
commit 7a6c5813d4f3f953dc95a9efe0c976096f587779
parent 9b3b3e4906db17e84abec581d7cccac50fdb2f2f
Author: Jan Dankert <develop@jandankert.de>
Date:   Sat,  6 Mar 2021 03:42:38 +0100

New: Better permission checks.

Diffstat:
Mmodules/cms/action/ObjectAction.class.php | 12+++++++++++-
Mmodules/cms/action/PageelementAction.class.php | 12++++++++++--
Mmodules/cms/action/ProjectAction.class.php | 19++++++++++++++++++-
Mmodules/cms/action/ProjectlistAction.class.php | 2--
Mmodules/cms/action/file/FilePubAction.class.php | 7++++++-
Mmodules/cms/action/file/FileRemoveAction.class.php | 8+++++++-
Mmodules/cms/action/file/FileUploadAction.class.php | 8+++++++-
Mmodules/cms/action/folder/FolderCreatefileAction.class.php | 7++++++-
Mmodules/cms/action/folder/FolderCreatefolderAction.class.php | 7++++++-
Mmodules/cms/action/folder/FolderCreateimageAction.class.php | 7++++++-
Mmodules/cms/action/folder/FolderCreatelinkAction.class.php | 6++++++
Mmodules/cms/action/folder/FolderCreatepageAction.class.php | 8+++++++-
Mmodules/cms/action/folder/FolderCreatetextAction.class.php | 7++++++-
Mmodules/cms/action/folder/FolderCreateurlAction.class.php | 7++++++-
Mmodules/cms/action/folder/FolderOrderAction.class.php | 6+++++-
Mmodules/cms/action/folder/FolderPubAction.class.php | 7++++++-
Mmodules/cms/action/folder/FolderRemoveAction.class.php | 6++++++
Mmodules/cms/action/image/ImageSizeAction.class.php | 5+++++
Mmodules/cms/action/link/LinkRemoveAction.class.php | 8+++++++-
Mmodules/cms/action/link/LinkValueAction.class.php | 8+++++++-
Mmodules/cms/action/object/ObjectAclformAction.class.php | 5+++++
Mmodules/cms/action/object/ObjectCopyAction.class.php | 5+++++
Mmodules/cms/action/object/ObjectDelaclAction.class.php | 6++++++
Mmodules/cms/action/object/ObjectInheritAction.class.php | 6++++++
Mmodules/cms/action/object/ObjectPropAction.class.php | 7+++++++
Mmodules/cms/action/object/ObjectRightsAction.class.php | 3++-
Mmodules/cms/action/page/PageAllAction.class.php | 7++++++-
Mmodules/cms/action/page/PageChangetemplateAction.class.php | 7++++++-
Mmodules/cms/action/page/PageChangetemplateselectelementsAction.class.php | 8+++++++-
Mmodules/cms/action/page/PageFormAction.class.php | 5++++-
Mmodules/cms/action/page/PageNameAction.class.php | 7++++++-
Mmodules/cms/action/page/PagePubAction.class.php | 6+++++-
Mmodules/cms/action/page/PageRemoveAction.class.php | 6++++++
Mmodules/cms/action/pageelement/PageelementPubAction.class.php | 6++++++
Mmodules/cms/action/pageelement/PageelementReleaseAction.class.php | 7+++++++
Mmodules/cms/action/pageelement/PageelementRestoreAction.class.php | 7+++++++
Mmodules/cms/action/pageelement/PageelementValueAction.class.php | 8+++++++-
Mmodules/cms/action/project/ProjectEditAction.class.php | 4++++
Mmodules/cms/action/project/ProjectHistoryAction.class.php | 16++++++++++++++--
Mmodules/cms/action/projectlist/ProjectlistAddAction.class.php | 9+++------
Mmodules/cms/action/projectlist/ProjectlistEditAction.class.php | 32++++++++++++++++----------------
Mmodules/cms/action/projectlist/ProjectlistHistoryAction.class.php | 17++++++++++++++++-
Mmodules/cms/action/text/TextValueAction.class.php | 8+++++++-
Mmodules/cms/action/url/UrlRemoveAction.class.php | 8+++++++-
Mmodules/cms/action/url/UrlValueAction.class.php | 7++++++-
Mmodules/cms/ui/action/index/IndexShowAction.class.php | 88-------------------------------------------------------------------------------
Mmodules/cms/ui/themes/default/html/views/index/show.php | 2+-
Mmodules/cms/ui/themes/default/html/views/index/show.tpl.src.xml | 3+--
Mmodules/cms/ui/themes/default/html/views/projectlist/history.php | 2+-
Mmodules/cms/ui/themes/default/html/views/projectlist/history.tpl.src.xml | 2+-
50 files changed, 313 insertions(+), 148 deletions(-)

diff --git a/modules/cms/action/ObjectAction.class.php b/modules/cms/action/ObjectAction.class.php @@ -44,6 +44,16 @@ class ObjectAction extends BaseAction } + /** + * Should be overwritten by subclasses. + * + * @return int Permission-flag. + */ + public function getRequiredPermission() { + return Permission::ACL_READ; + } + + public function init() { $baseObject = new BaseObject( $this->request->getId() ); @@ -51,7 +61,7 @@ class ObjectAction extends BaseAction $this->setBaseObject( $baseObject ); - $this->checkRight( Permission::ACL_READ ); + $this->checkRight( $this->getRequiredPermission() ); } diff --git a/modules/cms/action/PageelementAction.class.php b/modules/cms/action/PageelementAction.class.php @@ -57,8 +57,7 @@ use util\Transformer; */ class PageelementAction extends BaseAction { - public $security = Action::SECURITY_USER; - + public $security = Action::SECURITY_GUEST; /** * Enthaelt das Seitenobjekt @@ -131,6 +130,15 @@ class PageelementAction extends BaseAction } $this->pageelement = new Pageelement($id); + + if ( ! $this->page->hasRight( $this->getRequiredPagePermission() ) ) { + throw new SecurityException('Insufficient permissions for this page' ); + } + } + + + protected function getRequiredPagePermission() { + return Permission::ACL_READ; } diff --git a/modules/cms/action/ProjectAction.class.php b/modules/cms/action/ProjectAction.class.php @@ -7,6 +7,7 @@ use cms\model\Permission; use cms\model\Folder; use cms\model\Project; use language\Messages; +use util\exception\SecurityException; // OpenRat Content Management System // Copyright (C) 2002-2012 Jan Dankert, cms@jandankert.de @@ -40,7 +41,6 @@ class ProjectAction extends BaseAction * @var Project */ protected $project; - var $defaultSubAction = 'listing'; function __construct() 
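Review bot: The permission check in `init()` now runs once per action with whatever `getRequiredPermission()` returns, so a subclass that overrides `init()` without calling `parent::init()` skips authorization entirely; the new docblock should say so, e.g. `* Subclasses overriding init() must call parent::init(), otherwise this check is not performed.` The default stays `ACL_READ` for every subclass that does not override it — in this commit ObjectRightsAction (the ACL listing) is one such case, while the related aclform/delacl/inherit actions require `ACL_GRANT`; confirm that read access to the permission list is intended. The remainder of `init()` continues outside the hunk.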
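Review bot: With `$security` lowered to `SECURITY_GUEST` in the first hunk of this file, everything in `init()` before the new `hasRight()` check — the page and element lookups above the added lines, and the start of `init()`, which lies outside this hunk — now executes for unauthenticated requests; confirm that none of it does work that should require a login. The check asserts a permission on `$this->page` only; if `$id` comes from the request, whether that element actually belongs to the page is presumably verified where `$id` is resolved, and should be. A short docblock on the new hook would help subclasses pick the right flag: `/** Permission flag required on the page for this action; subclasses override. @return int */`.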
@@ -53,6 +53,10 @@ class ProjectAction extends BaseAction { $this->project = new Project( $this->request->getId() ); $this->project->load(); + + if ( ! $this->userMayReadProject() ) { + throw new SecurityException(); + } } @@ -69,6 +73,19 @@ class ProjectAction extends BaseAction } + /** + * Stellt fest, ob der angemeldete Benutzer Projekt-Admin ist. + * Dies ist der Fall, wenn der Benutzer PROP-Rechte im Root-Folder hat. + * @return bool|int + */ + protected function userMayReadProject() { + + $rootFolder = new Folder( $this->project->getRootObjectId() ); + + return $rootFolder->hasRight(Permission::ACL_READ); + } + + /** * Make a linkable hostname diff --git a/modules/cms/action/ProjectlistAction.class.php b/modules/cms/action/ProjectlistAction.class.php @@ -34,8 +34,6 @@ use util\exception\SecurityException; */ class ProjectlistAction extends BaseAction { - public $security = Action::SECURITY_USER; - function __construct() { parent::__construct(); diff --git a/modules/cms/action/file/FilePubAction.class.php b/modules/cms/action/file/FilePubAction.class.php @@ -7,9 +7,14 @@ use cms\generator\FileGenerator; use cms\generator\Producer; use cms\generator\Publisher; use cms\generator\PublishOrder; +use cms\model\Permission; class FilePubAction extends FileAction implements Method { - public function view() { + public function getRequiredPermission() { + return Permission::ACL_PUBLISH; + } + + public function view() { } public function post() { $fileGenerator = new FileGenerator( new FileContext( $this->file->objectid, Producer::SCHEME_PUBLIC)); diff --git a/modules/cms/action/file/FileRemoveAction.class.php b/modules/cms/action/file/FileRemoveAction.class.php @@ -2,6 +2,7 @@ namespace cms\action\file; use cms\action\FileAction; use cms\action\Method; +use cms\model\Permission; use language\Messages; 
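Review bot: The docblock on `userMayReadProject()` describes a different check than the code performs: it says the user must be a project admin with PROP rights on the root folder, but the body tests `Permission::ACL_READ`, which is also what the method name says. Replace it with `* Checks whether the current user may read this project, i.e. has READ permission on the project's root folder.` and `@return bool` (the `bool|int` union looks like a leftover unless `hasRight()` really returns an int). In the previous hunk the guard throws `new SecurityException()` without a message; `throw new SecurityException('insufficient permissions for this project');` would make the response as informative as the one added in PageelementAction. The method enclosing that guard starts outside the hunk.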
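Review bot: Dropping `public $security = Action::SECURITY_USER;` means ProjectlistAction now inherits BaseAction's default level, which is not visible here; the subclasses touched in this commit set their own level (ADMIN for add, GUEST for edit and history), but any other Projectlist* subclass silently gets the inherited default. If the intent is that every subclass declares its level, a one-line comment in place of the removed property, `// $security is declared per subclass (GUEST for edit/history, ADMIN for add)`, would document that contract.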
@@ -10,7 +11,12 @@ use language\Messages; */ class FileRemoveAction extends FileAction implements Method { - public function view() { + public function getRequiredPermission() { + return Permission::ACL_DELETE; + } + + + public function view() { $this->setTemplateVar( 'name',$this->file->filename ); } diff --git a/modules/cms/action/file/FileUploadAction.class.php b/modules/cms/action/file/FileUploadAction.class.php @@ -4,11 +4,17 @@ namespace cms\action\file; use cms\action\FileAction; use cms\action\Method; +use cms\model\Permission; class FileUploadAction extends FileAction implements Method { - public function view() { + public function getRequiredPermission() { + return Permission::ACL_WRITE; + } + + + public function view() { } diff --git a/modules/cms/action/folder/FolderCreatefileAction.class.php b/modules/cms/action/folder/FolderCreatefileAction.class.php @@ -4,13 +4,18 @@ use cms\action\FolderAction; use cms\action\Method; use cms\model\BaseObject; use cms\model\File; +use cms\model\Permission; use language\Messages; use util\Http; use util\Upload; class FolderCreatefileAction extends FolderAction implements Method { - public function view() { + public function getRequiredPermission() { + return Permission::ACL_CREATE_FILE; + } + + public function view() { // Maximale Dateigroesse. $maxSizeBytes = $this->maxFileSize(); $this->setTemplateVar('max_size' ,($maxSizeBytes/1024).' KB' ); diff --git a/modules/cms/action/folder/FolderCreatefolderAction.class.php b/modules/cms/action/folder/FolderCreatefolderAction.class.php 
@@ -4,11 +4,16 @@ use cms\action\FolderAction; use cms\action\Method; use cms\model\BaseObject; use cms\model\Folder; +use cms\model\Permission; use language\Messages; class FolderCreatefolderAction extends FolderAction implements Method { - public function view() { + public function getRequiredPermission() { + return Permission::ACL_CREATE_FOLDER; + } + + public function view() { $this->setTemplateVar('objectid' ,$this->folder->objectid ); $this->setTemplateVar('languageid',$this->folder->languageid ); } diff --git a/modules/cms/action/folder/FolderCreateimageAction.class.php b/modules/cms/action/folder/FolderCreateimageAction.class.php @@ -4,13 +4,18 @@ use cms\action\FolderAction; use cms\action\Method; use cms\model\BaseObject; use cms\model\Image; +use cms\model\Permission; use language\Messages; use util\Http; use util\Upload; class FolderCreateimageAction extends FolderAction implements Method { - public function view() { + public function getRequiredPermission() { + return Permission::ACL_CREATE_FILE; + } + + public function view() { // Maximale Dateigroesse. $maxSizeBytes = $this->maxFileSize(); $this->setTemplateVar('max_size' ,($maxSizeBytes/1024).' KB' ); diff --git a/modules/cms/action/folder/FolderCreatelinkAction.class.php b/modules/cms/action/folder/FolderCreatelinkAction.class.php @@ -4,11 +4,17 @@ use cms\action\FolderAction; use cms\action\Method; use cms\model\BaseObject; use cms\model\Link; +use cms\model\Permission; use language\Messages; class FolderCreatelinkAction extends FolderAction implements Method { + public function getRequiredPermission() { + return Permission::ACL_CREATE_LINK; + } + + public function view() { $this->setTemplateVar('objectid' ,$this->folder->objectid ); diff --git a/modules/cms/action/folder/FolderCreatepageAction.class.php b/modules/cms/action/folder/FolderCreatepageAction.class.php 
@@ -5,14 +5,20 @@ use cms\action\FolderAction; use cms\action\Method; use cms\model\BaseObject; use cms\model\Page; +use cms\model\Permission; use cms\model\Project; use language\Messages; class FolderCreatepageAction extends FolderAction implements Method { + public function getRequiredPermission() { + return Permission::ACL_CREATE_PAGE; + } - public function view() { + + + public function view() { $project = new Project( $this->folder->projectid ); $all_templates = $project->getTemplates(); diff --git a/modules/cms/action/folder/FolderCreatetextAction.class.php b/modules/cms/action/folder/FolderCreatetextAction.class.php @@ -3,6 +3,7 @@ namespace cms\action\folder; use cms\action\FolderAction; use cms\action\Method; use cms\model\BaseObject; +use cms\model\Permission; use cms\model\Text; use language\Messages; use util\exception\ValidationException; @@ -11,7 +12,11 @@ use util\Upload; class FolderCreatetextAction extends FolderAction implements Method { - public function view() { + public function getRequiredPermission() { + return Permission::ACL_CREATE_FILE; + } + + public function view() { // Maximale Dateigroesse. $maxSizeBytes = $this->maxFileSize(); $this->setTemplateVar('max_size' ,($maxSizeBytes/1024).' KB' ); diff --git a/modules/cms/action/folder/FolderCreateurlAction.class.php b/modules/cms/action/folder/FolderCreateurlAction.class.php @@ -3,12 +3,17 @@ namespace cms\action\folder; use cms\action\FolderAction; use cms\action\Method; use cms\model\BaseObject; +use cms\model\Permission; use cms\model\Url; use language\Messages; class FolderCreateurlAction extends FolderAction implements Method { - public function view() { + public function getRequiredPermission() { + return Permission::ACL_CREATE_LINK; // todo maybe we need a special permission flag for this? + } + + public function view() { } public function post() { $description = $this->request->getText('description'); 
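Review bot: The `// todo maybe we need a special permission flag for this?` on FolderCreateurlAction leaves an authorization decision phrased as a question in the code; until a dedicated flag exists, state the deliberate mapping instead, e.g. `// URL objects are treated as links: creating one requires ACL_CREATE_LINK (no dedicated flag yet)`. The same applies to FolderCreatetextAction in this section, which reuses `ACL_CREATE_FILE` for text objects without saying so.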
diff --git a/modules/cms/action/folder/FolderOrderAction.class.php b/modules/cms/action/folder/FolderOrderAction.class.php @@ -8,7 +8,11 @@ use language\Messages; class FolderOrderAction extends FolderAction implements Method { - public function view() { + public function getRequiredPermission() { + return Permission::ACL_WRITE; + } + + public function view() { $list = array(); // Schleife ueber alle Objekte in diesem Ordner diff --git a/modules/cms/action/folder/FolderPubAction.class.php b/modules/cms/action/folder/FolderPubAction.class.php @@ -20,8 +20,13 @@ use util\Session; class FolderPubAction extends FolderAction implements Method { + public function getRequiredPermission() { + return Permission::ACL_PUBLISH; + } - public function view() { + + + public function view() { // Schalter nur anzeigen, wenn sinnvoll // TODO texts, urls.... diff --git a/modules/cms/action/folder/FolderRemoveAction.class.php b/modules/cms/action/folder/FolderRemoveAction.class.php @@ -2,11 +2,17 @@ namespace cms\action\folder; use cms\action\FolderAction; use cms\action\Method; +use cms\model\Permission; use language\Messages; class FolderRemoveAction extends FolderAction implements Method { + public function getRequiredPermission() { + return Permission::ACL_DELETE; + } + + public function view() { $this->setTemplateVar( 'name',$this->folder->filename ); $this->setTemplateVar( 'hasChildren', $this->folder->hasChildren() ); diff --git a/modules/cms/action/image/ImageSizeAction.class.php b/modules/cms/action/image/ImageSizeAction.class.php @@ -4,9 +4,14 @@ use cms\action\Action; use cms\action\ImageAction; use cms\action\Method; use cms\model\Image; +use cms\model\Permission; use language\Messages; class ImageSizeAction extends ImageAction implements Method { + public function getRequiredPermission() { + return Permission::ACL_WRITE; + } + public function view() { $this->setTemplateVars( $this->image->getProperties() ); 
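Review bot: `Permission::ACL_WRITE` is introduced in FolderOrderAction without a `use cms\model\Permission;` line in this hunk, unlike the sibling folder actions in this commit, which add that import; if the file does not already import it above the hunk, the name resolves to `cms\action\folder\Permission` and the action fails with an undefined-class error on every request. The same applies to FolderPubAction in this section and to PageAllAction, PageFormAction, PageelementValueAction and PageelementReleaseAction. Add `use cms\model\Permission;` to each file's import block where it is missing.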
diff --git a/modules/cms/action/link/LinkRemoveAction.class.php b/modules/cms/action/link/LinkRemoveAction.class.php @@ -3,12 +3,18 @@ namespace cms\action\link; use cms\action\Action; use cms\action\LinkAction; use cms\action\Method; +use cms\model\Permission; use language\Messages; class LinkRemoveAction extends LinkAction implements Method { - public function view() { + public function getRequiredPermission() { + return Permission::ACL_DELETE; + } + + + public function view() { $this->setTemplateVar( 'name',$this->link->filename ); } diff --git a/modules/cms/action/link/LinkValueAction.class.php b/modules/cms/action/link/LinkValueAction.class.php @@ -4,12 +4,18 @@ use cms\action\Action; use cms\action\LinkAction; use cms\action\Method; use cms\model\BaseObject; +use cms\model\Permission; use language\Messages; class LinkValueAction extends LinkAction implements Method { - public function view() { + public function getRequiredPermission() { + return Permission::ACL_WRITE; + } + + + public function view() { $this->setTemplateVars( $this->link->getProperties() ); // Typ der Verknuepfung diff --git a/modules/cms/action/object/ObjectAclformAction.class.php b/modules/cms/action/object/ObjectAclformAction.class.php @@ -13,6 +13,11 @@ use cms\model\User; use language\Messages; class ObjectAclformAction extends ObjectAction implements Method { + public function getRequiredPermission() + { + return Permission::ACL_GRANT; + } + public function view() { $o = new BaseObject( $this->request->getId() ); $o->objectLoadRaw(); diff --git a/modules/cms/action/object/ObjectCopyAction.class.php b/modules/cms/action/object/ObjectCopyAction.class.php @@ -14,6 +14,11 @@ use language\Messages; class ObjectCopyAction extends ObjectAction implements Method { + public function getRequiredPermission() + { + return Permission::ACL_WRITE; + } + public function view() { $sourceObject = new BaseObject( $this->request->getId()); $sourceObject->load(); 
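Review bot: The `ACL_WRITE` returned by ObjectCopyAction is checked by `ObjectAction::init()` against the object named by the request id, i.e. the copy source; the permission that actually matters for a copy is the create right in the destination folder, which this hunk does not cover and which must be enforced in `post()` (outside the hunk) if it is not already. A comment on the override should state that division: `// guards the source object only; the target folder's create permission is checked in post()` — adjust if that check lives elsewhere.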
diff --git a/modules/cms/action/object/ObjectDelaclAction.class.php b/modules/cms/action/object/ObjectDelaclAction.class.php @@ -9,6 +9,12 @@ use language\Messages; use util\Http; class ObjectDelaclAction extends ObjectAction implements Method { + + public function getRequiredPermission() + { + return Permission::ACL_GRANT; + } + public function view() { } public function post() { diff --git a/modules/cms/action/object/ObjectInheritAction.class.php b/modules/cms/action/object/ObjectInheritAction.class.php @@ -11,6 +11,12 @@ use logger\Logger; use util\Session; class ObjectInheritAction extends ObjectAction implements Method { + + public function getRequiredPermission() + { + return Permission::ACL_GRANT; + } + public function view() { $o = new BaseObject( $this->request->getId() ); $o->objectLoadRaw(); diff --git a/modules/cms/action/object/ObjectPropAction.class.php b/modules/cms/action/object/ObjectPropAction.class.php @@ -4,6 +4,7 @@ use cms\action\Method; use cms\action\ObjectAction; use cms\action\RequestParams; use cms\model\BaseObject; +use cms\model\Permission; use cms\model\Project; use language\Messages; use util\exception\ValidationException; @@ -11,6 +12,11 @@ use util\exception\ValidationException; class ObjectPropAction extends ObjectAction implements Method { + public function getRequiredPermission() + { + return Permission::ACL_PROP; + } + public function view() { $this->setTemplateVar( 'filename', $this->baseObject->filename ); $alias = $this->baseObject->getAliasForLanguage(null ); @@ -23,6 +29,7 @@ class ObjectPropAction extends ObjectAction implements Method { public function post() { + if ( ! $this->request->has('filename' ) ) throw new ValidationException('filename'); diff --git a/modules/cms/action/object/ObjectRightsAction.class.php b/modules/cms/action/object/ObjectRightsAction.class.php 
@@ -8,7 +8,8 @@ use cms\model\BaseObject; class ObjectRightsAction extends ObjectAction implements Method { - public function view() { + + public function view() { $o = new BaseObject( $this->request->getId() ); $o->objectLoadRaw(); $this->setTemplateVar( 'show',$o->getRelatedAclTypes() ); diff --git a/modules/cms/action/page/PageAllAction.class.php b/modules/cms/action/page/PageAllAction.class.php @@ -24,7 +24,12 @@ use util\Text; class PageAllAction extends PageAction implements Method { - public function view() + public function getRequiredPermission() { + return Permission::ACL_WRITE; + } + + + public function view() { $languageid = $this->request->getRequiredId('languageid'); diff --git a/modules/cms/action/page/PageChangetemplateAction.class.php b/modules/cms/action/page/PageChangetemplateAction.class.php @@ -2,12 +2,17 @@ namespace cms\action\page; use cms\action\Method; use cms\action\PageAction; +use cms\model\Permission; use cms\model\Project; use cms\model\Template; use util\Html; class PageChangetemplateAction extends PageAction implements Method { - public function view() { + public function getRequiredPermission() { + return Permission::ACL_PROP; + } + + public function view() { $this->page->load(); diff --git a/modules/cms/action/page/PageChangetemplateselectelementsAction.class.php b/modules/cms/action/page/PageChangetemplateselectelementsAction.class.php @@ -4,12 +4,18 @@ use cms\action\Action; use cms\action\Method; use cms\action\PageAction; use cms\model\Element; +use cms\model\Permission; use cms\model\Template; use language\Messages; class PageChangetemplateselectelementsAction extends PageAction implements Method { - public function view() { + public function getRequiredPermission() { + return Permission::ACL_PROP; + } + + + public function view() { $newTemplateId = $this->request->getText( 'newtemplateid' ); if ( $newTemplateId != 0 ) 
diff --git a/modules/cms/action/page/PageFormAction.class.php b/modules/cms/action/page/PageFormAction.class.php @@ -12,8 +12,11 @@ use cms\model\Value; class PageFormAction extends PageAction implements Method { + public function getRequiredPermission() { + return Permission::ACL_WRITE; + } - public function view() { + public function view() { $list = array(); foreach( $this->page->values as $id=>$value ) diff --git a/modules/cms/action/page/PageNameAction.class.php b/modules/cms/action/page/PageNameAction.class.php @@ -5,13 +5,18 @@ use cms\action\object\ObjectInfoAction; use cms\action\object\ObjectNameAction; use cms\action\PageAction; use cms\model\BaseObject; +use cms\model\Permission; use cms\model\Project; use language\Messages; class PageNameAction extends PageAction implements Method { + public function getRequiredPermission() { + return Permission::ACL_WRITE; + } - public function view() { + + public function view() { $languageId = $this->request->getText('languageid'); diff --git a/modules/cms/action/page/PagePubAction.class.php b/modules/cms/action/page/PagePubAction.class.php @@ -14,7 +14,11 @@ use language\Messages; use util\Session; class PagePubAction extends PageAction implements Method { - public function view() { + public function getRequiredPermission() { + return Permission::ACL_PUBLISH; + } + + public function view() { } public function post() { diff --git a/modules/cms/action/page/PageRemoveAction.class.php b/modules/cms/action/page/PageRemoveAction.class.php @@ -2,10 +2,16 @@ namespace cms\action\page; use cms\action\Method; use cms\action\PageAction; +use cms\model\Permission; use language\Messages; class PageRemoveAction extends PageAction implements Method { + public function getRequiredPermission() { + return Permission::ACL_DELETE; + } + + public function view() { $this->setTemplateVar( 'name',$this->page->filename ); } 
diff --git a/modules/cms/action/pageelement/PageelementPubAction.class.php b/modules/cms/action/pageelement/PageelementPubAction.class.php @@ -6,6 +6,12 @@ use cms\model\Permission; use util\exception\SecurityException; class PageelementPubAction extends PageelementAction implements Method { + + protected function getRequiredPagePermission() + { + return Permission::ACL_PUBLISH; + } + public function view() { } public function post() { diff --git a/modules/cms/action/pageelement/PageelementReleaseAction.class.php b/modules/cms/action/pageelement/PageelementReleaseAction.class.php @@ -8,6 +8,13 @@ use LogicException; use util\exception\SecurityException; class PageelementReleaseAction extends PageelementAction implements Method { + + + protected function getRequiredPagePermission() + { + return Permission::ACL_RELEASE; + } + public function view() { } public function post() { diff --git a/modules/cms/action/pageelement/PageelementRestoreAction.class.php b/modules/cms/action/pageelement/PageelementRestoreAction.class.php @@ -4,10 +4,17 @@ use cms\action\Action; use cms\action\Method; use cms\action\PageelementAction; use cms\model\Element; +use cms\model\Permission; use language\Messages; class PageelementRestoreAction extends PageelementAction implements Method { + protected function getRequiredPagePermission() + { + return Permission::ACL_WRITE; + } + + public function view() { } diff --git a/modules/cms/action/pageelement/PageelementValueAction.class.php b/modules/cms/action/pageelement/PageelementValueAction.class.php @@ -7,7 +7,12 @@ use cms\model\Page; class PageelementValueAction extends PageelementAction implements Method { - public function view() { + protected function getRequiredPagePermission() + { + return Permission::ACL_WRITE; + } + + public function view() { $this->value->languageid = $this->page->languageid; $this->value->objectid = $this->page->objectid; $this->value->pageid = $this->page->pageid; 
@@ -55,6 +60,7 @@ class PageelementValueAction extends PageelementAction implements Method { public function post() { + $this->element->load(); $type = $this->element->type; diff --git a/modules/cms/action/project/ProjectEditAction.class.php b/modules/cms/action/project/ProjectEditAction.class.php @@ -1,9 +1,13 @@ <?php namespace cms\action\project; +use cms\action\Action; use cms\action\Method; use cms\action\ProjectAction; class ProjectEditAction extends ProjectAction implements Method { + + public $security = Action::SECURITY_GUEST; + public function view() { $this->setTemplateVar('name' ,$this->project->name); diff --git a/modules/cms/action/project/ProjectHistoryAction.class.php b/modules/cms/action/project/ProjectHistoryAction.class.php @@ -1,12 +1,24 @@ <?php namespace cms\action\project; +use cms\action\Action; use cms\action\Method; use cms\action\ProjectAction; +use cms\model\BaseObject; +use cms\model\Permission; class ProjectHistoryAction extends ProjectAction implements Method { - public function view() { + + public $security = Action::SECURITY_GUEST; + + public function view() { $result = $this->project->getLastChanges(); - + + // Permission check + $result = array_filter( $result, function( $object ) { + $baseObject = new BaseObject($object['objectid']); + return $baseObject->hasRight( Permission::ACL_READ ); + }); + $this->setTemplateVar('timeline', $result); } public function post() { diff --git a/modules/cms/action/projectlist/ProjectlistAddAction.class.php b/modules/cms/action/projectlist/ProjectlistAddAction.class.php @@ -1,5 +1,6 @@ <?php namespace cms\action\projectlist; +use cms\action\Action; use cms\action\Method; use cms\action\ProjectlistAction; use cms\model\Project; 
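Review bot: The filter in ProjectHistoryAction calls `hasRight()` on a `BaseObject` that is constructed from the id but never loaded, whereas ProjectlistEditAction in this same commit calls `$rootFolder->load()` before `hasRight()`; if `hasRight()` depends on loaded state (parent chain, project id), the filter evaluates against an empty object and either hides everything or lets entries through. Either load the object first or confirm that `hasRight()` works on a bare id and say so in the comment, e.g. `// Permission check (hasRight() resolves the ACL from the id alone; no load() needed)`. ProjectlistHistoryAction adds the identical loop and needs the same treatment. This also performs one object lookup per timeline entry; acceptable for a short timeline, but worth noting in the comment.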
@@ -8,10 +9,9 @@ use util\exception\SecurityException; class ProjectlistAddAction extends ProjectlistAction implements Method { - public function view() { + public $security = Action::SECURITY_ADMIN; - if( ! $this->userIsAdmin() ) - throw new SecurityException('user is not allowed to add a project'); + public function view() { $this->setTemplateVar( 'projects',Project::getAllProjects() ); } @@ -19,9 +19,6 @@ class ProjectlistAddAction extends ProjectlistAction implements Method { public function post() { - if( !$this->userIsAdmin()) - throw new SecurityException(); - /* $projectid = $this->request->getVar('projectid'); diff --git a/modules/cms/action/projectlist/ProjectlistEditAction.class.php b/modules/cms/action/projectlist/ProjectlistEditAction.class.php @@ -1,5 +1,6 @@ <?php namespace cms\action\projectlist; +use cms\action\Action; use cms\action\Method; use cms\action\ProjectlistAction; use cms\model\Permission; 
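Review bot: Both the `view()` and `post()` admin checks are removed in favour of `public $security = Action::SECURITY_ADMIN;`, so project creation is now protected only if the dispatcher enforces `$security` before invoking `post()` as well as `view()`; that enforcement is not visible here and should be confirmed, since `post()` is the mutating path. If it holds, `use util\exception\SecurityException;` at the top of the file (outside the hunk) is probably now unused. A comment on the property, `// enforced by the dispatcher for view() and post(); no explicit userIsAdmin() check needed`, records the assumption.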
@@ -7,28 +8,27 @@ use cms\model\Folder; use cms\model\Project; class ProjectlistEditAction extends ProjectlistAction implements Method { + + public $security = Action::SECURITY_GUEST; + public function view() { // Projekte ermitteln $list = array(); - foreach(Project::getAllProjects() as $id=> $name ) - { - - // Schleife ueber alle Projekte - foreach (Project::getAllProjects() as $id => $name) { + // Schleife ueber alle Projekte + foreach (Project::getAllProjects() as $id => $name) { - $project = new Project($id); - $rootFolder = new Folder($project->getRootObjectId()); - $rootFolder->load(); + $project = new Project($id); + $rootFolder = new Folder($project->getRootObjectId()); + $rootFolder->load(); - // Berechtigt für das Projekt? - if ($rootFolder->hasRight(Permission::ACL_READ)) { - $list[$id] = array(); - $list[$id]['id' ] = $id; - $list[$id]['name' ] = $name; - } - } - } + // Berechtigt für das Projekt? + if ($rootFolder->hasRight(Permission::ACL_READ)) { + $list[$id] = array(); + $list[$id]['id' ] = $id; + $list[$id]['name' ] = $name; + } + } $this->setTemplateVar('projects',$list); $this->setTemplateVar('add',$this->userIsAdmin()); diff --git a/modules/cms/action/projectlist/ProjectlistHistoryAction.class.php b/modules/cms/action/projectlist/ProjectlistHistoryAction.class.php 
@@ -1,14 +1,29 @@ <?php namespace cms\action\projectlist; +use cms\action\Action; use cms\action\Method; use cms\action\ProjectlistAction; +use cms\model\BaseObject; +use cms\model\Permission; use cms\model\Project; class ProjectlistHistoryAction extends ProjectlistAction implements Method { - public function view() { + + public $security = Action::SECURITY_GUEST; + + public function view() { + $result = Project::getAllLastChanges(); + + // Permission check + $result = array_filter( $result, function( $object ) { + $baseObject = new BaseObject($object['objectid']); + return $baseObject->hasRight( Permission::ACL_READ ); + }); + $this->setTemplateVar('timeline', $result); } + public function post() { } } diff --git a/modules/cms/action/text/TextValueAction.class.php b/modules/cms/action/text/TextValueAction.class.php @@ -3,12 +3,18 @@ namespace cms\action\text; use cms\action\Method; use cms\action\RequestParams; use cms\action\TextAction; +use cms\model\Permission; use language\Messages; class TextValueAction extends TextAction implements Method { - public function view() { + public function getRequiredPermission() { + return Permission::ACL_WRITE; + } + + + public function view() { $this->setTemplateVar( 'text', $this->text->loadValue() ); } diff --git a/modules/cms/action/url/UrlRemoveAction.class.php b/modules/cms/action/url/UrlRemoveAction.class.php @@ -3,12 +3,18 @@ namespace cms\action\url; use cms\action\Action; use cms\action\Method; use cms\action\UrlAction; +use cms\model\Permission; use language\Messages; class UrlRemoveAction extends UrlAction implements Method { - public function view() { + public function getRequiredPermission() { + return Permission::ACL_DELETE; + } + + + public function view() { $this->setTemplateVar( 'name',$this->url->filename ); } diff --git a/modules/cms/action/url/UrlValueAction.class.php b/modules/cms/action/url/UrlValueAction.class.php 
@@ -2,13 +2,18 @@ namespace cms\action\url; use cms\action\Method; use cms\action\UrlAction; +use cms\model\Permission; use language\Messages; class UrlValueAction extends UrlAction implements Method { + public function getRequiredPermission() { + return Permission::ACL_WRITE; + } - public function view() { + + public function view() { $this->setTemplateVars( $this->url->getProperties() ); // Typ der Verknuepfung diff --git a/modules/cms/ui/action/index/IndexShowAction.class.php b/modules/cms/ui/action/index/IndexShowAction.class.php @@ -52,16 +52,6 @@ class IndexShowAction extends IndexAction implements Method { $this->setTemplateVar('style',$style ); - $userIsLoggedIn = is_object($user); - - // Welche Aktion soll ausgeführt werden? - $action = ''; - $id = 0; - $this->updateStartAction( $action, $id ); - - $this->setTemplateVar('action',$action); - $this->setTemplateVar('id' ,$id ); - $this->setTemplateVar('scriptLink', $this->getScriptLink() ); $this->setTemplateVar('styleLink' , $this->getStyleLink() ); @@ -81,19 +71,6 @@ class IndexShowAction extends IndexAction implements Method { if ( DEVELOPMENT ) $this->addInfoFor( new User(),Messages::DEVELOPMENT_MODE ); - $methods = array( - 'edit' => true, - 'preview' => true, - 'info' => true, - 'rights' => true, - ); - - $methodList = array(); - foreach( $methods as $method=>$openByDefault ) - { - $methodList[] = array('name'=>$method,'open'=>$openByDefault); - } - $this->setTemplateVar('methodList', $methodList); $this->setTemplateVar('favicon_url', C::subset('theme')->get('favicon','modules/cms/ui/themes/default/images/openrat-logo.ico') ); $vars = $this->getOutputData(); 
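Review bot: By the hunk counts in IndexShowAction (`-81,19 +71,6`: thirteen removed, six context), `$this->setTemplateVar('methodList', $methodList);` is kept as a context line while the block that defined `$methodList` is removed, so `view()` now references an undefined variable and passes `null` to the template. Either remove that line as well or keep the definition; if the template still iterates `methodList`, the former breaks it silently. The method enclosing this hunk starts and ends outside it.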
@@ -137,64 +114,7 @@ class IndexShowAction extends IndexAction implements Method { } - /** - * Ermittelt die erste zu startende Aktion. - * @param $action - * @param $id - */ - protected function updateStartAction(&$action, &$id ) - { - $user = Session::getUser(); - - if ( !is_object($user) ) - { - $action = 'login'; - $id = 0; - return; - } - - - // Die Action im originalen Request hat Priorität. - $params = new RequestParams(); - if ( !empty( $params->action ) ) - { - $action = $params->action; - $id = $params->id; - return; - } - - - $startConfig = Configuration::subset( ['login','start'] ); - // Das zuletzt geänderte Objekt benutzen. - if ( $startConfig->is('start_lastchanged_object',true) ) - { - $objectid = Value::getLastChangedObjectByUserId($user->userid); - - if ( BaseObject::available($objectid)) - { - $object = new BaseObject($objectid); - $object->objectLoad(); - $action = $object->getType(); - $id = $objectid; - return; - } - } - - // Das einzige Projekt benutzen - if ( $startConfig->is('start_single_project',true) ) - { - $projects = Project::getAllProjects(); - if ( count($projects) == 1 ) { - // Das einzige Projekt sofort starten. - $action = 'project'; - $id = array_keys($projects)[0]; - } - } - - $action = 'projectlist'; - $id = 0; - } protected function tryAutoLogin() { @@ -212,16 +132,8 @@ class IndexShowAction extends IndexAction implements Method { catch( ObjectNotFoundException $e ) { Logger::warn('Username for autologin does not exist: '.$username); - - // Kein Auto-Login moeglich, die Anmeldemaske anzeigen. - $this->setTemplateVars( array('dialogAction'=>'login','dialogMethod'=>'login')); } } - else - { - // Kein Auto-Login moeglich, die Anmeldemaske anzeigen. - $this->setTemplateVars( array('dialogAction'=>'login','dialogMethod'=>'login')); - } } diff --git a/modules/cms/ui/themes/default/html/views/index/show.php b/modules/cms/ui/themes/default/html/views/index/show.php 
@@ -51,7 +51,7 @@
 <div class="<?php echo O::escapeHtml('or-collapsible-value or-view or-act-view-loader') ?>" data-method="<?php echo O::escapeHtml(''.@$mainMethodName.'') ?>"><?php echo O::escapeHtml('') ?></div>
 </section>
 </main>
- <div id="<?php echo O::escapeHtml('dialog') ?>" class="<?php echo O::escapeHtml('or-dialog or-dialog--is-closed') ?>" data-action="<?php echo O::escapeHtml(''.@$dialogAction.'') ?>" data-method="<?php echo O::escapeHtml(''.@$dialogMethod.'') ?>"><?php echo O::escapeHtml('') ?>
+ <div id="<?php echo O::escapeHtml('dialog') ?>" class="<?php echo O::escapeHtml('or-dialog or-dialog--is-closed') ?>" data-action="<?php echo O::escapeHtml('') ?>" data-method="<?php echo O::escapeHtml('') ?>"><?php echo O::escapeHtml('') ?>
 <div class="<?php echo O::escapeHtml('or-dialog-filler') ?>"><?php echo O::escapeHtml('') ?>
 <span class="<?php echo O::escapeHtml('or-dialog-filler-icon or-btn or-image-icon or-image-icon--menu-close') ?>"><?php echo O::escapeHtml('') ?></span>
 </div>
diff --git a/modules/cms/ui/themes/default/html/views/index/show.tpl.src.xml b/modules/cms/ui/themes/default/html/views/index/show.tpl.src.xml
@@ -111,8 +111,7 @@
 <!-- Modal dialog -->
- <div id="dialog" class="or-dialog or-dialog--is-closed" data-action="${dialogAction}"
- data-method="${dialogMethod}">
+ <div id="dialog" class="or-dialog or-dialog--is-closed" data-action="" data-method="">
 <!-- Header menu -->
 <div class="or-dialog-filler"><!-- empty element, this is only for styling the background -->
 <span class="or-dialog-filler-icon or-btn or-image-icon or-image-icon--menu-close"></span>
diff --git a/modules/cms/ui/themes/default/html/views/projectlist/history.php b/modules/cms/ui/themes/default/html/views/projectlist/history.php
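Review bot: With `data-action=""` and `data-method=""` now fixed to empty strings in show.tpl.src.xml, the server no longer tells the dialog to open the login form, and the matching fallback in `tryAutoLogin()` (hunk `@@ -212,16 +132,8 @@` above) is removed at the same time, so a visitor whose auto-login fails only reaches the login form if the client side opens it on its own; I cannot see that client code here, so please confirm it handles the logged-out state. If the two attributes are kept only because the client reads them, a short comment next to the element, `<!-- data-action/data-method are filled by the client when a dialog is opened -->`, would explain why they are present but empty; otherwise dropping them keeps the template clearer. The generated show.php hunk in the same file group mirrors this change and needs no separate edit.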
@@ -22,7 +22,7 @@
 <?php foreach((array)@$timeline as $list_key=>$list_value) { extract($list_value); ?>
 <tr class="<?php echo O::escapeHtml('or-data') ?>"><?php echo O::escapeHtml('') ?>
 <td class="<?php echo O::escapeHtml('or-act-clickable') ?>"><?php echo O::escapeHtml('') ?>
- <a target="<?php echo O::escapeHtml('_self') ?>" data-type="<?php echo O::escapeHtml('post') ?>" data-action="<?php echo O::escapeHtml('start') ?>" data-method="<?php echo O::escapeHtml('projectmenu') ?>" data-id="<?php echo O::escapeHtml(''.@$projectid.'') ?>" data-extra="<?php echo O::escapeHtml('[]') ?>" data-data="<?php echo O::escapeHtml('{"action":"start","subaction":"projectmenu","id":"'.@$projectid.'","token":"'.@$_token.'","none":"0"}') ?>" class="<?php echo O::escapeHtml('or-link') ?>"><?php echo O::escapeHtml('') ?>
+ <a target="<?php echo O::escapeHtml('_self') ?>" data-type="<?php echo O::escapeHtml('open') ?>" data-action="<?php echo O::escapeHtml('project') ?>" data-method="<?php echo O::escapeHtml('') ?>" data-id="<?php echo O::escapeHtml(''.@$projectid.'') ?>" data-extra="<?php echo O::escapeHtml('[]') ?>" href="<?php echo O::escapeHtml('#/project/'.@$projectid.'') ?>" class="<?php echo O::escapeHtml('or-link') ?>"><?php echo O::escapeHtml('') ?>
 <span><?php echo O::escapeHtml(''.@$projectname.'') ?></span>
 </a>
 </td>
diff --git a/modules/cms/ui/themes/default/html/views/projectlist/history.tpl.src.xml b/modules/cms/ui/themes/default/html/views/projectlist/history.tpl.src.xml
@@ -17,7 +17,7 @@
 <list list="${timeline}" extract="true">
 <row class="data">
 <column class="act-clickable">
- <link type="post" action="start" subaction="projectmenu" id="${projectid}">
+ <link type="open" action="project" id="${projectid}">
 <text value="${projectname}"/>
 </link>
 </column>
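Review bot: The project link in history.tpl.src.xml changes from a `type="post"` request that carried the session token (visible in the removed `data-data` of the generated history.php hunk above) to a `type="open"` navigation to `#/project/${projectid}` that carries no token, which is correct only if opening the `project` action is a pure read; I cannot see that action's entry method here, so please confirm it performs no state change on open. If that holds, a short comment above the element, `<!-- navigation only: the project action is read-only, so no CSRF token is needed -->`, would record why the token was dropped. The generated history.php hunk follows from this template and needs no separate edit.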
