diff --git a/addons/userrights/userrightsprofile.class.inc.php b/addons/userrights/userrightsprofile.class.inc.php index 339298243f..6fb431b527 100644 --- a/addons/userrights/userrightsprofile.class.inc.php +++ b/addons/userrights/userrightsprofile.class.inc.php @@ -437,11 +437,15 @@ class UserRightsProfile extends UserRightsAddOnAPI /** * Read and cache organizations allowed to the given user - * - * @param oUser - * @param sClass -not used here but can be used in overloads + * + * @param $oUser + * @param $sClass (not used here but can be used in overloads) + * + * @return array + * @throws \CoreException + * @throws \Exception */ - protected function GetUserOrgs($oUser, $sClass) + public function GetUserOrgs($oUser, $sClass) { $iUser = $oUser->GetKey(); if (!array_key_exists($iUser, $this->m_aUserOrgs)) @@ -455,7 +459,6 @@ class UserRightsProfile extends UserRightsAddOnAPI $oUserOrgSet = new DBObjectSet(DBObjectSearch::FromOQL_AllData($sUserOrgQuery), array(), array('userid' => $iUser)); while ($aRow = $oUserOrgSet->FetchAssoc()) { - $oUserOrg = $aRow['UserOrg']; $oOrg = $aRow['Org']; $this->m_aUserOrgs[$iUser][] = $oOrg->GetKey(); } diff --git a/addons/userrights/userrightsprofile.db.class.inc.php b/addons/userrights/userrightsprofile.db.class.inc.php index 40bd6ba396..7873c79bfd 100644 --- a/addons/userrights/userrightsprofile.db.class.inc.php +++ b/addons/userrights/userrightsprofile.db.class.inc.php @@ -613,11 +613,15 @@ class UserRightsProfile extends UserRightsAddOnAPI /** * Read and cache organizations allowed to the given user - * - * @param oUser - * @param sClass -not used here but can be used in overloads + * + * @param $oUser + * @param $sClass (not used here but can be used in overloads) + * + * @return array + * @throws \CoreException + * @throws \Exception */ - protected function GetUserOrgs($oUser, $sClass) + public function GetUserOrgs($oUser, $sClass) { $iUser = $oUser->GetKey(); if (!array_key_exists($iUser, $this->m_aUserOrgs)) 
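Review bot: Widening GetUserOrgs from protected to public turns it into an addon API that core/userrights.class.inc.php discovers with method_exists, yet neither the signature nor the new docblock states what callers get back: `@param $oUser` and `@return array` carry no types. I would document the contract explicitly, e.g. `@param User $oUser`, `@param string $sClass`, and describe the return as the list of organization keys collected from `$oOrg->GetKey()`, so that an addon overriding it (the identical change in addons/userrights/userrightsprofile.db.class.inc.php is the second copy) returns the same shape. If the base class UserRightsAddOnAPI is the intended extension point, declaring the method there would replace the method_exists probe in core with a real contract; that class is not visible here, so I cannot confirm it. The `@throws \Exception` entry is broad enough to say little; keep it only if the body really lets arbitrary exceptions escape. GetUserOrgs's body continues past the end of the hunk.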
@@ -631,7 +635,6 @@ class UserRightsProfile extends UserRightsAddOnAPI $oUserOrgSet = new DBObjectSet(DBObjectSearch::FromOQL_AllData($sUserOrgQuery), array(), array('userid' => $iUser)); while ($aRow = $oUserOrgSet->FetchAssoc()) { - $oUserOrg = $aRow['UserOrg']; $oOrg = $aRow['Org']; $this->m_aUserOrgs[$iUser][] = $oOrg->GetKey(); } diff --git a/core/userrights.class.inc.php b/core/userrights.class.inc.php index 26d833c620..5f56c57741 100644 --- a/core/userrights.class.inc.php +++ b/core/userrights.class.inc.php @@ -256,8 +256,10 @@ abstract class User extends cmdbAbstractObject } /** - * Overload the standard behavior. - */ + * Overload the standard behavior. + * + * @throws \CoreException + */ public function DoCheckToWrite() { parent::DoCheckToWrite(); @@ -290,9 +292,37 @@ abstract class User extends cmdbAbstractObject // Only administrators can manage administrators if (UserRights::IsAdministrator($this) && !UserRights::IsAdministrator()) { - $this->m_aCheckIssues[] = Dict::Format('UI:Login:Error:AccessRestricted'); } + // Check users with restricted organizations + if (!UserRights::IsAdministrator()) + { + $oUser = UserRights::GetUserObject(); + $oAddon = UserRights::GetModuleInstance(); + if (method_exists($oAddon, 'GetUserOrgs')) + { + $aOrgs = $oAddon->GetUserOrgs($oUser, ''); + if (count($aOrgs) > 0) + { + /** @var ORMLinkset $oSet */ + $oSet = $this->Get('allowed_org_list'); + if ($oSet->Count() == 0) + { + $this->m_aCheckIssues[] = Dict::Format('Class:User/Error:AtLeastOneOrganizationIsNeeded'); + } + else + { + while ($oUserOrg = $oSet->Fetch()) + { + if (!in_array($oUserOrg->Get('allowed_org_id'), $aOrgs)) + { + $this->m_aCheckIssues[] = Dict::Format('Class:User/Error:OrganizationNotAllowed'); + } + } + } + } + } + } } function GetGrantAsHtml($sClass, $iAction) diff --git a/dictionaries/en.dictionary.itop.ui.php b/dictionaries/en.dictionary.itop.ui.php index 991c3278f5..8c8c572ef9 100644 --- a/dictionaries/en.dictionary.itop.ui.php 
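Review bot: The membership test `in_array($oUserOrg->Get('allowed_org_id'), $aOrgs)` is a loose comparison, and the two sides come from different sources (`Get()` on the fetched link object versus `GetKey()` inside GetUserOrgs), so any string-versus-int mismatch is currently absorbed by PHP's coercion rules; normalize and compare strictly, `if (!in_array((int)$oUserOrg->Get('allowed_org_id'), array_map('intval', $aOrgs), true))`, so the organization-scope check does not depend on loose-comparison behaviour. `$oUser = UserRights::GetUserObject()` is passed straight into GetUserOrgs, which dereferences it with `GetKey()`; if no user object can exist in the context where a write is checked (I cannot tell from this hunk whether that happens), guard it with `if ($oUser !== null && method_exists($oAddon, 'GetUserOrgs'))`. The `OrganizationNotAllowed` issue is appended once per offending link with no organization named, so the editor cannot tell which entry to fix and identical messages may repeat; pass `$oUserOrg->Get('allowed_org_id')` as a format argument and give the dictionary entry a placeholder for it. `$oSet->Count() == 0` should be `=== 0`. DoCheckToWrite begins before this hunk.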
+++ b/dictionaries/en.dictionary.itop.ui.php @@ -138,7 +138,8 @@ Dict::Add('EN US', 'English', 'English', array( 'Class:User/Error:LoginMustBeUnique' => 'Login must be unique - "%1s" is already being used.', 'Class:User/Error:AtLeastOneProfileIsNeeded' => 'At least one profile must be assigned to this user.', - + 'Class:User/Error:AtLeastOneOrganizationIsNeeded' => 'At least one organization must be assigned to this user.', + 'Class:User/Error:OrganizationNotAllowed' => 'Organization not allowed.', 'Class:UserInternal' => 'User Internal', 'Class:UserInternal+' => 'User defined within iTop', )); diff --git a/dictionaries/fr.dictionary.itop.ui.php b/dictionaries/fr.dictionary.itop.ui.php index 362019ea3a..818836de88 100644 --- a/dictionaries/fr.dictionary.itop.ui.php +++ b/dictionaries/fr.dictionary.itop.ui.php @@ -162,6 +162,8 @@ Dict::Add('FR FR', 'French', 'Français', array( 'Class:User/Attribute:status/Value:disabled' => 'Désactivé', 'Class:User/Error:LoginMustBeUnique' => 'Le login doit être unique - "%1s" est déjà utilisé.', 'Class:User/Error:AtLeastOneProfileIsNeeded' => 'L\'utilisateur doit avoir au moins un profil.', + 'Class:User/Error:AtLeastOneOrganizationIsNeeded' => 'L\'utilisateur doit avoir au moins une organisation.', + 'Class:User/Error:OrganizationNotAllowed' => 'Organisation non autorisée.', 'Class:UserInternal' => 'Utilisateur interne', 'Class:UserInternal+' => 'Utilisateur défini dans iTop', 'Class:URP_Dimensions' => 'Dimension',