bsiggel
127fa6503b
- Updated copyright headers in 3,055 core application files - Changed 'Copyright (C) 2014-2025' to 'Copyright (C) 2014-2026' - Added 123 new files from EspoCRM core updates - Removed 4 deprecated files - Total changes: 61,637 insertions, 54,283 deletions This is a routine maintenance update for the new year 2026.
308 lines
9.6 KiB
PHP
308 lines
9.6 KiB
PHP
<?php
|
||
/************************************************************************
|
||
* This file is part of EspoCRM.
|
||
*
|
||
* EspoCRM – Open Source CRM application.
|
||
* Copyright (C) 2014-2026 EspoCRM, Inc.
|
||
* Website: https://www.espocrm.com
|
||
*
|
||
* This program is free software: you can redistribute it and/or modify
|
||
* it under the terms of the GNU Affero General Public License as published by
|
||
* the Free Software Foundation, either version 3 of the License, or
|
||
* (at your option) any later version.
|
||
*
|
||
* This program is distributed in the hope that it will be useful,
|
||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
* GNU Affero General Public License for more details.
|
||
*
|
||
* You should have received a copy of the GNU Affero General Public License
|
||
* along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||
*
|
||
* The interactive user interfaces in modified source and object code versions
|
||
* of this program must display Appropriate Legal Notices, as required under
|
||
* Section 5 of the GNU Affero General Public License version 3.
|
||
*
|
||
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
|
||
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
|
||
************************************************************************/
|
||
|
||
namespace Espo\Core\Select\Where;
|
||
|
||
use Espo\Core\Exceptions\Forbidden;
|
||
use Espo\Core\Exceptions\BadRequest;
|
||
use Espo\Core\Acl;
|
||
use Espo\Core\Select\Where\Item\Type;
|
||
use Espo\Entities\Team;
|
||
use Espo\ORM\Defs\Params\RelationParam;
|
||
use Espo\ORM\QueryComposer\Util;
|
||
use Espo\ORM\QueryComposer\Util as QueryUtil;
|
||
use Espo\ORM\EntityManager;
|
||
use Espo\ORM\Entity;
|
||
use Espo\ORM\BaseEntity;
|
||
|
||
/**
|
||
* Checks Where parameters. Throws an exception if anything not allowed is met.
|
||
*
|
||
* @todo Check read access to foreign entity for belongs-to, belongs-to-parent, has-one.
|
||
*/
|
||
class Checker
|
||
{
|
||
private ?Entity $seed = null;
|
||
|
||
private const TYPE_IN_CATEGORY = 'inCategory';
|
||
private const TYPE_IS_USER_FROM_TEAMS = 'isUserFromTeams';
|
||
|
||
/** @var string[] */
|
||
private $nestingTypeList = [
|
||
Type::OR,
|
||
Type::AND,
|
||
Type::NOT,
|
||
Type::SUBQUERY_IN,
|
||
Type::SUBQUERY_NOT_IN,
|
||
];
|
||
|
||
/** @var string[] */
|
||
private $subQueryTypeList = [
|
||
Type::SUBQUERY_IN,
|
||
Type::SUBQUERY_NOT_IN,
|
||
Type::NOT,
|
||
];
|
||
|
||
/** @var string[] */
|
||
private $linkTypeList = [
|
||
self::TYPE_IN_CATEGORY,
|
||
self::TYPE_IS_USER_FROM_TEAMS,
|
||
Type::IS_LINKED_WITH,
|
||
Type::IS_NOT_LINKED_WITH,
|
||
Type::IS_LINKED_WITH_ALL,
|
||
Type::IS_LINKED_WITH_ANY,
|
||
Type::IS_LINKED_WITH_NONE,
|
||
];
|
||
|
||
/** @var string[] */
|
||
private $linkWithIdsTypeList = [
|
||
self::TYPE_IN_CATEGORY,
|
||
self::TYPE_IS_USER_FROM_TEAMS,
|
||
Type::IS_LINKED_WITH,
|
||
Type::IS_NOT_LINKED_WITH,
|
||
Type::IS_LINKED_WITH_ALL,
|
||
];
|
||
|
||
public function __construct(
|
||
private string $entityType,
|
||
private EntityManager $entityManager,
|
||
private Acl $acl,
|
||
) {}
|
||
|
||
/**
|
||
* Check.
