From 9861f110a44162644e6c5199f8a74735f7d63a6b Mon Sep 17 00:00:00 2001
From: Damien <damien.burel@maarch.org>
Date: Fri, 24 Jan 2020 14:47:29 +0100
Subject: [PATCH] FEAT #11882 TIME 0:15 History privileges

---
 bin/external/localeo/LocaleoScript.php           |  4 ++--
 .../history/controllers/HistoryController.php    | 16 ++++++++--------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/bin/external/localeo/LocaleoScript.php b/bin/external/localeo/LocaleoScript.php
index 708fd52252c..04281f32498 100644
--- a/bin/external/localeo/LocaleoScript.php
+++ b/bin/external/localeo/LocaleoScript.php
@@ -361,7 +361,7 @@ class LocaleoScript
                 'res_attachments.res_id_master = res_letterbox.res_id', "res_letterbox.external_id->>'localeoId' is not null",
                 "res_attachments.external_id->>'localeoId' is null", 'res_attachments.status not in (?)'
             ],
-            'data'      => [['DEL']]
+            'data'      => [['DEL', 'OBS']]
         ]);
 
         foreach ($attachments as $attachment) {
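Review bot: The `data` line now binds `[['DEL', 'OBS']]` to the `status not in (?)` placeholder without any comment on why these two statuses are excluded, and the codes are only meaningful to someone who knows the status table. A one-line comment above the `get` call, such as `// skip attachments in DEL or OBS status (presumably deleted/obsolete — confirm)`, would record the intent next to the list. The enclosing method starts before and continues past the hunk.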
@@ -481,7 +481,7 @@ class LocaleoScript
         fclose($file);
 
         $resources = \Resource\models\ResModel::get([
-            'select'    => ['res_id', 'subject', 'format', 'path', 'filename', 'docserver_id', "external_id->>'localeoId' as \"localeoId\""],
+            'select'    => ['res_id', "external_id->>'localeoId' as \"localeoId\""],
             'where'     => $where,
             'data'      => $data
         ]);
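Review bot: The new `select` at the `+` line drops `subject`, `format`, `path`, `filename` and `docserver_id` from the rows, but the loop that consumes `$resources` is not in the hunk, so it cannot be verified here that no later line still reads one of those keys; an undefined array key only surfaces at runtime as a warning and a null value. Please confirm the consumer of `$resources` only uses `res_id` and `localeoId`. The method continues past the hunk.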
diff --git a/src/app/history/controllers/HistoryController.php b/src/app/history/controllers/HistoryController.php
index b8025fe2adb..0419127c97a 100755
--- a/src/app/history/controllers/HistoryController.php
+++ b/src/app/history/controllers/HistoryController.php
@@ -35,10 +35,10 @@ class HistoryController
         if (!empty($queryParams['resId'])) {
             if (!Validator::intVal()->notEmpty()->validate($queryParams['resId']) || !ResController::hasRightByResId(['resId' => [$queryParams['resId']], 'userId' => $GLOBALS['id']])) {
                 return $response->withStatus(403)->withJson(['errors' => 'Document out of perimeter']);
-            } elseif (empty($queryParams['onlyActions']) && !PrivilegeController::hasPrivilege(['privilegeId' => 'view_full_history', 'userId' => $GLOBALS['id']])) {
-                return $response->withStatus(403)->withJson(['errors' => 'Service forbidden']);
-            } elseif (!PrivilegeController::hasPrivilege(['privilegeId' => 'view_doc_history', 'userId' => $GLOBALS['id']])) {
-                return $response->withStatus(403)->withJson(['errors' => 'Service forbidden']);
+            } elseif (!PrivilegeController::hasPrivilege(['privilegeId' => 'view_full_history', 'userId' => $GLOBALS['id']])) {
+                if (empty($queryParams['onlyActions']) || !PrivilegeController::hasPrivilege(['privilegeId' => 'view_doc_history', 'userId' => $GLOBALS['id']])) {
+                    return $response->withStatus(403)->withJson(['errors' => 'Service forbidden']);
+                }
             }
         } elseif (!PrivilegeController::hasPrivilege(['privilegeId' => 'view_history', 'userId' => $GLOBALS['id']])) {
             return $response->withStatus(403)->withJson(['errors' => 'Service forbidden']);
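Review bot: The nested privilege check added at the `elseif (!PrivilegeController::hasPrivilege(... 'view_full_history' ...))` line is duplicated byte for byte in the second hunk of this file (starting `@@ -206,10 +206,10 @@`), so the two authorization paths will drift apart the next time one of them is changed; the decision should live in one private helper that both methods call. The helper would keep the same rule the hunk implements: `view_full_history` grants everything, while the actions-only view also accepts `view_doc_history`. The `empty($queryParams['onlyActions'])` predicate used to choose the weaker requirement must be the same predicate the method later uses to restrict the result set to actions; if the later filter is written differently (it is outside the hunk), a value such as `onlyActions=false`, which is non-empty, would pass this gate as "actions only" but could return the full history — worth confirming. The enclosing method starts before the hunk.
```php
// in both methods, replacing the nested privilege check (method start is outside the hunk)
} elseif (!self::canViewResourceHistory(['onlyActions' => !empty($queryParams['onlyActions'])])) {
    return $response->withStatus(403)->withJson(['errors' => 'Service forbidden']);
}
// … unchanged: view_history check on the no-resId branch …

/**
 * Whether the current user may read a single resource's history.
 * Full history requires view_full_history; the actions-only view also accepts view_doc_history.
 */
private static function canViewResourceHistory(array $args): bool
{
    if (PrivilegeController::hasPrivilege(['privilegeId' => 'view_full_history', 'userId' => $GLOBALS['id']])) {
        return true;
    }

    return !empty($args['onlyActions'])
        && PrivilegeController::hasPrivilege(['privilegeId' => 'view_doc_history', 'userId' => $GLOBALS['id']]);
}
```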
@@ -206,10 +206,10 @@ class HistoryController
         if (!empty($queryParams['resId'])) {
             if (!Validator::intVal()->notEmpty()->validate($queryParams['resId']) || !ResController::hasRightByResId(['resId' => [$queryParams['resId']], 'userId' => $GLOBALS['id']])) {
                 return $response->withStatus(403)->withJson(['errors' => 'Document out of perimeter']);
-            } elseif (empty($queryParams['onlyActions']) && !PrivilegeController::hasPrivilege(['privilegeId' => 'view_full_history', 'userId' => $GLOBALS['id']])) {
-                return $response->withStatus(403)->withJson(['errors' => 'Service forbidden']);
-            } elseif (!PrivilegeController::hasPrivilege(['privilegeId' => 'view_doc_history', 'userId' => $GLOBALS['id']])) {
-                return $response->withStatus(403)->withJson(['errors' => 'Service forbidden']);
+            } elseif (!PrivilegeController::hasPrivilege(['privilegeId' => 'view_full_history', 'userId' => $GLOBALS['id']])) {
+                if (empty($queryParams['onlyActions']) || !PrivilegeController::hasPrivilege(['privilegeId' => 'view_doc_history', 'userId' => $GLOBALS['id']])) {
+                    return $response->withStatus(403)->withJson(['errors' => 'Service forbidden']);
+                }
             }
         } elseif (!PrivilegeController::hasPrivilege(['privilegeId' => 'view_history', 'userId' => $GLOBALS['id']])) {
             return $response->withStatus(403)->withJson(['errors' => 'Service forbidden']);
-- 
GitLab