diff --git a/addons/userrights/userrightsprofile.class.inc.php b/addons/userrights/userrightsprofile.class.inc.php index a7e87d19c..7325661c0 100644 --- a/addons/userrights/userrightsprofile.class.inc.php +++ b/addons/userrights/userrightsprofile.class.inc.php @@ -239,7 +239,7 @@ class URP_UserProfile extends UserRightsBaseClassGUI { $aParams = array ( - "category" => "addon/userrights", + "category" => "addon/userrights,grant_by_profile", "key_type" => "autoincrement", "name_attcode" => "userid", "state_attcode" => "", @@ -284,6 +284,34 @@ class URP_UserProfile extends UserRightsBaseClassGUI } return parent::CheckToDelete($oDeletionPlan); } + + protected function OnInsert() + { + $this->CheckIfProfileIsAllowed(UR_ACTION_CREATE); + } + + protected function OnUpdate() + { + $this->CheckIfProfileIsAllowed(UR_ACTION_MODIFY); + } + + protected function OnDelete() + { + $this->CheckIfProfileIsAllowed(UR_ACTION_DELETE); + } + + protected function CheckIfProfileIsAllowed($iActionCode) + { + if (!UserRights::IsActionAllowed(get_class($this), $iActionCode, DBObjectSet::FromObject($this))) + { + throw new SecurityException(Dict::Format('UI:Error:ObjectCannotBeUpdated')); + } + if (UserRights::IsLoggedIn() && !UserRights::IsAdministrator() && ($this->Get('profile') === ADMIN_PROFILE_NAME)) + { + throw new SecurityException(Dict::Format('UI:Login:Error:AccessAdmin')); + } + } + } class URP_UserOrg extends UserRightsBaseClassGUI @@ -292,7 +320,7 @@ class URP_UserOrg extends UserRightsBaseClassGUI { $aParams = array ( - "category" => "addon/userrights", + "category" => "addon/userrights,grant_by_profile", "key_type" => "autoincrement", "name_attcode" => "userid", "state_attcode" => "", diff --git a/application/cmdbabstract.class.inc.php b/application/cmdbabstract.class.inc.php index 306f23cc3..296dbd531 100644 --- a/application/cmdbabstract.class.inc.php +++ b/application/cmdbabstract.class.inc.php 
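Review bot: In `CheckIfProfileIsAllowed` (hunk at -284 in userrightsprofile.class.inc.php) the first guard tests the result of `UserRights::IsActionAllowed()` with `!`, although this commit makes that method return UR_ALLOWED_* codes and rewrites the other callers to compare against `UR_ALLOWED_NO`. The negation denies only when the returned code is falsy, and the value of `UR_ALLOWED_NO` is not visible in this diff, so the explicit form `if (UserRights::IsActionAllowed(get_class($this), $iActionCode, DBObjectSet::FromObject($this)) == UR_ALLOWED_NO)` is safer for a check that gates changes to profile assignments. The second guard reads `$this->Get('profile')`, which is presumably the value being written, so on update it may not cover a link that pointed at the Administrator profile before the change; checking the original value as well is worth confirming. The new `OnInsert`/`OnUpdate`/`OnDelete` overrides do not call a parent implementation, which is fine only if the base class has none.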
@@ -1053,6 +1053,7 @@ EOF $aExtraFieldsRaw = isset($aExtraParams['extra_fields']) ? explode(',', trim($aExtraParams['extra_fields'])) : array(); $aExtraFields = array(); + $sAttCode = ''; foreach ($aExtraFieldsRaw as $sFieldName) { // Ignore attributes not of the main queried class @@ -1077,7 +1078,7 @@ EOF $aAuthorizedClasses = array(); foreach($aClasses as $sAlias => $sClassName) { - if ( (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) && (UR_ALLOWED_YES || UR_ALLOWED_DEPENDS)) && + if ( (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) != UR_ALLOWED_NO) && ( (count($aDisplayAliases) == 0) || (in_array($sAlias, $aDisplayAliases))) ) { $aAuthorizedClasses[$sAlias] = $sClassName; @@ -1166,7 +1167,7 @@ EOF $aAuthorizedClasses = array(); foreach($aClasses as $sAlias => $sClassName) { - if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) && (UR_ALLOWED_YES || UR_ALLOWED_DEPENDS)) + if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) != UR_ALLOWED_NO) { $aAuthorizedClasses[$sAlias] = $sClassName; } @@ -1302,7 +1303,7 @@ EOF $aAuthorizedClasses = array(); foreach($aClasses as $sAlias => $sClassName) { - if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) && (UR_ALLOWED_YES || UR_ALLOWED_DEPENDS)) + if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) != UR_ALLOWED_NO) { $aAuthorizedClasses[$sAlias] = $sClassName; } @@ -1465,7 +1466,7 @@ EOF $aAuthorizedClasses = array(); foreach($aClasses as $sAlias => $sClassName) { - if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) && (UR_ALLOWED_YES || UR_ALLOWED_DEPENDS)) + if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) != UR_ALLOWED_NO) { $aAuthorizedClasses[$sAlias] = $sClassName; } diff --git a/application/displayblock.class.inc.php b/application/displayblock.class.inc.php index 3b22de966..ab12d90a8 100644 --- a/application/displayblock.class.inc.php +++ b/application/displayblock.class.inc.php 
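Review bot: The test `UserRights::IsActionAllowed(...) != UR_ALLOWED_NO` is now written out four times in cmdbabstract.class.inc.php (hunks at -1077, -1166, -1302 and -1465) and again in displayblock, excelexporter, utils, tabularbulkexport and xmlbulkexport. The expression it replaces was wrong in every one of those copies, which argues for keeping the decision in one place rather than at each call site. A small boolean helper on UserRights whose body is `return self::IsActionAllowed($sClass, $iActionCode, $oInstanceSet) != UR_ALLOWED_NO;` would let the authorised-class loops call one name. The enclosing functions start and end outside these hunks.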
@@ -602,7 +602,7 @@ class DisplayBlock // Check the classes that can be read (i.e authorized) by this user... foreach($aClasses as $sAlias => $sClassName) { - if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $this->m_oSet) && (UR_ALLOWED_YES || UR_ALLOWED_DEPENDS)) + if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $this->m_oSet) != UR_ALLOWED_NO) { $aAuthorizedClasses[$sAlias] = $sClassName; } diff --git a/application/excelexporter.class.inc.php b/application/excelexporter.class.inc.php index f3b8da9ad..7ddbfd71e 100644 --- a/application/excelexporter.class.inc.php +++ b/application/excelexporter.class.inc.php @@ -462,7 +462,7 @@ class ExcelExporter $this->aAuthorizedClasses = array(); foreach($aClasses as $sAlias => $sClassName) { - if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) && (UR_ALLOWED_YES || UR_ALLOWED_DEPENDS)) + if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) != UR_ALLOWED_NO) { $this->aAuthorizedClasses[$sAlias] = $sClassName; } diff --git a/application/utils.inc.php b/application/utils.inc.php index 229d41d4c..019e2f50f 100644 --- a/application/utils.inc.php +++ b/application/utils.inc.php @@ -961,7 +961,7 @@ class utils new URLPopupMenuItem('UI:Menu:EMail', Dict::S('UI:Menu:EMail'), "mailto:?body=".urlencode($sUrl).' '), // Add an extra space to make it work in Outlook ); - if (UserRights::IsActionAllowed($param->GetFilter()->GetClass(), UR_ACTION_BULK_READ, $param) && (UR_ALLOWED_YES || UR_ALLOWED_DEPENDS)) + if (UserRights::IsActionAllowed($param->GetFilter()->GetClass(), UR_ACTION_BULK_READ, $param) != UR_ALLOWED_NO) { // Bulk export actions $aResult[] = new JSPopupMenuItem('UI:Menu:CSVExport', Dict::S('UI:Menu:CSVExport'), "ExportListDlg('$sOQL', '$sDataTableId', 'csv', ".json_encode(Dict::S('UI:Menu:CSVExport')).")"); diff --git a/core/tabularbulkexport.class.inc.php b/core/tabularbulkexport.class.inc.php index fc0e07256..1d1d90212 100644 --- a/core/tabularbulkexport.class.inc.php 
+++ b/core/tabularbulkexport.class.inc.php @@ -188,7 +188,7 @@ abstract class TabularBulkExport extends BulkExport $aAuthorizedClasses = array(); foreach($aSelectedClasses as $sAlias => $sClassName) { - if (UserRights::IsActionAllowed($sClassName, UR_ACTION_BULK_READ, $oSet) && (UR_ALLOWED_YES || UR_ALLOWED_DEPENDS)) + if (UserRights::IsActionAllowed($sClassName, UR_ACTION_BULK_READ, $oSet) != UR_ALLOWED_NO) { $aAuthorizedClasses[$sAlias] = $sClassName; } diff --git a/core/userrights.class.inc.php b/core/userrights.class.inc.php index aff9b63d7..604bdf463 100644 --- a/core/userrights.class.inc.php +++ b/core/userrights.class.inc.php @@ -168,7 +168,7 @@ abstract class User extends cmdbAbstractObject { $aParams = array ( - "category" => "core", + "category" => "core,grant_by_profile", "key_type" => "autoincrement", "name_attcode" => "login", "state_attcode" => "", @@ -422,7 +422,7 @@ abstract class UserInternal extends User { $aParams = array ( - "category" => "core", + "category" => "core,grant_by_profile", "key_type" => "autoincrement", "name_attcode" => "login", "state_attcode" => "", @@ -568,7 +568,7 @@ class UserRights return $bRes; } - protected static function IsLoggedIn() + public static function IsLoggedIn() { if (self::$m_oUser == null) { @@ -710,6 +710,7 @@ class UserRights } else { + $oUser->AllowWrite(true); return $oUser->ChangePassword($sOldPassword, $sNewPassword); } } @@ -929,7 +930,7 @@ class UserRights if (self::IsAdministrator()) return true; - if (MetaModel::HasCategory($sClass, 'bizmodel')) + if (MetaModel::HasCategory($sClass, 'bizmodel') || MetaModel::HasCategory($sClass, 'grant_by_profile')) { return self::$m_oAddOn->GetSelectFilter(self::$m_oUser, $sClass, $aSettings); } 
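Review bot: The `$oUser->AllowWrite(true);` added before `return $oUser->ChangePassword($sOldPassword, $sNewPassword);` (hunk at -710 in userrights.class.inc.php) lifts a write protection without a comment saying why, in a commit that otherwise tightens rights on the User classes. What the flag bypasses and how long it stays set on the object are not visible here. If the intent is that a user without modify rights on User objects can still change their own password, state that on the line, e.g. `// Allow this single write: a user may change their own password without modify rights on User objects`, and confirm that the old password is verified before anything is written. The enclosing method starts outside the hunk.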
@@ -939,18 +940,25 @@ class UserRights } } - public static function IsActionAllowed($sClass, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null, $oUser = null) + /** + * @param string $sClass + * @param int $iActionCode + * @param DBObjectSet $oInstanceSet + * @param User $oUser + * @return int (UR_ALLOWED_YES|UR_ALLOWED_NO|UR_ALLOWED_DEPENDS) + */ + public static function IsActionAllowed($sClass, $iActionCode, /*dbObjectSet*/$oInstanceSet = null, $oUser = null) { // When initializing, we need to let everything pass trough - if (!self::CheckLogin()) return true; + if (!self::CheckLogin()) return UR_ALLOWED_YES; if (MetaModel::DBIsReadOnly()) { - if ($iActionCode == UR_ACTION_CREATE) return false; - if ($iActionCode == UR_ACTION_MODIFY) return false; - if ($iActionCode == UR_ACTION_BULK_MODIFY) return false; - if ($iActionCode == UR_ACTION_DELETE) return false; - if ($iActionCode == UR_ACTION_BULK_DELETE) return false; + if ($iActionCode == UR_ACTION_CREATE) return UR_ALLOWED_NO; + if ($iActionCode == UR_ACTION_MODIFY) return UR_ALLOWED_NO; + if ($iActionCode == UR_ACTION_BULK_MODIFY) return UR_ALLOWED_NO; + if ($iActionCode == UR_ACTION_DELETE) return UR_ALLOWED_NO; + if ($iActionCode == UR_ACTION_BULK_DELETE) return UR_ALLOWED_NO; } $aPredefinedObjects = call_user_func(array($sClass, 'GetPredefinedObjects')); 
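Review bot: The docblock added on `IsActionAllowed` documents `$oInstanceSet` and `$oUser` as `DBObjectSet` and `User`, but both default to `null` in the signature; `@param DBObjectSet|null $oInstanceSet` and `@param User|null $oUser` would match it. The `@return int` contract also depends on the add-on call further down the body, outside this hunk, returning the same UR_ALLOWED_* codes, which cannot be checked from here. The docblock added on `IsActionAllowedOnAttribute` in the hunk at -1018 has the same nullable-parameter gap.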
@@ -959,14 +967,14 @@ class UserRights // As opposed to the read-only DB, modifying an object is allowed // (the constant columns will be marked as read-only) // - if ($iActionCode == UR_ACTION_CREATE) return false; - if ($iActionCode == UR_ACTION_DELETE) return false; - if ($iActionCode == UR_ACTION_BULK_DELETE) return false; + if ($iActionCode == UR_ACTION_CREATE) return UR_ALLOWED_NO; + if ($iActionCode == UR_ACTION_DELETE) return UR_ALLOWED_NO; + if ($iActionCode == UR_ACTION_BULK_DELETE) return UR_ALLOWED_NO; } - if (self::IsAdministrator($oUser)) return true; + if (self::IsAdministrator($oUser)) return UR_ALLOWED_YES; - if (MetaModel::HasCategory($sClass, 'bizmodel')) + if (MetaModel::HasCategory($sClass, 'bizmodel') || MetaModel::HasCategory($sClass, 'grant_by_profile')) { if (is_null($oUser)) { @@ -982,12 +990,12 @@ class UserRights } elseif(($iActionCode == UR_ACTION_READ) && MetaModel::HasCategory($sClass, 'view_in_gui')) { - return true; + return UR_ALLOWED_YES; } else { // Other classes could be edited/listed by the administrators - return false; + return UR_ALLOWED_NO; } } 
@@ -1018,32 +1026,45 @@ class UserRights } } - public static function IsActionAllowedOnAttribute($sClass, $sAttCode, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null, $oUser = null) + /** + * @param string $sClass + * @param string $sAttCode + * @param int $iActionCode + * @param DBObjectSet $oInstanceSet + * @param User $oUser + * @return int (UR_ALLOWED_YES|UR_ALLOWED_NO) + */ + public static function IsActionAllowedOnAttribute($sClass, $sAttCode, $iActionCode, /*dbObjectSet*/$oInstanceSet = null, $oUser = null) { // When initializing, we need to let everything pass trough - if (!self::CheckLogin()) return true; + if (!self::CheckLogin()) return UR_ALLOWED_YES; if (MetaModel::DBIsReadOnly()) { - if ($iActionCode == UR_ACTION_MODIFY) return false; - if ($iActionCode == UR_ACTION_DELETE) return false; - if ($iActionCode == UR_ACTION_BULK_MODIFY) return false; - if ($iActionCode == UR_ACTION_BULK_DELETE) return false; + if ($iActionCode == UR_ACTION_MODIFY) return UR_ALLOWED_NO; + if ($iActionCode == UR_ACTION_DELETE) return UR_ALLOWED_NO; + if ($iActionCode == UR_ACTION_BULK_MODIFY) return falUR_ALLOWED_NOse; + if ($iActionCode == UR_ACTION_BULK_DELETE) return UR_ALLOWED_NO; } - if (self::IsAdministrator($oUser)) return true; + if (self::IsAdministrator($oUser)) return UR_ALLOWED_YES; + + if (MetaModel::HasCategory($sClass, 'bizmodel') || MetaModel::HasCategory($sClass, 'grant_by_profile')) + { + if (is_null($oUser)) + { + $oUser = self::$m_oUser; + } + return self::$m_oAddOn->IsActionAllowedOnAttribute($oUser, $sClass, $sAttCode, $iActionCode, $oInstanceSet); + } // this module is forbidden for non admins - if (MetaModel::HasCategory($sClass, 'addon/userrights')) return false; + if (MetaModel::HasCategory($sClass, 'addon/userrights')) return UR_ALLOWED_NO; + + // the rest is allowed + return UR_ALLOWED_YES; - // the rest is allowed (#@# to be improved) - if (!MetaModel::HasCategory($sClass, 'bizmodel')) return true; - if (is_null($oUser)) - { - $oUser = 
self::$m_oUser; - } - return self::$m_oAddOn->IsActionAllowedOnAttribute($oUser, $sClass, $sAttCode, $iActionCode, $oInstanceSet); } protected static $m_aAdmins = array(); diff --git a/core/xmlbulkexport.class.inc.php b/core/xmlbulkexport.class.inc.php index afa9f9f10..a94ecef1e 100644 --- a/core/xmlbulkexport.class.inc.php +++ b/core/xmlbulkexport.class.inc.php @@ -108,7 +108,7 @@ class XMLBulkExport extends BulkExport $aClass2Attributes = array(); foreach($aClasses as $sAlias => $sClassName) { - if (UserRights::IsActionAllowed($sClassName, UR_ACTION_BULK_READ, $oSet) && (UR_ALLOWED_YES || UR_ALLOWED_DEPENDS)) + if (UserRights::IsActionAllowed($sClassName, UR_ACTION_BULK_READ, $oSet) != UR_ALLOWED_NO) { $aAuthorizedClasses[$sAlias] = $sClassName; $aAttributes = array(); diff --git a/datamodels/2.x/authent-external/model.authent-external.php b/datamodels/2.x/authent-external/model.authent-external.php index 84737db9c..75114df66 100755 --- a/datamodels/2.x/authent-external/model.authent-external.php +++ b/datamodels/2.x/authent-external/model.authent-external.php @@ -37,7 +37,7 @@ class UserExternal extends User { $aParams = array ( - "category" => "addon/authentication", + "category" => "addon/authentication,grant_by_profile", "key_type" => "autoincrement", "name_attcode" => "login", "state_attcode" => "", diff --git a/datamodels/2.x/authent-ldap/model.authent-ldap.php b/datamodels/2.x/authent-ldap/model.authent-ldap.php index 673ac541d..a5f30bf39 100755 --- a/datamodels/2.x/authent-ldap/model.authent-ldap.php +++ b/datamodels/2.x/authent-ldap/model.authent-ldap.php @@ -32,7 +32,7 @@ class UserLDAP extends UserInternal { $aParams = array ( - "category" => "addon/authentication", + "category" => "addon/authentication,grant_by_profile", "key_type" => "autoincrement", "name_attcode" => "login", "state_attcode" => "", 
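Review bot: `return falUR_ALLOWED_NOse;` on the `UR_ACTION_BULK_MODIFY` line of the read-only-database block in `IsActionAllowedOnAttribute` (hunk at -1018 in userrights.class.inc.php) is a botched replacement and names a constant that does not exist. Depending on the PHP version this raises an error or evaluates to a non-empty string, and a caller that tests the result for truthiness would then read a bulk modify as allowed while the database is read-only. The line should be `if ($iActionCode == UR_ACTION_BULK_MODIFY) return UR_ALLOWED_NO;`, matching its three neighbours. A test that calls this method with each action code while `MetaModel::DBIsReadOnly()` is true would have caught it.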
diff --git a/datamodels/2.x/authent-local/model.authent-local.php b/datamodels/2.x/authent-local/model.authent-local.php index 0317890bb..ec1a6915e 100755 --- a/datamodels/2.x/authent-local/model.authent-local.php +++ b/datamodels/2.x/authent-local/model.authent-local.php @@ -32,7 +32,7 @@ class UserLocal extends UserInternal { $aParams = array ( - "category" => "addon/authentication", + "category" => "addon/authentication,grant_by_profile", "key_type" => "autoincrement", "name_attcode" => "login", "state_attcode" => "", diff --git a/setup/compiler.class.inc.php b/setup/compiler.class.inc.php index d6ae081b3..c8fb54121 100644 --- a/setup/compiler.class.inc.php +++ b/setup/compiler.class.inc.php @@ -2167,16 +2167,21 @@ class ProfilesConfig if (!\$bAllow) return false; } - // 4 - All + // 4 - All (only for bizmodel) + // As the profiles now manage also grant_by_profile category, + // '*' is restricted to bizmodel to avoid openning the access for the existing profiles. // - \$sGrantKey = \$iProfileId.'_*_'.\$sAction; - if (isset(self::\$aGRANTS[\$sGrantKey])) - { - \$bAllow = self::\$aGRANTS[\$sGrantKey]; - if (\$bLegacyBehavior) return \$bAllow; - if (!\$bAllow) return false; + if (MetaModel::HasCategory(\$sClass, 'bizmodel')) + { + \$sGrantKey = \$iProfileId.'_*_'.\$sAction; + if (isset(self::\$aGRANTS[\$sGrantKey])) + { + \$bAllow = self::\$aGRANTS[\$sGrantKey]; + if (\$bLegacyBehavior) return \$bAllow; + if (!\$bAllow) return false; + } } - + // null or true return \$bAllow; } diff --git a/test/core/UserRightsTest.php b/test/core/UserRightsTest.php index 0cf4db292..384804494 100644 --- a/test/core/UserRightsTest.php +++ b/test/core/UserRightsTest.php 
@@ -136,46 +136,46 @@ class UserRightsTest extends ItopDataTestCase { return array( /* Administrator (7 = UR_ACTION_CREATE) */ - array(1 , array('class' => 'FunctionalCI', 'action' => 7, 'res' => true)), - array(1 , array('class' => 'UserRequest', 'action' => 7, 'res' => true)), - array(1 , array('class' => 'URP_UserProfile', 'action' => 7, 'res' => true)), - array(1 , array('class' => 'UserLocal', 'action' => 7, 'res' => true)), - array(1 , array('class' => 'ModuleInstallation', 'action' => 7, 'res' => true)), + 'Administrator FunctionalCI write' => array(1 , array('class' => 'FunctionalCI', 'action' => 7, 'res' => true)), + 'Administrator UserRequest write' => array(1 , array('class' => 'UserRequest', 'action' => 7, 'res' => true)), + 'Administrator URP_UserProfile write' => array(1 , array('class' => 'URP_UserProfile', 'action' => 7, 'res' => true)), + 'Administrator UserLocal write' => array(1 , array('class' => 'UserLocal', 'action' => 7, 'res' => true)), + 'Administrator ModuleInstallation write' => array(1 , array('class' => 'ModuleInstallation', 'action' => 7, 'res' => true)), /* User Portal (7 = UR_ACTION_CREATE) */ - array(2 , array('class' => 'FunctionalCI', 'action' => 7, 'res' => false)), - array(2 , array('class' => 'UserRequest', 'action' => 7, 'res' => true)), - array(2 , array('class' => 'URP_UserProfile', 'action' => 7, 'res' => false)), - array(2 , array('class' => 'UserLocal', 'action' => 7, 'res' => false)), - array(2 , array('class' => 'ModuleInstallation', 'action' => 7, 'res' => false)), + 'User Portal FunctionalCI write' => array(2 , array('class' => 'FunctionalCI', 'action' => 7, 'res' => false)), + 'User Portal UserRequest write' => array(2 , array('class' => 'UserRequest', 'action' => 7, 'res' => true)), + 'User Portal URP_UserProfile write' => array(2 , array('class' => 'URP_UserProfile', 'action' => 7, 'res' => false)), + 'User Portal UserLocal write' => array(2 , array('class' => 'UserLocal', 'action' => 7, 'res' => false)), + 'User 
Portal ModuleInstallation write' => array(2 , array('class' => 'ModuleInstallation', 'action' => 7, 'res' => false)), /* Configuration manager (7 = UR_ACTION_CREATE) */ - array(3 , array('class' => 'FunctionalCI', 'action' => 7, 'res' => true)), - array(3 , array('class' => 'UserRequest', 'action' => 7, 'res' => false)), - array(3 , array('class' => 'URP_UserProfile', 'action' => 7, 'res' => false)), - array(3 , array('class' => 'UserLocal', 'action' => 7, 'res' => false)), - array(3 , array('class' => 'ModuleInstallation', 'action' => 7, 'res' => false)), + 'Configuration manager FunctionalCI write' => array(3 , array('class' => 'FunctionalCI', 'action' => 7, 'res' => true)), + 'Configuration manager UserRequest write' => array(3 , array('class' => 'UserRequest', 'action' => 7, 'res' => false)), + 'Configuration manager URP_UserProfile write' => array(3 , array('class' => 'URP_UserProfile', 'action' => 7, 'res' => false)), + 'Configuration manager UserLocal write' => array(3 , array('class' => 'UserLocal', 'action' => 7, 'res' => false)), + 'Configuration manager ModuleInstallation write' => array(3 , array('class' => 'ModuleInstallation', 'action' => 7, 'res' => false)), /* Administrator (1 = UR_ACTION_READ) */ - array(1 , array('class' => 'FunctionalCI', 'action' => 1, 'res' => true)), - array(1 , array('class' => 'UserRequest', 'action' => 1, 'res' => true)), - array(1 , array('class' => 'URP_UserProfile', 'action' => 1, 'res' => true)), - array(1 , array('class' => 'UserLocal', 'action' => 1, 'res' => true)), - array(1 , array('class' => 'ModuleInstallation', 'action' => 1, 'res' => true)), + 'Administrator FunctionalCI read' => array(1 , array('class' => 'FunctionalCI', 'action' => 1, 'res' => true)), + 'Administrator UserRequest read' => array(1 , array('class' => 'UserRequest', 'action' => 1, 'res' => true)), + 'Administrator URP_UserProfile read' => array(1 , array('class' => 'URP_UserProfile', 'action' => 1, 'res' => true)), + 'Administrator UserLocal 
read' => array(1 , array('class' => 'UserLocal', 'action' => 1, 'res' => true)), + 'Administrator ModuleInstallation read' => array(1 , array('class' => 'ModuleInstallation', 'action' => 1, 'res' => true)), /* User Portal (1 = UR_ACTION_READ) */ - array(2 , array('class' => 'FunctionalCI', 'action' => 1, 'res' => true)), - array(2 , array('class' => 'UserRequest', 'action' => 1, 'res' => true)), - array(2 , array('class' => 'URP_UserProfile', 'action' => 1, 'res' => false)), - array(2 , array('class' => 'UserLocal', 'action' => 1, 'res' => false)), - array(2 , array('class' => 'ModuleInstallation', 'action' => 1, 'res' => true)), + 'User Portal FunctionalCI read' => array(2 , array('class' => 'FunctionalCI', 'action' => 1, 'res' => true)), + 'User Portal UserRequest read' => array(2 , array('class' => 'UserRequest', 'action' => 1, 'res' => true)), + 'User Portal URP_UserProfile read' => array(2 , array('class' => 'URP_UserProfile', 'action' => 1, 'res' => false)), + 'User Portal UserLocal read' => array(2 , array('class' => 'UserLocal', 'action' => 1, 'res' => false)), + 'User Portal ModuleInstallation read' => array(2 , array('class' => 'ModuleInstallation', 'action' => 1, 'res' => true)), /* Configuration manager (1 = UR_ACTION_READ) */ - array(3 , array('class' => 'FunctionalCI', 'action' => 1, 'res' => true)), - array(3 , array('class' => 'UserRequest', 'action' => 1, 'res' => true)), - array(3 , array('class' => 'URP_UserProfile', 'action' => 1, 'res' => false)), - array(3 , array('class' => 'UserLocal', 'action' => 1, 'res' => false)), - array(3 , array('class' => 'ModuleInstallation', 'action' => 1, 'res' => true)), + 'Configuration manager FunctionalCI read' => array(3 , array('class' => 'FunctionalCI', 'action' => 1, 'res' => true)), + 'Configuration manager UserRequest read' => array(3 , array('class' => 'UserRequest', 'action' => 1, 'res' => true)), + 'Configuration manager URP_UserProfile read' => array(3 , array('class' => 'URP_UserProfile', 'action' 
=> 1, 'res' => false)), + 'Configuration manager UserLocal read' => array(3 , array('class' => 'UserLocal', 'action' => 1, 'res' => false)), + 'Configuration manager ModuleInstallation read' =>array(3 , array('class' => 'ModuleInstallation', 'action' => 1, 'res' => true)), ); } @@ -200,8 +200,8 @@ class UserRightsTest extends ItopDataTestCase /* * FunctionalCI => bizmodel searchable * UserRequest => bizmodel searchable requestmgmt - * URP_UserProfile => addon/userrights - * UserLocal => addon/authentication + * URP_UserProfile => addon/userrights grant_by_profile + * UserLocal => addon/authentication grant_by_profile * ModuleInstallation => core view_in_gui * */ 
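Review bot: The expected values in this provider (hunk at -136) and in the one in the hunk at -209 stay `'res' => true` / `'res' => false`, although the commit documents `IsActionAllowed` as returning `UR_ALLOWED_YES|UR_ALLOWED_NO|UR_ALLOWED_DEPENDS`. The assertion that consumes `res` is outside the hunks, so whether it compares loosely or strictly cannot be seen; writing the expectations as the constants, e.g. `'res' => UR_ALLOWED_NO`, would pin the new contract. Nothing visible in these hunks covers `IsActionAllowedOnAttribute` or the Administrator-profile guard added to URP_UserProfile.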
@@ -209,25 +209,25 @@ class UserRightsTest extends ItopDataTestCase { $aClassActionResult = array( /* Administrator (2 = UR_ACTION_MODIFY) */ - array(1 , array('class' => 'FunctionalCI', 'action' => 2, 'res' => true)), - array(1 , array('class' => 'UserRequest', 'action' => 2, 'res' => true)), - array(1 , array('class' => 'URP_UserProfile', 'action' => 2, 'res' => true)), - array(1 , array('class' => 'UserLocal', 'action' => 2, 'res' => true)), - array(1 , array('class' => 'ModuleInstallation', 'action' => 2, 'res' => true)), + 'Administrator FunctionalCI' => array(1 , array('class' => 'FunctionalCI', 'action' => 2, 'res' => true)), + 'Administrator UserRequest' => array(1 , array('class' => 'UserRequest', 'action' => 2, 'res' => true)), + 'Administrator URP_UserProfile' => array(1 , array('class' => 'URP_UserProfile', 'action' => 2, 'res' => true)), + 'Administrator UserLocal' => array(1 , array('class' => 'UserLocal', 'action' => 2, 'res' => true)), + 'Administrator ModuleInstallation' => array(1 , array('class' => 'ModuleInstallation', 'action' => 2, 'res' => true)), /* User Portal (2 = UR_ACTION_MODIFY) */ - array(2 , array('class' => 'FunctionalCI', 'action' => 2, 'res' => false)), - array(2 , array('class' => 'UserRequest', 'action' => 2, 'res' => true)), - array(2 , array('class' => 'URP_UserProfile', 'action' => 2, 'res' => true)), - array(2 , array('class' => 'UserLocal', 'action' => 2, 'res' => true)), - array(2 , array('class' => 'ModuleInstallation', 'action' => 2, 'res' => true)), + 'User Portal FunctionalCI' => array(2 , array('class' => 'FunctionalCI', 'action' => 2, 'res' => false)), + 'User Portal UserRequest' => array(2 , array('class' => 'UserRequest', 'action' => 2, 'res' => true)), + 'User Portal URP_UserProfile' => array(2 , array('class' => 'URP_UserProfile', 'action' => 2, 'res' => false)), + 'User Portal UserLocal' => array(2 , array('class' => 'UserLocal', 'action' => 2, 'res' => false)), + 'User Portal ModuleInstallation' => array(2 , 
array('class' => 'ModuleInstallation', 'action' => 2, 'res' => true)), /* Configuration manager (2 = UR_ACTION_MODIFY) */ - array(3 , array('class' => 'FunctionalCI', 'action' => 2, 'res' => true)), - array(3 , array('class' => 'UserRequest', 'action' => 2, 'res' => false)), - array(3 , array('class' => 'URP_UserProfile', 'action' => 2, 'res' => true)), - array(3 , array('class' => 'UserLocal', 'action' => 2, 'res' => true)), - array(3 , array('class' => 'ModuleInstallation', 'action' => 2, 'res' => true)), + 'Configuration manager FunctionalCI' => array(3 , array('class' => 'FunctionalCI', 'action' => 2, 'res' => true)), + 'Configuration manager UserRequest' => array(3 , array('class' => 'UserRequest', 'action' => 2, 'res' => false)), + 'Configuration manager URP_UserProfile' => array(3 , array('class' => 'URP_UserProfile', 'action' => 2, 'res' => false)), + 'Configuration manager UserLocal' => array(3 , array('class' => 'UserLocal', 'action' => 2, 'res' => false)), + 'Configuration manager ModuleInstallation' => array(3 , array('class' => 'ModuleInstallation', 'action' => 2, 'res' => true)), ); return $aClassActionResult;