+$m->warning_like( qr/Permission Denied/, "got a permission denied warning" );
+
+done_testing;

commit bf39b0e5d7874e547d6ab3e4e6dbff99b0945c07
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Tue May 24 21:33:55 2022 +0800

    Support to download custom field attachments from SelfService
    
    This is initially for file/image custom fields in articles.

diff --git a/share/html/Elements/ShowCustomFieldBinary b/share/html/Elements/ShowCustomFieldBinary
index 2b569e4276..89d636f7a8 100644
--- a/share/html/Elements/ShowCustomFieldBinary
+++ b/share/html/Elements/ShowCustomFieldBinary
@@ -48,7 +48,8 @@
 % if (my $url = RT->System->ExternalStorageURLFor($Object)) {
 <a href="<%$url%>">
 % } else {
-<a href="<%RT->Config->Get('WebPath')%>/Download/CustomFieldValue/<% $Object->Id %>/<% $Object->Content |un %>">
+% my $home_path = RT->Config->Get('WebPath') . ( !$session{CurrentUser}->Privileged ? '/SelfService' : '' );
+<a href="<% $home_path %>/Download/CustomFieldValue/<% $Object->Id %>/<% $Object->Content |un %>">
 % }
 
 <% $Object->Content %>
diff --git a/share/html/Elements/ShowCustomFieldImage b/share/html/Elements/ShowCustomFieldImage
index 9194fd887c..1b367659b0 100644
--- a/share/html/Elements/ShowCustomFieldImage
+++ b/share/html/Elements/ShowCustomFieldImage
@@ -51,6 +51,15 @@
 $Object
 </%ARGS>
 <%INIT>
-my $url = RT->System->ExternalStorageURLFor($Object)
-       || RT->Config->Get('WebPath') . "/Download/CustomFieldValue/".$Object->Id.'/'.$m->interp->apply_escapes($Object->Content, 'u');
+my $url = RT->System->ExternalStorageURLFor($Object);
+if ( !$url ) {
+    my $home_path = RT->Config->Get('WebPath') . ( !$session{CurrentUser}->Privileged ? '/SelfService' : '' );
+    $url
+        = $home_path
+        . "/Download/CustomFieldValue/"
+        . $Object->Id . '/'
+        . $m->interp->apply_escapes( $Object->Content, 'u' );
+
+}
+
 </%INIT>
diff --git a/share/html/Elements/ShowCustomFieldBinary b/share/html/SelfService/Download/CustomFieldValue/dhandler
similarity index 88%
copy from share/html/Elements/ShowCustomFieldBinary
copy to share/html/SelfService/Download/CustomFieldValue/dhandler
index 2b569e4276..5a78d8febc 100644
--- a/share/html/Elements/ShowCustomFieldBinary
+++ b/share/html/SelfService/Download/CustomFieldValue/dhandler
@@ -45,14 +45,7 @@
 %# those contributions and any derivatives thereof.
 %#
 %# END BPS TAGGED BLOCK }}}
-% if (my $url = RT->System->ExternalStorageURLFor($Object)) {
-<a href="<%$url%>">
-% } else {
-<a href="<%RT->Config->Get('WebPath')%>/Download/CustomFieldValue/<% $Object->Id %>/<% $Object->Content |un %>">
-% }
-
-<% $Object->Content %>
-</a>
-<%ARGS>
-$Object => undef
-</%ARGS>
+<%init>
+$m->comp('/Download/CustomFieldValue/dhandler', %ARGS);
+$m->abort;
+</%init>

commit 9970c8c5c9653b52a19d36aaa65c8c39a6e4594e
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Tue May 24 21:31:19 2022 +0800

    Add ACL check to /Download/CustomFieldValue/... endpoints

diff --git a/share/html/Download/CustomFieldValue/dhandler b/share/html/Download/CustomFieldValue/dhandler
index 688160bdd9..7825104636 100644
--- a/share/html/Download/CustomFieldValue/dhandler
+++ b/share/html/Download/CustomFieldValue/dhandler
@@ -61,6 +61,8 @@ unless ($OCFV->id) {
     Abort("Bad OCFV id. Couldn't find OCFV '$id'\n");
 }
 
