From c2efbbdafc8b8912a92fc1bf3bd79f8d39b4c2dc Mon Sep 17 00:00:00 2001
From: Johannes Meyer
Date: Tue, 12 Jan 2021 11:38:59 +0100
Subject: [PATCH] RoleForm: Don't hide permissions/restrictions in admin roles
resolves #4068
---
 application/forms/Security/RoleForm.php | 162 ++++++++++++------------
 1 file changed, 82 insertions(+), 80 deletions(-)
diff --git a/application/forms/Security/RoleForm.php b/application/forms/Security/RoleForm.php
index d6f3d447b..b50cb8f8b 100644
--- a/application/forms/Security/RoleForm.php
+++ b/application/forms/Security/RoleForm.php
@@ -178,103 +178,105 @@ class RoleForm extends RepositoryForm
 ]
 );
- if (! isset($formData[self::WILDCARD_NAME]) || ! $formData[self::WILDCARD_NAME]) {
- foreach ($this->providedPermissions as $moduleName => $permissionList) {
- $this->sortPermissions($permissionList);
+ $hasAdminPerm = isset($formData[self::WILDCARD_NAME]) && $formData[self::WILDCARD_NAME];
+ foreach ($this->providedPermissions as $moduleName => $permissionList) {
+ $this->sortPermissions($permissionList);
- $elements = [$moduleName . '_header'];
+ $elements = [$moduleName . '_header'];
+ $this->addElement(
+ 'note',
+ $moduleName . '_header',
+ [
+ 'decorators' => ['ViewHelper'],
+ 'value' => '

' . ($moduleName !== 'application'
+ ? sprintf('%s %s', $moduleName, $this->translate('Module'))
+ : 'Icinga Web 2') . '

'
+ ]
+ );
+
+ $elements[] = 'permission_header';
+ $this->addElement('note', 'permission_header', [
+ 'value' => '

' . $this->translate('Permissions') . '

',
+ 'decorators' => ['ViewHelper']
+ ]);
+
+ $hasFullPerm = false;
+ foreach ($permissionList as $name => $spec) {
+ $elementName = $name;
+ if ($hasFullPerm || $hasAdminPerm) {
+ $elementName .= '_fake';
+ }
+
+ $elements[] = $elementName;
 $this->addElement(
- 'note',
- $moduleName . '_header',
+ 'checkbox',
+ $elementName,
 [
- 'decorators' => ['ViewHelper'],
- 'value' => '

' . ($moduleName !== 'application'
- ? sprintf('%s %s', $moduleName, $this->translate('Module'))
- : 'Icinga Web 2') . '

' + 'ignore' => $hasFullPerm || $hasAdminPerm, + 'autosubmit' => isset($spec['isFullPerm']), + 'disabled' => $hasFullPerm || $hasAdminPerm ?: null, + 'value' => $hasFullPerm || $hasAdminPerm, + 'label' => preg_replace( + // Adds a zero-width char after each slash to help browsers break onto newlines + '~(? isset($spec['description']) ? $spec['description'] : $spec['name'] ] - ); + ) + ->getElement($elementName) + ->getDecorator('Label') + ->setOption('escape', false); - $elements[] = 'permission_header'; - $this->addElement('note', 'permission_header', [ - 'value' => '

' . $this->translate('Permissions') . '

', + if ($hasFullPerm || $hasAdminPerm) { + // Add a hidden element to preserve the configured permission value + $this->addElement('hidden', $name); + } + + if (isset($spec['isFullPerm'])) { + $hasFullPerm = isset($formData[$name]) && $formData[$name]; + } + } + + if (isset($this->providedRestrictions[$moduleName])) { + $elements[] = 'restriction_header'; + $this->addElement('note', 'restriction_header', [ + 'value' => '

' . $this->translate('Restrictions') . '

', 'decorators' => ['ViewHelper'] ]); - $hasFullPerm = false; - foreach ($permissionList as $name => $spec) { + foreach ($this->providedRestrictions[$moduleName] as $name => $spec) { $elements[] = $name; $this->addElement( - 'checkbox', + 'text', $name, [ - 'ignore' => isset($spec['isUsagePerm']) ? false : $hasFullPerm, - 'autosubmit' => isset($spec['isFullPerm']), - 'disabled' => $hasFullPerm ?: null, - 'value' => $hasFullPerm, 'label' => preg_replace( // Adds a zero-width char after each slash to help browsers break onto newlines '~(? isset($spec['description']) ? $spec['description'] : $spec['name'] + 'description' => $spec['description'] ] ) ->getElement($name) ->getDecorator('Label') ->setOption('escape', false); - if (isset($spec['isFullPerm'])) { - $hasFullPerm = isset($formData[$name]) && $formData[$name]; - } - } - - if (isset($this->providedRestrictions[$moduleName])) { - $elements[] = 'restriction_header'; - $this->addElement('note', 'restriction_header', [ - 'value' => '

' . $this->translate('Restrictions') . '

', - 'decorators' => ['ViewHelper'] - ]); - - foreach ($this->providedRestrictions[$moduleName] as $name => $spec) { - $elements[] = $name; - $this->addElement( - 'text', - $name, - [ - 'label' => preg_replace( - // Adds a zero-width char after each slash to help browsers break onto newlines - '~(? $spec['description'] - ] - ) - ->getElement($name) - ->getDecorator('Label') - ->setOption('escape', false); - } - } - - $this->addDisplayGroup($elements, $moduleName . '_elements', [ - 'decorators' => [ - 'FormElements', - ['Fieldset', [ - 'class' => 'collapsible', - 'data-toggle-element' => 'h3', - 'data-visible-height' => 0 - ]] - ] - ]); - } - } else { - // Previously it was possible to define restrictions for super users, so make sure - // to not remove any restrictions which were set before the enforced separation - foreach ($this->providedRestrictions as $restrictionList) { - foreach ($restrictionList as $name => $_) { - $this->addElement('hidden', $name); } } + + $this->addDisplayGroup($elements, $moduleName . '_elements', [ + 'decorators' => [ + 'FormElements', + ['Fieldset', [ + 'class' => 'collapsible', + 'data-toggle-element' => 'h3', + 'data-visible-height' => 0 + ]] + ] + ]); } } @@ -293,7 +295,7 @@ class RoleForm extends RepositoryForm 'name' => $role->name, 'users' => $role->users, 'groups' => $role->groups, - self::WILDCARD_NAME => $role->permissions === '*' + self::WILDCARD_NAME => (bool) preg_match('~(?permissions) ]; if (! empty($role->permissions) && $role->permissions !== '*') { 
@@ -334,15 +336,15 @@ class RoleForm extends RepositoryForm
 $permissions = [];
 if (isset($values[self::WILDCARD_NAME]) && $values[self::WILDCARD_NAME]) {
 $permissions[] = '*';
- } else {
- foreach ($this->providedPermissions as $moduleName => $permissionList) {
- foreach ($permissionList as $name => $spec) {
- if (isset($values[$name]) && $values[$name]) {
- $permissions[] = $spec['name'];
- }
+ }
- unset($values[$name]);
+ foreach ($this->providedPermissions as $moduleName => $permissionList) {
+ foreach ($permissionList as $name => $spec) {
+ if (isset($values[$name]) && $values[$name]) {
+ $permissions[] = $spec['name'];
 }
+
+ unset($values[$name]);
 }
 }
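Review bot: With the `else` removed, a role saved with the wildcard set is stored as `*` followed by every permission that is truthy in `$values`, so the stored list is no longer exactly `*`. The form's own loader is adjusted for that in the previous hunk, but any other reader that still compares the list to `'*'` would stop recognising the role as admin; none is visible here, so that is worth a search before merging. A comment above the loop would record the intent, e.g. `// Stored next to '*' on purpose: keeps the individual grants if the wildcard is removed later` (inferred from the hidden elements added in the first hunk). `$moduleName` is unused in the outer `foreach` and could be dropped.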