N°6251 - 1:n - Actions must not be proposed to user not allowed (#491)

2026-04-19 08:38:45 +02:00 · 2023-05-05 14:28:37 +02:00
parent d10e2ac25a
commit b9cfb62d1a
5 changed files with 178 additions and 107 deletions
--- a/sources/Application/UI/Links/Direct/BlockDirectLinkSetEditTable.php
+++ b/sources/Application/UI/Links/Direct/BlockDirectLinkSetEditTable.php
@@ -28,6 +28,7 @@ use iDBObjectSetIterator;
 use MetaModel;
 use MySQLException;
 use UILinksWidgetDirect;
+use UserRights;
 use utils;
 use WebPage;

@@ -68,6 +69,11 @@ class BlockDirectLinkSetEditTable extends UIContentBlock
 	/** @var string $sJSDoSearch */
 	public string $sJSDoSearch;

+	// User rights
+	private bool $bIsAllowCreate;
+	private bool $bIsAllowModify;
+	private bool $bIsAllowDelete;
+
 	/**
 	 * Constructor.
 	 *
@@ -114,6 +120,11 @@ class BlockDirectLinkSetEditTable extends UIContentBlock
 	private function Init()
 	{
 		$this->oAttributeLinkedSet = MetaModel::GetAttributeDef($this->oUILinksDirectWidget->GetClass(), $this->oUILinksDirectWidget->GetAttCode());
+
+		// User rights
+		$this->bIsAllowCreate = UserRights::IsActionAllowed($this->oAttributeLinkedSet->GetLinkedClass(), UR_ACTION_CREATE) == UR_ALLOWED_YES;
+		$this->bIsAllowModify = UserRights::IsActionAllowed($this->oAttributeLinkedSet->GetLinkedClass(), UR_ACTION_MODIFY) == UR_ALLOWED_YES;
+		$this->bIsAllowDelete = UserRights::IsActionAllowed($this->oAttributeLinkedSet->GetLinkedClass(), UR_ACTION_DELETE) == UR_ALLOWED_YES;
 	}

 	/**
@@ -192,38 +203,48 @@ class BlockDirectLinkSetEditTable extends UIContentBlock
 				break;

 			case LINKSET_EDITMODE_ADDONLY: // The only possible action is to open (in a new window) the form to create a new object
-				$oActionButtonCreate = ButtonUIBlockFactory::MakeNeutral(Dict::S('UI:Button:Create'));
-				$oActionButtonCreate->SetTooltip(Dict::Format('UI:ClickToCreateNew', MetaModel::GetName($this->oAttributeLinkedSet->GetLinkedClass())))
-									->AddDataAttribute('action', 'create')
-									->SetOnClickJsCode("$('#{$this->oUILinksDirectWidget->GetInputId()}').directlinks('createRow');");
-				$oToolbar->AddSubBlock($oActionButtonCreate);
+				if ($this->bIsAllowCreate) {
+					$oActionButtonCreate = ButtonUIBlockFactory::MakeNeutral(Dict::S('UI:Button:Create'));
+					$oActionButtonCreate->SetTooltip(Dict::Format('UI:ClickToCreateNew', MetaModel::GetName($this->oAttributeLinkedSet->GetLinkedClass())))
+						->AddDataAttribute('action', 'create')
+						->SetOnClickJsCode("$('#{$this->oUILinksDirectWidget->GetInputId()}').directlinks('createRow');");
+					$oToolbar->AddSubBlock($oActionButtonCreate);
+				}
 				break;

 			case LINKSET_EDITMODE_INPLACE: // The whole linkset can be edited 'in-place'
 			case LINKSET_EDITMODE_ACTIONS: // Show the usual 'Actions' popup menu
+			if ($this->bIsAllowCreate) {
 				$oActionButtonCreate = ButtonUIBlockFactory::MakeNeutral(Dict::S('UI:Button:Create'));
 				$oActionButtonCreate->SetTooltip(Dict::Format('UI:ClickToCreateNew', MetaModel::GetName($this->oAttributeLinkedSet->GetLinkedClass())))
-									->AddDataAttribute('action', 'create')
-									->SetOnClickJsCode("$('#{$this->oUILinksDirectWidget->GetInputId()}').directlinks('createRow');");
+					->AddDataAttribute('action', 'create')
+					->SetOnClickJsCode("$('#{$this->oUILinksDirectWidget->GetInputId()}').directlinks('createRow');");
 				$oToolbar->AddSubBlock($oActionButtonCreate);
-				
+			}
+
+			if ($this->bIsAllowDelete) {
 				$oActionButtonDelete = ButtonUIBlockFactory::MakeNeutral(Dict::S('UI:Button:Delete'));
 				$oActionButtonDelete->AddDataAttribute('action', 'delete')
-									->SetOnClickJsCode("$('#{$this->oUILinksDirectWidget->GetInputId()}').directlinks('deleteSelection');");
+					->SetOnClickJsCode("$('#{$this->oUILinksDirectWidget->GetInputId()}').directlinks('deleteSelection');");
 				$oToolbar->AddSubBlock($oActionButtonDelete);
+			}
 				break;

