Computation of user rights: deny on a parent class must give DENY even if the class is explicitly ALLOW on the same profile (that was already working if the rules are given on several profiles). Note that this has a cost when building the grant matrix!

SVN:trunk[3365]
Romain Quetiez
2014-10-16 09:02:47 +00:00
parent 1300811007
commit 1f8d4d379f


@@ -1650,15 +1650,16 @@ class ProfilesConfig
public static function GetProfileActionGrant(\$iProfileId, \$sClass, \$sAction)
{
// Search for a grant, starting from the most explicit declaration,
// then searching for less and less explicit declaration
// Search for a grant, stoping if any deny is encountered (allowance implies the verification of all paths)
\$bAllow = null;
// 1 - The class itself
//
\$sGrantKey = \$iProfileId.'_'.\$sClass.'_'.\$sAction;
if (isset(self::\$aGRANTS[\$sGrantKey]))
{
return self::\$aGRANTS[\$sGrantKey];
\$bAllow = self::\$aGRANTS[\$sGrantKey];
if (!\$bAllow) return false;
}
// 2 - The parent classes, up to the root class
@@ -1668,12 +1669,58 @@ class ProfilesConfig
\$sGrantKey = \$iProfileId.'_'.\$sParent.'+_'.\$sAction;
if (isset(self::\$aGRANTS[\$sGrantKey]))
{
return self::\$aGRANTS[\$sGrantKey];
\$bAllow = self::\$aGRANTS[\$sGrantKey];
if (!\$bAllow) return false;
}
}
// 3 - The related classes (if the current is an N-N link with AUTO_DEL)
// 3 - The related classes (if the current is an N-N link with DEL_AUTO/DEL_SILENT)
//
\$bGrant = self::GetLinkActionGrant(\$iProfileId, \$sClass, \$sAction);
if (!is_null(\$bGrant))
{
\$bAllow = \$bGrant;
if (!\$bAllow) return false;
}
// 4 - All
//
\$sGrantKey = \$iProfileId.'_*_'.\$sAction;
if (isset(self::\$aGRANTS[\$sGrantKey]))
{
\$bAllow = self::\$aGRANTS[\$sGrantKey];
if (!\$bAllow) return false;
}
// null or true
return \$bAllow;
}
public static function GetProfileStimulusGrant(\$iProfileId, \$sClass, \$sStimulus)
{
\$sGrantKey = \$iProfileId.'_'.\$sClass.'_s_'.\$sStimulus;
if (isset(self::\$aGRANTS[\$sGrantKey]))
{
return self::\$aGRANTS[\$sGrantKey];
}
\$sGrantKey = \$iProfileId.'_*_s_'.\$sStimulus;
if (isset(self::\$aGRANTS[\$sGrantKey]))
{
return self::\$aGRANTS[\$sGrantKey];
}
return null;
}
// returns an array of id => array of column => php value(so-called "real value")
public static function GetProfilesValues()
{
return self::\$aPROFILES;
}
// Propagate the rights on classes onto the links themselves (the external keys must have DEL_AUTO or DEL_SILENT
//
protected static function GetLinkActionGrant(\$iProfileId, \$sClass, \$sAction)
{
if (array_key_exists(\$sClass, self::\$aLINKTOCLASSES))
{
// Get the grant for the remote classes. The resulting grant is:
@@ -1714,38 +1761,7 @@ class ProfilesConfig
return false;
}
}
// 4 - All
//
\$sGrantKey = \$iProfileId.'_*_'.\$sAction;
if (isset(self::\$aGRANTS[\$sGrantKey]))
{
return self::\$aGRANTS[\$sGrantKey];
}
// Still undefined for this class
return null;
}
public static function GetProfileStimulusGrant(\$iProfileId, \$sClass, \$sStimulus)
{
\$sGrantKey = \$iProfileId.'_'.\$sClass.'_s_'.\$sStimulus;
if (isset(self::\$aGRANTS[\$sGrantKey]))
{
return self::\$aGRANTS[\$sGrantKey];
}
\$sGrantKey = \$iProfileId.'_*_s_'.\$sStimulus;
if (isset(self::\$aGRANTS[\$sGrantKey]))
{
return self::\$aGRANTS[\$sGrantKey];
}
return null;
}
// returns an array of id => array of column => php value(so-called "real value")
public static function GetProfilesValues()
{
return self::\$aPROFILES;
}
}
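Review bot: GetProfileStimulusGrant, which appears in the second hunk with the same body as before, still returns the first grant it finds, so an explicit allow on the class is returned before a deny stored under the `*` key is ever read, and parent classes are not consulted at all. Stimuli therefore stay on the old "most explicit wins" rule while actions now follow "any deny wins", which looks inconsistent with the commit message unless it is deliberate. If it is deliberate, a comment on the function should say so; if not, the same stop-on-deny pattern can be applied to the two keys the function already reads, as sketched below (whether parent-class stimulus keys exist in the grant matrix is not visible here). Separately, GetProfileActionGrant now has a three-state result (`false` deny, `true` allow, `null` undefined) documented only by `// null or true`; a docblock stating it would help, since what callers do with `null` is not visible in this diff.

```php
public static function GetProfileStimulusGrant($iProfileId, $sClass, $sStimulus)
{
	// Same rule as GetProfileActionGrant: any deny wins, allow requires that no consulted key denies
	$bAllow = null;
	foreach (array($sClass, '*') as $sScope)
	{
		$sGrantKey = $iProfileId.'_'.$sScope.'_s_'.$sStimulus;
		if (isset(self::$aGRANTS[$sGrantKey]))
		{
			$bAllow = self::$aGRANTS[$sGrantKey];
			if (!$bAllow) return false;
		}
	}
	// null or true
	return $bAllow;
}
```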