Deny access for files from template of hidden content

docs/CHANGELOG.md

@@ -1,6 +1,10 @@
 Changelog
 =========
 
+1.10.0 (Unreleased)
+-------------------------
+- Enh #308: Deny access for files from template of hidden content
+
 1.9.5 (November 16, 2023)
 -------------------------
 - Enh #303: Fix visibility of the method `Controller::getAccessRules()`

module.json

@@ -3,9 +3,9 @@
     "name": "Custom Pages",
     "description": "Create custom pages and widgets and share them with your users. Take advantage of a wide range of editing options, including HTML and Markdown.",
     "keywords": ["pages", "custom", "iframe", "markdown", "link", "navigation", "spaces"],
-    "version": "1.9.5",
+    "version": "1.10.0",
     "homepage": "https://github.com/humhub/custom-pages",
     "humhub": {
-        "minVersion": "1.14"
+        "minVersion": "1.16"
     }
 }

modules/template/models/TemplateContentActiveRecord.php

@@ -2,13 +2,19 @@
 
 namespace humhub\modules\custom_pages\modules\template\models;
 
-use Yii;
 use humhub\components\ActiveRecord;
+use humhub\interfaces\ViewableInterface;
+use humhub\modules\content\components\ContentActiveRecord;
+use humhub\modules\custom_pages\models\CustomContentContainer;
+use Yii;
+use yii\db\ActiveQuery;
 
 /**
  * This is the base class for all TemplateContent types.
+ *
+ * @property-read OwnerContent $ownerContent
  */
-abstract class TemplateContentActiveRecord extends ActiveRecord
+abstract class TemplateContentActiveRecord extends ActiveRecord implements ViewableInterface
 {
 
     const SCENARIO_CREATE = 'create';
@@ -325,4 +331,43 @@ public function isEmpty(): bool
         return false;
     }
 
+    public function getOwnerContent(): ActiveQuery
+    {
+        return $this->hasOne(OwnerContent::class, ['content_id' => 'id'])
+            ->andWhere([OwnerContent::tableName() . '.content_type' => get_class($this)]);
+    }
+
+    public function getCustomContentContainer(): ?CustomContentContainer
+    {
+        $ownerContent = $this->ownerContent;
+        if (!$ownerContent instanceof OwnerContent) {
+            return null;
+        }
+
+        $ownerModel = $ownerContent->getOwner();
+        if (!$ownerModel instanceof TemplateInstance) {
+            return null;
+        }
+
+        return $ownerModel->getObject();
+    }
+
+    /**
+     * @inheritdoc
+     */
+    public function canView($user = null): bool
+    {
+        $customContentContainer = $this->getCustomContentContainer();
+
+        if ($customContentContainer instanceof ContentActiveRecord) {
+            return $customContentContainer->content->canView($user);
+        }
+
+        if ($customContentContainer instanceof ViewableInterface) {
+            return $customContentContainer->canView($user);
+        }
+
+        return false;
+    }
+
 }

modules/template/models/TemplateInstance.php

@@ -4,6 +4,7 @@
 
 use humhub\components\ActiveRecord;
 use humhub\modules\content\models\Content;
+use humhub\modules\custom_pages\models\CustomContentContainer;
 use yii\db\ActiveQuery;
 
 /**
@@ -98,6 +99,15 @@ public function getTemplate()
         return $this->hasOne(Template::class, ['id' => 'template_id']);
     }
 
+    public function getObject(): ?CustomContentContainer
+    {
+        if (empty($this->object_model) || empty($this->object_id)) {
+            return null;
+        }
+
+        return call_user_func($this->object_model . '::findOne', ['id' => $this->object_id]);
+    }
+
     public function getTemplateId()
     {
         return $this->template_id;