mirror of
https://github.com/Combodo/iTop.git
synced 2026-04-24 02:58:43 +02:00
Improved user rights management: SELECT filtered on objects authorized for the current user (not yet fully implemented)
SVN:trunk[681]
This commit is contained in:
Romain Quetiez
@@ -34,6 +34,10 @@ class DBObjectSearch
|
||||
private $m_aReferencedBy;
|
||||
private $m_aRelatedTo;
|
||||
|
||||
// By default, some information may be hidden to the current user
|
||||
// But it may happen that we need to disable that feature
|
||||
private $m_bAllowAllData = false;
|
||||
|
||||
public function __construct($sClass, $sClassAlias = null)
|
||||
{
|
||||
if (is_null($sClassAlias)) $sClassAlias = $sClass;
|
||||
@@ -51,6 +55,9 @@ class DBObjectSearch
|
||||
$this->m_aRelatedTo = array();
|
||||
}
|
||||
|
||||
public function AllowAllData() {$this->m_bAllowAllData = true;}
|
||||
public function IsAllDataAllowed() {return $this->m_bAllowAllData;}
|
||||
|
||||
public function GetClassName($sAlias) {return $this->m_aClasses[$sAlias];}
|
||||
public function GetJoinedClasses() {return $this->m_aClasses;}
|
||||
|
||||
@@ -681,8 +688,25 @@ class DBObjectSearch
|
||||
}
|
||||
}
|
||||
|
||||
// Create a search definition that leads to 0 result, still a valid search object
|
||||
static public function FromEmptySet($sClass)
|
||||
{
|
||||
$oResultFilter = new DBObjectSearch($sClass);
|
||||
$oResultFilter->m_oSearchCondition = new FalseExpression;
|
||||
return $oResultFilter;
|
||||
}
|
||||
|
||||
static protected $m_aOQLQueries = array();
|
||||
|
||||
// Do not filter out depending on user rights
|
||||
// In particular when we are currently in the process of evaluating the user rights...
|
||||
static public function FromOQL_AllData($sQuery)
|
||||
{
|
||||
$oRes = self::FromOQL($sQuery);
|
||||
$oRes->AllowAllData();
|
||||
return $oRes;
|
||||
}
|
||||
|
||||
static public function FromOQL($sQuery)
|
||||
{
|
||||
if (empty($sQuery)) return null;
|
||||
|
||||
@@ -230,6 +230,19 @@ class TrueExpression extends ScalarExpression
|
||||
}
|
||||
}
|
||||
|
||||
class FalseExpression extends ScalarExpression
|
||||
{
|
||||
public function __construct()
|
||||
{
|
||||
parent::__construct(0);
|
||||
}
|
||||
|
||||
public function IsTrue()
|
||||
{
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
class FieldExpression extends UnaryExpression
|
||||
{
|
||||
protected $m_sParent;
|
||||
@@ -348,6 +361,16 @@ class ListExpression extends Expression
|
||||
$this->m_aExpressions = $aExpressions;
|
||||
}
|
||||
|
||||
public static function FromScalars($aScalars)
|
||||
{
|
||||
$aExpressions = array();
|
||||
foreach($aScalars as $value)
|
||||
{
|
||||
$aExpressions[] = new ScalarExpression($value);
|
||||
}
|
||||
return new ListExpression($aExpressions);
|
||||
}
|
||||
|
||||
public function IsTrue()
|
||||
{
|
||||
// return true if we are certain that it will be true
|
||||
|
||||
@@ -1509,6 +1509,27 @@ abstract class MetaModel
|
||||
|
||||
public static function MakeSelectQuery(DBObjectSearch $oFilter, $aOrderBy = array(), $aArgs = array())
|
||||
{
|
||||
// Hide objects that are not visible to the current user
|
||||
//
|
||||
if (!$oFilter->IsAllDataAllowed())
|
||||
{
|
||||
$oVisibleObjects = UserRights::GetSelectFilter($oFilter->GetClass());
|
||||
if ($oVisibleObjects === false)
|
||||
{
|
||||
// Make sure this is a valid search object, saying NO for all
|
||||
$oVisibleObjects = DBObjectSearch::FromEmptySet($oFilter->GetClass());
|
||||
}
|
||||
if (is_object($oVisibleObjects))
|
||||
{
|
||||
$oFilter->MergeWith($oVisibleObjects);
|
||||
}
|
||||
else
|
||||
{
|
||||
// should be true at this point, meaning that no additional filtering
|
||||
// is required
|
||||
}
|
||||
}
|
||||
|
||||
// Query caching
|
||||
//
|
||||
$bQueryCacheEnabled = true;
|
||||
|
||||
@@ -57,6 +57,8 @@ abstract class UserRightsAddOnAPI
|
||||
|
||||
// Cf UserContext...
