Fix IDOR tokens generation

cedric-anne · btry · commit 3f36ae8a52ac · 2024-03-13T10:32:10.000+01:00
diff --git a/inc/form_validator.class.php b/inc/form_validator.class.php
@@ -192,7 +192,12 @@ public function showForForm(PluginFormcreatorForm $item, $options = []) {
          'valuesnames'     => array_values($selectedValidatorUsers),
          'condition'       => Dropdown::addNewCondition($usersCondition),
       ];
-      $params['_idor_token'] = Session::getNewIDORToken(User::getType());
+      $params['_idor_token'] = Session::getNewIDORToken(
+          User::getType(),
+          [
+              'condition' => $params['condition'],
+          ]
+      );
       echo Html::jsAjaxDropdown(
          '_validator_users[]',
          '_validator_users' . mt_rand(),
@@ -274,7 +279,12 @@ public function showForForm(PluginFormcreatorForm $item, $options = []) {
          'condition'       => Dropdown::addNewCondition($groupsCondition),
          'display_emptychoice' => false,
       ];
-      $params['_idor_token'] = Session::getNewIDORToken(Group::getType());
+      $params['_idor_token'] = Session::getNewIDORToken(
+          Group::getType(),
+          [
+              'condition' => $params['condition'],
+          ]
+      );
       echo Html::jsAjaxDropdown(
          '_validator_groups[]',
          '_validator_groups' . mt_rand(),
@@ -567,8 +577,13 @@ public static function dropdownValidatorUser(): string {
          'entity_restrict' => -1,
          'itemtype'        => User::getType(),
          'condition'       => Dropdown::addNewCondition($usersCondition),
-         '_idor_token'     => Session::getNewIDORToken(User::getType()),
       ];
+      $params['_idor_token'] = Session::getNewIDORToken(
+          User::getType(),
+          [
+              'condition' => $params['condition'],
+          ]
+      );
 
       return Html::jsAjaxDropdown(
          '_validator_users[]',
@@ -646,8 +661,13 @@ public static function dropdownValidatorGroup(): string {
          'itemtype'            => Group::getType(),
          'condition'           => Dropdown::addNewCondition($groupsCondition),
          'display_emptychoice' => false,
-         '_idor_token'         => Session::getNewIDORToken(Group::getType()),
       ];
+      $params['_idor_token'] = Session::getNewIDORToken(
+          Group::getType(),
+          [
+              'condition' => $params['condition'],
+          ]
+      );
 
       return Html::jsAjaxDropdown(
          '_validator_groups[]',
