N°1248 - User Management Portal
* Added a new grant_by_profile category that allows to manage certain classes in addition to bizmodel with user profiles.
* The following classes have the new grant_by_profile category:
User, UserInternal, UserLocal, UserLDAP, UserExternal, URP_UserProfile, URP_UserOrg
* For these classes, it is possible to manage access rights with user profiles for non-administrators.
* For these classes, the default behavior of SELECT requests changes from allowed to forbidden.
* For user profiles, the '*' (all classes) grant is limited to the bizmodel category so that existing profiles keep their previous behavior; i.e. for classes in the grant_by_profile category, rights (including READ) must be granted explicitly.
* New constraints have been added, so only an administrator can manage (attach or detach) the 'Administrator' profile.
SVN:trunk[5298]
@@ -239,7 +239,7 @@ class URP_UserProfile extends UserRightsBaseClassGUI
|
||||
{
|
||||
$aParams = array
|
||||
(
|
||||
"category" => "addon/userrights",
|
||||
"category" => "addon/userrights,grant_by_profile",
|
||||
"key_type" => "autoincrement",
|
||||
"name_attcode" => "userid",
|
||||
"state_attcode" => "",
|
||||
@@ -284,6 +284,34 @@ class URP_UserProfile extends UserRightsBaseClassGUI
|
||||
}
|
||||
return parent::CheckToDelete($oDeletionPlan);
|
||||
}
|
||||
|
||||
protected function OnInsert()
|
||||
{
|
||||
$this->CheckIfProfileIsAllowed(UR_ACTION_CREATE);
|
||||
}
|
||||
|
||||
protected function OnUpdate()
|
||||
{
|
||||
$this->CheckIfProfileIsAllowed(UR_ACTION_MODIFY);
|
||||
}
|
||||
|
||||
protected function OnDelete()
|
||||
{
|
||||
$this->CheckIfProfileIsAllowed(UR_ACTION_DELETE);
|
||||
}
|
||||
|
||||
protected function CheckIfProfileIsAllowed($iActionCode)
|
||||
{
|
||||
if (!UserRights::IsActionAllowed(get_class($this), $iActionCode, DBObjectSet::FromObject($this)))
|
||||
{
|
||||
throw new SecurityException(Dict::Format('UI:Error:ObjectCannotBeUpdated'));
|
||||
}
|
||||
if (UserRights::IsLoggedIn() && !UserRights::IsAdministrator() && ($this->Get('profile') === ADMIN_PROFILE_NAME))
|
||||
{
|
||||
throw new SecurityException(Dict::Format('UI:Login:Error:AccessAdmin'));
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
class URP_UserOrg extends UserRightsBaseClassGUI
|
||||
@@ -292,7 +320,7 @@ class URP_UserOrg extends UserRightsBaseClassGUI
|
||||
{
|
||||
$aParams = array
|
||||
(
|
||||
"category" => "addon/userrights",
|
||||
"category" => "addon/userrights,grant_by_profile",
|
||||
"key_type" => "autoincrement",
|
||||
"name_attcode" => "userid",
|
||||
"state_attcode" => "",
|
||||
|
||||
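Review bot: The Administrator-profile guard in `CheckIfProfileIsAllowed()` inspects only the current value, `$this->Get('profile')`, so on the `OnUpdate()` path a link that was Administrator before the edit and is being pointed at another profile may pass unchecked, leaving the "detach" half of the constraint described in the commit message unenforced for updates. Whether `Get('profile')` already reflects the pending value at that point is not visible in this hunk; if it does, the condition should also test the stored value, for example `|| ($this->GetOriginal('profile') === ADMIN_PROFILE_NAME)` next to the existing comparison. Separately, the first check relies on truthiness (`!UserRights::IsActionAllowed(...)`) while every other call site touched by this commit compares against `UR_ALLOWED_NO`; writing it as `== UR_ALLOWED_NO` would keep the call sites consistent now that the method returns a tri-state int.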
@@ -1053,6 +1053,7 @@ EOF
|
||||
|
||||
$aExtraFieldsRaw = isset($aExtraParams['extra_fields']) ? explode(',', trim($aExtraParams['extra_fields'])) : array();
|
||||
$aExtraFields = array();
|
||||
$sAttCode = '';
|
||||
foreach ($aExtraFieldsRaw as $sFieldName)
|
||||
{
|
||||
// Ignore attributes not of the main queried class
|
||||
@@ -1077,7 +1078,7 @@ EOF
|
||||
$aAuthorizedClasses = array();
|
||||
foreach($aClasses as $sAlias => $sClassName)
|
||||
{
|
||||
if ( (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) && (UR_ALLOWED_YES || UR_ALLOWED_DEPENDS)) &&
|
||||
if ( (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) != UR_ALLOWED_NO) &&
|
||||
( (count($aDisplayAliases) == 0) || (in_array($sAlias, $aDisplayAliases))) )
|
||||
{
|
||||
$aAuthorizedClasses[$sAlias] = $sClassName;
|
||||
@@ -1166,7 +1167,7 @@ EOF
|
||||
$aAuthorizedClasses = array();
|
||||
foreach($aClasses as $sAlias => $sClassName)
|
||||
{
|
||||
if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) && (UR_ALLOWED_YES || UR_ALLOWED_DEPENDS))
|
||||
if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) != UR_ALLOWED_NO)
|
||||
{
|
||||
$aAuthorizedClasses[$sAlias] = $sClassName;
|
||||
}
|
||||
@@ -1302,7 +1303,7 @@ EOF
|
||||
$aAuthorizedClasses = array();
|
||||
foreach($aClasses as $sAlias => $sClassName)
|
||||
{
|
||||
if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) && (UR_ALLOWED_YES || UR_ALLOWED_DEPENDS))
|
||||
if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) != UR_ALLOWED_NO)
|
||||
{
|
||||
$aAuthorizedClasses[$sAlias] = $sClassName;
|
||||
}
|
||||
@@ -1465,7 +1466,7 @@ EOF
|
||||
$aAuthorizedClasses = array();
|
||||
foreach($aClasses as $sAlias => $sClassName)
|
||||
{
|
||||
if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) && (UR_ALLOWED_YES || UR_ALLOWED_DEPENDS))
|
||||
if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) != UR_ALLOWED_NO)
|
||||
{
|
||||
$aAuthorizedClasses[$sAlias] = $sClassName;
|
||||
}
|
||||
|
||||
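Review bot: The corrected gate `UserRights::IsActionAllowed(...) != UR_ALLOWED_NO` is copy-pasted at four places in this file and again in the DisplayBlock, ExcelExporter, utils, TabularBulkExport and XMLBulkExport sections, exactly as the constant-true `&& (UR_ALLOWED_YES || UR_ALLOWED_DEPENDS)` form it replaces had been. These are the read-authorization checks for lists and exports, so a single boolean helper on `UserRights` wrapping the comparison would stop them from drifting apart again. Failing that, each site deserves a short comment such as `// UR_ALLOWED_DEPENDS is treated as allowed at class level`, since that is what `!= UR_ALLOWED_NO` now encodes. The enclosing methods start and end outside these hunks, so how the object set is filtered afterwards cannot be confirmed from here.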
@@ -602,7 +602,7 @@ class DisplayBlock
|
||||
// Check the classes that can be read (i.e authorized) by this user...
|
||||
foreach($aClasses as $sAlias => $sClassName)
|
||||
{
|
||||
if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $this->m_oSet) && (UR_ALLOWED_YES || UR_ALLOWED_DEPENDS))
|
||||
if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $this->m_oSet) != UR_ALLOWED_NO)
|
||||
{
|
||||
$aAuthorizedClasses[$sAlias] = $sClassName;
|
||||
}
|
||||
|
||||
@@ -462,7 +462,7 @@ class ExcelExporter
|
||||
$this->aAuthorizedClasses = array();
|
||||
foreach($aClasses as $sAlias => $sClassName)
|
||||
{
|
||||
if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) && (UR_ALLOWED_YES || UR_ALLOWED_DEPENDS))
|
||||
if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) != UR_ALLOWED_NO)
|
||||
{
|
||||
$this->aAuthorizedClasses[$sAlias] = $sClassName;
|
||||
}
|
||||
|
||||
@@ -961,7 +961,7 @@ class utils
|
||||
new URLPopupMenuItem('UI:Menu:EMail', Dict::S('UI:Menu:EMail'), "mailto:?body=".urlencode($sUrl).' '), // Add an extra space to make it work in Outlook
|
||||
);
|
||||
|
||||
if (UserRights::IsActionAllowed($param->GetFilter()->GetClass(), UR_ACTION_BULK_READ, $param) && (UR_ALLOWED_YES || UR_ALLOWED_DEPENDS))
|
||||
if (UserRights::IsActionAllowed($param->GetFilter()->GetClass(), UR_ACTION_BULK_READ, $param) != UR_ALLOWED_NO)
|
||||
{
|
||||
// Bulk export actions
|
||||
$aResult[] = new JSPopupMenuItem('UI:Menu:CSVExport', Dict::S('UI:Menu:CSVExport'), "ExportListDlg('$sOQL', '$sDataTableId', 'csv', ".json_encode(Dict::S('UI:Menu:CSVExport')).")");
|
||||
|
||||
@@ -188,7 +188,7 @@ abstract class TabularBulkExport extends BulkExport
|
||||
$aAuthorizedClasses = array();
|
||||
foreach($aSelectedClasses as $sAlias => $sClassName)
|
||||
{
|
||||
if (UserRights::IsActionAllowed($sClassName, UR_ACTION_BULK_READ, $oSet) && (UR_ALLOWED_YES || UR_ALLOWED_DEPENDS))
|
||||
if (UserRights::IsActionAllowed($sClassName, UR_ACTION_BULK_READ, $oSet) != UR_ALLOWED_NO)
|
||||
{
|
||||
$aAuthorizedClasses[$sAlias] = $sClassName;
|
||||
}
|
||||
|
||||
@@ -168,7 +168,7 @@ abstract class User extends cmdbAbstractObject
|
||||
{
|
||||
$aParams = array
|
||||
(
|
||||
"category" => "core",
|
||||
"category" => "core,grant_by_profile",
|
||||
"key_type" => "autoincrement",
|
||||
"name_attcode" => "login",
|
||||
"state_attcode" => "",
|
||||
@@ -422,7 +422,7 @@ abstract class UserInternal extends User
|
||||
{
|
||||
$aParams = array
|
||||
(
|
||||
"category" => "core",
|
||||
"category" => "core,grant_by_profile",
|
||||
"key_type" => "autoincrement",
|
||||
"name_attcode" => "login",
|
||||
"state_attcode" => "",
|
||||
@@ -568,7 +568,7 @@ class UserRights
|
||||
return $bRes;
|
||||
}
|
||||
|
||||
protected static function IsLoggedIn()
|
||||
public static function IsLoggedIn()
|
||||
{
|
||||
if (self::$m_oUser == null)
|
||||
{
|
||||
@@ -710,6 +710,7 @@ class UserRights
|
||||
}
|
||||
else
|
||||
{
|
||||
$oUser->AllowWrite(true);
|
||||
return $oUser->ChangePassword($sOldPassword, $sNewPassword);
|
||||
}
|
||||
}
|
||||
@@ -929,7 +930,7 @@ class UserRights
|
||||
|
||||
if (self::IsAdministrator()) return true;
|
||||
|
||||
if (MetaModel::HasCategory($sClass, 'bizmodel'))
|
||||
if (MetaModel::HasCategory($sClass, 'bizmodel') || MetaModel::HasCategory($sClass, 'grant_by_profile'))
|
||||
{
|
||||
return self::$m_oAddOn->GetSelectFilter(self::$m_oUser, $sClass, $aSettings);
|
||||
}
|
||||
@@ -939,18 +940,25 @@ class UserRights
|
||||
}
|
||||
}
|
||||
|
||||
public static function IsActionAllowed($sClass, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null, $oUser = null)
|
||||
/**
|
||||
* @param string $sClass
|
||||
* @param int $iActionCode
|
||||
* @param DBObjectSet $oInstanceSet
|
||||
* @param User $oUser
|
||||
* @return int (UR_ALLOWED_YES|UR_ALLOWED_NO|UR_ALLOWED_DEPENDS)
|
||||
*/
|
||||
public static function IsActionAllowed($sClass, $iActionCode, /*dbObjectSet*/$oInstanceSet = null, $oUser = null)
|
||||
{
|
||||
// When initializing, we need to let everything pass trough
|
||||
if (!self::CheckLogin()) return true;
|
||||
if (!self::CheckLogin()) return UR_ALLOWED_YES;
|
||||
|
||||
if (MetaModel::DBIsReadOnly())
|
||||
{
|
||||
if ($iActionCode == UR_ACTION_CREATE) return false;
|
||||
if ($iActionCode == UR_ACTION_MODIFY) return false;
|
||||
if ($iActionCode == UR_ACTION_BULK_MODIFY) return false;
|
||||
if ($iActionCode == UR_ACTION_DELETE) return false;
|
||||
if ($iActionCode == UR_ACTION_BULK_DELETE) return false;
|
||||
if ($iActionCode == UR_ACTION_CREATE) return UR_ALLOWED_NO;
|
||||
if ($iActionCode == UR_ACTION_MODIFY) return UR_ALLOWED_NO;
|
||||
if ($iActionCode == UR_ACTION_BULK_MODIFY) return UR_ALLOWED_NO;
|
||||
if ($iActionCode == UR_ACTION_DELETE) return UR_ALLOWED_NO;
|
||||
if ($iActionCode == UR_ACTION_BULK_DELETE) return UR_ALLOWED_NO;
|
||||
}
|
||||
|
||||
$aPredefinedObjects = call_user_func(array($sClass, 'GetPredefinedObjects'));
|
||||
@@ -959,14 +967,14 @@ class UserRights
|
||||
// As opposed to the read-only DB, modifying an object is allowed
|
||||
// (the constant columns will be marked as read-only)
|
||||
//
|
||||
if ($iActionCode == UR_ACTION_CREATE) return false;
|
||||
if ($iActionCode == UR_ACTION_DELETE) return false;
|
||||
if ($iActionCode == UR_ACTION_BULK_DELETE) return false;
|
||||
if ($iActionCode == UR_ACTION_CREATE) return UR_ALLOWED_NO;
|
||||
if ($iActionCode == UR_ACTION_DELETE) return UR_ALLOWED_NO;
|
||||
if ($iActionCode == UR_ACTION_BULK_DELETE) return UR_ALLOWED_NO;
|
||||
}
|
||||
|
||||
if (self::IsAdministrator($oUser)) return true;
|
||||
if (self::IsAdministrator($oUser)) return UR_ALLOWED_YES;
|
||||
|
||||
if (MetaModel::HasCategory($sClass, 'bizmodel'))
|
||||
if (MetaModel::HasCategory($sClass, 'bizmodel') || MetaModel::HasCategory($sClass, 'grant_by_profile'))
|
||||
{
|
||||
if (is_null($oUser))
|
||||
{
|
||||
@@ -982,12 +990,12 @@ class UserRights
|
||||
}
|
||||
elseif(($iActionCode == UR_ACTION_READ) && MetaModel::HasCategory($sClass, 'view_in_gui'))
|
||||
{
|
||||
return true;
|
||||
return UR_ALLOWED_YES;
|
||||
}
|
||||
else
|
||||
{
|
||||
// Other classes could be edited/listed by the administrators
|
||||
return false;
|
||||
return UR_ALLOWED_NO;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1018,32 +1026,45 @@ class UserRights
|
||||
}
|
||||
}
|
||||
|
||||
public static function IsActionAllowedOnAttribute($sClass, $sAttCode, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null, $oUser = null)
|
||||
/**
|
||||
* @param string $sClass
|
||||
* @param string $sAttCode
|
||||
* @param int $iActionCode
|
||||
* @param DBObjectSet $oInstanceSet
|
||||
* @param User $oUser
|
||||
* @return int (UR_ALLOWED_YES|UR_ALLOWED_NO)
|
||||
*/
|
||||
public static function IsActionAllowedOnAttribute($sClass, $sAttCode, $iActionCode, /*dbObjectSet*/$oInstanceSet = null, $oUser = null)
|
||||
{
|
||||
// When initializing, we need to let everything pass trough
|
||||
if (!self::CheckLogin()) return true;
|
||||
if (!self::CheckLogin()) return UR_ALLOWED_YES;
|
||||
|
||||
if (MetaModel::DBIsReadOnly())
|
||||
{
|
||||
if ($iActionCode == UR_ACTION_MODIFY) return false;
|
||||
if ($iActionCode == UR_ACTION_DELETE) return false;
|
||||
if ($iActionCode == UR_ACTION_BULK_MODIFY) return false;
|
||||
if ($iActionCode == UR_ACTION_BULK_DELETE) return false;
|
||||
if ($iActionCode == UR_ACTION_MODIFY) return UR_ALLOWED_NO;
|
||||
if ($iActionCode == UR_ACTION_DELETE) return UR_ALLOWED_NO;
|
||||
if ($iActionCode == UR_ACTION_BULK_MODIFY) return falUR_ALLOWED_NOse;
|
||||
if ($iActionCode == UR_ACTION_BULK_DELETE) return UR_ALLOWED_NO;
|
||||
}
|
||||
|
||||
if (self::IsAdministrator($oUser)) return true;
|
||||
if (self::IsAdministrator($oUser)) return UR_ALLOWED_YES;
|
||||
|
||||
if (MetaModel::HasCategory($sClass, 'bizmodel') || MetaModel::HasCategory($sClass, 'grant_by_profile'))
|
||||
{
|
||||
if (is_null($oUser))
|
||||
{
|
||||
$oUser = self::$m_oUser;
|
||||
}
|
||||
return self::$m_oAddOn->IsActionAllowedOnAttribute($oUser, $sClass, $sAttCode, $iActionCode, $oInstanceSet);
|
||||
}
|
||||
|
||||
// this module is forbidden for non admins
|
||||
if (MetaModel::HasCategory($sClass, 'addon/userrights')) return false;
|
||||
if (MetaModel::HasCategory($sClass, 'addon/userrights')) return UR_ALLOWED_NO;
|
||||
|
||||
// the rest is allowed
|
||||
return UR_ALLOWED_YES;
|
||||
|
||||
// the rest is allowed (#@# to be improved)
|
||||
if (!MetaModel::HasCategory($sClass, 'bizmodel')) return true;
|
||||
|
||||
if (is_null($oUser))
|
||||
{
|
||||
$oUser = self::$m_oUser;
|
||||
}
|
||||
return self::$m_oAddOn->IsActionAllowedOnAttribute($oUser, $sClass, $sAttCode, $iActionCode, $oInstanceSet);
|
||||
}
|
||||
|
||||
protected static $m_aAdmins = array();
|
||||
|
||||
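Review bot: In the read-only-database branch of `IsActionAllowedOnAttribute()`, the `UR_ACTION_BULK_MODIFY` line reads `return falUR_ALLOWED_NOse;` as rendered on this page, which is an undefined constant rather than a denial. PHP 8 raises an Error there, and older versions fall back to the bare name as a non-empty string, which any caller testing the result for truthiness would read as allowed while the database is read-only. It should match its neighbours: `if ($iActionCode == UR_ACTION_BULK_MODIFY) return UR_ALLOWED_NO;`. The new docblock on this method also promises `UR_ALLOWED_YES|UR_ALLOWED_NO`, but the bizmodel/grant_by_profile branch returns whatever the add-on gives back, so that contract depends on an implementation outside this section.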
@@ -108,7 +108,7 @@ class XMLBulkExport extends BulkExport
|
||||
$aClass2Attributes = array();
|
||||
foreach($aClasses as $sAlias => $sClassName)
|
||||
{
|
||||
if (UserRights::IsActionAllowed($sClassName, UR_ACTION_BULK_READ, $oSet) && (UR_ALLOWED_YES || UR_ALLOWED_DEPENDS))
|
||||
if (UserRights::IsActionAllowed($sClassName, UR_ACTION_BULK_READ, $oSet) != UR_ALLOWED_NO)
|
||||
{
|
||||
$aAuthorizedClasses[$sAlias] = $sClassName;
|
||||
$aAttributes = array();
|
||||
|
||||
@@ -37,7 +37,7 @@ class UserExternal extends User
|
||||
{
|
||||
$aParams = array
|
||||
(
|
||||
"category" => "addon/authentication",
|
||||
"category" => "addon/authentication,grant_by_profile",
|
||||
"key_type" => "autoincrement",
|
||||
"name_attcode" => "login",
|
||||
"state_attcode" => "",
|
||||
|
||||
@@ -32,7 +32,7 @@ class UserLDAP extends UserInternal
|
||||
{
|
||||
$aParams = array
|
||||
(
|
||||
"category" => "addon/authentication",
|
||||
"category" => "addon/authentication,grant_by_profile",
|
||||
"key_type" => "autoincrement",
|
||||
"name_attcode" => "login",
|
||||
"state_attcode" => "",
|
||||
|
||||
@@ -32,7 +32,7 @@ class UserLocal extends UserInternal
|
||||
{
|
||||
$aParams = array
|
||||
(
|
||||
"category" => "addon/authentication",
|
||||
"category" => "addon/authentication,grant_by_profile",
|
||||
"key_type" => "autoincrement",
|
||||
"name_attcode" => "login",
|
||||
"state_attcode" => "",
|
||||
|
||||
@@ -2167,16 +2167,21 @@ class ProfilesConfig
|
||||
if (!\$bAllow) return false;
|
||||
}
|
||||
|
||||
// 4 - All
|
||||
// 4 - All (only for bizmodel)
|
||||
// As the profiles now manage also grant_by_profile category,
|
||||
// '*' is restricted to bizmodel to avoid openning the access for the existing profiles.
|
||||
//
|
||||
\$sGrantKey = \$iProfileId.'_*_'.\$sAction;
|
||||
if (isset(self::\$aGRANTS[\$sGrantKey]))
|
||||
{
|
||||
\$bAllow = self::\$aGRANTS[\$sGrantKey];
|
||||
if (\$bLegacyBehavior) return \$bAllow;
|
||||
if (!\$bAllow) return false;
|
||||
if (MetaModel::HasCategory(\$sClass, 'bizmodel'))
|
||||
{
|
||||
\$sGrantKey = \$iProfileId.'_*_'.\$sAction;
|
||||
if (isset(self::\$aGRANTS[\$sGrantKey]))
|
||||
{
|
||||
\$bAllow = self::\$aGRANTS[\$sGrantKey];
|
||||
if (\$bLegacyBehavior) return \$bAllow;
|
||||
if (!\$bAllow) return false;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
// null or true
|
||||
return \$bAllow;
|
||||
}
|
||||
|
||||
@@ -136,46 +136,46 @@ class UserRightsTest extends ItopDataTestCase
|
||||
{
|
||||
return array(
|
||||
/* Administrator (7 = UR_ACTION_CREATE) */
|
||||
array(1 , array('class' => 'FunctionalCI', 'action' => 7, 'res' => true)),
|
||||
array(1 , array('class' => 'UserRequest', 'action' => 7, 'res' => true)),
|
||||
array(1 , array('class' => 'URP_UserProfile', 'action' => 7, 'res' => true)),
|
||||
array(1 , array('class' => 'UserLocal', 'action' => 7, 'res' => true)),
|
||||
array(1 , array('class' => 'ModuleInstallation', 'action' => 7, 'res' => true)),
|
||||
'Administrator FunctionalCI write' => array(1 , array('class' => 'FunctionalCI', 'action' => 7, 'res' => true)),
|
||||
'Administrator UserRequest write' => array(1 , array('class' => 'UserRequest', 'action' => 7, 'res' => true)),
|
||||
'Administrator URP_UserProfile write' => array(1 , array('class' => 'URP_UserProfile', 'action' => 7, 'res' => true)),
|
||||
'Administrator UserLocal write' => array(1 , array('class' => 'UserLocal', 'action' => 7, 'res' => true)),
|
||||
'Administrator ModuleInstallation write' => array(1 , array('class' => 'ModuleInstallation', 'action' => 7, 'res' => true)),
|
||||
|
||||
/* User Portal (7 = UR_ACTION_CREATE) */
|
||||
array(2 , array('class' => 'FunctionalCI', 'action' => 7, 'res' => false)),
|
||||
array(2 , array('class' => 'UserRequest', 'action' => 7, 'res' => true)),
|
||||
array(2 , array('class' => 'URP_UserProfile', 'action' => 7, 'res' => false)),
|
||||
array(2 , array('class' => 'UserLocal', 'action' => 7, 'res' => false)),
|
||||
array(2 , array('class' => 'ModuleInstallation', 'action' => 7, 'res' => false)),
|
||||
'User Portal FunctionalCI write' => array(2 , array('class' => 'FunctionalCI', 'action' => 7, 'res' => false)),
|
||||
'User Portal UserRequest write' => array(2 , array('class' => 'UserRequest', 'action' => 7, 'res' => true)),
|
||||
'User Portal URP_UserProfile write' => array(2 , array('class' => 'URP_UserProfile', 'action' => 7, 'res' => false)),
|
||||
'User Portal UserLocal write' => array(2 , array('class' => 'UserLocal', 'action' => 7, 'res' => false)),
|
||||
'User Portal ModuleInstallation write' => array(2 , array('class' => 'ModuleInstallation', 'action' => 7, 'res' => false)),
|
||||
|
||||
/* Configuration manager (7 = UR_ACTION_CREATE) */
|
||||
array(3 , array('class' => 'FunctionalCI', 'action' => 7, 'res' => true)),
|
||||
array(3 , array('class' => 'UserRequest', 'action' => 7, 'res' => false)),
|
||||
array(3 , array('class' => 'URP_UserProfile', 'action' => 7, 'res' => false)),
|
||||
array(3 , array('class' => 'UserLocal', 'action' => 7, 'res' => false)),
|
||||
array(3 , array('class' => 'ModuleInstallation', 'action' => 7, 'res' => false)),
|
||||
'Configuration manager FunctionalCI write' => array(3 , array('class' => 'FunctionalCI', 'action' => 7, 'res' => true)),
|
||||
'Configuration manager UserRequest write' => array(3 , array('class' => 'UserRequest', 'action' => 7, 'res' => false)),
|
||||
'Configuration manager URP_UserProfile write' => array(3 , array('class' => 'URP_UserProfile', 'action' => 7, 'res' => false)),
|
||||
'Configuration manager UserLocal write' => array(3 , array('class' => 'UserLocal', 'action' => 7, 'res' => false)),
|
||||
'Configuration manager ModuleInstallation write' => array(3 , array('class' => 'ModuleInstallation', 'action' => 7, 'res' => false)),
|
||||
|
||||
/* Administrator (1 = UR_ACTION_READ) */
|
||||
array(1 , array('class' => 'FunctionalCI', 'action' => 1, 'res' => true)),
|
||||
array(1 , array('class' => 'UserRequest', 'action' => 1, 'res' => true)),
|
||||
array(1 , array('class' => 'URP_UserProfile', 'action' => 1, 'res' => true)),
|
||||
array(1 , array('class' => 'UserLocal', 'action' => 1, 'res' => true)),
|
||||
array(1 , array('class' => 'ModuleInstallation', 'action' => 1, 'res' => true)),
|
||||
'Administrator FunctionalCI read' => array(1 , array('class' => 'FunctionalCI', 'action' => 1, 'res' => true)),
|
||||
'Administrator UserRequest read' => array(1 , array('class' => 'UserRequest', 'action' => 1, 'res' => true)),
|
||||
'Administrator URP_UserProfile read' => array(1 , array('class' => 'URP_UserProfile', 'action' => 1, 'res' => true)),
|
||||
'Administrator UserLocal read' => array(1 , array('class' => 'UserLocal', 'action' => 1, 'res' => true)),
|
||||
'Administrator ModuleInstallation read' => array(1 , array('class' => 'ModuleInstallation', 'action' => 1, 'res' => true)),
|
||||
|
||||
/* User Portal (1 = UR_ACTION_READ) */
|
||||
array(2 , array('class' => 'FunctionalCI', 'action' => 1, 'res' => true)),
|
||||
array(2 , array('class' => 'UserRequest', 'action' => 1, 'res' => true)),
|
||||
array(2 , array('class' => 'URP_UserProfile', 'action' => 1, 'res' => false)),
|
||||
array(2 , array('class' => 'UserLocal', 'action' => 1, 'res' => false)),
|
||||
array(2 , array('class' => 'ModuleInstallation', 'action' => 1, 'res' => true)),
|
||||
'User Portal FunctionalCI read' => array(2 , array('class' => 'FunctionalCI', 'action' => 1, 'res' => true)),
|
||||
'User Portal UserRequest read' => array(2 , array('class' => 'UserRequest', 'action' => 1, 'res' => true)),
|
||||
'User Portal URP_UserProfile read' => array(2 , array('class' => 'URP_UserProfile', 'action' => 1, 'res' => false)),
|
||||
'User Portal UserLocal read' => array(2 , array('class' => 'UserLocal', 'action' => 1, 'res' => false)),
|
||||
'User Portal ModuleInstallation read' => array(2 , array('class' => 'ModuleInstallation', 'action' => 1, 'res' => true)),
|
||||
|
||||
/* Configuration manager (1 = UR_ACTION_READ) */
|
||||
array(3 , array('class' => 'FunctionalCI', 'action' => 1, 'res' => true)),
|
||||
array(3 , array('class' => 'UserRequest', 'action' => 1, 'res' => true)),
|
||||
array(3 , array('class' => 'URP_UserProfile', 'action' => 1, 'res' => false)),
|
||||
array(3 , array('class' => 'UserLocal', 'action' => 1, 'res' => false)),
|
||||
array(3 , array('class' => 'ModuleInstallation', 'action' => 1, 'res' => true)),
|
||||
'Configuration manager FunctionalCI read' => array(3 , array('class' => 'FunctionalCI', 'action' => 1, 'res' => true)),
|
||||
'Configuration manager UserRequest read' => array(3 , array('class' => 'UserRequest', 'action' => 1, 'res' => true)),
|
||||
'Configuration manager URP_UserProfile read' => array(3 , array('class' => 'URP_UserProfile', 'action' => 1, 'res' => false)),
|
||||
'Configuration manager UserLocal read' => array(3 , array('class' => 'UserLocal', 'action' => 1, 'res' => false)),
|
||||
'Configuration manager ModuleInstallation read' =>array(3 , array('class' => 'ModuleInstallation', 'action' => 1, 'res' => true)),
|
||||
);
|
||||
}
|
||||
|
||||
@@ -200,8 +200,8 @@ class UserRightsTest extends ItopDataTestCase
|
||||
/*
|
||||
* FunctionalCI => bizmodel searchable
|
||||
* UserRequest => bizmodel searchable requestmgmt
|
||||
* URP_UserProfile => addon/userrights
|
||||
* UserLocal => addon/authentication
|
||||
* URP_UserProfile => addon/userrights grant_by_profile
|
||||
* UserLocal => addon/authentication grant_by_profile
|
||||
* ModuleInstallation => core view_in_gui
|
||||
*
|
||||
*/
|
||||
@@ -209,25 +209,25 @@ class UserRightsTest extends ItopDataTestCase
|
||||
{
|
||||
$aClassActionResult = array(
|
||||
/* Administrator (2 = UR_ACTION_MODIFY) */
|
||||
array(1 , array('class' => 'FunctionalCI', 'action' => 2, 'res' => true)),
|
||||
array(1 , array('class' => 'UserRequest', 'action' => 2, 'res' => true)),
|
||||
array(1 , array('class' => 'URP_UserProfile', 'action' => 2, 'res' => true)),
|
||||
array(1 , array('class' => 'UserLocal', 'action' => 2, 'res' => true)),
|
||||
array(1 , array('class' => 'ModuleInstallation', 'action' => 2, 'res' => true)),
|
||||
'Administrator FunctionalCI' => array(1 , array('class' => 'FunctionalCI', 'action' => 2, 'res' => true)),
|
||||
'Administrator UserRequest' => array(1 , array('class' => 'UserRequest', 'action' => 2, 'res' => true)),
|
||||
'Administrator URP_UserProfile' => array(1 , array('class' => 'URP_UserProfile', 'action' => 2, 'res' => true)),
|
||||
'Administrator UserLocal' => array(1 , array('class' => 'UserLocal', 'action' => 2, 'res' => true)),
|
||||
'Administrator ModuleInstallation' => array(1 , array('class' => 'ModuleInstallation', 'action' => 2, 'res' => true)),
|
||||
|
||||
/* User Portal (2 = UR_ACTION_MODIFY) */
|
||||
array(2 , array('class' => 'FunctionalCI', 'action' => 2, 'res' => false)),
|
||||
array(2 , array('class' => 'UserRequest', 'action' => 2, 'res' => true)),
|
||||
array(2 , array('class' => 'URP_UserProfile', 'action' => 2, 'res' => true)),
|
||||
array(2 , array('class' => 'UserLocal', 'action' => 2, 'res' => true)),
|
||||
array(2 , array('class' => 'ModuleInstallation', 'action' => 2, 'res' => true)),
|
||||
'User Portal FunctionalCI' => array(2 , array('class' => 'FunctionalCI', 'action' => 2, 'res' => false)),
|
||||
'User Portal UserRequest' => array(2 , array('class' => 'UserRequest', 'action' => 2, 'res' => true)),
|
||||
'User Portal URP_UserProfile' => array(2 , array('class' => 'URP_UserProfile', 'action' => 2, 'res' => false)),
|
||||
'User Portal UserLocal' => array(2 , array('class' => 'UserLocal', 'action' => 2, 'res' => false)),
|
||||
'User Portal ModuleInstallation' => array(2 , array('class' => 'ModuleInstallation', 'action' => 2, 'res' => true)),
|
||||
|
||||
/* Configuration manager (2 = UR_ACTION_MODIFY) */
|
||||
array(3 , array('class' => 'FunctionalCI', 'action' => 2, 'res' => true)),
|
||||
array(3 , array('class' => 'UserRequest', 'action' => 2, 'res' => false)),
|
||||
array(3 , array('class' => 'URP_UserProfile', 'action' => 2, 'res' => true)),
|
||||
array(3 , array('class' => 'UserLocal', 'action' => 2, 'res' => true)),
|
||||
array(3 , array('class' => 'ModuleInstallation', 'action' => 2, 'res' => true)),
|
||||
'Configuration manager FunctionalCI' => array(3 , array('class' => 'FunctionalCI', 'action' => 2, 'res' => true)),
|
||||
'Configuration manager UserRequest' => array(3 , array('class' => 'UserRequest', 'action' => 2, 'res' => false)),
|
||||
'Configuration manager URP_UserProfile' => array(3 , array('class' => 'URP_UserProfile', 'action' => 2, 'res' => false)),
|
||||
'Configuration manager UserLocal' => array(3 , array('class' => 'UserLocal', 'action' => 2, 'res' => false)),
|
||||
'Configuration manager ModuleInstallation' => array(3 , array('class' => 'ModuleInstallation', 'action' => 2, 'res' => true)),
|
||||
);
|
||||
|
||||
return $aClassActionResult;
|
||||
|
||||
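Review bot: The datasets still express the expected outcome as a boolean `res`, although `IsActionAllowed()` is now documented as returning `UR_ALLOWED_YES|UR_ALLOWED_NO|UR_ALLOWED_DEPENDS`. The assertions are outside these hunks, but if they compare loosely, a `UR_ALLOWED_DEPENDS` result would satisfy `'res' => true`, and the tests could not tell a full grant from a conditional one on the User and URP_UserProfile classes. Consider carrying the expected tri-state value in `res`, or add a comment on the providers stating that any result other than `UR_ALLOWED_NO` is accepted. The 'write' suffix on the action-7 dataset names would also read better as 'create', matching the `7 = UR_ACTION_CREATE` comments.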