Overview
Comment: | Restrict access to forms |
---|---|
SHA3-256: |
1a6a5f14ca757120b526d36d112c3389 |
User & Date: | bohwaz on 2022-07-09 23:54:18 |
Changes
Modified src/include/lib/Garradin/Entities/Files/File.php from [ad63cf1eb1] to [7526fa0b8e].
︙ | ︙ | |||
88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 | const CONTEXT_DOCUMENTS = 'documents'; const CONTEXT_USER = 'user'; const CONTEXT_TRANSACTION = 'transaction'; const CONTEXT_CONFIG = 'config'; const CONTEXT_WEB = 'web'; const CONTEXT_SKELETON = 'skel'; const CONTEXTS_NAMES = [ self::CONTEXT_DOCUMENTS => 'Documents', self::CONTEXT_USER => 'Membre', self::CONTEXT_TRANSACTION => 'Écriture comptable', self::CONTEXT_CONFIG => 'Configuration', self::CONTEXT_WEB => 'Site web', self::CONTEXT_SKELETON => 'Squelettes', ]; const IMAGE_TYPES = [ 'image/png', 'image/gif', 'image/jpeg', 'image/webp', | > > | 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 | const CONTEXT_DOCUMENTS = 'documents'; const CONTEXT_USER = 'user'; const CONTEXT_TRANSACTION = 'transaction'; const CONTEXT_CONFIG = 'config'; const CONTEXT_WEB = 'web'; const CONTEXT_SKELETON = 'skel'; const CONTEXT_FORM = 'form'; const CONTEXTS_NAMES = [ self::CONTEXT_DOCUMENTS => 'Documents', self::CONTEXT_USER => 'Membre', self::CONTEXT_TRANSACTION => 'Écriture comptable', self::CONTEXT_CONFIG => 'Configuration', self::CONTEXT_WEB => 'Site web', self::CONTEXT_SKELETON => 'Squelettes', self::CONTEXT_FORM => 'Squelettes', ]; const IMAGE_TYPES = [ 'image/png', 'image/gif', 'image/jpeg', 'image/webp', |
︙ | ︙ | |||
828 829 830 831 832 833 834 | $context = $this->accessContext(); $ref = strtok(substr($this->path, strpos($this->path, '/')), '/'); if (null === $session || !$session->isLogged()) { return false; } | | | | 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 | $context = $this->accessContext(); $ref = strtok(substr($this->path, strpos($this->path, '/')), '/'); if (null === $session || !$session->isLogged()) { return false; } // All config and form files can be accessed by all logged-in users if ($context == self::CONTEXT_CONFIG || $context == self::CONTEXT_FORM) { return true; } elseif ($context == self::CONTEXT_TRANSACTION && $session->canAccess($session::SECTION_ACCOUNTING, $session::ACCESS_READ)) { return true; } // The user can access his own profile files else if ($context == self::CONTEXT_USER && $ref == $session->getUser()->id) { |
︙ | ︙ | |||
861 862 863 864 865 866 867 | return false; } switch ($this->accessContext()) { case self::CONTEXT_WEB: return $session->canAccess($session::SECTION_WEB, $session::ACCESS_WRITE); case self::CONTEXT_DOCUMENTS: | | > | 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 | return false; } switch ($this->accessContext()) { case self::CONTEXT_WEB: return $session->canAccess($session::SECTION_WEB, $session::ACCESS_WRITE); case self::CONTEXT_DOCUMENTS: // Only managers can change files return $session->canAccess($session::SECTION_DOCUMENTS, $session::ACCESS_WRITE); case self::CONTEXT_CONFIG: case self::CONTEXT_FORM: return $session->canAccess($session::SECTION_CONFIG, $session::ACCESS_ADMIN); case self::CONTEXT_TRANSACTION: return $session->canAccess($session::SECTION_ACCOUNTING, $session::ACCESS_WRITE); case self::CONTEXT_SKELETON: return $session->canAccess($session::SECTION_WEB, $session::ACCESS_ADMIN); case self::CONTEXT_USER: return $session->canAccess($session::SECTION_USERS, $session::ACCESS_WRITE); |
︙ | ︙ | |||
885 886 887 888 889 890 891 892 893 894 895 896 897 898 | if (null === $session) { return false; } switch ($this->accessContext()) { case self::CONTEXT_WEB: return $session->canAccess($session::SECTION_WEB, $session::ACCESS_WRITE); case self::CONTEXT_DOCUMENTS: // Only admins can delete files return $session->canAccess($session::SECTION_DOCUMENTS, $session::ACCESS_ADMIN); case self::CONTEXT_CONFIG: return $session->canAccess($session::SECTION_CONFIG, $session::ACCESS_ADMIN); case self::CONTEXT_TRANSACTION: return $session->canAccess($session::SECTION_ACCOUNTING, $session::ACCESS_ADMIN); | > > > < < > > < < | 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 | if (null === $session) { return false; } switch ($this->accessContext()) { case self::CONTEXT_WEB: return $session->canAccess($session::SECTION_WEB, $session::ACCESS_WRITE); case self::CONTEXT_SKELETON: return $session->canAccess($session::SECTION_WEB, $session::ACCESS_ADMIN); case self::CONTEXT_DOCUMENTS: // Only admins can delete files return $session->canAccess($session::SECTION_DOCUMENTS, $session::ACCESS_ADMIN); case self::CONTEXT_CONFIG: case self::CONTEXT_FORM: return $session->canAccess($session::SECTION_CONFIG, $session::ACCESS_ADMIN); case self::CONTEXT_TRANSACTION: return $session->canAccess($session::SECTION_ACCOUNTING, $session::ACCESS_ADMIN); case self::CONTEXT_USER: return $session->canAccess($session::SECTION_USERS, $session::ACCESS_WRITE); } return false; } static public function checkCreateAccess(string $path, ?Session $session): bool { if (null === $session) { return false; } $context = strtok($path, '/'); switch ($context) { case self::CONTEXT_SKELETON: case self::CONTEXT_WEB: return $session->canAccess($session::SECTION_WEB, $session::ACCESS_WRITE); case self::CONTEXT_DOCUMENTS: return $session->canAccess($session::SECTION_DOCUMENTS, 
$session::ACCESS_WRITE); case self::CONTEXT_CONFIG: case self::CONTEXT_FORM: return $session->canAccess($session::SECTION_CONFIG, $session::ACCESS_ADMIN); case self::CONTEXT_TRANSACTION: return $session->canAccess($session::SECTION_ACCOUNTING, $session::ACCESS_WRITE); case self::CONTEXT_USER: return $session->canAccess($session::SECTION_USERS, $session::ACCESS_WRITE); } return false; } |
︙ | ︙ |
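Review bot: In the CONTEXTS_NAMES hunk the new entry `self::CONTEXT_FORM => 'Squelettes',` reuses the skeleton label, so any UI that lists contexts through this map shows form files and skeleton files under the same name; the entry presumably wants a label of its own (constructed example: `self::CONTEXT_FORM => 'Formulaires',`). In the read-access hunk the widened condition `if ($context == self::CONTEXT_CONFIG || $context == self::CONTEXT_FORM)` compares with `==`; both operands are strings here so it is not a bug, but `===` would match the strictness expected of a permission check, and a comment such as `// Forms are readable by every logged-in member; only SECTION_CONFIG admins may create, modify or delete them` would record that the read/write asymmetry between this hunk and the write, delete and create hunks is intentional. The methods enclosing the read, write and delete hunks start outside the shown lines, so the fallthrough behaviour before these checks cannot be confirmed from here.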