fix: [security] Make cluster's elements adhere to ACL
mokaddem committed Nov 24, 2020
1 parent 83ce94a commit 4237505
Showing 2 changed files with 37 additions and 2 deletions.
6 changes: 4 additions & 2 deletions app/Controller/GalaxyElementsController.php
Expand Up @@ -14,9 +14,11 @@ class GalaxyElementsController extends AppController
)
);

public function index($id)
public function index($clusterId)
{
$this->paginate['conditions'] = array('GalaxyElement.galaxy_cluster_id' => $id);
$aclConditions = $this->GalaxyElement->buildClusterConditions($this->Auth->user(), $clusterId);
$this->paginate['conditions'] = [$aclConditions];
$this->paginate['contain'] = ['GalaxyCluster' => ['fields' => ['id', 'distribution', 'org_id']]];
$clusters = $this->paginate();
$this->set('list', $clusters);
if ($this->request->is('ajax')) {
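Review bot: The rewritten index() makes a cluster the user may not see indistinguishable from a cluster with no elements: buildClusterConditions() only narrows the pagination query, so an unauthorized or unknown $clusterId yields an empty list with a 200 rather than the 403/404 other actions return. If that is the intended behaviour, say so above line 20 with `// ACL is applied through the GalaxyCluster join: clusters hidden from the user simply produce no elements`; otherwise fetch the cluster first and throw NotFoundException when nothing comes back. The assignment `$this->paginate['conditions'] = [$aclConditions];` also wraps what is already a complete conditions array in one more level of nesting; `$this->paginate['conditions'] = $aclConditions;` expresses the same query without the extra layer. The `contain` on line 22 is what makes the `GalaxyCluster.*` conditions resolvable, which deserves a short comment since dropping it would silently break the ACL. index() continues past the end of the hunk.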
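--- a/app/Model/GalaxyElement.php
+++ b/app/Model/GalaxyElement.php
@@ -95,4 +95,37 @@ public function captureElements($user, $elements, $clusterId)
 }
 $this->saveMany($tempElements);
 }
+
+public function buildACLConditions($user)
+{
+$conditions = [];
+if (!$user['Role']['perm_site_admin']) {
+$conditions = $this->GalaxyCluster->buildConditions($user);
+}
+return $conditions;
+}
+
+public function buildClusterConditions($user, $clusterId)
+{
+return [
+$this->buildACLConditions($user),
+'GalaxyCluster.id' => $clusterId
+];
+}
+
+public function fetchElements(array $user, $clusterId)
+{
+$params = array(
+'conditions' => $this->buildClusterConditions($user, $clusterId),
+'contain' => ['GalaxyCluster' => ['fields' => ['id', 'distribution', 'org_id']]],
+'recursive' => -1
+);
+$elements = $this->find('all', $params);
+foreach ($elements as $i => $element) {
+$elements[$i] = $elements[$i]['GalaxyElement'];
+unset($elements[$i]['GalaxyCluster']);
+unset($elements[$i]['GalaxyElement']);
+}
+return $elements;
+}
 }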
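Review bot: The two unset() calls in fetchElements() are dead code: once `$elements[$i] = $elements[$i]['GalaxyElement'];` has run, `$elements[$i]` holds only the GalaxyElement row, which carries neither a `GalaxyCluster` nor a `GalaxyElement` key, so `unset($elements[$i]['GalaxyCluster']);` and `unset($elements[$i]['GalaxyElement']);` can simply be removed. buildACLConditions() and buildClusterConditions() are the new authorization boundary yet have no docblock; a header such as `Returns find() conditions restricting elements to clusters visible to $user; site admins get no restriction, so callers must combine the result with a cluster filter and contain/join GalaxyCluster for the GalaxyCluster.* keys to resolve` would make the contract explicit. buildACLConditions() also reads `$user['Role']['perm_site_admin']` unguarded, so a caller passing a user array without a Role entry would trip a notice and, because the missing key evaluates as falsy, fall through to the restricted path; that appears to be the safe direction but is worth a comment. For consistency, `$user` is type-hinted as `array` only on fetchElements(); the same hint on the other two methods would match the rest of the file.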

1 comment on commit 4237505

@abergmann


CVE-2020-29006 was assigned to this commit.
