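/**
 * Edits the module permissions of a group.
 *
 * Renders the module-permissions edit view for the group identified by $id.
 * When the permissions form has been posted, the posted values are type-cast,
 * resolved to write permissions and applied to the group; on success a flash
 * message is set and the request is redirected to the action returned by
 * resolveActionToGoToAfterSave(). Otherwise (no post, or the post did not
 * save) the edit view is rendered.
 *
 * NOTE(review): no per-action authorization check is visible in this method;
 * presumably access to the action is enforced by the controller's filters —
 * confirm before relying on it.
 *
 * @param string|int $id Route parameter; cast to int before the lookup.
 */
public function actionEditModulePermissions($id)
{
    $group = Group::getById(intval($id));
    $title = Zurmo::t('ZurmoModule', 'Record Permissions');
    // Link the breadcrumb to the id of the loaded record rather than echoing
    // the raw route parameter, consistent with the redirect below.
    $breadCrumbLinks = array(
        strval($group) => array('group/' . static::resolveBreadCrumbActionByGroup($group), 'id' => $group->id),
        $title,
    );
    $data = PermissionsUtil::getAllModulePermissionsDataByPermitable($group);
    $permissionsForm = ModulePermissionsFormUtil::makeFormFromPermissionsData($data);
    // Yii posts form attributes under the form's class name.
    $postVariableName = get_class($permissionsForm);
    if (isset($_POST[$postVariableName])) {
        $this->clearCaches();
        $castedPostData = ModulePermissionsFormUtil::typeCastPostData($_POST[$postVariableName]);
        $readyToSetPostData = ModulePermissionsEditViewUtil::resolveWritePermissionsFromArray($castedPostData);
        if (ModulePermissionsFormUtil::setPermissionsFromCastedPost($readyToSetPostData, $group)) {
            Yii::app()->user->setFlash('notification', Zurmo::t('ZurmoModule', 'Record Permissions Saved Successfully.'));
            $action = $this->resolveActionToGoToAfterSave($group);
            $this->redirect(array($this->getId() . '/' . $action, 'id' => $group->id));
            // redirect() terminates the request by default; this end() call is
            // presumably reached only where redirect() does not exit (e.g. under
            // test) — confirm.
            Yii::app()->end(0, false);
        }
    }
    // No post, or the post did not save: (re)render the edit view.
    $permissionsData = GroupModulePermissionsDataToEditViewAdapater::resolveData($data);
    $metadata = ModulePermissionsEditViewUtil::resolveMetadataFromData(
        $permissionsData,
        ModulePermissionsEditAndDetailsView::getMetadata()
    );
    $titleBarAndEditView = new GroupActionBarAndSecurityEditView(
        $this->getId(),
        $this->getModule()->getId(),
        $permissionsForm,
        $group,
        $this->getModule()->getPluralCamelCasedName(),
        $metadata,
        'ModulePermissionsEditAndDetailsView',
        'GroupModulePermissionsEditMenu'
    );
    $view = new GroupsPageView(ZurmoDefaultAdminViewUtil::makeViewWithBreadcrumbsForCurrentUser(
        $this,
        $titleBarAndEditView,
        $breadCrumbLinks,
        'GroupBreadCrumbView'
    ));
    echo $view->render();
}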
/**
 * Shows the security overview of a user: module permissions, rights,
 * policies and group membership.
 *
 * The three UserAccessUtil calls at the top guard the action; they are
 * presumed to throw when the current user may not access the requested
 * user, the root user, or a system user — confirm against UserAccessUtil.
 *
 * @param string|int $id Route parameter; cast to int before the lookup.
 */
public function actionSecurityDetails($id)
{
    $userId = intval($id);
    UserAccessUtil::resolveCanCurrentUserAccessAction($userId);
    $targetUser = User::getById($userId);
    UserAccessUtil::resolveCanCurrentUserAccessRootUser($targetUser);
    UserAccessUtil::resolveAccessingASystemUser($targetUser);

    $title = Zurmo::t('UsersModule', 'Security Overview');
    $breadCrumbLinks = array(
        strval($targetUser) => array('default/details', 'id' => $id),
        $title,
    );

    // Module permissions: raw data -> form -> view-ready data -> view metadata.
    $permissionsData = PermissionsUtil::getAllModulePermissionsDataByPermitable($targetUser);
    $permissionsForm = ModulePermissionsFormUtil::makeFormFromPermissionsData($permissionsData);
    $viewReadyPermissionsData = GroupModulePermissionsDataToEditViewAdapater::resolveData($permissionsData);
    $permissionsMetadata = ModulePermissionsActualDetailsViewUtil::resolveMetadataFromData(
        $viewReadyPermissionsData,
        ModulePermissionsEditAndDetailsView::getMetadata()
    );

    // Rights.
    $rightsData = RightsUtil::getAllModuleRightsDataByPermitable($targetUser);
    $rightsForm = RightsFormUtil::makeFormFromRightsData($rightsData);
    $rightsMetadata = RightsEffectiveDetailsViewUtil::resolveMetadataFromData(
        $rightsData,
        RightsEditAndDetailsView::getMetadata()
    );

    // Policies.
    $policiesData = PoliciesUtil::getAllModulePoliciesDataByPermitable($targetUser);
    $policiesForm = PoliciesFormUtil::makeFormFromPoliciesData($policiesData);
    $policiesMetadata = PoliciesEffectiveDetailsViewUtil::resolveMetadataFromData(
        $policiesData,
        PoliciesEditAndDetailsView::getMetadata()
    );

    // Group membership.
    $membershipAdapter = new UserGroupMembershipToViewAdapter($targetUser);
    $membershipViewData = $membershipAdapter->getViewData();

    $detailsView = new UserActionBarAndSecurityDetailsView(
        $this->getId(),
        $this->getModule()->getId(),
        $targetUser,
        $permissionsForm,
        $rightsForm,
        $policiesForm,
        $permissionsMetadata,
        $rightsMetadata,
        $policiesMetadata,
        $membershipViewData
    );
    $pageView = new UsersPageView($this->resolveZurmoDefaultOrAdminView($detailsView, $breadCrumbLinks, 'UserBreadCrumbView'));
    echo $pageView->render();
}
/**
 * A regular user who holds the groups rights must be able to set module
 * permissions on a group; no AccessDeniedSecurityException may be thrown.
 */
public function testARegularUserWhoCanAccessGroupsCanProperlyModifyModulePermission()
{
    $regularUser = UserTestHelper::createBasicUser('nobody');
    $groupRights = array(
        GroupsModule::RIGHT_ACCESS_GROUPS,
        GroupsModule::RIGHT_CREATE_GROUPS,
        GroupsModule::RIGHT_DELETE_GROUPS,
    );
    foreach ($groupRights as $right) {
        $regularUser->setRight('GroupsModule', $right);
    }
    $this->assertTrue($regularUser->save());
    Yii::app()->user->userModel = $regularUser;

    $group = new Group();
    $group->name = 'newGroup2';
    $this->assertTrue($group->save());
    $group->forget();

    // The securable item starts out with no explicit permissions for the group.
    $securableItem = NamedSecurableItem::getByName('SomeModule');
    $this->assertEquals(array(Permission::NONE, Permission::NONE), $securableItem->getExplicitActualPermissions($group));
    $securableItem->forget();

    $postData = array(
        'SomeModule__' . Permission::CHANGE_PERMISSIONS => strval(Permission::ALLOW),
        'SomeModule__' . Permission::CHANGE_OWNER       => strval(Permission::ALLOW),
    );
    $castedPostData = ModulePermissionsFormUtil::typeCastPostData($postData);
    // Reaching this assertion means no AccessDeniedSecurityException was thrown.
    $this->assertTrue(ModulePermissionsFormUtil::setPermissionsFromCastedPost($castedPostData, $group));
}
/**
 * Setting the READ permission from an explicit DENY directly to an explicit
 * ALLOW via a posted form must yield an explicit ALLOW, not keep the deny
 * (regression test for https://www.pivotaltracker.com/story/show/54420494).
 */
public function testSetModulePermissionsFormFromExplicitDenyDirectlyToExplicitAllowFromPost()
{
    $group = Group::getByName('modulePermissionsGroup');

    $noPermission = array('explicit' => null, 'inherited' => null, 'actual' => null);
    // Builds the expected AccountsModule form data; only READ varies between steps.
    $expectedAccountsModule = function ($readExplicit, $readActual) use ($noPermission) {
        return array(
            Permission::CHANGE_OWNER       => $noPermission,
            Permission::CHANGE_PERMISSIONS => $noPermission,
            Permission::DELETE             => $noPermission,
            Permission::READ               => array('explicit' => $readExplicit, 'inherited' => null, 'actual' => $readActual),
            Permission::WRITE              => $noPermission,
        );
    };
    // Reloads the permissions form for the group and returns its AccountsModule data.
    $loadAccountsModuleFormData = function () use ($group) {
        $data = PermissionsUtil::getAllModulePermissionsDataByPermitable($group);
        $form = ModulePermissionsFormUtil::makeFormFromPermissionsData($data);
        return $form->data['AccountsModule'];
    };
    // Posts a single READ permission value for AccountsModule and applies it to the group.
    $postReadPermission = function ($value) use ($group) {
        $fakePost = array('AccountsModule__' . Permission::READ => strval($value));
        $validatedPost = ModulePermissionsFormUtil::typeCastPostData($fakePost);
        return ModulePermissionsFormUtil::setPermissionsFromCastedPost($validatedPost, $group);
    };

    // Initially nothing is set.
    $this->assertEquals($expectedAccountsModule(null, null), $loadAccountsModuleFormData());

    // Explicitly deny read.
    $this->assertTrue($postReadPermission(Permission::DENY));
    $this->assertEquals($expectedAccountsModule(Permission::DENY, Permission::DENY), $loadAccountsModuleFormData());

    // Go straight from explicit deny to explicit allow. Before the fix for
    // https://www.pivotaltracker.com/story/show/54420494 the old permission
    // was not removed.
    $this->assertTrue($postReadPermission(Permission::ALLOW));
    $this->assertEquals($expectedAccountsModule(Permission::ALLOW, Permission::ALLOW), $loadAccountsModuleFormData());
}
/**
 * Scenario 5: granting CHANGE_PERMISSIONS on AccountsModule to a group that
 * has a member queues exactly one ReadPermissionSubscriptionUpdateForAccount
 * job, and that job runs successfully.
 */
public function testGroupChangeOrDeleteScenario5()
{
    $superUser = User::getByUsername('super');
    Yii::app()->user->userModel = $superUser;
    $updateJob = new ReadPermissionSubscriptionUpdateForAccountJob();
    // Instantiated as in the original scenario but not exercised here.
    $buildTableJob = new ReadPermissionSubscriptionUpdateForAccountFromBuildTableJob();
    $member = self::$johnny;

    $this->deleteAllModelsAndRecordsFromReadPermissionTable('Account');
    $account = AccountTestHelper::createAccountByNameForOwner('Fifth Account', $superUser);
    Yii::app()->jobQueue->deleteAll();
    // Presumably lets subsequent timestamps differ from the account's — confirm.
    sleep(1);

    $group = new Group();
    $group->name = 'Group5';
    $this->assertTrue($group->save());
    $group->users->add($member);
    $this->assertTrue($group->save());
    Yii::app()->jobQueue->deleteAll();

    $postData = array('AccountsModule__' . Permission::CHANGE_PERMISSIONS => strval(Permission::ALLOW));
    $castedPostData = ModulePermissionsFormUtil::typeCastPostData($postData);
    $this->assertTrue(ModulePermissionsFormUtil::setPermissionsFromCastedPost($castedPostData, $group));

    // Key 5 is presumably the queue's delay bucket (seconds) — confirm against the job queue.
    $queuedJobs = Yii::app()->jobQueue->getAll();
    $this->assertEquals(1, count($queuedJobs[5]));
    $this->assertEquals('ReadPermissionSubscriptionUpdateForAccount', $queuedJobs[5][0]['jobType']);
    Yii::app()->jobQueue->deleteAll();

    $this->assertTrue($updateJob->run());
}