Merge pull request #3001 from connortechnology/update_users_controller
Update permissions checking when viewing/editing users. Fixes #2982.…
4c69d7b748
|
@ -14,6 +14,18 @@ class UsersController extends AppController {
|
|||
*/
|
||||
public $components = array('RequestHandler', 'Paginator');
|
||||
|
||||
public function beforeFilter() {
|
||||
parent::beforeFilter();
|
||||
|
||||
global $user;
|
||||
# We already tested for auth in appController, so we just need to test for specific permission
|
||||
$canView = (!$user) || ($user['System'] != 'None');
|
||||
if ( !$canView ) {
|
||||
throw new UnauthorizedException(__('Insufficient Privileges'));
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* index method
|
||||
*
|
||||
|
@ -23,6 +35,12 @@ class UsersController extends AppController {
|
|||
public function index() {
|
||||
$this->User->recursive = 0;
|
||||
|
||||
global $user;
|
||||
# We should actually be able to list our own user, but I'm not bothering at this time.
|
||||
if ( $user['System'] == 'None' ) {
|
||||
throw new UnauthorizedException(__('Insufficient Privileges'));
|
||||
return;
|
||||
}
|
||||
$users = $this->Paginator->paginate('User');
|
||||
|
||||
$this->set(compact('users'));
|
||||
|
@ -37,9 +55,19 @@ class UsersController extends AppController {
|
|||
*/
|
||||
public function view($id = null) {
|
||||
$this->User->recursive = 1;
|
||||
if (!$this->User->exists($id)) {
|
||||
|
||||
global $user;
|
||||
# We can view ourselves
|
||||
$canView = ($user['System'] != 'None') or ($user['Id'] == $id);
|
||||
if ( !$canView ) {
|
||||
throw new UnauthorizedException(__('Insufficient Privileges'));
|
||||
return;
|
||||
}
|
||||
|
||||
if ( !$this->User->exists($id) ) {
|
||||
throw new NotFoundException(__('Invalid user'));
|
||||
}
|
||||
|
||||
$options = array('conditions' => array('User.' . $this->User->primaryKey => $id));
|
||||
$user = $this->User->find('first', $options);
|
||||
|
||||
|
@ -55,9 +83,16 @@ class UsersController extends AppController {
|
|||
* @return void
|
||||
*/
|
||||
public function add() {
|
||||
if ($this->request->is('post')) {
|
||||
if ( $this->request->is('post') ) {
|
||||
|
||||
global $user;
|
||||
if ( $user['System'] != 'Edit' ) {
|
||||
throw new UnauthorizedException(__('Insufficient Privileges'));
|
||||
return;
|
||||
}
|
||||
|
||||
$this->User->create();
|
||||
if ($this->User->save($this->request->data)) {
|
||||
if ( $this->User->save($this->request->data) ) {
|
||||
return $this->flash(__('The user has been saved.'), array('action' => 'index'));
|
||||
}
|
||||
$this->Session->setFlash(
|
||||
|
@ -76,7 +111,14 @@ class UsersController extends AppController {
|
|||
public function edit($id = null) {
|
||||
$this->User->id = $id;
|
||||
|
||||
if (!$this->User->exists($id)) {
|
||||
global $user;
|
||||
$canEdit = ($user['System'] == 'Edit') or (($user['Id'] == $id) and ZM_USER_SELF_EDIT);
|
||||
if ( !$canEdit ) {
|
||||
throw new UnauthorizedException(__('Insufficient Privileges'));
|
||||
return;
|
||||
}
|
||||
|
||||
if ( !$this->User->exists($id) ) {
|
||||
throw new NotFoundException(__('Invalid user'));
|
||||
}
|
||||
|
||||
|
@ -87,8 +129,10 @@ class UsersController extends AppController {
|
|||
$message = 'Error';
|
||||
}
|
||||
} else {
|
||||
# What is this doing? Resetting the request data? I understand clearing the password field
|
||||
# but generally I feel like the request data should be read only
|
||||
$this->request->data = $this->User->read(null, $id);
|
||||
unset($this->request->data['User']['password']);
|
||||
unset($this->request->data['User']['Password']);
|
||||
}
|
||||
|
||||
$this->set(array(
|
||||
|
@ -106,6 +150,13 @@ class UsersController extends AppController {
|
|||
*/
|
||||
public function delete($id = null) {
|
||||
$this->User->id = $id;
|
||||
|
||||
global $user;
|
||||
# Can't delete ourselves
|
||||
if ( ($user['System'] != 'Edit') or ($user['Id'] == $id) ) {
|
||||
throw new UnauthorizedException(__('Insufficient Privileges'));
|
||||
return;
|
||||
}
|
||||
if ( !$this->User->exists() ) {
|
||||
throw new NotFoundException(__('Invalid user'));
|
||||
}
|
||||
|
@ -120,35 +171,4 @@ class UsersController extends AppController {
|
|||
'_serialize' => array('message')
|
||||
));
|
||||
}
|
||||
|
||||
public function beforeFilter() {
|
||||
parent::beforeFilter();
|
||||
|
||||
if ( ZM_OPT_USE_AUTH ) {
|
||||
$this->Auth->allow('add', 'logout');
|
||||
} else {
|
||||
$this->Auth->allow();
|
||||
}
|
||||
}
|
||||
|
||||
public function login() {
|
||||
if ( !ZM_OPT_USE_AUTH ) {
|
||||
$this->set(array(
|
||||
'message' => 'Login is not required.',
|
||||
'_serialize' => array('message')
|
||||
));
|
||||
return;
|
||||
}
|
||||
|
||||
if ( $this->request->is('post') ) {
|
||||
if ( $this->Auth->login() ) {
|
||||
return $this->redirect($this->Auth->redirectUrl());
|
||||
}
|
||||
$this->Session->setFlash(__('Invalid username or password, try again'));
|
||||
}
|
||||
}
|
||||
|
||||
public function logout() {
|
||||
return $this->redirect($this->Auth->logout());
|
||||
}
|
||||
}
|
||||
} # end class UsersController
|
||||
|
|
|
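Review bot: In view() the new `global $user;` turns the pre-existing `$user = $this->User->find('first', $options);` a few lines below into an overwrite of the logged-in user's global record with the record being viewed, so anything that reads `global $user` after this action sees the wrong identity (the rest of view() is outside the hunk, so how the fetched row is used is not visible here); give the row its own local name, e.g. `$viewedUser = $this->User->find('first', $options);`, and update its later use. Separately, `$canView = ($user['System'] != 'None') or ($user['Id'] == $id);` in view() and `$canEdit = ($user['System'] == 'Edit') or (($user['Id'] == $id) and ZM_USER_SELF_EDIT);` in edit() assign only the left operand, because `=` binds tighter than `or`, so the self-view/self-edit clause is evaluated and discarded; use `||`/`&&`, e.g. `$canEdit = ($user['System'] == 'Edit') || (($user['Id'] == $id) && ZM_USER_SELF_EDIT);`. Note also that beforeFilter() already throws for any user whose System is 'None', so the "We can view ourselves" branch in view() is unreachable as written. In beforeFilter(), `$canView = (!$user) || ($user['System'] != 'None');` grants access whenever the global is unset, which is only safe if AppController guarantees it is populated whenever authentication is enabled; a comment stating that assumption, `# $user is null only when ZM_OPT_USE_AUTH is off; AppController sets it otherwise`, would make the fail-open explicit. If the save() in the part of edit() outside the hunk passes request data without a fieldList, a self-edit could also change its own System/permission columns, so it is worth confirming a whitelist is applied there.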
@ -21,6 +21,20 @@ class User extends AppModel {
|
|||
)
|
||||
);
|
||||
|
||||
function beforeFind($query) {
|
||||
if ( empty($query['fields']) ) {
|
||||
$schema = $this->schema();
|
||||
unset($schema['Password']);
|
||||
|
||||
foreach (array_keys($schema) as $field) {
|
||||
$query['fields'][] = $this->alias . '.' . $field;
|
||||
}
|
||||
return $query;
|
||||
}
|
||||
return parent::beforeFind($query);
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Use table
|
||||
*
|
||||
|
|
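Review bot: beforeFind() returns `$query` directly in the branch that rewrites `fields`, skipping `parent::beforeFind()`, while the untouched branch does call it; the two paths should agree, `return parent::beforeFind($query);` in both. The Password stripping only runs when the caller passed no `fields`, so a find with an explicit field list still returns the hash, and since CakePHP 2 invokes beforeFind only on the primary model, a find on another model that pulls User in as an association (the controller in this commit sets `recursive = 1`) may bypass it as well — worth confirming rather than relying on this callback as the sole guard. The method also lacks a visibility keyword, `public function beforeFind($query)`, and a docblock stating its purpose: `/** Strip the Password column from default finds so hashes are never serialised by the API. */`.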