fix: [security] Make cluster's elements adhere to ACL

app/Controller/GalaxyElementsController.php

@@ -14,9 +14,11 @@ class GalaxyElementsController extends AppController
             )
     );
 
-    public function index($id)
+    public function index($clusterId)
     {
-        $this->paginate['conditions'] = array('GalaxyElement.galaxy_cluster_id' => $id);
+        $aclConditions = $this->GalaxyElement->buildClusterConditions($this->Auth->user(), $clusterId);
+        $this->paginate['conditions'] = [$aclConditions];
+        $this->paginate['contain'] = ['GalaxyCluster' => ['fields' => ['id', 'distribution', 'org_id']]];
         $clusters = $this->paginate();
         $this->set('list', $clusters);
         if ($this->request->is('ajax')) {

app/Model/GalaxyElement.php

@@ -95,4 +95,37 @@ class GalaxyElement extends AppModel
         }
         $this->saveMany($tempElements);
     }
+
+    public function buildACLConditions($user)
+    {
+        $conditions = [];
+        if (!$user['Role']['perm_site_admin']) {
+            $conditions = $this->GalaxyCluster->buildConditions($user);
+        }
+        return $conditions;
+    }
+
+    public function buildClusterConditions($user, $clusterId)
+    {
+        return [
+            $this->buildACLConditions($user),
+            'GalaxyCluster.id' => $clusterId
+        ];
+    }
+
+    public function fetchElements(array $user, $clusterId)
+    {
+        $params = array(
+            'conditions' => $this->buildClusterConditions($user, $clusterId),
+            'contain' => ['GalaxyCluster' => ['fields' => ['id', 'distribution', 'org_id']]],
+            'recursive' => -1
+        );
+        $elements = $this->find('all', $params);
+        foreach ($elements as $i => $element) {
+            $elements[$i] = $elements[$i]['GalaxyElement'];
+            unset($elements[$i]['GalaxyCluster']);
+            unset($elements[$i]['GalaxyElement']);
+        }
+        return $elements;
+    }
 }