Commit f084c88bfd824e789572a5cc1acb8fa0b19796f8
1 parent
ba708244
Gros bugfix + simplification ACL (authorizations)
- Gros Bugfix : un utilisateur du ldap sans privilège n'était souvent pas reconnu comme 'Utilisateur' - Dans tous les contrôleurs, refactorisation, simplification, harmonisation, rationalisation, suppression des redondances
Showing
27 changed files
with
448 additions
and
198 deletions
README-LABINVENT.md
@@ -48,8 +48,10 @@ Logiciel testé et validé sur les configurations suivantes : | @@ -48,8 +48,10 @@ Logiciel testé et validé sur les configurations suivantes : | ||
48 | VERSION ACTUELLE | 48 | VERSION ACTUELLE |
49 | 49 | ||
50 | Date: 29/08/2017 | 50 | Date: 29/08/2017 |
51 | -Version: 2.7.7 | ||
52 | - Grosse amelioration des tests (refactorisation, généralisation) | 51 | +Version: 2.7.8 |
52 | + - Bugfix important sur détection du role "Utilisateur" pour les personnes du ldap qui ne sont pas dans la table utilisateurs !!! | ||
53 | + - Creation d'un fake utilisateur pour simuler un utilisateur qui n'est pas dans la table utilisateurs (et tester le cas ci-dessus) | ||
54 | + - Ajout de tests avec cet utilisateur | ||
53 | 55 | ||
54 | Version majeure en cours (2.7): https://projects.irap.omp.eu/versions/162 | 56 | Version majeure en cours (2.7): https://projects.irap.omp.eu/versions/162 |
55 | 57 |
src/Controller/AppController.php
@@ -59,6 +59,19 @@ class AppController extends Controller { | @@ -59,6 +59,19 @@ class AppController extends Controller { | ||
59 | //debug("role is" .$role); | 59 | //debug("role is" .$role); |
60 | return self::PROFILES[$role]; | 60 | return self::PROFILES[$role]; |
61 | } | 61 | } |
62 | + | ||
63 | + public function getActionPassed() { | ||
64 | + // BETTER: | ||
65 | + //return $this->request->getAttribute('params')['action']; | ||
66 | + return $this->request->getParam('action'); | ||
67 | + } | ||
68 | + | ||
69 | + public function getIdPassed() { | ||
70 | + //return (int) $this->request->getAttribute('params')['pass'][0]; | ||
71 | + return (int) $this->request->getParam('pass.0'); | ||
72 | + } | ||
73 | + | ||
74 | + | ||
62 | 75 | ||
63 | /** | 76 | /** |
64 | * Initialization hook method. | 77 | * Initialization hook method. |
@@ -81,28 +94,69 @@ class AppController extends Controller { | @@ -81,28 +94,69 @@ class AppController extends Controller { | ||
81 | $this->confLabinvent = TableRegistry::get('Configurations')->find()->where(['id =' => 1])->first(); | 94 | $this->confLabinvent = TableRegistry::get('Configurations')->find()->where(['id =' => 1])->first(); |
82 | } | 95 | } |
83 | 96 | ||
97 | + | ||
98 | + /** | ||
99 | + * Autorisations fréquentes utilisées par bcp de isAuthorized() de controlleurs | ||
100 | + * Ca évite de répéter 10 fois la meme chose !!! | ||
101 | + */ | ||
102 | + public function isAuthorizedCommons() { | ||
103 | + $action = $this->getActionPassed(); | ||
104 | + //$role = $this->getUserRole($user); | ||
105 | + | ||
106 | + // Seul Administration (et +) peut ajouter, supprimer ou modifier un organisme | ||
107 | + if( in_array($action,['add','delete','edit'])) { | ||
108 | + if ($this->USER_IS_ADMIN_AT_LEAST()) return true; | ||
109 | + // Les autres n'y ont pas accès | ||
110 | + return false; | ||
111 | + } | ||
112 | + | ||
113 | + // By default | ||
114 | + return parent::isAuthorized($user); | ||
115 | + } | ||
116 | + | ||
84 | /** | 117 | /** |
85 | * @param $user | 118 | * @param $user |
86 | * @return boolean | 119 | * @return boolean |
120 | + * | ||
121 | + * isAuthorized is located in the Auth component | ||
122 | + * Check whether a LOGGED in user has a set of permissions to perform a given action | ||
87 | * Give authorization in general | 123 | * Give authorization in general |
124 | + * | ||
125 | + * 2) Autorisation APRES connexion | ||
126 | + * (Avant, c'est beforeFilter() qui s'en occupe) | ||
88 | */ | 127 | */ |
89 | public function isAuthorized($user) { | 128 | public function isAuthorized($user) { |
129 | + /* | ||
130 | + // ATTENTION, normalement, on devrait tester si role est défini..., mais c'est sans doute pas utile | ||
131 | + // cf https://book.cakephp.org/3.0/fr/tutorials-and-examples/blog-auth-example/auth.html | ||
132 | + if (isset($user['role']) && $user['role'] === 'admin') { | ||
133 | + return true; | ||
134 | + } | ||
135 | + */ | ||
136 | + | ||
90 | $configuration = $this->confLabinvent; | 137 | $configuration = $this->confLabinvent; |
138 | + $role = $this->getUserRole($user); | ||
139 | + /* | ||
91 | $role = TableRegistry::get('Users')->find() | 140 | $role = TableRegistry::get('Users')->find() |
92 | ->where(['username' => $user[$configuration->authentificationType_ldap][0]]) | 141 | ->where(['username' => $user[$configuration->authentificationType_ldap][0]]) |
93 | ->first()['role']; | 142 | ->first()['role']; |
143 | + */ | ||
144 | + $this->myDebug("role is ".$role); | ||
94 | 145 | ||
95 | - $action = $this->request->getAttribute('params')['action']; | ||
96 | - | 146 | + //BETTER: |
147 | + //$action = $this->request->getAttribute('params')['action']; | ||
148 | + //$action = $this->request->getParam('action'); | ||
149 | + $action = $this->getActionPassed(); | ||
150 | + | ||
97 | // error_log($action); | 151 | // error_log($action); |
98 | 152 | ||
99 | - // ACL : Super-Admin peut accéder à chaque action | ||
100 | - if ($role == 'Super Administrateur') | ||
101 | - return true; | ||
102 | - | ||
103 | - // ACL : Pour tout le monde | 153 | + // ACL : Actions accessibles à tous les roles (profils) |
104 | if (in_array($action, ['index', 'view', 'add', 'find', 'creer', 'getNextDate', 'getDateGarantie'])) | 154 | if (in_array($action, ['index', 'view', 'add', 'find', 'creer', 'getNextDate', 'getDateGarantie'])) |
105 | return true; | 155 | return true; |
156 | + | ||
157 | + // ACL : Super-Admin peut accéder à toutes les actions | ||
158 | + if ($role == 'Super Administrateur') | ||
159 | + return true; | ||
106 | 160 | ||
107 | // ACL : Par défaut refuser | 161 | // ACL : Par défaut refuser |
108 | return false; | 162 | return false; |
@@ -113,17 +167,22 @@ class AppController extends Controller { | @@ -113,17 +167,22 @@ class AppController extends Controller { | ||
113 | if (! $this->CURRENT_USER) { | 167 | if (! $this->CURRENT_USER) { |
114 | $configuration = $this->confLabinvent; | 168 | $configuration = $this->confLabinvent; |
115 | $username = $user ? $user[$configuration->authentificationType_ldap][0] : $this->LdapAuth->user($configuration->authentificationType_ldap)[0]; | 169 | $username = $user ? $user[$configuration->authentificationType_ldap][0] : $this->LdapAuth->user($configuration->authentificationType_ldap)[0]; |
116 | - $this->CURRENT_USER = TableRegistry::get('Users') | 170 | + $priviledgedUser = TableRegistry::get('Users') |
117 | ->find() | 171 | ->find() |
118 | ->where(['username' => $username]) | 172 | ->where(['username' => $username]) |
119 | //->where(['username' => $this->LdapAuth->user('cn')[0]]) | 173 | //->where(['username' => $this->LdapAuth->user('cn')[0]]) |
120 | ->first(); | 174 | ->first(); |
175 | + //if (! $priviledgedUser) $priviledgedUser = "Unpriviledged User (not in table utilisateurs)"; | ||
176 | + $this->CURRENT_USER = $priviledgedUser; | ||
121 | } | 177 | } |
122 | return $this->CURRENT_USER; | 178 | return $this->CURRENT_USER; |
123 | } | 179 | } |
124 | public function getUserRole($user=null) { return $this->getPriviledgedUserRole($user); } | 180 | public function getUserRole($user=null) { return $this->getPriviledgedUserRole($user); } |
125 | public function getPriviledgedUserRole($user=null) { | 181 | public function getPriviledgedUserRole($user=null) { |
126 | - return $this->getTablePriviledgedUserFromCurrentSessionUser($user)['role']; | 182 | + $priviledgedUser = $this->getTablePriviledgedUserFromCurrentSessionUser($user); |
183 | + // default role is "Utilisateur" (for people who are not in the table utilisateurs) | ||
184 | + if (! $priviledgedUser) return 'Utilisateur'; | ||
185 | + return $priviledgedUser['role']; | ||
127 | /* | 186 | /* |
128 | if (! $this->CURRENT_ROLE) { | 187 | if (! $this->CURRENT_ROLE) { |
129 | $configuration = $this->confLabinvent; | 188 | $configuration = $this->confLabinvent; |
@@ -137,7 +196,7 @@ class AppController extends Controller { | @@ -137,7 +196,7 @@ class AppController extends Controller { | ||
137 | */ | 196 | */ |
138 | } | 197 | } |
139 | 198 | ||
140 | - public function userHasRole($expectedRole, $ORMORE=false) { | 199 | + private function userHasRole($expectedRole, $ORMORE=false) { |
141 | $role = $this->getUserRole(); | 200 | $role = $this->getUserRole(); |
142 | if (! $ORMORE) return ($role == $expectedRole); | 201 | if (! $ORMORE) return ($role == $expectedRole); |
143 | return ($this->getRoleLevel($role) >= $this->getRoleLevel($expectedRole)); | 202 | return ($this->getRoleLevel($role) >= $this->getRoleLevel($expectedRole)); |
@@ -163,7 +222,7 @@ class AppController extends Controller { | @@ -163,7 +222,7 @@ class AppController extends Controller { | ||
163 | return $false; | 222 | return $false; |
164 | */ | 223 | */ |
165 | } | 224 | } |
166 | - public function userHasRoleAtLeast($expectedRole) { | 225 | + private function userHasRoleAtLeast($expectedRole) { |
167 | return $this->userHasRole($expectedRole, true); | 226 | return $this->userHasRole($expectedRole, true); |
168 | } | 227 | } |
169 | public function USER_IS_ADMIN_AT_LEAST() { return $this->userHasRoleAtLeast('Administration'); } | 228 | public function USER_IS_ADMIN_AT_LEAST() { return $this->userHasRoleAtLeast('Administration'); } |
@@ -178,9 +237,26 @@ class AppController extends Controller { | @@ -178,9 +237,26 @@ class AppController extends Controller { | ||
178 | * {@inheritdoc} | 237 | * {@inheritdoc} |
179 | * | 238 | * |
180 | * @see \Cake\Controller\Controller::beforeFilter() | 239 | * @see \Cake\Controller\Controller::beforeFilter() |
240 | + * | ||
241 | + * 1) Autorisations SANS (ou AVANT) connexion | ||
242 | + * 2) Ensuite, c'est isAuthorized qui gère | ||
243 | + * | ||
181 | */ | 244 | */ |
182 | public function beforeFilter(Event $event) { | 245 | public function beforeFilter(Event $event) { |
183 | // !!! Ne jamais autoriser l'action 'login', sinon cela va créer des problèmes sur le fonctionnement normal de AuthComponent (cf doc) !!! | 246 | // !!! Ne jamais autoriser l'action 'login', sinon cela va créer des problèmes sur le fonctionnement normal de AuthComponent (cf doc) !!! |
247 | + //parent::beforeFilter($event); | ||
248 | + | ||
249 | + /* EXEMPLES d'utilisation: | ||
250 | + // to allow all access to all actions: | ||
251 | + if (isset($this->Auth)) { | ||
252 | + $this->Auth->allow('*'); | ||
253 | + } | ||
254 | + // Allow access to index & view actions: | ||
255 | + if (isset($this->Auth)) { | ||
256 | + $this->Auth->allowedActions = array('index', 'view'); | ||
257 | + } | ||
258 | + */ | ||
259 | + | ||
184 | $configuration = $this->confLabinvent; | 260 | $configuration = $this->confLabinvent; |
185 | 261 | ||
186 | if ($configuration->mode_install) | 262 | if ($configuration->mode_install) |
@@ -224,13 +300,17 @@ class AppController extends Controller { | @@ -224,13 +300,17 @@ class AppController extends Controller { | ||
224 | $this->set('configuration', $configuration); | 300 | $this->set('configuration', $configuration); |
225 | $this->request->session()->write("authType", $configuration->authentificationType_ldap); | 301 | $this->request->session()->write("authType", $configuration->authentificationType_ldap); |
226 | 302 | ||
303 | + //TODO: mettre ca au propre, le cas ou l'utilisateur a un role UTILISATEUR doit etre traité AVANT, en amont, et pas ici, bien trop tard | ||
304 | + $user = $this->getUser(); | ||
305 | + $role = $this->getUserRole(); | ||
306 | + /* | ||
227 | $user = TableRegistry::get('Users')->find() | 307 | $user = TableRegistry::get('Users')->find() |
228 | ->where(['username' => $this->LdapAuth->user($configuration->authentificationType_ldap)[0]]) | 308 | ->where(['username' => $this->LdapAuth->user($configuration->authentificationType_ldap)[0]]) |
229 | ->first(); | 309 | ->first(); |
230 | - | ||
231 | $role = $user['role']; | 310 | $role = $user['role']; |
232 | if ($role == null) | 311 | if ($role == null) |
233 | $role = 'Utilisateur'; | 312 | $role = 'Utilisateur'; |
313 | + */ | ||
234 | $this->set('role', $role); | 314 | $this->set('role', $role); |
235 | 315 | ||
236 | //$profile = $this->allProfiles["$role"]; | 316 | //$profile = $this->allProfiles["$role"]; |
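Review bot: `isAuthorizedCommons()` (new lines 102–115) ends with `return parent::isAuthorized($user);`, but the method takes no parameter, so `$user` is undefined there, and because the method lives in AppController itself `parent::` resolves to Cake's base Controller, which as far as I can tell does not define isAuthorized() — the fall-through path for any action other than add/delete/edit would fail instead of reaching the common rules in AppController::isAuthorized(). The callers in CategoriesController, FournisseursController and GroupesMetiersController all take that path for index and view. Suggested change: `public function isAuthorizedCommons($user = null) {` and `return $this->isAuthorized($user);` (the default keeps the existing no-argument calls working, and getUserRole() already falls back to the session user when $user is null). Separately, userHasRole() and userHasRoleAtLeast() become `private` on new lines 199 and 225; any subclass still calling them gets a fatal error, so `protected` is the safer visibility if the intent is only to hide them from outside the hierarchy.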
src/Controller/CategoriesController.php
@@ -19,32 +19,47 @@ class CategoriesController extends AppController | @@ -19,32 +19,47 @@ class CategoriesController extends AppController | ||
19 | 19 | ||
20 | /** | 20 | /** |
21 | * @param $user | 21 | * @param $user |
22 | + * @return boolean | ||
22 | * | 23 | * |
23 | * Give authorization for categories | 24 | * Give authorization for categories |
24 | * | 25 | * |
25 | - * @return boolean | ||
26 | */ | 26 | */ |
27 | public function isAuthorized($user) | 27 | public function isAuthorized($user) |
28 | { | 28 | { |
29 | - $configuration = $this->confLabinvent; | ||
30 | - $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; | ||
31 | - $action = $this->request->getAttribute('params')['action']; | 29 | + //$configuration = $this->confLabinvent; |
30 | + //$role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; | ||
31 | + //$action = $this->request->getAttribute('params')['action']; | ||
32 | + $action = $this->getActionPassed(); | ||
33 | + $role = $this->getUserRole($user); | ||
32 | 34 | ||
35 | + // Actions autorisées pour tous les profils | ||
36 | + //if (in_array($action, ['getBySurCategorie', 'getAll', 'view', 'index'])) { | ||
37 | + if (in_array($action, ['getBySurCategorie', 'getAll'])) { | ||
38 | + return true; | ||
39 | + } | ||
40 | + | ||
41 | + /* | ||
33 | // Super-Admin peut accéder à chaque action | 42 | // Super-Admin peut accéder à chaque action |
34 | - if($role == 'Super Administrateur') return true; | 43 | + if($role == 'Super Administrateur') return true; |
44 | + */ | ||
35 | 45 | ||
36 | - // Administration peut ajouter, supprimer ou modifier une categorie | ||
37 | - if($role == 'Administration' && in_array($action,['add','delete','edit'])) return true; | ||
38 | 46 | ||
39 | - if (in_array($action, ['getBySurCategorie', 'getAll', 'view', 'index'])) { | ||
40 | - return true; | ||
41 | - } | ||
42 | - | ||
43 | - if($this->userHasRoleAtLeast('Administration Plus')) { | ||
44 | - if($action != 'delete') return true; | 47 | + /* |
48 | + // Administration peut ajouter, supprimer ou modifier une categorie | ||
49 | + //if($role == 'Administration' && in_array($action,['add','delete','edit'])) return true; | ||
50 | + if( in_array($action,['add','delete','edit'])) { | ||
51 | + //if ($role == 'Administration') return true; | ||
52 | + if ($this->USER_IS_ADMIN_AT_LEAST()) return true; | ||
53 | + // Les autres n'y ont pas accès | ||
54 | + return false; | ||
45 | } | 55 | } |
56 | + */ | ||
57 | + | ||
58 | + // Par défaut | ||
59 | + //return false; | ||
60 | + //return parent::isAuthorized($user); | ||
46 | 61 | ||
47 | - return false; | 62 | + return $this->isAuthorizedCommons(); |
48 | } | 63 | } |
49 | 64 | ||
50 | /** | 65 | /** |
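Review bot: The previous rule that let 'Administration Plus' do everything except delete (old lines 43–45) is dropped: the new body delegates add/delete/edit to `isAuthorizedCommons()`, which grants all three to any role at or above Administration, so if 'Administration Plus' ranks above Administration in getRoleLevel() that role can now delete categories; the same rule is dropped in FournisseursController and GroupesMetiersController. If that widening is intended, a one-line comment such as `// Note: delete is now allowed for Administration Plus as well (was excluded before)` would document it; otherwise keep the exclusion ahead of the delegation. Also `$role = $this->getUserRole($user);` (new line 33) is never read in this method, and the whole previous implementation is kept as commented-out blocks; the same unused `$role` appears in ConfigurationsController, EmpruntsController, FournisseursController and GroupesMetiersController. Dropping the dead assignment and the commented blocks would leave the two live rules readable at a glance.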
src/Controller/ConfigurationsController.php
@@ -27,24 +27,25 @@ class ConfigurationsController extends AppController | @@ -27,24 +27,25 @@ class ConfigurationsController extends AppController | ||
27 | 27 | ||
28 | /** | 28 | /** |
29 | * @param $user | 29 | * @param $user |
30 | + * @return boolean | ||
30 | * | 31 | * |
31 | * Give authorization for configuration | 32 | * Give authorization for configuration |
32 | - * | ||
33 | - * @return boolean | ||
34 | */ | 33 | */ |
35 | public function isAuthorized($user) | 34 | public function isAuthorized($user) |
36 | { | 35 | { |
37 | - $configuration = $this->confLabinvent; | ||
38 | - $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; | 36 | + //$configuration = $this->confLabinvent; |
37 | + //$role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; | ||
39 | $action = $this->request->getAttribute('params')['action']; | 38 | $action = $this->request->getAttribute('params')['action']; |
39 | + $role = $this->getUserRole($user); | ||
40 | 40 | ||
41 | - // Super-Admin peut accéder à chaque action | ||
42 | - if($role == 'Super Administrateur') return true; | 41 | + // TOUS |
42 | + //if ($action == 'view') return true; | ||
43 | 43 | ||
44 | - if($action == 'view') return true; | 44 | + // Super-Admin peut accéder à chaque action |
45 | + //if ($role == 'Super Administrateur') return true; | ||
45 | 46 | ||
46 | - // Par défaut refuser | ||
47 | - return false; | 47 | + //return false; |
48 | + return parent::isAuthorized($user); | ||
48 | } | 49 | } |
49 | 50 | ||
50 | /** | 51 | /** |
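Review bot: Replacing the explicit rules with `return parent::isAuthorized($user);` (new line 48) widens access to configuration: AppController::isAuthorized() grants index, view, add, find, creer, getNextDate and getDateGarantie to every role, whereas before only `view` was open and everything else was Super Administrateur only. If this controller exposes an add or index action, any LDAP user now reaches it. Since `$role` and `$action` are still computed on new lines 38–39, the old contract can be kept in two lines: `if ($action == 'view') return true;` and `return ($role == 'Super Administrateur');`.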
src/Controller/DocumentsController.php
@@ -14,21 +14,33 @@ use FPDF; | @@ -14,21 +14,33 @@ use FPDF; | ||
14 | class DocumentsController extends AppController { | 14 | class DocumentsController extends AppController { |
15 | 15 | ||
16 | /** | 16 | /** |
17 | + * Give authorization for documents | ||
17 | * | 18 | * |
18 | - * @param $user Give | ||
19 | - * authorization for documents | 19 | + * @param $user |
20 | * @return boolean | 20 | * @return boolean |
21 | */ | 21 | */ |
22 | public function isAuthorized($user) { | 22 | public function isAuthorized($user) { |
23 | - $configuration = $this->confLabinvent; | 23 | + //$configuration = $this->confLabinvent; |
24 | + $action = $this->request->getAttribute('params')['action']; | ||
25 | + $role = $this->getUserRole($user); | ||
26 | + /* | ||
24 | $role = TableRegistry::get('Users')->find() | 27 | $role = TableRegistry::get('Users')->find() |
25 | ->where(['username' => $user[$configuration->authentificationType_ldap][0]]) | 28 | ->where(['username' => $user[$configuration->authentificationType_ldap][0]]) |
26 | ->first()['role']; | 29 | ->first()['role']; |
27 | - $action = $this->request->getAttribute('params')['action']; | 30 | + */ |
28 | 31 | ||
32 | + // Pour tout le monde | ||
33 | + if (in_array($action, [ | ||
34 | + //'view', | ||
35 | + //'add', | ||
36 | + 'ficheMateriel' | ||
37 | + ])) return true; | ||
38 | + | ||
29 | // Super-Admin peut accéder à chaque action | 39 | // Super-Admin peut accéder à chaque action |
40 | + /* | ||
30 | if ($role == 'Super Administrateur') | 41 | if ($role == 'Super Administrateur') |
31 | return true; | 42 | return true; |
43 | + */ | ||
32 | 44 | ||
33 | if (in_array($action, [ | 45 | if (in_array($action, [ |
34 | 'admission', | 46 | 'admission', |
@@ -114,15 +126,8 @@ class DocumentsController extends AppController { | @@ -114,15 +126,8 @@ class DocumentsController extends AppController { | ||
114 | } | 126 | } |
115 | } | 127 | } |
116 | 128 | ||
117 | - // Pour tout le monde | ||
118 | - if (in_array($action, [ | ||
119 | - 'view', | ||
120 | - 'add', | ||
121 | - 'ficheMateriel' | ||
122 | - ])) | ||
123 | - return true; | ||
124 | - | ||
125 | - return false; | 129 | + //return false; |
130 | + return parent::isAuthorized($user); | ||
126 | } | 131 | } |
127 | 132 | ||
128 | /** | 133 | /** |
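Review bot: This controller still reads the action through `$this->request->getAttribute('params')['action']` (new line 24) while every other controller in this commit switched to `$this->getActionPassed()`; using the helper here too keeps the lookup in one place. `$role` on new line 25 is presumably read further down in the method, which continues outside both hunks, so I cannot tell from here whether it is still needed. Dropping `'view'` and `'add'` from the local list is behaviour-neutral only because the final `parent::isAuthorized($user)` grants them to every role; a comment such as `// view/add are granted for all roles by AppController::isAuthorized()` would make that dependency explicit.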
src/Controller/EmpruntsController.php
@@ -18,26 +18,29 @@ class EmpruntsController extends AppController | @@ -18,26 +18,29 @@ class EmpruntsController extends AppController | ||
18 | 18 | ||
19 | /** | 19 | /** |
20 | * @param $user | 20 | * @param $user |
21 | + * @return boolean | ||
21 | * | 22 | * |
22 | * Give authorization for emprunts | 23 | * Give authorization for emprunts |
23 | - * | ||
24 | - * @return boolean | ||
25 | */ | 24 | */ |
26 | public function isAuthorized($user) | 25 | public function isAuthorized($user) |
27 | { | 26 | { |
28 | - $configuration = $this->confLabinvent; | ||
29 | - $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; | 27 | + //$configuration = $this->confLabinvent; |
28 | + //$action = $this->request->getAttribute('params')['action']; | ||
29 | + //$role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; | ||
30 | + $action = $this->getActionPassed(); | ||
31 | + $role = $this->getUserRole($user); | ||
30 | 32 | ||
31 | - $action = $this->request->getAttribute('params')['action']; | ||
32 | - | ||
33 | - if($this->userHasRoleAtLeast('Responsable')) return true; | ||
34 | - | ||
35 | - //Pour un "utilisateur" | 33 | + // Responsable + peut tout faire |
34 | + //if ($this->userHasRoleAtLeast('Responsable')) return true; | ||
35 | + if ($this->USER_IS_RESP_AT_LEAST()) return true; | ||
36 | + | ||
37 | + // Pour un "utilisateur" | ||
36 | if (in_array($action, ['edit', 'delete'])) { | 38 | if (in_array($action, ['edit', 'delete'])) { |
37 | - $id = (int)$this->request->getAttribute('params')['pass'][0]; | ||
38 | - if($this->isOwnedBy($id, $user['sn'][0].' '.$user['givenname'][0])) return true; | 39 | + //$id = (int)$this->request->getAttribute('params')['pass'][0]; |
40 | + if($this->isOwnedBy($this->getIdPassed(), $user['sn'][0].' '.$user['givenname'][0])) return true; | ||
39 | } | 41 | } |
40 | 42 | ||
43 | + // Par défaut | ||
41 | return parent::isAuthorized($user); | 44 | return parent::isAuthorized($user); |
42 | } | 45 | } |
43 | 46 |
src/Controller/FichemetrologiquesController.php
@@ -15,10 +15,9 @@ class FichemetrologiquesController extends AppController | @@ -15,10 +15,9 @@ class FichemetrologiquesController extends AppController | ||
15 | //public $helpers = array('GoogleCharts.GoogleCharts'); | 15 | //public $helpers = array('GoogleCharts.GoogleCharts'); |
16 | 16 | ||
17 | /** | 17 | /** |
18 | - * @param $user | ||
19 | - * | ||
20 | * Give authorization for fichemetrologiques | 18 | * Give authorization for fichemetrologiques |
21 | - * | 19 | + * |
20 | + * @param $user | ||
22 | * @return boolean | 21 | * @return boolean |
23 | */ | 22 | */ |
24 | public function isAuthorized($user) | 23 | public function isAuthorized($user) |
@@ -38,8 +37,10 @@ class FichemetrologiquesController extends AppController | @@ -38,8 +37,10 @@ class FichemetrologiquesController extends AppController | ||
38 | if($role == 'Responsable' && $this->isRespGroup($id, $user[$configuration->authentificationType_ldap][0])) return true; | 37 | if($role == 'Responsable' && $this->isRespGroup($id, $user[$configuration->authentificationType_ldap][0])) return true; |
39 | } | 38 | } |
40 | 39 | ||
41 | - return parent::isAuthorized($user); | 40 | + //return parent::isAuthorized($user); |
42 | */ | 41 | */ |
42 | + | ||
43 | + // Tout profil peut tout faire !!! (A affiner, non ?) | ||
43 | return true; | 44 | return true; |
44 | } | 45 | } |
45 | 46 |
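Review bot: isAuthorized() still ends in an unconditional `return true;` (new line 44), so every authenticated user can run every action of this controller, including edit and delete; the new comment acknowledges this but the commit leaves it in place while the other controllers are tightened. The ownership and Responsable checks that would apply are present just above, inside the commented-out block, and they reference `$configuration`, `$id` and `$role` that would need to be re-established first. As a minimal tightening until that block is restored, `return parent::isAuthorized($user);` keeps index/view/add open to all roles while limiting edit and delete to Super Administrateur.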
src/Controller/FormulesController.php
@@ -12,28 +12,32 @@ class FormulesController extends AppController | @@ -12,28 +12,32 @@ class FormulesController extends AppController | ||
12 | { | 12 | { |
13 | 13 | ||
14 | /** | 14 | /** |
15 | - * @param $user | ||
16 | - * | ||
17 | * Give authorization for formules | 15 | * Give authorization for formules |
18 | - * | 16 | + * |
17 | + * @param $user | ||
19 | * @return boolean | 18 | * @return boolean |
20 | */ | 19 | */ |
21 | public function isAuthorized($user) | 20 | public function isAuthorized($user) |
22 | { | 21 | { |
23 | - $configuration = $this->confLabinvent; | ||
24 | - $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; | ||
25 | - | ||
26 | - $action = $this->request->getAttribute('params')['action']; | 22 | + //$configuration = $this->confLabinvent; |
23 | + //$action = $this->request->getAttribute('params')['action']; | ||
24 | + $action = $this->getActionPassed(); | ||
25 | + //$role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; | ||
26 | + $role = $this->getUserRole($user); | ||
27 | 27 | ||
28 | - if($this->userHasRoleAtLeast('Administration')) return true; | 28 | + // Admin + peut tout faire |
29 | + //if($this->userHasRoleAtLeast('Administration')) return true; | ||
30 | + if ($this->USER_IS_ADMIN_AT_LEAST()) return true; | ||
29 | 31 | ||
30 | - //Pour un "utilisateur" | 32 | + // Les autres users |
31 | if (in_array($action, ['edit', 'delete'])) { | 33 | if (in_array($action, ['edit', 'delete'])) { |
32 | - $id = (int)$this->request->getAttribute('params')['pass'][0]; | ||
33 | - if($this->isOwnedBy($id, $user['sn'][0].' '.$user['givenname'][0])) return true; | ||
34 | - if($role == 'Responsable' && $this->isRespGroup($id, $user[$configuration->authentificationType_ldap][0])) return true; | 34 | + //$id = (int)$this->request->getAttribute('params')['pass'][0]; |
35 | + $id = $this->getIdPassed(); | ||
36 | + if ($this->isOwnedBy($id, $user['sn'][0].' '.$user['givenname'][0])) return true; | ||
37 | + if ($role == 'Responsable' && $this->isRespGroup($id, $user[$configuration->authentificationType_ldap][0])) return true; | ||
35 | } | 38 | } |
36 | 39 | ||
40 | + // Par défaut | ||
37 | return parent::isAuthorized($user); | 41 | return parent::isAuthorized($user); |
38 | } | 42 | } |
39 | 43 |
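Review bot: `$configuration = $this->confLabinvent;` is commented out on new line 22, but new line 37 still reads `$user[$configuration->authentificationType_ldap][0]` for the Responsable check, so `$configuration` is now undefined there: PHP evaluates it to null, the property access yields null, and `isRespGroup($id, null)` is called with no username, which silently disables the Responsable rule for edit/delete (and emits notices). Restore `$configuration = $this->confLabinvent;` at the top of the method, or read the attribute name directly with `$this->confLabinvent->authentificationType_ldap`.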
src/Controller/FournisseursController.php
@@ -13,32 +13,46 @@ class FournisseursController extends AppController | @@ -13,32 +13,46 @@ class FournisseursController extends AppController | ||
13 | { | 13 | { |
14 | 14 | ||
15 | /** | 15 | /** |
16 | - * @param $user | ||
17 | - * | ||
18 | * Give authorization for unite | 16 | * Give authorization for unite |
19 | * | 17 | * |
18 | + * @param $user | ||
20 | * @return boolean | 19 | * @return boolean |
21 | */ | 20 | */ |
22 | public function isAuthorized($user) | 21 | public function isAuthorized($user) |
23 | { | 22 | { |
24 | - $configuration = $this->confLabinvent; | ||
25 | - $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; | ||
26 | - $action = $this->request->getAttribute('params')['action']; | 23 | + //$configuration = $this->confLabinvent; |
24 | + //$action = $this->request->getAttribute('params')['action']; | ||
25 | + //$role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; | ||
26 | + $action = $this->getActionPassed(); | ||
27 | + $role = $this->getUserRole($user); | ||
27 | 28 | ||
28 | - // Super-Admin peut accéder à chaque action | ||
29 | - if($role == 'Super Administrateur') return true; | ||
30 | - | ||
31 | - // Administration peut ajouter, supprimer ou modifier un fournisseur | ||
32 | - if($role == 'Administration' && in_array($action,['add','delete','edit'])) return true; | 29 | + // TOUS |
30 | + /* | ||
33 | if (in_array($action, ['view', 'index'])) { | 31 | if (in_array($action, ['view', 'index'])) { |
34 | return true; | 32 | return true; |
35 | } | 33 | } |
36 | - | ||
37 | - if($this->userHasRoleAtLeast('Administration Plus')) { | ||
38 | - if($action != 'delete') return true; | 34 | + */ |
35 | + | ||
36 | + // Super-Admin peut accéder à chaque action | ||
37 | + //if($role == 'Super Administrateur') return true; | ||
38 | + | ||
39 | + /* | ||
40 | + // Administration + peut ajouter, supprimer ou modifier | ||
41 | + if( in_array($action,['add','delete','edit'])) { | ||
42 | + if ($this->USER_IS_ADMIN_AT_LEAST()) return true; | ||
43 | + return false; | ||
39 | } | 44 | } |
45 | + */ | ||
46 | + | ||
47 | + // Administration peut ajouter, supprimer ou modifier un fournisseur | ||
48 | + //if($role == 'Administration' && in_array($action,['add','delete','edit'])) return true; | ||
49 | + | ||
50 | + // Par défaut | ||
51 | + //return false; | ||
52 | + //return parent::isAuthorized($user); | ||
53 | + | ||
54 | + return $this->isAuthorizedCommons(); | ||
40 | 55 | ||
41 | - return false; | ||
42 | } | 56 | } |
43 | 57 | ||
44 | 58 |
src/Controller/GroupesMetiersController.php
@@ -13,33 +13,53 @@ class GroupesMetiersController extends AppController | @@ -13,33 +13,53 @@ class GroupesMetiersController extends AppController | ||
13 | { | 13 | { |
14 | 14 | ||
15 | /** | 15 | /** |
16 | - * @param $user | ||
17 | - * | ||
18 | * Give authorization for groupes metiers | 16 | * Give authorization for groupes metiers |
19 | * | 17 | * |
18 | + * @param $user | ||
20 | * @return boolean | 19 | * @return boolean |
21 | */ | 20 | */ |
22 | public function isAuthorized($user) | 21 | public function isAuthorized($user) |
23 | { | 22 | { |
24 | - $configuration = $this->confLabinvent; | ||
25 | - $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; | ||
26 | - $action = $this->request->getAttribute('params')['action']; | ||
27 | - | ||
28 | - // Super-Admin peut accéder à chaque action | ||
29 | - if($role == 'Super Administrateur') return true; | ||
30 | - | ||
31 | - // Administration peut ajouter, supprimer ou modifier un métier | ||
32 | - if($role == 'Administration' && in_array($action,['add','delete','edit'])) return true; | ||
33 | - | 23 | + //$action = $this->request->getAttribute('params')['action']; |
24 | + //$configuration = $this->confLabinvent; | ||
25 | + //$role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; | ||
26 | + $action = $this->getActionPassed(); | ||
27 | + $role = $this->getUserRole($user); | ||
28 | + | ||
29 | + /* | ||
30 | + // TOUS | ||
34 | if (in_array($action, ['view', 'index'])) { | 31 | if (in_array($action, ['view', 'index'])) { |
35 | return true; | 32 | return true; |
36 | } | 33 | } |
37 | - | ||
38 | - if($this->userHasRoleAtLeast('Administration Plus')) { | ||
39 | - if($action != 'delete') return true; | 34 | + */ |
35 | + | ||
36 | + // Super-Admin peut accéder à chaque action | ||
37 | + //if ($role == 'Super Administrateur') return true; | ||
38 | + | ||
39 | + /* | ||
40 | + // AdministrationPlus peut tout faire sauf delete | ||
41 | + if ($this->userHasRole('Administration Plus')) { | ||
42 | + if ($action != 'delete') return true; | ||
40 | } | 43 | } |
44 | + */ | ||
45 | + | ||
46 | + /* | ||
47 | + // Action add, ... seulement pour Admin et + | ||
48 | + //if($role == 'Administration' && in_array($action,['add','delete','edit'])) return true; | ||
49 | + if( in_array($action,['add','delete','edit'])) { | ||
50 | + //if ($role == 'Administration') return true; | ||
51 | + if ($this->USER_IS_ADMIN_AT_LEAST()) return true; | ||
52 | + // Les autres n'y ont pas accès | ||
53 | + return false; | ||
54 | + } | ||
55 | + */ | ||
41 | 56 | ||
42 | - return false; | 57 | + // Par défaut |
58 | + //return false; | ||
59 | + //return parent::isAuthorized($user); | ||
60 | + | ||
61 | + return $this->isAuthorizedCommons(); | ||
62 | + | ||
43 | } | 63 | } |
44 | 64 | ||
45 | 65 |
src/Controller/GroupesThematiquesController.php
@@ -14,33 +14,42 @@ class GroupesThematiquesController extends AppController | @@ -14,33 +14,42 @@ class GroupesThematiquesController extends AppController | ||
14 | 14 | ||
15 | 15 | ||
16 | /** | 16 | /** |
17 | - * @param $user | ||
18 | - * | ||
19 | * Give authorization for groupes thematiques | 17 | * Give authorization for groupes thematiques |
20 | * | 18 | * |
19 | + * @param $user | ||
21 | * @return boolean | 20 | * @return boolean |
22 | */ | 21 | */ |
23 | public function isAuthorized($user) | 22 | public function isAuthorized($user) |
24 | { | 23 | { |
25 | - $configuration = $this->confLabinvent; | ||
26 | - $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; | ||
27 | - $action = $this->request->getAttribute('params')['action']; | ||
28 | - | ||
29 | - // Super-Admin peut accéder à chaque action | ||
30 | - if($role == 'Super Administrateur') return true; | ||
31 | - | ||
32 | - // Administration peut ajouter, supprimer ou modifier une thematique | ||
33 | - if($role == 'Administration' && in_array($action,['add','delete','edit'])) return true; | ||
34 | - | 24 | + //return (new GroupesMetiersController())->isAuthorized($user); |
25 | + | ||
26 | + //$configuration = $this->confLabinvent; | ||
27 | + //$role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; | ||
28 | + //$action = $this->request->getAttribute('params')['action']; | ||
29 | + $action = $this->getActionPassed(); | ||
30 | + $role = $this->getUserRole($user); | ||
31 | + | ||
32 | + /* | ||
35 | if (in_array($action, ['view', 'index'])) { | 33 | if (in_array($action, ['view', 'index'])) { |
36 | return true; | 34 | return true; |
37 | } | 35 | } |
38 | - | ||
39 | - if($this->userHasRoleAtLeast('Administration Plus')) { | ||
40 | - if($action != 'delete') return true; | 36 | + */ |
37 | + | ||
38 | + // Super-Admin peut accéder à chaque action | ||
39 | + //if($role == 'Super Administrateur') return true; | ||
40 | + | ||
41 | + /* | ||
42 | + // Administration + peut ajouter, supprimer ou modifier | ||
43 | + if( in_array($action,['add','delete','edit'])) { | ||
44 | + if ($this->USER_IS_ADMIN_AT_LEAST()) return true; | ||
45 | + return false; | ||
41 | } | 46 | } |
42 | - | ||
43 | - return false; | 47 | + */ |
48 | + | ||
49 | + // Par défaut | ||
50 | + //return false; | ||
51 | + //return parent::isAuthorized($user); | ||
52 | + return $this->isAuthorizedCommons(); | ||
44 | } | 53 | } |
45 | 54 | ||
46 | 55 |
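Review bot: `$role` on L615 is assigned and never read, and with every in-controller check turned into a block comment (L617–L623, L628–L635) the method no longer makes any decision of its own — add/edit/delete for a plain 'Utilisateur' is denied only if `isAuthorizedCommons()` (not in this diff) denies it, whereas the removed lines ended in an explicit `return false;`. Drop the dead `$role` assignment and the commented-out blocks, and replace them with one line that states the contract, `// All decisions for this controller are delegated to AppController::isAuthorizedCommons().`. Since the commit also starts classifying LDAP-only accounts as 'Utilisateur', a test that such a user gets a deny on add/edit/delete here would pin the fail-closed behaviour that now lives outside this file. Note `$user` is no longer passed to anything; `isAuthorizedCommons()` presumably reads the session instead.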
src/Controller/MaterielsController.php
@@ -64,12 +64,14 @@ class MaterielsController extends AppController { | @@ -64,12 +64,14 @@ class MaterielsController extends AppController { | ||
64 | ->first()['role']; | 64 | ->first()['role']; |
65 | */ | 65 | */ |
66 | $role = $this->getUserRole($user); | 66 | $role = $this->getUserRole($user); |
67 | - $this->myDebug("role is ".$role); | ||
68 | - debug("role is ".$role); | 67 | + //$this->myDebug("role is ".$role); |
68 | + //debug("role is ".$role); | ||
69 | //BETTER: | 69 | //BETTER: |
70 | //$action = $this->request->getAttribute('params')['action']; | 70 | //$action = $this->request->getAttribute('params')['action']; |
71 | - $action = $this->request->getParam('action'); | ||
72 | - $id = (int) $this->request->getParam('pass.0'); | 71 | + //$action = $this->request->getParam('action'); |
72 | + $action = $this->getActionPassed(); | ||
73 | + //$id = (int) $this->request->getParam('pass.0'); | ||
74 | + $id = $this->getIdPassed(); | ||
73 | 75 | ||
74 | /* | 76 | /* |
75 | * Structure mise en place: | 77 | * Structure mise en place: |
@@ -251,14 +253,23 @@ class MaterielsController extends AppController { | @@ -251,14 +253,23 @@ class MaterielsController extends AppController { | ||
251 | if ($this->USER_IS_ADMIN_AT_LEAST()) return true; | 253 | if ($this->USER_IS_ADMIN_AT_LEAST()) return true; |
252 | break; | 254 | break; |
253 | 255 | ||
256 | + /* | ||
254 | // Autorisations par defaut: | 257 | // Autorisations par defaut: |
255 | default: | 258 | default: |
256 | return parent::isAuthorized($user); | 259 | return parent::isAuthorized($user); |
257 | break; | 260 | break; |
261 | + */ | ||
262 | + | ||
258 | } // end of switch case | 263 | } // end of switch case |
264 | + | ||
265 | + return parent::isAuthorized($userFromSession); | ||
259 | } | 266 | } |
260 | 267 | ||
261 | 268 | ||
269 | + /* | ||
270 | + * @todo A déplacer dans Model/Table/TableMateriels | ||
271 | + * cf https://book.cakephp.org/3.0/fr/tutorials-and-examples/blog-auth-example/auth.html | ||
272 | + */ | ||
262 | public function isOwnedBy($id, $nomCreateur) { | 273 | public function isOwnedBy($id, $nomCreateur) { |
263 | return ( | 274 | return ( |
264 | $this->Materiels->exists([ | 275 | $this->Materiels->exists([ |
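Review bot: `parent::isAuthorized($userFromSession)` on L675 passes a variable that is assigned nowhere in this hunk, while the method's parameter is `$user` (used on L648); if it is not set earlier in the method — the body starts above the hunk — PHP raises an undefined-variable notice and the parent receives `null`, so the fallback decision for every action the switch does not match is made for a null user. Use the parameter, `return parent::isAuthorized($user);`, or make the session read explicit at the top of the method so the reader can see which identity is being judged. With `default:` commented out (L666–L671) unmatched actions now fall out of the switch to the same call, which is equivalent, but the dead block should be deleted rather than kept as a comment.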
src/Controller/OrganismesController.php
@@ -17,33 +17,45 @@ class OrganismesController extends AppController | @@ -17,33 +17,45 @@ class OrganismesController extends AppController | ||
17 | } | 17 | } |
18 | 18 | ||
19 | /** | 19 | /** |
20 | - * @param $user | ||
21 | - * | ||
22 | * Give authorization for organismes | 20 | * Give authorization for organismes |
23 | * | 21 | * |
22 | + * @param $user | ||
24 | * @return boolean | 23 | * @return boolean |
25 | */ | 24 | */ |
26 | public function isAuthorized($user) | 25 | public function isAuthorized($user) |
27 | { | 26 | { |
27 | + /* | ||
28 | + /* | ||
28 | $configuration = $this->confLabinvent; | 29 | $configuration = $this->confLabinvent; |
29 | $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; | 30 | $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; |
30 | $action = $this->request->getAttribute('params')['action']; | 31 | $action = $this->request->getAttribute('params')['action']; |
32 | + */ /* | ||
33 | + $action = $this->getActionPassed(); | ||
34 | + $role = $this->getUserRole($user); | ||
31 | 35 | ||
32 | // Super-Admin peut accéder à chaque action | 36 | // Super-Admin peut accéder à chaque action |
33 | - if($role == 'Super Administrateur') return true; | 37 | + //if($role == 'Super Administrateur') return true; |
34 | 38 | ||
35 | // Administration peut ajouter, supprimer ou modifier un organisme | 39 | // Administration peut ajouter, supprimer ou modifier un organisme |
36 | - if($role == 'Administration' && in_array($action,['add','delete','edit'])) return true; | ||
37 | - | 40 | + //if($role == 'Administration' && in_array($action,['add','delete','edit'])) return true; |
41 | + if( in_array($action,['add','delete','edit'])) { | ||
42 | + if ($this->USER_IS_ADMIN_AT_LEAST()) return true; | ||
43 | + return false; | ||
44 | + } | ||
45 | + | ||
46 | + /* | ||
38 | if (in_array($action, ['view', 'index'])) { | 47 | if (in_array($action, ['view', 'index'])) { |
39 | return true; | 48 | return true; |
40 | } | 49 | } |
41 | - | ||
42 | if($this->userHasRoleAtLeast('Administration Plus')) { | 50 | if($this->userHasRoleAtLeast('Administration Plus')) { |
43 | if($action != 'delete') return true; | 51 | if($action != 'delete') return true; |
44 | } | 52 | } |
45 | - | ||
46 | - return false; | 53 | + */ |
54 | + | ||
55 | + // Par défaut | ||
56 | + //return false; | ||
57 | + //return parent::isAuthorized($user); | ||
58 | + return $this->isAuthorizedCommons(); | ||
47 | } | 59 | } |
48 | 60 | ||
49 | /** | 61 | /** |
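Review bot: The `*/ /*` on L705 closes the first block comment and immediately opens a second one that runs to the `*/` on L729, so `$action`, `$role` and the add/edit/delete admin gate on L715–L718 are all inside a comment and never compiled — the method is effectively just `return $this->isAuthorizedCommons();`. If that is the intent (same shape as SitesController and the others), delete L706–L718 so the apparent `USER_IS_ADMIN_AT_LEAST()` gate does not mislead the next reader; if the explicit gate is meant to run here, change L705 to a bare `*/`. Either way, whether a plain 'Utilisateur' (now including LDAP-only accounts) can add, edit or delete an organisme is decided entirely by `isAuthorizedCommons()`, which is outside this diff, and deserves a test.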
src/Controller/PagesController.php
@@ -77,6 +77,7 @@ class PagesController extends AppController | @@ -77,6 +77,7 @@ class PagesController extends AppController | ||
77 | } | 77 | } |
78 | $this->myDebug($path); | 78 | $this->myDebug($path); |
79 | 79 | ||
80 | + // @todo : faire plus proprement, dans isAuthorized() | ||
80 | //Si l'utilisateur n'est pas connecté, on le redirige vers la page login.ctp | 81 | //Si l'utilisateur n'est pas connecté, on le redirige vers la page login.ctp |
81 | //sauf si l'action demandée est 'about' ou si le mode install est activé | 82 | //sauf si l'action demandée est 'about' ou si le mode install est activé |
82 | if (!($this->LdapAuth->user($configuration->authentificationType_ldap)[0]) && $path[0] != 'about' && !($configuration->mode_install)) { | 83 | if (!($this->LdapAuth->user($configuration->authentificationType_ldap)[0]) && $path[0] != 'about' && !($configuration->mode_install)) { |
@@ -96,9 +97,11 @@ class PagesController extends AppController | @@ -96,9 +97,11 @@ class PagesController extends AppController | ||
96 | $subpage = $path[1]; | 97 | $subpage = $path[1]; |
97 | } | 98 | } |
98 | 99 | ||
100 | + // @todo : faire plus proprement, avec isAuthorized() | ||
99 | if ($page == 'tools') { | 101 | if ($page == 'tools') { |
100 | // Autoriser seulement à partir du role ADMIN et + | 102 | // Autoriser seulement à partir du role ADMIN et + |
101 | - if (! $this->userHasRoleAtLeast('Administration')) { | 103 | + //if (! $this->userHasRoleAtLeast('Administration')) { |
104 | + if (! $this->USER_IS_ADMIN_AT_LEAST()) { | ||
102 | return $this->redirect('/'); | 105 | return $this->redirect('/'); |
103 | } | 106 | } |
104 | } | 107 | } |
src/Controller/QrCodesController.php
@@ -7,6 +7,7 @@ use \PHPQRCode\QRcode; | @@ -7,6 +7,7 @@ use \PHPQRCode\QRcode; | ||
7 | class QrCodesController extends AppController | 7 | class QrCodesController extends AppController |
8 | { | 8 | { |
9 | 9 | ||
10 | + // @todo Autoriser "creer" dans isAuthorized de ce controleur, et non pas dans celui de AppController !!! | ||
10 | public function creer($message = null) { | 11 | public function creer($message = null) { |
11 | 12 | ||
12 | $fileName = $this->request->session()->id().'.png'; | 13 | $fileName = $this->request->session()->id().'.png'; |
src/Controller/SitesController.php
@@ -13,24 +13,28 @@ class SitesController extends AppController | @@ -13,24 +13,28 @@ class SitesController extends AppController | ||
13 | { | 13 | { |
14 | 14 | ||
15 | /** | 15 | /** |
16 | - * @param $user | ||
17 | - * | ||
18 | * Give authorization for sites | 16 | * Give authorization for sites |
19 | - * | 17 | + * |
18 | + * @param $user | ||
20 | * @return boolean | 19 | * @return boolean |
21 | */ | 20 | */ |
22 | public function isAuthorized($user) | 21 | public function isAuthorized($user) |
23 | { | 22 | { |
23 | + /* | ||
24 | $configuration = $this->confLabinvent; | 24 | $configuration = $this->confLabinvent; |
25 | $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; | 25 | $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; |
26 | $action = $this->request->getAttribute('params')['action']; | 26 | $action = $this->request->getAttribute('params')['action']; |
27 | + */ | ||
28 | + $action = $this->getActionPassed(); | ||
29 | + $role = $this->getUserRole($user); | ||
27 | 30 | ||
28 | // Super-Admin peut accéder à chaque action | 31 | // Super-Admin peut accéder à chaque action |
29 | - if($role == 'Super Administrateur') return true; | 32 | + //if($role == 'Super Administrateur') return true; |
30 | 33 | ||
31 | // Administration peut ajouter, supprimer ou modifier un site | 34 | // Administration peut ajouter, supprimer ou modifier un site |
32 | - if($role == 'Administration' && in_array($action,['add','delete','edit'])) return true; | 35 | + //if($role == 'Administration' && in_array($action,['add','delete','edit'])) return true; |
33 | 36 | ||
37 | + /* | ||
34 | if (in_array($action, ['view', 'index'])) { | 38 | if (in_array($action, ['view', 'index'])) { |
35 | return true; | 39 | return true; |
36 | } | 40 | } |
@@ -38,8 +42,10 @@ class SitesController extends AppController | @@ -38,8 +42,10 @@ class SitesController extends AppController | ||
38 | if($this->userHasRoleAtLeast('Administration Plus')) { | 42 | if($this->userHasRoleAtLeast('Administration Plus')) { |
39 | if($action != 'delete') return true; | 43 | if($action != 'delete') return true; |
40 | } | 44 | } |
45 | + */ | ||
41 | 46 | ||
42 | - return false; | 47 | + //return false; |
48 | + return $this->isAuthorizedCommons(); | ||
43 | } | 49 | } |
44 | 50 | ||
45 | 51 |
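Review bot: `$action` (L787) and `$role` (L788) are live but never used once the surrounding checks became comments, and `$user` — the identity the Auth component actually handed to this method — is not consulted at all; `isAuthorizedCommons()` takes no argument, so it presumably re-reads the session. Remove the two dead assignments and the commented-out blocks (L782–L786, L796–L804), and if the argument and the session can ever differ (tests that inject a user, for instance), give the common helper a `$user` parameter and call `return $this->isAuthorizedCommons($user);` so one identity is judged everywhere.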
src/Controller/SousCategoriesController.php
@@ -16,14 +16,15 @@ class SousCategoriesController extends AppController | @@ -16,14 +16,15 @@ class SousCategoriesController extends AppController | ||
16 | } | 16 | } |
17 | 17 | ||
18 | /** | 18 | /** |
19 | - * @param $user | ||
20 | - * | ||
21 | * Give authorization for sous categories | 19 | * Give authorization for sous categories |
22 | * | 20 | * |
21 | + * @param $user | ||
23 | * @return boolean | 22 | * @return boolean |
24 | */ | 23 | */ |
25 | public function isAuthorized($user) | 24 | public function isAuthorized($user) |
26 | { | 25 | { |
26 | + $action = $this->getActionPassed(); | ||
27 | + /* | ||
27 | $configuration = $this->confLabinvent; | 28 | $configuration = $this->confLabinvent; |
28 | $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; | 29 | $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; |
29 | $action = $this->request->getAttribute('params')['action']; | 30 | $action = $this->request->getAttribute('params')['action']; |
@@ -33,16 +34,19 @@ class SousCategoriesController extends AppController | @@ -33,16 +34,19 @@ class SousCategoriesController extends AppController | ||
33 | 34 | ||
34 | // Administration peut ajouter, supprimer ou modifier une sous categorie | 35 | // Administration peut ajouter, supprimer ou modifier une sous categorie |
35 | if($role == 'Administration' && in_array($action,['add','delete','edit'])) return true; | 36 | if($role == 'Administration' && in_array($action,['add','delete','edit'])) return true; |
37 | + */ | ||
36 | 38 | ||
37 | - if (in_array($action, ['getByCategorie', 'view', 'index'])) { | ||
38 | - return true; | ||
39 | - } | 39 | + //if (in_array($action, ['getByCategorie', 'view', 'index'])) { |
40 | + if (in_array($action, ['getByCategorie'])) return true; | ||
40 | 41 | ||
42 | + /* | ||
41 | if($this->userHasRoleAtLeast('Administration Plus')) { | 43 | if($this->userHasRoleAtLeast('Administration Plus')) { |
42 | if($action != 'delete') return true; | 44 | if($action != 'delete') return true; |
43 | } | 45 | } |
44 | 46 | ||
45 | return false; | 47 | return false; |
48 | + */ | ||
49 | + return $this->isAuthorizedCommons(); | ||
46 | } | 50 | } |
47 | 51 | ||
48 | 52 |
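Review bot: L839 grants `getByCategorie` to every authenticated profile before any role check, and with this commit that now includes LDAP accounts absent from the users table; fine for a read-only lookup, but confirm it is meant to be that open. `in_array($action, ['getByCategorie'])` is a one-element membership test without `strict: true`; `if ($action === 'getByCategorie') return true;` says the same thing and compares strictly. The remainder delegates to `isAuthorizedCommons()`, which is outside this diff, so the commented-out blocks with the old `$role` query (L826–L834, L841–L847) should be deleted rather than left to suggest checks that no longer run.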
src/Controller/SuivisController.php
@@ -18,21 +18,28 @@ class SuivisController extends AppController { | @@ -18,21 +18,28 @@ class SuivisController extends AppController { | ||
18 | * @return boolean | 18 | * @return boolean |
19 | */ | 19 | */ |
20 | public function isAuthorized($user) { | 20 | public function isAuthorized($user) { |
21 | - $configuration = $this->confLabinvent; | 21 | + //$configuration = $this->confLabinvent; |
22 | + /* | ||
22 | $role = TableRegistry::get('Users')->find() | 23 | $role = TableRegistry::get('Users')->find() |
23 | ->where([ | 24 | ->where([ |
24 | 'username' => $user[$configuration->authentificationType_ldap][0] | 25 | 'username' => $user[$configuration->authentificationType_ldap][0] |
25 | ]) | 26 | ]) |
26 | ->first()['role']; | 27 | ->first()['role']; |
27 | $action = $this->request->getAttribute('params')['action']; | 28 | $action = $this->request->getAttribute('params')['action']; |
28 | - if ($this->userHasRoleAtLeast('Administration')) | ||
29 | - return true; | 29 | + */ |
30 | + $action = $this->getActionPassed(); | ||
31 | + $role = $this->getUserRole($user); | ||
32 | + | ||
33 | + //if ($this->userHasRoleAtLeast('Administration')) | ||
34 | + if ($this->USER_IS_ADMIN_AT_LEAST()) return true; | ||
35 | + | ||
30 | // Pour un "utilisateur" | 36 | // Pour un "utilisateur" |
31 | if (in_array($action, [ | 37 | if (in_array($action, [ |
32 | 'edit', | 38 | 'edit', |
33 | 'delete' | 39 | 'delete' |
34 | ])) { | 40 | ])) { |
35 | - $id = (int) $this->request->getAttribute('params')['pass'][0]; | 41 | + //$id = (int) $this->request->getAttribute('params')['pass'][0]; |
42 | + $id = $this->getIdPassed(); | ||
36 | if ($this->isOwnedBy($id, $user['sn'][0] . ' ' . $user['givenname'][0])) | 43 | if ($this->isOwnedBy($id, $user['sn'][0] . ' ' . $user['givenname'][0])) |
37 | return true; | 44 | return true; |
38 | if ($role == 'Responsable' && $this->isRespGroup($id, $user[$configuration->authentificationType_ldap][0])) | 45 | if ($role == 'Responsable' && $this->isRespGroup($id, $user[$configuration->authentificationType_ldap][0])) |
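Review bot: L857 comments out `$configuration = $this->confLabinvent;`, but L882 still reads `$user[$configuration->authentificationType_ldap][0]` for the Responsable check, so `$configuration` is now undefined there: PHP emits a notice, the expression evaluates to null and `isRespGroup($id, null)` is called, which means the Responsable branch for edit/delete of a suivi can no longer succeed — it fails closed, but by accident and with a notice on every request that reaches it. Restore the assignment, or resolve the login up front the way the other refactored controllers do, e.g. `$login = $user[$this->confLabinvent->authentificationType_ldap][0];` and pass `$login` to `isRespGroup`. Separately, `isOwnedBy($id, $user['sn'][0] . ' ' . $user['givenname'][0])` on L880 keys ownership on a concatenated display name, so two directory accounts with the same surname and given name would pass as each other; the login would be a safer key. The method continues past the hunk.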
src/Controller/SurCategoriesController.php
@@ -17,14 +17,14 @@ class SurCategoriesController extends AppController | @@ -17,14 +17,14 @@ class SurCategoriesController extends AppController | ||
17 | 17 | ||
18 | 18 | ||
19 | /** | 19 | /** |
20 | - * @param $user | ||
21 | - * | ||
22 | * Give authorization for sur categories | 20 | * Give authorization for sur categories |
23 | * | 21 | * |
22 | + * @param $user | ||
24 | * @return boolean | 23 | * @return boolean |
25 | */ | 24 | */ |
26 | public function isAuthorized($user) | 25 | public function isAuthorized($user) |
27 | { | 26 | { |
27 | + /* | ||
28 | $configuration = $this->confLabinvent; | 28 | $configuration = $this->confLabinvent; |
29 | $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; | 29 | $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; |
30 | $action = $this->request->getAttribute('params')['action']; | 30 | $action = $this->request->getAttribute('params')['action']; |
@@ -44,6 +44,8 @@ class SurCategoriesController extends AppController | @@ -44,6 +44,8 @@ class SurCategoriesController extends AppController | ||
44 | } | 44 | } |
45 | 45 | ||
46 | return false; | 46 | return false; |
47 | + */ | ||
48 | + return $this->isAuthorizedCommons(); | ||
47 | } | 49 | } |
48 | 50 | ||
49 | 51 |
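Review bot: The whole former body (L897–L905) is kept as a block comment and only `return $this->isAuthorizedCommons();` is live; commented-out role checks inside an authorization method are a liability because a reader will assume they still apply. Delete the block and leave a single why-comment, `// Authorization is delegated entirely to AppController::isAuthorizedCommons(); no per-action rule here.`. The docblock on L890 should say the same rather than "Give authorization for sur categories", which now describes nothing the method does itself.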
src/Controller/TypeDocumentsController.php
@@ -13,14 +13,14 @@ class TypeDocumentsController extends AppController | @@ -13,14 +13,14 @@ class TypeDocumentsController extends AppController | ||
13 | { | 13 | { |
14 | 14 | ||
15 | /** | 15 | /** |
16 | - * @param $user | ||
17 | - * | ||
18 | * Give authorization for types suivis | 16 | * Give authorization for types suivis |
19 | * | 17 | * |
18 | + * @param $user | ||
20 | * @return boolean | 19 | * @return boolean |
21 | */ | 20 | */ |
22 | public function isAuthorized($user) | 21 | public function isAuthorized($user) |
23 | { | 22 | { |
23 | + /* | ||
24 | $configuration = $this->confLabinvent; | 24 | $configuration = $this->confLabinvent; |
25 | $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; | 25 | $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; |
26 | $action = $this->request->getAttribute('params')['action']; | 26 | $action = $this->request->getAttribute('params')['action']; |
@@ -40,6 +40,8 @@ class TypeDocumentsController extends AppController | @@ -40,6 +40,8 @@ class TypeDocumentsController extends AppController | ||
40 | } | 40 | } |
41 | 41 | ||
42 | return false; | 42 | return false; |
43 | + */ | ||
44 | + return $this->isAuthorizedCommons(); | ||
43 | } | 45 | } |
44 | 46 | ||
45 | 47 |
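Review bot: The docblock on L917 still reads "Give authorization for types suivis" inside TypeDocumentsController — a copy-paste from TypeSuivisController; make it `* Give authorization for type documents` or, more usefully, `* Delegates entirely to AppController::isAuthorizedCommons().` since that is now the only live statement. The old body on L924–L931 is kept as a block comment with nothing live but the delegation; remove it so the file does not suggest role checks that no longer run.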
src/Controller/TypeSuivisController.php
@@ -13,14 +13,14 @@ class TypeSuivisController extends AppController | @@ -13,14 +13,14 @@ class TypeSuivisController extends AppController | ||
13 | { | 13 | { |
14 | 14 | ||
15 | /** | 15 | /** |
16 | - * @param $user | ||
17 | - * | ||
18 | * Give authorization for types suivis | 16 | * Give authorization for types suivis |
19 | * | 17 | * |
18 | + * @param $user | ||
20 | * @return boolean | 19 | * @return boolean |
21 | */ | 20 | */ |
22 | public function isAuthorized($user) | 21 | public function isAuthorized($user) |
23 | { | 22 | { |
23 | + /* | ||
24 | $configuration = $this->confLabinvent; | 24 | $configuration = $this->confLabinvent; |
25 | $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; | 25 | $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; |
26 | $action = $this->request->getAttribute('params')['action']; | 26 | $action = $this->request->getAttribute('params')['action']; |
@@ -40,6 +40,8 @@ class TypeSuivisController extends AppController | @@ -40,6 +40,8 @@ class TypeSuivisController extends AppController | ||
40 | } | 40 | } |
41 | 41 | ||
42 | return false; | 42 | return false; |
43 | + */ | ||
44 | + return $this->isAuthorizedCommons(); | ||
43 | } | 45 | } |
44 | 46 | ||
45 | 47 |
src/Controller/UnitesController.php
@@ -13,14 +13,14 @@ class UnitesController extends AppController | @@ -13,14 +13,14 @@ class UnitesController extends AppController | ||
13 | { | 13 | { |
14 | 14 | ||
15 | /** | 15 | /** |
16 | - * @param $user | ||
17 | - * | ||
18 | * Give authorization for unites | 16 | * Give authorization for unites |
19 | * | 17 | * |
18 | + * @param $user | ||
20 | * @return boolean | 19 | * @return boolean |
21 | */ | 20 | */ |
22 | public function isAuthorized($user) | 21 | public function isAuthorized($user) |
23 | { | 22 | { |
23 | + /* | ||
24 | $configuration = $this->confLabinvent; | 24 | $configuration = $this->confLabinvent; |
25 | $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; | 25 | $role = TableRegistry::get('Users')->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; |
26 | $action = $this->request->getAttribute('params')['action']; | 26 | $action = $this->request->getAttribute('params')['action']; |
@@ -39,6 +39,8 @@ class UnitesController extends AppController | @@ -39,6 +39,8 @@ class UnitesController extends AppController | ||
39 | } | 39 | } |
40 | 40 | ||
41 | return false; | 41 | return false; |
42 | + */ | ||
43 | + return $this->isAuthorizedCommons(); | ||
42 | } | 44 | } |
43 | 45 | ||
44 | 46 |
src/Controller/UsersController.php
@@ -17,44 +17,48 @@ class UsersController extends AppController | @@ -17,44 +17,48 @@ class UsersController extends AppController | ||
17 | return "L'"; | 17 | return "L'"; |
18 | } | 18 | } |
19 | 19 | ||
20 | + // 1) AVANT connexion | ||
21 | + public function beforeFilter(Event $event) | ||
22 | + { | ||
23 | + parent::beforeFilter($event); | ||
24 | + $this->LdapAuth->allow(['logout']); | ||
25 | + } | ||
26 | + | ||
20 | 27 | ||
28 | + // 2) APRES connexion | ||
21 | /** | 29 | /** |
22 | - * @param $user | ||
23 | - * | ||
24 | * Give authorization for users | 30 | * Give authorization for users |
25 | - * | 31 | + * @param $user |
26 | * @return boolean | 32 | * @return boolean |
27 | */ | 33 | */ |
28 | public function isAuthorized($user) | 34 | public function isAuthorized($user) |
29 | { | 35 | { |
30 | - $configuration = $this->confLabinvent; | ||
31 | - $role = $this->Users->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; | ||
32 | - | ||
33 | - $action = $this->request->getAttribute('params')['action']; | ||
34 | - | ||
35 | - // Super-Admin peut accéder à chaque action | ||
36 | - if($role == 'Super Administrateur') return true; | ||
37 | - | ||
38 | - //Pour tout le monde | ||
39 | - if (in_array($action, ['index', 'view', 'getLdapLogin', 'getLdapEmail','indexRecap'])) return true; | ||
40 | - | 36 | + //$configuration = $this->confLabinvent; |
37 | + //$role = $this->Users->find()->where(['username' => $user[$configuration->authentificationType_ldap][0]])->first()['role']; | ||
38 | + //$action = $this->request->getAttribute('params')['action']; | ||
39 | + $action = $this->getActionPassed(); | ||
41 | 40 | ||
41 | + // Actions de CE controleur accessibles à tous les profils | ||
42 | + //if (in_array($action, ['index', 'view', 'getLdapLogin', 'getLdapEmail','indexRecap'])) return true; | ||
43 | + if (in_array($action, ['getLdapLogin', 'getLdapEmail','indexRecap'])) return true; | ||
44 | + | ||
45 | + // Inutile car déjà dit dans parent::isAuthorized() | ||
46 | + // Super-Admin peut accéder à toutes les actions de CE controleur | ||
47 | + //if ($role == 'Super Administrateur') return true; | ||
48 | + | ||
42 | // Par défaut refuser | 49 | // Par défaut refuser |
43 | - return false; | 50 | + //return false; |
51 | + return parent::isAuthorized($user); | ||
44 | } | 52 | } |
45 | 53 | ||
46 | 54 | ||
47 | - public function beforeFilter(Event $event) | ||
48 | - { | ||
49 | - parent::beforeFilter($event); | ||
50 | - $this->LdapAuth->allow(['logout']); | ||
51 | - } | ||
52 | 55 | ||
53 | public function login() | 56 | public function login() |
54 | { | 57 | { |
55 | if ($this->request->is('post')) { | 58 | if ($this->request->is('post')) { |
56 | 59 | ||
57 | $user = $this->LdapAuth->connection(); | 60 | $user = $this->LdapAuth->connection(); |
61 | + //debug($user); | ||
58 | 62 | ||
59 | if ($user != FALSE) { | 63 | if ($user != FALSE) { |
60 | $this->LdapAuth->setUser($user); | 64 | $this->LdapAuth->setUser($user); |
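Review bot: L1031 keeps `getLdapLogin`, `getLdapEmail` and `indexRecap` open to every authenticated profile, and since this commit now classes LDAP accounts absent from the users table as 'Utilisateur', any directory account can drive the two LDAP lookup actions and the users recap; if those exist only to feed the admin add/edit forms, gate them with `USER_IS_ADMIN_AT_LEAST()` like the rest. `index` and `view` were dropped from that list (L1030 vs L1031), so who may list or view users is now decided by `parent::isAuthorized()` in AppController, which is not in this diff — one test per role would pin that. Minor: pass `true` as the third argument to `in_array`, and drop the leftover `//debug($user);` on L1054 next to the code that stores the LDAP record in the session.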
src/Model/Table/LdapConnectionsTable.php
@@ -62,13 +62,23 @@ class LdapConnectionsTable extends AppTable { | @@ -62,13 +62,23 @@ class LdapConnectionsTable extends AppTable { | ||
62 | } | 62 | } |
63 | } | 63 | } |
64 | 64 | ||
65 | - $prefix = "_NouvelUtilisateur_"; | 65 | + //EP (aout 2017) |
66 | + // ATTENTION : Utilisateur IMPORTANT. | ||
67 | + // Avec cet utilisateur, on simule un utilisateur qui n'est PAS dans la table utilisateurs | ||
68 | + // Il devrait donc se voir attribuer un role "Utilisateur" sans pour autant que ça soit écrit dans la table !!! | ||
69 | + // login = '_NouvelUtilisateur_username' | ||
70 | + // pass = '_NouvelUtilisateur_password' | ||
71 | + //$prefix = "_NouvelUtilisateur_"; | ||
66 | $ldapUsers[] = [ | 72 | $ldapUsers[] = [ |
67 | - 'sn' => ['NOUVEL'], | ||
68 | - 'givenname' => ['UTILISATEUR'], | ||
69 | - 'mail' => [$prefix.'email'], | ||
70 | - $this->authenticationType => [$prefix.'username'], | ||
71 | - 'userpassword' => [$prefix.'password'], | 73 | + 'sn' => ['UTILISATEUR'], |
74 | + 'givenname' => ['FAKE_LDAP'], | ||
75 | + //'mail' => [$login.'email'], | ||
76 | + 'mail' => ['fakeldapuser@domain.fr'], | ||
77 | + //$this->authenticationType => [$prefix.'username'], | ||
78 | + $this->authenticationType => [$this->getTheFakeLdapUser()['login']], | ||
79 | + //$this->authenticationType => ['usere'], | ||
80 | + 'userpassword' => [$this->getTheFakeLdapUser()['pass']], | ||
81 | + //'userpassword' => ['toto'], | ||
72 | ]; | 82 | ]; |
73 | 83 | ||
74 | 84 | ||
@@ -86,6 +96,7 @@ class LdapConnectionsTable extends AppTable { | @@ -86,6 +96,7 @@ class LdapConnectionsTable extends AppTable { | ||
86 | if (empty($this->fakeLDAPUsers)) $this->fakeLDAPUsers = $this->buildFakeLdapUsers(); | 96 | if (empty($this->fakeLDAPUsers)) $this->fakeLDAPUsers = $this->buildFakeLdapUsers(); |
87 | return true; | 97 | return true; |
88 | } | 98 | } |
99 | + //debug($this->fakeLDAPUsers); | ||
89 | 100 | ||
90 | $ldapConfig = $config->toArray(); | 101 | $ldapConfig = $config->toArray(); |
91 | 102 | ||
@@ -254,13 +265,21 @@ class LdapConnectionsTable extends AppTable { | @@ -254,13 +265,21 @@ class LdapConnectionsTable extends AppTable { | ||
254 | return $nbUsers; | 265 | return $nbUsers; |
255 | } | 266 | } |
256 | 267 | ||
268 | + // Utilisateur du ldap qui n'est pas dans la table utilisateurs | ||
269 | + // => il a donc le role "Utilisateur" PAR DEFAUT | ||
270 | + private function getTheFakeLdapUser() { | ||
271 | + return [ | ||
272 | + 'login' => '_ldap_user_', | ||
273 | + 'pass' => '_ldap_user_pass', | ||
274 | + ]; | ||
275 | + } | ||
257 | public function ldapAuthentication($login, $password) { | 276 | public function ldapAuthentication($login, $password) { |
258 | 277 | ||
259 | try { | 278 | try { |
260 | if($this->checkConfiguration()) { | 279 | if($this->checkConfiguration()) { |
261 | 280 | ||
262 | if ($this->USE_LDAP) { | 281 | if ($this->USE_LDAP) { |
263 | - if (strlen(trim($password))==0) return FALSE; | 282 | + if (strlen(trim($password))==0) return FALSE; |
264 | $ldapConnection = ldap_connect($this->host, $this->port); | 283 | $ldapConnection = ldap_connect($this->host, $this->port); |
265 | ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3); | 284 | ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3); |
266 | if (@ldap_bind($ldapConnection, $this->authenticationType . '=' . $login . ',' . $this->baseDn, $password)) { | 285 | if (@ldap_bind($ldapConnection, $this->authenticationType . '=' . $login . ',' . $this->baseDn, $password)) { |
@@ -273,10 +292,14 @@ class LdapConnectionsTable extends AppTable { | @@ -273,10 +292,14 @@ class LdapConnectionsTable extends AppTable { | ||
273 | } | 292 | } |
274 | else { | 293 | else { |
275 | $user = $this->getFakeLdapUser($login); | 294 | $user = $this->getFakeLdapUser($login); |
276 | - if ($user != false && (new DefaultPasswordHasher)->check($password, $user['userpassword'][0])) { | ||
277 | - //if ($user != false && $user['userpassword'][0] == $password) { | ||
278 | - return $user; | ||
279 | - } | 295 | + //debug($user); |
296 | + if ($user === false) return FALSE; | ||
297 | + // $this->authenticationType peut valoir "uid" ou "cn"... (par défaut "uid" pour le fake ldap, à confirmer...) | ||
298 | + //if ($user['uid'][0] == "_NouvelUtilisateur_username" && $user['userpassword'][0] == "_NouvelUtilisateur_password") return $user; | ||
299 | + //if ($user[$this->authenticationType][0] == "_NouvelUtilisateur_username" && $user['userpassword'][0] == "_NouvelUtilisateur_password") return $user; | ||
300 | + if ($user[$this->authenticationType][0] == $this->getTheFakeLdapUser()['login'] && $user['userpassword'][0] == $this->getTheFakeLdapUser()['pass']) return $user; | ||
301 | + if ((new DefaultPasswordHasher)->check($password, $user['userpassword'][0])) return $user; | ||
302 | + //if ($user != false && $user['userpassword'][0] == $password) { | ||
280 | } | 303 | } |
281 | } | 304 | } |
282 | } | 305 | } |
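Review bot: The new check on L1129 never looks at the submitted `$password`: it compares the stored record's login and stored password with the constants returned by `getTheFakeLdapUser()`, which is always true for that record, so in the fake-LDAP branch (the `else` of `USE_LDAP`, L1119 onward) submitting login `_ldap_user_` with any password at all returns an authenticated user. The previous code ran every fake user through `DefaultPasswordHasher->check($password, …)`; the special case should compare the submitted password in constant time and fail closed for that login instead of falling through. This branch only runs when `USE_LDAP` is false (presumably dev/test), but that is a runtime config flag and the clear-text credentials are literals in a Table class, so it has to be treated as a real login path. Unrelated to this commit, the bind DN on L1116 is still built by concatenating `$login`; `ldap_escape($login, '', LDAP_ESCAPE_DN)` would close the DN-injection hole.
```php
$user = $this->getFakeLdapUser($login);
if ($user === false) return FALSE;
$fake = $this->getTheFakeLdapUser();
// The fake "LDAP-only" account keeps a clear-text password: check the *submitted* one, constant-time, and never fall through.
if ($user[$this->authenticationType][0] === $fake['login']) {
    return hash_equals($fake['pass'], (string) $password) ? $user : FALSE;
}
if ((new DefaultPasswordHasher)->check($password, $user['userpassword'][0])) return $user;
// … unchanged: closing braces, catch block …
```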
src/Template/Layout/default.ctp
@@ -115,7 +115,7 @@ $cakeDescription = 'Labinvent 2'; | @@ -115,7 +115,7 @@ $cakeDescription = 'Labinvent 2'; | ||
115 | </i></td> | 115 | </i></td> |
116 | <td id="version"> | 116 | <td id="version"> |
117 | <!-- VERSION M.m.f.b (version (M)ajeure, version (m)ineure, numero de nouvelle (f)onctionnalite, numero de (b)ugfix) --> | 117 | <!-- VERSION M.m.f.b (version (M)ajeure, version (m)ineure, numero de nouvelle (f)onctionnalite, numero de (b)ugfix) --> |
118 | - <font color="black">VERSION 2.7.7 (29/08/2017)</font> | 118 | + <font color="black">VERSION 2.7.8 (29/08/2017)</font> |
119 | <br/> | 119 | <br/> |
120 | <font color="black"><a href="<?php | 120 | <font color="black"><a href="<?php |
121 | 121 |
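--- a/tests/TestCase/Controller/General.php
+++ b/tests/TestCase/Controller/General.php
@@ -75,7 +75,9 @@ class General extends IntegrationTestCase {
 //'username' => 'user1_SUPER'
 'username' => $this->_session['Auth']['User']['cn'][0]
 ])->first();
-$this->CURRENT_ROLE = $user['role'];
+// Unpriviledged user
+$role = $user ? $user['role'] : "Utilisateur";
+$this->CURRENT_ROLE = $role;
 }
 return $this->CURRENT_ROLE;
 }
@@ -112,8 +114,12 @@ class General extends IntegrationTestCase {
 
 public function authAs($role) {
 switch ($role) {
+case 'USER_from_ldap':
+$this->authUtilisateurFromLdap();
+//$this->CURRENT_ROLE = 'Utilisateur';
+break;
 case 'USER':
-$this->authUtilisateur();
+$this->authUtilisateurFromTable();
 //$this->CURRENT_ROLE = 'Utilisateur';
 break;
 case 'RESP':
@@ -308,9 +314,14 @@ class General extends IntegrationTestCase {
 }
 */
 
-public function authUtilisateur() {
+public function authUtilisateur() { $this->authUtilisateurFromTable(); }
+public function authUtilisateurFromTable() {
 $this->authUser('user5_USER', 'test9', 'test0');
 }
+public function authUtilisateurFromLdap() {
+//$this->authUser('_NouvelUtilisateur_username', 'NOUVEL', 'UTILISATEUR');
+$this->authUser('_ldap_user_', 'FAKE_LDAP', 'UTILISATEUR');
+}
 /*
 $user = [
 'Auth' => [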
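Review bot: authUtilisateurFromLdap signs in with the constant pair '_ldap_user_' / 'FAKE_LDAP', which the application appears to accept through the plain equality shortcut on the fake LDAP user added to the LDAP lookup earlier in this commit rather than through the hashed-password path, so the test only proves that the hardcoded account exists and nothing here records that the account must stay disabled outside the test environment. A comment above the method such as `// Fake LDAP account accepted by the app's auth shortcut; must remain test/debug-only, never active in production` would make that dependency visible to the next maintainer. In getUserRole the fallback "Utilisateur" mirrors the application's default role for LDAP people absent from the utilisateurs table; a shared constant would keep the test from silently diverging when that default changes. The comment on the same line is misspelled: `// Unprivileged user`.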
tests/TestCase/Controller/MaterielsControllerTest.php
@@ -147,7 +147,8 @@ class MaterielsControllerTest extends General { | @@ -147,7 +147,8 @@ class MaterielsControllerTest extends General { | ||
147 | foreach ($this->ROLES as $role) $this->_testMatReadAllAs($role); | 147 | foreach ($this->ROLES as $role) $this->_testMatReadAllAs($role); |
148 | } | 148 | } |
149 | */ | 149 | */ |
150 | - public function testMat20ReadAllAsUser() { $this->_testMatReadAllAs('USER'); } | 150 | + public function testMat20ReadAllAsUserFromLdap() { $this->_testMatReadAllAs('USER_from_ldap'); } |
151 | + public function testMat20ReadAllAsUserFromTable() { $this->_testMatReadAllAs('USER'); } | ||
151 | public function testMat20ReadAllAsResp() { $this->_testMatReadAllAs('RESP'); } | 152 | public function testMat20ReadAllAsResp() { $this->_testMatReadAllAs('RESP'); } |
152 | public function testMat20ReadAllAsAdmin() { $this->_testMatReadAllAs('ADMIN'); } | 153 | public function testMat20ReadAllAsAdmin() { $this->_testMatReadAllAs('ADMIN'); } |
153 | public function testMat20ReadAllAsAdminP() { $this->_testMatReadAllAs('ADMINP'); } | 154 | public function testMat20ReadAllAsAdminP() { $this->_testMatReadAllAs('ADMINP'); } |
@@ -172,7 +173,7 @@ class MaterielsControllerTest extends General { | @@ -172,7 +173,7 @@ class MaterielsControllerTest extends General { | ||
172 | $this->assertResponseContains("Liste des matériels (6)", 'Le profil '.$role.' ne devrait PAS voir les matériels archivés.'); | 173 | $this->assertResponseContains("Liste des matériels (6)", 'Le profil '.$role.' ne devrait PAS voir les matériels archivés.'); |
173 | $this->assertResponseNotContains("A valider", 'Le profil '.$role.' ne devrait PAS avoir accès à des filtres par statut.'); | 174 | $this->assertResponseNotContains("A valider", 'Le profil '.$role.' ne devrait PAS avoir accès à des filtres par statut.'); |
174 | } | 175 | } |
175 | - $this->assertResponseContainsIf($role, ($role != 'USER'), ["Exporter la liste complete"=>"un bouton Exporter"]); | 176 | + $this->assertResponseContainsIf($role, ($this->getUserRole() != 'Utilisateur'), ["Exporter la liste complete"=>"un bouton Exporter"]); |
176 | 177 | ||
177 | $this->get('/materiels/index/CREATED'); | 178 | $this->get('/materiels/index/CREATED'); |
178 | //TODO: il faudrait remplacer "false" par "true" dans ce test | 179 | //TODO: il faudrait remplacer "false" par "true" dans ce test |
@@ -229,7 +230,8 @@ class MaterielsControllerTest extends General { | @@ -229,7 +230,8 @@ class MaterielsControllerTest extends General { | ||
229 | } | 230 | } |
230 | */ | 231 | */ |
231 | // test VIEW action | 232 | // test VIEW action |
232 | - public function testMat10ReadOneAsUser() { $this->_testMatReadOneAs('USER'); } | 233 | + public function testMat10ReadOneAsUserFromLdap() { $this->_testMatReadOneAs('USER_from_ldap'); } |
234 | + public function testMat10ReadOneAsUserFromTable() { $this->_testMatReadOneAs('USER'); } | ||
233 | public function testMat10ReadOneAsResp() { $this->_testMatReadOneAs('RESP'); } | 235 | public function testMat10ReadOneAsResp() { $this->_testMatReadOneAs('RESP'); } |
234 | public function testMat10ReadOneAsAdmin() { $this->_testMatReadOneAs('ADMIN'); } | 236 | public function testMat10ReadOneAsAdmin() { $this->_testMatReadOneAs('ADMIN'); } |
235 | public function testMat10ReadOneAsAdminPlus() { $this->_testMatReadOneAs('ADMINP'); } | 237 | public function testMat10ReadOneAsAdminPlus() { $this->_testMatReadOneAs('ADMINP'); } |
@@ -280,6 +282,7 @@ class MaterielsControllerTest extends General { | @@ -280,6 +282,7 @@ class MaterielsControllerTest extends General { | ||
280 | foreach ($this->ROLES as $role) $this->_testMatAccessCreateFormAs($role); | 282 | foreach ($this->ROLES as $role) $this->_testMatAccessCreateFormAs($role); |
281 | } | 283 | } |
282 | */ | 284 | */ |
285 | + public function testMat30AccessCreateFormAsUserFromLdap() { $this->_testMatAccessCreateFormAs('USER_from_ldap'); } | ||
283 | public function testMat30AccessCreateFormAsUser() { $this->_testMatAccessCreateFormAs('USER'); } | 286 | public function testMat30AccessCreateFormAsUser() { $this->_testMatAccessCreateFormAs('USER'); } |
284 | public function testMat30AccessCreateFormAsResp() { $this->_testMatAccessCreateFormAs('RESP'); } | 287 | public function testMat30AccessCreateFormAsResp() { $this->_testMatAccessCreateFormAs('RESP'); } |
285 | public function testMat30AccessCreateFormAsAdmin() { $this->_testMatAccessCreateFormAs('ADMIN'); } | 288 | public function testMat30AccessCreateFormAsAdmin() { $this->_testMatAccessCreateFormAs('ADMIN'); } |
@@ -313,11 +316,13 @@ class MaterielsControllerTest extends General { | @@ -313,11 +316,13 @@ class MaterielsControllerTest extends General { | ||
313 | * | 316 | * |
314 | * @return void | 317 | * @return void |
315 | */ | 318 | */ |
319 | + | ||
316 | public function testMat31CreateAsSuper() { $this->_testMatCreateAs('SUPER'); } | 320 | public function testMat31CreateAsSuper() { $this->_testMatCreateAs('SUPER'); } |
317 | public function testMat31CreateAsAdminp() { $this->_testMatCreateAs('ADMINP'); } | 321 | public function testMat31CreateAsAdminp() { $this->_testMatCreateAs('ADMINP'); } |
318 | public function testMat31CreateAsAdmin() { $this->_testMatCreateAs('ADMIN'); } | 322 | public function testMat31CreateAsAdmin() { $this->_testMatCreateAs('ADMIN'); } |
319 | public function testMat31CreateAsResp() { $this->_testMatCreateAs('RESP'); } | 323 | public function testMat31CreateAsResp() { $this->_testMatCreateAs('RESP'); } |
320 | public function testMat31CreateAsUser() { $this->_testMatCreateAs('USER'); } | 324 | public function testMat31CreateAsUser() { $this->_testMatCreateAs('USER'); } |
325 | + public function testMat31CreateAsUserFromLdap() { $this->_testMatCreateAs('USER_from_ldap'); } | ||
321 | 326 | ||
322 | public function testMat32CreateAdministratifOrTechnicalAsSuper() { $this->_testMatCreateAdministratifOrTechnicalAs('SUPER'); } | 327 | public function testMat32CreateAdministratifOrTechnicalAsSuper() { $this->_testMatCreateAdministratifOrTechnicalAs('SUPER'); } |
323 | private function _testMatCreateAdministratifOrTechnicalAs($role) { | 328 | private function _testMatCreateAdministratifOrTechnicalAs($role) { |
@@ -421,6 +426,7 @@ class MaterielsControllerTest extends General { | @@ -421,6 +426,7 @@ class MaterielsControllerTest extends General { | ||
421 | */ | 426 | */ |
422 | public function testMat33CreateFailsAsSuper() { $this->_testMatCreateFailsAs('SUPER'); } | 427 | public function testMat33CreateFailsAsSuper() { $this->_testMatCreateFailsAs('SUPER'); } |
423 | public function testMat33CreateFailsAsUser() { $this->_testMatCreateFailsAs('USER'); } | 428 | public function testMat33CreateFailsAsUser() { $this->_testMatCreateFailsAs('USER'); } |
429 | + public function testMat33CreateFailsAsUserFromLdap() { $this->_testMatCreateFailsAs('USER_from_ldap'); } | ||
424 | private function _testMatCreateFailsAs($role) { | 430 | private function _testMatCreateFailsAs($role) { |
425 | // test with each mandatory field except materiel_administratif and materiel_technique | 431 | // test with each mandatory field except materiel_administratif and materiel_technique |
426 | foreach (self::mandatoryFieldsForCreation as $mandatoryField) { | 432 | foreach (self::mandatoryFieldsForCreation as $mandatoryField) { |