
[Noalyss-commit] [noalyss] 11/119: Improve use of the security


From: Dany De Bontridder
Subject: [Noalyss-commit] [noalyss] 11/119: Improve use of the security
Date: Mon, 26 Oct 2020 18:27:02 -0400 (EDT)

sparkyx pushed a commit to branch master
in repository noalyss.

commit 455a072e272683aaea36464885c7a4a91e95ace6
Author: Dany De Bontridder <danydb@noalyss.eu>
AuthorDate: Mon Sep 21 22:05:02 2020 +0200

    Improve use of the security
---
 html/style-classic7.css                   |  5 ++
 include/ajax/ajax_get_profile.php         |  5 +-
 include/class/extension.class.php         |  6 +++
 include/param_sec.inc.php                 | 76 +++++++++++++++++++------------
 include/template/security_list_action.php |  3 +-
 5 files changed, 63 insertions(+), 32 deletions(-)

diff --git a/html/style-classic7.css b/html/style-classic7.css
index 866f4d3..56db14e 100644
--- a/html/style-classic7.css
+++ b/html/style-classic7.css
@@ -2469,3 +2469,8 @@ span.title_tab_row {
      color : white !important;
      
 }
+p.info {
+    font-size:90%;
+    font-family: sans-serif;
+    font-style: italic;
+}
\ No newline at end of file
diff --git a/include/ajax/ajax_get_profile.php 
b/include/ajax/ajax_get_profile.php
index 586a92d..9f92f8d 100644
--- a/include/ajax/ajax_get_profile.php
+++ b/include/ajax/ajax_get_profile.php
@@ -55,7 +55,7 @@ $a_tab[$call_tab]='tabs_selected';
     <li class="<?php echo $a_tab['profile_gen_div']?>"><a 
href="javascript:void(0)"  
onclick="unselect_other_tab(this.parentNode.parentNode);this.parentNode.className='tabs_selected';profile_show('profile_gen_div')"><?php
 echo _('Nom')?></a></li>
     <li class="<?php echo $a_tab['profile_menu_div']?>"><a 
href="javascript:void(0)"  
onclick="unselect_other_tab(this.parentNode.parentNode);this.parentNode.className='tabs_selected';profile_show('profile_menu_div')"><?php
 echo _('Détail Menus')?></a></li>
     <li class="<?php echo $a_tab['profile_print_div']?>"><a 
href="javascript:void(0)" 
onclick="unselect_other_tab(this.parentNode.parentNode);this.parentNode.className='tabs_selected';profile_show('profile_print_div')"><?php
 echo _('Détail Impressions')?></a></li>
-    <li class="<?php echo $a_tab['profile_gestion_div']?>"><a 
href="javascript:void(0)" style="" 
onclick="unselect_other_tab(this.parentNode.parentNode);this.parentNode.className='tabs_selected';profile_show('profile_gestion_div')"><?php
 echo _('Action Gestion')?> </a></li>
+    <li class="<?php echo $a_tab['profile_gestion_div']?>"><a 
href="javascript:void(0)" style="" 
onclick="unselect_other_tab(this.parentNode.parentNode);this.parentNode.className='tabs_selected';profile_show('profile_gestion_div')"><?php
 echo _('Groupe Gestion')?> </a></li>
     <li class="<?php echo $a_tab['profile_repo_div']?>"><a 
href="javascript:void(0)"  
onclick="unselect_other_tab(this.parentNode.parentNode);this.parentNode.className='tabs_selected';profile_show('profile_repo_div')"><?php
 echo _('Dépôts')?></a>&nbsp;
 </ul>
 
@@ -111,7 +111,6 @@ if ($profile->p_id > 0)
         echo '</div>';
         echo '<div class="myfieldset"  style="display:none" 
id="profile_menu_div">';
        //Menu / Module /plugin in this profile
-       echo "<h1 class=\"legend\">"._("Menu")."</h2>";
        $profile_menu = new Profile_Menu($cn);
         $profile_menu->p_id=$p_id;
        $profile_menu->display_profile_menu_detail();
@@ -122,7 +121,7 @@ if ($profile->p_id > 0)
        echo $add_impression;
         echo '</div>';
         echo '<div class="myfieldset"  style="display:none" 
id="profile_gestion_div">';
-       echo "<h1 class=\"legend\">".('Groupe gestion')."</h1>";
+       
        $profile_menu->available_profile();
         echo '</div>';
         echo '<div class="myfieldset"  style="display:none" 
id="profile_repo_div">';
diff --git a/include/class/extension.class.php 
b/include/class/extension.class.php
index 5fad200..1b321fe 100644
--- a/include/class/extension.class.php
+++ b/include/class/extension.class.php
@@ -251,6 +251,12 @@ class Extension extends Menu_Ref_sql
         }
     }
 
+    /**
+     * compare the version of the plugin and the last version , propose to 
update it if a new version exists
+     * @todo add a mechanism to check once a day
+     * @global User $g_user
+     * @global number $version_plugin
+     */
     static function check_plugin_version()
     {
         global $g_user, $version_plugin;
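Review bot: The new docblock tags `$version_plugin` as `@global number`, but `number` is not a PHPDoc type; use `int` or `string` according to what the global actually holds (not visible in this hunk). The summary line would also read better as `Compare the installed plugin version with the latest one and propose an update when a newer version exists`. The method body continues past the hunk.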
diff --git a/include/param_sec.inc.php b/include/param_sec.inc.php
index 2447692..d40d084 100644
--- a/include/param_sec.inc.php
+++ b/include/param_sec.inc.php
@@ -51,6 +51,7 @@ require_once  NOALYSS_INCLUDE.'/lib/user_menu.php';
 if ( ! isset($_REQUEST['action']))
 {
        
$base_url=$_SERVER['PHP_SELF']."?ac=".$_REQUEST['ac']."&".dossier::get();
+        
$base_url=NOALYSS_URL."/do.php?".http_build_query(array("ac"=>$http->request("ac"),"gDossier"=>dossier::id()));
 
     echo '<DIV class="content" >';
        $header=new Sort_Table();
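Review bot: The new `http_build_query` assignment of `$base_url` is added after the old assignment from `$_SERVER['PHP_SELF']` and the raw `$_REQUEST['ac']`, which is kept as context, so the unencoded read of `$_REQUEST['ac']` still runs on every request before being overwritten. Delete the superseded line so the encoded construction is the only one; as it stands a later edit could easily reinstate the raw form. The `if ( ! isset($_REQUEST['action']))` block starts and ends outside the hunk, and `$http` is presumably initialised earlier in the file — worth confirming.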
@@ -59,7 +60,7 @@ if ( ! isset($_REQUEST['action']))
        $header->add(_("Type d'utilisateur"),$base_url,"order by use_admin 
asc,use_login asc","order by use_admin desc,use_login desc",'ta','td');
 
 
-       $order=(isset($_REQUEST['ord']))?$_REQUEST['ord']:'la';
+       $order=$http->request("ord","string","la");
 
        $ord_sql=$header->get_sql_order($order);
 
@@ -73,12 +74,13 @@ if ( ! isset($_REQUEST['action']))
                                             use_admin
                                                 from ac_users left join 
jnt_use_dos using (use_id)
                                        where use_login != $2 and use_active=1
-                                       and (dos_id=$1  or (dos_id is null and 
use_admin=1))" . $ord_sql, array($gDossier,NOALYSS_ADMINISTRATOR));
+                                       and (dos_id=$1  or (dos_id is null and 
use_admin=1))" . $ord_sql, 
+                array($gDossier,NOALYSS_ADMINISTRATOR));
 
     $MaxUser = Database::num_row($user_sql);
 
 
-    echo '<TABLE class="result" style="width:80%;margin-left:10%">';
+    echo '<TABLE class="result" >';
        echo "<tr>";
        echo '<th>'.$header->get_header(0).'</th>';
        echo '<th>'.$header->get_header(1).'</th>';
@@ -98,24 +100,28 @@ if ( ! isset($_REQUEST['action']))
         if ( $l_line['use_admin'] == 1 )
             $str=_('Administrateur');
 
-               // get profile
-               $profile=$cn->get_value("select p_name from profile
-                               join profile_user using(p_id) where 
user_name=$1",array($l_line['use_login']));
-
-               $url=$base_url."&action=view&user_id=".$l_line['use_id'];
-               echo "<td>";
-               echo HtmlInput::anchor($l_line['use_login'], $url);
-               echo "</td>";
-               echo td($l_line['use_name']);
-               echo td($l_line['use_first_name']);
-               echo td($profile);
-                // status of security on ledger and action 
-                $a_sec=$cn->get_row("select us_ledger,us_action from 
user_active_security where us_login =$1",
-                        [$l_line['use_login']]);
-                echo td($a_sec['us_ledger']);
-                echo td($a_sec['us_action']);
-               echo td($str);
-               echo "</TR>";
+        // get profile
+        $profile=$cn->get_value("select p_name from profile
+                        join profile_user using(p_id) where 
user_name=$1",array($l_line['use_login']));
+
+        $url=$base_url."&action=view&user_id=".$l_line['use_id'];
+        echo "<td>";
+        echo HtmlInput::anchor($l_line['use_login'], $url);
+        echo "</td>";
+        echo td($l_line['use_name']);
+        echo td($l_line['use_first_name']);
+        echo td($profile);
+        // status of security on ledger and action 
+        $a_sec=$cn->get_row("select us_ledger,us_action from 
user_active_security where us_login =$1",
+                [$l_line['use_login']]);
+        if ( ! empty($a_sec )  )  {
+            echo td($a_sec['us_ledger']);
+            echo td($a_sec['us_action']);
+        } else {
+            echo td(_("Erreur sécurité"));
+        }
+        echo td($str);
+        echo "</TR>";
     }
     echo '</TABLE>';
 }
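Review bot: The new else-branch emits a single cell where the if-branch emits two (`us_ledger` and `us_action`), so a user with no `user_active_security` row produces a table row one column short of the header and the following `td($str)` lands under the wrong heading. Emit a second cell, `echo td(_("Erreur sécurité")); echo td("");`, or span both columns if `td()` accepts an attribute argument (its signature is not in the hunk). Since the message signals a missing security record, logging the affected `use_login` at that point would help an operator find such accounts rather than only flagging them visually. The enclosing loop header is outside the hunk.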
@@ -138,7 +144,7 @@ if ( isset ($_GET["action"] ))
 if ( $action == "view" )
 {
     $l_Db=sprintf("dossier%d",$gDossier);
-    $return= HtmlInput::button_anchor(_('Retour à la 
liste'),'?&ac='.$_REQUEST['ac'].'&'.dossier::get(),_('retour'),"",'smallbutton');
+    $return= HtmlInput::button_anchor(_('Retour à la 
liste'),'?&ac='.$http->request('ac').'&'.dossier::get(),_('retour'),"",'smallbutton');
 
     $repo=new Database();
     $user_id=$http->get('user_id',"number");
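Review bot: The `ac` value is still concatenated unencoded into the return URL on the `button_anchor` line; this hunk only swaps `$_REQUEST['ac']` for `$http->request('ac')`, whereas the first hunk of this file moved `$base_url` to `http_build_query`. Build it the same way for consistency and encoding: `'?'.http_build_query(array('ac'=>$http->request('ac'),'gDossier'=>dossier::id()))`, assuming `dossier::get()` yields the same `gDossier=` pair as used in that hunk (not visible here). The `if ( $action == "view" )` block continues past the hunk.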
@@ -221,9 +227,7 @@ if ( $action == "view" )
     echo _("Profil")." ".$ie_profile->input();
     echo "</p>";
     echo '<Fieldset><legend>'._('Journaux').'</legend>';
-    echo HtmlInput::button("grant_all", _("Accès à tout"), " onclick=\" 
grant_ledgers ('W') \"");
-    echo HtmlInput::button("grant_readonly", _("Uniquement Lecture"), " 
onclick=\" grant_ledgers ('R') \"");
-    echo HtmlInput::button("revoke_all", _("Aucun accès"), " onclick=\" 
grant_ledgers ('X') \"");
+   
     //-------------------------------------------------------------------------
     // Enable or not the security on ledger
     //-------------------------------------------------------------------------
@@ -238,6 +242,7 @@ if ( $action == "view" )
         $status_sec_ledger=0;
         $sec_User->set_status_security_ledger(0);
     } else {
+      
         $sec_ledger=new Inplace_Switch("sec_ledger", $status_sec_ledger);
         $sec_ledger->set_callback("ajax_misc.php");
         $sec_ledger->add_json_param("gDossier", $n_dossier_id);
@@ -245,12 +250,19 @@ if ( $action == "view" )
         $sec_ledger->add_json_param("op", "user_sec_ledger");
         $sec_ledger->set_jscript(" if ( $('security_ledger_tbl').visible() ||  
{$sec_User->Admin()}==1) { $('security_ledger_tbl').hide();} else { 
$('security_ledger_tbl').show();}");
         echo $sec_ledger->input();
+          echo "<p class='info'>";
+        echo _("La sécurité sur les journaux, permet de limiter l'accès de 
l'utilisateur aux journaux, si cette ".
+                " sécurité n'est pas activée , l'utilisateur a accès à tous 
les journaux en lecture et écriture");
+        echo "</p>";
     }
     echo "</p>";
     //------------------------------------------------------------------------
     // Access by ledgers, needed if the security on ledger is enable
     //------------------------------------------------------------------------
     echo '<div id="security_ledger_tbl">';
+    echo HtmlInput::button("grant_all", _("Accès à tout"), " onclick=\" 
grant_ledgers ('W') \"");
+    echo HtmlInput::button("grant_readonly", _("Uniquement Lecture"), " 
onclick=\" grant_ledgers ('R') \"");
+    echo HtmlInput::button("revoke_all", _("Aucun accès"), " onclick=\" 
grant_ledgers ('X') \"");
     echo '<table>';
     $MaxJrn=Database::num_row($Res);
     $jrn_priv=new ISelect("iledger");
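Review bot: The info text is handed to `_()` as a concatenation of two literals (`_("… si cette ". " sécurité …")`), which gettext extraction cannot pick up, so the message will never appear in the translation catalogue and always renders in French; the hunk at `@@ -312,6 +324,10 @@` has the same pattern. Pass one literal per `_()` call instead. The `<p class='info'>` is also echoed before the existing `echo "</p>";` that follows the block, which suggests it is opened inside a `<p>` started outside the hunk; `<p>` elements cannot nest, so the browser closes the outer one early and the trailing `</p>` becomes stray — confirm which element that `</p>` closes and either use `<div class='info'>` or move the paragraph after it. The first `echo "<p class='info'>";` is also indented two spaces deeper than its neighbours.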
@@ -285,12 +297,12 @@ if ( $action == "view" )
     echo '</div>';
     echo '</fieldset>';
 
+    echo '<hr>';
     //**********************************************************************
     // Show Priv. for actions
     //**********************************************************************
     echo '<fieldset> <legend>'._('Actions').'</legend>';
-    echo HtmlInput::button("grant_all_action", _("Toutes les actions"), " 
onclick=\" grant_action(1) \"");
-    echo HtmlInput::button("revoke_all_action", _("Aucune action"), " 
onclick=\" grant_action (0) \"");
+    
     //-------------------------------------------------------------------------
     // Enable or not the security on ledger
     //-------------------------------------------------------------------------
@@ -303,7 +315,7 @@ if ( $action == "view" )
         $status_sec_action=0;
         $sec_User->set_status_security_action(0);
     } else {
-
+        
         $status_sec_action=$sec_User->get_status_security_action();
         $sec_action=new Inplace_Switch("sec_action", $status_sec_action);
         $sec_action->set_callback("ajax_misc.php");
@@ -312,6 +324,10 @@ if ( $action == "view" )
         $sec_action->add_json_param("op", "user_sec_action");
         $sec_action->set_jscript(" if ( $('security_action_tbl').visible() ) { 
$('security_action_tbl').hide();} else { $('security_action_tbl').show();}");
         echo $sec_action->input();
+         echo "<p class='info'>";
+        echo _("La sécurité sur les actions permet de limiter ce que 
l'utilisateur peut faire, si "
+                . " elle n'est pas active l'utilisateur a donc accès à toutes 
ces actions");
+        echo "</p>";
     }
     echo "</p>";
     
@@ -358,7 +374,11 @@ if ( $action == "view" )
          var i=0;
         var str_id="";
         for (i = 0;i < a_select.length;i++) {
+            
           str_id = new String( a_select[i].id);
+          if ( str_id == 'sec_action')  {
+              continue;
+          }
            if ( str_id.search(/action/) > -1 ) {
              if ( p_value == 0 ) {
                  a_select[i].setStyle("color:red");
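Review bot: The new early `continue` for `sec_action` only matches because `str_id` is built with `new String(...)` and compared with loose `==`; switching to `===` later would silently stop it matching. Assign the primitive instead, `str_id = a_select[i].id;`, and compare with `if (str_id === 'sec_action') { continue; }`. The literal `'sec_action'` duplicates the `Inplace_Switch("sec_action", …)` name from an earlier hunk, so a comment such as `// skip the security toggle itself: its id also matches /action/` would explain why the regex loop has to exclude it. The enclosing JavaScript function starts and ends outside the hunk.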
diff --git a/include/template/security_list_action.php 
b/include/template/security_list_action.php
index 6f18408..c9ff9e6 100644
--- a/include/template/security_list_action.php
+++ b/include/template/security_list_action.php
@@ -5,7 +5,8 @@
 <div id="security_action_tbl">
     
     <?php
-
+     echo HtmlInput::button("grant_all_action", _("Toutes les actions"), " 
onclick=\" grant_action(1) \"");
+    echo HtmlInput::button("revoke_all_action", _("Aucune action"), " 
onclick=\" grant_action (0) \"");
        function display_security_fieldset($p_legend,$p_array,$sec_User) {
 
        $gDossier=dossier::id();
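Review bot: The two `echo HtmlInput::button(...)` calls are placed in the same `<?php` block that goes on to declare `display_security_fieldset`, so the template now mixes output with a function declaration; PHP hoists the function so it works, but the output would be clearer kept apart from the declaration. The first `echo` is indented five spaces against the four of its sibling, and `grant_action (0)` carries a stray space where the other call uses `grant_action(1)`; align both: `echo HtmlInput::button("revoke_all_action", _("Aucune action"), " onclick=\" grant_action(0) \"");`. The function declaration continues past the hunk.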


