When developers override "kDBEventHandler::getPassedId
" method and manually call the $this->Application->GetVar
method inside, then it's up to them to set the "id_from_request"
event parameter.
In-Portal uses object automatic loading technique, that attempts to load an object with ID provided in Web Request (e.g. in URL). For example:
- user opens /cars/japan/2013-suzuki-sx4.html url
- based on this URL following is automatically detected:
- this is "cars/japan" category
- this is "2013-suzuki-sx4" product
- the product detail template is shown
- the product detail template contains
<inp2:p_Field name="Name"/>
tag that shows product name - the "Field" tag requested data from product object
- the product object is created since this is a 1st request to that object
- product object is loaded using "2013-suzuki-sx4" ID from Web Request
Since data from Web Request cannot be trusted the permission checking code is invoked on that product object to ensure, that user have permissions for accessing that product.
While developing different projects, that use In-Portal we've started to use object auto-loading in our favor by supplying it with IDs that doesn't come from Web Request at all and therefore are safe to use without permission checks. Unfortunately permission checking code doesn't know how to distinguish safe IDs from unsafe ones.
Solution
Plan for fixing:
- make "
kDBEventHandler::getPassedId
" and "kDBEventHandler::StoreSelectedIDs
" methods to set "id_from_request
" event parameter to the "$event" variable, when ID was obtained from Web Request - in the "
kDBEventHandler::OnItemBuild
" event, when we're doing object auto-loading replace call to "kDBEventHandler::checkItemStatus
" method with "true
", when "id_from_request
" event parameter is "false
" - to reduce human error factor the "
kEvent::ID_FROM_REQUEST
" constant needs to be created and used instead of using "id_from_request
" string