[Tag]: Incorrect permission check in tags (#1785)

* fix: incorrect permission check in tags

* fix: sonar

* fix: update throw tags

Author: lukmzig

src/Asset/Controller/Export/ZipFolderController.php

@@ -20,6 +20,7 @@
 use Pimcore\Bundle\StudioBackendBundle\Controller\AbstractApiController;
 use Pimcore\Bundle\StudioBackendBundle\Exception\Api\EnvironmentException;
 use Pimcore\Bundle\StudioBackendBundle\Exception\Api\ForbiddenException;
+use Pimcore\Bundle\StudioBackendBundle\Exception\Api\InvalidQueryTypeException;
 use Pimcore\Bundle\StudioBackendBundle\Exception\Api\MaxFileSizeExceededException;
 use Pimcore\Bundle\StudioBackendBundle\Exception\Api\NotFoundException;
 use Pimcore\Bundle\StudioBackendBundle\Exception\Api\StreamResourceNotFoundException;
@@ -48,8 +49,12 @@ public function __construct(
     }
 
     /**
-     * @throws ForbiddenException|NotFoundException|StreamResourceNotFoundException
-     * @throws EnvironmentException|MaxFileSizeExceededException
+     * @throws ForbiddenException
+     * @throws NotFoundException
+     * @throws StreamResourceNotFoundException
+     * @throws EnvironmentException
+     * @throws MaxFileSizeExceededException
+     * @throws InvalidQueryTypeException
      */
     #[Route('/assets/export/zip/folder', name: 'pimcore_studio_api_asset_export_zip_folder', methods: ['POST'])]
     #[IsGranted(UserPermissions::ASSETS->value)]

src/Asset/Controller/Grid/GetController.php

@@ -17,6 +17,8 @@
 use Pimcore\Bundle\StudioBackendBundle\Controller\AbstractApiController;
 use Pimcore\Bundle\StudioBackendBundle\Exception\Api\GdiParsingException;
 use Pimcore\Bundle\StudioBackendBundle\Exception\Api\InvalidArgumentException;
+use Pimcore\Bundle\StudioBackendBundle\Exception\Api\InvalidElementTypeException;
+use Pimcore\Bundle\StudioBackendBundle\Exception\Api\InvalidQueryTypeException;
 use Pimcore\Bundle\StudioBackendBundle\Grid\Attribute\Property\GridCollection;
 use Pimcore\Bundle\StudioBackendBundle\Grid\Attribute\Request\GridRequestBody;
 use Pimcore\Bundle\StudioBackendBundle\Grid\MappedParameter\GridParameter;
@@ -46,7 +48,10 @@ public function __construct(
     }
 
     /**
-     * @throws InvalidArgumentException|GdiParsingException
+     * @throws InvalidArgumentException
+     * @throws InvalidQueryTypeException
+     * @throws InvalidElementTypeException
+     * @throws GdiParsingException
      */
     #[Route('/assets/grid', name: 'pimcore_studio_api_get_asset_grid', methods: ['POST'])]
     #[IsGranted(UserPermissions::ASSETS->value)]

src/Asset/Service/AssetService.php

@@ -26,19 +26,14 @@
 use Pimcore\Bundle\StudioBackendBundle\Asset\Schema\Type\Text;
 use Pimcore\Bundle\StudioBackendBundle\Asset\Schema\Type\Unknown;
 use Pimcore\Bundle\StudioBackendBundle\Asset\Schema\Type\Video;
-use Pimcore\Bundle\StudioBackendBundle\DataIndex\Query\AssetQueryInterface;
+use Pimcore\Bundle\StudioBackendBundle\DataIndex\Provider\AssetQueryProviderInterface;
 use Pimcore\Bundle\StudioBackendBundle\DataIndex\Request\ElementParameters;
 use Pimcore\Bundle\StudioBackendBundle\DataIndex\SearchIndexFilterInterface;
 use Pimcore\Bundle\StudioBackendBundle\DataIndex\Service\AssetSearchServiceInterface;
 use Pimcore\Bundle\StudioBackendBundle\Exception\Api\DatabaseException;
 use Pimcore\Bundle\StudioBackendBundle\Exception\Api\ForbiddenException;
 use Pimcore\Bundle\StudioBackendBundle\Exception\Api\InvalidElementTypeException;
-use Pimcore\Bundle\StudioBackendBundle\Exception\Api\InvalidFilterServiceTypeException;
-use Pimcore\Bundle\StudioBackendBundle\Exception\Api\InvalidFilterTypeException;
-use Pimcore\Bundle\StudioBackendBundle\Exception\Api\InvalidQueryTypeException;
 use Pimcore\Bundle\StudioBackendBundle\Exception\Api\NotFoundException;
-use Pimcore\Bundle\StudioBackendBundle\Exception\Api\SearchException;
-use Pimcore\Bundle\StudioBackendBundle\Exception\Api\UserNotFoundException;
 use Pimcore\Bundle\StudioBackendBundle\Filter\Service\FilterServiceProviderInterface;
 use Pimcore\Bundle\StudioBackendBundle\Response\Collection;
 use Pimcore\Bundle\StudioBackendBundle\Security\Service\SecurityServiceInterface;
@@ -60,6 +55,7 @@
     use UserPermissionTrait;
 
