PHRAS-508_acl-cache

- wip

lib/Alchemy/Phrasea/Collection/CollectionService.php

@@ -269,23 +269,23 @@ class CollectionService
     public function grantAdminRights(CollectionReference $reference, User $user)
     {
         $rights = [
-            "canputinalbum"   => "1",
-            "candwnldhd"      => "1",
-            "nowatermark"     => "1",
-            "candwnldpreview" => "1",
-            "cancmd"          => "1",
-            "canadmin"        => "1",
-            "actif"           => "1",
-            "canreport"       => "1",
-            "canpush"         => "1",
-            "basusr_infousr"  => "",
-            "canaddrecord"    => "1",
-            "canmodifrecord"  => "1",
-            "candeleterecord" => "1",
-            "chgstatus"       => "1",
-            "imgtools"        => "1",
-            "manage"          => "1",
-            "modify_struct"   => "1"
+            \ACL::CANPUTINALBUM   => "1",
+            \ACL::CANDWNLDHD      => "1",
+            \ACL::NOWATERMARK     => "1",
+            \ACL::CANDWNLDPREVIEW => "1",
+            \ACL::CANCMD          => "1",
+            \ACL::CANADMIN        => "1",
+            \ACL::ACTIF           => "1",
+            \ACL::CANREPORT       => "1",
+            \ACL::CANPUSH         => "1",
+            "basusr_infousr"      => "",
+            \ACL::CANADDRECORD    => "1",
+            \ACL::CANMODIFRECORD  => "1",
+            \ACL::CANDELETERECORD => "1",
+            \ACL::CHGSTATUS       => "1",
+            \ACL::IMGTOOLS        => "1",
+            \ACL::MANAGE          => "1",
+            \ACL::MODIFY_STRUCT   => "1"
         ];
 
         $this->app->getAclForUser($user)->update_rights_to_base($reference->getBaseId(), $rights);
@@ -318,18 +318,28 @@ class CollectionService
             $userQuery = $factory();
 
             $result = $userQuery->on_base_ids([ $reference->getBaseId()] )
-                ->who_have_right(['order_master'])
+                ->who_have_right([\ACL::ORDER_MASTER])
                 ->execute()->get_results();
 
             /** @var ACLProvider $acl */
             $acl = $this->app['acl'];
 
             foreach ($result as $user) {
-                $acl->get($user)->update_rights_to_base($reference->getBaseId(), ['order_master' => false]);
+                $acl->get($user)->update_rights_to_base(
+                    $reference->getBaseId(),
+                    [
+                        \ACL::ORDER_MASTER => false
+                    ]
+                );
             }
 
             foreach ($admins as $admin) {
-                $acl->get($admin)->update_rights_to_base($reference->getBaseId(), ['order_master' => true]);
+                $acl->get($admin)->update_rights_to_base(
+                    $reference->getBaseId(),
+                    [
+                        \ACL::ORDER_MASTER => true
+                    ]
+                );
             }
 
             $conn->commit();

lib/Alchemy/Phrasea/Controller/Admin/CollectionController.php

@@ -46,10 +46,10 @@ class CollectionController extends Controller
 
         $admins = [];
 
-        if ($this->getAclForUser()->has_right_on_base($bas_id, 'manage')) {
+        if ($this->getAclForUser()->has_right_on_base($bas_id, \ACL::COLL_MANAGE)) {
             $query = $this->createUserQuery();
             $admins = $query->on_base_ids([$bas_id])
-                ->who_have_right(['order_master'])
+                ->who_have_right([\ACL::ORDER_MASTER])
                 ->execute()
                 ->get_results();
         }

lib/Alchemy/Phrasea/Controller/Admin/UserController.php

@@ -285,7 +285,7 @@ class UserController extends Controller
         $on_base = $request->request->get('base_id') ? : null;
         $on_sbas = $request->request->get('sbas_id') ? : null;
 
-        $eligible_users = $user_query->on_bases_where_i_am($this->getAclForConnectedUser(), ['canadmin'])
+        $eligible_users = $user_query->on_bases_where_i_am($this->getAclForConnectedUser(), [\ACL::CANADMIN])
             ->like($like_field, $like_value)
             ->on_base_ids($on_base)
             ->on_sbas_ids($on_sbas);
@@ -357,7 +357,7 @@ class UserController extends Controller
         $userRegistrations = [];
         /** @var RegistrationRepository $registrationRepository */
         $registrationRepository = $this->app['repo.registrations'];
-        $collections = $this->getAclForConnectedUser()->get_granted_base(['canadmin']);
+        $collections = $this->getAclForConnectedUser()->get_granted_base([\ACL::CANADMIN]);
         $authenticatedUserId = $authenticatedUser->getId();
         foreach ($registrationRepository->getPendingRegistrations($collections) as $registration) {
             $user = $registration->getUser();
@@ -689,7 +689,7 @@ class UserController extends Controller
             ]);
         }
 
-        $basList = array_keys($this->getAclForConnectedUser()->get_granted_base(['manage']));
+        $basList = array_keys($this->getAclForConnectedUser()->get_granted_base([\ACL::COLL_MANAGE]));
         /** @var NativeQueryProvider $query */
         $query = $this->app['orm.em.native-query'];
         $models = $query->getModelForUser($this->getAuthenticatedUser(), $basList);
@@ -832,7 +832,7 @@ class UserController extends Controller
 
                     $this->getAclForUser($newUser)->apply_model(
                         $userRepository->find($model),
-                        array_keys($this->getAclForConnectedUser()->get_granted_base(['manage']))
+                        array_keys($this->getAclForConnectedUser()->get_granted_base([\ACL::COLL_MANAGE]))
                     );
 
                     $nbCreation++;

lib/Alchemy/Phrasea/Controller/Api/V1Controller.php

@@ -485,7 +485,7 @@ class V1Controller extends Controller
     {
         $userQuery = new \User_Query($this->app);
         $orderMasters = $userQuery->on_base_ids([ $collection->get_base_id() ] )
-            ->who_have_right(['order_master'])
+            ->who_have_right([\ACL::ORDER_MASTER])
             ->execute()
             ->get_results()
             ->map(function (User $user) {
@@ -1034,7 +1034,7 @@ class V1Controller extends Controller
                 return null;
             }
             if ($media->get_name() === 'document'
-                && !$acl->has_right_on_base($record->getBaseId(), 'candwnldhd')
+                && !$acl->has_right_on_base($record->getBaseId(), \ACL::CANDWNLDHD)
                 && !$acl->has_hd_grant($record)
             ) {
                 return null;
@@ -2769,9 +2769,11 @@ class V1Controller extends Controller
         $user = $this->getApiAuthenticatedUser();
         $acl = $this->getAclForUser($user);
 
-        if (! $acl->has_access_to_module('admin') || ! $acl->has_right('manageusers')) {
+        if (! $acl->has_access_to_module('admin') || ! $acl->has_right(\ACL::CANADMIN)) {
             return Result::createError($request, 401, 'You are not authorized')->createResponse();
         }
+
+        return null;
     }
 
     public function ensureAccessToDatabox(Request $request)
@@ -2813,7 +2815,7 @@ class V1Controller extends Controller
     public function ensureCanModifyRecord(Request $request)
     {
         $user = $this->getApiAuthenticatedUser();
-        if (!$this->getAclForUser($user)->has_right('modifyrecord')) {
+        if (!$this->getAclForUser($user)->has_right(\ACL::CANMODIFRECORD)) {
             return Result::createError($request, 401, 'You are not authorized')->createResponse();
         }
 
@@ -2825,7 +2827,7 @@ class V1Controller extends Controller
         $user = $this->getApiAuthenticatedUser();
         $record = $this->findDataboxById($request->attributes->get('databox_id'))
             ->get_record($request->attributes->get('record_id'));
-        if (!$this->getAclForUser($user)->has_right_on_base($record->getBaseId(), 'chgstatus')) {
+        if (!$this->getAclForUser($user)->has_right_on_base($record->getBaseId(), \ACL::CHGSTATUS)) {
             return Result::createError($request, 401, 'You are not authorized')->createResponse();
         }
 
@@ -2849,9 +2851,9 @@ class V1Controller extends Controller
         $record = $this->findDataboxById($request->attributes->get('databox_id'))
             ->get_record($request->attributes->get('record_id'));
         // TODO: Check comparison. seems to be a mismatch
-        if ((!$this->getAclForUser($user)->has_right('addrecord')
-                && !$this->getAclForUser($user)->has_right('deleterecord'))
-            || !$this->getAclForUser($user)->has_right_on_base($record->getBaseId(), 'candeleterecord')
+        if ((!$this->getAclForUser($user)->has_right(\ACL::CANADDRECORD)
+                && !$this->getAclForUser($user)->has_right(\ACL::CANDELETERECORD))
+            || !$this->getAclForUser($user)->has_right_on_base($record->getBaseId(), \ACL::CANDELETERECORD)
         ) {
             return Result::createError($request, 401, 'You are not authorized')->createResponse();
         }
@@ -2865,7 +2867,7 @@ class V1Controller extends Controller
         $record = $this->findDataboxById($request->attributes->get('databox_id'))
             ->get_record($request->attributes->get('record_id'));
 
-        if (!$this->getAclForUser($user)->has_right_on_base($record->getBaseId(), 'candeleterecord')) {
+        if (!$this->getAclForUser($user)->has_right_on_base($record->getBaseId(), \ACL::CANDELETERECORD)) {
             return Result::createError($request, 401, 'You are not authorized')->createResponse();
         }
 

lib/Alchemy/Phrasea/Controller/Prod/EditController.php

@@ -38,7 +38,7 @@ class EditController extends Controller
             $this->app,
             $request,
             RecordsRequest::FLATTEN_YES_PRESERVE_STORIES,
-            ['canmodifrecord']
+            [\ACL::CANMODIFRECORD]
         );
 
         $thesaurus = false;
@@ -120,7 +120,7 @@ class EditController extends Controller
             }
 
             // generate javascript status
-            if ($this->getAclForUser()->has_right('changestatus')) {
+            if ($this->getAclForUser()->has_right(\ACL::CHGSTATUS)) {
                 $statusStructure = $databox->getStatusStructure();
                 foreach ($statusStructure as $statbit) {
                     $bit = $statbit['bit'];
@@ -156,7 +156,7 @@ class EditController extends Controller
                 ];
 
                 $elements[$indice]['statbits'] = [];
-                if ($this->getAclForUser()->has_right_on_base($record->getBaseId(), 'chgstatus')) {
+                if ($this->getAclForUser()->has_right_on_base($record->getBaseId(), \ACL::CHGSTATUS)) {
                     foreach ($status as $n => $s) {
                         $tmp_val = substr(strrev($record->getStatus()), $n, 1);
                         $elements[$indice]['statbits'][$n]['value'] = ($tmp_val == '1') ? '1' : '0';
@@ -273,7 +273,7 @@ class EditController extends Controller
 
     public function applyAction(Request $request) {
 
-        $records = RecordsRequest::fromRequest($this->app, $request, RecordsRequest::FLATTEN_YES_PRESERVE_STORIES, ['canmodifrecord']);
+        $records = RecordsRequest::fromRequest($this->app, $request, RecordsRequest::FLATTEN_YES_PRESERVE_STORIES, [\ACL::CANMODIFRECORD]);
 
         $databoxes = $records->databoxes();
         if (count($databoxes) !== 1) {

lib/Alchemy/Phrasea/Controller/Prod/PropertyController.php

@@ -28,7 +28,7 @@ class PropertyController extends Controller
             $this->app->abort(400);
         }
 
-        $records = RecordsRequest::fromRequest($this->app, $request, false, ['chgstatus']);
+        $records = RecordsRequest::fromRequest($this->app, $request, false, [\ACL::CHGSTATUS]);
 
         $databoxes = $records->databoxes();
         if (count($databoxes) > 1) {
@@ -81,7 +81,7 @@ class PropertyController extends Controller
             $this->app->abort(400);
         }
 
-        $records = RecordsRequest::fromRequest($this->app, $request, false, ['canmodifrecord']);
+        $records = RecordsRequest::fromRequest($this->app, $request, false, [\ACL::CANMODIFRECORD]);
 
         $recordsType = [];
 
@@ -115,7 +115,7 @@ class PropertyController extends Controller
     public function changeStatus(Request $request)
     {
         $applyStatusToChildren = $request->request->get('apply_to_children', []);
-        $records = RecordsRequest::fromRequest($this->app, $request, false, ['chgstatus']);
+        $records = RecordsRequest::fromRequest($this->app, $request, false, [\ACL::CHGSTATUS]);
         $updated = [];
         $postStatus = (array) $request->request->get('status');
 
@@ -149,7 +149,7 @@ class PropertyController extends Controller
     public function changeType(Request $request)
     {
         $typeLst = $request->request->get('types', []);
-        $records = RecordsRequest::fromRequest($this->app, $request, false, ['canmodifrecord']);
+        $records = RecordsRequest::fromRequest($this->app, $request, false, [\ACL::CANMODIFRECORD]);
         $mimeLst = $request->request->get('mimes', []);
         $forceType = $request->request->get('force_types', '');
         $updated = [];

lib/Alchemy/Phrasea/Controller/Prod/PushController.php

@@ -431,7 +431,7 @@ class PushController extends Controller
         $result = ['success' => false, 'message' => '', 'user'    => null];
 
         try {
-            if (!$this->getAclForUser($this->getAuthenticatedUser())->has_right('manageusers'))
+            if (!$this->getAclForUser($this->getAuthenticatedUser())->has_right(\ACL::CANADMIN))
                 throw new ControllerException($this->app->trans('You are not allowed to add users'));
 
             if (!$request->request->get('firstname'))

lib/Alchemy/Phrasea/Controller/Prod/RecordController.php

@@ -121,9 +121,11 @@ class RecordController extends Controller
     public function doDeleteRecords(Request $request)
     {
         $flatten = (bool)($request->request->get('del_children')) ? RecordsRequest::FLATTEN_YES_PRESERVE_STORIES : RecordsRequest::FLATTEN_NO;
-        $records = RecordsRequest::fromRequest($this->app, $request, $flatten, [
-            'candeleterecord'
-        ]);
+        $records = RecordsRequest::fromRequest(
+            $this->app,
+            $request,$flatten,
+            [\ACL::CANDELETERECORD]
+        );
 
         $basketElementsRepository = $this->getBasketElementRepository();
         $StoryWZRepository = $this->getStoryWorkZoneRepository();
@@ -166,9 +168,12 @@ class RecordController extends Controller
      */
     public function whatCanIDelete(Request $request)
     {
-        $records = RecordsRequest::fromRequest($this->app, $request, !!$request->request->get('del_children'), [
-            'candeleterecord',
-        ]);
+        $records = RecordsRequest::fromRequest(
+            $this->app,
+            $request,
+            !!$request->request->get('del_children'),
+            [\ACL::CANDELETERECORD]
+        );
 
         return $this->render('prod/actions/delete_records_confirm.html.twig', [
             'records'   => $records,

lib/Alchemy/Phrasea/Controller/Prod/StoryController.php

@@ -109,7 +109,7 @@ class StoryController extends Controller
     {
         $Story = new \record_adapter($this->app, $sbas_id, $record_id);
 
-        if (!$this->getAclForUser()->has_right_on_base($Story->getBaseId(), 'canmodifrecord')) {
+        if (!$this->getAclForUser()->has_right_on_base($Story->getBaseId(), \ACL::CANMODIFRECORD)) {
             throw new AccessDeniedHttpException('You can not add document to this Story');
         }
 
@@ -145,7 +145,7 @@ class StoryController extends Controller
         $story = new \record_adapter($this->app, $sbas_id, $record_id);
         $record = new \record_adapter($this->app, $child_sbas_id, $child_record_id);
 
-        if (!$this->getAclForUser()->has_right_on_base($story->getBaseId(), 'canmodifrecord')) {
+        if (!$this->getAclForUser()->has_right_on_base($story->getBaseId(), \ACL::CANMODIFRECORD)) {
             throw new AccessDeniedHttpException('You can not add document to this Story');
         }
 
@@ -188,7 +188,7 @@ class StoryController extends Controller
                 throw new \Exception('This is not a story');
             }
 
-            if (!$this->getAclForUser()->has_right_on_base($story->getBaseId(), 'canmodifrecord')) {
+            if (!$this->getAclForUser()->has_right_on_base($story->getBaseId(), \ACL::CANMODIFRECORD)) {
                 throw new ControllerException($this->app->trans('You can not edit this story'));
             }
 

lib/Alchemy/Phrasea/Controller/Prod/ToolsController.php

@@ -52,8 +52,8 @@ class ToolsController extends Controller
             $acl = $this->getAclForUser();
 
             if ($acl->has_right('bas_chupub')
-                && $acl->has_right_on_base($record->getBaseId(), 'canmodifrecord')
-                && $acl->has_right_on_base($record->getBaseId(), 'imgtools')
+                && $acl->has_right_on_base($record->getBaseId(), \ACL::CANMODIFRECORD)
+                && $acl->has_right_on_base($record->getBaseId(), \ACL::IMGTOOLS)
             ) {
                 $databoxSubdefs = $record->getDatabox()->get_subdef_structure()->getSubdefGroup($record->getType());
 
