[Noalyss-commit] [noalyss] 04/06: Task #1215 - Administrateur globaux p


From: Dany De Bontridder
Subject: [Noalyss-commit] [noalyss] 04/06: Task #1215 - Administrateur globaux phpcompta n'a pas accès à tous les profiles #1215 : security , filter the profiles ,
Date: Fri, 06 Nov 2015 18:06:37 +0000

sparkyx pushed a commit to branch master
in repository noalyss.

commit 4b00276e82db554c627a87eb91d2943ad846db8f
Author: Dany De Bontridder <address@hidden>
Date:   Fri Nov 6 18:44:29 2015 +0100

    Task #1215 - Administrateur globaux phpcompta n'a pas accès à tous les 
profiles
    #1215 : security , filter the profiles ,
---
 include/class/class_follow_up.php         |    7 ++++-
 include/class/class_user.php              |   38 +++++++++++++++++++++++++++++
 include/template/action_display_short.php |    4 +--
 3 files changed, 44 insertions(+), 5 deletions(-)

diff --git a/include/class/class_follow_up.php 
b/include/class/class_follow_up.php
index 92b9c48..68f8c76 100644
--- a/include/class/class_follow_up.php
+++ b/include/class/class_follow_up.php
@@ -290,7 +290,7 @@ class Follow_Up
         // select profile
         $aAg_dest=$this->db->make_array("select  p_id as value, ".
                 "p_name as label ".
-                " from profile  where p_id in (select p_granted from 
user_sec_action_profile where ua_right='W' and p_id=".$g_user->get_profile().") 
order by 2");
+                " from profile  where p_id in 
".$g_user->get_writable_profile()."order by 2");
 
         $ag_dest->value=$aAg_dest;
         $ag_dest->selected=$this->ag_dest;
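Review bot: The new concatenation appends `"order by 2"` with no leading space, so the statement is only valid because the fragment returned by `get_writable_profile()` happens to end with a space; in the admin branch that fragment is `(select p_id from profile)` with no padding, producing `...profile)order by 2`. PostgreSQL tokenizes `)order` correctly, but the caller should not depend on the callee's whitespace: write `." order by 2"` here. The enclosing method starts before this hunk.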
@@ -1172,6 +1172,7 @@ class Follow_Up
      */
     static function display_search($cn, $inner=false)
     {
+        global $g_user;
         $a=(isset($_GET['action_query']))?$_GET['action_query']:"";
         $qcode=(isset($_GET['qcode']))?$_GET['qcode']:"";
 
@@ -1246,7 +1247,9 @@ class Follow_Up
         // select profile
         $aAg_dest=$cn->make_array("select  p_id as value, ".
                 "p_name as label ".
-                " from profile order by 2");
+                " from profile where p_id in ".
+                $g_user->get_readable_profile().
+                "order by 2");
         $aAg_dest[]=array('value'=>'-2', 'label'=>_('Tous les profiles'));
         $ag_dest=new ISelect();
         $ag_dest->name="ag_dest_query";
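Review bot: Filtering the options of the `ag_dest_query` select is a UI restriction, not an authorization check: the chosen value comes back through `$_GET` (this function already reads `action_query` and `qcode` from it), so a user can submit any `p_id`, and the `-2` "all profiles" entry is still appended unconditionally. The search query that consumes `ag_dest_query` is outside this hunk; unless it already constrains `ag_dest` with the same subselect, it should, e.g. `" and ag_dest in ".$g_user->get_readable_profile()`, otherwise the profile filter this commit adds can be bypassed by editing the URL. The enclosing function continues outside the hunk.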
diff --git a/include/class/class_user.php b/include/class/class_user.php
index aaf412d..124628d 100644
--- a/include/class/class_user.php
+++ b/include/class/class_user.php
@@ -1103,6 +1103,44 @@ class User
                return $profile;
        }
         /**
+        * Compute the SQL string for the writable profile, 
+         * the subselect for p_id , example
+        * p_id in $g_user->get_writable_profile.
+        * The administrator can access all the profiles
+        * @return SQL string with the subselect for p_id 
+        */
+       function get_writable_profile() 
+       {
+           if ( $this->admin != 1)
+           {
+               $sql = " (select p_granted "
+                   . "     from user_sec_action_profile "
+                   . "     where ua_right='W' and 
p_id=".$this->get_profile().") ";
+           } else {
+               $sql = "(select p_id from profile)";
+           }
+           return $sql;
+       }
+        /**
+        * Compute the SQL string for the readable profile, 
+         * the subselect for p_id , example
+        * p_id in $g_user->get_readable_profile.
+        * The administrator can read all the profiles
+        * @return SQL string with the subselect for p_id 
+        */
+       function get_readable_profile() 
+       {
+           if ( $this->admin != 1)
+           {
+               $sql = " (select p_granted "
+                   . "     from user_sec_action_profile "
+                   . "     where ua_right in ('W','R') and 
p_id=".$this->get_profile().") ";
+           } else {
+               $sql = "(select p_id from profile)";
+           }
+           return $sql;
+       }
+        /**
          * Check if the current user can add an action in the profile given
          * in parameter
          * @param type $p_profile profile.p_id = action_gestion.ag_dest
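Review bot: Both new methods interpolate `$this->get_profile()` straight into the `p_id=` clause of the fragment they return, and that fragment is then concatenated into queries by three callers, so the safety of every consumer rests on `get_profile()` yielding a bare integer; where that value originates is not visible in this hunk. Casting it, `p_id=".(int) $this->get_profile().") "`, makes the fragment fail closed (a non-numeric value becomes 0 and matches nothing) at no cost. The two methods also differ only in the `ua_right` set, and the admin branch returns `(select p_id from profile)` without the surrounding spaces the non-admin branch has, which callers that append `"order by 2"` directly rely on; a shared helper removes both issues.
```php
        /**
         * Build the "p_id in (...)" subselect for the given rights;
         * a global administrator (admin == 1) sees every profile.
         * @param array $p_rights ua_right values to accept, e.g. array('W') or array('W','R')
         * @return string SQL subselect, padded with a space on both sides
         */
        private function profile_subselect($p_rights)
        {
            if ($this->admin == 1) {
                return " (select p_id from profile) ";
            }
            $rights = "'".implode("','", $p_rights)."'";
            return " (select p_granted from user_sec_action_profile "
                 . " where ua_right in (".$rights.") and p_id=".(int) $this->get_profile().") ";
        }

        function get_writable_profile()
        {
            return $this->profile_subselect(array('W'));
        }

        function get_readable_profile()
        {
            return $this->profile_subselect(array('W', 'R'));
        }
```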
diff --git a/include/template/action_display_short.php 
b/include/template/action_display_short.php
index 080f8f7..f9dc76b 100644
--- a/include/template/action_display_short.php
+++ b/include/template/action_display_short.php
@@ -48,9 +48,7 @@ $profile->value=$cn->make_array("select  p_id as value, ".
                 " from profile  "
         . "where "
         . "p_id in "
-        . " (select p_granted "
-        . "     from user_sec_action_profile "
-        . "     where ua_right='W' and p_id=".$g_user->get_profile().") "
+        . $g_user->get_writable_profile()
         . "order by 2");
 
 // priority


