From d52d9e4583f2da8d8dd63ce47f230c27016878a0 Mon Sep 17 00:00:00 2001 From: Etienne Pallier Date: Thu, 23 May 2019 13:46:34 +0200 Subject: [PATCH] simplification des vues et acl (materiel) --- src/Controller/AppController.php | 32 +++++++++++++++++++++++++++----- src/Controller/MaterielsController.php | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------ src/Controller/PagesController.php | 8 ++++++++ src/Controller/UsersController.php | 2 ++ src/Template/Materiels/index.ctp | 7 +++++++ src/Template/Materiels/view.ctp | 7 +++++++ 6 files changed, 107 insertions(+), 17 deletions(-) diff --git a/src/Controller/AppController.php b/src/Controller/AppController.php index 6f15f42..8b4e7a1 100755 --- a/src/Controller/AppController.php +++ b/src/Controller/AppController.php @@ -362,6 +362,8 @@ class AppController extends Controller */ public function initialize() { + $this->myDebug("step AVANT 0: AppController.initialize()"); + parent::initialize(); $this->loadComponent('RequestHandler'); @@ -428,6 +430,8 @@ class AppController extends Controller */ public function isAuthorized($user) { + $this->myDebug("step 1: AppController.isAuthorized()"); + /* * // ATTENTION, normalement, on devrait tester si role est défini..., mais c'est sans doute pas utile * // cf https://book.cakephp.org/3.0/fr/tutorials-and-examples/blog-auth-example/auth.html @@ -596,6 +600,8 @@ class AppController extends Controller */ public function beforeFilter(Event $event) { + $this->myDebug("step 0: AppController.beforeFilter()"); + // !!! Ne jamais autoriser l'action 'login', sinon cela va créer des problèmes sur le fonctionnement normal de AuthComponent (cf doc) !!! // parent::beforeFilter($event); 
@@ -615,9 +621,10 @@ class AppController extends Controller // (EP 21/5/19) NEW - // TODO: (EP) A quoi ça sert ??? $configuration = $this->confLabinvent; - //$this->set('configuration', $configuration); + //$this->myDebug($configuration); + + // TODO: (EP) A quoi ça sert ??? $this->request->getSession()->write("authType", $configuration->ldap_authenticationType); // ATTENTION, $priviledgedUser = NULL si l'utilisateur courant n'est pas un utilisateur privilégié @@ -634,13 +641,13 @@ class AppController extends Controller $this->userName = $this->LdapAuth->user('sn')[0] . ' ' . $this->LdapAuth->user('givenname')[0]; //$this->set('username', $this->LdapAuth->user('sn')[0] . ' ' . $this->LdapAuth->user('givenname')[0]); - $this->USER_IS_UTILISATEUR = ($profile == self::PROFILE_USER); + $this->USER_IS_RESPONSABLE = ($profile == self::PROFILE_RESPONSABLE); $this->USER_IS_ADMIN = ($profile == self::PROFILE_ADMIN); $this->USER_IS_ADMINPLUS = ($profile == self::PROFILE_ADMINPLUS); $this->USER_IS_SUPERADMIN = ($profile == self::PROFILE_SUPERADMIN); + $this->USER_IS_RESPONSABLE_OR_MORE = ($profile >= self::PROFILE_RESPONSABLE); - $this->USER_IS_RESPONSABLE = ($profile == self::PROFILE_RESPONSABLE); $this->USER_IS_ADMIN_OR_MORE = ($profile >= self::PROFILE_ADMIN); $this->USER_IS_ADMINPLUS_OR_MORE = ($profile >= self::PROFILE_ADMINPLUS); 
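Review bot: The second hunk on this line removes `$this->USER_IS_UTILISATEUR = ($profile == self::PROFILE_USER);` without adding a replacement, while the sibling `USER_IS_*` flags are kept and exported to views in the next hunk; if that property is still declared or passed via `$this->set('USER_IS_UTILISATEUR', ...)` it will now keep its default value rather than reflecting the profile. Either restore the line next to the new `USER_IS_RESPONSABLE` assignment or retire the flag completely (declaration and any `set()` call) in the same commit. The new `USER_IS_RESPONSABLE_OR_MORE = ($profile >= self::PROFILE_RESPONSABLE)` presumably relies on the `PROFILE_*` constants being ordered integers; a one-line comment where they are declared, `// PROFILE_* are ordered ints, compared with >= below`, would make that contract explicit. beforeFilter starts and ends outside this hunk.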
@@ -675,7 +682,16 @@ class AppController extends Controller $this->set('USER_IS_ADMIN_OR_MORE', $this->USER_IS_ADMIN_OR_MORE); $this->set('USER_IS_ADMINPLUS_OR_MORE', $this->USER_IS_ADMINPLUS_OR_MORE); - $configuration = $this->confLabinvent; + // (EP) TODO: vraiment utile ??? A virer, non ? + $this->set('PROFILE_USER', self::PROFILE_USER); + $this->set('PROFILE_ADMIN', self::PROFILE_ADMIN); + $this->set('PROFILE_RESPONSABLE', self::PROFILE_RESPONSABLE); + $this->set('PROFILE_ADMINPLUS', self::PROFILE_ADMINPLUS); + $this->set('PROFILE_SUPERADMIN', self::PROFILE_SUPERADMIN); + // $this->set('allProfiles', $this->allProfiles); + $this->set('allProfiles', self::PROFILES); + + //$configuration = $this->confLabinvent; if ($configuration->mode_install) $this->LdapAuth->allow([ 'display', @@ -712,6 +728,10 @@ class AppController extends Controller */ public function beforeRender(Event $event) { + $this->myDebug("step 3: AppController.beforeRender()"); + + // (EP 23/5/19) moved to beforeFilter() + /* $this->set('PROFILE_USER', self::PROFILE_USER); $this->set('PROFILE_ADMIN', self::PROFILE_ADMIN); $this->set('PROFILE_RESPONSABLE', self::PROFILE_RESPONSABLE); @@ -719,7 +739,9 @@ class AppController extends Controller $this->set('PROFILE_SUPERADMIN', self::PROFILE_SUPERADMIN); // $this->set('allProfiles', $this->allProfiles); $this->set('allProfiles', self::PROFILES); + */ + // Ca sert à quoi ??? if (! array_key_exists('_serialize', $this->viewVars) && in_array($this->response->type(), [ 'application/json', 'application/xml' diff --git a/src/Controller/MaterielsController.php b/src/Controller/MaterielsController.php index 5a6f67a..6618e71 100755 --- a/src/Controller/MaterielsController.php +++ b/src/Controller/MaterielsController.php 
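Review bot: After commenting out `$configuration = $this->confLabinvent;`, the check `if ($configuration->mode_install)` depends on the assignment some sixty lines earlier in beforeFilter (a context line of the previous hunk), which appears to still be in scope, but the commented-out line should be deleted rather than kept, and the same goes for the `/* ... */` block the beforeRender hunk wraps around the old `set('PROFILE_*')` calls. The `(EP) TODO: vraiment utile ??? A virer, non ?` note is contradicted by the index.ctp and view.ctp hunks of this same commit, which start reading exactly those variables, so either drop the TODO or drop the exports, not both halves. On the `_serialize` block, `// Ca sert à quoi ???` can be replaced with a comment that answers it, e.g. `// Serialize all view vars for JSON/XML requests when the action did not set _serialize itself`.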
@@ -152,14 +152,18 @@ class MaterielsController extends AppController //use Cake\Event\Event; public function beforeFilter(\Cake\Event\Event $event) { - $this->myDebug("step 0: beforeFilter()"); + $this->myDebug("step 0: MaterielsController.beforeFilter()"); + // ICI CEST OK + /* $toto="tititoto"; $this->set(compact('toto')); + */ parent::beforeFilter($event); } + /* * EP added 13/6/17 * Set some useful global variables for all (Materiel) views @@ -173,7 +177,7 @@ class MaterielsController extends AppController */ public function beforeRender(\Cake\Event\Event $event) { - $this->myDebug("step 3: beforeRender()"); + $this->myDebug("step 3: MaterielsController.beforeRender()"); parent::beforeRender($event); @@ -234,7 +238,7 @@ class MaterielsController extends AppController public function isAuthorized($userFromSession) { //if (parent::isAuthorized($userFromSession)) return TRUE; - $this->myDebug("step 1: isAuthorized()"); + $this->myDebug("step 1: MaterielsController.isAuthorized()"); /* ICI C'EST OK $toto="tititoto"; 
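Review bot: The `$toto="tititoto"; $this->set(compact('toto'));` scaffolding in MaterielsController::beforeFilter is kept inside a `/* */` block together with the `// ICI CEST OK` marker; since it has no role left, delete it instead of commenting it out, and the same applies to the `/* ICI C'EST OK` block in isAuthorized further down this line. The renamed debug strings now identify the controller, which is useful, but consider noting where `myDebug()` writes to (log vs page) in its own docblock so these calls are not left emitting into responses in production.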
@@ -366,11 +370,49 @@ class MaterielsController extends AppController * */ + // (EP 23/5/19) NEW optimization + $materiel = $this->Materiels->get($id, ['contain' => [ + 'SurCategories', + 'Categories', + 'SousCategories', + 'GroupesThematiques', + 'GroupesMetiers', + 'Organismes', + 'Sites', + 'Documents', + 'Emprunts', + 'Suivis', + 'Fournisseurs' + ] + ]); + + $IS_CREATED = $materiel->status == 'CREATED'; + $USER_IS_CREATOR_OR_OWNER = in_array($this->userName, [ + $materiel->nom_createur, + $materiel->nom_responsable + ]); + // Current user is same group as current materiel + $USER_IS_SAME_GROUP = ( + ( isset($this->priviledgedUser->groupes_metier_id) && $this->priviledgedUser->groupes_metier_id != $this->idGmNa && $materiel->groupes_metier_id == $this->priviledgedUser->groupes_metier_id ) + || + ( isset($this->priviledgedUser->groupe_thematique_id) && $this->priviledgedUser->groupe_thematique_id != $this->idGtNa && $materiel->groupes_thematique_id == $this->priviledgedUser->groupe_thematique_id ) + ); + $CAN_EDIT = $IS_CREATED && ( + $this->USER_IS_ADMIN_OR_MORE + || + $USER_IS_CREATOR_OR_OWNER + || + ($this->USER_IS_RESPONSABLE && $USER_IS_SAME_GROUP) + ); + return $CAN_EDIT; + + // (EP 23/5/19) OLD METHOD + /* // (EP 17/5/19) ON AUTORISE SEULEMENT LA MODIF D'UN MATOS CREATED // UN user Admin ou plus ne pourra le modifier qu'à condition de le "dé-valider" avant if ($this->isCreated($id)) { //if ($this->isCreated($id) || $this->isValidated($id)) { - /* + /STAR * if ($role == 'Utilisateur' && $this->isOwnedBy($id, $user['sn'][0] . ' ' . $user['givenname'][0])) { * return true; * } else if ($role == 'Responsable' && $this->isRespGroup($id, $user[$configuration->authentificationType_ldap][0])) { @@ -378,7 +420,7 @@ class MaterielsController extends AppController * } else if ($this->userHasRoleAtLeast('Administration')) { * return true; * } - */ + STAR/ switch ($role) { case 'Utilisateur': //return $this->isOwnedBy($id, $user['sn'][0] . ' ' . $user['givenname'][0]); 
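Review bot: The new edit check decides ownership by display name, `in_array($this->userName, [$materiel->nom_createur, $materiel->nom_responsable])`, where `$this->userName` is the `sn . ' ' . givenname` string built in AppController::beforeFilter; two directory users sharing a surname and given name are indistinguishable, and without `true` as third argument `in_array` compares loosely, so an empty or null stored name matches an empty user name. If the entity carries a login/uid for the creator and owner, compare on that; at minimum use `in_array(..., true)` and `$materiel->status === 'CREATED'`. The `get($id, ['contain' => [...]])` loads eleven associations although only status, nom_createur, nom_responsable, groupes_metier_id and groupes_thematique_id are read, and view() loads the same entity with the same contain list just before calling this, so a plain `$this->Materiels->get($id)` (or passing the already loaded entity) avoids the double fetch; note too that `get()` throws when `$id` does not exist, so an unknown id surfaces from the authorization path as a not-found error rather than a denial, which may be acceptable but deserves a comment. The previous implementation is kept as a `/STAR ... STAR/` comment block spanning this and the next two hunks; delete it rather than keeping a nested-comment workaround. The enclosing method starts outside this hunk.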
@@ -394,13 +436,14 @@ class MaterielsController extends AppController break; } } - /* + /STAR (EP 17/5/19) : Ben non, pas le droit, faudra dé-valider avant, non mais !!! if ($this->userHasRoleAtLeast('Administration Plus')) { return true; } - */ + STAR/ break; // EDIT + */ // DELETE case 'delete': @@ -618,7 +661,7 @@ class MaterielsController extends AppController */ public function index() { - $this->myDebug("step 2: index()"); + $this->myDebug("step 2: MaterielsController.index()"); $condition = ''; if (isset($this->request->getAttribute('params')['pass'][0])) { @@ -758,7 +801,8 @@ class MaterielsController extends AppController */ public function view($id = null) { - $this->myDebug("step 2: view()"); + $this->myDebug("step 2: MaterielsController.view()"); + $materiel = $this->Materiels->get($id, [ 'contain' => [ 'SurCategories', @@ -832,9 +876,9 @@ class MaterielsController extends AppController // NEW // TODO: marche pas !!! - //$CAN_EDIT = $this->isAuthorizedAction($this->userRole, 'edit', $id, $this->userFromSession, $this->userCname); + $CAN_EDIT = $this->isAuthorizedAction($this->userRole, 'edit', $id, $this->userFromSession, $this->userCname); // OLD - $CAN_EDIT = $IS_CREATED && $CAN_ATTACH_A_DOC; + //$CAN_EDIT = $IS_CREATED && $CAN_ATTACH_A_DOC; $this->set(compact('CAN_EDIT')); $CAN_COPY = $CAN_EDIT; @@ -896,7 +940,7 @@ class MaterielsController extends AppController */ public function add_or_edit($is_add, $id=null, $valeurs=null, $erreurs=null) { - $this->myDebug("step 2: add_or_edit()"); + $this->myDebug("step 2: MaterielsController.add_or_edit()"); $usersTable = TableRegistry::getTableLocator()->get('Users'); diff --git a/src/Controller/PagesController.php b/src/Controller/PagesController.php index 73385bc..0d0142e 100755 --- a/src/Controller/PagesController.php +++ b/src/Controller/PagesController.php 
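Review bot: In the view() hunk (`@@ -832,9 +876,9 @@`), `// TODO: marche pas !!!` now sits directly above the line this commit enables, `$CAN_EDIT = $this->isAuthorizedAction($this->userRole, 'edit', $id, $this->userFromSession, $this->userCname);`, so the comment is stale and should be removed or replaced by what, if anything, still fails; the commented-out `//$CAN_EDIT = $IS_CREATED && $CAN_ATTACH_A_DOC;` can go as well. Since `$CAN_COPY = $CAN_EDIT;` follows, copying now inherits the same-group and creator/owner rules of the new check, which is worth one comment, e.g. `// copy is allowed exactly when edit is`. view() starts and ends outside this hunk.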
@@ -68,6 +68,14 @@ class PagesController extends AppController */ public function display() { + // (EP 21/5/19) + // On ne voit ce message que sur la page "about" + // En effet, les autres pages nécessitant un login, + // on est redirigé sur la page login et donc la methode login() du controleur UsersController + // Du coup, il faut décommenter la ligne "exit" juste après pour voir ce message (évite la redirection). + $this->myDebug("step 2: PagesController.display()"); + //exit; + $configuration = $this->confLabinvent; $path = func_get_args(); diff --git a/src/Controller/UsersController.php b/src/Controller/UsersController.php index 0f6a26f..8159c53 100755 --- a/src/Controller/UsersController.php +++ b/src/Controller/UsersController.php @@ -63,6 +63,8 @@ class UsersController extends AppController public function login() { + $this->myDebug("step 2: UsersController.login()"); + // Un utilisateur a essayé de se loguer if ($this->request->is('post')) { $user = $this->LdapAuth->connection(); diff --git a/src/Template/Materiels/index.ctp b/src/Template/Materiels/index.ctp index 8f1a206..431b98d 100644 --- a/src/Template/Materiels/index.ctp +++ b/src/Template/Materiels/index.ctp @@ -34,6 +34,13 @@ $USER_IS_ADMIN_OR_MORE = $USER_IS_ADMIN_OR_MORE; $USER_IS_ADMINPLUS = $USER_IS_ADMINPLUS; $USER_IS_ADMINPLUS_OR_MORE = $USER_IS_ADMINPLUS_OR_MORE; $USER_IS_SUPERADMIN = $USER_IS_SUPERADMIN; +// (EP) TODO: Vraiment utile ??? A virer je pense +$PROFILE_USER = $PROFILE_USER; +$PROFILE_ADMIN = $PROFILE_ADMIN; +$PROFILE_RESPONSABLE = $PROFILE_RESPONSABLE; +$PROFILE_ADMINPLUS = $PROFILE_ADMINPLUS; +$PROFILE_SUPERADMIN = $PROFILE_SUPERADMIN; +$allProfiles = $allProfiles; // - Fonctions : $displayElement = $displayElement; diff --git a/src/Template/Materiels/view.ctp b/src/Template/Materiels/view.ctp index 3cd4666..171a9ee 100755 --- a/src/Template/Materiels/view.ctp +++ b/src/Template/Materiels/view.ctp 
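Review bot: The lines added to index.ctp, `$PROFILE_USER = $PROFILE_USER;` through `$allProfiles = $allProfiles;`, are self-assignments that do nothing at runtime, and the same block is added to view.ctp on the next line; if they exist to document the view variables the template expects, a comment such as `// view vars exported by AppController::beforeFilter()` says so without code, and the `(EP) TODO: Vraiment utile ??? A virer je pense` should then be resolved here rather than left open. In PagesController::display, the `//exit;` line and its explanatory comment are debugging residue; either remove them or move the explanation into the docblock of `myDebug()` where it applies generally.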
@@ -25,6 +25,13 @@ $USER_IS_ADMINPLUS_OR_MORE = $USER_IS_ADMINPLUS_OR_MORE; $USER_IS_SUPERADMIN = $USER_IS_SUPERADMIN; $USER_IS_CREATOR_OR_OWNER = $USER_IS_CREATOR_OR_OWNER; $USER_IS_SAME_GROUP = $USER_IS_SAME_GROUP; +// (EP) TODO: Vraiment utile ??? A virer je pense +$PROFILE_USER = $PROFILE_USER; +$PROFILE_ADMIN = $PROFILE_ADMIN; +$PROFILE_RESPONSABLE = $PROFILE_RESPONSABLE; +$PROFILE_ADMINPLUS = $PROFILE_ADMINPLUS; +$PROFILE_SUPERADMIN = $PROFILE_SUPERADMIN; +$allProfiles = $allProfiles; // - Materiel status: $idGmNa = $idGmNa; -- libgit2 0.21.2