@@ -64,7 +64,7 @@ class ToolsController extends Controller
                     }
 
                     if ('document' == $subdefName) {
-                        if (!$acl->has_right_on_base($record->getBaseId(), 'candwnldhd')) {
+                        if (!$acl->has_right_on_base($record->getBaseId(), \ACL::CANDWNLDHD)) {
                             continue;
                         }
                         $label = $this->app->trans('prod::tools: document');
@@ -147,7 +147,7 @@ class ToolsController extends Controller
 
         $force = $request->request->get('force_substitution') == '1';
 
-        $selection = RecordsRequest::fromRequest($this->app, $request, false, array('canmodifrecord'));
+        $selection = RecordsRequest::fromRequest($this->app, $request, false, [\ACL::CANMODIFRECORD]);
 
         foreach ($selection as $record) {
             $substituted = false;
@@ -341,9 +341,9 @@ class ToolsController extends Controller
 
         $acl = $this->getAclForUser();
         if (!$acl->has_right('bas_chupub')
-            || !$acl->has_right_on_base($record->getBaseId(), 'canmodifrecord')
-            || !$acl->has_right_on_base($record->getBaseId(), 'imgtools')
-            || ('document' == $subdefName && !$acl->has_right_on_base($record->getBaseId(), 'candwnldhd'))
+            || !$acl->has_right_on_base($record->getBaseId(), \ACL::CANMODIFRECORD)
+            || !$acl->has_right_on_base($record->getBaseId(), \ACL::IMGTOOLS)
+            || ('document' == $subdefName && !$acl->has_right_on_base($record->getBaseId(), \ACL::CANDWNLDHD))
             || ('document' != $subdefName && !$acl->has_access_to_subdef($record, $subdefName))
         ) {
             $this->app->abort(403);

lib/Alchemy/Phrasea/ControllerProvider/Admin/Collection.php

@@ -45,7 +45,7 @@ class Collection implements ControllerProviderInterface, ServiceProviderInterfac
         $controllers->before(function (Request $request) use ($firewall) {
             $firewall
                 ->requireAccessToModule('admin')
-                ->requireRightOnBase($request->attributes->get('bas_id'), 'canadmin');
+                ->requireRightOnBase($request->attributes->get('bas_id'), \ACL::CANADMIN);
         });
 
         $controllers->get('/{bas_id}/', 'controller.admin.collection:getCollection')

lib/Alchemy/Phrasea/ControllerProvider/Admin/Users.php

@@ -43,7 +43,7 @@ class Users implements ControllerProviderInterface, ServiceProviderInterface
 
         $controllers->before(function () use ($firewall) {
             $firewall->requireAccessToModule('admin')
-                ->requireRight('manageusers');
+                ->requireRight(\ACL::CANADMIN);
         });
 
         $controllers->match('/rights/', 'controller.admin.users:editRightsAction')

lib/Alchemy/Phrasea/ControllerProvider/Prod/Edit.php

@@ -47,7 +47,7 @@ class Edit implements ControllerProviderInterface, ServiceProviderInterface
         $controllers->before(function () use ($firewall) {
             $firewall
                 ->requireNotGuest()
-                ->requireRight('modifyrecord');
+                ->requireRight(\ACL::CANMODIFRECORD);
         });
 
         $controllers->post('/', 'controller.prod.edit:submitAction');

lib/Alchemy/Phrasea/ControllerProvider/Prod/Lazaret.php

@@ -53,7 +53,7 @@ class Lazaret implements ControllerProviderInterface, ServiceProviderInterface
         $firewall = $this->getFirewall($app);
 
         $controllers->before(function () use ($firewall) {
-            $firewall->requireRight('addrecord');
+            $firewall->requireRight(\ACL::CANADDRECORD);
         });
 
         $controllers->get('/', 'controller.prod.lazaret:listElement')

lib/Alchemy/Phrasea/ControllerProvider/Prod/MoveCollection.php

@@ -41,8 +41,8 @@ class MoveCollection implements ControllerProviderInterface, ServiceProviderInte
 
         $controllers->before(function () use ($firewall) {
             $firewall
-                ->requireRight('addrecord')
-                ->requireRight('deleterecord');
+                ->requireRight(\ACL::CANADDRECORD)
+                ->requireRight(\ACL::CANDELETERECORD);
         });
 
         $controllers->post('/', 'controller.prod.move-collection:displayForm')

lib/Alchemy/Phrasea/ControllerProvider/Prod/Tools.php

@@ -46,7 +46,7 @@ class Tools implements ControllerProviderInterface, ServiceProviderInterface
         $firewall = $this->getFirewall($app);
 
         $controllers->before(function () use ($firewall) {
-            $firewall->requireRight('doctools');
+            $firewall->requireRight(\ACL::IMGTOOLS);
         });
 
         $controllers->get('/', 'controller.prod.tools:indexAction');

lib/Alchemy/Phrasea/ControllerProvider/Prod/Upload.php

@@ -55,7 +55,7 @@ class Upload implements ControllerProviderInterface, ServiceProviderInterface
         $firewall = $this->getFirewall($app);
 
         $controllers->before(function () use ($firewall) {
-            $firewall->requireRight('addrecord');
+            $firewall->requireRight(\ACL::CANADDRECORD);
         });
 
         $controllers->get('/', 'controller.prod.upload:getUploadForm')

lib/Alchemy/Phrasea/Core/Event/Subscriber/OrderSubscriber.php

@@ -48,7 +48,7 @@ class OrderSubscriber extends AbstractNotificationSubscriber
         $query = $this->app['phraseanet.user-query'];
         /** @var User[] $users */
         $users = $query->on_base_ids($base_ids)
-            ->who_have_right(['order_master'])
+            ->who_have_right([\ACL::ORDER_MASTER])
             ->execute()->get_results();
 
         if (count($users) == 0) {

lib/Alchemy/Phrasea/Helper/User/Edit.php

@@ -71,7 +71,7 @@ class Edit extends \Alchemy\Phrasea\Helper\Helper
 
     protected function delete_user(User $user)
     {
-        $list = array_keys($this->app->getAclForUser($this->app->getAuthenticatedUser())->get_granted_base(['canadmin']));
+        $list = array_keys($this->app->getAclForUser($this->app->getAuthenticatedUser())->get_granted_base([\ACL::CANADMIN]));
 
         $this->app->getAclForUser($user)->revoke_access_from_bases($list);
 
@@ -84,7 +84,7 @@ class Edit extends \Alchemy\Phrasea\Helper\Helper
 
     public function get_users_rights()
     {
-        $list = array_keys($this->app->getAclForUser($this->app->getAuthenticatedUser())->get_granted_base(['canadmin']));
+        $list = array_keys($this->app->getAclForUser($this->app->getAuthenticatedUser())->get_granted_base([\ACL::CANADMIN]));
 
         $sql = "SELECT
             b.sbas_id,
@@ -477,29 +477,29 @@ class Edit extends \Alchemy\Phrasea\Helper\Helper
     public function apply_rights()
     {
         $ACL = $this->app->getAclForUser($this->app->getAuthenticatedUser());
-        $base_ids = array_keys($ACL->get_granted_base(['canadmin']));
+        $base_ids = array_keys($ACL->get_granted_base([\ACL::CANADMIN]));
 
         $update = $create = $delete = $create_sbas = $update_sbas = [];
 
         foreach ($base_ids as $base_id) {
             $rights = [
                 'access',
-                'actif',
-                'canputinalbum',
-                'nowatermark',
-                'candwnldpreview',
-                'candwnldhd',
-                'cancmd',
-                'canaddrecord',
-                'canmodifrecord',
-                'chgstatus',
-                'candeleterecord',
-                'imgtools',
-                'canadmin',
-                'canreport',
-                'canpush',
-                'manage',
-                'modify_struct'
+                \ACL::ACTIF,
+                \ACL::CANPUTINALBUM,
+                \ACL::NOWATERMARK,
+                \ACL::CANDWNLDPREVIEW,
+                \ACL::CANDWNLDHD,
+                \ACL::CANCMD,
+                \ACL::CANADDRECORD,
+                \ACL::CANMODIFRECORD,
+                \ACL::CHGSTATUS,
+                \ACL::CANDELETERECORD,
+                \ACL::IMGTOOLS,
+                \ACL::CANADMIN,
+                \ACL::CANREPORT,
+                \ACL::CANPUSH,
+                \ACL::MANAGE,
+                \ACL::MODIFY_STRUCT
             ];
             foreach ($rights as $k => $right) {
                 if (($right == 'access' && !$ACL->has_access_to_base($base_id))
@@ -688,7 +688,7 @@ class Edit extends \Alchemy\Phrasea\Helper\Helper
             throw new AccessDeniedHttpException('You are not the owner of the template');
         }
 
-        $base_ids = array_keys($this->app->getAclForUser($this->app->getAuthenticatedUser())->get_granted_base(['canadmin']));
+        $base_ids = array_keys($this->app->getAclForUser($this->app->getAuthenticatedUser())->get_granted_base([\ACL::CANADMIN]));
 
         foreach ($this->users as $usr_id) {
             $user = $this->app['repo.users']->find($usr_id);
@@ -744,7 +744,7 @@ class Edit extends \Alchemy\Phrasea\Helper\Helper
 
         $activate = !!$this->request->get('limit');
 
-        $base_ids = array_keys($this->app->getAclForUser($this->app->getAuthenticatedUser())->get_granted_base(['canadmin']));
+        $base_ids = array_keys($this->app->getAclForUser($this->app->getAuthenticatedUser())->get_granted_base([\ACL::CANADMIN]));
 
         foreach ($this->users as $usr_id) {
             $user = $this->app['repo.users']->find($usr_id);
@@ -763,7 +763,7 @@ class Edit extends \Alchemy\Phrasea\Helper\Helper
 
     public function resetRights()
     {
-        $base_ids = array_keys($this->app->getAclForUser($this->app->getAuthenticatedUser())->get_granted_base(['canadmin']));
+        $base_ids = array_keys($this->app->getAclForUser($this->app->getAuthenticatedUser())->get_granted_base([\ACL::CANADMIN]));
 
         foreach ($this->users as $usr_id) {
             $user = $this->app['repo.users']->find($usr_id);

lib/Alchemy/Phrasea/Helper/User/Manage.php

@@ -71,7 +71,7 @@ class Manage extends Helper
             ->last_model_is($this->query_parms['last_model'])
             ->get_inactives($this->query_parms['inactives'])
             ->include_templates(false)
-            ->on_bases_where_i_am($this->app->getAclForUser($this->app->getAuthenticatedUser()), ['canadmin'])
+            ->on_bases_where_i_am($this->app->getAclForUser($this->app->getAuthenticatedUser()), [\ACL::CANADMIN])
             ->execute();
 
         return $results->get_results();
@@ -109,7 +109,7 @@ class Manage extends Helper
             ->last_model_is($this->query_parms['last_model'])
             ->get_inactives($this->query_parms['inactives'])
             ->include_templates(true)
-            ->on_bases_where_i_am($this->app->getAclForUser($this->app->getAuthenticatedUser()), ['canadmin'])
+            ->on_bases_where_i_am($this->app->getAclForUser($this->app->getAuthenticatedUser()), [\ACL::CANADMIN])
             ->limit($offset_start, $results_quantity)
             ->execute();
 

lib/Alchemy/Phrasea/Model/Manipulator/ACLManipulator.php

@@ -101,23 +101,23 @@ class ACLManipulator implements ManipulatorInterface
         $acl->remove_quotas_on_base($baseId);
         $acl->set_masks_on_base($baseId, '0', '0', '0', '0');
         $acl->update_rights_to_base($baseId, [
-            'canputinalbum'     => '1',
-            'candwnldhd'        => '1',
+            \ACL::CANPUTINALBUM     => '1',
+            \ACL::CANDWNLDHD        => '1',
             'candwnldsubdef'    => '1',
-            'nowatermark'       => '1',
-            'candwnldpreview'   => '1',
-            'cancmd'            => '1',
-            'canadmin'          => '1',
-            'canreport'         => '1',
-            'canpush'           => '1',
+            \ACL::NOWATERMARK       => '1',
+            \ACL::CANDWNLDPREVIEW   => '1',
+            \ACL::CANCMD            => '1',
+            \ACL::CANADMIN          => '1',
+            \ACL::CANREPORT         => '1',
+            \ACL::CANPUSH           => '1',
             'creationdate'      => '1',
-            'canaddrecord'      => '1',
-            'canmodifrecord'    => '1',
-            'candeleterecord'   => '1',
-            'chgstatus'         => '1',
-            'imgtools'          => '1',
-            'manage'            => '1',
-            'modify_struct'     => '1',
+            \ACL::CANADDRECORD      => '1',
+            \ACL::CANMODIFRECORD    => '1',
+            \ACL::CANDELETERECORD   => '1',
+            \ACL::CHGSTATUS         => '1',
+            \ACL::IMGTOOLS          => '1',
+            \ACL::MANAGE            => '1',
+            \ACL::MODIFY_STRUCT     => '1',
             'bas_modify_struct' => '1'
         ]);
     }

lib/Alchemy/Phrasea/Model/Manipulator/RegistrationManipulator.php

@@ -82,11 +82,11 @@ class RegistrationManipulator implements ManipulatorInterface
         $this->aclProvider->get($user)->give_access_to_sbas([$collection->get_sbas_id()]);
         $this->aclProvider->get($user)->give_access_to_base([$collection->get_base_id()]);
         $this->aclProvider->get($user)->update_rights_to_base($collection->get_base_id(), [
-            'canputinalbum'   => '1',
-            'candwnldhd'      => (string) (int) $grantHd,
-            'nowatermark'     => (string) (int) $grantWatermark,
-            'candwnldpreview' => '1',
-            'actif'           => '1',
+            \ACL::CANPUTINALBUM   => '1',
+            \ACL::CANDWNLDHD      => (string) (int) $grantHd,
+            \ACL::NOWATERMARK     => (string) (int) $grantWatermark,
+            \ACL::CANDWNLDPREVIEW => '1',
+            \ACL::ACTIF           => '1'
         ]);
         $this->em->remove($registration);
         $this->em->flush();

lib/Alchemy/Phrasea/Model/NativeQueryProvider.php

@@ -32,16 +32,13 @@ class NativeQueryProvider
 
         $selectClause = $rsm->generateSelectClause();
 
-        return $this->em->createNativeQuery("
-            SELECT d.date_modif AS date_demand, d.base_id AS base_demand, " . $selectClause . "
-            FROM (demand d INNER JOIN Users u ON d.usr_id=u.id
-            AND d.en_cours=1
-            AND u.deleted=0
-            )
-            WHERE (base_id='" . implode("' OR base_id='", $basList) . "')
-            ORDER BY d.usr_id DESC, d.base_id ASC
-            ", $rsm)
-        ->getResult();
+        return $this->em->createNativeQuery(
+            "SELECT d.date_modif AS date_demand, d.base_id AS base_demand, " . $selectClause . "\n"
+            . " FROM (demand d INNER JOIN Users u ON d.usr_id=u.id AND d.en_cours=1 AND u.deleted=0)\n"
+            . " WHERE (base_id='" . implode("' OR base_id='", $basList) . "')\n"
+            . " ORDER BY d.usr_id DESC, d.base_id ASC",
+            $rsm
+        )->getResult();
     }
 
     public function getModelForUser(User $user, array $basList)
@@ -51,14 +48,14 @@ class NativeQueryProvider
 
         $selectClause = $rsm->generateSelectClause();
 
-        $query = $this->em->createNativeQuery("
-                SELECT " . $selectClause . "
-                FROM Users u
-                    INNER JOIN basusr b ON (b.usr_id=u.id)
-                WHERE u.model_of = :user_id
-                  AND b.base_id IN (" . implode(', ', $basList) . ")
-                  AND u.deleted='0'
-                GROUP BY u.id", $rsm);
+        $query = $this->em->createNativeQuery(
+            "SELECT " . $selectClause . " FROM Users u INNER JOIN basusr b ON (b.usr_id=u.id)\n"
+            . " WHERE u.model_of = :user_id\n"
+            . "  AND b.base_id IN (" . implode(', ', $basList) . ")\n"
+            . "  AND u.deleted='0'\n"
+            . " GROUP BY u.id",
+            $rsm
+        );
 
         $query->setParameter(':user_id', $user->getId());
 
@@ -72,14 +69,15 @@ class NativeQueryProvider
         $rsm->addScalarResult('base_id', 'base_id');
         $selectClause = $rsm->generateSelectClause();
 
-        $query = $this->em->createNativeQuery('
-            SELECT b.base_id, '.$selectClause.' FROM Users u, basusr b
-            WHERE u.id = b.usr_id
-                AND b.base_id IN (' . implode(', ', $basList) . ')
-                AND u.model_of IS NULL
-                AND b.actif="1"
-                AND b.canadmin="1"
-                AND u.deleted="0"', $rsm
+        $query = $this->em->createNativeQuery(
+            "SELECT b.base_id, ".$selectClause." FROM Users u, basusr b\n"
+            . " WHERE u.id = b.usr_id\n"
+            . "  AND b.base_id IN (" . implode(', ', $basList) . ")\n"
+            . "  AND u.model_of IS NULL\n"
+            . "  AND b.actif=1\n"
+            . "  AND b.canadmin=1\n"
+            . "  AND u.deleted=0",
+            $rsm
         );
 
         return $query->getResult();

lib/Alchemy/Phrasea/Order/Controller/ProdOrderController.php

@@ -109,7 +109,7 @@ class ProdOrderController extends BaseOrderController
 
         $sort = $request->query->get('sort');
 
