Commit f28b5ccd authored by kroky6's avatar kroky6

[FIX] enforce tracker-level tiki_p_modify_object_categories permission if...

[FIX] enforce tracker-level tiki_p_modify_object_categories permission if global level is not enabled when modifying a tracker item
parent b871f7e0
......@@ -1663,7 +1663,7 @@ class CategLib extends ObjectLib
// Change an object's categories
// $objId: A unique identifier of an object of the given type, for example "Foo" for Wiki page Foo.
function update_object_categories($categories, $objId, $objType, $desc=NULL, $name=NULL, $href=NULL, $managedCategories = null, $override_perms = false)
function update_object_categories($categories, $objId, $objType, $desc=NULL, $name=NULL, $href=NULL, $managedCategories = null, $override_perms = false, $parent = null)
{
global $prefs, $user;
$userlib = TikiLib::lib('user');
......@@ -1675,7 +1675,7 @@ class CategLib extends ObjectLib
}
}
$manip = new Category_Manipulator($objType, $objId);
$manip = new Category_Manipulator($objType, $objId, $parent);
if ($override_perms) {
$manip->overrideChecks();
}
......
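Review bot: `update_object_categories()` gains a ninth positional argument, `$parent`, and hands it to `Category_Manipulator` without checking its shape or that it really is the parent of `$objId`, and the comment block above the function does not mention it. The manipulator (next file in this commit) uses the value for a permission lookup, so this function trusts every caller to supply the correct parent. I would document both the shape and that assumption, for example `// $parent: optional array('objectType' => ..., 'objectId' => ...) of the containing object; its modify_object_categories permission is used as a fallback, so it must be derived server-side from $objId.` The function body continues outside the hunk.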
......@@ -9,6 +9,7 @@ class Category_Manipulator
{
private $objectType;
private $objectId;
private $parent;
private $current = array();
private $managed = array();
......@@ -22,10 +23,11 @@ class Category_Manipulator
private $overrides = array();
private $overrideAll = false;
function __construct($objectType, $objectId)
function __construct($objectType, $objectId, $parent = null)
{
$this->objectType = $objectType;
$this->objectId = $objectId;
$this->parent = $parent;
}
function addRequiredSet(array $categories, $default, $filter=null, $type=null)
......@@ -83,7 +85,8 @@ class Category_Manipulator
/*
* Check wether the given permission is allowed for the given categories.
* Note: The group in question requires also the _global_ permission 'modify_object_categories'.
* Note: The group in question requires also the _global_ permission 'modify_object_categories'
* which could be given to a parent object like parent Tracker of a TrackerItem.
* @param array $categories - requested categories
* @param string $permission - required permission for that category. Ie. 'add_category'
* @return array $authorizedCategories - filterd list of given $categories that have proper permissions set.
......@@ -92,6 +95,10 @@ class Category_Manipulator
{
$objectperms = Perms::get(array('type' => $this->objectType, 'object' => $this->objectId));
$canModifyObject = $objectperms->modify_object_categories;
if( !$canModifyObject && $this->parent ) {
$objectperms = Perms::get(array('type' => $this->parent['objectType'], 'object' => $this->parent['objectId']));
$canModifyObject = $objectperms->modify_object_categories;
}
$out = array();
foreach ($categories as $categ) {
......
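Review bot: The new fallback in the permission check runs whenever the object-level `modify_object_categories` is false, so it cannot tell "not granted" apart from "deliberately withheld on this object". If `Perms::get()` for the item reflects object-specific permissions, a tracker-level grant would now override an item-level restriction, which is worth confirming against how Tiki resolves the two levels. Separately, `$this->parent['objectType']` and `$this->parent['objectId']` are read without checking that the keys exist. A guard such as `if (!$canModifyObject && isset($this->parent['objectType'], $this->parent['objectId'])) {` would keep a malformed parent from producing a lookup with a null type or object. The method signature and the rest of the loop are outside the hunk.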
......@@ -3429,7 +3429,7 @@ class TrackerLib extends TikiLib
);
}
$this->update_item_categories($itemId, $managed_categories, $ins_categs, $override_perms);
$this->update_item_categories($itemId, $managed_categories, $ins_categs, $override_perms, array('objectType' => 'tracker', 'objectId' => $trackerId));
$items = $this->findLinkedItems(
$itemId,
......@@ -3442,7 +3442,7 @@ class TrackerLib extends TikiLib
$index = $prefs['feature_search'] === 'y' && $prefs['unified_incremental_update'] === 'y';
foreach ($items as $child) {
$this->update_item_categories($child, $managed_categories, $ins_categs, $override_perms);
$this->update_item_categories($child, $managed_categories, $ins_categs, $override_perms, array('objectType' => 'tracker', 'objectId' => $trackerId));
if ($index) {
$searchlib->invalidateObject('trackeritem', $child);
......@@ -3450,7 +3450,7 @@ class TrackerLib extends TikiLib
}
}
private function update_item_categories($itemId, $managed_categories, $ins_categs, $override_perms)
private function update_item_categories($itemId, $managed_categories, $ins_categs, $override_perms, $parent)
{
$categlib = TikiLib::lib('categ');
$cat_desc = '';
......@@ -3461,7 +3461,7 @@ class TrackerLib extends TikiLib
// and used in tiki-browse_categories.php and other places
$cat_href = "tiki-view_tracker_item.php?itemId=$itemId";
$categlib->update_object_categories($ins_categs, $itemId, 'trackeritem', $cat_desc, $cat_name, $cat_href, $managed_categories, $override_perms);
$categlib->update_object_categories($ins_categs, $itemId, 'trackeritem', $cat_desc, $cat_name, $cat_href, $managed_categories, $override_perms, $parent);
}
public function move_up_last_fields($trackerId, $fieldId, $delta=1)
......
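Review bot: In the loop over `$items` from `findLinkedItems()`, every `$child` receives the same `array('objectType' => 'tracker', 'objectId' => $trackerId)` as the item being saved. If linked items can belong to a different tracker, the parent fallback would authorise category changes on them using the current tracker's permission rather than their own tracker's. Consider resolving each child's tracker id before the call, or passing `null` as the parent for children so that only their own permissions apply. How `$trackerId` and `$items` are derived is outside the visible hunks.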