Better handle permissions with bad data

Signed-off-by: snipe <snipe@snipe.net>
2025-04-30 13:43:05 +01:00 · 2025-04-30 13:43:05 +01:00 · 6c6b37000a
commit 6c6b37000a
parent b5c79624c6
2 changed files with 37 additions and 21 deletions
--- a/app/Models/Group.php
+++ b/app/Models/Group.php
@ -76,7 +76,7 @@ class Group extends SnipeModel
     *
     * @author A. Gianotto <snipe@snipe.net>
     * @since [v1.0]
-     * @return array
+     * @return array | \stdClass
     */
    public function decodePermissions()
    {
@ -84,20 +84,24 @@ class Group extends SnipeModel
        if (is_array($this->permissions)) {
            $this->permissions = json_encode($this->permissions);
        }
+
        $permissions = json_decode($this->permissions ?? '{}', JSON_OBJECT_AS_ARRAY);

-        // If there are no permissions, return an empty array
-        if (!$permissions) {
-            return [];
-        }
-
        // Otherwise, loop through the permissions and cast the values as integers
+        if ((is_array($permissions)) && ($permissions)) {
            foreach ($permissions as $permission => $value) {
+
+                if (!is_integer($permission)) {
                    $permissions[$permission] = (int) $value;
+                } else {
+                    \Log::info('Weird data here - skipping it');
+                    unset($permissions[$permission]);
                }
+            }
+            return $permissions ?: new \stdClass;
+        }
+        return new \stdClass;

-
-        return $permissions;
    }

    /**
--- a/app/Models/User.php
+++ b/app/Models/User.php
@ -746,24 +746,36 @@ class User extends SnipeModel implements AuthenticatableContract, AuthorizableCo
    }


-
+    /**
+     * Decode JSON permissions into array
+     *
+     * @author A. Gianotto <snipe@snipe.net>
+     * @since [v1.0]
+     * @return array | \stdClass
+     */
    public function decodePermissions()
    {
        // Set default to empty JSON if the value is null
+        if (is_array($this->permissions)) {
+            $this->permissions = json_encode($this->permissions);
+        }
+
        $permissions = json_decode($this->permissions ?? '{}', JSON_OBJECT_AS_ARRAY);

-        // If there are no permissions, return an empty array
-        if (!$permissions) {
-            return [];
-        }
-
        // Otherwise, loop through the permissions and cast the values as integers
+        if ((is_array($permissions)) && ($permissions)) {
            foreach ($permissions as $permission => $value) {
+
+                if (!is_integer($permission)) {
                    $permissions[$permission] = (int) $value;
+                } else {
+                    \Log::info('Weird data here - skipping it');
+                    unset($permissions[$permission]);
                }
-
-
-        return $permissions;
+            }
+            return $permissions ?: new \stdClass;
+        }
+        return new \stdClass;
    }

    /**