From cbb5bc441f2537554acfacb49169ef0dc32a32e9 Mon Sep 17 00:00:00 2001 From: Yonas Habteab Date: Fri, 27 Aug 2021 16:12:07 +0200 Subject: [PATCH] ObjectAuthorization: Quote RoleName which is used as an alias for mysql Query --- .../Icingadb/Authentication/ObjectAuthorization.php | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/library/Icingadb/Authentication/ObjectAuthorization.php b/library/Icingadb/Authentication/ObjectAuthorization.php index 3959ec5a..b18cb5f9 100644 --- a/library/Icingadb/Authentication/ObjectAuthorization.php +++ b/library/Icingadb/Authentication/ObjectAuthorization.php @@ -104,8 +104,10 @@ class ObjectAuthorization $query = $model::on($this->getDb()); $tableName = $query->getModel()->getTableName(); + $inspectedRoles = []; $roleExpressions = []; $rolesWithoutRestrictions = []; + foreach ($this->getAuth()->getUser()->getRoles() as $role) { $roleFilter = Filter::all(); if (($restriction = $role->getRestrictions('icingadb/filter/objects'))) { @@ -127,6 +129,9 @@ class ObjectAuthorization continue; } + $inspectedRoles[] = $role->getName(); + $roleName = $this->getDb()->quoteIdentifier($role->getName()); + if ($cache) { FilterProcessor::apply($roleFilter, $query); $where = $query->getSelectBase()->getWhere(); @@ -134,10 +139,10 @@ class ObjectAuthorization $values = []; $rendered = $this->getDb()->getQueryBuilder()->buildCondition($where, $values); - $roleExpressions[$role->getName()] = new Expression($rendered, null, ...$values); + $roleExpressions[$roleName] = new Expression($rendered, null, ...$values); } else { $subQuery = clone $query; - $roleExpressions[$role->getName()] = $subQuery + $roleExpressions[$roleName] = $subQuery ->columns([new Expression('1')]) ->filter($roleFilter) ->filter($filter) 
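Review bot: In the hunk at `@@ -127,6 +129,9 @@`, `$role->getName()` is configuration-supplied text that now becomes part of the SQL as an alias, so the query's safety rests on what `quoteIdentifier()` does with it. Two behaviours are not visible here and should be confirmed with a test: that it escapes an embedded quote character, and that it does not treat a `.` in the name as a schema separator. A sturdier form keeps role names out of the SQL altogether by using a generated alias, e.g. `$alias = 'role_' . count($inspectedRoles);` with `$inspectedRoles[$alias] = $role->getName();`, and mapping back to the name when rows are read. The same key is used in both branches of the `@@ -134,10 +139,10 @@` hunk, and the enclosing method starts and ends outside these hunks.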
@@ -158,7 +163,7 @@ class ObjectAuthorization foreach ($query as $row) { $roles = $rolesWithoutRestrictions; - foreach ($roleExpressions as $alias => $_) { + foreach ($inspectedRoles as $alias) { if ($row->$alias) { $rolesWithRestrictions[$alias] = true; $roles[] = $alias;
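Review bot: `$row->$alias` now looks up the result column by the unquoted role name while the query was built with the quoted form, so the loop depends on the driver returning the alias exactly as configured, case included. That deserves a comment such as `// aliases are quoted in SQL only; result columns come back under the raw role name`. If the query also selects the model's own columns (not visible in this hunk), a role whose name equals one of them would read that column's value and could be recorded as a matching role. A collision check or a prefixed alias would be safer. The body of the outer `foreach ($query as $row)` continues past the end of the hunk.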