check for access entity and prevent purge from API

pluginsGLPI · Nov 19, 2024 · deb0d5d · deb0d5d
1 parent b0c2f05
commit deb0d5d
Showing 1 changed file with 23 additions and 0 deletions.
diff --git a/inc/abstractcontainerinstance.class.php b/inc/abstractcontainerinstance.class.php
@@ -32,6 +32,13 @@ abstract class PluginFieldsAbstractContainerInstance extends CommonDBTM
 {
     public function canViewItem()
     {
+        //check if current user have access to the main item entity
+        $item = new $this->fields['itemtype']();
+        $item->getFromDB($this->fields['item_id']);
+        if (!Session::haveAccessToEntity($item->getEntityID(), $item->isRecursive())) {
+            return false;
+        }
+
         $right = PluginFieldsProfile::getRightOnContainer($_SESSION['glpiactiveprofile']['id'], $this->fields['plugin_fields_containers_id']);
         if ($right < READ) {
             return false;
@@ -41,13 +48,29 @@ public function canViewItem()
 
     public function canUpdateItem()
     {
+        //check if current user have access to the main item entity
+        $item = new $this->fields['itemtype']();
+        $item->getFromDB($this->fields['item_id']);
+        if (!Session::haveAccessToEntity($item->getEntityID(), $item->isRecursive())) {
+            return false;
+        }
+
         $right = PluginFieldsProfile::getRightOnContainer($_SESSION['glpiactiveprofile']['id'], $this->fields['plugin_fields_containers_id']);
         if ($right > READ) {
             return true;
         }
         return false;
     }
 
+    public function canPurgeItem()
+    {
+        if (isAPI()) {
+            return false;
+        }
+        return true;
+    }
+
+
     public static function getSpecificValueToSelect($field, $name = '', $values = '', array $options = [])
     {
         if (!is_array($values)) {