N°4036 - User edition controls : a user cannot add to himself a profile denying the backoffice

2026-02-13 07:24:13 +01:00 · 2021-07-27 12:09:39 +02:00
parent 8f7e7c136d
commit 25f3c1cbc4
3 changed files with 38 additions and 25 deletions
--- a/core/userrights.class.inc.php
+++ b/core/userrights.class.inc.php
@@ -355,11 +355,22 @@ abstract class User extends cmdbAbstractObject
 		// Check that this user has at least one profile assigned when profiles have changed
 		if (array_key_exists('profile_list', $aChanges))
 		{
+			/** @var \DBObjectSet $oSet */
 			$oSet = $this->Get('profile_list');
-			if ($oSet->Count() == 0)
-			{
+			if ($oSet->Count() == 0) {
 				$this->m_aCheckIssues[] = Dict::S('Class:User/Error:AtLeastOneProfileIsNeeded');
 			}
+			// A user cannot add a profile denying the access to the backoffice
+			$aForbiddenProfiles = PortalDispatcherData::GetData('backoffice')['deny'];
+			if (UserRights::GetUserId() == $this->GetKey()) {
+				$oSet->Rewind();
+				while ($oUserProfile = $oSet->Fetch()) {
+					$sProfile = $oUserProfile->Get('profile');
+					if (in_array($sProfile, $aForbiddenProfiles)) {
+						$this->m_aCheckIssues[] = Dict::Format('Class:User/Error:ProfileNotAllowed', $sProfile);
+					}
+				}
+			}
 		}
 		// Only administrators can manage administrators
 		if (UserRights::IsAdministrator($this) && !UserRights::IsAdministrator())
--- a/dictionaries/en.dictionary.itop.ui.php
+++ b/dictionaries/en.dictionary.itop.ui.php
@@ -104,34 +104,35 @@ Dict::Add('EN US', 'English', 'English', array(
 	'Class:User/Attribute:last_name' => 'Last name',
 	'Class:User/Attribute:last_name+' => 'Name of the corresponding contact',
 	'Class:User/Attribute:first_name' => 'First name',
-	'Class:User/Attribute:first_name+' => 'First name of the corresponding contact',
-	'Class:User/Attribute:email' => 'Email',
-	'Class:User/Attribute:email+' => 'Email of the corresponding contact',
-	'Class:User/Attribute:login' => 'Login',
-	'Class:User/Attribute:login+' => 'user identification string',
-	'Class:User/Attribute:language' => 'Language',
-	'Class:User/Attribute:language+' => 'User language',
-	'Class:User/Attribute:language/Value:EN US' => 'English',
+	'Class:User/Attribute:first_name+'           => 'First name of the corresponding contact',
+	'Class:User/Attribute:email'                 => 'Email',
+	'Class:User/Attribute:email+'                => 'Email of the corresponding contact',
+	'Class:User/Attribute:login'                 => 'Login',
+	'Class:User/Attribute:login+'                => 'user identification string',
+	'Class:User/Attribute:language'              => 'Language',
+	'Class:User/Attribute:language+'             => 'User language',
+	'Class:User/Attribute:language/Value:EN US'  => 'English',
 	'Class:User/Attribute:language/Value:EN US+' => 'English (U.S.)',
-	'Class:User/Attribute:language/Value:FR FR' => 'French',
+	'Class:User/Attribute:language/Value:FR FR'  => 'French',
 	'Class:User/Attribute:language/Value:FR FR+' => 'French (France)',
-	'Class:User/Attribute:profile_list' => 'Profiles',
-	'Class:User/Attribute:profile_list+' => 'Roles, granting rights for that person',
-	'Class:User/Attribute:allowed_org_list' => 'Allowed Organizations',
-	'Class:User/Attribute:allowed_org_list+' => 'The end user is allowed to see data belonging to the following organizations. If no organization is specified, there is no restriction.',
-	'Class:User/Attribute:status' => 'Status',
-	'Class:User/Attribute:status+' => 'Whether the user account is enabled or disabled.',
-	'Class:User/Attribute:status/Value:enabled' => 'Enabled',
+	'Class:User/Attribute:profile_list'          => 'Profiles',
+	'Class:User/Attribute:profile_list+'         => 'Roles, granting rights for that person',
+	'Class:User/Attribute:allowed_org_list'      => 'Allowed Organizations',
+	'Class:User/Attribute:allowed_org_list+'     => 'The end user is allowed to see data belonging to the following organizations. If no organization is specified, there is no restriction.',
+	'Class:User/Attribute:status'                => 'Status',
+	'Class:User/Attribute:status+'               => 'Whether the user account is enabled or disabled.',
+	'Class:User/Attribute:status/Value:enabled'  => 'Enabled',
 	'Class:User/Attribute:status/Value:disabled' => 'Disabled',

-	'Class:User/Error:LoginMustBeUnique' => 'Login must be unique - "%1s" is already being used.',
-	'Class:User/Error:AtLeastOneProfileIsNeeded' => 'At least one profile must be assigned to this user.',
+	'Class:User/Error:LoginMustBeUnique'              => 'Login must be unique - "%1$s" is already being used.',
+	'Class:User/Error:AtLeastOneProfileIsNeeded'      => 'At least one profile must be assigned to this user.',
+	'Class:User/Error:ProfileNotAllowed'              => 'Profile "%1$s" cannot be added it will deny the access to backoffice',
 	'Class:User/Error:AtLeastOneOrganizationIsNeeded' => 'At least one organization must be assigned to this user.',
-	'Class:User/Error:OrganizationNotAllowed' => 'Organization not allowed.',
-	'Class:User/Error:UserOrganizationNotAllowed' => 'The user account does not belong to your allowed organizations.',
-	'Class:User/Error:PersonIsMandatory' => 'The Contact is mandatory.',
-	'Class:UserInternal' => 'User Internal',
-	'Class:UserInternal+' => 'User defined within '.ITOP_APPLICATION_SHORT,
+	'Class:User/Error:OrganizationNotAllowed'         => 'Organization not allowed.',
+	'Class:User/Error:UserOrganizationNotAllowed'     => 'The user account does not belong to your allowed organizations.',
+	'Class:User/Error:PersonIsMandatory'              => 'The Contact is mandatory.',
+	'Class:UserInternal'                              => 'User Internal',
+	'Class:UserInternal+'                             => 'User defined within '.ITOP_APPLICATION_SHORT,
 ));

 //
--- a/dictionaries/fr.dictionary.itop.ui.php
+++ b/dictionaries/fr.dictionary.itop.ui.php
@@ -110,6 +110,7 @@ Dict::Add('FR FR', 'French', 'Français', array(

 	'Class:User/Error:LoginMustBeUnique' => 'Le login doit être unique - "%1s" est déjà utilisé.',
 	'Class:User/Error:AtLeastOneProfileIsNeeded' => 'L\'utilisateur doit avoir au moins un profil.',
+	'Class:User/Error:ProfileNotAllowed' => 'Le profil "%1$s" ne peux pas être ajouté à son propre utilisateur, il interdit l\'accès à la console',
 	'Class:User/Error:AtLeastOneOrganizationIsNeeded' => 'L\'utilisateur doit avoir au moins une organisation.',
 	'Class:User/Error:OrganizationNotAllowed' => 'Organisation non autorisée.',
 	'Class:User/Error:UserOrganizationNotAllowed' => 'L\'utilisateur n\'appartient pas à vos organisations.',