-        $baseIds = array_keys($this->getAclForUser()->get_granted_base(['order_master']));
+        $baseIds = array_keys($this->getAclForUser()->get_granted_base([\ACL::ORDER_MASTER]));
 
         $ordersList = $this->getOrderRepository()->listOrders($baseIds, $offsetStart, $perPage, $sort);
         $total = $this->getOrderRepository()->countTotalOrders($baseIds);

lib/Alchemy/Phrasea/Order/OrderValidator.php

@@ -114,7 +114,7 @@ class OrderValidator
                 $element->getRecordId()
             );
 
-            $acl->grant_hd_on($recordReference, $user, 'order');
+            $acl->grant_hd_on($recordReference, $user, \ACL::GRANT_ACTION_ORDER);
         }
     }
 

lib/Alchemy/Phrasea/Search/SubdefTransformer.php

@@ -53,7 +53,7 @@ class SubdefTransformer extends TransformerAbstract
             return null;
         }
         if ($media->get_name() === 'document'
-            && !$acl->has_right_on_base($record->getBaseId(), 'candwnldhd')
+            && !$acl->has_right_on_base($record->getBaseId(), \ACL::CANDWNLDHD)
             && !$acl->has_hd_grant($record)
         ) {
             return null;

lib/Alchemy/Phrasea/SearchEngine/SearchEngineOptions.php

@@ -639,9 +639,9 @@ class SearchEngineOptions
 
         $options->onCollections($bas);
 
-        if ($isAuthenticated && $acl->has_right('modifyrecord')) {
+        if ($isAuthenticated && $acl->has_right(\ACL::CANMODIFRECORD)) {
             $bf = array_filter($bas, function (\collection $collection) use ($acl) {
-                return $acl->has_right_on_base($collection->get_base_id(), 'canmodifrecord');
+                return $acl->has_right_on_base($collection->get_base_id(), \ACL::CANMODIFRECORD);
             });
 
             $options->allowBusinessFieldsOn($bf);

lib/Alchemy/Phrasea/Security/Firewall.php

@@ -146,7 +146,7 @@ class Firewall
 
     public function requireOrdersAdmin()
     {
-        if (empty($this->app->getAclForUser($this->app->getAuthenticatedUser())->get_granted_base(['order_master']))) {
+        if (empty($this->app->getAclForUser($this->app->getAuthenticatedUser())->get_granted_base([\ACL::ORDER_MASTER]))) {
             $this->app->abort(403, 'You are not an order admin');
         }
 

lib/Alchemy/Phrasea/Setup/Installer.php

@@ -60,8 +60,10 @@ class Installer
             ->give_access_to_sbas([$databox->get_sbas_id()])
             ->update_rights_to_sbas(
                 $databox->get_sbas_id(), [
-                    'bas_manage'        => 1, 'bas_modify_struct' => 1,
-                    'bas_modif_th'      => 1, 'bas_chupub'        => 1
+                    'bas_manage'        => 1,
+                    'bas_modify_struct' => 1,
+                    'bas_modif_th'      => 1,
+                    'bas_chupub'        => 1
                 ]
         );
 
@@ -69,11 +71,22 @@ class Installer
 
         $this->app->getAclForUser($admin)->give_access_to_base([$collection->get_base_id()]);
         $this->app->getAclForUser($admin)->update_rights_to_base($collection->get_base_id(), [
-            'canpush'           => 1, 'cancmd'          => 1
-            , 'canputinalbum'   => 1, 'candwnldhd'      => 1, 'candwnldpreview' => 1, 'canadmin'        => 1
-            , 'actif'           => 1, 'canreport'       => 1, 'canaddrecord'    => 1, 'canmodifrecord'  => 1
-            , 'candeleterecord' => 1, 'chgstatus'       => 1, 'imgtools'        => 1, 'manage'          => 1
-            , 'modify_struct'   => 1, 'nowatermark'     => 1
+                \ACL::CANPUSH         => 1,
+                \ACL::CANCMD          => 1,
+                \ACL::CANPUTINALBUM   => 1,
+                \ACL::CANDWNLDHD      => 1,
+                \ACL::CANDWNLDPREVIEW => 1,
+                \ACL::CANADMIN        => 1,
+                \ACL::ACTIF           => 1,
+                \ACL::CANREPORT       => 1,
+                \ACL::CANADDRECORD    => 1,
+                \ACL::CANMODIFRECORD  => 1,
+                \ACL::CANDELETERECORD => 1,
+                \ACL::CHGSTATUS       => 1,
+                \ACL::IMGTOOLS        => 1,
+                \ACL::MANAGE          => 1,
+                \ACL::MODIFY_STRUCT   => 1,
+                \ACL::NOWATERMARK     => 1
             ]
         );
 

lib/Alchemy/Phrasea/Twig/PhraseanetExtension.php

@@ -133,7 +133,7 @@ class PhraseanetExtension extends \Twig_Extension
 
         $structure = $databox->getStatusStructure()->toArray();
 
-        if (!$this->isGrantedOnCollection($record->getBaseId(), 'chgstatus')) {
+        if (!$this->isGrantedOnCollection($record->getBaseId(), \ACL::CHGSTATUS)) {
             $structure = array_filter($structure, function($status) {
                 return  (bool) $status['printable'];
             });

lib/Alchemy/Phrasea/Vocabulary/ControlProvider/UserProvider.php

@@ -56,7 +56,7 @@ class UserProvider implements ControlProviderInterface
                 ->like(\User_Query::LIKE_LOGIN, $query)
                 ->like_match(\User_Query::LIKE_MATCH_OR)
                 ->include_phantoms(true)
-                ->on_bases_where_i_am($this->app->getAclForUser($for_user), ['canadmin'])
+                ->on_bases_where_i_am($this->app->getAclForUser($for_user), [\ACL::CANADMIN])
                 ->limit(0, 50)
                 ->execute()->get_results();
 

lib/classes/ACL.php

@@ -32,25 +32,42 @@ use Doctrine\DBAL\DBALException;
 
 class ACL implements cache_cacheableInterface
 {
+    const ACTIF = 'actif';
+    const CANADDRECORD = 'canaddrecord';
+    const CANADMIN = 'canadmin';
+    const CANCMD = 'cancmd';
+    const CANDELETERECORD = 'candeleterecord';
+    const CANDWNLDHD = 'candwnldhd';
+    const CANDWNLDPREVIEW = 'candwnldpreview';
+    const CANMODIFRECORD = 'canmodifrecord';
+    const CANPUSH = 'canpush';
+    const CANPUTINALBUM = 'canputinalbum';
+    const CANREPORT = 'canreport';
+    const CHGSTATUS = 'chgstatus';
+    const IMGTOOLS = 'imgtools';
+    const COLL_MANAGE = 'manage';
+    const COLL_MODIFY_STRUCT = 'modify_struct';
+    const NOWATERMARK = 'nowatermark';
+    const ORDER_MASTER = 'order_master';
 
     protected static $bas_rights = [
         'actif',
         'canaddrecord',
-        'canadmin',
+        self::CANADMIN,
         'cancmd',
-        'candeleterecord',
-        'candwnldhd',
-        'candwnldpreview',
-        'canmodifrecord',
+        self::CANDELETERECORD,
+        self::CANDWNLDHD,
+        self::CANDWNLDPREVIEW,
+        self::CANMODIFRECORD,
         'canpush',
-        'canputinalbum',
+        self::CANPUTINALBUM,
         'canreport',
-        'chgstatus',
-        'imgtools',
-        'manage',
-        'modify_struct',
+        self::CHGSTATUS,
+        self::IMGTOOLS,
+        self::COLL_MANAGE,
+        self::COLL_MODIFY_STRUCT,
         'nowatermark',
-        'order_master',
+        self::ORDER_MASTER,
     ];
 
     /**
@@ -89,23 +106,23 @@ class ACL implements cache_cacheableInterface
     protected $is_admin;
 
     protected $_global_rights = [
-        'addrecord'          => false,
-        'addtoalbum'         => false,
+        self::CANADDRECORD          => false,
+        self::CANPUTINALBUM         => false,
         'bas_chupub'         => false,
         'bas_manage'         => false,
         'bas_modif_th'       => false,
         'bas_modify_struct'  => false,
-        'candwnldhd'         => true,
+        self::CANDWNLDHD         => true,
         'candwnldpreview'    => true,
-        'changestatus'       => false,
-        'coll_manage'        => false,
-        'coll_modify_struct' => false,
-        'deleterecord'       => false,
-        'doctools'           => false,
-        'manageusers'        => false,
-        'modifyrecord'       => false,
+        self::CHGSTATUS       => false,
+        self::COLL_MANAGE        => false,
+        self::COLL_MODIFY_STRUCT => false,
+        self::CANDELETERECORD       => false,
+        self::IMGTOOLS           => false,
+        self::CANADMIN        => false,
+        self::CANMODIFRECORD       => false,
         'order'              => false,
-        'order_master'       => false,
+        self::ORDER_MASTER       => false,
         'push'               => false,
         'report'             => false,
         'taskmanager'        => false,
@@ -124,6 +141,7 @@ class ACL implements cache_cacheableInterface
     const CACHE_GLOBAL_RIGHTS = 'global_rights';
     const GRANT_ACTION_PUSH = 'push';
     const GRANT_ACTION_VALIDATE = 'validate';
+    const GRANT_ACTION_ORDER = 'order';
 
     /**
      * Constructor
@@ -179,17 +197,16 @@ class ACL implements cache_cacheableInterface
 
     public function grant_hd_on(RecordReferenceInterface $record, User $pusher, $action)
     {
-        $sql = 'REPLACE INTO records_rights
-            (id, usr_id, sbas_id, record_id, document, `case`, pusher_usr_id)
-            VALUES
-            (null, :usr_id, :sbas_id, :record_id, 1, :case, :pusher)';
+        $sql = "REPLACE INTO records_rights\n"
+            . "(id, usr_id, sbas_id, record_id, document, `case`, pusher_usr_id)\n"
+            . "VALUES (null, :usr_id, :sbas_id, :record_id, 1, :case, :pusher)";
 
         $params = [
-            ':usr_id'    => $this->user->getId()
-            , ':sbas_id'   => $record->getDataboxId()
-            , ':record_id' => $record->getRecordId()
-            , ':case'      => $action
-            , ':pusher'    => $pusher->getId()
+            ':usr_id'    => $this->user->getId(),
+            ':sbas_id'   => $record->getDataboxId(),
+            ':record_id' => $record->getRecordId(),
+            ':case'      => $action,
+            ':pusher'    => $pusher->getId()
         ];
 
         $stmt = $this->app->getApplicationBox()->get_connection()->prepare($sql);
@@ -203,10 +220,10 @@ class ACL implements cache_cacheableInterface
 
     public function grant_preview_on(RecordReferenceInterface $record, User $pusher, $action)
     {
-        $sql = 'REPLACE INTO records_rights
-            (id, usr_id, sbas_id, record_id, preview, `case`, pusher_usr_id)
-            VALUES
-            (null, :usr_id, :sbas_id, :record_id, 1, :case, :pusher)';
+        $sql = "REPLACE INTO records_rights\n"
+            . " (id, usr_id, sbas_id, record_id, preview, `case`, pusher_usr_id)\n"
+            . " VALUES\n"
+            . " (null, :usr_id, :sbas_id, :record_id, 1, :case, :pusher)";
 
         $params = [
             ':usr_id'    => $this->user->getId()
@@ -279,11 +296,11 @@ class ACL implements cache_cacheableInterface
 
         if ($subdef_class == databox_subdef::CLASS_THUMBNAIL) {
             $granted = true;
-        } elseif ($subdef_class == databox_subdef::CLASS_PREVIEW && $this->has_right_on_base($record->getBaseId(), 'candwnldpreview')) {
+        } elseif ($subdef_class == databox_subdef::CLASS_PREVIEW && $this->has_right_on_base($record->getBaseId(), self::CANDWNLDPREVIEW)) {
             $granted = true;
         } elseif ($subdef_class == databox_subdef::CLASS_PREVIEW && $this->has_preview_grant($record)) {
             $granted = true;
-        } elseif ($subdef_class == databox_subdef::CLASS_DOCUMENT && $this->has_right_on_base($record->getBaseId(), 'candwnldhd')) {
+        } elseif ($subdef_class == databox_subdef::CLASS_DOCUMENT && $this->has_right_on_base($record->getBaseId(), self::CANDWNLDHD)) {
             $granted = true;
         } elseif ($subdef_class == databox_subdef::CLASS_DOCUMENT && $this->has_hd_grant($record)) {
             $granted = true;
@@ -448,10 +465,10 @@ class ACL implements cache_cacheableInterface
     }
 
     /**
-     *
-     * @param  int     $base_id
-     * @param  string  $right
-     * @return boolean
+     * @param $base_id
+     * @param $right
+     * @return bool
+     * @throws Exception
      */
     public function has_right_on_base($base_id, $right)
     {
@@ -472,9 +489,8 @@ class ACL implements cache_cacheableInterface
     }
 
     /**
-     *
-     * @param  <type> $option
-     * @return <type>
+     * @param string|null $option
+     * @return string
      */
     public function get_cache_key($option = null)
     {
@@ -482,9 +498,7 @@ class ACL implements cache_cacheableInterface
     }
 
     /**
-     *
-     * @param  <type> $option
-     * @return <type>
+     * @param string|null $option
      */
     public function delete_data_from_cache($option = null)
     {
@@ -508,13 +522,12 @@ class ACL implements cache_cacheableInterface
                 break;
         }
 
-        return $this->app->getApplicationBox()->delete_data_from_cache($this->get_cache_key($option));
+        $this->app->getApplicationBox()->delete_data_from_cache($this->get_cache_key($option));
     }
 
     /**
-     *
-     * @param  <type> $option
-     * @return <type>
+     * @param  string|null $option
+     * @return array
      */
     public function get_data_from_cache($option = null)
     {
@@ -522,11 +535,10 @@ class ACL implements cache_cacheableInterface
     }
 
     /**
-     *
-     * @param  <type> $value
-     * @param  <type> $option
-     * @param  <type> $duration
-     * @return <type>
+     * @param $value
+     * @param string|null $option
+     * @param int $duration
+     * @return bool
      */
     public function set_data_to_cache($value, $option = null, $duration = 0)
     {
@@ -824,8 +836,7 @@ class ACL implements cache_cacheableInterface
         } catch (\Exception $e) {
 
         }
-        $sql = 'SELECT sbas_id, record_id, preview, document
-            FROM records_rights WHERE usr_id = :usr_id';
+        $sql = "SELECT sbas_id, record_id, preview, document FROM records_rights WHERE usr_id = :usr_id";
 
         $stmt = $this->app->getApplicationBox()->get_connection()->prepare($sql);
         $stmt->execute([':usr_id' => $this->user->getId()]);
@@ -844,8 +855,8 @@ class ACL implements cache_cacheableInterface
         }
 
         $datas = [
-            'preview'  => $this->_rights_records_preview
-            , 'document' => $this->_rights_records_document
+            'preview'  => $this->_rights_records_preview,
+            'document' => $this->_rights_records_document
         ];
 
         $this->set_data_to_cache($datas, self::CACHE_RIGHTS_RECORDS);
@@ -883,9 +894,7 @@ class ACL implements cache_cacheableInterface
 
         }
 
-        $sql = 'SELECT sbasusr.* FROM sbasusr, sbas
-            WHERE usr_id= :usr_id
-              AND sbas.sbas_id = sbasusr.sbas_id';
+        $sql = "SELECT sbasusr.* FROM sbasusr INNER JOIN sbas USING(sbas_id) WHERE usr_id= :usr_id";
 
         $stmt = $this->app->getApplicationBox()->get_connection()->prepare($sql);
         $stmt->execute([':usr_id' => $this->user->getId()]);
@@ -900,20 +909,12 @@ class ACL implements cache_cacheableInterface
         $this->_global_rights['bas_chupub'] = false;
 
         foreach ($rs as $row) {
-
-            if ($row['bas_modif_th'] == '1')
-                $this->_global_rights['bas_modif_th'] = true;
-            if ($row['bas_modify_struct'] == '1')
-                $this->_global_rights['bas_modify_struct'] = true;
-            if ($row['bas_manage'] == '1')
-                $this->_global_rights['bas_manage'] = true;
-            if ($row['bas_chupub'] == '1')
-                $this->_global_rights['bas_chupub'] = true;
-
-            $this->_rights_sbas[$row['sbas_id']]['bas_modify_struct'] = ($row['bas_modify_struct'] == '1');
-            $this->_rights_sbas[$row['sbas_id']]['bas_manage'] = ($row['bas_manage'] == '1');
-            $this->_rights_sbas[$row['sbas_id']]['bas_chupub'] = ($row['bas_chupub'] == '1');
-            $this->_rights_sbas[$row['sbas_id']]['bas_modif_th'] = ($row['bas_modif_th'] == '1');
+            $sbid = $row['sbas_id'];
+            $this->_rights_sbas[$sbid] = [];
+            $this->_global_rights['bas_modif_th']      |= ($this->_rights_sbas[$sbid]['bas_modif_th']      = ($row['bas_modif_th'] == '1'));
+            $this->_global_rights['bas_modify_struct'] |= ($this->_rights_sbas[$sbid]['bas_modify_struct'] = ($row['bas_modify_struct'] == '1'));
+            $this->_global_rights['bas_manage']        |= ($this->_rights_sbas[$sbid]['bas_manage']        = ($row['bas_manage'] == '1'));
+            $this->_global_rights['bas_chupub']        |= ($this->_rights_sbas[$sbid]['bas_chupub']        = ($row['bas_chupub'] == '1'));
         }
         $this->set_data_to_cache($this->_rights_sbas, self::CACHE_RIGHTS_SBAS);
         $this->set_data_to_cache($this->_global_rights, self::CACHE_GLOBAL_RIGHTS);
@@ -956,9 +957,9 @@ class ACL implements cache_cacheableInterface
         }
 
