Merged in bugfix/HOR-4155 (pull request #6224)

HOR-4155 Approved-by: Julio Cesar Laura Avendaño <contact@julio-laura.com> Approved-by: Paula Quispe <paula.quispe@processmaker.com>
2017-12-12 17:04:18 +00:00
parent 89ee4ee0d8 b6d0dcd850
commit dca0ecb0bf
4 changed files with 84 additions and 33 deletions
--- a/workflow/engine/methods/services/webentry/anonymousLogin.php
+++ b/workflow/engine/methods/services/webentry/anonymousLogin.php
@@ -24,6 +24,7 @@ try {
        throw new Exception('WebEntry User not found');
    }

+    $_SESSION = [];
    initUserSession($userUid, $userInfo->getUsrUsername());

    $result = [
--- a/workflow/engine/methods/webentry/access.php
+++ b/workflow/engine/methods/webentry/access.php
@@ -187,6 +187,7 @@ $webEntryModel = \WebEntryPeer::retrieveByPK($weUid);
                var weUid = <?php echo  G::json_encode($webEntryModel->getWeUid()); ?>;
                var forceLogin = <?php echo  G::json_encode($webEntryModel->getWeAuthentication()==='LOGIN_REQUIRED'); ?>;
                var isLogged = <?php echo  G::json_encode(!empty($_SESSION['USER_LOGGED'])); ?>;
+                var currentLoggedIsGuest = <?php echo G::json_encode(!empty($_SESSION['USER_LOGGED']) && $_SESSION['USER_LOGGED'] === RBAC::GUEST_USER_UID); ?>;
                var closeSession = <?php echo  G::json_encode($webEntryModel->getWeCallback()==='CUSTOM_CLEAR'); ?>;
                var hideInformationBar = <?php echo  G::json_encode(!!$webEntryModel->getWeHideInformationBar()); ?>;
                if (!forceLogin) {
@@ -263,7 +264,7 @@ $webEntryModel = \WebEntryPeer::retrieveByPK($weUid);
                };
                var login = function () {
                    return new Promise(function (logged, failure) {
-                        if (!isLogged) {
+                        if (!isLogged || currentLoggedIsGuest) {
                            log("login");
                            open('../login/login?inIFrame=1&u=' + encodeURIComponent(location.pathname + '/../../webentry/logged'))
                              .then(function (userInformation) {
--- a/workflow/engine/methods/webentry/logged.php
+++ b/workflow/engine/methods/webentry/logged.php
@@ -5,19 +5,29 @@
 /**
 * This page is redirected from the login page.
 */
-G::LoadClass('pmFunctions');
 $userUid = $_SESSION['USER_LOGGED'];
-$userInfo = PMFInformationUser($userUid);
-$result = [
-    'user_logged' => $userUid,
-    'userName'    => $userInfo['username'],
-    'firstName'   => $userInfo['firstname'],
-    'lastName'    => $userInfo['lastname'],
-    'mail'        => $userInfo['mail'],
-    'image'       => '../users/users_ViewPhoto?t='.microtime(true),
-];
+$userInfo = UsersPeer::retrieveByPK($userUid);
+if (empty($userInfo)) {
+    $result = [
+        'user_logged' => $userUid,
+        'userName'    => '',
+        'firstName'   => '',
+        'lastName'    => '',
+        'mail'        => '',
+        'image'       => '../users/users_ViewPhoto?t=' . microtime(true),
+    ];
+} else {
+    $result = [
+        'user_logged' => $userUid,
+        'userName'    => $userInfo->getUsrUsername(),
+        'firstName'   => $userInfo->getUsrFirstName(),
+        'lastName'    => $userInfo->getUsrLastName(),
+        'mail'        => $userInfo->getUsrEmail(),
+        'image'       => '../users/users_ViewPhoto?t=' . microtime(true),
+    ];
+}
 ?>
-            parent.fullfill(<?= G::json_encode($result) ?>);
+                parent.fullfill(<?= G::json_encode($result) ?>);
        </script>
    </head>
 </html>
--- a/workflow/engine/src/ProcessMaker/Policies/AccessControl.php
+++ b/workflow/engine/src/ProcessMaker/Policies/AccessControl.php
@@ -1,14 +1,15 @@
 <?php
 namespace ProcessMaker\Policies;