|
||
*
|
||
* @throws Forbidden
|
||
* @throws BadRequest
|
||
*/
|
||
public function check(Item $item, Params $params): void
|
||
{
|
||
$this->checkItem($item, $params);
|
||
}
|
||
|
||
/**
|
||
* @throws BadRequest
|
||
* @throws Forbidden
|
||
*/
|
||
private function checkItem(Item $item, Params $params): void
|
||
{
|
||
$type = $item->getType();
|
||
$attribute = $item->getAttribute();
|
||
$value = $item->getValue();
|
||
|
||
$forbidComplexExpressions = $params->forbidComplexExpressions();
|
||
$checkWherePermission = $params->applyPermissionCheck();
|
||
|
||
if ($forbidComplexExpressions) {
|
||
if (in_array($type, $this->subQueryTypeList)) {
|
||
throw new Forbidden("Sub-queries are forbidden in where.");
|
||
}
|
||
}
|
||
|
||
if ($attribute && $forbidComplexExpressions) {
|
||
if (QueryUtil::isComplexExpression($attribute)) {
|
||
throw new Forbidden("Complex expressions are forbidden in where.");
|
||
}
|
||
}
|
||
|
||
if ($attribute) {
|
||
$argumentList = Util::getAllAttributesFromComplexExpression($attribute);
|
||
|
||
foreach ($argumentList as $argument) {
|
||
$this->checkAttributeExistence($argument, $type);
|
||
|
||
if ($checkWherePermission) {
|
||
$this->checkAttributePermission($argument, $type, $value);
|
||
}
|
||
}
|
||
}
|
||
|
||
if (in_array($type, $this->nestingTypeList) && is_array($value)) {
|
||
foreach ($value as $subItem) {
|
||
$this->checkItem(Item::fromRaw($subItem), $params);
|
||
}
|
||
}
|
||
}
|
||
|
||
/**
|
||
* @throws BadRequest
|
||
*/
|
||
private function checkAttributeExistence(string $attribute, string $type): void
|
||
{
|
||
if (str_contains($attribute, '.')) {
|
||
// @todo Check existence of foreign attributes.
|
||
return;
|
||
}
|
||
|
||
if (in_array($type, $this->linkTypeList)) {
|
||
if (!$this->getSeed()->hasRelation($attribute)) {
|
||
throw new BadRequest("Not existing relation '$attribute' in where.");
|
||
}
|
||
|
||
return;
|
||
}
|
||
|
||
if (!$this->getSeed()->hasAttribute($attribute)) {
|
||
throw new BadRequest("Not existing attribute '$attribute' in where.");
|
||
}
|
||
}
|
||
|
||
/**
|
||
* @throws Forbidden
|
||
* @throws BadRequest
|
||
*/
|
||
private function checkAttributePermission(string $attribute, string $type, mixed $value): void
|
||
{
|
||
$entityType = $this->entityType;
|
||
|
||
if (str_contains($attribute, '.')) {
|
||
[$link, $attribute] = explode('.', $attribute);
|
||
|
||
if (!$this->getSeed()->hasRelation($link)) {
|
||
// TODO allow alias
|
||
throw new Forbidden("Bad relation '$link' in where.");
|
||
}
|
||
|
||
$foreignEntityType = $this->getRelationEntityType($this->getSeed(), $link);
|
||
|
||
if (!$foreignEntityType) {
|
||
throw new Forbidden("Bad relation '$link' in where.");
|
||
}
|
||
|
||
if (
|
||
!$this->acl->checkScope($foreignEntityType) ||
|
||
in_array($link, $this->acl->getScopeForbiddenLinkList($entityType))
|
||
) {
|
||
throw new Forbidden("Forbidden relation '$link' in where.");
