groove/Part-DB-server
1
0
Fork 0
mirror of https://github.com/Part-DB/Part-DB-server.git synced 2026-05-19 18:01:30 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Ensure that user has read permission to part and category to prevent IPN info leakage

Browse source 
issue #1283
This commit is contained in:
Jan Böhmer 2026-03-04 23:54:18 +01:00 committed by Marc Kreidler
parent aa40091392
commit 6ab5d3a868
1 changed files with 7 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

7
src/Controller/TypeaheadController.php
View file

@ -208,9 +208,16 @@ class TypeaheadController extends AbstractController
/** @var Category|null $category */ /** @var Category|null $category */
$category = $entityManager->getRepository(Category::class)->find($categoryId); $category = $entityManager->getRepository(Category::class)->find($categoryId);
//Ensure the user has access to both the part and the category
$this->denyAccessUnlessGranted('read', $part);
if ($category !== null) {
$this->denyAccessUnlessGranted('read', $category);
}
$clonedPart = clone $part; $clonedPart = clone $part;
$clonedPart->setCategory($category); $clonedPart->setCategory($category);
$partRepository = $entityManager->getRepository(Part::class); $partRepository = $entityManager->getRepository(Part::class);
$ipnSuggestions = $partRepository->autoCompleteIpn($clonedPart, $description, $this->ipnSuggestSettings->suggestPartDigits); $ipnSuggestions = $partRepository->autoCompleteIpn($clonedPart, $description, $this->ipnSuggestSettings->suggestPartDigits);