composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-04-24 02:58:43 +02:00
Code Issues Packages Projects Releases Wiki Activity

N°1248 - User Management Portal

Browse Source 
* Added a new grant_by_profile category that allows to manage certain classes in addition to bizmodel with user profiles.
* The following classes have the new grant_by_profile category:
    User, UserInternal, UserLocal, UserLDAP, UserExternal, URP_UserProfile, URP_UserOrg
* For these classes, it is possible to manage access rights with user profiles for non-administrators.
* For these classes, the default behavior of SELECT requests changes from allowed to forbidden.
* For user profiles, the default behavior '*' is limited to the bizmodel category to keep the previous behavior of profiles, i. e. for classes in the grant_by_profile category, rights (including READ) must be given explicitly.
* New constraints have been added, so only an administrator can manage (attach or detach) the 'Administrator' profile.

SVN:trunk[5298]
This commit is contained in:
Eric Espié
2018-01-30 15:17:51 +00:00
parent 5144f62da9
commit 94d45fc77f
13 changed files with 157 additions and 102 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
application/cmdbabstract.class.inc.php
View File

@@ -1053,6 +1053,7 @@ EOF
$aExtraFieldsRaw = isset($aExtraParams['extra_fields']) ? explode(',', trim($aExtraParams['extra_fields'])) : array();
$aExtraFields = array();
$sAttCode = '';
foreach ($aExtraFieldsRaw as $sFieldName)
{
// Ignore attributes not of the main queried class
@@ -1077,7 +1078,7 @@ EOF
$aAuthorizedClasses = array();
foreach($aClasses as $sAlias => $sClassName)
{
if ( (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) && (UR_ALLOWED_YES || UR_ALLOWED_DEPENDS)) &&
if ( (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) != UR_ALLOWED_NO) &&
( (count($aDisplayAliases) == 0) || (in_array($sAlias, $aDisplayAliases))) )
{
$aAuthorizedClasses[$sAlias] = $sClassName;
@@ -1166,7 +1167,7 @@ EOF
$aAuthorizedClasses = array();
foreach($aClasses as $sAlias => $sClassName)
{
if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) && (UR_ALLOWED_YES || UR_ALLOWED_DEPENDS))
if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) != UR_ALLOWED_NO)
{
$aAuthorizedClasses[$sAlias] = $sClassName;
}
@@ -1302,7 +1303,7 @@ EOF
$aAuthorizedClasses = array();
foreach($aClasses as $sAlias => $sClassName)
{
if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) && (UR_ALLOWED_YES || UR_ALLOWED_DEPENDS))
if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) != UR_ALLOWED_NO)
{
$aAuthorizedClasses[$sAlias] = $sClassName;
}
@@ -1465,7 +1466,7 @@ EOF
$aAuthorizedClasses = array();
foreach($aClasses as $sAlias => $sClassName)
{
if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) && (UR_ALLOWED_YES || UR_ALLOWED_DEPENDS))
if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) != UR_ALLOWED_NO)
{
$aAuthorizedClasses[$sAlias] = $sClassName;
}

2
application/displayblock.class.inc.php
View File

@@ -602,7 +602,7 @@ class DisplayBlock
// Check the classes that can be read (i.e authorized) by this user...
foreach($aClasses as $sAlias => $sClassName)
{
if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $this->m_oSet) && (UR_ALLOWED_YES || UR_ALLOWED_DEPENDS))
if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $this->m_oSet) != UR_ALLOWED_NO)
{
$aAuthorizedClasses[$sAlias] = $sClassName;
}

2
application/excelexporter.class.inc.php
View File

@@ -462,7 +462,7 @@ class ExcelExporter
$this->aAuthorizedClasses = array();
foreach($aClasses as $sAlias => $sClassName)
{
if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) && (UR_ALLOWED_YES || UR_ALLOWED_DEPENDS))
if (UserRights::IsActionAllowed($sClassName, UR_ACTION_READ, $oSet) != UR_ALLOWED_NO)
{
$this->aAuthorizedClasses[$sAlias] = $sClassName;
}

2
application/utils.inc.php
View File

@@ -961,7 +961,7 @@ class utils
new URLPopupMenuItem('UI:Menu:EMail', Dict::S('UI:Menu:EMail'), "mailto:?body=".urlencode($sUrl).' '), // Add an extra space to make it work in Outlook
);
if (UserRights::IsActionAllowed($param->GetFilter()->GetClass(), UR_ACTION_BULK_READ, $param) && (UR_ALLOWED_YES || UR_ALLOWED_DEPENDS))
if (UserRights::IsActionAllowed($param->GetFilter()->GetClass(), UR_ACTION_BULK_READ, $param) != UR_ALLOWED_NO)
{
// Bulk export actions
$aResult[] = new JSPopupMenuItem('UI:Menu:CSVExport', Dict::S('UI:Menu:CSVExport'), "ExportListDlg('$sOQL', '$sDataTableId', 'csv', ".json_encode(Dict::S('UI:Menu:CSVExport')).")");