authorIvan Kohler <ivan@freeside.biz>2012-06-07 16:55:45 -0700
committerIvan Kohler <ivan@freeside.biz>2012-06-07 16:55:45 -0700
commitc24d6e2242ae0e026684b8f95decf156aba6e75e (patch)
tree8597d00e2e6bf2cf400437b9344f43b1500da412 /rt/share/html/Helpers
parent6686c29104e555ea23446fe1db330664fa110bc0 (diff)
rt 4.0.6
Diffstat (limited to 'rt/share/html/Helpers')
-rw-r--r--rt/share/html/Helpers/Autocomplete/CustomFieldValues44
-rw-r--r--rt/share/html/Helpers/Toggle/ShowRequestor4
2 files changed, 45 insertions, 3 deletions
diff --git a/rt/share/html/Helpers/Autocomplete/CustomFieldValues b/rt/share/html/Helpers/Autocomplete/CustomFieldValues
index b8b21e4fe..887302f0c 100644
--- a/rt/share/html/Helpers/Autocomplete/CustomFieldValues
+++ b/rt/share/html/Helpers/Autocomplete/CustomFieldValues
@@ -52,6 +52,17 @@
# Only autocomplete the last value
my $term = (split /\n/, $ARGS{term} || '')[-1];
+my $abort = sub {
+ $r->content_type('application/json');
+ $m->out(JSON::to_json( [] ));
+ $m->abort;
+};
+
+unless ( exists $ARGS{ContextType} and exists $ARGS{ContextId} ) {
+ RT->Logger->debug("No context provided");
+ $abort->();
+}
+
my $CustomField;
for my $k ( keys %ARGS ) {
next unless $k =~ /^Object-.*?-\d*-CustomField-(\d+)-Values?$/;
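Review bot: The new guard `unless ( exists $ARGS{ContextType} and exists $ARGS{ContextId} )` only tests key presence, so a request carrying `ContextId=` (empty) or an undefined value passes this check and is handed on to the context lookup further down, where it is rejected only by the generic `unless $context_object` abort with no log line saying why. Testing the values rather than the keys keeps the debug trail honest: `unless ( defined $ARGS{ContextType} and length $ARGS{ContextType} and defined $ARGS{ContextId} and length $ARGS{ContextId} )`. Note also that the `$abort` closure is the only path that sets `application/json`; if the component later fails before its own content-type is set, clients get whatever the default is, so it may be worth setting the content type once at the top. The `for` loop that begins on the last lines of this hunk closes in the next hunk.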
@@ -59,9 +70,38 @@ for my $k ( keys %ARGS ) {
last;
}
-$m->abort unless $CustomField;
+unless ( $CustomField ) {
+ RT->Logger->debug("No CustomField provided");
+ $abort->();
+}
+
+my $SystemCustomFieldObj = RT::CustomField->new( RT->SystemUser );
+my ($id, $msg) = $SystemCustomFieldObj->LoadById( $CustomField ) ;
+unless ( $id ) {
+ RT->Logger->debug("Invalid CustomField provided: $msg");
+ $abort->();
+}
+
+my $context_object = $SystemCustomFieldObj->LoadContextObject(
+ $ARGS{ContextType}, $ARGS{ContextId} );
+$abort->() unless $context_object;
+
my $CustomFieldObj = RT::CustomField->new( $session{'CurrentUser'} );
-$CustomFieldObj->Load( $CustomField );
+if ( $SystemCustomFieldObj->ValidateContextObject($context_object) ) {
+ # drop our privileges that came from calling LoadContextObject as the System User
+ $context_object->new($session{'CurrentUser'});
+ $context_object->LoadById($ARGS{ContextId});
+ $CustomFieldObj->SetContextObject( $context_object );
+} else {
+ RT->Logger->debug("Invalid Context Object ".$context_object->id." for Custom Field ".$SystemCustomFieldObj->id);
+ $abort->();
+}
+
+($id, $msg) = $CustomFieldObj->LoadById( $CustomField );
+unless ( $CustomFieldObj->Name ) {
+ RT->Logger->debug("Current User cannot see this Custom Field, terminating");
+ $abort->();
+}
my $values = $CustomFieldObj->Values;
$values->Limit(
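Review bot: The privilege drop in the "drop our privileges" branch does not appear to take effect: `$context_object->new($session{'CurrentUser'})` discards its return value, and a `new` called on an instance normally constructs and returns a fresh object rather than re-initialising the invocant (I cannot see RT::Record from here, so confirm), which would leave `$context_object` holding the SystemUser-loaded record that is then passed to `SetContextObject`. The fix is to keep the result: `$context_object = $context_object->new($session{'CurrentUser'});` followed by the existing `LoadById`. The result of that `LoadById`, and of the later `($id, $msg) = $CustomFieldObj->LoadById( $CustomField )`, is also never checked; the `Name` test catches an unreadable custom field, but a failed context reload is silently tolerated, so consider `$abort->() unless $context_object->id;` after the reload. The `$values->Limit(` call on the last line continues outside this hunk.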
diff --git a/rt/share/html/Helpers/Toggle/ShowRequestor b/rt/share/html/Helpers/Toggle/ShowRequestor
index bb90b9887..68e8a0517 100644
--- a/rt/share/html/Helpers/Toggle/ShowRequestor
+++ b/rt/share/html/Helpers/Toggle/ShowRequestor
@@ -47,7 +47,9 @@
%# END BPS TAGGED BLOCK }}}
<%INIT>
my $TicketTemplate = "/Ticket/Elements/ShowRequestorTickets$Status";
-$TicketTemplate = "/Ticket/Elements/ShowRequestorTicketsActive" unless $m->comp_exists($TicketTemplate);
+$TicketTemplate = "/Ticket/Elements/ShowRequestorTicketsActive"
+ unless RT::Interface::Web->ComponentPathIsSafe($TicketTemplate)
+ and $m->comp_exists($TicketTemplate);
my $user_obj = RT::User->new($session{CurrentUser});
my ($val, $msg) = $user_obj->Load($Requestor);
unless ($val) {
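Review bot: `$Status` is still interpolated straight into `$TicketTemplate` before any validation, and the new `ComponentPathIsSafe` check only vets the assembled path (it is defined outside this hunk, so what it rejects cannot be confirmed here); the fallback to `ShowRequestorTicketsActive` also happens silently, unlike the `RT->Logger->debug` trail the sibling helper in this commit leaves. Validating the argument itself is a cheaper and more obviously correct guard, and it sidesteps the path check entirely for the normal case: `$Status = 'Active' unless defined $Status and $Status =~ /\A\w+\z/;` placed before `$TicketTemplate` is built, keeping the existing `comp_exists` fallback for unknown-but-well-formed values. The `<%INIT>` block continues past the end of this hunk.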