From 89e7ab351c193a407bb261c1bdf7845474c734a7 Mon Sep 17 00:00:00 2001
From: sunnavy
Date: Thu, 4 Apr 2024 11:44:46 -0400
Subject: [PATCH] Check rights/paths/objects to protect /Views/

---
 share/html/Views/Component/dhandler | 30 ++++++++++++++++++++++++-----
 share/html/Views/Ticket/dhandler | 21 +++++++++++++++++++-
 2 files changed, 45 insertions(+), 6 deletions(-)

diff --git a/share/html/Views/Component/dhandler b/share/html/Views/Component/dhandler
index fa877d4bdb9..0fa5615e26f 100644
--- a/share/html/Views/Component/dhandler
+++ b/share/html/Views/Component/dhandler
@@ -45,11 +45,6 @@
 %# those contributions and any derivatives thereof.
 %#
 %# END BPS TAGGED BLOCK }}}
-% if ( $component_name eq 'SavedSearch' ) {
-%     $m->comp( "/Elements/ShowSearch", %ARGS );
-% } else {
-%     $m->comp( "/Elements/$component_name", %ARGS );
-% }
 <%init>
 my ($component_name) = $m->dhandler_arg;
@@ -67,9 +62,34 @@ if ( $component_name eq 'SavedSearch' ) {
 elsif ( $ARGS{ObjectType} && $ARGS{ObjectType}->can('Load') && $ARGS{ObjectId} ) {
     my $object = $ARGS{ObjectType}->new( $session{CurrentUser} );
     $object->Load( $ARGS{ObjectId} );
+    return unless $object->Id;
+
     if ( $object->CurrentUserCanSee ) {
         $ARGS{Object} = $object;
     }
+    else {
+        Abort( loc('Permission Denied'), SuppressHeader => 1, Code => HTTP::Status::HTTP_FORBIDDEN );
+    }
+}
+
+my $out;
+if ( $component_name eq 'SavedSearch' ) {
+    eval { $out = $m->scomp( "/Elements/ShowSearch", %ARGS ) };
+}
+else {
+    unless ( $m->comp_exists("/Elements/$component_name") ) {
+        RT->Logger->warning("Component $component_name does not exist");
+        Abort( loc('Invalid Path'), SuppressHeader => 1 );
+    }
+    eval { $out = $m->scomp( "/Elements/$component_name", %ARGS ) };
+}
+
+if ($@) {
+    RT->Logger->warning("Error loading $component_name: $@");
+    Abort( loc('Error'), SuppressHeader => 1 );
+}
+else {
+    $m->out($out);
 }
 <%args>
diff --git a/share/html/Views/Ticket/dhandler b/share/html/Views/Ticket/dhandler
index 64a2df8294b..6d814972cb1 100644
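Review bot: The new permission branch calls `$object->CurrentUserCanSee` on whatever class the request named in `ObjectType`, but the guard on the `elsif` line only verifies `can('Load')`, so a loaded class without that method would die outside the `eval` instead of being denied; fail closed with `if ( $object->can('CurrentUserCanSee') && $object->CurrentUserCanSee ) {` (an explicit allow-list of permitted `ObjectType` classes would be tighter still). Separately, `$component_name` comes from the URL via `dhandler_arg` and is constrained only by `comp_exists("/Elements/$component_name")`; unless Mason or the front-end server is known to reject `..` segments, an anchored check such as `Abort( loc('Invalid Path'), SuppressHeader => 1 ) unless $component_name =~ m{\A[\w/]+\z};` before the lookup keeps it inside `/Elements/` regardless of deployment. Note also that a missing object returns silently while an unreadable one gets a 403, which lets a caller tell existing ids from non-existent ones; that may match RT's behaviour elsewhere, but deserves a comment if intentional. The `if` chain this `elsif` belongs to starts before the hunk.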
--- a/share/html/Views/Ticket/dhandler
+++ b/share/html/Views/Ticket/dhandler
@@ -45,12 +45,31 @@
 %# those contributions and any derivatives thereof.
 %#
 %# END BPS TAGGED BLOCK }}}
-% $m->comp( "/Ticket/Elements/$component_name", Ticket => $ticket, %ARGS );
 <%INIT>
 return unless $id;
 my ($component_name) = $m->dhandler_arg;
 my $ticket = RT::Ticket->new( $session{CurrentUser} );
 $ticket->Load($id);
+return unless $ticket->Id;
+
+unless ( $ticket->CurrentUserCanSee ) {
+    Abort( loc('Permission Denied'), SuppressHeader => 1, Code => HTTP::Status::HTTP_FORBIDDEN );
+}
+
+unless ( $m->comp_exists("/Ticket/Elements/$component_name") ) {
+    RT->Logger->warning( "Component $component_name does not exist" );
+    Abort( loc('Invalid Path'), SuppressHeader => 1 );
+}
+
+my $out;
+eval { $out = $m->scomp( "/Ticket/Elements/$component_name", Ticket => $ticket, %ARGS ) };
+if ($@) {
+    RT->Logger->warning("Error loading $component_name: $@");
+    Abort( loc('Error'), SuppressHeader => 1 );
+}
+else {
+    $m->out($out);
+}
 <%ARGS>