
rt branch 6.0/htmx updated. rt-5.0.5-248-g89e7ab351c
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "rt".

The branch, 6.0/htmx has been updated
via 89e7ab351c193a407bb261c1bdf7845474c734a7 (commit)
via a5fb0edae8dbf5098a88b6f20d260cc60f2a9cff (commit)
from f52a07631ee48f479757cdbb62fe0849927ff32e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 89e7ab351c193a407bb261c1bdf7845474c734a7
Author: sunnavy <sunnavy@bestpractical.com>
Date: Thu Apr 4 11:44:46 2024 -0400

Check rights/paths/objects to protect /Views/

diff --git a/share/html/Views/Component/dhandler b/share/html/Views/Component/dhandler
index fa877d4bdb..0fa5615e26 100644
--- a/share/html/Views/Component/dhandler
+++ b/share/html/Views/Component/dhandler
@@ -45,11 +45,6 @@
%# those contributions and any derivatives thereof.
%#
%# END BPS TAGGED BLOCK }}}
-% if ( $component_name eq 'SavedSearch' ) {
-% $m->comp( "/Elements/ShowSearch", %ARGS );
-% } else {
-% $m->comp( "/Elements/$component_name", %ARGS );
-% }

<%init>
my ($component_name) = $m->dhandler_arg;
@@ -67,9 +62,34 @@ if ( $component_name eq 'SavedSearch' ) {
elsif ( $ARGS{ObjectType} && $ARGS{ObjectType}->can('Load') && $ARGS{ObjectId} ) {
my $object = $ARGS{ObjectType}->new( $session{CurrentUser} );
$object->Load( $ARGS{ObjectId} );
+ return unless $object->Id;
+
if ( $object->CurrentUserCanSee ) {
$ARGS{Object} = $object;
}
+ else {
+ Abort( loc('Permission Denied'), SuppressHeader => 1, Code => HTTP::Status::HTTP_FORBIDDEN );
+ }
+}
+
+my $out;
+if ( $component_name eq 'SavedSearch' ) {
+ eval { $out = $m->scomp( "/Elements/ShowSearch", %ARGS ) };
+}
+else {
+ unless ( $m->comp_exists("/Elements/$component_name") ) {
+ RT->Logger->warning("Component $component_name does not exist");
+ Abort( loc('Invalid Path'), SuppressHeader => 1 );
+ }
+ eval { $out = $m->scomp( "/Elements/$component_name", %ARGS ) };
+}
+
+if ($@) {
+ RT->Logger->warning("Error loading $component_name: $@");
+ Abort( loc('Error'), SuppressHeader => 1 );
+}
+else {
+ $m->out($out);
}
</%init>
<%args>
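Review bot: The `eval { $out = $m->scomp(...) }` wrappers at lines 56 and 63 also swallow Mason abort exceptions, so if the inner component calls Abort itself (RT's Error component ends with `$m->abort`, as the share/html/Elements/Error hunk below shows), its specific message is discarded, a spurious "Error loading" warning is logged and the user is shown the generic 'Error' page instead. Re-raise aborts before treating `$@` as a failure: `die $@ if $m->aborted;` placed just before `if ($@) {`. The same applies to the eval at line 101 in the share/html/Views/Ticket/dhandler hunk. Separately, the unchanged `elsif` above takes `$ARGS{ObjectType}` from the request and uses it as a class name with only a `can('Load')` check; given this commit's goal, consider also requiring `$ARGS{ObjectType} =~ /\ART::[\w:]+\z/ && $ARGS{ObjectType}->isa('RT::Record')` so that only RT record classes can be instantiated and rights-checked here. That if/elsif chain begins before the hunk.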
diff --git a/share/html/Views/Ticket/dhandler b/share/html/Views/Ticket/dhandler
index 64a2df8294..6d814972cb 100644
--- a/share/html/Views/Ticket/dhandler
+++ b/share/html/Views/Ticket/dhandler
@@ -45,12 +45,31 @@
%# those contributions and any derivatives thereof.
%#
%# END BPS TAGGED BLOCK }}}
-% $m->comp( "/Ticket/Elements/$component_name", Ticket => $ticket, %ARGS );
<%INIT>
return unless $id;
my ($component_name) = $m->dhandler_arg;
my $ticket = RT::Ticket->new( $session{CurrentUser} );
$ticket->Load($id);
+return unless $ticket->Id;
+
+unless ( $ticket->CurrentUserCanSee ) {
+ Abort( loc('Permission Denied'), SuppressHeader => 1, Code => HTTP::Status::HTTP_FORBIDDEN );
+}
+
+unless ( $m->comp_exists("/Ticket/Elements/$component_name") ) {
+ RT->Logger->warning( "Component $component_name does not exist" );
+ Abort( loc('Invalid Path'), SuppressHeader => 1 );
+}
+
+my $out;
+eval { $out = $m->scomp( "/Ticket/Elements/$component_name", Ticket => $ticket, %ARGS ) };
+if ($@) {
+ RT->Logger->warning("Error loading $component_name: $@");
+ Abort( loc('Error'), SuppressHeader => 1 );
+}
+else {
+ $m->out($out);
+}
</%INIT>

<%ARGS>
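Review bot: In the `$m->scomp` call on line 101, `%ARGS` follows `Ticket => $ticket`, so a request that also carries a `Ticket` parameter appears to override the loaded and rights-checked object with a plain string before the component sees it. Put the request arguments first so the verified object wins: `$m->scomp( "/Ticket/Elements/$component_name", %ARGS, Ticket => $ticket )`. The removed line had the same ordering, so this is pre-existing rather than introduced here, but it is worth fixing while the call is being rewritten.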

commit a5fb0edae8dbf5098a88b6f20d260cc60f2a9cff
Author: sunnavy <sunnavy@bestpractical.com>
Date: Thu Apr 4 10:51:21 2024 -0400

Suppress footer too when SuppressHeader is true for error page

Header and Footer are supposed to be paired.

diff --git a/share/html/Elements/Error b/share/html/Elements/Error
index 2060c98256..ccc929e640 100644
--- a/share/html/Elements/Error
+++ b/share/html/Elements/Error
@@ -60,7 +60,9 @@
<%$Details%>
</div>

+% unless ($SuppressHeader) {
<& /Elements/Footer &>
+% }
% $m->abort;

<%args>
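Review bot: The new guard at line 129 makes `$SuppressHeader` control the footer as well, which the name does not convey; a Mason comment on the line above it, `%# SuppressHeader also drops the footer: Header and Footer are emitted as a pair`, would keep the intent visible in the component itself rather than only in the commit message. The `<%args>` block declaring `$SuppressHeader` lies outside the hunk.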

-----------------------------------------------------------------------

Summary of changes:
share/html/Elements/Error | 2 ++
share/html/Views/Component/dhandler | 30 +++++++++++++++++++++++++-----
share/html/Views/Ticket/dhandler | 21 ++++++++++++++++++++-
3 files changed, 47 insertions(+), 6 deletions(-)


hooks/post-receive
--
rt