[FIX] website_slides: do not allow fullscreen to bypass ACLs

Currently fullscreen takes all information from categorized slides to display its menu. In order to avoid calls to server some information is prepared in DOM to speedup loading. It means slide information is available even when not being member of a course which leads to some content leak. This commit fixes that by correctly checking that a slide can be accessed before allowing to have access to its information and embedded code. Access of a slide is either member of a course, either course publisher. Task 2058595 (eLearning v13 testing) Task 2064112 (fullscreen bug report)

[FIX] website_slides: do not allow fullscreen to bypass ACLs
3f4bd440 · Thibault Delavallée · 6d224059 · 3f4bd440 · 3f4bd440 · 3f4bd440
Commit 3f4bd440 authored 5 years ago by Thibault Delavallée
--- a/addons/website_slides/static/src/js/slides_course_fullscreen_player.js
+++ b/addons/website_slides/static/src/js/slides_course_fullscreen_player.js
@@ -257,10 +257,12 @@ odoo.define('website_slides.fullscreen', function (require) {
        _onClickTab: function (ev) {
            ev.stopPropagation();
            var $elem = $(ev.currentTarget);
-            var isQuiz = $elem.data('isQuiz');
-            var slideID = parseInt($elem.data('id'));
-            var slide = findSlide(this.slideEntries, {id: slideID, isQuiz: isQuiz});
-            this.set('slideEntry', slide);
+            if ($elem.data('canAccess') === 'True') {
+                var isQuiz = $elem.data('isQuiz');
+                var slideID = parseInt($elem.data('id'));
+                var slide = findSlide(this.slideEntries, {id: slideID, isQuiz: isQuiz});
+                this.set('slideEntry', slide);
+            }
        },
        /**
         * Actively changes the active tab in the sidebar so that it corresponds
@@ -710,7 +712,7 @@ odoo.define('website_slides.fullscreen', function (require) {
         * Creates slides objects from every slide-list-cells attributes
         */
        _getSlides: function (){
-            var $slides = this.$('.o_wslides_fs_sidebar_list_item');
+            var $slides = this.$('.o_wslides_fs_sidebar_list_item[data-can-access="True"]');
            var slideList = [];
            $slides.each(function () {
                var slideData = $(this).data();

--- a/addons/website_slides/views/website_slides_templates_lesson.xml
+++ b/addons/website_slides/views/website_slides_templates_lesson.xml
@@ -137,10 +137,13 @@
        </a>
        <ul class="collapse show p-0 m-0 list-unstyled" t-att-id="('collapse-%s') % (category.id if category else 0)" >
            <t t-foreach="category_slide_ids" t-as="aside_slide">
+                <t t-set="slide_completed" t-value="channel_progress[aside_slide.id].get('completed')"/>
+                <t t-set="is_member" t-value="aside_slide.channel_id.is_member"/>
+                <t t-set="can_access" t-value="aside_slide.is_preview or is_member or aside_slide.channel_id.can_publish"/>
                <li class="p-0 pb-1">
-                    <a t-att-href="'/slides/slide/%s' % (slug(aside_slide))"
-                        t-att-class="'o_wslides_lesson_aside_list_link d-flex align-items-top px-2 pt-1 text-decoration-none %s' % ('bg-100 py-1 active' if aside_slide == slide else '')">
-                        <div t-if="aside_slide.channel_id.is_member" >
+                    <a t-att-href="'/slides/slide/%s' % (slug(aside_slide)) if can_access else '#'"
+                        t-att-class="'o_wslides_lesson_aside_list_link d-flex align-items-top px-2 pt-1 text-decoration-none %s%s' % (('bg-100 py-1 active' if aside_slide == slide else ''), 'text-muted' if not can_access else '')">
+                        <div t-if="is_member" >
                            <i t-att-id="'o_wslides_lesson_aside_slide_check_%s' % (aside_slide.id)"
                                t-att-class="'mr-1 fa fa-fw %s' % ('text-success fa-check-circle' if channel_progress[aside_slide.id].get('completed') else 'text-600 fa-circle-o')">
                            </i>
@@ -160,15 +163,22 @@
                    <ul t-if="aside_slide.link_ids or aside_slide.question_ids" class="list-group px-2 mb-1 list-unstyled">
                        <t t-foreach="aside_slide.link_ids" t-as="resource">
                            <li class="pl-4">
-                                <a t-attf-href="#{resource.link}" target="new" class="text-decoration-none small">
+                                <a t-if="can_access" t-att-href="resource.link" target="new" class="text-decoration-none small">
                                    <i class="fa fa-link mr-1"/><span t-field="resource.name"/>
                                </a>
+                                <span t-else="" class="text-decoration-none text-muted small">
+                                    <i class="fa fa-link mr-1"/><span t-field="resource.name"/>
+                                </span>
                            </li>
                        </t>
                        <li class="pl-4">
-                            <a t-if="aside_slide.question_ids and aside_slide.slide_type != 'quiz'" t-att-href="'/slides/slide/%s#lessonQuiz' % (slug(aside_slide))" class="o_wslides_lesson_aside_list_link text-decoration-none small text-600">
+                            <a t-if="can_access and aside_slide.question_ids and aside_slide.slide_type != 'quiz'" t-att-href="'/slides/slide/%s#lessonQuiz' % (slug(aside_slide))" class="o_wslides_lesson_aside_list_link text-decoration-none small text-600">
                                <i class="fa fa-flag text-warning"/> Quiz
                            </a>
+                            <span t-elif="not can_access and aside_slide.question_ids and aside_slide.slide_type != 'quiz'"
+                                class="o_wslides_lesson_aside_list_link text-decoration-none small text-600 text-muted">
+                                <i class="fa fa-flag text-warning"/> Quiz
+                            </span>
                        </li>
                    </ul>
                </li>

