Verified Commit d5fbee28 authored by Cyril Vazquez

Remove temporary fixes now included in Maarch RM 2.6.8

parent 2cbf8c22
# CHANGELOG
## Version 2.6.2
**Nécessite Maarch RM 2.6.8**
- `Changed` Suppression de la modification des vérification de droit dans la fonction de création d'un compte de service, incluse au socle
- `Changed` Suppression de la modification de la fonction vérifiant les droits, incluse au socle
## Version 2.6.1
- `Changed` Modification des vérification de droit dans la fonction de création d'un compte de service pour gain de performance
- `Changed` Modification de la fonction vérifiant les droits pour gain de performance
......
2.6.1
\ No newline at end of file
2.6.2
\ No newline at end of file
<?php
/*
* Copyright (C) 2015 Maarch
*
* This file is part of bundle auth.
*
* Bundle auth is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Bundle auth is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with bundle auth. If not, see <http://www.gnu.org/licenses/>.
*/
namespace ext\digitalSafe\bundle\auth\Controller;
/**
* serviceAccount controller
*
* @package Auth
* @author Alexandre Morin <alexandre.morin@maarch.org>
*/
class serviceAccount extends \bundle\auth\Controller\serviceAccount
{
/**
* Record a new service
* @param auth/account $serviceAccount The service object
* @param string $orgId The organization identifier
* @param array $servicesURI Array of service URI
*
* @return auth/account The service object
*/
public function addService($serviceAccount, $orgId, $servicesURI = [])
{
$this->userAccountController->isAuthorized(['gen_admin', 'func_admin']);
$organizationController = \laabs::newController("organization/organization");
$accountToken = \laabs::getToken('AUTH');
$account = $this->read($accountToken->accountId);
if (isset($orgId) && !empty($orgId)) {
try {
$organization = $organizationController->read($orgId);
} catch (\Exception $e) {
throw new \core\Exception\NotFoundException("Organization unit identified by " . $orgId . " does not exist.");
}
}
if ($this->hasSecurityLevel) {
if ($account->getSecurityLevel() == $account::SECLEVEL_FUNCADMIN && array_search($account->ownerOrgId, array_column($this->organizationController->readParentOrg($orgId), 'orgId')) === false){
throw new \core\Exception\ForbiddenException("You are not allowed to add user in this organization");
}
$this->checkPrivilegesAccess($account, $serviceAccount);
}
if (!$serviceAccount->ownerOrgId && !empty($orgId)) {
if(!empty($serviceAccount->ownerOrgId) && $serviceAccount->ownerOrgId != $organization->ownerOrgId) {
throw new \core\Exception\NotFoundException("Organization identified by " . $serviceAccount->ownerOrgId . " is not the owner organization of the organization identified by " . $orgId);
}
$serviceAccount->ownerOrgId = $organization->ownerOrgId;
}
if ($serviceAccount->ownerOrgId) {
try {
$organizationController->read($serviceAccount->ownerOrgId);
} catch (\Exception $e) {
throw new \core\Exception\NotFoundException("Organization identified by " . $serviceAccount->ownerOrgId . " does not exist.");
}
}
$serviceAccount = \laabs::cast($serviceAccount, 'auth/account');
$serviceAccount->accountId = \laabs::newId();
if ($this->sdoFactory->exists('auth/account', array('accountName' => $serviceAccount->accountName))) {
throw \laabs::newException("auth/serviceAlreadyExistException");
}
$transactionControl = !$this->sdoFactory->inTransaction();
if ($transactionControl) {
$this->sdoFactory->beginTransaction();
}
try {
$this->sdoFactory->create($serviceAccount, 'auth/account');
$this->createServicePrivilege($servicesURI, $serviceAccount->accountId);
if (!$serviceAccount->isAdmin) {
$this->organizationController->addServicePosition($orgId, $serviceAccount->accountId);
}
} catch (\Exception $exception) {
if ($transactionControl) {
$this->sdoFactory->rollback();
}
throw $exception;
}
if ($transactionControl) {
$this->sdoFactory->commit();
}
return $serviceAccount;
}
/**
* Generate a service account token
