N°1248 - User Management Portal

* Added a new grant_by_profile category that allows to manage certain classes in addition to bizmodel with user profiles.
* The following classes have the new grant_by_profile category:
    User, UserInternal, UserLocal, UserLDAP, UserExternal, URP_UserProfile, URP_UserOrg
* For these classes, it is possible to manage access rights with user profiles for non-administrators.
* For these classes, the default behavior of SELECT requests changes from allowed to forbidden.
* For user profiles, the default behavior '*' is limited to the bizmodel category to keep the previous behavior of profiles, i. e. for classes in the grant_by_profile category, rights (including READ) must be given explicitly.
* New constraints have been added, so only an administrator can manage (attach or detach) the 'Administrator' profile.

SVN:trunk[5298]

setup/compiler.class.inc.php

@@ -2167,16 +2167,21 @@ class ProfilesConfig
 			if (!\$bAllow) return false;
 		}
 
-		// 4 - All
+		// 4 - All (only for bizmodel)
+		// As the profiles now manage also grant_by_profile category,
+		// '*' is restricted to bizmodel to avoid openning the access for the existing profiles.
 		// 
-		\$sGrantKey = \$iProfileId.'_*_'.\$sAction;
-		if (isset(self::\$aGRANTS[\$sGrantKey]))
-		{
-			\$bAllow = self::\$aGRANTS[\$sGrantKey];
-			if (\$bLegacyBehavior) return \$bAllow;
-			if (!\$bAllow) return false;
+		if (MetaModel::HasCategory(\$sClass, 'bizmodel'))
+		{ 
+			\$sGrantKey = \$iProfileId.'_*_'.\$sAction;
+			if (isset(self::\$aGRANTS[\$sGrantKey]))
+			{
+				\$bAllow = self::\$aGRANTS[\$sGrantKey];
+				if (\$bLegacyBehavior) return \$bAllow;
+				if (!\$bAllow) return false;
+			}
 		}
-
+		
 		// null or true
 		return \$bAllow;
 	}