/**
 * Extends the generic "can this object be deleted?" checks with the application-level ones.
 *
 * After the parent's own checks, two more sources of issues are folded into
 * $this->m_aDeleteIssues: every 'iApplicationObjectExtension' plugin (the array returned
 * by its OnCheckToDelete()), and the current user's right to delete this very object.
 * A denied right is additionally recorded as a security issue ($this->m_bSecurityIssue),
 * so callers can tell a rights problem from a data consistency problem.
 *
 * @param object $oDeletionPlan The deletion plan, forwarded (by reference) to the parent implementation
 * @return void
 */
protected function DoCheckToDelete(&$oDeletionPlan)
{
    parent::DoCheckToDelete($oDeletionPlan);

    // Let the registered plugins veto or annotate the deletion
    $aPlugins = MetaModel::EnumPlugins('iApplicationObjectExtension');
    foreach ($aPlugins as $oPlugin)
    {
        $aPluginIssues = $oPlugin->OnCheckToDelete($this);
        if (count($aPluginIssues) === 0)
        {
            continue;
        }
        $this->m_aDeleteIssues = array_merge($this->m_aDeleteIssues, $aPluginIssues);
    }

    // Finally, the user must be granted the "delete" action on this object
    $oThisAsSet = DBObjectSet::FromObject($this);
    $sClass = get_class($this);
    if (!UserRights::IsActionAllowed($sClass, UR_ACTION_DELETE, $oThisAsSet))
    {
        // Not a data issue but a rights one: flag it as such
        $this->m_bSecurityIssue = true;
        $this->m_aDeleteIssues[] = Dict::S('UI:Delete:NotAllowedToDelete');
    }
}
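/**
 * Displays the details of a request (ticket) in the portal, together with the
 * actions the current user may perform on it.
 *
 * What is rendered depends on the ticket state and on the user's rights:
 *  - 'resolved': a "Reopen" and/or "Close" button, each backed by a stimulus form
 *    (MakeStimulusForm) when the transition exists and is allowed for the user;
 *  - 'closed': read-only, nothing can be done (by convention the final state);
 *  - any other state: the public log (PUBLIC_LOG constant of the class) is editable,
 *    and attachments can be added, unless the log attribute is read-only/hidden.
 * When the database is read-only (MetaModel::DBIsReadOnly()), no action is offered.
 *
 * Labels coming from the dictionary are escaped per context: as JS string literals
 * (addslashes) inside an onClick attribute (htmlentities), and as plain HTML attribute
 * values (htmlentities). Note that addslashes only covers quotes and backslashes, so
 * dictionary labels are expected to be single-line strings.
 *
 * @param WebPage $oP The current web page (output is appended to it)
 * @param Object $oObj The ticket to display; must expose GetState(), EnumTransitions(),
 *        GetAttributeFlags() and the usual DBObject accessors used below
 * @return void
 */
function ShowDetailsRequest(WebPage $oP, $oObj)
{
    $sClass = get_class($oObj);
    $sLogAttCode = GetConstant($sClass, 'PUBLIC_LOG');
    $sUserCommentAttCode = GetConstant($sClass, 'USER_COMMENT');

    $bIsReopenButton = false;
    $bIsCloseButton = false;
    $bIsEscalateButton = false; // Never raised in this function: the "escalate" button is kept for a future use
    $bEditAttachments = false;
    $aEditAtt = array(); // List of attributes editable in the main form
    if (!MetaModel::DBIsReadOnly())
    {
        switch ($oObj->GetState())
        {
            case 'resolved':
                $aEditAtt = array();
                $aTransitions = $oObj->EnumTransitions();
                $oSet = DBObjectSet::FromObject($oObj);
                // Add the "Reopen" button if this is a valid action
                if (array_key_exists('ev_reopen', $aTransitions) && UserRights::IsStimulusAllowed($sClass, 'ev_reopen', $oSet))
                {
                    $bIsReopenButton = true;
                    MakeStimulusForm($oP, $oObj, 'ev_reopen', array($sLogAttCode));
                }
                // Add the "Close" button if this is a valid action
                if (array_key_exists('ev_close', $aTransitions) && UserRights::IsStimulusAllowed($sClass, 'ev_close', $oSet))
                {
                    $bIsCloseButton = true;
                    MakeStimulusForm($oP, $oObj, 'ev_close', array('user_satisfaction', $sUserCommentAttCode));
                }
                break;

            case 'closed':
                // By convention 'closed' is the final state of a ticket and nothing can be done in such a state
                break;

            default:
                // In all other states, the only possible action is to update the ticket (both the case log and the attachments)
                // This update is possible only if the case log field is not read-only or hidden in the current state
                $iFlags = $oObj->GetAttributeFlags($sLogAttCode);
                $bReadOnly = ($iFlags & (OPT_ATT_READONLY | OPT_ATT_HIDDEN)) != 0;
                if ($bReadOnly)
                {
                    $aEditAtt = array();
                    $bEditAttachments = false;
                }
                else
                {
                    // The value is irrelevant: only the keys of $aEditAtt are used below
                    $aEditAtt = array($sLogAttCode => '????');
                    $bEditAttachments = true;
                }
                break;
        }
    }

    // REFACTORISER LA MISE EN FORME (layout to be refactored)
    $oP->add("<h1 id=\"title_request_details\">" . $oObj->GetIcon() . " " . Dict::Format('Portal:TitleRequestDetailsFor_Request', $oObj->GetName()) . "</h1>\n");

    // Columns of attributes to display, as declared by the class constant (assumed to be valid JSON
    // with at least the 'col:left' and 'col:right' keys; an invalid value is not handled here)
    $aAttList = json_decode(GetConstant($sClass, 'DETAILS_ZLIST'), true);
    switch ($oObj->GetState())
    {
        case 'closed':
            // The satisfaction survey is only meaningful once the ticket is closed
            $aAttList['centered'][] = 'user_satisfaction';
            $aAttList['centered'][] = $sUserCommentAttCode;
    }

    // Attributes edited in the form below must not be displayed twice: drop them from every column
    foreach (array_keys($aEditAtt) as $sAttCode)
    {
        foreach ($aAttList as $col => $aColumn)
        {
            // Strict search: attribute codes are strings, avoid loose comparisons
            $index = array_search($sAttCode, $aColumn, true);
            if ($index !== false)
            {
                unset($aAttList[$col][$index]);
            }
        }
    }

    $oP->add("<div class=\"wizContainer\" id=\"form_commment_request\">\n");
    $oP->WizardFormStart('request_form', null);
    $oP->add('<div id="request_details">');
    $oP->add('<table id="request_details_table">');
    $oP->add('<tr>');
    $oP->add('<td style="vertical-align:top;">');
    $oP->DisplayObjectDetails($oObj, $aAttList['col:left']);
    $oP->add('</td>');
    $oP->add('<td style="vertical-align:top;">');
    $oP->DisplayObjectDetails($oObj, $aAttList['col:right']);
    $oP->add('</td>');
    $oP->add('</tr>');
    if (array_key_exists('centered', $aAttList))
    {
        $oP->add('<tr>');
        $oP->add('<td style="vertical-align:top;" colspan="2">');
        $oP->DisplayObjectDetails($oObj, $aAttList['centered']);
        $oP->add('</td>');
        $oP->add('</tr>');
    }

    // Attachments: editable (add only, no delete) when the ticket itself is editable
    $oP->add('<tr>');
    $oP->add('<td colspan="2" style="vertical-align:top;">');
    $oAttPlugin = new AttachmentPlugIn();
    if ($bEditAttachments)
    {
        $oAttPlugin->EnableDelete(false);
        $oAttPlugin->OnDisplayRelations($oObj, $oP, true);
    }
    else
    {
        $oAttPlugin->OnDisplayRelations($oObj, $oP, false);
    }
    $oP->add('</td>');
    $oP->add('</tr>');

    // Hidden fields identifying the object and the operation posted back by the form.
    // $sClass comes from get_class(), not from the request, so it is safe to inline;
    // the key is assumed to be numeric (as produced by the ORM).
    $oP->add('<tr>');
    $oP->add('<td colspan="2" style="vertical-align:top;">');
    $oP->add("<input type=\"hidden\" name=\"class\" value=\"{$sClass}\">");
    $oP->add("<input type=\"hidden\" name=\"id\" value=\"" . $oObj->GetKey() . "\">");
    $oP->add("<input type=\"hidden\" name=\"operation\" value=\"update_request\">");
    $oP->add("<input type=\"hidden\" id=\"stimulus_to_apply\" name=\"apply_stimulus\" value=\"\">\n");
    $oP->add_script(
<<<EOF
	function SetStimulusToApply(sStimulusCode)
	{
		\$('#stimulus_to_apply').val(sStimulusCode);
	}
EOF
    );

    // Build the form elements first: the public log is rendered apart from the other fields (below the buttons)
    $aEditFields = array(); // Intermediate array to avoid code duplication while splitting btw ticket_log and the rest
    foreach (array_keys($aEditAtt) as $sAttCode)
    {
        $sValue = $oObj->Get($sAttCode);
        $sDisplayValue = $oObj->GetEditValue($sAttCode);
        $aArgs = array('this' => $oObj, 'formPrefix' => '');
        $oAttDef = MetaModel::GetAttributeDef($sClass, $sAttCode);
        $sInputId = 'input_' . $sAttCode;
        $sHTMLValue = "<span id=\"field_{$sInputId}\">" . cmdbAbstractObject::GetFormElementForField($oP, $sClass, $sAttCode, $oAttDef, $sValue, $sDisplayValue, $sInputId, '', 0, $aArgs) . '</span>';
        $aEditFields[$sAttCode] = array('label' => MetaModel::GetLabel($sClass, $sAttCode), 'value' => $sHTMLValue);
    }

    foreach ($aEditFields as $sAttCode => $aFieldSpec)
    {
        if ($sAttCode === $sLogAttCode)
        {
            // Skip, the public log will be displayed below the buttons
            continue;
        }
        $oP->add("<div class=\"edit_item\">");
        $oP->add('<h1>' . $aFieldSpec['label'] . '</h1>');
        $oP->add($aFieldSpec['value']);
        $oP->add('</div>');
    }

    // Action buttons. The same label is used twice, in two different contexts:
    // as a JS string literal inside the onClick attribute, and as the HTML value attribute.
    // Using the JS-escaped form for the value attribute would show a backslash in front of
    // any apostrophe of the label, hence the separate escaping.
    if ($bIsReopenButton)
    {
        $sStimulusCode = 'ev_reopen';
        $sTitle = Dict::S('Portal:Button:ReopenTicket');
        $sOk = Dict::S('UI:Button:Ok');
        $sJsTitle = htmlentities(addslashes($sTitle), ENT_QUOTES, 'UTF-8');
        $sJsOk = htmlentities(addslashes($sOk), ENT_QUOTES, 'UTF-8');
        $sHtmlTitle = htmlentities($sTitle, ENT_QUOTES, 'UTF-8');
        $oP->p('<input type="button" onClick="RunStimulusDialog(\'' . $sStimulusCode . '\', \'' . $sJsTitle . '\', \'' . $sJsOk . '\');" value="' . $sHtmlTitle . '...">');
    }
    if ($bIsCloseButton)
    {
        $sStimulusCode = 'ev_close';
        $sTitle = Dict::S('Portal:Button:CloseTicket');
        $sOk = Dict::S('UI:Button:Ok');
        $sJsTitle = htmlentities(addslashes($sTitle), ENT_QUOTES, 'UTF-8');
        $sJsOk = htmlentities(addslashes($sOk), ENT_QUOTES, 'UTF-8');
        $sHtmlTitle = htmlentities($sTitle, ENT_QUOTES, 'UTF-8');
        $oP->p('<input type="button" onClick="RunStimulusDialog(\'' . $sStimulusCode . '\', \'' . $sJsTitle . '\', \'' . $sJsOk . '\');" value="' . $sHtmlTitle . '...">');
    }
    elseif (count($aEditAtt) > 0)
    {
        $oP->p('<input type="submit" value="' . htmlentities(Dict::S('Portal:Button:UpdateRequest'), ENT_QUOTES, 'UTF-8') . '">');
    }
    if ($bIsEscalateButton)
    {
        $sStimulusCode = 'ev_timeout';
        $oP->p('<input type="submit" onClick="SetStimulusToApply(\'' . $sStimulusCode . '\');" value="' . htmlentities(Dict::S('Portal:ButtonEscalate'), ENT_QUOTES, 'UTF-8') . '">');
    }
    $oP->add('</td>');
    $oP->add('</tr>');

    // The public log: editable field when it is part of the form, read-only rendering otherwise
    $oP->add('<tr>');
    $oP->add('<td colspan="2" style="vertical-align:top;">');
    if (isset($aEditFields[$sLogAttCode]))
    {
        $oP->add("<div class=\"edit_item\">");
        $oP->add('<h1>' . $aEditFields[$sLogAttCode]['label'] . '</h1>');
        $oP->add($aEditFields[$sLogAttCode]['value']);
        $oP->add('</div>');
    }
    else
    {
        $oP->add('<h1>' . MetaModel::GetLabel($sClass, $sLogAttCode) . '</h1>');
        $oP->add($oObj->GetAsHTML($sLogAttCode));
    }
    $oP->add('</td>');
    $oP->add('</tr>');
    $oP->add('</table>');
    $oP->add('</div>');
    $oP->WizardFormEnd();
    $oP->add('</div>');
}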
// Fall through /////////////////////////////////////////////////////////////////////////////////////////// // Fall through /////////////////////////////////////////////////////////////////////////////////////////// case 'delete': case 'bulk_delete': // Actual bulk deletion (if confirmed) $sClass = utils::ReadParam('class', '', false, 'class'); $sClassLabel = MetaModel::GetName($sClass); $aObjects = array(); if ($operation == 'delete') { // Single object $id = utils::ReadParam('id', ''); $oObj = MetaModel::GetObject($sClass, $id); $aObjects[] = $oObj; if (!UserRights::IsActionAllowed($sClass, UR_ACTION_DELETE, DBObjectSet::FromObject($oObj))) { throw new SecurityException(Dict::Format('UI:Error:DeleteNotAllowedOn_Class', $sClassLabel)); } } else { // Several objects $sFilter = utils::ReadPostedParam('filter', ''); $oFullSetFilter = DBObjectSearch::unserialize($sFilter); $aSelectObject = utils::ReadMultipleSelection($oFullSetFilter); if (empty($sClass) || empty($aSelectObject)) { throw new ApplicationException(Dict::Format('UI:Error:2ParametersMissing', 'class', 'selectObject[]')); } foreach ($aSelectObject as $iId) { $aObjects[] = MetaModel::GetObject($sClass, $iId); } if (count($aObjects) == 1) { if (!UserRights::IsActionAllowed($sClass, UR_ACTION_DELETE, DBObjectSet::FromArray($sClass, $aObjects))) {
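/**
 * Creates the initial administrator account of a fresh installation.
 *
 * Besides the UserLocal account itself, a sample Organization and a sample Person
 * (linked to that organization) are created when those classes exist and are not
 * abstract, so that the administrator has a contact to be attached to. The account
 * is then linked to the profile named ADMIN_PROFILE_NAME, when such a profile exists.
 * All writes are tracked under a single change record labelled 'Initialization',
 * and DBInsertTrackedNoReload() is called with its second argument set to true
 * (the right checks are bypassed: no user is logged in at installation time).
 *
 * NOTE(review): the password is handed to UserLocal::Set('password', ...) as given;
 * whether it is hashed there or stored verbatim is not visible from this method —
 * confirm in UserLocal before relying on it.
 *
 * @param string $sAdminUser Login of the administrator account
 * @param string $sAdminPwd Password of the administrator account (see the note above)
 * @param string $sLanguage Language chosen during the installation
 * @return bool Always true (insertion failures surface as exceptions from the ORM, not as a return value)
 */
public function CreateAdministrator($sAdminUser, $sAdminPwd, $sLanguage = 'EN US')
{
    CMDBObject::SetTrackInfo('Initialization');
    $oChange = CMDBObject::GetCurrentChange();

    $iContactId = 0;
    // Support drastic data model changes: no organization class (or not writable)!
    if (MetaModel::IsValidClass('Organization') && !MetaModel::IsAbstract('Organization'))
    {
        $oOrg = new Organization();
        $oOrg->Set('name', 'My Company/Department');
        $oOrg->Set('code', 'SOMECODE');
        $iOrgId = $oOrg->DBInsertTrackedNoReload($oChange, true);

        // Support drastic data model changes: no Person class (or not writable)!
        // The contact is only created together with its organization, hence the nesting
        if (MetaModel::IsValidClass('Person') && !MetaModel::IsAbstract('Person'))
        {
            $oContact = new Person();
            $oContact->Set('name', 'My last name');
            $oContact->Set('first_name', 'My first name');
            if (MetaModel::IsValidAttCode('Person', 'org_id'))
            {
                $oContact->Set('org_id', $iOrgId);
            }
            if (MetaModel::IsValidAttCode('Person', 'phone'))
            {
                $oContact->Set('phone', '+00 000 000 000');
            }
            $oContact->Set('email', '*****@*****.**');
            $iContactId = $oContact->DBInsertTrackedNoReload($oChange, true);
        }
    }

    $oUser = new UserLocal();
    $oUser->Set('login', $sAdminUser);
    $oUser->Set('password', $sAdminPwd);
    // Only link the contact when the data model allows it and a contact was actually created
    if (MetaModel::IsValidAttCode('UserLocal', 'contactid') && $iContactId != 0)
    {
        $oUser->Set('contactid', $iContactId);
    }
    $oUser->Set('language', $sLanguage); // Language was chosen during the installation

    // Add this user to the very specific 'admin' profile
    $oAdminProfile = MetaModel::GetObjectFromOQL("SELECT URP_Profiles WHERE name = :name", array('name' => ADMIN_PROFILE_NAME), true);
    if (is_object($oAdminProfile))
    {
        // The link is written through the user's 'profile_list' (the user id is not known before its insertion)
        $oUserProfile = new URP_UserProfile();
        $oUserProfile->Set('profileid', $oAdminProfile->GetKey());
        $oUserProfile->Set('reason', 'By definition, the administrator must have the administrator profile');
        $oSet = DBObjectSet::FromObject($oUserProfile);
        $oUser->Set('profile_list', $oSet);
    }
    // The new user's id is not needed afterwards
    $oUser->DBInsertTrackedNoReload($oChange, true);
    return true;
}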
/**
 * Last-resort rights check before a write (Insert, Update or Delete).
 *
 * The UI is expected to hide forbidden actions, so this should never throw in
 * normal use; it exists to enforce the rights when someone bypasses the UI.
 *
 * @param bool|null $bSkipStrongSecurity true to bypass the check, false to enforce it,
 *        null to take the 'skip_strong_security' setting from the configuration
 * @param int $iActionCode The action being attempted (a UR_ACTION_xxx code)
 * @return void
 * @throws SecurityException When the current user is not allowed to perform the action
 */
protected function CheckUserRights($bSkipStrongSecurity, $iActionCode)
{
    if ($bSkipStrongSecurity === null)
    {
        // Historical note: this safety net was added right before iTop 1.0 and
        // judged too risky to enable by default; the configuration setting
        // skip_strong_security (set it to 0 to enforce the check) decides.
        $oConfig = MetaModel::GetConfig();
        $bSkipStrongSecurity = $oConfig->Get('skip_strong_security');
    }
    if ($bSkipStrongSecurity)
    {
        return;
    }

    $sClass = get_class($this);
    $bAllowed = UserRights::IsActionAllowed($sClass, $iActionCode, DBObjectSet::FromObject($this));
    if (!$bAllowed)
    {
        // Intrusion attempt (or a UI bug): refuse the write
        throw new SecurityException('You are not allowed to modify objects of class: ' . $sClass);
    }
}