
[Noalyss-commit] [noalyss] 05/24: Security : management , profile access


From: Dany De Bontridder
Subject: [Noalyss-commit] [noalyss] 05/24: Security : management , profile access
Date: Tue, 12 Jul 2022 07:05:24 -0400 (EDT)

sparkyx pushed a commit to branch master
in repository noalyss.

commit 6c4a4156a49290fa1071312b6f20927b7e40e42a
Author: sparkyx <danydb@noalyss.eu>
AuthorDate: Tue May 3 22:41:00 2022 +0200

    Security : management , profile access
---
 include/action.common.inc.php                 | 11 +++-
 include/class/follow_up.class.php             | 18 +++---
 include/class/user.class.php                  | 50 ++++++++++++-----
 include/template/action_display_short.php     |  2 +-
 include/template/followup-show-action-add.php |  6 +-
 unit-test/include/class/userTest.php          | 79 +++++++++++++++++++++++++++
 6 files changed, 139 insertions(+), 27 deletions(-)

diff --git a/include/action.common.inc.php b/include/action.common.inc.php
index 4e05db6c1..b29687199 100644
--- a/include/action.common.inc.php
+++ b/include/action.common.inc.php
@@ -40,6 +40,15 @@ if (isset($_REQUEST['sb']))
        $supl_hidden.=HtmlInput::hidden('sb', $http->request("sb"));
 $supl_hidden.=HtmlInput::hidden('ac', $http->request("ac"));
 
+/**
+ * if no group available , then stop
+ */
+global $g_user;
+
+if ( empty ($g_user->get_readable_profile() ) ) {
+     echo_warning(_("Aucun profil disponible"));
+    return;
+}
 
 $correction = 0;
 $error_id=0;
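Review bot: The new gate at the top of action.common.inc.php fails closed, which is right, but its comment ("if no group available , then stop") does not record its scope: the `return` aborts the whole include, so none of the sub-action handlers further down (for example `save_action_st2`, visible in the next hunk) run for a user with no readable profile, and `get_readable_profile()` is a DB query (see user.class.php in this commit), not a cached property. Suggested replacement for the docblock: `// Access gate: a user with no readable action profile only gets the warning; the return aborts this whole include, POST handlers included. get_readable_profile() queries the DB.` If the same value is needed again further down this file, keep it in a local rather than re-querying.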
@@ -343,7 +352,7 @@ if ($sub_action == "save_action_st2")
 }
 
//--------------------------------------------------------------------------------
 // Add an action
-if ($sub_action == "add_action")
+if ($sub_action == "add_action" && ! empty($g_user->get_writable_profile() ) )
 {
        $act = new Follow_Up($cn);
        $act->fromArray($_POST);
diff --git a/include/class/follow_up.class.php 
b/include/class/follow_up.class.php
index bd079d5a1..cdde6d324 100644
--- a/include/class/follow_up.class.php
+++ b/include/class/follow_up.class.php
@@ -109,10 +109,10 @@ class Follow_Up
         }
         if ($p_mode=='R')
         {
-            $sql=" (ag_dest in (select p_granted from user_sec_action_profile 
where p_id=$profile ) ) ";
+            $sql=" (ag_dest in (select p_granted from user_sec_action_profile 
where p_id=$profile and ua_right !='X' ) ) ";
         } else if ($p_mode=='W')
         {
-            $sql=" ( ag_dest in (select p_granted from user_sec_action_profile 
where p_id=$profile and ua_right='W' ) )";
+            $sql=" ( ag_dest in (select p_granted from user_sec_action_profile 
where p_id=$profile and ua_right in ('W','O') ) )";
         } else  {
             record_log(_('Securité'));
             throw new Exception(_('Securité'));
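Review bot: The read-mode filter now uses a deny-list, `ua_right !='X'`, while `User::sql_readable_profile()` in the same commit uses the allow-list `ua_right in ('W','R','O')`; the two "readable" sets disagree for any other value of ua_right (a typo, a future right), and this one fails open. Use the same allow-list here: `$sql=" (ag_dest in (select p_granted from user_sec_action_profile where p_id=$profile and ua_right in ('R','W','O') ) ) ";`. `$profile` is interpolated into the SQL text in both branches and is assigned before this hunk, so confirm it is an integer (cast with `(int)` at the assignment) and never a raw request string. The enclosing method starts outside the hunk.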
@@ -270,7 +270,7 @@ class Follow_Up
         // select profile
         $aAg_dest=$this->db->make_array("select  p_id as value, ".
                 "p_name as label ".
-                " from profile  where p_id in 
".$g_user->get_writable_profile()."order by 2");
+                " from profile  where p_id in 
".$g_user->sql_writable_profile()." order by 2");
 
         $ag_dest->value=$aAg_dest;
         $ag_dest->selected=$this->ag_dest;
@@ -1170,20 +1170,20 @@ class Follow_Up
         $aAg_dest=$cn->make_array("select  p_id as value, ".
                 "p_name as label ".
                 " from profile where p_id in ".
-                $g_user->get_readable_profile().
+                $g_user->sql_readable_profile().
                 "order by 2");
-        $aAg_dest[]=array('value'=>'-2', 'label'=>_('Tous les profiles'));
+        $aAg_dest[]=array('value'=>'-2', 'label'=>_('Tous les profils'));
         $ag_dest=new ISelect();
         $ag_dest->name="ag_dest_query";
         $ag_dest->value=$aAg_dest;
-        
$ag_dest->selected=(isset($_GET["ag_dest_query"]))?$_GET["ag_dest_query"]:-2;
+        $ag_dest->selected=$http->get("ag_dest_query","number",-2);
         $str_ag_dest=$ag_dest->input();
         $osag_ref=new IText("sag_ref");
-        $osag_ref->value=(isset($_GET['sag_ref']))?$_GET['sag_ref']:"";
+        $osag_ref->value=$http->get('sag_ref',"string","");
         $remind_date=new IDate('remind_date');
-        
$remind_date->value=(isset($_GET['remind_date']))?$_GET['remind_date']:"";
+        $remind_date->value=$http->get('remind_date',"string","");
         $remind_date_end=new IDate('remind_date_end');
-        
$remind_date_end->value=(isset($_GET['remind_date_end']))?$_GET['remind_date_end']:"";
+        $remind_date_end->value=$http->get('remind_date_end',"string","");
         $otag=new Tag($cn);
 
         // show the  action in
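Review bot: Moving from raw `$_GET` to `$http->get(...)` is the right direction, but `sag_ref`, `remind_date` and `remind_date_end` are read with the `"string"` type, so nothing constrains the two date fields; if HttpInput offers a date type the `IDate` widgets should use it, e.g. `$remind_date->value=$http->get('remind_date','date','');` — I cannot see HttpInput's supported types from here, so verify before changing. These values are reflected back into the page through the widgets' `value`, which relies on `IText::input()`/`IDate::input()` HTML-escaping them; worth confirming rather than assuming. `$http` must already be in scope in this method, whose start is outside the hunk.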
diff --git a/include/class/user.class.php b/include/class/user.class.php
index 405c96fa8..dee3e115b 100644
--- a/include/class/user.class.php
+++ b/include/class/user.class.php
@@ -1356,7 +1356,7 @@ class User
     }
 
     /**
-     * Audit action from the administration menu
+     * @brief Audit action from the administration menu
      * @param $p_module description of the action
      */
     static function audit_admin($p_module)
@@ -1412,62 +1412,82 @@ class User
     }
 
     /**
-     * return the profile (p_id)
+     * @brief  return the profile (p_id)
      * @return profile.p_id
      */
     function get_profile()
     {
         $profile=$this->db->get_value("select p_id from profile_user where
-                               lower(user_name)=lower($1)", 
array($this->login));
+                               lower(user_name)=lower($1) ", 
array($this->login));
         return $profile;
     }
 
     /**
-     * Compute the SQL string for the writable profile, 
+     * @brief Compute the SQL string for the writable profile, 
      * the subselect for p_id , example
-     * p_id in $g_user->get_writable_profile.
+     * p_id in $g_user->sql_writable_profile.
      * The administrator can access all the profiles
+     * R = Read Only W = Write and delete O = write and not delete
      * @return SQL string with the subselect for p_id 
      */
-    function get_writable_profile()
+    function sql_writable_profile()
     {
         if ($this->admin!=1)
         {
             $sql=" (select p_granted "
                     ."     from user_sec_action_profile "
-                    ."     where ua_right='W' and 
p_id=".$this->get_profile().") ";
+                    ."     where ua_right in ('W','O') and 
p_id=".$this->get_profile().") ";
         }
         else
         {
-            $sql="(select p_id from profile)";
+            $sql="(select p_id p_granted from profile)";
         }
         return $sql;
     }
-
     /**
-     * Compute the SQL string for the readable profile, 
+     * @brief return array of writable action_profile 
+     * 
+     */
+    function get_writable_profile()
+    {
+       $value=$this->db->get_array("select p_granted from 
".$this->sql_writable_profile()." as m") ;
+       $aGranted=array_column($value,"p_granted");
+       return $aGranted;
+    }
+    /**
+     * @brief return array of readable action_profile 
+     * 
+     */
+    function get_readable_profile()
+    {
+       $value=$this->db->get_array("select p_granted from 
".$this->sql_readable_profile()." as m") ;
+       $aGranted=array_column($value,"p_granted");
+       return $aGranted;
+    }
+    /**
+     *@brief  Compute the SQL string for the readable profile, 
      * the subselect for p_id , example
-     * p_id in $g_user->get_readable_profile.
+     * p_id in $g_user->sql_readable_profile.
      * The administrator can read all the profiles
      * @return SQL string with the subselect for p_id 
      */
-    function get_readable_profile()
+    function sql_readable_profile()
     {
         if ($this->admin!=1)
         {
             $sql=" (select p_granted "
                     ."     from user_sec_action_profile "
-                    ."     where ua_right in ('W','R') and 
p_id=".$this->get_profile().") ";
+                    ."     where ua_right in ('W','R','O') and 
p_id=".$this->get_profile().") ";
         }
         else
         {
-            $sql="(select p_id from profile)";
+            $sql="(select p_id p_granted from profile)";
         }
         return $sql;
     }
 
     /**
-     * Check if the current user can add an action in the profile given
+     * @brief Check if the current user can add an action in the profile given
      * in parameter
      * @param type $p_profile profile.p_id = action_gestion.ag_dest
      * @return boolean
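Review bot: `sql_writable_profile()` and `sql_readable_profile()` still splice `$this->get_profile()` into the SQL text unquoted; for a login with no row in `profile_user`, `get_value` presumably returns null/empty and the fragment becomes `p_id=)`, a SQL syntax error that the new `get_readable_profile()` wrapper (now called on every action page from action.common.inc.php) turns into a page failure instead of an empty profile list. Casting makes it fail closed and removes the string-building surface at once: `$profile = (int) $this->get_profile();` followed by `."     where ua_right in ('W','O') and p_id=".$profile.") ";` (same change in the readable variant). The two new array getters also lack a return description; suggest `@return int[] profile.p_id values the user may write (read) actions for, empty array if none`. Each getter runs `get_profile()` plus its own query, so callers that test the result more than once per request should keep it in a local.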
diff --git a/include/template/action_display_short.php 
b/include/template/action_display_short.php
index 2afec0525..08b60c048 100644
--- a/include/template/action_display_short.php
+++ b/include/template/action_display_short.php
@@ -49,7 +49,7 @@ $profile->value=$cn->make_array("select  p_id as value, ".
                 " from profile  "
         . "where "
         . "p_id in "
-        . $g_user->get_writable_profile()
+        . $g_user->sql_writable_profile()
         . "order by 2");
 
 // priority
diff --git a/include/template/followup-show-action-add.php 
b/include/template/followup-show-action-add.php
index ebfb7c39b..2f749ff10 100644
--- a/include/template/followup-show-action-add.php
+++ b/include/template/followup-show-action-add.php
@@ -27,8 +27,12 @@ $cn=Dossier::connect();
  * @file
  * @brief display a button for adding an followup action
  */
-echo HtmlInput::button(uniqid(), _("Ajout action"),
+global $g_user;
+if ( ! empty ($g_user->get_writable_profile())) 
+{
+    echo HtmlInput::button(uniqid(), _("Ajout action"),
         
'onclick="document.getElementById(\'action_add_d\').style.display=\'block\';"');
+}
 ?>
 <div id="action_add_d" class="inner_box" 
style="width:25rem;display:none;top:10rem;">
     <?php echo HtmlInput::title_box(_("Choississez une action"), 
"action_add_d"); ?>
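Review bot: Hiding the "Ajout action" button is a UI convenience, not an access control: the `action_add_d` div with the add form is still emitted below for every user, so anyone who unhides it can submit; the real enforcement is the `get_writable_profile()` guard added to the `add_action` branch of action.common.inc.php in this commit. Record that in the template so nobody later relaxes the server-side check because "the button is hidden": `// UI only: the server-side check is the add_action guard in action.common.inc.php; the form div below is still rendered.` Wrapping the div in the same `if` would also stop rendering a form that cannot be used.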
diff --git a/unit-test/include/class/userTest.php 
b/unit-test/include/class/userTest.php
index 4ee68bbd5..5825824d8 100644
--- a/unit-test/include/class/userTest.php
+++ b/unit-test/include/class/userTest.php
@@ -160,5 +160,84 @@ class UserTest extends TestCase
         
         
         
+    }
+    /**
+     * @brief test the writable profile : W (Read Write) and O (Read Write NO 
delete)
+     */
+    public function testsql_writable_profile()
+    {
+        $cn=Dossier::connect();
+        $user=new User($cn);
+         $_SESSION[SESSION_KEY.'use_admin']=0;
+         $user->admin=0;
+        $this->assertEquals(0 , $user->getAdmin()," Error user is admin");
+        
+        $sql=$user->sql_writable_profile();
+        $sql= " select count(*) from ".$sql." as a";
+        var_dump($sql);
+        
+        $this->assertEquals(3,$cn->get_value($sql),"Error writable profile 
must be = 3");
+        $this->assertEquals(3,count($user->get_writable_profile()),"Error 
writable profile must be = 3");
+        
+        $sql=$user->sql_readable_profile();
+        $sql= " select count(*) from ".$sql." as a";
+        
+        $this->assertEquals(3,$cn->get_value($sql),"Error readable profile 
must be = 3");
+        $this->assertEquals(3,count($user->get_writable_profile()),"Error 
readable profile must be = 3");
+        
+        // remove profile 1
+        $cn->exec_sql("delete from user_sec_action_profile where p_id=$1 and 
p_granted=$2",[$user->get_profile(),1]);
+            
+        $sql=$user->sql_writable_profile();
+        $sql= " select count(*) from ".$sql." as a";
+        var_dump($sql);
+        
+        $this->assertEquals(2,$cn->get_value($sql),"Error writable profile 
must be = 2 ");
+        $this->assertEquals(2,count($user->get_writable_profile()),"Error 
writable profile must be = 2");
+        
+        $sql=$user->sql_readable_profile();
+        $sql= " select count(*) from ".$sql." as a";
+        
+        $this->assertEquals(2,$cn->get_value($sql),"Error readable profile 
must be = 2");
+        $this->assertEquals(2,count($user->get_writable_profile()),"Error 
readable profile must be = 2");
+        
+        // add profile 1 read only
+         $cn->exec_sql("insert into 
user_sec_action_profile(p_id,p_granted,ua_right) values($1,$2,$3)"
+                 ,[$user->get_profile(),1,"R"]);
+        
+        $sql=$user->sql_writable_profile();
+        $sql= " select count(*) from ".$sql." as a";
+        
+        
+        $this->assertEquals(2,$cn->get_value($sql),"Error writable profile 
must be = ");
+        $this->assertEquals(2,count($user->get_writable_profile()),"Error 
writable profile must be = 2");
+        
+        $sql=$user->sql_readable_profile();
+        $sql= " select count(*) from ".$sql." as a";
+        var_dump($sql);
+        $this->assertEquals(3,$cn->get_value($sql),"Error readable profile 
must be = 3");
+        $this->assertEquals(3,count($user->get_readable_profile()),"Error 
readable profile must be = 3");
+        
+        // update  profile 1 O Write and no suppress
+         $cn->exec_sql("update user_sec_action_profile set ua_right = $3 where 
p_id =$1 and p_granted = $2"
+                 ,[$user->get_profile(),1,"O"]);
+        
+        $sql=$user->sql_writable_profile();
+        $sql= " select count(*) from ".$sql." as a";
+        
+        $this->assertEquals(3,$cn->get_value($sql),"Error writable profile 
must be = ");
+        $this->assertEquals(3,count($user->get_writable_profile()),"Error 
writable profile must be = 2");
+        
+        $sql=$user->sql_readable_profile();
+        $sql= " select count(*) from ".$sql." as a";
+        
+        $this->assertEquals(3,$cn->get_value($sql),"Error readable profile 
must be = 3");
+        $this->assertEquals(3,count($user->get_writable_profile()),"Error 
readable profile must be = 3");
+         
+        // update  profile 1 W Write 
+         $cn->exec_sql("update user_sec_action_profile set ua_right = $3 where 
p_id =$1 and p_granted = $2"
+                 ,[$user->get_profile(),1,"W"]);
+          $_SESSION[SESSION_KEY.'use_admin']=1;
+            $user->admin=1;
     }
 }
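Review bot: Three of the "readable profile" assertions call the wrong method — the `count(...)` checks carrying the message "Error readable profile must be = N" after the 3-, 2- and second 3-count SQL checks use `get_writable_profile()` instead of `get_readable_profile()`, so the read-only (`R`) case is only verified through the SQL count, not through the array getter the application code actually uses. Each should read `$this->assertEquals(N,count($user->get_readable_profile()),"Error readable profile must be = N");` (and the message on the 3-count writable check after the `O` update says "= 2" while asserting 3). The test also mutates `user_sec_action_profile` and the session admin flag and restores them only on the success path; one failing assertion leaves profile 1 deleted or read-only and `use_admin` unset for every later test, so wrap the body in try/finally (or use setUp/tearDown) so the final `update ... 'W'` and the admin reset always run. Drop the three `var_dump($sql)` calls.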


