From f26beef62f85db117eb790ac14714fe364319003 Mon Sep 17 00:00:00 2001
From: Uladzimir Tsykun <tsykun314@gmail.com>
Date: Wed, 27 Dec 2023 18:46:54 +0100
Subject: [PATCH] Check ACL for all version with the same reference

---
 src/Controller/ZipballController.php | 7 +++++--
 src/Entity/Package.php               | 9 +++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/Controller/ZipballController.php b/src/Controller/ZipballController.php
index 8c0b8338..dae50d0d 100644
--- a/src/Controller/ZipballController.php
+++ b/src/Controller/ZipballController.php
@@ -87,8 +87,11 @@ public function zipballAction(#[Vars('name')] Package $package, string $hash): R
             return $this->createNotFound();
         }
 
-        $version = $package->getVersionByReference($reference);
-        if (!$this->isGranted('ROLE_FULL_CUSTOMER', $version) && !$this->isGranted('VIEW_ALL_VERSION', $package)) {
+        $isGranted = $this->isGranted('VIEW_ALL_VERSION', $package);
+        foreach ($package->getAllVersionsByReference($reference) as $version) {
+            $isGranted |= $this->isGranted('ROLE_FULL_CUSTOMER', $version);
+        }
+        if (!$isGranted) {
             return $this->createNotFound();
         }
 
diff --git a/src/Entity/Package.php b/src/Entity/Package.php
index 751d99f4..31e13b95 100644
--- a/src/Entity/Package.php
+++ b/src/Entity/Package.php
@@ -536,6 +536,15 @@ public function getVersionByReference(string $reference): ?Version
         return $this->versions->findFirst(fn($k, $v) => $v->getReference() === $reference);
     }
 
+    /**
+     * @param string $reference
+     * @return Version[]
+     */
+    public function getAllVersionsByReference(string $reference): array
+    {
+        return $this->versions->filter(fn(Version $v, $k) => $v->getReference() === $reference)->toArray();
+    }
+
     public function getVersion($normalizedVersion)
     {
         if (null === $this->cachedVersions) {