Commit 5dd3c072 authored by Cyril Vazquez's avatar Cyril Vazquez

Merge branch 'Support/2.6.X' into 'master'

Support/2.6.x

See merge request !27
parents cb1f0b93 a356bf95
# CHANGELOG
## Version 2.6.2
**Nécessite Maarch RM 2.6.8**
- `Changed` Suppression de la modification des vérification de droit dans la fonction de création d'un compte de service, incluse au socle
- `Changed` Suppression de la modification de la fonction vérifiant les droits, incluse au socle
## Version 2.6.1
- `Changed` Modification des vérification de droit dans la fonction de création d'un compte de service pour gain de performance
- `Changed` Modification de la fonction vérifiant les droits pour gain de performance
- `Changed` Ajout du compte de service "ADMIN-G" dans le groupe administrateur dans le fichier de configuration
- `Changed` Ajout du privilège 'generate token' à "ADMIN-G"
- `Fixed` Correction du retour d'erreur lors de la génération du replyMessage
- `Added` Ajout d'un point de configuration pour l'activation d'un tiers horodateur
- `Added` Ajout de la dépendance timestamp dans le fichier vhost par défaut
- `Fixed` Correction d'une mauvaise comparaison dans la fonction de journalisation
- `Added` Ajout des événements de listage, comptage et lecture du journal lors de l'affichage du journal
- `Added` Ajout de l’événement de consultation sur les ressources lors de la lecture des métadonnées d'une archive
- `Changed` Autorisation de l'administrateur fonctionnel d'accéder ou non aux événements du cycle de vie
- `Changed` Ajout du compte de service "ADMIN-G" dans le fichier sql du jeu minimal
- `Fixed` Modification du securityLevel.ini pour autoriser les administrateurs généraux à accéder au planificateur de tâches
- `Fixed` Correction d'un cast d'objet d'archive lors de l'import
- `Fixed` Correction de la sélection de l'algorithme de hash lorsque celui-ci n'est pas défini dans la configuration
2.6
\ No newline at end of file
2.6.2
\ No newline at end of file
......@@ -87,24 +87,8 @@ class digitalSafe
$account = $this->accountController->get($accountToken->accountId);
$replyMessage->accountName = $account->accountName;
foreach ($archive->digitalResources as $resource) {
if ((isset($resource->hash) && !is_null($resource->hash))
&& (isset($resource->hashAlgorithm)
&& !is_null($resource->hashAlgorithm))
) {
try {
$this->checkHash($resource->handler, $resource->hash, $resource->hashAlgorithm);
} catch (\Exception $e) {
throw $this->getThrowable($e->getMessage(), 400, $replyMessage);
}
} elseif (!isset($resource->hash) && !isset($resource->hashAlgorithm)) {
continue;
} else {
throw $this->getThrowable("Hash or hash algorithm missing", 401, $replyMessage);
}
}
try {
$archive = \laabs::castMessage($archive, 'recordsManagement/archive');
$archiveId = $this->archiveController->receive($archive, false);
$archive = $this->sdoFactory->read('recordsManagement/archive', $archiveId);
} catch (\Exception $e) {
......@@ -258,6 +242,7 @@ class digitalSafe
$replyMessage->descriptionObject = $archive->descriptionObject;
foreach ($archive->digitalResources as $digitalResource) {
$this->archiveController->logConsultation($archive, $digitalResource);
unset($digitalResource->address);
}
......@@ -302,7 +287,7 @@ class digitalSafe
$replyMessage->depositDate = $archive->depositDate;
$replyMessage->originatorArchiveId = $archive->originatorArchiveId;
if (count($res['error']) > 1) {
if (count($res['error']) > 0) {
$replyMessage->operationResult = false;
$replyMessage->operationMessage = "No integrity";
return $replyMessage;
......@@ -335,21 +320,26 @@ class digitalSafe
$userAccountController = \laabs::newController('auth/userAccount');
$userAccountController->isAuthorized(['func_admin', 'user']);
try {
$organization = $this->organizationController->getOrgByRegNumber($originatorOwnerOrgRegNumber);
} catch (\Exception $exception) {
throw $this->getThrowable("Organization " . $originatorOwnerOrgRegNumber . " doesn't exist", 404, $replyMessage);
}
$accountToken = \laabs::getToken('AUTH');
$account = $this->sdoFactory->read("auth/account", $accountToken->accountId);
//$securityLevel = $account->getSecurityLevel();
if ($account->ownerOrgId != $originatorOwnerOrgRegNumber) {
if ($account->ownerOrgId != $organization->orgId) {
throw new \core\Exception\UnauthorizedException("You are not allowed to do this action");
}
// if ($securityLevel == $account::SECLEVEL_USER) {
// $position = $this->servicePositionController->getPosition($account->accountId);
//
// if (!$originatorOrgRegNumber || $originatorOrgRegNumber != $position->orgId) {
// throw new \core\Exception\UnauthorizedException("You are not allowed to do this action");
// }
// }
// if ($securityLevel == $account::SECLEVEL_USER) {
// $position = $this->servicePositionController->getPosition($account->accountId);
// if (!$originatorOrgRegNumber || $originatorOrgRegNumber != $position->orgId) {
// throw new \core\Exception\UnauthorizedException("You are not allowed to do this action");
// }
// }
$replyMessage = new \stdClass();
$replyMessage->originatorOwnerOrgRegNumber = $originatorOwnerOrgRegNumber;
......@@ -360,8 +350,18 @@ class digitalSafe
$query = array();
$queryParams = array();
$queryParams['objectClass'] = 'recordsManagement/archive';
$query['objectClass'] = "objectClass = :objectClass";
$eventsToFind = "(eventType = 'organization/listing' OR " .
"eventType = 'organization/counting' OR " .
"eventType = 'organization/journal' OR " .
"eventType = 'recordsManagement/consultation' OR " .
"eventType = 'recordsManagement/deposit' OR " .
"eventType = 'recordsManagement/depositNewResource' OR " .
"eventType = 'recordsManagement/integrityCheck' OR " .
"eventType = 'recordsManagement/destruction' OR " .
"eventType = 'recordsManagement/elimination' OR " .
"eventType = 'recordsManagement/periodicIntegrityCheck')";
$query['eventType'] = $eventsToFind;
$queryParams['originatorOwnerOrgRegNumber'] = $originatorOwnerOrgRegNumber;
$query['originatorOwnerOrgRegNumber'] = "orgRegNumber = :originatorOwnerOrgRegNumber";
......@@ -417,8 +417,8 @@ class digitalSafe
$replyMessage->lifeCycleEvents = [];
foreach ($events as $i => $event) {
$event = $this->lifeCycleJournalController->decodeEventFormat($event);
$event->accountName = $this->account->accountName;
$event->eventInfo = $this->lifeCycleJournalController->getObjectEvents($event->objectId, $event->objectClass);
$replyMessage->lifeCycleEvents[] = $event;
}
} catch (\Exception $e) {
......@@ -458,6 +458,12 @@ class digitalSafe
$archiveId = null,
$hasLog = true
) {
$currentUserService = \laabs::getToken("ORGANIZATION");
$org = $this->organizationController->getOrgByRegNumber($originatorOrgRegNumber);
$positionAncestors = $this->organizationController->readParentOrg($this->organizationController->getOrgByRegNumber($originatorOrgRegNumber)->orgId);
$positionAncestors[] = $org;
$queryParts = array();
$queryParams = array();
......@@ -477,20 +483,11 @@ class digitalSafe
throw $this->getThrowable("The organization must not be a organization unit", 403, $replyMessage);
}
$userPositions = $this->userPositionController->listPositions($this->account->accountId);
$userPositions[] = $this->servicePositionController->getPosition($this->account->accountId);
$userPosition = $this->servicePositionController->getPosition($this->account->accountId);
$organizations = $this->organizationController->readDescendantServices($organization->orgId);
$userOrganisations = [];
foreach ($organizations as $organization) {
if (is_null($originatorOrgRegNumber)
|| $originatorOrgRegNumber == $organization->registrationNumber) {
foreach ($userPositions as $userPosition) {
if ($userPosition->orgId == $organization->orgId) {
$userOrganisations[] = $organization;
}
}
foreach ($positionAncestors as $orgUnit) {
if ($orgUnit->registrationNumber == $currentUserService->registrationNumber) {
$userOrganisations[] = $org;
}
}
......@@ -678,9 +675,9 @@ class digitalSafe
/**
* Prepare a throwable
* @param string The message
* @param int The code
* @param int The code
* @param mixed The contextual data
*
*
* @return \Exception
*/
protected function getThrowable($message, $code, $context = [])
......@@ -691,7 +688,7 @@ class digitalSafe
$exception->{$name} = $value;
}
$exception->operationResult = false;
return $exception;
}
}
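Review bot: In the hunk at `@@ -458,6 +458,12 @@`, the added lines call `getOrgByRegNumber($originatorOrgRegNumber)` and dereference `->orgId` before the retained `is_null($originatorOrgRegNumber)` test further down, so a null registration number that the existing filter still treats as acceptable now reaches the lookup first, and the same lookup is performed twice where `$org->orgId` would do. Suggest `$positionAncestors = $this->organizationController->readParentOrg($org->orgId);` and either guarding the lookup on a non-null `$originatorOrgRegNumber` or documenting that the parameter is now mandatory; the enclosing method's signature starts outside the hunk. In the `@@ -335,21 +320,26 @@` hunk the organization lookup and its 404 run before the `ownerOrgId` comparison, so a caller from another organization can learn whether a registration number exists; returning the same 403 on both paths avoids that, and the commented-out security-level block kept beneath it should be deleted rather than carried along. The `@@ -87,24 +87,8 @@` hunk appears to remove the per-resource hash verification from the deposit path; if that check now lives in `archiveController->receive`, a one-line comment saying so would stop the next reader from assuming integrity checking was dropped.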
......@@ -5,7 +5,7 @@
@include menu.ini
; Default max result in search screens
maxResults = 200
maxResults = 500
; Public archive mode
publicArchives = false
......@@ -108,6 +108,7 @@ stopWordsFilePath = "%laabsDirectory%/data/stopwords/stopwords_fr.txt"
[audit]
; Chain journal with timestamp file. The timestamp dependency must be configured.
chainWithTimestamp = false;
; timestampService = dependency/timestamp/plugins/TsaClient
[medona]
; Enable or disable the transaction mode
......@@ -128,7 +129,7 @@ useSecurityLevel = true
passwordEncryption = SHA256
; Admin user account name
adminUsers = "['superadmin']"
adminUsers = "['superadmin', 'ADMIN-G']"
; Allow the user to modify his or her information
allowUserModification = true
......@@ -182,9 +183,9 @@ blacklistUserStories = "[
; 'cookieName' Name of the cookie whose value is the csrf token
; 'tokenLenght' Token size
; 'lifeTime' Token validity in seconds (defaults 3600)
csrfWhiteList = "['user/login', 'user/password', 'user/prompt', 'user/logout']"
csrfWhiteList = "['user/login', 'user/password', 'user/prompt', 'user/logout', 'user/generateResetToken']"
csrfConfig = '{
"cookieName" : "CSRF",
"cookieName" : "Csrf",
"tokenLength" : 32
}'
......@@ -273,6 +274,8 @@ chainJournalByOrganization = false;
; Chain journal with timestamp file. The timestamp dependency must be configured.
chainWithTimestamp = false;
; timestampService = dependency/timestamp/plugins/TsaClient
[organization]
......@@ -338,6 +341,33 @@ Password = %password%
signatureFile = "%laabsDirectory%/data/maarchRM/droidSignatureFiles/DROID_SignatureFile_V94.xml"
containerSignatureFile = "%laabsDirectory%/data/maarchRM/droidSignatureFiles/container-signature-20180920.xml"
; Path to libreOffice executable
;libreOfficeExecutable = "c:\Program Files (x86)\LibreOffice 5\program\soffice"
libreOfficeExecutable = "/usr/bin/libreoffice"
; Conversion paths
conversionServices = "[
{
'serviceName' : 'dependency/fileSystem/plugins/libreOffice',
'softwareName' : 'LibreOffice',
'softwareVersion' : '5.4.2.0',
'inputFormats' : ['fmt/412', 'fmt/291', 'fmt/293'],
'outputFormats' : {
'fmt/95' : {
'extension' : 'pdf',
'filter' : 'writer_pdf_Export',
'options': 'SelectPdfVersion=1'
},
'fmt/18' : {
'extension' : 'pdf'
}
}
}
]"
; Path of zip executable (only for Windows)
;zipExecutable = "C:\Program Files\7-Zip\7z.exe"
[dependency.html]
headers = "['dashboard/head.html']"
layout = "dashboard/layout.html"
......@@ -455,3 +485,15 @@ datetimeFormat = "YYYY-MM-DD HH24:MI:SS,US"
; 2 = trace queries
; 3 = dump queries
trace = 1
[dependency.timestamp]
; The URL of the TSA provider
; Somme open and free TSA test services :
; tsaUrl=http://zeitstempel.dfn.de
; tsaUrl=http://timestamp.entrust.net/TSS/RFC3161sha2TS
; tsaUrl=http://time.certum.pl
; The path to openssl, if not in PHP path
; pathToOpenSSL="C:\Program Files\OpenSSL-Win64\bin\openssl"
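Review bot: `csrfWhiteList` now exempts `user/generateResetToken` from CSRF validation and nothing in the file records why; if that route only serves an unauthenticated reset request the exemption is harmless, but if it can be invoked inside an authenticated session it becomes a state-changing action reachable without a token. After confirming which case applies, add a comment above the line such as `; user/generateResetToken is whitelisted because it is reached before any session exists; keep it unauthenticated and rate-limited`. Separately, the renamed `"cookieName" : "Csrf"` changes the cookie name any deployed front-end or proxy rule may reference as `CSRF`, and the CHANGELOG in this commit does not mention it; a line there would help operators upgrading.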
......@@ -22,6 +22,8 @@ privileges = "{
],
'2' : [
'journal/audit',
'journal/lifeCycleJournal',
'journal/searchLogArchive',
'adminArchive/*',
'adminTech/adminEventFormat',
'adminTech/adminFormat',
......@@ -45,7 +47,8 @@ privileges = "{
'adminFunc/adminOrganization',
'adminFunc/adminUseraccount',
'adminFunc/adminServiceaccount',
'adminFunc/adminAuthorization'
'adminFunc/adminAuthorization',
'adminFunc/batchScheduling'
]
}"
......
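Review bot: The `'2'` privilege list gains `journal/lifeCycleJournal` and `journal/searchLogArchive`, which widens what that security level can read from the journals, and the second hunk adds `adminFunc/batchScheduling`; neither grant carries a comment explaining it. A one-line comment beside each, e.g. `; 2.6.1: functional administrators may consult life-cycle events (see CHANGELOG)`, keeps the privilege matrix auditable. Which level the `batchScheduling` grant lands in is not visible in the hunk; the CHANGELOG says general administrators, which should be confirmed against the enclosing key.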
......@@ -30,9 +30,11 @@
SetEnv LAABS_APP digitalSafe
SetEnv LAABS_BUNDLES digitalSafe;audit;auth;batchProcessing;contact;digitalResource;digitalSafe;lifeCycle;medona;mades;organization;recordsManagement;filePlan
SetEnv LAABS_EXTENSIONS digitalSafe
SetEnv LAABS_DEPENDENCIES repository;xml;html;localisation;datasource;sdo;json;fileSystem;notification;PDF;csrf;csv
SetEnv LAABS_DEPENDENCIES repository;xml;html;localisation;datasource;sdo;json;fileSystem;notification;PDF;csrf;csv;timestamp
SetEnv LAABS_PRESENTATION maarchRM
SetEnv SERVICE_CLIENT_TOKEN service
SetEnv LAABS_SESSION_START Off
#SetEnv LAABS_SECURE_COOKIE On
SetEnv LAABS_CONFIGURATION "../src/ext/digitalSafe/data/conf/configuration.ini"
SetEnv LAABS_LOG "../data/maarchRM/log.txt"
......
-- AUTH
-- AUTH USER
INSERT INTO auth.account ("accountId", "accountName", "displayName", "accountType", "emailAddress", enabled, password, "passwordChangeRequired", "passwordLastChange", locked, "lockDate", "badPasswordCount", "lastLogin", "lastIp", "replacingUserAccountId", "firstName", "lastName", title, salt, "tokenDate", authentication, preferences, "ownerOrgId", "isAdmin") VALUES
('maarchrmds_5jmpnhp7q-0000-pf4vjt', 'superadmin', 'super admin', 'user', 'support@maarch.fr', true, '186cf774c97b60a1c106ef718d10970a6a06e06bef89553d9ae65d938a886eae', false, NULL, false, NULL, 0, NULL, NULL, NULL, 'Admin', 'Super', 'M.', NULL, NULL, NULL, NULL, NULL, true);
-- AUTH SERVICE
INSERT INTO "auth"."account" ("accountId","accountName","displayName","accountType","emailAddress","enabled","password","passwordChangeRequired","passwordLastChange","locked","lockDate","badPasswordCount","lastLogin","lastIp","replacingUserAccountId","firstName","lastName","title","salt","tokenDate","authentication","preferences","ownerOrgId","isAdmin") VALUES
('maarchrmds_5jmpnt8go-0000-s791qn', 'ADMIN-G', 'ADMIN-G', 'service', '', true, 'phdF9WkJuTKkDuPXoqDZuPs4jdJfIZgYNAOiaya9vYxcKibaHOiJ1ZQ5f27UftAUh+ymwIbKpgJuRpUj1mg+1ndLFxFM4s9g0p+U20vcHhoeXvzoQ/jZq8ae/eX+G5lbewHr2CBuHzA7xCKWm8XGaNDfqwp5+aj/', true, NULL, false, NULL, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, true);
-- ROLE
INSERT INTO "auth"."role"("roleId", "roleName", "description", "securityLevel", "enabled") VALUES
('maarchrmds_5jmpnhp7q-0000-pf4vww', 'Administrateur Général', 'Groupe administrateur général', 'gen_admin', true),
......@@ -11,7 +15,7 @@ INSERT INTO "auth"."role"("roleId", "roleName", "description", "securityLevel",
INSERT INTO "auth"."roleMember"("roleId", "userAccountId") VALUES
('maarchrmds_5jmpnhp7q-0000-pf4vww', 'maarchrmds_5jmpnhp7q-0000-pf4vjt');
-- privilege
-- user privileges
INSERT INTO "auth"."privilege"("roleId", "userStory") VALUES
('maarchrmds_5jmpnhp7q-0000-pf4vww', 'adminTech/*'),
('maarchrmds_5jmpnhp7q-0000-pf4vww', 'adminFunc/adminOrganization'),
......@@ -26,6 +30,21 @@ INSERT INTO "auth"."privilege"("roleId", "userStory") VALUES
('maarchrmds_5jmpnhp7q-0000-pf4ttt', 'adminFunc/adminServiceaccount'),
('maarchrmds_5jmpnhp7q-0000-pf4ttt', 'adminFunc/adminOrgUser');
--service privileges
INSERT INTO "auth"."servicePrivilege" ("accountId","serviceURI") VALUES
('maarchrmds_5jmpnt8go-0000-s791qn', 'organization/organization/create'),
('maarchrmds_5jmpnt8go-0000-s791qn', 'organization/organization/index'),
('maarchrmds_5jmpnt8go-0000-s791qn', 'organization/organization/update_orgId_'),
('maarchrmds_5jmpnt8go-0000-s791qn', 'auth/userAccount/create'),
('maarchrmds_5jmpnt8go-0000-s791qn', 'auth/userAccount/updateEnable_userAccountId_'),
('maarchrmds_5jmpnt8go-0000-s791qn', 'auth/userAccount/updateDisable_userAccountId_'),
('maarchrmds_5jmpnt8go-0000-s791qn', 'auth/serviceAccount/create'),
('maarchrmds_5jmpnt8go-0000-s791qn', 'auth/serviceAccount/update'),
('maarchrmds_5jmpnt8go-0000-s791qn', 'auth/serviceAccount/updateEnable_serviceAccountId_'),
('maarchrmds_5jmpnt8go-0000-s791qn', 'auth/serviceAccount/updateDisable_serviceAccountId_'),
('maarchrmds_5jmpnt8go-0000-s791qn', 'auth/serviceAccount/updateServicetoken_serviceAccountId_')
;
-- LIFECYCLE
INSERT INTO "lifeCycle"."eventFormat" (type, format, message, notification) VALUES
('recordsManagement/archivalProfileModification', 'archivalProfileReference', 'Modification du profil %6$s.', false),
......
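Review bot: The new `ADMIN-G` row seeds a service account with `"isAdmin"` set to `true` and a fixed `password` value committed to the repository, so every installation built from this minimal data set starts with the same credential material; the other data file in this commit seeds the same `accountId` with a different value, so the two fixtures are already out of step. A comment above the INSERT, `-- ADMIN-G credential is a bootstrap placeholder: rotate it via auth/serviceAccount/updateServicetoken before exposing the instance`, makes the expectation explicit, and the deployment documentation should say the same. The file also mixes `INSERT INTO auth.account` with `INSERT INTO "auth"."account"` for the same table; pick one quoting style.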
......@@ -11,7 +11,7 @@ INSERT INTO "auth"."account" ("accountId","accountName","displayName","accountTy
('maarchrmds_5jmpnqfv9-0000-leb5cl', 'ADMIN-F-coffre-A', 'ADMIN-F-coffre-A', 'service', '', true, 'RJpzB36bmR+iuz/aHN9Zl9PDn8tZEtwb8PHWeRdfdZbZhWnoyiAnHYBhbXWFQ1k4jUfv1vXUmsiuYBfKM0LjuQvqukZbgs7rgseOzrBOnXwqAUerHOXVlbKeqrZw8wCNaLM=', true, NULL, false, NULL, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'maarchrmds_5jmx41bs6-0000-dlmg8h', true),
('maarchrmds_5jmpntc9y-0000-r8vwtw', 'ADMIN-F-coffre-B', 'ADMIN-F-coffre-B', 'service', '', true, 'RJpzB36bmR+iuz/aHN9Zl9PDn8tZEtwb8PHWeRdfdZbZhWnoyiMnHYBhbXWFQ1k43xOz0fHUzZv8OkTNMEy24gq+vBFd0p2z0M2DnLYYz3cqAUerHOXVlbKeqrZw8wCNaLM=', true, NULL, false, NULL, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'maarchrmds_5jmx41t30-0000-yr4m49', true),
('maarchrmds_5jmpnspb0-0000-sxzow6', 'ADMIN-F-maarch', 'ADMIN-F-maarch', 'service', '', true, 'RJpzB36bmR+iuz/aHN9Zl9PDn8tZEtwb8PHWeRdfe5jekXjlxU0nQsN+eDvLQwEvhEPu16fWnMyvbhWWOkKxvg7t6kZc1pvv08SCmuIR2jgkXg7xCfTXnbSWsbE9pxLK', true, NULL, false, NULL, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'maarchrmds_5jmx3s8zh-0000-kffw4z', true),
('maarchrmds_5jmpnt8go-0000-s791qn', 'ADMIN-G', 'ADMIN-G', 'service', '', true, 'RJpzB36bmR+iuz/aHN9Zl9PDn8tZEtwb8PHWeRZQOtvMgnf5xVsnB8d2byqTVFIq3RfhgPHWkM7/OEOXYErl6lvrv0NYgsuoyNiUmqtYkTdpCALmF7+fzL0=', true, NULL, false, NULL, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, true)
('maarchrmds_5jmpnt8go-0000-s791qn', 'ADMIN-G', 'ADMIN-G', 'service', '', true, 'RJpzB36bmR+iuz/aHN9Zl9PDn8tZEvA+3Mr7PCMfcorg1nHglw9xCcV9ISnBUVM3zxHvhLPci4bpKkPDd1m7+AK/7kJbgcu7g8LVneMRzXMwTF6+TvmSxPPGvOp+rBTWerPP/8mWNoxWVa56i/etEHT6', true, NULL, false, NULL, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, true)
;
INSERT INTO "auth"."account" ("accountId","accountName","displayName","accountType","emailAddress","enabled","password","passwordChangeRequired","passwordLastChange","locked","lockDate","badPasswordCount","lastLogin","lastIp","replacingUserAccountId","firstName","lastName","title","salt","tokenDate","authentication","preferences","ownerOrgId","isAdmin") VALUES
......@@ -83,6 +83,7 @@ INSERT INTO "auth"."servicePrivilege" ("accountId","serviceURI") VALUES
INSERT INTO "auth"."servicePrivilege" ("accountId","serviceURI") VALUES
('maarchrmds_5jmpnt8go-0000-s791qn', 'organization/organization/create'),
('maarchrmds_5jmpnt8go-0000-s791qn', 'organization/organization/index'),
('maarchrmds_5jmpnt8go-0000-s791qn', 'organization/organization/update_orgId_'),
('maarchrmds_5jmpnt8go-0000-s791qn', 'auth/userAccount/create'),
('maarchrmds_5jmpnt8go-0000-s791qn', 'auth/userAccount/updateEnable_userAccountId_'),
......@@ -90,7 +91,8 @@ INSERT INTO "auth"."servicePrivilege" ("accountId","serviceURI") VALUES
('maarchrmds_5jmpnt8go-0000-s791qn', 'auth/serviceAccount/create'),
('maarchrmds_5jmpnt8go-0000-s791qn', 'auth/serviceAccount/update'),
('maarchrmds_5jmpnt8go-0000-s791qn', 'auth/serviceAccount/updateEnable_serviceAccountId_'),
('maarchrmds_5jmpnt8go-0000-s791qn', 'auth/serviceAccount/updateDisable_serviceAccountId_')
('maarchrmds_5jmpnt8go-0000-s791qn', 'auth/serviceAccount/updateDisable_serviceAccountId_'),
('maarchrmds_5jmpnt8go-0000-s791qn', 'auth/serviceAccount/updateServicetoken_serviceAccountId_')
;
INSERT INTO "auth"."servicePrivilege" ("accountId","serviceURI") VALUES
......