|
||||
abstract public function GetFilter($sLogin, $sClass); // returns a filter object
|
||||
// Used to build select queries showing only objects visible for the given user
|
||||
abstract public function GetSelectFilter($sLogin, $sClass); // returns a filter object
|
||||
|
||||
abstract public function IsActionAllowed($oUser, $sClass, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null);
|
||||
abstract public function IsStimulusAllowed($oUser, $sClass, $sStimulusCode, /*dbObjectSet*/ $oInstanceSet = null);
|
||||
@@ -494,6 +496,9 @@ class UserRights
|
||||
|
||||
public static function GetFilter($sClass)
|
||||
{
|
||||
// #@# to cleanup !
|
||||
return new DBObjectSearch($sClass);
|
||||
|
||||
if (!self::CheckLogin()) return false;
|
||||
if (self::IsAdministrator()) return new DBObjectSearch($sClass);
|
||||
|
||||
@@ -506,11 +511,35 @@ class UserRights
|
||||
return self::$m_oAddOn->GetFilter(self::$m_oUser->GetKey(), $sClass);
|
||||
}
|
||||
|
||||
public static function GetSelectFilter($sClass)
|
||||
{
|
||||
// Need to load some records before the login is performed (user preferences)
|
||||
if (MetaModel::HasCategory($sClass, 'alwaysreadable')) return true;
|
||||
|
||||
// ne marche pas... pourquoi?
|
||||
//if (!self::CheckLogin()) return false;
|
||||
|
||||
if (self::IsAdministrator()) return true;
|
||||
|
||||
// this module is forbidden for non admins.... BUT I NEED IT HERE TO DETERMINE USER RIGHTS
|
||||
if (MetaModel::HasCategory($sClass, 'addon/userrights')) return true;
|
||||
|
||||
// the rest is allowed (#@# to be improved)
|
||||
if (!MetaModel::HasCategory($sClass, 'bizmodel')) return true;
|
||||
|
||||
return self::$m_oAddOn->GetSelectFilter(self::$m_oUser, $sClass);
|
||||
}
|
||||
|
||||
public static function IsActionAllowed($sClass, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null, $oUser = null)
|
||||
{
|
||||
if (!self::CheckLogin()) return false;
|
||||
if (self::IsAdministrator($oUser)) return true;
|
||||
|
||||
|
||||
// #@# Temporary?????
|
||||
// The read access is controlled in MetaModel::MakeSelectQuery()
|
||||
if ($iActionCode == UR_ACTION_READ) return true;
|
||||
|
||||
// this module is forbidden for non admins
|
||||
if (MetaModel::HasCategory($sClass, 'addon/userrights')) return false;
|
||||
|
||||
|
||||
@@ -93,19 +93,28 @@ class ValueSetObjects extends ValueSetDefinition
|
||||
protected $m_sFilterExpr; // in OQL
|
||||
protected $m_sValueAttCode;
|
||||
protected $m_aOrderBy;
|
||||
private $m_bAllowAllData;
|
||||
|
||||
public function __construct($sFilterExp, $sValueAttCode = '', $aOrderBy = array())
|
||||
public function __construct($sFilterExp, $sValueAttCode = '', $aOrderBy = array(), $bAllowAllData = false)
|
||||
{
|
||||
$this->m_sFilterExpr = $sFilterExp;
|
||||
$this->m_sValueAttCode = $sValueAttCode;
|
||||
$this->m_aOrderBy = $aOrderBy;
|
||||
$this->m_bAllowAllData = $bAllowAllData;
|
||||
}
|
||||
|
||||
protected function LoadValues($aArgs)
|
||||
{
|
||||
$this->m_aValues = array();
|
||||
|
||||
$oFilter = DBObjectSearch::FromOQL($this->m_sFilterExpr, $aArgs);
|
||||
if ($this->m_bAllowAllData)
|
||||
{
|
||||
$oFilter = DBObjectSearch::FromOQL_AllData($this->m_sFilterExpr, $aArgs);
|
||||
}
|
||||
else
|
||||
{
|
||||
$oFilter = DBObjectSearch::FromOQL($this->m_sFilterExpr, $aArgs);
|
||||
}
|
||||
if (!$oFilter) return false;
|
||||
|
||||
$oObjects = new DBObjectSet($oFilter, $this->m_aOrderBy, $aArgs);
|
||||
|
||||
Reference in New Issue
Block a user