Merge pull request from GHSA-qjx3-2g35-6hv8

* - included new permission to denied unauthorized access
- included functional tests

* - take out import permission

* - change permission parameters from lead to user data

* - change permission parameters from lead to user data

---------

Co-authored-by: Lenon Leite <lenonleite@gmail.com>
Co-authored-by: lenonleite <lenonleite@github.com>
Co-authored-by: lenonleite <lenonleite@cience.com>

app/bundles/LeadBundle/Controller/CompanyController.php

@@ -818,13 +818,19 @@ public function mergeAction($objectId)
         //set some permissions
         $permissions = $this->get('mautic.security')->isGranted(
             [
+                'lead:leads:viewown',
                 'lead:leads:viewother',
                 'lead:leads:create',
                 'lead:leads:editother',
                 'lead:leads:deleteother',
             ],
             'RETURN_ARRAY'
         );
+
+        if (!$permissions['lead:leads:viewown'] && !$permissions['lead:leads:viewother']) {
+            return $this->accessDenied();
+        }
+
         /** @var CompanyModel $model */
         $model            = $this->getModel('lead.company');
         $secondaryCompany = $model->getEntity($objectId);

app/bundles/LeadBundle/Controller/LeadController.php

@@ -208,6 +208,28 @@ public function indexAction($page = 1)
      */
     public function quickAddAction()
     {
+        // set some permissions
+        $permissions = $this->get('mautic.security')->isGranted(
+            [
+                'lead:leads:viewown',
+                'lead:leads:viewother',
+                'lead:leads:create',
+                'lead:leads:editown',
+                'lead:leads:editother',
+            ],
+            'RETURN_ARRAY'
+        );
+
+        if (
+            !$permissions['lead:leads:viewown']
+            && !$permissions['lead:leads:viewother']
+            && !$permissions['lead:leads:create']
+            && !$permissions['lead:leads:editown']
+            && !$permissions['lead:leads:editother']
+        ) {
+            return $this->accessDenied();
+        }
+
         /** @var \Mautic\LeadBundle\Model\LeadModel $model */
         $model = $this->getModel('lead.lead');
 
@@ -1831,6 +1853,10 @@ public function batchStagesAction($objectId = 0)
      */
     public function batchOwnersAction($objectId = 0)
     {
+        if (!$this->get('mautic.security')->isGranted('user:users:view')) {
+            return $this->accessDenied();
+        }
+
         if ('POST' == $this->request->getMethod()) {
             /** @var \Mautic\LeadBundle\Model\LeadModel $model */
             $model = $this->getModel('lead');

app/bundles/LeadBundle/Tests/Functional/Controller/CompanyControllerTest.php

@@ -0,0 +1,71 @@
+<?php
+
+namespace Mautic\LeadBundle\Tests\Functional\Controller;
+
+use Mautic\CoreBundle\Test\MauticMysqlTestCase;
+use Mautic\UserBundle\Entity\Role;
+use Mautic\UserBundle\Entity\User;
+
+class CompanyControllerTest extends MauticMysqlTestCase
+{
+    public const USERNAME = 'jhony';
+
+    public function testMergeAction(): void
+    {
+        $this->client->request('GET', '/s/companies/merge/1');
+        $clientResponse         = $this->client->getResponse();
+        $this->assertEquals(200, $clientResponse->getStatusCode());
+    }
+
+    public function testMergeActionWithoutPermission(): void
+    {
+        $this->createAndLoginUser();
+        $this->client->request('GET', '/s/companies/merge/1');
+        $clientResponse         = $this->client->getResponse();
+        $this->assertEquals(403, $clientResponse->getStatusCode());
+    }
+
+    private function createAndLoginUser(): User
+    {
+        // Create non-admin role
+        $role = $this->createRole();
+        // Create non-admin user
+        $user = $this->createUser($role);
+
+        $this->em->flush();
+        $this->em->detach($role);
+
+        $this->loginUser(self::USERNAME);
+        $this->client->setServerParameter('PHP_AUTH_USER', self::USERNAME);
+        $this->client->setServerParameter('PHP_AUTH_PW', 'mautic');
+
+        return $user;
+    }
+
+    private function createRole(bool $isAdmin = false): Role
+    {
+        $role = new Role();
+        $role->setName('Role');
+        $role->setIsAdmin($isAdmin);
+
+        $this->em->persist($role);
+
+        return $role;
+    }
+
+    private function createUser(Role $role): User
+    {
+        $user = new User();
+        $user->setFirstName('Jhony');
+        $user->setLastName('Doe');
+        $user->setUsername(self::USERNAME);
+        $user->setEmail('john.doe@email.com');
+        $encoder = self::$container->get('security.encoder_factory')->getEncoder($user);
+        $user->setPassword($encoder->encodePassword('mautic', null));
+        $user->setRole($role);
+
+        $this->em->persist($user);
+
+        return $user;
+    }
+}

