[GDPR] fix permission issues when exporting elements

* fix user being able to extract data without element permissions

* fix error when extracting pimcore user data due to wrong permission check

* Apply php-cs-fixer changes

---------

Co-authored-by: wwidergoldpimcore <265217381+wwidergoldpimcore@users.noreply.github.com>

Author: wwidergoldpimcore

src/Gdpr/Provider/AssetsProvider.php

@@ -17,14 +17,17 @@
 use Pimcore\Bundle\StudioBackendBundle\DataIndex\Provider\AssetQueryProviderInterface;
 use Pimcore\Bundle\StudioBackendBundle\DataIndex\Query\QueryInterface;
 use Pimcore\Bundle\StudioBackendBundle\DataIndex\Service\AssetSearchServiceInterface;
+use Pimcore\Bundle\StudioBackendBundle\Exception\Api\ForbiddenException;
 use Pimcore\Bundle\StudioBackendBundle\Exception\Api\NotFoundException;
 use Pimcore\Bundle\StudioBackendBundle\Filter\MappedParameter\FilterParameter;
 use Pimcore\Bundle\StudioBackendBundle\Gdpr\Provider\Legacy\AssetExporterInterface;
 use Pimcore\Bundle\StudioBackendBundle\Gdpr\Schema\GdprDataRow;
 use Pimcore\Bundle\StudioBackendBundle\Response\Collection;
+use Pimcore\Bundle\StudioBackendBundle\Util\Constant\ElementPermissions;
 use Pimcore\Bundle\StudioBackendBundle\Util\Constant\UserPermissions;
 use Pimcore\Model\Asset;
 use Symfony\Component\HttpFoundation\Response;
+use function sprintf;
 
 /**
  * @internal
@@ -130,6 +133,10 @@ public function getSingleItemForDownload(int $id): Response
             throw new NotFoundException('Asset Not Found', $id);
         }
 
+        if (!$asset->isAllowed(ElementPermissions::VIEW_PERMISSION)) {
+            throw new ForbiddenException(sprintf('Access Denied for asset with id "%d".', $asset->getId()));
+        }
+
         return $this->assetExporter->doExportData($asset);
     }
 

src/Gdpr/Provider/DataObjectProvider.php

@@ -17,14 +17,17 @@
 use Pimcore\Bundle\StudioBackendBundle\DataIndex\Provider\DataObjectQueryProviderInterface;
 use Pimcore\Bundle\StudioBackendBundle\DataIndex\Query\QueryInterface;
 use Pimcore\Bundle\StudioBackendBundle\DataIndex\Service\DataObjectSearchServiceInterface;
+use Pimcore\Bundle\StudioBackendBundle\Exception\Api\ForbiddenException;
 use Pimcore\Bundle\StudioBackendBundle\Exception\Api\NotFoundException;
 use Pimcore\Bundle\StudioBackendBundle\Filter\MappedParameter\FilterParameter;
 use Pimcore\Bundle\StudioBackendBundle\Gdpr\Provider\Legacy\ObjectExporterInterface;
 use Pimcore\Bundle\StudioBackendBundle\Gdpr\Schema\GdprDataRow;
 use Pimcore\Bundle\StudioBackendBundle\Response\Collection;
+use Pimcore\Bundle\StudioBackendBundle\Util\Constant\ElementPermissions;
 use Pimcore\Bundle\StudioBackendBundle\Util\Constant\UserPermissions;
 use Pimcore\Model\DataObject;
 use Pimcore\Model\DataObject\Concrete;
+use function sprintf;
 
 /**
  * @internal
@@ -132,6 +135,10 @@ public function getSingleItemForDownload(int $id): array
             throw new NotFoundException('Requested object is not a Concrete data object', $id);
         }
 
+        if (!$object->isAllowed(ElementPermissions::VIEW_PERMISSION)) {
+            throw new ForbiddenException(sprintf('Access Denied for object with id "%d".', $object->getId()));
+        }
+
         $export = [
             'id'            => $object->getId(),
             'fullPath'      => $object->getFullPath(),

src/Gdpr/Provider/PimcoreUserProvider.php

@@ -213,6 +213,6 @@ public function getSortPriority(): int
      */
     public function getRequiredPermissions(): array
     {
-        return [UserPermissions::PIMCORE_USER->value];
+        return [UserPermissions::USER_MANAGEMENT->value];
     }
 }