From a625b598a659f7260c0cf9a0e2c452f834a72b32 Mon Sep 17 00:00:00 2001
From: mdtrooper <tres.14159@gmail.com>
Date: Thu, 13 Mar 2014 10:22:34 +0000
Subject: [PATCH] 2014-03-13  Miguel de Dios <miguel.dedios@artica.es>

	* godmode/reporting/reporting_builder.main.php,
	godmode/reporting/reporting_builder.php,
	include/functions_users.php: fixed the access to the report with the
	user profile "RW" and "RM".

	Incident: #655




git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@9575 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
---
 pandora_console/ChangeLog                     |  9 ++
 .../reporting/reporting_builder.main.php      | 12 +--
 .../godmode/reporting/reporting_builder.php   | 82 ++++++++++++-------
 pandora_console/include/functions_users.php   |  4 +-
 4 files changed, 72 insertions(+), 35 deletions(-)

diff --git a/pandora_console/ChangeLog b/pandora_console/ChangeLog
index 94d3d8c6b8..4627fca030 100644
--- a/pandora_console/ChangeLog
+++ b/pandora_console/ChangeLog
@@ -1,3 +1,12 @@
+2014-03-13  Miguel de Dios <miguel.dedios@artica.es>
+	
+	* godmode/reporting/reporting_builder.main.php,
+	godmode/reporting/reporting_builder.php,
+	include/functions_users.php: fixed the access to the report with the
+	user profile "RW" and "RM".
+	
+	Incident: #655
+
 2014-03-13  Vanessa Gil <vanessa.gil@artica.es>
 	
 	* godmode/menu.php
diff --git a/pandora_console/godmode/reporting/reporting_builder.main.php b/pandora_console/godmode/reporting/reporting_builder.main.php
index ca5a5559a6..fd90173070 100644
--- a/pandora_console/godmode/reporting/reporting_builder.main.php
+++ b/pandora_console/godmode/reporting/reporting_builder.main.php
@@ -58,15 +58,17 @@ $table->data['name'][1] = html_print_input_text('name', $reportName,
 
 $table->data['group'][0] = __('Group');
 
-$write_groups = users_get_groups_for_select(false, "RW", users_can_manage_group_all(), true, false, 'id_grupo');
-	
+$write_groups = users_get_groups_for_select(false, "RW",
+	users_can_manage_group_all(), true, false, 'id_grupo');
+
 // If the report group is not among the RW groups (special permission) we add it
 if (!isset($write_groups[$idGroupReport])) {
 	$write_groups[$idGroupReport] = groups_get_name($idGroupReport);
 }
 
-$table->data['group'][1] = html_print_select ($write_groups, 'id_group', $idGroupReport, false, '', '', true);
-	
+$table->data['group'][1] = html_print_select($write_groups, 'id_group',
+	$idGroupReport, false, '', '', true);
+
 if ($report_id_user == $config['id_user'] ||
 	is_user_admin ($config["id_user"])) {
 	//S/he is the creator of report (or admin) and s/he can change the access.
@@ -78,7 +80,7 @@ if ($report_id_user == $config['id_user'] ||
 		ui_print_help_tip(__('For example, you want a report that the people of "All" groups can see but you want to edit only for you or your group.'), true);
 	$table->data['access'][1] = html_print_select ($type_access, 'type_access',
 		$type_access_selected, 'change_type_access(this)', '', 0, true);
-
+	
 	$style = "display: none;";
 	if ($type_access_selected == 'group_edit')
 		$style = "";
diff --git a/pandora_console/godmode/reporting/reporting_builder.php b/pandora_console/godmode/reporting/reporting_builder.php
index 8756816b29..90ce4b6405 100644
--- a/pandora_console/godmode/reporting/reporting_builder.php
+++ b/pandora_console/godmode/reporting/reporting_builder.php
@@ -336,17 +336,17 @@ switch ($action) {
 				'order' => 'name'
 			);
 		}
-
+		
 		# Fix : group filter was not working
 		// Show only selected groups
-        if ($id_group > 0) {
-        	$group = array("$id_group" => $id_group);
-           	$filter['id_group'] = $id_group;
+		if ($id_group > 0) {
+			$group = array("$id_group" => $id_group);
+			$filter['id_group'] = $id_group;
 		}
-        else {
-            $group = false;
-        }
-
+		else {
+			$group = false;
+		}
+		
 		
 		// Filter normal and metaconsole reports
 		if ($config['metaconsole'] == 1 and defined('METACONSOLE'))
@@ -357,7 +357,7 @@ switch ($action) {
 		$reports = reports_get_reports ($filter,
 			array ('name', 'id_report', 'description', 'private',
 				'id_user', 'id_group'), $return_all_group, 'RR', $group);
-	
+		
 		$table->width = '0px';
 		if (sizeof ($reports)) {
 			$table->id = 'report_list';
@@ -389,7 +389,8 @@ switch ($action) {
 				$table->head[$next] = __('Group');
 				$table->align[$next] = 'center';
 				$next++;
-				$table->head[$next] = '<span title="Operations">' . __('Op.') . '</span>';
+				$table->head[$next] = '<span title="Operations">' .
+					__('Op.') . '</span>';
 				$table->size = array ();
 				$table->size[$next] = '80px';
 				$table->style[$next] = 'text-align:center;';
@@ -398,7 +399,7 @@ switch ($action) {
 			
 			foreach ($reports as $report) {
 				
-				if (!is_user_admin ($config["id_user"])){
+				if (!is_user_admin ($config["id_user"])) {
 					if ($report["private"] && $report["id_user"] != $config['id_user'])
 						if (!check_acl ($config["id_user"], $report["id_group"], "RR"))
 							continue;
@@ -448,40 +449,65 @@ switch ($action) {
 				
