mirror of
https://github.com/Combodo/iTop.git
synced 2026-03-11 03:54:21 +01:00
(Retrofit from trunk) Allowed organizations Part I.
r4412 Portal : Missing AllDataAllowed --------------------- r4411 Portal : Typo --------------------- r4409 Portal : Allowed Organizations Part II. Made sur that the AllowAllData flag was passed everywhere it was necessary, only when it was necessary. This has been tested but needs MORE testing ! --------------------- r4406 Portal : Renamed <ignore_allowed_organizations> to <ignore_silos> for a more generic aproch --------------------- r4405 Portal : Allowed Organizations can now be applied on the portal scopes. Just set the <ignore_allowed_organizations> to true under the concerned <scope> tag. --------------------- SVN:2.3[4443]
This commit is contained in:
Guillaume Lajarige
@@ -64,7 +64,7 @@ class BrowseBrickController extends BrickController
|
||||
$aLevelsProperties = array();
|
||||
$aLevelsClasses = array();
|
||||
static::TreeToFlatLevelsProperties($oApp, $oBrick->GetLevels(), $aLevelsProperties);
|
||||
|
||||
|
||||
// Concistency checks
|
||||
if (!in_array($sBrowseMode, array_keys($aBrowseModes)))
|
||||
{
|
||||
@@ -281,7 +281,7 @@ class BrowseBrickController extends BrickController
|
||||
}
|
||||
}
|
||||
$oSet->OptimizeColumnLoad($aColumnAttrs);
|
||||
|
||||
|
||||
// Retrieving results and organizing them for templating
|
||||
$aItems = array();
|
||||
while ($aCurrentRow = $oSet->FetchAssoc())
|
||||
@@ -364,6 +364,12 @@ class BrowseBrickController extends BrickController
|
||||
// Restricting to the allowed scope
|
||||
$oScopeSearch = $oApp['scope_validator']->GetScopeFilterForProfiles(UserRights::ListProfiles(), $oSearch->GetClass(), UR_ACTION_READ);
|
||||
$oSearch = ($oScopeSearch !== null) ? $oSearch->Intersect($oScopeSearch) : null;
|
||||
// - Allowing all data if necessary
|
||||
if ($oScopeSearch->IsAllDataAllowed())
|
||||
{
|
||||
$oSearch->AllowAllData();
|
||||
}
|
||||
|
||||
if ($oSearch !== null)
|
||||
{
|
||||
$aLevelsProperties[$sCurrentLevelAlias] = array(
|
||||
|
||||
@@ -208,6 +208,11 @@ class ManageBrickController extends BrickController
|
||||
if ($oDistinctScopeQuery != null)
|
||||
{
|
||||
$oDistinctQuery = $oDistinctQuery->Intersect($oDistinctScopeQuery);
|
||||
// - Allowing all data if necessary
|
||||
if ($oDistinctScopeQuery->IsAllDataAllowed())
|
||||
{
|
||||
$oDistinctQuery->AllowAllData();
|
||||
}
|
||||
}
|
||||
// Adding grouping conditions
|
||||
$oFieldExp = new FieldExpression($sGroupingAreaAttCode, $sParentAlias);
|
||||
@@ -262,7 +267,19 @@ class ManageBrickController extends BrickController
|
||||
// Note : Will need to moved the scope restriction on queries elsewhere when we consider grouping on something else than finalclass
|
||||
// Note : We now get view scope instead of edit scope as we allowed users to view/edit objects in the brick regarding their rights
|
||||
$oScopeQuery = $oApp['scope_validator']->GetScopeFilterForProfiles(UserRights::ListProfiles(), $aGroupingAreasValue['value'], UR_ACTION_READ);
|
||||
$oAreaQuery = ($oScopeQuery !== null) ? $oAreaQuery->Intersect($oScopeQuery) : null;
|
||||
if ($oScopeQuery !== null)
|
||||
{
|
||||
$oAreaQuery = $oAreaQuery->Intersect($oScopeQuery);
|
||||
// - Allowing all data if necessary
|
||||
if ($oScopeQuery->IsAllDataAllowed())
|
||||
{
|
||||
$oAreaQuery->AllowAllData();
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
$oAreaQuery = null;
|
||||
}
|
||||
|
||||
$aQueries[$sKey] = $oAreaQuery;
|
||||
}
|
||||
|
||||
@@ -86,7 +86,7 @@ class ObjectController extends AbstractController
|
||||
}
|
||||
|
||||
// Retrieving object
|
||||
$oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */);
|
||||
$oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */, $oApp['scope_validator']->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass));
|
||||
if ($oObject === null)
|
||||
{
|
||||
// We should never be there as the secuirty helper makes sure that the object exists, but just in case.
