Ensure that user has read permission to part and category to prevent IPN info leakage

issue #1283
Jan Böhmer 2026-03-04 23:54:18 +01:00
parent af6ddffa1d
commit a6ee68d75a


@ -208,9 +208,16 @@ class TypeaheadController extends AbstractController
/** @var Category|null $category */
$category = $entityManager->getRepository(Category::class)->find($categoryId);
//Ensure the user has access to both the part and the category
$this->denyAccessUnlessGranted('read', $part);
if ($category !== null) {
$this->denyAccessUnlessGranted('read', $category);
}
$clonedPart = clone $part;
$clonedPart->setCategory($category);
$partRepository = $entityManager->getRepository(Part::class);
$ipnSuggestions = $partRepository->autoCompleteIpn($clonedPart, $description, $this->ipnSuggestSettings->suggestPartDigits);