Fix union query for objects without read permission

Author: iherwig

src/wcmf/lib/model/ObjectQueryUnionQueryProvider.php

@@ -12,6 +12,7 @@
 
 use wcmf\lib\core\IllegalArgumentException;
 use wcmf\lib\core\ObjectFactory;
+use wcmf\lib\persistence\PersistenceAction;
 use wcmf\lib\persistence\UnionQueryProvider;
 
 /**
@@ -52,7 +53,11 @@ public function execute($queryId, $buildDepth, $orderby, $pagingInfo) {
     if (!$query) {
       throw new IllegalArgumentException('Query id '.$queryId.' is unknown');
     }
-    return $query->execute($buildDepth, $orderby, $pagingInfo);
+    $permissionManager = ObjectFactory::getInstance('permissionManager');
+    $tmpPerm = $permissionManager->addTempPermission($query->getQueryType(), '', PersistenceAction::READ);
+    $result = $query->execute($buildDepth, $orderby, $pagingInfo);
+    $permissionManager->removeTempPermission($tmpPerm);
+    return $result;
   }
 
   /**

src/wcmf/lib/persistence/UnionQuery.php

@@ -105,6 +105,13 @@ public static function execute(UnionQueryProvider $queryProvider, $buildDepth=Bu
     }
     $cacheKey = self::getCacheKey($queryIds, $buildDepth, $orderby, $pagingInfo);
     $cache->put($cacheSection, $cacheKey, $offsets);
+
+    // remove objects for which the user is not authorized
+    $permissionManager = ObjectFactory::getInstance('permissionManager');
+    $result = array_filter($result, function($object) use ($permissionManager) {
+      return $permissionManager->authorize($object->getOID(), '', PersistenceAction::READ);
+    });
+
     return $result;
   }
 

src/wcmf/lib/persistence/UnionQueryProvider.php

@@ -25,6 +25,7 @@ public function getIds();
 
   /**
    * Execute a single query
+   * NOTE Queries must load all objects regardless of set permissions. Authorization will be done in UnionQuery
    * @param $queryId
    * @param $buildDepth
    * @param $orderby

src/wcmf/lib/persistence/impl/DefaultUnionQueryProvider.php

@@ -12,6 +12,7 @@
 
 use wcmf\lib\core\IllegalArgumentException;
 use wcmf\lib\core\ObjectFactory;
+use wcmf\lib\persistence\PersistenceAction;
 use wcmf\lib\persistence\UnionQueryProvider;
 
 /**
@@ -71,9 +72,13 @@ public function execute($queryId, $buildDepth, $orderby, $pagingInfo) {
       throw new IllegalArgumentException('Query id '.$queryId.' is unknown');
     }
     $persistenceFacade = ObjectFactory::getInstance('persistenceFacade');
+    $permissionManager = ObjectFactory::getInstance('permissionManager');
     $type = $queryDef['type'];
     $criteria = $queryDef['criteria'];
-    return $persistenceFacade->loadObjects($type, $buildDepth, $criteria, $orderby, $pagingInfo);
+    $tmpPerm = $permissionManager->addTempPermission($type, '', PersistenceAction::READ);
+    $result = $persistenceFacade->loadObjects($type, $buildDepth, $criteria, $orderby, $pagingInfo);
+    $permissionManager->removeTempPermission($tmpPerm);
+    return $result;
   }
 }
 ?>