salesagility / SuiteCRM

SuiteCRM - Open source CRM for the world
https://www.suitecrm.com
GNU Affero General Public License v3.0

Fix #10150 - Allow internal endpoints in iframe dashlet #10358

Open pstevens71 opened 5 months ago

pstevens71 commented 5 months ago

Description

Created a new function getCustomEntrypoints() to find all the custom entry points, then modified the function isSelfRequest($endpoint) to check the list of custom entry points in which case it will return false and allow the entry point.

  1. Create a custom entry point.
  2. Add a web iframe dashlet to your dashboard with the internal URL.
  3. It will not be allowed. Apply the fix, and it will be allowed.

    https://github.com/salesagility/SuiteCRM/issues/10150

Motivation and Context

This allows internal entry points to be embedded in a dashlet. One would presume that internal entry points created by a developer should be allowed to be embedded.

How To Test This

Apply the patch and then create a custom entry point, like echo "hello world";, and then try to embed that URL in a dashlet as an iframe. It should be allowed with these modifications.

serhiisamko091184 commented 4 months ago

Hi @pstevens71,

thanks for contributing to our project,

I'm afraid I can't replicate the expected behavior, would you please check my steps:

1) I've got my entry point registered:

[screenshot]

[screenshot]

2) This is an expected result with commented-out lines mentioned in the issue:

[screenshot]

[screenshot]

3) This is the applied fix:

The changes are present in the code base: [screenshot]

[screenshot]

Homepage after running the utility 'Repair & Rebuild': [screenshot]

I would appreciate your feedback on my replication steps.

Thanks a lot in advance!

Regards, Serhii

pstevens71 commented 4 months ago

Did you re-add the dashlet after the change?

serhiisamko091184 commented 4 months ago

Thanks for asking - yes, I did.

[screenshot]

[screenshot]

[screenshot]

pstevens71 commented 4 months ago

Hmm, did you flush all the JS stuff out in Repair? I've implemented this on at least 3 installations without problem.

Also does the base URL in your config match the URL of the internal link?

[screenshot]

serhiisamko091184 commented 4 months ago

Thank you for the quick reply, yes - all is fine (JS & URL).

I tend to think that the issue is with the pattern given. After some changes, I have a proper result:

[screenshot]

Have a closer look, please:

[screenshot]

I have never entered the control structure as preg_match gives false:

[screenshot]

Would it be possible to make additional changes?

Thanks in advance.

Regards, Serhii
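The PR description above sketches the intended check (collect the custom entry point names, then let `isSelfRequest()` pass a URL whose entry point is on that list), and the later comment reports that the first pattern never matched because `preg_match` returned false. The following is an added illustrative example of that allowlist check, not SuiteCRM's own code and not the patch under review. It assumes, hypothetically, that custom entry points are registered in an `$entry_point_registry` array keyed by entry point name and that the instance base URL is available as `$siteUrl`; the function names `getCustomEntrypoints()` and `isAllowedInternalEntryPoint()` and all sample data are constructed for this example. It parses the URL with `parse_url()`/`parse_str()` instead of a hand-written regular expression, so the "pattern silently never matches" failure mode seen in the thread cannot occur, and it still refuses any URL that is not this instance's own `index.php` with a registered `entryPoint`.

```php
<?php
// Added example, not SuiteCRM's own code. Hypothetical registry shape:
// $entry_point_registry['name'] = ['file' => '...', 'auth' => true];

/** Return the names of the registered custom entry points. */
function getCustomEntrypoints(array $entryPointRegistry): array
{
    return array_keys($entryPointRegistry);
}

/**
 * Allow a dashlet URL only if it points at THIS instance's index.php and
 * names a registered custom entry point. Everything else stays blocked.
 */
function isAllowedInternalEntryPoint(string $url, string $siteUrl, array $customEntryPoints): bool
{
    $target = parse_url($url);
    $site   = parse_url(rtrim($siteUrl, '/'));
    if ($target === false || $site === false || empty($target['query'])) {
        return false;
    }

    // Scheme, host and port must equal the configured site URL exactly;
    // a URL on another host is never "internal", whatever its path says.
    foreach (['scheme', 'host', 'port'] as $part) {
        $a = strtolower((string) ($target[$part] ?? ''));
        $b = strtolower((string) ($site[$part] ?? ''));
        if ($a !== $b) {
            return false;
        }
    }

    // The path must be index.php directly under the site path.
    $basePath = rtrim($site['path'] ?? '', '/');
    if (($target['path'] ?? '') !== $basePath . '/index.php') {
        return false;
    }

    // Parse the query string instead of matching it with a regex, and
    // require a scalar entryPoint parameter (entryPoint[]=x is rejected).
    parse_str($target['query'], $params);
    if (!isset($params['entryPoint']) || !is_string($params['entryPoint'])) {
        return false;
    }

    // Exact, case-sensitive allowlist membership; no prefix or substring match.
    return in_array($params['entryPoint'], $customEntryPoints, true);
}

// --- constructed sample data, not taken from any real installation ------
$entry_point_registry = [
    'hello' => ['file' => 'custom/hello.php', 'auth' => true],
];
$siteUrl = 'https://crm.example.test/suitecrm';

$allowed = getCustomEntrypoints($entry_point_registry);

// A registered custom entry point on this instance.
var_dump(isAllowedInternalEntryPoint(
    'https://crm.example.test/suitecrm/index.php?entryPoint=hello', $siteUrl, $allowed));

// An ordinary module page on this instance, not an entry point.
var_dump(isAllowedInternalEntryPoint(
    'https://crm.example.test/suitecrm/index.php?module=Home&action=index', $siteUrl, $allowed));

// The same entry point name on a different host.
var_dump(isAllowedInternalEntryPoint(
    'https://evil.example.test/suitecrm/index.php?entryPoint=hello', $siteUrl, $allowed));
```

The design choice worth keeping from this sketch is that the allowlist is consulted only after the scheme, host, port and path have been confirmed to be the instance itself; checking the entry point name first would let a foreign URL carrying `entryPoint=hello` slip through. If a regex is used instead, build it with `preg_quote()` on the base URL and anchor it, and treat a `false` return from `preg_match` (pattern error) separately from `0` (no match).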

pstevens71 commented 4 months ago

Ok, thanks! How do I make changes? Do I do another PR?

pgorod commented 4 months ago

Paul, if you simply edit the files in your own fork, in the same branch you're using for this PR, they will show up here.

pstevens71 commented 4 months ago

Thanks @pgorod for the tip! I think I got it.

serhiisamko091184 commented 4 months ago

Hello @pstevens71,

thanks for the changes you've made!

Regards, Serhii