|
||||
@@ -158,7 +158,7 @@ class ObjectController extends AbstractController
|
||||
}
|
||||
|
||||
// Retrieving object
|
||||
$oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */);
|
||||
$oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */, $oApp['scope_validator']->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass));
|
||||
if ($oObject === null)
|
||||
{
|
||||
// We should never be there as the secuirty helper makes sure that the object exists, but just in case.
|
||||
@@ -278,8 +278,9 @@ class ObjectController extends AbstractController
|
||||
}
|
||||
|
||||
// Retrieving origin object
|
||||
$oOriginObject = MetaModel::GetObject($sObjectClass, $sObjectId);
|
||||
|
||||
// Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
|
||||
$oOriginObject = MetaModel::GetObject($sObjectClass, $sObjectId, true, true);
|
||||
|
||||
// Retrieving target object (We check if the method is a simple function or if it's part of a class in which case only static function are supported)
|
||||
if (!strpos($sMethodName, '::'))
|
||||
{
|
||||
@@ -332,7 +333,7 @@ class ObjectController extends AbstractController
|
||||
// }
|
||||
|
||||
// Retrieving object
|
||||
$oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */);
|
||||
$oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */, $oApp['scope_validator']->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass));
|
||||
if ($oObject === null)
|
||||
{
|
||||
// We should never be there as the secuirty helper makes sure that the object exists, but just in case.
|
||||
@@ -461,7 +462,7 @@ class ObjectController extends AbstractController
|
||||
}
|
||||
else
|
||||
{
|
||||
$oObject = MetaModel::GetObject($sObjectClass, $sObjectId);
|
||||
$oObject = MetaModel::GetObject($sObjectClass, $sObjectId, true, $oApp['scope_validator']->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass));
|
||||
}
|
||||
|
||||
// Preparing transitions only if we are currently going through one
|
||||
@@ -666,7 +667,8 @@ class ObjectController extends AbstractController
|
||||
// Retrieving host object for future DBSearch parameters
|
||||
if ($sHostObjectId !== null)
|
||||
{
|
||||
$oHostObject = MetaModel::GetObject($sHostObjectClass, $sHostObjectId);
|
||||
// Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
|
||||
$oHostObject = MetaModel::GetObject($sHostObjectClass, $sHostObjectId, true, true);
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -737,7 +739,13 @@ class ObjectController extends AbstractController
|
||||
// It is the responsability of the template designer to write the right query so the user see only what he should.
|
||||
if ($oTargetAttDef->GetEditClass() !== 'CustomFields')
|
||||
{
|
||||
$oSearch = $oSearch->Intersect($oApp['scope_validator']->GetScopeFilterForProfiles(UserRights::ListProfiles(), $sTargetObjectClass, UR_ACTION_READ));
|
||||
$oScopeSearch = $oApp['scope_validator']->GetScopeFilterForProfiles(UserRights::ListProfiles(), $sTargetObjectClass, UR_ACTION_READ);
|
||||
$oSearch = $oSearch->Intersect($oScopeSearch);
|
||||
// - Allowing all data if necessary
|
||||
if ($oScopeSearch->IsAllDataAllowed())
|
||||
{
|
||||
$oSearch->AllowAllData();
|
||||
}
|
||||
}
|
||||
|
||||
// Retrieving results
|
||||
@@ -803,7 +811,8 @@ class ObjectController extends AbstractController
|
||||
// Retrieving host object for future DBSearch parameters
|
||||
if ($sHostObjectId !== null)
|
||||
{
|
||||
$oHostObject = MetaModel::GetObject($sHostObjectClass, $sHostObjectId);
|
||||
// Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
|
||||
$oHostObject = MetaModel::GetObject($sHostObjectClass, $sHostObjectId, true, true);
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -988,6 +997,11 @@ class ObjectController extends AbstractController
|
||||
if (($oScopeSearch !== null) && ($oTargetAttDef->GetEditClass() !== 'CustomFields'))
|
||||
{
|
||||
$oSearch = $oSearch->Intersect($oScopeSearch);
|
||||
// - Allowing all data if necessary
|
||||
if ($oScopeSearch->IsAllDataAllowed())
|
||||
{
|
||||
$oSearch->AllowAllData();
|
||||
}
|
||||
}
|
||||
|
||||
// Retrieving results
|
||||
@@ -1121,7 +1135,8 @@ class ObjectController extends AbstractController
|
||||
// Retrieving host object for future DBSearch parameters
|
||||
if ($sHostObjectId !== null)
|
||||
{
|
||||
$oHostObject = MetaModel::GetObject($sHostObjectClass, $sHostObjectId);
|
||||
// Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
|
||||
$oHostObject = MetaModel::GetObject($sHostObjectClass, $sHostObjectId, true, true);
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -1212,6 +1227,11 @@ class ObjectController extends AbstractController
|
||||
// }
|
||||
// - Intersecting with scope constraints
|
||||
$oSearch = $oSearch->Intersect($oScopeSearch);
|
||||
// - Allowing all data if necessary
|
||||
if ($oScopeSearch->IsAllDataAllowed())
|
||||
{
|
||||
$oSearch->AllowAllData();
|
||||
}
|
||||
|
||||
// Retrieving results
|
||||
// - Preparing object set
|
||||
@@ -1427,7 +1447,12 @@ class ObjectController extends AbstractController
|
||||
}
|
||||
|
||||
// Building the search
|
||||
$bIgnoreSilos = $oApp['scope_validator']->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass);
|
||||
$oSearch = DBObjectSearch::FromOQL("SELECT " . $sObjectClass . " WHERE id IN ('" . implode("','", $aObjectIds) . "')");
|
||||
if ($bIgnoreSilos === true)
|
||||
{
|
||||
$oSearch->AllowAllData();
|
||||
}
|
||||
$oSet = new DBObjectSet($oSearch);
|
||||
$oSet->OptimizeColumnLoad($aObjectAttCodes);
|
||||
|
||||
|
||||
@@ -94,7 +94,8 @@ class ObjectFormManager extends FormManager
|
||||
}
|
||||
else
|
||||
{
|
||||
$oObject = MetaModel::GetObject($sObjectClass, $aJson['formobject_id'], true);
|
||||
// Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
|
||||
$oObject = MetaModel::GetObject($sObjectClass, $aJson['formobject_id'], true, true);
|
||||
}
|
||||
$oFormManager->SetObject($oObject);
|
||||
|
||||
@@ -543,8 +544,16 @@ class ObjectFormManager extends FormManager
|
||||
IssueLog::Info(__METHOD__ . ' at line ' . __LINE__ . ' : User #' . UserRights::GetUserId() . ' has no scope query for ' . $oScopeOriginal->GetClass() . ' class.');
|
||||
$this->oApp->abort(404, Dict::S('UI:ObjectDoesNotExist'));
|
||||
}
|
||||
|
||||
IssueLog::Info('Applying scope on field #' . $sAttCode);
|
||||
IssueLog::Info('|-- AllowAllData on scope search ' . (($oScopeSearch->IsAllDataAllowed()) ? 'true' : 'false') . ' : ' . $oScopeSearch->ToOQL());
|
||||
IssueLog::Info('|-- AllowAllData on scope original ' . (($oScopeOriginal->IsAllDataAllowed()) ? 'true' : 'false'));
|
||||
$oScopeOriginal = $oScopeOriginal->Intersect($oScopeSearch);
|
||||
// Note : This is to skip the silo restriction on the final query
|
||||
if ($oScopeSearch->IsAllDataAllowed())
|
||||
{
|
||||
$oScopeOriginal->AllowAllData();
|
||||
}
|
||||
IssueLog::Info('|-- AllowAllData on result search ' . (($oScopeOriginal->IsAllDataAllowed()) ? 'true' : 'false'));
|
||||
$oScopeOriginal->SetInternalParams(array('this' => $this->oObject));
|
