Merge remote-tracking branch 'refs/remotes/gitdedalo/v7_developer' into v7_developer

devpacdd · devpacdd · commit 205f8b2e55e0 · 2026-04-25T13:08:43.000+02:00
diff --git a/core/api/v1/common/class.dd_core_api.php b/core/api/v1/common/class.dd_core_api.php
@@ -1389,19 +1389,18 @@ public static function count(object $rqo) : object {
 			}
 
 		// permissions check. If user don't have access to any section, set total to zero and prevent search
+			// SEC-09: check permissions for all sections, not only DEDALO_SECTION_USERS_TIPO
 			$ar_section_tipo = $sqo->section_tipo;
 			if( empty($ar_section_tipo) ){
 				$response->result = 0;
 				return $response;
 			}
 			foreach ($ar_section_tipo as $current_section_tipo) {
-				if($current_section_tipo===DEDALO_SECTION_USERS_TIPO) {
-					$permissions = common::get_permissions($current_section_tipo, $current_section_tipo);
-					if($permissions<1){
-						$result = (object)[
-							'total' => 0
-						];
-					}
+				$permissions = common::get_permissions($current_section_tipo, $current_section_tipo);
+				if ($permissions < 1) {
+					$response->result	= (object)['total' => 0];
+					$response->msg		= 'OK. Request done successfully';
+					return $response;
 				}
 			}
 
@@ -1634,7 +1633,7 @@ public static function get_section_elements_context(object $rqo) : object {
 			$ar_section_tipo		= (array)$options->ar_section_tipo;
 			$use_real_sections		= $options->use_real_sections ?? false;
 			$ar_components_exclude	= $options->ar_components_exclude ?? null;
-			$skip_permissions		= $options->skip_permissions ?? false;
+			$skip_permissions		= false; // SEC-07: never allow client to skip permissions
 
 		// section_elements_context_options
 			$section_elements_context_options = (object)[
diff --git a/core/api/v1/common/class.dd_diffusion_api.php b/core/api/v1/common/class.dd_diffusion_api.php
@@ -81,6 +81,14 @@ public static function diffuse(object $rqo): object {
 				throw new Exception("No section related to $diffusion_tipo");
 			}
 
+			// SEC-13: check read permissions for the section being diffused
+			$permissions = common::get_permissions($main_section_tipo, $main_section_tipo);
+			if ($permissions < 1) {
+				$response->errors[] = 'insufficient permissions';
+				$response->msg = "Error. Insufficient permissions to diffuse section ($main_section_tipo)";
+				return $response;
+			}
+
 			// =====================================================
 			// BUILD LANGS
 			// =====================================================
@@ -264,6 +272,14 @@ public static function validate(object $rqo): object {
 	public static function get_ontology_map(object $rqo): object {
 		$response = new stdClass();
 
+		// SEC-14: Restrict ontology map to global admins
+		if (security::is_global_admin(logged_user_id()) !== true) {
+			$response->result = false;
+			$response->errors[] = 'insufficient permissions';
+			$response->msg = 'Error. Insufficient permissions to access ontology map.';
+			return $response;
+		}
+
 		$diffusion_tipo = $rqo->options->diffusion_tipo ?? null;
 		if (!$diffusion_tipo) {
 			$response->result = false;
diff --git a/core/api/v1/common/class.dd_tools_api.php b/core/api/v1/common/class.dd_tools_api.php
@@ -143,8 +143,20 @@ public static function tool_request(object $rqo) : object {
 			require_once $class_file;
 
 		// method (static)
-			if (!method_exists($tool_name, $tool_method)) {
-				$response->msg = 'Error. tool method \''.$tool_method.'\' do not exists ';
+			$is_valid = false;
+			if (method_exists($tool_name, $tool_method)) {
+				try {
+					$reflection = new ReflectionMethod($tool_name, $tool_method);
+					if ($reflection->isPublic() && $reflection->isStatic()) {
+						$is_valid = true;
+					}
+				} catch (Exception $e) {
+					// Ignore exception and leave is_valid false
+				}
+			}
+			if (!$is_valid) {
+				$response->msg = 'Error. tool method not accessible: '.$tool_method;
+				$response->errors[] = 'unauthorized_method';
 				return $response;
 			}
 
diff --git a/core/api/v1/common/class.dd_ts_api.php b/core/api/v1/common/class.dd_ts_api.php
@@ -258,6 +258,14 @@ public static function add_child(object $rqo) : object {
 			$section_tipo	= $source->section_tipo;
 			$section_id		= $source->section_id;
 
+		// SEC-10: check write permissions
+			$permissions = common::get_permissions($section_tipo, $section_tipo);
+			if ($permissions < 2) {
+				$response->errors[] = 'insufficient permissions';
+				$response->msg = "Error. Insufficient permissions to create in section ($section_tipo)";
+				return $response;
+			}
+
 		// new section. Create a new empty section
 			$new_section = section::get_instance($section_tipo);
 			$new_section_id = $new_section->create_record();
@@ -467,6 +475,14 @@ public static function update_parent_data(object $rqo) : object {
 			$new_parent_section_id		= $source->new_parent_section_id;
 			$new_parent_section_tipo	= $source->new_parent_section_tipo;
 
