
[Noalyss-commit] [noalyss] 45/323: Task #0001519: Assouplissement de la


From: Dany De Bontridder
Subject: [Noalyss-commit] [noalyss] 45/323: Task #0001519: Assouplissement de la sécurité : journaux et actions
Date: Wed, 14 Mar 2018 17:38:15 -0400 (EDT)

sparkyx pushed a commit to branch master
in repository noalyss.

commit 2e4bbf1eb007b36de0c7bca5c16db71fdbd30fcb
Author: Dany De Bontridder <address@hidden>
Date:   Wed Jan 10 15:36:02 2018 +0100

    Task #0001519: Assouplissement de la sécurité : journaux et actions
---
 html/ajax_misc.php                        |  4 ++
 include/action.common.inc.php             | 18 +++++---
 include/ajax/ajax_card.php                |  2 +-
 include/ajax/ajax_user_security.php       | 52 ++++++++++++++++++++++
 include/class/acc_ledger_search.class.php |  9 ++--
 include/class/document.class.php          |  2 +-
 include/class/user.class.php              | 74 ++++++++++++++++++++++++++++---
 include/history_operation.inc.php         |  1 -
 include/param_sec.inc.php                 | 65 ++++++++++++++++++++++++---
 include/template/security_list_action.php |  6 ++-
 sql/upgrade.sql                           | 17 +++++++
 11 files changed, 222 insertions(+), 28 deletions(-)

diff --git a/html/ajax_misc.php b/html/ajax_misc.php
index bf4883a..d2c7e2f 100644
--- a/html/ajax_misc.php
+++ b/html/ajax_misc.php
@@ -115,6 +115,10 @@ $path = array(
     "ledger_access"=>"ajax_user_security",
     // Manage user profile
     "profile"=>"ajax_user_security",
+    // enable or not the security on ledger
+    "user_sec_ledger"=>"ajax_user_security",
+    // enable or not the security on action
+    "user_sec_action"=>"ajax_user_security",
     // Update in once all the ledgers
     "ledger_access_all"=>"ajax_user_security",
     // From the page CFGSEC,set the actions
diff --git a/include/action.common.inc.php b/include/action.common.inc.php
index 43041e3..0d9d803 100644
--- a/include/action.common.inc.php
+++ b/include/action.common.inc.php
@@ -40,6 +40,7 @@ if (isset($_REQUEST['sb']))
 $supl_hidden.=HtmlInput::hidden('ac', $_REQUEST['ac']);
 $correction = 0;
 $error_id=0;
+$http=new HttpInput();
 
/*-----------------------------------------------------------------------------*/
 /* For other action
 
/*-----------------------------------------------------------------------------*/
@@ -123,7 +124,7 @@ if ($sub_action == "update")
        {
                $act2 = new Follow_Up($cn);
                $act2->fromArray($_POST);
-               if ($g_user->can_write_action($act2->ag_id) == false )
+               if ($g_user->can_write_action($act2->ag_id) == FALSE )
                {
                        echo '<div class="redcontent">';
                        echo '<h2 class="error">'._('Cette action ne vous est 
pas autorisée Contactez votre responsable').'</h2>';
@@ -154,15 +155,22 @@ if ($sub_action == "update")
        // Add a related action
        //----------------------------------------------------------------------
        if (isset($_POST['add_action_here']))
-       {
-               $act = new Follow_Up($cn);
-
+       {   
+                $ag_id=$http->post('ag_id',"number");
+               $act = new Follow_Up($cn,$ag_id);
+                if ($g_user->can_write_action($act->ag_id) == FALSE )
+               {
+                       echo '<div class="redcontent">';
+                       echo '<h2 class="error">'._('Cette action ne vous est 
pas autorisée Contactez votre responsable').'</h2>';
+                       echo '</div>';
+                       return;
+               }
 
                //----------------------------------------
                // puis comme ajout normal (copier / coller )
                $act->ag_id = 0;
                $act->d_id = 0;
-               $act->action = $_POST['ag_id'];
+               $act->action = $http->post('ag_id',"number");
                 $act->ag_timestamp=date('d.m.Y');
                 $act->ag_hour="";
                 $act->ag_title="";
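Review bot: `$http->post('ag_id',"number")` is fetched twice in this hunk, once into `$ag_id` right after the `isset($_POST['add_action_here'])` test and again when assigning `$act->action`; the second read should reuse the already-validated value, `$act->action = $ag_id;`. The authorization test uses `$act->ag_id` rather than the validated input, so it only protects the copy if the `Follow_Up` constructor fills `ag_id` from its second argument — if it does not, `can_write_action` runs on an empty id; `if ($g_user->can_write_action($ag_id) == FALSE )` removes that dependency. The new lines also mix spaces and tabs inside a tab-indented block. The enclosing `if ($sub_action == "update")` block starts and ends outside the hunk.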
diff --git a/include/ajax/ajax_card.php b/include/ajax/ajax_card.php
index 696368d..10e4bf7 100644
--- a/include/ajax/ajax_card.php
+++ b/include/ajax/ajax_card.php
@@ -180,7 +180,7 @@ case 'dc':
     /* Blank card */
     /* ------------------------------------------------------------ */
 case 'bc':
-    if ( $g_user->check_action(FICADD)==1 )
+    if ( $g_user->check_action(FICADD)==1 || $g_user->check_action(FIC)==1)
     {
         $r=HtmlInput::title_box(_("Nouvelle fiche"), $ctl);
        /* get cat. name */
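Review bot: The added `|| $g_user->check_action(FIC)==1` lets any user holding FIC create a blank card, not only those with FICADD; that is a deliberate loosening but nothing in the hunk says so, and the commit message only mentions ledgers and actions. A one-line comment above the condition, `// card access (FIC) is enough to create a blank card (task #0001519)`, would keep the next reader from reverting it as an oversight.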
diff --git a/include/ajax/ajax_user_security.php 
b/include/ajax/ajax_user_security.php
index 60cce2f..d1517c8 100644
--- a/include/ajax/ajax_user_security.php
+++ b/include/ajax/ajax_user_security.php
@@ -34,6 +34,10 @@ require_once NOALYSS_INCLUDE.'/lib/inplace_switch.class.php';
  * @brief Manage the security of a ledger , from CFGSEC module
  * 
  */
+ global $g_user;
+if ( $g_user->check_module("CFGSEC") == 0)        
+        throw new Exception(_("Non autorisé"));
+    
 $n_dossier_id=Dossier::id();
 //-----------------------------------------------------------------------------
 // Manage the user's access to ledgers
@@ -218,4 +222,52 @@ if ($op=="action_access_all")
                 array($sec_User->login));
     }
     
+}
+//----------------------------------------------------------------------------
+// Enable or disable security on ledger
+//----------------------------------------------------------------------------
+if ($op=="user_sec_ledger")
+{
+    $user_id=$http->get("user_id", "number");
+    $value=$http->get("value", "number");
+    $sec_user=new User($cn, $user_id);
+    $status_sec_ledger=$sec_user->get_status_security_ledger();
+    $sec_ledger=new Inplace_Switch("sec_ledger", $status_sec_ledger);
+    $sec_ledger->set_callback("ajax_misc.php");
+    $sec_ledger->add_json_param("gDossier", $n_dossier_id);
+    $sec_ledger->add_json_param("user_id", $user_id);
+    $sec_ledger->add_json_param("op", "user_sec_ledger");
+    if ($sec_user->get_status_security_ledger()==1)
+    {
+        $sec_user->set_status_security_ledger(0);
+        echo $sec_ledger->get_iconoff();
+    }else {
+        $sec_user->set_status_security_ledger(1);
+        echo $sec_ledger->get_iconon();
+        
+    }
+}
+//----------------------------------------------------------------------------
+// Enable or disable security on action
+//----------------------------------------------------------------------------
+if ($op=="user_sec_action")
+{
+    $user_id=$http->get("user_id", "number");
+    $value=$http->get("value", "number");
+    $sec_user=new User($cn, $user_id);
+    $status_sec_action=$sec_user->get_status_security_action();
+    $sec_action=new Inplace_Switch("sec_action", $status_sec_action);
+    $sec_action->set_callback("ajax_misc.php");
+    $sec_action->add_json_param("gDossier", $n_dossier_id);
+    $sec_action->add_json_param("user_id", $user_id);
+    $sec_action->add_json_param("op", "user_sec_action");
+    if ($sec_user->get_status_security_action()==1)
+    {
+        $sec_user->set_status_security_action(0);
+        echo $sec_action->get_iconoff();
+    }else {
+        $sec_user->set_status_security_action(1);
+        echo $sec_action->get_iconon();
+        
+    }
 }
\ No newline at end of file
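Review bot: `$value=$http->get("value", "number");` is read in both new handlers but never used: the code ignores the requested value and flips whatever the current state is, so a repeated or replayed request toggles the flag back. Either drop the two reads or make the handlers honour the request, `$new=($value==1)?1:0; $sec_user->set_status_security_ledger($new);` and choose the icon from `$new`, and likewise for the action handler. The second `get_status_security_ledger()` / `get_status_security_action()` call inside each `if` repeats the query whose result is already held in `$status_sec_ledger` / `$status_sec_action`; compare against the local variable instead. The two blocks differ only in names and would collapse into one helper taking the op name and the getter/setter.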
diff --git a/include/class/acc_ledger_search.class.php 
b/include/class/acc_ledger_search.class.php
index 69bff39..ff1654e 100644
--- a/include/class/acc_ledger_search.class.php
+++ b/include/class/acc_ledger_search.class.php
@@ -531,13 +531,10 @@ class Acc_Ledger_Search
             $fil_paid=$and.SQL_LIST_UNPAID_INVOICE;
             $and=" and ";
         }
-        $repo=new Database();
-        $g_user=new User($repo);
-        $g_user->Check();
-        $g_user->check_dossier(dossier::id());
-
-        if ($g_user->admin==0&&$g_user->is_local_admin()==0)
+        global $g_user;
+        if ($g_user->admin==0&&$g_user->is_local_admin()==0 && 
$g_user->get_status_security_ledger()==1 )
         {
+            
             $fil_sec=$and." jr_def_id in ( select uj_jrn_id ".
                     " from user_sec_jrn where ".
                     " uj_login='".sql_string($_SESSION['g_user'])."'".
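Review bot: The new `global $g_user;` makes this filter depend on the caller having already built and authenticated `$g_user`; the removed lines did that locally (`new User($repo)`, `Check()`, `check_dossier()`). If the method is reached from a context where `$g_user` is unset, `$g_user->is_local_admin()` fails with a fatal error rather than silently skipping the filter, which is fail-closed but deserves a comment: `// relies on the entry script having created and checked $g_user`. The enclosing method of Acc_Ledger_Search starts and ends outside the hunk.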
diff --git a/include/class/document.class.php b/include/class/document.class.php
index 8a81ff2..22cdb9d 100644
--- a/include/class/document.class.php
+++ b/include/class/document.class.php
@@ -478,7 +478,7 @@ class Document
             $doc->d_number=$res[$i]['d_number'];
             $doc->d_filename=$res[$i]['d_filename'];
             $doc->d_mimetype=$res[$i]['d_mimetype'];
-            $doc->d_description=$row['d_description'];
+            $doc->d_description=$res[$i]['d_description'];
             $a[$i]=clone $doc;
         }
         return $a;
diff --git a/include/class/user.class.php b/include/class/user.class.php
index e48541d..79329e3 100644
--- a/include/class/user.class.php
+++ b/include/class/user.class.php
@@ -280,7 +280,8 @@ class User
        function get_ledger_access($p_ledger)
        {
                if ($this->admin == 1 ||
-                               $this->is_local_admin(dossier::id()) == 1)
+                               $this->is_local_admin(dossier::id()) == 1
+                        || $this->get_status_security_ledger()==0)
                        return 'W';
 
                $sql = "select uj_priv from user_sec_jrn where uj_login=$1 and 
uj_jrn_id=$2";
@@ -310,7 +311,7 @@ class User
 
        function get_ledger($p_type = 'ALL', $p_access = 3)
        {
-               if ($this->admin != 1 && $this->is_local_admin() != 1)
+               if ($this->admin != 1 && $this->is_local_admin() != 1 && 
$this->get_status_security_ledger() == 1)
                {
                        $sql_type = ($p_type == 'ALL') ? '' : "and 
jrn_def_type=upper('" . sql_string($p_type) . "')";
                        switch ($p_access)
@@ -578,7 +579,8 @@ class User
                        return 1;
                if ($this->is_local_admin(dossier::id()) == 1)
                        return 1;
-
+                if ( $this->get_status_security_action() == 0)
+                    return 1;
                $Res = $this->db->exec_sql(
                                "select * from user_sec_act where ua_login=$1 
and ua_act_id=$2", array($this->login, $p_action_id));
                $Count = Database::num_row($Res);
@@ -1164,12 +1166,13 @@ class User
          */
        function can_write_action($dtoc)
        {
-            if ( $this->Admin() == 1 ) return true;
-               $profile = $this->get_profile();
+            if ( $this->Admin() == 1 ) return TRUE;
+            if ( $this->get_status_security_action()==0)                return 
TRUE;
+            $profile = $this->get_profile();
                     $r = $this->db->get_value(" select count(*) from 
action_gestion where ag_id=$1 and ag_dest in
                                (select p_granted from user_sec_action_profile 
where ua_right='W' and p_id=$2) ", array($dtoc, $profile));
                if ($r == 0)
-                       return false;
+                       return FALSE;
                return true;
        }
 
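Review bot: The hunk rewrites `true`/`false` as `TRUE`/`FALSE` on the lines it touches but leaves the final `return true;` lowercase, so `can_write_action` now mixes both spellings; PSR-12 asks for lowercase `true`/`false`, so the touched lines would better have stayed as they were than the last one left inconsistent. The added `if ( $this->get_status_security_action()==0) return TRUE;` is also wrapped onto two lines with trailing blanks while the neighbouring statements keep one statement per line.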
@@ -1328,9 +1331,68 @@ class User
                 $cnx_dossier->exec_sql("delete from profile_user where 
user_name=$1",array($a_user[$i]['user_name']));
                 $cnx_dossier->exec_sql("delete from user_sec_act where 
ua_login=$1",array($a_user[$i]['user_name']));
                 $cnx_dossier->exec_sql("delete from user_sec_jrn where 
uj_login=$1",array($a_user[$i]['user_name']));
+                $cnx_dossier->exec_sql("delete from user_active_security where 
us_login=$1",array($a_user[$i]['user_name']));
             }
         }
     }
+    /**
+     * Check the security on ledger for the user , it returns 1 if the 
security 
+     * on ledgers is enabled, otherwise 0 
+     */
+    function get_status_security_ledger()
+    {
+        $security=$this->db->get_value("select us_ledger from 
user_active_security 
+                where 
+                us_login=$1",[$this->login]);
+        $n_security =($security=="Y")?1:0;
+        return $n_security;
+    }
+    /**
+     * Set the flag in the table user_active_security
+     * @param int $p_value 1==enable  , 0 = disable
+     * @exceptions invalid value
+     */
+    function set_status_security_ledger($p_value)
+    {
+        if ($p_value != 0 && $p_value != 1) throw new Exception (_("Valeur 
invalide"));
+        $exist=$this->db->get_value("select count(*) from user_active_security 
where us_login=$1",
+                [$this->login]);
+        $flag=($p_value==1)?"Y":"N";
+        if ( $exist == 0) {
+            $this->db->exec_sql("insert into user_active_security 
(us_login,us_ledger,us_action) values ($1,$2,$3",[$this->login,$flag,'Y']);
+        } else {
+            $this->db->exec_sql("update user_active_security set us_ledger=$1 
where us_login = $2",[$flag,$this->login]);
+        }
+    }
+    /**
+     * Check the security on ledger for the user , it returns 1 if the 
security 
+     * on ledgers is enabled, otherwise 0 
+     */
+    function get_status_security_action()
+    {
+        $security=$this->db->get_value("select us_action from 
user_active_security 
+                where 
+                us_login=$1",[$this->login]);
+        $n_security =($security=="Y")?1:0;
+        return $n_security;
+    }
+    /**
+     * Set the flag in the table user_active_security
+     * @param int $p_value 1==enable  , 0 = disable
+     * @exceptions invalid value
+     */
+    function set_status_security_action($p_value)
+    {
+        if ($p_value != 0 && $p_value != 1) throw new Exception (_("Valeur 
invalide"));
+        $exist=$this->db->get_value("select count(*) from user_active_security 
where us_login=$1",
+                [$this->login]);
+        $flag=($p_value==1)?"Y":"N";
+        if ( $exist == 0) {
+            $this->db->exec_sql("insert into user_active_security 
(us_login,us_action,us_ledger) values ($1,$2,$3",[$this->login,$flag,'Y']);
+        } else {
+            $this->db->exec_sql("update user_active_security set us_action=$1 
where us_login = $2",[$flag,$this->login]);
+        }
+    }
 }
 
 ?>
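Review bot: Both `get_status_security_ledger()` and `get_status_security_action()` fail open: `($security=="Y")?1:0` yields 0 (security disabled) when the user has no row in `user_active_security`, and the upgrade script only seeds rows for logins already in `profile_user`, so a user created after the upgrade gets unrestricted ledger and action access until someone toggles the switch. The safe default is "enabled", `$n_security=($security=="N")?0:1;` in both getters, which also matches the `'Y'` the setters insert for the untouched column. The `insert into user_active_security` statements in `set_status_security_ledger` and `set_status_security_action` are missing the closing parenthesis of the `values` list, `values ($1,$2,$3)"`, so the first write for a user without a row fails with a SQL syntax error. The docblock of `get_status_security_action` was copied from the ledger getter and still says "security on ledgers", and `@exceptions` is not a PHPDoc tag; `@throws Exception when $p_value is neither 0 nor 1` is the conventional form.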
diff --git a/include/history_operation.inc.php 
b/include/history_operation.inc.php
index cdba89b..72ae7c0 100644
--- a/include/history_operation.inc.php
+++ b/include/history_operation.inc.php
@@ -99,7 +99,6 @@ else
 }
 /*  compute the sql stmt */
 list($sql, $where) = $Ledger->build_search_sql($p_array);
-
 $max_line = $cn->count_sql($sql);
 
 $step = $_SESSION['g_pagesize'];
diff --git a/include/param_sec.inc.php b/include/param_sec.inc.php
index 42ad171..b41b73c 100644
--- a/include/param_sec.inc.php
+++ b/include/param_sec.inc.php
@@ -84,6 +84,8 @@ if ( ! isset($_REQUEST['action']))
        echo '<th>'.$header->get_header(1).'</th>';
        echo th(_('prénom'));
        echo th(_('profil'));
+       echo th(_('Séc. Journaux actif'));
+       echo th(_('Séc. Action actif'));
        echo '<th>'.$header->get_header(2).'</th>';
     for ($i = 0;$i < $MaxUser;$i++)
     {
@@ -107,8 +109,12 @@ if ( ! isset($_REQUEST['action']))
                echo td($l_line['use_name']);
                echo td($l_line['use_first_name']);
                echo td($profile);
+                // status of security on ledger and action 
+                $a_sec=$cn->get_row("select us_ledger,us_action from 
user_active_security where us_login =$1",
+                        [$l_line['use_login']]);
+                echo td($a_sec['us_ledger']);
+                echo td($a_sec['us_action']);
                echo td($str);
-
                echo "</TR>";
     }
     echo '</TABLE>';
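Review bot: `$a_sec['us_ledger']` and `$a_sec['us_action']` are read without checking that `get_row` returned a row; a login with no entry in `user_active_security` (any user created after the upgrade, which only seeds from `profile_user`) leaves `$a_sec` empty and raises undefined-index notices in the listing. Guard the reads, `echo td(isset($a_sec['us_ledger']) ? $a_sec['us_ledger'] : '');`, or better, display the effective status the `User` getters compute so the list shows what the access checks actually enforce. The query also runs once per listed user inside the `for` loop; one query before the loop keyed by login would avoid the per-row round trip. The enclosing `if ( ! isset($_REQUEST['action']))` block starts and ends outside the hunk.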
@@ -182,7 +188,8 @@ if ( $action == "view" )
         $action="";
         return;
     }
-
+    
+    
     
//--------------------------------------------------------------------------------
     // Show access for journal
     
//--------------------------------------------------------------------------------
@@ -191,10 +198,7 @@ if ( $action == "view" )
                                " order by jrn_def_name");
     $sec_User=new User($cn,$user_id);
     $n_dossier_id=Dossier::id();
-
-    $sHref=sprintf ('export.php?act=PDF:sec&user_id=%s&'.$str_dossier ,
-                    $user_id
-                   );
+    
$sHref=http_build_query(["act"=>"PDF:sec","user_id"=>$user_id,"gDossier"=>$n_dossier_id]);
 
     echo dossier::hidden();
     echo HtmlInput::hidden('action','sec');
@@ -220,6 +224,24 @@ if ( $action == "view" )
     echo HtmlInput::button("grant_all", _("Accès à tout"), " onclick=\" 
grant_ledgers ('W') \"");
     echo HtmlInput::button("grant_readonly", _("Uniquement Lecture"), " 
onclick=\" grant_ledgers ('R') \"");
     echo HtmlInput::button("revoke_all", _("Aucun accès"), " onclick=\" 
grant_ledgers ('X') \"");
+    //-------------------------------------------------------------------------
+    // Enable or not the security on ledger
+    //-------------------------------------------------------------------------
+    echo "<p>";
+    echo _("Sécurité sur les journaux")." ";
+    $status_sec_ledger=$sec_User->get_status_security_ledger();
+    $sec_ledger=new Inplace_Switch("sec_ledger", $status_sec_ledger);
+    $sec_ledger->set_callback("ajax_misc.php");
+    $sec_ledger->add_json_param("gDossier", $n_dossier_id);
+    $sec_ledger->add_json_param("user_id", $user_id);
+    $sec_ledger->add_json_param("op", "user_sec_ledger");
+    $sec_ledger->set_jscript(" if ( $('security_ledger_tbl').visible() ) { 
$('security_ledger_tbl').hide();} else { $('security_ledger_tbl').show();}");
+    echo $sec_ledger->input();
+    echo "</p>";
+    //------------------------------------------------------------------------
+    // Access by ledgers, needed if the security on ledger is enable
+    //------------------------------------------------------------------------
+    echo '<div id="security_ledger_tbl">';
     echo '<table>';
     $MaxJrn=Database::num_row($Res);
     $jrn_priv=new ISelect("iledger");
@@ -251,6 +273,7 @@ if ( $action == "view" )
         echo '</tr>';
     }
     echo '</table>';
+    echo '</div>';
     echo '</fieldset>';
 
     //**********************************************************************
@@ -259,9 +282,23 @@ if ( $action == "view" )
     echo '<fieldset> <legend>'._('Actions').'</legend>';
     echo HtmlInput::button("grant_all_action", _("Toutes les actions"), " 
onclick=\" grant_action(1) \"");
     echo HtmlInput::button("revoke_all_action", _("Aucune action"), " 
onclick=\" grant_action (0) \"");
+    //-------------------------------------------------------------------------
+    // Enable or not the security on ledger
+    //-------------------------------------------------------------------------
+    echo "<p>";
+    echo _("Sécurité sur les actions")." ";
+    $status_sec_action=$sec_User->get_status_security_action();
+    $sec_action=new Inplace_Switch("sec_action", $status_sec_action);
+    $sec_action->set_callback("ajax_misc.php");
+    $sec_action->add_json_param("gDossier", $n_dossier_id);
+    $sec_action->add_json_param("user_id", $user_id);
+    $sec_action->add_json_param("op", "user_sec_action");
+    $sec_action->set_jscript(" if ( $('security_action_tbl').visible() ) { 
$('security_action_tbl').hide();} else { $('security_action_tbl').show();}");
+    echo $sec_action->input();
+    echo "</p>";
     include(NOALYSS_TEMPLATE.'/security_list_action.php');
     echo '</fieldset>';
-    echo 
HtmlInput::button('Imprime',_('imprime'),"onclick=\"window.open('".$sHref."');\"");
+    echo 
HtmlInput::button('Imprime',_('imprime'),"onclick=\"window.open('export.php?".$sHref."');\"");
        echo $return;
     
     ?>
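Review bot: The banner comment above the new action switch, `// Enable or not the security on ledger`, was copied from the ledger block and should read `// Enable or not the security on action`. The `if ( $action == "view" )` block enclosing this hunk starts and ends outside it.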
@@ -320,6 +357,20 @@ if ( $action == "view" )
                             }
                 });
      }
+     function display_security_ledger(p_value) {
+        if ( p_value == 1) {
+                $('security_ledger_tbl').show();}
+            else {
+                $('security_ledger_tbl').hide();}
+     }
+    display_security_ledger(<?=$status_sec_ledger?>);
+     function display_security_action(p_value) {
+        if ( p_value == 1) {
+                $('security_action_tbl').show();}
+            else {
+                $('security_action_tbl').hide();}
+     }
+    display_security_action(<?=$status_sec_action?>);
     </script>
 <?php
 } // end of the form
diff --git a/include/template/security_list_action.php 
b/include/template/security_list_action.php
index aadc54d..6f18408 100644
--- a/include/template/security_list_action.php
+++ b/include/template/security_list_action.php
@@ -1,7 +1,10 @@
 <?php
 //This file is part of NOALYSS and is under GPL 
 //see licence.txt
-?><?php
+?>
+<div id="security_action_tbl">
+    
+    <?php
 
        function display_security_fieldset($p_legend,$p_array,$sec_User) {
 
@@ -68,3 +71,4 @@ $array=$cn->get_array("select ac_id, ac_description from 
action  where ac_id >=$
     array(1200,1300));
     display_security_fieldset(_('Note'),$array,$sec_User); 
 ?>
+</div>
\ No newline at end of file
diff --git a/sql/upgrade.sql b/sql/upgrade.sql
index 217dfc0..2e8ecfa 100644
--- a/sql/upgrade.sql
+++ b/sql/upgrade.sql
@@ -69,3 +69,20 @@ alter table jrn_periode alter column   id set default  
nextval('jrn_periode_id_s
 update jrn_periode set id=nextval('jrn_periode_id_seq');
 alter table jrn_periode add  constraint jrn_periode_pk  primary key (id);
 alter table jrn_periode add constraint  jrn_periode_periode_ledger unique 
(jrn_def_id,p_id); 
+
+CREATE TABLE public.user_active_security (
+       id serial not NULL,
+       us_login text NOT NULL,
+       us_ledger varchar(1) not NULL,
+       us_action varchar(1) not NULL
+);
+COMMENT ON COLUMN public.user_active_security.us_login IS 'user''s login' ;
+COMMENT ON COLUMN public.user_active_security.us_ledger IS 'Flag Security for 
ledger' ;
+COMMENT ON COLUMN public.user_active_security.us_action IS 'Security for 
action' ;
+
+ALTER TABLE public.user_active_security ADD CONSTRAINT user_active_security_pk 
PRIMARY KEY (id) ;
+ALTER TABLE public.user_active_security ADD CONSTRAINT 
user_active_security_ledger_check CHECK (us_ledger in ('Y','N')) ;
+ALTER TABLE public.user_active_security ADD CONSTRAINT 
user_active_security_action_check CHECK (us_action in ('Y','N')) ;
+
+insert into user_active_security (us_login,us_ledger,us_action)  select 
user_name,'Y','Y' from profile_user;
+
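Review bot: `user_active_security` has no uniqueness on `us_login`, yet the PHP side decides between insert and update with `select count(*) ... where us_login=$1` and reads the flag with a single-value query, so two rows for one login would make the getters return whichever row comes first; add `ALTER TABLE public.user_active_security ADD CONSTRAINT user_active_security_login_unique UNIQUE (us_login);`. The seed `insert ... select user_name,'Y','Y' from profile_user` covers only existing logins, so the default the PHP getters apply to a missing row decides the security of every user created afterwards; a comment here stating that dependency, or inserting the row when a user is created, would make the intent explicit. No cleanup rule is needed on this side since the same commit adds the matching `delete from user_active_security` in `user.class.php`.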


