Merge pull request #2359 from connortechnology/fix_2353

Update permissions checking for Groups to not use session. Fixes #2353
This commit is contained in:
Andrew Bauer 2018-12-21 15:16:49 -06:00 committed by GitHub
commit 153877b9c0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 52 additions and 25 deletions


@ -16,8 +16,10 @@ class GroupsController extends AppController {
public function beforeFilter() { public function beforeFilter() {
parent::beforeFilter(); parent::beforeFilter();
$canView = $this->Session->Read('groupsPermission'); global $user;
if ( $canView == 'None' ) { # We already tested for auth in appController, so we just need to test for specific permission
$canView = (!$user) || ($user['Groups'] != 'None');
if ( !$canView ) {
throw new UnauthorizedException(__('Insufficient Privileges')); throw new UnauthorizedException(__('Insufficient Privileges'));
return; return;
} }
@ -65,14 +67,21 @@ class GroupsController extends AppController {
public function add() { public function add() {
if ( $this->request->is('post') ) { if ( $this->request->is('post') ) {
if ($this->Session->Read('groupPermission') != 'Edit') { global $user;
throw new UnauthorizedException(__('Insufficient privileges')); # We already tested for auth in appController,
# so we just need to test for specific permission
$canEdit = (!$user) || ($user['Groups'] == 'Edit');
if ( !$canEdit ) {
throw new UnauthorizedException(__('Insufficient Privileges'));
return; return;
} }
$this->Group->create(); $this->Group->create();
if ( $this->Group->save($this->request->data) ) { if ( $this->Group->save($this->request->data) ) {
return $this->flash(__('The group has been saved.'), array('action' => 'index')); return $this->flash(
__('The group has been saved.'),
array('action' => 'index')
);
} }
} }
$monitors = $this->Group->Monitor->find('list'); $monitors = $this->Group->Monitor->find('list');
@ -91,12 +100,19 @@ class GroupsController extends AppController {
throw new NotFoundException(__('Invalid group')); throw new NotFoundException(__('Invalid group'));
} }
if ( $this->request->is(array('post', 'put'))) { if ( $this->request->is(array('post', 'put'))) {
if ( $this->Session->Read('groupPermission') != 'Edit' ) { global $user;
throw new UnauthorizedException(__('Insufficient privileges')); # We already tested for auth in appController,
# so we just need to test for specific permission
$canEdit = (!$user) || ($user['Groups'] == 'Edit');
if ( !$canEdit ) {
throw new UnauthorizedException(__('Insufficient Privileges'));
return; return;
} }
if ( $this->Group->save($this->request->data) ) { if ( $this->Group->save($this->request->data) ) {
return $this->flash(__('The group has been saved.'), array('action' => 'index')); return $this->flash(
__('The group has been saved.'),
array('action' => 'index')
);
} else { } else {
$message = 'Error'; $message = 'Error';
} }
@ -108,7 +124,7 @@ class GroupsController extends AppController {
$this->set(array( $this->set(array(
'message' => $message, 'message' => $message,
'monitors'=> $monitors, 'monitors'=> $monitors,
'_serialize' => array('message',) '_serialize' => array('message')
)); ));
} }
@ -125,15 +141,26 @@ class GroupsController extends AppController {
throw new NotFoundException(__('Invalid group')); throw new NotFoundException(__('Invalid group'));
} }
$this->request->allowMethod('post', 'delete'); $this->request->allowMethod('post', 'delete');
if ( $this->Session->Read('groupPermission') != 'Edit' ) {
throw new UnauthorizedException(__('Insufficient privileges')); global $user;
# We already tested for auth in appController,
# so we just need to test for specific permission
$canEdit = (!$user) || ($user['Groups'] == 'Edit');
if ( !$canEdit ) {
throw new UnauthorizedException(__('Insufficient Privileges'));
return; return;
} }
if ( $this->Group->delete() ) { if ( $this->Group->delete() ) {
return $this->flash(__('The group has been deleted.'), array('action' => 'index')); return $this->flash(
__('The group has been deleted.'),
array('action' => 'index')
);
} else { } else {
return $this->flash(__('The group could not be deleted. Please, try again.'), array('action' => 'index')); return $this->flash(
__('The group could not be deleted. Please, try again.'),
array('action' => 'index')
);
} }
} // end function delete } // end function delete
} // end class GroupController } // end class GroupController
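Review bot: The new checks fail open: in beforeFilter `$canView = (!$user) || ($user['Groups'] != 'None');` and the parallel `$canEdit = (!$user) || ($user['Groups'] == 'Edit');` in the add, edit and delete hunks all grant access whenever the `global $user` is empty, so a missing or unpopulated global is treated the same as "authentication disabled". If the intent is that an empty `$user` only ever means auth is switched off, that decision belongs in one explicit test of the auth-enabled setting rather than being inferred from the global in four places; e.g. `$canView = $user ? (($user['Groups'] ?? 'None') !== 'None') : AUTH_DISABLED_PLACEHOLDER;` with the placeholder replaced by the app's actual auth setting. The `??` default also avoids an undefined-index notice if a user record has no `Groups` key, and `!==`/`===` replaces the loose comparisons. The `return;` after each `throw` is unreachable and can be dropped; beforeFilter's body continues outside its hunk.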


@ -38,8 +38,8 @@ class Group extends AppModel {
*/ */
public $validate = array( public $validate = array(
'Name' => array( 'Name' => array(
'notEmpty' => array( 'notBlank' => array(
'rule' => array('notEmpty'))), 'rule' => array('notBlank'))),
'Id' => array( 'Id' => array(
'numeric' => array( 'numeric' => array(
'rule' => array('numeric'), 'rule' => array('numeric'),