Commit 64758123 authored by Arnaud Pauget's avatar Arnaud Pauget

Merge branch 'feat/18594_prevent_archive_access_from_owner' into 'develop'

Feat/18594 prevent archive access from owner

See merge request !710
parents aee098d4 53b96e65
Pipeline #16769 failed with stages
in 32 seconds
......@@ -46,6 +46,10 @@ css = "/presentation/css/style.css"
displayableFormat = "['application/pdf', 'image/jpeg', 'image/png', 'text/plain']"
[recordsManagement]
; Allow the owner org to have access to other org units archives
ownerIsSuperUser = false
; Profile directory for rng profile
profilesDirectory = "%laabsDirectory%/data/maarchRM/profiles"
refDirectory = "%laabsDirectory%/data/maarchRM/ref"
......
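Review bot: The comment above `ownerIsSuperUser` does not say what happens when the key is missing, and the PHP side of this commit falls back to `true` in that case. An instance whose configuration file predates this change will therefore keep giving the owner organization access to other org units' archives until an operator adds the key. I would spell that out in the comment, for example `; Allow the owner org to access other org units' archives (defaults to true when this key is absent; set to false to restrict)`.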
......@@ -921,11 +921,16 @@ trait archiveAccessTrait
$this->userPositionController->readDescandantService((string) $currentService->orgId)
);
$ownerIsSuperUser = true;
if (isset(\laabs::configuration("recordsManagement")['ownerIsSuperUser'])) {
$ownerIsSuperUser = (bool) \laabs::configuration("recordsManagement")['ownerIsSuperUser'];
}
foreach ($userServiceOrgRegNumbers as $userServiceOrgRegNumber) {
$userService = $this->organizationController->getOrgByRegNumber($userServiceOrgRegNumber);
// User orgUnit is owner
if (isset($userService->orgRoleCodes) && (strpos((string) $userService->orgRoleCodes, 'owner') !== false)) {
if (isset($userService->orgRoleCodes) && (strpos((string) $userService->orgRoleCodes, 'owner') !== false) && $ownerIsSuperUser) {
return true;
}
......@@ -1129,9 +1134,14 @@ trait archiveAccessTrait
$this->userPositionController->readDescandantService((string) $currentService->orgId)
);
$ownerIsSuperUser = true;
if (isset(\laabs::configuration("recordsManagement")['ownerIsSuperUser'])) {
$ownerIsSuperUser = (bool) \laabs::configuration("recordsManagement")['ownerIsSuperUser'];
}
foreach ($userServiceOrgRegNumbers as $userServiceOrgRegNumber) {
$userService = $this->organizationController->getOrgByRegNumber($userServiceOrgRegNumber);
if (isset($userService->orgRoleCodes) && $userService->orgRoleCodes->contains('owner')) {
if (isset($userService->orgRoleCodes) && $userService->orgRoleCodes->contains('owner') && $ownerIsSuperUser) {
return;
}
}
......@@ -1362,7 +1372,6 @@ trait archiveAccessTrait
if (!$currentUserService) {
return false;
}
$userPositionController = \laabs::newController('organization/userPosition');
$org = $this->organizationController->getOrgByRegNumber($archive->originatorOrgRegNumber);
$positionAncestors = $this->organizationController->readParentOrg($this->organizationController->getOrgByRegNumber($archive->originatorOrgRegNumber)->orgId);
......@@ -1370,9 +1379,16 @@ trait archiveAccessTrait
$userServices[] = $currentUserService->registrationNumber;
// OWNER access
$ownerIsSuperUser = true;
if (isset(\laabs::configuration("recordsManagement")['ownerIsSuperUser'])) {
$ownerIsSuperUser = (bool) \laabs::configuration("recordsManagement")['ownerIsSuperUser'];
}
if (
!is_null($currentUserService->orgRoleCodes)
&& \laabs\in_array('owner', $currentUserService->orgRoleCodes)
&& $ownerIsSuperUser
) {
return true;
}
......
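Review bot: The `(bool)` cast on the configuration value, repeated in the three new reads (the hunks at -921, -1129 and -1370), is only correct if the configuration loader already yields a real boolean or an empty string for `false`. The loader is not visible here, so this needs checking: if it returns the raw text, `(bool) "false"` evaluates to `true` and the restriction would silently not apply. The same four lines are also pasted three times in an access-control path whose owner tests already differ (`strpos`, `->contains`, `\laabs\in_array`), so a later change could update one copy and miss the others. A single private helper, sketched below, would keep the decision in one place; it preserves the current default of `true` for a missing key, which is fail-open and worth confirming as intended. The enclosing methods start and end outside the hunks.

```php
/**
 * Whether the owner organization may access archives of other org units.
 * Defaults to true when the key is absent, matching the behaviour before this setting existed.
 */
private function ownerIsSuperUser(): bool
{
    $conf = \laabs::configuration("recordsManagement");
    if (!isset($conf['ownerIsSuperUser'])) {
        return true;
    }

    // Accepts true/false, 1/0, "on"/"off", "yes"/"no"; anything unrecognised is treated as false.
    return filter_var($conf['ownerIsSuperUser'], FILTER_VALIDATE_BOOLEAN);
}

// … unchanged: descendant service lookup …
$ownerIsSuperUser = $this->ownerIsSuperUser();
// … unchanged: owner role test using $ownerIsSuperUser …
```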