     public function __construct(
+        private AssetQueryProviderInterface $assetQueryProvider,
         private AssetSearchServiceInterface $assetSearchService,
         private AssetServiceResolverInterface $assetServiceResolver,
         private EventDispatcherInterface $eventDispatcher,
@@ -71,15 +67,16 @@ public function __construct(
     }
 
     /**
-     * @throws InvalidFilterServiceTypeException|SearchException|InvalidQueryTypeException|InvalidFilterTypeException
+     * {@inheritdoc}
      */
     public function getAssets(ElementParameters $parameters): Collection
     {
         /** @var SearchIndexFilterInterface $filterService */
         $filterService = $this->filterServiceProvider->create(SearchIndexFilterInterface::SERVICE_TYPE);
 
-        /** @var AssetQueryInterface $assetQuery */
+        $assetQuery = $this->assetQueryProvider->createAssetQuery();
         $assetQuery = $filterService->applyFilters(
+            $assetQuery,
             $parameters,
             ElementTypes::TYPE_ASSET
         );
@@ -99,7 +96,7 @@ public function getAssets(ElementParameters $parameters): Collection
     }
 
     /**
-     * @throws SearchException|NotFoundException|UserNotFoundException
+     * {@inheritdoc}
      */
     public function getAsset(
         int $id,
@@ -121,7 +118,7 @@ public function getAsset(
     }
 
     /**
-     * @throws SearchException|NotFoundException
+     * {@inheritdoc}
      */
     public function getAssetForUser(
         int $id,
@@ -135,7 +132,7 @@ public function getAssetForUser(
     }
 
     /**
-     * @throws SearchException|NotFoundException
+     * {@inheritdoc}
      */
     public function getAssetFolder(int $id, bool $checkPermissionsForCurrentUser = true): AssetFolder
     {
@@ -154,7 +151,7 @@ public function getAssetFolder(int $id, bool $checkPermissionsForCurrentUser = t
     }
 
     /**
-     * @throws SearchException|NotFoundException
+     * {@inheritdoc}
      */
     public function getAssetFolderForUser(int $id, UserInterface $user): AssetFolder
     {
@@ -170,7 +167,7 @@ public function getAssetFolderForUser(int $id, UserInterface $user): AssetFolder
     }
 
     /**
-     * @throws SearchException
+     * {@inheritdoc}
      */
     public function assetFolderExists(int $id, bool $checkPermissionsForCurrentUser = true): bool
     {
@@ -184,7 +181,7 @@ public function assetFolderExists(int $id, bool $checkPermissionsForCurrentUser
     }
 
     /**
-     * @throws SearchException
+     * {@inheritdoc}
      */
     public function assetFolderExistsForUser(int $id, UserInterface $user): bool
     {
@@ -198,7 +195,7 @@ public function assetFolderExistsForUser(int $id, UserInterface $user): bool
     }
 
     /**
-     * @throws ForbiddenException|NotFoundException
+     * {@inheritdoc}
      */
     public function getAssetElement(
         UserInterface $user,
@@ -215,7 +212,7 @@ public function getAssetElement(
     }
 
     /**
-     * @throws ForbiddenException|NotFoundException
+     * {@inheritdoc}
      */
     public function getAssetElementByPath(
         UserInterface $user,
@@ -252,7 +249,7 @@ public function getUniqueAssetName(string $targetPath, string $filename): string
     }
 
     /**
-     * @throws DatabaseException|ForbiddenException
+     * {@inheritdoc}
      */
     public function clearThumbnails(int $id): void
     {

src/Asset/Service/ExecutionEngine/ZipService.php

@@ -152,6 +152,9 @@ public function generateZipFileForAssets(ExportAssetFileParameter $parameter): i
         return $this->createJobRunAndStartExecution($parameter->getAssets());
     }
 
