From 0a076ebb994a73524243dfc2d5257649a2a6cf90 Mon Sep 17 00:00:00 2001
From: Guillaume Heurtier <guillaume.heurtier@maarch.org>
Date: Fri, 4 Dec 2020 13:56:32 +0100
Subject: [PATCH] FIX #12026 TIME 0:10 fix perimeter check

---
 src/app/attachment/controllers/AttachmentController.php | 6 +++++-
 src/app/resource/controllers/ResController.php          | 4 ++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/app/attachment/controllers/AttachmentController.php b/src/app/attachment/controllers/AttachmentController.php
index 7a9c799408f..310708da300 100755
--- a/src/app/attachment/controllers/AttachmentController.php
+++ b/src/app/attachment/controllers/AttachmentController.php
@@ -489,11 +489,15 @@ class AttachmentController
             return $response->withStatus(403)->withJson(['errors' => 'id param is not an integer']);
         }
 
-        $document = AttachmentModel::getById(['select' => [1], 'id' => $args['id']]);
+        $document = AttachmentModel::getById(['select' => ['res_id_master'], 'id' => $args['id']]);
         if (empty($document)) {
             return $response->withStatus(400)->withJson(['errors' => 'Document does not exist']);
         }
 
+        if (!ResController::hasRightByResId(['resId' => [$document['res_id_master']], 'userId' => $GLOBALS['id']])) {
+            return $response->withStatus(403)->withJson(['errors' => 'Document out of perimeter']);
+        }
+
         $docserver = DocserverModel::getByDocserverId(['docserverId' => 'TNL_ATTACH', 'select' => ['path_template']]);
         if (empty($docserver['path_template']) || !file_exists($docserver['path_template'])) {
             return $response->withStatus(400)->withJson(['errors' => 'Docserver does not exist']);
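Review bot: The new perimeter check on the `hasRightByResId` line passes `$document['res_id_master']` through without confirming the attachment actually has a master resource; if `res_id_master` can be null for some attachments (not visible from here), the helper receives `['resId' => [null]]` and whether that denies or silently passes depends on how `hasRightByResId` treats an empty id. A defensive form that fails closed is `if (empty($document['res_id_master']) || !ResController::hasRightByResId(['resId' => [$document['res_id_master']], 'userId' => $GLOBALS['id']])) {`, keeping the 403 on the next line. A one-line comment above the check such as `// Thumbnail access follows the perimeter of the master resource, not the attachment itself` would also document why the select was widened from `[1]` to `['res_id_master']`. The enclosing method starts before this hunk and continues past it, so I cannot confirm how `$args['id']` was validated beyond the integer check shown.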
diff --git a/src/app/resource/controllers/ResController.php b/src/app/resource/controllers/ResController.php
index b744a1add45..6e0d7097f2e 100755
--- a/src/app/resource/controllers/ResController.php
+++ b/src/app/resource/controllers/ResController.php
@@ -757,6 +757,10 @@ class ResController extends ResourceControlController
             return $response->withStatus(400)->withJson(['errors' => 'Document does not exist']);
         }
 
+        if (!ResController::hasRightByResId(['resId' => [$args['resId']], 'userId' => $GLOBALS['id']])) {
+            return $response->withStatus(403)->withJson(['errors' => 'Document out of perimeter']);
+        }
+
         $docserver = DocserverModel::getByDocserverId(['docserverId' => 'TNL_MLB', 'select' => ['path_template']]);
         if (empty($docserver['path_template']) || !file_exists($docserver['path_template'])) {
             return $response->withStatus(400)->withJson(['errors' => 'Docserver does not exist']);
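Review bot: Inside `ResController` the new check calls its own static helper through the fully qualified class name, `ResController::hasRightByResId(...)`; `self::hasRightByResId(...)` is the conventional form here and avoids rebinding if the class is ever renamed or subclassed further (the class already extends `ResourceControlController`). The check itself is correctly placed before the docserver lookup so no file path is touched for an out-of-perimeter caller. The method starts and ends outside this hunk, so whether `$args['resId']` was already validated as an integer before the existence check is assumed rather than visible.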
-- 
GitLab