
[comanage-dev] r400 - in registry/trunk/app: Controller Model View/CoPeople View/OrgIdentities


  • Subject: [comanage-dev] r400 - in registry/trunk/app: Controller Model View/CoPeople View/OrgIdentities
  • Date: Fri, 16 Nov 2012 11:24:08 -0500

Author: benno
Date: 2012-11-16 11:24:08 -0500 (Fri, 16 Nov 2012)
New Revision: 400

Modified:
registry/trunk/app/Controller/HistoryRecordsController.php
registry/trunk/app/Model/CoRole.php
registry/trunk/app/View/CoPeople/fields.inc
registry/trunk/app/View/OrgIdentities/fields.inc
Log:
Fix permissions for viewing history (CO-491)

Modified: registry/trunk/app/Controller/HistoryRecordsController.php
===================================================================
--- registry/trunk/app/Controller/HistoryRecordsController.php 2012-11-14
04:33:47 UTC (rev 399)
+++ registry/trunk/app/Controller/HistoryRecordsController.php 2012-11-16
16:24:08 UTC (rev 400)
@@ -44,6 +44,7 @@
'contain' => array(
'ActorCoPerson.Name',
'CoPerson.Name',
+ 'CoPersonRole',
'OrgIdentity.Name'
)
);
@@ -61,31 +62,56 @@
// Set page title
$this->set('title_for_layout', _txt('ct.history_records.pl'));

- // We need an Org ID, CO Person ID to retrieve on.
+ // We need an Org ID or a CO Person ID to retrieve on. We have to
carefully craft our queries
+ // in order to pull only records that the current user is authorized
to see.

// Use server side pagination

if(!empty($this->params['named']['copersonid'])) {
- $this->set('history_records',
- $this->paginate('HistoryRecord',
- array('HistoryRecord.co_person_id' =>
$this->params['named']['copersonid'])));
+ // CO Administrators can see all records, however COU Administrators
can only see records
+ // with no CO Person Role ID or where the CO Person Role ID is in a
COU they administer.
+
+ $args = array();
+ $args['HistoryRecord.co_person_id'] =
$this->params['named']['copersonid'];
+
+ if(!empty($this->viewVars['permissions']['cous'])) {
+ // Pull records in the COUs this user can see, as well as those
with no COU attached.
+ // Note a join isn't needed here because paginate+contain is
already joining the right tables.
+
+ $args['OR']['CoPersonRole.cou_id'] =
array_keys($this->viewVars['permissions']['cous']);
+ $args['OR'][] = 'HistoryRecord.co_person_role_id IS NULL';
+ } else {
+ // This should catch the case where COUs aren't in use
+ $args[] = 'HistoryRecord.co_person_role_id IS NULL';
+ }
+
+ $this->set('history_records', $this->paginate('HistoryRecord',
$args));
} elseif(!empty($this->params['named']['orgidentityid'])) {
// Org ID is a bit tricky when org identities are pooled, because we
shouldn't pull
// history for that Org ID related to COs other than the current one.
+ // Note a join isn't needed here because paginate+contain is already
joining the right tables.

$pool = $this->CmpEnrollmentConfiguration->orgIdentitiesPooled();

- $this->paginate['conditions'] =
array('HistoryRecord.org_identity_id' =>
$this->params['named']['orgidentityid']);
+ $args = array();
+ $args['HistoryRecord.org_identity_id'] =
$this->params['named']['orgidentityid'];

if($pool) {
- // XXX This should be replaced with a clever Cake query that joins
CoPerson where
- // co_people.co_id = $this->cur_co['Co']['id'], but for the moment
that's not
- // working, so we'll simply constrain to records with no CO Person
associated.
+ $args['CoPerson.co_id'] = $this->cur_co['Co']['id'];
+ }
+
+ if(!empty($this->viewVars['permissions']['cous'])) {
+ // Pull records in the COUs this user can see, as well as those
with no COU attached.
+ // Note a join isn't needed here because paginate+contain is
already joining the right tables.

- $this->paginate['conditions']['CoPerson.id'] = null;
+ $args['OR']['CoPersonRole.cou_id'] =
array_keys($this->viewVars['permissions']['cous']);
+ $args['OR'][] = 'HistoryRecord.co_person_role_id IS NULL';
+ } else {
+ // This should catch the case where COUs aren't in use
+ $args[] = 'HistoryRecord.co_person_role_id IS NULL';
}

- $this->set('history_records', $this->paginate('HistoryRecord'));
+ $this->set('history_records', $this->paginate('HistoryRecord',
$args));
} else {
// Throw an error. This controller doesn't permit retrieve all
history via the UI.

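Review bot: The copersonid branch never ties the requested CO Person to the current CO, so for a COU administrator the filter reduces to `cou_id IN (their COUs) OR co_person_role_id IS NULL` for whatever copersonid is supplied, whereas the orgidentityid branch does add `CoPerson.co_id` when identities are pooled. Unless something outside this hunk already verifies that the CO Person belongs to `$this->cur_co`, add `$args['CoPerson.co_id'] = $this->cur_co['Co']['id'];` beside the `HistoryRecord.co_person_id` condition. The `else` branch is also reached by CO administrators: isAuthorized() in the next hunk fills `permissions['cous']` from allCous(), and if that comes back empty for a CO that defines no COUs, CO admins would see only records with no co_person_role_id, which does not look intended; gating the COU restriction on the couadmin role rather than on the list being non-empty avoids that. The raw `'HistoryRecord.co_person_role_id IS NULL'` strings could be expressed as `'HistoryRecord.co_person_role_id' => null` to match the array-keyed conditions around them. index() begins before this hunk and its else branch continues after it.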
@@ -129,8 +155,17 @@

// View history records?
// We could allow $self to view own records, but for the moment we don't
(for no specific reason)
- $p['index'] = ($cmr['cmadmin'] || $cmr['coadmin']);
+ $p['index'] = $cmr['cmadmin'] || $cmr['coadmin'] || $cmr['couadmin'];

+ // Determine which COUs a person can manage, needed for index() to
filter records
+
+ if($cmr['cmadmin'] || $cmr['coadmin'])
+ $p['cous'] =
$this->CoPerson->CoPersonRole->Cou->allCous($this->cur_co['Co']['id']);
+ elseif(!empty($cmr['admincous']))
+ $p['cous'] = $cmr['admincous'];
+ else
+ $p['cous'] = array();
+
$this->set('permissions', $p);
return($p[$this->action]);
}
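Review bot: The three single-statement `if`/`elseif`/`else` branches assigning `$p['cous']` have no braces, unlike the `if(...) {` style used elsewhere in this controller; wrap them. The shape index() depends on should also be stated where the value is built, e.g. `// Keyed by COU ID: index() calls array_keys() on this to build its record filter`, since that presumes allCous() and `$cmr['admincous']` use the same keying, and a mismatch would silently widen or empty the filter rather than fail. isAuthorized() starts before this hunk.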

Modified: registry/trunk/app/Model/CoRole.php
===================================================================
--- registry/trunk/app/Model/CoRole.php 2012-11-14 04:33:47 UTC (rev 399)
+++ registry/trunk/app/Model/CoRole.php 2012-11-16 16:24:08 UTC (rev 400)
@@ -120,10 +120,11 @@
* @param Integer CO Person ID
* @param Integer CO ID
* @param Integer COU ID
+ * @param Boolean Whether to check only active roles or all roles
* @return Boolean True if the CO Person has a matching role, false
otherwise
*/

- protected function cachedPersonRoleCheck($coPersonId, $coId, $couId=null) {
+ protected function cachedPersonRoleCheck($coPersonId, $coId, $couId=null,
$active=true) {
// First check the cache

if($couId) {
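Review bot: The new `$active` parameter changes what the lookup matches, but the cache consulted right after `// First check the cache` lies outside this hunk; if its key is derived only from the person, CO and COU ids, a result stored for an active-only call would be handed back to a later `$active=false` call (or the reverse), which matters because the caller added in this commit uses the result for an authorization decision. Fold the flag into whatever key the cache uses, and say so in the docblock, e.g. `@param Boolean $active Whether to match only active CO Person/Role records (cached separately from the all-statuses result)`. The same point applies to the following hunk that gates the status conditions. The method body continues past this hunk.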
@@ -149,8 +150,10 @@
$args['joins'][0]['conditions'][0] =
'CoPerson.id=CoPersonRole.co_person_id';
$args['conditions']['CoPerson.id'] = $coPersonId;
$args['conditions']['CoPerson.co_id'] = $coId;
- $args['conditions']['CoPerson.status'] = StatusEnum::Active;
- $args['conditions']['CoPersonRole.status'] = StatusEnum::Active;
+ if($active) {
+ $args['conditions']['CoPerson.status'] = StatusEnum::Active;
+ $args['conditions']['CoPersonRole.status'] = StatusEnum::Active;
+ }
if($couId) {
$args['conditions']['CoPersonRole.cou_id'] = $couId;
}
@@ -500,6 +503,37 @@
}

/**
+ * Determine if a CO Person is a COU Administrator for another CO Person.
+ *
+ * @since COmanage Registry v0.8
+ * @param Integer CO Person ID of potential COU Admin
+ * @param Integer CO Person ID of subject
+ * @param Integer CO ID
+ * @return Boolean True if the CO Person is a COU Administrator for the
subject, false otherwise
+ */
+
+ public function isCouAdminForCoPerson($coPersonId, $subjectCoPersonId,
$coId) {
+ // First, pull the COUs for which $coPersonId is a COU admin
+ $adminCous = $this->couAdminFor($coPersonId, $coId);
+
+ // Next, walk through the list seeing if $subjectCoPersonId is a member.
We do
+ // one SQL query per COU, but an optimization that could be done is the
query
+ // WHERE cou_id IN (array_keys($adminCous)).
+
+ foreach(array_keys($adminCous) as $couId) {
+ // We accept statuses other than Active, since (eg) a COU Admin might
want to view
+ // the history of someone who is pending or expired.
+
+ if($this->cachedPersonRoleCheck($subjectCoPersonId, $coId, $couId,
false)) {
+ // Match found, no need to continue
+ return true;
+ }
+ }
+
+ return false;
+ }
+
+ /**
* Determine if a CO Person is in a COU.
*
* @since COmanage Registry v0.7
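Review bot: The docblock does not say that a subject role of any status counts, although the loop deliberately passes `false` for `$active`, so a pending, expired or otherwise non-active role in one of the admin's COUs still yields true; as this method feeds an authorization check, make that explicit, e.g. `@return Boolean True if the subject holds a role of any status in a COU the CO Person administers, false otherwise`. The `@param` lines would be clearer carrying the parameter names (`$coPersonId`, `$subjectCoPersonId`, `$coId`) as the signature does. The one-query-per-COU loop is bounded by the number of administered COUs, as the inline comment already notes, so it is acceptable here but worth tracking as the follow-up the comment describes.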

Modified: registry/trunk/app/View/CoPeople/fields.inc
===================================================================
--- registry/trunk/app/View/CoPeople/fields.inc 2012-11-14 04:33:47 UTC (rev
399)
+++ registry/trunk/app/View/CoPeople/fields.inc 2012-11-16 16:24:08 UTC (rev
400)
@@ -23,7 +23,6 @@
*/
-->
<?php
-
// Globals
global $cm_lang, $cm_texts;

@@ -103,7 +102,8 @@
array(
'controller' => 'history_records',
'action' => 'index',
- 'copersonid' => $co_people[0]['CoPerson']['id']
+ 'copersonid' => $co_people[0]['CoPerson']['id'],
+ 'co' => $cur_co['Co']['id']
),
array('class' => 'historybutton')
);

Modified: registry/trunk/app/View/OrgIdentities/fields.inc
===================================================================
--- registry/trunk/app/View/OrgIdentities/fields.inc 2012-11-14 04:33:47
UTC (rev 399)
+++ registry/trunk/app/View/OrgIdentities/fields.inc 2012-11-16 16:24:08
UTC (rev 400)
@@ -68,7 +68,8 @@
array(
'controller' => 'history_records',
'action' => 'index',
- 'orgidentityid' => $org_identities[0]['OrgIdentity']['id']
+ 'orgidentityid' => $org_identities[0]['OrgIdentity']['id'],
+ 'co' => ($pool_org_identities ? false : $cur_co['Co']['id'])
),
array('class' => 'historybutton')
);
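Review bot: When `$pool_org_identities` is true the link omits `co`, yet the pooled branch of HistoryRecordsController::index() in this same commit reads `$this->cur_co['Co']['id']` to restrict results to the current CO; if cur_co is resolved from the `co` named parameter, that value is missing in exactly the case the controller needs it, so confirm how cur_co is established for pooled org identities or pass the CO id regardless of pooling. Also confirm that the router drops a `false` named-parameter value rather than rendering an empty `co`. A short comment on the line, such as `// co omitted when pooled because ...` with the actual reason, would spare the next reader the same question.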


