N°978 Portal: Display / download of blob attributes and attachments in the portal was not compatible with portal configuration and silos by-passing.

git-svn-id: http://svn.code.sf.net/p/itop/code/trunk@4871 a333f486-631f-4898-b8df-5754b55c2be0

datamodels/2.x/itop-portal-base/portal/src/controllers/browsebrickcontroller.class.inc.php

@@ -1,6 +1,6 @@
 <?php
 
-// Copyright (C) 2010-2015 Combodo SARL
+// Copyright (C) 2010-2017 Combodo SARL
 //
 //   This file is part of iTop.
 //
@@ -334,12 +334,12 @@ class BrowseBrickController extends BrickController
 			{
 				case BrowseBrick::ENUM_BROWSE_MODE_TREE:
                 case BrowseBrick::ENUM_BROWSE_MODE_MOSAIC:
-					static::AddToTreeItems($aItems, $aCurrentRow, $aLevelsProperties);
+					static::AddToTreeItems($aItems, $aCurrentRow, $aLevelsProperties, null, $oApp);
 					break;
 
 				case BrowseBrick::ENUM_BROWSE_MODE_LIST:
 				default:
-					$aItems[] = static::AddToFlatItems($aCurrentRow, $aLevelsProperties);
+					$aItems[] = static::AddToFlatItems($aCurrentRow, $aLevelsProperties, $oApp);
 					break;
 			}
 		}
@@ -611,7 +611,7 @@ class BrowseBrickController extends BrickController
 	 * @param array $aLevelsProperties
 	 * @return array
 	 */
-	public static function AddToFlatItems(array $aCurrentRow, array &$aLevelsProperties)
+	public static function AddToFlatItems(array $aCurrentRow, array &$aLevelsProperties, Application $oApp)
 	{
 		$aRow = array();
 
@@ -640,7 +640,7 @@ class BrowseBrickController extends BrickController
                     {
                         if (is_object($tmpAttValue) && !$tmpAttValue->IsEmpty())
                         {
-                            $tmpAttValue = $tmpAttValue->GetDisplayURL(get_class($value), $value->GetKey(), $aLevelsProperties[$key][$sOptionalAttribute]);
+                            $tmpAttValue = $oApp['url_generator']->generate('p_object_document_display', array('sObjectClass' => get_class($value), 'sObjectId' => $value->GetKey(), 'sObjectField' => $aLevelsProperties[$key][$sOptionalAttribute]));
                         }
                         else
                         {
@@ -696,7 +696,7 @@ class BrowseBrickController extends BrickController
 	 * @param array $aCurrentRow
 	 * @param array $aLevelsProperties
 	 */
-	public static function AddToTreeItems(array &$aItems, array $aCurrentRow, array &$aLevelsProperties, $aCurrentRowObjects = null)
+	public static function AddToTreeItems(array &$aItems, array $aCurrentRow, array &$aLevelsProperties, $aCurrentRowObjects = null, Application $oApp = null)
 	{
 		$aCurrentRowKeys = array_keys($aCurrentRow);
 		$aCurrentRowValues = array_values($aCurrentRow);
@@ -732,7 +732,7 @@ class BrowseBrickController extends BrickController
                     {
                         if (is_object($tmpAttValue) && !$tmpAttValue->IsEmpty())
                         {
-                            $tmpAttValue = $tmpAttValue->GetDisplayURL(get_class($aCurrentRowValues[0]), $aCurrentRowValues[0]->GetKey(), $aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute]);
+                            $tmpAttValue = $oApp['url_generator']->generate('p_object_document_display', array('sObjectClass' => get_class($aCurrentRowValues[0]), 'sObjectId' => $aCurrentRowValues[0]->GetKey(), 'sObjectField' => $aLevelsProperties[$aCurrentRowKeys[0]][$sOptionalAttribute]));
                         }
                         else
                         {
@@ -748,7 +748,7 @@ class BrowseBrickController extends BrickController
 		$aCurrentRowSliced = array_slice($aCurrentRow, 1);
 		if (!empty($aCurrentRowSliced))
 		{
-			static::AddToTreeItems($aItems[$sCurrentIndex]['subitems'], $aCurrentRowSliced, $aLevelsProperties, $aCurrentRowObjects);
+			static::AddToTreeItems($aItems[$sCurrentIndex]['subitems'], $aCurrentRowSliced, $aLevelsProperties, $aCurrentRowObjects, $oApp);
 		}
 	}
 

datamodels/2.x/itop-portal-base/portal/src/controllers/objectcontroller.class.inc.php

