- Subject: [comanage-dev] r243 - in registry/trunk/app: Controller View/CoPeople
- Date: Fri, 2 Mar 2012 17:28:53 -0500
Author: benno
Date: 2012-03-02 17:28:53 -0500 (Fri, 02 Mar 2012)
New Revision: 243
Modified:
registry/trunk/app/Controller/CoInvitesController.php
registry/trunk/app/Controller/CoPeopleController.php
registry/trunk/app/Controller/CoPersonRolesController.php
registry/trunk/app/Controller/OrgIdentitiesController.php
registry/trunk/app/View/CoPeople/index.ctp
Log:
Fix COU admin authz processing for CO-226
Modified: registry/trunk/app/Controller/CoInvitesController.php
===================================================================
--- registry/trunk/app/Controller/CoInvitesController.php 2012-03-02
22:20:14 UTC (rev 242)
+++ registry/trunk/app/Controller/CoInvitesController.php 2012-03-02
22:28:53 UTC (rev 243)
@@ -164,7 +164,7 @@
$p['reply'] = true;
// Send an invite? (HTML only)
- $p['send'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['subadmin']);
+ $p['send'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
$this->set('permissions', $p);
return($p[$this->action]);
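Review bot: The `send` grant on the new line is CO-wide for any COU admin — `!empty($cmr['couadmin'])` is true whenever the user administers at least one COU, and nothing in this hunk narrows the invite to CO People in those COUs. If the per-COU check lives in the send action or a model callback, a pointer here such as `// COU scope for the target person is enforced in send()` would help; otherwise consider scoping it the way CoPeopleController does with `$p['cous']` and the passed person id. The enclosing function starts outside the hunk.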
Modified: registry/trunk/app/Controller/CoPeopleController.php
===================================================================
--- registry/trunk/app/Controller/CoPeopleController.php 2012-03-02
22:20:14 UTC (rev 242)
+++ registry/trunk/app/Controller/CoPeopleController.php 2012-03-02
22:28:53 UTC (rev 243)
@@ -303,9 +303,10 @@
// Determine what operations this user can perform
// Add a new CO Person?
- $p['add'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['subadmin']);
+ $p['add'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
+ $p['enroll'] = $p['add'];
// Via invite?
- $p['invite'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['subadmin']);
+ $p['invite'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
// Compare CO attributes and Org attributes?
$p['compare'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $self);
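Review bot: The expression `($cmr['cmadmin'] || $cmr['coadmin'] || !empty($cmr['couadmin']))` is now spelled out separately for `add` and `invite` here, for `delete`, `edit`, `index` and `view` in the next hunk, and again in CoPersonRolesController and OrgIdentitiesController in this same revision. Computing it once, e.g. `$isCoOrCouAdmin = ($cmr['cmadmin'] || $cmr['coadmin'] || !empty($cmr['couadmin']));`, would make a future change to the admin rule a one-line edit and remove the risk of one site drifting — the pooled branch in OrgIdentitiesController already uses a different set of keys. `$p['enroll'] = $p['add'];` fits the same pattern. The enclosing function continues outside the hunk.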
@@ -314,20 +315,20 @@
// A COU admin should be able to delete a CO Person, but not if they
have any roles
// associated with a COU the admin isn't responsible for. We'll catch
that in
// checkDeleteDependencies.
- $p['delete'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['subadmin']);
+ $p['delete'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
// Edit an existing CO Person?
- $p['edit'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['subadmin'] ||
$self);
+ $p['edit'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']) || $self);
// Are we allowed to edit our own record?
// If we're an admin, we act as an admin, not self.
- $p['editself'] = $self && !$cmr['cmadmin'] && !$cmr['coadmin'] &&
!$cmr['subadmin'];
+ $p['editself'] = $self && !$cmr['cmadmin'] && !$cmr['coadmin'] &&
empty($cmr['couadmin']);
// View all existing CO People (or a COU's worth)?
- $p['index'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['subadmin']);
+ $p['index'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
// View an existing CO Person?
- $p['view'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['subadmin'] ||
$self);
+ $p['view'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']) || $self);
// Determine which COUs a person can manage.
@@ -335,18 +336,15 @@
$p['cous'] = $this->CoPerson->CoPersonRole->Cou->find("list",
array("conditions" =>
array("co_id" => $this->cur_co['Co']['id'])));
- elseif($cmr['subadmin'])
- $p['cous'] = $this->CoPerson->CoPersonRole->Cou->find("list",
-
array("conditions" =>
-
array("co_id" => $this->cur_co['Co']['id'],
-
"name" => $cmr['couadmin'])));
+ elseif(!empty($cmr['couadmin']))
+ $p['cous'] = $cmr['couadmin'];
else
$p['cous'] = array();
// COUs are handled a bit differently. We need to authorize operations
that
// operate on a per-person basis accordingly.
- if($cmr['subadmin'] && !empty($p['cous']))
+ if(!empty($cmr['couadmin']) && !empty($p['cous']))
{
if(!empty($this->request->params['pass'][0]))
{
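Review bot: Replacing the COU lookup with `$p['cous'] = $cmr['couadmin'];` drops the `co_id => $this->cur_co['Co']['id']` condition the removed query applied, so `$p['cous']` is only scoped to the current CO if `$cmr['couadmin']` is already built per CO — that is not visible here, and the same change appears in the CoPersonRolesController hunk at -276. It also changes the shape of `$p['cous']`: the coadmin branch above still yields the `find("list")` id => name map, while this branch yields whatever `$cmr['couadmin']` holds, and the view's `in_array($pr['Cou']['name'], $permissions['cous'])` only works if both carry COU names as values. A comment such as `// Both branches must yield COU names as values; the view matches on name, not id` on this line would pin that contract. The enclosing function continues outside the hunk.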
@@ -380,7 +378,8 @@
// These permissions are person-level, and are probably not
exactly right.
// Specifically, delete could be problematic since a COU admin
can't
// delete a person with a COU role that the admin doesn't manage.
- // For now, we'll catch that in checkDeleteDependencies.
+ // For now, we'll catch that in checkDeleteDependencies, and let
the view
+ // worry about what to render by checking the list of COUs.
$p['compare'] = true;
$p['delete'] = true;
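Review bot: The rewritten comment delegates the per-COU restriction to the view ("let the view worry about what to render"), but the view only decides which links are rendered; what the server enforces is the grant set on the lines below (`$p['compare'] = true; $p['delete'] = true;`), which any COU admin reaching this branch receives for the requested person. The comment says delete is re-checked in checkDeleteDependencies, but nothing here says the same for compare or edit, so a request issued directly rather than via a rendered link is not filtered by the view's logic. Suggest wording it as `// The view only hides links; the grants below are what is enforced server-side, so delete is re-checked in checkDeleteDependencies` and confirming the remaining operations are re-checked as well. The enclosing function and the branch condition are outside the hunk.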
Modified: registry/trunk/app/Controller/CoPersonRolesController.php
===================================================================
--- registry/trunk/app/Controller/CoPersonRolesController.php 2012-03-02
22:20:14 UTC (rev 242)
+++ registry/trunk/app/Controller/CoPersonRolesController.php 2012-03-02
22:28:53 UTC (rev 243)
@@ -253,7 +253,7 @@
// Determine what operations this user can perform
// Add a new CO Person Role?
- $p['add'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['subadmin']);
+ $p['add'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
// Delete an existing CO Person Role?
$p['delete'] = ($cmr['cmadmin'] || $cmr['coadmin']);
@@ -263,10 +263,10 @@
// Are we trying to edit our own record?
// If we're an admin, we act as an admin, not self.
- $p['editself'] = $self && !$cmr['cmadmin'] && !$cmr['coadmin'] &&
!$cmr['subadmin'];
+ $p['editself'] = $self && !$cmr['cmadmin'] && !$cmr['coadmin'] &&
empty($cmr['couadmin']);
// View all existing CO Person Roles (or a COU's worth)?
- $p['index'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $cmr['subadmin']);
+ $p['index'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
// View an existing CO Person Role?
$p['view'] = ($cmr['cmadmin'] || $cmr['coadmin'] || $self);
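Review bot: After this hunk a COU admin is granted `index` but not `view` (`$p['view']` on the last line still reads `$cmr['cmadmin'] || $cmr['coadmin'] || $self`), and `delete` in the previous hunk is likewise coadmin-only, so unless the per-person block further down sets them a COU admin can list roles in their COU but not open or remove them. If that asymmetry is intentional, a one-line comment on `$p['view']` such as `// COU admins get view per-person below` would stop the next reader from "fixing" it. The enclosing function continues outside the hunk.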
@@ -276,18 +276,15 @@
$p['cous'] = $this->CoPersonRole->Cou->find("list",
array("conditions" =>
array("co_id" =>
$this->cur_co['Co']['id'])));
- elseif($cmr['subadmin'])
- $p['cous'] = $this->CoPersonRole->Cou->find("list",
- array("conditions" =>
- array("co_id" =>
$this->cur_co['Co']['id'],
- "name" =>
$cmr['couadmin'])));
+ elseif(!empty($cmr['couadmin']))
+ $p['cous'] = $cmr['couadmin'];
else
$p['cous'] = array();
// COUs are handled a bit differently. We need to authorize operations
that
// operate on a per-person basis accordingly.
- if($cmr['subadmin'] && !empty($p['cous']))
+ if(!empty($cmr['couadmin']) && !empty($p['cous']))
{
if(!empty($this->request->params['pass'][0]))
{
Modified: registry/trunk/app/Controller/OrgIdentitiesController.php
===================================================================
--- registry/trunk/app/Controller/OrgIdentitiesController.php 2012-03-02
22:20:14 UTC (rev 242)
+++ registry/trunk/app/Controller/OrgIdentitiesController.php 2012-03-02
22:28:53 UTC (rev 243)
@@ -246,29 +246,58 @@
// Construct the permission set for this user, which will also be passed
to the view.
$p = array();
- // Determine what operations this user can perform
+ // Determine what operations this user can perform. This varies
according to
+ // whether or not organizational identities are pooled -- if they are,
we need
+ // to restrict access to only org identities in the same CO.
- // Add a new Org Person?
- $p['add'] = ($cmr['cmadmin'] || $cmr['admin'] || $cmr['subadmin']);
- // Via LDAP query?
- $p['addvialdap'] = ($cmr['cmadmin'] || $cmr['admin'] ||
$cmr['subadmin']);
- $p['selectvialdap'] = ($cmr['cmadmin'] || $cmr['admin'] ||
$cmr['subadmin']);
+ $this->loadModel('CmpEnrollmentConfiguration');
- // Delete an existing Org Person?
- $p['delete'] = ($cmr['cmadmin'] || $cmr['admin'] || $cmr['subadmin']);
+ if($this->CmpEnrollmentConfiguration->orgIdentitiesPooled()) {
+ // Add a new Org Person?
+ $p['add'] = ($cmr['cmadmin'] || $cmr['admin'] || $cmr['subadmin']);
+
+ // Via LDAP query?
+ $p['addvialdap'] = ($cmr['cmadmin'] || $cmr['admin'] ||
$cmr['subadmin']);
+ $p['selectvialdap'] = ($cmr['cmadmin'] || $cmr['admin'] ||
$cmr['subadmin']);
+
+ // Delete an existing Org Person?
+ $p['delete'] = ($cmr['cmadmin'] || $cmr['admin'] || $cmr['subadmin']);
+
+ // Edit an existing Org Person?
+ $p['edit'] = ($cmr['cmadmin'] || $cmr['admin'] || $cmr['subadmin']);
+
+ // Find an Org Person to add to a CO?
+ $p['find'] = ($cmr['cmadmin'] || $cmr['admin'] || $cmr['subadmin']);
+
+ // View all existing Org People?
+ $p['index'] = ($cmr['cmadmin'] || $cmr['admin'] || $cmr['subadmin']);
+
+ // View an existing Org Person?
+ $p['view'] = ($cmr['cmadmin'] || $cmr['admin'] || $cmr['subadmin'] ||
$self);
+ } else {
+ // Add a new Org Person?
+ $p['add'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
+
+ // Via LDAP query?
+ $p['addvialdap'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
+ $p['selectvialdap'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
+
+ // Delete an existing Org Person?
+ $p['delete'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
+
+ // Edit an existing Org Person?
+ $p['edit'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
+
+ // Find an Org Person to add to a CO?
+ $p['find'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
+
+ // View all existing Org People?
+ $p['index'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']));
+
+ // View an existing Org Person?
+ $p['view'] = ($cmr['cmadmin'] || $cmr['coadmin'] ||
!empty($cmr['couadmin']) || $self);
+ }
- // Edit an existing Org Person?
- $p['edit'] = ($cmr['cmadmin'] || $cmr['admin'] || $cmr['subadmin']);
-
- // Find an Org Person to add to a CO?
- $p['find'] = ($cmr['cmadmin'] || $cmr['admin'] || $cmr['subadmin']);
-
- // View all existing Org People?
- $p['index'] = ($cmr['cmadmin'] || $cmr['admin'] || $cmr['subadmin']);
-
- // View an existing Org Person?
- $p['view'] = ($cmr['cmadmin'] || $cmr['admin'] || $cmr['subadmin'] ||
$self);
-
$this->set('permissions', $p);
return($p[$this->action]);
}
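Review bot: The pooled branch (`if($this->CmpEnrollmentConfiguration->orgIdentitiesPooled())`) keeps `$cmr['admin']` and `$cmr['subadmin']`, while the non-pooled branch and every other controller in this revision switch to `$cmr['coadmin']` and `!empty($cmr['couadmin'])`. If `subadmin` is no longer populated in `$cmr` — which the rest of the commit suggests — the pooled expressions evaluate to false for COU admins and emit undefined-index notices, and `admin` next to `coadmin` reads like two names for one flag. Either the pooled branch should use the same keys, or a comment on the `if` should state why pooled org identities are gated on a different role set. The function's header and the `$cmr`/`$self` setup are outside the hunk.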
Modified: registry/trunk/app/View/CoPeople/index.ctp
===================================================================
--- registry/trunk/app/View/CoPeople/index.ctp 2012-03-02 22:20:14 UTC (rev
242)
+++ registry/trunk/app/View/CoPeople/index.ctp 2012-03-02 22:28:53 UTC (rev
243)
@@ -59,11 +59,18 @@
</td>
<td>
<?php
+ // Is this a person in a COU of the currently logged in person?
+ $myPerson = false;
+
foreach ($p['CoPersonRole'] as $pr) {
// We look at COU here if set for the role
if($permissions['edit']
- && (!isset($pr['cou_id']) || isset($permissions['cous'][
$pr['cou_id'] ])))
- {
+ && (!isset($pr['cou_id'])
+ || $pr['cou_id'] == ''
+ || in_array($pr['Cou']['name'], $permissions['cous'])))
+ $myPerson = true;
+
+ if($myPerson) {
echo $this->Html->link(_txt('op.edit'),
array('controller' =>
'co_person_roles',
'action' =>
($permissions['edit'] ? "edit" : "view"),
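Review bot: `$myPerson` is set inside the `foreach` and never reset, so after the first role that passes the COU check the `if($myPerson)` on the next line renders an edit link for every later role too, including roles in COUs the COU admin does not manage; the removed condition tested each role on its own. Keep a per-role flag for the link and accumulate `$myPerson` only for the person-level buttons further down, e.g. `$roleOk = $permissions['edit'] && (!isset($pr['cou_id']) || $pr['cou_id'] == '' || in_array($pr['Cou']['name'], $permissions['cous'], true)); $myPerson = $myPerson || $roleOk; if($roleOk) {`. Passing `true` to `in_array` avoids loose-comparison matches, and `$pr['Cou']['name']` assumes the Cou association is always present when `cou_id` is set — worth confirming. The `foreach` body continues past the hunk.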
@@ -90,23 +97,27 @@
echo $this->Html->link(_txt('op.compare'),
array('controller' => 'co_people',
'action' => 'compare', $p['CoPerson']['id'], 'co' => $cur_co['Co']['id']),
array('class' => 'comparebutton')) .
"\n";
-
- if($permissions['edit'])
- echo $this->Html->link(_txt('op.edit'),
- array('controller' => 'co_people',
'action' => 'edit', $p['CoPerson']['id'], 'co' => $cur_co['Co']['id']),
- array('class' => 'editbutton')) . "\n";
+
+ if($myPerson) {
+ // Edit actions are unavailable
- if($permissions['delete'])
- echo '<button class="deletebutton" title="' . _txt('op.delete')
. '" onclick="javascript:js_confirm_delete(\'' .
_jtxt(Sanitize::html(generateCn($p['Name']))) . '\', \'' .
$this->Html->url(array('controller' => 'co_people', 'action' => 'delete',
$p['CoPerson']['id'], 'co' => $cur_co['Co']['id'])) . '\')";>' .
_txt('op.delete') . '</button>' . "\n";
-
- if($permissions['invite'] && ($p['CoPerson']['status'] != 'A' &&
$p['CoPerson']['status'] != 'D'))
- echo '<button class="invitebutton" title="' .
_txt('op.inv.resend') . '" onclick="javascript:js_confirm_reinvite(\'' .
_jtxt(Sanitize::html(generateCn($p['Name']))) . '\', \'' .
$this->Html->url(array('controller' => 'co_invites', 'action' => 'send',
'copersonid' => $p['CoPerson']['id'], 'co' => $cur_co['Co']['id'])) .
'\')";>' . _txt('op.inv.resend') . '</button>' . "\n";
+ if($permissions['edit'])
+ echo $this->Html->link(_txt('op.edit'),
+ array('controller' => 'co_people',
'action' => 'edit', $p['CoPerson']['id'], 'co' => $cur_co['Co']['id']),
+ array('class' => 'editbutton')) . "\n";
+
+ if($permissions['delete'])
+ echo '<button class="deletebutton" title="' .
_txt('op.delete') . '" onclick="javascript:js_confirm_delete(\'' .
_jtxt(Sanitize::html(generateCn($p['Name']))) . '\', \'' .
$this->Html->url(array('controller' => 'co_people', 'action' => 'delete',
$p['CoPerson']['id'], 'co' => $cur_co['Co']['id'])) . '\')";>' .
_txt('op.delete') . '</button>' . "\n";
+
+ if($permissions['invite'] && ($p['CoPerson']['status'] != 'A' &&
$p['CoPerson']['status'] != 'D'))
+ echo '<button class="invitebutton" title="' .
_txt('op.inv.resend') . '" onclick="javascript:js_confirm_reinvite(\'' .
_jtxt(Sanitize::html(generateCn($p['Name']))) . '\', \'' .
$this->Html->url(array('controller' => 'co_invites', 'action' => 'send',
'copersonid' => $p['CoPerson']['id'], 'co' => $cur_co['Co']['id'])) .
'\')";>' . _txt('op.inv.resend') . '</button>' . "\n";
+ }
?>
<?php ; ?>
</td>
</tr>
<?php $i++; ?>
- <?php endforeach; ?>
+ <?php endforeach; // $co_people ?>
</tbody>
<tfoot>
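Review bot: The comment `// Edit actions are unavailable` states the opposite of what the block does — it is the branch in which the edit, delete and re-invite controls are rendered — and should read something like `// Person-level actions, shown only when at least one role is in a COU this user manages`. Because `$myPerson` is derived from `$permissions['edit']` in the loop above, a user who holds `delete` or `invite` without `edit` now gets no delete or re-invite button, where the removed lines gated each button on its own permission; if that narrowing is intended it deserves a sentence in the same comment.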