+Abort( loc('Permission Denied'), Code => HTTP::Status::HTTP_FORBIDDEN ) unless $OCFV->CurrentUserCanSee;
+
 my $content_type = $OCFV->ContentType || 'text/plain; charset=utf-8';
     
 if (RT->Config->Get('AlwaysDownloadAttachments')) {

commit 5ec152b54ed569c9dea062a4c2d064f660ec37c0
Author: sunnavy <sunnavy at bestpractical.com>
Date:   Tue May 24 21:28:54 2022 +0800

    Add ACL check to ObjectCustomFieldValues

diff --git a/lib/RT/ObjectCustomFieldValue.pm b/lib/RT/ObjectCustomFieldValue.pm
index 1a11e13e13..bbac1e0f3b 100644
--- a/lib/RT/ObjectCustomFieldValue.pm
+++ b/lib/RT/ObjectCustomFieldValue.pm
@@ -523,9 +523,9 @@ Get the OCFV cache key for this object
 
 sub GetOCFVCacheKey {
     my $self = shift;
-    my $ocfv_key = "CustomField-" . $self->CustomField
-        . '-ObjectType-' . $self->ObjectType
-        . '-ObjectId-' . $self->ObjectId;
+    my $ocfv_key = "CustomField-" . $self->__Value('CustomField')
+        . '-ObjectType-' . $self->__Value('ObjectType')
+        . '-ObjectId-' . $self->__Value('ObjectId');
     return $ocfv_key;
 }
 
@@ -806,6 +806,32 @@ sub ExternalStoreDigest {
     return $self->_Value( 'LargeContent' );
 }
 
+=head2 CurrentUserCanSee
+
+Returns true if user has "SeeCustomField" on the associated CustomField
+object, otherwise false.
+
+=cut
+
+sub CurrentUserCanSee {
+    my $self = shift;
+    return $self->CustomFieldObj->CurrentUserHasRight('SeeCustomField');
+}
+
+sub _Value {
+    my $self  = shift;
+    return undef unless $self->id;
+
+    unless ( $self->CurrentUserCanSee ) {
+        $RT::Logger->debug(
+            "Permission denied. User #". $self->CurrentUser->id
+            ." has no SeeCustomField right on CF #". $self->__Value('CustomField')
+        );
+        return undef;
+    }
+    return $self->__Value( @_ );
+}
+
 RT::Base->_ImportOverlays();
 
 1;
diff --git a/lib/RT/ObjectCustomFieldValues.pm b/lib/RT/ObjectCustomFieldValues.pm
index ce698f5dcd..9705b2f2d2 100644
--- a/lib/RT/ObjectCustomFieldValues.pm
+++ b/lib/RT/ObjectCustomFieldValues.pm
@@ -230,6 +230,15 @@ sub _DoCount {
     return $self->SUPER::_DoCount(@_);
 }
 
+
+sub AddRecord {
+    my $self = shift;
+    my ($record) = @_;
+
+    return unless $record->CurrentUserCanSee;
+    return $self->SUPER::AddRecord($record);
+}
+
 RT::Base->_ImportOverlays();
 
 # Clear the OCVF cache on exit to release connected RT::Ticket objects.
diff --git a/lib/RT/Record.pm b/lib/RT/Record.pm
index bf7d8abef8..65d700b44b 100644
--- a/lib/RT/Record.pm
+++ b/lib/RT/Record.pm
@@ -2036,7 +2036,8 @@ sub _AddCustomFieldValue {
               );
         }
 
-        my $new_content = $new_value->Content;
+        # Fall back to '' in case current user doesn't have rights.
+        my $new_content = $new_value->Content // '';
 
         # For datetime, we need to display them in "human" format in result message
         #XXX TODO how about date without time?
diff --git a/lib/RT/System.pm b/lib/RT/System.pm
index 0c90f3c88e..8e7839b4d3 100644
--- a/lib/RT/System.pm
+++ b/lib/RT/System.pm
@@ -386,7 +386,8 @@ sub ExternalStorageURLFor {
     # external storage direct links disabled
     return undef if !RT->Config->Get('ExternalStorageDirectLink');
 
-    return undef unless $Object->ContentEncoding eq 'external';
+    # If current user doesn't have rights, ContentEncoding is undef
+    return undef unless ( $Object->ContentEncoding // '' ) eq 'external';
 
     return $self->ExternalStorage->DownloadURLFor($Object);
 }

-----------------------------------------------------------------------


hooks/post-receive
-- 
rt

More information about the rt-commit mailing list