From 461bf296743d1f147de9f83becaf214e676ab3ae Mon Sep 17 00:00:00 2001
From: Jean-Laurent <jean-laurent.duzant@xelians.fr>
Date: Mon, 25 Apr 2022 14:22:59 +0200
Subject: [PATCH] FIX #20512 TIME 0:10 BACK : add privilege control && check if
 it comes from the linkedRes component

---
 .../search/controllers/SearchController.php   | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/src/app/search/controllers/SearchController.php b/src/app/search/controllers/SearchController.php
index 4bb898be2e4..228c44541fe 100644
--- a/src/app/search/controllers/SearchController.php
+++ b/src/app/search/controllers/SearchController.php
@@ -57,15 +57,24 @@ class SearchController
 {
     public function get(Request $request, Response $response)
     {
-        $adminSearch = ConfigurationModel::getByPrivilege(['privilege' => 'admin_search', 'select' => ['value']]);
-        if (empty($adminSearch)) {
-            return $response->withStatus(400)->withJson(['errors' => 'No admin_search configuration found', 'lang' => 'noAdminSearchConfiguration']);
+        // $adminSearch = ConfigurationModel::getByPrivilege(['privilege' => 'admin_search', 'select' => ['value']]);
+        // if (empty($adminSearch)) {
+        //     return $response->withStatus(400)->withJson(['errors' => 'No admin_search configuration found', 'lang' => 'noAdminSearchConfiguration']);
+        // }
+
+        $body = $request->getParsedBody();
+
+        if (!PrivilegeController::hasPrivilege(['privilegeId' => 'adv_search_mlb', 'userId' => $GLOBALS['id']]) && !$body['linkedResource']) {
+            return $response->withStatus(403)->withJson(['errors' => 'Service forbidden']);
+        } else {
+            $adminSearch = ConfigurationModel::getByPrivilege(['privilege' => 'admin_search', 'select' => ['value']]);
+            if (empty($adminSearch)) {
+                return $response->withStatus(400)->withJson(['errors' => 'No admin_search configuration found', 'lang' => 'noAdminSearchConfiguration']);
+            }
         }
 
         ini_set('memory_limit', -1);
 
-        $body = $request->getParsedBody();
-
         $userdataClause = SearchController::getUserDataClause(['userId' => $GLOBALS['id'], 'login' => $GLOBALS['login']]);
         $searchWhere    = $userdataClause['searchWhere'];
         $searchData     = $userdataClause['searchData'];
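Review bot: The new privilege check on the `if` line is bypassed by `$body['linkedResource']`, a value taken straight from the parsed request body, so it does not prove the call "comes from the linkedRes component" — any caller who omits the `adv_search_mlb` privilege can still reach the search by setting that flag, and the 403 only applies when the flag is absent. A client-supplied field should not stand in for an authorization decision; the linked-resource path needs its own server-side gate (the user's rights on the resource being linked, or a dedicated privilege checked with `PrivilegeController::hasPrivilege`), and the body flag can at most select which of the two checks to apply. As written the expression also raises an undefined-index notice whenever the key is missing (and a TypeError if `getParsedBody()` returns null), so read it as `$fromLinkedResource = !empty($body['linkedResource']);` before the condition. The commented-out block at the top of the hunk duplicates the code kept in the `else` branch and should be deleted rather than left as dead text, and the `else` after a `return` is unnecessary — the `$adminSearch` lookup can follow the guard unindented. The rest of `get()` continues outside the hunk.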
-- 
GitLab