-use \Luracast\Restler\iAuthenticate;
-use \Luracast\Restler\RestException;
-use \Luracast\Restler\Defaults;
-use \Luracast\Restler\Util;
-use \Luracast\Restler\Scope;
-use \OAuth2\Request;
-use \ProcessMaker\Services\OAuth2\Server;
-use \ProcessMaker\BusinessModel\User;
+use Luracast\Restler\iAuthenticate;
+use Luracast\Restler\RestException;
+use Luracast\Restler\Defaults;
+use Luracast\Restler\Util;
+use Luracast\Restler\Scope;
+use OAuth2\Request;
+use ProcessMaker\Services\OAuth2\Server;
+use ProcessMaker\BusinessModel\User;
+use RBAC;

 class AccessControl implements iAuthenticate
 {
@@ -18,6 +19,13 @@ class AccessControl implements iAuthenticate
    private $userUid = null;
    private $oUser;

+    /**
+     * @var RBAC $rbac
+     */
+    private $rbac;
+
+    const SYSTEM = 'PROCESSMAKER';
+
    /**
     * This method checks if an endpoint permission or permissions access
     *
@@ -33,14 +41,16 @@ class AccessControl implements iAuthenticate
        $request = Request::createFromGlobals();
        $allowed = $server->verifyResourceRequest($request);
        $this->userUid = $oServerOauth->getUserId();
-        $this->oUser->loadUserRolePermission('PROCESSMAKER', $this->userUid);
+        $this->oUser->loadUserRolePermission(self::SYSTEM, $this->userUid);
+        $this->loadRbacUser($this->userUid);
        $metadata = Util::nestedValue($this->restler, 'apiMethodInfo', 'metadata');
+        $permissions = $this->getPermissions();
        if ($allowed && !empty($this->userUid) && (!empty($metadata['access']) && $metadata['access'] == 'protected')) {
            $parameters = Util::nestedValue($this->restler, 'apiMethodInfo', 'parameters');
            if (!is_null(self::$className) && is_string(self::$className)) {
                $authObj = Scope::get(self::$className);
                $authObj->parameters = $parameters;
-                $authObj->permission = self::$permission;
+                $authObj->permission = $permissions;
                if (!method_exists($authObj, Defaults::$authenticationMethod)) {
                    throw new RestException (
                        500,
@@ -48,7 +58,7 @@ class AccessControl implements iAuthenticate
                } elseif (!$authObj->{Defaults::$authenticationMethod}()) {
                    throw new RestException(403, "You don't have permission to access this endpoint or resource on this server.");
                }
-            } elseif (!$this->verifyAccess(self::$permission)) {
+            } elseif (!$this->verifyAccess($permissions)) {
                throw new RestException(401);
            }
        }
@@ -64,6 +74,8 @@ class AccessControl implements iAuthenticate
    }

    /**
+     * Verify the permissions required to access the endpoint.
+     *
     * @param $permissions
     * @return bool
     */
@@ -87,19 +99,46 @@ class AccessControl implements iAuthenticate
        return $response;
    }

+    /**
+     * Verify if the user has a right over the permission.
+     *
+     * @param string $perm
+     * @return int
+     */
    public function userCanAccess($perm)
    {
-        $res = -1;
-        $permissions = Util::nestedValue($this->oUser, 'aUserInfo', 'PROCESSMAKER', 'PERMISSIONS');
-        if (isset($permissions)) {
-            $res = -3;
-            foreach ($permissions as $key => $val) {
-                if ($perm == $val['PER_CODE']) {
-                    $res = 1;
-                    break;
-                }
+        return $this->rbac->userCanAccess($perm);
+    }
+
+    /**
+     * Get the required permission(s) of the endpoint.
+     *
+     * @return mixed
+     */
+    private function getPermissions()
+    {
+        if (is_string(self::$permission)) {
+            $permission = trim(self::$permission);
+        } elseif (is_array(self::$permission)) {
+            $permission = [];
+            foreach (self::$permission as $perm) {
+                $permission[] = trim($perm);
            }
+        } else {
+            $permission = self::$permission;
        }
-        return $res;
+        return $permission;
+    }
+
+    /**
+     * Load the RBAC object to validate the user permissions.
+     *
+     * @param string $userUid
+     */
+    private function loadRbacUser($userUid)
+    {
+        $this->rbac = new RBAC;
+        $this->rbac->initRBAC();
+        $this->rbac->loadUserRolePermission(self::SYSTEM, $userUid);
    }
 }