Merge pull request #3001 from connortechnology/update_users_controller
Update permissions checking when viewing/editing users. Fixes #2982.…
4c69d7b748
|
@ -14,6 +14,18 @@ class UsersController extends AppController {
|
||||||
*/
|
*/
|
||||||
public $components = array('RequestHandler', 'Paginator');
|
public $components = array('RequestHandler', 'Paginator');
|
||||||
|
|
||||||
|
public function beforeFilter() {
|
||||||
|
parent::beforeFilter();
|
||||||
|
|
||||||
|
global $user;
|
||||||
|
# We already tested for auth in appController, so we just need to test for specific permission
|
||||||
|
$canView = (!$user) || ($user['System'] != 'None');
|
||||||
|
if ( !$canView ) {
|
||||||
|
throw new UnauthorizedException(__('Insufficient Privileges'));
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* index method
|
* index method
|
||||||
*
|
*
|
||||||
|
@ -23,6 +35,12 @@ class UsersController extends AppController {
|
||||||
public function index() {
|
public function index() {
|
||||||
$this->User->recursive = 0;
|
$this->User->recursive = 0;
|
||||||
|
|
||||||
|
global $user;
|
||||||
|
# We should actually be able to list our own user, but I'm not bothering at this time.
|
||||||
|
if ( $user['System'] == 'None' ) {
|
||||||
|
throw new UnauthorizedException(__('Insufficient Privileges'));
|
||||||
|
return;
|
||||||
|
}
|
||||||
$users = $this->Paginator->paginate('User');
|
$users = $this->Paginator->paginate('User');
|
||||||
|
|
||||||
$this->set(compact('users'));
|
$this->set(compact('users'));
|
||||||
|
@ -37,9 +55,19 @@ class UsersController extends AppController {
|
||||||
*/
|
*/
|
||||||
public function view($id = null) {
|
public function view($id = null) {
|
||||||
$this->User->recursive = 1;
|
$this->User->recursive = 1;
|
||||||
if (!$this->User->exists($id)) {
|
|
||||||
|
global $user;
|
||||||
|
# We can view ourselves
|
||||||
|
$canView = ($user['System'] != 'None') or ($user['Id'] == $id);
|
||||||
|
if ( !$canView ) {
|
||||||
|
throw new UnauthorizedException(__('Insufficient Privileges'));
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( !$this->User->exists($id) ) {
|
||||||
throw new NotFoundException(__('Invalid user'));
|
throw new NotFoundException(__('Invalid user'));
|
||||||
}
|
}
|
||||||
|
|
||||||
$options = array('conditions' => array('User.' . $this->User->primaryKey => $id));
|
$options = array('conditions' => array('User.' . $this->User->primaryKey => $id));
|
||||||
$user = $this->User->find('first', $options);
|
$user = $this->User->find('first', $options);
|
||||||
|
|
||||||
|
@ -55,9 +83,16 @@ class UsersController extends AppController {
|
||||||
* @return void
|
* @return void
|
||||||
*/
|
*/
|
||||||
public function add() {
|
public function add() {
|
||||||
if ($this->request->is('post')) {
|
if ( $this->request->is('post') ) {
|
||||||
|
|
||||||
|
global $user;
|
||||||
|
if ( $user['System'] != 'Edit' ) {
|
||||||
|
throw new UnauthorizedException(__('Insufficient Privileges'));
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
$this->User->create();
|
$this->User->create();
|
||||||
if ($this->User->save($this->request->data)) {
|
if ( $this->User->save($this->request->data) ) {
|
||||||
return $this->flash(__('The user has been saved.'), array('action' => 'index'));
|
return $this->flash(__('The user has been saved.'), array('action' => 'index'));
|
||||||
}
|
}
|
||||||
$this->Session->setFlash(
|
$this->Session->setFlash(
|
||||||
|
@ -76,7 +111,14 @@ class UsersController extends AppController {
|
||||||
public function edit($id = null) {
|
public function edit($id = null) {
|
||||||
$this->User->id = $id;
|
$this->User->id = $id;
|
||||||
|
|
||||||
if (!$this->User->exists($id)) {
|
global $user;
|
||||||
|
$canEdit = ($user['System'] == 'Edit') or (($user['Id'] == $id) and ZM_USER_SELF_EDIT);
|
||||||
|
if ( !$canEdit ) {
|
||||||
|
throw new UnauthorizedException(__('Insufficient Privileges'));
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( !$this->User->exists($id) ) {
|
||||||
throw new NotFoundException(__('Invalid user'));
|
throw new NotFoundException(__('Invalid user'));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -87,8 +129,10 @@ class UsersController extends AppController {
|
||||||
$message = 'Error';
|
$message = 'Error';
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
|
# What is this doing? Resetting the request data? I understand clearing the password field
|
||||||
|
# but generally I feel like the request data should be read only
|
||||||
$this->request->data = $this->User->read(null, $id);
|
$this->request->data = $this->User->read(null, $id);
|
||||||
unset($this->request->data['User']['password']);
|
unset($this->request->data['User']['Password']);
|
||||||
}
|
}
|
||||||
|
|
||||||
$this->set(array(
|
$this->set(array(
|
||||||
|
@ -106,6 +150,13 @@ class UsersController extends AppController {
|
||||||
*/
|
*/
|
||||||
public function delete($id = null) {
|
public function delete($id = null) {
|
||||||
$this->User->id = $id;
|
$this->User->id = $id;
|
||||||
|
|
||||||
|
global $user;
|
||||||
|
# Can't delete ourselves
|
||||||
|
if ( ($user['System'] != 'Edit') or ($user['Id'] == $id) ) {
|
||||||
|
throw new UnauthorizedException(__('Insufficient Privileges'));
|
||||||
|
return;
|
||||||
|
}
|
||||||
if ( !$this->User->exists() ) {
|
if ( !$this->User->exists() ) {
|
||||||
throw new NotFoundException(__('Invalid user'));
|
throw new NotFoundException(__('Invalid user'));
|
||||||
}
|
}
|
||||||
|
@ -120,35 +171,4 @@ class UsersController extends AppController {
|
||||||
'_serialize' => array('message')
|
'_serialize' => array('message')
|
||||||
));
|
));
|
||||||
}
|
}
|
||||||
|
} # end class UsersController
|
||||||
public function beforeFilter() {
|
|
||||||
parent::beforeFilter();
|
|
||||||
|
|
||||||
if ( ZM_OPT_USE_AUTH ) {
|
|
||||||
$this->Auth->allow('add', 'logout');
|
|
||||||
} else {
|
|
||||||
$this->Auth->allow();
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
public function login() {
|
|
||||||
if ( !ZM_OPT_USE_AUTH ) {
|
|
||||||
$this->set(array(
|
|
||||||
'message' => 'Login is not required.',
|
|
||||||
'_serialize' => array('message')
|
|
||||||
));
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( $this->request->is('post') ) {
|
|
||||||
if ( $this->Auth->login() ) {
|
|
||||||
return $this->redirect($this->Auth->redirectUrl());
|
|
||||||
}
|
|
||||||
$this->Session->setFlash(__('Invalid username or password, try again'));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
public function logout() {
|
|
||||||
return $this->redirect($this->Auth->logout());
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
|
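Review bot: In view(), the added `global $user;` binds the local name to the authenticated-user global, and the pre-existing context line `$user = $this->User->find('first', $options);` later in the same hunk now overwrites that global with the record being viewed, so anything later in the request that reads global `$user` (layout, afterFilter, a further permission check) would see the viewed user's `System` value instead of the caller's — the rest of view() is outside the hunk, so I cannot see whether anything does. A minimal fix is to copy and unbind before the reuse, `global $user; $authUser = $user; unset($user);`, and test `$authUser` in the permission check. Separately, in view() and edit() the checks are written as `$canView = (...) or (...)` and `$canEdit = (...) or (...)`; because `or` binds lower than `=`, only the left operand is ever assigned, so the self-view/self-edit branch the comments promise is never granted (fail-closed, but silently broken) — delete() is unaffected since its `or` sits inside an `if`. Use `||` there: `$canView = ($authUser['System'] != 'None') || ($authUser['Id'] == $id);` and `$canEdit = ($user['System'] == 'Edit') || (($user['Id'] == $id) && ZM_USER_SELF_EDIT);`. The `$user['Id'] == $id` comparisons are loose against a URL-supplied `$id`; `(string) $user['Id'] === (string) $id` avoids PHP's numeric-string coercion rules.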
@ -21,6 +21,20 @@ class User extends AppModel {
|
||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
|
function beforeFind($query) {
|
||||||
|
if ( empty($query['fields']) ) {
|
||||||
|
$schema = $this->schema();
|
||||||
|
unset($schema['Password']);
|
||||||
|
|
||||||
|
foreach (array_keys($schema) as $field) {
|
||||||
|
$query['fields'][] = $this->alias . '.' . $field;
|
||||||
|
}
|
||||||
|
return $query;
|
||||||
|
}
|
||||||
|
return parent::beforeFind($query);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Use table
|
* Use table
|
||||||
*
|
*
|
||||||
|
|
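Review bot: In the new `beforeFind()`, the `return $query;` inside the `if ( empty($query['fields']) )` branch returns before `parent::beforeFind($query)` runs, so the parent hook is skipped on exactly the path the model takes by default; drop that inner `return $query;` so both paths fall through to `return parent::beforeFind($query);`. Note also that the Password column is only excluded when the caller passes no `fields`; any find that supplies its own field list still selects it, which deserves a comment on the method, e.g. `# Default field list omits Password; a find() that passes explicit fields must exclude it itself`. The method is declared without a visibility keyword (`function beforeFind($query)`) while the controller methods in this PR are `public`; `public function beforeFind($query)` matches the CakePHP callback signature. The enclosing class continues outside the hunk.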