Fixes on the reports permissions

This commit is contained in:
Alejandro Gallardo Escobar 2014-10-02 15:27:51 +02:00
parent 42781e0bee
commit e432ae8584
1 changed files with 69 additions and 16 deletions


@ -93,11 +93,23 @@ if ($idReport != 0) {
$edit = true; $edit = true;
break; break;
} }
if (! $edit) { if (! $edit) {
db_pandora_audit("ACL Violation", // The user that created the report should can delete it. Despite its permissions.
"Trying to access report builder"); $delete_report_bypass = false;
require ("general/noaccess.php");
exit; if ($action == 'delete_report') {
if ($config['id_user'] == $report['id_user'] || is_user_admin ($config["id_user"])) {
$delete_report_bypass = true;
}
}
if (!$delete_report_bypass) {
db_pandora_audit("ACL Violation",
"Trying to access report builder");
require ("general/noaccess.php");
exit;
}
} }
} }
@ -298,6 +310,43 @@ switch ($action) {
enterprise_hook('open_meta_frame'); enterprise_hook('open_meta_frame');
if ($action == 'delete_report') { if ($action == 'delete_report') {
$delete = false;
switch ($type_access_selected) {
case 'group_view':
if ($config['id_user'] == $report['id_user'] || is_user_admin ($config["id_user"])) {
$delete = true; //owner can delete
} else {
$delete = check_acl($config['id_user'],
$report['id_group'], "RM")
&&
users_can_manage_group_all($report["id_group"], "RM");
}
break;
case 'group_edit':
if ($config['id_user'] == $report['id_user'] || is_user_admin ($config["id_user"])) {
$delete = true; //owner can delete
} else {
$delete = check_acl($config['id_user'],
$report['id_group'], "RM")
&&
users_can_manage_group_all($report["id_group"], "RM");
}
break;
case 'user_edit':
if ($config['id_user'] == $report['id_user'] ||
is_user_admin ($config["id_user"])) {
$delete = true;
}
break;
}
if (! $delete) {
db_pandora_audit("ACL Violation",
"Trying to access report builder deletion");
require ("general/noaccess.php");
exit;
}
$result = reports_delete_report ($idReport); $result = reports_delete_report ($idReport);
if ($result !== false) if ($result !== false)
db_pandora_audit("Report management", "Delete report #$idReport"); db_pandora_audit("Report management", "Delete report #$idReport");
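Review bot: In the new pre-delete switch the `group_edit` case authorizes deletion against `$report['id_group']`, exactly as the `group_view` case does, and the last hunk of this section likewise replaces the earlier `id_group_edit` check with `id_group`, so a report whose access mode is group-edit is now deleted under RM rights on a group other than the one that governs editing it — this reads like a copy of the `group_view` branch rather than a deliberate re-keying, unless the commit intended that. If `id_group_edit` is the right group, the two lines in that `else` branch should read `$report['id_group_edit'], "RM")` and `users_can_manage_group_all($report["id_group_edit"], "RM");`. The owner test `$config['id_user'] == $report['id_user'] || is_user_admin ($config["id_user"])` is repeated three times with a loose `==`; computing it once before the switch, e.g. `$is_owner_or_admin = ($config['id_user'] === $report['id_user'] || is_user_admin($config['id_user']));` (strict comparison only if both ids are known to be strings), removes the duplication and avoids PHP's numeric-string comparison rules for ids. The switch has no `default`, so `$delete` stays false for any unexpected `$type_access_selected` and the check fails closed, which is the right direction. The final hunk of this section continues past the end of the visible page.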
@ -494,14 +543,14 @@ switch ($action) {
&& &&
users_can_manage_group_all($report["id_group"], "RW"); users_can_manage_group_all($report["id_group"], "RW");
if ($config['id_user'] == $report['id_user']) { if ($config['id_user'] == $report['id_user'] || is_user_admin ($config["id_user"])) {
$delete = true; //owner can delete $delete = true; //owner can delete
} else { } else {
$delete = check_acl($config['id_user'], $delete = check_acl($config['id_user'],
$report['id_group'], "RM") $report['id_group'], "RM")
&& &&
users_can_manage_group_all($report["id_group"], "RM"); users_can_manage_group_all($report["id_group"], "RM");
} }
break; break;
case 'group_edit': case 'group_edit':
$edit = check_acl($config['id_user'], $edit = check_acl($config['id_user'],
@ -509,10 +558,14 @@ switch ($action) {
&& &&
users_can_manage_group_all($report["id_group_edit"], "RW"); users_can_manage_group_all($report["id_group_edit"], "RW");
$delete = check_acl($config['id_user'], if ($config['id_user'] == $report['id_user'] || is_user_admin ($config["id_user"])) {
$report['id_group_edit'], "RM") $delete = true; //owner can delete
&& } else {
users_can_manage_group_all($report["id_group_edit"], "RM"); $delete = check_acl($config['id_user'],
$report['id_group'], "RM")
&&
users_can_manage_group_all($report["id_group"], "RM");
}
break; break;
case 'user_edit': case 'user_edit':
if ($config['id_user'] == $report['id_user'] || if ($config['id_user'] == $report['id_user'] ||