This repository was archived by the owner on Nov 25, 2020. It is now read-only.

Commit fb71bdc

committed
Fix max overriding order issue
Send repo security scope to UI.
1 parent 6c4ded3 commit fb71bdc

6 files changed

+81
-37
lines changed


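--- a/core/src/core/classes/class.AJXP_Permission.php
+++ b/core/src/core/classes/class.AJXP_Permission.php
@@ -82,6 +82,10 @@ function denies(){
 return false;
 }
 
+function isEmpty(){
+return $this->value === 0;
+}
+
 function testPermission($numPerm){
 if(is_integer($numPerm) && ($numPerm < self::MASK)){
 $numPerm = $numPerm & self::MASK;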

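--- a/core/src/core/classes/class.AJXP_PermissionMask.php
+++ b/core/src/core/classes/class.AJXP_PermissionMask.php
@@ -41,6 +41,7 @@ function __construct($serializedForm = null){
 if($permissionValue["read"]) $perm->setRead();
 if($permissionValue["write"]) $perm->setWrite();
 if($permissionValue["deny"]) $perm->setDeny();
+if($perm->isEmpty()) continue;
 $this->updateBranch($path, $perm);
 }
 }
@@ -114,6 +115,12 @@ function match($test, $permission){
 
 if(empty($test) || $test == "/" || $test == "/." || $test == "/..") {
 if(!count($pathes)) return true;
+if(isSet($pathes["/"])) {
+$permObject = $pathes["/"];
+// If not read or write, must be read at least for root
+if($permObject->denies()) $permObject->setRead(true);
+return $permObject->testPermission($permission);
+}
 if($permission == AJXP_Permission::READ) return true;
 else if($permission == AJXP_Permission::WRITE) return false;
 return true;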
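Review bot: In the new root branch of match(), `if($permObject->denies()) $permObject->setRead(true);` modifies the permission object held in `$pathes["/"]`, so a permission query can rewrite the stored mask; PHP object handles stay shared even when the containing array is copied. If `$pathes` is built from the mask's own tree (its assignment is outside the hunk), a deny on `/` would be turned into read for later checks and for any later serialization of the mask. Working on a copy keeps the check free of side effects: `$permObject = clone $pathes["/"];`. The added comment also says "not read or write" while the condition tests `denies()`; one of the two should be corrected so the intended rule for the root path is unambiguous.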

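--- a/core/src/core/classes/class.AJXP_Role.php
+++ b/core/src/core/classes/class.AJXP_Role.php
@@ -424,7 +424,8 @@ public function override(AJXP_Role $role)
 $allKeys = array_merge(array_keys($this->masks), array_keys($roleMasks));
 foreach($allKeys as $repoId){
 if(isSet($roleMasks[$repoId]) && isSet($this->masks[$repoId])){
-$newRole->setMask($repoId, $this->masks[$repoId]->override($roleMasks[$repoId]));
+//$newRole->setMask($repoId, $this->masks[$repoId]->override($roleMasks[$repoId]));
+$newRole->setMask($repoId, $roleMasks[$repoId]->override($this->masks[$repoId]));
 }else if(isSet($roleMasks[$repoId])){
 $newRole->setMask($repoId, $roleMasks[$repoId]);
 }else{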
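Review bot: The commented-out `setMask()` call kept directly above the live one should be deleted and replaced by a one-line comment stating which side's mask wins when both roles define one for the same repository. The receiver/argument order of `override()` is exactly what this commit flips, and it decides the effective permissions, so leaving the old form next to the new one invites an accidental revert. The wording of that comment has to be confirmed against AJXP_PermissionMask::override(), which is not visible here. AJXP_Role::override() starts and ends outside the hunk, so whether the other merged properties follow the same direction cannot be checked from this view.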

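--- a/core/src/core/classes/class.AuthService.php
+++ b/core/src/core/classes/class.AuthService.php
@@ -610,7 +610,7 @@ public static function updateAdminRights($adminUser)
 $allRepoList = ConfService::getRepositoriesList("all", false);
 foreach ($allRepoList as $repoId => $repoObject) {
 if(!self::allowedForCurrentGroup($repoObject, $adminUser)) continue;
-if($repoObject->hasParent() && $repoObject->getParentId() != $adminUser->getId()) continue;
+if($repoObject->hasOwner() && $repoObject->getOwner() != $adminUser->getId()) continue;
 $adminUser->personalRole->setAcl($repoId, "rw");
 }
 $adminUser->recomputeMergedRole();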
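Review bot: The ownership test on the changed line uses loose `!=`, and it is the only thing standing between a repository owned by someone else and `setAcl($repoId, "rw")` on the admin's personal role. Under PHP's loose comparison, numeric-looking strings such as `"10"` and `"1e1"` are equal, so if user ids can be numeric strings (their type is not visible here) a repository owned by a different user could pass the check. A strict string comparison removes that ambiguity: `if($repoObject->hasOwner() && (string)$repoObject->getOwner() !== (string)$adminUser->getId()) continue;`. updateAdminRights() starts outside the hunk.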

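--- a/core/src/phpunit/AJXP/Tests/Atomics/PermissionMaskTest.php
+++ b/core/src/phpunit/AJXP/Tests/Atomics/PermissionMaskTest.php
@@ -162,6 +162,23 @@ public function testPermissionMask(){
 
 //$this->assertTrue($mask->match("/a1", \AJXP_Permission::DENY));
 
+// Test that a deny is cutting the sub branches
+$mask1 = new \AJXP_PermissionMask();
+$mask1->updateBranch("/a1/b1", new \AJXP_Permission("rw"));
+$mask1->updateBranch("/a1/b2", new \AJXP_Permission("rw"));
+$mask1->updateBranch("/a1/b3/c1", new \AJXP_Permission("rw"));
+$mask1->updateBranch("/a1/b3/c2", new \AJXP_Permission("rw"));
+
+$mask2 = new \AJXP_PermissionMask();
+$mask2->updateBranch("/a1", new \AJXP_Permission("d"));
+
+$result = $mask1->override($mask2);
+$this->assertFalse($result->match("/a1", \AJXP_Permission::READ));
+$this->assertFalse($result->match("/a1/b2", \AJXP_Permission::READ));
+$this->assertFalse($result->match("/a1/b3", \AJXP_Permission::READ));
+$this->assertFalse($result->match("/a1/b3/c1", \AJXP_Permission::READ));
+$this->assertFalse($result->match("/a1/any", \AJXP_Permission::READ));
+
 }
 
 }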
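Review bot: The added assertions check only READ and only the `$mask1->override($mask2)` direction, so the other access-deciding changes in this commit are untested: the new root-path branch in AJXP_PermissionMask::match() and the skipping of empty permissions in the constructor. I would at least add the WRITE counterpart for a denied branch, e.g. `$this->assertFalse($result->match("/a1/b1", \AJXP_Permission::WRITE));`, and a case that puts a permission on `/` and queries `match("/", ...)` for both READ and WRITE. `/a1/b1` and `/a1/b3/c2` are set up but never asserted on. testPermissionMask() starts outside the hunk.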

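--- a/core/src/plugins/access.ajxp_conf/class.ajxp_confAccessDriver.php
+++ b/core/src/plugins/access.ajxp_conf/class.ajxp_confAccessDriver.php
@@ -207,47 +207,57 @@ public function listAllActions($action, $httpVars, $fileVars)
 echo json_encode(array("LIST" => array(), "HAS_GROUPS" => true));
 return;
 }
+if(isSet($_SESSION["ALL_ACTIONS_CACHE"])){
+$actions = $_SESSION["ALL_ACTIONS_CACHE"];
+}else{
 
-$nodes = AJXP_PluginsService::getInstance()->searchAllManifests("//action", "node", false, true, true);
-$actions = array();
-foreach ($nodes as $node) {
-$xPath = new DOMXPath($node->ownerDocument);
-$proc = $xPath->query("processing", $node);
-if(!$proc->length) continue;
-$txt = $xPath->query("gui/@text", $node);
-if ($txt->length) {
-$messId = $txt->item(0)->nodeValue;
-} else {
-$messId = "";
-}
-$parentPlugin = $node->parentNode->parentNode->parentNode;
-$pId = $parentPlugin->attributes->getNamedItem("id")->nodeValue;
-if (empty($pId)) {
-$pId = $parentPlugin->nodeName .".";
-if($pId == "ajxpdriver.") $pId = "access.";
-$pId .= $parentPlugin->attributes->getNamedItem("name")->nodeValue;
-}
-//echo($pId." : ". $node->attributes->getNamedItem("name")->nodeValue . " (".$messId.")<br>");
-if(!is_array($actions[$pId])) $actions[$pId] = array();
-$actionName = $node->attributes->getNamedItem("name")->nodeValue;
-$actions[$pId][$actionName] = array( "action" => $actionName , "label" => $messId);
-
-}
-ksort($actions, SORT_STRING);
-foreach ($actions as $actPid => $actionGroup) {
-ksort($actionGroup, SORT_STRING);
-$actions[$actPid] = array();
-foreach ($actionGroup as $v) {
-$actions[$actPid][] = $v;
+$nodes = AJXP_PluginsService::getInstance()->searchAllManifests("//action", "node", false, true, true);
+$actions = array();
+foreach ($nodes as $node) {
+$xPath = new DOMXPath($node->ownerDocument);
+$proc = $xPath->query("processing", $node);
+if(!$proc->length) continue;
+$txt = $xPath->query("gui/@text", $node);
+if ($txt->length) {
+$messId = $txt->item(0)->nodeValue;
+} else {
+$messId = "";
+}
+$parentPlugin = $node->parentNode->parentNode->parentNode;
+$pId = $parentPlugin->attributes->getNamedItem("id")->nodeValue;
+if (empty($pId)) {
+$pId = $parentPlugin->nodeName .".";
+if($pId == "ajxpdriver.") $pId = "access.";
+$pId .= $parentPlugin->attributes->getNamedItem("name")->nodeValue;
+}
+//echo($pId." : ". $node->attributes->getNamedItem("name")->nodeValue . " (".$messId.")<br>");
+if(!is_array($actions[$pId])) $actions[$pId] = array();
+$actionName = $node->attributes->getNamedItem("name")->nodeValue;
+$actions[$pId][$actionName] = array( "action" => $actionName , "label" => $messId);
+
+}
+ksort($actions, SORT_STRING);
+foreach ($actions as $actPid => $actionGroup) {
+ksort($actionGroup, SORT_STRING);
+$actions[$actPid] = array();
+foreach ($actionGroup as $v) {
+$actions[$actPid][] = $v;
+}
 }
+$_SESSION["ALL_ACTIONS_CACHE"] = $actions;
 }
 HTMLWriter::charsetHeader("application/json");
 echo json_encode(array("LIST" => $actions, "HAS_GROUPS" => true));
 break;
 
 case "list_all_plugins_parameters":
 
-$actions = $this->getEditableParameters(true);
+if(isSet($_SESSION["ALL_PARAMS_CACHE"])){
+$actions = $_SESSION["ALL_PARAMS_CACHE"];
+}else{
+$actions = $this->getEditableParameters(true);
+$_SESSION["ALL_PARAMS_CACHE"] = $actions;
+}
 HTMLWriter::charsetHeader("application/json");
 echo json_encode(array("LIST" => $actions, "HAS_GROUPS" => true));
 break;
@@ -640,6 +650,7 @@ public function switchAction($action, $httpVars, $fileVars)
 $repoDetailed[$repositoryId] = array(
 "label" => SystemTextEncoding::toUTF8($repositoryObject->getDisplay()),
 "driver" => $repositoryObject->getAccessType(),
+"scope" => $repositoryObject->securityScope(),
 "meta" => $meta
 );
 }
@@ -1448,7 +1459,7 @@ public function switchAction($action, $httpVars, $fileVars)
 }
 $nested = array();
 $definitions = $plug->getConfigsDefinitions();
-print("<repository index=\"$repId\"");
+print("<repository index=\"$repId\" securityScope=\"".$repository->securityScope()."\"");
 foreach ($repository as $name => $option) {
 if(strstr($name, " ")>-1) continue;
 if ($name == "driverInstance") continue;
@@ -1636,9 +1647,13 @@ public function switchAction($action, $httpVars, $fileVars)
 // TODO : WHAT TO DO FOR SUB ADMINS ?
 if (isSet($httpVars["permission_mask"]) && !empty($httpVars["permission_mask"])){
 $mask = json_decode($httpVars["permission_mask"], true);
-$perm = new AJXP_PermissionMask($mask);
 $rootGroup = AuthService::getRole("AJXP_GRP_/");
-$rootGroup->setMask($repId, $perm);
+if(count($mask)){
+$perm = new AJXP_PermissionMask($mask);
+$rootGroup->setMask($repId, $perm);
+}else{
+$rootGroup->clearMask($repId);
+}
 AuthService::updateRole($rootGroup);
 }
 ConfService::replaceRepository($repId, $repo);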
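Review bot: In the last hunk, `count($mask)` runs on the raw result of `json_decode()`, which is null when `permission_mask` is not valid JSON; null then takes the `else` branch and `clearMask($repId)` is called on the root group. A malformed request would therefore presumably remove the repository's mask instead of being rejected, which fails open, and on PHP 8 `count(null)` throws a TypeError instead. I would validate right after the `json_decode()` line, e.g. `if(!is_array($mask)) throw new Exception("Invalid permission_mask");`, adapted to whatever error path this action already uses. switchAction() starts and ends outside the hunk.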
