chg: [tags:org/individual] Relaxed ACL on tagging
- Before only `site_admin` could add tags. - Now `org_admins` can add tags for their orgs and individuals - Regular users can self manage their own individual tagrefacto/CRUDComponent
parent
cbdf64a784
commit
af8f1e9e74
|
@ -90,8 +90,8 @@ class ACLComponent extends Component
|
|||
'edit' => ['perm_admin', 'perm_org_admin'],
|
||||
'filtering' => ['*'],
|
||||
'index' => ['*'],
|
||||
'tag' => ['perm_tagger'],
|
||||
'untag' => ['perm_tagger'],
|
||||
'tag' => ['*'],
|
||||
'untag' => ['*'],
|
||||
'view' => ['*'],
|
||||
'viewTags' => ['*']
|
||||
],
|
||||
|
@ -152,8 +152,8 @@ class ACLComponent extends Component
|
|||
'edit' => ['perm_admin'],
|
||||
'filtering' => ['*'],
|
||||
'index' => ['*'],
|
||||
'tag' => ['perm_tagger'],
|
||||
'untag' => ['perm_tagger'],
|
||||
'tag' => ['perm_org_admin'],
|
||||
'untag' => ['perm_org_admin'],
|
||||
'view' => ['*'],
|
||||
'viewTags' => ['*']
|
||||
],
|
||||
|
|
|
@ -68,25 +68,15 @@ class IndividualsController extends AppController
|
|||
if (!empty($responsePayload)) {
|
||||
return $responsePayload;
|
||||
}
|
||||
$this->set('canEdit', $this->canEdit($id));
|
||||
}
|
||||
|
||||
public function edit($id)
|
||||
{
|
||||
$currentUser = $this->ACL->getUser();
|
||||
if (!$currentUser['role']['perm_admin']) {
|
||||
$validIndividuals = $this->Individuals->getValidIndividualsToEdit($currentUser);
|
||||
if (!in_array($id, $validIndividuals)) {
|
||||
if (!$this->canEdit($id)) {
|
||||
throw new MethodNotAllowedException(__('You cannot modify that individual.'));
|
||||
}
|
||||
}
|
||||
$currentUser = $this->ACL->getUser();
|
||||
$validIndividualIds = [];
|
||||
if (!$currentUser['role']['perm_admin']) {
|
||||
$validIndividualIds = $this->Individuals->getValidIndividualsToEdit($currentUser);
|
||||
if (!in_array($id, $validIndividualIds)) {
|
||||
throw new NotFoundException(__('Invalid individual.'));
|
||||
}
|
||||
}
|
||||
$this->CRUD->edit($id, [
|
||||
'beforeSave' => function($data) use ($currentUser) {
|
||||
if ($currentUser['role']['perm_admin'] && isset($data['uuid'])) {
|
||||
|
@ -113,6 +103,9 @@ class IndividualsController extends AppController
|
|||
|
||||
public function tag($id)
|
||||
{
|
||||
if (!$this->canEdit($id)) {
|
||||
throw new MethodNotAllowedException(__('You cannot tag that individual.'));
|
||||
}
|
||||
$this->CRUD->tag($id);
|
||||
$responsePayload = $this->CRUD->getResponsePayload();
|
||||
if (!empty($responsePayload)) {
|
||||
|
@ -122,6 +115,9 @@ class IndividualsController extends AppController
|
|||
|
||||
public function untag($id)
|
||||
{
|
||||
if (!$this->canEdit($id)) {
|
||||
throw new MethodNotAllowedException(__('You cannot untag that individual.'));
|
||||
}
|
||||
$this->CRUD->untag($id);
|
||||
$responsePayload = $this->CRUD->getResponsePayload();
|
||||
if (!empty($responsePayload)) {
|
||||
|
@ -137,4 +133,17 @@ class IndividualsController extends AppController
|
|||
return $responsePayload;
|
||||
}
|
||||
}
|
||||
|
||||
public function canEdit($indId): bool
|
||||
{
|
||||
$currentUser = $this->ACL->getUser();
|
||||
if ($currentUser['role']['perm_admin']) {
|
||||
return true;
|
||||
}
|
||||
$validIndividuals = $this->Individuals->getValidIndividualsToEdit($currentUser);
|
||||
if (in_array($indId, $validIndividuals)) {
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -101,7 +101,6 @@ class OrganisationsController extends AppController
|
|||
if (!empty($responsePayload)) {
|
||||
return $responsePayload;
|
||||
}
|
||||
$this->set('metaGroup', 'ContactDB');
|
||||
}
|
||||
|
||||
public function view($id)
|
||||
|
@ -111,16 +110,12 @@ class OrganisationsController extends AppController
|
|||
if (!empty($responsePayload)) {
|
||||
return $responsePayload;
|
||||
}
|
||||
$this->set('metaGroup', 'ContactDB');
|
||||
$this->set('canEdit', $this->canEdit($id));
|
||||
}
|
||||
|
||||
public function edit($id)
|
||||
{
|
||||
$currentUser = $this->ACL->getUser();
|
||||
if (
|
||||
!($currentUser['organisation']['id'] == $id && $currentUser['role']['perm_org_admin']) &&
|
||||
!$currentUser['role']['perm_admin']
|
||||
) {
|
||||
if (!$this->canEdit($id)) {
|
||||
throw new MethodNotAllowedException(__('You cannot modify that organisation.'));
|
||||
}
|
||||
$this->CRUD->edit($id);
|
||||
|
@ -144,6 +139,9 @@ class OrganisationsController extends AppController
|
|||
|
||||
public function tag($id)
|
||||
{
|
||||
if (!$this->canEdit($id)) {
|
||||
throw new MethodNotAllowedException(__('You cannot tag that organisation.'));
|
||||
}
|
||||
$this->CRUD->tag($id);
|
||||
$responsePayload = $this->CRUD->getResponsePayload();
|
||||
if (!empty($responsePayload)) {
|
||||
|
@ -153,6 +151,9 @@ class OrganisationsController extends AppController
|
|||
|
||||
public function untag($id)
|
||||
{
|
||||
if (!$this->canEdit($id)) {
|
||||
throw new MethodNotAllowedException(__('You cannot untag that organisation.'));
|
||||
}
|
||||
$this->CRUD->untag($id);
|
||||
$responsePayload = $this->CRUD->getResponsePayload();
|
||||
if (!empty($responsePayload)) {
|
||||
|
@ -168,4 +169,16 @@ class OrganisationsController extends AppController
|
|||
return $responsePayload;
|
||||
}
|
||||
}
|
||||
|
||||
public function canEdit($orgId): bool
|
||||
{
|
||||
$currentUser = $this->ACL->getUser();
|
||||
if ($currentUser['role']['perm_admin']) {
|
||||
return true;
|
||||
}
|
||||
if ($currentUser['role']['perm_org_admin'] && $currentUser['organisation']['id'] == $orgId) {
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -31,6 +31,7 @@ echo $this->element(
|
|||
[
|
||||
'key' => __('Tags'),
|
||||
'type' => 'tags',
|
||||
'editable' => $canEdit,
|
||||
],
|
||||
[
|
||||
'key' => __('Alignments'),
|
||||
|
|
|
@ -40,6 +40,7 @@ echo $this->element(
|
|||
[
|
||||
'key' => __('Tags'),
|
||||
'type' => 'tags',
|
||||
'editable' => $canEdit,
|
||||
],
|
||||
[
|
||||
'key' => __('Alignments'),
|
||||
|
|
Loading…
Reference in New Issue