diff --git a/apps/maarch_entreprise/xml/config.json.default b/apps/maarch_entreprise/xml/config.json.default
index fadf2e03c505155723b82863026a6c464d8d8f68..a9a3cb289530a98bd5f16ae3ea86dbccc25b3626 100644
--- a/apps/maarch_entreprise/xml/config.json.default
+++ b/apps/maarch_entreprise/xml/config.json.default
@@ -6,7 +6,8 @@
 "timezone": "Europe/Paris",
 "maarchDirectory" : "/var/www/html/MaarchCourrier/",
 "customID" : "",
- "maarchUrl" : "http://preview.maarchcourrier.com/"
+ "maarchUrl" : "http://preview.maarchcourrier.com/",
+ "lockAdvancedPrivileges" : false
 },
 "database": [
 {
diff --git a/src/app/group/controllers/GroupController.php b/src/app/group/controllers/GroupController.php
index 9f8942c18d285bea9ab20c68a92c1ac4adbddf1a..c8e380c0c5a154172cc804ed863b16ac00276490 100755
--- a/src/app/group/controllers/GroupController.php
+++ b/src/app/group/controllers/GroupController.php
@@ -11,6 +11,7 @@ use Respect\Validation\Validator;
 use Slim\Http\Request;
 use Slim\Http\Response;
 use SrcCore\controllers\PreparedClauseController;
+use SrcCore\models\CoreConfigModel;
 use SrcCore\models\ValidatorModel;
 use User\controllers\UserController;
 use User\models\UserEntityModel;
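Review bot: The `use SrcCore\models\CoreConfigModel;` added to GroupController has no visible user: the only change to this file's code (the hunk at line 154) calls `PrivilegeController::isAdvancedPrivilegesLocked()` and never references CoreConfigModel directly. Unless an unshown part of GroupController uses it, drop the import so the controller keeps a single path to the lock flag (through PrivilegeController) instead of two.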
@@ -154,12 +155,13 @@ class GroupController
 return $response->withStatus(400)->withJson(['errors' => 'Group not found']);
 }
- $group['security'] = GroupModel::getSecurityByGroupId(['groupId' => $group['group_id']]);
- $group['users'] = GroupModel::getUsersById(['id' => $args['id'], 'select' => ['users.id', 'users.user_id', 'users.firstname', 'users.lastname', 'users.status']]);
- $group['baskets'] = GroupBasketModel::getBasketsByGroupId(['select' => ['baskets.basket_id', 'baskets.basket_name', 'baskets.basket_desc'], 'groupId' => $group['group_id']]);
- $group['canAdminUsers'] = PrivilegeController::hasPrivilege(['privilegeId' => 'admin_users', 'userId' => $GLOBALS['id']]);
- $group['canAdminBaskets'] = PrivilegeController::hasPrivilege(['privilegeId' => 'admin_baskets', 'userId' => $GLOBALS['id']]);
- $group['privileges'] = PrivilegeModel::getPrivilegesByGroupId(['groupId' => $args['id']]);
+ $group['security'] = GroupModel::getSecurityByGroupId(['groupId' => $group['group_id']]);
+ $group['users'] = GroupModel::getUsersById(['id' => $args['id'], 'select' => ['users.id', 'users.user_id', 'users.firstname', 'users.lastname', 'users.status']]);
+ $group['baskets'] = GroupBasketModel::getBasketsByGroupId(['select' => ['baskets.basket_id', 'baskets.basket_name', 'baskets.basket_desc'], 'groupId' => $group['group_id']]);
+ $group['canAdminUsers'] = PrivilegeController::hasPrivilege(['privilegeId' => 'admin_users', 'userId' => $GLOBALS['id']]);
+ $group['canAdminBaskets'] = PrivilegeController::hasPrivilege(['privilegeId' => 'admin_baskets', 'userId' => $GLOBALS['id']]);
+ $group['privileges'] = PrivilegeModel::getPrivilegesByGroupId(['groupId' => $args['id']]);
+ $group['lockAdvancedPrivileges'] = PrivilegeController::isAdvancedPrivilegesLocked();
 $allowedUsers = [];
 $isRoot = UserController::isRoot(['id' => $GLOBALS['id']]);
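Review bot: Six `-`/`+` pairs in this hunk are textually identical in this rendering (presumably an `=` re-alignment whose padding was lost), so the one functional addition, `$group['lockAdvancedPrivileges'] = PrivilegeController::isAdvancedPrivilegesLocked();`, is buried under cosmetic churn that also rewrites blame for the whole section. Keep alignment-only changes out of a behavioural commit, or add the new field without re-padding its neighbours. The new field itself is a display hint for the client; the refusal is enforced server-side in PrivilegeController, which is the right place, and a one-line comment saying so (`// UI hint only; enforcement lives in PrivilegeController`) would stop a later reader from treating it as a check. The enclosing method's signature is outside the hunk.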
diff --git a/src/app/group/controllers/PrivilegeController.php b/src/app/group/controllers/PrivilegeController.php
index a41fa3332505b7a58b3910e8b063e7aca1ed7685..e4595b8a94ea142e9a306098ce94fd1c2f6190ce 100644
--- a/src/app/group/controllers/PrivilegeController.php
+++ b/src/app/group/controllers/PrivilegeController.php
@@ -14,6 +14,7 @@ use SignatureBook\controllers\SignatureBookController;
 use Slim\Http\Request;
 use Slim\Http\Response;
 use SrcCore\controllers\PreparedClauseController;
+use SrcCore\models\CoreConfigModel;
 use SrcCore\models\DatabaseModel;
 use SrcCore\models\ValidatorModel;
 use User\controllers\UserController;
@@ -35,6 +36,13 @@ class PrivilegeController
 return $response->withStatus(400)->withJson(['errors' => 'Route privilegeId is empty or not an integer']);
 }
+ if (in_array($args['privilegeId'], ['create_custom', 'admin_update_control'])) {
+ $config = CoreConfigModel::getJsonLoaded(['path' => 'apps/maarch_entreprise/xml/config.json']);
+ if (!empty($config['config']['lockAdvancedPrivileges'])) {
+ return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
+ }
+ }
+
 $group = GroupModel::getById(['id' => $args['id']]);
 if (empty($group)) {
 return $response->withStatus(400)->withJson(['errors' => 'Group not found']);
@@ -344,4 +352,11 @@ class PrivilegeController
 return true;
 }
+
+ public static function isAdvancedPrivilegesLocked()
+ {
+ $file = CoreConfigModel::getJsonLoaded(['path' => 'apps/maarch_entreprise/xml/config.json']);
+
+ return !empty($file['config']['lockAdvancedPrivileges']);
+ }
 }
diff --git a/src/app/versionUpdate/controllers/VersionUpdateController.php b/src/app/versionUpdate/controllers/VersionUpdateController.php
index 33b0b46f4a4e21a253b0f072d261c68996fabe7f..7122844d3511b4a322f59b81433b08d851815795 100755
--- a/src/app/versionUpdate/controllers/VersionUpdateController.php
+++ b/src/app/versionUpdate/controllers/VersionUpdateController.php
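Review bot: The guard added at line 36 re-reads and re-parses config.json inline, duplicating the `isAdvancedPrivilegesLocked()` helper that the same commit adds further down in this file, and it uses a loose `in_array` on a value taken from the route. Collapse the five lines to `if (in_array($args['privilegeId'], ['create_custom', 'admin_update_control'], true) && PrivilegeController::isAdvancedPrivilegesLocked()) {` followed by the existing 403 return, so the policy has one implementation and the comparison is strict. The list of "advanced" privilege ids is also a second copy of knowledge the helper should own; a `const ADVANCED_PRIVILEGES = ['create_custom', 'admin_update_control'];` on the class would let this guard and any future caller agree. The enclosing method (its name is not visible) starts before the hunk, so whether the same lock also needs to apply to a sibling route that removes privileges cannot be judged here.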
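Review bot: `isAdvancedPrivilegesLocked()` is now the single source of truth for a security switch, yet it carries no docblock, no `: bool` return type, and fails open: if `CoreConfigModel::getJsonLoaded` returns null or an empty array for a missing or malformed config (its behaviour is not visible here), `!empty(...)` yields false and the lock silently disengages. Add `/** True when config.json sets lockAdvancedPrivileges; while on, the create_custom and admin_update_control privileges cannot be granted or exercised. */` and `public static function isAdvancedPrivilegesLocked(): bool`, and consider treating an unreadable config as locked rather than unlocked. Note also that `hasPrivilege()` itself is unchanged, so a group that was granted one of these privileges before the flag was set still answers true to any caller not touched by this commit (e.g. menu rendering, if it consults hasPrivilege); folding the lock into hasPrivilege for those two ids would enforce it everywhere instead of at each updated call site.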
@@ -29,7 +29,7 @@ class VersionUpdateController
 {
 public function get(Request $request, Response $response)
 {
- if (!PrivilegeController::hasPrivilege(['privilegeId' => 'admin_update_control', 'userId' => $GLOBALS['id']])) {
+ if (!PrivilegeController::hasPrivilege(['privilegeId' => 'admin_update_control', 'userId' => $GLOBALS['id']]) || PrivilegeController::isAdvancedPrivilegesLocked()) {
 return $response->withStatus(403)->withJson(['errors' => 'Service forbidden']);
 }
@@ -110,7 +110,7 @@ class VersionUpdateController
 */
 public function update(Request $request, Response $response)
 {
- if (!PrivilegeController::hasPrivilege(['privilegeId' => 'admin_update_control', 'userId' => $GLOBALS['id']])) {
+ if (!PrivilegeController::hasPrivilege(['privilegeId' => 'admin_update_control', 'userId' => $GLOBALS['id']]) || PrivilegeController::isAdvancedPrivilegesLocked()) {
 return $response->withStatus(403)->withJson(['errors' => 'Service forbidden']);
 }
diff --git a/src/core/controllers/InstallerController.php b/src/core/controllers/InstallerController.php
index d2dc17ee9f1d537d8b8b6105b5e45c48362d2bb9..55fd30af044f1c77246f4d90ea24f4a3cfae420f 100644
--- a/src/core/controllers/InstallerController.php
+++ b/src/core/controllers/InstallerController.php
@@ -272,7 +272,7 @@ class InstallerController
 public function createCustom(Request $request, Response $response)
 {
- if (!empty($GLOBALS['id']) && !PrivilegeController::hasPrivilege(['privilegeId' => 'create_custom', 'userId' => $GLOBALS['id']])) {
+ if (!empty($GLOBALS['id']) && (!PrivilegeController::hasPrivilege(['privilegeId' => 'create_custom', 'userId' => $GLOBALS['id']]) || PrivilegeController::isAdvancedPrivilegesLocked())) {
 return $response->withStatus(403)->withJson(['errors' => 'Route forbidden']);
 }
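Review bot: In createCustom the new lock is evaluated only inside the `!empty($GLOBALS['id'])` branch, so a request that reaches this handler with no user id (the pre-existing id-less installer path; whether it is still reachable after installation depends on routing/middleware not visible here) is unaffected by lockAdvancedPrivileges. If the flag is meant to freeze custom creation on a hardened deployment, hoist it out of the user check: `if (PrivilegeController::isAdvancedPrivilegesLocked() || (!empty($GLOBALS['id']) && !PrivilegeController::hasPrivilege(['privilegeId' => 'create_custom', 'userId' => $GLOBALS['id']]))) {`. The body of createCustom continues past the hunk.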
@@ -332,7 +332,7 @@ class InstallerController
 public function createDatabase(Request $request, Response $response)
 {
- if (!empty($GLOBALS['id']) && !PrivilegeController::hasPrivilege(['privilegeId' => 'create_custom', 'userId' => $GLOBALS['id']])) {
+ if (!empty($GLOBALS['id']) && (!PrivilegeController::hasPrivilege(['privilegeId' => 'create_custom', 'userId' => $GLOBALS['id']]) || PrivilegeController::isAdvancedPrivilegesLocked())) {
 return $response->withStatus(403)->withJson(['errors' => 'Route forbidden']);
 }
@@ -433,7 +433,7 @@ class InstallerController
 public function createDocservers(Request $request, Response $response)
 {
- if (!empty($GLOBALS['id']) && !PrivilegeController::hasPrivilege(['privilegeId' => 'create_custom', 'userId' => $GLOBALS['id']])) {
+ if (!empty($GLOBALS['id']) && (!PrivilegeController::hasPrivilege(['privilegeId' => 'create_custom', 'userId' => $GLOBALS['id']]) || PrivilegeController::isAdvancedPrivilegesLocked())) {
 return $response->withStatus(403)->withJson(['errors' => 'Route forbidden']);
 }
@@ -518,7 +518,7 @@ class InstallerController
 public function createCustomization(Request $request, Response $response)
 {
- if (!empty($GLOBALS['id']) && !PrivilegeController::hasPrivilege(['privilegeId' => 'create_custom', 'userId' => $GLOBALS['id']])) {
+ if (!empty($GLOBALS['id']) && (!PrivilegeController::hasPrivilege(['privilegeId' => 'create_custom', 'userId' => $GLOBALS['id']]) || PrivilegeController::isAdvancedPrivilegesLocked())) {
 return $response->withStatus(403)->withJson(['errors' => 'Route forbidden']);
 }
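Review bot: createDatabase, createDocservers and createCustomization (and the three sibling handlers in this file) now each carry the same 200-character guard verbatim, with the lock nested under the user-id check, so the next policy tweak has to be repeated six times and any one site missed becomes the hole. Extract it once into a private helper and have every handler call it; the helper is also the natural place to document what the lock means and to decide, in one line, whether an id-less request should be refused while the lock is on. Each handler body continues past its hunk.
```php
    /** Installer routes are refused for an authenticated user lacking create_custom, or whenever lockAdvancedPrivileges is set in config.json. */
    private static function installerRouteForbidden(): bool
    {
        if (PrivilegeController::isAdvancedPrivilegesLocked()) {
            return true;
        }
        return !empty($GLOBALS['id'])
            && !PrivilegeController::hasPrivilege(['privilegeId' => 'create_custom', 'userId' => $GLOBALS['id']]);
    }

    public function createDatabase(Request $request, Response $response)
    {
        if (self::installerRouteForbidden()) {
            return $response->withStatus(403)->withJson(['errors' => 'Route forbidden']);
        }
        // … unchanged: rest of createDatabase …
```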
@@ -595,7 +595,7 @@ class InstallerController
 public function updateAdministrator(Request $request, Response $response)
 {
- if (!empty($GLOBALS['id']) && !PrivilegeController::hasPrivilege(['privilegeId' => 'create_custom', 'userId' => $GLOBALS['id']])) {
+ if (!empty($GLOBALS['id']) && (!PrivilegeController::hasPrivilege(['privilegeId' => 'create_custom', 'userId' => $GLOBALS['id']]) || PrivilegeController::isAdvancedPrivilegesLocked())) {
 return $response->withStatus(403)->withJson(['errors' => 'Route forbidden']);
 }
@@ -662,7 +662,7 @@ class InstallerController
 public function terminateInstaller(Request $request, Response $response)
 {
- if (!empty($GLOBALS['id']) && !PrivilegeController::hasPrivilege(['privilegeId' => 'create_custom', 'userId' => $GLOBALS['id']])) {
+ if (!empty($GLOBALS['id']) && (!PrivilegeController::hasPrivilege(['privilegeId' => 'create_custom', 'userId' => $GLOBALS['id']]) || PrivilegeController::isAdvancedPrivilegesLocked())) {
 return $response->withStatus(403)->withJson(['errors' => 'Route forbidden']);
 }