diff --git a/lib/Alchemy/Phrasea/Collection/CollectionService.php b/lib/Alchemy/Phrasea/Collection/CollectionService.php index 8a2a8bc2f1..4f67046371 100644 --- a/lib/Alchemy/Phrasea/Collection/CollectionService.php +++ b/lib/Alchemy/Phrasea/Collection/CollectionService.php @@ -269,23 +269,23 @@ class CollectionService public function grantAdminRights(CollectionReference $reference, User $user) { $rights = [ - "canputinalbum" => "1", - "candwnldhd" => "1", - "nowatermark" => "1", - "candwnldpreview" => "1", - "cancmd" => "1", - "canadmin" => "1", - "actif" => "1", - "canreport" => "1", - "canpush" => "1", - "basusr_infousr" => "", - "canaddrecord" => "1", - "canmodifrecord" => "1", - "candeleterecord" => "1", - "chgstatus" => "1", - "imgtools" => "1", - "manage" => "1", - "modify_struct" => "1" + \ACL::CANPUTINALBUM => "1", + \ACL::CANDWNLDHD => "1", + \ACL::NOWATERMARK => "1", + \ACL::CANDWNLDPREVIEW => "1", + \ACL::CANCMD => "1", + \ACL::CANADMIN => "1", + \ACL::ACTIF => "1", + \ACL::CANREPORT => "1", + \ACL::CANPUSH => "1", + "basusr_infousr" => "", + \ACL::CANADDRECORD => "1", + \ACL::CANMODIFRECORD => "1", + \ACL::CANDELETERECORD => "1", + \ACL::CHGSTATUS => "1", + \ACL::IMGTOOLS => "1", + \ACL::MANAGE => "1", + \ACL::MODIFY_STRUCT => "1" ]; $this->app->getAclForUser($user)->update_rights_to_base($reference->getBaseId(), $rights); 
@@ -318,18 +318,28 @@ class CollectionService $userQuery = $factory(); $result = $userQuery->on_base_ids([ $reference->getBaseId()] ) - ->who_have_right(['order_master']) + ->who_have_right([\ACL::ORDER_MASTER]) ->execute()->get_results(); /** @var ACLProvider $acl */ $acl = $this->app['acl']; foreach ($result as $user) { - $acl->get($user)->update_rights_to_base($reference->getBaseId(), ['order_master' => false]); + $acl->get($user)->update_rights_to_base( + $reference->getBaseId(), + [ + \ACL::ORDER_MASTER => false + ] + ); } foreach ($admins as $admin) { - $acl->get($admin)->update_rights_to_base($reference->getBaseId(), ['order_master' => true]); + $acl->get($admin)->update_rights_to_base( + $reference->getBaseId(), + [ + \ACL::ORDER_MASTER => true + ] + ); } $conn->commit(); diff --git a/lib/Alchemy/Phrasea/Controller/Admin/CollectionController.php b/lib/Alchemy/Phrasea/Controller/Admin/CollectionController.php index 2ebe77a408..3304a19de8 100644 --- a/lib/Alchemy/Phrasea/Controller/Admin/CollectionController.php +++ b/lib/Alchemy/Phrasea/Controller/Admin/CollectionController.php @@ -46,10 +46,10 @@ class CollectionController extends Controller $admins = []; - if ($this->getAclForUser()->has_right_on_base($bas_id, 'manage')) { + if ($this->getAclForUser()->has_right_on_base($bas_id, \ACL::COLL_MANAGE)) { $query = $this->createUserQuery(); $admins = $query->on_base_ids([$bas_id]) - ->who_have_right(['order_master']) + ->who_have_right([\ACL::ORDER_MASTER]) ->execute() ->get_results(); } diff --git a/lib/Alchemy/Phrasea/Controller/Admin/UserController.php b/lib/Alchemy/Phrasea/Controller/Admin/UserController.php index 606f72abaf..65da919edd 100644 --- a/lib/Alchemy/Phrasea/Controller/Admin/UserController.php +++ b/lib/Alchemy/Phrasea/Controller/Admin/UserController.php 
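Review bot: The original key `'manage'` is mapped to two different constants in this commit: the CollectionController hunk writes `has_right_on_base($bas_id, \ACL::COLL_MANAGE)` (and the UserController hunks use `get_granted_base([\ACL::COLL_MANAGE])`), while CollectionService::grantAdminRights, Helper\User\Edit::apply_rights and ACLManipulator write the same right as `\ACL::MANAGE`. ACL.php is not in this diff, so I cannot see whether both constants hold the value `'manage'`; if they differ, one of these sites queries a key that is never written, and for this admin gate that would silently leave `$admins` empty rather than fail loudly. I would settle on one constant for the per-base column (the writers use `\ACL::MANAGE`) and pin the value with a test such as `self::assertSame('manage', \ACL::COLL_MANAGE);` for whichever constant is kept. The enclosing controller action begins outside the hunk.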
@@ -285,7 +285,7 @@ class UserController extends Controller $on_base = $request->request->get('base_id') ? : null; $on_sbas = $request->request->get('sbas_id') ? : null; - $eligible_users = $user_query->on_bases_where_i_am($this->getAclForConnectedUser(), ['canadmin']) + $eligible_users = $user_query->on_bases_where_i_am($this->getAclForConnectedUser(), [\ACL::CANADMIN]) ->like($like_field, $like_value) ->on_base_ids($on_base) ->on_sbas_ids($on_sbas); @@ -357,7 +357,7 @@ class UserController extends Controller $userRegistrations = []; /** @var RegistrationRepository $registrationRepository */ $registrationRepository = $this->app['repo.registrations']; - $collections = $this->getAclForConnectedUser()->get_granted_base(['canadmin']); + $collections = $this->getAclForConnectedUser()->get_granted_base([\ACL::CANADMIN]); $authenticatedUserId = $authenticatedUser->getId(); foreach ($registrationRepository->getPendingRegistrations($collections) as $registration) { $user = $registration->getUser(); @@ -689,7 +689,7 @@ class UserController extends Controller ]); } - $basList = array_keys($this->getAclForConnectedUser()->get_granted_base(['manage'])); + $basList = array_keys($this->getAclForConnectedUser()->get_granted_base([\ACL::COLL_MANAGE])); /** @var NativeQueryProvider $query */ $query = $this->app['orm.em.native-query']; $models = $query->getModelForUser($this->getAuthenticatedUser(), $basList); @@ -832,7 +832,7 @@ class UserController extends Controller $this->getAclForUser($newUser)->apply_model( $userRepository->find($model), - array_keys($this->getAclForConnectedUser()->get_granted_base(['manage'])) + array_keys($this->getAclForConnectedUser()->get_granted_base([\ACL::COLL_MANAGE])) ); $nbCreation++; diff --git a/lib/Alchemy/Phrasea/Controller/Api/V1Controller.php b/lib/Alchemy/Phrasea/Controller/Api/V1Controller.php index cafb22a062..a1a2ad04a2 100644 --- a/lib/Alchemy/Phrasea/Controller/Api/V1Controller.php 
+++ b/lib/Alchemy/Phrasea/Controller/Api/V1Controller.php @@ -485,7 +485,7 @@ class V1Controller extends Controller { $userQuery = new \User_Query($this->app); $orderMasters = $userQuery->on_base_ids([ $collection->get_base_id() ] ) - ->who_have_right(['order_master']) + ->who_have_right([\ACL::ORDER_MASTER]) ->execute() ->get_results() ->map(function (User $user) { @@ -1034,7 +1034,7 @@ class V1Controller extends Controller return null; } if ($media->get_name() === 'document' - && !$acl->has_right_on_base($record->getBaseId(), 'candwnldhd') + && !$acl->has_right_on_base($record->getBaseId(), \ACL::CANDWNLDHD) && !$acl->has_hd_grant($record) ) { return null; @@ -2769,9 +2769,11 @@ class V1Controller extends Controller $user = $this->getApiAuthenticatedUser(); $acl = $this->getAclForUser($user); - if (! $acl->has_access_to_module('admin') || ! $acl->has_right('manageusers')) { + if (! $acl->has_access_to_module('admin') || ! $acl->has_right(\ACL::CANADMIN)) { return Result::createError($request, 401, 'You are not authorized')->createResponse(); } + + return null; } public function ensureAccessToDatabox(Request $request) @@ -2813,7 +2815,7 @@ class V1Controller extends Controller public function ensureCanModifyRecord(Request $request) { $user = $this->getApiAuthenticatedUser(); - if (!$this->getAclForUser($user)->has_right('modifyrecord')) { + if (!$this->getAclForUser($user)->has_right(\ACL::CANMODIFRECORD)) { return Result::createError($request, 401, 'You are not authorized')->createResponse(); } 
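Review bot: In the @@ -2769 hunk `has_right('manageusers')` becomes `has_right(\ACL::CANADMIN)`, but `has_right()` previously took its own global-right names (`'manageusers'`, `'modifyrecord'`, `'addrecord'`, `'deleterecord'`, `'changestatus'`, `'doctools'`), which are distinct from the per-base column keys that the `\ACL::CAN*` constants replace in `has_right_on_base` and `update_rights_to_base` elsewhere in this diff. Whether `has_right()` and `Firewall::requireRight()` now resolve the column-style key depends on ACL.php, which is not in this diff; if its lookup table was not reindexed in the same change, each of these authorization gates changes outcome silently (deny or throw, depending on how an unknown key is handled there). The same rename appears in the ensureCanModifyRecord hunk and the add/delete check at @@ -2849 below, in EditController (`'changestatus'`), PushController, the Users/Edit/Lazaret/MoveCollection/Tools/Upload providers and SearchEngineOptions, while ToolsController still calls `has_right('bas_chupub')` with a literal, which suggests the global-right namespace was not converted as a whole. I would add one regression test per gate asserting that a user with and without the right gets 200 versus 401 before merging, and note that the @@ -2849 hunk keeps the `// TODO: Check comparison` unresolved.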
@@ -2825,7 +2827,7 @@ class V1Controller extends Controller $user = $this->getApiAuthenticatedUser(); $record = $this->findDataboxById($request->attributes->get('databox_id')) ->get_record($request->attributes->get('record_id')); - if (!$this->getAclForUser($user)->has_right_on_base($record->getBaseId(), 'chgstatus')) { + if (!$this->getAclForUser($user)->has_right_on_base($record->getBaseId(), \ACL::CHGSTATUS)) { return Result::createError($request, 401, 'You are not authorized')->createResponse(); } @@ -2849,9 +2851,9 @@ class V1Controller extends Controller $record = $this->findDataboxById($request->attributes->get('databox_id')) ->get_record($request->attributes->get('record_id')); // TODO: Check comparison. seems to be a mismatch - if ((!$this->getAclForUser($user)->has_right('addrecord') - && !$this->getAclForUser($user)->has_right('deleterecord')) - || !$this->getAclForUser($user)->has_right_on_base($record->getBaseId(), 'candeleterecord') + if ((!$this->getAclForUser($user)->has_right(\ACL::CANADDRECORD) + && !$this->getAclForUser($user)->has_right(\ACL::CANDELETERECORD)) + || !$this->getAclForUser($user)->has_right_on_base($record->getBaseId(), \ACL::CANDELETERECORD) ) { return Result::createError($request, 401, 'You are not authorized')->createResponse(); } @@ -2865,7 +2867,7 @@ class V1Controller extends Controller $record = $this->findDataboxById($request->attributes->get('databox_id')) ->get_record($request->attributes->get('record_id')); - if (!$this->getAclForUser($user)->has_right_on_base($record->getBaseId(), 'candeleterecord')) { + if (!$this->getAclForUser($user)->has_right_on_base($record->getBaseId(), \ACL::CANDELETERECORD)) { return Result::createError($request, 401, 'You are not authorized')->createResponse(); } diff --git a/lib/Alchemy/Phrasea/Controller/Prod/EditController.php b/lib/Alchemy/Phrasea/Controller/Prod/EditController.php index d0730f9b03..9f91c372a3 100644 --- a/lib/Alchemy/Phrasea/Controller/Prod/EditController.php 
+++ b/lib/Alchemy/Phrasea/Controller/Prod/EditController.php @@ -38,7 +38,7 @@ class EditController extends Controller $this->app, $request, RecordsRequest::FLATTEN_YES_PRESERVE_STORIES, - ['canmodifrecord'] + [\ACL::CANMODIFRECORD] ); $thesaurus = false; @@ -120,7 +120,7 @@ class EditController extends Controller } // generate javascript status - if ($this->getAclForUser()->has_right('changestatus')) { + if ($this->getAclForUser()->has_right(\ACL::CHGSTATUS)) { $statusStructure = $databox->getStatusStructure(); foreach ($statusStructure as $statbit) { $bit = $statbit['bit']; @@ -156,7 +156,7 @@ class EditController extends Controller ]; $elements[$indice]['statbits'] = []; - if ($this->getAclForUser()->has_right_on_base($record->getBaseId(), 'chgstatus')) { + if ($this->getAclForUser()->has_right_on_base($record->getBaseId(), \ACL::CHGSTATUS)) { foreach ($status as $n => $s) { $tmp_val = substr(strrev($record->getStatus()), $n, 1); $elements[$indice]['statbits'][$n]['value'] = ($tmp_val == '1') ? '1' : '0'; @@ -273,7 +273,7 @@ class EditController extends Controller public function applyAction(Request $request) { - $records = RecordsRequest::fromRequest($this->app, $request, RecordsRequest::FLATTEN_YES_PRESERVE_STORIES, ['canmodifrecord']); + $records = RecordsRequest::fromRequest($this->app, $request, RecordsRequest::FLATTEN_YES_PRESERVE_STORIES, [\ACL::CANMODIFRECORD]); $databoxes = $records->databoxes(); if (count($databoxes) !== 1) { diff --git a/lib/Alchemy/Phrasea/Controller/Prod/PropertyController.php b/lib/Alchemy/Phrasea/Controller/Prod/PropertyController.php index 317aeb7cb7..ff834ab119 100644 --- a/lib/Alchemy/Phrasea/Controller/Prod/PropertyController.php +++ b/lib/Alchemy/Phrasea/Controller/Prod/PropertyController.php 
@@ -28,7 +28,7 @@ class PropertyController extends Controller $this->app->abort(400); } - $records = RecordsRequest::fromRequest($this->app, $request, false, ['chgstatus']); + $records = RecordsRequest::fromRequest($this->app, $request, false, [\ACL::CHGSTATUS]); $databoxes = $records->databoxes(); if (count($databoxes) > 1) { @@ -81,7 +81,7 @@ class PropertyController extends Controller $this->app->abort(400); } - $records = RecordsRequest::fromRequest($this->app, $request, false, ['canmodifrecord']); + $records = RecordsRequest::fromRequest($this->app, $request, false, [\ACL::CANMODIFRECORD]); $recordsType = []; @@ -115,7 +115,7 @@ class PropertyController extends Controller public function changeStatus(Request $request) { $applyStatusToChildren = $request->request->get('apply_to_children', []); - $records = RecordsRequest::fromRequest($this->app, $request, false, ['chgstatus']); + $records = RecordsRequest::fromRequest($this->app, $request, false, [\ACL::CHGSTATUS]); $updated = []; $postStatus = (array) $request->request->get('status'); @@ -149,7 +149,7 @@ class PropertyController extends Controller public function changeType(Request $request) { $typeLst = $request->request->get('types', []); - $records = RecordsRequest::fromRequest($this->app, $request, false, ['canmodifrecord']); + $records = RecordsRequest::fromRequest($this->app, $request, false, [\ACL::CANMODIFRECORD]); $mimeLst = $request->request->get('mimes', []); $forceType = $request->request->get('force_types', ''); $updated = []; diff --git a/lib/Alchemy/Phrasea/Controller/Prod/PushController.php b/lib/Alchemy/Phrasea/Controller/Prod/PushController.php index 60feb34658..59f443e90e 100644 --- a/lib/Alchemy/Phrasea/Controller/Prod/PushController.php +++ b/lib/Alchemy/Phrasea/Controller/Prod/PushController.php 
@@ -431,7 +431,7 @@ class PushController extends Controller $result = ['success' => false, 'message' => '', 'user' => null]; try { - if (!$this->getAclForUser($this->getAuthenticatedUser())->has_right('manageusers')) + if (!$this->getAclForUser($this->getAuthenticatedUser())->has_right(\ACL::CANADMIN)) throw new ControllerException($this->app->trans('You are not allowed to add users')); if (!$request->request->get('firstname')) diff --git a/lib/Alchemy/Phrasea/Controller/Prod/RecordController.php b/lib/Alchemy/Phrasea/Controller/Prod/RecordController.php index dece366e83..9765a1134b 100644 --- a/lib/Alchemy/Phrasea/Controller/Prod/RecordController.php +++ b/lib/Alchemy/Phrasea/Controller/Prod/RecordController.php @@ -121,9 +121,11 @@ class RecordController extends Controller public function doDeleteRecords(Request $request) { $flatten = (bool)($request->request->get('del_children')) ? RecordsRequest::FLATTEN_YES_PRESERVE_STORIES : RecordsRequest::FLATTEN_NO; - $records = RecordsRequest::fromRequest($this->app, $request, $flatten, [ - 'candeleterecord' - ]); + $records = RecordsRequest::fromRequest( + $this->app, + $request,$flatten, + [\ACL::CANDELETERECORD] + ); $basketElementsRepository = $this->getBasketElementRepository(); $StoryWZRepository = $this->getStoryWorkZoneRepository(); @@ -166,9 +168,12 @@ class RecordController extends Controller */ public function whatCanIDelete(Request $request) { - $records = RecordsRequest::fromRequest($this->app, $request, !!$request->request->get('del_children'), [ - 'candeleterecord', - ]); + $records = RecordsRequest::fromRequest( + $this->app, + $request, + !!$request->request->get('del_children'), + [\ACL::CANDELETERECORD] + ); return $this->render('prod/actions/delete_records_confirm.html.twig', [ 'records' => $records, diff --git a/lib/Alchemy/Phrasea/Controller/Prod/StoryController.php b/lib/Alchemy/Phrasea/Controller/Prod/StoryController.php index 39ffb95bf9..96d3d5e537 100644 
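Review bot: In the doDeleteRecords hunk the rewrapped call has `$request,$flatten,` with two arguments on one line and no space after the comma, while the whatCanIDelete hunk below puts each argument on its own line. I would split it into `$request,` and `$flatten,` on separate lines so the two calls read the same way. Nothing else in these two hunks changes behaviour.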
--- a/lib/Alchemy/Phrasea/Controller/Prod/StoryController.php +++ b/lib/Alchemy/Phrasea/Controller/Prod/StoryController.php @@ -109,7 +109,7 @@ class StoryController extends Controller { $Story = new \record_adapter($this->app, $sbas_id, $record_id); - if (!$this->getAclForUser()->has_right_on_base($Story->getBaseId(), 'canmodifrecord')) { + if (!$this->getAclForUser()->has_right_on_base($Story->getBaseId(), \ACL::CANMODIFRECORD)) { throw new AccessDeniedHttpException('You can not add document to this Story'); } @@ -145,7 +145,7 @@ class StoryController extends Controller $story = new \record_adapter($this->app, $sbas_id, $record_id); $record = new \record_adapter($this->app, $child_sbas_id, $child_record_id); - if (!$this->getAclForUser()->has_right_on_base($story->getBaseId(), 'canmodifrecord')) { + if (!$this->getAclForUser()->has_right_on_base($story->getBaseId(), \ACL::CANMODIFRECORD)) { throw new AccessDeniedHttpException('You can not add document to this Story'); } @@ -188,7 +188,7 @@ class StoryController extends Controller throw new \Exception('This is not a story'); } - if (!$this->getAclForUser()->has_right_on_base($story->getBaseId(), 'canmodifrecord')) { + if (!$this->getAclForUser()->has_right_on_base($story->getBaseId(), \ACL::CANMODIFRECORD)) { throw new ControllerException($this->app->trans('You can not edit this story')); } diff --git a/lib/Alchemy/Phrasea/Controller/Prod/ToolsController.php b/lib/Alchemy/Phrasea/Controller/Prod/ToolsController.php index cd22dc8740..c8d4f44fa4 100644 --- a/lib/Alchemy/Phrasea/Controller/Prod/ToolsController.php +++ b/lib/Alchemy/Phrasea/Controller/Prod/ToolsController.php 
@@ -52,8 +52,8 @@ class ToolsController extends Controller $acl = $this->getAclForUser(); if ($acl->has_right('bas_chupub') - && $acl->has_right_on_base($record->getBaseId(), 'canmodifrecord') - && $acl->has_right_on_base($record->getBaseId(), 'imgtools') + && $acl->has_right_on_base($record->getBaseId(), \ACL::CANMODIFRECORD) + && $acl->has_right_on_base($record->getBaseId(), \ACL::IMGTOOLS) ) { $databoxSubdefs = $record->getDatabox()->get_subdef_structure()->getSubdefGroup($record->getType()); @@ -64,7 +64,7 @@ class ToolsController extends Controller } if ('document' == $subdefName) { - if (!$acl->has_right_on_base($record->getBaseId(), 'candwnldhd')) { + if (!$acl->has_right_on_base($record->getBaseId(), \ACL::CANDWNLDHD)) { continue; } $label = $this->app->trans('prod::tools: document'); @@ -147,7 +147,7 @@ class ToolsController extends Controller $force = $request->request->get('force_substitution') == '1'; - $selection = RecordsRequest::fromRequest($this->app, $request, false, array('canmodifrecord')); + $selection = RecordsRequest::fromRequest($this->app, $request, false, [\ACL::CANMODIFRECORD]); foreach ($selection as $record) { $substituted = false; @@ -341,9 +341,9 @@ class ToolsController extends Controller $acl = $this->getAclForUser(); if (!$acl->has_right('bas_chupub') - || !$acl->has_right_on_base($record->getBaseId(), 'canmodifrecord') - || !$acl->has_right_on_base($record->getBaseId(), 'imgtools') - || ('document' == $subdefName && !$acl->has_right_on_base($record->getBaseId(), 'candwnldhd')) + || !$acl->has_right_on_base($record->getBaseId(), \ACL::CANMODIFRECORD) + || !$acl->has_right_on_base($record->getBaseId(), \ACL::IMGTOOLS) + || ('document' == $subdefName && !$acl->has_right_on_base($record->getBaseId(), \ACL::CANDWNLDHD)) || ('document' != $subdefName && !$acl->has_access_to_subdef($record, $subdefName)) ) { $this->app->abort(403); 
diff --git a/lib/Alchemy/Phrasea/ControllerProvider/Admin/Collection.php b/lib/Alchemy/Phrasea/ControllerProvider/Admin/Collection.php index 915f1cd0d3..c92a16c4e8 100644 --- a/lib/Alchemy/Phrasea/ControllerProvider/Admin/Collection.php +++ b/lib/Alchemy/Phrasea/ControllerProvider/Admin/Collection.php @@ -45,7 +45,7 @@ class Collection implements ControllerProviderInterface, ServiceProviderInterfac $controllers->before(function (Request $request) use ($firewall) { $firewall ->requireAccessToModule('admin') - ->requireRightOnBase($request->attributes->get('bas_id'), 'canadmin'); + ->requireRightOnBase($request->attributes->get('bas_id'), \ACL::CANADMIN); }); $controllers->get('/{bas_id}/', 'controller.admin.collection:getCollection') diff --git a/lib/Alchemy/Phrasea/ControllerProvider/Admin/Users.php b/lib/Alchemy/Phrasea/ControllerProvider/Admin/Users.php index 23ffe894ba..39a5afa0aa 100644 --- a/lib/Alchemy/Phrasea/ControllerProvider/Admin/Users.php +++ b/lib/Alchemy/Phrasea/ControllerProvider/Admin/Users.php @@ -43,7 +43,7 @@ class Users implements ControllerProviderInterface, ServiceProviderInterface $controllers->before(function () use ($firewall) { $firewall->requireAccessToModule('admin') - ->requireRight('manageusers'); + ->requireRight(\ACL::CANADMIN); }); $controllers->match('/rights/', 'controller.admin.users:editRightsAction') diff --git a/lib/Alchemy/Phrasea/ControllerProvider/Prod/Edit.php b/lib/Alchemy/Phrasea/ControllerProvider/Prod/Edit.php index a9ed65e354..8fb6861088 100644 --- a/lib/Alchemy/Phrasea/ControllerProvider/Prod/Edit.php +++ b/lib/Alchemy/Phrasea/ControllerProvider/Prod/Edit.php @@ -47,7 +47,7 @@ class Edit implements ControllerProviderInterface, ServiceProviderInterface $controllers->before(function () use ($firewall) { $firewall ->requireNotGuest() - ->requireRight('modifyrecord'); + ->requireRight(\ACL::CANMODIFRECORD); }); $controllers->post('/', 'controller.prod.edit:submitAction'); 
diff --git a/lib/Alchemy/Phrasea/ControllerProvider/Prod/Lazaret.php b/lib/Alchemy/Phrasea/ControllerProvider/Prod/Lazaret.php index 011dbd8ab3..96d454439b 100644 --- a/lib/Alchemy/Phrasea/ControllerProvider/Prod/Lazaret.php +++ b/lib/Alchemy/Phrasea/ControllerProvider/Prod/Lazaret.php @@ -53,7 +53,7 @@ class Lazaret implements ControllerProviderInterface, ServiceProviderInterface $firewall = $this->getFirewall($app); $controllers->before(function () use ($firewall) { - $firewall->requireRight('addrecord'); + $firewall->requireRight(\ACL::CANADDRECORD); }); $controllers->get('/', 'controller.prod.lazaret:listElement') diff --git a/lib/Alchemy/Phrasea/ControllerProvider/Prod/MoveCollection.php b/lib/Alchemy/Phrasea/ControllerProvider/Prod/MoveCollection.php index a8c80e49bd..e6a835afaf 100644 --- a/lib/Alchemy/Phrasea/ControllerProvider/Prod/MoveCollection.php +++ b/lib/Alchemy/Phrasea/ControllerProvider/Prod/MoveCollection.php @@ -41,8 +41,8 @@ class MoveCollection implements ControllerProviderInterface, ServiceProviderInte $controllers->before(function () use ($firewall) { $firewall - ->requireRight('addrecord') - ->requireRight('deleterecord'); + ->requireRight(\ACL::CANADDRECORD) + ->requireRight(\ACL::CANDELETERECORD); }); $controllers->post('/', 'controller.prod.move-collection:displayForm') diff --git a/lib/Alchemy/Phrasea/ControllerProvider/Prod/Tools.php b/lib/Alchemy/Phrasea/ControllerProvider/Prod/Tools.php index 103e9aad51..de63ae1375 100644 --- a/lib/Alchemy/Phrasea/ControllerProvider/Prod/Tools.php +++ b/lib/Alchemy/Phrasea/ControllerProvider/Prod/Tools.php @@ -46,7 +46,7 @@ class Tools implements ControllerProviderInterface, ServiceProviderInterface $firewall = $this->getFirewall($app); $controllers->before(function () use ($firewall) { - $firewall->requireRight('doctools'); + $firewall->requireRight(\ACL::IMGTOOLS); }); $controllers->get('/', 'controller.prod.tools:indexAction'); 
diff --git a/lib/Alchemy/Phrasea/ControllerProvider/Prod/Upload.php b/lib/Alchemy/Phrasea/ControllerProvider/Prod/Upload.php index 1982ac8b73..985944957d 100644 --- a/lib/Alchemy/Phrasea/ControllerProvider/Prod/Upload.php +++ b/lib/Alchemy/Phrasea/ControllerProvider/Prod/Upload.php @@ -55,7 +55,7 @@ class Upload implements ControllerProviderInterface, ServiceProviderInterface $firewall = $this->getFirewall($app); $controllers->before(function () use ($firewall) { - $firewall->requireRight('addrecord'); + $firewall->requireRight(\ACL::CANADDRECORD); }); $controllers->get('/', 'controller.prod.upload:getUploadForm') diff --git a/lib/Alchemy/Phrasea/Core/Event/Subscriber/OrderSubscriber.php b/lib/Alchemy/Phrasea/Core/Event/Subscriber/OrderSubscriber.php index d17c725cd1..142537f418 100644 --- a/lib/Alchemy/Phrasea/Core/Event/Subscriber/OrderSubscriber.php +++ b/lib/Alchemy/Phrasea/Core/Event/Subscriber/OrderSubscriber.php @@ -48,7 +48,7 @@ class OrderSubscriber extends AbstractNotificationSubscriber $query = $this->app['phraseanet.user-query']; /** @var User[] $users */ $users = $query->on_base_ids($base_ids) - ->who_have_right(['order_master']) + ->who_have_right([\ACL::ORDER_MASTER]) ->execute()->get_results(); if (count($users) == 0) { diff --git a/lib/Alchemy/Phrasea/Helper/User/Edit.php b/lib/Alchemy/Phrasea/Helper/User/Edit.php index e8d0381dd2..8b9b292246 100644 --- a/lib/Alchemy/Phrasea/Helper/User/Edit.php +++ b/lib/Alchemy/Phrasea/Helper/User/Edit.php @@ -71,7 +71,7 @@ class Edit extends \Alchemy\Phrasea\Helper\Helper protected function delete_user(User $user) { - $list = array_keys($this->app->getAclForUser($this->app->getAuthenticatedUser())->get_granted_base(['canadmin'])); + $list = array_keys($this->app->getAclForUser($this->app->getAuthenticatedUser())->get_granted_base([\ACL::CANADMIN])); $this->app->getAclForUser($user)->revoke_access_from_bases($list); 
@@ -84,7 +84,7 @@ class Edit extends \Alchemy\Phrasea\Helper\Helper public function get_users_rights() { - $list = array_keys($this->app->getAclForUser($this->app->getAuthenticatedUser())->get_granted_base(['canadmin'])); + $list = array_keys($this->app->getAclForUser($this->app->getAuthenticatedUser())->get_granted_base([\ACL::CANADMIN])); $sql = "SELECT b.sbas_id, @@ -477,29 +477,29 @@ class Edit extends \Alchemy\Phrasea\Helper\Helper public function apply_rights() { $ACL = $this->app->getAclForUser($this->app->getAuthenticatedUser()); - $base_ids = array_keys($ACL->get_granted_base(['canadmin'])); + $base_ids = array_keys($ACL->get_granted_base([\ACL::CANADMIN])); $update = $create = $delete = $create_sbas = $update_sbas = []; foreach ($base_ids as $base_id) { $rights = [ 'access', - 'actif', - 'canputinalbum', - 'nowatermark', - 'candwnldpreview', - 'candwnldhd', - 'cancmd', - 'canaddrecord', - 'canmodifrecord', - 'chgstatus', - 'candeleterecord', - 'imgtools', - 'canadmin', - 'canreport', - 'canpush', - 'manage', - 'modify_struct' + \ACL::ACTIF, + \ACL::CANPUTINALBUM, + \ACL::NOWATERMARK, + \ACL::CANDWNLDPREVIEW, + \ACL::CANDWNLDHD, + \ACL::CANCMD, + \ACL::CANADDRECORD, + \ACL::CANMODIFRECORD, + \ACL::CHGSTATUS, + \ACL::CANDELETERECORD, + \ACL::IMGTOOLS, + \ACL::CANADMIN, + \ACL::CANREPORT, + \ACL::CANPUSH, + \ACL::MANAGE, + \ACL::MODIFY_STRUCT ]; foreach ($rights as $k => $right) { if (($right == 'access' && !$ACL->has_access_to_base($base_id)) @@ -688,7 +688,7 @@ class Edit extends \Alchemy\Phrasea\Helper\Helper throw new AccessDeniedHttpException('You are not the owner of the template'); } - $base_ids = array_keys($this->app->getAclForUser($this->app->getAuthenticatedUser())->get_granted_base(['canadmin'])); + $base_ids = array_keys($this->app->getAclForUser($this->app->getAuthenticatedUser())->get_granted_base([\ACL::CANADMIN])); foreach ($this->users as $usr_id) { $user = $this->app['repo.users']->find($usr_id); 
@@ -744,7 +744,7 @@ class Edit extends \Alchemy\Phrasea\Helper\Helper $activate = !!$this->request->get('limit'); - $base_ids = array_keys($this->app->getAclForUser($this->app->getAuthenticatedUser())->get_granted_base(['canadmin'])); + $base_ids = array_keys($this->app->getAclForUser($this->app->getAuthenticatedUser())->get_granted_base([\ACL::CANADMIN])); foreach ($this->users as $usr_id) { $user = $this->app['repo.users']->find($usr_id); @@ -763,7 +763,7 @@ class Edit extends \Alchemy\Phrasea\Helper\Helper public function resetRights() { - $base_ids = array_keys($this->app->getAclForUser($this->app->getAuthenticatedUser())->get_granted_base(['canadmin'])); + $base_ids = array_keys($this->app->getAclForUser($this->app->getAuthenticatedUser())->get_granted_base([\ACL::CANADMIN])); foreach ($this->users as $usr_id) { $user = $this->app['repo.users']->find($usr_id); diff --git a/lib/Alchemy/Phrasea/Helper/User/Manage.php b/lib/Alchemy/Phrasea/Helper/User/Manage.php index 979195fb10..bea053f56c 100644 --- a/lib/Alchemy/Phrasea/Helper/User/Manage.php +++ b/lib/Alchemy/Phrasea/Helper/User/Manage.php @@ -71,7 +71,7 @@ class Manage extends Helper ->last_model_is($this->query_parms['last_model']) ->get_inactives($this->query_parms['inactives']) ->include_templates(false) - ->on_bases_where_i_am($this->app->getAclForUser($this->app->getAuthenticatedUser()), ['canadmin']) + ->on_bases_where_i_am($this->app->getAclForUser($this->app->getAuthenticatedUser()), [\ACL::CANADMIN]) ->execute(); return $results->get_results(); @@ -109,7 +109,7 @@ class Manage extends Helper ->last_model_is($this->query_parms['last_model']) ->get_inactives($this->query_parms['inactives']) ->include_templates(true) - ->on_bases_where_i_am($this->app->getAclForUser($this->app->getAuthenticatedUser()), ['canadmin']) + ->on_bases_where_i_am($this->app->getAclForUser($this->app->getAuthenticatedUser()), [\ACL::CANADMIN]) ->limit($offset_start, $results_quantity) ->execute(); 
diff --git a/lib/Alchemy/Phrasea/Model/Manipulator/ACLManipulator.php b/lib/Alchemy/Phrasea/Model/Manipulator/ACLManipulator.php index 4a07f69524..4e6f87907b 100644 --- a/lib/Alchemy/Phrasea/Model/Manipulator/ACLManipulator.php +++ b/lib/Alchemy/Phrasea/Model/Manipulator/ACLManipulator.php @@ -101,23 +101,23 @@ class ACLManipulator implements ManipulatorInterface $acl->remove_quotas_on_base($baseId); $acl->set_masks_on_base($baseId, '0', '0', '0', '0'); $acl->update_rights_to_base($baseId, [ - 'canputinalbum' => '1', - 'candwnldhd' => '1', + \ACL::CANPUTINALBUM => '1', + \ACL::CANDWNLDHD => '1', 'candwnldsubdef' => '1', - 'nowatermark' => '1', - 'candwnldpreview' => '1', - 'cancmd' => '1', - 'canadmin' => '1', - 'canreport' => '1', - 'canpush' => '1', + \ACL::NOWATERMARK => '1', + \ACL::CANDWNLDPREVIEW => '1', + \ACL::CANCMD => '1', + \ACL::CANADMIN => '1', + \ACL::CANREPORT => '1', + \ACL::CANPUSH => '1', 'creationdate' => '1', - 'canaddrecord' => '1', - 'canmodifrecord' => '1', - 'candeleterecord' => '1', - 'chgstatus' => '1', - 'imgtools' => '1', - 'manage' => '1', - 'modify_struct' => '1', + \ACL::CANADDRECORD => '1', + \ACL::CANMODIFRECORD => '1', + \ACL::CANDELETERECORD => '1', + \ACL::CHGSTATUS => '1', + \ACL::IMGTOOLS => '1', + \ACL::MANAGE => '1', + \ACL::MODIFY_STRUCT => '1', 'bas_modify_struct' => '1' ]); } diff --git a/lib/Alchemy/Phrasea/Model/Manipulator/RegistrationManipulator.php b/lib/Alchemy/Phrasea/Model/Manipulator/RegistrationManipulator.php index ad85eef361..c40cbf2c18 100644 --- a/lib/Alchemy/Phrasea/Model/Manipulator/RegistrationManipulator.php +++ b/lib/Alchemy/Phrasea/Model/Manipulator/RegistrationManipulator.php 
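Review bot: The ACLManipulator array now mixes `\ACL::` constants with the string keys `'candwnldsubdef'`, `'creationdate'` and `'bas_modify_struct'`, so a reader cannot tell whether those three have no constant or were simply missed; CollectionService::grantAdminRights keeps `"basusr_infousr"` and Helper\User\Edit::apply_rights keeps `'access'` in the same way. If ACL defines constants for them, use them; otherwise a one-line comment such as `// no ACL constant for these raw basusr columns; kept as literals on purpose` above the first literal would stop the next conversion pass from guessing. Separately, `'bas_modify_struct'` is written here through `update_rights_to_base` while Installer passes it to `update_rights_to_sbas`; that is pre-existing, but worth confirming the base-level key is read anywhere before it is carried forward under a constant.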
@@ -82,11 +82,11 @@ class RegistrationManipulator implements ManipulatorInterface $this->aclProvider->get($user)->give_access_to_sbas([$collection->get_sbas_id()]); $this->aclProvider->get($user)->give_access_to_base([$collection->get_base_id()]); $this->aclProvider->get($user)->update_rights_to_base($collection->get_base_id(), [ - 'canputinalbum' => '1', - 'candwnldhd' => (string) (int) $grantHd, - 'nowatermark' => (string) (int) $grantWatermark, - 'candwnldpreview' => '1', - 'actif' => '1', + \ACL::CANPUTINALBUM => '1', + \ACL::CANDWNLDHD => (string) (int) $grantHd, + \ACL::NOWATERMARK => (string) (int) $grantWatermark, + \ACL::CANDWNLDPREVIEW => '1', + \ACL::ACTIF => '1' ]); $this->em->remove($registration); $this->em->flush(); diff --git a/lib/Alchemy/Phrasea/Model/NativeQueryProvider.php b/lib/Alchemy/Phrasea/Model/NativeQueryProvider.php index 83adb29da3..4226cc0395 100644 --- a/lib/Alchemy/Phrasea/Model/NativeQueryProvider.php +++ b/lib/Alchemy/Phrasea/Model/NativeQueryProvider.php @@ -32,16 +32,13 @@ class NativeQueryProvider $selectClause = $rsm->generateSelectClause(); - return $this->em->createNativeQuery(" - SELECT d.date_modif AS date_demand, d.base_id AS base_demand, " . $selectClause . " - FROM (demand d INNER JOIN Users u ON d.usr_id=u.id - AND d.en_cours=1 - AND u.deleted=0 - ) - WHERE (base_id='" . implode("' OR base_id='", $basList) . "') - ORDER BY d.usr_id DESC, d.base_id ASC - ", $rsm) - ->getResult(); + return $this->em->createNativeQuery( + "SELECT d.date_modif AS date_demand, d.base_id AS base_demand, " . $selectClause . "\n" + . " FROM (demand d INNER JOIN Users u ON d.usr_id=u.id AND d.en_cours=1 AND u.deleted=0)\n" + . " WHERE (base_id='" . implode("' OR base_id='", $basList) . "')\n" + . " ORDER BY d.usr_id DESC, d.base_id ASC", + $rsm + )->getResult(); } public function getModelForUser(User $user, array $basList) 
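Review bot: The rewritten query in the NativeQueryProvider hunk still splices `$basList` into SQL with `implode("' OR base_id='", $basList)`, and the two hunks in getModelForUser and the following method do the same with `implode(', ', $basList)`; the reformat was the moment to stop building the predicate from strings. The callers visible in this diff pass `array_keys(get_granted_base(...))`, so the values appear to be internal base ids rather than request input, but nothing in this class enforces that, and an empty `$basList` yields `IN ()`, which MySQL rejects. A cheap hardening is to coerce before splicing, `implode(', ', array_map('intval', $basList))` (and the same for the quoted `OR base_id=` form), and to return `[]` early when `$basList` is empty. The enclosing method of the first hunk starts outside the hunk.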
@@ -51,14 +48,14 @@ class NativeQueryProvider $selectClause = $rsm->generateSelectClause(); - $query = $this->em->createNativeQuery(" - SELECT " . $selectClause . " - FROM Users u - INNER JOIN basusr b ON (b.usr_id=u.id) - WHERE u.model_of = :user_id - AND b.base_id IN (" . implode(', ', $basList) . ") - AND u.deleted='0' - GROUP BY u.id", $rsm); + $query = $this->em->createNativeQuery( + "SELECT " . $selectClause . " FROM Users u INNER JOIN basusr b ON (b.usr_id=u.id)\n" + . " WHERE u.model_of = :user_id\n" + . " AND b.base_id IN (" . implode(', ', $basList) . ")\n" + . " AND u.deleted='0'\n" + . " GROUP BY u.id", + $rsm + ); $query->setParameter(':user_id', $user->getId()); @@ -72,14 +69,15 @@ class NativeQueryProvider $rsm->addScalarResult('base_id', 'base_id'); $selectClause = $rsm->generateSelectClause(); - $query = $this->em->createNativeQuery(' - SELECT b.base_id, '.$selectClause.' FROM Users u, basusr b - WHERE u.id = b.usr_id - AND b.base_id IN (' . implode(', ', $basList) . ') - AND u.model_of IS NULL - AND b.actif="1" - AND b.canadmin="1" - AND u.deleted="0"', $rsm + $query = $this->em->createNativeQuery( + "SELECT b.base_id, ".$selectClause." FROM Users u, basusr b\n" + . " WHERE u.id = b.usr_id\n" + . " AND b.base_id IN (" . implode(', ', $basList) . ")\n" + . " AND u.model_of IS NULL\n" + . " AND b.actif=1\n" + . " AND b.canadmin=1\n" + . " AND u.deleted=0", + $rsm ); return $query->getResult(); diff --git a/lib/Alchemy/Phrasea/Order/Controller/ProdOrderController.php b/lib/Alchemy/Phrasea/Order/Controller/ProdOrderController.php index 50830d3e07..1a86dc381d 100644 --- a/lib/Alchemy/Phrasea/Order/Controller/ProdOrderController.php +++ b/lib/Alchemy/Phrasea/Order/Controller/ProdOrderController.php 
@@ -109,7 +109,7 @@ class ProdOrderController extends BaseOrderController $sort = $request->query->get('sort'); - $baseIds = array_keys($this->getAclForUser()->get_granted_base(['order_master'])); + $baseIds = array_keys($this->getAclForUser()->get_granted_base([\ACL::ORDER_MASTER])); $ordersList = $this->getOrderRepository()->listOrders($baseIds, $offsetStart, $perPage, $sort); $total = $this->getOrderRepository()->countTotalOrders($baseIds); diff --git a/lib/Alchemy/Phrasea/Order/OrderValidator.php b/lib/Alchemy/Phrasea/Order/OrderValidator.php index 55339c2697..551958dc62 100644 --- a/lib/Alchemy/Phrasea/Order/OrderValidator.php +++ b/lib/Alchemy/Phrasea/Order/OrderValidator.php @@ -114,7 +114,7 @@ class OrderValidator $element->getRecordId() ); - $acl->grant_hd_on($recordReference, $user, 'order'); + $acl->grant_hd_on($recordReference, $user, \ACL::GRANT_ACTION_ORDER); } } diff --git a/lib/Alchemy/Phrasea/Search/SubdefTransformer.php b/lib/Alchemy/Phrasea/Search/SubdefTransformer.php index ecd43ff032..a2d23cb34f 100644 --- a/lib/Alchemy/Phrasea/Search/SubdefTransformer.php +++ b/lib/Alchemy/Phrasea/Search/SubdefTransformer.php @@ -53,7 +53,7 @@ class SubdefTransformer extends TransformerAbstract return null; } if ($media->get_name() === 'document' - && !$acl->has_right_on_base($record->getBaseId(), 'candwnldhd') + && !$acl->has_right_on_base($record->getBaseId(), \ACL::CANDWNLDHD) && !$acl->has_hd_grant($record) ) { return null; diff --git a/lib/Alchemy/Phrasea/SearchEngine/SearchEngineOptions.php b/lib/Alchemy/Phrasea/SearchEngine/SearchEngineOptions.php index 77bfecd071..75dc4cfa1d 100644 --- a/lib/Alchemy/Phrasea/SearchEngine/SearchEngineOptions.php +++ b/lib/Alchemy/Phrasea/SearchEngine/SearchEngineOptions.php 
@@ -639,9 +639,9 @@ class SearchEngineOptions $options->onCollections($bas); - if ($isAuthenticated && $acl->has_right('modifyrecord')) { + if ($isAuthenticated && $acl->has_right(\ACL::CANMODIFRECORD)) { $bf = array_filter($bas, function (\collection $collection) use ($acl) { - return $acl->has_right_on_base($collection->get_base_id(), 'canmodifrecord'); + return $acl->has_right_on_base($collection->get_base_id(), \ACL::CANMODIFRECORD); }); $options->allowBusinessFieldsOn($bf); diff --git a/lib/Alchemy/Phrasea/Security/Firewall.php b/lib/Alchemy/Phrasea/Security/Firewall.php index 836edd1ed8..2343a50b3e 100644 --- a/lib/Alchemy/Phrasea/Security/Firewall.php +++ b/lib/Alchemy/Phrasea/Security/Firewall.php @@ -146,7 +146,7 @@ class Firewall public function requireOrdersAdmin() { - if (empty($this->app->getAclForUser($this->app->getAuthenticatedUser())->get_granted_base(['order_master']))) { + if (empty($this->app->getAclForUser($this->app->getAuthenticatedUser())->get_granted_base([\ACL::ORDER_MASTER]))) { $this->app->abort(403, 'You are not an order admin'); } diff --git a/lib/Alchemy/Phrasea/Setup/Installer.php b/lib/Alchemy/Phrasea/Setup/Installer.php index 4c18e5eb5a..cc8c28f837 100644 --- a/lib/Alchemy/Phrasea/Setup/Installer.php +++ b/lib/Alchemy/Phrasea/Setup/Installer.php @@ -60,8 +60,10 @@ class Installer ->give_access_to_sbas([$databox->get_sbas_id()]) ->update_rights_to_sbas( $databox->get_sbas_id(), [ - 'bas_manage' => 1, 'bas_modify_struct' => 1, - 'bas_modif_th' => 1, 'bas_chupub' => 1 + 'bas_manage' => 1, + 'bas_modify_struct' => 1, + 'bas_modif_th' => 1, + 'bas_chupub' => 1 ] ); 
@@ -69,11 +71,22 @@ class Installer $this->app->getAclForUser($admin)->give_access_to_base([$collection->get_base_id()]); $this->app->getAclForUser($admin)->update_rights_to_base($collection->get_base_id(), [ - 'canpush' => 1, 'cancmd' => 1 - , 'canputinalbum' => 1, 'candwnldhd' => 1, 'candwnldpreview' => 1, 'canadmin' => 1 - , 'actif' => 1, 'canreport' => 1, 'canaddrecord' => 1, 'canmodifrecord' => 1 - , 'candeleterecord' => 1, 'chgstatus' => 1, 'imgtools' => 1, 'manage' => 1 - , 'modify_struct' => 1, 'nowatermark' => 1 + \ACL::CANPUSH => 1, + \ACL::CANCMD => 1, + \ACL::CANPUTINALBUM => 1, + \ACL::CANDWNLDHD => 1, + \ACL::CANDWNLDPREVIEW => 1, + \ACL::CANADMIN => 1, + \ACL::ACTIF => 1, + \ACL::CANREPORT => 1, + \ACL::CANADDRECORD => 1, + \ACL::CANMODIFRECORD => 1, + \ACL::CANDELETERECORD => 1, + \ACL::CHGSTATUS => 1, + \ACL::IMGTOOLS => 1, + \ACL::MANAGE => 1, + \ACL::MODIFY_STRUCT => 1, + \ACL::NOWATERMARK => 1 ] ); diff --git a/lib/Alchemy/Phrasea/Twig/PhraseanetExtension.php b/lib/Alchemy/Phrasea/Twig/PhraseanetExtension.php index a11b9d6ee6..62a42e46b3 100644 --- a/lib/Alchemy/Phrasea/Twig/PhraseanetExtension.php +++ b/lib/Alchemy/Phrasea/Twig/PhraseanetExtension.php @@ -133,7 +133,7 @@ class PhraseanetExtension extends \Twig_Extension $structure = $databox->getStatusStructure()->toArray(); - if (!$this->isGrantedOnCollection($record->getBaseId(), 'chgstatus')) { + if (!$this->isGrantedOnCollection($record->getBaseId(), \ACL::CHGSTATUS)) { $structure = array_filter($structure, function($status) { return (bool) $status['printable']; }); diff --git a/lib/Alchemy/Phrasea/Vocabulary/ControlProvider/UserProvider.php b/lib/Alchemy/Phrasea/Vocabulary/ControlProvider/UserProvider.php index 2c9af43bd3..a8a7224b1d 100644 --- a/lib/Alchemy/Phrasea/Vocabulary/ControlProvider/UserProvider.php +++ b/lib/Alchemy/Phrasea/Vocabulary/ControlProvider/UserProvider.php 
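Review bot: `\ACL::MANAGE` and `\ACL::MODIFY_STRUCT` in the Installer hunk are not among the constants this commit adds to `ACL` — the ACL.php hunk declares `COLL_MANAGE = 'manage'` and `COLL_MODIFY_STRUCT = 'modify_struct'` — so unless they are defined somewhere outside the visible hunks, building the administrator's rights array will stop with an undefined class constant error. The same two names are used in the databox.php hunk later in this diff. The lines should read `\ACL::COLL_MANAGE => 1,` and `\ACL::COLL_MODIFY_STRUCT => 1,`. Since this is the path that gives the initial administrator their collection rights, a test that runs the installer would catch it more reliably than review.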
@@ -56,7 +56,7 @@ class UserProvider implements ControlProviderInterface ->like(\User_Query::LIKE_LOGIN, $query) ->like_match(\User_Query::LIKE_MATCH_OR) ->include_phantoms(true) - ->on_bases_where_i_am($this->app->getAclForUser($for_user), ['canadmin']) + ->on_bases_where_i_am($this->app->getAclForUser($for_user), [\ACL::CANADMIN]) ->limit(0, 50) ->execute()->get_results(); diff --git a/lib/classes/ACL.php b/lib/classes/ACL.php index 5a851a7dc4..e07bb62ee0 100644 --- a/lib/classes/ACL.php +++ b/lib/classes/ACL.php @@ -32,25 +32,42 @@ use Doctrine\DBAL\DBALException; class ACL implements cache_cacheableInterface { + const ACTIF = 'actif'; + const CANADDRECORD = 'canaddrecord'; + const CANADMIN = 'canadmin'; + const CANCMD = 'cancmd'; + const CANDELETERECORD = 'candeleterecord'; + const CANDWNLDHD = 'candwnldhd'; + const CANDWNLDPREVIEW = 'candwnldpreview'; + const CANMODIFRECORD = 'canmodifrecord'; + const CANPUSH = 'canpush'; + const CANPUTINALBUM = 'canputinalbum'; + const CANREPORT = 'canreport'; + const CHGSTATUS = 'chgstatus'; + const IMGTOOLS = 'imgtools'; + const COLL_MANAGE = 'manage'; + const COLL_MODIFY_STRUCT = 'modify_struct'; + const NOWATERMARK = 'nowatermark'; + const ORDER_MASTER = 'order_master'; protected static $bas_rights = [ 'actif', 'canaddrecord', - 'canadmin', + self::CANADMIN, 'cancmd', - 'candeleterecord', - 'candwnldhd', - 'candwnldpreview', - 'canmodifrecord', + self::CANDELETERECORD, + self::CANDWNLDHD, + self::CANDWNLDPREVIEW, + self::CANMODIFRECORD, 'canpush', - 'canputinalbum', + self::CANPUTINALBUM, 'canreport', - 'chgstatus', - 'imgtools', - 'manage', - 'modify_struct', + self::CHGSTATUS, + self::IMGTOOLS, + self::COLL_MANAGE, + self::COLL_MODIFY_STRUCT, 'nowatermark', - 'order_master', + self::ORDER_MASTER, ]; /** 
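Review bot: `$bas_rights` in the ACL.php hunk is only half converted: `'actif'`, `'cancmd'`, `'canpush'`, `'canreport'` and `'nowatermark'` stay as string literals although `ACTIF`, `CANCMD`, `CANPUSH`, `CANREPORT` and `NOWATERMARK` are declared a few lines above, which leaves a reader wondering whether the mix is deliberate. Converting the remaining five keeps the list self-checking against the constants. The new constant block also carries no comment; a line such as `/** Per-collection right names: columns of basusr as read by load_rights_bas, and keys of $_rights_bas / $_global_rights. */` above it would explain what the strings are, especially `COLL_MANAGE = 'manage'`.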
@@ -89,23 +106,23 @@ class ACL implements cache_cacheableInterface protected $is_admin; protected $_global_rights = [ - 'addrecord' => false, - 'addtoalbum' => false, + self::CANADDRECORD => false, + self::CANPUTINALBUM => false, 'bas_chupub' => false, 'bas_manage' => false, 'bas_modif_th' => false, 'bas_modify_struct' => false, - 'candwnldhd' => true, + self::CANDWNLDHD => true, 'candwnldpreview' => true, - 'changestatus' => false, - 'coll_manage' => false, - 'coll_modify_struct' => false, - 'deleterecord' => false, - 'doctools' => false, - 'manageusers' => false, - 'modifyrecord' => false, + self::CHGSTATUS => false, + self::COLL_MANAGE => false, + self::COLL_MODIFY_STRUCT => false, + self::CANDELETERECORD => false, + self::IMGTOOLS => false, + self::CANADMIN => false, + self::CANMODIFRECORD => false, 'order' => false, - 'order_master' => false, + self::ORDER_MASTER => false, 'push' => false, 'report' => false, 'taskmanager' => false, @@ -124,6 +141,7 @@ class ACL implements cache_cacheableInterface const CACHE_GLOBAL_RIGHTS = 'global_rights'; const GRANT_ACTION_PUSH = 'push'; const GRANT_ACTION_VALIDATE = 'validate'; + const GRANT_ACTION_ORDER = 'order'; /** * Constructor 
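Review bot: Renaming the `$_global_rights` keys (`manageusers` → `canadmin`, `addrecord` → `canaddrecord`, `coll_manage` → `manage`, and so on) changes the layout of a structure that is persisted under `CACHE_GLOBAL_RIGHTS` and looked up by string in `has_right()`, and the hunk does not address either consequence. A cache entry written before this deploy still carries the old keys, and any caller outside this diff that still passes `'manageusers'` or `'modifyrecord'` now looks up a key that no longer exists; whether that yields `false` or a notice depends on `has_right()`, which is not in the diff, but either way an authorization check silently stops matching instead of failing loudly. Consider invalidating the ACL cache as part of the change and having `has_right()` reject unknown names with an exception (or at least log them) so a stale string surfaces in testing rather than as a quietly missing right. `'candwnldpreview' => true` in the same array is also left as a literal although `self::CANDWNLDPREVIEW` exists.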
@@ -179,17 +197,16 @@ class ACL implements cache_cacheableInterface public function grant_hd_on(RecordReferenceInterface $record, User $pusher, $action) { - $sql = 'REPLACE INTO records_rights - (id, usr_id, sbas_id, record_id, document, `case`, pusher_usr_id) - VALUES - (null, :usr_id, :sbas_id, :record_id, 1, :case, :pusher)'; + $sql = "REPLACE INTO records_rights\n" + . "(id, usr_id, sbas_id, record_id, document, `case`, pusher_usr_id)\n" + . "VALUES (null, :usr_id, :sbas_id, :record_id, 1, :case, :pusher)"; $params = [ - ':usr_id' => $this->user->getId() - , ':sbas_id' => $record->getDataboxId() - , ':record_id' => $record->getRecordId() - , ':case' => $action - , ':pusher' => $pusher->getId() + ':usr_id' => $this->user->getId(), + ':sbas_id' => $record->getDataboxId(), + ':record_id' => $record->getRecordId(), + ':case' => $action, + ':pusher' => $pusher->getId() ]; $stmt = $this->app->getApplicationBox()->get_connection()->prepare($sql); @@ -203,10 +220,10 @@ class ACL implements cache_cacheableInterface public function grant_preview_on(RecordReferenceInterface $record, User $pusher, $action) { - $sql = 'REPLACE INTO records_rights - (id, usr_id, sbas_id, record_id, preview, `case`, pusher_usr_id) - VALUES - (null, :usr_id, :sbas_id, :record_id, 1, :case, :pusher)'; + $sql = "REPLACE INTO records_rights\n" + . " (id, usr_id, sbas_id, record_id, preview, `case`, pusher_usr_id)\n" + . " VALUES\n" + . " (null, :usr_id, :sbas_id, :record_id, 1, :case, :pusher)"; $params = [ ':usr_id' => $this->user->getId() 
@@ -279,11 +296,11 @@ class ACL implements cache_cacheableInterface if ($subdef_class == databox_subdef::CLASS_THUMBNAIL) { $granted = true; - } elseif ($subdef_class == databox_subdef::CLASS_PREVIEW && $this->has_right_on_base($record->getBaseId(), 'candwnldpreview')) { + } elseif ($subdef_class == databox_subdef::CLASS_PREVIEW && $this->has_right_on_base($record->getBaseId(), self::CANDWNLDPREVIEW)) { $granted = true; } elseif ($subdef_class == databox_subdef::CLASS_PREVIEW && $this->has_preview_grant($record)) { $granted = true; - } elseif ($subdef_class == databox_subdef::CLASS_DOCUMENT && $this->has_right_on_base($record->getBaseId(), 'candwnldhd')) { + } elseif ($subdef_class == databox_subdef::CLASS_DOCUMENT && $this->has_right_on_base($record->getBaseId(), self::CANDWNLDHD)) { $granted = true; } elseif ($subdef_class == databox_subdef::CLASS_DOCUMENT && $this->has_hd_grant($record)) { $granted = true; @@ -448,10 +465,10 @@ class ACL implements cache_cacheableInterface } /** - * - * @param int $base_id - * @param string $right - * @return boolean + * @param $base_id + * @param $right + * @return bool + * @throws Exception */ public function has_right_on_base($base_id, $right) { @@ -472,9 +489,8 @@ class ACL implements cache_cacheableInterface } /** - * - * @param $option - * @return + * @param string|null $option + * @return string */ public function get_cache_key($option = null) { @@ -482,9 +498,7 @@ class ACL implements cache_cacheableInterface } /** - * - * @param $option - * @return + * @param string|null $option */ public function delete_data_from_cache($option = null) { 
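Review bot: The `has_right_on_base` docblock in the ACL.php hunk loses the type information it had — `@param int $base_id` and `@param string $right` become bare `@param $base_id` / `@param $right` — while the neighbouring docblocks in the same series gain types, so this one moves backwards. Restore `@param int $base_id`, `@param string $right` and `@return bool`, keeping the new `@throws Exception`. The method body is outside the hunk.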
@@ -508,13 +522,12 @@ class ACL implements cache_cacheableInterface break; } - return $this->app->getApplicationBox()->delete_data_from_cache($this->get_cache_key($option)); + $this->app->getApplicationBox()->delete_data_from_cache($this->get_cache_key($option)); } /** - * - * @param $option - * @return + * @param string|null $option + * @return array */ public function get_data_from_cache($option = null) { @@ -522,11 +535,10 @@ class ACL implements cache_cacheableInterface } /** - * - * @param $value - * @param $option - * @param $duration - * @return + * @param $value + * @param string|null $option + * @param int $duration + * @return bool */ public function set_data_to_cache($value, $option = null, $duration = 0) { @@ -824,8 +836,7 @@ class ACL implements cache_cacheableInterface } catch (\Exception $e) { } - $sql = 'SELECT sbas_id, record_id, preview, document - FROM records_rights WHERE usr_id = :usr_id'; + $sql = "SELECT sbas_id, record_id, preview, document FROM records_rights WHERE usr_id = :usr_id"; $stmt = $this->app->getApplicationBox()->get_connection()->prepare($sql); $stmt->execute([':usr_id' => $this->user->getId()]); @@ -844,8 +855,8 @@ class ACL implements cache_cacheableInterface } $datas = [ - 'preview' => $this->_rights_records_preview - , 'document' => $this->_rights_records_document + 'preview' => $this->_rights_records_preview, + 'document' => $this->_rights_records_document ]; $this->set_data_to_cache($datas, self::CACHE_RIGHTS_RECORDS); @@ -883,9 +894,7 @@ class ACL implements cache_cacheableInterface } - $sql = 'SELECT sbasusr.* FROM sbasusr, sbas - WHERE usr_id= :usr_id - AND sbas.sbas_id = sbasusr.sbas_id'; + $sql = "SELECT sbasusr.* FROM sbasusr INNER JOIN sbas USING(sbas_id) WHERE usr_id= :usr_id"; $stmt = $this->app->getApplicationBox()->get_connection()->prepare($sql); $stmt->execute([':usr_id' => $this->user->getId()]); 
@@ -900,20 +909,12 @@ class ACL implements cache_cacheableInterface $this->_global_rights['bas_chupub'] = false; foreach ($rs as $row) { - - if ($row['bas_modif_th'] == '1') - $this->_global_rights['bas_modif_th'] = true; - if ($row['bas_modify_struct'] == '1') - $this->_global_rights['bas_modify_struct'] = true; - if ($row['bas_manage'] == '1') - $this->_global_rights['bas_manage'] = true; - if ($row['bas_chupub'] == '1') - $this->_global_rights['bas_chupub'] = true; - - $this->_rights_sbas[$row['sbas_id']]['bas_modify_struct'] = ($row['bas_modify_struct'] == '1'); - $this->_rights_sbas[$row['sbas_id']]['bas_manage'] = ($row['bas_manage'] == '1'); - $this->_rights_sbas[$row['sbas_id']]['bas_chupub'] = ($row['bas_chupub'] == '1'); - $this->_rights_sbas[$row['sbas_id']]['bas_modif_th'] = ($row['bas_modif_th'] == '1'); + $sbid = $row['sbas_id']; + $this->_rights_sbas[$sbid] = []; + $this->_global_rights['bas_modif_th'] |= ($this->_rights_sbas[$sbid]['bas_modif_th'] = ($row['bas_modif_th'] == '1')); + $this->_global_rights['bas_modify_struct'] |= ($this->_rights_sbas[$sbid]['bas_modify_struct'] = ($row['bas_modify_struct'] == '1')); + $this->_global_rights['bas_manage'] |= ($this->_rights_sbas[$sbid]['bas_manage'] = ($row['bas_manage'] == '1')); + $this->_global_rights['bas_chupub'] |= ($this->_rights_sbas[$sbid]['bas_chupub'] = ($row['bas_chupub'] == '1')); } $this->set_data_to_cache($this->_rights_sbas, self::CACHE_RIGHTS_SBAS); $this->set_data_to_cache($this->_global_rights, self::CACHE_GLOBAL_RIGHTS); @@ -956,9 +957,9 @@ class ACL implements cache_cacheableInterface } $sql = "SELECT u.* FROM basusr u, bas b, sbas s\n" - . "WHERE usr_id= :usr_id\n" - . "AND b.base_id = u.base_id\n" - . "AND s.sbas_id = b.sbas_id"; + . " WHERE usr_id= :usr_id\n" + . " AND b.base_id = u.base_id\n" + . " AND s.sbas_id = b.sbas_id"; $stmt = $this->app->getApplicationBox()->get_connection()->prepare($sql); $stmt->execute([':usr_id' => $this->user->getId()]); 
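Review bot: The `|=` used in the load_rights_sbas loop (`$this->_global_rights['bas_modif_th'] |= (...)`) turns the global flags from booleans into integers — PHP's bitwise-or on two bools yields `0` or `1` — and the `case 'thesaurus'`, `'upload'` and `'report'` branches of the access switch later in this file compare with `=== true`; unless `has_right()` casts its result, those checks now always fail, and the integer is also what gets written to `CACHE_GLOBAL_RIGHTS`. The load_rights_bas hunk further down uses the same `|=` idiom on every per-collection right, so it has the same problem. Keep the per-row assignment and fold into the global flag with a boolean `||` instead, as below; the same shape applies to the other hunk.
```php
foreach ($rs as $row) {
    $sbid = $row['sbas_id'];
    $this->_rights_sbas[$sbid] = [
        'bas_modif_th'      => ($row['bas_modif_th'] == '1'),
        'bas_modify_struct' => ($row['bas_modify_struct'] == '1'),
        'bas_manage'        => ($row['bas_manage'] == '1'),
        'bas_chupub'        => ($row['bas_chupub'] == '1'),
    ];
    // stays a bool: true as soon as any databox grants the right
    foreach ($this->_rights_sbas[$sbid] as $right => $granted) {
        $this->_global_rights[$right] = $this->_global_rights[$right] || $granted;
    }
}
// … unchanged: set_data_to_cache calls …
```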
@@ -967,55 +968,25 @@ class ACL implements cache_cacheableInterface $this->_rights_bas = $this->_limited = []; - $this->_global_rights['manageusers'] = false; - $this->_global_rights['coll_manage'] = false; - $this->_global_rights['coll_modify_struct'] = false; + $this->_global_rights[self::CANADMIN] = false; + $this->_global_rights[self::COLL_MANAGE] = false; + $this->_global_rights[self::COLL_MODIFY_STRUCT] = false; $this->_global_rights['order'] = false; $this->_global_rights['push'] = false; - $this->_global_rights['addrecord'] = false; - $this->_global_rights['modifyrecord'] = false; - $this->_global_rights['changestatus'] = false; - $this->_global_rights['doctools'] = false; - $this->_global_rights['deleterecord'] = false; - $this->_global_rights['addtoalbum'] = false; + $this->_global_rights[self::CANADDRECORD] = false; + $this->_global_rights[self::CANMODIFRECORD] = false; + $this->_global_rights[self::CHGSTATUS] = false; + $this->_global_rights[self::IMGTOOLS] = false; + $this->_global_rights[self::CANDELETERECORD] = false; + $this->_global_rights[self::CANPUTINALBUM] = false; $this->_global_rights['report'] = false; - $this->_global_rights['candwnldpreview'] = false; - $this->_global_rights['candwnldhd'] = false; - $this->_global_rights['order_master'] = false; + $this->_global_rights[self::CANDWNLDPREVIEW] = false; + $this->_global_rights[self::CANDWNLDHD] = false; + $this->_global_rights[self::ORDER_MASTER] = false; foreach ($rs as $row) { - $this->_rights_bas[$row['base_id']]['actif'] = ($row['actif'] == '1'); - - if ($row['canadmin'] == '1') - $this->_global_rights['manageusers'] = true; - if ($row['manage'] == '1') - $this->_global_rights['coll_manage'] = true; - if ($row['modify_struct'] == '1') - $this->_global_rights['coll_modify_struct'] = true; - if ($row['cancmd'] == '1') - $this->_global_rights['order'] = true; - if ($row['canpush'] == '1') - $this->_global_rights['push'] = true; - if ($row['canaddrecord'] == '1') - 
$this->_global_rights['addrecord'] = true; - if ($row['canmodifrecord'] == '1') - $this->_global_rights['modifyrecord'] = true; - if ($row['chgstatus'] == '1') - $this->_global_rights['changestatus'] = true; - if ($row['imgtools'] == '1') - $this->_global_rights['doctools'] = true; - if ($row['candeleterecord'] == '1') - $this->_global_rights['deleterecord'] = true; - if ($row['canputinalbum'] == '1') - $this->_global_rights['addtoalbum'] = true; - if ($row['canreport'] == '1') - $this->_global_rights['report'] = true; - if ($row['candwnldpreview'] == '1') - $this->_global_rights['candwnldpreview'] = true; - if ($row['candwnldhd'] == '1') - $this->_global_rights['candwnldhd'] = true; - if ($row['order_master'] == '1') - $this->_global_rights['order_master'] = true; + $bid = $row['base_id']; + $this->_rights_bas[$bid]['actif'] = ($row['actif'] == '1'); $row['limited_from'] = $row['limited_from'] == '0000-00-00 00:00:00' ? '' : trim($row['limited_from']); $row['limited_to'] = $row['limited_to'] == '0000-00-00 00:00:00' ? '' : trim($row['limited_to']); 
@@ -1023,54 +994,41 @@ class ACL implements cache_cacheableInterface if ($row['time_limited'] == '1' && ($row['limited_from'] !== '' || $row['limited_to'] !== '')) { $this->_limited[$row['base_id']] = [ - 'dmin' => $row['limited_from'] ? new DateTime($row['limited_from']) : null - , 'dmax' => $row['limited_to'] ? new DateTime($row['limited_to']) : null + 'dmin' => $row['limited_from'] ? new DateTime($row['limited_from']) : null, + 'dmax' => $row['limited_to'] ? new DateTime($row['limited_to']) : null ]; } - $this->_rights_bas[$row['base_id']]['imgtools'] - = $row['imgtools'] == '1'; + $this->_global_rights[self::IMGTOOLS] |= ($this->_rights_bas[$bid][self::IMGTOOLS] = ($row['imgtools'] == '1')); + $this->_global_rights[self::CHGSTATUS] |= ($this->_rights_bas[$bid][self::CHGSTATUS] = ($row['chgstatus'] == '1')); + $this->_global_rights['order'] |= ($this->_rights_bas[$bid]['cancmd'] = ($row['cancmd'] == '1')); + $this->_global_rights[self::CANADDRECORD] |= ($this->_rights_bas[$bid][self::CANADDRECORD] = ($row['canaddrecord'] == '1')); + $this->_global_rights['push'] |= ($this->_rights_bas[$bid]['canpush'] = ($row['canpush'] == '1')); + $this->_global_rights[self::CANDELETERECORD] |= ($this->_rights_bas[$bid][self::CANDELETERECORD] = ($row['candeleterecord'] == '1')); + $this->_global_rights[self::CANADMIN] |= ($this->_rights_bas[$bid][self::CANADMIN] = ($row['canadmin'] == '1')); + $this->_global_rights[self::CANDWNLDPREVIEW] |= ($this->_rights_bas[$bid][self::CANDWNLDPREVIEW] = ($row['candwnldpreview'] == '1')); + $this->_global_rights[self::CANDWNLDHD] |= ($this->_rights_bas[$bid][self::CANDWNLDHD] = ($row['candwnldhd'] == '1')); + $this->_global_rights[self::CANMODIFRECORD] |= ($this->_rights_bas[$bid][self::CANMODIFRECORD] = ($row['canmodifrecord'] == '1')); + $this->_global_rights[self::CANPUTINALBUM] |= ($this->_rights_bas[$bid][self::CANPUTINALBUM] = ($row['canputinalbum'] == '1')); + $this->_global_rights['report'] |= ($this->_rights_bas[$bid]['canreport'] = 
($row['canreport'] == '1')); + $this->_global_rights[self::COLL_MODIFY_STRUCT] |= ($this->_rights_bas[$bid][self::COLL_MODIFY_STRUCT] = ($row['modify_struct'] == '1')); + $this->_global_rights[self::COLL_MANAGE] |= ($this->_rights_bas[$bid][self::COLL_MANAGE] = ($row['manage'] == '1')); + $this->_global_rights[self::ORDER_MASTER] |= ($this->_rights_bas[$bid][self::ORDER_MASTER] = ($row[\ACL::ORDER_MASTER] == '1')); + $this->_rights_bas[$bid]['nowatermark'] = ($row['nowatermark'] == '1'); + $this->_rights_bas[$bid]['restrict_dwnld'] = ($row['restrict_dwnld'] == '1'); + $this->_rights_bas[$bid]['remain_dwnld'] = (int) $row['remain_dwnld']; + $this->_rights_bas[$bid]['mask_and'] = (int) $row['mask_and']; + $this->_rights_bas[$bid]['mask_xor'] = (int) $row['mask_xor']; - $this->_rights_bas[$row['base_id']]['chgstatus'] - = $row['chgstatus'] == '1'; - $this->_rights_bas[$row['base_id']]['cancmd'] - = $row['cancmd'] == '1'; - $this->_rights_bas[$row['base_id']]['canaddrecord'] - = $row['canaddrecord'] == '1'; - $this->_rights_bas[$row['base_id']]['canpush'] - = $row['canpush'] == '1'; - $this->_rights_bas[$row['base_id']]['candeleterecord'] - = $row['candeleterecord'] == '1'; - $this->_rights_bas[$row['base_id']]['canadmin'] - = $row['canadmin'] == '1'; - $this->_rights_bas[$row['base_id']]['chgstatus'] - = $row['chgstatus'] == '1'; - $this->_rights_bas[$row['base_id']]['candwnldpreview'] - = $row['candwnldpreview'] == '1'; - $this->_rights_bas[$row['base_id']]['candwnldhd'] - = $row['candwnldhd'] == '1'; - $this->_rights_bas[$row['base_id']]['nowatermark'] - = $row['nowatermark'] == '1'; - $this->_rights_bas[$row['base_id']]['restrict_dwnld'] - = $row['restrict_dwnld'] == '1'; - $this->_rights_bas[$row['base_id']]['remain_dwnld'] - = (int) $row['remain_dwnld']; - $this->_rights_bas[$row['base_id']]['canmodifrecord'] - = $row['canmodifrecord'] == '1'; - $this->_rights_bas[$row['base_id']]['canputinalbum'] - = $row['canputinalbum'] == '1'; - 
$this->_rights_bas[$row['base_id']]['canreport'] - = $row['canreport'] == '1'; - $this->_rights_bas[$row['base_id']]['mask_and'] - = (int) $row['mask_and']; - $this->_rights_bas[$row['base_id']]['mask_xor'] - = (int) $row['mask_xor']; - $this->_rights_bas[$row['base_id']]['modify_struct'] - = $row['modify_struct'] == '1'; - $this->_rights_bas[$row['base_id']]['manage'] - = $row['manage'] == '1'; - $this->_rights_bas[$row['base_id']]['order_master'] - = $row['order_master'] == '1'; + $row['limited_from'] = $row['limited_from'] == '0000-00-00 00:00:00' ? '' : trim($row['limited_from']); + $row['limited_to'] = $row['limited_to'] == '0000-00-00 00:00:00' ? '' : trim($row['limited_to']); + + if ($row['time_limited'] == '1' && ($row['limited_from'] !== '' || $row['limited_to'] !== '')) { + $this->_limited[$row['base_id']] = [ + 'dmin' => $row['limited_from'] ? new DateTime($row['limited_from']) : null, + 'dmax' => $row['limited_to'] ? new DateTime($row['limited_to']) : null + ]; + } } $this->set_data_to_cache($this->_global_rights, self::CACHE_GLOBAL_RIGHTS); @@ -1106,17 +1064,17 @@ class ACL implements cache_cacheableInterface case 'admin': return ( ($this->has_right('bas_modify_struct') || - $this->has_right('coll_modify_struct') || + $this->has_right(self::COLL_MODIFY_STRUCT) || $this->has_right('bas_manage') || - $this->has_right('coll_manage') || - $this->has_right('manageusers') || + $this->has_right(self::COLL_MANAGE) || + $this->has_right(self::CANADMIN) || $this->is_admin()) ); break; case 'thesaurus': return ($this->has_right('bas_modif_th') === true ); break; case 'upload': - return ($this->has_right('addrecord') === true); + return ($this->has_right(self::CANADDRECORD) === true); break; case 'report': return ($this->has_right('report') === true); 
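Review bot: The load_rights_bas hunk adds a second copy of the `limited_from` / `limited_to` normalisation and the `time_limited` block at the end of the loop body, although the same lines are still present as context at the top of the loop, so every row is normalised twice and its `DateTime` objects are built twice. One copy should go; the trailing one is the natural candidate since the first already runs before the rights are read. The same hunk reads `$row[\ACL::ORDER_MASTER]` while every neighbouring line uses `self::`, and `$this->_limited[$row['base_id']]` could use the `$bid` the hunk introduced. The `|=` boolean-to-integer issue raised on the load_rights_sbas hunk applies to every right line here.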
@@ -1168,48 +1126,31 @@ class ACL implements cache_cacheableInterface */ public function give_access_to_base(Array $base_ids) { - $sql_ins = 'INSERT INTO basusr (id, base_id, usr_id, actif) - VALUES (null, :base_id, :usr_id, "1")'; - $stmt_ins = $this->app->getApplicationBox()->get_connection()->prepare($sql_ins); + $sql = "INSERT INTO basusr (id, base_id, usr_id, actif)\n" + . "VALUES (null, :base_id, :usr_id, '1')\n" + . "ON DUPLICATE KEY UPDATE actif='1"; + $stmt = $this->app->getApplicationBox()->get_connection()->prepare($sql); $usr_id = $this->user->getId(); - $to_update = []; + $this->load_rights_bas(); foreach ($base_ids as $base_id) { - if (!isset($this->_rights_bas[$base_id])) { - try { - $stmt_ins->execute([':base_id' => $base_id, ':usr_id' => $usr_id]); - } catch (DBALException $e) { -// if (null !== $e) { -// var_dump(get_class($e->getPrevious())); -// } - if (($e->getCode() == 23000)) { - $to_update[] = $base_id; - } + if (!isset($this->_rights_bas[$base_id]) || $this->_rights_bas[$base_id]['actif'] === false) { + $stmt->execute([':base_id' => $base_id, ':usr_id' => $usr_id]); + if($stmt->rowCount() > 0) { + $this->app['dispatcher']->dispatch( + AclEvents::ACCESS_TO_BASE_GRANTED, + new AccessToBaseGrantedEvent( + $this, + array( + 'base_id'=>$base_id + ) + ) + ); } - } elseif ($this->_rights_bas[$base_id]['actif'] === false) { - $to_update[] = $base_id; } } - $stmt_ins->closeCursor(); - - $sql_upd = 'UPDATE basusr SET actif="1" - WHERE usr_id = :usr_id AND base_id = :base_id'; - $stmt_upd = $this->app->getApplicationBox()->get_connection()->prepare($sql_upd); - foreach ($to_update as $base_id) { - $stmt_upd->execute([':usr_id' => $usr_id, ':base_id' => $base_id]); - - $this->app['dispatcher']->dispatch( - AclEvents::ACCESS_TO_BASE_GRANTED, - new AccessToBaseGrantedEvent( - $this, - array( - 'base_id'=>$base_id - ) - ) - ); - } - $stmt_upd->closeCursor(); + $stmt->closeCursor(); $this->delete_data_from_cache(self::CACHE_RIGHTS_BAS); 
$this->inject_rights(); @@ -1358,23 +1299,21 @@ class ACL implements cache_cacheableInterface $sql_args = []; $usr_id = $this->user->getId(); - $params = [':sbas_id' => $sbas_id, ':usr_id' => $usr_id]; foreach ($rights as $right => $v) { - $sql_args[] = " " . $right . " = :" . $right; - $params[':' . $right] = $v ? '1' : '0'; + $sql_args[] = "`" . $right . "`=" . ($v ? '1' : '0'); } if (count($sql_args) == 0) { return $this; } - $sql_up .= implode(', ', $sql_args) . ' - WHERE sbas_id = :sbas_id AND usr_id = :usr_id'; + $sql_up .= implode(', ', $sql_args) . "\n" + . " WHERE sbas_id = :sbas_id AND usr_id = :usr_id"; $stmt_up = $this->app->getApplicationBox()->get_connection()->prepare($sql_up); - if (!$stmt_up->execute($params)) { + if (!$stmt_up->execute([':sbas_id' => $sbas_id, ':usr_id' => $usr_id])) { throw new Exception('Error while updating some rights'); } $stmt_up->closeCursor(); @@ -1401,9 +1340,8 @@ class ACL implements cache_cacheableInterface */ public function remove_quotas_on_base($base_id) { - $sql = 'UPDATE basusr - SET remain_dwnld = 0, restrict_dwnld = 0, month_dwnld_max = 0 - WHERE usr_id = :usr_id AND base_id = :base_id '; + $sql = "UPDATE basusr SET remain_dwnld = 0, restrict_dwnld = 0, month_dwnld_max = 0\n" + . " WHERE usr_id = :usr_id AND base_id = :base_id"; $stmt = $this->app->getApplicationBox()->get_connection()->prepare($sql); $stmt->execute([':usr_id' => $this->user->getId(), ':base_id' => $base_id]); 
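Review bot: The new `INSERT … ON DUPLICATE KEY UPDATE` statement in give_access_to_base is missing the closing quote of its last literal — `"ON DUPLICATE KEY UPDATE actif='1"` — so every call fails with an unterminated string; it should be `. "ON DUPLICATE KEY UPDATE actif='1'";`. Two behavioural points deserve a comment because they are not obvious from the code: `$stmt->rowCount()` after an upsert is 1 for an insert, 2 for an update and 0 when the row already had `actif='1'`, which is what the `> 0` test relies on, and `ACCESS_TO_BASE_GRANTED` now fires for fresh inserts as well, whereas the removed code dispatched it only on the update path. A single-quoted literal inside a double-quoted PHP string is easy to miss in review; a test that grants access to a base the user already holds would have caught this.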
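Review bot: In the update_rights_to_sbas hunk the right name is now embedded as a backtick-quoted identifier (`"`" . $right . "`="`) and the value became a literal, so the SQL text is built entirely from the `$rights` keys; backticks do not neutralise a backtick inside `$right`. The old form also interpolated the name, so this is not new exposure, but the method's beginning is outside the hunk and I cannot see whether `$rights` is filtered against a known list first. If it is not, a guard at the top of the loop such as `if (!in_array($right, ['bas_manage', 'bas_modify_struct', 'bas_modif_th', 'bas_chupub'], true)) { throw new \InvalidArgumentException('Unknown sbas right: ' . $right); }` keeps the statement under the method's control; those four names are the ones the Installer hunk and load_rights_sbas use.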
@@ -1427,16 +1365,15 @@ class ACL implements cache_cacheableInterface public function update_download_restrictions() { - $sql = 'UPDATE basusr SET remain_dwnld = month_dwnld_max - WHERE actif = 1 - AND usr_id = :usr_id - AND MONTH(lastconn) != MONTH(NOW()) AND restrict_dwnld = 1'; + $sql = "UPDATE basusr SET remain_dwnld = month_dwnld_max\n" + . " WHERE actif = 1" + . " AND usr_id = :usr_id" + . " AND MONTH(lastconn) != MONTH(NOW()) AND restrict_dwnld = 1'"; $stmt = $this->app->getApplicationBox()->get_connection()->prepare($sql); $stmt->execute([':usr_id' => $this->user->getId()]); $stmt->closeCursor(); - $sql = "UPDATE basusr SET lastconn=now() - WHERE usr_id = :usr_id AND actif = 1"; + $sql = "UPDATE basusr SET lastconn=now() WHERE usr_id = :usr_id AND actif = 1"; $stmt = $this->app->getApplicationBox()->get_connection()->prepare($sql); $stmt->execute([':usr_id' => $this->user->getId()]); $stmt->closeCursor(); @@ -1463,9 +1400,8 @@ class ACL implements cache_cacheableInterface */ public function set_quotas_on_base($base_id, $droits, $restes) { - $sql = 'UPDATE basusr - SET remain_dwnld = :restes, restrict_dwnld = 1, month_dwnld_max = :droits - WHERE usr_id = :usr_id AND base_id = :base_id '; + $sql = "UPDATE basusr SET remain_dwnld = :restes, restrict_dwnld = 1, month_dwnld_max = :droits\n" + . " WHERE usr_id = :usr_id AND base_id = :base_id"; $params = [ ':usr_id' => $this->user->getId(), @@ -1498,8 +1434,7 @@ class ACL implements cache_cacheableInterface public function duplicate_right_from_bas($base_id_from, $base_id_dest) { - $sql = 'SELECT * FROM basusr - WHERE base_id = :base_from AND usr_id = :usr_id'; + $sql = "SELECT * FROM basusr WHERE base_id = :base_from AND usr_id = :usr_id"; $params = [ ':base_from' => $base_id_from, 
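Review bot: The rebuilt statement in update_download_restrictions ends with a stray quote — `" AND MONTH(lastconn) != MONTH(NOW()) AND restrict_dwnld = 1'"` — left over from the old single-quoted literal, so the first UPDATE of this method fails with a syntax error and the monthly quota reset never runs; drop the `'` so the line reads `. " AND MONTH(lastconn) != MONTH(NOW()) AND restrict_dwnld = 1";`. The concatenated pieces also omit the `"\n"` the neighbouring hunks use; harmless because each piece starts with a space, but worth aligning.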
@@ -1522,16 +1457,12 @@ class ACL implements cache_cacheableInterface 'mask_xor' => $row['mask_xor'], ]; - if ($row['canputinalbum']) - $rights['canputinalbum'] = true; - if ($row['candwnldhd']) - $rights['candwnldhd'] = true; - if ($row['candwnldpreview']) - $rights['candwnldpreview'] = true; + $rights[self::CANPUTINALBUM] = ($row['canputinalbum'] == '1'); + $rights[self::CANDWNLDHD] = ($row['candwnldhd'] == '1'); + $rights[self::CANDWNLDPREVIEW] = ($row['candwnldpreview'] == '1'); if ($row['cancmd']) $rights['cancmd'] = true; - if ($row['canadmin']) - $rights['canadmin'] = true; + $rights[self::CANADMIN] = ($row['canadmin'] == '1'); if ($row['canreport']) $rights['canreport'] = true; if ($row['canpush']) @@ -1540,18 +1471,12 @@ class ACL implements cache_cacheableInterface $rights['nowatermark'] = true; if ($row['canaddrecord']) $rights['canaddrecord'] = true; - if ($row['canmodifrecord']) - $rights['canmodifrecord'] = true; - if ($row['candeleterecord']) - $rights['candeleterecord'] = true; - if ($row['chgstatus']) - $rights['chgstatus'] = true; - if ($row['imgtools']) - $rights['imgtools'] = true; - if ($row['manage']) - $rights['manage'] = true; - if ($row['modify_struct']) - $rights['modify_struct'] = true; + $rights[self::CANMODIFRECORD] = ($row['canmodifrecord' == '1']); + $rights[self::CANDELETERECORD] = ($row['candeleterecord'] == '1'); + $rights[self::CHGSTATUS] = ($row['chgstatus'] == '1'); + $rights[self::IMGTOOLS] = ($row['imgtools'] == '1'); + $rights[self::COLL_MANAGE] = ($row['manage'] == '1'); + $rights[self::COLL_MODIFY_STRUCT] = ($row['modify_struct'] == '1'); $this->update_rights_to_base($base_id_dest, $rights); @@ -1695,6 +1620,13 @@ class ACL implements cache_cacheableInterface return $lim_max || $lim_min; } + /** + * returns date limits ['dmin'=>x, 'dmax'=>y] with x,y : NullableDateTime + * + * + * @param $base_id + * @return array|null + */ public function get_limits($base_id) { $this->load_rights_bas(); 
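Review bot: `$rights[self::CANMODIFRECORD] = ($row['canmodifrecord' == '1']);` in the duplicate_right_from_bas hunk has the bracket in the wrong place: `'canmodifrecord' == '1'` is evaluated first and `false` becomes the array index, so the expression reads `$row[0]` (undefined, a notice and `null`) and the edit-record right is never copied to the destination collection. It should be `$rights[self::CANMODIFRECORD] = ($row['canmodifrecord'] == '1');`. The converted lines in both hunks now always write `true`/`false`, whereas the untouched neighbours (`cancmd`, `canreport`, `canpush`, `nowatermark`, `canaddrecord`) still only set `true` when granted, so duplicating rights now clears some rights on the destination and leaves others as they were; either convert all of them or none. The method starts outside the hunk.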
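Review bot: The new `get_limits` docblock describes the result as `with x,y : NullableDateTime`, which is not a type the file declares and not something tooling can read. A PHPDoc shape says the same thing precisely: `@param int $base_id` and `@return array{dmin: DateTime|null, dmax: DateTime|null}|null`, matching the `'dmin'`/`'dmax'` entries load_rights_bas stores in `$_limited`. The two blank lines inside the docblock can go.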
@@ -1753,7 +1685,7 @@ class ACL implements cache_cacheableInterface { // a user can see the business fields if he has at least the right on one collection to edit a record foreach($databox->get_collections() as $collection) { - if ($this->has_access_to_base($collection->get_base_id()) && $this->has_right_on_base($collection->get_base_id(), 'canmodifrecord')) { + if ($this->has_access_to_base($collection->get_base_id()) && $this->has_right_on_base($collection->get_base_id(), self::CANMODIFRECORD)) { return true; } } @@ -1768,7 +1700,7 @@ class ACL implements cache_cacheableInterface */ public function getOrderMasterCollectionsBaseIds() { - $sql = 'SELECT base_id FROM basusr WHERE order_master="1" AND usr_id= :usr_id'; + $sql = "SELECT base_id FROM basusr WHERE order_master='1' AND usr_id= :usr_id"; $result = $this->app->getApplicationBox() ->get_connection() ->executeQuery($sql, [':usr_id' => $this->user->getId()]) @@ -1819,8 +1751,7 @@ class ACL implements cache_cacheableInterface */ public function set_order_master(\collection $collection, $bool) { - $sql = 'UPDATE basusr SET order_master = :master - WHERE usr_id = :usr_id AND base_id = :base_id'; + $sql = "UPDATE basusr SET order_master = :master WHERE usr_id = :usr_id AND base_id = :base_id"; $stmt = $this->app->getApplicationBox()->get_connection()->prepare($sql); $stmt->execute([ diff --git a/lib/classes/databox.php b/lib/classes/databox.php index 9e8c32ad33..6d21264272 100644 --- a/lib/classes/databox.php +++ b/lib/classes/databox.php 
@@ -1155,22 +1155,22 @@ class databox extends base implements ThumbnailedElement foreach ($base_ids as $base_id) { $this->app->getAclForUser($user)->update_rights_to_base($base_id, [ - 'canpush' => 1, - 'cancmd' => 1, - 'canputinalbum' => 1, - 'candwnldhd' => 1, - 'candwnldpreview' => 1, - 'canadmin' => 1, - 'actif' => 1, - 'canreport' => 1, - 'canaddrecord' => 1, - 'canmodifrecord' => 1, - 'candeleterecord' => 1, - 'chgstatus' => 1, - 'imgtools' => 1, - 'manage' => 1, - 'modify_struct' => 1, - 'nowatermark' => 1 + \ACL::CANPUSH => 1, + \ACL::CANCMD => 1, + \ACL::CANPUTINALBUM => 1, + \ACL::CANDWNLDHD => 1, + \ACL::CANDWNLDPREVIEW => 1, + \ACL::CANADMIN => 1, + \ACL::ACTIF => 1, + \ACL::CANREPORT => 1, + \ACL::CANADDRECORD => 1, + \ACL::CANMODIFRECORD => 1, + \ACL::CANDELETERECORD => 1, + \ACL::CHGSTATUS => 1, + \ACL::IMGTOOLS => 1, + \ACL::MANAGE => 1, + \ACL::MODIFY_STRUCT => 1, + \ACL::NOWATERMARK => 1 ]); } diff --git a/lib/classes/databox/status.php b/lib/classes/databox/status.php index cf3a817ded..744041e034 100644 --- a/lib/classes/databox/status.php +++ b/lib/classes/databox/status.php @@ -24,7 +24,7 @@ class databox_status foreach ($app->getAclForUser($app->getAuthenticatedUser())->get_granted_sbas() as $databox) { $see_all = false; foreach ($databox->get_collections() as $collection) { - if ($app->getAclForUser($app->getAuthenticatedUser())->has_right_on_base($collection->get_base_id(), 'chgstatus')) { + if ($app->getAclForUser($app->getAuthenticatedUser())->has_right_on_base($collection->get_base_id(), \ACL::CHGSTATUS)) { $see_all = true; break; } diff --git a/lib/classes/eventsmanager/notify/autoregister.php b/lib/classes/eventsmanager/notify/autoregister.php index a4a609087b..d9749f8835 100644 --- a/lib/classes/eventsmanager/notify/autoregister.php +++ b/lib/classes/eventsmanager/notify/autoregister.php 
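Review bot: This array grants the `manage` and `modify_struct` rights through `\ACL::MANAGE` and `\ACL::MODIFY_STRUCT`, whereas the ACL hunk at `@@ -1540` maps the same `manage`/`modify_struct` columns to `self::COLL_MANAGE` and `self::COLL_MODIFY_STRUCT`, and `set_export`, `CollectionController` and the collection templates check `\ACL::COLL_MANAGE`. The constant definitions are not in this diff, so I cannot tell whether both pairs resolve to the same strings; if they do not, one of these sites grants or checks a different right than intended, which for an admin-rights grant is worth confirming before merge. Pick one constant per right — `\ACL::COLL_MANAGE => 1, \ACL::COLL_MODIFY_STRUCT => 1` here, or the reverse in ACL — and make the other name an alias or remove it. The enclosing method starts before this hunk.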
@@ -73,6 +73,6 @@ class eventsmanager_notify_autoregister extends eventsmanager_notifyAbstract return false; } - return $this->app->getAclForUser($user)->has_right('manageusers'); + return $this->app->getAclForUser($user)->has_right(\ACL::CANADMIN); } } diff --git a/lib/classes/eventsmanager/notify/order.php b/lib/classes/eventsmanager/notify/order.php index 734530fe6e..d5aca30998 100644 --- a/lib/classes/eventsmanager/notify/order.php +++ b/lib/classes/eventsmanager/notify/order.php @@ -75,6 +75,6 @@ class eventsmanager_notify_order extends eventsmanager_notifyAbstract */ public function is_available(User $user) { - return $this->app->getAclForUser($user)->has_right('order_master'); + return $this->app->getAclForUser($user)->has_right(\ACL::ORDER_MASTER); } } diff --git a/lib/classes/eventsmanager/notify/register.php b/lib/classes/eventsmanager/notify/register.php index 8d58b6f001..c0d7222251 100644 --- a/lib/classes/eventsmanager/notify/register.php +++ b/lib/classes/eventsmanager/notify/register.php @@ -75,6 +75,6 @@ class eventsmanager_notify_register extends eventsmanager_notifyAbstract return false; } - return $this->app->getAclForUser($user)->has_right('manageusers'); + return $this->app->getAclForUser($user)->has_right(\ACL::CANADMIN); } } diff --git a/lib/classes/eventsmanager/notify/uploadquarantine.php b/lib/classes/eventsmanager/notify/uploadquarantine.php index 4f1a82b57f..e44f2d66e3 100644 --- a/lib/classes/eventsmanager/notify/uploadquarantine.php +++ b/lib/classes/eventsmanager/notify/uploadquarantine.php @@ -75,6 +75,6 @@ class eventsmanager_notify_uploadquarantine extends eventsmanager_notifyAbstract */ public function is_available(User $user) { - return $this->app->getAclForUser($user)->has_right('addrecord'); + return $this->app->getAclForUser($user)->has_right(\ACL::CANADDRECORD); } } diff --git a/lib/classes/record/exportElement.php b/lib/classes/record/exportElement.php index ddae4ca66d..cf3f1b6d5f 100644 
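Review bot: `has_right('manageusers')` becomes `has_right(\ACL::CANADMIN)` here and in the `register.php` hunk, and the same kind of rename happens for `'addrecord'` → `\ACL::CANADDRECORD` in `uploadquarantine.php` and `set_export`, for `'manageusers'` in `databox.html.twig`, and for `'modifyrecord'`/`'changestatus'`/`'doctools'` in `toolbar.html.twig`. Unless `has_right()` is changed in the same commit to understand the `can*`/`chgstatus`/`imgtools` names (its implementation is outside this diff), these calls will look up a key that no longer matches the stored right, and the affected notifications and toolbar actions silently become available to nobody — or, if a constant happens to collide with another stored key, to the wrong users. The `order.php` hunk is unaffected because `order_master` keeps its name. Please confirm each new constant value against what `has_right()` reads, and add a regression test for `is_available()` with a user holding only the old-style right.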
--- a/lib/classes/record/exportElement.php +++ b/lib/classes/record/exportElement.php @@ -99,10 +99,10 @@ class record_exportElement extends record_adapter 'thumbnail' => true ]; - if ($this->app->getAclForUser($this->app->getAuthenticatedUser())->has_right_on_base($this->getBaseId(), 'candwnldhd')) { + if ($this->app->getAclForUser($this->app->getAuthenticatedUser())->has_right_on_base($this->getBaseId(), \ACL::CANDWNLDHD)) { $go_dl['document'] = true; } - if ($this->app->getAclForUser($this->app->getAuthenticatedUser())->has_right_on_base($this->getBaseId(), 'candwnldpreview')) { + if ($this->app->getAclForUser($this->app->getAuthenticatedUser())->has_right_on_base($this->getBaseId(), \ACL::CANDWNLDPREVIEW)) { $go_dl['preview'] = true; } if ($this->app->getAclForUser($this->app->getAuthenticatedUser())->has_hd_grant($this)) { @@ -116,7 +116,7 @@ class record_exportElement extends record_adapter $query = $this->app['phraseanet.user-query']; $masters = $query->on_base_ids([$this->getBaseId()]) - ->who_have_right(['order_master']) + ->who_have_right([\ACL::ORDER_MASTER]) ->execute()->get_results(); $go_cmd = (count($masters) > 0 && $this->app->getAclForUser($this->app->getAuthenticatedUser())->has_right_on_base($this->getBaseId(), 'cancmd')); diff --git a/lib/classes/set/export.php b/lib/classes/set/export.php index 4eb955a930..5658b5645d 100644 --- a/lib/classes/set/export.php +++ b/lib/classes/set/export.php @@ -175,7 +175,7 @@ class set_export extends set_abstract /** @var record_exportElement $download_element */ foreach ($this->get_elements() as $download_element) { - if ($app->getAclForUser($app->getAuthenticatedUser())->has_right_on_base($download_element->getBaseId(), 'canmodifrecord')) { + if ($app->getAclForUser($app->getAuthenticatedUser())->has_right_on_base($download_element->getBaseId(), \ACL::CANMODIFRECORD)) { $this->businessFieldsAccess = true; } 
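Review bot: The context line right after the changed `who_have_right()` call still checks `has_right_on_base($this->getBaseId(), 'cancmd')` with a string literal, although the rest of this commit moves to the `\ACL::` constants and `\ACL::CANCMD` is used in the `databox.php` hunk. Leaving one literal behind is exactly the inconsistency the commit sets out to remove, and the two checks above it in the `@@ -99` hunk were converted; change it to `->has_right_on_base($this->getBaseId(), \ACL::CANCMD)`. The enclosing method continues past the end of the hunk.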
@@ -227,11 +227,11 @@ class set_export extends set_abstract $display_ftp = []; - $hasadminright = $app->getAclForUser($app->getAuthenticatedUser())->has_right('addrecord') - || $app->getAclForUser($app->getAuthenticatedUser())->has_right('deleterecord') - || $app->getAclForUser($app->getAuthenticatedUser())->has_right('modifyrecord') - || $app->getAclForUser($app->getAuthenticatedUser())->has_right('coll_manage') - || $app->getAclForUser($app->getAuthenticatedUser())->has_right('coll_modify_struct'); + $hasadminright = $app->getAclForUser($app->getAuthenticatedUser())->has_right(\ACL::CANADDRECORD) + || $app->getAclForUser($app->getAuthenticatedUser())->has_right(\ACL::CANDELETERECORD) + || $app->getAclForUser($app->getAuthenticatedUser())->has_right(\ACL::CANMODIFRECORD) + || $app->getAclForUser($app->getAuthenticatedUser())->has_right(\ACL::COLL_MANAGE) + || $app->getAclForUser($app->getAuthenticatedUser())->has_right(\ACL::COLL_MODIFY_STRUCT); $this->ftp_datas = []; @@ -419,7 +419,7 @@ class set_export extends set_abstract $BF = false; - if ($includeBusinessFields && $this->app->getAclForUser($user)->has_right_on_base($download_element->getBaseId(), 'canmodifrecord')) { + if ($includeBusinessFields && $this->app->getAclForUser($user)->has_right_on_base($download_element->getBaseId(), \ACL::CANMODIFRECORD)) { $BF = true; } diff --git a/templates/web/admin/collection/collection.html.twig b/templates/web/admin/collection/collection.html.twig index a7b2f747a3..72d5eff89e 100644 --- a/templates/web/admin/collection/collection.html.twig +++ b/templates/web/admin/collection/collection.html.twig @@ -35,7 +35,7 @@
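Review bot: `$app->getAclForUser($app->getAuthenticatedUser())` is re-evaluated on every one of the five rewritten `$hasadminright` lines, and the `@@ -419` hunk below shows the file already passes `$user` explicitly, so the repeated lookup is only noise. Since these lines are being touched anyway, resolve the ACL once into a local and chain the `has_right()` calls on it; the enclosing method starts before this hunk.
```php
$acl = $app->getAclForUser($app->getAuthenticatedUser());
$hasadminright = $acl->has_right(\ACL::CANADDRECORD)
    || $acl->has_right(\ACL::CANDELETERECORD)
    || $acl->has_right(\ACL::CANMODIFRECORD)
    || $acl->has_right(\ACL::COLL_MANAGE)
    || $acl->has_right(\ACL::COLL_MODIFY_STRUCT);
// … unchanged: $this->ftp_datas = []; …
```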
  • {{ collection.get_record_amount() }} records {{ 'phraseanet:: details' | trans }}
  • -{% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, 'manage') %} +{% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, constant('\\ACL::COLL_MANAGE')) %}
    {{ 'admin::collection:: Gestionnaires des commandes' | trans }}
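Review bot: `app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, constant('\\ACL::COLL_MANAGE'))` is now spelled out in full here and again in the `@@ -144`, `@@ -169` and `@@ -194` hunks of this template, seven times in all. Evaluate it once near the top of the template, `{% set can_manage = app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, constant('\\ACL::COLL_MANAGE')) %}`, and use `{% if can_manage %}` / `{% elseif can_manage %}` below; that keeps the permission check in one place to review and avoids repeating the `constant()` lookup per branch.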
    @@ -144,7 +144,7 @@
    {{ 'admin::base:collection: minilogo actuel' | trans }}
    {% if collection.getLogo(bas_id, app) is not empty %}
    {{ collection.getLogo(bas_id, app) | raw }}
    - {% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, 'manage') %} + {% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, constant('\\ACL::COLL_MANAGE')) %}
    {% endif%} - {% elseif app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, 'manage') %} + {% elseif app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, constant('\\ACL::COLL_MANAGE')) %} {{ 'admin::base:collection: aucun fichier (minilogo, watermark ...)' | trans }}
    @@ -169,7 +169,7 @@
    {{ "Watermark" | trans }}
    {% if collection.getWatermark(bas_id) is not empty %}
    {{ collection.getWatermark(bas_id)| raw }}
    - {% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, 'manage') %} + {% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, constant('\\ACL::COLL_MANAGE')) %} {% endif%} - {% elseif app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, 'manage') %} + {% elseif app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, constant('\\ACL::COLL_MANAGE')) %} {{ 'admin::base:collection: aucun fichier (minilogo, watermark ...)' | trans }}
    @@ -194,7 +194,7 @@
    {{ "Stamp logo" | trans }}
    {% if collection.getStamp(bas_id) is not empty %}
    {{ collection.getStamp(bas_id)| raw }}
    - {% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, 'manage') %} + {% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, constant('\\ACL::COLL_MANAGE')) %} {% endif%} - {% elseif app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, 'manage') %} + {% elseif app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, constant('\\ACL::COLL_MANAGE')) %} {{ 'admin::base:collection: aucun fichier (minilogo, watermark ...)' | trans }}
    diff --git a/templates/web/admin/collection/create.html.twig b/templates/web/admin/collection/create.html.twig index 36cdca68b0..26c0039feb 100644 --- a/templates/web/admin/collection/create.html.twig +++ b/templates/web/admin/collection/create.html.twig @@ -32,10 +32,10 @@
    - {% if app.getAclForUser(app.getAuthenticatedUser()).get_granted_base(["canadmin"]) | length > 0 %} + {% if app.getAclForUser(app.getAuthenticatedUser()).get_granted_base([constant('\\ACL::CANADMIN')]) | length > 0 %} diff --git a/templates/web/admin/databox/databox.html.twig b/templates/web/admin/databox/databox.html.twig index 9182ac6787..fc89409480 100644 --- a/templates/web/admin/databox/databox.html.twig +++ b/templates/web/admin/databox/databox.html.twig @@ -155,7 +155,7 @@
  • {% trans with {'%name%' : name} %}Monter la collection %name%{% endtrans %}
    - {% if app.getAclForUser(app.getAuthenticatedUser()).get_granted_base(["canadmin"]) | length > 0 %} + {% if app.getAclForUser(app.getAuthenticatedUser()).get_granted_base([constant('\\ACL::CANADMIN')]) | length > 0 %}
    {{ 'Select a user in the list' | trans }}
    - {% if app.getAclForUser(app.getAuthenticatedUser()).has_right('manageusers') %} + {% if app.getAclForUser(app.getAuthenticatedUser()).has_right(constant('\\ACL::CANADMIN')) %} {{ 'or' | trans }} {{ 'Add user' | trans }} {% endif %} diff --git a/templates/web/prod/actions/edit_default.html.twig b/templates/web/prod/actions/edit_default.html.twig index 1cf5b739ae..32a12a6fd2 100644 --- a/templates/web/prod/actions/edit_default.html.twig +++ b/templates/web/prod/actions/edit_default.html.twig @@ -27,7 +27,7 @@ {% endif %} {% set class_status = 'nostatus' %} - {% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(record.get_base_id(), 'chgstatus') %} + {% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(record.get_base_id(), constant('\\ACL::CHGSTATUS')) %} {% set class_status = '' %} {% endif %} diff --git a/templates/web/prod/index.html.twig b/templates/web/prod/index.html.twig index d6e6ce422c..4e561bebb5 100644 --- a/templates/web/prod/index.html.twig +++ b/templates/web/prod/index.html.twig @@ -145,7 +145,7 @@ {{ 'Browse Baskets' | trans }}
  • - {% if app['conf'].get(['registry', 'modules', 'stories']) and app.getAclForUser(app.getAuthenticatedUser()).has_right('addrecord') %} + {% if app['conf'].get(['registry', 'modules', 'stories']) and app.getAclForUser(app.getAuthenticatedUser()).has_right(constant('\\ACL::CANADDRECORD')) %}
    diff --git a/templates/web/prod/preview/caption.html.twig b/templates/web/prod/preview/caption.html.twig index a966f22c91..792686f091 100644 --- a/templates/web/prod/preview/caption.html.twig +++ b/templates/web/prod/preview/caption.html.twig @@ -1,6 +1,6 @@ {% import 'common/macros.html.twig' as macro %} - {% set can_edit = granted_on_collection(record.baseId, 'canmodifrecord') %} + {% set can_edit = granted_on_collection(record.baseId, constant('\\ACL::CANMODIFRECORD')) %} {% set can_see_business = can_edit %} {% if can_edit %} diff --git a/templates/web/prod/preview/tools.html.twig b/templates/web/prod/preview/tools.html.twig index 422210e269..184c086712 100644 --- a/templates/web/prod/preview/tools.html.twig +++ b/templates/web/prod/preview/tools.html.twig @@ -1,5 +1,5 @@ -{% if (record.is_from_basket is empty) and app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(record.get_base_id(), 'canputinalbum') %} +{% if (record.is_from_basket is empty) and app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(record.get_base_id(), constant('\\ACL::CANPUTINALBUM')) %}
    @@ -21,7 +21,7 @@
    -{% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(record.get_base_id(), 'candwnldhd') or app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(record.get_base_id(), 'candwnldpreview') %} +{% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(record.get_base_id(), constant('\\ACL::CANDWNLDHD')) or app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(record.get_base_id(), constant('\\ACL::CANDWNLDPREVIEW')) %}
    {# #} diff --git a/templates/web/prod/results/list.html.twig b/templates/web/prod/results/list.html.twig index 7e24f19aaa..9a6a5c433e 100644 --- a/templates/web/prod/results/list.html.twig +++ b/templates/web/prod/results/list.html.twig @@ -13,7 +13,7 @@
    - {% set can_see_business = granted_on_collection(record.baseId, 'canmodifrecord') %} + {% set can_see_business = granted_on_collection(record.baseId, constant('\\ACL::CANMODIFRECORD')) %} {{ macro.caption(record, can_see_business) }}
    diff --git a/templates/web/prod/results/record.html.twig b/templates/web/prod/results/record.html.twig index eb29cc8243..b9512f7de0 100644 --- a/templates/web/prod/results/record.html.twig +++ b/templates/web/prod/results/record.html.twig @@ -18,7 +18,7 @@
    - {% set can_see_business = granted_on_collection(record.baseId, 'canmodifrecord') %} + {% set can_see_business = granted_on_collection(record.baseId, constant('\\ACL::CANMODIFRECORD')) %}
    - {% if granted_on_collection(record.baseId, 'canputinalbum') and not record.story %} + {% if granted_on_collection(record.baseId, constant('\\ACL::CANPUTINALBUM')) and not record.story %}
    @@ -113,7 +113,7 @@
    {% endif %} - {% if granted_on_collection(record.baseId, 'candwnldpreview') or granted_on_collection(record.baseId, 'candwnldhd') %} + {% if granted_on_collection(record.baseId, constant('\\ACL::CANDWNLDPREVIEW')) or granted_on_collection(record.baseId, constant('\\ACL::CANDWNLDHD')) %}
    diff --git a/templates/web/prod/toolbar.html.twig b/templates/web/prod/toolbar.html.twig index 229b9a587b..668a20b230 100644 --- a/templates/web/prod/toolbar.html.twig +++ b/templates/web/prod/toolbar.html.twig @@ -63,19 +63,19 @@ {% set actions = {} %} - {% if acl.has_right('modifyrecord') %} + {% if acl.has_right(constant('\\ACL::CANMODIFRECORD')) %} {% set label %} {{ 'action : editer' | trans }} {% endset %} {% set actions = actions|merge( { 'edit' : {'icon': "/assets/common/images/icons/ppen_history.png", 'class':'TOOL_ppen_btn', 'label' : label} }) %} {% endif %} - {% if acl.has_right('changestatus') %} + {% if acl.has_right(constant('\\ACL::CHGSTATUS')) %} {% set label %} {{ 'action : status' | trans }} {% endset %} {% set actions = actions|merge( { 'status' : {'icon': "/assets/common/images/icons/chgstatus_history.png", 'class':'TOOL_chgstatus_btn', 'label' : label} }) %} {% endif %} - {% if acl.has_right('deleterecord') and acl.has_right('addrecord') %} + {% if acl.has_right(constant('\\ACL::CANDELETERECORD')) and acl.has_right(constant('\\ACL::CANADDRECORD')) %} {% set label %} {{ 'action : collection' | trans }} {% endset %} @@ -287,7 +287,7 @@ {% endif %} - {% if acl.has_right('doctools') %} + {% if acl.has_right(constant('\\ACL::IMGTOOLS')) %}
    {% endif %} - {% if acl.has_right('deleterecord') %} + {% if acl.has_right(constant('\\ACL::CANDELETERECORD')) %}