

Confidential information provided to user with no permissions (#15530)
* Fix: check user permissions

* some optimizations

* Restrict access to /admin/index/statics

* remove unused

---------

Co-authored-by: dvesh3 <divesh.pahuja@pimcore.com>
robertSt7 and dvesh3 committed Jul 19, 2023
1 parent 5526a49 commit 0237527
Showing 4 changed files with 12 additions and 1 deletion.
Expand Up @@ -91,6 +91,9 @@ public function getAssetTypesAction(Request $request)
*/
public function getTreeAction(Request $request)
{
// we need to check objects permission for listing in pimcore.model.objecttypes ext model
$this->checkPermission('objects');

$defaultIcon = '/bundles/pimcoreadmin/img/flat-color-icons/class.svg';

$classesList = new DataObject\ClassDefinition\Listing();
4 changes: 4 additions & 0 deletions bundles/AdminBundle/Controller/Admin/IndexController.php
Expand Up @@ -138,6 +138,10 @@ public function indexAction(
*/
public function statisticsAction(Request $request, Connection $db, KernelInterface $kernel)
{
if (!$request->isXmlHttpRequest()) {
throw $this->createAccessDeniedHttpException();
}

// DB
try {
$tables = $db->fetchAllAssociative('SELECT TABLE_NAME as name,TABLE_ROWS as `rows` from information_schema.TABLES
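Review bot: The new `isXmlHttpRequest()` guard at the top of statisticsAction is not an access-control check, because it only tests the client-supplied `X-Requested-With` header, which any non-browser caller can set freely; it stops direct navigation to the URL, not scripted access to the DB table statistics the action gathers below. The other two controller hunks in this commit gate their actions with `$this->checkPermission(...)`, and the same pattern with the appropriate permission would be the right tool here if the goal stated in the description ("restrict access") is meant literally. At minimum the intent should be made explicit next to the guard, e.g. `// Note: X-Requested-With is client-controlled; this blocks direct browser navigation only, it is not authorization`. The body of statisticsAction continues outside the hunk, so a permission check may exist further down that is not visible here.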
3 changes: 3 additions & 0 deletions bundles/AdminBundle/Controller/Admin/SettingsController.php
Expand Up @@ -1069,6 +1069,9 @@ public function glossaryAction(Request $request)
*/
public function getAvailableSitesAction(Request $request)
{
// we need to check documents permission for listing purposes in sites ext model & url-slugs
$this->checkPermission('documents');

$excludeMainSite = $request->get('excludeMainSite');

$sitesList = new Model\Site\Listing();
3 changes: 2 additions & 1 deletion bundles/AdminBundle/Resources/public/js/pimcore/startup.js
Expand Up @@ -571,8 +571,9 @@ Ext.onReady(function () {
}

if (data.pushStatistics) {
var request = new XMLHttpRequest();
const request = new XMLHttpRequest();
request.open('GET', Routing.generate('pimcore_admin_index_statistics'));
request.setRequestHeader('X-Requested-With', 'XMLHttpRequest');

request.onload = function () {
if (this.status >= 200 && this.status < 400) {
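Review bot: The added `request.setRequestHeader('X-Requested-With', 'XMLHttpRequest')` line is load-bearing but unexplained: the statistics endpoint now rejects requests without this exact header value, so a future cleanup that drops it would silently break the push. A one-line comment tying the two together would help, e.g. `// Required: IndexController::statisticsAction denies requests that are not flagged as XHR`. The `onload` handler that follows only reacts to 2xx/3xx statuses, so a 403 from the server would pass unnoticed; that is presumably acceptable for telemetry, but worth confirming. The enclosing `Ext.onReady` callback begins and ends outside the hunk.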
