Merge pull request #7128 from Countly/anna/master

Cookiezaurs · web-flow · commit cf228bfedfed · 2026-01-07T10:22:57.000+02:00
[SER-2763] (Pentest)Filter out apps when updating widget based on user rights.
diff --git a/plugins/dashboards/api/api.js b/plugins/dashboards/api/api.js
@@ -12,7 +12,7 @@ var pluginOb = {},
     localize = require('../../../api/utils/localization.js'),
     async = require('async'),
     mail = require("../../../api/parts/mgmt/mail"),
-    { validateUser } = require('../../../api/utils/rights.js');
+    { validateUser, getUserApps, getAdminApps} = require('../../../api/utils/rights.js');
 
 var ejs = require("ejs");
 
@@ -1205,6 +1205,24 @@ plugins.setConfigs("dashboards", {
                 widget.contenthtml = sanitizeNote(widget.contenthtml);
             }
 
+            //Filter out app_ids that current users does not have access to
+            if (widget.apps && Array.isArray(widget.apps)) {
+                var user_apps = getUserApps(params.member) || [];
+                var admin_apps = getAdminApps(params.member) || [];
+                widget.apps = widget.apps.filter(appId => {
+                    if (params.member.global_admin) {
+                        return true;
+                    }
+                    else if (user_apps && user_apps.indexOf(appId) !== -1) {
+                        return true;
+                    }
+                    else if (admin_apps && admin_apps.indexOf(appId) !== -1) {
+                        return true;
+                    }
+                    return false;
+                });
+            }
+
             common.db.collection("dashboards").findOne({_id: common.db.ObjectID(dashboardId)}, function(err, dashboard) {
                 if (err || !dashboard) {
                     common.returnMessage(params, 400, "Dashboard with the given id doesn't exist");
@@ -1287,6 +1305,24 @@ plugins.setConfigs("dashboards", {
                 common.returnMessage(params, 400, 'Invalid parameter: widget_id');
                 return true;
             }
+            //Filter out app_ids that current users does not have access to
+            if (widget.apps && Array.isArray(widget.apps)) {
+                var user_apps = getUserApps(params.member) || [];
+                var admin_apps = getAdminApps(params.member) || [];
+                widget.apps = widget.apps.filter(appId => {
+                    if (params.member.global_admin) {
+                        return true;
+                    }
+                    else if (user_apps && user_apps.indexOf(appId) !== -1) {
+                        return true;
+                    }
+                    else if (admin_apps && admin_apps.indexOf(appId) !== -1) {
+                        return true;
+                    }
+                    return false;
+                });
+            }
+
 
             common.db.collection("dashboards").findOne({_id: common.db.ObjectID(dashboardId), widgets: {$in: [common.db.ObjectID(widgetId)]}}, function(err, dashboard) {
                 if (err || !dashboard) {
