hotline #59056 : user administration limited to current role level and under

b2d714d7 · Patrick Barroca · a024db6c · b2d714d7 · b2d714d7 · b2d714d7
Commit b2d714d7 authored 7 years ago by Patrick Barroca
--- a/VERSIONS_HOTLINE/59056
+++ b/VERSIONS_HOTLINE/59056
+ - ticket #59056 : Administration utilisateurs : seuls les administrateurs système peuvent voir et modifier les comptes administrateurs système
\ No newline at end of file
--- a/application/modules/admin/controllers/UsersController.php
+++ b/application/modules/admin/controllers/UsersController.php
@@ -29,7 +29,10 @@ class Admin_UsersController extends ZendAfi_Controller_Action {

  public function indexAction()  {
    $this->view->titre = $this->_('Gestion des utilisateurs');
-    $this->_helper->userSearch([], new Class_User_SearchCriteria($this->_request->getParams()));
+    $this->_helper
+      ->userSearch([],
+                   (new Class_User_SearchCriteria($this->_request->getParams()))
+                   ->addCriteria(new Class_User_SearchCriteria_RoleLevelLimit($this->_request->getParams())));
  }



--- a/library/Class/User/SearchCriteria.php
+++ b/library/Class/User/SearchCriteria.php
@@ -66,6 +66,9 @@ class Class_User_SearchCriteria {

    $names = [];
    foreach($this->_criteria as $criteria) {
+      if (!$element = $criteria->getElement())
+        continue;
+
      $form->addElement($criteria->getElement());
      $names[] = $criteria->getName();
    }
@@ -85,7 +88,7 @@ class Class_User_SearchCriteria {
    if ($this->_search_params)
      return $this;

-    $this->_search_params =  ['wheres' => []];
+    $this->_search_params = ['wheres' => []];

    foreach($this->_criteria as $criteria)
      $criteria->acceptSearchVisitor($this);

--- a/library/Class/User/SearchCriteria/RoleLevelLimit.php
+++ b/library/Class/User/SearchCriteria/RoleLevelLimit.php
+<?php
+/**
+ * Copyright (c) 2012-2017, Agence Française Informatique (AFI). All rights reserved.
+ *
+ * BOKEH is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE as published by
+ * the Free Software Foundation.
+ *
+ * There are special exceptions to the terms and conditions of the AGPL as it
+ * is applied to this software (see README file).
+ *
+ * BOKEH is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU AFFERO GENERAL PUBLIC LICENSE for more details.
+ *
+ * You should have received a copy of the GNU AFFERO GENERAL PUBLIC LICENSE
+ * along with BOKEH; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301  USA
+ */
+
+
+class Class_User_SearchCriteria_RoleLevelLimit extends Class_User_SearchCriteria_Abstract {
+  protected function buildElement() {
+    // not based on form element
+  }
+
+
+  public function acceptSearchVisitor($visitor) {
+    $visitor->addWhereParam('role_level <= ' . Class_Users::getIdentity()->getRoleLevel());
+  }
+}
--- a/library/ZendAfi/Controller/Plugin/Manager/User.php
+++ b/library/ZendAfi/Controller/Plugin/Manager/User.php
@@ -33,6 +33,7 @@ class ZendAfi_Controller_Plugin_Manager_User extends ZendAfi_Controller_Plugin_M
    return $post;
  }

+
  protected function _getFormValues($model) {
    $array_model=parent::_getFormValues($model);
    $array_model['user_group_ids']=implode('-',array_map(function($group) { return $group->getId();},$model->getUserGroups()));
@@ -53,5 +54,7 @@ class ZendAfi_Controller_Plugin_Manager_User extends ZendAfi_Controller_Plugin_M
  }


-}
-?>
\ No newline at end of file
+  protected function _canEdit($model) {
+    return $model->getRoleLevel() <= Class_Users::getIdentity()->getRoleLevel();
+  }
+}
\ No newline at end of file
--- a/tests/application/modules/admin/controllers/UsersControllerTest.php
+++ b/tests/application/modules/admin/controllers/UsersControllerTest.php
@@ -118,13 +118,13 @@ class UsersControllerIndexTest extends UsersControllerWithMarcusTestCase {

