(Retrofit from trunk) Allowed organizations Part I.
r4412 Portal : Missing AllDataAllowed --------------------- r4411 Portal : Typo --------------------- r4409 Portal : Allowed Organizations Part II. Made sure that the AllowAllData flag was passed everywhere it was necessary, only when it was necessary. This has been tested but needs MORE testing ! --------------------- r4406 Portal : Renamed <ignore_allowed_organizations> to <ignore_silos> for a more generic approach --------------------- r4405 Portal : Allowed Organizations can now be applied on the portal scopes. Just set the <ignore_allowed_organizations> to true under the concerned <scope> tag. --------------------- SVN:2.3[4443]
@@ -64,7 +64,7 @@ class BrowseBrickController extends BrickController
|
|||||||
$aLevelsProperties = array();
|
$aLevelsProperties = array();
|
||||||
$aLevelsClasses = array();
|
$aLevelsClasses = array();
|
||||||
static::TreeToFlatLevelsProperties($oApp, $oBrick->GetLevels(), $aLevelsProperties);
|
static::TreeToFlatLevelsProperties($oApp, $oBrick->GetLevels(), $aLevelsProperties);
|
||||||
|
|
||||||
// Concistency checks
|
// Concistency checks
|
||||||
if (!in_array($sBrowseMode, array_keys($aBrowseModes)))
|
if (!in_array($sBrowseMode, array_keys($aBrowseModes)))
|
||||||
{
|
{
|
||||||
@@ -281,7 +281,7 @@ class BrowseBrickController extends BrickController
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
$oSet->OptimizeColumnLoad($aColumnAttrs);
|
$oSet->OptimizeColumnLoad($aColumnAttrs);
|
||||||
|
|
||||||
// Retrieving results and organizing them for templating
|
// Retrieving results and organizing them for templating
|
||||||
$aItems = array();
|
$aItems = array();
|
||||||
while ($aCurrentRow = $oSet->FetchAssoc())
|
while ($aCurrentRow = $oSet->FetchAssoc())
|
||||||
@@ -364,6 +364,12 @@ class BrowseBrickController extends BrickController
|
|||||||
// Restricting to the allowed scope
|
// Restricting to the allowed scope
|
||||||
$oScopeSearch = $oApp['scope_validator']->GetScopeFilterForProfiles(UserRights::ListProfiles(), $oSearch->GetClass(), UR_ACTION_READ);
|
$oScopeSearch = $oApp['scope_validator']->GetScopeFilterForProfiles(UserRights::ListProfiles(), $oSearch->GetClass(), UR_ACTION_READ);
|
||||||
$oSearch = ($oScopeSearch !== null) ? $oSearch->Intersect($oScopeSearch) : null;
|
$oSearch = ($oScopeSearch !== null) ? $oSearch->Intersect($oScopeSearch) : null;
|
||||||
|
// - Allowing all data if necessary
|
||||||
|
if ($oScopeSearch->IsAllDataAllowed())
|
||||||
|
{
|
||||||
|
$oSearch->AllowAllData();
|
||||||
|
}
|
||||||
|
|
||||||
if ($oSearch !== null)
|
if ($oSearch !== null)
|
||||||
{
|
{
|
||||||
$aLevelsProperties[$sCurrentLevelAlias] = array(
|
$aLevelsProperties[$sCurrentLevelAlias] = array(
|
||||||
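Review bot: The added `if ($oScopeSearch->IsAllDataAllowed())` in the hunk at -364 dereferences `$oScopeSearch` without a null check, although the line just above treats `null` as a possible return of `GetScopeFilterForProfiles()` and sets `$oSearch` to `null` in that case. A user with no read scope on the level's class would then hit a fatal error instead of being handled by the `if ($oSearch !== null)` guard that follows. Guard the call, e.g. `if ($oScopeSearch !== null && $oScopeSearch->IsAllDataAllowed())`, or move the block inside the existing `if ($oSearch !== null)` branch. The enclosing method starts and ends outside the hunk.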
|
|||||||
@@ -208,6 +208,11 @@ class ManageBrickController extends BrickController
|
|||||||
if ($oDistinctScopeQuery != null)
|
if ($oDistinctScopeQuery != null)
|
||||||
{
|
{
|
||||||
$oDistinctQuery = $oDistinctQuery->Intersect($oDistinctScopeQuery);
|
$oDistinctQuery = $oDistinctQuery->Intersect($oDistinctScopeQuery);
|
||||||
|
// - Allowing all data if necessary
|
||||||
|
if ($oDistinctScopeQuery->IsAllDataAllowed())
|
||||||
|
{
|
||||||
|
$oDistinctQuery->AllowAllData();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
// Adding grouping conditions
|
// Adding grouping conditions
|
||||||
$oFieldExp = new FieldExpression($sGroupingAreaAttCode, $sParentAlias);
|
$oFieldExp = new FieldExpression($sGroupingAreaAttCode, $sParentAlias);
|
||||||
@@ -262,7 +267,19 @@ class ManageBrickController extends BrickController
|
|||||||
// Note : Will need to moved the scope restriction on queries elsewhere when we consider grouping on something else than finalclass
|
// Note : Will need to moved the scope restriction on queries elsewhere when we consider grouping on something else than finalclass
|
||||||
// Note : We now get view scope instead of edit scope as we allowed users to view/edit objects in the brick regarding their rights
|
// Note : We now get view scope instead of edit scope as we allowed users to view/edit objects in the brick regarding their rights
|
||||||
$oScopeQuery = $oApp['scope_validator']->GetScopeFilterForProfiles(UserRights::ListProfiles(), $aGroupingAreasValue['value'], UR_ACTION_READ);
|
$oScopeQuery = $oApp['scope_validator']->GetScopeFilterForProfiles(UserRights::ListProfiles(), $aGroupingAreasValue['value'], UR_ACTION_READ);
|
||||||
$oAreaQuery = ($oScopeQuery !== null) ? $oAreaQuery->Intersect($oScopeQuery) : null;
|
if ($oScopeQuery !== null)
|
||||||
|
{
|
||||||
|
$oAreaQuery = $oAreaQuery->Intersect($oScopeQuery);
|
||||||
|
// - Allowing all data if necessary
|
||||||
|
if ($oScopeQuery->IsAllDataAllowed())
|
||||||
|
{
|
||||||
|
$oAreaQuery->AllowAllData();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
$oAreaQuery = null;
|
||||||
|
}
|
||||||
|
|
||||||
$aQueries[$sKey] = $oAreaQuery;
|
$aQueries[$sKey] = $oAreaQuery;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -86,7 +86,7 @@ class ObjectController extends AbstractController
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Retrieving object
|
// Retrieving object
|
||||||
$oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */);
|
$oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */, $oApp['scope_validator']->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass));
|
||||||
if ($oObject === null)
|
if ($oObject === null)
|
||||||
{
|
{
|
||||||
// We should never be there as the secuirty helper makes sure that the object exists, but just in case.
|
// We should never be there as the secuirty helper makes sure that the object exists, but just in case.
|
||||||
@@ -158,7 +158,7 @@ class ObjectController extends AbstractController
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Retrieving object
|
// Retrieving object
|
||||||
$oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */);
|
$oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */, $oApp['scope_validator']->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass));
|
||||||
if ($oObject === null)
|
if ($oObject === null)
|
||||||
{
|
{
|
||||||
// We should never be there as the secuirty helper makes sure that the object exists, but just in case.
|
// We should never be there as the secuirty helper makes sure that the object exists, but just in case.
|
||||||
@@ -278,8 +278,9 @@ class ObjectController extends AbstractController
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Retrieving origin object
|
// Retrieving origin object
|
||||||
$oOriginObject = MetaModel::GetObject($sObjectClass, $sObjectId);
|
// Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
|
||||||
|
$oOriginObject = MetaModel::GetObject($sObjectClass, $sObjectId, true, true);
|
||||||
|
|
||||||
// Retrieving target object (We check if the method is a simple function or if it's part of a class in which case only static function are supported)
|
// Retrieving target object (We check if the method is a simple function or if it's part of a class in which case only static function are supported)
|
||||||
if (!strpos($sMethodName, '::'))
|
if (!strpos($sMethodName, '::'))
|
||||||
{
|
{
|
||||||
@@ -332,7 +333,7 @@ class ObjectController extends AbstractController
|
|||||||
// }
|
// }
|
||||||
|
|
||||||
// Retrieving object
|
// Retrieving object
|
||||||
$oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */);
|
$oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */, $oApp['scope_validator']->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass));
|
||||||
if ($oObject === null)
|
if ($oObject === null)
|
||||||
{
|
{
|
||||||
// We should never be there as the secuirty helper makes sure that the object exists, but just in case.
|
// We should never be there as the secuirty helper makes sure that the object exists, but just in case.
|
||||||
@@ -461,7 +462,7 @@ class ObjectController extends AbstractController
|
|||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
$oObject = MetaModel::GetObject($sObjectClass, $sObjectId);
|
$oObject = MetaModel::GetObject($sObjectClass, $sObjectId, true, $oApp['scope_validator']->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass));
|
||||||
}
|
}
|
||||||
|
|
||||||
// Preparing transitions only if we are currently going through one
|
// Preparing transitions only if we are currently going through one
|
||||||
@@ -666,7 +667,8 @@ class ObjectController extends AbstractController
|
|||||||
// Retrieving host object for future DBSearch parameters
|
// Retrieving host object for future DBSearch parameters
|
||||||
if ($sHostObjectId !== null)
|
if ($sHostObjectId !== null)
|
||||||
{
|
{
|
||||||
$oHostObject = MetaModel::GetObject($sHostObjectClass, $sHostObjectId);
|
// Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
|
||||||
|
$oHostObject = MetaModel::GetObject($sHostObjectClass, $sHostObjectId, true, true);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
@@ -737,7 +739,13 @@ class ObjectController extends AbstractController
|
|||||||
// It is the responsability of the template designer to write the right query so the user see only what he should.
|
// It is the responsability of the template designer to write the right query so the user see only what he should.
|
||||||
if ($oTargetAttDef->GetEditClass() !== 'CustomFields')
|
if ($oTargetAttDef->GetEditClass() !== 'CustomFields')
|
||||||
{
|
{
|
||||||
$oSearch = $oSearch->Intersect($oApp['scope_validator']->GetScopeFilterForProfiles(UserRights::ListProfiles(), $sTargetObjectClass, UR_ACTION_READ));
|
$oScopeSearch = $oApp['scope_validator']->GetScopeFilterForProfiles(UserRights::ListProfiles(), $sTargetObjectClass, UR_ACTION_READ);
|
||||||
|
$oSearch = $oSearch->Intersect($oScopeSearch);
|
||||||
|
// - Allowing all data if necessary
|
||||||
|
if ($oScopeSearch->IsAllDataAllowed())
|
||||||
|
{
|
||||||
|
$oSearch->AllowAllData();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Retrieving results
|
// Retrieving results
|
||||||
@@ -803,7 +811,8 @@ class ObjectController extends AbstractController
|
|||||||
// Retrieving host object for future DBSearch parameters
|
// Retrieving host object for future DBSearch parameters
|
||||||
if ($sHostObjectId !== null)
|
if ($sHostObjectId !== null)
|
||||||
{
|
{
|
||||||
$oHostObject = MetaModel::GetObject($sHostObjectClass, $sHostObjectId);
|
// Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
|
||||||
|
$oHostObject = MetaModel::GetObject($sHostObjectClass, $sHostObjectId, true, true);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
@@ -988,6 +997,11 @@ class ObjectController extends AbstractController
|
|||||||
if (($oScopeSearch !== null) && ($oTargetAttDef->GetEditClass() !== 'CustomFields'))
|
if (($oScopeSearch !== null) && ($oTargetAttDef->GetEditClass() !== 'CustomFields'))
|
||||||
{
|
{
|
||||||
$oSearch = $oSearch->Intersect($oScopeSearch);
|
$oSearch = $oSearch->Intersect($oScopeSearch);
|
||||||
|
// - Allowing all data if necessary
|
||||||
|
if ($oScopeSearch->IsAllDataAllowed())
|
||||||
|
{
|
||||||
|
$oSearch->AllowAllData();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Retrieving results
|
// Retrieving results
|
||||||
@@ -1121,7 +1135,8 @@ class ObjectController extends AbstractController
|
|||||||
// Retrieving host object for future DBSearch parameters
|
// Retrieving host object for future DBSearch parameters
|
||||||
if ($sHostObjectId !== null)
|
if ($sHostObjectId !== null)
|
||||||
{
|
{
|
||||||
$oHostObject = MetaModel::GetObject($sHostObjectClass, $sHostObjectId);
|
// Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
|
||||||
|
$oHostObject = MetaModel::GetObject($sHostObjectClass, $sHostObjectId, true, true);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
@@ -1212,6 +1227,11 @@ class ObjectController extends AbstractController
|
|||||||
// }
|
// }
|
||||||
// - Intersecting with scope constraints
|
// - Intersecting with scope constraints
|
||||||
$oSearch = $oSearch->Intersect($oScopeSearch);
|
$oSearch = $oSearch->Intersect($oScopeSearch);
|
||||||
|
// - Allowing all data if necessary
|
||||||
|
if ($oScopeSearch->IsAllDataAllowed())
|
||||||
|
{
|
||||||
|
$oSearch->AllowAllData();
|
||||||
|
}
|
||||||
|
|
||||||
// Retrieving results
|
// Retrieving results
|
||||||
// - Preparing object set
|
// - Preparing object set
|
||||||
@@ -1427,7 +1447,12 @@ class ObjectController extends AbstractController
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Building the search
|
// Building the search
|
||||||
|
$bIgnoreSilos = $oApp['scope_validator']->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass);
|
||||||
$oSearch = DBObjectSearch::FromOQL("SELECT " . $sObjectClass . " WHERE id IN ('" . implode("','", $aObjectIds) . "')");
|
$oSearch = DBObjectSearch::FromOQL("SELECT " . $sObjectClass . " WHERE id IN ('" . implode("','", $aObjectIds) . "')");
|
||||||
|
if ($bIgnoreSilos === true)
|
||||||
|
{
|
||||||
|
$oSearch->AllowAllData();
|
||||||
|
}
|
||||||
$oSet = new DBObjectSet($oSearch);
|
$oSet = new DBObjectSet($oSearch);
|
||||||
$oSet->OptimizeColumnLoad($aObjectAttCodes);
|
$oSet->OptimizeColumnLoad($aObjectAttCodes);
|
||||||
|
|
||||||
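Review bot: In the hunk at -1427 the silo filter is lifted from a search that is not visibly narrowed to the user's scope: `$oSearch` is `SELECT <class> WHERE id IN (...)` built from `$aObjectIds`, and `AllowAllData()` is applied on the class-level flag from `IsAllDataAllowedForScope()` alone. If `$aObjectIds` can be influenced by the request (its origin is outside the hunk), a profile with `ignore_silos` on this class could load any object of the class rather than only those selected by its scope OQL. Intersect with the read scope before lifting the filter, as other hunks of this file do: `$oSearch = $oSearch->Intersect($oScopeSearch);` with `$oScopeSearch` taken from `GetScopeFilterForProfiles(UserRights::ListProfiles(), $sObjectClass, UR_ACTION_READ)` and checked for `null`. Since the ids are concatenated into the OQL string, casting each one to an integer before the `implode()` would also be worthwhile.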
|
|||||||
@@ -94,7 +94,8 @@ class ObjectFormManager extends FormManager
|
|||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
$oObject = MetaModel::GetObject($sObjectClass, $aJson['formobject_id'], true);
|
// Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
|
||||||
|
$oObject = MetaModel::GetObject($sObjectClass, $aJson['formobject_id'], true, true);
|
||||||
}
|
}
|
||||||
$oFormManager->SetObject($oObject);
|
$oFormManager->SetObject($oObject);
|
||||||
|
|
||||||
@@ -543,8 +544,16 @@ class ObjectFormManager extends FormManager
|
|||||||
IssueLog::Info(__METHOD__ . ' at line ' . __LINE__ . ' : User #' . UserRights::GetUserId() . ' has no scope query for ' . $oScopeOriginal->GetClass() . ' class.');
|
IssueLog::Info(__METHOD__ . ' at line ' . __LINE__ . ' : User #' . UserRights::GetUserId() . ' has no scope query for ' . $oScopeOriginal->GetClass() . ' class.');
|
||||||
$this->oApp->abort(404, Dict::S('UI:ObjectDoesNotExist'));
|
$this->oApp->abort(404, Dict::S('UI:ObjectDoesNotExist'));
|
||||||
}
|
}
|
||||||
|
IssueLog::Info('Applying scope on field #' . $sAttCode);
|
||||||
|
IssueLog::Info('|-- AllowAllData on scope search ' . (($oScopeSearch->IsAllDataAllowed()) ? 'true' : 'false') . ' : ' . $oScopeSearch->ToOQL());
|
||||||
|
IssueLog::Info('|-- AllowAllData on scope original ' . (($oScopeOriginal->IsAllDataAllowed()) ? 'true' : 'false'));
|
||||||
$oScopeOriginal = $oScopeOriginal->Intersect($oScopeSearch);
|
$oScopeOriginal = $oScopeOriginal->Intersect($oScopeSearch);
|
||||||
|
// Note : This is to skip the silo restriction on the final query
|
||||||
|
if ($oScopeSearch->IsAllDataAllowed())
|
||||||
|
{
|
||||||
|
$oScopeOriginal->AllowAllData();
|
||||||
|
}
|
||||||
|
IssueLog::Info('|-- AllowAllData on result search ' . (($oScopeOriginal->IsAllDataAllowed()) ? 'true' : 'false'));
|
||||||
$oScopeOriginal->SetInternalParams(array('this' => $this->oObject));
|
$oScopeOriginal->SetInternalParams(array('this' => $this->oObject));
|
||||||
$oField->SetSearch($oScopeOriginal);
|
$oField->SetSearch($oScopeOriginal);
|
||||||
}
|
}
|
||||||
@@ -937,7 +946,8 @@ class ObjectFormManager extends FormManager
|
|||||||
// LinkedSet
|
// LinkedSet
|
||||||
if (!$oAttDef->IsIndirect())
|
if (!$oAttDef->IsIndirect())
|
||||||
{
|
{
|
||||||
$oLinkedObject = MetaModel::GetObject($sTargetClass, abs($iTargetId));
|
// Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
|
||||||
|
$oLinkedObject = MetaModel::GetObject($sTargetClass, abs($iTargetId), true, true);
|
||||||
$oValueSet->AddObject($oLinkedObject);
|
$oValueSet->AddObject($oLinkedObject);
|
||||||
}
|
}
|
||||||
// LinkedSetIndirect
|
// LinkedSetIndirect
|
||||||
@@ -953,7 +963,8 @@ class ObjectFormManager extends FormManager
|
|||||||
// Existing relation
|
// Existing relation
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
$oLink = MetaModel::GetObject($sTargetClass, $iTargetId);
|
// Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
|
||||||
|
$oLink = MetaModel::GetObject($sTargetClass, $iTargetId, true, true);
|
||||||
}
|
}
|
||||||
$oValueSet->AddObject($oLink);
|
$oValueSet->AddObject($oLink);
|
||||||
}
|
}
|
||||||
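Review bot: The hunk at -94 loads the form's object from `$aJson['formobject_id']` with `AllowAllData` hard-coded to `true`, so the justification in the added comment ("a value that has been set and validated") holds only if that JSON never carries a client-supplied id. If it does (the origin of `$aJson` is outside the hunk), any object of `$sObjectClass` could be loaded regardless of the user's organizations. Prefer the scope-derived flag that ObjectController passes in this same commit, `IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass)`, provided the scope validator is reachable from this method. Separately, the `IssueLog::Info()` calls added at -543 look like debugging output and write the scope OQL to the log for every scoped field; consider removing them or gating them on the portal's debug flag.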
|
|||||||
@@ -36,6 +36,7 @@ class ScopeValidatorHelper
|
|||||||
const ENUM_TYPE_ALLOW = 'allow';
|
const ENUM_TYPE_ALLOW = 'allow';
|
||||||
const ENUM_TYPE_RESTRICT = 'restrict';
|
const ENUM_TYPE_RESTRICT = 'restrict';
|
||||||
const DEFAULT_GENERATED_CLASS = 'PortalScopesValues';
|
const DEFAULT_GENERATED_CLASS = 'PortalScopesValues';
|
||||||
|
const DEFAULT_IGNORE_SILOS = false;
|
||||||
|
|
||||||
protected $sCachePath;
|
protected $sCachePath;
|
||||||
protected $sFilename;
|
protected $sFilename;
|
||||||
@@ -179,6 +180,9 @@ class ScopeValidatorHelper
|
|||||||
// Retrieving the edit query
|
// Retrieving the edit query
|
||||||
$oOqlEditNode = $oScopeNode->GetOptionalElement('oql_edit');
|
$oOqlEditNode = $oScopeNode->GetOptionalElement('oql_edit');
|
||||||
$sOqlEdit = ( ($oOqlEditNode !== null) && ($oOqlEditNode->GetText() !== null) ) ? $oOqlEditNode->GetText() : null;
|
$sOqlEdit = ( ($oOqlEditNode !== null) && ($oOqlEditNode->GetText() !== null) ) ? $oOqlEditNode->GetText() : null;
|
||||||
|
// Retrieving ignore allowed org flag
|
||||||
|
$oIgnoreSilosNode = $oScopeNode->GetOptionalElement('ignore_silos');
|
||||||
|
$bIgnoreSilos = ( ($oIgnoreSilosNode !== null) && ($oIgnoreSilosNode->GetText() === 'true') ) ? true : static::DEFAULT_IGNORE_SILOS;
|
||||||
|
|
||||||
// Retrieving profiles for the scope
|
// Retrieving profiles for the scope
|
||||||
$oProfilesNode = $oScopeNode->GetOptionalElement('allowed_profiles');
|
$oProfilesNode = $oScopeNode->GetOptionalElement('allowed_profiles');
|
||||||
@@ -221,13 +225,20 @@ class ScopeValidatorHelper
|
|||||||
$oExistingFilter = DBSearch::FromOQL($aProfiles[$sMatrixPrefix . static::ENUM_MODE_READ][$sOqlViewType]);
|
$oExistingFilter = DBSearch::FromOQL($aProfiles[$sMatrixPrefix . static::ENUM_MODE_READ][$sOqlViewType]);
|
||||||
$aFilters = array($oExistingFilter, $oViewFilter);
|
$aFilters = array($oExistingFilter, $oViewFilter);
|
||||||
$oResFilter = new DBUnionSearch($aFilters);
|
$oResFilter = new DBUnionSearch($aFilters);
|
||||||
|
|
||||||
|
// Applying ignore_silos flag on result filter if necessary (As the union will remove it if it is not on all sub-queries)
|
||||||
|
if ($aProfiles[$sMatrixPrefix . static::ENUM_MODE_READ]['ignore_silos'] === true)
|
||||||
|
{
|
||||||
|
$bIgnoreSilos = true;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
$oResFilter = $oViewFilter;
|
$oResFilter = $oViewFilter;
|
||||||
}
|
}
|
||||||
$aProfiles[$sMatrixPrefix . static::ENUM_MODE_READ] = array(
|
$aProfiles[$sMatrixPrefix . static::ENUM_MODE_READ] = array(
|
||||||
$sOqlViewType => $oResFilter->ToOQL()
|
$sOqlViewType => $oResFilter->ToOQL(),
|
||||||
|
'ignore_silos' => $bIgnoreSilos
|
||||||
);
|
);
|
||||||
// - Edit query
|
// - Edit query
|
||||||
if ($sOqlEdit !== null)
|
if ($sOqlEdit !== null)
|
||||||
@@ -264,7 +275,8 @@ class ScopeValidatorHelper
|
|||||||
$oResFilter = $oEditFilter;
|
$oResFilter = $oEditFilter;
|
||||||
}
|
}
|
||||||
$aProfiles[$sMatrixPrefix . static::ENUM_MODE_WRITE] = array(
|
$aProfiles[$sMatrixPrefix . static::ENUM_MODE_WRITE] = array(
|
||||||
$sOqlViewType => $oResFilter->ToOQL()
|
$sOqlViewType => $oResFilter->ToOQL(),
|
||||||
|
'ignore_silos' => $bIgnoreSilos
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -273,7 +285,7 @@ class ScopeValidatorHelper
|
|||||||
$aProfileClasses[] = $sClass;
|
$aProfileClasses[] = $sClass;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Filling the array with missing classes from MetaModel, so we can have an inheritance principle on the scope
|
// Filling the array with missing classes from MetaModel, so we can have an inheritance principle on the scope
|
||||||
// For each class explicitly given in the scopes, we check if its child classes were also in the scope :
|
// For each class explicitly given in the scopes, we check if its child classes were also in the scope :
|
||||||
// If not, we add them with the same OQL
|
// If not, we add them with the same OQL
|
||||||
@@ -295,10 +307,14 @@ class ScopeValidatorHelper
|
|||||||
$aTmpProfile = $aProfiles[$iProfileId . '_' . $sProfileClass . '_' . $sAction];
|
$aTmpProfile = $aProfiles[$iProfileId . '_' . $sProfileClass . '_' . $sAction];
|
||||||
foreach ($aTmpProfile as $sType => $sOql)
|
foreach ($aTmpProfile as $sType => $sOql)
|
||||||
{
|
{
|
||||||
$oTmpFilter = DBSearch::FromOQL($sOql);
|
// IF condition is just to skip the 'ignore_silos' flag
|
||||||
$oTmpFilter->ChangeClass($sChildClass);
|
if (in_array($sType, array(static::ENUM_TYPE_ALLOW, static::ENUM_TYPE_RESTRICT)))
|
||||||
|
{
|
||||||
|
$oTmpFilter = DBSearch::FromOQL($sOql);
|
||||||
|
$oTmpFilter->ChangeClass($sChildClass);
|
||||||
|
|
||||||
$aTmpProfile[$sType] = $oTmpFilter->ToOQL();
|
$aTmpProfile[$sType] = $oTmpFilter->ToOQL();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$aProfiles[$iProfileId . '_' . $sChildClass . '_' . $sAction] = $aTmpProfile;
|
$aProfiles[$iProfileId . '_' . $sChildClass . '_' . $sAction] = $aTmpProfile;
|
||||||
@@ -471,6 +487,7 @@ class ScopeValidatorHelper
|
|||||||
$oSearch = null;
|
$oSearch = null;
|
||||||
$aAllowSearches = array();
|
$aAllowSearches = array();
|
||||||
$aRestrictSearches = array();
|
$aRestrictSearches = array();
|
||||||
|
$bIgnoreSilos = static::DEFAULT_IGNORE_SILOS;
|
||||||
|
|
||||||
// Checking the default mode
|
// Checking the default mode
|
||||||
if ($iAction === null)
|
if ($iAction === null)
|
||||||
@@ -498,6 +515,11 @@ class ScopeValidatorHelper
|
|||||||
{
|
{
|
||||||
$aRestrictSearches[] = DBSearch::FromOQL($aProfileMatrix['restrict']);
|
$aRestrictSearches[] = DBSearch::FromOQL($aProfileMatrix['restrict']);
|
||||||
}
|
}
|
||||||
|
// If a profile should ignore allowed org, we set it for all its queries no matter the profile
|
||||||
|
if (isset($aProfileMatrix['ignore_silos']) && $aProfileMatrix['ignore_silos'] === true)
|
||||||
|
{
|
||||||
|
$bIgnoreSilos = true;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -514,10 +536,47 @@ class ScopeValidatorHelper
|
|||||||
$oSearch = new DBUnionSearch($aAllowSearches);
|
$oSearch = new DBUnionSearch($aAllowSearches);
|
||||||
$oSearch = $oSearch->RemoveDuplicateQueries();
|
$oSearch = $oSearch->RemoveDuplicateQueries();
|
||||||
}
|
}
|
||||||
|
if ($bIgnoreSilos === true)
|
||||||
|
{
|
||||||
|
$oSearch->AllowAllData();
|
||||||
|
}
|
||||||
|
|
||||||
return $oSearch;
|
return $oSearch;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns true if at least one of the $aProfiles has the ignore_silos flag set to true for the $sClass.
|
||||||
|
*
|
||||||
|
* @param array $aProfiles
|
||||||
|
* @param string $sClass
|
||||||
|
* @return boolean
|
||||||
|
*/
|
||||||
|
public function IsAllDataAllowedForScope($aProfiles, $sClass)
|
||||||
|
{
|
||||||
|
$bIgnoreSilos = false;
|
||||||
|
|
||||||
|
// Iterating on profiles to retrieving the different OQLs parts
|
||||||
|
foreach ($aProfiles as $sProfile)
|
||||||
|
{
|
||||||
|
// Retrieving matrix informtions
|
||||||
|
$iProfileId = $this->GetProfileIdFromProfileName($sProfile);
|
||||||
|
|
||||||
|
// Retrieving profile OQLs
|
||||||
|
$sScopeValuesClass = $this->sGeneratedClass;
|
||||||
|
$aProfileMatrix = $sScopeValuesClass::GetProfileScope($iProfileId, $sClass, static::ENUM_MODE_READ);
|
||||||
|
if ($aProfileMatrix !== null)
|
||||||
|
{
|
||||||
|
// If a profile should ignore allowed org, we set it for all its queries no matter the profile
|
||||||
|
if (isset($aProfileMatrix['ignore_silos']) && $aProfileMatrix['ignore_silos'] === true)
|
||||||
|
{
|
||||||
|
$bIgnoreSilos = true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return $bIgnoreSilos;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Returns the profile id from a string being either a constant or its name.
|
* Returns the profile id from a string being either a constant or its name.
|
||||||
*
|
*
|
||||||
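Review bot: `$bIgnoreSilos` is aggregated across profiles and then applied to the whole result, so one profile's `ignore_silos` flag lifts the organization filter for every other profile's allow query in the union (hunks at -498 and -514, and the compile-time merge at -221). A user holding a silo-bound profile with a broad scope and a flagged profile with a narrow scope would get the broad scope across all organizations, which is more than either profile grants on its own. If that is accepted because a union drops the flag unless every sub-query carries it, state it in the method docblock and in the `<ignore_silos>` documentation, e.g. `// WARNING: ignore_silos on one profile applies to the scopes of all profiles the user holds for this class`. Also, `$oSearch->AllowAllData()` before `return $oSearch;` has no null check although `$oSearch` is initialised to `null` in this method; if it can still be null there, guard it with `if ($bIgnoreSilos === true && $oSearch !== null)`.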
|
|||||||
@@ -112,7 +112,7 @@ class SecurityHelper
|
|||||||
// Checking if the cmdbAbstractObject exists if id is specified
|
// Checking if the cmdbAbstractObject exists if id is specified
|
||||||
if ($sObjectId !== null)
|
if ($sObjectId !== null)
|
||||||
{
|
{
|
||||||
$oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */);
|
$oObject = MetaModel::GetObject($sObjectClass, $sObjectId, false /* MustBeFound */, $oApp['scope_validator']->IsAllDataAllowedForScope(UserRights::ListProfiles(), $sObjectClass));
|
||||||
if ($oObject === null)
|
if ($oObject === null)
|
||||||
{
|
{
|
||||||
if ($oApp['debug'])
|
if ($oApp['debug'])
|
||||||
|
|||||||
@@ -229,6 +229,8 @@ EOF
|
|||||||
$sDeleteBtn = Dict::S('Portal:Button:Delete');
|
$sDeleteBtn = Dict::S('Portal:Button:Delete');
|
||||||
|
|
||||||
$oSearch = DBObjectSearch::FromOQL("SELECT Attachment WHERE item_class = :class AND item_id = :item_id");
|
$oSearch = DBObjectSearch::FromOQL("SELECT Attachment WHERE item_class = :class AND item_id = :item_id");
|
||||||
|
// Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
|
||||||
|
$oSearch->AllowAllData();
|
||||||
$oSet = new DBObjectSet($oSearch, array(), array('class' => $sObjectClass, 'item_id' => $this->oField->GetObject()->GetKey()));
|
$oSet = new DBObjectSet($oSearch, array(), array('class' => $sObjectClass, 'item_id' => $this->oField->GetObject()->GetKey()));
|
||||||
|
|
||||||
// If in read only and no attachments, we display a short message
|
// If in read only and no attachments, we display a short message
|
||||||
|
|||||||
@@ -479,7 +479,8 @@ EOF
|
|||||||
// In case of indirect linked set, we must retrieve the remote object
|
// In case of indirect linked set, we must retrieve the remote object
|
||||||
if ($this->oField->IsIndirect())
|
if ($this->oField->IsIndirect())
|
||||||
{
|
{
|
||||||
$oRemoteItem = MetaModel::GetObject($this->oField->GetTargetClass(), $oItem->Get($this->oField->GetExtKeyToRemote()));
|
// Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
|
||||||
|
$oRemoteItem = MetaModel::GetObject($this->oField->GetTargetClass(), $oItem->Get($this->oField->GetExtKeyToRemote()), true, true);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
|||||||
@@ -143,7 +143,8 @@ EOF
|
|||||||
{
|
{
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
$oFieldValue = MetaModel::GetObject($sFieldValueClass, $this->oField->GetCurrentValue());
|
// Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
|
||||||
|
$oFieldValue = MetaModel::GetObject($sFieldValueClass, $this->oField->GetCurrentValue(), true, true);
|
||||||
}
|
}
|
||||||
catch (CoreException $e)
|
catch (CoreException $e)
|
||||||
{
|
{
|
||||||
@@ -304,7 +305,8 @@ EOF
|
|||||||
// Retrieving field value
|
// Retrieving field value
|
||||||
if ($this->oField->GetCurrentValue() !== null && $this->oField->GetCurrentValue() !== 0 && $this->oField->GetCurrentValue() !== '')
|
if ($this->oField->GetCurrentValue() !== null && $this->oField->GetCurrentValue() !== 0 && $this->oField->GetCurrentValue() !== '')
|
||||||
{
|
{
|
||||||
$oFieldValue = MetaModel::GetObject($sFieldValueClass, $this->oField->GetCurrentValue());
|
// Note : AllowAllData set to true here instead of checking scope's flag because we are displaying a value that has been set and validated
|
||||||
|
$oFieldValue = MetaModel::GetObject($sFieldValueClass, $this->oField->GetCurrentValue(), true, true);
|
||||||
$sFieldValue = $oFieldValue->GetName();
|
$sFieldValue = $oFieldValue->GetName();
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
|
|||||||