directus#717

itsmerhp · May 9, 2019 · 95895ed · 95895ed
1 parent 81e14ac
commit 95895ed
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 222 deletions.
diff --git a/src/core/Directus/Database/TableGateway/RelationalTableGateway.php b/src/core/Directus/Database/TableGateway/RelationalTableGateway.php
@@ -1469,9 +1469,21 @@ protected function shouldIgnoreQueryFilter($operator, $value)
      */
     protected function processFilter(Builder $query, array $filters = [])
     {
-        $filters = $this->parseDotFilters($query, $filters);
-
-        foreach ($filters as $column => $conditions) {
+        //Logic for blacklisted fields
+        $blackListStatuses = [];
+        foreach($filters as $column => $conditions){
+            $column = explode('.', $column);
+            $column = array_shift($column);
+            $fieldReadBlackListDetails = $this->acl->getStatusesOnReadFieldBlacklist($this->getTable(),$column);
+            if (isset($fieldReadBlackListDetails['isReadBlackList']) && $fieldReadBlackListDetails['isReadBlackList']) {
+                throw new Exception\ForbiddenFieldAccessException($column);
+            }else if(isset($fieldReadBlackListDetails['statuses']) && !empty ($fieldReadBlackListDetails['statuses'])){
+                $blackListStatuses = array_merge($blackListStatuses,array_values($fieldReadBlackListDetails['statuses']));                
+            }
+        }
+        $filters = $this->parseDotFilters($query, $filters);        
+
+        foreach ($filters as $column => $conditions) {                        
             if ($conditions instanceof Filter) {
                 $column =  $conditions->getIdentifier();
                 $conditions = $conditions->getValue();
@@ -1485,6 +1497,14 @@ protected function processFilter(Builder $query, array $filters = [])
                 $this->doFilter($query, $column, $condition, $this->getTable());
             }
         }
+        //Condition for blacklisted statuses
+        if(!empty($blackListStatuses)){
+            $statusCondition = [
+                'nin' => array_unique($blackListStatuses)
+            ];
+            $statusFieldName = SchemaService::getStatusFieldName($this->getTable());
+            $this->doFilter($query, $statusFieldName, $statusCondition, $this->getTable());
+        }
     }
 
     /**

diff --git a/src/core/Directus/Permissions/Acl.php b/src/core/Directus/Permissions/Acl.php
@@ -1252,15 +1252,16 @@ public function allowTo($action, $level, $collection, $status = null)
             $statuses = $this->getCollectionStatuses($collection);
 
             $allowed = false;
-            foreach ($statuses as $status) {
-                $permission = $this->getPermission($collection, $status);
-                $permissionLevel = ArrayUtils::get($permission, $action);
-                if ($this->can($permissionLevel, $level)) {
-                    $allowed = true;
-                    break;
+            if($statuses){
+                foreach ($statuses as $status) {
+                    $permission = $this->getPermission($collection, $status);
+                    $permissionLevel = ArrayUtils::get($permission, $action);
+                    if ($this->can($permissionLevel, $level)) {
+                        $allowed = true;
+                        break;
+                    }
                 }
             }
-
             return $allowed;
         } else {
             $permissionLevel = ArrayUtils::get($permission, $action);
@@ -1293,7 +1294,40 @@ public function allowToOnce($action, $collection)
 
         return $allowed;
     }
-
+
+    /**
+     * Gets the statuses on which field has been blacklisted
+     *
+     * @param string $collection
+     * @param mixed $status
+     *
+     * @return array
+     */
+    public function getStatusesOnReadFieldBlacklist($collection, $field)
+    {
+        $blackListStatuses = [];
+        $collectionPermission = $this->getCollectionPermissions($collection);
+        $statuses = $this->getCollectionStatuses($collection);
+        if($statuses){
+            foreach($statuses as $status){
+                $readFieldBlackList = isset($collectionPermission[$status]['read_field_blacklist']) ? $collectionPermission[$status]['read_field_blacklist'] : [];
+                if($readFieldBlackList && in_array($field, $readFieldBlackList)){                    
+                    $blackListStatuses['statuses'][] = $status;
+                }
+            }
+            //Set flag for field which is blacklist for all statuses
+            if(isset($blackListStatuses['statuses']) && count($blackListStatuses['statuses']) == count($statuses)){
+                $blackListStatuses['isReadBlackList'] = true;
+            }
+        }else{
+            $readFieldBlackList = isset($collectionPermission['read_field_blacklist']) ? $collectionPermission['read_field_blacklist'] : [];
+            if($readFieldBlackList && in_array($field, $readFieldBlackList)){
+                $blackListStatuses['isReadBlackList'] = true;
+            }
+        }
+        return $blackListStatuses;
+    }
+
     /**
      * Returns a list of status the given collection has permission to read
      *

diff --git a/tests/api/AuthTest.php b/tests/api/AuthTest.php
diff --git a/tests/api/CollectionTest.php b/tests/api/CollectionTest.php