diff --git a/INSTALL/INSTALL.md b/INSTALL/INSTALL.md
index f4cef5f..8a9c901 100644
--- a/INSTALL/INSTALL.md
+++ b/INSTALL/INSTALL.md
@@ -1,7 +1,9 @@ ## Requirements An Ubuntu server (18.04/20.04 should both work fine) - though other linux installations should work too. + - apache2 (or nginx), mysql/mariadb, sqlite need to be installed and running +- php version 8+ is required - php extensions for intl, mysql, sqlite3, mbstring, xml need to be installed and running - php extention for curl (not required but makes composer run a little faster) - composer
diff --git a/src/Controller/Component/CRUDComponent.php b/src/Controller/Component/CRUDComponent.php
index 1a1e733..14369ab 100644
--- a/src/Controller/Component/CRUDComponent.php
+++ b/src/Controller/Component/CRUDComponent.php
@@ -420,10 +420,16 @@ class CRUDComponent extends Component } $data = $this->Table->get($id, $params); + if (empty($data)) { + throw new NotFoundException(__('Invalid {0}.', $this->ObjectAlias)); + } $data = $this->attachMetaData($id, $data); if (isset($params['afterFind'])) { $data = $params['afterFind']($data); } + if (empty($data)) { + throw new NotFoundException(__('Invalid {0}.', $this->ObjectAlias)); + } if ($this->Controller->ParamHandler->isRest()) { $this->Controller->restResponsePayload = $this->RestResponse->viewData($data, 'json'); }
diff --git a/src/Controller/Open/IndividualsController.php b/src/Controller/Open/IndividualsController.php
index 28cd51d..79af257 100644
--- a/src/Controller/Open/IndividualsController.php
+++ b/src/Controller/Open/IndividualsController.php
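Review bot: The first `empty($data)` guard directly after `$this->Table->get($id, $params)` in CRUDComponent looks unreachable, because Cake's `Table::get()` throws `RecordNotFoundException` for a missing row rather than returning an empty value (assuming this is the stock ORM method), so only the second guard after `afterFind` carries the new behaviour. That second guard is what turns an `afterFind` callback returning `null` into a 404, which is the contract the SharingGroupsController change relies on for its per-organisation restriction, and nothing documents that contract. I would add above the `isset($params['afterFind'])` block: `// afterFind may return null to hide the record from the current user; it is reported as a 404 rather than a 403 so the record's existence is not leaked.` The enclosing `view()` method starts and ends outside the hunk, and whether `NotFoundException` is already imported in this file is not visible here.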
@@ -11,13 +11,17 @@ use Cake\Http\Exception\NotFoundException; use Cake\Http\Exception\MethodNotAllowedException; use Cake\Http\Exception\ForbiddenException; use Cake\Event\EventInterface; +use Cake\Core\Configure; class IndividualsController extends AppController { public function beforeFilter(EventInterface $event) { parent::beforeFilter($event); - $this->Authentication->allowUnauthenticated(['index']); + $open = Configure::read('Cerebrate.open'); + if (!empty($open) && in_array('individuals', $open)) { + $this->Authentication->allowUnauthenticated(['index']); + } } public function index()
diff --git a/src/Controller/Open/OrganisationsController.php b/src/Controller/Open/OrganisationsController.php
index ad22f42..facda8a 100644
--- a/src/Controller/Open/OrganisationsController.php
+++ b/src/Controller/Open/OrganisationsController.php
@@ -10,13 +10,17 @@ use Cake\Http\Exception\NotFoundException; use Cake\Http\Exception\MethodNotAllowedException; use Cake\Http\Exception\ForbiddenException; use Cake\Event\EventInterface; +use Cake\Core\Configure; class OrganisationsController extends AppController { public function beforeFilter(EventInterface $event) { parent::beforeFilter($event); - $this->Authentication->allowUnauthenticated(['index']); + $open = Configure::read('Cerebrate.open'); + if (!empty($open) && in_array('organisations', $open)) { + $this->Authentication->allowUnauthenticated(['index']); + } } public function index()
diff --git a/src/Controller/SharingGroupsController.php b/src/Controller/SharingGroupsController.php
index 764f0e6..aa96cb4 100644
--- a/src/Controller/SharingGroupsController.php
+++ b/src/Controller/SharingGroupsController.php
@@ -7,6 +7,7 @@ use Cake\Utility\Hash; use Cake\Utility\Text; use \Cake\Database\Expression\QueryExpression; use Cake\Error\Debugger; +use Cake\Http\Exception\NotFoundException; class SharingGroupsController extends AppController {
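Review bot: `in_array('individuals', $open)` in IndividualsController::beforeFilter is a loose comparison on a check that gates unauthenticated access, and the same pattern appears in OrganisationsController::beforeFilter in the next hunk; both should pass `true` as the third argument. `Configure::read('Cerebrate.open')` can also return a scalar if the setting is misconfigured, and `!empty($open)` lets that through to `in_array()`, which then raises a TypeError on PHP 8 instead of failing closed, so I would write `if (is_array($open) && in_array('individuals', $open, true)) {` (and `'organisations'` in the other controller). The new default when `Cerebrate.open` is unset is authenticated-only, which is the safe direction, but it is not documented anywhere visible; a comment such as `// Unauthenticated listing is opt-in per resource via the Cerebrate.open setting` above the `Configure::read()` call would make the intent clear to the next reader.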
@@ -54,8 +55,25 @@ class SharingGroupsController extends AppController public function view($id) { + $currentUser = $this->ACL->getUser(); $this->CRUD->view($id, [ - 'contain' => ['SharingGroupOrgs', 'Organisations', 'Users' => ['fields' => ['id', 'username']]] + 'contain' => ['SharingGroupOrgs', 'Organisations', 'Users' => ['fields' => ['id', 'username']]], + 'afterFind' => function($data) use ($currentUser) { + if (empty($currentUser['role']['perm_admin'])) { + $orgFround = false; + if (!empty($data['sharing_group_orgs'])) { + foreach ($data['sharing_group_orgs'] as $org) { + if ($org['id'] === $currentUser['organisation_id']) { + $orgFound = true; + } + } + } + if ($data['organisation_id'] !== $currentUser['organisation_id'] && !$orgFround) { + return null; + } + } + return $data; + } ]); $responsePayload = $this->CRUD->getResponsePayload(); if (!empty($responsePayload)) {
@@ -87,7 +105,11 @@ class SharingGroupsController extends AppController public function delete($id) { - $this->CRUD->delete($id); + $currentUser = $this->ACL->getUser(); + if (empty($currentUser['role']['perm_admin'])) { + $params['conditions'] = ['organisation_id' => $currentUser['organisation_id']]; + } + $this->CRUD->delete($id, $params); $responsePayload = $this->CRUD->getResponsePayload(); if (!empty($responsePayload)) { return $responsePayload;
@@ -97,9 +119,18 @@ class SharingGroupsController extends AppController public function addOrg($id) { + $currentUser = $this->ACL->getUser(); $sharingGroup = $this->SharingGroups->get($id, [ 'contain' => 'SharingGroupOrgs' ]); + if (empty($currentUser['role']['perm_admin'])) { + if ($sharingGroup['organisation_id'] !== $currentUser['organisation_id']) { + $sharingGroup = null; + } + } + if (empty($sharingGroup)) { + throw new NotFoundException(__('Invalid SharingGroup.')); + } $conditions = []; $containedOrgIds = array_values(\Cake\Utility\Hash::extract($sharingGroup, 'sharing_group_orgs.{n}.id')); if (!empty($containedOrgIds)) {
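Review bot: In the `afterFind` closure of `view()` the flag is initialised as `$orgFround = false`, set as `$orgFound = true` inside the loop, and then tested as `!$orgFround`, so the result of scanning `sharing_group_orgs` is never consulted and a user whose organisation is only a member of the sharing group (not its owner) always gets a 404. This fails closed, but it defeats the purpose of the membership loop. Rename both to the same name: `$orgFound = false;` and `if ($data['organisation_id'] !== $currentUser['organisation_id'] && !$orgFound) {`; a `break;` after setting the flag would also stop the loop early. The strict `===`/`!==` comparisons assume `organisation_id` has the same scalar type on the entity and on the user record, which is worth confirming since an int/string mismatch would also silently deny access. The `view()` method continues past the hunk.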
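Review bot: In `delete()`, `$params` is only assigned inside the `if (empty($currentUser['role']['perm_admin']))` branch, so for an admin caller `$this->CRUD->delete($id, $params)` reads an undefined variable (a warning, and `null` passed as the second argument). Initialise it before the branch: `$params = [];`. Whether `CRUDComponent::delete()` applies a `conditions` key is not visible in this diff; if it does not, the non-admin restriction here is a no-op, so that is worth checking against the component.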
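Review bot: The ownership check added to `addOrg()` (load the group, null it out when the caller is neither an admin nor from the owning organisation, then throw `NotFoundException`) is duplicated verbatim in `removeOrg()` in the next hunk, and `delete()` and `view()` express the same rule in two further forms. A private helper that loads the group and applies the rule once would keep these paths from drifting apart; both methods continue past their hunks, so only the replaced opening lines are shown below. Note that `SharingGroups->get()` throws `RecordNotFoundException` for an unknown id (assuming the stock ORM method), so `empty($sharingGroup)` only ever fires for the organisation mismatch, and the shared 404 message deliberately does not tell the two cases apart.
```php
    /**
     * Load a sharing group with its member organisations, or throw a 404 when it
     * does not exist or the current user is neither an admin nor a member of the
     * organisation that owns it (the two cases are intentionally indistinguishable).
     */
    private function getSharingGroupForCurrentUser($id)
    {
        $currentUser = $this->ACL->getUser();
        $sharingGroup = $this->SharingGroups->get($id, [
            'contain' => 'SharingGroupOrgs'
        ]);
        if (empty($currentUser['role']['perm_admin']) && $sharingGroup['organisation_id'] !== $currentUser['organisation_id']) {
            throw new NotFoundException(__('Invalid SharingGroup.'));
        }
        return $sharingGroup;
    }

    public function addOrg($id)
    {
        $sharingGroup = $this->getSharingGroupForCurrentUser($id);
        // … unchanged: $conditions / $containedOrgIds handling and the rest of addOrg …
```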
@@ -156,9 +187,18 @@ class SharingGroupsController extends AppController public function removeOrg($id, $org_id) { + $currentUser = $this->ACL->getUser(); $sharingGroup = $this->SharingGroups->get($id, [ 'contain' => 'SharingGroupOrgs' ]); + if (empty($currentUser['role']['perm_admin'])) { + if ($sharingGroup['organisation_id'] !== $currentUser['organisation_id']) { + $sharingGroup = null; + } + } + if (empty($sharingGroup)) { + throw new NotFoundException(__('Invalid SharingGroup.')); + } if ($this->request->is('post')) { $org = $this->SharingGroups->SharingGroupOrgs->get($org_id); $result = (bool)$this->SharingGroups->SharingGroupOrgs->unlink($sharingGroup, [$org]);
diff --git a/src/Controller/UserSettingsController.php b/src/Controller/UserSettingsController.php
index 02affce..7f9690a 100644
--- a/src/Controller/UserSettingsController.php
+++ b/src/Controller/UserSettingsController.php
@@ -36,9 +36,16 @@ class UserSettingsController extends AppController return $responsePayload; } if (!empty($this->request->getQuery('Users_id'))) { - $settingsForUser = $this->UserSettings->Users->find()->where([ + $conditions = [ 'id' => $this->request->getQuery('Users_id') - ])->first(); + ]; + if (empty($currentUser['role']['perm_admin'])) { + $conditions['organisation_id'] = $currentUser['organisation_id']; + } + $settingsForUser = $this->UserSettings->Users->find()->where($conditions)->first(); + if (empty($settingsForUser)) { + throw new NotFoundException(__('Invalid {0}.', __('user'))); + } $this->set('settingsForUser', $settingsForUser); } }
@@ -233,7 +240,7 @@ class UserSettingsController extends AppController } /** - * isLoggedUserAllowedToEdit + * isLoggedUserAllowedToEdit * * @param int|\App\Model\Entity\UserSetting $setting * @return boolean
diff --git a/templates/element/genericElements/Form/genericForm.php b/templates/element/genericElements/Form/genericForm.php
index 2e509ba..7d7552d 100644
--- a/templates/element/genericElements/Form/genericForm.php
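Review bot: The new `throw new NotFoundException(__('Invalid {0}.', __('user')))` in UserSettingsController relies on `Cake\Http\Exception\NotFoundException` being imported, but unlike the SharingGroupsController change this hunk adds no `use` line; if the file does not already import it, the name resolves to `App\Controller\NotFoundException` and the throw itself is a fatal error, so the import is worth confirming. `$currentUser` is read here but assigned outside the hunk, and the enclosing method starts before it, so I am assuming it is populated earlier in the method. The intent of the extra condition deserves a comment on the `$conditions['organisation_id']` line: `// non-admins may only view settings of users in their own organisation; anything else is reported as not found`.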
+++ b/templates/element/genericElements/Form/genericForm.php
@@ -106,7 +106,7 @@ '%s%s%s%s%s%s', empty($data['description']) ? '' : sprintf( '