0013302: fix node acl for roles with groups
authorPhilipp Schüle <p.schuele@metaways.de>
Tue, 4 Jul 2017 07:37:03 +0000 (09:37 +0200)
committerPhilipp Schüle <p.schuele@metaways.de>
Wed, 5 Jul 2017 07:40:52 +0000 (09:40 +0200)
* fix role grants for personal folders
* fix role grants with groups as role memberships

https://forge.tine20.org/view.php?id=13302

Change-Id: Iddf3805303bfd04ca7830ec52bce2bb9ed0f369a
Reviewed-on: http://gerrit.tine20.com/customers/5002
Reviewed-by: Philipp Schüle <p.schuele@metaways.de>
Tested-by: Philipp Schüle <p.schuele@metaways.de>
tests/tine20/Filemanager/Frontend/JsonTests.php
tine20/Tinebase/FileSystem.php
tine20/Tinebase/Model/Grants.php

index 6681d18..04e889f 100644 (file)
@@ -1808,6 +1808,47 @@ class Filemanager_Frontend_JsonTests extends TestCase
             . print_r($childWithoutPersonalGrants['grants'], true));
     }
 
+    /**
+     * testNodeRoleAcl for personal folders
+     *
+     * @throws Tinebase_Exception_InvalidArgument
+     */
+    public function testNodeRoleAcl()
+    {
+        $node = $this->testCreateContainerNodeInPersonalFolder();
+
+        // give sclever role the grants to add nodes
+        $secretaryRole = Tinebase_Role::getInstance()->getRoleByName('secretary role');
+        $node['grants'][] = array(
+            'account_id' => $secretaryRole->getId(),
+            'account_type' => Tinebase_Acl_Rights::ACCOUNT_TYPE_ROLE,
+            Tinebase_Model_Grants::GRANT_READ => true,
+            Tinebase_Model_Grants::GRANT_ADD => true,
+            Tinebase_Model_Grants::GRANT_EDIT => false,
+            Tinebase_Model_Grants::GRANT_DELETE => true,
+            Tinebase_Model_Grants::GRANT_EXPORT => false,
+            Tinebase_Model_Grants::GRANT_SYNC => false,
+            Tinebase_Model_Grants::GRANT_ADMIN => false,
+            Tinebase_Model_Grants::GRANT_FREEBUSY => false,
+            Tinebase_Model_Grants::GRANT_PRIVATE => false,
+            Tinebase_Model_Grants::GRANT_DOWNLOAD => false,
+            Tinebase_Model_Grants::GRANT_PUBLISH => false,
+        );
+        $result = $this->_getUit()->saveNode($node);
+        self::assertEquals(2, count($result['grants']));
+
+        // switch to sclever
+        Tinebase_Core::set(Tinebase_Core::USER, $this->_personas['sclever']);
+
+        // add a subfolder
+        $subfolderPath = $node['path'] . '/subfolder';
+        $this->_getUit()->createNode($subfolderPath, 'folder');
+
+        // delete subfolder
+        $result = $this->_getUit()->deleteNodes(array($subfolderPath));
+        self::assertEquals($result['status'], 'success');
+    }
+
     public function testRecursiveFilter()
     {
         $folders = $this->testCreateDirectoryNodesInPersonal();
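Review bot: testNodeRoleAcl only exercises the allowed path, so it would still pass if the personal-folder check let every user through; add a denial case, for example a persona outside 'secretary role', or an action the grant leaves false such as GRANT_EDIT, and expect the access-denied failure. The return value of createNode is never asserted, and `self::assertEquals($result['status'], 'success');` has expected and actual swapped; `self::assertEquals('success', $result['status']);` gives a readable failure message. Tinebase_Core::USER is switched to sclever and not restored within the visible lines, so unless the base TestCase resets it, later tests run as sclever. Whether sclever reaches the role directly or through a group is not visible here, so the group-membership fix in Tinebase_Model_Grants may be left untested.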
index 7e158d3..a1b1aa4 100644 (file)
@@ -1906,7 +1906,7 @@ class Tinebase_FileSystem implements
             'ignoreAcl' => $_ignoreAcl,
         ));
         if (null !== $_requiredGrants) {
-            $searchFilter->setRequiredGrants($_requiredGrants);
+            $searchFilter->setRequiredGrants((array) $_requiredGrants);
         }
         $children = $this->search($searchFilter, null, true);
         if (count($children) > 0) {
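Review bot: The `(array)` cast accepts more than a single grant name: `(array) ''` becomes `['']` and an object becomes its property map, and both pass the `null !==` guard and reach setRequiredGrants. If only a string or a list of grant names is intended, state that in the parameter docblock (`@param string|array|null $_requiredGrants`) or normalise explicitly with `is_array($_requiredGrants) ? $_requiredGrants : array($_requiredGrants)`. How the filter treats an empty or unknown grant name is not visible in this hunk, and the enclosing method starts and ends outside it.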
@@ -2261,7 +2261,11 @@ class Tinebase_FileSystem implements
         switch ($_path->containerType) {
             case Tinebase_FileSystem::FOLDER_TYPE_PERSONAL:
                 if ($_path->containerOwner && ($_topLevelAllowed || ! $_path->isToplevelPath())) {
-                    $hasPermission = ($_path->containerOwner === Tinebase_Core::getUser()->accountLoginName || $_action === 'get');
+                    if ($_path->isToplevelPath()) {
+                        $hasPermission = ($_path->containerOwner === Tinebase_Core::getUser()->accountLoginName || $_action === 'get');
+                    } else {
+                        $hasPermission = $this->checkACLNode($_path->getNode(), $_action);
+                    }
                 } else {
                     $hasPermission = ($_action === 'get');
                 }
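Review bot: Below the top level the decision now rests entirely on `$this->checkACLNode($_path->getNode(), $_action)`, and the hunk does not show what happens when `getNode()` cannot resolve the path, for instance when the target does not exist yet. Confirm that this case ends in a denial or a handled not-found, and not in an uncaught error or a default that leaves `$hasPermission` set by an earlier branch. The change also removes the implicit owner and 'get' access for nested personal nodes, so an owner whose node carries no grant record would presumably be locked out; that looks intended but deserves a comment such as `// below the top level only the node's own grants decide; no implicit owner or 'get' access`. The switch continues outside the hunk.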
index 6649f7e..0bad779 100644 (file)
@@ -202,7 +202,7 @@ class Tinebase_Model_Grants extends Tinebase_Record_Abstract
                         return true;
                     }
                     if (Tinebase_Acl_Rights::ACCOUNT_TYPE_GROUP === $roleMember['account_type'] &&
-                        in_array($user->getId(), Tinebase_Group::getInstance()->getGroupMembers($this->account_id))) {
+                        in_array($user->getId(), Tinebase_Group::getInstance()->getGroupMembers($roleMember['account_id']))) {
                         return true;
                     }
                 }
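Review bot: The group-membership test on the changed line still uses loose comparison, which in an ACL decision can treat distinct numeric-looking id strings as equal. Pass the strict flag: `in_array($user->getId(), Tinebase_Group::getInstance()->getGroupMembers($roleMember['account_id']), true)`. Strict matching needs both sides to have the same type, which is not visible here, so confirm that getGroupMembers returns ids in the same form as getId() before switching. The surrounding loop and method start and end outside the hunk.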