--- a/addons/website_slides/views/website_slides_templates_lesson_fullscreen.xml
+++ b/addons/website_slides/views/website_slides_templates_lesson_fullscreen.xml
@@ -82,8 +82,10 @@
            <t t-foreach="slides" t-as="slide">
                <t t-set="slide_completed" t-value="channel_progress[slide.id].get('completed')"/>
                <t t-set="is_member" t-value="slide.channel_id.is_member"/>
+                <t t-set="can_access" t-value="slide.is_preview or is_member or slide.channel_id.can_publish"/>
                <li t-att-class="'o_wslides_fs_sidebar_list_item d-flex align-items-top py-1 %s' % ('active' if slide.id == current_slide.id else '')"
                    t-att-data-id="slide.id"
+                    t-att-data-can-access="can_access"
                    t-att-data-name="slide.name"
                    t-att-data-type="slide.slide_type"
                    t-att-data-slug="slug(slide)"
@@ -98,20 +100,30 @@
                        <i t-if="not slide_completed and is_member" class="fa fa-circle-thin fa-fw" t-att-data-slide-id="slide.id"/>
                    </span>
                    <div class="ml-2">
-                        <a class="d-block pt-1" href="#">
+                        <a t-if="can_access" class="d-block pt-1" href="#">
                            <div class="d-flex ">
                                <t t-call="website_slides.slide_icon"/>
                                <div class="o_wslides_fs_slide_name" t-esc="slide.name"/>
                            </div>
                        </a>
+                        <span t-else="" class="d-block pt-1" href="#">
+                            <div class="d-flex ">
+                                <t t-call="website_slides.slide_icon"/>
+                                <div class="o_wslides_fs_slide_name  text-muted" t-esc="slide.name"/>
+                            </div>
+                        </span>
                        <ul class="list-unstyled w-100 pt-2 small" t-if="slide.link_ids or (slide.question_ids and not slide.slide_type =='quiz')" >
                            <li t-if="slide.link_ids" t-foreach="slide.link_ids" t-as="link" class="pl-0 mb-1">
-                                <a class="o_wslides_fs_slide_link" t-att-href="link.link" target="_blank">
+                                <a t-if="can_access" class="o_wslides_fs_slide_link" t-att-href="link.link" target="_blank">
                                    <i class="fa fa-link mr-2"/><span t-esc="link.name"/>
                                </a>
+                                <span t-else="" class="o_wslides_fs_slide_link text-muted">
+                                    <i class="fa fa-link mr-2"/><span t-esc="link.name"/>
+                                </span>
                            </li>
                            <li class="o_wslides_fs_sidebar_list_item pl-0 mb-1" t-if="slide.question_ids and not slide.slide_type == 'quiz'"
                                t-att-data-id="slide.id"
+                                t-att-data-can-access="can_access"
                                t-att-data-name="slide.name"
                                t-att-data-type="slide.slide_type"
                                t-att-data-slug="slug(slide)"
@@ -119,9 +131,12 @@
                                t-att-data-is-quiz="1"
                                t-att-data-completed="1 if slide_completed else 0"
                                t-att-data-readonly="not is_member">
-                                <a class="o_wslides_fs_slide_quiz" href="#" t-att-index="i">
+                                <a t-if="can_access" class="o_wslides_fs_slide_quiz" href="#" t-att-index="i">
                                    <i class="fa fa-flag-checkered text-warning mr-2"/>Quiz
                                </a>
+                                <span t-else="" class="text-muted">
+                                    <i class="fa fa-flag-checkered text-warning mr-2"/>Quiz
+                                </span>
                            </li>
                        </ul>
                    </div>