         $sql = "SELECT  u.* FROM basusr u, bas b, sbas s\n"
-            . "WHERE usr_id= :usr_id\n"
-            . "AND b.base_id = u.base_id\n"
-            . "AND s.sbas_id = b.sbas_id";
+            . " WHERE usr_id= :usr_id\n"
+            . " AND b.base_id = u.base_id\n"
+            . " AND s.sbas_id = b.sbas_id";
 
         $stmt = $this->app->getApplicationBox()->get_connection()->prepare($sql);
         $stmt->execute([':usr_id' => $this->user->getId()]);
@@ -967,55 +968,25 @@ class ACL implements cache_cacheableInterface
 
         $this->_rights_bas = $this->_limited = [];
 
-        $this->_global_rights['manageusers'] = false;
-        $this->_global_rights['coll_manage'] = false;
-        $this->_global_rights['coll_modify_struct'] = false;
+        $this->_global_rights[self::CANADMIN] = false;
+        $this->_global_rights[self::COLL_MANAGE] = false;
+        $this->_global_rights[self::COLL_MODIFY_STRUCT] = false;
         $this->_global_rights['order'] = false;
         $this->_global_rights['push'] = false;
-        $this->_global_rights['addrecord'] = false;
-        $this->_global_rights['modifyrecord'] = false;
-        $this->_global_rights['changestatus'] = false;
-        $this->_global_rights['doctools'] = false;
-        $this->_global_rights['deleterecord'] = false;
-        $this->_global_rights['addtoalbum'] = false;
+        $this->_global_rights[self::CANADDRECORD] = false;
+        $this->_global_rights[self::CANMODIFRECORD] = false;
+        $this->_global_rights[self::CHGSTATUS] = false;
+        $this->_global_rights[self::IMGTOOLS] = false;
+        $this->_global_rights[self::CANDELETERECORD] = false;
+        $this->_global_rights[self::CANPUTINALBUM] = false;
         $this->_global_rights['report'] = false;
-        $this->_global_rights['candwnldpreview'] = false;
-        $this->_global_rights['candwnldhd'] = false;
-        $this->_global_rights['order_master'] = false;
+        $this->_global_rights[self::CANDWNLDPREVIEW] = false;
+        $this->_global_rights[self::CANDWNLDHD] = false;
+        $this->_global_rights[self::ORDER_MASTER] = false;
 
         foreach ($rs as $row) {
-            $this->_rights_bas[$row['base_id']]['actif'] = ($row['actif'] == '1');
-
-            if ($row['canadmin'] == '1')
-                $this->_global_rights['manageusers'] = true;
-            if ($row['manage'] == '1')
-                $this->_global_rights['coll_manage'] = true;
-            if ($row['modify_struct'] == '1')
-                $this->_global_rights['coll_modify_struct'] = true;
-            if ($row['cancmd'] == '1')
-                $this->_global_rights['order'] = true;
-            if ($row['canpush'] == '1')
-                $this->_global_rights['push'] = true;
-            if ($row['canaddrecord'] == '1')
-                $this->_global_rights['addrecord'] = true;
-            if ($row['canmodifrecord'] == '1')
-                $this->_global_rights['modifyrecord'] = true;
-            if ($row['chgstatus'] == '1')
-                $this->_global_rights['changestatus'] = true;
-            if ($row['imgtools'] == '1')
-                $this->_global_rights['doctools'] = true;
-            if ($row['candeleterecord'] == '1')
-                $this->_global_rights['deleterecord'] = true;
-            if ($row['canputinalbum'] == '1')
-                $this->_global_rights['addtoalbum'] = true;
-            if ($row['canreport'] == '1')
-                $this->_global_rights['report'] = true;
-            if ($row['candwnldpreview'] == '1')
-                $this->_global_rights['candwnldpreview'] = true;
-            if ($row['candwnldhd'] == '1')
-                $this->_global_rights['candwnldhd'] = true;
-            if ($row['order_master'] == '1')
-                $this->_global_rights['order_master'] = true;
+            $bid = $row['base_id'];
+            $this->_rights_bas[$bid]['actif'] = ($row['actif'] == '1');
 
             $row['limited_from'] = $row['limited_from'] == '0000-00-00 00:00:00' ? '' : trim($row['limited_from']);
             $row['limited_to'] = $row['limited_to'] == '0000-00-00 00:00:00' ? '' : trim($row['limited_to']);
@@ -1023,54 +994,41 @@ class ACL implements cache_cacheableInterface
             if ($row['time_limited'] == '1'
                 && ($row['limited_from'] !== '' || $row['limited_to'] !== '')) {
                 $this->_limited[$row['base_id']] = [
-                    'dmin' => $row['limited_from'] ? new DateTime($row['limited_from']) : null
-                    , 'dmax' => $row['limited_to'] ? new DateTime($row['limited_to']) : null
+                    'dmin' => $row['limited_from'] ? new DateTime($row['limited_from']) : null,
+                    'dmax' => $row['limited_to'] ? new DateTime($row['limited_to']) : null
                 ];
             }
 
-            $this->_rights_bas[$row['base_id']]['imgtools']
-                = $row['imgtools'] == '1';
+            $this->_global_rights[self::IMGTOOLS]           |= ($this->_rights_bas[$bid][self::IMGTOOLS]        = ($row['imgtools'] == '1'));
+            $this->_global_rights[self::CHGSTATUS]       |= ($this->_rights_bas[$bid][self::CHGSTATUS]       = ($row['chgstatus'] == '1'));
+            $this->_global_rights['order']              |= ($this->_rights_bas[$bid]['cancmd']          = ($row['cancmd'] == '1'));
+            $this->_global_rights[self::CANADDRECORD]          |= ($this->_rights_bas[$bid][self::CANADDRECORD]    = ($row['canaddrecord'] == '1'));
+            $this->_global_rights['push']               |= ($this->_rights_bas[$bid]['canpush']         = ($row['canpush'] == '1'));
+            $this->_global_rights[self::CANDELETERECORD]       |= ($this->_rights_bas[$bid][self::CANDELETERECORD] = ($row['candeleterecord'] == '1'));
+            $this->_global_rights[self::CANADMIN]        |= ($this->_rights_bas[$bid][self::CANADMIN]        = ($row['canadmin'] == '1'));
+            $this->_global_rights[self::CANDWNLDPREVIEW]    |= ($this->_rights_bas[$bid][self::CANDWNLDPREVIEW] = ($row['candwnldpreview'] == '1'));
+            $this->_global_rights[self::CANDWNLDHD]         |= ($this->_rights_bas[$bid][self::CANDWNLDHD]      = ($row['candwnldhd'] == '1'));
+            $this->_global_rights[self::CANMODIFRECORD]       |= ($this->_rights_bas[$bid][self::CANMODIFRECORD]  = ($row['canmodifrecord'] == '1'));
+            $this->_global_rights[self::CANPUTINALBUM]         |= ($this->_rights_bas[$bid][self::CANPUTINALBUM]   = ($row['canputinalbum'] == '1'));
+            $this->_global_rights['report']             |= ($this->_rights_bas[$bid]['canreport']       = ($row['canreport'] == '1'));
+            $this->_global_rights[self::COLL_MODIFY_STRUCT] |= ($this->_rights_bas[$bid][self::COLL_MODIFY_STRUCT]   = ($row['modify_struct'] == '1'));
+            $this->_global_rights[self::COLL_MANAGE]        |= ($this->_rights_bas[$bid][self::COLL_MANAGE]          = ($row['manage'] == '1'));
+            $this->_global_rights[self::ORDER_MASTER]       |= ($this->_rights_bas[$bid][self::ORDER_MASTER]    = ($row[\ACL::ORDER_MASTER] == '1'));
+            $this->_rights_bas[$bid]['nowatermark']    = ($row['nowatermark'] == '1');
+            $this->_rights_bas[$bid]['restrict_dwnld'] = ($row['restrict_dwnld'] == '1');
+            $this->_rights_bas[$bid]['remain_dwnld']   = (int) $row['remain_dwnld'];
+            $this->_rights_bas[$bid]['mask_and']       = (int) $row['mask_and'];
+            $this->_rights_bas[$bid]['mask_xor']       = (int) $row['mask_xor'];
 
-            $this->_rights_bas[$row['base_id']]['chgstatus']
-                = $row['chgstatus'] == '1';
-            $this->_rights_bas[$row['base_id']]['cancmd']
-                = $row['cancmd'] == '1';
-            $this->_rights_bas[$row['base_id']]['canaddrecord']
-                = $row['canaddrecord'] == '1';
-            $this->_rights_bas[$row['base_id']]['canpush']
-                = $row['canpush'] == '1';
-            $this->_rights_bas[$row['base_id']]['candeleterecord']
-                = $row['candeleterecord'] == '1';
-            $this->_rights_bas[$row['base_id']]['canadmin']
-                = $row['canadmin'] == '1';
-            $this->_rights_bas[$row['base_id']]['chgstatus']
-                = $row['chgstatus'] == '1';
-            $this->_rights_bas[$row['base_id']]['candwnldpreview']
-                = $row['candwnldpreview'] == '1';
-            $this->_rights_bas[$row['base_id']]['candwnldhd']
-                = $row['candwnldhd'] == '1';
-            $this->_rights_bas[$row['base_id']]['nowatermark']
-                = $row['nowatermark'] == '1';
-            $this->_rights_bas[$row['base_id']]['restrict_dwnld']
-                = $row['restrict_dwnld'] == '1';
-            $this->_rights_bas[$row['base_id']]['remain_dwnld']
-                = (int) $row['remain_dwnld'];
-            $this->_rights_bas[$row['base_id']]['canmodifrecord']
-                = $row['canmodifrecord'] == '1';
-            $this->_rights_bas[$row['base_id']]['canputinalbum']
-                = $row['canputinalbum'] == '1';
-            $this->_rights_bas[$row['base_id']]['canreport']
-                = $row['canreport'] == '1';
-            $this->_rights_bas[$row['base_id']]['mask_and']
-                = (int) $row['mask_and'];
-            $this->_rights_bas[$row['base_id']]['mask_xor']
-                = (int) $row['mask_xor'];
-            $this->_rights_bas[$row['base_id']]['modify_struct']
-                = $row['modify_struct'] == '1';
-            $this->_rights_bas[$row['base_id']]['manage']
-                = $row['manage'] == '1';
-            $this->_rights_bas[$row['base_id']]['order_master']
-                = $row['order_master'] == '1';
+            $row['limited_from'] = $row['limited_from'] == '0000-00-00 00:00:00' ? '' : trim($row['limited_from']);
+            $row['limited_to']   = $row['limited_to']   == '0000-00-00 00:00:00' ? '' : trim($row['limited_to']);
+
+            if ($row['time_limited'] == '1' && ($row['limited_from'] !== '' || $row['limited_to'] !== '')) {
+                $this->_limited[$row['base_id']] = [
+                    'dmin' => $row['limited_from'] ? new DateTime($row['limited_from']) : null,
+                    'dmax' => $row['limited_to'] ? new DateTime($row['limited_to']) : null
+                ];
+            }
         }
 
         $this->set_data_to_cache($this->_global_rights, self::CACHE_GLOBAL_RIGHTS);
@@ -1106,17 +1064,17 @@ class ACL implements cache_cacheableInterface
             case 'admin':
                 return (
                     ($this->has_right('bas_modify_struct') ||
-                    $this->has_right('coll_modify_struct') ||
+                    $this->has_right(self::COLL_MODIFY_STRUCT) ||
                     $this->has_right('bas_manage') ||
-                    $this->has_right('coll_manage') ||
-                    $this->has_right('manageusers') ||
+                    $this->has_right(self::COLL_MANAGE) ||
+                    $this->has_right(self::CANADMIN) ||
                     $this->is_admin()) );
                 break;
             case 'thesaurus':
                 return ($this->has_right('bas_modif_th') === true );
                 break;
             case 'upload':
-                return ($this->has_right('addrecord') === true);
+                return ($this->has_right(self::CANADDRECORD) === true);
                 break;
             case 'report':
                 return ($this->has_right('report') === true);
@@ -1168,48 +1126,31 @@ class ACL implements cache_cacheableInterface
      */
     public function give_access_to_base(Array $base_ids)
     {
-        $sql_ins = 'INSERT INTO basusr (id, base_id, usr_id, actif)
-                VALUES (null, :base_id, :usr_id, "1")';
-        $stmt_ins = $this->app->getApplicationBox()->get_connection()->prepare($sql_ins);
+        $sql = "INSERT INTO basusr (id, base_id, usr_id, actif)\n"
+            . "VALUES (null, :base_id, :usr_id, '1')\n"
+            . "ON DUPLICATE KEY UPDATE actif='1";
+        $stmt = $this->app->getApplicationBox()->get_connection()->prepare($sql);
         $usr_id = $this->user->getId();
-        $to_update = [];
+
         $this->load_rights_bas();
 
         foreach ($base_ids as $base_id) {
-            if (!isset($this->_rights_bas[$base_id])) {
-                try {
-                    $stmt_ins->execute([':base_id' => $base_id, ':usr_id'  => $usr_id]);
-                } catch (DBALException $e) {
-//                    if (null !== $e) {
-//                        var_dump(get_class($e->getPrevious()));
-//                    }
-                    if (($e->getCode() == 23000)) {
-                        $to_update[] = $base_id;
-                    }
+            if (!isset($this->_rights_bas[$base_id]) || $this->_rights_bas[$base_id]['actif'] === false) {
+                $stmt->execute([':base_id' => $base_id, ':usr_id'  => $usr_id]);
+                if($stmt->rowCount() > 0) {
+                    $this->app['dispatcher']->dispatch(
+                        AclEvents::ACCESS_TO_BASE_GRANTED,
+                        new AccessToBaseGrantedEvent(
+                            $this,
+                            array(
+                                'base_id'=>$base_id
+                            )
+                        )
+                    );
                 }
-            } elseif ($this->_rights_bas[$base_id]['actif'] === false) {
-                $to_update[] = $base_id;
             }
         }
-        $stmt_ins->closeCursor();
-
-        $sql_upd = 'UPDATE basusr SET actif="1"
-                  WHERE usr_id = :usr_id AND base_id = :base_id';
-        $stmt_upd = $this->app->getApplicationBox()->get_connection()->prepare($sql_upd);
-        foreach ($to_update as $base_id) {
-            $stmt_upd->execute([':usr_id'  => $usr_id, ':base_id' => $base_id]);
-
-            $this->app['dispatcher']->dispatch(
-                AclEvents::ACCESS_TO_BASE_GRANTED,
-                new AccessToBaseGrantedEvent(
-                    $this,
-                    array(
-                        'base_id'=>$base_id
-                    )
-                )
-            );
-        }
-        $stmt_upd->closeCursor();
+        $stmt->closeCursor();
 
         $this->delete_data_from_cache(self::CACHE_RIGHTS_BAS);
         $this->inject_rights();
@@ -1358,23 +1299,21 @@ class ACL implements cache_cacheableInterface
 
         $sql_args = [];
         $usr_id = $this->user->getId();
-        $params = [':sbas_id' => $sbas_id, ':usr_id'  => $usr_id];
 
         foreach ($rights as $right => $v) {
-            $sql_args[] = " " . $right . " = :" . $right;
-            $params[':' . $right] = $v ? '1' : '0';
+            $sql_args[] = "`" . $right . "`=" . ($v ? '1' : '0');
         }
 
         if (count($sql_args) == 0) {
             return $this;
         }
 
-        $sql_up .= implode(', ', $sql_args) . '
-                WHERE sbas_id = :sbas_id AND usr_id = :usr_id';
+        $sql_up .= implode(', ', $sql_args) . "\n"
+            . " WHERE sbas_id = :sbas_id AND usr_id = :usr_id";
 
         $stmt_up = $this->app->getApplicationBox()->get_connection()->prepare($sql_up);
 
