From 20ce2d7489a220f86203b592a5164819a09e89a8 Mon Sep 17 00:00:00 2001 From: Charlotte Bataille Date: Wed, 2 Mar 2022 16:33:23 +0100 Subject: [PATCH 1/3] feat/18594 : prevent owner from viewing other org archives --- .../Controller/archiveAccessTrait.php | 22 ++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/src/bundle/recordsManagement/Controller/archiveAccessTrait.php b/src/bundle/recordsManagement/Controller/archiveAccessTrait.php index 5943a5488..ec329933d 100755 --- a/src/bundle/recordsManagement/Controller/archiveAccessTrait.php +++ b/src/bundle/recordsManagement/Controller/archiveAccessTrait.php @@ -921,11 +921,16 @@ trait archiveAccessTrait $this->userPositionController->readDescandantService((string) $currentService->orgId) ); + $ownerIsSuperUser = false; + if (isset(\laabs::configuration("recordsManagement")['ownerIsSuperUser'])) { + $ownerIsSuperUser = (bool) \laabs::configuration("recordsManagement")['ownerIsSuperUser']; + } + foreach ($userServiceOrgRegNumbers as $userServiceOrgRegNumber) { $userService = $this->organizationController->getOrgByRegNumber($userServiceOrgRegNumber); // User orgUnit is owner - if (isset($userService->orgRoleCodes) && (strpos((string) $userService->orgRoleCodes, 'owner') !== false)) { + if (isset($userService->orgRoleCodes) && (strpos((string) $userService->orgRoleCodes, 'owner') !== false) && $ownerIsSuperUser) { return true; } 
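Review bot: The three-line read of `recordsManagement.ownerIsSuperUser` added before the `foreach` here is repeated verbatim in the hunks at 1134 and 1379, and `\laabs::configuration("recordsManagement")` is called twice at each site; a single private helper on the trait would keep the default and the cast in one place, with each site reduced to `$ownerIsSuperUser = $this->isOwnerSuperUser();` (sketched below). In the modified `if`, the flag is appended as the last operand, so the org-role string check still runs when the feature is off; writing `$ownerIsSuperUser &&` first short-circuits the rest, and the same ordering applies at the other two sites. The `(bool)` cast is only correct if the configuration loader already turns ini `true`/`false` into `1`/`""` — if the raw string `"false"` comes back, `(bool) "false"` is `true` — so that is worth confirming against the loader rather than assuming. The enclosing method begins before and ends after the hunk.
```php
    /**
     * Whether the owner org unit may access archives of other org units.
     * Read from recordsManagement.ownerIsSuperUser; a missing key means false.
     */
    private function isOwnerSuperUser(): bool
    {
        $conf = \laabs::configuration("recordsManagement");

        return isset($conf['ownerIsSuperUser']) && (bool) $conf['ownerIsSuperUser'];
    }

    // … unchanged: start of the method, up to the readDescandantService() call …
        $ownerIsSuperUser = $this->isOwnerSuperUser();

        foreach ($userServiceOrgRegNumbers as $userServiceOrgRegNumber) {
            // … unchanged: getOrgByRegNumber() lookup …
            if ($ownerIsSuperUser && isset($userService->orgRoleCodes) && (strpos((string) $userService->orgRoleCodes, 'owner') !== false)) {
                return true;
            }
```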
@@ -1129,9 +1134,14 @@ trait archiveAccessTrait $this->userPositionController->readDescandantService((string) $currentService->orgId) ); + $ownerIsSuperUser = false; + if (isset(\laabs::configuration("recordsManagement")['ownerIsSuperUser'])) { + $ownerIsSuperUser = (bool) \laabs::configuration("recordsManagement")['ownerIsSuperUser']; + } + foreach ($userServiceOrgRegNumbers as $userServiceOrgRegNumber) { $userService = $this->organizationController->getOrgByRegNumber($userServiceOrgRegNumber); - if (isset($userService->orgRoleCodes) && $userService->orgRoleCodes->contains('owner')) { + if (isset($userService->orgRoleCodes) && $userService->orgRoleCodes->contains('owner') && $ownerIsSuperUser) { return; } } @@ -1362,7 +1372,6 @@ trait archiveAccessTrait if (!$currentUserService) { return false; } - $userPositionController = \laabs::newController('organization/userPosition'); $org = $this->organizationController->getOrgByRegNumber($archive->originatorOrgRegNumber); $positionAncestors = $this->organizationController->readParentOrg($this->organizationController->getOrgByRegNumber($archive->originatorOrgRegNumber)->orgId); @@ -1370,9 +1379,16 @@ trait archiveAccessTrait $userServices[] = $currentUserService->registrationNumber; // OWNER access + $ownerIsSuperUser = false; + + if (isset(\laabs::configuration("recordsManagement")['ownerIsSuperUser'])) { + $ownerIsSuperUser = (bool) \laabs::configuration("recordsManagement")['ownerIsSuperUser']; + } + if ( !is_null($currentUserService->orgRoleCodes) && \laabs\in_array('owner', $currentUserService->orgRoleCodes) + && $ownerIsSuperUser ) { return true; } -- GitLab From e8207252cd61ef541c6a07491c3b91d0edbcf39c Mon Sep 17 00:00:00 2001 From: Charlotte Bataille Date: Wed, 2 Mar 2022 17:16:17 +0100 Subject: [PATCH 2/3] feat/18594 : fix default value conf ownerIsSuperUser --- data/maarchRM/conf/configuration.ini.default | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/data/maarchRM/conf/configuration.ini.default b/data/maarchRM/conf/configuration.ini.default index 96e56aac3..30d32b8f6 100755 --- a/data/maarchRM/conf/configuration.ini.default +++ b/data/maarchRM/conf/configuration.ini.default @@ -46,6 +46,10 @@ css = "/presentation/css/style.css" displayableFormat = "['application/pdf', 'image/jpeg', 'image/png', 'text/plain']" [recordsManagement] + +; Allow the owner org to have access to other org units archives +ownerIsSuperUser = true + ; Profile directory for rng profile profilesDirectory = "%laabsDirectory%/data/maarchRM/profiles" refDirectory = "%laabsDirectory%/data/maarchRM/ref" -- GitLab From 53b96e65751e64e4c3adf5e1a1e3ff6f3aa89afb Mon Sep 17 00:00:00 2001 From: Charlotte Bataille Date: Thu, 3 Mar 2022 10:41:06 +0100 Subject: [PATCH 3/3] feat/18594 : fix default value for ownerIsSuperUser --- data/maarchRM/conf/configuration.ini.default | 2 +- .../recordsManagement/Controller/archiveAccessTrait.php | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/data/maarchRM/conf/configuration.ini.default b/data/maarchRM/conf/configuration.ini.default index 30d32b8f6..109dacbf8 100755 --- a/data/maarchRM/conf/configuration.ini.default +++ b/data/maarchRM/conf/configuration.ini.default @@ -48,7 +48,7 @@ displayableFormat = "['application/pdf', 'image/jpeg', 'image/png', 'text/plain' [recordsManagement] ; Allow the owner org to have access to other org units archives -ownerIsSuperUser = true +ownerIsSuperUser = false ; Profile directory for rng profile profilesDirectory = "%laabsDirectory%/data/maarchRM/profiles" diff --git a/src/bundle/recordsManagement/Controller/archiveAccessTrait.php b/src/bundle/recordsManagement/Controller/archiveAccessTrait.php index ec329933d..ebcea7ba0 100755 --- a/src/bundle/recordsManagement/Controller/archiveAccessTrait.php +++ b/src/bundle/recordsManagement/Controller/archiveAccessTrait.php 
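Review bot: The comment on the new `ownerIsSuperUser` key does not say that the shipped default `false` is a behaviour change: before this series the owner org unit passed the archive access checks unconditionally (the removed conditions in patch 1), and the code in patch 3 falls back to `true` when the key is absent, so only installations that pick up the new default file become restricted. Suggest extending the comment to `; Allow the owner org unit to access archives of other org units. Default false; an installation whose configuration omits the key keeps the previous unrestricted behaviour, so set it explicitly.` so operators know the key must be present to get the restriction.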
@@ -921,7 +921,7 @@ trait archiveAccessTrait $this->userPositionController->readDescandantService((string) $currentService->orgId) ); - $ownerIsSuperUser = false; + $ownerIsSuperUser = true; if (isset(\laabs::configuration("recordsManagement")['ownerIsSuperUser'])) { $ownerIsSuperUser = (bool) \laabs::configuration("recordsManagement")['ownerIsSuperUser']; } @@ -1134,7 +1134,7 @@ trait archiveAccessTrait $this->userPositionController->readDescandantService((string) $currentService->orgId) ); - $ownerIsSuperUser = false; + $ownerIsSuperUser = true; if (isset(\laabs::configuration("recordsManagement")['ownerIsSuperUser'])) { $ownerIsSuperUser = (bool) \laabs::configuration("recordsManagement")['ownerIsSuperUser']; } @@ -1379,7 +1379,7 @@ trait archiveAccessTrait $userServices[] = $currentUserService->registrationNumber; // OWNER access - $ownerIsSuperUser = false; + $ownerIsSuperUser = true; if (isset(\laabs::configuration("recordsManagement")['ownerIsSuperUser'])) { $ownerIsSuperUser = (bool) \laabs::configuration("recordsManagement")['ownerIsSuperUser']; -- GitLab
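Review bot: The fallback `$ownerIsSuperUser = true;` makes the check fail open: when `recordsManagement.ownerIsSuperUser` is absent from the live configuration, the owner org unit keeps access to every org unit's archives, while the default file changed in the same commit ships `false`, so the code default and the shipped default disagree and an installation that never regenerated its configuration.ini is never restricted. Unless backward compatibility is the explicit intent, the safer fallback is `$ownerIsSuperUser = false;` here and in the hunks at 1134 and 1379, leaving the ini default as the single place the feature is switched on. If the `true` fallback is deliberate, a comment such as `// Missing key keeps the pre-18594 behaviour: owner may access all archives` beside each assignment would stop a later reader from "fixing" it. Each of the three enclosing methods begins before and ends after its hunk.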