From ecf1dfae96b45b5b4b058a4d56a45fcbf71c26f2 Mon Sep 17 00:00:00 2001
From: Prav
Date: Wed, 19 Feb 2020 17:29:01 +0530
Subject: [PATCH] Task #24 chore: Modified the Authorised and Check methods in RBACL

---
 README.md                                    | 33 ++++++++++++++-
 src/administrator/includes/rbacl.php         | 44 +++++++++++++-------
 src/administrator/models/roles.php           |  5 ---
 src/administrator/sql/install.mysql.utf8.sql |  1 +
 4 files changed, 61 insertions(+), 22 deletions(-)

diff --git a/README.md b/README.md
index 2e32808..10009d6 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,32 @@
-# com_subusers
\ No newline at end of file
+# com_subusers
+
+# Introduction
+Subusers is a powerful component that provides the facility to associate roles to users. Based on the defined roles, users gets access to perform different actions in the organisation. Subusers is usually integrated with multiagency or clusters. It cannot work on it own. It has to be integrated with any one of the components.
+
+Based on the action mentioned in the RBACL, role hierarchy gets defined. The higher role must have more actions.
+
+# Features
+
+Below features makes subusers a powerful component to use-
+
+1. Roles Management
+Subusers allows the user to introduce / add new role in the system. Roles can be added from the backend.
+
+Example - An agency can have roles like manager, admin, lead etc.
+
+2. Role Hierarchy
+Subusers allows user to define role hierarchy. Hierarchy is defined by the actions each role have. The role with higher actions count is considered to be superior role.
+
+Example - An agency can have roles like manager, admin, lead etc. Admin can perfom 10 actions while manager can perform 8 actions, this defines that admin role is higher than manager in terms of hierarchy.
+
+3. User Role Association
+Subusers allows you to add roles to users. An agency can have multiple user roles and those roles can managed in this component quite easily.
+
+Example - A user can be a manager in one agency and Admin in another.
+
+4. Data access security
+Subusers allows you have multiple user roles within the agencies but with this, the component keeps check on user that user should access the data only for the agency where he has access to.
+
+# Syntax to use
+
+RBACL::check(userId, recordClient, action, actionClient = null, contentId = null)
diff --git a/src/administrator/includes/rbacl.php b/src/administrator/includes/rbacl.php
index 79532ed..58da110 100644
--- a/src/administrator/includes/rbacl.php
+++ b/src/administrator/includes/rbacl.php
@@ -73,16 +73,17 @@ public static function model($name, $config = array())
 /**
 * Method to check if a user is authorised to perform an action, optionally on an content.
 *
- @param integer $userId Id of the user for which to check authorisation.
- @param string $client The name of the client to authorise. com_content
- @param string $action The name of the action to authorise. Eg. core.edit
- @param integer $contentId The content key. null check with role and allowed actions.
+ @param integer $userId Id of the user for which to check authorisation.
+ @param string $client The name of the client to authorise. com_content
+ @param string $action The name of the action to authorise. Eg. core.edit
+ @param string $actionClient The name of the client of action to authorise. Eg. com_content
+ @param integer $contentId The content key. null check with role and allowed actions.
 *
 * @return boolean True if allowed, false for an explicit deny, null for an implicit deny.
 *
 * @since __DEPLOY_VERSION__
 */
- public static function check($userId, $client, $action, $contentId = null)
+ public static function check($userId, $client, $action, $actionClient = null, $contentId = null)
 {
 $action = strtolower(preg_replace('#[\s\-]+#', '.', trim($action)));

@@ -90,10 +91,15 @@ public static function check($userId, $client, $action, $contentId = null)

 if ($user->id)
 {
+ if (empty(trim($actionClient)))
+ {
+ $actionClient = $client;
+ }
+
 /*
 * Step 1. Check the action is exist
 */
- $actionObj = SubusersAction::loadActionByCode($action, $client);
+ $actionObj = SubusersAction::loadActionByCode($action, $actionClient);

 if ($actionObj->id)
 {
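Review bot: The new guard `if (empty(trim($actionClient)))` passes the `null` default straight into `trim()`, which is deprecated from PHP 8.1, and `empty()` also treats the string `"0"` as unset; the sibling `authorise()` casts to string first, but `check()` is public and can be called directly, so prefer `if (trim((string) $actionClient) === '') { $actionClient = $client; }`. The action is now resolved under `$actionClient` while the content-role lookup later in the function (outside this hunk) still uses `$client`, and the two new `@param` lines do not say so; suggest `@param string $client The client whose records and roles are checked (the README calls this recordClient).` and `@param string $actionClient The client the action is registered under; defaults to $client when empty.`. The body of check() continues past the end of this hunk.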
@@ -130,9 +136,7 @@ public static function check($userId, $client, $action, $contentId = null) $userModel = self::model("user"); $contentRoleId = $userModel->getAssociatedContentRole($userId, $client, $contentId); - $rolesAllowed = array_intersect($contentRoleId, $allowedRoles); - - if (!empty($rolesAllowed)) + if (in_array($contentRoleId[0], $allowedRoles)) { return true; } 
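Review bot: `$contentRoleId[0]` is read without checking that getAssociatedContentRole() returned anything: an empty result raises an undefined-offset notice and yields `null`, and non-strict `in_array(null, $allowedRoles)` matches a `0`/`false` entry, so a user with no role on the record would be granted access if `$allowedRoles` (built outside this hunk) ever contains such a value. The removed array_intersect() also considered every role the user holds on the record, whereas the new line consults only the first element and would deny a user whose matching role is not first. Suggest `if (!empty($contentRoleId) && in_array($contentRoleId[0], $allowedRoles, true))`, normalising both sides to int first if the role ids come back from the DB as strings. check() starts and ends outside this hunk.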
@@ -146,23 +150,31 @@ public static function check($userId, $client, $action, $contentId = null)
 /**
 * This method will check the core Joomla authorisatoion and RBACL authorisation
 *
- @param integer $userId Id of the user for which to check authorisation.
- @param string $client The name of the client to authorise. com_content
- @param string $action The name of the action to authorise. Eg. core.edit
- @param integer $contentId The content key. null check with role and allowed actions.
+ @param integer $userId Id of the user for which to check authorisation.
+ @param string $client The name of the client to authorise. com_content
+ @param string $action The name of the action to authorise. Eg. core.edit
+ @param string $actionClient The name of the client of action to authorise. Eg. com_content
+ @param integer $contentId The content key. null check with role and allowed actions.
 *
 * @return boolean True if authorised
 *
 * @since __DEPLOY_VERSION__
 */
- public static function authorise($userId, $client, $action, $contentId = null)
+ public static function authorise($userId, $client, $action, $actionClient = null, $contentId = null)
 {
 $client = (string) $client;
 $action = (string) $action;
+ $actionClient = (string) $actionClient;
+
+ if (empty(trim($actionClient)))
+ {
+ $actionClient = $client;
+ }
+
 $user = Factory::getUser($userId);
- $result = $user->authorise($action, $client);
+ $result = $user->authorise($action, $actionClient);

- return $result && self::check($userId, $client, $action, $contentId);
+ return $result && self::check($userId, $client, $action, $actionClient, $contentId);
 }

 /**
diff --git a/src/administrator/models/roles.php b/src/administrator/models/roles.php
index 691b0f5..aed6489 100755
--- a/src/administrator/models/roles.php
+++ b/src/administrator/models/roles.php
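Review bot: The core Joomla ACL check `$user->authorise($action, $actionClient)` is now evaluated against the action's client rather than `$client`, which is the intended split but is not stated in the docblock; add to the new `@param` line `Defaults to $client when empty.` and to `$client` `The client whose records and roles RBACL::check() consults.`. The fallback block duplicates the one added to check(), and since check() is called right below with the already-resolved value, the copy here could shrink to `$actionClient = trim($actionClient) !== '' ? $actionClient : $client;` placed after the `(string)` cast. Note that `empty()` would also discard a client literally named `"0"`, so the `=== ''` comparison is the safer form in both methods.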
@@ -78,7 +78,6 @@ protected function populateState($ordering = 'a.id', $direction = 'desc') */ protected function getListQuery() { - // Create a new query object. $db = $this->getDbo(); $query = $db->getQuery(true); @@ -90,11 +89,9 @@ protected function getListQuery() ); $query->from('`#__tjsu_roles` AS a'); - // Join over the user field 'created_by' $query->select('`created_by`.name AS `created_by`'); $query->join('LEFT', '#__users AS `created_by` ON `created_by`.id = a.`created_by`'); - // Filter by search in title $search = $this->getState('filter.search'); if (!empty($search)) @@ -114,13 +111,11 @@ protected function getListQuery() $client = $this->getState('filter.client'); - // Filter by client if (!empty($client)) { $query->where($db->quoteName('a.client') . ' = ' . $db->quote($client)); } - // Add the list ordering clause. $orderCol = $this->state->get('list.ordering'); $orderDirn = $this->state->get('list.direction'); diff --git a/src/administrator/sql/install.mysql.utf8.sql b/src/administrator/sql/install.mysql.utf8.sql index 6929ca2..dd62033 100755 --- a/src/administrator/sql/install.mysql.utf8.sql +++ b/src/administrator/sql/install.mysql.utf8.sql @@ -6,6 +6,7 @@ CREATE TABLE IF NOT EXISTS `#__tjsu_roles` ( `id` int(11) unsigned NOT NULL AUTO_INCREMENT, `name` varchar(255) NOT NULL COMMENT 'The name of the role', `client` varchar(255) NOT NULL COMMENT 'The client name Eg. com_tjlms, com_jlike', + `state` tinyint(1) NOT NULL DEFAULT '1', `created_by` int(11) NOT NULL, `created_date` datetime NOT NULL DEFAULT '0000-00-00 00:00:00', `modified_by` int(11) NOT NULL,
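Review bot: The new `state` column is added to the install schema only; the diffstat lists no update SQL, so existing installations will not receive it and any query that starts selecting it will fail there. Nothing else in this patch reads the column — in particular the role lookups behind RBACL::check() (outside this diff) will keep honouring roles regardless of `state` unless they are changed to filter on `state = 1`, so an unpublished role would still grant access. If the column is meant to disable roles, ship an `ALTER TABLE `#__tjsu_roles` ADD COLUMN `state` tinyint(1) NOT NULL DEFAULT '1';` in the update SQL and add the `state` filter to the role queries used by check() and the roles list model in the same change. The `CREATE TABLE` statement continues past the end of this hunk.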