-        if (!$stmt_up->execute($params)) {
+        if (!$stmt_up->execute([':sbas_id' => $sbas_id, ':usr_id'  => $usr_id])) {
             throw new Exception('Error while updating some rights');
         }
         $stmt_up->closeCursor();
@@ -1401,9 +1340,8 @@ class ACL implements cache_cacheableInterface
      */
     public function remove_quotas_on_base($base_id)
     {
-        $sql = 'UPDATE basusr
-      SET remain_dwnld = 0, restrict_dwnld = 0, month_dwnld_max = 0
-      WHERE usr_id = :usr_id AND base_id = :base_id ';
+        $sql = "UPDATE basusr SET remain_dwnld = 0, restrict_dwnld = 0, month_dwnld_max = 0\n"
+            . " WHERE usr_id = :usr_id AND base_id = :base_id";
 
         $stmt = $this->app->getApplicationBox()->get_connection()->prepare($sql);
         $stmt->execute([':usr_id'  => $this->user->getId(), ':base_id' => $base_id]);
@@ -1427,16 +1365,15 @@ class ACL implements cache_cacheableInterface
 
     public function update_download_restrictions()
     {
-        $sql = 'UPDATE basusr SET remain_dwnld = month_dwnld_max
-            WHERE actif = 1
-            AND usr_id = :usr_id
-            AND MONTH(lastconn) != MONTH(NOW()) AND restrict_dwnld = 1';
+        $sql = "UPDATE basusr SET remain_dwnld = month_dwnld_max\n"
+            . " WHERE actif = 1"
+            . " AND usr_id = :usr_id"
+            . " AND MONTH(lastconn) != MONTH(NOW()) AND restrict_dwnld = 1'";
         $stmt = $this->app->getApplicationBox()->get_connection()->prepare($sql);
         $stmt->execute([':usr_id' => $this->user->getId()]);
         $stmt->closeCursor();
 
-        $sql = "UPDATE basusr SET lastconn=now()
-            WHERE usr_id = :usr_id AND actif = 1";
+        $sql = "UPDATE basusr SET lastconn=now() WHERE usr_id = :usr_id AND actif = 1";
         $stmt = $this->app->getApplicationBox()->get_connection()->prepare($sql);
         $stmt->execute([':usr_id' => $this->user->getId()]);
         $stmt->closeCursor();
@@ -1463,9 +1400,8 @@ class ACL implements cache_cacheableInterface
      */
     public function set_quotas_on_base($base_id, $droits, $restes)
     {
-        $sql = 'UPDATE basusr
-      SET remain_dwnld = :restes, restrict_dwnld = 1, month_dwnld_max = :droits
-      WHERE usr_id = :usr_id AND base_id = :base_id ';
+        $sql = "UPDATE basusr SET remain_dwnld = :restes, restrict_dwnld = 1, month_dwnld_max = :droits\n"
+            . " WHERE usr_id = :usr_id AND base_id = :base_id";
 
         $params = [
             ':usr_id'  => $this->user->getId(),
@@ -1498,8 +1434,7 @@ class ACL implements cache_cacheableInterface
 
     public function duplicate_right_from_bas($base_id_from, $base_id_dest)
     {
-        $sql = 'SELECT * FROM basusr
-              WHERE base_id = :base_from AND usr_id = :usr_id';
+        $sql = "SELECT * FROM basusr WHERE base_id = :base_from AND usr_id = :usr_id";
 
         $params = [
             ':base_from' => $base_id_from,
@@ -1522,16 +1457,12 @@ class ACL implements cache_cacheableInterface
             'mask_xor' => $row['mask_xor'],
         ];
 
-        if ($row['canputinalbum'])
-            $rights['canputinalbum'] = true;
-        if ($row['candwnldhd'])
-            $rights['candwnldhd'] = true;
-        if ($row['candwnldpreview'])
-            $rights['candwnldpreview'] = true;
+        $rights[self::CANPUTINALBUM] = ($row['canputinalbum'] == '1');
+        $rights[self::CANDWNLDHD] = ($row['candwnldhd'] == '1');
+        $rights[self::CANDWNLDPREVIEW] = ($row['candwnldpreview'] == '1');
         if ($row['cancmd'])
             $rights['cancmd'] = true;
-        if ($row['canadmin'])
-            $rights['canadmin'] = true;
+        $rights[self::CANADMIN] = ($row['canadmin'] == '1');
         if ($row['canreport'])
             $rights['canreport'] = true;
         if ($row['canpush'])
@@ -1540,18 +1471,12 @@ class ACL implements cache_cacheableInterface
             $rights['nowatermark'] = true;
         if ($row['canaddrecord'])
             $rights['canaddrecord'] = true;
-        if ($row['canmodifrecord'])
-            $rights['canmodifrecord'] = true;
-        if ($row['candeleterecord'])
-            $rights['candeleterecord'] = true;
-        if ($row['chgstatus'])
-            $rights['chgstatus'] = true;
-        if ($row['imgtools'])
-            $rights['imgtools'] = true;
-        if ($row['manage'])
-            $rights['manage'] = true;
-        if ($row['modify_struct'])
-            $rights['modify_struct'] = true;
+        $rights[self::CANMODIFRECORD] = ($row['canmodifrecord' == '1']);
+        $rights[self::CANDELETERECORD] = ($row['candeleterecord'] == '1');
+        $rights[self::CHGSTATUS] = ($row['chgstatus'] == '1');
+        $rights[self::IMGTOOLS] = ($row['imgtools'] == '1');
+        $rights[self::COLL_MANAGE] = ($row['manage'] == '1');
+        $rights[self::COLL_MODIFY_STRUCT] = ($row['modify_struct'] == '1');
 
         $this->update_rights_to_base($base_id_dest, $rights);
 
@@ -1695,6 +1620,13 @@ class ACL implements cache_cacheableInterface
         return $lim_max || $lim_min;
     }
 
+    /**
+     * returns date limits ['dmin'=>x, 'dmax'=>y] with x,y : NullableDateTime
+     *
+     *
+     * @param $base_id
+     * @return array|null
+     */
     public function get_limits($base_id)
     {
         $this->load_rights_bas();
@@ -1753,7 +1685,7 @@ class ACL implements cache_cacheableInterface
     {
         // a user can see the business fields if he has at least the right on one collection to edit a record
         foreach($databox->get_collections() as $collection) {
-            if ($this->has_access_to_base($collection->get_base_id()) && $this->has_right_on_base($collection->get_base_id(), 'canmodifrecord')) {
+            if ($this->has_access_to_base($collection->get_base_id()) && $this->has_right_on_base($collection->get_base_id(), self::CANMODIFRECORD)) {
                 return true;
             }
         }
@@ -1768,7 +1700,7 @@ class ACL implements cache_cacheableInterface
      */
     public function getOrderMasterCollectionsBaseIds()
     {
-        $sql = 'SELECT base_id FROM basusr WHERE order_master="1" AND usr_id= :usr_id';
+        $sql = "SELECT base_id FROM basusr WHERE order_master='1' AND usr_id= :usr_id";
         $result = $this->app->getApplicationBox()
             ->get_connection()
             ->executeQuery($sql, [':usr_id' => $this->user->getId()])
@@ -1819,8 +1751,7 @@ class ACL implements cache_cacheableInterface
      */
     public function set_order_master(\collection $collection, $bool)
     {
-        $sql = 'UPDATE basusr SET order_master = :master
-                WHERE usr_id = :usr_id AND base_id = :base_id';
+        $sql = "UPDATE basusr SET order_master = :master WHERE usr_id = :usr_id AND base_id = :base_id";
 
         $stmt = $this->app->getApplicationBox()->get_connection()->prepare($sql);
         $stmt->execute([

lib/classes/databox.php

@@ -1155,22 +1155,22 @@ class databox extends base implements ThumbnailedElement
 
         foreach ($base_ids as $base_id) {
             $this->app->getAclForUser($user)->update_rights_to_base($base_id, [
-                'canpush' => 1,
-                'cancmd' => 1,
-                'canputinalbum' => 1,
-                'candwnldhd' => 1,
-                'candwnldpreview' => 1,
-                'canadmin' => 1,
-                'actif' => 1,
-                'canreport' => 1,
-                'canaddrecord' => 1,
-                'canmodifrecord' => 1,
-                'candeleterecord' => 1,
-                'chgstatus' => 1,
-                'imgtools' => 1,
-                'manage' => 1,
-                'modify_struct' => 1,
-                'nowatermark' => 1
+                \ACL::CANPUSH => 1,
+                \ACL::CANCMD => 1,
+                \ACL::CANPUTINALBUM => 1,
+                \ACL::CANDWNLDHD => 1,
+                \ACL::CANDWNLDPREVIEW => 1,
+                \ACL::CANADMIN => 1,
+                \ACL::ACTIF => 1,
+                \ACL::CANREPORT => 1,
+                \ACL::CANADDRECORD => 1,
+                \ACL::CANMODIFRECORD => 1,
+                \ACL::CANDELETERECORD => 1,
+                \ACL::CHGSTATUS => 1,
+                \ACL::IMGTOOLS => 1,
+                \ACL::MANAGE => 1,
+                \ACL::MODIFY_STRUCT => 1,
+                \ACL::NOWATERMARK => 1
             ]);
         }
 

lib/classes/databox/status.php

@@ -24,7 +24,7 @@ class databox_status
         foreach ($app->getAclForUser($app->getAuthenticatedUser())->get_granted_sbas() as $databox) {
             $see_all = false;
             foreach ($databox->get_collections() as $collection) {
-                if ($app->getAclForUser($app->getAuthenticatedUser())->has_right_on_base($collection->get_base_id(), 'chgstatus')) {
+                if ($app->getAclForUser($app->getAuthenticatedUser())->has_right_on_base($collection->get_base_id(), \ACL::CHGSTATUS)) {
                     $see_all = true;
                     break;
                 }

lib/classes/eventsmanager/notify/autoregister.php

@@ -73,6 +73,6 @@ class eventsmanager_notify_autoregister extends eventsmanager_notifyAbstract
             return false;
         }
 
-        return $this->app->getAclForUser($user)->has_right('manageusers');
+        return $this->app->getAclForUser($user)->has_right(\ACL::CANADMIN);
     }
 }

lib/classes/eventsmanager/notify/order.php

@@ -75,6 +75,6 @@ class eventsmanager_notify_order extends eventsmanager_notifyAbstract
      */
     public function is_available(User $user)
     {
-        return $this->app->getAclForUser($user)->has_right('order_master');
+        return $this->app->getAclForUser($user)->has_right(\ACL::ORDER_MASTER);
     }
 }

lib/classes/eventsmanager/notify/register.php

@@ -75,6 +75,6 @@ class eventsmanager_notify_register extends eventsmanager_notifyAbstract
             return false;
         }
 
-        return $this->app->getAclForUser($user)->has_right('manageusers');
+        return $this->app->getAclForUser($user)->has_right(\ACL::CANADMIN);
     }
 }

lib/classes/eventsmanager/notify/uploadquarantine.php

@@ -75,6 +75,6 @@ class eventsmanager_notify_uploadquarantine extends eventsmanager_notifyAbstract
      */
     public function is_available(User $user)
     {
-        return $this->app->getAclForUser($user)->has_right('addrecord');
+        return $this->app->getAclForUser($user)->has_right(\ACL::CANADDRECORD);
     }
 }

lib/classes/record/exportElement.php

@@ -99,10 +99,10 @@ class record_exportElement extends record_adapter
             'thumbnail' => true
         ];
 
-        if ($this->app->getAclForUser($this->app->getAuthenticatedUser())->has_right_on_base($this->getBaseId(), 'candwnldhd')) {
+        if ($this->app->getAclForUser($this->app->getAuthenticatedUser())->has_right_on_base($this->getBaseId(), \ACL::CANDWNLDHD)) {
             $go_dl['document'] = true;
         }
-        if ($this->app->getAclForUser($this->app->getAuthenticatedUser())->has_right_on_base($this->getBaseId(), 'candwnldpreview')) {
+        if ($this->app->getAclForUser($this->app->getAuthenticatedUser())->has_right_on_base($this->getBaseId(), \ACL::CANDWNLDPREVIEW)) {
             $go_dl['preview'] = true;
         }
         if ($this->app->getAclForUser($this->app->getAuthenticatedUser())->has_hd_grant($this)) {
@@ -116,7 +116,7 @@ class record_exportElement extends record_adapter
         $query = $this->app['phraseanet.user-query'];
 
         $masters = $query->on_base_ids([$this->getBaseId()])
-                ->who_have_right(['order_master'])
+                ->who_have_right([\ACL::ORDER_MASTER])
                 ->execute()->get_results();
 
         $go_cmd = (count($masters) > 0 && $this->app->getAclForUser($this->app->getAuthenticatedUser())->has_right_on_base($this->getBaseId(), 'cancmd'));

lib/classes/set/export.php

@@ -175,7 +175,7 @@ class set_export extends set_abstract
 
         /** @var record_exportElement $download_element */
         foreach ($this->get_elements() as $download_element) {
-            if ($app->getAclForUser($app->getAuthenticatedUser())->has_right_on_base($download_element->getBaseId(), 'canmodifrecord')) {
+            if ($app->getAclForUser($app->getAuthenticatedUser())->has_right_on_base($download_element->getBaseId(), \ACL::CANMODIFRECORD)) {
                 $this->businessFieldsAccess = true;
             }
 
@@ -227,11 +227,11 @@ class set_export extends set_abstract
 
         $display_ftp = [];
 
-        $hasadminright = $app->getAclForUser($app->getAuthenticatedUser())->has_right('addrecord')
-            || $app->getAclForUser($app->getAuthenticatedUser())->has_right('deleterecord')
-            || $app->getAclForUser($app->getAuthenticatedUser())->has_right('modifyrecord')
-            || $app->getAclForUser($app->getAuthenticatedUser())->has_right('coll_manage')
-            || $app->getAclForUser($app->getAuthenticatedUser())->has_right('coll_modify_struct');
+        $hasadminright = $app->getAclForUser($app->getAuthenticatedUser())->has_right(\ACL::CANADDRECORD)
+            || $app->getAclForUser($app->getAuthenticatedUser())->has_right(\ACL::CANDELETERECORD)
+            || $app->getAclForUser($app->getAuthenticatedUser())->has_right(\ACL::CANMODIFRECORD)
+            || $app->getAclForUser($app->getAuthenticatedUser())->has_right(\ACL::COLL_MANAGE)
+            || $app->getAclForUser($app->getAuthenticatedUser())->has_right(\ACL::COLL_MODIFY_STRUCT);
 
         $this->ftp_datas = [];
 
@@ -419,7 +419,7 @@ class set_export extends set_abstract
 
             $BF = false;
 
-            if ($includeBusinessFields && $this->app->getAclForUser($user)->has_right_on_base($download_element->getBaseId(), 'canmodifrecord')) {
+            if ($includeBusinessFields && $this->app->getAclForUser($user)->has_right_on_base($download_element->getBaseId(), \ACL::CANMODIFRECORD)) {
                 $BF = true;
             }
 

templates/web/admin/collection/collection.html.twig

@@ -35,7 +35,7 @@
     <li>{{ collection.get_record_amount() }} records <a class="ajax" target="rights" href="{{ path('admin_collection_display_document_details', { 'bas_id' : collection.get_base_id() }) }}">{{ 'phraseanet:: details' | trans }}</a></li>
 </ul>
 