+		// SEC-11: check write permissions
+			$permissions = common::get_permissions($section_tipo, $section_tipo);
+			if ($permissions < 2) {
+				$response->errors[] = 'insufficient permissions';
+				$response->msg = "Error. Insufficient permissions to update in section ($section_tipo)";
+				return $response;
+			}
+
 		// component_relation_parent
 			$parent_tipo	= section::get_ar_children_tipo_by_model_name_in_section($section_tipo, ['component_relation_parent'], true, true, true, true)[0];
 			$model_name		= ontology_node::get_model_by_tipo($parent_tipo,true);
@@ -577,6 +593,14 @@ public static function save_order(object $rqo) : object {
 			$parent_section_tipo= $source->parent_section_tipo ?? null;
 			$parent_section_id	= $source->parent_section_id ?? null;
 
+		// SEC-12: check write permissions
+			$permissions = common::get_permissions($section_tipo, $section_tipo);
+			if ($permissions < 2) {
+				$response->errors[] = 'insufficient permissions';
+				$response->msg = "Error. Insufficient permissions to update order in section ($section_tipo)";
+				return $response;
+			}
+
 		// validate parent context
 			if (empty($parent_section_tipo) || empty($parent_section_id)) {
 				$response->msg = 'Error. parent_section_tipo and parent_section_id are required';
diff --git a/test/server/api/SecurityAudit_Test.php b/test/server/api/SecurityAudit_Test.php
@@ -156,6 +156,116 @@ public function test_read_raw_permission_check() : void {
         $this->assertContains('insufficient permissions', $response->errors, "Should return insufficient permissions error for read_raw");
     }
 
+    /**
+     * TEST_TS_ADD_CHILD_PERMISSION_CHECK
+     * Verify that add_child is blocked for sections the user cannot write to.
+     */
+    public function test_ts_add_child_permission_check() : void {
+        $this->force_limited_user_login(999);
+
+        $rqo = (object)[
+            'action' => 'add_child',
+            'dd_api' => 'dd_ts_api',
+            'source' => (object)[
+                'section_tipo' => self::$section_tipo,
+                'section_id' => '1'
+            ]
+        ];
+
+        $response = dd_ts_api::add_child($rqo);
+
+        $this->assertContains('insufficient permissions', $response->errors, "Should return insufficient permissions error for add_child");
+    }
+
+    /**
+     * TEST_TS_UPDATE_PARENT_PERMISSION_CHECK
+     * Verify that update_parent_data is blocked for sections the user cannot write to.
+     */
+    public function test_ts_update_parent_permission_check() : void {
+        $this->force_limited_user_login(999);
+
+        $rqo = (object)[
+            'action' => 'update_parent_data',
+            'dd_api' => 'dd_ts_api',
+            'source' => (object)[
+                'section_tipo' => self::$section_tipo,
+                'section_id' => '1',
+                'old_parent_section_tipo' => self::$section_tipo,
+                'old_parent_section_id' => '2',
+                'new_parent_section_tipo' => self::$section_tipo,
+                'new_parent_section_id' => '3'
+            ]
+        ];
+
+        $response = dd_ts_api::update_parent_data($rqo);
+
+        $this->assertContains('insufficient permissions', $response->errors, "Should return insufficient permissions error for update_parent_data");
+    }
+
+    /**
+     * TEST_TS_SAVE_ORDER_PERMISSION_CHECK
+     * Verify that save_order is blocked for sections the user cannot write to.
+     */
+    public function test_ts_save_order_permission_check() : void {
+        $this->force_limited_user_login(999);
+
+        $rqo = (object)[
+            'action' => 'save_order',
+            'dd_api' => 'dd_ts_api',
+            'source' => (object)[
+                'section_tipo' => self::$section_tipo,
+                'ar_locators' => [],
+                'parent_section_tipo' => self::$section_tipo,
+                'parent_section_id' => '1'
+            ]
+        ];
+
+        $response = dd_ts_api::save_order($rqo);
+
+        $this->assertContains('insufficient permissions', $response->errors, "Should return insufficient permissions error for save_order");
+    }
+
+    /**
+     * TEST_DIFFUSION_ONTOLOGY_MAP_PERMISSION_CHECK
+     * Verify that get_ontology_map is blocked for non-admin users.
+     */
+    public function test_diffusion_ontology_map_permission_check() : void {
+        $this->force_limited_user_login(999);
+
+        $rqo = (object)[
+            'action' => 'get_ontology_map',
+            'dd_api' => 'dd_diffusion_api',
+            'options' => (object)[
+                'diffusion_tipo' => 'rsc450'
+            ]
+        ];
+
+        $response = dd_diffusion_api::get_ontology_map($rqo);
+
+        $this->assertContains('insufficient permissions', $response->errors, "Should return insufficient permissions error for get_ontology_map for non-admins");
+    }
+
+    /**
+     * TEST_TOOL_REQUEST_REFLECTION_CHECK
+     * Verify that tool_request blocks non-public/non-static methods.
+     */
+    public function test_tool_request_reflection_check() : void {
+        $this->user_login();
+
+        $rqo = (object)[
+            'action' => 'tool_request',
+            'dd_api' => 'dd_tools_api',
+            'source' => (object)[
+                'model' => 'tool_time_machine', // valid standard tool
+                'action' => '__construct'
+            ]
+        ];
+
+        $response = dd_tools_api::tool_request($rqo);
+
+        $this->assertContains('unauthorized_method', $response->errors, "Should return unauthorized_method error for non-callable methods");
+    }
+
     private function force_limited_user_login(int $user_id) : void {
         login_test::force_login($user_id);
         $_SESSION['dedalo']['auth']['is_global_admin'] = false;
