cerebrate-project
/
cerebrate
mirror of https://github.com/cerebrate-project/cerebrate
1
0
Fork 0
Code Issues Releases Wiki Activity

fix: [users] role based action filtering added 

- to avoid annoying clickable, but blocked actions for og admins
pull/92/head
iglocska 2022-01-25 11:34:22 +01:00
parent 932a28288d
commit 57e2c75352
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
2 changed files with 88 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
src/Controller/UsersController.php
View File

@ -33,16 +33,28 @@ class UsersController extends AppController
if (!empty($responsePayload)) {
return $responsePayload;
}
$this->set(
'validRoles',
$this->Users->Roles->find('list')->select(['id', 'name'])->order(['name' => 'asc'])->where(['perm_admin' => 0])->all()->toArray()
);
$this->set('metaGroup', $this->isAdmin ? 'Administration' : 'Cerebrate');
}
public function add()
{
$currentUser = $this->ACL->getUser();
$validRoles = [];
if (!$currentUser['role']['perm_admin']) {
$validRoles = $this->Users->Roles->find('list')->order(['name' => 'asc'])->all()->toArray();
}
$this->CRUD->add([
'beforeSave' => function($data) use ($currentUser) {
'beforeSave' => function($data) use ($currentUser, $validRoles) {
if (!$currentUser['role']['perm_admin']) {
$data['organisation_id'] = $currentUser['organisation_id'];
if (!in_array($data['role_id'], array_keys($validRoles))) {
throw new MethodNotAllowedException(__('You do not have permission to assign that role.'));
}
}
$this->Users->enrollUserRouter($data);
return $data;
@ -65,9 +77,7 @@ class UsersController extends AppController
$org_conditions = ['id' => $currentUser['organisation_id']];
}
$dropdownData = [
'role' => $this->Users->Roles->find('list', [
'sort' => ['name' => 'asc']
]),
'role' => $validRoles,
'individual' => $this->Users->Individuals->find('list', [
'sort' => ['email' => 'asc']
]),
@ -98,6 +108,10 @@ class UsersController extends AppController
public function edit($id = false)
{
$currentUser = $this->ACL->getUser();
$validRoles = [];
if (!$currentUser['role']['perm_admin']) {
$validRoles = $this->Users->Roles->find('list')->select(['id', 'name'])->order(['name' => 'asc'])->where(['perm_admin' => 0])->all()->toArray();
}
if (empty($id)) {
$id = $currentUser['id'];
} else {
@ -128,6 +142,20 @@ class UsersController extends AppController
$params['fields'][] = 'role_id';
$params['fields'][] = 'organisation_id';
$params['fields'][] = 'disabled';
} else if (!empty($this->ACL->getUser()['role']['perm_org_admin'])) {
$params['fields'][] = 'username';
$params['fields'][] = 'role_id';
$params['fields'][] = 'disabled';
if (!$currentUser['role']['perm_admin']) {
$params['afterFind'] = function ($data, &$params) use ($currentUser, $validRoles) {
if (!$currentUser['role']['perm_admin'] && $currentUser['role']['perm_org_admin']) {
if (!in_array($data['role_id'], array_keys($validRoles))) {
throw new MethodNotAllowedException(__('You cannot edit the given privileged user.'));
}
}
return $data;
};
}
}
$this->CRUD->edit($id, $params);
$responsePayload = $this->CRUD->getResponsePayload();
@ -135,9 +163,7 @@ class UsersController extends AppController
return $responsePayload;
}
$dropdownData = [
'role' => $this->Users->Roles->find('list', [
'sort' => ['name' => 'asc']
]),
'role' => $validRoles,
'individual' => $this->Users->Individuals->find('list', [
'sort' => ['email' => 'asc']
]),
@ -161,6 +187,23 @@ class UsersController extends AppController
public function delete($id)
{
$validRoles = [];
if (!$currentUser['role']['perm_admin']) {
$validRoles = $this->Users->Roles->find('list')->order(['name' => 'asc'])->all()->toArray();
}
$params = [
'beforeSave' => function($data) use ($currentUser, $validRoles) {
if (!$currentUser['role']['perm_admin']) {
if ($data['organisation_id'] !== $currentUser['organisation_id']) {
throw new MethodNotAllowedException(__('You do not have permission to remove the given user.'));
}
if (!in_array($data['role_id'], array_keys($validRoles))) {
throw new MethodNotAllowedException(__('You do not have permission to remove the given user.'));
}
}
return $data;
}
];
$this->CRUD->delete($id);
$responsePayload = $this->CRUD->getResponsePayload();
if (!empty($responsePayload)) {

40
templates/Users/index.php
View File

@ -102,12 +102,48 @@ echo $this->element('genericElements/IndexTable/index_table', [
[
'open_modal' => '/users/edit/[onclick_params_data_path]',
'modal_params_data_path' => 'id',
'icon' => 'edit'
'icon' => 'edit',
'complex_requirement' => [
'options' => [
'datapath' => [
'role_id' => 'role_id'
]
],
'function' => function ($row, $options) use ($loggedUser, $validRoles) {
if (empty($loggedUser['role']['perm_admin'])) {
if (empty($loggedUser['role']['perm_org_admin'])) {
return false;
}
if (!isset($validRoles[$options['datapath']['role_id']])) {
return false;
}
}
return true;
}
]
],
[
'open_modal' => '/users/delete/[onclick_params_data_path]',
'modal_params_data_path' => 'id',
'icon' => 'trash'
'icon' => 'trash',
'complex_requirement' => [
'options' => [
'datapath' => [
'role_id' => 'role_id'
]
],
'function' => function ($row, $options) use ($loggedUser, $validRoles) {
if (empty($loggedUser['role']['perm_admin'])) {
if (empty($loggedUser['role']['perm_org_admin'])) {
return false;
}
if (!isset($validRoles[$options['datapath']['role_id']])) {
return false;
}
}
return true;
}
]
],
]
]