||||
$oField->SetSearch($oScopeOriginal);
|
||||
}
|
||||
@@ -937,7 +946,8 @@ class ObjectFormManager extends FormManager
|
||||
// LinkedSet
|
||||
if (!$oAttDef->IsIndirect())
|
||||
{
|
||||
$oLinkedObject = MetaModel::GetObject($sTargetClass, abs($iTargetId));
|
||||
// Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
|
||||
$oLinkedObject = MetaModel::GetObject($sTargetClass, abs($iTargetId), true, true);
|
||||
$oValueSet->AddObject($oLinkedObject);
|
||||
}
|
||||
// LinkedSetIndirect
|
||||
@@ -953,7 +963,8 @@ class ObjectFormManager extends FormManager
|
||||
// Existing relation
|
||||
else
|
||||
{
|
||||
$oLink = MetaModel::GetObject($sTargetClass, $iTargetId);
|
||||
// Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
|
||||
$oLink = MetaModel::GetObject($sTargetClass, $iTargetId, true, true);
|
||||
}
|
||||
$oValueSet->AddObject($oLink);
|
||||
}
|
||||
|
||||
@@ -36,6 +36,7 @@ class ScopeValidatorHelper
|
||||
const ENUM_TYPE_ALLOW = 'allow';
|
||||
const ENUM_TYPE_RESTRICT = 'restrict';
|
||||
const DEFAULT_GENERATED_CLASS = 'PortalScopesValues';
|
||||
const DEFAULT_IGNORE_SILOS = false;
|
||||
|
||||
protected $sCachePath;
|
||||
protected $sFilename;
|
||||
@@ -179,6 +180,9 @@ class ScopeValidatorHelper
|
||||
// Retrieving the edit query
|
||||
$oOqlEditNode = $oScopeNode->GetOptionalElement('oql_edit');
|
||||
$sOqlEdit = ( ($oOqlEditNode !== null) && ($oOqlEditNode->GetText() !== null) ) ? $oOqlEditNode->GetText() : null;
|
||||
// Retrieving ignore allowed org flag
|
||||
$oIgnoreSilosNode = $oScopeNode->GetOptionalElement('ignore_silos');
|
||||
$bIgnoreSilos = ( ($oIgnoreSilosNode !== null) && ($oIgnoreSilosNode->GetText() === 'true') ) ? true : static::DEFAULT_IGNORE_SILOS;
|
||||
|
||||
// Retrieving profiles for the scope
|
||||
$oProfilesNode = $oScopeNode->GetOptionalElement('allowed_profiles');
|
||||
@@ -221,13 +225,20 @@ class ScopeValidatorHelper
|
||||
$oExistingFilter = DBSearch::FromOQL($aProfiles[$sMatrixPrefix . static::ENUM_MODE_READ][$sOqlViewType]);
|
||||
$aFilters = array($oExistingFilter, $oViewFilter);
|
||||
$oResFilter = new DBUnionSearch($aFilters);
|
||||
|
||||
// Applying ignore_silos flag on result filter if necessary (As the union will remove it if it is not on all sub-queries)
|
||||
if ($aProfiles[$sMatrixPrefix . static::ENUM_MODE_READ]['ignore_silos'] === true)
|
||||
{
|
||||
$bIgnoreSilos = true;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
$oResFilter = $oViewFilter;
|
||||
}
|
||||
$aProfiles[$sMatrixPrefix . static::ENUM_MODE_READ] = array(
|
||||
$sOqlViewType => $oResFilter->ToOQL()
|
||||
$sOqlViewType => $oResFilter->ToOQL(),
|
||||
'ignore_silos' => $bIgnoreSilos
|
||||
);
|
||||
// - Edit query
|
||||
if ($sOqlEdit !== null)
|
||||
@@ -264,7 +275,8 @@ class ScopeValidatorHelper
|
||||
$oResFilter = $oEditFilter;
|
||||
}
|
||||
$aProfiles[$sMatrixPrefix . static::ENUM_MODE_WRITE] = array(
|
||||
$sOqlViewType => $oResFilter->ToOQL()
|
||||
$sOqlViewType => $oResFilter->ToOQL(),
|
||||
'ignore_silos' => $bIgnoreSilos
|
||||
);
|
||||
}
|
||||
}
|
||||
@@ -273,7 +285,7 @@ class ScopeValidatorHelper
|
||||
$aProfileClasses[] = $sClass;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
// Filling the array with missing classes from MetaModel, so we can have an inheritance principle on the scope
|
||||
// For each class explicitly given in the scopes, we check if its child classes were also in the scope :
|
||||
// If not, we add them with the same OQL
|
||||
