Merge pull request #5209 from 3liz/backport-5138-to-release_3_9

[Backport release_3_9] OGC Service WFS: Forbidden direct access without rights
3liz · Jan 15, 2025 · 48a3236 · 48a3236
2 parents 41c44f9 + 9fd440e
commit 48a3236
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 1 deletion.
diff --git a/lizmap/modules/lizmap/controllers/service.classic.php b/lizmap/modules/lizmap/controllers/service.classic.php
@@ -300,6 +300,8 @@ protected function serviceException()
                 if ($addwww) {
                     $rep->addHttpHeader('WWW-Authenticate', 'Basic realm="LizmapWebClient", charset="UTF-8"');
                 }
+            } elseif ($code == 'Forbidden') {
+                $rep->setHttpStatus(403, \Lizmap\Request\Proxy::getHttpStatusMsg(403));
             } elseif ($code == 'ProjectNotDefined'
                       || $code == 'RepositoryNotDefined') {
                 $rep->setHttpStatus(404, \Lizmap\Request\Proxy::getHttpStatusMsg(404));
@@ -429,7 +431,7 @@ protected function getServiceParameters($forOptionsMethodOnly = false)
 
         // Redirect if no rights to access this repository
         if (!$lproj->checkAcl()) {
-            jMessage::add(jLocale::get('view~default.repository.access.denied'), 'AuthorizationRequired');
+            jMessage::add(jLocale::get('view~default.service.access.denied'), 'AuthorizationRequired');
 
             return false;
         }
@@ -439,6 +441,21 @@ protected function getServiceParameters($forOptionsMethodOnly = false)
         $pParams['map'] = $lproj->getRelativeQgisPath();
         $params = \Lizmap\Request\Proxy::normalizeParams($pParams);
 
+        // Check WFS rights
+        if (isset($params['service']) && strtolower($params['service']) === 'wfs'
+            && !$lproj->getAppContext()->aclCheck('lizmap.tools.layer.export', $this->repository->getKey())) {
+            $request_headers = \jApp::coord()->request->headers();
+            if (!isset($_SESSION['html_map_token'])
+                || $_SESSION['html_map_token'] !== md5(json_encode(array(
+                    'Host' => $request_headers['Host'],
+                    'User-Agent' => $request_headers['User-Agent'],
+                )))) {
+                jMessage::add(jLocale::get('view~default.service.access.forbidden'), 'Forbidden');
+
+                return false;
+            }
+        }
+
         // Define parameters class private property
         $this->params = $params;
 

diff --git a/lizmap/modules/view/controllers/lizMap.classic.php b/lizmap/modules/view/controllers/lizMap.classic.php
@@ -538,6 +538,12 @@ function f($x)
 
         $rep->body->assign($assign);
 
+        $request_headers = \jApp::coord()->request->headers();
+        $_SESSION['html_map_token'] = md5(json_encode(array(
+            'Host' => $request_headers['Host'],
+            'User-Agent' => $request_headers['User-Agent'],
+        )));
+
         // Log
         $eventParams = array(
             'key' => 'viewmap',

diff --git a/lizmap/modules/view/locales/en_US/default.UTF-8.properties b/lizmap/modules/view/locales/en_US/default.UTF-8.properties
@@ -7,6 +7,9 @@ home.menu=Home
 server.information.error=This map cannot be displayed. Please contact the server administrator to check the server information panel.
 server.information.error.admin=Maps cannot be displayed. Please check the server information panel.
 
+service.access.denied=Access denied to the service.
+service.access.forbidden=Access forbidden to the service.
+
 project.access.denied=Access denied for this project.
 project.title.label=Title
 project.abstract.label=Abstract