From 2dc1b9408f659fe2b0029399d9b2babea7f591a1 Mon Sep 17 00:00:00 2001
From: davidcallizaya
Date: Thu, 7 Dec 2017 12:04:00 -0400
Subject: [PATCH 1/4] HOR-4155 Fix access control validation of endpoints using RBAC.
---
 .../ProcessMaker/Policies/AccessControl.php | 81 ++++++++++++++-----
 1 file changed, 60 insertions(+), 21 deletions(-)
diff --git a/workflow/engine/src/ProcessMaker/Policies/AccessControl.php b/workflow/engine/src/ProcessMaker/Policies/AccessControl.php
index f7358b31d..dbc0aa853 100644
--- a/workflow/engine/src/ProcessMaker/Policies/AccessControl.php
+++ b/workflow/engine/src/ProcessMaker/Policies/AccessControl.php
@@ -1,14 +1,15 @@
 verifyResourceRequest($request);
 $this->userUid = $oServerOauth->getUserId();
- $this->oUser->loadUserRolePermission('PROCESSMAKER', $this->userUid);
+ $this->oUser->loadUserRolePermission(self::SYSTEM, $this->userUid);
+ $this->loadRbacUser($this->userUid);
 $metadata = Util::nestedValue($this->restler, 'apiMethodInfo', 'metadata');
+ $permissions = $this->getPermissions();
 if ($allowed && !empty($this->userUid) && (!empty($metadata['access']) && $metadata['access'] == 'protected')) {
 $parameters = Util::nestedValue($this->restler, 'apiMethodInfo', 'parameters');
 if (!is_null(self::$className) && is_string(self::$className)) {
 $authObj = Scope::get(self::$className);
 $authObj->parameters = $parameters;
- $authObj->permission = self::$permission;
+ $authObj->permission = $permissions;
 if (!method_exists($authObj, Defaults::$authenticationMethod)) {
 throw new RestException (
 500,
@@ -48,7 +58,7 @@ class AccessControl implements iAuthenticate
 } elseif (!$authObj->{Defaults::$authenticationMethod}()) {
 throw new RestException(403, "You don't have permission to access this endpoint or resource on this server.");
 }
- } elseif (!$this->verifyAccess(self::$permission)) {
+ } elseif (!$this->verifyAccess($permissions)) {
 throw new RestException(401);
 }
 }
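Review bot: In the `@@ -48,7 +58,7 @@` hunk the failed `verifyAccess($permissions)` still ends in a bare `throw new RestException(401);`, although the enclosing condition (which starts outside this hunk) only reaches this branch when `$this->userUid` is non-empty, so the caller carries a user identity and is being denied a permission, not failing authentication; the sibling branch a few lines up reports the same kind of denial as 403 with a message. Using `throw new RestException(403, "You don't have permission to access this endpoint or resource on this server.");` here keeps the two paths consistent and stops clients and log readers from misreading an authorization denial as a missing or invalid token. Note also that `$permissions` now comes from `getPermissions()`, which can yield an array as well as a string, whereas the old call always passed `self::$permission` through unchanged, so `verifyAccess()` (body outside this hunk) must accept both shapes.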
@@ -64,6 +74,8 @@ class AccessControl implements iAuthenticate
 }
 /**
+ * Verify the permissions required to access the endpoint.
+ *
 * @param $permissions
 * @return bool
 */
@@ -87,19 +99,46 @@ class AccessControl implements iAuthenticate
 return $response;
 }
+ /**
+ * Verify if the user has a right over the permission.
+ *
+ * @param string $perm
+ * @return int
+ */
 public function userCanAccess($perm)
 {
- $res = -1;
- $permissions = Util::nestedValue($this->oUser, 'aUserInfo', 'PROCESSMAKER', 'PERMISSIONS');
- if (isset($permissions)) {
- $res = -3;
- foreach ($permissions as $key => $val) {
- if ($perm == $val['PER_CODE']) {
- $res = 1;
- break;
- }
+ return $this->rbac->userCanAccess($perm);
+ }
+
+ /**
+ * Get the required permission(s) of the endpoint.
+ *
+ * @return mixed
+ */
+ private function getPermissions()
+ {
+ if (is_string(self::$permission)) {
+ $permission = trim(self::$permission);
+ } elseif (is_array(self::$permission)) {
+ $permission = [];
+ foreach (self::$permission as $perm) {
+ $permission[] = trim($perm);
 }
+ } else {
+ $permission = self::$permission;
 }
- return $res;
+ return $permission;
+ }
+
+ /**
+ * Load the RBAC object to validate the user permissions.
+ *
+ * @param string $userUid
+ */
+ private function loadRbacUser($userUid)
+ {
+ $this->rbac = new RBAC;
+ $this->rbac->initRBAC();
+ $this->rbac->loadUserRolePermission(self::SYSTEM, $userUid);
 }
 }
From 1421873bad3da0f4b4cc488d3c2f138b16b718d3 Mon Sep 17 00:00:00 2001
From: davidcallizaya
Date: Mon, 11 Dec 2017 11:17:10 -0400
Subject: [PATCH 2/4] HOR-4155 Validate if logen user is not guest. Close previous session if webentry is anonymous.
---
 workflow/engine/methods/services/webentry/anonymousLogin.php | 1 +
 workflow/engine/methods/webentry/access.php | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/workflow/engine/methods/services/webentry/anonymousLogin.php b/workflow/engine/methods/services/webentry/anonymousLogin.php
index 0b228c7a7..16c924c46 100644
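Review bot: In the `@@ -87,19 +99,46 @@` hunk `userCanAccess()` now returns whatever `RBAC::userCanAccess()` yields, while the removed body had its own contract (-1 when no permission set was loaded, -3 when the code was absent, 1 when present) and the new docblock says only `@return int`; `verifyAccess()`, whose body is outside this hunk, should be checked to test for exactly `1` rather than against the old negative codes, because a comparison such as `!= -3` would treat any other non-success value as a grant. `getPermissions()` is documented as `@return mixed` and passes `self::$permission` through untouched when it is neither a string nor an array (presumably `null` for an endpoint that declares no permission), so `verifyAccess($permissions)` can receive `null`; either state in the docblock what `null` means for the caller or normalise it here, e.g. `$permission = self::$permission === null ? [] : self::$permission;`, whichever matches how `verifyAccess()` treats an empty list. `loadRbacUser()` assigns a fresh `RBAC` to `$this->rbac` on every request, and the property declaration is not in view, so confirm it is declared (and private). Style: `new RBAC;` reads more conventionally as `new RBAC();`.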
--- a/workflow/engine/methods/services/webentry/anonymousLogin.php
+++ b/workflow/engine/methods/services/webentry/anonymousLogin.php
@@ -24,6 +24,7 @@ try {
 throw new Exception('WebEntry User not found');
 }
+ $_SESSION = [];
 initUserSession($userUid, $userInfo->getUsrUsername());
 $result = [
diff --git a/workflow/engine/methods/webentry/access.php b/workflow/engine/methods/webentry/access.php
index 62304030e..f042c3d9e 100644
--- a/workflow/engine/methods/webentry/access.php
+++ b/workflow/engine/methods/webentry/access.php
@@ -187,6 +187,7 @@ $webEntryModel = \WebEntryPeer::retrieveByPK($weUid);
 var weUid = getWeUid()); ?>;
 var forceLogin = getWeAuthentication()==='LOGIN_REQUIRED'); ?>;
 var isLogged = ;
+ var currentLoggedIsGuest = ;
 var closeSession = getWeCallback()==='CUSTOM_CLEAR'); ?>;
 var hideInformationBar = getWeHideInformationBar()); ?>;
 if (!forceLogin) {
@@ -263,7 +264,7 @@ $webEntryModel = \WebEntryPeer::retrieveByPK($weUid);
 };
 var login = function () {
 return new Promise(function (logged, failure) {
- if (!isLogged) {
+ if (!isLogged || currentLoggedIsGuest) {
 log("login");
 open('../login/login?inIFrame=1&u=' + encodeURIComponent(location.pathname + '/../../webentry/logged'))
 .then(function (userInformation) {
From 5e9ec332f81821bc7979e1537acd5916a0f3ed8e Mon Sep 17 00:00:00 2001
From: davidcallizaya
Date: Tue, 12 Dec 2017 08:03:48 -0400
Subject: [PATCH 3/4] HOR-4155 Change method to obtain user information, because guest user is hidden.
---
 workflow/engine/methods/webentry/logged.php | 31 +++++++++++++--------
 1 file changed, 20 insertions(+), 11 deletions(-)
diff --git a/workflow/engine/methods/webentry/logged.php b/workflow/engine/methods/webentry/logged.php
index b9e88309d..d21ff6c42 100644
--- a/workflow/engine/methods/webentry/logged.php
+++ b/workflow/engine/methods/webentry/logged.php
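Review bot: `$_SESSION = [];` discards the previous user's session data before `initUserSession()` logs in the web-entry guest, but it leaves the session identifier untouched, so the guest login continues under whatever session id the browser already presented, possibly one issued before any authentication took place. Add `session_regenerate_id(true);` next to it so the anonymous login starts on a fresh id and the old one is invalidated, which is the standard defence against session fixation. Wiping the whole array also drops any other keys the application keeps in the session (not visible in this hunk), so confirm nothing the web-entry flow still needs is lost; the enclosing `try` block starts outside the hunk.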
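Review bot: The `currentLoggedIsGuest` flag added at `@@ -187,6 +187,7 @@` and consumed at `@@ -263,7 +264,7 @@` is computed server-side and echoed into the page's JavaScript (the PHP expression itself has been stripped from this listing), and the script only uses it to decide whether to open the login dialog; that is a presentation decision, not an access check, so the LOGIN_REQUIRED rule for a guest session must still be enforced by the server-side handlers the web entry submits to. If that server check exists (it is not visible in this diff), a comment on the new `var` line saying so would help future readers, e.g. `// UX only: guest status is re-checked server-side on submit`. The `login` function's body continues outside the second hunk.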
@@ -5,19 +5,28 @@
 /**
 * This page is redirected from the login page.
 */
-G::LoadClass('pmFunctions');
 $userUid = $_SESSION['USER_LOGGED'];
-$userInfo = PMFInformationUser($userUid);
-$result = [
- 'user_logged' => $userUid,
- 'userName' => $userInfo['username'],
- 'firstName' => $userInfo['firstname'],
- 'lastName' => $userInfo['lastname'],
- 'mail' => $userInfo['mail'],
- 'image' => '../users/users_ViewPhoto?t='.microtime(true),
-];
+$userInfo = UsersPeer::retrieveByPK($userUid);
+if (empty($userInfo)) {
+ $result = [
+ 'user_logged' => $userUid,
+ 'userName' => '',
+ 'firstName' => '',
+ 'lastName' => '',
+ 'mail' => '',
+ 'image' => '../users/users_ViewPhoto?t=' . microtime(true),
+ ];
+} else {
+ $result = [
+ 'user_logged' => $userUid,
+ 'userName' => $userInfo->getUsrUsername(),
+ 'firstName' => $userInfo->getUsrFirstName(),
+ 'lastName' => $userInfo->getUsrLastName(),
+ 'mail' => $userInfo->getUsrEmail(),
+ 'image' => '../users/users_ViewPhoto?t=' . microtime(true),
+ ];
 ?>
- parent.fullfill();
+ parent.fullfill();
\ No newline at end of file
From b6d0dcd850f454554a9723cdd8eadcc4b353b442 Mon Sep 17 00:00:00 2001
From: davidcallizaya
Date: Tue, 12 Dec 2017 11:39:49 -0400
Subject: [PATCH 4/4] HOR-4155 Fix missing }
---
 workflow/engine/methods/webentry/logged.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/workflow/engine/methods/webentry/logged.php b/workflow/engine/methods/webentry/logged.php
index d21ff6c42..d65d9aef0 100644
--- a/workflow/engine/methods/webentry/logged.php
+++ b/workflow/engine/methods/webentry/logged.php
@@ -25,6 +25,7 @@ if (empty($userInfo)) {
 'mail' => $userInfo->getUsrEmail(),
 'image' => '../users/users_ViewPhoto?t=' . microtime(true),
 ];
+}
 ?>
 parent.fullfill();
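Review bot: `$userUid = $_SESSION['USER_LOGGED'];` is read without checking that the key exists, so a request that reaches this page without a logged-in session raises a notice and hands `null` to `UsersPeer::retrieveByPK()`, after which the `empty($userInfo)` branch presumably still reports `'user_logged' => null` to `parent.fullfill()` as though a login had completed. Guard the read with `isset($_SESSION['USER_LOGGED'])` so the parent page receives an empty `user_logged` rather than `null`. The two `$result` literals repeat every key and differ in only four values; deriving the optional fields from a possibly-empty `$userInfo` keeps a single array and removes the unbalanced `if`/`else` that patch 4/4 has to close, as sketched below. The `<script>` call that consumes `$result` is stripped from this listing, so how the parent treats an empty `user_logged` cannot be checked here.
```php
$userUid = isset($_SESSION['USER_LOGGED']) ? $_SESSION['USER_LOGGED'] : '';
$userInfo = $userUid !== '' ? UsersPeer::retrieveByPK($userUid) : null;
$hasUser = !empty($userInfo);
$result = [
    'user_logged' => $userUid,
    'userName' => $hasUser ? $userInfo->getUsrUsername() : '',
    'firstName' => $hasUser ? $userInfo->getUsrFirstName() : '',
    'lastName' => $hasUser ? $userInfo->getUsrLastName() : '',
    'mail' => $hasUser ? $userInfo->getUsrEmail() : '',
    'image' => '../users/users_ViewPhoto?t=' . microtime(true),
];
// … unchanged: closing PHP tag and the parent.fullfill() script …
```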