+    /**
+     * {@inheritdoc}
+     */
     public function generateZipFileForFolders(ExportFolderFileParameter $parameter): int
     {
         $folders = $parameter->getFolders();

src/Asset/Service/ExecutionEngine/ZipServiceInterface.php

@@ -17,6 +17,7 @@
 use Pimcore\Bundle\StudioBackendBundle\Asset\MappedParameter\ExportFolderFileParameter;
 use Pimcore\Bundle\StudioBackendBundle\Exception\Api\EnvironmentException;
 use Pimcore\Bundle\StudioBackendBundle\Exception\Api\ForbiddenException;
+use Pimcore\Bundle\StudioBackendBundle\Exception\Api\InvalidQueryTypeException;
 use Pimcore\Bundle\StudioBackendBundle\Exception\Api\MaxFileSizeExceededException;
 use Pimcore\Bundle\StudioBackendBundle\Exception\Api\NotFoundException;
 use Pimcore\Model\Asset;
@@ -70,6 +71,9 @@ public function uploadZipAssets(
      */
     public function generateZipFileForAssets(ExportAssetFileParameter $parameter): int;
 
+    /**
+     * @throws InvalidQueryTypeException
+     */
     public function generateZipFileForFolders(ExportFolderFileParameter $parameter): int;
 
     /**

src/DataIndex/Filter/FilterInterface.php

@@ -20,5 +20,12 @@
  */
 interface FilterInterface
 {
+    /**
+     * @template T of QueryInterface
+     *
+     * @param T $query
+     *
+     * @return T
+     */
     public function apply(mixed $parameters, QueryInterface $query): QueryInterface;
 }

src/DataIndex/Filter/TagFilter.php

@@ -14,9 +14,11 @@
 namespace Pimcore\Bundle\StudioBackendBundle\DataIndex\Filter;
 
 use Pimcore\Bundle\StudioBackendBundle\DataIndex\Query\QueryInterface;
+use Pimcore\Bundle\StudioBackendBundle\Exception\Api\ForbiddenException;
 use Pimcore\Bundle\StudioBackendBundle\Exception\Api\InvalidArgumentException;
 use Pimcore\Bundle\StudioBackendBundle\Grid\Column\ColumnType;
 use Pimcore\Bundle\StudioBackendBundle\MappedParameter\Filter\SimpleColumnFiltersParameterInterface;
+use Pimcore\Bundle\StudioBackendBundle\Util\Constant\UserPermissions;
 
 /**
  * @internal
@@ -34,6 +36,16 @@ public function apply(mixed $parameters, QueryInterface $query): QueryInterface
         if (!$filter) {
             return $query;
         }
+        
+        $user = $query->getSearch()->getUser();
+        if (!$user || !$user->isAllowed(UserPermissions::TAGS_SEARCH->value)) {
+            throw new ForbiddenException(
+                sprintf(
+                    'User does not have permission: %s',
+                    UserPermissions::TAGS_SEARCH->value
+                )
+            );
+        }
 
         $filterValue = $filter->getFilterValue();
 

src/DataIndex/Grid/GridSearch.php

@@ -20,16 +20,16 @@
 use Pimcore\Bundle\StudioBackendBundle\DataIndex\Query\AssetQueryInterface;
 use Pimcore\Bundle\StudioBackendBundle\DataIndex\Query\DataObjectQueryInterface;
 use Pimcore\Bundle\StudioBackendBundle\DataIndex\Query\DocumentQueryInterface;
+use Pimcore\Bundle\StudioBackendBundle\DataIndex\Query\QueryInterface;
 use Pimcore\Bundle\StudioBackendBundle\DataIndex\SearchIndexFilterInterface;
 use Pimcore\Bundle\StudioBackendBundle\DataIndex\Service\AssetSearchServiceInterface;
 use Pimcore\Bundle\StudioBackendBundle\DataIndex\Service\DataObjectSearchServiceInterface;
 use Pimcore\Bundle\StudioBackendBundle\DataIndex\Service\DocumentSearchServiceInterface;
 use Pimcore\Bundle\StudioBackendBundle\DataObject\Schema\DataObject;
 use Pimcore\Bundle\StudioBackendBundle\DataObject\Schema\Type\DataObjectFolder;
-use Pimcore\Bundle\StudioBackendBundle\Exception\Api\InvalidArgumentException;
 use Pimcore\Bundle\StudioBackendBundle\Exception\Api\InvalidElementTypeException;
 use Pimcore\Bundle\StudioBackendBundle\Exception\Api\NotFoundException;
-use Pimcore\Bundle\StudioBackendBundle\Exception\Api\SearchException;
+use Pimcore\Bundle\StudioBackendBundle\Factory\QueryFactoryInterface;
 use Pimcore\Bundle\StudioBackendBundle\Filter\MappedParameter\FilterParameter;
 use Pimcore\Bundle\StudioBackendBundle\Filter\Service\FilterServiceProviderInterface;
 use Pimcore\Bundle\StudioBackendBundle\Grid\MappedParameter\GridParameter;
@@ -46,17 +46,18 @@
     private SearchIndexFilterInterface $filterService;
 
