From 11aba4ce63f61d7992bf3db9ad1165cb62c06175 Mon Sep 17 00:00:00 2001
From: Junichi Satoh <junichi@rworks.jp>
Date: Fri, 15 Jul 2016 15:37:56 +0900
Subject: [PATCH] Removed unused argument from check_acl() and added new
 option(argument) for roots up. Fixed that users_can_manage_group_all()
 returns true even if the user does not have rights to manage group all.

---
 pandora_console/include/functions.php       | 13 +++++--------
 pandora_console/include/functions_users.php |  2 +-
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/pandora_console/include/functions.php b/pandora_console/include/functions.php
index 2788e699f4..a9fe4bf03c 100644
--- a/pandora_console/include/functions.php
+++ b/pandora_console/include/functions.php
@@ -1753,11 +1753,11 @@ function check_login ($output = true) {
  * @param int $id_user User id
  * @param int $id_group Agents group id to check from
  * @param string $access Access privilege
- * @param int $id_agent The agent id.
+ * @param bool $onlyOneGroup Flag to check acl for specified group only (not to roots up, or check acl for 'All' group when $id_group is 0).
  *
  * @return bool 1 if the user has privileges, 0 if not.
  */
-function check_acl($id_user, $id_group, $access, $id_agent = 0) {
+function check_acl($id_user, $id_group, $access, $onlyOneGroup = false) {
 	if (empty ($id_user)) {
 		//User ID needs to be specified
 		trigger_error ("Security error: check_acl got an empty string for user id", E_USER_WARNING);
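Review bot: Reusing the fourth positional slot for `$onlyOneGroup` silently changes the meaning of any call that still passes an agent id there: a non-zero id is truthy, so such a call would take the single-group path (no walk up the parent chain, and group 0 no longer meaning "any group") and may be refused where it was granted before — fail-closed, but unannounced for an authorization function. Before merging, grep for check_acl() calls with four arguments and drop the stale argument where found; inside the function, comparing with `$onlyOneGroup === true` (or casting once at the top, `$onlyOneGroup = (bool) $onlyOneGroup;`) would make an accidentally passed integer visible rather than quietly accepted. The `@return bool 1 ... 0` line predates this change but could be corrected to `true`/`false` while the docblock is being edited. check_acl()'s body continues past the hunk.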
@@ -1771,7 +1771,7 @@ function check_acl($id_user, $id_group, $access, $id_agent = 0) {
 	}
 	
 	$parents_id = array($id_group);
-	if ($id_group != 0) {
+	if ($id_group != 0 && $onlyOneGroup == false) {
 		$group = db_get_row_filter('tgrupo', array('id_grupo' => $id_group));
 		$parents = groups_get_parents($group['parent'], true);
 		
@@ -1779,13 +1779,10 @@ function check_acl($id_user, $id_group, $access, $id_agent = 0) {
 			$parents_id[] = $parent['id_grupo'];
 		}
 	}
-	else {
-		$parents_id = array();
-	}
 	
 	// TODO: To reduce this querys in one adding the group condition if necessary (only one line is different)
 	//Joined multiple queries into one. That saves on the query overhead and query cache.
-	if ($id_group == 0) {
+	if ($id_group == 0 && $onlyOneGroup == false) {
 		$query = sprintf("SELECT tperfil.incident_view, tperfil.incident_edit,
 				tperfil.incident_management, tperfil.agent_view,
 				tperfil.agent_edit, tperfil.alert_edit,
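Review bot: With the `else { $parents_id = array(); }` removed, `$parents_id` stays `array(0)` whenever `$id_group` is 0, and when `$onlyOneGroup` is set the query falls into the `else` branch that begins at the end of this hunk (its body is outside the hunk); that branch presumably filters on `$parents_id`, so the documented "check acl for 'All' group" behaviour depends on the 'All' group being stored as id_grupo 0 in tusuario_perfil — worth confirming against the schema. A short comment on the new condition would save the next reader that derivation: `// id_group 0 with $onlyOneGroup set: fall through to the per-group query so only an explicit profile on the 'All' group (id 0) counts`.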
@@ -1800,7 +1797,7 @@ function check_acl($id_user, $id_group, $access, $id_agent = 0) {
 			FROM tusuario_perfil, tperfil
 			WHERE tusuario_perfil.id_perfil = tperfil.id_perfil
 				AND tusuario_perfil.id_usuario = '%s'", $id_user);
-		//GroupID = 0, group id doesnt matter (use with caution!)
+		//GroupID = 0 and onlyOneGroup = false, group id doesnt matter (use with caution!)
 	}
 	else {
 		$query = sprintf("SELECT tperfil.incident_view, tperfil.incident_edit,
diff --git a/pandora_console/include/functions_users.php b/pandora_console/include/functions_users.php
index c3717cb12b..e12cf6611f 100755
--- a/pandora_console/include/functions_users.php
+++ b/pandora_console/include/functions_users.php
@@ -826,7 +826,7 @@ function users_can_manage_group_all($access = "PM") {
 	
 	$is_admin = db_get_value('is_admin', 'tusuario', 'id_user', $config['id_user']);
 	
-	if (check_acl ($config['id_user'], 0, $access) || $is_admin) {
+	if (check_acl ($config['id_user'], 0, $access, true) || $is_admin) {
 		return true;
 	}