-{% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, 'manage') %}
+{% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, constant('\\ACL::COLL_MANAGE')) %}
 <div class="well well-small">
     <h5>{{ 'admin::collection:: Gestionnaires des commandes' | trans }}</h5>
     <form id="admin_adder" action="{{ path('admin_collection_submit_order_admins', { 'bas_id' : bas_id }) }}" method="post" style="margin:0;">
@@ -144,7 +144,7 @@
     <h5>{{ 'admin::base:collection: minilogo actuel' | trans }}</h5>
     {% if collection.getLogo(bas_id, app) is not empty %}
         <div class="thumbnail" style="width:120px;height:24px;margin-top:5px;margin-bottom:5px">{{ collection.getLogo(bas_id, app) | raw }}</div>
-        {% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, 'manage') %}
+        {% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, constant('\\ACL::COLL_MANAGE')) %}
             <form method="post" action="{{ path('admin_collection_delete_logo', { 'bas_id' : bas_id }) }}" style="margin:0;">
                 <button class="btn btn-danger btn-mini" >
                     <i class="icon-trash icon-white"></i>
@@ -152,7 +152,7 @@
                 </button>
             </form>
         {% endif%}
-    {% elseif app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, 'manage') %}
+    {% elseif app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, constant('\\ACL::COLL_MANAGE')) %}
         <span>{{ 'admin::base:collection: aucun fichier (minilogo, watermark ...)' | trans }}</span>
         <form class="fileupload no-ajax" enctype="multipart/form-data" method="post" action="{{ path('admin_collection_submit_logo', { 'bas_id' : bas_id }) }}" style="margin:0;">
             <span class="btn btn-success fileinput-button">
@@ -169,7 +169,7 @@
     <h5>{{ "Watermark" | trans }}</h5>
     {% if collection.getWatermark(bas_id) is not empty %}
         <div class="thumbnail">{{ collection.getWatermark(bas_id)| raw }}</div>
-        {% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, 'manage') %}
+        {% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, constant('\\ACL::COLL_MANAGE')) %}
             <form method="post" action="{{ path('admin_collection_delete_watermark', { 'bas_id' : bas_id }) }}" style="margin:0;">
                 <button class="btn btn-danger btn-mini">
                     <i class="icon-trash icon-white"></i>
@@ -177,7 +177,7 @@
                 </button>
             </form>
         {% endif%}
-    {% elseif app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, 'manage') %}
+    {% elseif app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, constant('\\ACL::COLL_MANAGE')) %}
         <span>{{ 'admin::base:collection: aucun fichier (minilogo, watermark ...)' | trans }}</span>
         <form class="fileupload no-ajax" enctype="multipart/form-data" method="post" action="{{ path('admin_collection_submit_watermark', { 'bas_id' : bas_id }) }}" style="margin:0;">
             <span class="btn btn-success fileinput-button">
@@ -194,7 +194,7 @@
     <h5>{{ "Stamp logo" | trans }}</h5>
     {% if collection.getStamp(bas_id) is not empty %}
         <div class="thumbnail" style="max-height:120px;max-width:260px">{{ collection.getStamp(bas_id)| raw }}</div>
-        {% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, 'manage') %}
+        {% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, constant('\\ACL::COLL_MANAGE')) %}
             <form method="post" action="{{ path('admin_collection_delete_stamp', { 'bas_id' : bas_id }) }}" style="margin:0;">
                 <button class="btn btn-danger btn-mini">
                     <i class="icon-trash icon-white"></i>
@@ -202,7 +202,7 @@
                 </button>
             </form>
         {% endif%}
-    {% elseif app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, 'manage') %}
+    {% elseif app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(bas_id, constant('\\ACL::COLL_MANAGE')) %}
         <span>{{ 'admin::base:collection: aucun fichier (minilogo, watermark ...)' | trans }}</span>
         <form class="fileupload no-ajax" enctype="multipart/form-data" method="post" action="{{ path('admin_collection_submit_stamp', { 'bas_id' : bas_id }) }}" style="margin:0;">
             <span class="btn btn-success fileinput-button">

templates/web/admin/collection/create.html.twig

@@ -32,10 +32,10 @@
             </div>
             <div class="control-group">
                 <div class="controls">
-                     {% if app.getAclForUser(app.getAuthenticatedUser()).get_granted_base(["canadmin"]) | length > 0 %}
+                     {% if app.getAclForUser(app.getAuthenticatedUser()).get_granted_base([constant('\\ACL::CANADMIN')]) | length > 0 %}
                         <select id="othcollsel" name="othcollsel" disabled>
                             <option>{{ "choisir" | trans }}</option>
-                            {% for collection in app.getAclForUser(app.getAuthenticatedUser()).get_granted_base(["canadmin"]) %}
+                            {% for collection in app.getAclForUser(app.getAuthenticatedUser()).get_granted_base([constant('\\ACL::CANADMIN')]) %}
                                <option value="{{ collection.get_base_id() }}">{{ collection.get_label(app['locale']) }}</option>
                             {% endfor %}
                         </select>

templates/web/admin/databox/databox.html.twig

@@ -155,7 +155,7 @@
                     <li>
                         <form class="form-inline" method="post" action="{{ path('admin_database_mount_collection', {'databox_id': databox.get_sbas_id(), 'collection_id' : collId }) }}">
                             {% trans with {'%name%' : name} %}Monter la collection %name%{% endtrans %}<br/>
-                            {% if app.getAclForUser(app.getAuthenticatedUser()).get_granted_base(["canadmin"]) | length > 0 %}
+                            {% if app.getAclForUser(app.getAuthenticatedUser()).get_granted_base([constant('\\ACL::CANADMIN')]) | length > 0 %}
                                 <label for="othcollsel">{{ "admin::base:collection: Vous pouvez choisir une collection de reference pour donenr des acces" | trans }}</label>
                                 <select id="othcollsel" name="othcollsel" >
                                     <option value="">{{ "choisir" | trans }}</option>

templates/web/admin/editusers.html.twig

@@ -347,16 +347,16 @@
                   {{_self.format_checkbox(app.getAuthenticatedUser(), rights, 'actif', users, 'base')}}
                 </td>
                 <td class="users_col case_right_canputinalbum" title="{{ 'Allowed to add in basket' | trans }}">
-                  {{_self.format_checkbox(app.getAuthenticatedUser(), rights, 'canputinalbum', users, 'base')}}
+                  {{_self.format_checkbox(app.getAuthenticatedUser(), rights, constant('\\ACL::CANPUTINALBUM'), users, 'base')}}
                 </td>
                 <td class="users_col case_right_candwnldpreview" title="{{ 'Access to preview' | trans }}">
-                  {{_self.format_checkbox(app.getAuthenticatedUser(), rights, 'candwnldpreview', users, 'base')}}
+                  {{_self.format_checkbox(app.getAuthenticatedUser(), rights, constant('\\ACL::CANDWNLDPREVIEW'), users, 'base')}}
                 </td>
                 <td class="users_col case_right_nowatermark" title="{{ 'Remove watermark' | trans }}">
                   {{_self.format_checkbox(app.getAuthenticatedUser(), rights, 'nowatermark', users, 'base')}}
                 </td>
                 <td class="users_col case_right_candwnldhd" title="{{ 'Access to HD' | trans }}">
-                  {{_self.format_checkbox(app.getAuthenticatedUser(), rights, 'candwnldhd', users, 'base')}}
+                  {{_self.format_checkbox(app.getAuthenticatedUser(), rights, constant('\\ACL::CANDWNLDHD'), users, 'base')}}
                 </td>
                 <td class="users_col case_right_cancmd" title="{{ 'Allowed to order' | trans }}">
                   {{_self.format_checkbox(app.getAuthenticatedUser(), rights, 'cancmd', users, 'base')}}
@@ -395,34 +395,34 @@
                 <td style="text-align:center;width:100px;"></td>
 
                 <td class="users_col case_right_canaddrecord" title="{{ 'Allowed to add' | trans }}">
-                  {{_self.format_checkbox(app.getAuthenticatedUser(), rights, 'canaddrecord', users, 'base')}}
+                  {{_self.format_checkbox(app.getAuthenticatedUser(), rights, constant('\\ACL::CANADDRECORD'), users, 'base')}}
                 </td>
                 <td class="users_col case_right_canmodifrecord" title="{{ 'Allowed to edit' | trans }}">
-                  {{_self.format_checkbox(app.getAuthenticatedUser(), rights, 'canmodifrecord', users, 'base')}}
+                  {{_self.format_checkbox(app.getAuthenticatedUser(), rights, constant('\\ACL::CANMODIFRECORD'), users, 'base')}}
                 </td>
                 <td class="users_col case_right_chgstatus" title="{{ 'Allowed to change statuses' | trans }}">
-                  {{_self.format_checkbox(app.getAuthenticatedUser(), rights, 'chgstatus', users, 'base')}}
+                  {{_self.format_checkbox(app.getAuthenticatedUser(), rights, constant('\\ACL::CHGSTATUS'), users, 'base')}}
                 </td>
                 <td class="users_col case_right_candeleterecord" title="{{ 'Allowed to delete' | trans }}">
-                  {{_self.format_checkbox(app.getAuthenticatedUser(), rights, 'candeleterecord', users, 'base')}}
+                  {{_self.format_checkbox(app.getAuthenticatedUser(), rights, constant('\\ACL::CANDELETERECORD'), users, 'base')}}
                 </td>
                 <td class="users_col case_right_imgtools" title="{{ 'Access to image tools' | trans }}">
-                  {{_self.format_checkbox(app.getAuthenticatedUser(), rights, 'imgtools', users, 'base')}}
+                  {{_self.format_checkbox(app.getAuthenticatedUser(), rights, constant('\\ACL::IMGTOOLS'), users, 'base')}}
                 </td>
                 <td class="users_col case_right_canadmin" title="{{ 'Manage users' | trans }}">
-                  {{_self.format_checkbox(app.getAuthenticatedUser(), rights, 'canadmin', users, 'base')}}
+                  {{_self.format_checkbox(app.getAuthenticatedUser(), rights, constant('\\ACL::CANADMIN'), users, 'base')}}
                 </td>
                 <td class="users_col case_right_canreport" title="{{ 'Allowed to access report' | trans }}">
-                  {{_self.format_checkbox(app.getAuthenticatedUser(), rights, 'canreport', users, 'base')}}
+                  {{_self.format_checkbox(app.getAuthenticatedUser(), rights, constant('\\ACL::CANREPORT'), users, 'base')}}
                 </td>
                 <td class="users_col case_right_canpush" title="{{ 'Allowed to push' | trans }}">
-                  {{_self.format_checkbox(app.getAuthenticatedUser(), rights, 'canpush', users, 'base')}}
+                  {{_self.format_checkbox(app.getAuthenticatedUser(), rights, constant('\\ACL::CANPUSH'), users, 'base')}}
                 </td>
                 <td class="users_col case_right_manage" title="{{ 'Manage collection' | trans }}">
-                  {{_self.format_checkbox(app.getAuthenticatedUser(), rights, 'manage', users, 'base')}}
+                  {{_self.format_checkbox(app.getAuthenticatedUser(), rights, constant('\\ACL::MANAGE'), users, 'base')}}
                 </td>
                 <td class="users_col case_right_modify" title="{{ 'Manage values lists' | trans }}">
-                  {{_self.format_checkbox(app.getAuthenticatedUser(), rights, 'modify_struct', users, 'base')}}
+                  {{_self.format_checkbox(app.getAuthenticatedUser(), rights, constant('\\ACL::MODIFY_STRUCT'), users, 'base')}}
                 </td>
                 <td colspan="5">
 

templates/web/admin/tree.html.twig

@@ -36,7 +36,7 @@
     </a>
   </li>
 
-  {% if app.getAclForUser(app.getAuthenticatedUser()).has_right('manageusers') %}
+  {% if app.getAclForUser(app.getAuthenticatedUser()).has_right(constant('\\ACL::CANADMIN')) %}
   <li class="{% if feature == 'users' %}selected{% endif %}">
     <a target="right" href="{{ path('admin_users_search') }}" class="ajax zone_editusers">
       <img src="/assets/admin/images/Users.png" />
@@ -152,7 +152,7 @@
         {% set seeUsrGene = false %}
 
         {% for coll in databox.get_collections() %}
-          {% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base( coll.get_base_id() , 'canadmin') %}
+          {% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base( coll.get_base_id() , constant('\\ACL::CANADMIN')) %}
             {% set seeUsrGene = true %}
           {% endif %}
         {% endfor %}
@@ -167,9 +167,9 @@
         {% endif %}
 
         {% for collection in databox.get_collections()|sort_collections %}
-          {% if (collection.get_base_id() in app.getAclForUser(app.getAuthenticatedUser()).get_granted_base(['canadmin'])|keys
-              or collection.get_base_id() in app.getAclForUser(app.getAuthenticatedUser()).get_granted_base(['manage'])|keys
-              or collection.get_base_id() in app.getAclForUser(app.getAuthenticatedUser()).get_granted_base(['modify_struct'])|keys) %}
+          {% if (collection.get_base_id() in app.getAclForUser(app.getAuthenticatedUser()).get_granted_base([constant('\\ACL::CANADMIN')])|keys
+              or collection.get_base_id() in app.getAclForUser(app.getAuthenticatedUser()).get_granted_base([constant('\\ACL::MANAGE')])|keys
+              or collection.get_base_id() in app.getAclForUser(app.getAuthenticatedUser()).get_granted_base([constant('\\ACL::MODIFY_STRUCT')])|keys) %}
 
           {% if feature == 'collection' and featured == collection.get_base_id() %}
               {% set coll_selected = true %}
@@ -185,7 +185,7 @@
             </div>
             <ul>
 
-            {% if (app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(collection.get_base_id(), 'modify_struct')) %}
+            {% if (app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(collection.get_base_id(), constant('\\ACL::COLL_MODIFY_STRUCT'))) %}
               <li>
                 <a target="right" href="{{ path('admin_collection_display_suggested_values', { 'bas_id' : collection.get_base_id() }) }}" class="ajax">
                   <img src="/assets/common/images/icons/foldph20open_0.gif"/>
@@ -194,7 +194,7 @@
               </li>
             {% endif %}
 
-            {% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(collection.get_base_id(), 'canadmin') %}
+            {% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(collection.get_base_id(), constant('\\ACL::CANADMIN')) %}
               <li>
                 <a target="right" href="{{ path('admin_users_search', { 'base_id' : [ collection.get_base_id() ] }) }}" class="ajax">
                   <img src="/assets/admin/images/Users.png"/>

templates/web/common/caption.html.twig

@@ -1,6 +1,6 @@
 {% import 'common/macros.html.twig' as macro %}
 
-{% set business = granted_on_collection(record.baseId, 'canmodifrecord') %}
+{% set business = granted_on_collection(record.baseId, constant('\\ACL::CANMODIFRECORD')) %}
 {% set display_exif = true %}
 
 {% if view == 'answer' %}

templates/web/common/menubar.html.twig

@@ -87,7 +87,7 @@
           </li>
           {% endif %}
 
-          {% if module is defined and module == "prod" and app.getAclForUser(app.getAuthenticatedUser()).has_right('order_master') %}
+          {% if module is defined and module == "prod" and app.getAclForUser(app.getAuthenticatedUser()).has_right(constant('\\ACL::ORDER_MASTER')) %}
           <li>
             <a href="{{ path('prod_orders') }}" class="dialog full-dialog" title="{{ 'Orders manager' | trans }}">
               <span>

templates/web/lightbox/IE6/feed.html.twig

@@ -82,7 +82,7 @@
                 <div class="right_column_wrapper right_column_wrapper_caption left unselectable" style="width:230px;height:auto;">
                     <div id="record_infos">
                         <div class="lightbox_container">
-              {% set business = app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(first_item.getRecord(app).get_base_id(), 'canmodifrecord') %}
+              {% set business = app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(first_item.getRecord(app).get_base_id(), constant('\\ACL::CANMODIFRECORD')) %}
               {% if first_item %}
                 {{macro.caption(first_item.getRecord(app), business, false)}}
               {% endif %}

templates/web/lightbox/IE6/validate.html.twig

@@ -94,7 +94,7 @@
                     <div id="record_infos">
                         <div class="lightbox_container">
               {% if basket_element %}
-                {% set business = app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(basket_element.getRecord(app).get_base_id(), 'canmodifrecord') %}
+                {% set business = app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(basket_element.getRecord(app).get_base_id(), constant('\\ACL::CANMODIFRECORD')) %}
                 {{macro.caption(basket_element.getRecord(app), business, false)}}
               {% endif %}
             </div>

templates/web/lightbox/feed.html.twig

@@ -79,7 +79,7 @@
                 <div class="right_column_wrapper caption right_column_wrapper_caption PNB">
                     <div id="record_infos" class="PNB">
                         <div class="lightbox_container PNB">
-              {% set business = app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(first_item.getRecord(app).get_base_id(), 'canmodifrecord') %}
+              {% set business = app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(first_item.getRecord(app).get_base_id(), constant('\\ACL::CANMODIFRECORD')) %}
               {% if first_item %}
                 {{macro.caption(first_item.getRecord(app), business, false, true)}}
               {% endif %}

templates/web/lightbox/validate.html.twig

@@ -94,7 +94,7 @@
                     <div id="record_infos" class="PNB">
                         <div class="lightbox_container PNB">
               {% if basket_element %}
-                {% set business =  app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(basket_element.getRecord(app).get_base_id(), 'canmodifrecord') %}
+                {% set business =  app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(basket_element.getRecord(app).get_base_id(), constant('\\ACL::CANMODIFRECORD')) %}
                 {{macro.caption(basket_element.getRecord(app), business, false, true)}}
               {% endif %}
             </div>

templates/web/prod/WorkZone/Basket.html.twig

@@ -11,19 +11,19 @@
         <img src="/assets/common/images/icons/print_history.png"/>
       </button>
 
-      {% if app.getAclForUser(app.getAuthenticatedUser()).has_right('modifyrecord') %}
+      {% if app.getAclForUser(app.getAuthenticatedUser()).has_right(constant('\\ACL::CANMODIFRECORD')) %}
       <button class="ui-corner-all TOOL_ppen_btn basket_window" title="{{ 'action : editer' | trans }}">
         <img src="/assets/common/images/icons/ppen_history.png"/>
       </button>
       {% endif %}
 
-      {% if app.getAclForUser(app.getAuthenticatedUser()).has_right('changestatus') %}
+      {% if app.getAclForUser(app.getAuthenticatedUser()).has_right(constant('\\ACL::CHGSTATUS')) %}
       <button class="ui-corner-all TOOL_chgstatus_btn basket_window" title="{{ 'action : status' | trans }}">
         <img src="/assets/common/images/icons/chgstatus_history.png"/>
       </button>
       {% endif %}
 
-      {% if app.getAclForUser(app.getAuthenticatedUser()).has_right('deleterecord') and app.getAclForUser(app.getAuthenticatedUser()).has_right('addrecord') %}
+      {% if app.getAclForUser(app.getAuthenticatedUser()).has_right(constant('\\ACL::CANDELETERECORD')) and app.getAclForUser(app.getAuthenticatedUser()).has_right(constant('\\ACL::CANADDRECORD')) %}
       <button class="ui-corner-all TOOL_chgcoll_btn basket_window" title="{{ 'action : collection' | trans }}">
         <img src="/assets/common/images/icons/chgcoll_history.png"/>
       </button>
@@ -49,7 +49,7 @@
       </button>
       {% endif %}
 
