N°4534 - creation of a new category 'filter' to hide admins from
non-admins without breaking legacy code.
@@ -34,7 +34,7 @@ class URP_Profiles extends UserRightsBaseClassGUI
|
||||
{
|
||||
$aParams = array
|
||||
(
|
||||
"category" => "addon/userrights,grant_by_profile,silo",
|
||||
"category" => "addon/userrights,grant_by_profile,filter",
|
||||
"key_type" => "autoincrement",
|
||||
"name_attcode" => "name",
|
||||
"state_attcode" => "",
|
||||
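Review bot: Switching the category from `silo` to `filter` on the `"category"` line changes the read semantics of URP_Profiles (and of URP_UserProfile in the next hunk): per the add-on change in this same commit, 'filter' classes are no longer subject to the grant-matrix read check and are always readable, with the add-on only restricting the result set. That is a deliberate loosening and should be stated next to the declaration so it is not "fixed" back to 'silo' later; I would add above the `"category"` line `// N°4534 - 'filter' instead of 'silo': read is always granted, the user-rights add-on restricts the result set (see UserRightsProfile::GetSelectFilter)`. The same comment applies to the URP_UserProfile hunk. The enclosing Init() method starts and ends outside both hunks.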
@@ -219,7 +219,7 @@ class URP_UserProfile extends UserRightsBaseClassGUI
|
||||
{
|
||||
$aParams = array
|
||||
(
|
||||
"category" => "addon/userrights,grant_by_profile,silo",
|
||||
"category" => "addon/userrights,grant_by_profile,filter",
|
||||
"key_type" => "autoincrement",
|
||||
"name_attcode" => array("userlogin", "profile"),
|
||||
"state_attcode" => "",
|
||||
@@ -610,8 +610,11 @@ class UserRightsProfile extends UserRightsAddOnAPI
|
||||
{
|
||||
$this->LoadCache();
|
||||
|
||||
if (!static::IsAdministrator($oUser)) // Let us pass an administrator for testing without the need of setting up complex profile
|
||||
// Let us pass an administrator for bypassing the grant matrix check in order to test this method without the need to set up a complex profile
|
||||
// In the nominal case Administrators never end up here (since they completely bypass GetSelectFilter)
|
||||
if (!static::IsAdministrator($oUser) && (MetaModel::HasCategory($sClass, 'silo') || MetaModel::HasCategory($sClass, 'bizmodel')))
|
||||
{
|
||||
// N°4354 - Categories 'silo' and 'bizmodel' do check the grant matrix. Whereas 'filter' always allows to read (but the result can be filtered)
|
||||
$aObjectPermissions = $this->GetUserActionGrant($oUser, $sClass, UR_ACTION_READ);
|
||||
if ($aObjectPermissions['permission'] == UR_ALLOWED_NO)
|
||||
{
|
||||
|
||||
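Review bot: The ticket number in the new comment `// N°4354 - Categories 'silo' and 'bizmodel' do check the grant matrix ...` does not match the commit title (N°4534); it should read `// N°4534 - ...` so the reference resolves. Since the new condition skips the grant-matrix check entirely for classes that are neither 'silo' nor 'bizmodel', a 'filter' class with UR_ALLOWED_NO read permission now falls through to the rest of this method; presumably the restriction for such classes is applied further down, but that part is outside the hunk and worth a one-line pointer here, e.g. `// 'filter' classes fall through: the restriction (if any) is applied below`. The enclosing method starts and ends outside the hunk.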
@@ -1507,7 +1507,7 @@ class UserRights
|
||||
try
|
||||
{
|
||||
// Check Bug 1436 for details
|
||||
if (MetaModel::HasCategory($sClass, 'bizmodel') || MetaModel::HasCategory($sClass, 'silo'))
|
||||
if (MetaModel::HasCategory($sClass, 'bizmodel') || MetaModel::HasCategory($sClass, 'silo') || MetaModel::HasCategory($sClass, 'filter'))
|
||||
{
|
||||
return self::$m_oAddOn->GetSelectFilter(self::$m_oUser, $sClass, $aSettings);
|
||||
}
|
||||
|
||||
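Review bot: The pre-existing comment `// Check Bug 1436 for details` above the changed `if` now covers only two of the three categories; the reason 'filter' classes are also routed to the add-on is not recorded anywhere in this file. I would extend it to `// Check Bug 1436 for details; N°4534: 'filter' classes are also delegated so the add-on can restrict the result set without a grant check`. Note that this three-way set intentionally differs from the two-way set checked in UserRightsProfile::GetSelectFilter in this same commit, which a reader might otherwise take for an inconsistency. The enclosing method starts and ends outside the hunk.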
@@ -30,6 +30,7 @@ use Combodo\iTop\Test\UnitTest\ItopDataTestCase;
|
||||
use CoreCannotSaveObjectException;
|
||||
use CoreException;
|
||||
use DBObject;
|
||||
use DBObjectSearch;
|
||||
use DBObjectSet;
|
||||
use DeleteException;
|
||||
use URP_UserProfile;
|
||||
@@ -460,4 +461,68 @@ class UserRightsTest extends ItopDataTestCase
|
||||
$_SESSION = [];
|
||||
}
|
||||
|
||||
/**
|
||||
*@dataProvider NonAdminCanListOwnProfilesProvider
|
||||
*/
|
||||
public function testNonAdminCanListOwnProfiles($bHideAdministrators)
|
||||
{
|
||||
$oUser = $this->AddUser('test1', 2); // portal user
|
||||
$_SESSION = [];
|
||||
utils::GetConfig()->Set('security.hide_administrators', $bHideAdministrators);
|
||||
UserRights::Login('test1');
|
||||
|
||||
// List the link between the User and the Profiles
|
||||
$oSearch = new DBObjectSearch('URP_UserProfile');
|
||||
$oSearch->AddCondition('userid', $oUser->GetKey());
|
||||
$oSet = new DBObjectSet($oSearch);
|
||||
$this->assertEquals(1, $oSet->Count());
|
||||
|
||||
// Get the Profiles as well
|
||||
$oSearch = DBObjectSearch::FromOQL('SELECT URP_Profiles JOIN URP_UserProfile ON URP_UserProfile.profileid = URP_Profiles.id WHERE URP_UserProfile.userid='.$oUser->GetKey());
|
||||
$oSet = new DBObjectSet($oSearch);
|
||||
$this->assertEquals(1, $oSet->Count());
|
||||
|
||||
// logout
|
||||
$_SESSION = [];
|
||||
}
|
||||
|
||||
public function NonAdminCanListOwnProfilesProvider(): array
|
||||
{
|
||||
return [
|
||||
'with Admins visible'=> [false],
|
||||
'with Admins hidden' => [true],
|
||||
];
|
||||
}
|
||||
/**
|
||||
*@dataProvider NonAdminCannotListAdminProfilesProvider
|
||||
*/
|
||||
public function testNonAdminCannotListAdminProfiles($bHideAdministrators, $iExpectedCount)
|
||||
{
|
||||
utils::GetConfig()->Set('security.hide_administrators', $bHideAdministrators);
|
||||
|
||||
$this->AddUser('test1', 2); // portal user
|
||||
$oUserAdmin = $this->AddUser('admin1', 1);
|
||||
$_SESSION = [];
|
||||
UserRights::Login('test1');
|
||||
|
||||
$oSearch = new DBObjectSearch('URP_UserProfile');
|
||||
$oSearch->AddCondition('userid', $oUserAdmin->GetKey());
|
||||
$oSet = new DBObjectSet($oSearch);
|
||||
$this->assertEquals($iExpectedCount, $oSet->Count());
|
||||
// Get the Profiles as well
|
||||
$oSearch = DBObjectSearch::FromOQL('SELECT URP_Profiles JOIN URP_UserProfile ON URP_UserProfile.profileid = URP_Profiles.id WHERE URP_UserProfile.userid='.$oUserAdmin->GetKey());
|
||||
$oSet = new DBObjectSet($oSearch);
|
||||
$this->assertEquals($iExpectedCount, $oSet->Count());
|
||||
|
||||
// logout
|
||||
$_SESSION = [];
|
||||
}
|
||||
|
||||
public function NonAdminCannotListAdminProfilesProvider(): array
|
||||
{
|
||||
return [
|
||||
'with Admins visible'=> [false, 1],
|
||||
'with Admins hidden' => [true, 0],
|
||||
];
|
||||
}
|
||||
}
|
||||
|
||||
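Review bot: Both new tests mutate global state that is not restored when an assertion fails: `utils::GetConfig()->Set('security.hide_administrators', $bHideAdministrators)` is never reset, and the `$_SESSION = [];` "logout" at the end of each test only runs if every preceding assert passes, so a failing dataset can leak a logged-in session and the hidden-administrators flag into later tests (unless the ItopDataTestCase tearDown already resets both — I cannot see it). Moving the `$_SESSION = [];` reset and the config restore into tearDown, or wrapping the body in try/finally, would make the datasets independent. Two smaller points: the data providers should be `public static function ...Provider(): array` and the parameters typed (`bool $bHideAdministrators, int $iExpectedCount`), and `*@dataProvider` is missing the space after `*`. Also, the `use URP_UserProfile;` import added in the previous hunk is not referenced by the visible test code, which only passes the class name as a string to DBObjectSearch; if nothing else in the file uses it, drop it.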