|
||
}
|
||
|
||
if (in_array($attribute, $this->acl->getScopeForbiddenAttributeList($foreignEntityType))) {
|
||
throw new Forbidden("Forbidden attribute '$link.$attribute' in where.");
|
||
}
|
||
|
||
return;
|
||
}
|
||
|
||
if (in_array($type, $this->linkTypeList)) {
|
||
$this->checkLink($type, $entityType, $attribute, $value);
|
||
|
||
return;
|
||
}
|
||
|
||
if (in_array($attribute, $this->acl->getScopeForbiddenAttributeList($entityType))) {
|
||
throw new Forbidden("Forbidden attribute '$attribute' in where.");
|
||
}
|
||
}
|
||
|
||
private function getSeed(): Entity
|
||
{
|
||
$this->seed ??= $this->entityManager->getNewEntity($this->entityType);
|
||
|
||
return $this->seed;
|
||
}
|
||
|
||
private function getRelationEntityType(Entity $entity, string $relation): mixed
|
||
{
|
||
if ($entity instanceof BaseEntity) {
|
||
return $entity->getRelationParam($relation, RelationParam::ENTITY);
|
||
}
|
||
|
||
$entityDefs = $this->entityManager
|
||
->getDefs()
|
||
->getEntity($entity->getEntityType());
|
||
|
||
if (!$entityDefs->hasRelation($relation)) {
|
||
return null;
|
||
}
|
||
|
||
return $entityDefs->getRelation($relation)->getParam(RelationParam::ENTITY);
|
||
}
|
||
|
||
/**
|
||
* @throws BadRequest
|
||
* @throws Forbidden
|
||
*/
|
||
private function checkLink(string $type, string $entityType, string $link, mixed $value): void
|
||
{
|
||
if (!$this->getSeed()->hasRelation($link)) {
|
||
throw new Forbidden("Bad relation '$link' in where.");
|
||
}
|
||
|
||
$foreignEntityType = $this->getRelationEntityType($this->getSeed(), $link);
|
||
|
||
if (!$foreignEntityType) {
|
||
throw new Forbidden("Bad relation '$link' in where.");
|
||
}
|
||
|
||
if ($type === self::TYPE_IS_USER_FROM_TEAMS) {
|
||
$foreignEntityType = Team::ENTITY_TYPE;
|
||
}
|
||
|
||
if (
|
||
in_array($link, $this->acl->getScopeForbiddenFieldList($entityType)) ||
|
||
!$this->acl->checkScope($foreignEntityType) ||
|
||
in_array($link, $this->acl->getScopeForbiddenLinkList($entityType))
|
||
) {
|
||
throw new Forbidden("Forbidden relation '$link' in where.");
|
||
}
|
||
|
||
if (!in_array($type, $this->linkWithIdsTypeList)) {
|
||
return;
|
||
}
|
||
|
||
if ($value === null) {
|
||
return;
|
||
}
|
||
|
||
if (!is_array($value)) {
|
||
$value = [$value];
|
||
}
|
||
|
||
foreach ($value as $it) {
|
||
if (!is_string($it)) {
|
||
throw new BadRequest("Bad where item. Non-string ID.");
|
||
}
|
||
}
|
||
|
||
// @todo Use the Select Builder instead. Check the result count equal the input IDs count.
|
||
|
||
foreach ($value as $id) {
|
||
$entity = $this->entityManager->getEntityById($foreignEntityType, $id);
|
||
|
||
if (!$entity) {
|
||
throw new Forbidden("Record '$foreignEntityType' `$id` not found.");
|
||
}
|
||
|
||
if (!$this->acl->checkEntityRead($entity)) {
|
||
throw new Forbidden("No access to '$foreignEntityType' `$id`.");
|
||
}
|
||
}
|
||
}
|
||
}
|