app/bundles/LeadBundle/Tests/Functional/Controller/LeadControllerTest.php

@@ -0,0 +1,92 @@
+<?php
+
+namespace Mautic\LeadBundle\Tests\Functional\Controller;
+
+use Mautic\CoreBundle\Test\MauticMysqlTestCase;
+use Mautic\UserBundle\Entity\Role;
+use Mautic\UserBundle\Entity\User;
+use Symfony\Component\HttpFoundation\Request;
+
+class LeadControllerTest extends MauticMysqlTestCase
+{
+    public const USERNAME = 'jhony';
+
+    public function testAccessContactQuickAddWithPermission(): void
+    {
+        $this->setAdminUser();
+        $this->client->request(Request::METHOD_GET, '/s/contacts/quickAdd');
+        $this->assertResponseStatusCodeSame(200, (string) $this->client->getResponse()->getStatusCode());
+    }
+
+    private function setAdminUser(): void
+    {
+        $this->loginUser('admin');
+        $this->client->setServerParameter('PHP_AUTH_USER', 'admin');
+        $this->client->setServerParameter('PHP_AUTH_PW', 'mautic');
+    }
+
+    public function testAccessContactQuickAddWithNoPermission(): void
+    {
+        $this->createAndLoginUser();
+        $this->client->request(Request::METHOD_GET, '/s/contacts/quickAdd');
+        $this->assertResponseStatusCodeSame(403, (string) $this->client->getResponse()->getStatusCode());
+    }
+
+    public function testAccessContactBatchOwnersNoPermission(): void
+    {
+        $this->createAndLoginUser();
+        $this->client->request(Request::METHOD_GET, '/s/contacts/batchOwners');
+        $this->assertResponseStatusCodeSame(403, (string) $this->client->getResponse()->getStatusCode());
+    }
+
+    public function testAccessContactBatchOwnersPermission(): void
+    {
+        $this->setAdminUser();
+        $this->client->request(Request::METHOD_GET, '/s/contacts/batchOwners');
+        $this->assertResponseStatusCodeSame(200, (string) $this->client->getResponse()->getStatusCode());
+    }
+
+    private function createAndLoginUser(): User
+    {
+        // Create non-admin role
+        $role = $this->createRole();
+        // Create non-admin user
+        $user = $this->createUser($role);
+
+        $this->em->flush();
+        $this->em->detach($role);
+
+        $this->loginUser(self::USERNAME);
+        $this->client->setServerParameter('PHP_AUTH_USER', self::USERNAME);
+        $this->client->setServerParameter('PHP_AUTH_PW', 'mautic');
+
+        return $user;
+    }
+
+    private function createRole(bool $isAdmin = false): Role
+    {
+        $role = new Role();
+        $role->setName('Role');
+        $role->setIsAdmin($isAdmin);
+
+        $this->em->persist($role);
+
+        return $role;
+    }
+
+    private function createUser(Role $role): User
+    {
+        $user = new User();
+        $user->setFirstName('Jhony');
+        $user->setLastName('Doe');
+        $user->setUsername(self::USERNAME);
+        $user->setEmail('john.doe@email.com');
+        $encoder = self::$container->get('security.encoder_factory')->getEncoder($user);
+        $user->setPassword($encoder->encodePassword('mautic', null));
+        $user->setRole($role);
+
+        $this->em->persist($user);
+
+        return $user;
+    }
+}

plugins/MauticSocialBundle/Controller/MonitoringController.php

@@ -17,6 +17,10 @@ class MonitoringController extends FormController
      */
     public function indexAction($page = 1)
     {
+        if (!$this->get('mautic.security')->isGranted('mauticSocial:monitoring:view')) {
+            return $this->accessDenied();
+        }
+
         $session = $this->get('session');
 