* @param string $serviceAccountId The service account identifier
*
* @return object The credential
*/
public function generateToken($serviceAccountId)
{
// Check userAccount exists
$currentDate = \laabs::newTimestamp();
try {
$serviceAccount = $this->sdoFactory->read('auth/account', array('accountId' => $serviceAccountId));
} catch (\Exception $e) {
throw new \core\Exception\NotFoundException("Account identified by " . $serviceAccountId . " does not exist.");
}
$accountToken = \laabs::getToken('AUTH');
$ownAccount = $this->read($accountToken->accountId);
if ($accountToken->accountId != $serviceAccountId && $this->hasSecurityLevel) {
$organization = $this->sdoFactory->read('organization/organization', $serviceAccount->ownerOrgId);
$organizations = $this->organizationController->readDescendantOrg($organization->orgId);
$organizations[] = $organization;
if (array_search($serviceAccount->ownerOrgId, array_column($organizations, 'orgId')) === false){
throw new \core\Exception\ForbiddenException("You are not allowed to modify this service account");
}
$this->checkPrivilegesAccess($ownAccount, $serviceAccount);
}
$serviceAccount->salt = md5(microtime());
$serviceAccount->tokenDate = $currentDate;
$dataToken = new \StdClass();
$dataToken->accountId = $serviceAccount->accountId;
$dataToken->salt = $serviceAccount->salt;
$token = new \core\token($dataToken, 0);
$jsonToken = \json_encode($token);
$cryptedToken = \laabs::encrypt($jsonToken, \laabs::getCryptKey());
$cookieToken = base64_encode($cryptedToken);
$serviceAccount->password = $cookieToken;
$this->sdoFactory->update($serviceAccount, 'auth/account');
return $cookieToken;
}
}
<?php
/*
* Copyright (C) 2015 Maarch
*
* This file is part of bundle recordsManagement.
*
* Bundle recordsManagement is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Bundle recordsManagement is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with bundle recordsManagement. If not, see <http://www.gnu.org/licenses/>.
*/
namespace ext\digitalSafe\bundle\recordsManagement\Controller;
/**
* Class for Records Management archives
*/
class archive extends \bundle\recordsManagement\Controller\archive
{
/**
* Check if the current user have the rights on an archive
*
* @param recordsManagement/archive $archive The archive object
* @throws
* @return boolean THe result of the operation
*/
public function checkRights($archive, $isCommunication = false)
{
$currentUserService = \laabs::getToken("ORGANIZATION");
$currentDate = \laabs::newDate();
if (!$currentUserService) {
return false;
}
$userPositionController = \laabs::newController('organization/userPosition');
$org = $this->organizationController->getOrgByRegNumber($archive->originatorOrgRegNumber);
$positionAncestors = $this->organizationController->readParentOrg($this->organizationController->getOrgByRegNumber($archive->originatorOrgRegNumber)->orgId);
$positionAncestors[] = $org;
$userServices[] = $currentUserService->registrationNumber;
// OWNER access
if (!is_null($currentUserService->orgRoleCodes)
&& \laabs\in_array('owner', $currentUserService->orgRoleCodes)) {
return true;
}
// ARCHIVER access
if (!is_null($currentUserService->orgRoleCodes)
&& \laabs\in_array('archiver', $currentUserService->orgRoleCodes)
&& $archive->archiverOrgRegNumber === $currentUserService->registrationNumber) {
return true;
}
// ORIGINATOR ACCESS
foreach ($positionAncestors as $orgUnit) {
if ($orgUnit->registrationNumber == $currentUserService->registrationNumber) {
return true;
}
}
// COMMUNICATION ACCESS
if (!is_null($archive->accessRuleComDate)
&& ($isCommunication)
&& ($archive->accessRuleComDate <= $currentDate)) {
return true;
}
// USER ACCESS
if (!empty($archive->userOrgRegNumbers)) {
foreach ($archive->userOrgRegNumbers as $userOrgRegNumber) {
if (\laabs\in_array($userOrgRegNumber, $userServices)) {
return true;
}
}
}
throw \laabs::newException('recordsManagement/accessDeniedException', "Permission denied");
}
}