From 642da0fca545d292a4a6bf87740411795307149e Mon Sep 17 00:00:00 2001 
From: Jean-Yves Gaulier Date: Tue, 25 Oct 2016 17:15:20 +0200 Subject: [PATCH] PHRAS-508_acl-cache - wip --- .../Phrasea/Collection/CollectionService.php | 34 +-- .../Controller/Admin/DataboxesController.php | 4 +- .../Controller/Admin/RootController.php | 12 +- .../Phrasea/Controller/Api/V1Controller.php | 12 +- .../Phrasea/Controller/DatafileController.php | 2 +- .../Controller/PermalinkController.php | 2 +- .../Controller/Prod/FeedController.php | 6 +- .../Controller/Prod/LazaretController.php | 2 +- .../Prod/MoveCollectionController.php | 10 +- .../Controller/Prod/StoryController.php | 2 +- .../Controller/Prod/ToolsController.php | 4 +- .../Controller/Prod/UploadController.php | 4 +- .../Controller/Report/RootController.php | 2 +- .../ControllerProvider/Admin/Databox.php | 4 +- .../ControllerProvider/Admin/Feeds.php | 2 +- .../ControllerProvider/Admin/Fields.php | 2 +- .../ControllerProvider/Admin/Subdefs.php | 2 +- .../ControllerProvider/Admin/TaskManager.php | 2 +- .../ControllerProvider/Prod/Bridge.php | 2 +- .../Phrasea/ControllerProvider/Prod/Order.php | 2 +- .../Phrasea/ControllerProvider/Prod/Push.php | 2 +- .../Phrasea/ControllerProvider/Prod/Share.php | 2 +- .../Event/Subscriber/LazaretSubscriber.php | 2 +- lib/Alchemy/Phrasea/Helper/User/Edit.php | 137 +++++------ .../Model/Manipulator/ACLManipulator.php | 40 ++-- .../Order/Controller/ApiOrderController.php | 2 +- lib/Alchemy/Phrasea/Out/Module/PDF.php | 4 +- lib/Alchemy/Phrasea/Setup/Installer.php | 46 ++-- lib/classes/ACL.php | 222 ++++++++++-------- lib/classes/databox.php | 10 +- .../eventsmanager/notify/validationdone.php | 2 +- lib/classes/module/report/dashboard.php | 2 +- lib/classes/record/exportElement.php | 2 +- lib/classes/record/preview.php | 16 +- lib/classes/set/export.php | 2 +- templates/web/admin/databox/databox.html.twig | 8 +- templates/web/admin/editusers.html.twig | 25 +- .../web/admin/editusers_quotas.html.twig | 4 +- .../web/admin/publications/fiche.html.twig | 2 +- 
.../web/admin/publications/list.html.twig | 2 +- templates/web/admin/tree.html.twig | 10 +- templates/web/prod/Story/Create.html.twig | 2 +- templates/web/prod/WorkZone/Basket.html.twig | 6 +- templates/web/prod/WorkZone/Story.html.twig | 6 +- .../web/prod/preview/short_history.html.twig | 2 +- templates/web/prod/results/record.html.twig | 2 +- templates/web/prod/toolbar.html.twig | 6 +- .../Phrasea/Controller/Admin/DataboxTest.php | 6 +- .../Phrasea/Controller/Admin/UsersTest.php | 8 +- .../Phrasea/Controller/Prod/StoryTest.php | 4 +- .../Phrasea/Controller/RecordsRequestTest.php | 4 +- .../Model/Manipulator/ACLManipulatorTest.php | 52 ++-- tests/classes/ACLTest.php | 60 ++--- .../PhraseanetAuthenticatedWebTestCase.php | 8 +- tests/classes/PhraseanetTestCase.php | 38 +-- tests/classes/record/adapterTest.php | 6 +- 56 files changed, 446 insertions(+), 418 deletions(-) diff --git a/lib/Alchemy/Phrasea/Collection/CollectionService.php b/lib/Alchemy/Phrasea/Collection/CollectionService.php index 4f67046371..1676c0a5d6 100644 --- a/lib/Alchemy/Phrasea/Collection/CollectionService.php +++ b/lib/Alchemy/Phrasea/Collection/CollectionService.php 
@@ -269,23 +269,23 @@ class CollectionService public function grantAdminRights(CollectionReference $reference, User $user) { $rights = [ - \ACL::CANPUTINALBUM => "1", - \ACL::CANDWNLDHD => "1", - \ACL::NOWATERMARK => "1", - \ACL::CANDWNLDPREVIEW => "1", - \ACL::CANCMD => "1", - \ACL::CANADMIN => "1", - \ACL::ACTIF => "1", - \ACL::CANREPORT => "1", - \ACL::CANPUSH => "1", - "basusr_infousr" => "", - \ACL::CANADDRECORD => "1", - \ACL::CANMODIFRECORD => "1", - \ACL::CANDELETERECORD => "1", - \ACL::CHGSTATUS => "1", - \ACL::IMGTOOLS => "1", - \ACL::MANAGE => "1", - \ACL::MODIFY_STRUCT => "1" + \ACL::CANPUTINALBUM => "1", + \ACL::CANDWNLDHD => "1", + \ACL::NOWATERMARK => "1", + \ACL::CANDWNLDPREVIEW => "1", + \ACL::CANCMD => "1", + \ACL::CANADMIN => "1", + \ACL::ACTIF => "1", + \ACL::CANREPORT => "1", + \ACL::CANPUSH => "1", + "basusr_infousr" => "", + \ACL::CANADDRECORD => "1", + \ACL::CANMODIFRECORD => "1", + \ACL::CANDELETERECORD => "1", + \ACL::CHGSTATUS => "1", + \ACL::IMGTOOLS => "1", + \ACL::COLL_MANAGE => "1", + \ACL::COLL_MODIFY_STRUCT => "1" ]; $this->app->getAclForUser($user)->update_rights_to_base($reference->getBaseId(), $rights); diff --git a/lib/Alchemy/Phrasea/Controller/Admin/DataboxesController.php b/lib/Alchemy/Phrasea/Controller/Admin/DataboxesController.php index 63e9a05cec..fee5eef475 100644 --- a/lib/Alchemy/Phrasea/Controller/Admin/DataboxesController.php +++ b/lib/Alchemy/Phrasea/Controller/Admin/DataboxesController.php @@ -31,8 +31,8 @@ class DataboxesController extends Controller { $acl = $this->getAclForUser(); $sbasIds = array_merge( - array_keys($acl->get_granted_sbas(['bas_manage'])), - array_keys($acl->get_granted_sbas(['bas_modify_struct'])) + array_keys($acl->get_granted_sbas([\ACL::BAS_MANAGE])), + array_keys($acl->get_granted_sbas([\ACL::BAS_MODIFY_STRUCT])) ); $sbas = []; diff --git a/lib/Alchemy/Phrasea/Controller/Admin/RootController.php b/lib/Alchemy/Phrasea/Controller/Admin/RootController.php index 901d2efc95..7683573b89 100644 
--- a/lib/Alchemy/Phrasea/Controller/Admin/RootController.php +++ b/lib/Alchemy/Phrasea/Controller/Admin/RootController.php @@ -88,7 +88,7 @@ class RootController extends Controller */ public function displayStatusBitAction($databox_id) { - if (!$this->getAclForUser()->has_right_on_sbas($databox_id, 'bas_modify_struct')) { + if (!$this->getAclForUser()->has_right_on_sbas($databox_id, \ACL::BAS_MODIFY_STRUCT)) { $this->app->abort(403); } @@ -105,7 +105,7 @@ class RootController extends Controller */ public function displayDataboxStructureAction(Request $request, $databox_id) { - if (!$this->getAclForUser()->has_right_on_sbas($databox_id, 'bas_modify_struct')) { + if (!$this->getAclForUser()->has_right_on_sbas($databox_id, \ACL::BAS_MODIFY_STRUCT)) { $this->app->abort(403); } @@ -132,7 +132,7 @@ class RootController extends Controller public function submitDatabaseStructureAction(Request $request, $databox_id) { - if (!$this->getAclForUser()->has_right_on_sbas($databox_id, 'bas_modify_struct')) { + if (!$this->getAclForUser()->has_right_on_sbas($databox_id, \ACL::BAS_MODIFY_STRUCT)) { $this->app->abort(403); } @@ -162,7 +162,7 @@ class RootController extends Controller public function displayDatabaseStatusBitFormAction(Request $request, $databox_id, $bit) { - if (!$this->getAclForUser()->has_right_on_sbas($databox_id, 'bas_modify_struct')) { + if (!$this->getAclForUser()->has_right_on_sbas($databox_id, \ACL::BAS_MODIFY_STRUCT)) { $this->app->abort(403); } @@ -220,7 +220,7 @@ class RootController extends Controller $this->app->abort(400, $this->app->trans('Bad request format, only JSON is allowed')); } - if (!$this->getAclForUser()->has_right_on_sbas($databox_id, 'bas_modify_struct')) { + if (!$this->getAclForUser()->has_right_on_sbas($databox_id, \ACL::BAS_MODIFY_STRUCT)) { $this->app->abort(403); } 
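Review bot: The guard `if (!$this->getAclForUser()->has_right_on_sbas($databox_id, \ACL::BAS_MODIFY_STRUCT)) { $this->app->abort(403); }` is hand-copied into every action this file's hunks touch (-88, -105, -132, -162, -220 and -238), so unless the route group already enforces it, which is not visible here, a new structure action that forgets the copy would run without the right. ControllerProvider/Admin/Databox.php in this same commit has `requireChangeSbasStructureRight`, which makes the check once through the firewall; attaching a `before` handler of that kind to these routes would be less error-prone. In the hunk at -220 the JSON format check (400) also runs before the permission check, so a caller without the right gets a format error rather than a 403; putting the guard first would keep the responses consistent. Each action's body continues outside its hunk.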
@@ -238,7 +238,7 @@ class RootController extends Controller } public function submitStatusBitAction(Request $request, $databox_id, $bit) { - if (!$this->getAclForUser()->has_right_on_sbas($databox_id, 'bas_modify_struct')) { + if (!$this->getAclForUser()->has_right_on_sbas($databox_id, \ACL::BAS_MODIFY_STRUCT)) { $this->app->abort(403); } diff --git a/lib/Alchemy/Phrasea/Controller/Api/V1Controller.php b/lib/Alchemy/Phrasea/Controller/Api/V1Controller.php index a1a2ad04a2..34b1e973ad 100644 --- a/lib/Alchemy/Phrasea/Controller/Api/V1Controller.php +++ b/lib/Alchemy/Phrasea/Controller/Api/V1Controller.php @@ -631,7 +631,7 @@ class V1Controller extends Controller $offset_start = max($request->get('offset_start', 0), 0); $per_page = min(max($request->get('per_page', 10), 1), 1000); - $baseIds = array_keys($this->getAclForUser()->get_granted_base(['canaddrecord'])); + $baseIds = array_keys($this->getAclForUser()->get_granted_base([\ACL::CANADDRECORD])); $lazaretFiles = []; @@ -666,7 +666,7 @@ class V1Controller extends Controller return Result::createError($request, 404, sprintf('Lazaret file id %d not found', $lazaret_id))->createResponse(); } - if (!$this->getAclForUser()->has_right_on_base($lazaretFile->getBaseId(), 'canaddrecord')) { + if (!$this->getAclForUser()->has_right_on_base($lazaretFile->getBaseId(), \ACL::CANADDRECORD)) { return Result::createError($request, 403, 'You do not have access to this quarantine item')->createResponse(); } @@ -905,7 +905,7 @@ class V1Controller extends Controller $collection = \collection::getByBaseId($this->app, $request->get('base_id')); - if (!$this->getAclForUser()->has_right_on_base($request->get('base_id'), 'canaddrecord')) { + if (!$this->getAclForUser()->has_right_on_base($request->get('base_id'), \ACL::CANADDRECORD)) { return Result::createError($request, 403, sprintf( 'You do not have access to collection %s', $collection->get_label($this->app['locale']) ))->createResponse(); 
@@ -1002,7 +1002,7 @@ class V1Controller extends Controller $record = $this->findDataboxById($request->get('databox_id'))->get_record($request->get('record_id')); $base_id = $record->getBaseId(); $collection = \collection::getByBaseId($this->app, $base_id); - if (!$this->getAclForUser()->has_right_on_base($base_id, 'canaddrecord')) { + if (!$this->getAclForUser()->has_right_on_base($base_id, \ACL::CANADDRECORD)) { return Result::createError($request, 403, sprintf( 'You do not have access to collection %s', $collection->get_label($this->app['locale.I18n']) )); @@ -2447,7 +2447,7 @@ class V1Controller extends Controller { $collection = \collection::getByBaseId($this->app, $data->{'base_id'}); - if (!$this->getAclForUser()->has_right_on_base($collection->get_base_id(), 'canaddrecord')) { + if (!$this->getAclForUser()->has_right_on_base($collection->get_base_id(), \ACL::CANADDRECORD)) { $this->app->abort(403, sprintf('You can not create a story on this collection %s', $collection->get_base_id())); } @@ -2838,7 +2838,7 @@ class V1Controller extends Controller { $user = $this->getApiAuthenticatedUser(); $databox = $this->findDataboxById($request->attributes->get('databox_id')); - if (!$this->getAclForUser($user)->has_right_on_sbas($databox->get_sbas_id(), 'bas_modify_struct')) { + if (!$this->getAclForUser($user)->has_right_on_sbas($databox->get_sbas_id(), \ACL::BAS_MODIFY_STRUCT)) { return Result::createError($request, 401, 'You are not authorized')->createResponse(); } diff --git a/lib/Alchemy/Phrasea/Controller/DatafileController.php b/lib/Alchemy/Phrasea/Controller/DatafileController.php index 15fb91a3ae..5f68956c8b 100644 --- a/lib/Alchemy/Phrasea/Controller/DatafileController.php +++ b/lib/Alchemy/Phrasea/Controller/DatafileController.php 
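Review bot: In the hunk at -1002 the 403 branch returns the `Result` object itself, while every other error path visible in this file's hunks ends with `->createResponse()`; the closing of that statement should probably read `))->createResponse();`. The same statement looks the collection label up with `$this->app['locale.I18n']` where the hunk at -905 uses `$this->app['locale']`, so one of the two keys is likely wrong. Separately, the hunk at -2838 answers a missing `\ACL::BAS_MODIFY_STRUCT` right with 401 although the caller has already been resolved by `getApiAuthenticatedUser()`; 403 would match the other permission failures in this file. The enclosing methods start and end outside these hunks.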
@@ -66,7 +66,7 @@ class DatafileController extends AbstractDelivery $stamp = false; $watermark = !$this->acl->get($this->authentication->getUser()) - ->has_right_on_base($record->getBaseId(), 'nowatermark'); + ->has_right_on_base($record->getBaseId(), \ACL::NOWATERMARK); if ($watermark && !$all_access) { $subdef_class = null; diff --git a/lib/Alchemy/Phrasea/Controller/PermalinkController.php b/lib/Alchemy/Phrasea/Controller/PermalinkController.php index d6d7279c7e..8a6bc586de 100644 --- a/lib/Alchemy/Phrasea/Controller/PermalinkController.php +++ b/lib/Alchemy/Phrasea/Controller/PermalinkController.php @@ -136,7 +136,7 @@ class PermalinkController extends AbstractDelivery } if ($this->authentication->isAuthenticated()) { - $watermark = !$this->acl->get($this->authentication->getUser())->has_right_on_base($record->getBaseId(), 'nowatermark'); + $watermark = !$this->acl->get($this->authentication->getUser())->has_right_on_base($record->getBaseId(), \ACL::NOWATERMARK); if ($watermark) { /** @var BasketElementRepository $repository */ diff --git a/lib/Alchemy/Phrasea/Controller/Prod/FeedController.php b/lib/Alchemy/Phrasea/Controller/Prod/FeedController.php index 6c51b0fe5c..26488f5a0b 100644 --- a/lib/Alchemy/Phrasea/Controller/Prod/FeedController.php +++ b/lib/Alchemy/Phrasea/Controller/Prod/FeedController.php @@ -37,7 +37,7 @@ class FeedController extends Controller public function publishRecordsAction(Request $request) { $feeds = $this->getFeedRepository()->getAllForUser($this->getAclForUser()); - $publishing = RecordsRequest::fromRequest($this->app, $request, true, [], ['bas_chupub']); + $publishing = RecordsRequest::fromRequest($this->app, $request, true, [], [\ACL::BAS_CHUPUB]); return $this->render( 'prod/actions/publish/publish.html.twig', 
@@ -76,7 +76,7 @@ class FeedController extends Controller $feed->addEntry($entry); - $publishing = RecordsRequest::fromRequest($this->app, $request, true, [], ['bas_chupub']); + $publishing = RecordsRequest::fromRequest($this->app, $request, true, [], [\ACL::BAS_CHUPUB]); $manager = $this->getEntityManager(); foreach ($publishing as $record) { $item = new FeedItem(); @@ -270,7 +270,7 @@ class FeedController extends Controller public function ensureUserHasPublishRight() { - $this->requireRight('bas_chupub'); + $this->requireRight(\ACL::BAS_CHUPUB); } /** diff --git a/lib/Alchemy/Phrasea/Controller/Prod/LazaretController.php b/lib/Alchemy/Phrasea/Controller/Prod/LazaretController.php index 465687a060..b78e691225 100644 --- a/lib/Alchemy/Phrasea/Controller/Prod/LazaretController.php +++ b/lib/Alchemy/Phrasea/Controller/Prod/LazaretController.php @@ -45,7 +45,7 @@ class LazaretController extends Controller */ public function listElement(Request $request) { - $baseIds = array_keys($this->getAclForUser()->get_granted_base(['canaddrecord'])); + $baseIds = array_keys($this->getAclForUser()->get_granted_base([\ACL::CANADDRECORD])); $lazaretFiles = null; $perPage = 10; diff --git a/lib/Alchemy/Phrasea/Controller/Prod/MoveCollectionController.php b/lib/Alchemy/Phrasea/Controller/Prod/MoveCollectionController.php index 14833a2edb..4386d3331b 100644 --- a/lib/Alchemy/Phrasea/Controller/Prod/MoveCollectionController.php +++ b/lib/Alchemy/Phrasea/Controller/Prod/MoveCollectionController.php 
@@ -17,13 +17,13 @@ class MoveCollectionController extends Controller { public function displayForm(Request $request) { - $records = RecordsRequest::fromRequest($this->app, $request, false, ['candeleterecord']); + $records = RecordsRequest::fromRequest($this->app, $request, false, [\ACL::CANDELETERECORD]); $sbas_ids = array_map(function (\databox $databox) { return $databox->get_sbas_id(); }, $records->databoxes()); - $collections = $this->getAclForUser()->get_granted_base(['canaddrecord'], $sbas_ids); + $collections = $this->getAclForUser()->get_granted_base([\ACL::CANADDRECORD], $sbas_ids); $parameters = [ 'records' => $records, @@ -37,7 +37,7 @@ class MoveCollectionController extends Controller public function apply(Request $request) { /** @var \record_adapter[] $records */ - $records = RecordsRequest::fromRequest($this->app, $request, false, ['candeleterecord']); + $records = RecordsRequest::fromRequest($this->app, $request, false, [\ACL::CANDELETERECORD]); $datas = [ 'success' => false, @@ -51,7 +51,7 @@ class MoveCollectionController extends Controller return $this->app->json($datas); } - if (!$this->getAclForUser()->has_right_on_base($request->request->get('base_id'), 'canaddrecord')) { + if (!$this->getAclForUser()->has_right_on_base($request->request->get('base_id'), \ACL::CANADDRECORD)) { $datas['message'] = $this->app->trans("You do not have the permission to move records to %collection%", ['%collection%', \phrasea::bas_labels($request->request->get('base_id'), $this->app)]); return $this->app->json($datas); 
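Review bot: In the hunk at -51 the parameters handed to `$this->app->trans(...)` are written `['%collection%', \phrasea::bas_labels(...)]`, a two-element list rather than a map, so the `%collection%` placeholder is presumably never substituted and the denial message shows the literal token. It should be `['%collection%' => \phrasea::bas_labels($request->request->get('base_id'), $this->app)]`. The target `base_id` is also read from the request more than once in `apply`; reading it into a local before the `\ACL::CANADDRECORD` check would keep the check and the later uses on the same value. `apply` continues outside the hunk.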
@@ -71,7 +71,7 @@ class MoveCollectionController extends Controller if ($request->request->get("chg_coll_son") == "1") { /** @var \record_adapter $child */ foreach ($record->getChildren() as $child) { - if ($this->getAclForUser()->has_right_on_base($child->getBaseId(), 'candeleterecord')) { + if ($this->getAclForUser()->has_right_on_base($child->getBaseId(), \ACL::CANDELETERECORD)) { $child->move_to_collection($collection, $this->getApplicationBox()); } } diff --git a/lib/Alchemy/Phrasea/Controller/Prod/StoryController.php b/lib/Alchemy/Phrasea/Controller/Prod/StoryController.php index 96d3d5e537..9a65ed61fa 100644 --- a/lib/Alchemy/Phrasea/Controller/Prod/StoryController.php +++ b/lib/Alchemy/Phrasea/Controller/Prod/StoryController.php @@ -35,7 +35,7 @@ class StoryController extends Controller { $collection = \collection::getByBaseId($this->app, $request->request->get('base_id')); - if (!$this->getAclForUser()->has_right_on_base($collection->get_base_id(), 'canaddrecord')) { + if (!$this->getAclForUser()->has_right_on_base($collection->get_base_id(), \ACL::CANADDRECORD)) { throw new AccessDeniedHttpException('You can not create a story on this collection'); } diff --git a/lib/Alchemy/Phrasea/Controller/Prod/ToolsController.php b/lib/Alchemy/Phrasea/Controller/Prod/ToolsController.php index c8d4f44fa4..556d3d8c3a 100644 --- a/lib/Alchemy/Phrasea/Controller/Prod/ToolsController.php +++ b/lib/Alchemy/Phrasea/Controller/Prod/ToolsController.php @@ -51,7 +51,7 @@ class ToolsController extends Controller $acl = $this->getAclForUser(); - if ($acl->has_right('bas_chupub') + if ($acl->has_right(\ACL::BAS_CHUPUB) && $acl->has_right_on_base($record->getBaseId(), \ACL::CANMODIFRECORD) && $acl->has_right_on_base($record->getBaseId(), \ACL::IMGTOOLS) ) { 
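Review bot: `$acl->has_right(\ACL::BAS_CHUPUB)` in the ToolsController hunk at -51 (and its negation in the hunk at -340) is not tied to the record being edited, whereas the checks beside it use `has_right_on_base($record->getBaseId(), ...)`. If `has_right` is satisfied by holding the right on any databox (ACL.php is changed by this commit but is not visible here), a user could pass with `bas_chupub` granted on a different databox than the record's. Share.php in this commit scopes the same right with `requireRightOnSbas(\phrasea::sbasFromBas($app, ...), \ACL::BAS_CHUPUB)`; the equivalent here would be `$acl->has_right_on_sbas(\phrasea::sbasFromBas($this->app, $record->getBaseId()), \ACL::BAS_CHUPUB)`. Both conditions sit in methods that start outside the hunks.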
@@ -340,7 +340,7 @@ class ToolsController extends Controller $state = $request->request->get('state') == 'true' ? true : false; $acl = $this->getAclForUser(); - if (!$acl->has_right('bas_chupub') + if (!$acl->has_right(\ACL::BAS_CHUPUB) || !$acl->has_right_on_base($record->getBaseId(), \ACL::CANMODIFRECORD) || !$acl->has_right_on_base($record->getBaseId(), \ACL::IMGTOOLS) || ('document' == $subdefName && !$acl->has_right_on_base($record->getBaseId(), \ACL::CANDWNLDHD)) diff --git a/lib/Alchemy/Phrasea/Controller/Prod/UploadController.php b/lib/Alchemy/Phrasea/Controller/Prod/UploadController.php index d800aacdb9..846b934fd7 100644 --- a/lib/Alchemy/Phrasea/Controller/Prod/UploadController.php +++ b/lib/Alchemy/Phrasea/Controller/Prod/UploadController.php @@ -115,7 +115,7 @@ class UploadController extends Controller throw new BadRequestHttpException('Missing base_id parameter'); } - if (!$this->getAclForUser()->has_right_on_base($base_id, 'canaddrecord')) { + if (!$this->getAclForUser()->has_right_on_base($base_id, \ACL::CANADDRECORD)) { throw new AccessDeniedHttpException('User is not allowed to add record on this collection'); } @@ -243,7 +243,7 @@ class UploadController extends Controller { $collections = []; - foreach ($acl->get_granted_base(['canaddrecord']) as $collection) { + foreach ($acl->get_granted_base([\ACL::CANADDRECORD]) as $collection) { $databox = $collection->get_databox(); if ( ! isset($collections[$databox->get_sbas_id()])) { diff --git a/lib/Alchemy/Phrasea/Controller/Report/RootController.php b/lib/Alchemy/Phrasea/Controller/Report/RootController.php index 552de7a5ed..8bb9006402 100644 --- a/lib/Alchemy/Phrasea/Controller/Report/RootController.php +++ b/lib/Alchemy/Phrasea/Controller/Report/RootController.php 
@@ -53,7 +53,7 @@ class RootController extends Controller $granted = []; - foreach ($this->getAclForUser()->get_granted_base(['canreport']) as $collection) { + foreach ($this->getAclForUser()->get_granted_base([\ACL::CANREPORT]) as $collection) { if (!isset($granted[$collection->get_sbas_id()])) { $granted[$collection->get_sbas_id()] = [ 'id' => $collection->get_sbas_id(), diff --git a/lib/Alchemy/Phrasea/ControllerProvider/Admin/Databox.php b/lib/Alchemy/Phrasea/ControllerProvider/Admin/Databox.php index b739965329..6f7c716422 100644 --- a/lib/Alchemy/Phrasea/ControllerProvider/Admin/Databox.php +++ b/lib/Alchemy/Phrasea/ControllerProvider/Admin/Databox.php @@ -135,11 +135,11 @@ class Databox implements ControllerProviderInterface, ServiceProviderInterface public function requireManageRightOnSbas(Request $request, Application $app) { - $this->getFirewall($app)->requireRightOnSbas($request->attributes->get('databox_id'), 'bas_manage'); + $this->getFirewall($app)->requireRightOnSbas($request->attributes->get('databox_id'), \ACL::BAS_MANAGE); } public function requireChangeSbasStructureRight(Request $request, Application $app) { - $this->getFirewall($app)->requireRightOnSbas($request->attributes->get('databox_id'), 'bas_modify_struct'); + $this->getFirewall($app)->requireRightOnSbas($request->attributes->get('databox_id'), \ACL::BAS_MODIFY_STRUCT); } } diff --git a/lib/Alchemy/Phrasea/ControllerProvider/Admin/Feeds.php b/lib/Alchemy/Phrasea/ControllerProvider/Admin/Feeds.php index f9b73e7f87..5e7c147f82 100644 --- a/lib/Alchemy/Phrasea/ControllerProvider/Admin/Feeds.php +++ b/lib/Alchemy/Phrasea/ControllerProvider/Admin/Feeds.php @@ -41,7 +41,7 @@ class Feeds implements ControllerProviderInterface, ServiceProviderInterface $controllers->before(function () use ($firewall) { $firewall ->requireAccessToModule('admin') - ->requireRight('bas_chupub'); + ->requireRight(\ACL::BAS_CHUPUB); }); $controllers->get('/list/', 'controller.admin.feeds:listFeedsAction') 
diff --git a/lib/Alchemy/Phrasea/ControllerProvider/Admin/Fields.php b/lib/Alchemy/Phrasea/ControllerProvider/Admin/Fields.php index b6f111a37a..205939fd62 100644 --- a/lib/Alchemy/Phrasea/ControllerProvider/Admin/Fields.php +++ b/lib/Alchemy/Phrasea/ControllerProvider/Admin/Fields.php @@ -51,7 +51,7 @@ class Fields implements ControllerProviderInterface, ServiceProviderInterface $controllers->before(function () use ($firewall) { $firewall ->requireAccessToModule('admin') - ->requireRight('bas_modify_struct'); + ->requireRight(\ACL::BAS_MODIFY_STRUCT); }); $controllers->get('/language.json', 'controller.admin.fields:getLanguage') diff --git a/lib/Alchemy/Phrasea/ControllerProvider/Admin/Subdefs.php b/lib/Alchemy/Phrasea/ControllerProvider/Admin/Subdefs.php index 0e5c8d06f4..91d8eb07c2 100644 --- a/lib/Alchemy/Phrasea/ControllerProvider/Admin/Subdefs.php +++ b/lib/Alchemy/Phrasea/ControllerProvider/Admin/Subdefs.php @@ -41,7 +41,7 @@ class Subdefs implements ControllerProviderInterface, ServiceProviderInterface $controllers->before(function (Request $request) use ($firewall) { $firewall->requireAccessToModule('admin') - ->requireRightOnSbas($request->attributes->get('sbas_id'), 'bas_modify_struct'); + ->requireRightOnSbas($request->attributes->get('sbas_id'), \ACL::BAS_MODIFY_STRUCT); }); $controllers->get('/{sbas_id}/', 'controller.admin.subdefs:indexAction') diff --git a/lib/Alchemy/Phrasea/ControllerProvider/Admin/TaskManager.php b/lib/Alchemy/Phrasea/ControllerProvider/Admin/TaskManager.php index f6ecd5f1fe..bd802f1558 100644 --- a/lib/Alchemy/Phrasea/ControllerProvider/Admin/TaskManager.php +++ b/lib/Alchemy/Phrasea/ControllerProvider/Admin/TaskManager.php @@ -46,7 +46,7 @@ class TaskManager implements ControllerProviderInterface, ServiceProviderInterfa }; $controllers->before(function () use ($firewall) { - $firewall->requireRight('taskmanager'); + $firewall->requireRight(\ACL::TASKMANAGER); }); $controllers 
diff --git a/lib/Alchemy/Phrasea/ControllerProvider/Prod/Bridge.php b/lib/Alchemy/Phrasea/ControllerProvider/Prod/Bridge.php index c3885150f4..e54d2044a5 100644 --- a/lib/Alchemy/Phrasea/ControllerProvider/Prod/Bridge.php +++ b/lib/Alchemy/Phrasea/ControllerProvider/Prod/Bridge.php @@ -40,7 +40,7 @@ class Bridge implements ControllerProviderInterface, ServiceProviderInterface $firewall = $this->getFirewall($app); $controllers->before(function () use ($firewall) { - $firewall->requireRight('bas_chupub'); + $firewall->requireRight(\ACL::BAS_CHUPUB); }); $controllers diff --git a/lib/Alchemy/Phrasea/ControllerProvider/Prod/Order.php b/lib/Alchemy/Phrasea/ControllerProvider/Prod/Order.php index c66c53956a..1db0fdfda9 100644 --- a/lib/Alchemy/Phrasea/ControllerProvider/Prod/Order.php +++ b/lib/Alchemy/Phrasea/ControllerProvider/Prod/Order.php @@ -72,7 +72,7 @@ class Order implements ControllerProviderInterface, ServiceProviderInterface }; $controllers->before(function () use ($firewall) { - $firewall->requireRight('order'); + $firewall->requireRight(\ACL::CANCMD); }); $controllers->get('/', 'controller.prod.order:displayOrders') diff --git a/lib/Alchemy/Phrasea/ControllerProvider/Prod/Push.php b/lib/Alchemy/Phrasea/ControllerProvider/Prod/Push.php index e787946c17..a3a99718bd 100644 --- a/lib/Alchemy/Phrasea/ControllerProvider/Prod/Push.php +++ b/lib/Alchemy/Phrasea/ControllerProvider/Prod/Push.php @@ -46,7 +46,7 @@ class Push implements ControllerProviderInterface, ServiceProviderInterface $firewall = $this->getFirewall($app); $controllers->before(function () use ($firewall) { - $firewall->requireRight('push'); + $firewall->requireRight(\ACL::CANPUSH); }); $controllers->post('/sendform/', 'controller.prod.push:postFormAction'); diff --git a/lib/Alchemy/Phrasea/ControllerProvider/Prod/Share.php b/lib/Alchemy/Phrasea/ControllerProvider/Prod/Share.php index 1fb7d1de43..e4e58e53b2 100644 --- a/lib/Alchemy/Phrasea/ControllerProvider/Prod/Share.php 
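Review bot: Unlike the other replacements in this commit, `requireRight('order')` → `requireRight(\ACL::CANCMD)` in Order.php and `requireRight('push')` → `requireRight(\ACL::CANPUSH)` in Push.php change the value handed to the firewall, not only its spelling: ApiOrderController.php in this commit replaces `'cancmd'` with `\ACL::CANCMD`, so the constant is presumably `'cancmd'` rather than `'order'`. Whether `requireRight` accepts the new names depends on the ACL.php changes, which are not visible here. These `before` handlers are the only gate on the order and push routes visible in these hunks, so the switch should be covered by a test that a user without the right gets a 403 and a user with it does not. A short comment at each call, e.g. `// was 'order'; the global right is now named by \ACL::CANCMD`, would record that the value changed on purpose.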
+++ b/lib/Alchemy/Phrasea/ControllerProvider/Prod/Share.php @@ -49,7 +49,7 @@ class Share implements ControllerProviderInterface, ServiceProviderInterface ->before(function (Request $request) use ($app, $firewall) { $firewall->requireRightOnSbas( \phrasea::sbasFromBas($app, $request->attributes->get('base_id')), - 'bas_chupub' + \ACL::BAS_CHUPUB ); }) ->bind('share_record'); diff --git a/lib/Alchemy/Phrasea/Core/Event/Subscriber/LazaretSubscriber.php b/lib/Alchemy/Phrasea/Core/Event/Subscriber/LazaretSubscriber.php index f4c0b95dde..0db6fa8794 100644 --- a/lib/Alchemy/Phrasea/Core/Event/Subscriber/LazaretSubscriber.php +++ b/lib/Alchemy/Phrasea/Core/Event/Subscriber/LazaretSubscriber.php @@ -38,7 +38,7 @@ class LazaretSubscriber extends AbstractNotificationSubscriber $query = $this->app['phraseanet.user-query']; $users = $query ->on_base_ids([$lazaretFile->getBaseId()]) - ->who_have_right(['canaddrecord']) + ->who_have_right([\ACL::CANADDRECORD]) ->execute() ->get_results(); diff --git a/lib/Alchemy/Phrasea/Helper/User/Edit.php b/lib/Alchemy/Phrasea/Helper/User/Edit.php index 8b9b292246..0466bba235 100644 --- a/lib/Alchemy/Phrasea/Helper/User/Edit.php +++ b/lib/Alchemy/Phrasea/Helper/User/Edit.php 
@@ -86,53 +86,52 @@ class Edit extends \Alchemy\Phrasea\Helper\Helper { $list = array_keys($this->app->getAclForUser($this->app->getAuthenticatedUser())->get_granted_base([\ACL::CANADMIN])); - $sql = "SELECT - b.sbas_id, - b.base_id, - sum(actif) as actif, - sum(canputinalbum) as canputinalbum, - sum(candwnldpreview) as candwnldpreview, - sum(candwnldhd) as candwnldhd, - sum(cancmd) as cancmd, - sum(nowatermark) as nowatermark, + $sql = "SELECT b.sbas_id, b.base_id,\n" - sum(canaddrecord) as canaddrecord, - sum(canmodifrecord) as canmodifrecord, - sum(chgstatus) as chgstatus, - sum(candeleterecord) as candeleterecord, - sum(imgtools) as imgtools, + . " SUM(actif) AS actif,\n" + . " SUM(canputinalbum) AS canputinalbum,\n" + . " SUM(candwnldpreview) AS candwnldpreview,\n" + . " SUM(candwnldhd) AS candwnldhd,\n" + . " SUM(cancmd) AS cancmd,\n" + . " SUM(nowatermark) AS nowatermark,\n" - sum(canadmin) as canadmin, - sum(canreport) as canreport, - sum(canpush) as canpush, - sum(manage) as manage, - sum(modify_struct) as modify_struct, + . " SUM(canaddrecord) AS canaddrecord,\n" + . " SUM(canmodifrecord) AS canmodifrecord,\n" + . " SUM(chgstatus) AS chgstatus,\n" + . " SUM(candeleterecord) AS candeleterecord,\n" + . " SUM(imgtools) AS imgtools,\n" - sum(sbu.bas_modif_th) as bas_modif_th, - sum(sbu.bas_manage) as bas_manage, - sum(sbu.bas_modify_struct) as bas_modify_struct, - sum(sbu.bas_chupub) as bas_chupub, + . " SUM(canadmin) AS canadmin,\n" + . " SUM(canreport) AS canreport,\n" + . " SUM(canpush) AS canpush,\n" + . " SUM(manage) AS manage,\n" + . " SUM(modify_struct) AS modify_struct,\n" - sum(time_limited) as time_limited, - DATE_FORMAT(limited_from,'%Y%m%d') as limited_from, - DATE_FORMAT(limited_to,'%Y%m%d') as limited_to, + . " SUM(sbu.bas_modif_th) AS bas_modif_th,\n" + . " SUM(sbu.bas_manage) AS bas_manage,\n" + . " SUM(sbu.bas_modify_struct) AS bas_modify_struct,\n" + . 
" SUM(sbu.bas_chupub) AS bas_chupub,\n" - sum(restrict_dwnld) as restrict_dwnld, - sum(remain_dwnld) as remain_dwnld, - sum(month_dwnld_max) as month_dwnld_max, + . " SUM(time_limited) AS time_limited,\n" + . " SUM(restrict_dwnld) AS restrict_dwnld,\n" - sum(mask_and + mask_xor) as masks + // --- wtf doing sum on non booleans ? + . " SUM(remain_dwnld) AS remain_dwnld,\n" + . " SUM(month_dwnld_max) AS month_dwnld_max,\n" + . " SUM(mask_and + mask_xor) AS masks,\n" + // --- - FROM (Users u, bas b, sbas s) - LEFT JOIN (basusr bu) - ON (bu.base_id = b.base_id AND u.id = bu.usr_id) - LEFT join sbasusr sbu - ON (sbu.sbas_id = b.sbas_id AND u.id = sbu.usr_id) - WHERE ( (u.id IN (:users) ) - AND b.sbas_id = s.sbas_id - AND (b.base_id IN (:bases))) - GROUP BY b.base_id - ORDER BY s.ord, s.sbas_id, b.ord, b.base_id "; + // -- wtf no aggregate fct ? + . " DATE_FORMAT(limited_from,'%Y%m%d') AS limited_from,\n" + . " DATE_FORMAT(limited_to,'%Y%m%d') AS limited_to\n" + // --- + + . " FROM (Users u, bas b, sbas s)\n" + . " LEFT JOIN (basusr bu) ON (bu.base_id = b.base_id AND u.id = bu.usr_id)\n" + . " LEFT join sbasusr sbu ON (sbu.sbas_id = b.sbas_id AND u.id = sbu.usr_id)\n" + . " WHERE ( (u.id IN (:users) ) AND b.sbas_id = s.sbas_id AND (b.base_id IN (:bases)))\n" + . " GROUP BY b.base_id\n" + . " ORDER BY s.ord, s.sbas_id, b.ord, b.base_id "; $rs = $this->app->getApplicationBox()->get_connection()->fetchAll( $sql, @@ -146,10 +145,10 @@ class Edit extends \Alchemy\Phrasea\Helper\Helper ] ); - $sql = 'SELECT base_id, sum(1) as access FROM basusr - WHERE (usr_id IN (:users)) - AND (base_id IN (:bases)) - GROUP BY base_id'; + $sql = "SELECT base_id, SUM(1) AS access FROM basusr\n" + . " WHERE (usr_id IN (:users)) AND (base_id IN (:bases))\n" + . " GROUP BY base_id"; + $access = $this->app->getApplicationBox()->get_connection()->fetchAll( $sql, [ 
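Review bot: The two `// wtf` comments added in the hunk at -86 record a real problem without resolving it: `limited_from` and `limited_to` are selected outside any aggregate while the query groups by `b.base_id` only. When several users are selected, the dates shown in the rights editor come from an arbitrary row, and with MySQL's ONLY_FULL_GROUP_BY mode enabled the statement is rejected. Wrapping them, for example `MIN(DATE_FORMAT(limited_from,'%Y%m%d')) AS limited_from` and `MAX(DATE_FORMAT(limited_to,'%Y%m%d')) AS limited_to`, or returning them only when a single user is edited, would make the time-limit display deterministic; the comments should then state what the `SUM` over `remain_dwnld`, `month_dwnld_max` and the masks is meant to represent. The method starts before the hunk and continues after it.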
@@ -164,12 +163,13 @@ class Edit extends \Alchemy\Phrasea\Helper\Helper $base_ids = []; foreach ($access as $acc) { - $base_ids[$acc['base_id']] = $acc; + $base_ids[$acc['base_id']] = $acc['access']; } unset($access); + // add a 'access' column foreach ($rs as $k => $row) { - $rs[$k]['access'] = array_key_exists($row['base_id'], $base_ids) ? $base_ids[$row['base_id']]['access'] : '0'; + $rs[$k]['access'] = array_key_exists($row['base_id'], $base_ids) ? $base_ids[$row['base_id']] : '0'; foreach ($row as $dk => $data) { if (is_null($data)) $rs[$k][$dk] = '0'; @@ -483,7 +483,7 @@ class Edit extends \Alchemy\Phrasea\Helper\Helper foreach ($base_ids as $base_id) { $rights = [ - 'access', + \ACL::ACCESS, \ACL::ACTIF, \ACL::CANPUTINALBUM, \ACL::NOWATERMARK, @@ -498,12 +498,12 @@ class Edit extends \Alchemy\Phrasea\Helper\Helper \ACL::CANADMIN, \ACL::CANREPORT, \ACL::CANPUSH, - \ACL::MANAGE, - \ACL::MODIFY_STRUCT + \ACL::COLL_MANAGE, + \ACL::COLL_MODIFY_STRUCT ]; foreach ($rights as $k => $right) { - if (($right == 'access' && !$ACL->has_access_to_base($base_id)) - || ($right != 'access' && !$ACL->has_right_on_base($base_id, $right))) { + if (($right == \ACL::ACCESS && !$ACL->has_access_to_base($base_id)) + || ($right != \ACL::ACCESS && !$ACL->has_right_on_base($base_id, $right))) { unset($rights[$k]); continue; } @@ -520,7 +520,7 @@ class Edit extends \Alchemy\Phrasea\Helper\Helper $p = implode('_', $serial); - if ($p == 'access') { + if ($p == \ACL::ACCESS) { if ($v === '1') { $create_sbas[\phrasea::sbasFromBas($this->app, $base_id)] = \phrasea::sbasFromBas($this->app, $base_id); $create[] = $base_id; 
@@ -537,10 +537,10 @@ class Edit extends \Alchemy\Phrasea\Helper\Helper foreach ($sbas_ids as $databox) { $rights = [ - 'bas_modif_th', - 'bas_manage', - 'bas_modify_struct', - 'bas_chupub' + \ACL::BAS_MODIF_TH, + \ACL::BAS_MANAGE, + \ACL::BAS_MODIFY_STRUCT, + \ACL::BAS_CHUPUB ]; foreach ($rights as $k => $right) { if (!$ACL->has_right_on_sbas($databox->get_sbas_id(), $right)) { @@ -569,6 +569,7 @@ class Edit extends \Alchemy\Phrasea\Helper\Helper try { $this->app->getApplicationBox()->get_connection()->beginTransaction(); + /** @var User $user */ $user = $this->app['repo.users']->find($usr_id); $this->app->getAclForUser($user)->revoke_access_from_bases($delete) @@ -611,18 +612,18 @@ class Edit extends \Alchemy\Phrasea\Helper\Helper } $infos = [ - 'gender' - , 'first_name' - , 'last_name' - , 'email' - , 'address' - , 'zip' - , 'geonameid' - , 'function' - , 'company' - , 'activite' - , 'telephone' - , 'fax' + 'gender', + 'first_name', + 'last_name', + 'email', + 'address', + 'zip', + 'geonameid', + 'function', + 'company', + 'activite', + 'telephone', + 'fax' ]; $parm = $this->unserializedRequestData($this->request, $infos, 'user_infos'); diff --git a/lib/Alchemy/Phrasea/Model/Manipulator/ACLManipulator.php b/lib/Alchemy/Phrasea/Model/Manipulator/ACLManipulator.php index 4e6f87907b..4b168d3416 100644 --- a/lib/Alchemy/Phrasea/Model/Manipulator/ACLManipulator.php +++ b/lib/Alchemy/Phrasea/Model/Manipulator/ACLManipulator.php @@ -72,10 +72,10 @@ class ACLManipulator implements ManipulatorInterface $collections = $databox->get_collections(); $acl->update_rights_to_sbas($databox->get_sbas_id(), [ - 'bas_manage' => '1', - 'bas_modify_struct' => '1', - 'bas_modif_th' => '1', - 'bas_chupub' => '1' + \ACL::BAS_MANAGE => '1', + \ACL::BAS_MODIFY_STRUCT => '1', + \ACL::BAS_MODIF_TH => '1', + \ACL::BAS_CHUPUB => '1' ]); $acl->give_access_to_base(array_map(function (\collection $collection) { 
@@ -101,24 +101,24 @@ class ACLManipulator implements ManipulatorInterface $acl->remove_quotas_on_base($baseId); $acl->set_masks_on_base($baseId, '0', '0', '0', '0'); $acl->update_rights_to_base($baseId, [ - \ACL::CANPUTINALBUM => '1', - \ACL::CANDWNLDHD => '1', + \ACL::CANPUTINALBUM => '1', + \ACL::CANDWNLDHD => '1', 'candwnldsubdef' => '1', - \ACL::NOWATERMARK => '1', - \ACL::CANDWNLDPREVIEW => '1', - \ACL::CANCMD => '1', - \ACL::CANADMIN => '1', - \ACL::CANREPORT => '1', - \ACL::CANPUSH => '1', + \ACL::NOWATERMARK => '1', + \ACL::CANDWNLDPREVIEW => '1', + \ACL::CANCMD => '1', + \ACL::CANADMIN => '1', + \ACL::CANREPORT => '1', + \ACL::CANPUSH => '1', 'creationdate' => '1', - \ACL::CANADDRECORD => '1', - \ACL::CANMODIFRECORD => '1', - \ACL::CANDELETERECORD => '1', - \ACL::CHGSTATUS => '1', - \ACL::IMGTOOLS => '1', - \ACL::MANAGE => '1', - \ACL::MODIFY_STRUCT => '1', - 'bas_modify_struct' => '1' + \ACL::CANADDRECORD => '1', + \ACL::CANMODIFRECORD => '1', + \ACL::CANDELETERECORD => '1', + \ACL::CHGSTATUS => '1', + \ACL::IMGTOOLS => '1', + \ACL::COLL_MANAGE => '1', + \ACL::COLL_MODIFY_STRUCT => '1', + \ACL::BAS_MODIFY_STRUCT => '1' ]); } diff --git a/lib/Alchemy/Phrasea/Order/Controller/ApiOrderController.php b/lib/Alchemy/Phrasea/Order/Controller/ApiOrderController.php index 999c575e76..535b0d35a6 100644 --- a/lib/Alchemy/Phrasea/Order/Controller/ApiOrderController.php +++ b/lib/Alchemy/Phrasea/Order/Controller/ApiOrderController.php @@ -240,7 +240,7 @@ class ApiOrderController extends BaseOrderController $filtered = []; foreach ($records as $index => $record) { - if ($acl->has_right_on_base($record->getBaseId(), 'cancmd')) { + if ($acl->has_right_on_base($record->getBaseId(), \ACL::CANCMD)) { $filtered[$index] = $record; } } diff --git a/lib/Alchemy/Phrasea/Out/Module/PDF.php b/lib/Alchemy/Phrasea/Out/Module/PDF.php index ab62ce1aa4..6b59262dbc 100644 --- a/lib/Alchemy/Phrasea/Out/Module/PDF.php +++ b/lib/Alchemy/Phrasea/Out/Module/PDF.php 
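Review bot: In the ACLManipulator hunk, three keys passed to `update_rights_to_base($baseId, [...])` do not look like collection rights. `'candwnldsubdef'` and `'creationdate'` remain bare strings with no `ACL` constant, and `\ACL::BAS_MODIFY_STRUCT` belongs to the databox-level group this commit defines next to `BAS_MANAGE`. None of the three is listed in `ACL::$bas_rights` as shown in the ACL.php hunk, and `update_rights_to_base` is not in the visible hunks, so it is unclear whether unknown keys are rejected, ignored or written into the statement. If they are ignored, drop them; otherwise add `// not in ACL::$bas_rights: confirm update_rights_to_base() filters keys` above the array. The enclosing method starts and ends outside the hunk.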
@@ -166,7 +166,7 @@ class PDF $fimg = $subdef->getRealPath(); - if (!$this->app->getAclForUser($this->app->getAuthenticatedUser())->has_right_on_base($rec->getBaseId(), "nowatermark") + if (!$this->app->getAclForUser($this->app->getAuthenticatedUser())->has_right_on_base($rec->getBaseId(), \ACL::NOWATERMARK) && $subdef->get_type() == \media_subdef::TYPE_IMAGE) { $fimg = \recordutils_image::watermark($this->app, $subdef); } @@ -438,7 +438,7 @@ class PDF $f = $subdef->getRealPath(); - if (!$this->app->getAclForUser($this->app->getAuthenticatedUser())->has_right_on_base($rec->getBaseId(), "nowatermark") + if (!$this->app->getAclForUser($this->app->getAuthenticatedUser())->has_right_on_base($rec->getBaseId(), \ACL::NOWATERMARK) && $subdef->get_type() == \media_subdef::TYPE_IMAGE) $f = \recordutils_image::watermark($this->app, $subdef); diff --git a/lib/Alchemy/Phrasea/Setup/Installer.php b/lib/Alchemy/Phrasea/Setup/Installer.php index cc8c28f837..7823024b83 100644 --- a/lib/Alchemy/Phrasea/Setup/Installer.php +++ b/lib/Alchemy/Phrasea/Setup/Installer.php 
@@ -60,33 +60,35 @@ class Installer ->give_access_to_sbas([$databox->get_sbas_id()]) ->update_rights_to_sbas( $databox->get_sbas_id(), [ - 'bas_manage' => 1, - 'bas_modify_struct' => 1, - 'bas_modif_th' => 1, - 'bas_chupub' => 1 + \ACL::BAS_MANAGE => 1, + \ACL::BAS_MODIFY_STRUCT => 1, + \ACL::BAS_MODIF_TH => 1, + \ACL::BAS_CHUPUB => 1 ] ); $collection = \collection::create($this->app, $databox, $this->app['phraseanet.appbox'], 'test', $admin); - $this->app->getAclForUser($admin)->give_access_to_base([$collection->get_base_id()]); - $this->app->getAclForUser($admin)->update_rights_to_base($collection->get_base_id(), [ - \ACL::CANPUSH => 1, - \ACL::CANCMD => 1, - \ACL::CANPUTINALBUM => 1, - \ACL::CANDWNLDHD => 1, - \ACL::CANDWNLDPREVIEW => 1, - \ACL::CANADMIN => 1, - \ACL::ACTIF => 1, - \ACL::CANREPORT => 1, - \ACL::CANADDRECORD => 1, - \ACL::CANMODIFRECORD => 1, - \ACL::CANDELETERECORD => 1, - \ACL::CHGSTATUS => 1, - \ACL::IMGTOOLS => 1, - \ACL::MANAGE => 1, - \ACL::MODIFY_STRUCT => 1, - \ACL::NOWATERMARK => 1 + $this->app->getAclForUser($admin) + ->give_access_to_base([$collection->get_base_id()]); + $this->app->getAclForUser($admin) + ->update_rights_to_base($collection->get_base_id(), [ + \ACL::CANPUSH => 1, + \ACL::CANCMD => 1, + \ACL::CANPUTINALBUM => 1, + \ACL::CANDWNLDHD => 1, + \ACL::CANDWNLDPREVIEW => 1, + \ACL::CANADMIN => 1, + \ACL::ACTIF => 1, + \ACL::CANREPORT => 1, + \ACL::CANADDRECORD => 1, + \ACL::CANMODIFRECORD => 1, + \ACL::CANDELETERECORD => 1, + \ACL::CHGSTATUS => 1, + \ACL::IMGTOOLS => 1, + \ACL::COLL_MANAGE => 1, + \ACL::COLL_MODIFY_STRUCT => 1, + \ACL::NOWATERMARK => 1 ] ); diff --git a/lib/classes/ACL.php b/lib/classes/ACL.php index e07bb62ee0..10544d77b9 100644 --- a/lib/classes/ACL.php +++ b/lib/classes/ACL.php 
@@ -32,6 +32,12 @@ use Doctrine\DBAL\DBALException; class ACL implements cache_cacheableInterface { + const BAS_MODIF_TH = 'bas_modif_th'; + const BAS_MODIFY_STRUCT = 'bas_modify_struct'; + const BAS_MANAGE = 'bas_manage'; + const BAS_CHUPUB = 'bas_chupub'; + + const ACCESS = 'access'; const ACTIF = 'actif'; const CANADDRECORD = 'canaddrecord'; const CANADMIN = 'canadmin'; @@ -49,24 +55,27 @@ class ACL implements cache_cacheableInterface const COLL_MODIFY_STRUCT = 'modify_struct'; const NOWATERMARK = 'nowatermark'; const ORDER_MASTER = 'order_master'; + const RESTRICT_DWNLD = 'restrict_dwnld'; + + const TASKMANAGER = 'taskmanager'; protected static $bas_rights = [ - 'actif', - 'canaddrecord', + self::ACTIF, + self::CANADDRECORD, self::CANADMIN, - 'cancmd', + self::CANCMD, self::CANDELETERECORD, self::CANDWNLDHD, self::CANDWNLDPREVIEW, self::CANMODIFRECORD, - 'canpush', + self::CANPUSH, self::CANPUTINALBUM, - 'canreport', + self::CANREPORT, self::CHGSTATUS, self::IMGTOOLS, self::COLL_MANAGE, self::COLL_MODIFY_STRUCT, - 'nowatermark', + self::NOWATERMARK, self::ORDER_MASTER, ]; 
@@ -106,26 +115,28 @@ class ACL implements cache_cacheableInterface protected $is_admin; protected $_global_rights = [ - self::CANADDRECORD => false, - self::CANPUTINALBUM => false, - 'bas_chupub' => false, - 'bas_manage' => false, - 'bas_modif_th' => false, - 'bas_modify_struct' => false, + self::CANADDRECORD => false, + self::CANPUTINALBUM => false, self::CANDWNLDHD => true, - 'candwnldpreview' => true, - self::CHGSTATUS => false, + self::CANDWNLDPREVIEW => true, + self::CHGSTATUS => false, self::COLL_MANAGE => false, self::COLL_MODIFY_STRUCT => false, - self::CANDELETERECORD => false, + self::CANDELETERECORD => false, self::IMGTOOLS => false, - self::CANADMIN => false, - self::CANMODIFRECORD => false, - 'order' => false, + self::CANADMIN => false, + self::CANMODIFRECORD => false, + self::CANCMD => false, self::ORDER_MASTER => false, - 'push' => false, - 'report' => false, - 'taskmanager' => false, + self::CANPUSH => false, + self::CANREPORT => false, + + self::BAS_CHUPUB => false, + self::BAS_MANAGE => false, + self::BAS_MODIF_TH => false, + self::BAS_MODIFY_STRUCT => false, + + self::TASKMANAGER => false, ]; /** @@ -334,7 +345,12 @@ class ACL implements cache_cacheableInterface $sbas_ids = array_unique($sbas_ids); - $sbas_rights = ['bas_manage', 'bas_modify_struct', 'bas_modif_th', 'bas_chupub']; + $sbas_rights = [ + self::BAS_MANAGE, + self::BAS_MODIFY_STRUCT, + self::BAS_MODIF_TH, + self::BAS_CHUPUB + ]; $sbas_to_acces = []; $rights_to_give = []; @@ -559,7 +575,7 @@ class ACL implements cache_cacheableInterface return false; } - return $this->_rights_bas[$base_id]['restrict_dwnld']; + return $this->_rights_bas[$base_id][self::RESTRICT_DWNLD]; } /** @@ -689,7 +705,7 @@ class ACL implements cache_cacheableInterface $this->load_rights_bas(); return (isset($this->_rights_bas[$base_id]) && - $this->_rights_bas[$base_id]['actif'] === true); + $this->_rights_bas[$base_id][self::ACTIF] === true); } /** 
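Review bot: The `$_global_rights` defaults rename three keys rather than only swapping literals for constants: `'order'`, `'push'` and `'report'` are replaced by `self::CANCMD`, `self::CANPUSH` and `self::CANREPORT`, whose values are presumably `'cancmd'`, `'canpush'` and `'canreport'`. `load_rights_sbas` stores this array under `CACHE_GLOBAL_RIGHTS`, so an entry cached before the upgrade would still carry the old keys. A `has_right(\ACL::CANPUSH)` lookup against it may then miss or throw, depending on `has_right`, which is not shown. Any caller outside this patch that still passes `'push'`, `'report'` or `'order'` is affected the same way. I would invalidate the ACL cache as an upgrade step and record the rename above the array, e.g. `// keys renamed: order→cancmd, push→canpush, report→canreport`.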
@@ -903,18 +919,18 @@ class ACL implements cache_cacheableInterface $this->_rights_sbas = []; - $this->_global_rights['bas_modif_th'] = false; - $this->_global_rights['bas_modify_struct'] = false; - $this->_global_rights['bas_manage'] = false; - $this->_global_rights['bas_chupub'] = false; + $this->_global_rights[self::BAS_MODIF_TH] = false; + $this->_global_rights[self::BAS_MODIFY_STRUCT] = false; + $this->_global_rights[self::BAS_MANAGE] = false; + $this->_global_rights[self::BAS_CHUPUB] = false; foreach ($rs as $row) { $sbid = $row['sbas_id']; $this->_rights_sbas[$sbid] = []; - $this->_global_rights['bas_modif_th'] |= ($this->_rights_sbas[$sbid]['bas_modif_th'] = ($row['bas_modif_th'] == '1')); - $this->_global_rights['bas_modify_struct'] |= ($this->_rights_sbas[$sbid]['bas_modify_struct'] = ($row['bas_modify_struct'] == '1')); - $this->_global_rights['bas_manage'] |= ($this->_rights_sbas[$sbid]['bas_manage'] = ($row['bas_manage'] == '1')); - $this->_global_rights['bas_chupub'] |= ($this->_rights_sbas[$sbid]['bas_chupub'] = ($row['bas_chupub'] == '1')); + $this->_global_rights[self::BAS_MODIF_TH] |= ($this->_rights_sbas[$sbid][self::BAS_MODIF_TH] = ($row['bas_modif_th'] == '1')); + $this->_global_rights[self::BAS_MODIFY_STRUCT] |= ($this->_rights_sbas[$sbid][self::BAS_MODIFY_STRUCT] = ($row['bas_modify_struct'] == '1')); + $this->_global_rights[self::BAS_MANAGE] |= ($this->_rights_sbas[$sbid][self::BAS_MANAGE] = ($row['bas_manage'] == '1')); + $this->_global_rights[self::BAS_CHUPUB] |= ($this->_rights_sbas[$sbid][self::BAS_CHUPUB] = ($row['bas_chupub'] == '1')); } $this->set_data_to_cache($this->_rights_sbas, self::CACHE_RIGHTS_SBAS); $this->set_data_to_cache($this->_global_rights, self::CACHE_GLOBAL_RIGHTS); 
@@ -971,15 +987,15 @@ class ACL implements cache_cacheableInterface $this->_global_rights[self::CANADMIN] = false; $this->_global_rights[self::COLL_MANAGE] = false; $this->_global_rights[self::COLL_MODIFY_STRUCT] = false; - $this->_global_rights['order'] = false; - $this->_global_rights['push'] = false; + $this->_global_rights[self::CANCMD] = false; + $this->_global_rights[self::CANPUSH] = false; $this->_global_rights[self::CANADDRECORD] = false; $this->_global_rights[self::CANMODIFRECORD] = false; $this->_global_rights[self::CHGSTATUS] = false; $this->_global_rights[self::IMGTOOLS] = false; $this->_global_rights[self::CANDELETERECORD] = false; $this->_global_rights[self::CANPUTINALBUM] = false; - $this->_global_rights['report'] = false; + $this->_global_rights[self::CANREPORT] = false; $this->_global_rights[self::CANDWNLDPREVIEW] = false; $this->_global_rights[self::CANDWNLDHD] = false; $this->_global_rights[self::ORDER_MASTER] = false; 
@@ -999,23 +1015,24 @@ class ACL implements cache_cacheableInterface ]; } - $this->_global_rights[self::IMGTOOLS] |= ($this->_rights_bas[$bid][self::IMGTOOLS] = ($row['imgtools'] == '1')); - $this->_global_rights[self::CHGSTATUS] |= ($this->_rights_bas[$bid][self::CHGSTATUS] = ($row['chgstatus'] == '1')); - $this->_global_rights['order'] |= ($this->_rights_bas[$bid]['cancmd'] = ($row['cancmd'] == '1')); - $this->_global_rights[self::CANADDRECORD] |= ($this->_rights_bas[$bid][self::CANADDRECORD] = ($row['canaddrecord'] == '1')); - $this->_global_rights['push'] |= ($this->_rights_bas[$bid]['canpush'] = ($row['canpush'] == '1')); - $this->_global_rights[self::CANDELETERECORD] |= ($this->_rights_bas[$bid][self::CANDELETERECORD] = ($row['candeleterecord'] == '1')); - $this->_global_rights[self::CANADMIN] |= ($this->_rights_bas[$bid][self::CANADMIN] = ($row['canadmin'] == '1')); - $this->_global_rights[self::CANDWNLDPREVIEW] |= ($this->_rights_bas[$bid][self::CANDWNLDPREVIEW] = ($row['candwnldpreview'] == '1')); - $this->_global_rights[self::CANDWNLDHD] |= ($this->_rights_bas[$bid][self::CANDWNLDHD] = ($row['candwnldhd'] == '1')); - $this->_global_rights[self::CANMODIFRECORD] |= ($this->_rights_bas[$bid][self::CANMODIFRECORD] = ($row['canmodifrecord'] == '1')); - $this->_global_rights[self::CANPUTINALBUM] |= ($this->_rights_bas[$bid][self::CANPUTINALBUM] = ($row['canputinalbum'] == '1')); - $this->_global_rights['report'] |= ($this->_rights_bas[$bid]['canreport'] = ($row['canreport'] == '1')); - $this->_global_rights[self::COLL_MODIFY_STRUCT] |= ($this->_rights_bas[$bid][self::COLL_MODIFY_STRUCT] = ($row['modify_struct'] == '1')); - $this->_global_rights[self::COLL_MANAGE] |= ($this->_rights_bas[$bid][self::COLL_MANAGE] = ($row['manage'] == '1')); - $this->_global_rights[self::ORDER_MASTER] |= ($this->_rights_bas[$bid][self::ORDER_MASTER] = ($row[\ACL::ORDER_MASTER] == '1')); - $this->_rights_bas[$bid]['nowatermark'] = ($row['nowatermark'] == '1'); - 
$this->_rights_bas[$bid]['restrict_dwnld'] = ($row['restrict_dwnld'] == '1'); + $this->_global_rights[self::IMGTOOLS] |= ($this->_rights_bas[$bid][self::IMGTOOLS] = ($row['imgtools'] == '1')); + $this->_global_rights[self::CHGSTATUS] |= ($this->_rights_bas[$bid][self::CHGSTATUS] = ($row['chgstatus'] == '1')); + $this->_global_rights[self::CANCMD] |= ($this->_rights_bas[$bid][self::CANCMD] = ($row['cancmd'] == '1')); + $this->_global_rights[self::CANADDRECORD] |= ($this->_rights_bas[$bid][self::CANADDRECORD] = ($row['canaddrecord'] == '1')); + $this->_global_rights[self::CANPUSH] |= ($this->_rights_bas[$bid][self::CANPUSH] = ($row['canpush'] == '1')); + $this->_global_rights[self::CANDELETERECORD] |= ($this->_rights_bas[$bid][self::CANDELETERECORD] = ($row['candeleterecord'] == '1')); + $this->_global_rights[self::CANADMIN] |= ($this->_rights_bas[$bid][self::CANADMIN] = ($row['canadmin'] == '1')); + $this->_global_rights[self::CANDWNLDPREVIEW] |= ($this->_rights_bas[$bid][self::CANDWNLDPREVIEW] = ($row['candwnldpreview'] == '1')); + $this->_global_rights[self::CANDWNLDHD] |= ($this->_rights_bas[$bid][self::CANDWNLDHD] = ($row['candwnldhd'] == '1')); + $this->_global_rights[self::CANMODIFRECORD] |= ($this->_rights_bas[$bid][self::CANMODIFRECORD] = ($row['canmodifrecord'] == '1')); + $this->_global_rights[self::CANPUTINALBUM] |= ($this->_rights_bas[$bid][self::CANPUTINALBUM] = ($row['canputinalbum'] == '1')); + $this->_global_rights[self::CANREPORT] |= ($this->_rights_bas[$bid][self::CANREPORT] = ($row['canreport'] == '1')); + $this->_global_rights[self::COLL_MODIFY_STRUCT] |= ($this->_rights_bas[$bid][self::COLL_MODIFY_STRUCT] = ($row['modify_struct'] == '1')); + $this->_global_rights[self::COLL_MANAGE] |= ($this->_rights_bas[$bid][self::COLL_MANAGE] = ($row['manage'] == '1')); + $this->_global_rights[self::ORDER_MASTER] |= ($this->_rights_bas[$bid][self::ORDER_MASTER] = ($row['order_master'] == '1')); + + $this->_rights_bas[$bid][self::NOWATERMARK] = 
($row['nowatermark'] == '1'); + $this->_rights_bas[$bid][self::RESTRICT_DWNLD] = ($row['restrict_dwnld'] == '1'); $this->_rights_bas[$bid]['remain_dwnld'] = (int) $row['remain_dwnld']; $this->_rights_bas[$bid]['mask_and'] = (int) $row['mask_and']; $this->_rights_bas[$bid]['mask_xor'] = (int) $row['mask_xor']; @@ -1024,7 +1041,7 @@ class ACL implements cache_cacheableInterface $row['limited_to'] = $row['limited_to'] == '0000-00-00 00:00:00' ? '' : trim($row['limited_to']); if ($row['time_limited'] == '1' && ($row['limited_from'] !== '' || $row['limited_to'] !== '')) { - $this->_limited[$row['base_id']] = [ + $this->_limited[$bid] = [ 'dmin' => $row['limited_from'] ? new DateTime($row['limited_from']) : null, 'dmax' => $row['limited_to'] ? new DateTime($row['limited_to']) : null ]; @@ -1047,7 +1064,7 @@ class ACL implements cache_cacheableInterface { $this->load_rights_bas(); $this->load_rights_sbas(); - $this->_global_rights['taskmanager'] = $this->is_admin(); + $this->_global_rights[self::TASKMANAGER] = $this->is_admin(); return $this; } @@ -1063,21 +1080,21 @@ class ACL implements cache_cacheableInterface switch ($module_name) { case 'admin': return ( - ($this->has_right('bas_modify_struct') || + ($this->has_right(self::BAS_MODIFY_STRUCT) || $this->has_right(self::COLL_MODIFY_STRUCT) || - $this->has_right('bas_manage') || + $this->has_right(self::BAS_MANAGE) || $this->has_right(self::COLL_MANAGE) || $this->has_right(self::CANADMIN) || $this->is_admin()) ); break; case 'thesaurus': - return ($this->has_right('bas_modif_th') === true ); + return ($this->has_right(self::BAS_MODIF_TH) === true ); break; case 'upload': return ($this->has_right(self::CANADDRECORD) === true); break; case 'report': - return ($this->has_right('report') === true); + return ($this->has_right(self::CANREPORT) === true); break; default: break; 
@@ -1087,9 +1104,10 @@ class ACL implements cache_cacheableInterface } /** - * - * @param array $base_ids - * @return ACL + * @param array $base_ids + * @return $this + * @throws DBALException + * @throws Exception */ public function revoke_access_from_bases(Array $base_ids) { 
@@ -1126,31 +1144,40 @@ class ACL implements cache_cacheableInterface */ public function give_access_to_base(Array $base_ids) { - $sql = "INSERT INTO basusr (id, base_id, usr_id, actif)\n" - . "VALUES (null, :base_id, :usr_id, '1')\n" - . "ON DUPLICATE KEY UPDATE actif='1"; - $stmt = $this->app->getApplicationBox()->get_connection()->prepare($sql); - $usr_id = $this->user->getId(); - $this->load_rights_bas(); + $sql_i = "INSERT INTO basusr (base_id, usr_id, actif) VALUES (:base_id, :usr_id, '1')"; + $sql_u = "UPDATE basusr SET UPDATE actif='1' WHERE base_id = :base_id AND usr_id = :usr_id"; + $stmt_i = $this->app->getApplicationBox()->get_connection()->prepare($sql_i); + $stmt_u = $this->app->getApplicationBox()->get_connection()->prepare($sql_u); + + $usr_id = $this->user->getId(); foreach ($base_ids as $base_id) { - if (!isset($this->_rights_bas[$base_id]) || $this->_rights_bas[$base_id]['actif'] === false) { - $stmt->execute([':base_id' => $base_id, ':usr_id' => $usr_id]); - if($stmt->rowCount() > 0) { - $this->app['dispatcher']->dispatch( - AclEvents::ACCESS_TO_BASE_GRANTED, - new AccessToBaseGrantedEvent( - $this, - array( - 'base_id'=>$base_id + if (!isset($this->_rights_bas[$base_id]) || $this->_rights_bas[$base_id][self::ACTIF] === false) { + try { + $stmt_i->execute([':base_id' => $base_id, ':usr_id' => $usr_id]); + if($stmt_i->rowCount() > 0) { + $this->app['dispatcher']->dispatch( + AclEvents::ACCESS_TO_BASE_GRANTED, + new AccessToBaseGrantedEvent( + $this, + array( + 'base_id'=>$base_id + ) ) - ) - ); + ); + } + else { + $stmt_u->execute([':base_id' => $base_id, ':usr_id' => $usr_id]); + } + } + catch(\Exception $e) { + // no-opp } } } - $stmt->closeCursor(); + $stmt_u->closeCursor(); + $stmt_i->closeCursor(); $this->delete_data_from_cache(self::CACHE_RIGHTS_BAS); $this->inject_rights(); 
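Review bot: `$sql_u` in `give_access_to_base` is not valid SQL (`UPDATE basusr SET UPDATE actif='1' ...` repeats the keyword), and the `catch(\Exception $e)` with only a `// no-opp` comment hides the resulting error, so re-activating an existing inactive `basusr` row fails silently. The UPDATE also sits in the `else` of `rowCount() > 0`; if `(base_id, usr_id)` is unique, as the removed `ON DUPLICATE KEY UPDATE` suggests, a duplicate INSERT raises instead of returning zero rows and `$stmt_u` is never reached. The method still clears the cache and returns `$this`, so a caller cannot tell that a grant did nothing. The sketch below fixes the statement, moves the UPDATE into the failure path of the INSERT so that its own errors propagate, and dispatches the event when either statement changed a row, as the old single statement did.

```php
$sql_u = "UPDATE basusr SET actif='1' WHERE base_id = :base_id AND usr_id = :usr_id";
// … unchanged: $sql_i, prepare() calls, $usr_id …
foreach ($base_ids as $base_id) {
    if (!isset($this->_rights_bas[$base_id]) || $this->_rights_bas[$base_id][self::ACTIF] === false) {
        $params = [':base_id' => $base_id, ':usr_id' => $usr_id];
        try {
            $stmt_i->execute($params);
            $granted = $stmt_i->rowCount() > 0;
        } catch (\Exception $e) {
            // INSERT refused (row presumably exists): re-activate it and let a failure here propagate
            $stmt_u->execute($params);
            $granted = $stmt_u->rowCount() > 0;
        }
        if ($granted) {
            // … unchanged: dispatch AclEvents::ACCESS_TO_BASE_GRANTED …
        }
    }
}
```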
@@ -1368,12 +1395,12 @@ class ACL implements cache_cacheableInterface $sql = "UPDATE basusr SET remain_dwnld = month_dwnld_max\n" . " WHERE actif = 1" . " AND usr_id = :usr_id" - . " AND MONTH(lastconn) != MONTH(NOW()) AND restrict_dwnld = 1'"; + . " AND MONTH(lastconn) != MONTH(NOW()) AND restrict_dwnld = 1"; $stmt = $this->app->getApplicationBox()->get_connection()->prepare($sql); $stmt->execute([':usr_id' => $this->user->getId()]); $stmt->closeCursor(); - $sql = "UPDATE basusr SET lastconn=now() WHERE usr_id = :usr_id AND actif = 1"; + $sql = "UPDATE basusr SET lastconn=NOW() WHERE usr_id = :usr_id AND actif = 1"; $stmt = $this->app->getApplicationBox()->get_connection()->prepare($sql); $stmt->execute([':usr_id' => $this->user->getId()]); $stmt->closeCursor(); 
@@ -1457,25 +1484,20 @@ class ACL implements cache_cacheableInterface 'mask_xor' => $row['mask_xor'], ]; - $rights[self::CANPUTINALBUM] = ($row['canputinalbum'] == '1'); - $rights[self::CANDWNLDHD] = ($row['candwnldhd'] == '1'); - $rights[self::CANDWNLDPREVIEW] = ($row['candwnldpreview'] == '1'); - if ($row['cancmd']) - $rights['cancmd'] = true; - $rights[self::CANADMIN] = ($row['canadmin'] == '1'); - if ($row['canreport']) - $rights['canreport'] = true; - if ($row['canpush']) - $rights['canpush'] = true; - if ($row['nowatermark']) - $rights['nowatermark'] = true; - if ($row['canaddrecord']) - $rights['canaddrecord'] = true; - $rights[self::CANMODIFRECORD] = ($row['canmodifrecord' == '1']); - $rights[self::CANDELETERECORD] = ($row['candeleterecord'] == '1'); - $rights[self::CHGSTATUS] = ($row['chgstatus'] == '1'); - $rights[self::IMGTOOLS] = ($row['imgtools'] == '1'); - $rights[self::COLL_MANAGE] = ($row['manage'] == '1'); + $rights[self::CANPUTINALBUM] = ($row['canputinalbum'] == '1'); + $rights[self::CANDWNLDHD] = ($row['candwnldhd'] == '1'); + $rights[self::CANDWNLDPREVIEW] = ($row['candwnldpreview'] == '1'); + $rights[self::CANCMD] = ($row['cancmd'] == '1'); + $rights[self::CANADMIN] = ($row['canadmin'] == '1'); + $rights[self::CANREPORT] = ($row['canreport'] == '1'); + $rights[self::CANPUSH] = ($row['canpush'] == '1'); + $rights[self::NOWATERMARK] = ($row['nowatermark'] == '1'); + $rights[self::CANADDRECORD] = ($row['canaddrecord'] == '1'); + $rights[self::CANMODIFRECORD] = ($row['canmodifrecord' == '1']); + $rights[self::CANDELETERECORD] = ($row['candeleterecord'] == '1'); + $rights[self::CHGSTATUS] = ($row['chgstatus'] == '1'); + $rights[self::IMGTOOLS] = ($row['imgtools'] == '1'); + $rights[self::COLL_MANAGE] = ($row['manage'] == '1'); $rights[self::COLL_MODIFY_STRUCT] = ($row['modify_struct'] == '1'); $this->update_rights_to_base($base_id_dest, $rights); diff --git a/lib/classes/databox.php b/lib/classes/databox.php index 6d21264272..3b03b8fb29 100644 
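Review bot: `$rights[self::CANMODIFRECORD] = ($row['canmodifrecord' == '1']);` has its closing bracket in the wrong place. The index expression is the comparison `'canmodifrecord' == '1'`, which is false, so the line reads `$row[false]` rather than the `canmodifrecord` column. The realignment carries this over unchanged from the removed line, so the modify-record right is not copied faithfully to `$base_id_dest`. It should read `$rights[self::CANMODIFRECORD] = ($row['canmodifrecord'] == '1');`. Separately, the rewritten `cancmd`, `canreport`, `canpush`, `nowatermark` and `canaddrecord` lines now always write a value, where the old code only ever set `true`, so a false in the source row now reaches `update_rights_to_base`; please confirm that is intended. The enclosing method starts outside the hunk.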
--- a/lib/classes/databox.php +++ b/lib/classes/databox.php @@ -1120,8 +1120,10 @@ class databox extends base implements ThumbnailedElement ->give_access_to_sbas([$this->id]) ->update_rights_to_sbas( $this->id, [ - 'bas_manage' => 1, 'bas_modify_struct' => 1, - 'bas_modif_th' => 1, 'bas_chupub' => 1 + \ACL::BAS_MANAGE => 1, + \ACL::BAS_MODIFY_STRUCT => 1, + \ACL::BAS_MODIF_TH => 1, + \ACL::BAS_CHUPUB => 1 ] ); @@ -1168,8 +1170,8 @@ class databox extends base implements ThumbnailedElement \ACL::CANDELETERECORD => 1, \ACL::CHGSTATUS => 1, \ACL::IMGTOOLS => 1, - \ACL::MANAGE => 1, - \ACL::MODIFY_STRUCT => 1, + \ACL::COLL_MANAGE => 1, + \ACL::COLL_MODIFY_STRUCT => 1, \ACL::NOWATERMARK => 1 ]); } diff --git a/lib/classes/eventsmanager/notify/validationdone.php b/lib/classes/eventsmanager/notify/validationdone.php index 99502ad6d5..6f231f90aa 100644 --- a/lib/classes/eventsmanager/notify/validationdone.php +++ b/lib/classes/eventsmanager/notify/validationdone.php @@ -90,6 +90,6 @@ class eventsmanager_notify_validationdone extends eventsmanager_notifyAbstract */ public function is_available(User $user) { - return $this->app->getAclForUser($user)->has_right('push'); + return $this->app->getAclForUser($user)->has_right(\ACL::CANPUSH); } } diff --git a/lib/classes/module/report/dashboard.php b/lib/classes/module/report/dashboard.php index 3e7b6b552a..ef9109c6bd 100644 --- a/lib/classes/module/report/dashboard.php +++ b/lib/classes/module/report/dashboard.php @@ -241,7 +241,7 @@ class module_report_dashboard implements module_report_dashboard_componentInterf { $all_coll = []; - $base_ids = $this->app->getAclForUser($this->usr)->get_granted_base(['canreport']); + $base_ids = $this->app->getAclForUser($this->usr)->get_granted_base([\ACL::CANREPORT]); foreach ($base_ids as $base_id => $collection) { $databox = $collection->get_databox(); diff --git a/lib/classes/record/exportElement.php b/lib/classes/record/exportElement.php index cf3f1b6d5f..8ac072035a 100644 
--- a/lib/classes/record/exportElement.php +++ b/lib/classes/record/exportElement.php @@ -119,7 +119,7 @@ class record_exportElement extends record_adapter ->who_have_right([\ACL::ORDER_MASTER]) ->execute()->get_results(); - $go_cmd = (count($masters) > 0 && $this->app->getAclForUser($this->app->getAuthenticatedUser())->has_right_on_base($this->getBaseId(), 'cancmd')); + $go_cmd = (count($masters) > 0 && $this->app->getAclForUser($this->app->getAuthenticatedUser())->has_right_on_base($this->getBaseId(), \ACL::CANCMD)); $orderable['document'] = false; $downloadable['document'] = false; diff --git a/lib/classes/record/preview.php b/lib/classes/record/preview.php index 92e2b1bbed..210c4f1c5f 100644 --- a/lib/classes/record/preview.php +++ b/lib/classes/record/preview.php @@ -307,9 +307,10 @@ class record_preview extends record_adapter $tab = []; - $report = $this->app->getAclForUser($this->app->getAuthenticatedUser())->has_right_on_base($this->getBaseId(), 'canreport'); + $report = $this->app->getAclForUser($this->app->getAuthenticatedUser()) + ->has_right_on_base($this->getBaseId(), \ACL::CANREPORT); - $sql = 'SELECT d . * , l.user, l.usrid as usr_id, l.site + $sql = 'SELECT d.* , l.user, l.usrid as usr_id, l.site FROM log_docs d, log l WHERE d.log_id = l.id AND d.record_id = :record_id '; @@ -374,8 +375,8 @@ class record_preview extends record_adapter return $this->view_popularity; } - $report = $this->app->getAclForUser($this->app->getAuthenticatedUser())->has_right_on_base( - $this->getBaseId(), 'canreport'); + $report = $this->app->getAclForUser($this->app->getAuthenticatedUser()) + ->has_right_on_base($this->getBaseId(), \ACL::CANREPORT); if ( ! $report && ! $this->app['conf']->get(['registry', 'webservices', 'google-charts-enabled'])) { $this->view_popularity = false; 
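Review bot: In the record_preview hunk at `-374`, and again in the `-458` and `-526` hunks that follow, the guard `if ( ! $report && ! $this->app['conf']->get([... 'google-charts-enabled']))` bails out only when the user lacks `\ACL::CANREPORT` and charts are disabled. With charts enabled, a user without the report right on the base appears to continue into the popularity computation. The rest of each method is outside the hunk, so this may be intentional, but the renamed check reads as if `CANREPORT` were required. If it is, the condition should be `if (!$report || !$this->app['conf']->get(['registry', 'webservices', 'google-charts-enabled']))`; if not, a comment such as `// charts setting alone is enough to show popularity; CANREPORT is not required` would make the intent clear.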
@@ -458,8 +459,8 @@ class record_preview extends record_adapter return $this->refferer_popularity; } - $report = $this->app->getAclForUser($this->app->getAuthenticatedUser())->has_right_on_base( - $this->getBaseId(), 'canreport'); + $report = $this->app->getAclForUser($this->app->getAuthenticatedUser()) + ->has_right_on_base($this->getBaseId(), \ACL::CANREPORT); if ( ! $report && ! $this->app['conf']->get(['registry', 'webservices', 'google-charts-enabled'])) { $this->refferer_popularity = false; @@ -526,7 +527,8 @@ class record_preview extends record_adapter return $this->download_popularity; } - $report = $this->app->getAclForUser($this->app->getAuthenticatedUser())->has_right_on_base($this->getBaseId(), 'canreport'); + $report = $this->app->getAclForUser($this->app->getAuthenticatedUser()) + ->has_right_on_base($this->getBaseId(), \ACL::CANREPORT); $ret = false; if ( ! $report && ! $this->app['conf']->get(['registry', 'webservices', 'google-charts-enabled'])) { diff --git a/lib/classes/set/export.php b/lib/classes/set/export.php index 5658b5645d..50d3799510 100644 --- a/lib/classes/set/export.php +++ b/lib/classes/set/export.php @@ -512,7 +512,7 @@ class set_export extends set_abstract 'path' => $subdef->get_path(), 'file' => $subdef->get_file(), ]; - if (!$this->app->getAclForUser($user)->has_right_on_base($download_element->getBaseId(), "nowatermark") + if (!$this->app->getAclForUser($user)->has_right_on_base($download_element->getBaseId(), \ACL::NOWATERMARK) && !$this->app->getAclForUser($user)->has_preview_grant($download_element) && $subdef->get_type() == media_subdef::TYPE_IMAGE ) { diff --git a/templates/web/admin/databox/databox.html.twig b/templates/web/admin/databox/databox.html.twig index fc89409480..04273a27c3 100644 --- a/templates/web/admin/databox/databox.html.twig +++ b/templates/web/admin/databox/databox.html.twig @@ -30,7 +30,7 @@
  • {{ 'admin::base: Alias' | trans }} : {{ databox.get_label(app['locale']) }} - {% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_sbas(databox.get_sbas_id(), "bas_manage") %} + {% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_sbas(databox.get_sbas_id(), constant('\\ACL::BAS_MANAGE')) %} -{% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_sbas(databox.get_sbas_id(), "bas_manage") %} +{% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_sbas(databox.get_sbas_id(), constant('\\ACL::BAS_MANAGE')) %}
  • {% endif %} - {% if app.getAclForUser(app.getAuthenticatedUser()).has_right('bas_chupub') %} + {% if app.getAclForUser(app.getAuthenticatedUser()).has_right(constant('\\ACL::BAS_CHUPUB')) %}
  • @@ -60,7 +60,7 @@
  • {% endif %} - {% if app.getAclForUser(app.getAuthenticatedUser()).has_right('taskmanager') %} + {% if app.getAclForUser(app.getAuthenticatedUser()).has_right(constant('\\ACL::TASKMANAGER')) %}
  • @@ -110,7 +110,7 @@ - {% elseif acl.has_right('push') %} + {% elseif acl.has_right(constant('\\ACL::CANPUSH')) %}
    - {% elseif acl.has_right('bas_chupub') %} + {% elseif acl.has_right(constant('\\ACL::BAS_CHUPUB')) %}