-      {% if app.getAclForUser(app.getAuthenticatedUser()).has_right('doctools') %}
+      {% if app.getAclForUser(app.getAuthenticatedUser()).has_right(constant('\\ACL::IMGTOOLS')) %}
       <button class="ui-corner-all TOOL_imgtools_btn basket_window" title="{{ 'action : outils' | trans }}">
         <img src="/assets/common/images/icons/imgtools_history.png"/>
       </button>

templates/web/prod/WorkZone/Macros.html.twig

@@ -48,7 +48,7 @@
                              onclick="downloadThis('ssel={{basket.getId()}}');">{{ 'action::exporter' | trans }}
                         </div>
                       </div>
-                        {% if app.getAclForUser(app.getAuthenticatedUser()).has_right('modifyrecord') %}
+                        {% if app.getAclForUser(app.getAuthenticatedUser()).has_right(constant('\\ACL::CANMODIFRECORD')) %}
                           <div title="" class="context-menu-item menu3-custom-item">
                             <div onclick="editThis('SSTT','{{basket.getId()}}');" style=""
                                  class="context-menu-item-inner">{{ 'edit' | trans }}
@@ -230,7 +230,7 @@
                              onclick="downloadThis('lst={{story.getRecord(app).get_serialize_key()}}');">{{ 'action::exporter' | trans }}
                         </div>
                       </div>
-                        {% if app.getAclForUser(app.getAuthenticatedUser()).has_right('modifyrecord') %}
+                        {% if app.getAclForUser(app.getAuthenticatedUser()).has_right(constant('\\ACL::CANMODIFRECORD')) %}
                       <div title="" class="context-menu-item menu3-custom-item">
                         <div onclick="editThis('IMGT','{{story.getRecord(app).get_serialize_key()}}');" style=""
                              class="context-menu-item-inner">{{ 'action::editer' | trans }}

templates/web/prod/WorkZone/Story.html.twig

@@ -11,19 +11,19 @@
         <img src="/assets/common/images/icons/print_history.png"/>
       </button>
 
-      {% if app.getAclForUser(app.getAuthenticatedUser()).has_right('modifyrecord') %}
+      {% if app.getAclForUser(app.getAuthenticatedUser()).has_right(constant('\\ACL::CANMODIFRECORD')) %}
       <button class="ui-corner-all TOOL_ppen_btn story_window" title="{{ 'action : editer' | trans }}">
         <img src="/assets/common/images/icons/ppen_history.png"/>
       </button>
       {% endif %}
 
-      {% if app.getAclForUser(app.getAuthenticatedUser()).has_right('changestatus') %}
+      {% if app.getAclForUser(app.getAuthenticatedUser()).has_right(constant('\\ACL::CHGSTATUS')) %}
       <button class="ui-corner-all TOOL_chgstatus_btn story_window" title="{{ 'action : status' | trans }}">
         <img src="/assets/common/images/icons/chgstatus_history.png"/>
       </button>
       {% endif %}
 
-      {% if app.getAclForUser(app.getAuthenticatedUser()).has_right('deleterecord') and app.getAclForUser(app.getAuthenticatedUser()).has_right('addrecord') %}
+      {% if app.getAclForUser(app.getAuthenticatedUser()).has_right(constant('\\ACL::CANDELETERECORD')) and app.getAclForUser(app.getAuthenticatedUser()).has_right(constant('\\ACL::CANADDRECORD')) %}
       <button class="ui-corner-all TOOL_chgcoll_btn story_window" title="{{ 'action : collection' | trans }}">
         <img src="/assets/common/images/icons/chgcoll_history.png"/>
       </button>
@@ -49,7 +49,7 @@
       </button>
       {% endif %}
 
-      {% if app.getAclForUser(app.getAuthenticatedUser()).has_right('doctools') %}
+      {% if app.getAclForUser(app.getAuthenticatedUser()).has_right(constant('\\ACL::IMGTOOLS')) %}
       <button class="ui-corner-all TOOL_imgtools_btn story_window" title="{{ 'action : outils' | trans }}">
         <img src="/assets/common/images/icons/imgtools_history.png"/>
       </button>

templates/web/prod/actions/Push.html.twig

@@ -87,7 +87,7 @@
                                 <input class="search" name="users-search" placeholder="{{ 'Users' | trans }}" type="text" style="width:210px;"/>
                                 <br/>
                                 {{ 'Select a user in the list' | trans }} <br/>
-                                {% if app.getAclForUser(app.getAuthenticatedUser()).has_right('manageusers') %}
+                                {% if app.getAclForUser(app.getAuthenticatedUser()).has_right(constant('\\ACL::CANADMIN')) %}
                                     {{ 'or' | trans }}
                                     <a href="{{ path('prod_push_add_user') }}" class="user_adder btn btn-mini">{{ 'Add user' | trans }}</a>
                                 {% endif %}

templates/web/prod/actions/edit_default.html.twig

@@ -27,7 +27,7 @@
     {% endif %}
 
     {% set class_status = 'nostatus' %}
-    {% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(record.get_base_id(), 'chgstatus') %}
+    {% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(record.get_base_id(), constant('\\ACL::CHGSTATUS')) %}
         {% set class_status = '' %}
     {% endif %}
 

templates/web/prod/index.html.twig

@@ -145,7 +145,7 @@
                                 {{ 'Browse Baskets' | trans }}
                             </a>
                         </div>
-                        {% if app['conf'].get(['registry', 'modules', 'stories']) and app.getAclForUser(app.getAuthenticatedUser()).has_right('addrecord') %}
+                        {% if app['conf'].get(['registry', 'modules', 'stories']) and app.getAclForUser(app.getAuthenticatedUser()).has_right(constant('\\ACL::CANADDRECORD')) %}
                             <div class="context-menu-item-inner">
                                 <a title="{{ 'action:: nouveau reportage' | trans }}" class="dialog small-dialog" href="{{ path('prod_stories_create') }}">
                                     <img style="cursor:pointer;" src="/assets/common/images/icons/mtadd_0.gif" title="{{ 'action:: nouveau reportage' | trans }}" />

templates/web/prod/preview/caption.html.twig

@@ -1,6 +1,6 @@
 {% import 'common/macros.html.twig' as macro %}
 
-  {% set can_edit = granted_on_collection(record.baseId, 'canmodifrecord') %}
+  {% set can_edit = granted_on_collection(record.baseId, constant('\\ACL::CANMODIFRECORD')) %}
   {% set can_see_business = can_edit %}
 
   {% if can_edit %}

templates/web/prod/preview/tools.html.twig

@@ -1,5 +1,5 @@
 
-{% if (record.is_from_basket is empty) and app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(record.get_base_id(), 'canputinalbum') %}
+{% if (record.is_from_basket is empty) and app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(record.get_base_id(), constant('\\ACL::CANPUTINALBUM')) %}
   <div sbas="{{record.get_sbas_id()}}" id="PREV_BASKADD_{{record.get_serialize_key}}"
        class="baskAdder" title="{{ 'action : ajouter au panier' | trans }}"
        onclick="evt_add_in_chutier('{{record.get_sbas_id()}}','{{record.get_record_id()}}',false,this);return(false);">
@@ -21,7 +21,7 @@
       <img src="/assets/common/images/icons/print_history.png" height="16" width="16" class="btn-image" title="'{{ 'action : print' | trans }}">
   </div>
 
-{% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(record.get_base_id(), 'candwnldhd') or app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(record.get_base_id(), 'candwnldpreview') %}
+{% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(record.get_base_id(), constant('\\ACL::CANDWNLDHD')) or app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(record.get_base_id(), constant('\\ACL::CANDWNLDPREVIEW')) %}
     <div onclick="evt_dwnl('{{record.get_sbas_id()}}_{{record.get_record_id()}}');return(false);">
         <img src="/assets/common/images/icons/disktt_history.png" height="16" width="16" class="btn-image" title="{{ 'action : exporter' | trans }}">
        {# <img style="vertical-align:middle" src="/assets/common/images/icons/basket.png" width="16">#}

templates/web/prod/results/list.html.twig

@@ -13,7 +13,7 @@
                 <td valign="middle">
                     <div class='desc' style='max-height:{{ settings.images_size + 70 }}px;overflow-y:auto;'>
                         <div class="fixeddesc">
-                            {% set can_see_business = granted_on_collection(record.baseId, 'canmodifrecord') %}
+                            {% set can_see_business = granted_on_collection(record.baseId, constant('\\ACL::CANMODIFRECORD')) %}
                             {{ macro.caption(record, can_see_business) }}
                         </div>
                     </div>

templates/web/prod/results/record.html.twig

@@ -18,7 +18,7 @@
             </div>
         </div>
 
-        {% set can_see_business = granted_on_collection(record.baseId, 'canmodifrecord') %}
+        {% set can_see_business = granted_on_collection(record.baseId, constant('\\ACL::CANMODIFRECORD')) %}
 
         <div class="thumb captionTips"
              {% if settings.rollover_thumbnail == 'caption' %}title="{{ macro.caption(record, can_see_business, false) | e }}"{% endif %}
@@ -105,7 +105,7 @@
                             <tr>
                                 <td>
                                     <div class="context-menu context-menu-theme-vista">
-                                        {% if granted_on_collection(record.baseId, 'canputinalbum') and not record.story %}
+                                        {% if granted_on_collection(record.baseId, constant('\\ACL::CANPUTINALBUM')) and not record.story %}
                                             <div title="" class="context-menu-item">
                                                 <div class="context-menu-item-inner"
                                                      onclick="evt_add_in_chutier('{{record.databoxId}}','{{record.recordId}}',false,this);return(false);">
@@ -113,7 +113,7 @@
                                                 </div>
                                             </div>
                                         {% endif %}
-                                        {% if granted_on_collection(record.baseId, 'candwnldpreview') or granted_on_collection(record.baseId, 'candwnldhd') %}
+                                        {% if granted_on_collection(record.baseId, constant('\\ACL::CANDWNLDPREVIEW')) or granted_on_collection(record.baseId, constant('\\ACL::CANDWNLDHD')) %}
                                             <div title="" class="context-menu-item">
                                                 <div class="context-menu-item-inner"
                                                      onclick="evt_dwnl('{{record.id}}',false,this);return(false);">

templates/web/prod/toolbar.html.twig

@@ -63,19 +63,19 @@
     </span>
 
     {% set actions = {} %}
-    {% if acl.has_right('modifyrecord') %}
+    {% if acl.has_right(constant('\\ACL::CANMODIFRECORD')) %}
         {% set label %}
         {{ 'action : editer' | trans }}
         {% endset %}
         {% set actions = actions|merge( { 'edit' : {'icon': "/assets/common/images/icons/ppen_history.png", 'class':'TOOL_ppen_btn', 'label' : label} }) %}
     {% endif %}
-    {% if acl.has_right('changestatus') %}
+    {% if acl.has_right(constant('\\ACL::CHGSTATUS')) %}
         {% set label %}
         {{ 'action : status' | trans }}
         {% endset %}
         {% set actions = actions|merge( { 'status' : {'icon': "/assets/common/images/icons/chgstatus_history.png", 'class':'TOOL_chgstatus_btn', 'label' : label} }) %}
     {% endif %}
-    {% if acl.has_right('deleterecord') and acl.has_right('addrecord') %}
+    {% if acl.has_right(constant('\\ACL::CANDELETERECORD')) and acl.has_right(constant('\\ACL::CANADDRECORD')) %}
         {% set label %}
         {{ 'action : collection' | trans }}
         {% endset %}
@@ -287,7 +287,7 @@
         </span>
     {% endif %}
 
-    {% if acl.has_right('doctools') %}
+    {% if acl.has_right(constant('\\ACL::IMGTOOLS')) %}
         <span class="classicButton">
             <div class="btn-group">
                 <button class="TOOL_imgtools_btn results_window btn btn-inverse">
@@ -296,7 +296,7 @@
             </div>
         </span>
     {% endif %}
-    {% if acl.has_right('deleterecord') %}
+    {% if acl.has_right(constant('\\ACL::CANDELETERECORD')) %}
         <span class="classicButton">
             <div class="btn-group">
                 <button class="TOOL_trash_btn results_window btn btn-inverse">

templates/web/prod/upload/lazaret.html.twig

@@ -383,8 +383,8 @@
                 {% for record in records %}
                     {% set reasons = record['reasons'] %}
                     {% set record = record['record'] %}
-                    {% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(record.get_base_id(), "canaddrecord")
-                        and app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(record.get_base_id(), "candeleterecord") %}
+                    {% if app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(record.get_base_id(), constant('\\ACL::CANADDRECORD'))
+                        and app.getAclForUser(app.getAuthenticatedUser()).has_right_on_base(record.get_base_id(), constant('\\ACL::CANDELETERECORD')) %}
                         <li class="records-subititution span3" style="width:210px">
                             {% include 'prod/results/record.html.twig' with {
                             'record': record,

tests/Alchemy/Tests/Phrasea/Controller/Admin/AdminCollectionTest.php

@@ -283,7 +283,7 @@ class AdminCollectionTest extends \PhraseanetAuthenticatedWebTestCase
 
         $this->checkRedirection(self::$DI['client']->getResponse(), '/admin/collection/' . self::$DI['collection']->get_base_id() . '/?success=1');
 
-        $this->assertTrue(self::$DI['app']->getAclForUser(self::$DI['user_alt1'])->has_right_on_base(self::$DI['collection']->get_base_id(), 'order_master'));
+        $this->assertTrue(self::$DI['app']->getAclForUser(self::$DI['user_alt1'])->has_right_on_base(self::$DI['collection']->get_base_id(), \ACL::ORDER_MASTER));
     }
 
     /**

tests/Alchemy/Tests/Phrasea/Controller/Admin/UsersTest.php

@@ -70,9 +70,9 @@ class UsersTest extends \PhraseanetAuthenticatedWebTestCase
         $datas = json_decode($response->getContent());
         $this->assertFalse($datas->error);
 
-        $this->assertTrue(self::$DI['app']->getAclForUser($user)->has_right_on_base(self::$DI['collection']->get_base_id(), "manage"));
-        $this->assertTrue(self::$DI['app']->getAclForUser($user)->has_right_on_base(self::$DI['collection']->get_base_id(), "canpush"));
-        $this->assertTrue(self::$DI['app']->getAclForUser($user)->has_right_on_base(self::$DI['collection']->get_base_id(), "canreport"));
+        $this->assertTrue(self::$DI['app']->getAclForUser($user)->has_right_on_base(self::$DI['collection']->get_base_id(), \ACL::COLL_MANAGE));
+        $this->assertTrue(self::$DI['app']->getAclForUser($user)->has_right_on_base(self::$DI['collection']->get_base_id(), \ACL::CANPUSH));
+        $this->assertTrue(self::$DI['app']->getAclForUser($user)->has_right_on_base(self::$DI['collection']->get_base_id(), \ACL::CANREPORT));
 
         self::$DI['app']['orm.em']->refresh($user);
         self::$DI['app']['manipulator.user']->delete($user);
@@ -355,10 +355,10 @@ class UsersTest extends \PhraseanetAuthenticatedWebTestCase
                 self::$DI['app']->getAclForUser($user)->give_access_to_base([$base_id]);
 
                 $rights = [
-                    'canputinalbum'  => '1'
-                    , 'candwnldhd'     => '1'
-                    , 'candwnldsubdef' => '1'
-                    , 'nowatermark'    => '1'
+                    \ACL::CANPUTINALBUM  => '1',
+                    \ACL::CANDWNLDHD     => '1',
+                    'candwnldsubdef' => '1',
+                    \ACL::NOWATERMARK    => '1'
                 ];
 
                 self::$DI['app']->getAclForUser($user)->update_rights_to_base($collection->get_base_id(), $rights);

tests/Alchemy/Tests/Phrasea/Controller/Api/ApiJsonTest.php

@@ -1010,10 +1010,12 @@ class ApiJsonTest extends ApiTestCase
             $collection->set_public_presentation('none');
         }
         $app->getAclForUser(self::$DI['user_notAdmin'])->update_rights_to_base(
-            $collection->get_base_id(), array(
-            'candwnldpreview' => 1,
-            'candwnldhd' => 1
-        ));
+            $collection->get_base_id(),
+            [
+                \ACL::CANDWNLDPREVIEW => 1,
+                \ACL::CANDWNLDHD      => 1
+            ]
+        );
 
         /** @var \record_adapter $record_1 */
         $record_1 = self::$DI['record_1'];
@@ -1052,8 +1054,8 @@ class ApiJsonTest extends ApiTestCase
         $this->setToken($this->userAccessToken);
 
         self::$DI['app']->getAclForUser(self::$DI['user_notAdmin'])->update_rights_to_base(self::$DI['collection']->get_base_id(), array(
-            'candwnldpreview' => 1,
-            'candwnldhd' => 0
+            \ACL::CANDWNLDPREVIEW => 1,
+            \ACL::CANDWNLDHD      => 0
         ));
 
