Commit 09bbf26c6202a09244daa75de9e27c9cc2889bc3
Merge dev branch into master branch (v3.7.9.46)
Showing
4 changed files
with
150 additions
and
707 deletions
README.md
... | ... | @@ -54,14 +54,13 @@ Logiciel testé et validé sur les configurations suivantes : |
54 | 54 | VERSION ACTUELLE |
55 | 55 | |
56 | 56 | Date: 25/06/2020 |
57 | -Version: 3.7.9.45 | |
57 | +Version: 3.7.9.46 | |
58 | 58 | Author: EP |
59 | 59 | Commentaire: |
60 | - - bugfix printLabel() : impression etiquette ne marchait plus !! | |
60 | + - Ajout d'un gros test générique de la vue index de Materiels (/materiels/index) qui teste le CONTENU de la vue | |
61 | + | |
61 | 62 | - Amélioration page /pages/acls |
62 | - | |
63 | 63 | - TODO1 : enrichir ce test |
64 | - - TODO2 : faire pareil pour tester la vue 'index' | |
65 | 64 | |
66 | 65 | - Tests génériques automatiques pour (presque) toutes les actions de (presque) tous les controleurs principaux (Materiels, Suivis, Emprunts, Users) mais aussi du controleur "quelconque" SurCategories (pour vérifier que ça marche aussi !!!) |
67 | 66 | - Dans ces tests génériques, on teste non seulement qu'une action s'exécute seulement quand elle y est autorisée, mais aussi qu'elle s'exécute correctement (au moins pour les actions CRUD : add,edit,delete...) |
... | ... | @@ -104,7 +103,9 @@ La liste ci-dessous est aussi en ligne ici : https://tinyurl.com/labinvent#headi |
104 | 103 | |
105 | 104 | ----------------------------------------------------------------------------------------------------------- |
106 | 105 | |
107 | -25/06/2020 v3.7.9.43-44 (EP) | |
106 | +25/06/2020 v3.7.9.43-45 (EP) | |
107 | + - bugfix printLabel() : impression etiquette ne marchait plus !! | |
108 | + - Amélioration page /pages/acls | |
108 | 109 | - Ajout d'un gros test générique de la vue détaillée de Materiels (/materiels/view) qui teste le CONTENU de la vue |
109 | 110 | - bugfixes : ce test, plus status-to-be-archived => status-tobearchived, plus SurcategoriesController => SurCategoriesController |
110 | 111 | - ... | ... | ... |
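--- a/src/Controller/AppController.php
+++ b/src/Controller/AppController.php
@@ -518,36 +518,35 @@ class AppController extends Controller
         if ($access_condition==='default') $access_condition = $this->is_authorized_action[$action]['default'];
         return $access_condition;
     }
+
 
-    // php7:
-    //protected function isAuthorizedAction(string $action, int $id=null, bool $IS_RELATED_ENTITY_ID=false, $user=null) {
-    // php5:
-    //protected function isAuthorizedAction($action, $id=null, $IS_RELATED_ENTITY_ID=false, $user=null) {
-    //public function isAuthorizedAction($action, $id=null, $IS_RELATED_ENTITY_ID=false, $user=null) {
+    // @deprecated
     public function isAuthorizedAction($action, $id=null, $related_matos_id=null, $user=null) {
-        //return $this->isAuthorizedActionForRole($this->user_role, $action, $id);
-        //return $this->isAuthorizedActionForRole($this->getUserRole($user), $action, $id, $IS_RELATED_ENTITY_ID, $user);
-        $this->d("IN isAuthorizedAction(): controleur $this->name, action $action");
-        return $this->isAuthorizedActionForRole($this->getUserRole($user), $action, $id, $related_matos_id, $user);
+        return $this->isAuthorizedActionForCurrentUser($action, $id, $related_matos_id, $user);
     }
-
     /**
-     * @param string $role
      * @param string $action
-     * @param int $id => entity id (si not $IS_RELATED_ENTITY_ID) ou bien l'id d'une entité associée (materiel ou suivi...) (si $IS_RELATED_ENTITY_ID)
-     * @param boolean $IS_RELATED_ENTITY_ID
-     *
+     * @param int $id => entity id
+     * @param int $related_matos_id => related materiel id
+     * @param $user => Utilisateur courant (null par défaut car on prend celui de la session en cours ; si pas null on prend ce user (qui est quand meme l'utilisateur courant))
+     *
      * @throws \ErrorException
      * @throws \Exception
-     *
+     *
      * @return boolean
      */
     // php7:
-    //protected function isAuthorizedActionForRole(string $role_long, string $action, int $id=null, bool $IS_RELATED_ENTITY_ID=false, $user=null) {
+    //protected function isAuthorizedAction(string $action, int $id=null, bool $IS_RELATED_ENTITY_ID=false, $user=null) {
     // php5:
-    protected function isAuthorizedActionForRole($role_long, $action, $id=null, $related_matos_id=null, $user=null) {
-    //protected function isAuthorizedActionForRole($role_long, $action, $id=null, $IS_RELATED_ENTITY_ID=false, $user=null) {
-    //private function isAuthorizedActionForRole($role, $action, $id=null, Materiel $m = null) {
+    //protected function isAuthorizedAction($action, $id=null, $IS_RELATED_ENTITY_ID=false, $user=null) {
+    //public function isAuthorizedAction($action, $id=null, $IS_RELATED_ENTITY_ID=false, $user=null) {
+    public function isAuthorizedActionForCurrentUser($action, $id=null, $related_matos_id=null, $user=null) {
+        //return $this->isAuthorizedActionForRole($this->user_role, $action, $id);
+        //return $this->isAuthorizedActionForRole($this->getUserRole($user), $action, $id, $IS_RELATED_ENTITY_ID, $user);
+        $this->d("IN isAuthorizedActionForCurrentUser(): controleur $this->name, action $action");
+        //return $this->isAuthorizedActionForRole($this->getUserRole($user), $action, $id, $related_matos_id, $user);
+        //return $this->isAuthorizedActionForCurrentUser($action, $id, $related_matos_id, $user);
+        $role_long = $this->getUserRole($user);
         $this->d("*************************** CONTROLEUR ".$this->name.", ACTION $action, ROLE $role_long, id=$id, related_matos_id=$related_matos_id");
         //$this->d("********* USER :"); $this->d2($user);
         if ($this->SUPERADMIN_CAN_DO_EVERYTHING) return TRUE;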
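Review bot: `isAuthorizedActionForCurrentUser()` at new line 543 is declared `public` on the application's base controller, replacing the `protected` `isAuthorizedActionForRole()`; if this app relies on CakePHP's default dispatching (the `$this->request->getParam()` usage elsewhere in this commit suggests CakePHP 3), public methods declared on app controllers are routable as actions, so this authorization helper — like the kept `public` wrapper `isAuthorizedAction()` at 524 — would be reachable by URL. Unless that is intended, declare it `protected function isAuthorizedActionForCurrentUser($action, $id=null, $related_matos_id=null, $user=null) {` and give the wrapper the same visibility. Separately, the PHPDoc at new lines 527–537 is cut off from the declaration it documents by the commented-out signatures at 538–542, so IDEs and static analysers will not attach it; delete or move those lines. Likewise `// @deprecated` at 523 is a plain line comment that deprecation tooling ignores — replace it with `/** @deprecated Use isAuthorizedActionForCurrentUser() instead. */`. The body of isAuthorizedActionForCurrentUser continues past the end of the hunk.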
src/Controller/MaterielsController.php
... | ... | @@ -517,135 +517,24 @@ class MaterielsController extends AppController { |
517 | 517 | //pr($this->u); |
518 | 518 | |
519 | 519 | if ($this->isLabinventDebugMode()) { |
520 | + debug($this->u); | |
521 | + | |
522 | + debug("user is xxx :"); | |
523 | + debug($this->u->is_user); | |
524 | + debug($this->u->is_resp); | |
525 | + debug($this->u->is_admin); | |
526 | + debug($this->u->is_adminplus); | |
527 | + debug($this->u->is_super); | |
520 | 528 | |
521 | - debug($this->u); | |
522 | - | |
523 | - debug("user is xxx :"); | |
524 | - debug($this->u->is_user); | |
525 | - debug($this->u->is_resp); | |
526 | - debug($this->u->is_admin); | |
527 | - debug($this->u->is_adminplus); | |
528 | - debug($this->u->is_super); | |
529 | - | |
530 | - debug("user is xxx or more :"); | |
531 | - debug($this->u->is_resp_or_more); | |
532 | - debug($this->u->is_admin_or_more); | |
533 | - | |
534 | - debug("user is xxx or less :"); | |
535 | - debug($this->u->is_resp_or_less); | |
536 | - debug($this->u->is_admin_or_less); | |
537 | - | |
538 | - } | |
539 | - | |
540 | - /* ICI C'EST OK | |
541 | - $toto="tititoto"; | |
542 | - $this->set(compact('toto')); | |
543 | - */ | |
544 | - | |
545 | - /* | |
546 | - $prefix = $this->request->getParam('prefix'); | |
547 | - $this->myDebug("- prefix is $prefix"); | |
548 | - */ | |
549 | - | |
550 | - /* (EP 202005) inutile | |
551 | - $this->userFromSession = $user; | |
552 | - //$configuration = $this->confLabinvent; | |
553 | - // ex: 'uid' | |
554 | - $this->userCname = $user[$this->confLabinvent->ldap_authenticationType][0]; | |
555 | - */ | |
556 | - | |
557 | - /* | |
558 | - * $role = TableRegistry::get('Users')->find() | |
559 | - * ->where(['username' => $user[$configuration->authentificationType_ldap][0]]) | |
560 | - * ->first()['role']; | |
561 | - */ | |
562 | - // (EP) deja set par beforeFilter() | |
563 | - //$role = $this->getUserRole($user); | |
564 | - //$this->userRole = $this->getUserRole($user); | |
565 | - | |
566 | - // $this->myDebug("role is ".$role); | |
567 | - // debug("role is ".$role); | |
568 | - | |
569 | - // BETTER: | |
570 | - // $action = $this->request->getAttribute('params')['action']; | |
571 | - // $action = $this->request->getParam('action'); | |
572 | - //$action = $this->getActionPassed(); | |
573 | - | |
574 | - // $id = (int) $this->request->getParam('pass.0'); | |
575 | - //$id = $this->getIdPassed(); | |
576 | - ///$this->e_id = $this->getIdPassed(); | |
577 | - //debug($id); | |
578 | - | |
579 | - // ACTIONS QUI SONT TOUJOURS AUTORISÉES QUELQUE SOIT LE PROFIL | |
580 | - /* | |
581 | - if (in_array($action, ['add', 'tags'])) { | |
582 | - return true; | |
583 | - } | |
584 | - */ | |
585 | - | |
586 | - // All other actions require a slug. | |
587 | - /* | |
588 | - $slug = $this->request->getParam('pass.0'); | |
589 | - if (!$slug) return false; | |
590 | - */ | |
591 | - | |
592 | - // Check that the article belongs to the current user. | |
593 | - /* | |
594 | - $article = $this->Articles->findBySlug($slug)->first(); | |
595 | - return $article->user_id === $user['id']; | |
596 | - */ | |
597 | - | |
598 | - ////$id = $this->e_id; | |
599 | - | |
600 | - /* (EP 20200430 déplacé dans isAuthorizedAction()) | |
601 | - // On autorise ou pas l’action demandée : | |
602 | - // - SUPERADMIN : par défaut il a TOUS les droits | |
603 | - // (sauf certaines actions afin de lui donner un comportement proche de ADMIN) | |
604 | - if ($this->USER_IS_SUPERADMIN) { | |
605 | - // edit ou add by copy => ssi CREATED | |
606 | - if ( $this->a =='edit' || ($this->a=='add' && $id>0) ) return $this->isCreated($id); | |
607 | - // archivage => admin only | |
608 | - //if ($this->a == 'statusArchived') return false; | |
609 | - // tout le reste => ok | |
610 | - return true; | |
529 | + debug("user is xxx or more :"); | |
530 | + debug($this->u->is_resp_or_more); | |
531 | + debug($this->u->is_admin_or_more); | |
532 | + | |
533 | + debug("user is xxx or less :"); | |
534 | + debug($this->u->is_resp_or_less); | |
535 | + debug($this->u->is_admin_or_less); | |
611 | 536 | } |
612 | - */ | |
613 | - /* | |
614 | - * @todo EP 08/2017 Nouvelle organisation des ACL avec $easyACL | |
615 | - * //return $this->isAuthorizedAction($this, $user, $role, $action, $id); | |
616 | - * Tout le reste en dessous de cette ligne devient inutile !!! | |
617 | - */ | |
618 | - ///////$this->myDebug("isAuthorizedAction ? " . $this->OLD_isAuthorizedAction2($this, $this->userRole, $this->a, $id, $user)); | |
619 | - //return $this->isAuthorizedAction(); | |
620 | - ////return $this->isAuthorizedAction($user=$user); | |
621 | - /* | |
622 | - return $this->isAuthorizedAction( | |
623 | - $this->userRole, | |
624 | - $this->a, $id, | |
625 | - $user, | |
626 | - $this->userCname | |
627 | - ); | |
628 | - */ | |
629 | - | |
630 | - //} // isAuthorized | |
631 | - | |
632 | 537 | |
633 | - /* | |
634 | - * EP defined function (18/5/19), date importante | |
635 | - * | |
636 | - * Fonction interne définie pour LabInvent. | |
637 | - * Elle return true ou false selon que l’action est autorisée ou pas. | |
638 | - * A la fin, si elle ne retourne rien, elle appellera la méthode isAuthorized() de AppController | |
639 | - * pour appliquer les règles par défaut. | |
640 | - * | |
641 | - * Avantage: TOUTES les ACL (droits des utilisateurs) sont définies en UN SEUL et UNIQUE endroit: ICI | |
642 | - * Les 3 niveaux successifs parcourus par cakephp (isAuthorized() puis beforeRender() puis la VUE) font tous appels à cette MEME fonction | |
643 | - * On ne définit et modifie les droits qu'ici et nulle part ailleurs (surtout pas dans les vues) !!! | |
644 | - * (Les vues ne font qu'utiliser des variables définies dans le controleur, elles n'ont pas d'intelligence propre) | |
645 | - * | |
646 | - */ | |
647 | - //private function isAuthorizedAction($action = null) { | |
648 | - //protected function isAuthorizedAction($action = null, $id=null, $role=null, $user=null, $userCname=null) { | |
649 | 538 | // Si paramètres nuls, passer les paramètres de l'action courante |
650 | 539 | if (!$action) $action = $this->a; |
651 | 540 | //$id = $this->getIdPassed(); |
... | ... | @@ -661,515 +550,9 @@ class MaterielsController extends AppController { |
661 | 550 | $this->myDebug("isAuthorizedAction ? " . $this->OLD_isAuthorizedAction2($this, $this->user_role, $this->a, $id, $user)); |
662 | 551 | //return $this->isAuthorizedActionForRole($role, $action, $id); // $user, $userCname |
663 | 552 | if ($action=='add' && $id>0) $action = 'add_by_copy'; |
664 | - return $this->isAuthorizedAction($action, $id); // $user, $userCname | |
665 | - | |
666 | - /* | |
667 | - //return $this->isAuthorizedActionFor($action, $this->getIdPassed(), $this->userRole, $this->userFromSession, $this->userCname); | |
668 | - return $this->isAuthorizedActionFor( | |
669 | - $action, | |
670 | - $id, | |
671 | - $role, | |
672 | - $user, $userCname | |
673 | - /S | |
674 | - $action ? $action : $this->a, | |
675 | - $this->e_id, | |
676 | - $this->userRole, | |
677 | - $this->userFromSession, $this->userCname | |
678 | - S/ | |
679 | - ); | |
680 | - */ | |
681 | - //private function isAuthorizedActionFor($action, $id, $role, $user, $userCname) { | |
682 | - | |
683 | - /* | |
684 | - * Structure mise en place: | |
685 | - * | |
686 | - * switch ACTION | |
687 | - * switch ROLE | |
688 | - * | |
689 | - */ | |
690 | - | |
691 | - // ICI C'EST PAS OK, why ??? | |
692 | - //$toto="tititoto"; | |
693 | - //$this->set(compact('toto')); | |
694 | - | |
695 | - /////$this->myDebug("step 2B (intermediaire): MaterielsController.isAuthorizedAction($role, action, id, user, userCname)"); | |
696 | - //debug("action $action, id $id"); | |
697 | - | |
698 | - //$this->myDebug("- user is ", $user); | |
699 | - | |
700 | - //debug($this->e->tititoto()); | |
701 | - // Raccourci pour SUPERADMIN : par défaut il a (presque) TOUS les droits, donc c'est vite vu ! | |
702 | - // (sauf certaines actions afin de lui donner un comportement proche de ADMIN) | |
703 | - if ($this->USER_IS_SUPERADMIN()) { | |
704 | - // !!!!!!!!!!!! !YES! !!!!!!!!!!!!!!! | |
705 | - //pr($this->Materiels->toto()); | |
706 | - // Il suffit de passer $this->SUPERADMIN_CAN_DO_EVERYTHING à true pour TOUT autoriser à superadmin : | |
707 | - if (! $this->SUPERADMIN_CAN_DO_EVERYTHING) { | |
708 | - $acl = [ | |
709 | - 'add' => "(id==0) || (id>0 && entity_is_created)", | |
710 | - 'edit' => "entity_is_created", | |
711 | - 'delete' => "entity_is_created", | |
712 | - 'statusValidated' => "entity_is_created", | |
713 | - 'statusTobearchived' => "entity_is_validated", | |
714 | - 'statusArchived' => "entity_is_tobearchived", | |
715 | - 'statusCreated' => "! entity_is_created", | |
716 | - 'printLabelRuban' => "config_has_printer && entity_is_validated", | |
717 | - // toutes les autres actions => ok | |
718 | - '*' => 'Y' | |
719 | - ]; | |
720 | - // On autorise à supprimer un matos archivé | |
721 | - if ( $action=='delete' && $this->isArchived($id) ) return true; | |
722 | - // add by copy, edit, ou delete => ssi CREATED | |
723 | - if ( ($action=='add' && $id>0) || in_array($action,['edit', 'delete', 'statusValidated']) ) { | |
724 | - return $this->isCreated($id); | |
725 | - } | |
726 | - //if ($this->a==’statusValidated’) return $this->isCreated($id); | |
727 | - if ($action=='statusTobearchived') return $this->isValidated($id); | |
728 | - if ($action=='statusArchived') return $this->isToBeArchived($id); | |
729 | - if ($action=='statusCreated') return ! $this->isCreated($id); | |
730 | - if ($action=='printLabelRuban') return $this->confLabinvent->hasPrinter && $this->isValidated($id); | |
731 | - } | |
732 | - // archivage => admin only | |
733 | - //if ($this->a == 'statusArchived') return false; | |
734 | - // tout le reste => ok | |
735 | - return true; | |
736 | - } // $this->USER_IS_SUPERADMIN | |
737 | - | |
738 | - // Pour chaque action de ce contrôleur, on return true ou false selon qu’on l’autorise ou pas | |
739 | - switch ($action) { | |
740 | - | |
741 | - // INDEX, VIEW, ADD, FIND | |
742 | - // ACL: Accessibles à tous ( cf parent::isAuthorized() ) | |
743 | - | |
744 | - | |
745 | - /* ADD, EDIT, ou DELETE : les conditions d'accès sont très semblables : | |
746 | - * SSi materiel CREATED, autoriser : | |
747 | - * - user : si createur de la fiche ou owner du materiel | |
748 | - * - resp : comme user ou bien aussi si responsable du groupe thematique ou metier de ce materiel | |
749 | - * - admin et + : toujours | |
750 | - */ | |
751 | - case 'add': | |
752 | - case 'edit': | |
753 | - case 'delete': | |
754 | - $acl = [ | |
755 | - // - DEFAULT (0) | |
756 | - "entity.status=='CREATED'", | |
757 | - // - USER (1) | |
758 | - "DEFAULT && user.isCreatorOrOwner", // creator or owner (isOwner) | |
759 | - // - RESPONSABLE (2) | |
760 | - "DEFAULT && (user.isCreatorOrOwner || user.isSameGroup)", // isSameGroup = isResp | |
761 | - // - ADMIN (3) | |
762 | - "DEFAULT", | |
763 | - // - ADMINPLUS (4) | |
764 | - "DEFAULT", | |
765 | - // - SUPERADMIN (5) | |
766 | - "DEFAULT" | |
767 | - ]; | |
768 | - // ADD : la règle par défaut (0) est différente | |
769 | - if ($action=='add') $acl[0] = "(id==0) || (id>0 && {$acl[0]})"; | |
770 | - // ADD standard (id=0) => par défaut, tout le monde peut faire cette action | |
771 | - if ($action=='add' && $id==0) return true; | |
772 | - // Pour tous les autres cas : | |
773 | - //return $this->isCreated($id) && $this->isManageableByUser($this->u, $id); | |
774 | - //if (! $this->isCreated($id)) return FALSE; | |
775 | - if ($action=='delete') | |
776 | - return $this->isDeleteableByCurrentUser($id); | |
777 | - //return $this->isDeleteableByUser($this->u, $id); | |
778 | - // 'add' (by copy) ou 'edit' | |
779 | - else | |
780 | - return $this->isEditableOrCopiableByCurrentUser($id); | |
781 | - //return $this->isEditableOrCopiableByUser($this->u, $id); | |
782 | - //return $this->isManageableByUser($this->u, $id); | |
783 | - | |
784 | - /* | |
785 | - // ADD par copie (id>0) => c'est la suite qui s'applique (même règles que pour edit et delete) : | |
786 | - // A partir d'ici, règle par défaut : ON AUTORISE SSI MATOS "CREATED" | |
787 | - if (! $this->isCreated($id)) return FALSE; | |
788 | - // Conditions supplémentaires pour profils User et Responsable : | |
789 | - if ( in_array($role, ['Utilisateur', 'Responsable']) ) { | |
790 | - //return $this->isOwnedBy($id, $user['sn'][0] . ' ' . $user['givenname'][0]); | |
791 | - //$isHis = $this->isHis($id, $user); | |
792 | - //$isHis = $this->isHis($id); | |
793 | - $isHis = $this->belongsToCurrentUser($id); | |
794 | - //return $role=='Utilisateur' ? $isHis : $isHis||$this->isRespGroup($id, $userCname); | |
795 | - //return $role=='Utilisateur' ? $isHis : $isHis||$this->isSameGroupAsUser($id, $userCname); | |
796 | - ///////return $role=='Utilisateur' ? $isHis : $isHis||$this->isSameGroupAsUser($userCname, $id); | |
797 | - return $role=='Utilisateur' ? $isHis : $isHis||$this->isSameGroupAsCurrentUser($id); | |
798 | - /S | |
799 | - if ($role=='Utilisateur') return $isHis; | |
800 | - // Responsable | |
801 | - return $isHis || $this->isRespGroup($id, $userCname); | |
802 | - S/ | |
803 | - } | |
804 | - // All other roles (Admin and more) => OK | |
805 | - return TRUE; | |
806 | - */ | |
807 | - // ADD, EDIT, ou DELETE | |
808 | - | |
809 | - | |
810 | - // (EP 20200430) : inutile de distinguer ADD, EDIT et DELETE, car conditions d'accès très semblables (donc regroupées ci-dessus) | |
811 | - /* | |
812 | - case 'add': | |
813 | - // voir le tableau $acl de l'action 'edit' pour plus de détail | |
814 | - $acl = [ | |
815 | - // - DEFAULT (0) | |
816 | - "(id==0) || (id>0 && entity.status=='CREATED')", | |
817 | - // - USER (1) | |
818 | - "DEFAULT && user.isCreatorOrOwner", // creator or owner (isOwner) | |
819 | - // - RESPONSABLE (2) | |
820 | - "DEFAULT && (user.isCreatorOrOwner || user.isSameGroup)", // isSameGroup = isResp | |
821 | - // - ADMIN (3) | |
822 | - "DEFAULT", | |
823 | - // - ADMINPLUS (4) | |
824 | - "DEFAULT", | |
825 | - // - SUPERADMIN (5) | |
826 | - "DEFAULT" | |
827 | - ]; | |
828 | - //debug("this is"); debug($this); | |
829 | - //debug($id); | |
830 | - // Par défaut, tout le monde peut faire cette action | |
831 | - if ($id == 0) return true; | |
832 | - // Sauf si c'est add PAR COPIE | |
833 | - else { | |
834 | - //if ($id > 0) { | |
835 | - // Règle par défaut : ON AUTORISE SEULEMENT LA COPIE D'UN MATOS "CREATED" | |
836 | - // not CREATED => pas le droit de copier un materiel pas CREATED | |
837 | - if (! $this->isCreated($id)) return FALSE; | |
838 | - // CREATED => ok, sous conditions | |
839 | - //debug("copie created"); | |
840 | - //if ($this->isCreated($id) || $this->isValidated($id)) { | |
841 | - /S | |
842 | - * if ($role == 'Utilisateur' && $this->isOwnedBy($id, $user['sn'][0] . ' ' . $user['givenname'][0])) { | |
843 | - * return true; | |
844 | - * } else if ($role == 'Responsable' && $this->isRespGroup($id, $user[$configuration->authentificationType_ldap][0])) { | |
845 | - * return true; | |
846 | - * } else if ($this->userHasRoleAtLeast('Administration')) { | |
847 | - * return true; | |
848 | - * } | |
849 | - S/ | |
850 | - /S | |
851 | - switch ($role) { | |
852 | - case 'Utilisateur': | |
853 | - //return $this->isOwnedBy($id, $user['sn'][0] . ' ' . $user['givenname'][0]); | |
854 | - return $this->isHis($id, $user); | |
855 | - case 'Responsable': | |
856 | - return ( $this->isHis($id, $user) || $this->isRespGroup($id, $userCname) ); | |
857 | - } | |
858 | - S/ | |
859 | - if ( in_array($role, ['Utilisateur', 'Responsable']) ) { | |
860 | - //return $this->isOwnedBy($id, $user['sn'][0] . ' ' . $user['givenname'][0]); | |
861 | - $autorized = $this->isHis($id, $user); | |
862 | - if ($role =='Responsable') $autorized = $autorized || $this->isRespGroup($id, $userCname); | |
863 | - return $autorized; | |
864 | - } | |
865 | - // All other roles (Admin and more) => OK | |
866 | - return TRUE; | |
867 | - } // ADD by COPIE ($id > 0) | |
868 | - //break; | |
869 | - // ADD | |
870 | - */ | |
871 | - | |
872 | - | |
873 | - // (EP 20200430) : inutile de distinguer ADD, EDIT et DELETE, car conditions d'accès très semblables (donc regroupées ci-dessus) | |
874 | - /* | |
875 | - // DELETE | |
876 | - case 'delete': | |
877 | - | |
878 | - // voir le tableau $acl de l'action 'edit' pour plus de détail | |
879 | - $acl = [ | |
880 | - // - DEFAULT (0) | |
881 | - "entity.status=='CREATED'", | |
882 | - // - USER (1) | |
883 | - "DEFAULT && user.isCreatorOrOwner", // creator or owner (isOwner) | |
884 | - // - RESPONSABLE (2) | |
885 | - "DEFAULT && (user.isCreatorOrOwner || user.isSameGroup)", // isSameGroup = isResp | |
886 | - // - ADMIN (3) | |
887 | - "DEFAULT", | |
888 | - // - ADMINPLUS (4) | |
889 | - "DEFAULT", | |
890 | - // - SUPERADMIN (5) | |
891 | - "DEFAULT" | |
892 | - ]; | |
893 | - /S | |
894 | - * (EP) ACL: | |
895 | - * SSi materiel CREATED, autoriser : | |
896 | - * - user : si createur de la fiche ou owner du materiel | |
897 | - * - resp : si responsable du groupe thematique ou metier de ce materiel | |
898 | - * - admin et + : toujours | |
899 | - S/ | |
900 | - if (! $this->isCreated($id)) return FALSE; | |
901 | - /S | |
902 | - * if ($role == 'Utilisateur' && $this->isOwnedBy($id, $user['sn'][0] . ' ' . $user['givenname'][0])) { | |
903 | - * return true; | |
904 | - * } else if ($role == 'Responsable' && $this->isRespGroup($id, $user[$configuration->authentificationType_ldap][0])) { | |
905 | - * return true; | |
906 | - * } else if ($this->userHasRoleAtLeast('Administration')) { | |
907 | - * return true; | |
908 | - * } | |
909 | - S/ | |
910 | - switch ($role) { | |
911 | - case 'Utilisateur': | |
912 | - //return ($this->isOwnedBy($id, $user['sn'][0] . ' ' . $user['givenname'][0])); | |
913 | - return $this->isHis($id, $user); | |
914 | - break; | |
915 | - case 'Responsable': | |
916 | - return ($this->isRespGroup($id, $userCname)); | |
917 | - break; | |
918 | - // All other roles : Admin and more | |
919 | - default: | |
920 | - return true; | |
921 | - break; | |
922 | - } | |
923 | - break; | |
924 | - // DELETE | |
925 | - */ | |
926 | - | |
927 | - | |
928 | - // (EP 20200430) : inutile de distinguer ADD, EDIT et DELETE, car conditions d'accès très semblables (donc regroupées ci-dessus) | |
929 | - /* | |
930 | - // UPDATE (edit) | |
931 | - // if ($action == 'edit') { | |
932 | - case 'edit': | |
933 | - /S | |
934 | - debug("entity is"); debug($this->e); | |
935 | - $this->getEntity(); | |
936 | - debug("entity is"); debug($this->e); | |
937 | - S/ | |
938 | - // BETTER: | |
939 | - // $id = (int) $this->request->getAttribute('params')['pass'][0]; | |
940 | - // /$id = (int) $this->request->getParam('pass.0'); | |
941 | - | |
942 | - // (EP) TODO: il me semble qu'on devrait ajouter ici | |
943 | - // || $this->isToBeArchived($id) | |
944 | - // ainsi qu'une autre règle pour isArchived($id) | |
945 | - // ??? | |
946 | - | |
947 | - /S | |
948 | - * (EP) ACL: | |
949 | - * | |
950 | - * - adminplus et superadmin sont autorisés par défaut dans tous les cas | |
951 | - * | |
952 | - * SSi materiel CREATED ou VALIDATED, autoriser : | |
953 | - * - user : si createur de la fiche ou owner du materiel | |
954 | - * - resp : si responsable du groupe thematique ou metier de ce materiel | |
955 | - * - admin et + : toujours | |
956 | - * | |
957 | - S/ | |
958 | - | |
959 | - // (EP 23/5/19) NEW optimization | |
960 | - $materiel = $this->Materiels->get($id, [ | |
961 | - 'contain' => [ | |
962 | - 'SurCategories', | |
963 | - 'Categories', | |
964 | - 'SousCategories', | |
965 | - 'GroupesThematiques', | |
966 | - 'GroupesMetiers', | |
967 | - 'Organismes', | |
968 | - 'Sites', | |
969 | - 'Documents', | |
970 | - 'Emprunts', | |
971 | - 'Suivis', | |
972 | - 'Fournisseurs' | |
973 | - ] | |
974 | - ]); | |
975 | - | |
976 | - $acl = [ | |
977 | - | |
978 | - // - DEFAULT (0) | |
979 | - //'ALL' => 'Y', // pas de condition par défaut | |
980 | - //'ALL' => 'N', // par défaut => pas autorisé | |
981 | - //'ALL' => 'isCreated', | |
982 | - //'DEFAULT' => "entity.status == 'CREATED'", | |
983 | - "entity.status == 'CREATED'", | |
984 | - | |
985 | - // - USER (1) | |
986 | - //'USER' => '&& isCreatorOrOwner', // creator or owner (isOwner) | |
987 | - //'USER' => "DEFAULT && user.isCreatorOrOwner", // creator or owner (isOwner) | |
988 | - "DEFAULT && user.isCreatorOrOwner", // creator or owner (isOwner) | |
989 | - | |
990 | - // - RESPONSABLE (2) | |
991 | - //'RESPONSABLE' => "DEFAULT && (user.isCreatorOrOwner || user.isSameGroup)", // isSameGroup = isResp | |
992 | - "DEFAULT && (user.isCreatorOrOwner || user.isSameGroup)", // isSameGroup = isResp | |
993 | - | |
994 | - // - ADMIN (3) | |
995 | - //'ADMIN' => "DEFAULT", | |
996 | - "DEFAULT", | |
997 | - | |
998 | - // - ADMINPLUS (4) | |
999 | - //'ADMINPLUS' => "DEFAULT" | |
1000 | - "DEFAULT", | |
1001 | - | |
1002 | - // - SUPERADMIN (5) | |
1003 | - //'SUPERADMIN' => "DEFAULT" | |
1004 | - "DEFAULT" | |
1005 | - | |
1006 | - ]; | |
1007 | - //return $this->isAuthorizedByAcl($acl); | |
1008 | - | |
1009 | - //$IS_CREATED = $this->isCreated($id); | |
1010 | - $IS_CREATED = $materiel->status == 'CREATED'; | |
1011 | - $USER_IS_CREATOR_OR_OWNER = in_array($this->userName, [ | |
1012 | - $materiel->nom_createur, | |
1013 | - $materiel->nom_responsable | |
1014 | - ]); | |
1015 | - // Current user is same group as current materiel | |
1016 | - $USER_IS_SAME_GROUP_AS_MATERIEL = ( | |
1017 | - ( isset($this->priviledgedUser->groupes_metier_id) && $this->priviledgedUser->groupes_metier_id != $this->idGmNa && $materiel->groupes_metier_id == $this->priviledgedUser->groupes_metier_id ) | |
1018 | - || | |
1019 | - ( isset($this->priviledgedUser->groupes_thematique_id) && $this->priviledgedUser->groupes_thematique_id != $this->idGtNa && $materiel->groupes_thematique_id == $this->priviledgedUser->groupes_thematique_id ) | |
1020 | - ); | |
1021 | - $CAN_EDIT = $IS_CREATED && ( | |
1022 | - $this->USER_IS_ADMIN_OR_MORE | |
1023 | - || | |
1024 | - $USER_IS_CREATOR_OR_OWNER | |
1025 | - || | |
1026 | - ($this->USER_IS_RESPONSABLE && $USER_IS_SAME_GROUP_AS_MATERIEL) | |
1027 | - ); | |
1028 | - return $CAN_EDIT; | |
1029 | - // edit | |
1030 | - */ | |
1031 | - | |
1032 | - | |
1033 | - | |
1034 | - | |
1035 | - // DE-VALIDATION d'un materiel (repasse à CREATED) | |
1036 | - case 'statusCreated': | |
1037 | - if ($this->isCreated($id)) return FALSE; | |
1038 | - if ($this->USER_IS_USER()) return FALSE; | |
1039 | - //if ($this->USER_IS_RESP()) return $this->isSameGroupAsUser($id, $userCname); | |
1040 | - /////if ($this->USER_IS_RESP()) return $this->isSameGroupAsUser($userCname, $id); | |
1041 | - if ($this->USER_IS_RESP()) return $this->isSameGroupAsCurrentUser($id); | |
1042 | - return true; | |
1043 | - | |
1044 | - // VALIDATION d'un materiel (passe à VALIDATED) | |
1045 | - case 'statusValidated': | |
1046 | - //$id = (int) $this->request->getAttribute('params')['pass'][0]; | |
1047 | - if (! $this->isCreated($id)) return FALSE; | |
1048 | - if ($this->USER_IS_USER()) return FALSE; | |
1049 | - //if ($this->USER_IS_RESP()) return $this->isSameGroupAsUser($userCname, $id); | |
1050 | - if ($this->USER_IS_RESP()) return $this->isSameGroupAsCurrentUser($id); | |
1051 | - return true; | |
1052 | - | |
1053 | - /* | |
1054 | - if ($this->USER_IS_USER()) return FALSE; | |
1055 | - if ($this->isCreated($id)) | |
1056 | - return $this->USER_IS_RESP() ? $this->isRespGroup($id, $userCname) : TRUE; | |
1057 | - /S | |
1058 | - if ($this->USER_IS_RESP()) return $this->isRespGroup($id, $userCname); | |
1059 | - return TRUE; | |
1060 | - S/ | |
1061 | - // sinon rejet | |
1062 | - return FALSE; | |
1063 | - */ | |
1064 | - /* | |
1065 | - if ($this->USER_IS_RESP() && $this->isRespGroup($id, $userCname)) { | |
1066 | - if ($this->isCreated($id)) { | |
1067 | - return true; | |
1068 | - } | |
1069 | - // } else if ($this->userHasRoleAtLeast('Administration')) { | |
1070 | - } else if ($this->USER_IS_ADMIN_AT_LEAST()) { | |
1071 | - if ($this->isCreated($id)) { | |
1072 | - return true; | |
1073 | - } | |
1074 | - } | |
1075 | - break; | |
1076 | - */ | |
1077 | - | |
1078 | - // Demande d'Archivage | |
1079 | - case 'statusTobearchived': | |
1080 | - if (! $this->isValidated($id)) return FALSE; | |
1081 | - if ($this->USER_IS_USER()) return FALSE; | |
1082 | - //if ($this->USER_IS_RESP()) return $this->isSameGroupAsUser($userCname, $id); | |
1083 | - if ($this->USER_IS_RESP()) return $this->isSameGroupAsCurrentUser($id); | |
1084 | - return TRUE; | |
1085 | - /* | |
1086 | - if ($this->isValidated($id)) | |
1087 | - return $this->USER_IS_RESP() ? $this->isRespGroup($id, $userCname) : TRUE; | |
1088 | - return FALSE; | |
1089 | - */ | |
1090 | - /* | |
1091 | - if ($this->USER_IS_RESP() && $this->isRespGroup($id, $userCname)) { | |
1092 | - if ($this->isValidated($id)) { | |
1093 | - return true; | |
1094 | - } | |
1095 | - // } else if ($this->userHasRoleAtLeast('Administration')) { | |
1096 | - } else if ($this->USER_IS_ADMIN_AT_LEAST()) { | |
1097 | - if ($this->isValidated($id)) { | |
1098 | - return true; | |
1099 | - } | |
1100 | - } | |
1101 | - break; | |
1102 | - */ | |
1103 | - | |
1104 | - // Archivage | |
1105 | - case 'statusArchived': | |
1106 | - //return $this->isToBeArchived($id) && $this->USER_IS_ADMIN_AT_LEAST(); | |
1107 | - if (! $this->isToBeArchived($id)) return FALSE; | |
1108 | - return $this->USER_IS_ADMIN_AT_LEAST(); | |
1109 | - // /$id = (int) $this->request->getAttribute('params')['pass'][0]; | |
1110 | - // if ($this->userHasRoleAtLeast('Administration')) { | |
1111 | - // if ($role == 'Super Administrateur') { | |
1112 | - /* | |
1113 | - if ( $this->isToBeArchived($id) && $this->USER_IS_ADMIN_AT_LEAST() ) { | |
1114 | - if ($this->USER_IS_SUPERADMIN()) return false; | |
1115 | - return true; | |
1116 | - } | |
1117 | - break; | |
1118 | - */ | |
1119 | - | |
1120 | - | |
1121 | - case 'printLabelRuban': | |
1122 | - return $this->confLabinvent->hasPrinter && $this->isValidated($id); | |
1123 | - //return $this->confLabinvent->hasPrinter && $this->isValidated($id) && $this->USER_IS_ADMIN_OR_MORE; | |
1124 | - /* | |
1125 | - //$materiel = $this->Materiels->get($id); | |
1126 | - $materiel = $this->getEntity($id); // getEntity() sans $id marcherait aussi... | |
1127 | - $IS_VALIDATED = ($materiel->status == 'VALIDATED'); | |
1128 | - return $IS_VALIDATED && $this->confLabinvent->hasPrinter && $this->USER_IS_ADMIN_OR_MORE; | |
1129 | - */ | |
1130 | - | |
1131 | - /* | |
1132 | - * if (in_array($action, [ | |
1133 | - * 'execActions', | |
1134 | - * 'setLabelIsPlaced', | |
1135 | - * 'setLabelIsPlacedOrNotPlaced', | |
1136 | - * 'setLabelIsNotPlaced', | |
1137 | - * 'printLabelRuban' | |
1138 | - * ])) { | |
1139 | - */ | |
1140 | - case 'execActions': | |
1141 | - return $this->USER_IS_ADMIN_AT_LEAST(); | |
1142 | - | |
1143 | - case 'export': | |
1144 | - // if ($this->userHasRoleAtLeast('Responsable')) { | |
1145 | - return $this->USER_IS_RESP_AT_LEAST(); | |
1146 | - | |
1147 | - case 'getDateGarantie': | |
1148 | - case 'setLabelIsPlaced': | |
1149 | - case 'setLabelIsNotPlaced': | |
1150 | - //case 'setLabelIsPlacedOrNotPlaced': | |
1151 | - return true; | |
1152 | - /* | |
1153 | - // if ($this->userHasRoleAtLeast('Administration')) { | |
1154 | - if ($this->USER_IS_ADMIN_AT_LEAST()) return true; | |
1155 | - break; | |
1156 | - */ | |
1157 | - | |
1158 | - /* | |
1159 | - * // Autorisations par defaut: | |
1160 | - * default: | |
1161 | - * return parent::isAuthorized($user); | |
1162 | - * break; | |
1163 | - */ | |
1164 | - } // end of switch case | |
1165 | - | |
1166 | - // Si aucune règle ci-dessus n'a return true (ou false) | |
1167 | - // => DEFAULT PARENT RULE | |
1168 | - // (on appelle la méthode isAuthorized() de AppController) | |
1169 | - /////return parent::isAuthorized($user); | |
1170 | - return parent::isAuthorized($user, $action); | |
553 | + return $this->isAuthorizedActionForCurrentUser($action, $id); // $user, $userCname | |
1171 | 554 | |
1172 | - } // isAuthorizedAction() | |
555 | + } // isAuthorized() | |
1173 | 556 | |
1174 | 557 | |
1175 | 558 | |
... | ... | @@ -1570,21 +953,21 @@ class MaterielsController extends AppController { |
1570 | 953 | // 1) DROITS SUR LE MATERIEL VU |
1571 | 954 | |
1572 | 955 | // - edit, copy, delete, etiquette |
1573 | - $CAN_EDIT = $this->isAuthorizedAction('edit', $id); | |
956 | + $CAN_EDIT = $this->isAuthorizedActionForCurrentUser('edit', $id); | |
1574 | 957 | //$CAN_EDIT = $this->isAuthorizedAction($this->userRole, 'edit', $id, $this->userFromSession, $this->userCname); |
1575 | 958 | $this->d("can edit ? "); $this->d2($CAN_EDIT); |
1576 | 959 | //$CAN_EDIT = $this->isAuthorized($u,'edit', $id); |
1577 | 960 | //pr("CAN_EDIT = ".(int)$CAN_EDIT." (pour id $id)"); |
1578 | 961 | //$CAN_EDIT = $IS_CREATED && $CAN_ATTACH_A_DOC; |
1579 | - $CAN_COPY = $this->isAuthorizedAction('add_by_copy', $id); | |
962 | + $CAN_COPY = $this->isAuthorizedActionForCurrentUser('add_by_copy', $id); | |
1580 | 963 | $this->d("can copy ? "); $this->d2($CAN_COPY); |
1581 | 964 | //$CAN_COPY = $CAN_EDIT; |
1582 | 965 | //$CAN_DELETE = $this->isAuthorized($u,'delete', $id); |
1583 | - $CAN_DELETE = $this->isAuthorizedAction('delete', $id); | |
966 | + $CAN_DELETE = $this->isAuthorizedActionForCurrentUser('delete', $id); | |
1584 | 967 | $this->d("can delete ? "); $this->d2($CAN_DELETE); |
1585 | 968 | //debug("can delete ? $CAN_DELETE"); |
1586 | 969 | //debug($CAN_DELETE); |
1587 | - $CAN_PRINT_LABEL = $this->isAuthorizedAction('printLabelRuban', $id); | |
970 | + $CAN_PRINT_LABEL = $this->isAuthorizedActionForCurrentUser('printLabelRuban', $id); | |
1588 | 971 | //$CAN_PRINT_LABEL = $this->isAuthorized($u,'printLabelRuban'); |
1589 | 972 | //$CAN_PRINT_LABEL = $IS_VALIDATED && $this->confLabinvent->hasPrinter && $this->USER_IS_ADMIN_OR_MORE; |
1590 | 973 | //$CAN_PRINT_LABEL = $this->isAuthorizedAction($this->userRole, 'printLabelRuban', $id, $this->userFromSession, $this->userCname); |
... | ... | @@ -1596,21 +979,21 @@ class MaterielsController extends AppController { |
1596 | 979 | $CAN_VALIDATE_OR_INVALIDATE = $this->USER_IS_ADMIN_OR_MORE || ( $materiel->materiel_administratif==0 && $USER_IS_RESPONSABLE_AND_SAME_GROUP_AS_MATERIEL ); |
1597 | 980 | $CAN_VALIDATE = $IS_CREATED && $CAN_VALIDATE_OR_INVALIDATE; |
1598 | 981 | */ |
1599 | - $CAN_VALIDATE = $this->isAuthorizedAction('statusValidated', $id); | |
982 | + $CAN_VALIDATE = $this->isAuthorizedActionForCurrentUser('statusValidated', $id); | |
1600 | 983 | //$CAN_VALIDATE = $this->isAuthorized($u,'statusValidated'); |
1601 | 984 | //$CAN_VALIDATE = $this->isAuthorizedAction('statusValidated'); |
1602 | 985 | $this->d("can validate ? "); $this->d2($CAN_VALIDATE); |
1603 | 986 | |
1604 | - $CAN_INVALIDATE = $this->isAuthorizedAction('statusCreated', $id); | |
987 | + $CAN_INVALIDATE = $this->isAuthorizedActionForCurrentUser('statusCreated', $id); | |
1605 | 988 | //$CAN_INVALIDATE = $this->isAuthorized($u,'statusCreated'); |
1606 | 989 | //$CAN_INVALIDATE = !$IS_CREATED && $CAN_VALIDATE_OR_INVALIDATE; |
1607 | 990 | $this->d("can invalidate ? "); $this->d2($CAN_INVALIDATE); |
1608 | - $CAN_TBA = $this->isAuthorizedAction('statusTobearchived', $id); | |
991 | + $CAN_TBA = $this->isAuthorizedActionForCurrentUser('statusTobearchived', $id); | |
1609 | 992 | //$CAN_TBA = $this->isAuthorized($u,'statusTobearchived'); |
1610 | 993 | //$CAN_TBA = $IS_VALIDATED && $CONTEXT1; |
1611 | 994 | $this->d("can CAN_TBA ? "); $this->d2($CAN_TBA); |
1612 | 995 | |
1613 | - $CAN_ARCHIVE = $this->isAuthorizedAction('statusArchived', $id); | |
996 | + $CAN_ARCHIVE = $this->isAuthorizedActionForCurrentUser('statusArchived', $id); | |
1614 | 997 | //$CAN_ARCHIVE = $this->isAuthorized($u,'statusArchived'); |
1615 | 998 | //$CAN_ARCHIVE = $IS_TOBEARCHIVED && $this->USER_IS_ADMIN_OR_MORE; |
1616 | 999 | $this->d("can CAN_ARCHIVE ? "); $this->d2($CAN_ARCHIVE); |
... | ... | @@ -1620,25 +1003,25 @@ class MaterielsController extends AppController { |
1620 | 1003 | //$CAN_LEND = $CAN_FOLLOW = true; |
1621 | 1004 | $ec = new EmpruntsController(); |
1622 | 1005 | //$CAN_LEND = $ec->isAuthorizedAction('add', $id, $IS_RELATED_ENTITY_ID=true, $u); |
1623 | - $CAN_LEND = $ec->isAuthorizedAction('add', null, $id, $u); | |
1006 | + $CAN_LEND = $ec->isAuthorizedActionForCurrentUser('add', null, $id, $u); | |
1624 | 1007 | $this->d("can CAN_LEND ? "); $this->d2($CAN_LEND); |
1625 | 1008 | $sc = new SuivisController(); |
1626 | 1009 | //$CAN_DO_SUIVI = $sc->isAuthorizedAction('add', $id, true, $u); |
1627 | - $CAN_DO_SUIVI = $sc->isAuthorizedAction('add', null, $id, $u); | |
1010 | + $CAN_DO_SUIVI = $sc->isAuthorizedActionForCurrentUser('add', null, $id, $u); | |
1628 | 1011 | $this->d("can CAN_DO_SUIVI ? "); $this->d2($CAN_DO_SUIVI); |
1629 | 1012 | // - Attacher un doc |
1630 | 1013 | $dc = new DocumentsController(); |
1631 | 1014 | //$CAN_ATTACH_A_DOC = $dc->isAuthorizedAction('add', $id, true, $u); |
1632 | - $CAN_ATTACH_A_DOC = $dc->isAuthorizedAction('add', null, $id, $u); | |
1015 | + $CAN_ATTACH_A_DOC = $dc->isAuthorizedActionForCurrentUser('add', null, $id, $u); | |
1633 | 1016 | $this->d("CAN_ATTACH_A_DOC ? "); $this->d2($CAN_ATTACH_A_DOC); |
1634 | 1017 | //$CAN_ATTACH_A_DOC = DocumentsController::isAuthorizedAction('add'); |
1635 | 1018 | //$CAN_ATTACH_A_DOC = $CONTEXT1; |
1636 | 1019 | // - Editer le doc d'admission |
1637 | 1020 | //$CAN_EDIT_DOC_ADMISSION = $dc->isAuthorizedAction('admission', $id, true, $u); |
1638 | - $CAN_EDIT_DOC_ADMISSION = $dc->isAuthorizedAction('admission', null, $id, $u); | |
1021 | + $CAN_EDIT_DOC_ADMISSION = $dc->isAuthorizedActionForCurrentUser('admission', null, $id, $u); | |
1639 | 1022 | $this->d("CAN_EDIT_DOC_ADMISSION ? "); $this->d2($CAN_EDIT_DOC_ADMISSION); |
1640 | 1023 | //$CAN_EDIT_DOC_SORTIE = $dc->isAuthorizedAction('sortie', $id, true, $u); |
1641 | - $CAN_EDIT_DOC_SORTIE = $dc->isAuthorizedAction('sortie', null, $id, $u); | |
1024 | + $CAN_EDIT_DOC_SORTIE = $dc->isAuthorizedActionForCurrentUser('sortie', null, $id, $u); | |
1642 | 1025 | $this->d("CAN_EDIT_DOC_SORTIE ? "); $this->d2($CAN_EDIT_DOC_SORTIE); |
1643 | 1026 | //$CAN_LEND = $CAN_DO_SUIVI = $CAN_ATTACH_A_DOC = $CAN_EDIT_DOC_ADMISSION = $CAN_EDIT_DOC_SORTIE = TRUE; |
1644 | 1027 | |
... | ... | @@ -1699,7 +1082,7 @@ class MaterielsController extends AppController { |
1699 | 1082 | if ($e->suivis) { |
1700 | 1083 | $suivi1 = $e->suivis[0]; |
1701 | 1084 | //$CAN_MANAGE_SUIVIS = $sc->isAuthorizedAction('edit', $suivi1->id, false, $u); |
1702 | - $CAN_MANAGE_SUIVIS = $sc->isAuthorizedAction('edit', $suivi1->id, null, $u); | |
1085 | + $CAN_MANAGE_SUIVIS = $sc->isAuthorizedActionForCurrentUser('edit', $suivi1->id, null, $u); | |
1703 | 1086 | // on peut faire de même avec l'action delete |
1704 | 1087 | //$CAN_MANAGE_SUIVIS = $sc->isAuthorized($u,'delete', $suivi1->id); |
1705 | 1088 | } |
... | ... | @@ -1721,7 +1104,7 @@ class MaterielsController extends AppController { |
1721 | 1104 | $emprunt1 = $e->emprunts[0]; |
1722 | 1105 | //debug($emprunt1); |
1723 | 1106 | //$CAN_MANAGE_EMPRUNTS = $ec->isAuthorizedAction('edit', $emprunt1->id, false, $u); |
1724 | - $CAN_MANAGE_EMPRUNTS = $ec->isAuthorizedAction('edit', $emprunt1->id, null, $u); | |
1107 | + $CAN_MANAGE_EMPRUNTS = $ec->isAuthorizedActionForCurrentUser('edit', $emprunt1->id, null, $u); | |
1725 | 1108 | // on peut faire de même avec l'action delete |
1726 | 1109 | //$CAN_MANAGE_EMPRUNTS = $sc->isAuthorized($u,'delete', $suivi1->id); |
1727 | 1110 | } | ... | ... |
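--- a/tests/TestCase/Controller/MaterielsControllerTest.php
+++ b/tests/TestCase/Controller/MaterielsControllerTest.php
@@ -8,6 +8,7 @@ use Cake\ORM\TableRegistry;
 //use phpDocumentor\Reflection\Types\Self_;
 use Cake\Core\Configure;
 use App\Controller\AppController;
+use Cake\Utility\Inflector;
 //use phpDocumentor\Reflection\Types\Boolean;
 
 
@@ -1988,35 +1989,56 @@ class MaterielsControllerTest extends General {
 foreach ([false,true] as $belong) {
 foreach ([false,true] as $samegroup) {
 $this->_updateMatosStatusAndBelongingWith($id, $status, $belong, $samegroup);
-// Si l'action 'view' est autorisée, on l'exécute, puis on teste le contenue de la vue
-if ($cm->isAuthorizedAction('view', $id)) {
+// Si les actions 'view' ou/et 'index' sont autorisées, on les exécute, puis on teste le contenue de leur vue
+// 1) Check /materiels/view page
+if ($cm->isAuthorizedActionForCurrentUser('view', $id)) {
 $this->get("/materiels/view/$id");
 $this->assertResponseOk();
 foreach ($action_buttons as $action_name=>$action_label) {
 //debug("action:");debug("$action_name => $action_label");
-$controller = $this->_getControllerForAction($action_name);
+// Par défaut, Materiels
+$controller_name = 'Materiels';
+$controller = $cm;
+$args = explode('/', $action_name);
+if (count($args)==2) {
+$controller_name = $args[0];
+$action_name = $args[1];
+$controller = $this->_getControllerInstanceFromName($controller_name);
+}
 // Controleur materiel
 //debug($controller->name);
-//if ($controller==$cm) {
-if ($controller->name == 'Materiels') {
-$action_button_should_be_present = $controller->isAuthorizedAction($action_name, $id);
+//if ($controller_name == 'Materiels')
+if ($controller==$cm)
+$action_button_should_be_present = $controller->isAuthorizedActionForCurrentUser($action_name, $id);
 //if ($action_name=='setLabelIsPlaced')
 //debug("action_button_should_be_present is"); debug($action_button_should_be_present);
-}
 // Autre controleur
-else {
-$action_name = explode('/',$action_name)[1];
-
-$action_button_should_be_present = $controller->isAuthorizedAction($action_name, null, $id, $user);
-}
+else
+$action_button_should_be_present = $controller->isAuthorizedActionForCurrentUser($action_name, null, $id, $user);
 $this->_checkViewPageContainsThisActionButton($action_name, $action_label, $id, $action_button_should_be_present);
 }
 }
+// 2) Check /materiels/index page
+if ($cm->isAuthorizedActionForCurrentUser('index')) {
+$this->get("/materiels/index");
+$this->assertResponseOk();
+$this->_checkIndexPageContainsThisLineForThisMaterielId($id,$role,$cm);
+}
 } // each samegroup
 } // each belong
 
 } // testMaterielViewPage()
-
+
+/*
+private function _getControllerFromName($controller_name) {
+if ($controller_name=='Materiels')
+return $this->_getController();
+// Autre controleur
+else
+return $this->_getControllerInstanceFromName($controller_name);
+}
+*/
+/*
 private function _getControllerForAction($action_name) {
 $args = explode('/', $action_name);
 // Controleur materiel
@@ -2025,7 +2047,7 @@ class MaterielsControllerTest extends General {
 // Autre controleur
 else
 return $this->_getControllerInstanceFromName($args[0]);
-}
+}*/
 
 
 private function _checkViewPageContainsThisActionButton($action_name, $action_label, $id, $action_button_should_be_present=true) {
@@ -2034,6 +2056,7 @@ class MaterielsControllerTest extends General {
 else
 $this->assertResponseNotContains($action_label, "La vue du matériel (/materiels/view/$id) contient le bouton '$action_label', alors qu'elle ne devrait PAS !");
 }
+
 
 
 // Check du contenu de la vue view.ctp (surtout la présence ou non des boutons d'actions)
@@ -2068,36 +2091,73 @@ class MaterielsControllerTest extends General {
 } // _checkViewPageContentForRoleAndMatos()
 
 // Check du contenu de la vue index.ctp (surtout la présence ou non des boutons d'actions)
-private function OFF_checkIndexPageContentForRoleAndMatos($role, $matos_status, $i, $matos_id) {
+//private function OFF_checkIndexPageContentForRoleAndMatos($role, $matos_status, $i, $matos_id) {
+private function _checkIndexPageContainsThisLineForThisMaterielId($id,$role,$cm) {
+
+$m = $this->Materiels->get($id);
+//$content = $this->_getBodyAsString();
+//debug("content len 0 is ".strlen($content));
 
 // Par défaut, les boutons sont absents
-$bEdit = $bDelete = $bUpgrade = '';
+//$bEdit = $bDelete = $bUpgrade = '';
 
-// bouton Edit présent ?
+//$frompos = 0;
+
+// 0) Nom du matos présent ?
+// Seul Admin+ a accès aux matériels archivés
+// Pour les autres profils, ce matos ne sera pas dans l'index => on zappe ce cas
+//debug("role is $role, status is $m->status");
+//if ( in_array($role,['USER','RESP']) && $m->status=='ARCHIVED' ) return;
+if (!$this->USER_IS_ADMIN_AT_LEAST() && $m->status=='ARCHIVED') return;
+//debug("ici");
+$matos_name = $m->designation;
+$this->assertResponseContains($matos_name, "La ligne du matériel d'id $m->id dans la vue 'index' des matériels (/materiels/index) NE contient PAS le nom du materiel '$matos_name' pourtant attendu !");
+
+// 1) bouton Edit présent ?
 $action = 'edit';
-if ($this->isAuthorizedAction($action, $role, $matos_status, $i))
-//$bEdit = "<i class=icon-pencil></i>";
-$bEdit = '<i class="icon-pencil"></i>';
-
-// bouton Upgrade présent ?
-$action = 'upgrade';
-if ($this->isAuthorizedAction($action, $role, $matos_status, $i))
-$bUpgrade = '<i class="icon-ok-sign"></i>';
-
-// bouton Delete présent ?
+//$bEdit = '<i class="icon-pencil"></i>';
+$this->_checkActionButtonIsPresentInIndexPage($action, $m->id, $cm);
+
+// 2) bouton Upgrade status présent ?
+//$action = 'upgrade';
+//$status_actions = ['status-validated', 'status-tobearchived', 'status-archived'];
+$status_actions = ['statusValidated', 'statusTobearchived', 'statusArchived'];
+foreach ($status_actions as $action) $this->_checkActionButtonIsPresentInIndexPage($action, $m->id, $cm);
+
+// 3) bouton Delete présent ?
 $action = 'delete';
-if ($this->isAuthorizedAction($action, $role, $matos_status, $i))
-$bDelete = '<i class="icon-trash"></i>';
-
-$matos_name = "matos_${matos_status}$i";
-$matos_line = $bEdit.'***'.$bUpgrade.'***'.$bDelete.'***'.$matos_name;
+//$bDelete = '<i class="icon-trash"></i>';
+$this->_checkActionButtonIsPresentInIndexPage($action, $m->id, $cm);
 
-$this->assertResponseOk();
-$this->assertResponseContains($matos_line, "La ligne du matériel d'id $matos_id dans la vue 'index' des matériels (/materiels/index) ne contient pas les boutons attendus !");
+//$this->assertResponseOk();
+//$matos_line = $bEdit.'***'.$bUpgrade.'***'.$bDelete.'***'.$matos_name;
+//$this->assertResponseContains($matos_line, "La ligne du matériel d'id $m->id dans la vue 'index' des matériels (/materiels/index) ne contient pas les boutons attendus !");
+//$this->assertResponseRegExp($pattern, "pas bon regex !");
 
 } // _checkIndexPageContentForRoleAndMatos()
 
 
+private function _checkActionButtonIsPresentInIndexPage($action, $id, $cm) {
+$button_should_be_present = $cm->isAuthorizedActionForCurrentUser($action, $id);
+$action_link = Inflector::dasherize($action); // statusTobearchived => status-tobearchived
+$elem = '<a href="/materiels/'.$action_link.'/'.$id.'"'; // <a href="/materiels/status-tobearchived/12015"
+if ($button_should_be_present)
+$this->assertResponseContains($elem, "La ligne du matériel d'id $id dans la vue 'index' des matériels (/materiels/index) NE contient PAS le bouton '$action' ($action_link) pourtant attendu !");
+else
+$this->assertResponseNotContains($elem, "La ligne du matériel d'id $id dans la vue 'index' des matériels (/materiels/index) contient le bouton '$action' ($action_link) pourtant inattendu !");
+/*
+if ($cm->isAuthorizedActionForCurrentUser($action, $id)) {
+$elem = '<a href="/materiels/'.$action.'/'.$m->id.'"'; // <a href="/materiels/status-tobearchived/12015"
+$curpos = strpos($content, $elem);
+debug($curpos);
+$this->assertTrue($curpos!==false);
+$content = substr($content, $curpos);
+debug("content len 2 is ".strlen($content));
+return [];
+}
+*/
+}
+
 /**
 * Test (automatique) de (presque) TOUTES les actions de CE controleur
 *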
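Review bot: The bare `return` at `if (!$this->USER_IS_ADMIN_AT_LEAST() && $m->status=='ARCHIVED') return;` in `_checkIndexPageContainsThisLineForThisMaterielId()` silently skips the one negative visibility case, so the test never verifies that an archived materiel is actually absent from /materiels/index for USER and RESP — precisely the row the listing is supposed to hide from them. Assert the absence before returning, anchored on something row-specific rather than the shared `designation`, e.g. `$this->assertResponseNotContains('/materiels/view/'.$m->id.'"', "Matériel archivé $m->id visible dans l'index pour un profil non-admin !"); return;` (swap `view` for whichever per-row link the index template emits, which cannot be confirmed from this hunk), so a regression in the index filter fails the test instead of being ignored. Note also that `_checkActionButtonIsPresentInIndexPage()` and the view-page loop both use `isAuthorizedActionForCurrentUser()` as their oracle, so they only prove the rendered buttons agree with the controller's own rule, not that the rule is right; a wrong rule passes on both sides, and a small explicit role/status expectation table would close that gap. Whether `USER_IS_ADMIN_AT_LEAST()` is defined on the test class (it is called on `$this`, not on `$cm`) also cannot be confirmed here, and the closing comment `} // _checkIndexPageContentForRoleAndMatos()` still carries the old method name.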