[Noalyss-commit] [noalyss] 05/24: Security : management , profile access
From: |
Dany De Bontridder |
Subject: |
[Noalyss-commit] [noalyss] 05/24: Security : management , profile access |
Date: |
Tue, 12 Jul 2022 07:05:24 -0400 (EDT) |
sparkyx pushed a commit to branch master
in repository noalyss.
commit 6c4a4156a49290fa1071312b6f20927b7e40e42a
Author: sparkyx <danydb@noalyss.eu>
AuthorDate: Tue May 3 22:41:00 2022 +0200
Security : management , profile access
---
include/action.common.inc.php | 11 +++-
include/class/follow_up.class.php | 18 +++---
include/class/user.class.php | 50 ++++++++++++-----
include/template/action_display_short.php | 2 +-
include/template/followup-show-action-add.php | 6 +-
unit-test/include/class/userTest.php | 79 +++++++++++++++++++++++++++
6 files changed, 139 insertions(+), 27 deletions(-)
diff --git a/include/action.common.inc.php b/include/action.common.inc.php
index 4e05db6c1..b29687199 100644
--- a/include/action.common.inc.php
+++ b/include/action.common.inc.php
@@ -40,6 +40,15 @@ if (isset($_REQUEST['sb']))
$supl_hidden.=HtmlInput::hidden('sb', $http->request("sb"));
$supl_hidden.=HtmlInput::hidden('ac', $http->request("ac"));
+/**
+ * if no group available , then stop
+ */
+global $g_user;
+
+if ( empty ($g_user->get_readable_profile() ) ) {
+ echo_warning(_("Aucun profil disponible"));
+ return;
+}
$correction = 0;
$error_id=0;
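Review bot: The new gate at the top of the include calls `$g_user->get_readable_profile()`, which for a non-admin costs two round trips (`get_profile()` plus the `select p_granted ...` array query), and the same price is paid again a few hundred lines down when `get_writable_profile()` is evaluated for `add_action`; memoising both arrays on the User instance (`$this->aReadable ??= ...`) would keep the check cheap enough to repeat everywhere it is needed. The gate itself is sound as a coarse "no profile at all" stop, but note it only ends this include; nothing here prevents a sub-action from being handled if the file is entered through another path, so the per-sub-action checks further down remain the real control. A one-line comment such as `// stop here when the user has no readable action profile; the per-sub-action checks below still apply` would make that intent explicit.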
@@ -343,7 +352,7 @@ if ($sub_action == "save_action_st2")
}
//--------------------------------------------------------------------------------
// Add an action
-if ($sub_action == "add_action")
+if ($sub_action == "add_action" && ! empty($g_user->get_writable_profile() ) )
{
$act = new Follow_Up($cn);
$act->fromArray($_POST);
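Review bot: The new condition `! empty($g_user->get_writable_profile())` only proves the user can write to some profile, not to the `ag_dest` the client submits in `$_POST`, which `fromArray` copies straight into the Follow_Up object on the last line of the hunk. Unless the per-profile check documented in user.class.php ("Check if the current user can add an action in the profile given in parameter") is applied further down in this branch (the body continues outside the hunk), a user granted one profile can post an action into any other. A cheap server-side check right after `fromArray` would close that: `if (!in_array($act->ag_dest, $g_user->get_writable_profile(), true)) { echo_warning(_("Aucun profil disponible")); return; }`.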
diff --git a/include/class/follow_up.class.php
b/include/class/follow_up.class.php
index bd079d5a1..cdde6d324 100644
--- a/include/class/follow_up.class.php
+++ b/include/class/follow_up.class.php
@@ -109,10 +109,10 @@ class Follow_Up
}
if ($p_mode=='R')
{
- $sql=" (ag_dest in (select p_granted from user_sec_action_profile
where p_id=$profile ) ) ";
+ $sql=" (ag_dest in (select p_granted from user_sec_action_profile
where p_id=$profile and ua_right !='X' ) ) ";
} else if ($p_mode=='W')
{
- $sql=" ( ag_dest in (select p_granted from user_sec_action_profile
where p_id=$profile and ua_right='W' ) )";
+ $sql=" ( ag_dest in (select p_granted from user_sec_action_profile
where p_id=$profile and ua_right in ('W','O') ) )";
} else {
record_log(_('Securité'));
throw new Exception(_('Securité'));
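Review bot: The read filter on the new side, `ua_right !='X'`, is a deny-list: any ua_right value other than 'X' (a typo, an unexpected or future code) grants read access, whereas `sql_readable_profile()` in user.class.php expresses the same rule as the positive list `in ('W','R','O')`. Aligning this branch so an unknown right fails closed keeps the two definitions of "readable" from drifting: `where p_id=$profile and ua_right in ('R','W','O')`. `$profile` is also spliced unquoted into both strings; it is presumably the DB-sourced `get_profile()` value, but `$profile=(int)$profile;` before building the SQL would make that assumption explicit and harmless if the value is ever empty. The enclosing method starts before the hunk.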
@@ -270,7 +270,7 @@ class Follow_Up
// select profile
$aAg_dest=$this->db->make_array("select p_id as value, ".
"p_name as label ".
- " from profile where p_id in
".$g_user->get_writable_profile()."order by 2");
+ " from profile where p_id in
".$g_user->sql_writable_profile()." order by 2");
$ag_dest->value=$aAg_dest;
$ag_dest->selected=$this->ag_dest;
@@ -1170,20 +1170,20 @@ class Follow_Up
$aAg_dest=$cn->make_array("select p_id as value, ".
"p_name as label ".
" from profile where p_id in ".
- $g_user->get_readable_profile().
+ $g_user->sql_readable_profile().
"order by 2");
- $aAg_dest[]=array('value'=>'-2', 'label'=>_('Tous les profiles'));
+ $aAg_dest[]=array('value'=>'-2', 'label'=>_('Tous les profils'));
$ag_dest=new ISelect();
$ag_dest->name="ag_dest_query";
$ag_dest->value=$aAg_dest;
-
$ag_dest->selected=(isset($_GET["ag_dest_query"]))?$_GET["ag_dest_query"]:-2;
+ $ag_dest->selected=$http->get("ag_dest_query","number",-2);
$str_ag_dest=$ag_dest->input();
$osag_ref=new IText("sag_ref");
- $osag_ref->value=(isset($_GET['sag_ref']))?$_GET['sag_ref']:"";
+ $osag_ref->value=$http->get('sag_ref',"string","");
$remind_date=new IDate('remind_date');
-
$remind_date->value=(isset($_GET['remind_date']))?$_GET['remind_date']:"";
+ $remind_date->value=$http->get('remind_date',"string","");
$remind_date_end=new IDate('remind_date_end');
-
$remind_date_end->value=(isset($_GET['remind_date_end']))?$_GET['remind_date_end']:"";
+ $remind_date_end->value=$http->get('remind_date_end',"string","");
$otag=new Tag($cn);
// show the action in
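Review bot: `$http` is used throughout the new side (`$http->get("ag_dest_query","number",-2)`, `$http->get('sag_ref',"string","")`) but is not introduced anywhere in the hunk; the enclosing method starts well before it, so confirm it is declared there (`global $http` or a freshly constructed HttpInput), otherwise every one of these lines is a call on null. The three date fields are fetched with the `"string"` validator (`$http->get('remind_date',"string","")`); if HttpInput offers a date type, using it would reject malformed dates before they reach whatever query is built from them further down. The `"number"` type with default -2 for `ag_dest_query` is the right replacement for the old unvalidated `$_GET` read.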
diff --git a/include/class/user.class.php b/include/class/user.class.php
index 405c96fa8..dee3e115b 100644
--- a/include/class/user.class.php
+++ b/include/class/user.class.php
@@ -1356,7 +1356,7 @@ class User
}
/**
- * Audit action from the administration menu
+ * @brief Audit action from the administration menu
* @param $p_module description of the action
*/
static function audit_admin($p_module)
@@ -1412,62 +1412,82 @@ class User
}
/**
- * return the profile (p_id)
+ * @brief return the profile (p_id)
* @return profile.p_id
*/
function get_profile()
{
$profile=$this->db->get_value("select p_id from profile_user where
- lower(user_name)=lower($1)",
array($this->login));
+ lower(user_name)=lower($1) ",
array($this->login));
return $profile;
}
/**
- * Compute the SQL string for the writable profile,
+ * @brief Compute the SQL string for the writable profile,
* the subselect for p_id , example
- * p_id in $g_user->get_writable_profile.
+ * p_id in $g_user->sql_writable_profile.
* The administrator can access all the profiles
+ * R = Read Only W = Write and delete O = write and not delete
* @return SQL string with the subselect for p_id
*/
- function get_writable_profile()
+ function sql_writable_profile()
{
if ($this->admin!=1)
{
$sql=" (select p_granted "
." from user_sec_action_profile "
- ." where ua_right='W' and
p_id=".$this->get_profile().") ";
+ ." where ua_right in ('W','O') and
p_id=".$this->get_profile().") ";
}
else
{
- $sql="(select p_id from profile)";
+ $sql="(select p_id p_granted from profile)";
}
return $sql;
}
-
/**
- * Compute the SQL string for the readable profile,
+ * @brief return array of writable action_profile
+ *
+ */
+ function get_writable_profile()
+ {
+ $value=$this->db->get_array("select p_granted from
".$this->sql_writable_profile()." as m") ;
+ $aGranted=array_column($value,"p_granted");
+ return $aGranted;
+ }
+ /**
+ * @brief return array of readable action_profile
+ *
+ */
+ function get_readable_profile()
+ {
+ $value=$this->db->get_array("select p_granted from
".$this->sql_readable_profile()." as m") ;
+ $aGranted=array_column($value,"p_granted");
+ return $aGranted;
+ }
+ /**
+ *@brief Compute the SQL string for the readable profile,
* the subselect for p_id , example
- * p_id in $g_user->get_readable_profile.
+ * p_id in $g_user->sql_readable_profile.
* The administrator can read all the profiles
* @return SQL string with the subselect for p_id
*/
- function get_readable_profile()
+ function sql_readable_profile()
{
if ($this->admin!=1)
{
$sql=" (select p_granted "
." from user_sec_action_profile "
- ." where ua_right in ('W','R') and
p_id=".$this->get_profile().") ";
+ ." where ua_right in ('W','R','O') and
p_id=".$this->get_profile().") ";
}
else
{
- $sql="(select p_id from profile)";
+ $sql="(select p_id p_granted from profile)";
}
return $sql;
}
/**
- * Check if the current user can add an action in the profile given
+ * @brief Check if the current user can add an action in the profile given
* in parameter
* @param type $p_profile profile.p_id = action_gestion.ag_dest
* @return boolean
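Review bot: `sql_writable_profile()` and `sql_readable_profile()` still splice `$this->get_profile()` straight into the SQL fragment (`p_id=".$this->get_profile().") `), and for a login with no `profile_user` row `get_value` presumably returns null or an empty string, which turns the fragment into `p_id=)` and produces a database error instead of an empty grant set. Since that fragment is itself embedded into other queries across the codebase, a cast is cheap insurance: `$profile=(int)$this->get_profile();` followed by `." where ua_right in ('W','O') and p_id=$profile) "` (same in the readable variant). The new `get_writable_profile()`/`get_readable_profile()` wrappers each cost two round trips and are now called from several places per request; caching the resulting array on the instance would avoid that. Both accessor docblocks should also state the return shape, e.g. `@return int[] list of profile.p_id the user may write to (all profiles for an admin)`.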
diff --git a/include/template/action_display_short.php
b/include/template/action_display_short.php
index 2afec0525..08b60c048 100644
--- a/include/template/action_display_short.php
+++ b/include/template/action_display_short.php
@@ -49,7 +49,7 @@ $profile->value=$cn->make_array("select p_id as value, ".
" from profile "
. "where "
. "p_id in "
- . $g_user->get_writable_profile()
+ . $g_user->sql_writable_profile()
. "order by 2");
// priority
diff --git a/include/template/followup-show-action-add.php
b/include/template/followup-show-action-add.php
index ebfb7c39b..2f749ff10 100644
--- a/include/template/followup-show-action-add.php
+++ b/include/template/followup-show-action-add.php
@@ -27,8 +27,12 @@ $cn=Dossier::connect();
* @file
* @brief display a button for adding an followup action
*/
-echo HtmlInput::button(uniqid(), _("Ajout action"),
+global $g_user;
+if ( ! empty ($g_user->get_writable_profile()))
+{
+ echo HtmlInput::button(uniqid(), _("Ajout action"),
'onclick="document.getElementById(\'action_add_d\').style.display=\'block\';"');
+}
?>
<div id="action_add_d" class="inner_box"
style="width:25rem;display:none;top:10rem;">
<?php echo HtmlInput::title_box(_("Choississez une action"),
"action_add_d"); ?>
diff --git a/unit-test/include/class/userTest.php
b/unit-test/include/class/userTest.php
index 4ee68bbd5..5825824d8 100644
--- a/unit-test/include/class/userTest.php
+++ b/unit-test/include/class/userTest.php
@@ -160,5 +160,84 @@ class UserTest extends TestCase
+ }
+ /**
+ * @brief test the writable profile : W (Read Write) and O (Read Write NO
delete)
+ */
+ public function testsql_writable_profile()
+ {
+ $cn=Dossier::connect();
+ $user=new User($cn);
+ $_SESSION[SESSION_KEY.'use_admin']=0;
+ $user->admin=0;
+ $this->assertEquals(0 , $user->getAdmin()," Error user is admin");
+
+ $sql=$user->sql_writable_profile();
+ $sql= " select count(*) from ".$sql." as a";
+ var_dump($sql);
+
+ $this->assertEquals(3,$cn->get_value($sql),"Error writable profile
must be = 3");
+ $this->assertEquals(3,count($user->get_writable_profile()),"Error
writable profile must be = 3");
+
+ $sql=$user->sql_readable_profile();
+ $sql= " select count(*) from ".$sql." as a";
+
+ $this->assertEquals(3,$cn->get_value($sql),"Error readable profile
must be = 3");
+ $this->assertEquals(3,count($user->get_writable_profile()),"Error
readable profile must be = 3");
+
+ // remove profile 1
+ $cn->exec_sql("delete from user_sec_action_profile where p_id=$1 and
p_granted=$2",[$user->get_profile(),1]);
+
+ $sql=$user->sql_writable_profile();
+ $sql= " select count(*) from ".$sql." as a";
+ var_dump($sql);
+
+ $this->assertEquals(2,$cn->get_value($sql),"Error writable profile
must be = 2 ");
+ $this->assertEquals(2,count($user->get_writable_profile()),"Error
writable profile must be = 2");
+
+ $sql=$user->sql_readable_profile();
+ $sql= " select count(*) from ".$sql." as a";
+
+ $this->assertEquals(2,$cn->get_value($sql),"Error readable profile
must be = 2");
+ $this->assertEquals(2,count($user->get_writable_profile()),"Error
readable profile must be = 2");
+
+ // add profile 1 read only
+ $cn->exec_sql("insert into
user_sec_action_profile(p_id,p_granted,ua_right) values($1,$2,$3)"
+ ,[$user->get_profile(),1,"R"]);
+
+ $sql=$user->sql_writable_profile();
+ $sql= " select count(*) from ".$sql." as a";
+
+
+ $this->assertEquals(2,$cn->get_value($sql),"Error writable profile
must be = ");
+ $this->assertEquals(2,count($user->get_writable_profile()),"Error
writable profile must be = 2");
+
+ $sql=$user->sql_readable_profile();
+ $sql= " select count(*) from ".$sql." as a";
+ var_dump($sql);
+ $this->assertEquals(3,$cn->get_value($sql),"Error readable profile
must be = 3");
+ $this->assertEquals(3,count($user->get_readable_profile()),"Error
readable profile must be = 3");
+
+ // update profile 1 O Write and no suppress
+ $cn->exec_sql("update user_sec_action_profile set ua_right = $3 where
p_id =$1 and p_granted = $2"
+ ,[$user->get_profile(),1,"O"]);
+
+ $sql=$user->sql_writable_profile();
+ $sql= " select count(*) from ".$sql." as a";
+
+ $this->assertEquals(3,$cn->get_value($sql),"Error writable profile
must be = ");
+ $this->assertEquals(3,count($user->get_writable_profile()),"Error
writable profile must be = 2");
+
+ $sql=$user->sql_readable_profile();
+ $sql= " select count(*) from ".$sql." as a";
+
+ $this->assertEquals(3,$cn->get_value($sql),"Error readable profile
must be = 3");
+ $this->assertEquals(3,count($user->get_writable_profile()),"Error
readable profile must be = 3");
+
+ // update profile 1 W Write
+ $cn->exec_sql("update user_sec_action_profile set ua_right = $3 where
p_id =$1 and p_granted = $2"
+ ,[$user->get_profile(),1,"W"]);
+ $_SESSION[SESSION_KEY.'use_admin']=1;
+ $user->admin=1;
}
}
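Review bot: Three of the "readable" assertions in testsql_writable_profile are copy-paste mistakes that still count the writable set: each `$this->assertEquals(2,count($user->get_writable_profile()),"Error readable profile must be = 2");` (and its two siblings expecting 3) should call `get_readable_profile()`, otherwise the readable accessor is exercised only once, in the "R" case. The three `var_dump($sql);` debugging lines should be dropped, and the message on the "O" case (`"Error writable profile must be = 2"`) contradicts the asserted value 3. The test also deletes, inserts and updates `user_sec_action_profile` rows and only restores them on the success path; wrapping the body in try/finally (or a transaction rolled back in tearDown) would stop one failing assertion from corrupting the fixture for every later test.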