 			case LINKSET_EDITMODE_ADDREMOVE: // The whole linkset can be edited 'in-place'
-				$oActionButtonLink = ButtonUIBlockFactory::MakeNeutral(Dict::S('UI:Button:Add'));
-				$oActionButtonLink->SetTooltip(Dict::Format('UI:AddLinkedObjectsOf_Class', MetaModel::GetName($this->oAttributeLinkedSet->GetLinkedClass())))
-									->AddDataAttribute('action', 'add')
-									->SetOnClickJsCode("$('#{$this->oUILinksDirectWidget->GetInputId()}').directlinks('selectToAdd');");
-				$oToolbar->AddSubBlock($oActionButtonLink);
-				
-				$oActionButtonUnlink = ButtonUIBlockFactory::MakeNeutral(Dict::S('UI:Button:Remove'));
-				$oActionButtonUnlink->AddDataAttribute('action', 'detach')
-									->SetOnClickJsCode("$('#{$this->oUILinksDirectWidget->GetInputId()}').directlinks('removeSelection');");
-				$oToolbar->AddSubBlock($oActionButtonUnlink);
+				if ($this->bIsAllowCreate) {
+					$oActionButtonLink = ButtonUIBlockFactory::MakeNeutral(Dict::S('UI:Button:Add'));
+					$oActionButtonLink->SetTooltip(Dict::Format('UI:AddLinkedObjectsOf_Class', MetaModel::GetName($this->oAttributeLinkedSet->GetLinkedClass())))
+						->AddDataAttribute('action', 'add')
+						->SetOnClickJsCode("$('#{$this->oUILinksDirectWidget->GetInputId()}').directlinks('selectToAdd');");
+					$oToolbar->AddSubBlock($oActionButtonLink);
+				}
+
+				if ($this->bIsAllowDelete) {
+					$oActionButtonUnlink = ButtonUIBlockFactory::MakeNeutral(Dict::S('UI:Button:Remove'));
+					$oActionButtonUnlink->AddDataAttribute('action', 'detach')
+						->SetOnClickJsCode("$('#{$this->oUILinksDirectWidget->GetInputId()}').directlinks('removeSelection');");
+					$oToolbar->AddSubBlock($oActionButtonUnlink);
+				}
 				break;

 			default:
@@ -307,21 +328,25 @@ class BlockDirectLinkSetEditTable extends UIContentBlock

 			case LINKSET_EDITMODE_INPLACE: // The whole linkset can be edited 'in-place'
 			case LINKSET_EDITMODE_ACTIONS: // Show the usual 'Actions' popup menu
+			if ($this->bIsAllowDelete) {
 				$aRowActions[] = array(
 					'label'         => 'UI:Links:Delete:Button',
 					'tooltip'       => $sDeleteButtonTooltip,
 					'icon_classes'  => 'fas fa-trash',
 					'js_row_action' => "$('#{$this->oUILinksDirectWidget->GetInputId()}').directlinks('Remove', $(':checkbox', oTrElement));",
 				);
+			}
 				break;

 			case LINKSET_EDITMODE_ADDREMOVE: // The whole linkset can be edited 'in-place'
-				$aRowActions[] = array(
-					'label'         => 'UI:Links:Remove:Button',
-					'tooltip'       => $sRemoveButtonTooltip,
-					'icon_classes'  => 'fas fa-minus',
-					'js_row_action' => "$('#{$this->oUILinksDirectWidget->GetInputId()}').directlinks('Remove', $(':checkbox', oTrElement));",
-				);
+				if ($this->bIsAllowModify) {
+					$aRowActions[] = array(
+						'label'         => 'UI:Links:Remove:Button',
+						'tooltip'       => $sRemoveButtonTooltip,
+						'icon_classes'  => 'fas fa-minus',
+						'js_row_action' => "$('#{$this->oUILinksDirectWidget->GetInputId()}').directlinks('Remove', $(':checkbox', oTrElement));",
+					);
+				}
 				break;

 			default: