chg: [ACL] tightened ACL for several controllers

- org admins now have access to new functionalities, added ACL for them
- Affected controllers:
  - Authkeys, encryptionkeys, users, sharinggroups
- sets defaults/restricts access accordingly
iglocska 2021-11-24 01:32:05 +01:00
parent 0fe7f4f931
commit 22e4a90af0
4 changed files with 108 additions and 15 deletions


@ -16,15 +16,25 @@ class AuthKeysController extends AppController
{
public $filterFields = ['Users.username', 'authkey', 'comment', 'Users.id'];
public $quickFilterFields = ['authkey', ['comment' => true]];
public $containFields = ['Users'];
public $containFields = ['Users' => ['fields' => ['id', 'username']]];
public function index()
{
$currentUser = $this->ACL->getUser();
$conditions = [];
if (empty($currentUser['role']['perm_admin'])) {
$conditions['Users.organisation_id'] = $currentUser['organisation_id'];
if (empty($currentUser['role']['perm_org_admin'])) {
$conditions['Users.id'] = $currentUser['id'];
}
}
$this->CRUD->index([
'filters' => $this->filterFields,
'quickFilters' => $this->quickFilterFields,
'contain' => $this->containFields,
'exclude_fields' => ['authkey']
'exclude_fields' => ['authkey'],
'conditions' => $conditions,
'hidden' => []
]);
$responsePayload = $this->CRUD->getResponsePayload();
if (!empty($responsePayload)) {
@ -35,7 +45,15 @@ class AuthKeysController extends AppController
public function delete($id)
{
$this->CRUD->delete($id);
$currentUser = $this->ACL->getUser();
$conditions = [];
if (empty($currentUser['role']['perm_admin'])) {
$conditions['Users.organisation_id'] = $currentUser['organisation_id'];
if (empty($currentUser['role']['perm_org_admin'])) {
$conditions['Users.id'] = $currentUser['id'];
}
}
$this->CRUD->delete($id, ['conditions' => $conditions, 'contain' => 'Users']);
$responsePayload = $this->CRUD->getResponsePayload();
if (!empty($responsePayload)) {
return $responsePayload;
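Review bot: The scoping block (perm_admin → whole instance, perm_org_admin → own organisation, otherwise own user id) is now copied verbatim into index() and delete(), and any future drift between the two copies silently makes what a non-admin can delete differ from what they can list. Factor it into one private helper and call it from both actions (and from whatever add/view/edit actions this controller has, which are not part of this commit), so the rule exists in exactly one place. delete() also hard-codes `'contain' => 'Users'` where index() uses `$this->containFields`; a shared helper makes that consistent as well. The user structure is accessed as an array here, so the helper below leaves `$user` untyped — confirm whether it is an array or an entity before adding a type.
```php
// Conditions restricting AuthKeys to what $user may see or act on:
// site admins: no restriction; org admins: their organisation; others: themselves only.
private function authkeyScope($user): array
{
    if (!empty($user['role']['perm_admin'])) {
        return [];
    }
    $conditions = ['Users.organisation_id' => $user['organisation_id']];
    if (empty($user['role']['perm_org_admin'])) {
        $conditions['Users.id'] = $user['id'];
    }
    return $conditions;
}
// … in index() and delete(): $conditions = $this->authkeyScope($this->ACL->getUser());
```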


@ -49,7 +49,31 @@ class EncryptionKeysController extends AppController
public function add()
{
$this->CRUD->add(['redirect' => $this->referer()]);
$orgConditions = [];
$currentUser = $this->ACL->getUser();
$params = ['redirect' => $this->referer()];
if (empty($currentUser['role']['perm_admin'])) {
$params['beforeSave'] = function($entity) {
if ($entity['owner_model'] === 'organisation') {
$entity['owner_id'] = $currentUser['organisation_id'];
} else {
if ($currentUser['role']['perm_org_admin']) {
$validIndividuals = $this->Organisations->Alignments->find('list', [
'fields' => ['distinct(individual_id)'],
'conditions' => ['organisation_id' => $currentUser['organisation_id']]
]);
if (!in_array($entity['owner_id'], $validIndividuals)) {
throw new MethodNotAllowedException(__('Selected individual cannot be linked by the current user.'));
}
} else {
if ($entity['owner_id'] !== $currentUser['id']) {
throw new MethodNotAllowedException(__('Selected individual cannot be linked by the current user.'));
}
}
}
};
}
$this->CRUD->add($params);
$responsePayload = $this->CRUD->getResponsePayload();
if (!empty($responsePayload)) {
return $responsePayload;
@ -58,7 +82,8 @@ class EncryptionKeysController extends AppController
$this->loadModel('Individuals');
$dropdownData = [
'organisation' => $this->Organisations->find('list', [
'sort' => ['name' => 'asc']
'sort' => ['name' => 'asc'],
'conditions' => $orgConditions
]),
'individual' => $this->Individuals->find('list', [
'sort' => ['email' => 'asc']
@ -70,12 +95,19 @@ class EncryptionKeysController extends AppController
public function edit($id = false)
{
$conditions = [];
$currentUser = $this->ACL->getUser();
$params = [
'fields' => [
'type', 'encryption_key', 'revoked'
],
'redirect' => $this->referer()
];
if (empty($currentUser['role']['perm_admin'])) {
if (empty($currentUser['role']['perm_org_admin'])) {
}
}
$this->CRUD->edit($id, $params);
$responsePayload = $this->CRUD->getResponsePayload();
if (!empty($responsePayload)) {
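Review bot: The beforeSave closure in add() reads `$currentUser` but never captures it — `$params['beforeSave'] = function($entity) {` has no `use` clause, so inside the closure the variable is undefined (null): the organisation branch then writes `owner_id = null`, and the individual branch ends up comparing against `null['id']`, which is not the ownership check the commit intends; UsersController::add() in this same commit does it correctly, so change the line to `$params['beforeSave'] = function($entity) use ($currentUser) {`. Two more issues in the same hunk: `in_array()` is applied to the result of `find('list')`, which in this framework is a query object unless `->toArray()` is called, and the membership test should be strict (`in_array(..., true)`); and the non-org-admin branch compares an individual `owner_id` with `$currentUser['id']`, which is a user id — if users reference individuals via an `individual_id` (as the `Users->Individuals` association used elsewhere in this commit suggests), that is the field to compare. Finally, the nested ifs added to edit() are empty, so `$params` carries no conditions and a non-admin can still edit any encryption key by id; either scope edit() the same way as add() or drop the dead branches rather than leaving a guard that looks implemented but is not.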


@ -16,10 +16,16 @@ class SharingGroupsController extends AppController
public function index()
{
$currentUser = $this->ACL->getUser();
$conditions = [];
if (empty($currentUser['role']['perm_admin'])) {
$conditions['SharingGroups.organisation_id'] = $currentUser['organisation_id'];
}
$this->CRUD->index([
'contain' => $this->containFields,
'filters' => $this->filterFields,
'quickFilters' => $this->quickFilterFields
'quickFilters' => $this->quickFilterFields,
'conditions' => $conditions
]);
$responsePayload = $this->CRUD->getResponsePayload();
if (!empty($responsePayload)) {
@ -60,7 +66,12 @@ class SharingGroupsController extends AppController
public function edit($id = false)
{
$this->CRUD->edit($id);
$params = [];
$currentUser = $this->ACL->getUser();
if (empty($currentUser['role']['perm_admin'])) {
$params['conditions'] = ['organisation_id' => $currentUser['organisation_id']];
}
$this->CRUD->edit($id, $params);
$responsePayload = $this->CRUD->getResponsePayload();
if (!empty($responsePayload)) {
return $responsePayload;
@ -206,11 +217,11 @@ class SharingGroupsController extends AppController
$organisations = [];
if (!empty($user['role']['perm_admin'])) {
$organisations = $this->SharingGroups->Organisations->find('list')->order(['name' => 'ASC'])->toArray();
} else if (!empty($user['individual']['organisations'])) {
} else {
$organisations = $this->SharingGroups->Organisations->find('list', [
'sort' => ['name' => 'asc'],
'conditions' => [
'id IN' => array_values(\Cake\Utility\Hash::extract($user, 'individual.organisations.{n}.id'))
'id' => $user['organisation_id']
]
]);
}
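Review bot: edit() now restricts non-site-admins to sharing groups of their own organisation, but unlike AuthKeysController in this same commit it draws no line between org admins and ordinary members, so every user of an organisation can modify all of its sharing groups; if that is not intended, gate the action with `if (empty($currentUser['role']['perm_admin']) && empty($currentUser['role']['perm_org_admin'])) { throw new MethodNotAllowedException(__('Only organisation admins may edit sharing groups.')); }` (using whichever exception class this file already imports). The condition key is also the bare `organisation_id`, whereas index() uses the qualified `SharingGroups.organisation_id`; if CRUD->edit contains any association that also has an organisation_id column the unqualified name becomes ambiguous, so qualify it to match index(). Only index() and edit() are touched here — whether view/delete are scoped the same way is not visible in this commit and should be checked.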


@ -11,16 +11,22 @@ use Cake\Core\Configure;
class UsersController extends AppController
{
public $filterFields = ['Individuals.uuid', 'username', 'Individuals.email', 'Individuals.first_name', 'Individuals.last_name'];
public $filterFields = ['Individuals.uuid', 'username', 'Individuals.email', 'Individuals.first_name', 'Individuals.last_name', 'Organisations.name'];
public $quickFilterFields = ['Individuals.uuid', ['username' => true], ['Individuals.first_name' => true], ['Individuals.last_name' => true], 'Individuals.email'];
public $containFields = ['Individuals', 'Roles', 'UserSettings'];
public $containFields = ['Individuals', 'Roles', 'UserSettings', 'Organisations'];
public function index()
{
$currentUser = $this->ACL->getUser();
$conditions = [];
if (empty($currentUser['role']['perm_admin'])) {
$conditions['organisation_id'] = $currentUser['organisation_id'];
}
$this->CRUD->index([
'contain' => $this->containFields,
'filters' => $this->filterFields,
'quickFilters' => $this->quickFilterFields,
'conditions' => $conditions
]);
$responsePayload = $this->CRUD->getResponsePayload();
if (!empty($responsePayload)) {
@ -31,8 +37,12 @@ class UsersController extends AppController
public function add()
{
$currentUser = $this->ACL->getUser();
$this->CRUD->add([
'beforeSave' => function($data) {
'beforeSave' => function($data) use ($currentUser) {
if (!$currentUser['role']['perm_admin']) {
$data['organisation_id'] = $currentUser['organisation_id'];
}
$this->Users->enrollUserRouter($data);
return $data;
}
@ -41,12 +51,28 @@ class UsersController extends AppController
if (!empty($responsePayload)) {
return $responsePayload;
}
/*
$alignments = $this->Users->Individuals->Alignments->find('list', [
//'keyField' => 'id',
'valueField' => 'organisation_id',
'groupField' => 'individual_id'
])->toArray();
$alignments = array_map(function($value) { return array_values($value); }, $alignments);
*/
$org_conditions = [];
if (empty($currentUser['role']['perm_admin'])) {
$org_conditions = ['id' => $currentUser['organisation_id']];
}
$dropdownData = [
'role' => $this->Users->Roles->find('list', [
'sort' => ['name' => 'asc']
]),
'individual' => $this->Users->Individuals->find('list', [
'sort' => ['email' => 'asc']
]),
'organisation' => $this->Users->Organisations->find('list', [
'sort' => ['name' => 'asc'],
'conditions' => $org_conditions
])
];
$this->set(compact('dropdownData'));
@ -59,7 +85,7 @@ class UsersController extends AppController
$id = $this->ACL->getUser()['id'];
}
$this->CRUD->view($id, [
'contain' => ['Individuals' => ['Alignments' => 'Organisations'], 'Roles']
'contain' => ['Individuals' => ['Alignments' => 'Organisations'], 'Roles', 'Organisations']
]);
$responsePayload = $this->CRUD->getResponsePayload();
if (!empty($responsePayload)) {
@ -70,9 +96,11 @@ class UsersController extends AppController
public function edit($id = false)
{
if (empty($id) || empty($this->ACL->getUser()['role']['perm_admin'])) {
$id = $this->ACL->getUser()['id'];
$currentUser = $this->ACL->getUser();
if (empty($id) || (empty($currentUser['role']['perm_org_admin']) && empty($currentUser['role']['perm_site_admin']))) {
$id = $currentUser['id'];
}
$params = [
'get' => [
'fields' => [
@ -88,6 +116,7 @@ class UsersController extends AppController
];
if (!empty($this->ACL->getUser()['role']['perm_admin'])) {
$params['fields'][] = 'role_id';
$params['fields'][] = 'organisation_id';
}
$this->CRUD->edit($id, $params);
$responsePayload = $this->CRUD->getResponsePayload();
@ -100,6 +129,9 @@ class UsersController extends AppController
]),
'individual' => $this->Users->Individuals->find('list', [
'sort' => ['email' => 'asc']
]),
'organisation' => $this->Users->Organisations->find('list', [
'sort' => ['name' => 'asc']
])
];
$this->set(compact('dropdownData'));
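Review bot: add() pins organisation_id for non-site-admins but leaves role_id entirely to the submitted form, and the 'role' dropdown lists every role unconditionally, so an org admin can create a user in their own organisation with a role that carries perm_admin — a direct privilege escalation. edit() already guards this by appending role_id to `$params['fields']` only for perm_admin; add() needs the equivalent inside the non-admin branch of beforeSave, e.g. `$role = $this->Users->Roles->get($data['role_id']);` followed by `if (!empty($role['perm_admin'])) { throw new MethodNotAllowedException(__('Cannot assign a site-admin role.')); }` (with whichever exception class this file already imports), plus `'conditions' => ['perm_admin' => 0]` on the role dropdown for non-admins. Separately, the new edit() guard tests `perm_site_admin`, while every other check in this commit — including the `perm_admin` test a few lines below it — uses `perm_admin`; unless the role really carries both flags, a site admin without perm_org_admin is forced back to editing only their own account. Nothing visible in the edit() hunk scopes `$id` to the org admin's organisation either — the rest of `$params` lies outside the hunk, so confirm it contains a conditions entry, otherwise an org admin can edit users of other organisations by id.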