
Commit a6ee68d

committed
Ensure that the user has read permission to the part and the category to prevent IPN info leakage
issue #1283
1 parent af6ddff commit a6ee68d

1 file changed

Lines changed: 7 additions & 0 deletions

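--- a/src/Controller/TypeaheadController.php
+++ b/src/Controller/TypeaheadController.php
@@ -208,9 +208,16 @@ public function ipnSuggestions(
 /** @var Category|null $category */
 $category = $entityManager->getRepository(Category::class)->find($categoryId);
 
+//Ensure the user has access to both the part and the category
+$this->denyAccessUnlessGranted('read', $part);
+if ($category !== null) {
+$this->denyAccessUnlessGranted('read', $category);
+}
+
 $clonedPart = clone $part;
 $clonedPart->setCategory($category);
 
+
 $partRepository = $entityManager->getRepository(Part::class);
 $ipnSuggestions = $partRepository->autoCompleteIpn($clonedPart, $description, $this->ipnSuggestSettings->suggestPartDigits);
 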
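Review bot: The `if ($category !== null)` branch makes the two failure modes observable from outside: a `$categoryId` that does not exist falls through and the request proceeds with a null category, while one that exists but is not readable by the caller ends in an AccessDeniedException, so the response status alone tells the two apart and (inferred from these lines only, since the lookup's callers are not visible) could be used to probe which category ids exist. If that distinction matters for this endpoint, handle the null and the unreadable case the same way, e.g. `if ($category === null || !$this->isGranted('read', $category)) { throw $this->createNotFoundException(); }`, or document that the null case is intentionally permitted. The `$part` check has no null guard in the hunk; `$part` is resolved before line 208, outside this view, so whether it can be null here should be confirmed against the resolver. The method would also benefit from a docblock line such as `@throws AccessDeniedException when the caller may not read the part or the category`, and the inline comment should follow the file's `// ` spacing. ipnSuggestions starts before and continues after this hunk.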
