+ Allow the guest user to use PM_CASES.
+ Add PM_DASHBOARD permission to KPIs.
+ Add internal permission alias:
RBAC->userCanAccess()
     * Verify if the user has a right over the permission. Ex.
     *      $rbac->userCanAccess("PM_CASES");
     *
     * Alias of permissions:
     *      PM_CASES has alias: PM_GUES_CASE
     * This means that a role with PM_GUES_CASE could access like one with PM_CASES
     * unless the permission is required as strict, like this:
     *      $rbac->userCanAccess("PM_CASES/strict");
davidcallizaya
2017-10-05 12:20:25 -04:00
parent 49bd973e21
commit 7d99f1e69e
7 changed files with 37 additions and 23 deletions


@@ -82,6 +82,8 @@ class RBAC
private static $instance = null; private static $instance = null;
public $authorizedActions = array(); public $authorizedActions = array();
private $aliasPermissions = [];
/** /**
* To enable compatibility with soap login. * To enable compatibility with soap login.
* @var bool * @var bool
@@ -146,13 +148,13 @@ class RBAC
), ),
'home.php' => array( 'home.php' => array(
'login' => array('PM_LOGIN'), 'login' => array('PM_LOGIN'),
'index' => array('PM_CASES'), 'index' => array('PM_CASES/strict'),
'indexSingle' => array('PM_CASES'), 'indexSingle' => array('PM_CASES/strict'),
'appList' => array('PM_CASES'), 'appList' => array('PM_CASES/strict'),
'appAdvancedSearch' => array('PM_ALLCASES'), 'appAdvancedSearch' => array('PM_ALLCASES'),
'getApps' => array('PM_ALLCASES'), 'getApps' => array('PM_ALLCASES'),
'getAppsData' => array('PM_ALLCASES'), 'getAppsData' => array('PM_ALLCASES'),
'startCase' => array('PM_CASES'), 'startCase' => array('PM_CASES/strict'),
'error' => array(), 'error' => array(),
'getUserArray' => array('PM_ALLCASES'), 'getUserArray' => array('PM_ALLCASES'),
'getCategoryArray' => array('PM_ALLCASES'), 'getCategoryArray' => array('PM_ALLCASES'),
@@ -187,6 +189,8 @@ class RBAC
'TEST' => array('PM_SETUP') 'TEST' => array('PM_SETUP')
) )
); );
$this->aliasPermissions['PM_CASES'] = [self::PM_GUEST_CASE];
$this->aliasPermissions['PM_LOGIN'] = [self::PM_GUEST_CASE];
} }
/** /**
@@ -760,28 +764,44 @@ class RBAC
} }
/** /**
* Verify if the user has a right over the permission * Verify if the user has a right over the permission. Ex.
* $rbac->userCanAccess("PM_CASES");
*
* Alias of permissions:
* PM_CASES has alias: PM_GUES_CASE
* This means that a role with PM_GUES_CASE could access like one with PM_CASES
* unless the permission is required as strict, like this:
* $rbac->userCanAccess("PM_CASES/strict");
* *
* @author Fernando Ontiveros
* @access public * @access public
*
* @param string $uid id of user * @param string $uid id of user
* @param string $system Code of System * @param string $system Code of System
* @param string $perm id of Permissions * @param string $permBase id of Permissions
* @return int 1: If it is ok * @return int 1: If it is ok
* -1: System doesn't exists * -1: System doesn't exists
* -2: The User has not a Role * -2: The User has not a Role
* -3: The User has not this Permission. * -3: The User has not this Permission.
*/ */
public function userCanAccess ($perm) public function userCanAccess($permBase)
{ {
$strict = substr($permBase, -7, 7) === '/strict';
$perm = $strict ? substr($permBase, 0, -7) : $permBase;
if (isset($this->aUserInfo[$this->sSystem]['PERMISSIONS'])) { if (isset($this->aUserInfo[$this->sSystem]['PERMISSIONS'])) {
$res = - 3; $res = - 3;
//if ( !isset ( $this->aUserInfo[ $this->sSystem ]['ROLE'. 'x'] ) ) $res = -2;
foreach ($this->aUserInfo[$this->sSystem]['PERMISSIONS'] as $key => $val) { foreach ($this->aUserInfo[$this->sSystem]['PERMISSIONS'] as $key => $val) {
if ($perm == $val['PER_CODE']) { if ($perm == $val['PER_CODE']) {
$res = 1; $res = 1;
} }
$hasAliasPermission = !$strict
&& isset($this->aliasPermissions[$perm])
&& array_search(
$val['PER_CODE'],
$this->aliasPermissions[$perm]
) !== false;
if ($hasAliasPermission) {
$res = 1;
break;
}
} }
} else { } else {
$res = - 1; $res = - 1;
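Review bot: In `userCanAccess()` alias matching is the default and `/strict` is the opt-out, so any existing `PM_CASES` or `PM_LOGIN` check that this commit does not touch starts accepting a role that holds only `PM_GUEST_CASE`. The commit adds `/strict` to the home.php actions, a cases page and the interactive login, but call sites outside this diff cannot be checked from here; making alias matching opt-in would fail closed for anything that was missed. The alias lookup also compares loosely through `array_search`; `in_array($val['PER_CODE'], $this->aliasPermissions[$perm], true)` states the intent and compares strictly. The docblock names `PM_GUES_CASE` while the code uses `self::PM_GUEST_CASE`, and the function body continues past the end of the hunk.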


@@ -87,7 +87,7 @@ class RbacUsers extends BaseRbacUsers
if ($aFields['USR_DUE_DATE'] < date('Y-m-d')) { if ($aFields['USR_DUE_DATE'] < date('Y-m-d')) {
return -4; return -4;
} }
if ($aFields['USR_STATUS'] != 1) { if ($aFields['USR_STATUS'] != 1 && $aFields['USR_UID']!== RBAC::GUEST_USER_UID) {
return -3; return -3;
} }
$role = $this->getUserRole($aFields['USR_UID']); $role = $this->getUserRole($aFields['USR_UID']);
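Review bot: The added `$aFields['USR_UID']!== RBAC::GUEST_USER_UID` clause exempts the guest account from the `USR_STATUS` check, so marking the guest user inactive no longer makes this method return -3. If administrators are meant to be able to switch guest access off through the user status, this is where it would be enforced; either keep the status check for the guest or add a comment that says where guest access is disabled instead, such as `// Guest is exempt from USR_STATUS; guest access is controlled by <mechanism>`. The due-date check just above still applies to the guest. The enclosing method starts and ends outside the hunk.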


@@ -72,7 +72,7 @@ class WsBase
$RBAC->loadUserRolePermission($RBAC->sSystem, $uid); $RBAC->loadUserRolePermission($RBAC->sSystem, $uid);
$res = $RBAC->userCanAccess("PM_LOGIN"); $res = $RBAC->userCanAccess("PM_LOGIN");
if ($res != 1) { if ($res != 1 && $uid!== RBAC::GUEST_USER_UID) {
$wsResponse = new WsResponse(2, G::loadTranslation('ID_USER_HAVENT_RIGHTS_SYSTEM')); $wsResponse = new WsResponse(2, G::loadTranslation('ID_USER_HAVENT_RIGHTS_SYSTEM'));
throw (new Exception(serialize($wsResponse))); throw (new Exception(serialize($wsResponse)));
} }
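Review bot: `$res != 1 && $uid!== RBAC::GUEST_USER_UID` lets the guest UID through even when `userCanAccess("PM_LOGIN")` refuses it, which overrides the RBAC decision instead of relying on it. The call here is non-strict, so a guest role holding `PM_GUEST_CASE` already gets 1 through the `PM_LOGIN` alias added in this commit; the UID exemption only changes the outcome when the guest has no such permission, which is the case that should be refused. Consider restoring `if ($res != 1) {`. It is also worth confirming that a guest web-service login is intended, given that the interactive login in this commit checks `PM_LOGIN/strict`.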


@@ -22,7 +22,7 @@
* Coral Gables, FL, 33134, USA, or email info@colosa.com. * Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/ */
$RBAC->requirePermissions( 'PM_CASES' ); $RBAC->requirePermissions( 'PM_CASES/strict' );
$G_MAIN_MENU = 'processmaker'; $G_MAIN_MENU = 'processmaker';
$G_ID_MENU_SELECTED = 'CASES'; $G_ID_MENU_SELECTED = 'CASES';
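Review bot: `requirePermissions( 'PM_CASES/strict' )` depends on `requirePermissions()` handling the `/strict` suffix, and that method is not part of this diff. If it compares the string against permission codes itself rather than delegating to `userCanAccess()`, no role will match and this page is denied to everyone; if it delegates, the check is correct. A test that requests this page once with a `PM_CASES` role and once with a guest-only role would pin both outcomes.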


@@ -293,7 +293,7 @@ try {
// Assign the uid of user to userloggedobj // Assign the uid of user to userloggedobj
$RBAC->loadUserRolePermission($RBAC->sSystem, $uid); $RBAC->loadUserRolePermission($RBAC->sSystem, $uid);
$res = $RBAC->userCanAccess('PM_LOGIN'); $res = $RBAC->userCanAccess('PM_LOGIN/strict');
if ($res != 1 ) { if ($res != 1 ) {
if ($res == -2) { if ($res == -2) {
G::SendTemporalMessage ('ID_USER_HAVENT_RIGHTS_SYSTEM', "error"); G::SendTemporalMessage ('ID_USER_HAVENT_RIGHTS_SYSTEM', "error");


@@ -981,14 +981,7 @@ function ifPermission($sessionId, $permission)
$oRBAC = RBAC::getSingleton(); $oRBAC = RBAC::getSingleton();
$oRBAC->loadUserRolePermission($oRBAC->sSystem, $user['USR_UID']); $oRBAC->loadUserRolePermission($oRBAC->sSystem, $user['USR_UID']);
$aPermissions = $oRBAC->aUserInfo[$oRBAC->sSystem]['PERMISSIONS']; $sw = $oRBAC->userCanAccess($permission) === 1 ? 1 : 0;
$sw = 0;
foreach ($aPermissions as $aPermission) {
if ($aPermission['PER_CODE'] == $permission) {
$sw = 1;
}
}
return $sw; return $sw;
} }
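Review bot: `ifPermission()` used to answer with an exact match on `PER_CODE`; by calling `userCanAccess($permission)` it now also applies aliases, so a query for `PM_CASES` or `PM_LOGIN` returns 1 for a session whose role holds only `PM_GUEST_CASE`. `$permission` is a parameter of this function, so whether the check is strict is decided by whoever supplies that string. If callers rely on the old exact-match meaning, normalise it here: strip any trailing `/strict` from `$permission` and call `userCanAccess($permission . '/strict')`. Otherwise state the alias behaviour in the function's docblock. The function starts outside the hunk.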


@@ -22,6 +22,7 @@
* Coral Gables, FL, 33134, USA, or email info@colosa.com. * Coral Gables, FL, 33134, USA, or email info@colosa.com.
*/ */
$RBAC->requirePermissions( 'PM_DASHBOARD' );
$licensedFeatures = & PMLicensedFeatures::getSingleton(); $licensedFeatures = & PMLicensedFeatures::getSingleton();
if (!$licensedFeatures->verifyfeature('r19Vm5DK1UrT09MenlLYjZxejlhNUZ1b1NhV0JHWjBsZEJ6dnpJa3dTeWVLVT0=')) { if (!$licensedFeatures->verifyfeature('r19Vm5DK1UrT09MenlLYjZxejlhNUZ1b1NhV0JHWjBsZEJ6dnpJa3dTeWVLVT0=')) {
G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' ); G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' );