@@ -1356,10 +1356,93 @@ class ObjectController extends AbstractController
 		return $oResponse;
 	}
 
+    /**
+     * Handles ormDocument display / download from an object
+     *
+     * Note: This is inspired from pages/ajax.document.php, but duplicated as there is no secret mecanism for ormDocument yet.
+     *
+     * @param Request $oRequest
+     * @param Application $oApp
+     * @param string $sOperation
+     */
+	public function DocumentAction(Request $oRequest, Application $oApp, $sOperation = null)
+    {
+        // Setting default operation
+        if($sOperation === null)
+        {
+            $sOperation = 'display';
+        }
+
+        // Retrieving ormDocument's host object
+        $sObjectClass = $oRequest->get('sObjectClass');
+        $sObjectId = $oRequest->get('sObjectId');
+        $sObjectField = $oRequest->get('sObjectField');
+
+        // When reaching to an Attachment, we have to check security on its host object instead of the Attachment itself
+        if($sObjectClass === 'Attachment')
+        {
+            $oAttachment = MetaModel::GetObject($sObjectClass, $sObjectId, true, true);
+            $sHostClass = $oAttachment->Get('item_class');
+            $sHostId = $oAttachment->Get('item_id');
+        }
+        else
+        {
+            $sHostClass = $sObjectClass;
+            $sHostId = $sObjectId;
+        }
+
+        // Checking security layers
+        if (!SecurityHelper::IsActionAllowed($oApp, UR_ACTION_READ, $sHostClass, $sHostId))
+        {
+            IssueLog::Warning(__METHOD__ . ' at line ' . __LINE__ . ' : User #' . UserRights::GetUserId() . ' not allowed to retrieve document from attribute ' . $sObjectField . ' as it not allowed to read ' . $sHostClass . '::' . $sHostId . ' object.');
+            $oApp->abort(404, Dict::S('UI:ObjectDoesNotExist'));
+        }
+
+        // Retrieving object
+        $oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* Must not be found */, $oApp['scope_validator']->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sHostClass));
+        if ($oObject === null)
+        {
+            // We should never be there as the secuirty helper makes sure that the object exists, but just in case.
+            IssueLog::Info(__METHOD__ . ' at line ' . __LINE__ . ' : Could not load object ' . $sObjectClass . '::' . $sObjectId . '.');
+            $oApp->abort(404, Dict::S('UI:ObjectDoesNotExist'));
+        }
+
+        // Setting cache timeout
+        // Note: Attachment download should be handle through AttachmentAction()
+        if($sObjectClass === 'Attachment')
+        {
+            // One year ahead: an attachement cannot change
+            $iCacheSec = 31556926;
+        }
+        else
+        {
+            $sCache = $oRequest->get('cache');
+            $iCacheSec = ($sCache !== null) ? (int) $sCache : 0;
+        }
+
+        $aHeaders = array();
+        if($iCacheSec > 0)
+        {
+            $aHeaders['Expires'] = '';
+            $aHeaders['Cache-Control'] = 'no-transform, public,max-age='.$iCacheSec.',s-maxage='.$iCacheSec;
+            // Reset the value set previously
+            $aHeaders['Pragma'] = 'cache';
+            // An arbitrary date in the past is ok
+            $aHeaders['Last-Modified'] = 'Wed, 15 Jun 2015 13:21:15 GMT';
+        }
+
+        /** @var \ormDocument $oDocument */
+        $oDocument = $oObject->Get($sObjectField);
+        $aHeaders['Content-Type'] = $oDocument->GetMimeType();
+        $aHeaders['Content-Disposition'] = (($sOperation === 'display') ? 'inline' : 'attachment') . ';filename="'.$oDocument->GetFileName().'"';
+
+        return new Response($oDocument->GetData(), Response::HTTP_OK, $aHeaders);
+    }
+
 	/**
 	 * Handles attachment add/remove on an object
 	 *
-	 * Note : This is inspired from itop-attachment/ajax.attachment.php
+	 * Note: This is inspired from itop-attachment/ajax.attachment.php
 	 * 
 	 * @param Request $oRequest
 	 * @param Application $oApp
@@ -1419,10 +1502,18 @@ class ObjectController extends AbstractController
 				break;
 