         $route = '/api/v1/records/' . self::$DI['record_1']->get_sbas_id() . '/' . self::$DI['record_1']->get_record_id() . '/embed/';
@@ -1075,10 +1077,13 @@ class ApiJsonTest extends ApiTestCase
     {
         $this->setToken($this->userAccessToken);
 
-        self::$DI['app']->getAclForUser(self::$DI['user_notAdmin'])->update_rights_to_base(self::$DI['collection']->get_base_id(), array(
-            'candwnldpreview' => 0,
-            'candwnldhd' => 0
-        ));
+        self::$DI['app']->getAclForUser(self::$DI['user_notAdmin'])->update_rights_to_base(
+            self::$DI['collection']->get_base_id(),
+            [
+                \ACL::CANDWNLDPREVIEW => 0,
+                \ACL::CANDWNLDHD => 0
+            ]
+        );
 
         $route = '/api/v1/records/' . self::$DI['record_1']->get_sbas_id() . '/' . self::$DI['record_1']->get_record_id() . '/embed/';
 

tests/Alchemy/Tests/Phrasea/Controller/Prod/PropertyTest.php

@@ -85,11 +85,11 @@ class PropertyTest extends \PhraseanetAuthenticatedWebTestCase
             ->will($this->returnValue(true));
         $acl->expects($this->any())
             ->method('has_right_on_base')
-            ->with($this->isType(\PHPUnit_Framework_Constraint_IsType::TYPE_INT), $this->equalTo('chgstatus'))
+            ->with($this->isType(\PHPUnit_Framework_Constraint_IsType::TYPE_INT), $this->equalTo(\ACL::CHGSTATUS))
             ->will($this->returnValue(true));
         $acl->expects($this->any())
             ->method('has_right_on_sbas')
-            ->with($this->isType(\PHPUnit_Framework_Constraint_IsType::TYPE_INT), $this->equalTo('chgstatus'))
+            ->with($this->isType(\PHPUnit_Framework_Constraint_IsType::TYPE_INT), $this->equalTo(\ACL::CHGSTATUS))
             ->will($this->returnValue(true));
 
         $aclProvider = $this->getMockBuilder('Alchemy\Phrasea\Authentication\ACLProvider')

tests/Alchemy/Tests/Phrasea/Controller/RecordsRequestTest.php

@@ -105,7 +105,10 @@ class RecordsRequestTest extends \PhraseanetAuthenticatedTestCase
     public function testSimpleWithoutBasRights()
     {
         self::$DI['app']->getAclForUser(self::$DI['app']->getAuthenticatedUser())
-            ->update_rights_to_base(self::$DI['record_2']->get_base_id(), ['chgstatus' => 0]);
+            ->update_rights_to_base(
+                self::$DI['record_2']->get_base_id(),
+                [\ACL::CHGSTATUS => 0]
+            );
 
         $request = new Request([
             'lst' => implode(';', [
@@ -113,7 +116,7 @@ class RecordsRequestTest extends \PhraseanetAuthenticatedTestCase
             ])
         ]);
 
-        $records = RecordsRequest::fromRequest(self::$DI['app'], $request, false, ['chgstatus']);
+        $records = RecordsRequest::fromRequest(self::$DI['app'], $request, false, [\ACL::CHGSTATUS]);
 
         $this->assertEquals(0, count($records));
         $this->assertEquals(1, count($records->received()));

tests/Alchemy/Tests/Phrasea/Model/Manipulator/ACLManipulatorTest.php

@@ -32,23 +32,23 @@ class ACLManipulatorTest extends \PhraseanetTestCase
                 $acl->set_masks_on_base($baseId, '1', '1', '1', '1');
 
                 $acl->update_rights_to_base($baseId, [
-                    'canputinalbum'     => '0',
-                    'candwnldhd'        => '0',
+                    \ACL::CANPUTINALBUM     => '0',
+                    \ACL::CANDWNLDHD        => '0',
                     'candwnldsubdef'    => '0',
-                    'nowatermark'       => '0',
-                    'candwnldpreview'   => '0',
-                    'cancmd'            => '0',
-                    'canadmin'          => '0',
-                    'canreport'         => '0',
-                    'canpush'           => '0',
+                    \ACL::NOWATERMARK       => '0',
+                    \ACL::CANDWNLDPREVIEW   => '0',
+                    \ACL::CANCMD            => '0',
+                    \ACL::CANADMIN          => '0',
+                    \ACL::CANREPORT         => '0',
+                    \ACL::CANPUSH           => '0',
                     'creationdate'      => '0',
-                    'canaddrecord'      => '0',
-                    'canmodifrecord'    => '0',
-                    'candeleterecord'   => '0',
-                    'chgstatus'         => '0',
-                    'imgtools'          => '0',
-                    'manage'            => '0',
-                    'modify_struct'     => '0',
+                    \ACL::CANADDRECORD      => '0',
+                    \ACL::CANMODIFRECORD    => '0',
+                    \ACL::CANDELETERECORD   => '0',
+                    \ACL::CHGSTATUS         => '0',
+                    \ACL::IMGTOOLS          => '0',
+                    \ACL::MANAGE            => '0',
+                    \ACL::MODIFY_STRUCT     => '0',
                     'bas_modify_struct' => '0'
                 ]);
 
@@ -70,21 +70,21 @@ class ACLManipulatorTest extends \PhraseanetTestCase
         $this->assertTrue($acl->has_right_on_sbas($databoxId, 'bas_modif_th'));
         $this->assertTrue($acl->has_right_on_sbas($databoxId, 'bas_chupub'));
 
-        $this->assertTrue($acl->has_right_on_base($baseId, 'canputinalbum'));
-        $this->assertTrue($acl->has_right_on_base($baseId, 'candwnldhd'));
-        $this->assertTrue($acl->has_right_on_base($baseId, 'nowatermark'));
-        $this->assertTrue($acl->has_right_on_base($baseId, 'candwnldpreview'));
-        $this->assertTrue($acl->has_right_on_base($baseId, 'cancmd'));
-        $this->assertTrue($acl->has_right_on_base($baseId, 'canadmin'));
-        $this->assertTrue($acl->has_right_on_base($baseId, 'canreport'));
-        $this->assertTrue($acl->has_right_on_base($baseId, 'canpush'));
-        $this->assertTrue($acl->has_right_on_base($baseId, 'canaddrecord'));
-        $this->assertTrue($acl->has_right_on_base($baseId, 'canmodifrecord'));
-        $this->assertTrue($acl->has_right_on_base($baseId, 'candeleterecord'));
-        $this->assertTrue($acl->has_right_on_base($baseId, 'chgstatus'));
-        $this->assertTrue($acl->has_right_on_base($baseId, 'imgtools'));
-        $this->assertTrue($acl->has_right_on_base($baseId, 'manage'));
-        $this->assertTrue($acl->has_right_on_base($baseId, 'modify_struct'));
+        $this->assertTrue($acl->has_right_on_base($baseId, \ACL::CANPUTINALBUM));
+        $this->assertTrue($acl->has_right_on_base($baseId, \ACL::CANDWNLDHD));
+        $this->assertTrue($acl->has_right_on_base($baseId, \ACL::NOWATERMARK));
+        $this->assertTrue($acl->has_right_on_base($baseId, \ACL::CANDWNLDPREVIEW));
+        $this->assertTrue($acl->has_right_on_base($baseId, \ACL::CANCMD));
+        $this->assertTrue($acl->has_right_on_base($baseId, \ACL::CANADMIN));
+        $this->assertTrue($acl->has_right_on_base($baseId, \ACL::CANREPORT));
+        $this->assertTrue($acl->has_right_on_base($baseId, \ACL::CANPUSH));
+        $this->assertTrue($acl->has_right_on_base($baseId, \ACL::CANADDRECORD));
+        $this->assertTrue($acl->has_right_on_base($baseId, \ACL::CANMODIFRECORD));
+        $this->assertTrue($acl->has_right_on_base($baseId, \ACL::CANDELETERECORD));
+        $this->assertTrue($acl->has_right_on_base($baseId, \ACL::CHGSTATUS));
+        $this->assertTrue($acl->has_right_on_base($baseId, \ACL::IMGTOOLS));
+        $this->assertTrue($acl->has_right_on_base($baseId, \ACL::MANAGE));
+        $this->assertTrue($acl->has_right_on_base($baseId, \ACL::MODIFY_STRUCT));
 
         $this->assertEquals(0, $acl->get_limits($baseId));
         $this->assertEquals(0, $acl->get_limits($acl->get_mask_xor($baseId)));

tests/Alchemy/Tests/Phrasea/Model/Manipulator/RegistrationManipulatorTest.php

@@ -40,11 +40,11 @@ class RegistrationManipulatorTest extends \PhraseanetTestCase
         $aclMock->expects($this->once())->method('give_access_to_sbas')->with($this->equalTo([self::$DI['collection']->get_sbas_id()]));
         $aclMock->expects($this->once())->method('give_access_to_base')->with($this->equalTo([self::$DI['collection']->get_base_id()]));
         $aclMock->expects($this->once())->method('update_rights_to_base')->with($this->equalTo(self::$DI['collection']->get_base_id()), $this->equalTo([
-            'canputinalbum'   => '1',
-            'candwnldhd'      => '1',
-            'nowatermark'     => '0',
-            'candwnldpreview' => '1',
-            'actif'           => '1',
+            \ACL::CANPUTINALBUM   => '1',
+            \ACL::CANDWNLDHD      => '1',
+            \ACL::NOWATERMARK     => '0',
+            \ACL::CANDWNLDPREVIEW => '1',
+            \ACL::ACTIF           => '1',
         ]));
 
         $aclProviderMock = $this->getMockBuilder('Alchemy\Phrasea\Authentication\ACLProvider')->disableOriginalConstructor()->getMock();

tests/classes/ACLTest.php

@@ -189,16 +189,21 @@ class ACLTest extends \PhraseanetTestCase
                 $this->object->give_access_to_base([$base_id]);
 
                 if ($first) {
-                    $this->object->update_rights_to_base($base_id, ['imgtools'      => true, 'chgstatus'     => true, 'canaddrecord'  => true, 'canputinalbum' => true]);
+                    $this->object->update_rights_to_base($base_id, [
+                        \ACL::IMGTOOLS      => true,
+                        \ACL::CHGSTATUS     => true,
+                        \ACL::CANADDRECORD  => true,
+                        \ACL::CANPUTINALBUM => true
+                    ]);
                     $base_ref = $base_id;
                 } else {
                     $this->object->duplicate_right_from_bas($base_ref, $base_id);
                 }
 
-                $this->assertTrue($this->object->has_right_on_base($base_id, 'imgtools'));
-                $this->assertTrue($this->object->has_right_on_base($base_id, 'chgstatus'));
-                $this->assertTrue($this->object->has_right_on_base($base_id, 'canaddrecord'));
-                $this->assertTrue($this->object->has_right_on_base($base_id, 'canputinalbum'));
+                $this->assertTrue($this->object->has_right_on_base($base_id, \ACL::IMGTOOLS));
+                $this->assertTrue($this->object->has_right_on_base($base_id, \ACL::CHGSTATUS));
+                $this->assertTrue($this->object->has_right_on_base($base_id, \ACL::CANADDRECORD));
+                $this->assertTrue($this->object->has_right_on_base($base_id, \ACL::CANPUTINALBUM));
 
                 $first = false;
             }
@@ -216,16 +221,16 @@ class ACLTest extends \PhraseanetTestCase
     public function testHasRightOnBase()
     {
         $rights_false = [
-            'imgtools'      => false,
-            'chgstatus'     => false,
-            'canaddrecord'  => false,
-            'canputinalbum' => false,
+            \ACL::IMGTOOLS      => false,
+            \ACL::CHGSTATUS     => false,
+            \ACL::CANADDRECORD  => false,
+            \ACL::CANPUTINALBUM => false,
         ];
 
         $rights_true = [
-            'imgtools'     => true,
-            'chgstatus'    => true,
-            'canaddrecord' => true,
+            \ACL::IMGTOOLS     => true,
+            \ACL::CHGSTATUS    => true,
+            \ACL::CANADDRECORD => true,
         ];
 
         foreach (self::$DI['app']->getDataboxes() as $databox) {
@@ -233,20 +238,20 @@ class ACLTest extends \PhraseanetTestCase
                 $base_id = $collection->get_base_id();
                 $this->object->give_access_to_base([$base_id]);
                 $this->object->update_rights_to_base($base_id, $rights_false);
-                $this->assertFalse($this->object->has_right_on_base($base_id, 'imgtools'));
-                $this->assertFalse($this->object->has_right_on_base($base_id, 'chgstatus'));
-                $this->assertFalse($this->object->has_right_on_base($base_id, 'canaddrecord'));
-                $this->assertFalse($this->object->has_right_on_base($base_id, 'canputinalbum'));
+                $this->assertFalse($this->object->has_right_on_base($base_id, \ACL::IMGTOOLS));
+                $this->assertFalse($this->object->has_right_on_base($base_id, \ACL::CHGSTATUS));
+                $this->assertFalse($this->object->has_right_on_base($base_id, \ACL::CANADDRECORD));
+                $this->assertFalse($this->object->has_right_on_base($base_id, \ACL::CANPUTINALBUM));
                 $this->object->update_rights_to_base($base_id, $rights_true);
-                $this->assertTrue($this->object->has_right_on_base($base_id, 'imgtools'));
-                $this->assertTrue($this->object->has_right_on_base($base_id, 'chgstatus'));
-                $this->assertTrue($this->object->has_right_on_base($base_id, 'canaddrecord'));
-                $this->assertFalse($this->object->has_right_on_base($base_id, 'canputinalbum'));
+                $this->assertTrue($this->object->has_right_on_base($base_id, \ACL::IMGTOOLS));
+                $this->assertTrue($this->object->has_right_on_base($base_id, \ACL::CHGSTATUS));
+                $this->assertTrue($this->object->has_right_on_base($base_id, \ACL::CANADDRECORD));
+                $this->assertFalse($this->object->has_right_on_base($base_id, \ACL::CANPUTINALBUM));
                 $this->object->update_rights_to_base($base_id, $rights_false);
-                $this->assertFalse($this->object->has_right_on_base($base_id, 'imgtools'));
-                $this->assertFalse($this->object->has_right_on_base($base_id, 'chgstatus'));
-                $this->assertFalse($this->object->has_right_on_base($base_id, 'canaddrecord'));
-                $this->assertFalse($this->object->has_right_on_base($base_id, 'canputinalbum'));
+                $this->assertFalse($this->object->has_right_on_base($base_id, \ACL::IMGTOOLS));
+                $this->assertFalse($this->object->has_right_on_base($base_id, \ACL::CHGSTATUS));
+                $this->assertFalse($this->object->has_right_on_base($base_id, \ACL::CANADDRECORD));
+                $this->assertFalse($this->object->has_right_on_base($base_id, \ACL::CANPUTINALBUM));
             }
         }
     }

tests/classes/PhraseanetTestCase.php

@@ -594,27 +594,27 @@ abstract class PhraseanetTestCase extends WebTestCase
 
                 $app->getAclForUser($user)->delete_data_from_cache(\ACL::CACHE_RIGHTS_BAS);
                 $app->getAclForUser($user)->give_access_to_base([$base_id]);
-                $app->getAclForUser($user)->update_rights_to_base($base_id, ['order_master' => true]);
+                $app->getAclForUser($user)->update_rights_to_base($base_id, [\ACL::ORDER_MASTER => true]);
 
                 $rights = [
-                    'canputinalbum'     => '1'
-                    , 'candwnldhd'        => '1'
-                    , 'candwnldsubdef'    => '1'
-                    , 'nowatermark'       => '1'
-                    , 'candwnldpreview'   => '1'
-                    , 'cancmd'            => '1'
-                    , 'canadmin'          => '1'
-                    , 'canreport'         => '1'
-                    , 'canpush'           => '1'
-                    , 'creationdate'      => '1'
-                    , 'canaddrecord'      => '1'
-                    , 'canmodifrecord'    => '1'
-                    , 'candeleterecord'   => '1'
-                    , 'chgstatus'         => '1'
-                    , 'imgtools'          => '1'
-                    , 'manage'            => '1'
-                    , 'modify_struct'     => '1'
-                    , 'bas_modify_struct' => '1'
+                    \ACL::CANPUTINALBUM     => '1',
+                    \ACL::CANDWNLDHD        => '1',
+                    'candwnldsubdef'    => '1',
+                    \ACL::NOWATERMARK       => '1',
+                    \ACL::CANDWNLDPREVIEW   => '1',
+                    \ACL::CANCMD            => '1',
+                    \ACL::CANADMIN          => '1',
+                    \ACL::CANREPORT         => '1',
+                    \ACL::CANPUSH           => '1',
+                    'creationdate'      => '1',
+                    \ACL::CANADDRECORD      => '1',
+                    \ACL::CANMODIFRECORD    => '1',
+                    \ACL::CANDELETERECORD   => '1',
+                    \ACL::CHGSTATUS         => '1',
+                    \ACL::IMGTOOLS          => '1',
+                    \ACL::MANAGE            => '1',
+                    \ACL::MODIFY_STRUCT     => '1',
+                    'bas_modify_struct' => '1'
                 ];
 
                 $app->getAclForUser($user)->update_rights_to_base($collection->get_base_id(), $rights);