Skip to content
GitLab
Verified Commit d5fbee28 authored by Cyril Vazquez's avatar Cyril Vazquez
Browse files

Remove temp fixes included to Maarch RM 2.6.8

parent 2cbf8c22
Hide whitespace changes
Inline Side-by-side
CHANGELOG.md
View file @ d5fbee28
# CHANGELOG
## Version 2.6.2
**Nécessite Maarch RM 2.6.8**
- `Changed` Suppression de la modification des vérification de droit dans la fonction de création d'un compte de service, incluse au socle
- `Changed` Suppression de la modification de la fonction vérifiant les droits, incluse au socle
## Version 2.6.1
- `Changed` Modification des vérification de droit dans la fonction de création d'un compte de service pour gain de performance
- `Changed` Modification de la fonction vérifiant les droits pour gain de performance
......
VERSION.md
View file @ d5fbee28
2.6.1
\ No newline at end of file
2.6.2
\ No newline at end of file
bundle/auth/Controller/serviceAccount.php deleted 100644 → 0
View file @ 2cbf8c22
<?php
/*
* Copyright (C) 2015 Maarch
*
* This file is part of bundle auth.
*
* Bundle auth is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Bundle auth is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with bundle auth. If not, see <http://www.gnu.org/licenses/>.
*/
namespace ext\digitalSafe\bundle\auth\Controller;
/**
* serviceAccount controller
*
* @package Auth
* @author Alexandre Morin <alexandre.morin@maarch.org>
*/
class serviceAccount extends \bundle\auth\Controller\serviceAccount
{
/**
* Record a new service
* @param auth/account $serviceAccount The service object
* @param string $orgId The organization identifier
* @param array $servicesURI Array of service URI
*
* @return auth/account The service object
*/
public function addService($serviceAccount, $orgId, $servicesURI = [])
{
$this->userAccountController->isAuthorized(['gen_admin', 'func_admin']);
$organizationController = \laabs::newController("organization/organization");
$accountToken = \laabs::getToken('AUTH');
$account = $this->read($accountToken->accountId);
if (isset($orgId) && !empty($orgId)) {
try {
$organization = $organizationController->read($orgId);
} catch (\Exception $e) {
throw new \core\Exception\NotFoundException("Organization unit identified by " . $orgId . " does not exist.");
}
}
if ($this->hasSecurityLevel) {
if ($account->getSecurityLevel() == $account::SECLEVEL_FUNCADMIN && array_search($account->ownerOrgId, array_column($this->organizationController->readParentOrg($orgId), 'orgId')) === false){
throw new \core\Exception\ForbiddenException("You are not allowed to add user in this organization");
}
$this->checkPrivilegesAccess($account, $serviceAccount);
}
if (!$serviceAccount->ownerOrgId && !empty($orgId)) {
if(!empty($serviceAccount->ownerOrgId) && $serviceAccount->ownerOrgId != $organization->ownerOrgId) {
throw new \core\Exception\NotFoundException("Organization identified by " . $serviceAccount->ownerOrgId . " is not the owner organization of the organization identified by " . $orgId);
}
$serviceAccount->ownerOrgId = $organization->ownerOrgId;
}
if ($serviceAccount->ownerOrgId) {
try {
$organizationController->read($serviceAccount->ownerOrgId);
} catch (\Exception $e) {
throw new \core\Exception\NotFoundException("Organization identified by " . $serviceAccount->ownerOrgId . " does not exist.");
}
}
$serviceAccount = \laabs::cast($serviceAccount, 'auth/account');
$serviceAccount->accountId = \laabs::newId();
if ($this->sdoFactory->exists('auth/account', array('accountName' => $serviceAccount->accountName))) {
throw \laabs::newException("auth/serviceAlreadyExistException");
}
$transactionControl = !$this->sdoFactory->inTransaction();
if ($transactionControl) {
$this->sdoFactory->beginTransaction();
}
try {
$this->sdoFactory->create($serviceAccount, 'auth/account');
$this->createServicePrivilege($servicesURI, $serviceAccount->accountId);
if (!$serviceAccount->isAdmin) {
$this->organizationController->addServicePosition($orgId, $serviceAccount->accountId);
}
} catch (\Exception $exception) {
if ($transactionControl) {
$this->sdoFactory->rollback();
}
throw $exception;
}
if ($transactionControl) {
$this->sdoFactory->commit();
}
