From ae61a1e5ebb952ba0fe2ed20af817adc52cabee1 Mon Sep 17 00:00:00 2001
From: Guillaume Lajarige
Date: Thu, 2 Jun 2016 08:51:27 +0000
Subject: [PATCH] Customer portal : SecurityHelper now outputs to IssueLog on negative result when debug mode is enabled. Warning : This ca be extremely verbose ! Use debug mode smartly. SVN:trunk[4172]
---
 .../src/helpers/securityhelper.class.inc.php | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/datamodels/2.x/itop-portal-base/portal/src/helpers/securityhelper.class.inc.php b/datamodels/2.x/itop-portal-base/portal/src/helpers/securityhelper.class.inc.php
index 30ee877a35..7731713e94 100644
--- a/datamodels/2.x/itop-portal-base/portal/src/helpers/securityhelper.class.inc.php
+++ b/datamodels/2.x/itop-portal-base/portal/src/helpers/securityhelper.class.inc.php
@@ -24,6 +24,7 @@ use \Silex\Application;
 use \utils;
 use \UserRights;
 use \Dict;
+use \IssueLog;
 use \MetaModel;
 use \DBObjectSet;
 use \FieldExpression;
@@ -52,9 +53,15 @@ class SecurityHelper
 */
 public static function IsActionAllowed(Application $oApp, $sAction, $sObjectClass, $sObjectId = null)
 {
+ $sDebugTracePrefix = __CLASS__ . ' / ' . __METHOD__ . ' : Returned false for action ' . $sAction . ' on ' . $sObjectClass . '::' . $sObjectId;
+
 // Checking action type
 if (!in_array($sAction, array(UR_ACTION_READ, UR_ACTION_MODIFY, UR_ACTION_CREATE)))
 {
+ if ($oApp['debug'])
+ {
+ IssueLog::Info($sDebugTracePrefix . ' as the action value could not be understood (' . UR_ACTION_READ . '/' . UR_ACTION_MODIFY . '/' . UR_ACTION_CREATE . ' expected');
+ }
 return false;
 }
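Review bot: `$sAction`, `$sObjectClass` and `$sObjectId` are concatenated into `$sDebugTracePrefix` unmodified at the top of `IsActionAllowed`, so if they originate from the request (the callers are not part of this patch) a value containing line breaks could forge additional IssueLog entries, unless IssueLog escapes control characters itself. This matters most in the first branch, which logs exactly those action values that failed the `in_array` validation. I would neutralise control characters before logging, e.g. `preg_replace('/[\x00-\x1F\x7F]/', '?', (string) $sObjectId)`, and move the debug check, the sanitising and the `IssueLog::Info()` call into one small private static helper. That would also stop the prefix from being assembled on every call when debug is off, and it would replace the five identical `if ($oApp['debug'])` blocks in this hunk and the four later ones. Separately, the first message opens a parenthesis before `UR_ACTION_READ` that is never closed (`' expected'` should be `' expected)'`). The body of `IsActionAllowed` continues beyond this hunk.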
@@ -65,6 +72,10 @@ class SecurityHelper
 $oScopeQuery = $oApp['scope_validator']->GetScopeFilterForProfiles(UserRights::ListProfiles(), $sObjectClass, $sScopeAction);
 if ($oScopeQuery === null)
 {
+ if ($oApp['debug'])
+ {
+ IssueLog::Info($sDebugTracePrefix . ' as there was no scope defined for action ' . $sScopeAction . ' and profiles ' . implode('/', UserRights::ListProfiles()));
+ }
 return false;
 }
 // - If action != create we do some additionnal checks
@@ -89,6 +100,10 @@ class SecurityHelper
 $oSet = new DBObjectSet($oScopeQuery);
 if ($oSet->Count() === 0)
 {
+ if ($oApp['debug'])
+ {
+ IssueLog::Info($sDebugTracePrefix . ' as there was no result for the following scope query : ' . $oScopeQuery->ToOQL(true));
+ }
 return false;
 }
@@ -98,6 +113,10 @@ class SecurityHelper
 $oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */);
 if ($oObject === null)
 {
+ if ($oApp['debug'])
+ {
+ IssueLog::Info($sDebugTracePrefix . ' as object doesn\'t exists');
+ }
 return false;
 }
 unset($oObject);
@@ -109,6 +128,10 @@ class SecurityHelper
 {
 // For security reasons, we don't want to give the user too many informations on why he cannot access the object.
 //throw new SecurityException('User not allowed to view this object', array('class' => $sObjectClass, 'id' => $sObjectId));
+ if ($oApp['debug'])
+ {
+ IssueLog::Info($sDebugTracePrefix . ' as the user is not allowed to access this object according to the datamodel security (cf. Console settings)');
+ }
 return false;
 }
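Review bot: The new trace in the `$oSet->Count() === 0` branch writes the complete scope filter to the log via `$oScopeQuery->ToOQL(true)`, and the `true` argument appears to inline the query parameters, so an entry can describe the portal's access rules together with the values bound for the current user. The user-facing response stays generic, which is right, but the log then becomes the sensitive artefact. A comment at this call would help the next maintainer, for example `// Debug only: logs the full scope OQL; keep debug off in production and the log readable by administrators only`. The same consideration applies, to a lesser degree, to the profile list logged in the `$oScopeQuery === null` branch.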