         $this->setListFilters();

plugins/MauticSocialBundle/Tests/Functional/Controller/MonitoringControllerTest.php

@@ -0,0 +1,101 @@
+<?php
+
+namespace MauticPlugin\MauticSocialBundle\Tests\Functional\Controller;
+
+use Mautic\CoreBundle\Test\MauticMysqlTestCase;
+use Mautic\UserBundle\Entity\Role;
+use Mautic\UserBundle\Entity\User;
+
+class MonitoringControllerTest extends MauticMysqlTestCase
+{
+    public const USERNAME = 'jhony';
+
+    public function testIndex(): void
+    {
+        $this->client->request('GET', '/s/monitoring');
+        $response = $this->client->getResponse();
+        $this->assertEquals(200, $response->getStatusCode());
+    }
+
+    public function testNew(): void
+    {
+        $this->client->request('GET', '/s/monitoring/new');
+        $response = $this->client->getResponse();
+        $this->assertEquals(200, $response->getStatusCode());
+    }
+
+    public function testEdit(): void
+    {
+        $this->client->request('GET', '/s/monitoring/edit/1');
+        $response = $this->client->getResponse();
+        $this->assertEquals(200, $response->getStatusCode());
+    }
+
+    public function testIndexWithoutPermission(): void
+    {
+        $this->createAndLoginUser();
+        $this->client->request('GET', '/s/monitoring');
+        $response = $this->client->getResponse();
+        $this->assertEquals(403, $response->getStatusCode());
+    }
+
+    public function testNewWithoutPermission(): void
+    {
+        $this->createAndLoginUser();
+        $this->client->request('GET', '/s/monitoring/new');
+        $response = $this->client->getResponse();
+        $this->assertEquals(403, $response->getStatusCode());
+    }
+
+    public function testEditWithoutPermission(): void
+    {
+        $this->createAndLoginUser();
+        $this->client->request('GET', '/s/monitoring/edit/1');
+        $response = $this->client->getResponse();
+        $this->assertEquals(403, $response->getStatusCode());
+    }
+
+    private function createAndLoginUser(): User
+    {
+        // Create non-admin role
+        $role = $this->createRole();
+        // Create non-admin user
+        $user = $this->createUser($role);
+
+        $this->em->flush();
+        $this->em->detach($role);
+
+        $this->loginUser(self::USERNAME);
+        $this->client->setServerParameter('PHP_AUTH_USER', self::USERNAME);
+        $this->client->setServerParameter('PHP_AUTH_PW', 'mautic');
+
+        return $user;
+    }
+
+    private function createRole(bool $isAdmin = false): Role
+    {
+        $role = new Role();
+        $role->setName('Role');
+        $role->setIsAdmin($isAdmin);
+
+        $this->em->persist($role);
+
+        return $role;
+    }
+
+    private function createUser(Role $role): User
+    {
+        $user = new User();
+        $user->setFirstName('John');
+        $user->setLastName('Doe');
+        $user->setUsername(self::USERNAME);
+        $user->setEmail('john.doe@email.com');
+        $encoder = self::$container->get('security.encoder_factory')->getEncoder($user);
+        $user->setPassword($encoder->encodePassword('mautic', null));
+        $user->setRole($role);
+
+        $this->em->persist($user);
+
+        return $user;
+    }
+}

plugins/MauticTagManagerBundle/Controller/TagController.php

@@ -231,6 +231,10 @@ public function newAction()
      */
     public function editAction($objectId, $ignorePost = false)
     {
+        if (!$this->get('mautic.security')->isGranted('tagManager:tagManager:edit')) {
+            return $this->accessDenied();
+        }
+
         $postActionVars = $this->getPostActionVars($objectId);
 
         try {