@@ -295,10 +307,14 @@ class ScopeValidatorHelper
|
||||
$aTmpProfile = $aProfiles[$iProfileId . '_' . $sProfileClass . '_' . $sAction];
|
||||
foreach ($aTmpProfile as $sType => $sOql)
|
||||
{
|
||||
$oTmpFilter = DBSearch::FromOQL($sOql);
|
||||
$oTmpFilter->ChangeClass($sChildClass);
|
||||
// IF condition is just to skip the 'ignore_silos' flag
|
||||
if (in_array($sType, array(static::ENUM_TYPE_ALLOW, static::ENUM_TYPE_RESTRICT)))
|
||||
{
|
||||
$oTmpFilter = DBSearch::FromOQL($sOql);
|
||||
$oTmpFilter->ChangeClass($sChildClass);
|
||||
|
||||
$aTmpProfile[$sType] = $oTmpFilter->ToOQL();
|
||||
$aTmpProfile[$sType] = $oTmpFilter->ToOQL();
|
||||
}
|
||||
}
|
||||
|
||||
$aProfiles[$iProfileId . '_' . $sChildClass . '_' . $sAction] = $aTmpProfile;
|
||||
@@ -471,6 +487,7 @@ class ScopeValidatorHelper
|
||||
$oSearch = null;
|
||||
$aAllowSearches = array();
|
||||
$aRestrictSearches = array();
|
||||
$bIgnoreSilos = static::DEFAULT_IGNORE_SILOS;
|
||||
|
||||
// Checking the default mode
|
||||
if ($iAction === null)
|
||||
@@ -498,6 +515,11 @@ class ScopeValidatorHelper
|
||||
{
|
||||
$aRestrictSearches[] = DBSearch::FromOQL($aProfileMatrix['restrict']);
|
||||
}
|
||||
// If a profile should ignore allowed org, we set it for all its queries no matter the profile
|
||||
if (isset($aProfileMatrix['ignore_silos']) && $aProfileMatrix['ignore_silos'] === true)
|
||||
{
|
||||
$bIgnoreSilos = true;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -514,10 +536,47 @@ class ScopeValidatorHelper
|
||||
$oSearch = new DBUnionSearch($aAllowSearches);
|
||||
$oSearch = $oSearch->RemoveDuplicateQueries();
|
||||
}
|
||||
|
||||
if ($bIgnoreSilos === true)
|
||||
{
|
||||
$oSearch->AllowAllData();
|
||||
}
|
||||
|
||||
return $oSearch;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns true if at least one of the $aProfiles has the ignore_silos flag set to true for the $sClass.
|
||||
*
|
||||
* @param array $aProfiles
|
||||
* @param string $sClass
|
||||
* @return boolean
|
||||
*/
|
||||
public function IsAllDataAllowedForScope($aProfiles, $sClass)
|
||||
{
|
||||
$bIgnoreSilos = false;
|
||||
|
||||
// Iterating on profiles to retrieving the different OQLs parts
|
||||
foreach ($aProfiles as $sProfile)
|
||||
{
|
||||
// Retrieving matrix informtions
|
||||
$iProfileId = $this->GetProfileIdFromProfileName($sProfile);
|
||||
|
||||
// Retrieving profile OQLs
|
||||
$sScopeValuesClass = $this->sGeneratedClass;
|
||||
$aProfileMatrix = $sScopeValuesClass::GetProfileScope($iProfileId, $sClass, static::ENUM_MODE_READ);
|
||||
if ($aProfileMatrix !== null)
|
||||
{
|
||||
// If a profile should ignore allowed org, we set it for all its queries no matter the profile
|
||||
if (isset($aProfileMatrix['ignore_silos']) && $aProfileMatrix['ignore_silos'] === true)
|
||||
{
|
||||
$bIgnoreSilos = true;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return $bIgnoreSilos;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the profile id from a string being either a constant or its name.
|
||||
*
|
||||
|
||||
@@ -112,7 +112,7 @@ class SecurityHelper
|
||||
// Checking if the cmdbAbstractObject exists if id is specified
|
||||
if ($sObjectId !== null)
|
||||
{
|
||||
$oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */);
|
||||
$oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */, $oApp['scope_validator']->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass));
|
||||
if ($oObject === null)
|
||||
{
|
||||
if ($oApp['debug'])
|
||||
|
||||
Reference in New Issue
Block a user