N°5971 - Prevent changing the Org of a Person having Portal User without the new Org allowed

2026-02-13 07:24:13 +01:00 · 2023-05-12 18:23:35 +02:00
parent b71cd2182f
commit c61faf453c
4 changed files with 58 additions and 0 deletions
--- a/core/dbobject.class.php
+++ b/core/dbobject.class.php
@@ -5962,7 +5962,22 @@ abstract class DBObject implements iDisplay
 	}

 	/**
+	 *
 	 * @api
+	 *
+	 * @param string $sWarning Warning message displayed when objet is redisplayed
+	 *
+	 * @return void
+	 * @since 3.1.0
+	 */
+	final public function AddCheckWarning(string $sWarning)
+	{
+		$this->m_aCheckWarnings[] = $sWarning;
+	}
+
+	/**
+	 * @api
+	 *
 	 * @param string $sIssue
 	 * @param bool $bIsSecurityIssue
 	 *
--- a/datamodels/2.x/itop-structure/datamodel.itop-structure.xml
+++ b/datamodels/2.x/itop-structure/datamodel.itop-structure.xml
@@ -642,6 +642,13 @@
          </rule>
        </uniqueness_rules>
      </properties>
+      <event_listeners>
+        <event_listener id="CheckUsersUpdate">
+          <event>EVENT_DB_CHECK_TO_WRITE</event>
+          <callback>CheckUsersOnUpdate</callback>
+          <rank>1</rank>
+        </event_listener>
+      </event_listeners>
      <fields>
        <field id="picture" xsi:type="AttributeImage">
          <display_max_width>96</display_max_width>
@@ -712,6 +719,40 @@
        </field>
      </fields>
      <methods>
+        <method id="CheckUsersOnUpdate">
+          <static>false</static>
+          <access>public</access>
+          <type>EventListener</type>
+          <code><![CDATA[  	public function CheckUsersOnUpdate(Combodo\iTop\Service\Events\EventData $oEventData)
+  	{
+        // This method can block the Person modification, by adding a Check Issue
+        $aChanges = $this->ListChanges();
+        // Current User may not be allowed to see User class, so we can't use $this->Get('user_list')
+        $oSearch = new DBObjectSearch('User');
+        $oSearch->AddCondition('contactid', $this->GetKey(), '=');
+        $oSearch->AllowAllData();
+        $oUserSet = new DBObjectSet($oSearch);
+
+        // The organization's person was changed and it has associated Users
+        if (array_key_exists('org_id', $aChanges) && ($oUserSet->Count() > 0)) {
+            while($oUser = $oUserSet->Fetch())
+            {
+                $oAddon = UserRights::GetModuleInstance();
+                $aOrgs = $oAddon->GetUserOrgs($oUser,'Organization');
+                $oSet = $oUser->Get('profile_list');
+                $aProfiles = $oSet->GetColumnAsArray('profile');
+
+                // User is not allowed on the new Organization and has 'Portal user' Profile and is enabled
+                if (!in_array($this->Get('org_id'), $aOrgs) &&  in_array('Portal user',$aProfiles) && ($oUser->Get('status') === 'enabled'))
+                {   // Let's block the Person modification,
+                    // replace by $this->AddCheckWarning(...) if you don't want to block the modification
+                    $this->AddCheckIssue(Dict::Format('Class:Person/Error:ChangingOrgDenied', $this->Get('org_id_friendlyname')));
+                }
+            }
+        }
+  	}
+]]></code>
+        </method>
        <method id="CheckToDelete">
          <static>false</static>
          <access>public</access>
--- a/datamodels/2.x/itop-structure/dictionaries/en.dict.itop-structure.php
+++ b/datamodels/2.x/itop-structure/dictionaries/en.dict.itop-structure.php
@@ -187,6 +187,7 @@ Dict::Add('EN US', 'English', 'English', array(
 	'Class:Person/UniquenessRule:employee_number' => 'there is already a person in \'$this->org_name$\' organization with the same employee number',
 	'Class:Person/UniquenessRule:name+' => 'The employee name should be unique inside its organization',
 	'Class:Person/UniquenessRule:name' => 'There is already a person in \'$this->org_name$\' organization with the same name',
+	'Class:Person/Error:ChangingOrgDenied' => 'Impossible to move this person under organization \'%1$s\' as it would break his access to the User Portal, his associated user not being allowed on this organization',
 ));

 //
--- a/datamodels/2.x/itop-structure/dictionaries/fr.dict.itop-structure.php
+++ b/datamodels/2.x/itop-structure/dictionaries/fr.dict.itop-structure.php
@@ -196,6 +196,7 @@ Dict::Add('FR FR', 'French', 'Français', array(
 	\'$this->org_name$\'',
 	'Class:Person/UniquenessRule:name+' => 'Le nom de l\'employé devrait être unique dans l\'organisation',
 	'Class:Person/UniquenessRule:name' => 'Il y a déjà une personne avec ce nom dans l\'organisation \'$this->org_name$\'',
+	'Class:Person/Error:ChangingOrgDenied' => 'Impossible de déplacer cette personne sous l\'organisation \'%1$s\', cela casserait son accès au portail utilisateur, car il n\'a pas le droit de voir cette organisation',
 ));

 //