From f084c88bfd824e789572a5cc1acb8fa0b19796f8 Mon Sep 17 00:00:00 2001 
From: Etienne Pallier Date: Tue, 29 Aug 2017 18:13:28 +0200 Subject: [PATCH] Gros bugfix + simplification ACL (authorizations) --- README-LABINVENT.md | 6 ++++-- src/Controller/AppController.php | 104 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------ src/Controller/CategoriesController.php | 43 +++++++++++++++++++++++++++++-------------- src/Controller/ConfigurationsController.php | 19 ++++++++++--------- src/Controller/DocumentsController.php | 31 ++++++++++++++++++------------- src/Controller/EmpruntsController.php | 25 ++++++++++++++----------- src/Controller/FichemetrologiquesController.php | 9 +++++---- src/Controller/FormulesController.php | 28 ++++++++++++++++------------ src/Controller/FournisseursController.php | 42 ++++++++++++++++++++++++++++-------------- src/Controller/GroupesMetiersController.php | 52 ++++++++++++++++++++++++++++++++++++---------------- src/Controller/GroupesThematiquesController.php | 43 ++++++++++++++++++++++++++----------------- src/Controller/MaterielsController.php | 19 +++++++++++++++---- src/Controller/OrganismesController.php | 28 ++++++++++++++++++++-------- src/Controller/PagesController.php | 5 ++++- src/Controller/QrCodesController.php | 1 + src/Controller/SitesController.php | 18 ++++++++++++------ src/Controller/SousCategoriesController.php | 14 +++++++++----- src/Controller/SuivisController.php | 15 +++++++++++---- src/Controller/SurCategoriesController.php | 6 ++++-- src/Controller/TypeDocumentsController.php | 6 ++++-- src/Controller/TypeSuivisController.php | 6 ++++-- src/Controller/UnitesController.php | 6 ++++-- src/Controller/UsersController.php | 44 ++++++++++++++++++++++++-------------------- src/Model/Table/LdapConnectionsTable.php | 45 ++++++++++++++++++++++++++++++++++----------- src/Template/Layout/default.ctp | 2 +- tests/TestCase/Controller/General.php | 17 ++++++++++++++--- tests/TestCase/Controller/MaterielsControllerTest.php | 12 +++++++++--- 27 
files changed, 448 insertions(+), 198 deletions(-) diff --git a/README-LABINVENT.md b/README-LABINVENT.md index 1806ef6..9edced4 100755 --- a/README-LABINVENT.md +++ b/README-LABINVENT.md @@ -48,8 +48,10 @@ Logiciel testé et validé sur les configurations suivantes : VERSION ACTUELLE Date: 29/08/2017 -Version: 2.7.7 - Grosse amelioration des tests (refactorisation, généralisation) +Version: 2.7.8 + - Bugfix important sur détection du role "Utilisateur" pour les personnes du ldap qui ne sont pas dans la table utilisateurs !!! + - Creation d'un fake utilisateur pour simuler un utilisateur qui n'est pas dans la table utilisateurs (et tester le cas ci-dessus) + - Ajout de tests avec cet utilisateur Version majeure en cours (2.7): https://projects.irap.omp.eu/versions/162 diff --git a/src/Controller/AppController.php b/src/Controller/AppController.php index b8f74a5..34c998c 100755 --- a/src/Controller/AppController.php +++ b/src/Controller/AppController.php @@ -59,6 +59,19 @@ class AppController extends Controller { //debug("role is" .$role); return self::PROFILES[$role]; } + + public function getActionPassed() { + // BETTER: + //return $this->request->getAttribute('params')['action']; + return $this->request->getParam('action'); + } + + public function getIdPassed() { + //return (int) $this->request->getAttribute('params')['pass'][0]; + return (int) $this->request->getParam('pass.0'); + } + + /** * Initialization hook method. 
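Review bot: `getActionPassed()` and `getIdPassed()` are added as `public` methods on the base controller, and in CakePHP 3 any public controller method not declared on `Cake\Controller\Controller` is dispatchable as a URL action (`Controller::isAction()` only checks visibility), so `/materiels/getIdPassed` and friends become reachable routes gated solely by `isAuthorized()`. The impact is low (a missing template error at worst) but it is avoidable attack surface: `protected function getActionPassed()` and `protected function getIdPassed()` keep them callable from every subclass while taking them off the routable surface. `getIdPassed()` also deserves a comment that the `(int)` cast turns an absent `pass.0` into `0`, since it now feeds ownership checks in several controllers: `// 0 when the route carries no id; callers must not treat 0 as a real record`.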
@@ -81,28 +94,69 @@ class AppController extends Controller { $this->confLabinvent = TableRegistry::get('Configurations')->find()->where(['id =' => 1])->first(); } + + /** + * Autorisations fréquentes utilisées par bcp de isAuthorized() de controlleurs + * Ca évite de répéter 10 fois la meme chose !!! + */ + public function isAuthorizedCommons() { + $action = $this->getActionPassed(); + //$role = $this->getUserRole($user); + + // Seul Administration (et +) peut ajouter, supprimer ou modifier un organisme + if( in_array($action,['add','delete','edit'])) { + if ($this->USER_IS_ADMIN_AT_LEAST()) return true; + // Les autres n'y ont pas accès + return false; + } + + // By default + return parent::isAuthorized($user); + } + /** * @param $user * @return boolean + * + * isAuthorized is located in the Auth component + * Check whether a LOGGED in user has a set of permissions to perform a given action * Give authorization in general + * + * 2) Autorisation APRES connexion + * (Avant, c'est beforeFilter() qui s'en occupe) */ public function isAuthorized($user) { + /* + // ATTENTION, normalement, on devrait tester si role est défini..., mais c'est sans doute pas utile + // cf https://book.cakephp.org/3.0/fr/tutorials-and-examples/blog-auth-example/auth.html + if (isset($user['role']) && $user['role'] === 'admin') { + return true; + } + */ + $configuration = $this->confLabinvent; + $role = $this->getUserRole($user); + /* $role = TableRegistry::get('Users')->find() ->where(['username' => $user[$configuration->authentificationType_ldap][0]]) ->first()['role']; + */ + $this->myDebug("role is ".$role); - $action = $this->request->getAttribute('params')['action']; - + //BETTER: + //$action = $this->request->getAttribute('params')['action']; + //$action = $this->request->getParam('action'); + $action = $this->getActionPassed(); + // error_log($action); - // ACL : Super-Admin peut accéder à chaque action - if ($role == 'Super Administrateur') - return true; - - // ACL : Pour tout le 
monde + // ACL : Actions accessibles à tous les roles (profils) if (in_array($action, ['index', 'view', 'add', 'find', 'creer', 'getNextDate', 'getDateGarantie'])) return true; + + // ACL : Super-Admin peut accéder à toutes les actions + if ($role == 'Super Administrateur') + return true; // ACL : Par défaut refuser return false; @@ -113,17 +167,22 @@ class AppController extends Controller { if (! $this->CURRENT_USER) { $configuration = $this->confLabinvent; $username = $user ? $user[$configuration->authentificationType_ldap][0] : $this->LdapAuth->user($configuration->authentificationType_ldap)[0]; - $this->CURRENT_USER = TableRegistry::get('Users') + $priviledgedUser = TableRegistry::get('Users') ->find() ->where(['username' => $username]) //->where(['username' => $this->LdapAuth->user('cn')[0]]) ->first(); + //if (! $priviledgedUser) $priviledgedUser = "Unpriviledged User (not in table utilisateurs)"; + $this->CURRENT_USER = $priviledgedUser; } return $this->CURRENT_USER; } public function getUserRole($user=null) { return $this->getPriviledgedUserRole($user); } public function getPriviledgedUserRole($user=null) { - return $this->getTablePriviledgedUserFromCurrentSessionUser($user)['role']; + $priviledgedUser = $this->getTablePriviledgedUserFromCurrentSessionUser($user); + // default role is "Utilisateur" (for people who are not in the table utilisateurs) + if (! $priviledgedUser) return 'Utilisateur'; + return $priviledgedUser['role']; /* if (! $this->CURRENT_ROLE) { $configuration = $this->confLabinvent; @@ -137,7 +196,7 @@ class AppController extends Controller { */ } - public function userHasRole($expectedRole, $ORMORE=false) { + private function userHasRole($expectedRole, $ORMORE=false) { $role = $this->getUserRole(); if (! $ORMORE) return ($role == $expectedRole); return ($this->getRoleLevel($role) >= $this->getRoleLevel($expectedRole)); 
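Review bot: In `isAuthorizedCommons()` the fallback `return parent::isAuthorized($user);` references a `$user` that is never defined (the method takes no parameters), and because the method lives in `AppController`, `parent::` resolves to `Cake\Controller\Controller`, which in stock CakePHP 3 has no `isAuthorized()` at all (`ControllerAuthorize` probes for it with `method_exists`), so the first `index`/`view`/other action that reaches this fallback through a delegating controller should error out rather than fall back to the generic rules, unless `beforeFilter()` already allows that action. Switching to `$this->isAuthorized()` would not help, as the subclass override would re-enter this method. I would change the signature to `public function isAuthorizedCommons($user = null)` and the fallback to `return self::isAuthorized($user);`, which binds to `AppController::isAuthorized()` and already tolerates `null` via the session fallback in `getUserRole()`. In `isAuthorized()` itself, the role-independent whitelist `['index', 'view', 'add', 'find', 'creer', 'getNextDate', 'getDateGarantie']` is now the only policy several controllers inherit, and `add` being open to every role (including the new default 'Utilisateur') is worth a comment on that line, e.g. `// NOTE: 'add' is granted to every role on every controller that falls back here`.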
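Review bot: `getPriviledgedUserRole()` now maps a principal with no row in the users table to 'Utilisateur', which is the intended fix but is also a fail-open default: every identity that can authenticate against the directory, including technical accounts never enrolled in the application, receives the base role, and through `AppController::isAuthorized()` that role can `add` on every controller. That decision should be stated where it is made rather than only in the README; suggested comment above the fallback: `// Policy: an LDAP-authenticated principal absent from the users table is a plain 'Utilisateur'. Keep this the lowest level in getRoleLevel(); never grant it more by default.` A smaller issue in `getTablePriviledgedUserFromCurrentSessionUser()`: when the lookup finds nothing, `CURRENT_USER` stays null, so the `if (! $this->CURRENT_USER)` guard re-runs the query on every `USER_IS_*` call in the request; caching a "looked up, absent" state (the commented-out sentinel string hints at the idea) would avoid that. Both method bodies continue past this hunk.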
@@ -163,7 +222,7 @@ class AppController extends Controller { return $false; */ } - public function userHasRoleAtLeast($expectedRole) { + private function userHasRoleAtLeast($expectedRole) { return $this->userHasRole($expectedRole, true); } public function USER_IS_ADMIN_AT_LEAST() { return $this->userHasRoleAtLeast('Administration'); } @@ -178,9 +237,26 @@ class AppController extends Controller { * {@inheritdoc} * * @see \Cake\Controller\Controller::beforeFilter() + * + * 1) Autorisations SANS (ou AVANT) connexion + * 2) Ensuite, c'est isAuthorized qui gère + * */ public function beforeFilter(Event $event) { // !!! Ne jamais autoriser l'action 'login', sinon cela va créer des problèmes sur le fonctionnement normal de AuthComponent (cf doc) !!! + //parent::beforeFilter($event); + + /* EXEMPLES d'utilisation: + // to allow all access to all actions: + if (isset($this->Auth)) { + $this->Auth->allow('*'); + } + // Allow access to index & view actions: + if (isset($this->Auth)) { + $this->Auth->allowedActions = array('index', 'view'); + } + */ + $configuration = $this->confLabinvent; if ($configuration->mode_install) @@ -224,13 +300,17 @@ class AppController extends Controller { $this->set('configuration', $configuration); $this->request->session()->write("authType", $configuration->authentificationType_ldap); + //TODO: mettre ca au propre, le cas ou l'utilisateur a un role UTILISATEUR doit etre traité AVANT, en amont, et pas ici, bien trop tard + $user = $this->getUser(); + $role = $this->getUserRole(); + /* $user = TableRegistry::get('Users')->find() ->where(['username' => $this->LdapAuth->user($configuration->authentificationType_ldap)[0]]) ->first(); - $role = $user['role']; if ($role == null) $role = 'Utilisateur'; + */ $this->set('role', $role); //$profile = $this->allProfiles["$role"]; diff --git a/src/Controller/CategoriesController.php b/src/Controller/CategoriesController.php index 616c0cc..fc8220a 100755 --- a/src/Controller/CategoriesController.php 
+++ b/src/Controller/CategoriesController.php 
@@ -19,32 +19,47 @@ class CategoriesController extends AppController /** * @param $user + * @return boolean * * Give authorization for categories * - * @return boolean */ public function isAuthorized($user) { - $configuration = $this->confLabinvent; - $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; - $action = $this->request->getAttribute('params')['action']; + //$configuration = $this->confLabinvent; + //$role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; + //$action = $this->request->getAttribute('params')['action']; + $action = $this->getActionPassed(); + $role = $this->getUserRole($user); + // Actions autorisées pour tous les profils + //if (in_array($action, ['getBySurCategorie', 'getAll', 'view', 'index'])) { + if (in_array($action, ['getBySurCategorie', 'getAll'])) { + return true; + } + + /* // Super-Admin peut accéder à chaque action - if($role == 'Super Administrateur') return true; + if($role == 'Super Administrateur') return true; + */ - // Administration peut ajouter, supprimer ou modifier une categorie - if($role == 'Administration' && in_array($action,['add','delete','edit'])) return true; - if (in_array($action, ['getBySurCategorie', 'getAll', 'view', 'index'])) { - return true; - } - - if($this->userHasRoleAtLeast('Administration Plus')) { - if($action != 'delete') return true; + /* + // Administration peut ajouter, supprimer ou modifier une categorie + //if($role == 'Administration' && in_array($action,['add','delete','edit'])) return true; + if( in_array($action,['add','delete','edit'])) { + //if ($role == 'Administration') return true; + if ($this->USER_IS_ADMIN_AT_LEAST()) return true; + // Les autres n'y ont pas accès + return false; } + */ + + // Par défaut + //return false; + //return parent::isAuthorized($user); - return false; + return $this->isAuthorizedCommons(); } 
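Review bot: Delegating to `isAuthorizedCommons()` silently changes the `delete` rule for 'Administration Plus': the removed branch `if($this->userHasRoleAtLeast('Administration Plus')) { if($action != 'delete') return true; }` deliberately withheld delete from that role, whereas `USER_IS_ADMIN_AT_LEAST()` grants add/edit/delete to every role at or above 'Administration'; whether that is a widening or a narrowing depends on where `getRoleLevel()` ranks 'Administration Plus', which this diff does not show, but either way the behaviour moved without being named in the commit message. If the exclusion is still wanted, add it before the delegation: `if ($action === 'delete' && $role === 'Administration Plus') return false;`. `$role` is otherwise computed and never used in the new body, so either use it for that check or drop the lookup.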
/** diff --git a/src/Controller/ConfigurationsController.php b/src/Controller/ConfigurationsController.php index eca68bf..687ea78 100644 --- a/src/Controller/ConfigurationsController.php +++ b/src/Controller/ConfigurationsController.php @@ -27,24 +27,25 @@ class ConfigurationsController extends AppController /** * @param $user + * @return boolean * * Give authorization for configuration - * - * @return boolean */ public function isAuthorized($user) { - $configuration = $this->confLabinvent; - $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; + //$configuration = $this->confLabinvent; + //$role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; $action = $this->request->getAttribute('params')['action']; + $role = $this->getUserRole($user); - // Super-Admin peut accéder à chaque action - if($role == 'Super Administrateur') return true; + // TOUS + //if ($action == 'view') return true; - if($action == 'view') return true; + // Super-Admin peut accéder à chaque action + //if ($role == 'Super Administrateur') return true; - // Par défaut refuser - return false; + //return false; + return parent::isAuthorized($user); } /** diff --git a/src/Controller/DocumentsController.php b/src/Controller/DocumentsController.php index 3c7e7fc..8b18d81 100755 --- a/src/Controller/DocumentsController.php +++ b/src/Controller/DocumentsController.php 
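Review bot: Replacing the explicit policy with `return parent::isAuthorized($user);` relaxes access to the configuration: the removed code allowed only `view` to anyone below 'Super Administrateur', while `AppController::isAuthorized()` grants `index`, `view`, `add`, `find`, `creer`, `getNextDate` and `getDateGarantie` to every role, so any logged-in user — including the new default 'Utilisateur' assigned to LDAP identities missing from the users table — can now `add` a configuration record. Application-wide settings such as the authentication attribute and install mode are a privileged write and should stay behind the explicit rule, e.g. `if ($action === 'view') return true; return $role === 'Super Administrateur';`. This method also still reads `$this->request->getAttribute('params')['action']` where the rest of the commit switched to `getActionPassed()`.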
@@ -14,21 +14,33 @@ use FPDF; class DocumentsController extends AppController { /** + * Give authorization for documents * - * @param $user Give - * authorization for documents + * @param $user * @return boolean */ public function isAuthorized($user) { - $configuration = $this->confLabinvent; + //$configuration = $this->confLabinvent; + $action = $this->request->getAttribute('params')['action']; + $role = $this->getUserRole($user); + /* $role = TableRegistry::get('Users')->find() ->where(['username' => $user[$configuration->authentificationType_ldap][0]]) ->first()['role']; - $action = $this->request->getAttribute('params')['action']; + */ + // Pour tout le monde + if (in_array($action, [ + //'view', + //'add', + 'ficheMateriel' + ])) return true; + // Super-Admin peut accéder à chaque action + /* if ($role == 'Super Administrateur') return true; + */ if (in_array($action, [ 'admission', @@ -114,15 +126,8 @@ class DocumentsController extends AppController { } } - // Pour tout le monde - if (in_array($action, [ - 'view', - 'add', - 'ficheMateriel' - ])) - return true; - - return false; + //return false; + return parent::isAuthorized($user); } /** diff --git a/src/Controller/EmpruntsController.php b/src/Controller/EmpruntsController.php index 9206392..7dfba43 100755 --- a/src/Controller/EmpruntsController.php +++ b/src/Controller/EmpruntsController.php 
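Review bot: Swapping the final `return false` for `return parent::isAuthorized($user)` grants more than the `view`/`add`/`ficheMateriel` list it replaces: the parent whitelist also covers `index`, `find`, `creer`, `getNextDate` and `getDateGarantie` for every role, and the middle of this `isAuthorized()` (the lines between the two hunks, not shown) previously fell through to a hard deny for anything it did not match. If `index` on documents was meant to stay restricted, keep the explicit list with `return false`; otherwise at least annotate the new fallback: `// Falls back to AppController: also opens index/find/creer/getNextDate/getDateGarantie to all roles`. `$action` here still uses `$this->request->getAttribute('params')['action']` rather than the new `getActionPassed()`.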
@@ -18,26 +18,29 @@ class EmpruntsController extends AppController /** * @param $user + * @return boolean * * Give authorization for emprunts - * - * @return boolean */ public function isAuthorized($user) { - $configuration = $this->confLabinvent; - $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; + //$configuration = $this->confLabinvent; + //$action = $this->request->getAttribute('params')['action']; + //$role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; + $action = $this->getActionPassed(); + $role = $this->getUserRole($user); - $action = $this->request->getAttribute('params')['action']; - - if($this->userHasRoleAtLeast('Responsable')) return true; - - //Pour un "utilisateur" + // Responsable + peut tout faire + //if ($this->userHasRoleAtLeast('Responsable')) return true; + if ($this->USER_IS_RESP_AT_LEAST()) return true; + + // Pour un "utilisateur" if (in_array($action, ['edit', 'delete'])) { - $id = (int)$this->request->getAttribute('params')['pass'][0]; - if($this->isOwnedBy($id, $user['sn'][0].' '.$user['givenname'][0])) return true; + //$id = (int)$this->request->getAttribute('params')['pass'][0]; + if($this->isOwnedBy($this->getIdPassed(), $user['sn'][0].' '.$user['givenname'][0])) return true; } + // Par défaut return parent::isAuthorized($user); } diff --git a/src/Controller/FichemetrologiquesController.php b/src/Controller/FichemetrologiquesController.php index e4c7dc2..a9d9293 100644 --- a/src/Controller/FichemetrologiquesController.php +++ b/src/Controller/FichemetrologiquesController.php @@ -15,10 +15,9 @@ class FichemetrologiquesController extends AppController //public $helpers = array('GoogleCharts.GoogleCharts'); /** - * @param $user - * * Give authorization for fichemetrologiques - * + * + * @param $user * @return boolean */ public function isAuthorized($user) 
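Review bot: For the default 'Utilisateur' role the only gate on `edit`/`delete` of a loan is `isOwnedBy($this->getIdPassed(), $user['sn'][0].' '.$user['givenname'][0])`, a match on a display name assembled from LDAP attributes: two directory entries sharing surname and given name are indistinguishable, and a missing attribute degrades to a partial name that can still match. If the emprunts table also records the creator's login, compare on `$user[$this->confLabinvent->authentificationType_ldap][0]` instead; if it does not, at least refuse an empty or partial owner string before calling `isOwnedBy()`. `getIdPassed()` yields 0 when the URL carries no id, so `isOwnedBy(0, ...)` should be treated as "not owned" rather than left to the query.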
@@ -38,8 +37,10 @@ class FichemetrologiquesController extends AppController if($role == 'Responsable' && $this->isRespGroup($id, $user[$configuration->authentificationType_ldap][0])) return true; } - return parent::isAuthorized($user); + //return parent::isAuthorized($user); */ + + // Tout profil peut tout faire !!! (A affiner, non ?) return true; } diff --git a/src/Controller/FormulesController.php b/src/Controller/FormulesController.php index b72d145..617a972 100644 --- a/src/Controller/FormulesController.php +++ b/src/Controller/FormulesController.php 
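Review bot: `isAuthorized()` for this controller ends in an unconditional `return true`, which the new comment `// Tout profil peut tout faire !!! (A affiner, non ?)` acknowledges: every logged-in role, including the default 'Utilisateur' introduced by this commit, can `edit` and `delete` any metrology sheet. The commented-out block just above (owner check, 'Responsable' group check, `parent::isAuthorized`) is clearly the intended policy; until it is restored, `return $this->isAuthorizedCommons();` would at least confine add/edit/delete to 'Administration' and above. The method starts before this hunk.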
@@ -12,28 +12,32 @@ class FormulesController extends AppController { /** - * @param $user - * * Give authorization for formules - * + * + * @param $user * @return boolean */ public function isAuthorized($user) { - $configuration = $this->confLabinvent; - $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; - - $action = $this->request->getAttribute('params')['action']; + //$configuration = $this->confLabinvent; + //$action = $this->request->getAttribute('params')['action']; + $action = $this->getActionPassed(); + //$role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; + $role = $this->getUserRole($user); - if($this->userHasRoleAtLeast('Administration')) return true; + // Admin + peut tout faire + //if($this->userHasRoleAtLeast('Administration')) return true; + if ($this->USER_IS_ADMIN_AT_LEAST()) return true; - //Pour un "utilisateur" + // Les autres users if (in_array($action, ['edit', 'delete'])) { - $id = (int)$this->request->getAttribute('params')['pass'][0]; - if($this->isOwnedBy($id, $user['sn'][0].' '.$user['givenname'][0])) return true; - if($role == 'Responsable' && $this->isRespGroup($id, $user[$configuration->authentificationType_ldap][0])) return true; + //$id = (int)$this->request->getAttribute('params')['pass'][0]; + $id = $this->getIdPassed(); + if ($this->isOwnedBy($id, $user['sn'][0].' '.$user['givenname'][0])) return true; + if ($role == 'Responsable' && $this->isRespGroup($id, $user[$configuration->authentificationType_ldap][0])) return true; } + // Par défaut return parent::isAuthorized($user); } diff --git a/src/Controller/FournisseursController.php b/src/Controller/FournisseursController.php index 277dd28..8c75791 100644 --- a/src/Controller/FournisseursController.php +++ b/src/Controller/FournisseursController.php 
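Review bot: `$configuration = $this->confLabinvent;` is commented out at the top of `isAuthorized()`, but the rewritten 'Responsable' branch still reads `$user[$configuration->authentificationType_ldap][0]`, so `$configuration` is now undefined: PHP emits a notice and the expression collapses to `$user[null][0]`, handing `isRespGroup()` a null login, so the Responsable path silently stops working as written (what it then returns depends on how `isRespGroup()` treats null, which is not shown). Restore the assignment — `$configuration = $this->confLabinvent;` — or inline `$this->confLabinvent->authentificationType_ldap` on that line. The same pattern recurs in SuivisController in this commit.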
@@ -13,32 +13,46 @@ class FournisseursController extends AppController { /** - * @param $user - * * Give authorization for unite * + * @param $user * @return boolean */ public function isAuthorized($user) { - $configuration = $this->confLabinvent; - $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; - $action = $this->request->getAttribute('params')['action']; + //$configuration = $this->confLabinvent; + //$action = $this->request->getAttribute('params')['action']; + //$role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; + $action = $this->getActionPassed(); + $role = $this->getUserRole($user); - // Super-Admin peut accéder à chaque action - if($role == 'Super Administrateur') return true; - - // Administration peut ajouter, supprimer ou modifier un fournisseur - if($role == 'Administration' && in_array($action,['add','delete','edit'])) return true; + // TOUS + /* if (in_array($action, ['view', 'index'])) { return true; } - - if($this->userHasRoleAtLeast('Administration Plus')) { - if($action != 'delete') return true; + */ + + // Super-Admin peut accéder à chaque action + //if($role == 'Super Administrateur') return true; + + /* + // Administration + peut ajouter, supprimer ou modifier + if( in_array($action,['add','delete','edit'])) { + if ($this->USER_IS_ADMIN_AT_LEAST()) return true; + return false; } + */ + + // Administration peut ajouter, supprimer ou modifier un fournisseur + //if($role == 'Administration' && in_array($action,['add','delete','edit'])) return true; + + // Par défaut + //return false; + //return parent::isAuthorized($user); + + return $this->isAuthorizedCommons(); - return false; } diff --git a/src/Controller/GroupesMetiersController.php b/src/Controller/GroupesMetiersController.php index 82fb650..d4d32c4 100755 --- a/src/Controller/GroupesMetiersController.php 
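Review bot: `$role = $this->getUserRole($user);` is assigned and never used in the new body — everything goes through `isAuthorizedCommons()` — so it is an extra role lookup on every request to this controller and should be dropped, or used to re-add the 'Administration Plus' no-delete rule the removed code enforced if that rule is still wanted. The docblock above still says `Give authorization for unite`, a copy-paste leftover; `Give authorization for fournisseurs` is what this method does. Most of the method is now commented-out history that the repository already keeps, and deleting it would make the effective policy — a three-line delegation — readable at a glance.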
+++ b/src/Controller/GroupesMetiersController.php 
@@ -13,33 +13,53 @@ class GroupesMetiersController extends AppController { /** - * @param $user - * * Give authorization for groupes metiers * + * @param $user * @return boolean */ public function isAuthorized($user) { - $configuration = $this->confLabinvent; - $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; - $action = $this->request->getAttribute('params')['action']; - - // Super-Admin peut accéder à chaque action - if($role == 'Super Administrateur') return true; - - // Administration peut ajouter, supprimer ou modifier un métier - if($role == 'Administration' && in_array($action,['add','delete','edit'])) return true; - + //$action = $this->request->getAttribute('params')['action']; + //$configuration = $this->confLabinvent; + //$role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; + $action = $this->getActionPassed(); + $role = $this->getUserRole($user); + + /* + // TOUS if (in_array($action, ['view', 'index'])) { return true; } - - if($this->userHasRoleAtLeast('Administration Plus')) { - if($action != 'delete') return true; + */ + + // Super-Admin peut accéder à chaque action + //if ($role == 'Super Administrateur') return true; + + /* + // AdministrationPlus peut tout faire sauf delete + if ($this->userHasRole('Administration Plus')) { + if ($action != 'delete') return true; } + */ + + /* + // Action add, ... seulement pour Admin et + + //if($role == 'Administration' && in_array($action,['add','delete','edit'])) return true; + if( in_array($action,['add','delete','edit'])) { + //if ($role == 'Administration') return true; + if ($this->USER_IS_ADMIN_AT_LEAST()) return true; + // Les autres n'y ont pas accès + return false; + } + */ - return false; + // Par défaut + //return false; + //return parent::isAuthorized($user); + + return $this->isAuthorizedCommons(); + } 
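Review bot: The block `// AdministrationPlus peut tout faire sauf delete ... if ($action != 'delete') return true;` stays in the file as a comment while the live path, `isAuthorizedCommons()`, gives add/edit/delete to everyone `USER_IS_ADMIN_AT_LEAST()` accepts, so a reader will assume the no-delete exception is still enforced when it is not; whether the change widens or narrows 'Administration Plus' depends on `getRoleLevel()`, which this diff does not show. If the exception is still wanted, re-add it before the delegation: `if ($action === 'delete' && $role === 'Administration Plus') return false;`; otherwise delete the commented block and the now-unused `$role` lookup so the effective policy is unambiguous.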
diff --git a/src/Controller/GroupesThematiquesController.php b/src/Controller/GroupesThematiquesController.php index a691f06..0ffa8d1 100755 --- a/src/Controller/GroupesThematiquesController.php +++ b/src/Controller/GroupesThematiquesController.php @@ -14,33 +14,42 @@ class GroupesThematiquesController extends AppController /** - * @param $user - * * Give authorization for groupes thematiques * + * @param $user * @return boolean */ public function isAuthorized($user) { - $configuration = $this->confLabinvent; - $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; - $action = $this->request->getAttribute('params')['action']; - - // Super-Admin peut accéder à chaque action - if($role == 'Super Administrateur') return true; - - // Administration peut ajouter, supprimer ou modifier une thematique - if($role == 'Administration' && in_array($action,['add','delete','edit'])) return true; - + //return (new GroupesMetiersController())->isAuthorized($user); + + //$configuration = $this->confLabinvent; + //$role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; + //$action = $this->request->getAttribute('params')['action']; + $action = $this->getActionPassed(); + $role = $this->getUserRole($user); + + /* if (in_array($action, ['view', 'index'])) { return true; } - - if($this->userHasRoleAtLeast('Administration Plus')) { - if($action != 'delete') return true; + */ + + // Super-Admin peut accéder à chaque action + //if($role == 'Super Administrateur') return true; + + /* + // Administration + peut ajouter, supprimer ou modifier + if( in_array($action,['add','delete','edit'])) { + if ($this->USER_IS_ADMIN_AT_LEAST()) return true; + return false; } - - return false; + */ + + // Par défaut + //return false; + //return parent::isAuthorized($user); + return $this->isAuthorizedCommons(); } 
diff --git a/src/Controller/MaterielsController.php b/src/Controller/MaterielsController.php index 09887bf..6ab7bb9 100755 --- a/src/Controller/MaterielsController.php +++ b/src/Controller/MaterielsController.php @@ -64,12 +64,14 @@ class MaterielsController extends AppController { ->first()['role']; */ $role = $this->getUserRole($user); - $this->myDebug("role is ".$role); - debug("role is ".$role); + //$this->myDebug("role is ".$role); + //debug("role is ".$role); //BETTER: //$action = $this->request->getAttribute('params')['action']; - $action = $this->request->getParam('action'); - $id = (int) $this->request->getParam('pass.0'); + //$action = $this->request->getParam('action'); + $action = $this->getActionPassed(); + //$id = (int) $this->request->getParam('pass.0'); + $id = $this->getIdPassed(); /* * Structure mise en place: @@ -251,14 +253,23 @@ class MaterielsController extends AppController { if ($this->USER_IS_ADMIN_AT_LEAST()) return true; break; + /* // Autorisations par defaut: default: return parent::isAuthorized($user); break; + */ + } // end of switch case + + return parent::isAuthorized($userFromSession); } + /* + * @todo A déplacer dans Model/Table/TableMateriels + * cf https://book.cakephp.org/3.0/fr/tutorials-and-examples/blog-auth-example/auth.html + */ public function isOwnedBy($id, $nomCreateur) { return ( $this->Materiels->exists([ diff --git a/src/Controller/OrganismesController.php b/src/Controller/OrganismesController.php index 315cc91..e1326b7 100755 --- a/src/Controller/OrganismesController.php +++ b/src/Controller/OrganismesController.php 
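Review bot: Removing the `default: return parent::isAuthorized($user);` case and placing `return parent::isAuthorized($userFromSession);` after the `switch` changes what a `break` means: every case that ends with `break` after a failed check (the visible one is `if ($this->USER_IS_ADMIN_AT_LEAST()) return true; break;`) now falls into `AppController::isAuthorized()`, which grants `index`, `view`, `add`, `find`, `creer`, `getNextDate` and `getDateGarantie` to every role. If any case above this hunk handles one of those actions and relied on `break` to deny (the rest of the switch is outside the hunk), that denial is now overridden, so cases meant to deny should `return false;` explicitly. `$userFromSession` is not assigned anywhere in the visible lines either; confirm it is defined earlier in the method rather than being a typo for `$user`, because an undefined variable here quietly becomes the session user through `getUserRole(null)`.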
@@ -17,33 +17,45 @@ class OrganismesController extends AppController } /** - * @param $user - * * Give authorization for organismes * + * @param $user * @return boolean */ public function isAuthorized($user) { + /* + /* $configuration = $this->confLabinvent; $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; $action = $this->request->getAttribute('params')['action']; + */ /* + $action = $this->getActionPassed(); + $role = $this->getUserRole($user); // Super-Admin peut accéder à chaque action - if($role == 'Super Administrateur') return true; + //if($role == 'Super Administrateur') return true; // Administration peut ajouter, supprimer ou modifier un organisme - if($role == 'Administration' && in_array($action,['add','delete','edit'])) return true; - + //if($role == 'Administration' && in_array($action,['add','delete','edit'])) return true; + if( in_array($action,['add','delete','edit'])) { + if ($this->USER_IS_ADMIN_AT_LEAST()) return true; + return false; + } + + /* if (in_array($action, ['view', 'index'])) { return true; } - if($this->userHasRoleAtLeast('Administration Plus')) { if($action != 'delete') return true; } - - return false; + */ + + // Par défaut + //return false; + //return parent::isAuthorized($user); + return $this->isAuthorizedCommons(); } /** diff --git a/src/Controller/PagesController.php b/src/Controller/PagesController.php index 3115bc9..b95d572 100755 --- a/src/Controller/PagesController.php +++ b/src/Controller/PagesController.php @@ -77,6 +77,7 @@ class PagesController extends AppController } $this->myDebug($path); + // @todo : faire plus proprement, dans isAuthorized() //Si l'utilisateur n'est pas connecté, on le redirige vers la page login.ctp //sauf si l'action demandée est 'about' ou si le mode install est activé if (!($this->LdapAuth->user($configuration->authentificationType_ldap)[0]) && $path[0] != 'about' && !($configuration->mode_install)) { 
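Review bot: The comment nesting in `isAuthorized()` makes the effective policy hard to determine: the hunk adds `/*` twice before the old lookup lines and `*/` once after them, but PHP block comments do not nest, and the pre-existing context line `/*` that follows then opens a new comment running to the next `*/` — which, on the new side, is the one placed after the old `view`/`index` block. If that reading is right, the freshly written `if( in_array($action,['add','delete','edit'])) { if ($this->USER_IS_ADMIN_AT_LEAST()) return true; return false; }` and the `$action`/`$role` assignments are themselves inside a comment, and the only live statement is `return $this->isAuthorizedCommons();`. Since that delegation already implements the same add/edit/delete rule, the safe fix is to delete everything between the opening brace and the delegation so the policy is unambiguous and the comment balance cannot drift again.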
@@ -96,9 +97,11 @@ class PagesController extends AppController $subpage = $path[1]; } + // @todo : faire plus proprement, avec isAuthorized() if ($page == 'tools') { // Autoriser seulement à partir du role ADMIN et + - if (! $this->userHasRoleAtLeast('Administration')) { + //if (! $this->userHasRoleAtLeast('Administration')) { + if (! $this->USER_IS_ADMIN_AT_LEAST()) { return $this->redirect('/'); } } diff --git a/src/Controller/QrCodesController.php b/src/Controller/QrCodesController.php index 53ce904..d41d1b7 100644 --- a/src/Controller/QrCodesController.php +++ b/src/Controller/QrCodesController.php @@ -7,6 +7,7 @@ use \PHPQRCode\QRcode; class QrCodesController extends AppController { + // @todo Autoriser "creer" dans isAuthorized de ce controleur, et non pas dans celui de AppController !!! public function creer($message = null) { $fileName = $this->request->session()->id().'.png'; diff --git a/src/Controller/SitesController.php b/src/Controller/SitesController.php index dd37769..fe7ec17 100755 --- a/src/Controller/SitesController.php +++ b/src/Controller/SitesController.php 
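Review bot: The `@todo` added above `creer()` points at a real over-grant that is cheap to close in this commit: `'creer'` sits in the role-independent whitelist of `AppController::isAuthorized()`, so it is open to every role on every controller that has such an action, not only on QrCodes, and `creer()` builds a filename from the session id on any request (its body continues outside the hunk). Moving the grant here is a three-line override — `public function isAuthorized($user) { if ($this->getActionPassed() === 'creer') return true; return parent::isAuthorized($user); }` — after which `'creer'` can be removed from the global list. In the PagesController hunk the `tools` gate is still a redirect from inside the action rather than an `isAuthorized()` rule, as its own `@todo` says; the redirect is returned, so it does terminate, but the same `USER_IS_ADMIN_AT_LEAST()` check belongs in `isAuthorized()` where the Auth component enforces it before the action runs.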
@@ -13,24 +13,28 @@ class SitesController extends AppController { /** - * @param $user - * * Give authorization for sites - * + * + * @param $user * @return boolean */ public function isAuthorized($user) { + /* $configuration = $this->confLabinvent; $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; $action = $this->request->getAttribute('params')['action']; + */ + $action = $this->getActionPassed(); + $role = $this->getUserRole($user); // Super-Admin peut accéder à chaque action - if($role == 'Super Administrateur') return true; + //if($role == 'Super Administrateur') return true; // Administration peut ajouter, supprimer ou modifier un site - if($role == 'Administration' && in_array($action,['add','delete','edit'])) return true; + //if($role == 'Administration' && in_array($action,['add','delete','edit'])) return true; + /* if (in_array($action, ['view', 'index'])) { return true; } @@ -38,8 +42,10 @@ class SitesController extends AppController if($this->userHasRoleAtLeast('Administration Plus')) { if($action != 'delete') return true; } + */ - return false; + //return false; + return $this->isAuthorizedCommons(); } diff --git a/src/Controller/SousCategoriesController.php b/src/Controller/SousCategoriesController.php index 79e7fff..18da378 100755 --- a/src/Controller/SousCategoriesController.php +++ b/src/Controller/SousCategoriesController.php @@ -16,14 +16,15 @@ class SousCategoriesController extends AppController } /** - * @param $user - * * Give authorization for sous categories * + * @param $user * @return boolean */ public function isAuthorized($user) { + $action = $this->getActionPassed(); + /* $configuration = $this->confLabinvent; $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; $action = $this->request->getAttribute('params')['action']; 
@@ -33,16 +34,19 @@ class SousCategoriesController extends AppController // Administration peut ajouter, supprimer ou modifier une sous categorie if($role == 'Administration' && in_array($action,['add','delete','edit'])) return true; + */ - if (in_array($action, ['getByCategorie', 'view', 'index'])) { - return true; - } + //if (in_array($action, ['getByCategorie', 'view', 'index'])) { + if (in_array($action, ['getByCategorie'])) return true; + /* if($this->userHasRoleAtLeast('Administration Plus')) { if($action != 'delete') return true; } return false; + */ + return $this->isAuthorizedCommons(); } diff --git a/src/Controller/SuivisController.php b/src/Controller/SuivisController.php index d93423c..cf4ac85 100755 --- a/src/Controller/SuivisController.php +++ b/src/Controller/SuivisController.php @@ -18,21 +18,28 @@ class SuivisController extends AppController { * @return boolean */ public function isAuthorized($user) { - $configuration = $this->confLabinvent; + //$configuration = $this->confLabinvent; + /* $role = TableRegistry::get('Users')->find() ->where([ 'username' => $user[$configuration->authentificationType_ldap][0] ]) ->first()['role']; $action = $this->request->getAttribute('params')['action']; - if ($this->userHasRoleAtLeast('Administration')) - return true; + */ + $action = $this->getActionPassed(); + $role = $this->getUserRole($user); + + //if ($this->userHasRoleAtLeast('Administration')) + if ($this->USER_IS_ADMIN_AT_LEAST()) return true; + // Pour un "utilisateur" if (in_array($action, [ 'edit', 'delete' ])) { - $id = (int) $this->request->getAttribute('params')['pass'][0]; + //$id = (int) $this->request->getAttribute('params')['pass'][0]; + $id = $this->getIdPassed(); if ($this->isOwnedBy($id, $user['sn'][0] . ' ' . $user['givenname'][0])) return true; if ($role == 'Responsable' && $this->isRespGroup($id, $user[$configuration->authentificationType_ldap][0])) 
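Review bot: `if (in_array($action, ['getByCategorie'])) return true;` is a loose `in_array` against a single string; `if ($action === 'getByCategorie') return true;` states the intent strictly. This early return grants `getByCategorie` to every authenticated profile before `isAuthorizedCommons()` is consulted, which matches the old explicit list, but now deserves a comment since it is the only rule left in the method: `// Readable by every authenticated role; deliberately decided before the common matrix`. `view` and `index` dropped out of the explicit list, so their access now rests solely on the shared helper — worth one test per role, because the old code allowed them unconditionally.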
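Review bot: `$configuration = $this->confLabinvent;` is commented out at the top of the hunk, but the last visible line still reads `$user[$configuration->authentificationType_ldap][0]` in the Responsable branch, so that branch now dereferences an undefined variable: PHP raises a notice, the array key collapses to null, and `isRespGroup()` receives a null login instead of the user's. The net effect is that a Responsable can no longer edit or delete a suivi of their group (or gets whatever `isRespGroup` does with null), and no test covers it. Restore the value inline, `if ($role == 'Responsable' && $this->isRespGroup($id, $user[$this->confLabinvent->authentificationType_ldap][0]))`, or expose the login through the same helper family as `getUserRole()`. The `isAuthorized` method continues past the hunk.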
diff --git a/src/Controller/SurCategoriesController.php b/src/Controller/SurCategoriesController.php index b1025be..49dc0ee 100755 --- a/src/Controller/SurCategoriesController.php +++ b/src/Controller/SurCategoriesController.php @@ -17,14 +17,14 @@ class SurCategoriesController extends AppController /** - * @param $user - * * Give authorization for sur categories * + * @param $user * @return boolean */ public function isAuthorized($user) { + /* $configuration = $this->confLabinvent; $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; $action = $this->request->getAttribute('params')['action']; @@ -44,6 +44,8 @@ class SurCategoriesController extends AppController } return false; + */ + return $this->isAuthorizedCommons(); } diff --git a/src/Controller/TypeDocumentsController.php b/src/Controller/TypeDocumentsController.php index 6c21cb9..18df540 100755 --- a/src/Controller/TypeDocumentsController.php +++ b/src/Controller/TypeDocumentsController.php @@ -13,14 +13,14 @@ class TypeDocumentsController extends AppController { /** - * @param $user - * * Give authorization for types suivis * + * @param $user * @return boolean */ public function isAuthorized($user) { + /* $configuration = $this->confLabinvent; $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; $action = $this->request->getAttribute('params')['action']; @@ -40,6 +40,8 @@ class TypeDocumentsController extends AppController } return false; + */ + return $this->isAuthorizedCommons(); } diff --git a/src/Controller/TypeSuivisController.php b/src/Controller/TypeSuivisController.php index 4c5631c..114400b 100755 --- a/src/Controller/TypeSuivisController.php +++ b/src/Controller/TypeSuivisController.php 
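Review bot: `isAuthorized($user)` here now ignores `$user` entirely and returns `$this->isAuthorizedCommons()`, with the old per-role rules preserved only as a `/* … */` block between the opening brace and the return. A reader cannot tell from this file whether the helper reproduces the Administration Plus exception that was here, so either delete the commented block and add `// Delegates fully to AppController::isAuthorizedCommons(); no controller-specific exceptions`, or keep the exception as live code. If the helper is the only thing the override does, the override can be dropped and the parent's `isAuthorized()` left to run, which is what `UsersController` does in this same commit.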
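Review bot: The docblock this hunk edits in `TypeDocumentsController` still reads `* Give authorization for types suivis`, a copy of the `TypeSuivisController` comment; since the hunk already rewrites the `@param $user` line, fix the description at the same time: `* Give authorization for type documents`. The `@return boolean` line could also note that the decision is delegated, e.g. `* @return boolean result of AppController::isAuthorizedCommons()`, so nobody looks for the policy in this file.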
@@ -13,14 +13,14 @@ class TypeSuivisController extends AppController { /** - * @param $user - * * Give authorization for types suivis * + * @param $user * @return boolean */ public function isAuthorized($user) { + /* $configuration = $this->confLabinvent; $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; $action = $this->request->getAttribute('params')['action']; @@ -40,6 +40,8 @@ class TypeSuivisController extends AppController } return false; + */ + return $this->isAuthorizedCommons(); } diff --git a/src/Controller/UnitesController.php b/src/Controller/UnitesController.php index a061529..98bee05 100644 --- a/src/Controller/UnitesController.php +++ b/src/Controller/UnitesController.php @@ -13,14 +13,14 @@ class UnitesController extends AppController { /** - * @param $user - * * Give authorization for unites * + * @param $user * @return boolean */ public function isAuthorized($user) { + /* $configuration = $this->confLabinvent; $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; $action = $this->request->getAttribute('params')['action']; @@ -39,6 +39,8 @@ class UnitesController extends AppController } return false; + */ + return $this->isAuthorizedCommons(); } diff --git a/src/Controller/UsersController.php b/src/Controller/UsersController.php index fa64a39..b467290 100755 --- a/src/Controller/UsersController.php +++ b/src/Controller/UsersController.php 
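Review bot: This commit introduces two different delegation styles for the same job: `TypeSuivisController`, `UnitesController` and the other catalogue controllers end with `return $this->isAuthorizedCommons();`, while `UsersController` ends with `return parent::isAuthorized($user);`. If the parent's `isAuthorized()` already calls `isAuthorizedCommons()` (the Users hunk says the Super-Admin rule is "already in parent::isAuthorized()"), the first form skips whatever else the parent checks, and the two controllers families end up with different fallthrough policy. Pick one form — `return parent::isAuthorized($user);` keeps `$user` in the decision — and, for controllers with no local rule at all, consider deleting the override instead of keeping an empty shell around a `/* … */` block.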
@@ -17,44 +17,48 @@ class UsersController extends AppController return "L'"; } + // 1) AVANT connexion + public function beforeFilter(Event $event) + { + parent::beforeFilter($event); + $this->LdapAuth->allow(['logout']); + } + + // 2) APRES connexion /** - * @param $user - * * Give authorization for users - * + * @param $user * @return boolean */ public function isAuthorized($user) { - $configuration = $this->confLabinvent; - $role = $this->Users->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; - - $action = $this->request->getAttribute('params')['action']; - - // Super-Admin peut accéder à chaque action - if($role == 'Super Administrateur') return true; - - //Pour tout le monde - if (in_array($action, ['index', 'view', 'getLdapLogin', 'getLdapEmail','indexRecap'])) return true; - + //$configuration = $this->confLabinvent; + //$role = $this->Users->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; + //$action = $this->request->getAttribute('params')['action']; + $action = $this->getActionPassed(); + // Actions de CE controleur accessibles à tous les profils + //if (in_array($action, ['index', 'view', 'getLdapLogin', 'getLdapEmail','indexRecap'])) return true; + if (in_array($action, ['getLdapLogin', 'getLdapEmail','indexRecap'])) return true; + + // Inutile car déjà dit dans parent::isAuthorized() + // Super-Admin peut accéder à toutes les actions de CE controleur + //if ($role == 'Super Administrateur') return true; + // Par défaut refuser - return false; + //return false; + return parent::isAuthorized($user); } - public function beforeFilter(Event $event) - { - parent::beforeFilter($event); - $this->LdapAuth->allow(['logout']); - } public function login() { if ($this->request->is('post')) { $user = $this->LdapAuth->connection(); + //debug($user); if ($user != FALSE) { $this->LdapAuth->setUser($user); 
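Review bot: The whitelist `if (in_array($action, ['getLdapLogin', 'getLdapEmail','indexRecap'])) return true;` runs before `parent::isAuthorized($user)`, so these three actions are granted to every authenticated profile regardless of what the parent decides; by name the first two resolve directory identities and the third lists users, so confirm that the lowest role is meant to reach them and say so: `// Lookup helpers every role's forms depend on; granted before the common matrix on purpose`. Use `in_array($action, [...], true)` for the string match. `index` and `view` were dropped from the explicit list, so their availability now depends solely on the parent and should get a per-role test. The `login()` method continues past the hunk.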
diff --git a/src/Model/Table/LdapConnectionsTable.php b/src/Model/Table/LdapConnectionsTable.php index 4156cf7..dffcd4a 100755 --- a/src/Model/Table/LdapConnectionsTable.php +++ b/src/Model/Table/LdapConnectionsTable.php @@ -62,13 +62,23 @@ class LdapConnectionsTable extends AppTable { } } - $prefix = "_NouvelUtilisateur_"; + //EP (aout 2017) + // ATTENTION : Utilisateur IMPORTANT. + // Avec cet utilisateur, on simule un utilisateur qui n'est PAS dans la table utilisateurs + // Il devrait donc se voir attribuer un role "Utilisateur" sans pour autant que ça soit écrit dans la table !!! + // login = '_NouvelUtilisateur_username' + // pass = '_NouvelUtilisateur_password' + //$prefix = "_NouvelUtilisateur_"; $ldapUsers[] = [ - 'sn' => ['NOUVEL'], - 'givenname' => ['UTILISATEUR'], - 'mail' => [$prefix.'email'], - $this->authenticationType => [$prefix.'username'], - 'userpassword' => [$prefix.'password'], + 'sn' => ['UTILISATEUR'], + 'givenname' => ['FAKE_LDAP'], + //'mail' => [$login.'email'], + 'mail' => ['fakeldapuser@domain.fr'], + //$this->authenticationType => [$prefix.'username'], + $this->authenticationType => [$this->getTheFakeLdapUser()['login']], + //$this->authenticationType => ['usere'], + 'userpassword' => [$this->getTheFakeLdapUser()['pass']], + //'userpassword' => ['toto'], ]; @@ -86,6 +96,7 @@ class LdapConnectionsTable extends AppTable { if (empty($this->fakeLDAPUsers)) $this->fakeLDAPUsers = $this->buildFakeLdapUsers(); return true; } + //debug($this->fakeLDAPUsers); $ldapConfig = $config->toArray(); 
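Review bot: The new fixture entry stores its password `_ldap_user_pass` in clear text in `userpassword`, whereas the other fake users are checked through `DefaultPasswordHasher` in `ldapAuthentication()`, and both login and password are fixed constants committed to the repository. This list is what `ldapAuthentication()` consults whenever `USE_LDAP` is off, so a deployment that runs without LDAP exposes a well-known account; build the fixture only when a test/debug flag is set (for instance a dedicated `fakeLdapForTests` configuration key, or CakePHP's debug setting) and state that in the comment: `// Test-only fixture: an LDAP account with no row in the users table; must never be built in production`. The `buildFakeLdapUsers()` method begins before the hunk.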
@@ -254,13 +265,21 @@ class LdapConnectionsTable extends AppTable { return $nbUsers; } + // Utilisateur du ldap qui n'est pas dans la table utilisateurs + // => il a donc le role "Utilisateur" PAR DEFAUT + private function getTheFakeLdapUser() { + return [ + 'login' => '_ldap_user_', + 'pass' => '_ldap_user_pass', + ]; + } public function ldapAuthentication($login, $password) { try { if($this->checkConfiguration()) { if ($this->USE_LDAP) { - if (strlen(trim($password))==0) return FALSE; + if (strlen(trim($password))==0) return FALSE; $ldapConnection = ldap_connect($this->host, $this->port); ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3); if (@ldap_bind($ldapConnection, $this->authenticationType . '=' . $login . ',' . $this->baseDn, $password)) { @@ -273,10 +292,14 @@ class LdapConnectionsTable extends AppTable { } else { $user = $this->getFakeLdapUser($login); - if ($user != false && (new DefaultPasswordHasher)->check($password, $user['userpassword'][0])) { - //if ($user != false && $user['userpassword'][0] == $password) { - return $user; - } + //debug($user); + if ($user === false) return FALSE; + // $this->authenticationType peut valoir "uid" ou "cn"... (par défaut "uid" pour le fake ldap, à confirmer...) + //if ($user['uid'][0] == "_NouvelUtilisateur_username" && $user['userpassword'][0] == "_NouvelUtilisateur_password") return $user; + //if ($user[$this->authenticationType][0] == "_NouvelUtilisateur_username" && $user['userpassword'][0] == "_NouvelUtilisateur_password") return $user; + if ($user[$this->authenticationType][0] == $this->getTheFakeLdapUser()['login'] && $user['userpassword'][0] == $this->getTheFakeLdapUser()['pass']) return $user; + if ((new DefaultPasswordHasher)->check($password, $user['userpassword'][0])) return $user; + //if ($user != false && $user['userpassword'][0] == $password) { } } } diff --git a/src/Template/Layout/default.ctp b/src/Template/Layout/default.ctp index 80653aa..8588190 100755 
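Review bot: The new fake-user branch compares the stored record against itself, not against the credentials that were submitted: `$user` was fetched by `$login`, so `$user[$this->authenticationType][0] == $this->getTheFakeLdapUser()['login']` holds for that account by construction, and `$user['userpassword'][0] == $this->getTheFakeLdapUser()['pass']` holds because `buildFakeLdapUsers()` stores exactly that constant, while `$password` is never consulted. In non-LDAP mode anyone who submits login `_ldap_user_` with any non-blank password is therefore authenticated. Compare the submitted password instead, in constant time, and keep the hashed check for the other fixtures. The bind DN on the LDAP branch, `$this->authenticationType . '=' . $login . ',' . $this->baseDn`, is outside this change but concatenates the raw login and deserves `ldap_escape($login, '', LDAP_ESCAPE_DN)`.
```php
$user = $this->getFakeLdapUser($login);
if ($user === false) return FALSE;
$fake = $this->getTheFakeLdapUser();
// The fixture account keeps a clear-text secret: check the *submitted* password against it.
if ($user[$this->authenticationType][0] === $fake['login']) {
    return hash_equals($fake['pass'], $password) ? $user : FALSE;
}
// Every other fixture stores a hash.
if ((new DefaultPasswordHasher)->check($password, $user['userpassword'][0])) return $user;
```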
--- a/src/Template/Layout/default.ctp +++ b/src/Template/Layout/default.ctp @@ -115,7 +115,7 @@ $cakeDescription = 'Labinvent 2'; - VERSION 2.7.7 (29/08/2017) + VERSION 2.7.8 (29/08/2017)
CURRENT_ROLE = $role; } return $this->CURRENT_ROLE; } @@ -112,8 +114,12 @@ class General extends IntegrationTestCase { public function authAs($role) { switch ($role) { + case 'USER_from_ldap': + $this->authUtilisateurFromLdap(); + //$this->CURRENT_ROLE = 'Utilisateur'; + break; case 'USER': - $this->authUtilisateur(); + $this->authUtilisateurFromTable(); //$this->CURRENT_ROLE = 'Utilisateur'; break; case 'RESP': @@ -308,9 +314,14 @@ class General extends IntegrationTestCase { } */ - public function authUtilisateur() { + public function authUtilisateur() { $this->authUtilisateurFromTable(); } + public function authUtilisateurFromTable() { $this->authUser('user5_USER', 'test9', 'test0'); } + public function authUtilisateurFromLdap() { + //$this->authUser('_NouvelUtilisateur_username', 'NOUVEL', 'UTILISATEUR'); + $this->authUser('_ldap_user_', 'FAKE_LDAP', 'UTILISATEUR'); + } /* $user = [ 'Auth' => [ diff --git a/tests/TestCase/Controller/MaterielsControllerTest.php b/tests/TestCase/Controller/MaterielsControllerTest.php index 2f73c03..be64912 100755 --- a/tests/TestCase/Controller/MaterielsControllerTest.php +++ b/tests/TestCase/Controller/MaterielsControllerTest.php @@ -147,7 +147,8 @@ class MaterielsControllerTest extends General { foreach ($this->ROLES as $role) $this->_testMatReadAllAs($role); } */ - public function testMat20ReadAllAsUser() { $this->_testMatReadAllAs('USER'); } + public function testMat20ReadAllAsUserFromLdap() { $this->_testMatReadAllAs('USER_from_ldap'); } + public function testMat20ReadAllAsUserFromTable() { $this->_testMatReadAllAs('USER'); } public function testMat20ReadAllAsResp() { $this->_testMatReadAllAs('RESP'); } public function testMat20ReadAllAsAdmin() { $this->_testMatReadAllAs('ADMIN'); } public function testMat20ReadAllAsAdminP() { $this->_testMatReadAllAs('ADMINP'); } 
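Review bot: `authUtilisateurFromLdap()` signs in as `_ldap_user_` via `authUser('_ldap_user_', 'FAKE_LDAP', 'UTILISATEUR')`, whose arguments look like login, givenname and sn rather than a password (the table variant passes `'user5_USER', 'test9', 'test0'`), so nothing in the suite exercises the password check for this account, even though the matching branch in `LdapConnectionsTable::ldapAuthentication()` is what this commit changed. Add a negative case next to it: post `_ldap_user_` with a wrong password to the login action and assert that no session user is set. Also spell out the expectation the new tests rely on: `// LDAP-only account with no row in the users table: must resolve to role 'Utilisateur'`.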
@@ -172,7 +173,7 @@ class MaterielsControllerTest extends General { $this->assertResponseContains("Liste des matériels (6)", 'Le profil '.$role.' ne devrait PAS voir les matériels archivés.'); $this->assertResponseNotContains("A valider", 'Le profil '.$role.' ne devrait PAS avoir accès à des filtres par statut.'); } - $this->assertResponseContainsIf($role, ($role != 'USER'), ["Exporter la liste complete"=>"un bouton Exporter"]); + $this->assertResponseContainsIf($role, ($this->getUserRole() != 'Utilisateur'), ["Exporter la liste complete"=>"un bouton Exporter"]); $this->get('/materiels/index/CREATED'); //TODO: il faudrait remplacer "false" par "true" dans ce test @@ -229,7 +230,8 @@ class MaterielsControllerTest extends General { } */ // test VIEW action - public function testMat10ReadOneAsUser() { $this->_testMatReadOneAs('USER'); } + public function testMat10ReadOneAsUserFromLdap() { $this->_testMatReadOneAs('USER_from_ldap'); } + public function testMat10ReadOneAsUserFromTable() { $this->_testMatReadOneAs('USER'); } public function testMat10ReadOneAsResp() { $this->_testMatReadOneAs('RESP'); } public function testMat10ReadOneAsAdmin() { $this->_testMatReadOneAs('ADMIN'); } public function testMat10ReadOneAsAdminPlus() { $this->_testMatReadOneAs('ADMINP'); } @@ -280,6 +282,7 @@ class MaterielsControllerTest extends General { foreach ($this->ROLES as $role) $this->_testMatAccessCreateFormAs($role); } */ + public function testMat30AccessCreateFormAsUserFromLdap() { $this->_testMatAccessCreateFormAs('USER_from_ldap'); } public function testMat30AccessCreateFormAsUser() { $this->_testMatAccessCreateFormAs('USER'); } public function testMat30AccessCreateFormAsResp() { $this->_testMatAccessCreateFormAs('RESP'); } public function testMat30AccessCreateFormAsAdmin() { $this->_testMatAccessCreateFormAs('ADMIN'); } 
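Review bot: `$this->assertResponseContainsIf($role, ($this->getUserRole() != 'Utilisateur'), …)` now keys the expectation on the resolved role instead of the `$role` alias, which is what lets the `USER_from_ldap` case run, but nothing asserts that the LDAP-only account actually resolved to `Utilisateur`; if role resolution defaulted to something higher, the condition would flip to "expects the Exporter button" and the test would still pass. Pin it first, `if ($role === 'USER_from_ldap') $this->assertSame('Utilisateur', $this->getUserRole());`, and use `!==` for the string comparison. `_testMatReadAllAs` starts before and continues past the hunk.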
@@ -313,11 +316,13 @@ class MaterielsControllerTest extends General { * * @return void */ + public function testMat31CreateAsSuper() { $this->_testMatCreateAs('SUPER'); } public function testMat31CreateAsAdminp() { $this->_testMatCreateAs('ADMINP'); } public function testMat31CreateAsAdmin() { $this->_testMatCreateAs('ADMIN'); } public function testMat31CreateAsResp() { $this->_testMatCreateAs('RESP'); } public function testMat31CreateAsUser() { $this->_testMatCreateAs('USER'); } + public function testMat31CreateAsUserFromLdap() { $this->_testMatCreateAs('USER_from_ldap'); } public function testMat32CreateAdministratifOrTechnicalAsSuper() { $this->_testMatCreateAdministratifOrTechnicalAs('SUPER'); } private function _testMatCreateAdministratifOrTechnicalAs($role) { @@ -421,6 +426,7 @@ class MaterielsControllerTest extends General { */ public function testMat33CreateFailsAsSuper() { $this->_testMatCreateFailsAs('SUPER'); } public function testMat33CreateFailsAsUser() { $this->_testMatCreateFailsAs('USER'); } + public function testMat33CreateFailsAsUserFromLdap() { $this->_testMatCreateFailsAs('USER_from_ldap'); } private function _testMatCreateFailsAs($role) { // test with each mandatory field except materiel_administratif and materiel_technique foreach (self::mandatoryFieldsForCreation as $mandatoryField) { -- libgit2 0.21.2