Merged in bugfix/HOR-2820 (pull request #5511)

HOR-2820

Approved-by: Paula Quispe
Approved-by: Julio Cesar Laura Avendaño

workflow/engine/classes/model/AppDocument.php

@@ -598,5 +598,40 @@ class AppDocument extends BaseAppDocument
         }
         return false;
     }
+
+    /**
+     * Check if the user $userCanDownload can download the Output Document
+     *
+     * The user that generate the output document can download the same output document file
+     * A participated user or a supervisor must have the process permission "view" to be able to download the output document
+     * @param string $userGenerateDocument
+     * @param string $userCanDownload
+     * @param string $proUid
+     * @param string $appUid
+     * @param string $sAppDocUid
+     * @return boolean
+     */
+    public function canDownloadOutput($userGenerateDocument, $userCanDownload, $proUid, $appUid, $sAppDocUid)
+    {
+        //Check if the user Logged was generate the document
+        if ($userGenerateDocument !== $userCanDownload) {
+            $objCase = new \ProcessMaker\BusinessModel\Cases();
+            $aUserCanAccess = $objCase->userAuthorization(
+                $userCanDownload,
+                $proUid,
+                $appUid,
+                array(),
+                array('OUTPUT_DOCUMENTS'=>'VIEW')
+            );
+
+            //If the user does not have the process permission can not download
+            if (in_array($sAppDocUid, $aUserCanAccess['objectPermissions']['OUTPUT_DOCUMENTS'])) {
+                return true;
+            }
+        } else {
+            return true;
+        }
+        return false;
+    }
 }
 

workflow/engine/methods/cases/cases_ShowOutputDocument.php

@@ -1,8 +1,9 @@
 <?php
-if (!isset($_SESSION['USER_LOGGED'])) {
+if (isset($_REQUEST['actionAjax']) && $_REQUEST['actionAjax'] == "verifySession" ) {
+    if (!isset($_SESSION['USER_LOGGED'])) {
         if ((isset( $_POST['request'] )) && ($_POST['request'] == true)) {
             $response = new stdclass();
-        $response->message = G::LoadTranslation('ID_LOGIN_AGAIN1');
+            $response->message = G::LoadTranslation('ID_LOGIN_AGAIN');
             $response->lostSession = true;
             print G::json_encode( $response );
             die();
@@ -11,6 +12,11 @@ if (!isset($_SESSION['USER_LOGGED'])) {
             G::header("location: " . "/");
             die();
         }
+    } else {
+        $response = new stdclass();
+        print G::json_encode( $response );
+        die();
+    }
 }
 /**
  * cases_ShowOutputDocument.php
@@ -50,9 +56,21 @@ $sAppDocUid = $oAppDocument->getAppDocUid();
 $sDocUid = $oAppDocument->Fields['DOC_UID'];
 
 $oOutputDocument = new OutputDocument();
-$oOutputDocument->Fields = $oOutputDocument->getByUid( $sDocUid );
+$oOutputDocument->Fields = $oOutputDocument->getByUid($sDocUid);
 $download = $oOutputDocument->Fields['OUT_DOC_OPEN_TYPE'];
 
+//Check if the user can be download the Output Document
+if (!$oAppDocument->canDownloadOutput(
+    $oAppDocument->Fields['USR_UID'],
+    $_SESSION['USER_LOGGED'],
+    $oOutputDocument->Fields['PRO_UID'],
+    $oAppDocument->Fields['APP_UID'],
+    $sAppDocUid)
+) {
+   G::header('Location: /errors/error403.php');
+   die();
+}
+
 $info = pathinfo( $oAppDocument->getAppDocFilename() );
 if (! isset( $_GET['ext'] )) {
     $ext = $info['extension'];
@@ -83,7 +101,7 @@ if (file_exists( $realPath )) {
     $realPath = $realPath2;
 }
 
-if (! $sw_file_exists) {
+if (!$sw_file_exists) {
 
     $oPluginRegistry = & PMPluginRegistry::getSingleton();
     if ($oPluginRegistry->existsTrigger( PM_UPLOAD_DOCUMENT )) {
@@ -137,10 +155,6 @@ if (! $sw_file_exists) {
         if (!$downloadStatus) {
             G::streamFile( $realPath, $download, $nameFile); //download
         }
-
-        //die($realPath);
-        //G::streamFile( $realPath, $download, $info['basename'] . $ver . '.' . $ext );
     }
 }
-//G::streamFile ( $realPath, true);