 				$type_access_selected = reports_get_type_access($report);
 				$edit = false;
+				$delete = false;
+				
 				switch ($type_access_selected) {
 					case 'group_view':
-						$edit = check_acl($config['id_user'], $report['id_group'], "RW") && users_can_manage_group_all($report["id_group"]);
+						$edit = check_acl($config['id_user'],
+							$report['id_group'], "RW")
+							&&
+							users_can_manage_group_all($report["id_group"], "RW");
+						
+						$delete = check_acl($config['id_user'],
+							$report['id_group'], "RM")
+							&&
+							users_can_manage_group_all($report["id_group"], "RM");
 						break;
 					case 'group_edit':
-						$edit = check_acl($config['id_user'], $report['id_group_edit'], "RW") && users_can_manage_group_all($report["id_group_edit"]);
+						$edit = check_acl($config['id_user'],
+							$report['id_group_edit'], "RW")
+							&&
+							users_can_manage_group_all($report["id_group_edit"], "RW");
+						
+						$delete = check_acl($config['id_user'],
+							$report['id_group_edit'], "RM")
+							&&
+							users_can_manage_group_all($report["id_group_edit"], "RM");
 						break;
 					case 'user_edit':
 						if ($config['id_user'] == $report['id_user'] ||
-							is_user_admin ($config["id_user"]))
+							is_user_admin ($config["id_user"])) {
 							$edit = true;
+							$delete = true;
+						}
 						break;
 				}
 				
-				
-				if ($edit) {
+				if ($edit || $delete) {
 					if (!isset($table->head[$next])) {
 						$table->head[$next] = '<span title="Operations">' . __('Op.') . '</span>';
 						$table->size = array ();
 						$table->size[$next] = '80px';
 						$table->style[$next] = 'text-align:center;';
 					}
-				
-					$data[$next] = '<form method="post" action="index.php?sec=reporting&sec2=godmode/reporting/reporting_builder&action=edit&pure='.$pure.'" style="display:inline">';
-					$data[$next] .= html_print_input_hidden ('id_report', $report['id_report'], true);
-					$data[$next] .= html_print_input_image ('edit', 'images/config.png', 1, '', true, array ('title' => __('Edit')));
-					$data[$next] .= '</form>';
 					
-					$data[$next] .= '<form method="post" style="display:inline;" onsubmit="if (!confirm (\''.__('Are you sure?').'\')) return false">';
-					$data[$next] .= html_print_input_hidden ('id_report', $report['id_report'], true);
-					$data[$next] .= html_print_input_hidden ('action','delete_report', true);
-					$data[$next] .= html_print_input_image ('delete', 'images/cross.png', 1, '',
-						true, array ('title' => __('Delete')));
-					$data[$next] .= '</form>';
+					if ($edit) {
+						$data[$next] = '<form method="post" action="index.php?sec=reporting&sec2=godmode/reporting/reporting_builder&action=edit&pure='.$pure.'" style="display:inline">';
+						$data[$next] .= html_print_input_hidden('id_report',
+							$report['id_report'], true);
+						$data[$next] .= html_print_input_image('edit',
+							'images/config.png', 1, '', true, array ('title' => __('Edit')));
+						$data[$next] .= '</form>';
+					}
+					
+					if ($delete) {
+						$data[$next] .= '<form method="post" style="display:inline;" onsubmit="if (!confirm (\''.__('Are you sure?').'\')) return false">';
+						$data[$next] .= html_print_input_hidden ('id_report', $report['id_report'], true);
+						$data[$next] .= html_print_input_hidden ('action','delete_report', true);
+						$data[$next] .= html_print_input_image ('delete', 'images/cross.png', 1, '',
+							true, array ('title' => __('Delete')));
+						$data[$next] .= '</form>';
+					}
 				}
 				
 				array_push ($table->data, $data);
@@ -499,7 +525,7 @@ switch ($action) {
 		}
 		
 		enterprise_hook('close_meta_frame');
-
+		
 		return;
 		break;
 	case 'new':
diff --git a/pandora_console/include/functions_users.php b/pandora_console/include/functions_users.php
index a4ae6cc06f..d0eb1f9b47 100644
--- a/pandora_console/include/functions_users.php
+++ b/pandora_console/include/functions_users.php
@@ -793,7 +793,7 @@ function users_check_users() {
 // Check if a user can manage a group when group is all
 // This function dont check acls of the group, only if the 
 // user is admin or pandora manager and the group is all
-function users_can_manage_group_all($id_group = 0) {
+function users_can_manage_group_all($id_group = 0, $access = "PM") {
 	global $config;
 	
 	if ($id_group != 0) {
@@ -802,7 +802,7 @@ function users_can_manage_group_all($id_group = 0) {
 	
 	$is_admin = db_get_value('is_admin', 'tusuario', 'id_user', $config['id_user']);
 	
-	if (check_acl ($config['id_user'], 0, "PM") || $is_admin) {
+	if (check_acl ($config['id_user'], 0, $access) || $is_admin) {
 		return true;
 	}