chg: [acl] Move org index access to ACLComponent

2022-10-24 09:59:19 +02:00 · 2022-10-24 09:59:19 +02:00 · ecd3943e34
parent 2f63e89257
commit ecd3943e34
4 changed files with 10 additions and 6 deletions
--- a/app/Controller/Component/ACLComponent.php
+++ b/app/Controller/Component/ACLComponent.php
@ -468,7 +468,7 @@ class ACLComponent extends Component
                'fetchOrgsForSG' => array('perm_sharing_group'),
                'fetchSGOrgRow' => array('*'),
                'getUUIDs' => array('perm_sync'),
-                'index' => array('*'),
+                'index' => ['organisation_index'],
                'view' => array('*'),
            ),
            'pages' => array(
@ -854,6 +854,13 @@ class ACLComponent extends Component
        $this->dynamicChecks['not_read_only_authkey'] = function (array $user) {
            return !isset($user['authkey_read_only']) || !$user['authkey_read_only'];
        };
+        // If `Security.hide_organisation_index_from_users` is enabled, only user with sharing group permission can see org index
+        $this->dynamicChecks['organisation_index'] = function (array $user) {
+            if (Configure::read('Security.hide_organisation_index_from_users')) {
+                return $user['Role']['perm_sharing_group'];
+            }
+            return true;
+        };
    }

    /**
--- a/app/Controller/OrganisationsController.php
+++ b/app/Controller/OrganisationsController.php
@ -27,9 +27,6 @@ class OrganisationsController extends AppController

    public function index()
    {
-        if (!$this->Auth->user('Role')['perm_sharing_group'] && Configure::read('Security.hide_organisation_index_from_users')) {
-            throw new MethodNotAllowedException(__('This feature is disabled on this instance for normal users.'));
-        }
        $conditions = array();
        // We can either index all of the organisations existing on this instance (default)
        // or we can pass the 'external' keyword in the URL to look at the added external organisations
--- a/app/View/Elements/genericElements/SideMenu/side_menu.ctp
+++ b/app/View/Elements/genericElements/SideMenu/side_menu.ctp
@ -654,7 +654,7 @@ $divider = $this->element('/genericElements/SideMenu/side_menu_divider');
                        'url' => $baseurl . '/dashboards',
                        'text' => __('Dashboard')
                    ));
-                    if ($isAclSharingGroup || empty(Configure::read('Security.hide_organisation_index_from_users'))) {
+                    if ($this->Acl->canAccess('organisations', 'index')) {
                        echo $this->element('/genericElements/SideMenu/side_menu_link', array(
                            'element_id' => 'indexOrg',
                            'url' => $baseurl . '/organisations/index',
--- a/app/View/Elements/global_menu.ctp
+++ b/app/View/Elements/global_menu.ctp
@ -186,7 +186,7 @@
                    array(
                        'text' => __('Organisations'),
                        'url' => $baseurl . '/organisations/index',
-                        'requirement' => $isAclSharingGroup || empty(Configure::read('Security.hide_organisation_index_from_users'))
+                        'requirement' => $this->Acl->canAccess('organisations', 'index'),
                    ),
                    array(
                        'text' => __('Role Permissions'),