Commit 5783823f authored by nkoth's avatar nkoth

[FIX] Perms::get used for perms checking works inaccurately with trackeritems...

[FIX] Perms::get used for perms checking works inaccurately with trackeritems because it checks only the trackeritem's own (category) perms but not the tracker's perms, thus will default to global perms if nothing is set at the item level.
parent 26e1b24b
......@@ -15,8 +15,7 @@ $smarty = TikiLib::lib('smarty');
global $prefs;
$catobjperms = Perms::get(array( 'type' => $cat_type, 'object' => $cat_objid ));
$catobjperms = Perms::getCombined(array( 'type' => $cat_type, 'object' => $cat_objid ));
if ($prefs['feature_categories'] == 'y' && $catobjperms->modify_object_categories ) {
$categlib = TikiLib::lib('categ');
......
......@@ -17,7 +17,7 @@ $smarty = TikiLib::lib('smarty');
global $prefs;
$catobjperms = Perms::get(array( 'type' => $cat_type, 'object' => $cat_objid ));
$catobjperms = Perms::getCombined(array( 'type' => $cat_type, 'object' => $cat_objid ));
$smarty->assign('mandatory_category', '-1');
if ($prefs['feature_categories'] == 'y' && isset($cat_type) && isset($cat_objid)) {
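Review bot: `Perms::getCombined()` is called with `$cat_type` and `$cat_objid` before the `isset($cat_type) && isset($cat_objid)` test on the following `if`, so the permission lookup can run with undefined values. The combined lookup now branches on the type and may resolve a parent tracker from the object id, so I would build the context only when both variables are set and fall back to `Perms::get()` otherwise. The first categorize hunk (`-15,8 +15,7`) makes the same call with no visible guard. The surrounding script continues outside the hunk.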
......
......@@ -22,6 +22,13 @@
* }
*
* Global permissions may be obtained using Perms::get() without a context.
*
* Please note that the Perms will not be correct for checking of access for
* objects that depend on their parent, for example, even if a trackeritem has
* no object or category perms on itself, the tracker's perms should be considered
* in the checking. However, the Perms object with 'type' => 'trackeritem' will
* only get the perms of the object/it's categories itself and not take into
* account the parent tracker. To do so, use the new Perms::getCombined instead.
*
* The facade also provides a convenient way to filter lists based on
* permissions. Using the method will also used the underlying::bulk()
......@@ -129,6 +136,34 @@ class Perms
}
}
public static function getCombined( $context = array() ) {
if (! is_array($context)) {
$args = func_get_args();
$context = array(
'type' => $args[0],
'object' => $args[1],
);
}
if ($context['type'] == 'trackeritem') {
$perms = Perms::get('trackeritem', $context['object']);
$resolver = $perms->getResolver();
if (method_exists($resolver, 'from') && $resolver->from() != '') {
// Item permissions are valid if they are assigned directly to the object or category, otherwise
// tracker permissions are better than global ones.
return Perms::get($context);
} else {
$context['type'] = 'tracker';
$context['object'] = TikiLib::lib('trk')->get_tracker_for_item($context['object']);
return Perms::get($context);
}
}
return Perms::get($context);
}
public function getAccessor(array $context = array())
{
$accessor = new Perms_Accessor;
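Review bot: In the tracker fallback of `getCombined`, the result of `get_tracker_for_item()` is written straight into `$context['object']` and handed to `Perms::get()` without checking that a tracker was found. What the lookup returns for a missing or not-yet-saved item is not visible here, but if it is empty the check would run against a 'tracker' context with no object, so I would guard it: `$trackerId = TikiLib::lib('trk')->get_tracker_for_item($context['object']);` followed by `if (! $trackerId) { return $perms; }`. The method also reads `$context['type']` although its default is `array()`, so a call with no arguments needs `isset($context['type'])` in the condition, and the first branch can return the `$perms` it already resolved instead of calling `Perms::get($context)` again. A docblock stating that the returned accessor may belong to the parent tracker rather than the item would help callers; the enclosing class starts outside the hunk.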
......
......@@ -87,7 +87,7 @@ class Services_Category_Controller
$type = $input->type->text();
$object = $input->object->text();
$perms = Perms::get($type, $object);
$perms = Perms::getCombined($type, $object);
if (! $perms->modify_object_categories) {
throw new Services_Exception_Denied('Not allowed to modify categories');
}
......@@ -173,7 +173,7 @@ class Services_Category_Controller
if (count($object) == 2) {
list($type, $id) = $object;
$objectPerms = Perms::get($type, $id);
$objectPerms = Perms::getCombined($type, $id);
if ($objectPerms->modify_object_categories) {
$out[] = array('type' => $type, 'id' => $id);
......
......@@ -33,7 +33,7 @@ class Services_Exception_Denied extends Services_Exception
public static function checkObject($perm, $type, $object)
{
$perms = Perms::get($type, $object);
$perms = Perms::getCombined($type, $object);
if (! $perms->$perm) {
throw new self(tr('Permission denied'));
}
......
......@@ -195,7 +195,7 @@ class Services_Language_TranslationController
private function canAttach($type, $object)
{
global $prefs, $user;
$perms = Perms::get($type, $object);
$perms = Perms::getCombined($type, $object);
if ($type == 'wiki page' && $perms->edit) {
return true;
......@@ -221,7 +221,7 @@ class Services_Language_TranslationController
private function canDetach($type, $object)
{
$perms = Perms::get($type, $object);
$perms = Perms::getCombined($type, $object);
return $perms->detach_translation;
}
......
......@@ -77,7 +77,7 @@ function smarty_function_permission_link( $params, $smarty )
$link = 'tiki-objectpermissions.php';
}
$perms = Perms::get($type, $id);
$perms = Perms::getCombined($type, $id);
$source = $perms->getResolver()->from();
return $smarty->fetch('permission_link.tpl', [
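Review bot: `$source = $perms->getResolver()->from();` now reports the source of the parent tracker's permissions when a trackeritem has none of its own, because `getCombined` returns the tracker's accessor in that case. The value is passed to `permission_link.tpl`, so the link for an item would, as far as this hunk shows, present inherited tracker permissions as if they were set on the item. Consider keeping `Perms::get($type, $id)` for `$source` and using the combined accessor only for access decisions, or add a comment such as `// source may describe the parent tracker for trackeritems`. The function body starts and ends outside the hunk.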
......
......@@ -164,7 +164,7 @@ class TikiAccessLib extends TikiLib
foreach ($permissions as $permission) {
if (false !== $objectType) {
$applicable = Perms::get($objectType, $objectId);
$applicable = Perms::getCombined($objectType, $objectId);
} else {
$applicable = Perms::get();
}
......@@ -205,7 +205,7 @@ class TikiAccessLib extends TikiLib
foreach ($permissions as $permission) {
if (false !== $objectType) {
$applicable = Perms::get($objectType, $objectId);
$applicable = Perms::getCombined($objectType, $objectId);
} else {
$applicable = Perms::get();
}
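Review bot: `Perms::getCombined($objectType, $objectId)` sits inside `foreach ($permissions as $permission)` although neither argument changes between iterations, and for trackeritems each call now does an extra `Perms::get()` plus a `get_tracker_for_item()` lookup. Resolving `$applicable` once before the loop keeps the check identical and avoids repeating the lookup per permission name; the same applies to the earlier hunk at `-164,7 +164,7` of this file. Whether either lookup is cached is not visible here, and both loops continue outside the hunks.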
......
......@@ -3315,7 +3315,7 @@ class TikiLib extends TikiDb_Bridge
global $user;
if ($type && $object) {
$context = array( 'type' => $type, 'object' => $object );
$accessor = Perms::get($context);
$accessor = Perms::getCombined($context);
} else {
$accessor = Perms::get();
}
......
......@@ -1506,7 +1506,7 @@ function wikiplugin_img( $data, $params )
$perms = TikiLib::lib('tiki')->get_perm_object( $imgdata['fileId'], 'file', $dbinfo );
if ($imgdata['fromItemId']) {
if ($imgdata['checkItemPerms'] !== 'n') {
$perms_Accessor = Perms::get(array('type' => 'tracker item', 'object' => $imgdata['fromItemId']));
$perms_Accessor = Perms::getCombined(array('type' => 'trackeritem', 'object' => $imgdata['fromItemId']));
$trackerItemPerms = $perms_Accessor->modify_tracker_items;
} else {
$trackerItemPerms = true;
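Review bot: Besides switching to `getCombined`, this line changes the type string from `'tracker item'` to `'trackeritem'`, which the commit message does not mention. `getCombined` matches the type with an exact `== 'trackeritem'` comparison, so any remaining caller that passes `'tracker item'` skips the parent-tracker fallback without an error; a comment on `getCombined` naming the accepted type string, or a search for other `'tracker item'` callers, would close that gap. The `else` branch that sets `$trackerItemPerms = true` when `checkItemPerms` is `'n'` is unchanged context, and the function continues outside the hunk.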
......