From 7d99f1e69e02872b10bddeaac759374672792b35 Mon Sep 17 00:00:00 2001
From: davidcallizaya
Date: Thu, 5 Oct 2017 12:20:25 -0400
Subject: [PATCH] HOR-3956
+ Enable access to guest user to use the PM_CASES.
+ Add PM_DASHBOARD permission to KPIs.
+ Add internal permission alias: RBAC->userCanAccess()
* Verify if the user has a right over the permission. Ex.
* $rbac->userCanAccess("PM_CASES");
*
* Alias of permissions:
* PM_CASES has alias: PM_GUES_CASE
* This means that a role with PM_GUES_CASE could access like one with PM_CASES
* unless the permission is required as strict, like this:
* $rbac->userCanAccess("PM_CASES/strict");
---
 gulliver/system/class.rbac.php | 42 ++++++++++++++-----
 rbac/engine/classes/model/RbacUsers.php | 2 +-
 workflow/engine/classes/WsBase.php | 2 +-
 workflow/engine/methods/cases/main.php | 2 +-
 .../engine/methods/login/authentication.php | 2 +-
 workflow/engine/methods/services/soap2.php | 9 +---
 .../methods/strategicDashboard/main.php | 1 +
 7 files changed, 37 insertions(+), 23 deletions(-)
diff --git a/gulliver/system/class.rbac.php b/gulliver/system/class.rbac.php
index 01e28a9c2..14a042a4d 100644
--- a/gulliver/system/class.rbac.php
+++ b/gulliver/system/class.rbac.php
@@ -82,6 +82,8 @@ class RBAC
 private static $instance = null;
 public $authorizedActions = array();
+ private $aliasPermissions = [];
+
 /**
 * To enable compatibility with soap login.
 * @var bool
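Review bot: `$aliasPermissions` is declared without a docblock, so its shape and meaning have to be reconstructed from the constructor and from `userCanAccess()`, which fill and read it later in this patch. Suggest `/** @var array<string, string[]> permission code => alias codes that also satisfy it in non-strict checks */` directly above the property, in the same style as the `@var bool` block below it. Whether the map is fixed policy or is meant to be extended (by plugins, for instance) is not visible here and is worth stating in that comment.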
@@ -146,13 +148,13 @@ class RBAC
 ),
 'home.php' => array(
 'login' => array('PM_LOGIN'),
- 'index' => array('PM_CASES'),
- 'indexSingle' => array('PM_CASES'),
- 'appList' => array('PM_CASES'),
+ 'index' => array('PM_CASES/strict'),
+ 'indexSingle' => array('PM_CASES/strict'),
+ 'appList' => array('PM_CASES/strict'),
 'appAdvancedSearch' => array('PM_ALLCASES'),
 'getApps' => array('PM_ALLCASES'),
 'getAppsData' => array('PM_ALLCASES'),
- 'startCase' => array('PM_CASES'),
+ 'startCase' => array('PM_CASES/strict'),
 'error' => array(),
 'getUserArray' => array('PM_ALLCASES'),
 'getCategoryArray' => array('PM_ALLCASES'),
@@ -187,6 +189,8 @@ class RBAC
 'TEST' => array('PM_SETUP')
 )
 );
+ $this->aliasPermissions['PM_CASES'] = [self::PM_GUEST_CASE];
+ $this->aliasPermissions['PM_LOGIN'] = [self::PM_GUEST_CASE];
 }
 /**
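Review bot: After this change the `home.php` table mixes bare codes and `CODE/strict` codes, and nothing in the table says what the suffix does; a reader has to find the alias logic in `userCanAccess()` to learn that plain `PM_CASES` is also satisfied by `PM_GUEST_CASE`. A one-line comment above the table, `// 'CODE/strict' requires the literal permission; bare codes also accept their aliases (e.g. PM_GUEST_CASE for PM_CASES)`, would carry that. Note that `'login' => array('PM_LOGIN')` just above the changed lines is left non-strict, so a role holding only the guest alias reaches that action; if that is intended the comment should say so. The array literal starts and ends outside the hunk.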
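Review bot: Aliasing `PM_LOGIN` to `PM_GUEST_CASE` widens every non-strict `userCanAccess('PM_LOGIN')` check in the codebase, not only the guest paths this commit touches: any role that is granted PM_GUEST_CASE, not just the built-in guest user, will pass them, for example the web-service login in WsBase.php in this same patch. If that is intended, a comment stating it belongs on these two lines, e.g. `// Any role holding PM_GUEST_CASE satisfies non-strict PM_CASES/PM_LOGIN checks; use 'CODE/strict' to exclude it.` If only the guest account should benefit, the alias should be keyed on the guest user or role rather than on a permission any role can carry. The constructor containing these lines starts outside the hunk.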
@@ -760,28 +764,44 @@ class RBAC
 }
 /**
- * Verify if the user has a right over the permission
+ * Verify if the user has a right over the permission. Ex.
+ * $rbac->userCanAccess("PM_CASES");
+ *
+ * Alias of permissions:
+ * PM_CASES has alias: PM_GUES_CASE
+ * This means that a role with PM_GUES_CASE could access like one with PM_CASES
+ * unless the permission is required as strict, like this:
+ * $rbac->userCanAccess("PM_CASES/strict");
- * @author Fernando Ontiveros
 * @access public
- *
 * @param string $uid id of user
 * @param string $system Code of System
- * @param string $perm id of Permissions
+ * @param string $permBase id of Permissions
 * @return int 1: If it is ok
 * -1: System doesn't exists
 * -2: The User has not a Role
 * -3: The User has not this Permission.
 */
- public function userCanAccess ($perm)
+ public function userCanAccess($permBase)
 {
- if (isset( $this->aUserInfo[$this->sSystem]['PERMISSIONS'] )) {
+ $strict = substr($permBase, -7, 7) === '/strict';
+ $perm = $strict ? substr($permBase, 0, -7) : $permBase;
+ if (isset($this->aUserInfo[$this->sSystem]['PERMISSIONS'])) {
 $res = - 3;
 //if ( !isset ( $this->aUserInfo[ $this->sSystem ]['ROLE'. 'x'] ) ) $res = -2;
 foreach ($this->aUserInfo[$this->sSystem]['PERMISSIONS'] as $key => $val) {
 if ($perm == $val['PER_CODE']) {
 $res = 1;
 }
+ $hasAliasPermission = !$strict && isset($this->aliasPermissions[$perm]) && array_search( $val['PER_CODE'], $this->aliasPermissions[$perm] ) !== false;
+ if ($hasAliasPermission) {
+ $res = 1;
+ break;
+ }
 }
 } else {
 $res = - 1;
diff --git a/rbac/engine/classes/model/RbacUsers.php b/rbac/engine/classes/model/RbacUsers.php
index 9e76fd516..904ac16ab 100644
--- a/rbac/engine/classes/model/RbacUsers.php
+++ b/rbac/engine/classes/model/RbacUsers.php
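Review bot: The alias lookup `array_search($val['PER_CODE'], $this->aliasPermissions[$perm])` runs without the strict flag and the direct match still uses `$perm == $val['PER_CODE']`, so both depend on PHP's loose string comparison; with codes like `PM_CASES` that is benign today, but an authorization primitive should not rely on it when `in_array($val['PER_CODE'], $this->aliasPermissions[$perm], true)` and `$perm === $val['PER_CODE']` cost nothing. The rewritten docblock still documents `$uid` and `$system` parameters that the method does not take (only `$permBase` exists) and spells the alias constant `PM_GUES_CASE` where the code uses `self::PM_GUEST_CASE`, both of which will mislead the next reader. The exact-match branch sets `$res = 1` without `break` while the alias branch breaks; harmless, but inconsistent. The method's return lies outside the hunk.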
@@ -87,7 +87,7 @@ class RbacUsers extends BaseRbacUsers
 if ($aFields['USR_DUE_DATE'] < date('Y-m-d')) {
 return -4;
 }
- if ($aFields['USR_STATUS'] != 1) {
+ if ($aFields['USR_STATUS'] != 1 && $aFields['USR_UID']!== RBAC::GUEST_USER_UID) {
 return -3;
 }
 $role = $this->getUserRole($aFields['USR_UID']);
diff --git a/workflow/engine/classes/WsBase.php b/workflow/engine/classes/WsBase.php
index 6455e8f68..047b14385 100644
--- a/workflow/engine/classes/WsBase.php
+++ b/workflow/engine/classes/WsBase.php
@@ -72,7 +72,7 @@ class WsBase
 $RBAC->loadUserRolePermission($RBAC->sSystem, $uid);
 $res = $RBAC->userCanAccess("PM_LOGIN");
- if ($res != 1) {
+ if ($res != 1 && $uid!== RBAC::GUEST_USER_UID) {
 $wsResponse = new WsResponse(2, G::loadTranslation('ID_USER_HAVENT_RIGHTS_SYSTEM'));
 throw (new Exception(serialize($wsResponse)));
 }
diff --git a/workflow/engine/methods/cases/main.php b/workflow/engine/methods/cases/main.php
index 6ba9c640f..183638749 100644
--- a/workflow/engine/methods/cases/main.php
+++ b/workflow/engine/methods/cases/main.php
@@ -22,7 +22,7 @@
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 */
-$RBAC->requirePermissions( 'PM_CASES' );
+$RBAC->requirePermissions( 'PM_CASES/strict' );
 $G_MAIN_MENU = 'processmaker';
 $G_ID_MENU_SELECTED = 'CASES';
diff --git a/workflow/engine/methods/login/authentication.php b/workflow/engine/methods/login/authentication.php
index d6abdd619..906825422 100644
--- a/workflow/engine/methods/login/authentication.php
+++ b/workflow/engine/methods/login/authentication.php
@@ -293,7 +293,7 @@ try {
 // Assign the uid of user to userloggedobj
 $RBAC->loadUserRolePermission($RBAC->sSystem, $uid);
- $res = $RBAC->userCanAccess('PM_LOGIN');
+ $res = $RBAC->userCanAccess('PM_LOGIN/strict');
 if ($res != 1 ) {
 if ($res == -2) {
 G::SendTemporalMessage ('ID_USER_HAVENT_RIGHTS_SYSTEM', "error");
diff --git a/workflow/engine/methods/services/soap2.php b/workflow/engine/methods/services/soap2.php
index 45520398d..80c645310 100644
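Review bot: Exempting `RBAC::GUEST_USER_UID` from the `USR_STATUS != 1` check means deactivating the guest account no longer stops it from authenticating, which is the first thing an administrator would try in order to switch guest access off; nothing in this patch shows an alternative switch. If the guest must be accepted regardless of status, say so on the line, e.g. `// guest account is accepted even when inactive; guest access is governed by the PM_GUEST_CASE permission`, and confirm that this is in fact how guest access is meant to be disabled. The `USR_DUE_DATE` check just above still applies to the guest, so an expired guest is rejected while an inactive one is not; that asymmetry looks accidental. The enclosing method starts and ends outside the hunk.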
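Review bot: `$uid!== RBAC::GUEST_USER_UID` short-circuits the PM_LOGIN rights check for the guest regardless of why it failed, including `-1` (system not found) and `-2` (user has no role) per the `userCanAccess()` docblock, which are exactly the states in which a guest should not be let in. Because this same patch aliases `PM_LOGIN` to `PM_GUEST_CASE` for non-strict checks, a guest whose role carries the guest permission already gets `1` here, so the extra clause only matters when the guest lacks that role; suggest keeping `if ($res != 1) {` and relying on the alias. The spacing `$uid!==` also departs from the file's `$res != 1` style.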
--- a/workflow/engine/methods/services/soap2.php
+++ b/workflow/engine/methods/services/soap2.php
@@ -981,14 +981,7 @@ function ifPermission($sessionId, $permission)
 $oRBAC = RBAC::getSingleton();
 $oRBAC->loadUserRolePermission($oRBAC->sSystem, $user['USR_UID']);
- $aPermissions = $oRBAC->aUserInfo[$oRBAC->sSystem]['PERMISSIONS'];
- $sw = 0;
-
- foreach ($aPermissions as $aPermission) {
- if ($aPermission['PER_CODE'] == $permission) {
- $sw = 1;
- }
- }
+ $sw = $oRBAC->userCanAccess($permission) === 1 ? 1 : 0;
 return $sw;
 }
diff --git a/workflow/engine/methods/strategicDashboard/main.php b/workflow/engine/methods/strategicDashboard/main.php
index e239d2420..4bed42b11 100644
--- a/workflow/engine/methods/strategicDashboard/main.php
+++ b/workflow/engine/methods/strategicDashboard/main.php
@@ -22,6 +22,7 @@
 * Coral Gables, FL, 33134, USA, or email info@colosa.com.
 */
+$RBAC->requirePermissions( 'PM_DASHBOARD' );
 $licensedFeatures = & PMLicensedFeatures::getSingleton();
 if (!$licensedFeatures->verifyfeature('r19Vm5DK1UrT09MenlLYjZxejlhNUZ1b1NhV0JHWjBsZEJ6dnpJa3dTeWVLVT0=')) {
 G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' );
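Review bot: `ifPermission` now passes the caller-supplied `$permission` string straight into `userCanAccess()`, so the web-service answer changes meaning for existing clients: a session whose role holds PM_GUEST_CASE is now reported as having `PM_CASES` and `PM_LOGIN`, and a code ending in `/strict` is interpreted rather than matched literally as the old loop did. That is consistent with the new RBAC rule, but it is an observable API change that deserves a comment here and a line in the web-service documentation, e.g. `// honours RBAC permission aliases; append '/strict' to ask for the literal permission`. `$user` and the session lookup come from the part of the function above the hunk.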