From a6ee68d75a31809a349074957bf493b58c865bd8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20B=C3=B6hmer?=
Date: Wed, 4 Mar 2026 23:54:18 +0100
Subject: [PATCH] Ensure that user has read permission to part and category to prevent IPN info leakage issue #1283

---
 src/Controller/TypeaheadController.php | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/Controller/TypeaheadController.php b/src/Controller/TypeaheadController.php
index b84f3dc0..95480329 100644
--- a/src/Controller/TypeaheadController.php
+++ b/src/Controller/TypeaheadController.php
@@ -208,9 +208,16 @@ class TypeaheadController extends AbstractController
 /** @var Category|null $category */
 $category = $entityManager->getRepository(Category::class)->find($categoryId);
 
+ //Ensure the user has access to both the part and the category
+ $this->denyAccessUnlessGranted('read', $part);
+ if ($category !== null) {
+ $this->denyAccessUnlessGranted('read', $category);
+ }
+
 $clonedPart = clone $part;
 $clonedPart->setCategory($category);
+
 $partRepository = $entityManager->getRepository(Part::class);
 $ipnSuggestions = $partRepository->autoCompleteIpn($clonedPart, $description, $this->ipnSuggestSettings->suggestPartDigits);