From 539efb31516410073caf20a682b8a455a863f4aa Mon Sep 17 00:00:00 2001
From: vgilc <noreply@pandorafms.org>
Date: Mon, 25 Aug 2014 09:02:45 +0000
Subject: [PATCH] 2014-08-25  Vanessa Gil <vanessa.gil@artica.es>

	* godmode/groups/configure_group.php
	  include/functions_tags.php
	  operation/events/events.build_query.php
	  operation/events/events.build_table.php: Fixed ACL propagation + Tags.
	Tickets #1079 and #1072.


git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@10452 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
---
 pandora_console/ChangeLog                     |   8 +
 .../godmode/groups/configure_group.php        |   2 +-
 pandora_console/include/functions_tags.php    | 154 +++++++++++++++---
 .../operation/events/events.build_query.php   |   4 +-
 .../operation/events/events.build_table.php   |   6 +-
 5 files changed, 145 insertions(+), 29 deletions(-)

diff --git a/pandora_console/ChangeLog b/pandora_console/ChangeLog
index 20f926901b..7ea22bb3fe 100644
--- a/pandora_console/ChangeLog
+++ b/pandora_console/ChangeLog
@@ -1,3 +1,11 @@
+2014-08-25  Vanessa Gil <vanessa.gil@artica.es>
+
+	* godmode/groups/configure_group.php
+	  include/functions_tags.php
+	  operation/events/events.build_query.php
+	  operation/events/events.build_table.php: Fixed ACL propagation + Tags. 
+	Tickets #1079 and #1072.
+
 2014-08-22  Alejandro Gallardo <alejandro.gallardo@artica.es>
 	
 	* pandoradb.sql,
diff --git a/pandora_console/godmode/groups/configure_group.php b/pandora_console/godmode/groups/configure_group.php
index c3693f0a00..2f661f1e33 100644
--- a/pandora_console/godmode/groups/configure_group.php
+++ b/pandora_console/godmode/groups/configure_group.php
@@ -149,7 +149,7 @@ $table->data[3][0] = __('Alerts');
 $table->data[3][1] = html_print_checkbox ('alerts_enabled', 1, ! $alerts_disabled, true);
 
 $table->data[4][0] = __('Propagate ACL') . ui_print_help_tip (__("Propagate the same ACL security into the child subgroups."), true);
-$table->data[4][1] = html_print_checkbox('propagate', 1, $propagate, true);
+$table->data[4][1] = html_print_checkbox('propagate', 1, $propagate, true).ui_print_help_icon ("propagate_acl", true);
 
 $table->data[5][0] = __('Custom ID');
 $table->data[5][1] = html_print_input_text ('custom_id', $custom_id, '', 16, 255, true);
diff --git a/pandora_console/include/functions_tags.php b/pandora_console/include/functions_tags.php
index 52acc2ecfe..d9cddc57b4 100644
--- a/pandora_console/include/functions_tags.php
+++ b/pandora_console/include/functions_tags.php
@@ -667,6 +667,20 @@ function tags_get_acl_tags($id_user, $id_group, $access = 'AR', $return_mode = '
 	elseif (!is_array($id_group)) {
 		$id_group = (array) $id_group;
 	}
+
+	$id_group_aux = array();
+	foreach ($id_group as $key=>$id) {
+		array_push($id_group_aux, $id);
+		$parent = db_get_value('parent','tgrupo','id_grupo',$id);
+
+		if ($parent !== 0) {
+			$propagate = db_get_value('propagate','tgrupo','id_grupo',$parent);
+			if ($propagate == 1) {
+				array_push($id_group_aux,$parent);
+			}
+		}
+	}
+	$id_group = $id_group_aux;
 	
 	$acl_column = get_acl_column($access);
 	
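Review bot: The `$parent !== 0` test in the added loop is a strict comparison with an integer, so it only skips top-level groups if db_get_value() returns an int; if it returns a numeric string, or false for a missing row (not visible here), the `propagate` lookup runs for every group. `if ((int) $parent > 0) {` would cover those cases. The loop climbs only one level and can append the same parent several times, so `$id_group = array_unique($id_group_aux);` is worth considering. Since this list decides which groups' tag ACLs apply, a comment such as `// Parents are added only when their propagate flag is set` would help. The body of tags_get_acl_tags starts and ends outside the hunk.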
@@ -868,11 +882,14 @@ function tags_get_acl_tags_event_condition($acltags) {
 		$condition .= "($group_condition AND \n($tags_condition))\n";
 	}
 	
+	//Commented because ACLs propagation don't work
+/*
 	if (!empty($condition)) {
 		// Juanma (08/05/2014) Fix : Also add events of other groups (taking care of propagate ACLs func!)
 		if (!empty($_groups_not_in))
 			$condition = sprintf("\n((%s) OR id_grupo NOT IN (%s))", $condition, rtrim($_groups_not_in, ','));
 	}
+*/
 	
 	return $condition;
 }
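Review bot: The `$_groups_not_in` clause is disabled by wrapping it in `/* … */`, which leaves dead authorization logic in tags_get_acl_tags_event_condition that a later edit could re-enable by accident. Deleting the block would be cleaner, together with whatever builds `$_groups_not_in` earlier in the function (outside this hunk, so presumably still executed). If the block stays, the comment should say what was wrong with it, for example `// Disabled (tickets #1079, #1072): the OR id_grupo NOT IN (...) clause widened the filter to events of other groups`.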
@@ -1017,33 +1034,30 @@ function tags_check_acl($id_user, $id_group, $access, $tags = array()) {
 	if (is_array($id_group)) {
 
 		foreach ($id_group  as $group) {
-
 			if($group > 0) {
-                        	if(isset($acls[$group])) {
-                                	foreach($tags as $tag) {
-                                        	$tag = tags_get_id($tag);
+				if(isset($acls[$group])) {
+					foreach($tags as $tag) {
+						$tag = tags_get_id($tag);
 
-                                        	if(in_array($tag, $acls[$group])) {
-                                                	return true;
-                                        	}
-                                	}
-                        	}
-                        	else {
-                                	return false;
-                        	}
+						if(in_array($tag, $acls[$group])) {
+							return true;
+						}
+					}
+				}
+				else {
+					return false;
+				}
 			} else {
-                        	foreach($acls as $acl_tags) {
-                                	foreach($tags as $tag) {
-                                        	$tag = tags_get_id($tag);
-                                        	if(in_array($tag, $acl_tags)) {
-                                                	return true;
-                                        	}
-                                	}
-                        	}
-               		}
-
-                }
-
+				foreach($acls as $acl_tags) {
+					foreach($tags as $tag) {
+							$tag = tags_get_id($tag);
+							if(in_array($tag, $acl_tags)) {
+								return true;
+							}
+					}
+				}
+			}
+		}
 	} else {
 		if($id_group > 0) {
 			if(isset($acls[$id_group])) {
@@ -1073,4 +1087,96 @@ function tags_check_acl($id_user, $id_group, $access, $tags = array()) {
 
 	return false;
 }
+
+function tags_check_acl_event($id_user, $id_group, $access, $tags = array(),$p = false) {
+	global $config;
+
+	if($id_user === false) {
+		$id_user = $config['id_user'];
+	}
+	
+	$acls = tags_get_acl_tags($id_user, $id_group, $access, 'data');
+
+	// If there are wrong parameters or fail ACL check, return false
+	if($acls === ERR_WRONG_PARAMETERS || $acls === ERR_ACL) {
+		return false;
+	}
+
+	// If there are not tags restrictions or tags passed, return true
+	if(empty($acls) || empty($tags)) {
+		return true;
+	}
+
+	# Fix: If user profile has more than one group, due to ACL propagation then id_group can be an array
+	if (is_array($id_group)) {
+
+		foreach ($id_group  as $group) {
+			if($group > 0) {
+				if(isset($acls[$group])) {
+					foreach($tags as $tag) {
+						$tag = tags_get_id($tag);
+						if(in_array($tag, $acls[$group])) {
+							return true;
+						}
+					}
+				}
+				else {
+					//return false;
+					$return = false;
+                }
+			} else {
+				foreach($acls as $acl_tags) {
+						foreach($tags as $tag) {
+								$tag = tags_get_id($tag);
+								if(in_array($tag, $acl_tags)) {
+										return true;
+								}
+						}
+				}
+			}
+
+		}
+
+	} else {
+		if($id_group > 0) {
+			if(isset($acls[$id_group])) {
+				foreach($tags as $tag) {
+					$tag = tags_get_id($tag);
+					
+					if(in_array($tag, $acls[$id_group])) {
+						return true;
+					}
+				}
+			}
+			else {
+				//return false;
+				$return = false;
+			}
+		}
+		else {
+			foreach($acls as $acl_tags) {
+				foreach($tags as $tag) {
+					$tag = tags_get_id($tag);
+					if(in_array($tag, $acl_tags)) {
+						return true;
+					}
+				}
+			}
+		}
+	}	
+	//return false;
+	$return = false;
+	
+	if ($return == false) {
+		$parent = db_get_value('parent','tgrupo','id_grupo',$id_group);
+
+		if ($parent !== 0) {
+			$propagate = db_get_value('propagate','tgrupo','id_grupo',$parent);
+			if ($propagate == 1) {
+				$acl_parent = tags_check_acl_event($id_user, $parent, $access, $tags,$p);
+				return $acl_parent;
+			}
+		}
+	}
+}
 ?>
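Review bot: tags_check_acl_event has no final `return false;`, so when no tag matches and the parent does not propagate it returns null and the deny decision of this authorization check is left implicit. The tail also sets `$return = false` unconditionally right before `if ($return == false)`, which makes the earlier assignments and the test dead code, and an array `$id_group` is passed as-is to db_get_value(). `$parent !== 0` is strict against an int and the recursion has no guard, so a group that is its own ancestor with `propagate` set would presumably recurse without end. The fence below rewrites the tail with an explicit deny; it guards only the self-parent case, and a visited list or depth limit would be needed for longer cycles.

```php
	// … unchanged: tag matching for array and scalar $id_group …

	// No direct tag match. A list of groups has no single parent to consult, so deny.
	if (is_array($id_group)) {
		return false;
	}

	// Fall back to the parent group only when it propagates its ACL.
	$parent = (int) db_get_value('parent', 'tgrupo', 'id_grupo', $id_group);
	if ($parent > 0 && $parent != $id_group) {
		$propagate = db_get_value('propagate', 'tgrupo', 'id_grupo', $parent);
		if ($propagate == 1) {
			return tags_check_acl_event($id_user, $parent, $access, $tags, $p);
		}
	}

	// Deny by default.
	return false;
}
```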
diff --git a/pandora_console/operation/events/events.build_query.php b/pandora_console/operation/events/events.build_query.php
index 14d96cf8df..5bdc878177 100755
--- a/pandora_console/operation/events/events.build_query.php
+++ b/pandora_console/operation/events/events.build_query.php
@@ -188,7 +188,9 @@ else {
 $tags_acls_condition = tags_get_acl_tags($id_user, $group_array, 'ER',
 	'event_condition', 'AND');
 
-$sql_post .= $tags_acls_condition;
+if (($tags_acls_condition != ERR_WRONG_PARAMETERS) && ($tags_acls_condition != ERR_ACL)&& ($tags_acls_condition != -110000)) {
+	$sql_post .= $tags_acls_condition;
+}
 
 // Metaconsole fitlers
 if ($meta) {
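Review bot: When tags_get_acl_tags() returns an error code the new guard skips the condition altogether, so the events query is built without the tag ACL filter and the check fails open. An error from the ACL lookup should yield no rows instead, for example `else { $sql_post .= ' AND 1 = 0'; }`, assuming `$sql_post` is a chain of AND clauses as the `'AND'` argument suggests; whether it already carries a group filter is not visible in this hunk. The comparisons use `!=` between a SQL string and integer constants, where `!==` (as in tags_check_acl_event) avoids type juggling. The literal `-110000` should be a named constant or be explained in a comment.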
diff --git a/pandora_console/operation/events/events.build_table.php b/pandora_console/operation/events/events.build_table.php
index b7816c07b7..8275162d0e 100644
--- a/pandora_console/operation/events/events.build_table.php
+++ b/pandora_console/operation/events/events.build_table.php
@@ -503,7 +503,7 @@ foreach ($result as $event) {
 		
 		if(!$readonly) {
 			// Validate event
-			if (($event["estado"] != 1) && (tags_check_acl ($config["id_user"], $event["id_grupo"], "EW", $event['clean_tags']) == 1)) {
+			if (($event["estado"] != 1) && (tags_check_acl_event ($config["id_user"], $event["id_grupo"], "EW", $event['clean_tags'], true) == 1)) {
 				$data[$i] .= '<a href="javascript:validate_event_advanced('.$event["id_evento"].', 1)" id="validate-'.$event["id_evento"].'">';
 				$data[$i] .= html_print_image ("images/ok.png", true,
 					array ("title" => __('Validate event')));
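Review bot: The fifth argument `true` in the "Validate event" call has no visible effect, because in this patch tags_check_acl_event only forwards `$p` to its own recursive call and never reads it; the two call sites in the next hunk omit it. Either drop the argument here or document in the function what `$p` is meant to switch on. All three calls test the result with `== 1`, which treats the null that the new function can return as a denial only by loose comparison; a strict `=== true` would be clearer once the function always returns a boolean. The foreach body continues outside the hunk.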
@@ -536,12 +536,12 @@ foreach ($result as $event) {
 		$i++;
 		
 		if(!$readonly) {
-			if (tags_check_acl ($config["id_user"], $event["id_grupo"], "EM", $event['clean_tags']) == 1) {
+			if (tags_check_acl_event ($config["id_user"], $event["id_grupo"], "EM", $event['clean_tags']) == 1) {
 				//Checkbox
 				// Class 'candeleted' must be the fist class to be parsed from javascript. Dont change
 				$data[$i] = html_print_checkbox_extended ("validate_ids[]", $event['id_evento'], false, false, false, 'class="candeleted chk_val"', true);
 			}
-			else if (tags_check_acl ($config["id_user"], $event["id_grupo"], "EW", $event['clean_tags']) == 1) {
+			else if (tags_check_acl_event ($config["id_user"], $event["id_grupo"], "EW", $event['clean_tags']) == 1) {
 				//Checkbox
 				$data[$i] = html_print_checkbox_extended ("validate_ids[]", $event['id_evento'], false, false, false, 'class="chk_val"', true);
 			}