diff --git a/gulliver/system/class.rbac.php b/gulliver/system/class.rbac.php
index 30ecd002b..2f79824ea 100644
--- a/gulliver/system/class.rbac.php
+++ b/gulliver/system/class.rbac.php
@@ -73,6 +73,80 @@ class RBAC
 public function __construct ()
 {
+ $this->authorizedActions = array(
+ 'users_Ajax.php' => array(
+ 'availableUsers' => array('PM_FACTORY'),
+ 'assign' => array('PM_FACTORY'),
+ 'changeView' => array(),
+ 'ofToAssign' => array('PM_FACTORY'),
+ 'usersGroup' => array('PM_FACTORY'),
+ 'canDeleteUser' => array('PM_USERS'),
+ 'deleteUser' => array('PM_USERS'),
+ 'changeUserStatus' => array('PM_USERS'),
+ 'availableGroups' => array('PM_USERS'),
+ 'assignedGroups' => array('PM_USERS'),
+ 'assignGroupsToUserMultiple' => array('PM_USERS'),
+ 'deleteGroupsToUserMultiple' => array('PM_USERS'),
+ 'authSources' => array('PM_USERS'),
+ 'loadAuthSourceByUID' => array('PM_USERS'),
+ 'updateAuthServices' => array('PM_USERS'),
+ 'usersList' => array('PM_USERS'),
+ 'updatePageSize' => array(),
+ 'summaryUserData' => array('PM_USERS'),
+ 'verifyIfUserAssignedAsSupervisor' => array('PM_USERS')
+ ),
+ 'skin_Ajax.php' => array(
+ 'updatePageSize' => array(),
+ 'skinList' => array('PM_SETUP_SKIN'),
+ 'newSkin' => array('PM_SETUP_SKIN'),
+ 'importSkin' => array('PM_SETUP_SKIN'),
+ 'exportSkin' => array('PM_SETUP_SKIN'),
+ 'deleteSkin' => array('PM_SETUP_SKIN'),
+ 'streamSkin' => array('PM_SETUP_SKIN'),
+ 'addTarFolder' => array('PM_SETUP_SKIN'),
+ 'copy_skin_folder' => array('PM_SETUP_SKIN')
+ ),
+ 'processes_DownloadFile.php' => array(
+ 'downloadFileHash' => array('PM_FACTORY')
+ ),
+ 'processProxy.php' => array(
+ 'categoriesList' => array(),
+ 'getCategoriesList' => array(),
+ 'saveProcess' => array('PM_FACTORY'),
+ 'changeStatus' => array(),
+ 'changeDebugMode' => array(),
+ 'getUsers' => array(),
+ 'getGroups' => array(),
+ 'assignActorsTask' => array(),
+ 'removeActorsTask' => array(),
+ 'getActorsTask' => array(),
+ 'getProcessDetail' => array(),
+ 'getProperties' => array(),
+ 'saveProperties' => array(),
+ 'getCaledarList' => array(),
+ 'getPMVariables' => array(),
+ 'generateBpmn' => array()
+ ),
+ 'home.php' => array(
+ 'login' => array('PM_LOGIN'),
+ 'index' => array('PM_CASES'),
+ 'indexSingle' => array('PM_CASES'),
+ 'appList' => array('PM_CASES'),
+ 'appAdvancedSearch' => array('PM_ALLCASES'),
+ 'getApps' => array('PM_ALLCASES'),
+ 'getAppsData' => array('PM_ALLCASES'),
+ 'startCase' => array('PM_CASES'),
+ 'error' => array(),
+ 'getUserArray' => array('PM_ALLCASES'),
+ 'getCategoryArray' => array('PM_ALLCASES'),
+ 'getAllUsersArray' => array('PM_ALLCASES'),
+ 'getStatusArray' => array('PM_ALLCASES'),
+ 'getProcessArray' => array('PM_ALLCASES'),
+ 'getProcesses' => array('PM_ALLCASES'),
+ 'getUsers' => array('PM_ALLCASES')
+ )
+
+ );
 }
 /**
@@ -1440,5 +1514,37 @@ class RBAC
 }
 }
 }
+
+ /**
+ * This function verify if the user allows to the file with a specific action
+ * If the action is not defined in the authorizedActions we give the allow
+ * @param string $file
+ * @param string $action
+ *
+ * @return void
+ */
+ public function allows($file, $action)
+ {
+ $access = false;
+ if (isset($this->authorizedActions[$file][$action])) {
+ $permissions = $this->authorizedActions[$file][$action];
+ $totalPermissions = count($permissions);
+ $countAccess = 0;
+ foreach ($permissions as $key => $value) {
+ if ($this->userCanAccess($value) == 1) {
+ $countAccess++;
+ }
+ }
+ //Check if the user has all permissions that needed
+ if ($countAccess == $totalPermissions) {
+ $access = true;
+ }
+ }
+
+ if (!$access) {
+ G::header('Location: /errors/error403.php');
+ die();
+ }
+ }
 }
diff --git a/workflow/engine/methods/users/users_Ajax.php b/workflow/engine/methods/users/users_Ajax.php
index 1af7b427d..e010233f7 100644
--- a/workflow/engine/methods/users/users_Ajax.php
+++ b/workflow/engine/methods/users/users_Ajax.php
@@ -14,7 +14,6 @@ try {
 die();
 break;
 }
- G::LoadInclude('ajax');
 if (isset($_POST['form'])) {
 $_POST = $_POST['form'];
 }
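Review bot: The contract of the `authorizedActions` table assigned in `__construct()` is not documented at the assignment, so a reader cannot tell whether an empty list such as `'changeView' => array()` means "unrestricted" or "not yet classified", nor what happens to an action that is absent from the table (in `allows()` as written, it is denied). A comment above `$this->authorizedActions = array(` would make this explicit, e.g. `// script basename => action => permissions the user must ALL hold; an empty list means any authenticated user, and a file/action pair not listed here is denied by allows()`. Since the table is a constant literal rebuilt on every construction, a property default would also be easier to audit than constructor code; if `$authorizedActions` is not declared as a property elsewhere in the class, it should be. The action keys presumably have to match the request's action string byte for byte (`copy_skin_folder` next to the camelCase names suggests they mirror the scripts' own case labels), which is worth stating in that comment so nobody "normalises" them later.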
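Review bot: The docblock on `allows()` says that an action not defined in `authorizedActions` is allowed, but the code initialises `$access = false` and only sets it to `true` inside the `isset($this->authorizedActions[$file][$action])` branch, so an unlisted file/action pair is redirected to `/errors/error403.php` — the comment and the implementation contradict each other. The fail-closed behaviour is the safer one and is consistent with the table listing unrestricted actions explicitly with empty arrays, so the docblock should be corrected rather than the code; suggested text: `Redirects to the 403 page and exits unless the logged-in user holds every permission listed for $action in $file; a file/action pair that is not listed is denied.` The `@return void` line is accurate only in the allowed case, since the deny path calls `die()`, which is worth a phrase in the docblock. As a point of style, the count-and-compare loop (with loose `==` comparisons and an unused `$key`) can be replaced by a deny-on-first-miss loop; I kept `!= 1` because the return type of `userCanAccess()` is not visible here, and `!== 1` is only safe if it is known to return an int.
```php
    public function allows($file, $action)
    {
        // Fail closed: a file/action pair that is not listed in the table is denied.
        $access = isset($this->authorizedActions[$file][$action]);
        if ($access) {
            // Every listed permission is required; stop at the first one the user lacks.
            foreach ($this->authorizedActions[$file][$action] as $permission) {
                if ($this->userCanAccess($permission) != 1) {
                    $access = false;
                    break;
                }
            }
        }

        // … unchanged: redirect to /errors/error403.php and die() when !$access …
```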
@@ -28,7 +27,6 @@ try {
 switch ($value) {
 case 'availableUsers':
 //Classic process: list of users to assign in the task
- G::LoadClass('processMap');
 $oProcessMap = new ProcessMap();
 global $G_PUBLISH;
 $G_PUBLISH = new Publisher();
@@ -37,7 +35,6 @@ try {
 break;
 case 'assign':
 //Classic process: assign users and groups in the task
- G::LoadClass('tasks');
 $oTasks = new Tasks();
 switch ((int) $_POST['TU_RELATION']) {
 case 1:
@@ -54,7 +51,6 @@ try {
 break;
 case 'ofToAssign':
 //Classic process: remove users and groups related a task
- G::LoadClass('tasks');
 $oTasks = new Tasks();
 switch ((int) $_POST['TU_RELATION']) {
 case 1:
@@ -73,7 +69,6 @@ try {
 break;
 case 'usersGroup':
 //Classic process: list of users in a group related a task
- G::LoadClass('groups');
 $oGroup = new Groups();
 $aGroup = $oGroup->getUsersOfGroup($_POST['GRP_UID']);
 foreach ($aGroup as $iIndex => $aValues) {
@@ -82,7 +77,6 @@ try {
 break;
 case 'canDeleteUser':
 //Check before delete a user
- G::LoadClass('case');
 $oProcessMap = new Cases();
 $userUid = $_POST['uUID'];
 $total = 0;
@@ -122,17 +116,14 @@ try {
 }
 //Remove from tasks
- G::LoadClass('tasks');
 $oTasks = new Tasks();
 $oTasks->ofToAssignUserOfAllTasks($usrUid);
 //Remove from groups
- G::LoadClass('groups');
 $oGroups = new Groups();
 $oGroups->removeUserOfAllGroups($usrUid);
 //Update the table Users
- require_once 'classes/model/Users.php';
 $RBAC->changeUserStatus($usrUid, 'CLOSED');
 $RBAC->updateUser(array('USR_UID' => $usrUid,'USR_USERNAME' => ''), '');
 $oUser = new Users();
@@ -143,7 +134,6 @@ try {
 $oUser->update($aFields);
 //Delete Dashboard
- require_once 'classes/model/DashletInstance.php';
 $criteria = new Criteria( 'workflow' );
 $criteria->add( DashletInstancePeer::DAS_INS_OWNER_UID, $usrUid );
 $criteria->add( DashletInstancePeer::DAS_INS_OWNER_TYPE , 'USER');
@@ -161,7 +151,6 @@ try {
 $response = new stdclass();
 if (isset($_REQUEST['USR_UID']) && isset($_REQUEST['NEW_USR_STATUS'])) {
 $RBAC->changeUserStatus($_REQUEST['USR_UID'], ($_REQUEST['NEW_USR_STATUS'] == 'ACTIVE' ? 1 : 0));
- require_once 'classes/model/Users.php';
 $userInstance = new Users();
 $userData = $userInstance->load($_REQUEST['USR_UID']);
 $userData['USR_STATUS'] = $_REQUEST['NEW_USR_STATUS'];
@@ -178,7 +167,6 @@ try {
 break;
 case 'availableGroups':
 //Get the available groups for assign to user
- G::LoadClass('groups');
 $filter = (isset($_POST['textFilter'])) ? $_POST['textFilter'] : '';
 $groups = new Groups();
 $criteria = $groups->getAvailableGroupsCriteria($_REQUEST['uUID'], $filter);
@@ -192,7 +180,6 @@ try {
 break;
 case 'assignedGroups':
 //Get the groups related to user
- G::LoadClass('groups');
 $filter = (isset($_POST['textFilter'])) ? $_POST['textFilter'] : '';
 $groups = new Groups();
 $criteria = $groups->getAssignedGroupsCriteria($_REQUEST['uUID'], $filter);
@@ -251,7 +238,6 @@ try {
 break;
 case 'loadAuthSourceByUID':
 //Get the authentication source assignment
- require_once 'classes/model/Users.php';
 $oCriteria = $RBAC->load($_POST['uUID']);
 $UID_AUTH = $oCriteria['UID_AUTH_SOURCE'];
 if (($UID_AUTH != '00000000000000000000000000000000') && ($UID_AUTH != '')) {
@@ -302,7 +288,6 @@ try {
 case 'usersList':
 //Get the list of users
 //Read the configurations related to enviroments
- G::LoadClass('configuration');
 $co = new Configurations();
 $config = $co->getConfiguration('usersList', 'pageSize', '', $_SESSION['USER_LOGGED']);
 $limit_size = isset($config['pageSize']) ? $config['pageSize'] : 20;
@@ -331,10 +316,6 @@ try {
 break;
 case 'summaryUserData':
 //Get all information for the summary
- require_once 'classes/model/Users.php';
- require_once 'classes/model/Department.php';
- require_once 'classes/model/AppCacheView.php';
- G::LoadClass('configuration');
 $oUser = new Users();
 $data = $oUser->loadDetailed($_REQUEST['USR_UID']);
 $data['USR_STATUS'] = G::LoadTranslation('ID_' . $data['USR_STATUS']);