Diffstat (limited to 'controllers')
-rw-r--r-- | controllers/base.php | 51 | ||||
-rw-r--r-- | controllers/board.php | 55 | ||||
-rw-r--r-- | controllers/config.php | 4 | ||||
-rw-r--r-- | controllers/project.php | 95 | ||||
-rw-r--r-- | controllers/task.php | 27 | ||||
-rw-r--r-- | controllers/user.php | 12 |
6 files changed, 161 insertions, 83 deletions
diff --git a/controllers/base.php b/controllers/base.php
index da4ee8ae..cf423402 100644
--- a/controllers/base.php
+++ b/controllers/base.php
@@ -9,6 +9,7 @@ require __DIR__.'/../lib/template.php';
 require __DIR__.'/../lib/helper.php';
 require __DIR__.'/../lib/translator.php';
 require __DIR__.'/../models/base.php';
+require __DIR__.'/../models/acl.php';
 require __DIR__.'/../models/config.php';
 require __DIR__.'/../models/user.php';
 require __DIR__.'/../models/project.php';
@@ -26,6 +27,7 @@ abstract class Base
 protected $task;
 protected $board;
 protected $config;
+ protected $acl;
 public function __construct()
 {
@@ -38,30 +40,20 @@ abstract class Base
 $this->project = new \Model\Project;
 $this->task = new \Model\Task;
 $this->board = new \Model\Board;
- }
-
- private function noAuthAllowed($controller, $action)
- {
- $public = array(
- 'user' => array('login', 'check'),
- 'task' => array('add'),
- 'board' => array('readonly'),
- );
-
- if (isset($public[$controller])) {
- return in_array($action, $public[$controller]);
- }
-
- return false;
+ $this->acl = new \Model\Acl;
 }
 public function beforeAction($controller, $action)
 {
+ // Start the session
 $this->session->open(dirname($_SERVER['PHP_SELF']), SESSION_SAVE_PATH);
- if (! isset($_SESSION['user']) && ! $this->noAuthAllowed($controller, $action)) {
- $this->response->redirect('?controller=user&action=login');
- }
+ // HTTP secure headers
+ $this->response->csp();
+ $this->response->nosniff();
+ $this->response->xss();
+ $this->response->hsts();
+ $this->response->xframe();
 // Load translations
 $language = $this->config->get('language', 'en_US');
@@ -70,17 +62,24 @@ abstract class Base
 // Set timezone
 date_default_timezone_set($this->config->get('timezone', 'UTC'));
- $this->response->csp();
- $this->response->nosniff();
- $this->response->xss();
- $this->response->hsts();
- $this->response->xframe();
+ // If the user is not authenticated redirect to the login form, if the action is public continue
+ if (! isset($_SESSION['user']) && ! $this->acl->isPublicAction($controller, $action)) {
+ $this->response->redirect('?controller=user&action=login');
+ }
+
+ // Check if the user is allowed to see this page
+ if (! $this->acl->isPageAccessAllowed($controller, $action)) {
+ $this->response->redirect('?controller=user&action=forbidden');
+ }
 }
- public function checkPermissions()
+ public function checkProjectPermissions($project_id)
 {
- if ($_SESSION['user']['is_admin'] == 0) {
- $this->response->redirect('?controller=user&action=forbidden');
+ if ($this->acl->isRegularUser()) {
+
+ if ($project_id > 0 && ! $this->project->isUserAllowed($project_id, $this->acl->getUserId())) {
+ $this->response->redirect('?controller=project&action=forbidden');
+ }
 }
 }
diff --git a/controllers/board.php b/controllers/board.php
index a0f00367..13714b3c 100644
--- a/controllers/board.php
+++ b/controllers/board.php
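Review bot: In the new `checkProjectPermissions()`, the `$project_id > 0` guard makes a missing, zero or non-numeric project id skip the membership check entirely for a regular user, and several callers in this commit (Task::save, Task::update, Board::assignTask) pass `$values['project_id']` straight from the request into it. Unless a caller legitimately passes 0, a safer default is to fail closed: `if ($project_id <= 0 || ! $this->project->isUserAllowed((int) $project_id, $this->acl->getUserId())) {`; if 0 is a valid "no project" value somewhere, that should be stated in a comment on the method. Both this method and the two new checks in `beforeAction()` issue a redirect and then fall through to the next statement, so the design relies on `Response::redirect()` terminating the request, as the removed code did; a one-line comment `// redirect() ends the request; nothing below runs for a forbidden user` would make that dependency explicit.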
@@ -8,15 +8,20 @@ class Board extends Base public function assign() { $task = $this->task->getById($this->request->getIntegerParam('task_id')); - $project = $this->project->get($task['project_id']); + $project = $this->project->getById($task['project_id']); $projects = $this->project->getListByStatus(\Model\Project::ACTIVE); + if ($this->acl->isRegularUser()) { + $projects = $this->project->filterListByAccess($projects, $this->acl->getUserId()); + } + if (! $project) $this->notfound(); + $this->checkProjectPermissions($project['id']); $this->response->html($this->template->layout('board_assign', array( 'errors' => array(), 'values' => $task, - 'users_list' => $this->user->getList(), + 'users_list' => $this->project->getUsersList($project['id']), 'projects' => $projects, 'current_project_id' => $project['id'], 'current_project_name' => $project['name'], @@ -29,6 +34,8 @@ class Board extends Base public function assignTask() { $values = $this->request->getValues(); + $this->checkProjectPermissions($values['project_id']); + list($valid,) = $this->task->validateAssigneeModification($values); if ($valid && $this->task->update($values)) { @@ -68,8 +75,18 @@ class Board extends Base { $projects = $this->project->getListByStatus(\Model\Project::ACTIVE); - if (! count($projects)) { - $this->redirectNoProject(); + if ($this->acl->isRegularUser()) { + $projects = $this->project->filterListByAccess($projects, $this->acl->getUserId()); + } + + if (empty($projects)) { + + if ($this->acl->isAdminUser()) { + $this->redirectNoProject(); + } + else { + $this->response->redirect('?controller=project&action=forbidden'); + } } else if (! empty($_SESSION['user']['default_project_id']) && isset($projects[$_SESSION['user']['default_project_id']])) { $project_id = $_SESSION['user']['default_project_id']; 
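Review bot: In `assignTask()` the new `$this->checkProjectPermissions($values['project_id']);` authorises against a project id supplied in the POST body rather than the project that actually owns the task being modified, so the check can be satisfied with any project the user belongs to while `$this->task->update($values)` then writes to a task from another project, unless `validateAssigneeModification()` cross-checks the pair (not visible here). The same pattern appears in Task::update() in the task.php hunk at `@@ -137,6 +142,8 @@`. The robust form is to load the task by its id and check its stored project: `$task = $this->task->getById($values['id']); if (! $task) $this->notfound(); $this->checkProjectPermissions($task['project_id']);` (presumably `$values['id']` is the task id, since `assign()` renders the task as the form values).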
@@ -79,6 +96,8 @@ class Board extends Base list($project_id, $project_name) = each($projects); } + $this->checkProjectPermissions($project_id); + $this->response->html($this->template->layout('board_index', array( 'projects' => $projects, 'current_project_id' => $project_id, @@ -93,8 +112,14 @@ class Board extends Base public function show() { $projects = $this->project->getListByStatus(\Model\Project::ACTIVE); + + if ($this->acl->isRegularUser()) { + $projects = $this->project->filterListByAccess($projects, $this->acl->getUserId()); + } + $project_id = $this->request->getIntegerParam('project_id'); + $this->checkProjectPermissions($project_id); if (! isset($projects[$project_id])) $this->notfound(); $project_name = $projects[$project_id]; @@ -112,10 +137,8 @@ class Board extends Base // Display a form to edit a board public function edit() { - $this->checkPermissions(); - $project_id = $this->request->getIntegerParam('project_id'); - $project = $this->project->get($project_id); + $project = $this->project->getById($project_id); if (! $project) $this->notfound(); @@ -140,10 +163,8 @@ class Board extends Base // Validate and update a board public function update() { - $this->checkPermissions(); - $project_id = $this->request->getIntegerParam('project_id'); - $project = $this->project->get($project_id); + $project = $this->project->getById($project_id); if (! $project) $this->notfound(); @@ -183,10 +204,8 @@ class Board extends Base // Validate and add a new column public function add() { - $this->checkPermissions(); - $project_id = $this->request->getIntegerParam('project_id'); - $project = $this->project->get($project_id); + $project = $this->project->getById($project_id); if (! $project) $this->notfound(); 
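Review bot: `edit()`, `update()` and `add()` lose the admin-only `checkPermissions()` call but gain no replacement in these hunks, so column management is now protected solely by `Acl::isPageAccessAllowed()` in models/acl.php, which is outside this diff. If that ACL keeps these actions admin-only the removal is safe; if it admits regular users, a regular user could edit the columns of a project they are not a member of, since the project is fetched by the request's project_id with no membership check. Either add `$this->checkProjectPermissions($project['id']);` after the `notfound()` check in each, or make the dependency explicit with a comment such as `// Admin only: enforced centrally by Acl::isPageAccessAllowed()`.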
@@ -224,8 +243,6 @@ class Board extends Base // Confirmation dialog before removing a column public function confirm() { - $this->checkPermissions(); - $this->response->html($this->template->layout('board_remove', array( 'column' => $this->board->getColumn($this->request->getIntegerParam('column_id')), 'menu' => 'projects', @@ -236,8 +253,6 @@ class Board extends Base // Remove a column public function remove() { - $this->checkPermissions(); - $column = $this->board->getColumn($this->request->getIntegerParam('column_id')); if ($column && $this->board->removeColumn($column['id'])) { @@ -252,6 +267,12 @@ class Board extends Base // Save the board (Ajax request made by the drag and drop) public function save() { + $project_id = $this->request->getIntegerParam('project_id'); + + if ($project_id > 0 && ! $this->project->isUserAllowed($project_id, $this->acl->getUserId())) { + $this->response->json(array('result' => false), 401); + } + $this->response->json(array( 'result' => $this->board->saveTasksPosition($this->request->getValues()) )); diff --git a/controllers/config.php b/controllers/config.php index 5dfa828b..064fa06d 100644 --- a/controllers/config.php +++ b/controllers/config.php @@ -23,8 +23,6 @@ class Config extends Base // Validate and save settings public function save() { - $this->checkPermissions(); - $values = $this->request->getValues(); list($valid, $errors) = $this->config->validateModification($values); @@ -56,7 +54,6 @@ class Config extends Base // Download the database public function downloadDb() { - $this->checkPermissions(); $this->response->forceDownload('db.sqlite.gz'); $this->response->binary($this->config->downloadDatabase()); } @@ -64,7 +61,6 @@ class Config extends Base // Optimize the database public function optimizeDb() { - $this->checkPermissions(); $this->config->optimizeDatabase(); $this->session->flash(t('Database optimization done.')); $this->response->redirect('?controller=config'); 
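Review bot: The new guard in `save()` differs from `checkProjectPermissions()` in three ways that look unintended: it calls `isUserAllowed()` for every user, so an admin who is not on the project's access list is refused drag-and-drop unless `isUserAllowed()` special-cases admins; it answers 401 (not authenticated) where 403 (authenticated but not allowed) is the accurate status; and when `project_id` is absent the `> 0` test skips the check while `saveTasksPosition()` still runs on the request values. It also relies on `Response::json()` ending the request, otherwise the save executes after the error response. The config.php hunk removes `checkPermissions()` from `downloadDb()`, which serves the whole database; that action should be confirmed admin-only in acl.php.

```php
public function save()
{
    $project_id = $this->request->getIntegerParam('project_id');

    // Regular users may only reorder tasks inside a project they belong to
    if ($this->acl->isRegularUser()
        && ($project_id <= 0 || ! $this->project->isUserAllowed($project_id, $this->acl->getUserId()))) {
        $this->response->json(array('result' => false), 403);
        return;
    }

    // … unchanged: saveTasksPosition response …
```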
diff --git a/controllers/project.php b/controllers/project.php index 1ad2e829..8d8584bc 100644 --- a/controllers/project.php +++ b/controllers/project.php @@ -4,17 +4,28 @@ namespace Controller; class Project extends Base { + // Display access forbidden page + public function forbidden() + { + $this->response->html($this->template->layout('project_forbidden', array( + 'menu' => 'projects', + 'title' => t('Access Forbidden') + ))); + } + // List of completed tasks for a given project public function tasks() { $project_id = $this->request->getIntegerParam('project_id'); - $project = $this->project->get($project_id); + $project = $this->project->getById($project_id); if (! $project) { $this->session->flashError(t('Project not found.')); $this->response->redirect('?controller=project'); } + $this->checkProjectPermissions($project['id']); + $tasks = $this->task->getAllByProjectId($project_id, array(0)); $nb_tasks = count($tasks); @@ -30,7 +41,7 @@ class Project extends Base // List of projects public function index() { - $projects = $this->project->getAll(true); + $projects = $this->project->getAll(true, $this->acl->isRegularUser()); $nb_projects = count($projects); $this->response->html($this->template->layout('project_index', array( @@ -44,8 +55,6 @@ class Project extends Base // Display a form to create a new project public function create() { - $this->checkPermissions(); - $this->response->html($this->template->layout('project_new', array( 'errors' => array(), 'values' => array(), @@ -57,8 +66,6 @@ class Project extends Base // Validate and save a new project public function save() { - $this->checkPermissions(); - $values = $this->request->getValues(); list($valid, $errors) = $this->project->validateCreation($values); 
@@ -84,9 +91,7 @@ class Project extends Base // Display a form to edit a project public function edit() { - $this->checkPermissions(); - - $project = $this->project->get($this->request->getIntegerParam('project_id')); + $project = $this->project->getById($this->request->getIntegerParam('project_id')); if (! $project) { $this->session->flashError(t('Project not found.')); @@ -104,8 +109,6 @@ class Project extends Base // Validate and update a project public function update() { - $this->checkPermissions(); - $values = $this->request->getValues() + array('is_active' => 0); list($valid, $errors) = $this->project->validateModification($values); @@ -131,9 +134,7 @@ class Project extends Base // Confirmation dialog before to remove a project public function confirm() { - $this->checkPermissions(); - - $project = $this->project->get($this->request->getIntegerParam('project_id')); + $project = $this->project->getById($this->request->getIntegerParam('project_id')); if (! $project) { $this->session->flashError(t('Project not found.')); @@ -150,8 +151,6 @@ class Project extends Base // Remove a project public function remove() { - $this->checkPermissions(); - $project_id = $this->request->getIntegerParam('project_id'); if ($project_id && $this->project->remove($project_id)) { @@ -166,8 +165,6 @@ class Project extends Base // Enable a project public function enable() { - $this->checkPermissions(); - $project_id = $this->request->getIntegerParam('project_id'); if ($project_id && $this->project->enable($project_id)) { @@ -182,8 +179,6 @@ class Project extends Base // Disable a project public function disable() { - $this->checkPermissions(); - $project_id = $this->request->getIntegerParam('project_id'); if ($project_id && $this->project->disable($project_id)) { 
@@ -194,4 +189,64 @@ class Project extends Base $this->response->redirect('?controller=project'); } + + // Users list for the selected project + public function users() + { + $project = $this->project->getById($this->request->getIntegerParam('project_id')); + + if (! $project) { + $this->session->flashError(t('Project not found.')); + $this->response->redirect('?controller=project'); + } + + $this->response->html($this->template->layout('project_users', array( + 'project' => $project, + 'users' => $this->project->getAllUsers($project['id']), + 'menu' => 'projects', + 'title' => t('Edit project access list') + ))); + } + + // Allow a specific user for the selected project + public function allow() + { + $values = $this->request->getValues(); + list($valid,) = $this->project->validateUserAccess($values); + + if ($valid) { + + if ($this->project->allowUser($values['project_id'], $values['user_id'])) { + $this->session->flash(t('Project updated successfully.')); + } + else { + $this->session->flashError(t('Unable to update this project.')); + } + } + + $this->response->redirect('?controller=project&action=users&project_id='.$values['project_id']); + } + + // Revoke user access + public function revoke() + { + $values = array( + 'project_id' => $this->request->getIntegerParam('project_id'), + 'user_id' => $this->request->getIntegerParam('user_id'), + ); + + list($valid,) = $this->project->validateUserAccess($values); + + if ($valid) { + + if ($this->project->revokeUser($values['project_id'], $values['user_id'])) { + $this->session->flash(t('Project updated successfully.')); + } + else { + $this->session->flashError(t('Unable to update this project.')); + } + } + + $this->response->redirect('?controller=project&action=users&project_id='.$values['project_id']); + } } diff --git a/controllers/task.php b/controllers/task.php index 3aa486d5..0057a531 100644 --- a/controllers/task.php +++ b/controllers/task.php 
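Review bot: `revoke()` changes a project's access list from GET query parameters (`getIntegerParam('project_id')`, `getIntegerParam('user_id')`) with no anti-CSRF token, and `allow()` has no token either; both should be POST-only actions that verify a per-session token before calling `allowUser()`/`revokeUser()`. In both methods the final redirect interpolates `$values['project_id']` even when `validateUserAccess()` rejected the values, which raises an undefined-index notice in `allow()` if the field is missing and otherwise echoes an unvalidated id into the Location header; redirecting to the list instead on failure avoids both: `$this->response->redirect($valid ? '?controller=project&action=users&project_id='.$values['project_id'] : '?controller=project');`. `users()`, `allow()` and `revoke()` also carry no `checkProjectPermissions()` call, so they depend on acl.php (not in this diff) keeping them admin-only; a comment stating that would help the next reader.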
@@ -45,6 +45,7 @@ class Task extends Base $task = $this->task->getById($this->request->getIntegerParam('task_id'), true); if (! $task) $this->notfound(); + $this->checkProjectPermissions($task['project_id']); $this->response->html($this->template->layout('task_show', array( 'task' => $task, @@ -59,6 +60,7 @@ class Task extends Base public function create() { $project_id = $this->request->getIntegerParam('project_id'); + $this->checkProjectPermissions($project_id); $this->response->html($this->template->layout('task_new', array( 'errors' => array(), @@ -71,7 +73,7 @@ class Task extends Base ), 'projects_list' => $this->project->getListByStatus(\Model\Project::ACTIVE), 'columns_list' => $this->board->getColumnsList($project_id), - 'users_list' => $this->user->getList(), + 'users_list' => $this->project->getUsersList($project_id), 'colors_list' => $this->task->getColors(), 'menu' => 'tasks', 'title' => t('New task') @@ -82,6 +84,8 @@ class Task extends Base public function save() { $values = $this->request->getValues(); + $this->checkProjectPermissions($values['project_id']); + list($valid, $errors) = $this->task->validateCreation($values); if ($valid) { @@ -108,7 +112,7 @@ class Task extends Base 'values' => $values, 'projects_list' => $this->project->getListByStatus(\Model\Project::ACTIVE), 'columns_list' => $this->board->getColumnsList($values['project_id']), - 'users_list' => $this->user->getList(), + 'users_list' => $this->project->getUsersList($values['project_id']), 'colors_list' => $this->task->getColors(), 'menu' => 'tasks', 'title' => t('New task') 
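Review bot: `create()` and the validation-failure path of `save()` still build `projects_list` from `getListByStatus(\Model\Project::ACTIVE)` without the `filterListByAccess()` step this commit adds in board.php, so a regular user's task form lists projects they cannot access (and `checkProjectPermissions()` then rejects the save, making the form misleading). Filtering the list for regular users, as board.php now does, keeps the two controllers consistent; the enclosing methods continue outside the hunk.

```php
$projects_list = $this->project->getListByStatus(\Model\Project::ACTIVE);

// Regular users only see the projects they belong to (same rule as Board::index)
if ($this->acl->isRegularUser()) {
    $projects_list = $this->project->filterListByAccess($projects_list, $this->acl->getUserId());
}

// … unchanged: layout() call, with 'projects_list' => $projects_list …
```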
@@ -121,12 +125,13 @@ class Task extends Base $task = $this->task->getById($this->request->getIntegerParam('task_id')); if (! $task) $this->notfound(); + $this->checkProjectPermissions($task['project_id']); $this->response->html($this->template->layout('task_edit', array( 'errors' => array(), 'values' => $task, 'columns_list' => $this->board->getColumnsList($task['project_id']), - 'users_list' => $this->user->getList(), + 'users_list' => $this->project->getUsersList($task['project_id']), 'colors_list' => $this->task->getColors(), 'menu' => 'tasks', 'title' => t('Edit a task') @@ -137,6 +142,8 @@ class Task extends Base public function update() { $values = $this->request->getValues(); + $this->checkProjectPermissions($values['project_id']); + list($valid, $errors) = $this->task->validateModification($values); if ($valid) { @@ -154,7 +161,7 @@ class Task extends Base 'errors' => $errors, 'values' => $values, 'columns_list' => $this->board->getColumnsList($values['project_id']), - 'users_list' => $this->user->getList(), + 'users_list' => $this->project->getUsersList($values['project_id']), 'colors_list' => $this->task->getColors(), 'menu' => 'tasks', 'title' => t('Edit a task') @@ -166,7 +173,10 @@ class Task extends Base { $task = $this->task->getById($this->request->getIntegerParam('task_id')); - if ($task && $this->task->close($task['id'])) { + if (! $task) $this->notfound(); + $this->checkProjectPermissions($task['project_id']); + + if ($this->task->close($task['id'])) { $this->session->flash(t('Task closed successfully.')); } else { $this->session->flashError(t('Unable to close this task.')); @@ -181,6 +191,7 @@ class Task extends Base $task = $this->task->getById($this->request->getIntegerParam('task_id')); if (! $task) $this->notfound(); + $this->checkProjectPermissions($task['project_id']); $this->response->html($this->template->layout('task_close', array( 'task' => $task, 
@@ -194,7 +205,10 @@ class Task extends Base { $task = $this->task->getById($this->request->getIntegerParam('task_id')); - if ($task && $this->task->open($task['id'])) { + if (! $task) $this->notfound(); + $this->checkProjectPermissions($task['project_id']); + + if ($this->task->open($task['id'])) { $this->session->flash(t('Task opened successfully.')); } else { $this->session->flashError(t('Unable to open this task.')); @@ -209,6 +223,7 @@ class Task extends Base $task = $this->task->getById($this->request->getIntegerParam('task_id')); if (! $task) $this->notfound(); + $this->checkProjectPermissions($task['project_id']); $this->response->html($this->template->layout('task_open', array( 'task' => $task, diff --git a/controllers/user.php b/controllers/user.php index 9f9781ef..10d3ad21 100644 --- a/controllers/user.php +++ b/controllers/user.php @@ -68,8 +68,6 @@ class User extends Base // Display a form to create a new user public function create() { - $this->checkPermissions(); - $this->response->html($this->template->layout('user_new', array( 'projects' => $this->project->getList(), 'errors' => array(), @@ -82,8 +80,6 @@ class User extends Base // Validate and save a new user public function save() { - $this->checkPermissions(); - $values = $this->request->getValues(); list($valid, $errors) = $this->user->validateCreation($values); @@ -121,7 +117,7 @@ class User extends Base unset($user['password']); $this->response->html($this->template->layout('user_edit', array( - 'projects' => $this->project->getList(), + 'projects' => $this->project->filterListByAccess($this->project->getList(), $user['id']), 'errors' => array(), 'values' => $user, 'menu' => 'users', @@ -162,7 +158,7 @@ class User extends Base } $this->response->html($this->template->layout('user_edit', array( - 'projects' => $this->project->getList(), + 'projects' => $this->project->filterListByAccess($this->project->getList(), $values['id']), 'errors' => $errors, 'values' => $values, 'menu' => 'users', 
@@ -173,8 +169,6 @@ class User extends Base // Confirmation dialog before to remove a user public function confirm() { - $this->checkPermissions(); - $user = $this->user->getById($this->request->getIntegerParam('user_id')); if (! $user) $this->notfound(); @@ -189,8 +183,6 @@ class User extends Base // Remove a user public function remove() { - $this->checkPermissions(); - $user_id = $this->request->getIntegerParam('user_id'); if ($user_id && $this->user->remove($user_id)) { |