 			case 'download':
-				$sAttachmentId = $oRequest->get('sAttachmentId');
-				$sAttachmentUrl = utils::GetAbsoluteUrlAppRoot() . ATTACHMENT_DOWNLOAD_URL . $sAttachmentId;
-
-				$oResponse = new RedirectResponse($sAttachmentUrl);
+				// Preparing redirection
+                // - Route
+                $aRouteParams = array(
+                    'sObjectClass' => 'Attachment',
+                    'sObjectId' => $oRequest->get('sAttachmentId'),
+                    'sObjectField' => 'contents',
+                );
+                $sRedirectRoute = $oApp['url_generator']->generate('p_object_document_download', $aRouteParams);
+                // - Request
+                $oSubRequest = Request::create($sRedirectRoute, 'GET', $oRequest->query->all(), $oRequest->cookies->all(), array(), $oRequest->server->all());
+
+                $oResponse = $oApp->handle($oSubRequest, HttpKernelInterface::SUB_REQUEST, true);
 				break;
 
 			default:

datamodels/2.x/itop-portal-base/portal/src/routers/objectrouter.class.inc.php

@@ -1,6 +1,6 @@
 <?php
 
-// Copyright (C) 2010-2015 Combodo SARL
+// Copyright (C) 2010-2017 Combodo SARL
 //
 //   This file is part of iTop.
 //
@@ -44,17 +44,6 @@ class ObjectRouter extends AbstractRouter
 			'callback' => 'Combodo\\iTop\\Portal\\Controller\\ObjectController::ApplyStimulusAction',
 			'bind' => 'p_object_apply_stimulus'
 		),
-		array('pattern' => '/object/attachment/add',
-			'callback' => 'Combodo\\iTop\\Portal\\Controller\\ObjectController::AttachmentAction',
-			'bind' => 'p_object_attachment_add'
-		),
-		array('pattern' => '/object/attachment/download/{sAttachmentId}',
-			'callback' => 'Combodo\\iTop\\Portal\\Controller\\ObjectController::AttachmentAction',
-			'bind' => 'p_object_attachment_download',
-			'values' => array(
-				'sOperation' => 'download'
-			)
-		),
 		array('pattern' => '/object/search',
 			'callback' => 'Combodo\\iTop\\Portal\\Controller\\ObjectController::SearchRegularAction',
 			'bind' => 'p_object_search_regular'
@@ -96,6 +85,31 @@ class ObjectRouter extends AbstractRouter
 			'callback' => 'Combodo\\iTop\\Portal\\Controller\\ObjectController::GetInformationsAsJsonAction',
 			'bind' => 'p_object_get_informations_json',
 		),
+        array('pattern' => '/object/document/display/{sObjectClass}/{sObjectId}/{sObjectField}',
+            'callback' => 'Combodo\\iTop\\Portal\\Controller\\ObjectController::DocumentAction',
+            'bind' => 'p_object_document_display',
+            'values' => array(
+                'sOperation' => 'display'
+            )
+        ),
+        array('pattern' => '/object/document/download/{sObjectClass}/{sObjectId}/{sObjectField}',
+            'callback' => 'Combodo\\iTop\\Portal\\Controller\\ObjectController::DocumentAction',
+            'bind' => 'p_object_document_download',
+            'values' => array(
+                'sOperation' => 'download'
+            )
+        ),
+        array('pattern' => '/object/attachment/add',
+            'callback' => 'Combodo\\iTop\\Portal\\Controller\\ObjectController::AttachmentAction',
+            'bind' => 'p_object_attachment_add'
+        ),
+        array('pattern' => '/object/attachment/download/{sAttachmentId}',
+            'callback' => 'Combodo\\iTop\\Portal\\Controller\\ObjectController::AttachmentAction',
+            'bind' => 'p_object_attachment_download',
+            'values' => array(
+                'sOperation' => 'download'
+            )
+        ),
 	);
 
 }