Fix: front/ check (#949)

* Fix: front/ check

* add check

* return

* lint

---------

Co-authored-by: Stanislas <skita@teclib.com>

Author: Rom1-B

ajax/container.php

@@ -29,10 +29,18 @@
  */
 
 include('../../../inc/includes.php');
+Session::checkLoginUser();
 
 use Glpi\Http\Response;
 
 if (isset($_GET['action']) && $_GET['action'] === 'get_fields_html') {
+
+    $right = PluginFieldsProfile::getRightOnContainer($_SESSION['glpiactiveprofile']['id'], $_GET['id']);
+    if ($right < READ) {
+        Response::sendError(403, 'Forbidden');
+        return;
+    }
+
     $containers_id = $_GET['id'];
     $itemtype      = $_GET['itemtype'];
     $items_id      = (int) $_GET['items_id'];

ajax/container_display_condition.php

@@ -29,6 +29,7 @@
  */
 
 include('../../../inc/includes.php');
+Session::checkLoginUser();
 
 if (isset($_GET['action'])) {
     if ($_GET['action'] === 'get_add_form') {

ajax/container_itemtypes_dropdown.php

@@ -29,5 +29,6 @@
  */
 
 include('../../../inc/includes.php');
+Session::checkLoginUser();
 
 PluginFieldsContainer::showFormItemtype($_REQUEST);

ajax/container_subtype_dropdown.php

@@ -29,5 +29,6 @@
  */
 
 include('../../../inc/includes.php');
+Session::checkLoginUser();
 
 PluginFieldsContainer::showFormSubtype($_REQUEST, true);

ajax/reorder.php

@@ -29,6 +29,7 @@
  */
 
 include('../../../inc/includes.php');
+Session::checkLoginUser();
 
 if (
     !array_key_exists('container_id', $_POST)

ajax/status_override.php

@@ -29,6 +29,7 @@
  */
 
 include('../../../inc/includes.php');
+Session::checkLoginUser();
 
 if (isset($_GET['action'])) {
     if ($_GET['action'] === 'get_status_dropdown') {

front/commondropdown.form.php

@@ -29,6 +29,7 @@
  */
 
 include '../../../inc/includes.php';
+Session::checkLoginUser();
 if (preg_match('/[a-z]/i', $_REQUEST['ddtype']) !== 1) {
     throw new \RuntimeException(sprintf('Invalid itemtype "%1$s"', $_REQUEST['ddtype']));
 }

front/commondropdown.php

@@ -29,6 +29,7 @@
  */
 
 include '../../../inc/includes.php';
+Session::checkLoginUser();
 if (preg_match('/[a-z]/i', $_REQUEST['ddtype']) !== 1) {
     throw new \RuntimeException(sprintf('Invalid itemtype "%1$s"', $_REQUEST['ddtype']));
 }

front/container.form.php

@@ -29,6 +29,7 @@
  */
 
 include('../../../inc/includes.php');
+Session::checkLoginUser();
 
 if (empty($_GET['id'])) {
     $_GET['id'] = '';
@@ -59,6 +60,12 @@
     }
     Html::back();
 } else {
+
+    $right = PluginFieldsProfile::getRightOnContainer($_SESSION['glpiactiveprofile']['id'], $_GET['id']);
+    if ($right < READ) {
+        Html::displayRightError("User is missing the " . READ . " ('read') right for container");
+    }
+
     Html::header(
         __('Additional fields', 'fields'),
         $_SERVER['PHP_SELF'],

front/container.php

@@ -29,6 +29,7 @@
  */
 
 include('../../../inc/includes.php');
+Session::checkLoginUser();
 
 Html::header(
     __('Additional fields', 'fields'),
@@ -38,7 +39,7 @@
     'fieldscontainer',
 );
 
-Session::checkRight('entity', READ);
+Session::checkRight('config', READ);
 
 PluginFieldsContainer::titleList();
 Search::show('PluginFieldsContainer');