Fix for modmore#101 (access to restricted resources)

CensusNL · Sep 17, 2018 · fbe113b · fbe113b
1 parent d575c89
commit fbe113b
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 1 deletion.
diff --git a/core/components/versionx/controllers/index.php b/core/components/versionx/controllers/index.php
@@ -37,12 +37,16 @@
             $v = $versionx->getVersionDetails('vxResource',$versionid,true);
             if ($v !== false)
                 $modx->regClientStartupHTMLBlock('<script type="text/javascript">VersionX.record = '.$v.'; </script>');
+            else
+                return $modx->error->failure($modx->lexicon('versionx.error.noresults'));
         }
         /* If an ID to compare to was passed, fetch that aswell. */
         if ($compareid > 0) {
             $v = $versionx->getVersionDetails('vxResource',$compareid,true);
             if ($v !== false)
                 $modx->regClientStartupHTMLBlock('<script type="text/javascript">VersionX.cmrecord = '.$v.'; </script>');
+            else
+                return $modx->error->failure($modx->lexicon('versionx.error.noresults'));
         }
 
         $scripts[] = $versionx->config['js_url'].'mgr/action.resource.js';

diff --git a/core/components/versionx/model/versionx.class.php b/core/components/versionx/model/versionx.class.php
@@ -399,6 +399,10 @@ public function getVersionDetails($class = 'vxResource',$id = 0, $json = false,
             /* Class specific processing */
             switch ($class) {
                 case 'vxResource':
+                    $resource = $this->modx->getObject('modResource',$v->get('content_id'));
+                    if(!$resource) {
+                        return false;
+                    }
                     $vArray = array_merge($vArray,$vArray['fields']);
 
                     if ($vArray['parent'] != 0) {

diff --git a/core/components/versionx/processors/mgr/resources/get_versions.php b/core/components/versionx/processors/mgr/resources/get_versions.php
@@ -12,6 +12,8 @@
 $current = intval($modx->getOption('current',$scriptProperties,0));
 
 $c = $modx->newQuery('vxResource');
+$c->leftJoin('modContextSetting','ContextSetting','ContextSetting.context_key = vxResource.context_key');
+$c->leftJoin('modResourceGroupResource','ResourceGroup','ResourceGroup.document = vxResource.content_id');
 $c->select(array('version_id','saved','mode'));
 
 if (strlen($search) > 1) {
@@ -22,6 +24,33 @@
 if ($current > 0)
     $c->where(array('version_id:!=' => $current));
 
+/* 1. The connected context has is ignoring access through resource groups */
+$where = [
+    [
+        [
+            'ContextSetting.key' => 'access_resource_group_enabled',
+            'ContextSetting.value' => 0
+        ]
+    ]
+];
+
+/* 2. The default context is ignoring access through resource groups disabled */
+if(!$modx->getOption('access_resource_group_enabled', null, true)) {
+    array_push($where, [
+        'OR:vxResource.context_key:=' => $modx->getOption('default_context')
+    ]);
+    array_push($where[0], [
+        'OR:ContextSetting.key' => 'access_resource_group_enabled',
+        'ContextSetting.value:IS' => null,
+    ]);
+}
+
+/* 3. The resource is not restricted or the user has access to the resourcegroup */
+array_push($where, [
+    'OR:ResourceGroup.id:IS' => null,
+    'OR:ResourceGroup.document_group:IN' => $modx->user->getResourceGroups(),
+]);
+$c->where($where);
 $total = $modx->getCount('vxResource',$c);
 
 $c->sortby($sort,$dir);

diff --git a/core/components/versionx/processors/mgr/resources/getlist.php b/core/components/versionx/processors/mgr/resources/getlist.php
@@ -21,7 +21,9 @@
 $c = $modx->newQuery('vxResource');
 $c->leftJoin('modUser','User');
 $c->leftJoin('modUserProfile','Profile','Profile.internalKey = User.id');
-$c->select(array('version_id','content_id','saved','mode','marked','title','context_key','class','User.username'));
+$c->leftJoin('modContextSetting','ContextSetting','ContextSetting.context_key = vxResource.context_key');
+$c->leftJoin('modResourceGroupResource','ResourceGroup','ResourceGroup.document = vxResource.content_id');
+$c->select(array('vxResource.version_id','vxResource.content_id','vxResource.saved','vxResource.mode','vxResource.marked','vxResource.title','vxResource.context_key','vxResource.class','User.username'));
 
 /* Filter */
 if ($search)
@@ -39,6 +41,33 @@
 if ($until)
     $c->where(array('saved:<' => $until));
 
+/* 1. The connected context has is ignoring access through resource groups */
+$where = [
+    [
+        [
+        'ContextSetting.key' => 'access_resource_group_enabled',
+        'ContextSetting.value' => 0
+        ]
+    ]
+];
+
+/* 2. The default context is ignoring access through resource groups disabled */
+if(!$modx->getOption('access_resource_group_enabled', null, true)) {
+    array_push($where, [
+        'OR:vxResource.context_key:=' => $modx->getOption('default_context')
+    ]);
+    array_push($where[0], [
+        'OR:ContextSetting.key' => 'access_resource_group_enabled',
+        'ContextSetting.value:IS' => null,
+    ]);
+}
+
+/* 3. The resource is not restricted or the user has access to the resourcegroup */
+array_push($where, [
+    'OR:ResourceGroup.id:IS' => null,
+    'OR:ResourceGroup.document_group:IN' => $modx->user->getResourceGroups(),
+]);
+$c->where($where);
 
 $total = $modx->getCount('vxResource',$c);