         ->whenCalled('findAllBy')
         ->with(['role_level' => 2,
-                 'where' => '(STR_TO_DATE(date_fin, \'%Y-%m-%d\') >= CURDATE()) AND (login LIKE "%francis%" OR nom LIKE "%francis%" OR prenom LIKE "%francis%" OR pseudo LIKE "%francis%" OR mail LIKE "%francis%" OR idabon LIKE "%francis%")',
+                 'where' => '(STR_TO_DATE(date_fin, \'%Y-%m-%d\') >= CURDATE()) AND (login LIKE "%francis%" OR nom LIKE "%francis%" OR prenom LIKE "%francis%" OR pseudo LIKE "%francis%" OR mail LIKE "%francis%" OR idabon LIKE "%francis%") AND (role_level <= 7)',
                 'limitPage' => [1, 20]])
         ->answers([$francis])

         ->whenCalled('countBy')
         ->with(['role_level' => 2,
-                 'where' => '(STR_TO_DATE(date_fin, \'%Y-%m-%d\') >= CURDATE()) AND (login LIKE "%francis%" OR nom LIKE "%francis%" OR prenom LIKE "%francis%" OR pseudo LIKE "%francis%" OR mail LIKE "%francis%" OR idabon LIKE "%francis%")'])
+                 'where' => '(STR_TO_DATE(date_fin, \'%Y-%m-%d\') >= CURDATE()) AND (login LIKE "%francis%" OR nom LIKE "%francis%" OR prenom LIKE "%francis%" OR pseudo LIKE "%francis%" OR mail LIKE "%francis%" OR idabon LIKE "%francis%") AND (role_level <= 7)'])
         ->answers(55)

         ->beStrict();
@@ -1046,4 +1046,73 @@ class Admin_UsersControllerChangeAdminSkinActionTest extends Admin_AbstractContr
  public function userAdminSkinColorShouldRedCss() {
    $this->assertEquals('red.css', Class_Users::getIdentity()->getAdminSkin()->getColor());
  }
+}
+
+
+
+abstract class UsersControllerWithAdminPortal extends Admin_AbstractControllerTestCase {
+  protected $_storm_default_to_volatile = true;
+
+  public function setUp() {
+    parent::setUp();
+
+    $this->fixture('Class_Users',
+                   ['id' => 1,
+                    'login' => 'tom',
+                    'password' => 'rom',
+                    'role_level' => ZendAfi_Acl_AdminControllerRoles::SUPER_ADMIN]);
+
+    ZendAfi_Auth::getInstance()
+      ->logUser($this->fixture('Class_Users',
+                               ['id' => 2,
+                                'login' => 'tim',
+                                'password' => 'rim',
+                                'role_level' => ZendAfi_Acl_AdminControllerRoles::ADMIN_PORTAIL]));
+  }
+}
+
+
+
+
+class UsersControllerIndexWithAdminPortal extends UsersControllerWithAdminPortal {
+  public function setUp() {
+    parent::setUp();
+
+    $this->onLoaderOfModel('Class_Users')
+         ->whenCalled('findAllBy')
+         ->with(['where' => '(role_level <= ' . ZendAfi_Acl_AdminControllerRoles::ADMIN_PORTAIL . ')',
+                 'limitPage' => [1, 20]])
+         ->answers([Class_Users::find(2)])
+
+         ->whenCalled('countBy')
+         ->with(['where' => '(role_level <= ' . ZendAfi_Acl_AdminControllerRoles::ADMIN_PORTAIL . ')'])
+         ->answers(1)
+      ;
+
+    $this->dispatch('/admin/users', true);
+  }
+
+
+  /** @test */
+  public function superAdminEditLinkShouldNotBePresent() {
+    $this->assertNotXPath('//a[contains(@href, "/users/edit/id/1")]',
+                          $this->_response->getBody());
+  }
+}
+
+
+
+
+class UsersControllerEditSuperAdminWithAdminPortal extends UsersControllerWithAdminPortal {
+  public function setUp() {
+    parent::setUp();
+
+    $this->dispatch('/admin/users/edit/id/1', true);
+  }
+
+
+  /** @test */
+  public function shouldRedirectToIndex() {
+    $this->assertRedirectTo('/admin/users/index');
+  }
 }
\ No newline at end of file