     public function __construct(
-        private FilterServiceProviderInterface $filterServiceProvider,
         private AssetSearchServiceInterface $assetSearchService,
         private DataObjectSearchServiceInterface $dataObjectSearchService,
         private DocumentSearchServiceInterface $documentSearchService,
+        private FilterServiceProviderInterface $filterServiceProvider,
+        private QueryFactoryInterface $queryFactory,
         private SecurityServiceInterface $securityService
     ) {
         $this->filterService = $this->filterServiceProvider->create(SearchIndexFilterInterface::SERVICE_TYPE);
     }
 
     /**
-     * @throws NotFoundException|SearchException|InvalidArgumentException
+     * {@inheritdoc}
      */
     public function searchAssets(GridParameter $gridParameter): AssetSearchResult
     {
@@ -67,6 +68,9 @@ public function searchAssets(GridParameter $gridParameter): AssetSearchResult
         );
     }
 
+    /**
+     * {@inheritdoc}
+     */
     public function searchAssetsForUser(GridParameter $gridParameter, UserInterface $user): AssetSearchResult
     {
         return $this->searchElementsForUser(
@@ -76,6 +80,9 @@ public function searchAssetsForUser(GridParameter $gridParameter, UserInterface
         );
     }
 
+    /**
+     * {@inheritdoc}
+     */
     public function searchDataObjects(GridParameter $gridParameter): DataObjectSearchResult
     {
         return $this->searchElementsForUser(
@@ -85,6 +92,9 @@ public function searchDataObjects(GridParameter $gridParameter): DataObjectSearc
         );
     }
 
+    /**
+     * {@inheritdoc}
+     */
     public function searchDocuments(GridParameter $gridParameter): DocumentSearchResult
     {
         return $this->searchElementsForUser(
@@ -94,18 +104,16 @@ public function searchDocuments(GridParameter $gridParameter): DocumentSearchRes
         );
     }
 
+    /**
+     * {@inheritdoc}
+     */
     public function searchElementsForUser(
         string $type,
         GridParameter $gridParameter,
         UserInterface $user
     ): AssetSearchResult|DataObjectSearchResult|DocumentSearchResult {
-        $filter = $gridParameter->getFilters();
-        $type = $this->getStudioElementType($type);
-        $filter = $this->setFilterPath($filter, $type, $gridParameter->getFolderId(), $user);
-
         /** @var AssetQueryInterface|DataObjectQueryInterface|DocumentQueryInterface $query */
-        $query = $this->filterService->applyFilters($filter, $type);
-        $query->setUser($user);
+        $query = $this->getSearchQuery($type, $gridParameter, $user);
 
         return match($type) {
             ElementTypes::TYPE_ASSET => $this->assetSearchService->searchAssets($query),
@@ -115,18 +123,16 @@ public function searchElementsForUser(
         };
     }
 
+    /**
+     * {@inheritdoc}
+     */
     public function searchElementIdsForUser(
         string $type,
         GridParameter $gridParameter,
         UserInterface $user
     ): array {
-        $filter = $gridParameter->getFilters();
-        $type = $this->getStudioElementType($type);
-        $filter = $this->setFilterPath($filter, $type, $gridParameter->getFolderId(), $user);
-
         /** @var AssetQueryInterface|DataObjectQueryInterface $query */
-        $query = $this->filterService->applyFilters($filter, $type);
-        $query->setUser($user);
+        $query = $this->getSearchQuery($type, $gridParameter, $user);
 
         return match($type) {
             ElementTypes::TYPE_ASSET => $this->assetSearchService->fetchAssetIds($query),
@@ -135,6 +141,23 @@ public function searchElementIdsForUser(
         };
     }
 
+    private function getSearchQuery(
+        string $type,
+        GridParameter $gridParameter,
+        UserInterface $user
+    ): QueryInterface
+    {
+        $filter = $gridParameter->getFilters();
+        $type = $this->getStudioElementType($type);
+        $filter = $this->setFilterPath($filter, $type, $gridParameter->getFolderId(), $user);
+
+        $query = $this->queryFactory->create($type);
+        $query = $this->filterService->applyFilters($query, $filter, $type);
+        $query->setUser($user);
+
+        return $query;
+    }
+
     private function setFilterPath(
         FilterParameter $filter,
         string $type,