diff --git a/bin/console b/bin/console
index 0f315afa68..c49fc89052 100755
--- a/bin/console
+++ b/bin/console
@@ -57,6 +57,7 @@ use Alchemy\Phrasea\Command\User\UserCreateCommand;
 use Alchemy\Phrasea\Command\User\UserPasswordCommand;
 use Alchemy\Phrasea\Command\User\UserListCommand;
 use Alchemy\Phrasea\Command\UpgradeDBDatas;
+use Alchemy\Phrasea\Command\ApplyRightsCommand;
 require_once __DIR__ . '/../lib/autoload.php';
@@ -93,6 +94,7 @@ $cli->command(new \module_console_aboutLicense('about:license'));
 $cli->command(new CheckConfig('check:config'));
 $cli->command(new UpgradeDBDatas('system:upgrade-datas'));
+$cli->command(new ApplyRightsCommand('system:apply-rights'));
 $cli->command(new \module_console_systemMailCheck('system:mail-check'));
 $cli->command(new \module_console_systemBackupDB('system:backup-db'));
diff --git a/lib/Alchemy/Phrasea/Command/ApplyRightsCommand.php b/lib/Alchemy/Phrasea/Command/ApplyRightsCommand.php
new file mode 100644
index 0000000000..bcf0b3d0e7
--- /dev/null
+++ b/lib/Alchemy/Phrasea/Command/ApplyRightsCommand.php
@@ -0,0 +1,89 @@
+setDescription('Apply right on databox, inject appbox:basusr to dboxes:collusr')
+ ->addOption('user_id', null, InputOption::VALUE_REQUIRED, 'the user ID to apply rights')
+ ;
+
+ return $this;
+ }
+
+ protected function doExecute(InputInterface $input, OutputInterface $output)
+ {
+ $userId = $input->getOption('user_id');
+ $userRepository = $this->container['repo.users'];
+
+ if ($userId) {
+ if (($user = $userRepository->find($userId)) === null) {
+ $output->writeln('user not found!');
+
+ return 0;
+ }
+
+ $this->injectRightsSbas($user);
+ } else {
+ foreach ($userRepository->findAll() as $user) {
+ $this->injectRightsSbas($user);
+ }
+ }
+
+ $output->writeln('Apply right on databox finished!');
+
+ return 0;
+ }
+
+ private function injectRightsSbas(User $user)
+ {
+ $userAcl = $this->container->getAclForUser($user);
+
+ foreach ($userAcl->get_granted_sbas() as $databox) {
+
+ $userAcl->delete_injected_rights_sbas($databox);
+
+ $sql = "INSERT INTO collusr
+ (site, usr_id, coll_id, mask_and, mask_xor, ord)
+ VALUES (:site_id, :usr_id, :coll_id, :mask_and, :mask_xor, :ord)";
+ $stmt = $databox->get_connection()->prepare($sql);
+ $iord = 0;
+
+ // fix collusr if user has right on collection
+ foreach ($userAcl->get_granted_base([], [$databox->get_sbas_id()]) as $collection) {
+ try {
+ $stmt->execute([
+ ':site_id' => $this->container['conf']->get(['main', 'key']),
+ ':usr_id' => $user->getId(),
+ ':coll_id' => $collection->get_coll_id(),
+ ':mask_and' => $userAcl->get_mask_and($collection->get_base_id()),
+ ':mask_xor' => $userAcl->get_mask_xor($collection->get_base_id()),
+ ':ord' => $iord++
+ ]);
+ } catch (DBALException $e) {
+
+ }
+ }
+
+ $stmt->closeCursor();
+ }
+ }
+}
diff --git a/lib/Alchemy/Phrasea/Helper/User/Edit.php b/lib/Alchemy/Phrasea/Helper/User/Edit.php
index 5b73a879a4..970b2ec8e1 100644
--- a/lib/Alchemy/Phrasea/Helper/User/Edit.php
+++ b/lib/Alchemy/Phrasea/Helper/User/Edit.php
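Review bot: The empty `catch (DBALException $e) { }` in `injectRightsSbas()` discards every failed `collusr` insert, and it runs after `delete_injected_rights_sbas($databox)`, which by its name has already removed the user's existing injected rows. A database error can therefore leave a user with fewer rights rows than before while the command still prints 'Apply right on databox finished!' and returns 0. The catch should at least record the failure, e.g. `$this->failures[] = sprintf('usr_id %d / coll_id %d: %s', $user->getId(), $collection->get_coll_id(), $e->getMessage());`, and `doExecute()` should return a non-zero status when the list is not empty; if the catch is only meant to tolerate duplicate rows, say so in a comment and narrow it to that case. The 'user not found!' branch also returns 0, so a mistyped `--user_id` looks like success to a calling script. The top of the new file (namespace, imports, class line) is not readable in this hunk and was not reviewed.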
@@ -585,8 +585,8 @@ class Edit extends \Alchemy\Phrasea\Helper\Helper
 $user = $this->app['repo.users']->find($usr_id);
 $this->app->getAclForUser($user)->revoke_access_from_bases($delete)
- ->give_access_to_base($create)
- ->give_access_to_sbas($create_sbas);
+ ->give_access_to_sbas($create_sbas) // give access to sbas before bas
+ ->give_access_to_base($create);
 foreach ($update as $base_id => $rights) {
 $this->app->getAclForUser($user)
diff --git a/lib/classes/record/adapter.php b/lib/classes/record/adapter.php
index f58d54abea..9d94822566 100644
--- a/lib/classes/record/adapter.php
+++ b/lib/classes/record/adapter.php
@@ -1737,7 +1737,9 @@ class record_adapter implements RecordInterface, cache_cacheableInterface
 throw new Exception('This record is not a grouping');
 }
- $selections = $this->getDatabox()->getRecordRepository()->findChildren([$this->getRecordId()], null, $offset, $max_items);
+ $user = $this->getAuthenticatedUser();
+
+ $selections = $this->getDatabox()->getRecordRepository()->findChildren([$this->getRecordId()], $user, $offset, $max_items);
 return reset($selections);
 }
@@ -1747,7 +1749,9 @@ class record_adapter implements RecordInterface, cache_cacheableInterface
 */
 public function get_grouping_parents()
 {
- $selections = $this->getDatabox()->getRecordRepository()->findParents([$this->getRecordId()]);
+ $user = $this->getAuthenticatedUser();
+
+ $selections = $this->getDatabox()->getRecordRepository()->findParents([$this->getRecordId()], $user);
 return reset($selections);
 }
@@ -1950,4 +1954,15 @@ class record_adapter implements RecordInterface, cache_cacheableInterface
 {
 return $this->app['provider.repo.media_subdef']->getRepositoryForDatabox($this->getDataboxId());
 }
+
+ /**
+ * @return User|null
+ */
+ protected function getAuthenticatedUser()
+ {
+ /** @var \Alchemy\Phrasea\Authentication\Authenticator $authenticator */
+ $authenticator = $this->app['authentication'];
+
+ return $authenticator->getUser();
+ }
 }
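Review bot: The inline comment `// give access to sbas before bas` records the new call order but not the reason for it, so a later tidy-up of this chain could restore the old order without anyone noticing that rights are affected. A why-comment would hold up better, for example `// sbas access must exist before give_access_to_base() runs, otherwise the base rights are not propagated to the databox`; that wording is inferred from the rest of this commit and should be checked against the ACL class, which is not shown. The enclosing method starts and ends outside the hunk.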
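Review bot: `getAuthenticatedUser()` is declared `@return User|null`, and the children lookup in the `@@ -1737` hunk passes that value to `findChildren()` in the same argument position where the old code passed a literal `null`; `get_grouping_parents()` in the next hunk does the same with `findParents()`. If the repository treats a null user as "apply no rights filter" (its code is not in this diff, so this is inferred from the previous call), any caller without an authenticated session gets the unfiltered result silently. The helper's docblock should state that contract, e.g. `@return User|null null when nobody is authenticated; callers then query without a per-user filter`, so that the fallback is a documented decision rather than an accident. Because `record_adapter` implements `cache_cacheableInterface`, it is also worth confirming that these now user-dependent results are never stored in a cache shared between users. Both edited method bodies begin outside their hunks.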