From 5945b3a094f3ab0c491dbfa4b56aa9f158921e2a Mon Sep 17 00:00:00 2001
From: Damien <damien.burel@maarch.org>
Date: Fri, 23 Oct 2020 16:21:13 +0200
Subject: [PATCH] FEAT #14214 TIME 1:20 Lock advanced privileges

---
 apps/maarch_entreprise/xml/config.json.default | 3 ++-
 src/app/group/controllers/GroupController.php | 14 ++++++++------
 src/app/group/controllers/PrivilegeController.php | 15 +++++++++++++++
 .../controllers/VersionUpdateController.php | 4 ++--
 src/core/controllers/InstallerController.php | 12 ++++++------
 5 files changed, 33 insertions(+), 15 deletions(-)

diff --git a/apps/maarch_entreprise/xml/config.json.default b/apps/maarch_entreprise/xml/config.json.default
index fadf2e03c50..a9a3cb28953 100644
--- a/apps/maarch_entreprise/xml/config.json.default
+++ b/apps/maarch_entreprise/xml/config.json.default
@@ -6,7 +6,8 @@
         "timezone": "Europe/Paris",
         "maarchDirectory" : "/var/www/html/MaarchCourrier/",
         "customID" : "",
-        "maarchUrl" : "http://preview.maarchcourrier.com/"
+        "maarchUrl" : "http://preview.maarchcourrier.com/",
+        "lockAdvancedPrivileges" : false
     },
     "database": [
         {
diff --git a/src/app/group/controllers/GroupController.php b/src/app/group/controllers/GroupController.php
index 9f8942c18d2..c8e380c0c5a 100755
--- a/src/app/group/controllers/GroupController.php
+++ b/src/app/group/controllers/GroupController.php
@@ -11,6 +11,7 @@ use Respect\Validation\Validator;
 use Slim\Http\Request;
 use Slim\Http\Response;
 use SrcCore\controllers\PreparedClauseController;
+use SrcCore\models\CoreConfigModel;
 use SrcCore\models\ValidatorModel;
 use User\controllers\UserController;
 use User\models\UserEntityModel;
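Review bot: The `use SrcCore\models\CoreConfigModel;` line added to GroupController is not referenced by any line visible in this patch; the @@ -154 hunk goes through `PrivilegeController::isAdvancedPrivilegesLocked()` rather than reading the config itself. Unless another part of GroupController outside this patch uses it, drop the import so the file does not carry a dead dependency on the config loader.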
@@ -154,12 +155,13 @@ class GroupController
             return $response->withStatus(400)->withJson(['errors' => 'Group not found']);
         }
 
-        $group['security'] = GroupModel::getSecurityByGroupId(['groupId' => $group['group_id']]);
-        $group['users'] = GroupModel::getUsersById(['id' => $args['id'], 'select' => ['users.id', 'users.user_id', 'users.firstname', 'users.lastname', 'users.status']]);
-        $group['baskets'] = GroupBasketModel::getBasketsByGroupId(['select' => ['baskets.basket_id', 'baskets.basket_name', 'baskets.basket_desc'], 'groupId' => $group['group_id']]);
-        $group['canAdminUsers'] = PrivilegeController::hasPrivilege(['privilegeId' => 'admin_users', 'userId' => $GLOBALS['id']]);
-        $group['canAdminBaskets'] = PrivilegeController::hasPrivilege(['privilegeId' => 'admin_baskets', 'userId' => $GLOBALS['id']]);
-        $group['privileges'] = PrivilegeModel::getPrivilegesByGroupId(['groupId' => $args['id']]);
+        $group['security'] = GroupModel::getSecurityByGroupId(['groupId' => $group['group_id']]);
+        $group['users'] = GroupModel::getUsersById(['id' => $args['id'], 'select' => ['users.id', 'users.user_id', 'users.firstname', 'users.lastname', 'users.status']]);
+        $group['baskets'] = GroupBasketModel::getBasketsByGroupId(['select' => ['baskets.basket_id', 'baskets.basket_name', 'baskets.basket_desc'], 'groupId' => $group['group_id']]);
+        $group['canAdminUsers'] = PrivilegeController::hasPrivilege(['privilegeId' => 'admin_users', 'userId' => $GLOBALS['id']]);
+        $group['canAdminBaskets'] = PrivilegeController::hasPrivilege(['privilegeId' => 'admin_baskets', 'userId' => $GLOBALS['id']]);
+        $group['privileges'] = PrivilegeModel::getPrivilegesByGroupId(['groupId' => $args['id']]);
+        $group['lockAdvancedPrivileges'] = PrivilegeController::isAdvancedPrivilegesLocked();
 
         $allowedUsers = [];
         $isRoot = UserController::isRoot(['id' => $GLOBALS['id']]);
diff --git a/src/app/group/controllers/PrivilegeController.php b/src/app/group/controllers/PrivilegeController.php
index a41fa333250..e4595b8a94e 100644
--- a/src/app/group/controllers/PrivilegeController.php
+++ b/src/app/group/controllers/PrivilegeController.php
@@ -14,6 +14,7 @@ use SignatureBook\controllers\SignatureBookController;
 use Slim\Http\Request;
 use Slim\Http\Response;
 use SrcCore\controllers\PreparedClauseController;
+use SrcCore\models\CoreConfigModel;
 use SrcCore\models\DatabaseModel;
 use SrcCore\models\ValidatorModel;
 use User\controllers\UserController;
@@ -35,6 +36,13 @@ class PrivilegeController
             return $response->withStatus(400)->withJson(['errors' => 'Route privilegeId is empty or not an integer']);
         }
 
+        if (in_array($args['privilegeId'], ['create_custom', 'admin_update_control'])) {
+            $config = CoreConfigModel::getJsonLoaded(['path' => 'apps/maarch_entreprise/xml/config.json']);
+            if (!empty($config['config']['lockAdvancedPrivileges'])) {
+                return $response->withStatus(403)->withJson(['errors' => 'Privilege forbidden']);
+            }
+        }
+
         $group = GroupModel::getById(['id' => $args['id']]);
         if (empty($group)) {
             return $response->withStatus(400)->withJson(['errors' => 'Group not found']);
@@ -344,4 +352,11 @@ class PrivilegeController
 
         return true;
     }
+
+    public static function isAdvancedPrivilegesLocked()
+    {
+        $file = CoreConfigModel::getJsonLoaded(['path' => 'apps/maarch_entreprise/xml/config.json']);
+
+        return !empty($file['config']['lockAdvancedPrivileges']);
+    }
 }
diff --git a/src/app/versionUpdate/controllers/VersionUpdateController.php b/src/app/versionUpdate/controllers/VersionUpdateController.php
index 33b0b46f4a4..7122844d351 100755
--- a/src/app/versionUpdate/controllers/VersionUpdateController.php
+++ b/src/app/versionUpdate/controllers/VersionUpdateController.php
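Review bot: The new guard in the @@ -35 hunk duplicates the config lookup that `isAdvancedPrivilegesLocked()`, added at the end of this same file, already encapsulates, and `in_array` is called without the strict flag. Replacing the inline read with `if (in_array($args['privilegeId'], ['create_custom', 'admin_update_control'], true) && PrivilegeController::isAdvancedPrivilegesLocked()) {` keeps the list of locked privilege ids next to the lock semantics and removes the second hard-coded `apps/maarch_entreprise/xml/config.json` path. A short comment above it such as `// create_custom and admin_update_control can only be granted while lockAdvancedPrivileges is off` would explain why these two ids are special. The enclosing method starts before this hunk.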
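Review bot: `isAdvancedPrivilegesLocked()` in the @@ -344 hunk is the authorisation gate for every caller in this patch, yet it has no return type and no docblock. Declare it `public static function isAdvancedPrivilegesLocked(): bool` and add a docblock stating that it reads `config.lockAdvancedPrivileges` from `apps/maarch_entreprise/xml/config.json` and that an absent key, a `false` value or a config that could not be loaded all evaluate to unlocked because of `!empty`. That fail-open result on an unreadable config is presumably intended for backward compatibility with installs whose config.json predates the key, but it should be written down so an operator relying on the lock knows a broken config.json silently disables it.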
@@ -29,7 +29,7 @@ class VersionUpdateController
 {
     public function get(Request $request, Response $response)
     {
-        if (!PrivilegeController::hasPrivilege(['privilegeId' => 'admin_update_control', 'userId' => $GLOBALS['id']])) {
+        if (!PrivilegeController::hasPrivilege(['privilegeId' => 'admin_update_control', 'userId' => $GLOBALS['id']]) || PrivilegeController::isAdvancedPrivilegesLocked()) {
             return $response->withStatus(403)->withJson(['errors' => 'Service forbidden']);
         }
 
@@ -110,7 +110,7 @@ class VersionUpdateController
      */
     public function update(Request $request, Response $response)
     {
-        if (!PrivilegeController::hasPrivilege(['privilegeId' => 'admin_update_control', 'userId' => $GLOBALS['id']])) {
+        if (!PrivilegeController::hasPrivilege(['privilegeId' => 'admin_update_control', 'userId' => $GLOBALS['id']]) || PrivilegeController::isAdvancedPrivilegesLocked()) {
             return $response->withStatus(403)->withJson(['errors' => 'Service forbidden']);
         }
 
diff --git a/src/core/controllers/InstallerController.php b/src/core/controllers/InstallerController.php
index d2dc17ee9f1..55fd30af044 100644
--- a/src/core/controllers/InstallerController.php
+++ b/src/core/controllers/InstallerController.php
@@ -272,7 +272,7 @@ class InstallerController
 
     public function createCustom(Request $request, Response $response)
     {
-        if (!empty($GLOBALS['id']) && !PrivilegeController::hasPrivilege(['privilegeId' => 'create_custom', 'userId' => $GLOBALS['id']])) {
+        if (!empty($GLOBALS['id']) && (!PrivilegeController::hasPrivilege(['privilegeId' => 'create_custom', 'userId' => $GLOBALS['id']]) || PrivilegeController::isAdvancedPrivilegesLocked())) {
             return $response->withStatus(403)->withJson(['errors' => 'Route forbidden']);
         }
 
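Review bot: Every consumer of `admin_update_control` and `create_custom` now has to remember to append `|| PrivilegeController::isAdvancedPrivilegesLocked()` to its `hasPrivilege` check; the @@ -29 hunk, the @@ -110 hunk and the six InstallerController hunks repeat the same pattern, and any route this commit did not touch keeps honouring the privilege while the lock is on. Enforcing the lock inside `PrivilegeController::hasPrivilege` — returning false when `privilegeId` is one of the two locked ids and `isAdvancedPrivilegesLocked()` is true — would leave the call sites untouched and make the lock impossible to bypass by omission. hasPrivilege is outside this patch, so I cannot see whether it has callers for which that change would be unwanted; the GroupController flags `canAdminUsers` and `canAdminBaskets` use different ids and would be unaffected.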
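Review bot: In the @@ -272 hunk the lock is only evaluated when `$GLOBALS['id']` is non-empty, so an installer request without a session reaches createCustom unaffected by `lockAdvancedPrivileges`; the same guard shape appears in the createDatabase, createDocservers, createCustomization, updateAdministrator and terminateInstaller hunks that follow. If the no-session path is meant to stay open (a fresh install before any user exists), a comment on the condition such as `// no session: installer bootstrap, the lock applies only to logged-in users` would make that explicit; if not, the `isAdvancedPrivilegesLocked()` test should sit outside the `!empty($GLOBALS['id']) &&` guard. createCustom's body continues past the end of the hunk.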
@@ -332,7 +332,7 @@ class InstallerController
 
     public function createDatabase(Request $request, Response $response)
     {
-        if (!empty($GLOBALS['id']) && !PrivilegeController::hasPrivilege(['privilegeId' => 'create_custom', 'userId' => $GLOBALS['id']])) {
+        if (!empty($GLOBALS['id']) && (!PrivilegeController::hasPrivilege(['privilegeId' => 'create_custom', 'userId' => $GLOBALS['id']]) || PrivilegeController::isAdvancedPrivilegesLocked())) {
             return $response->withStatus(403)->withJson(['errors' => 'Route forbidden']);
         }
 
@@ -433,7 +433,7 @@ class InstallerController
 
     public function createDocservers(Request $request, Response $response)
     {
-        if (!empty($GLOBALS['id']) && !PrivilegeController::hasPrivilege(['privilegeId' => 'create_custom', 'userId' => $GLOBALS['id']])) {
+        if (!empty($GLOBALS['id']) && (!PrivilegeController::hasPrivilege(['privilegeId' => 'create_custom', 'userId' => $GLOBALS['id']]) || PrivilegeController::isAdvancedPrivilegesLocked())) {
             return $response->withStatus(403)->withJson(['errors' => 'Route forbidden']);
         }
 
@@ -518,7 +518,7 @@ class InstallerController
 
     public function createCustomization(Request $request, Response $response)
     {
-        if (!empty($GLOBALS['id']) && !PrivilegeController::hasPrivilege(['privilegeId' => 'create_custom', 'userId' => $GLOBALS['id']])) {
+        if (!empty($GLOBALS['id']) && (!PrivilegeController::hasPrivilege(['privilegeId' => 'create_custom', 'userId' => $GLOBALS['id']]) || PrivilegeController::isAdvancedPrivilegesLocked())) {
             return $response->withStatus(403)->withJson(['errors' => 'Route forbidden']);
         }
 
@@ -595,7 +595,7 @@ class InstallerController
 
     public function updateAdministrator(Request $request, Response $response)
     {
-        if (!empty($GLOBALS['id']) && !PrivilegeController::hasPrivilege(['privilegeId' => 'create_custom', 'userId' => $GLOBALS['id']])) {
+        if (!empty($GLOBALS['id']) && (!PrivilegeController::hasPrivilege(['privilegeId' => 'create_custom', 'userId' => $GLOBALS['id']]) || PrivilegeController::isAdvancedPrivilegesLocked())) {
             return $response->withStatus(403)->withJson(['errors' => 'Route forbidden']);
         }
 
@@ -662,7 +662,7 @@ class InstallerController
 
     public function terminateInstaller(Request $request, Response $response)
     {
-        if (!empty($GLOBALS['id']) && !PrivilegeController::hasPrivilege(['privilegeId' => 'create_custom', 'userId' => $GLOBALS['id']])) {
+        if (!empty($GLOBALS['id']) && (!PrivilegeController::hasPrivilege(['privilegeId' => 'create_custom', 'userId' => $GLOBALS['id']]) || PrivilegeController::isAdvancedPrivilegesLocked())) {
             return $response->withStatus(403)->withJson(['errors' => 'Route forbidden']);
         }
 
-- 
GitLab