From 5f077edc474727fe4fc5dae93f40eb50143c40a7 Mon Sep 17 00:00:00 2001 From: Olivia Kaufmann Date: Tue, 7 Jan 2020 16:14:20 +0100 Subject: [PATCH 1/3] global role "UserTakeOver-User" is also allowed to use the plugin --- .../class.ilUserTakeOverMembersGUI.php | 5 +++- classes/class.ilUserTakeOverUIHookGUI.php | 9 ++++-- classes/class.usrtoHelper.php | 30 +++++++++++++++++-- sql/dbupdate.php | 7 +---- 4 files changed, 39 insertions(+), 12 deletions(-) diff --git a/classes/Members/class.ilUserTakeOverMembersGUI.php b/classes/Members/class.ilUserTakeOverMembersGUI.php index 8855a58..9265bfc 100644 --- a/classes/Members/class.ilUserTakeOverMembersGUI.php +++ b/classes/Members/class.ilUserTakeOverMembersGUI.php @@ -175,7 +175,10 @@ protected function fillForm(&$form) protected function searchUsers() { // Only Administrators - if (!in_array(2, self::dic()->rbacreview()->assignedGlobalRoles(self::dic()->user()->getId()))) { + + if (!usrtoHelper::getInstance()->checkPluginAccess()) + // if (!in_array(2, self::dic()->rbacreview()->assignedGlobalRoles(self::dic()->user()->getId()))) + { //self::plugin()->output([], false); echo json_encode([]); exit; diff --git a/classes/class.ilUserTakeOverUIHookGUI.php b/classes/class.ilUserTakeOverUIHookGUI.php index 95c94bd..dd7354a 100644 --- a/classes/class.ilUserTakeOverUIHookGUI.php +++ b/classes/class.ilUserTakeOverUIHookGUI.php @@ -70,7 +70,7 @@ public function getHTML($a_comp, $a_part, $a_par = []) // If we are admin /** Some Async requests wont instanciate rbacreview. Thus we just terminate. */ if ((self::dic()->rbacreview() instanceof ilRbacReview) - && in_array(2, self::dic()->rbacreview()->assignedGlobalRoles(self::dic()->user()->getId())) + && usrtoHelper::getInstance()->checkPluginAccess() ) { ///////////////// IN THE USER ADMINISTRATION ///////////////// $this->initTakeOverToolbar(self::dic()->toolbar()); 
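Review bot: The `// Only Administrators` comment kept directly above the new `usrtoHelper::getInstance()->checkPluginAccess()` call in searchUsers() no longer describes the check, which now also admits holders of the UserTakeOver-User global role; suggest `// Only administrators or members of the UserTakeOver-User global role may search users`. The same stale wording survives on the new side of the following hunks: `// If we are admin` above the `instanceof ilRbacReview` guard in getHTML() (hunk at line 70) and `//only group members or user with admin role can use search` in getTopBarHtml() (hunk at line 136), and none of the three is corrected by patches 2 or 3. A reader auditing who may impersonate users will otherwise take the comments at face value and miss the role-based grant. searchUsers() continues past the end of the hunk.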
@@ -107,7 +107,10 @@ public function gotoHook() protected function getTopBarHtml() { $template = self::plugin()->getPluginObject()->getTemplate("tpl.MMUserTakeOver.html", false, false); - if (in_array(2, self::dic()->rbacreview()->assignedGlobalRoles(self::dic()->user()->getId()))) { + + if (usrtoHelper::getInstance()->checkPluginAccess()){ + + //if(in_array(2, self::dic()->rbacreview()->assignedGlobalRoles(self::dic()->user()->getId()))){ $template->setVariable("SEARCHUSERLINK", self::dic()->ctrl()->getLinkTargetByClass([ ilUIPluginRouterGUI::class, //ilUserTakeOverConfigGUI::class, @@ -136,7 +139,7 @@ protected function getTopBarHtml() $groups_html = $this->getGroupsHtml($group_ids, self::dic()->user()); } //only group members or user with admin role can use search - if (in_array(2, self::dic()->rbacreview()->assignedGlobalRoles(self::dic()->user()->getId())) || !empty($group_ids)) { + if (usrtoHelper::getInstance()->checkPluginAccess() || !empty($group_ids)) { $template->setCurrentBlock("DROPDOWN_TOGGLE"); $template->setVariable("TOGGLE", ""); $template->parseCurrentBlock(); diff --git a/classes/class.usrtoHelper.php b/classes/class.usrtoHelper.php index 6a228cf..a118f50 100644 --- a/classes/class.usrtoHelper.php +++ b/classes/class.usrtoHelper.php @@ -19,6 +19,7 @@ class usrtoHelper const USR_ID_BACKUP = 'usrtoOriginalAccountId'; const USR_ID = 'usr_id'; const PLUGIN_CLASS_NAME = ilUserTakeOverPlugin::class; + const USRTO_ROLE_NAME = 'UserTakeOver-User'; /** * @var usrtoHelper */ 
@@ -157,12 +158,37 @@ protected function checkAccess($usr_id, $take_over_id, $group_id) return true; } - // If the user taking over is of id 13? or is not in the admin role he does not have permission. - if (!isset($usr_id) || $usr_id == 13 || !in_array(2, self::dic()->rbacreview()->assignedGlobalRoles($usr_id))) { + if(!$this->checkPluginAccess($usr_id)){ ilUtil::sendFailure(self::plugin()->translate('no_permission'), true); ilUtil::redirect('login.php'); + } + } + public function checkPluginAccess($usr_id=null){ + if (!isset($usr_id)) { + $usr_id = self::dic()->user()->getId(); + } + // if user has the correct global role or he is an Administrator, he has permission to use the Plugin + $allowed_role=$this->getRoleAllowed(); + + $global_roles_of_user = self::dic()->rbacreview()->assignedGlobalRoles($usr_id); + $needles=array("2", $allowed_role); + // If the user taking over is of id 13? or is not in the admin role he does not have permission. + if (!isset($usr_id) || $usr_id == 13 || empty(array_intersect($needles, $global_roles_of_user))) { return false; } + + return true; + + } + + protected function getRoleAllowed() + { + // roles named UserTakeOver-User are allowed to use the plugin + if(self::dic()->rbacreview()->roleExists(self::USRTO_ROLE_NAME)){ + $roles= self::dic()->rbacreview()->getRolesByFilter(2,0, self::USRTO_ROLE_NAME); + } + return $roles[0]["obj_id"]; } + } \ No newline at end of file diff --git a/sql/dbupdate.php b/sql/dbupdate.php index cc8799f..78551c0 100644 --- a/sql/dbupdate.php +++ b/sql/dbupdate.php @@ -41,9 +41,4 @@ \srag\DIC\UserTakeOver\DICStatic::dic()->database()->dropTable('ui_uihk_usrto_config'); } ?> -<#5> -database()->tableExists(ilUserTakeOverConfig::TABLE_NAME)) { - \ilUserTakeOverConfig::updateDB(); -} -?> + From 98cc1ccd28513c80c1027c8543421489463e1b74 Mon Sep 17 00:00:00 2001 
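Review bot: `getRoleAllowed()` assigns `$roles` only inside the `roleExists()` branch, so on an installation that never created a role titled UserTakeOver-User the final `return $roles[0]["obj_id"];` reads an undefined variable and yields null with a notice; the `:string` return type that patch 3 adds to this method (hunk at line 182) turns that into a TypeError, which then breaks every `checkPluginAccess()` call and with it the main-menu hook for all users. Resolving the role by title is also looser than it looks: if `getRolesByFilter()` matches the title filter as a substring (I believe it is a LIKE filter — please confirm against ilRbacReview), `$roles[0]` may be a differently named role, so the rows should be filtered for an exact title match instead of taking the first one. Finally, `"2"` and `13` are the ILIAS constants `SYSTEM_ROLE_ID` and `ANONYMOUS_USER_ID` and should be written as such, and the `!isset($usr_id)` test is repeated after the default has already been filled in. A sketch of the two methods with the lookup made null-safe:
```php
// … unchanged: checkAccess() and its failure handling …

public function checkPluginAccess($usr_id = null)
{
    if (!isset($usr_id)) {
        $usr_id = self::dic()->user()->getId();
    }
    // The anonymous account never gets access, whatever roles it holds
    if (!isset($usr_id) || (int) $usr_id === ANONYMOUS_USER_ID) {
        return false;
    }
    // Administrators always qualify; the UserTakeOver-User role only when it exists
    $needles = [SYSTEM_ROLE_ID];
    $allowed_role = $this->getRoleAllowed();
    if ($allowed_role !== null) {
        $needles[] = $allowed_role;
    }
    $global_roles_of_user = self::dic()->rbacreview()->assignedGlobalRoles($usr_id);

    return !empty(array_intersect($needles, $global_roles_of_user));
}

/**
 * obj_id of the global role titled UserTakeOver-User, or null when no such role exists.
 */
protected function getRoleAllowed()
{
    if (!self::dic()->rbacreview()->roleExists(self::USRTO_ROLE_NAME)) {
        return null;
    }
    // NOTE(review): assumes each row from getRolesByFilter() carries the role 'title' — confirm
    foreach (self::dic()->rbacreview()->getRolesByFilter(2, 0, self::USRTO_ROLE_NAME) as $role) {
        if ($role['title'] === self::USRTO_ROLE_NAME) {
            return (int) $role['obj_id'];
        }
    }

    return null;
}
```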
From: Olivia Kaufmann Date: Wed, 22 Jan 2020 14:17:56 +0100 Subject: [PATCH 2/3] readd db-update --- sql/dbupdate.php | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/sql/dbupdate.php b/sql/dbupdate.php index 78551c0..957cdaa 100644 --- a/sql/dbupdate.php +++ b/sql/dbupdate.php @@ -41,4 +41,9 @@ \srag\DIC\UserTakeOver\DICStatic::dic()->database()->dropTable('ui_uihk_usrto_config'); } ?> - +<#5> +database()->tableExists(ilUserTakeOverConfig::TABLE_NAME)) { + \ilUserTakeOverConfig::updateDB(); +} +?> From d61537ad38fbc60d7811b5e141c406ea50f4c9d6 Mon Sep 17 00:00:00 2001 From: Olivia Kaufmann Date: Fri, 24 Jan 2020 16:27:01 +0100 Subject: [PATCH 3/3] add return value to methods remove comments change function checkPluginAccess --- classes/Members/class.ilUserTakeOverMembersGUI.php | 5 ++--- classes/class.ilUserTakeOverUIHookGUI.php | 14 +++++++------- classes/class.usrtoHelper.php | 7 ++----- 3 files changed, 11 insertions(+), 15 deletions(-) diff --git a/classes/Members/class.ilUserTakeOverMembersGUI.php b/classes/Members/class.ilUserTakeOverMembersGUI.php index 9265bfc..3caf3d3 100644 --- a/classes/Members/class.ilUserTakeOverMembersGUI.php +++ b/classes/Members/class.ilUserTakeOverMembersGUI.php @@ -176,8 +176,7 @@ protected function searchUsers() { // Only Administrators - if (!usrtoHelper::getInstance()->checkPluginAccess()) - // if (!in_array(2, self::dic()->rbacreview()->assignedGlobalRoles(self::dic()->user()->getId()))) + if (!usrtoHelper::getInstance()->checkPluginAccess(self::dic()->user()->getId())) { //self::plugin()->output([], false); echo json_encode([]); @@ -203,7 +202,7 @@ protected function searchUsers() ]; } - //self::plugin()->output($result, false); + echo json_encode($result); exit; } diff --git a/classes/class.ilUserTakeOverUIHookGUI.php b/classes/class.ilUserTakeOverUIHookGUI.php index dd7354a..01db953 100644 --- a/classes/class.ilUserTakeOverUIHookGUI.php +++ b/classes/class.ilUserTakeOverUIHookGUI.php 
@@ -59,6 +59,7 @@ protected static function setLoaded($key) */ public function getHTML($a_comp, $a_part, $a_par = []) { + $user_id=self::dic()->user()->getId(); if ($a_comp == 'Services/MainMenu' && $a_part == 'main_menu_search') { if (!self::isLoaded('user_take_over')) { $html = ''; @@ -70,12 +71,12 @@ public function getHTML($a_comp, $a_part, $a_par = []) // If we are admin /** Some Async requests wont instanciate rbacreview. Thus we just terminate. */ if ((self::dic()->rbacreview() instanceof ilRbacReview) - && usrtoHelper::getInstance()->checkPluginAccess() + && usrtoHelper::getInstance()->checkPluginAccess($user_id) ) { ///////////////// IN THE USER ADMINISTRATION ///////////////// $this->initTakeOverToolbar(self::dic()->toolbar()); } - $html .= $this->getTopBarHtml(); + $html .= $this->getTopBarHtml($user_id); self::setLoaded('user_take_over'); // Main Menu gets called multiple times so we statically save that we already did all that is needed. @@ -104,13 +105,12 @@ public function gotoHook() * @return array * @internal param $a_comp */ - protected function getTopBarHtml() + protected function getTopBarHtml($user_id) { $template = self::plugin()->getPluginObject()->getTemplate("tpl.MMUserTakeOver.html", false, false); - if (usrtoHelper::getInstance()->checkPluginAccess()){ + if (usrtoHelper::getInstance()->checkPluginAccess($user_id)){ - //if(in_array(2, self::dic()->rbacreview()->assignedGlobalRoles(self::dic()->user()->getId()))){ $template->setVariable("SEARCHUSERLINK", self::dic()->ctrl()->getLinkTargetByClass([ ilUIPluginRouterGUI::class, //ilUserTakeOverConfigGUI::class, 
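Review bot: The docblock above `getTopBarHtml($user_id)` still reads `@return array` and `@internal param $a_comp` and says nothing about the new parameter; since getHTML() appends the result with `$html .= $this->getTopBarHtml($user_id);`, the method evidently yields a string, so the block should become `@param int $user_id id of the user the menu is rendered for` and `@return string` (confirm the return type against the method's tail, which lies outside the hunk). In getHTML() the new `$user_id=self::dic()->user()->getId();` runs for every component/part combination the hook is invoked with, although only the main-menu branch uses it; moving it inside the `if ($a_comp == 'Services/MainMenu' ...)` block, written as `$user_id = self::dic()->user()->getId();` with the file's usual spacing, keeps all other hook calls untouched. Both getHTML() and getTopBarHtml() continue beyond these hunks.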
@@ -132,14 +132,14 @@ protected function getTopBarHtml() } /////////// For the Groups ////////////////// - $group_ids = usrtoMember::where(["user_id" => self::dic()->user()->getId()], "=")->getArray(null, "group_id"); + $group_ids = usrtoMember::where(["user_id" => $user_id], "=")->getArray(null, "group_id"); //if the current user is member of at least one group render the groups html if (!empty($group_ids)) { $groups_html = $this->getGroupsHtml($group_ids, self::dic()->user()); } //only group members or user with admin role can use search - if (usrtoHelper::getInstance()->checkPluginAccess() || !empty($group_ids)) { + if (usrtoHelper::getInstance()->checkPluginAccess($user_id) || !empty($group_ids)) { $template->setCurrentBlock("DROPDOWN_TOGGLE"); $template->setVariable("TOGGLE", ""); $template->parseCurrentBlock(); diff --git a/classes/class.usrtoHelper.php b/classes/class.usrtoHelper.php index a118f50..e22fd8a 100644 --- a/classes/class.usrtoHelper.php +++ b/classes/class.usrtoHelper.php @@ -164,10 +164,7 @@ protected function checkAccess($usr_id, $take_over_id, $group_id) } } - public function checkPluginAccess($usr_id=null){ - if (!isset($usr_id)) { - $usr_id = self::dic()->user()->getId(); - } + public function checkPluginAccess($usr_id):bool{ // if user has the correct global role or he is an Administrator, he has permission to use the Plugin $allowed_role=$this->getRoleAllowed(); @@ -182,7 +179,7 @@ public function checkPluginAccess($usr_id=null){ } - protected function getRoleAllowed() + protected function getRoleAllowed():string { // roles named UserTakeOver-User are allowed to use the plugin if(self::dic()->rbacreview()->roleExists(self::USRTO_ROLE_NAME)){
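Review bot: `checkPluginAccess($usr_id):bool` now requires its argument but leaves it untyped, while the body still falls back to an `!isset($usr_id)` test further down (outside this hunk); declaring it as `?int $usr_id` — or plain `int` once checkAccess() is known never to hand in a missing id — lets the engine reject bad callers instead of the isset guard silently returning false. The new signatures also depart from the PSR-12 style the rest of the file follows: `public function checkPluginAccess(?int $usr_id): bool` and `protected function getRoleAllowed(): string` with a space after the colon and the opening brace on its own line. The `:string` on getRoleAllowed() is only safe if every path of that method assigns a string; its body continues past the end of the last hunk, so check the path where `roleExists()` is false. checkPluginAccess()'s body likewise continues outside the hunk.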