return $serviceAccount;
}
/**
* Generate a service account token
* @param string $serviceAccountId The service account identifier
*
* @return object The credential
*/
public function generateToken($serviceAccountId)
{
// Check userAccount exists
$currentDate = \laabs::newTimestamp();
try {
$serviceAccount = $this->sdoFactory->read('auth/account', array('accountId' => $serviceAccountId));
} catch (\Exception $e) {
throw new \core\Exception\NotFoundException("Account identified by " . $serviceAccountId . " does not exist.");
}
$accountToken = \laabs::getToken('AUTH');
$ownAccount = $this->read($accountToken->accountId);
if ($accountToken->accountId != $serviceAccountId && $this->hasSecurityLevel) {
$organization = $this->sdoFactory->read('organization/organization', $serviceAccount->ownerOrgId);
$organizations = $this->organizationController->readDescendantOrg($organization->orgId);
$organizations[] = $organization;
if (array_search($serviceAccount->ownerOrgId, array_column($organizations, 'orgId')) === false){
throw new \core\Exception\ForbiddenException("You are not allowed to modify this service account");
}
$this->checkPrivilegesAccess($ownAccount, $serviceAccount);
}
$serviceAccount->salt = md5(microtime());
$serviceAccount->tokenDate = $currentDate;
$dataToken = new \StdClass();
$dataToken->accountId = $serviceAccount->accountId;
$dataToken->salt = $serviceAccount->salt;
$token = new \core\token($dataToken, 0);
$jsonToken = \json_encode($token);
$cryptedToken = \laabs::encrypt($jsonToken, \laabs::getCryptKey());
$cookieToken = base64_encode($cryptedToken);
$serviceAccount->password = $cookieToken;
$this->sdoFactory->update($serviceAccount, 'auth/account');
return $cookieToken;
}
}
bundle/recordsManagement/Controller/archive.php deleted 100644 → 0
View file @ 2cbf8c22
<?php
/*
* Copyright (C) 2015 Maarch
*
* This file is part of bundle recordsManagement.
*
* Bundle recordsManagement is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Bundle recordsManagement is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with bundle recordsManagement. If not, see <http://www.gnu.org/licenses/>.
*/
namespace ext\digitalSafe\bundle\recordsManagement\Controller;
/**
* Class for Records Management archives
*/
class archive extends \bundle\recordsManagement\Controller\archive
{
/**
* Check if the current user have the rights on an archive
*
* @param recordsManagement/archive $archive The archive object
* @throws
* @return boolean THe result of the operation
*/
public function checkRights($archive, $isCommunication = false)
{
$currentUserService = \laabs::getToken("ORGANIZATION");
$currentDate = \laabs::newDate();
if (!$currentUserService) {
return false;
}
$userPositionController = \laabs::newController('organization/userPosition');
$org = $this->organizationController->getOrgByRegNumber($archive->originatorOrgRegNumber);
$positionAncestors = $this->organizationController->readParentOrg($this->organizationController->getOrgByRegNumber($archive->originatorOrgRegNumber)->orgId);
$positionAncestors[] = $org;
$userServices[] = $currentUserService->registrationNumber;
// OWNER access
if (!is_null($currentUserService->orgRoleCodes)
&& \laabs\in_array('owner', $currentUserService->orgRoleCodes)) {
return true;
}
// ARCHIVER access
if (!is_null($currentUserService->orgRoleCodes)
&& \laabs\in_array('archiver', $currentUserService->orgRoleCodes)
&& $archive->archiverOrgRegNumber === $currentUserService->registrationNumber) {
return true;
}
// ORIGINATOR ACCESS
foreach ($positionAncestors as $orgUnit) {
if ($orgUnit->registrationNumber == $currentUserService->registrationNumber) {
return true;
}
}
// COMMUNICATION ACCESS
if (!is_null($archive->accessRuleComDate)
&& ($isCommunication)
&& ($archive->accessRuleComDate <= $currentDate)) {
return true;
}
// USER ACCESS
if (!empty($archive->userOrgRegNumbers)) {
foreach ($archive->userOrgRegNumbers as $userOrgRegNumber) {
if (\laabs\in_array($userOrgRegNumber, $userServices)) {
return true;
}
}
}
throw \laabs::newException('recordsManagement/accessDeniedException', "Permission denied");
}
}
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment