Merge pull request #3403 from alchemy-fr/PHRAS-2979-41-fix-right-access

PHRAS-2979 #comment  4.1 The content of a story is not displayed even for users with appropriate on the collection

bin/console

@@ -57,6 +57,7 @@ use Alchemy\Phrasea\Command\User\UserCreateCommand;
 use Alchemy\Phrasea\Command\User\UserPasswordCommand;
 use Alchemy\Phrasea\Command\User\UserListCommand;
 use Alchemy\Phrasea\Command\UpgradeDBDatas;
+use Alchemy\Phrasea\Command\ApplyRightsCommand;
 
 require_once __DIR__ . '/../lib/autoload.php';
 
@@ -93,6 +94,7 @@ $cli->command(new \module_console_aboutLicense('about:license'));
 $cli->command(new CheckConfig('check:config'));
 
 $cli->command(new UpgradeDBDatas('system:upgrade-datas'));
+$cli->command(new ApplyRightsCommand('system:apply-rights'));
 
 $cli->command(new \module_console_systemMailCheck('system:mail-check'));
 $cli->command(new \module_console_systemBackupDB('system:backup-db'));

lib/Alchemy/Phrasea/Command/ApplyRightsCommand.php

@@ -0,0 +1,89 @@
+<?php
+
+/**
+ * This file is part of Phraseanet
+ *
+ * (c) 2005-2020 Alchemy
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Alchemy\Phrasea\Command;
+
+use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+use Alchemy\Phrasea\Model\Entities\User;
+
+class ApplyRightsCommand extends Command
+{
+	public function __construct($name = null)
+    {
+        parent::__construct($name);
+
+        $this->setDescription('Apply right on databox, inject appbox:basusr to dboxes:collusr')
+            ->addOption('user_id', null, InputOption::VALUE_REQUIRED, 'the user ID to apply rights')
+            ;
+
+        return $this;
+    }
+
+    protected function doExecute(InputInterface $input, OutputInterface $output)
+    {
+    	$userId = $input->getOption('user_id');
+    	$userRepository = $this->container['repo.users'];
+
+    	if ($userId) {
+    		if (($user = $userRepository->find($userId)) === null) {
+    			$output->writeln('user not found!');
+
+    			return 0;
+    		}
+
+           	$this->injectRightsSbas($user);
+    	} else {
+    		foreach ($userRepository->findAll() as $user) {
+	            	$this->injectRightsSbas($user);
+	        }
+    	}
+
+    	$output->writeln('Apply right on databox finished!');
+
+    	return 0;
+    }
+
+    private function injectRightsSbas(User $user)
+    {
+    	$userAcl = $this->container->getAclForUser($user);
+
+    	foreach ($userAcl->get_granted_sbas() as $databox) {
+
+	    	$userAcl->delete_injected_rights_sbas($databox);
+
+	        $sql = "INSERT INTO collusr
+	              (site, usr_id, coll_id, mask_and, mask_xor, ord)
+	              VALUES (:site_id, :usr_id, :coll_id, :mask_and, :mask_xor, :ord)";
+	        $stmt = $databox->get_connection()->prepare($sql);
+	        $iord = 0;
+
+	        //  fix collusr if user has right on collection
+	        foreach ($userAcl->get_granted_base([], [$databox->get_sbas_id()]) as $collection) {
+	            try {
+	                $stmt->execute([
+	                    ':site_id'  => $this->container['conf']->get(['main', 'key']),
+	                    ':usr_id'   => $user->getId(),
+	                    ':coll_id'  => $collection->get_coll_id(),
+	                    ':mask_and' => $userAcl->get_mask_and($collection->get_base_id()),
+	                    ':mask_xor' => $userAcl->get_mask_xor($collection->get_base_id()),
+	                    ':ord'      => $iord++
+	                ]);
+	            } catch (DBALException $e) {
+
+	            }
+	        }
+
+	        $stmt->closeCursor();
+    	}
+    }
+}

lib/Alchemy/Phrasea/Helper/User/Edit.php

@@ -585,8 +585,8 @@ class Edit extends \Alchemy\Phrasea\Helper\Helper
                 $user = $this->app['repo.users']->find($usr_id);
 
                 $this->app->getAclForUser($user)->revoke_access_from_bases($delete)
-                    ->give_access_to_base($create)
+                    ->give_access_to_sbas($create_sbas)     // give access to sbas before bas
-                    ->give_access_to_sbas($create_sbas);
+                    ->give_access_to_base($create);
 
                 foreach ($update as $base_id => $rights) {
                     $this->app->getAclForUser($user)

lib/classes/record/adapter.php

@@ -1737,7 +1737,9 @@ class record_adapter implements RecordInterface, cache_cacheableInterface
             throw new Exception('This record is not a grouping');
         }
 
-        $selections = $this->getDatabox()->getRecordRepository()->findChildren([$this->getRecordId()], null, $offset, $max_items);
+        $user = $this->getAuthenticatedUser();
+
+        $selections = $this->getDatabox()->getRecordRepository()->findChildren([$this->getRecordId()], $user, $offset, $max_items);
 
         return reset($selections);
     }
@@ -1747,7 +1749,9 @@ class record_adapter implements RecordInterface, cache_cacheableInterface
      */
     public function get_grouping_parents()
     {
-        $selections = $this->getDatabox()->getRecordRepository()->findParents([$this->getRecordId()]);
+        $user = $this->getAuthenticatedUser();
+
+        $selections = $this->getDatabox()->getRecordRepository()->findParents([$this->getRecordId()], $user);
 
         return reset($selections);
     }
@@ -1950,4 +1954,15 @@ class record_adapter implements RecordInterface, cache_cacheableInterface
     {
         return $this->app['provider.repo.media_subdef']->getRepositoryForDatabox($this->getDataboxId());
     }
+
+    /**
+     * @return User|null
+     */
+    protected function getAuthenticatedUser()
+    {
+        /** @var \Alchemy\Phrasea\Authentication\Authenticator $authenticator */
+        $authenticator = $this->app['authentication'];
+
+        return $authenticator->getUser();
+    }
 }