

Refactor module access query for extendability
Centralise the duplicated owner/security-group access-filter logic into `SugarBean::buildAccessWhere` and update all call sites to use it, instead of each caller building the owner and group WHERE clauses independently, which made the access rules hard to extend consistently.
mattlorimer authored and jack7anderson7 committed Dec 15, 2022
1 parent 9f19ea4 commit cbf8b3f
Showing 12 changed files with 132 additions and 305 deletions.
133 changes: 50 additions & 83 deletions data/SugarBean.php
Expand Up @@ -3511,22 +3511,7 @@ public function get_list(
if (isset($_SESSION['show_deleted'])) {
$show_deleted = 1;
}

if ($this->bean_implements('ACL') && ACLController::requireOwner($this->module_dir, 'list')) {
global $current_user;
$owner_where = $this->getOwnerWhere($current_user->id);

//rrs - because $this->getOwnerWhere() can return '' we need to be sure to check for it and
//handle it properly else you could get into a situation where you are create a where stmt like
//WHERE .. AND ''
if (!empty($owner_where)) {
if (empty($where)) {
$where = $owner_where;
} else {
$where .= ' AND ' . $owner_where;
}
}
}

$query = $this->create_new_list_query(
$order_by,
$where,
Expand Down Expand Up @@ -3558,6 +3543,49 @@ public function getOwnerWhere($user_id)
return '';
}


/**
* @param string $view
* @param User $user
* @return string
*/
public function buildAccessWhere($view, $user = null)
{
global $current_user, $sugar_config;

$conditions = [];
$user = $user === null ? $current_user : $user;

if ($this->bean_implements('ACL') && ACLController::requireOwner($this->module_dir, $view)) {
$ownerWhere = $this->getOwnerWhere($user->id);
if (!empty($ownerWhere)) {
$conditions['owner'] = $ownerWhere;
}
}

/* BEGIN - SECURITY GROUPS */
$SecurityGroupFile = BeanFactory::getBeanFile('SecurityGroups');
require_once $SecurityGroupFile;
if ($view === 'list' && $this->module_dir === 'Users' && !is_admin($user)
&& isset($sugar_config['securitysuite_filter_user_list'])
&& $sugar_config['securitysuite_filter_user_list']
) {
$groupWhere = SecurityGroup::getGroupUsersWhere($user->id);
$conditions['group'] = $groupWhere;
} elseif ($this->bean_implements('ACL') && ACLController::requireSecurityGroup($this->module_dir, $view)) {
$ownerWhere = $this->getOwnerWhere($user->id);
$groupWhere = SecurityGroup::getGroupWhere($this->table_name, $this->module_dir, $user->id);
if (!empty($ownerWhere)) {
$conditions['group'] = " (" . $ownerWhere . " or " . $groupWhere . ") ";
} else {
$conditions['group'] = $groupWhere;
}
}
/* END - SECURITY GROUPS */

return implode(' AND ', $conditions);
}

/**
* Return the list query used by the list views and export button.
* Next generation of create_new_list_query function.
Expand Down Expand Up @@ -3592,45 +3620,12 @@ public function create_new_list_query(
$secondarySelectedFields = array();
$ret_array = array();
$distinct = '';
if ($this->bean_implements('ACL') && ACLController::requireOwner($this->module_dir, 'list')) {
global $current_user;
$owner_where = $this->getOwnerWhere($current_user->id);
if (empty($where)) {
$where = $owner_where;
} else {
$where .= ' AND ' . $owner_where;
}
}
/* BEGIN - SECURITY GROUPS */
global $current_user, $sugar_config;
if ($this->module_dir == 'Users' && !is_admin($current_user)
&& isset($sugar_config['securitysuite_filter_user_list'])
&& $sugar_config['securitysuite_filter_user_list']
) {
require_once('modules/SecurityGroups/SecurityGroup.php');
global $current_user;
$group_where = SecurityGroup::getGroupUsersWhere($current_user->id);
if (empty($where)) {
$where = " (" . $group_where . ") ";
} else {
$where .= " AND (" . $group_where . ") ";
}
} elseif ($this->bean_implements('ACL') && ACLController::requireSecurityGroup($this->module_dir, 'list')) {
require_once('modules/SecurityGroups/SecurityGroup.php');
global $current_user;
$owner_where = $this->getOwnerWhere($current_user->id);
$group_where = SecurityGroup::getGroupWhere($this->table_name, $this->module_dir, $current_user->id);
if (!empty($owner_where)) {
if (empty($where)) {
$where = " (" . $owner_where . " or " . $group_where . ") ";
} else {
$where .= " AND (" . $owner_where . " or " . $group_where . ") ";
}
} else {
$where .= ' AND ' . $group_where;
}

$accessWhere = $this->buildAccessWhere('list');
if (!empty($accessWhere)) {
$where .= empty($where) ? $accessWhere : ' AND ' . $accessWhere;
}
/* END - SECURITY GROUPS */

if (!empty($params['distinct'])) {
$distinct = ' DISTINCT ';
}
Expand Down Expand Up @@ -4470,35 +4465,7 @@ public function get_detail(
if (isset($_SESSION['show_deleted'])) {
$show_deleted = 1;
}

if ($this->bean_implements('ACL') && ACLController::requireOwner($this->module_dir, 'list')) {
global $current_user;
$owner_where = $this->getOwnerWhere($current_user->id);

if (empty($where)) {
$where = $owner_where;
} else {
$where .= ' AND ' . $owner_where;
}
}

/* BEGIN - SECURITY GROUPS */
if ($this->bean_implements('ACL') && ACLController::requireSecurityGroup($this->module_dir, 'list')) {
require_once('modules/SecurityGroups/SecurityGroup.php');
global $current_user;
$owner_where = $this->getOwnerWhere($current_user->id);
$group_where = SecurityGroup::getGroupWhere($this->table_name, $this->module_dir, $current_user->id);
if (!empty($owner_where)) {
if (empty($where)) {
$where = " (" . $owner_where . " or " . $group_where . ") ";
} else {
$where .= " AND (" . $owner_where . " or " . $group_where . ") ";
}
} else {
$where .= ' AND ' . $group_where;
}
}
/* END - SECURITY GROUPS */

$query = $this->create_new_list_query($order_by, $where, array(), array(), $show_deleted, $offset);

return $this->process_detail_query($query, $row_offset, $limit, $max, $where, $offset);
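Review bot: The Users branch of buildAccessWhere stores `$conditions['group'] = $groupWhere;` unwrapped, whereas the code it replaces in create_new_list_query appended `" (" . $group_where . ") "`; since the conditions are joined with `' AND '` and every caller then appends the result with another `' AND '` to an arbitrary `$where`, any top-level `OR` inside what getGroupUsersWhere (or getGroupWhere in the `else` branch) returns would now bind to the wrong operand and could widen the visible row set rather than restrict it. I cannot see those helpers from here, but the safe form is to make each condition self-contained: `$conditions['group'] = '(' . $groupWhere . ')';` at both assignments (and `'(' . $ownerWhere . ')'` for the owner entry for the same reason). A one-line docblock note such as `* Each returned condition is parenthesised so callers may append it with AND to any existing WHERE` would document the contract the callers now depend on. Separately, `$user = $user === null ? $current_user : $user;` dereferences `$user->id` with no guard, so a call with no authenticated `$current_user` (cron/CLI) would fault rather than return a restrictive filter; the removed get_list block's note that getOwnerWhere can return `''` is still honoured by the `!empty($ownerWhere)` check.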
30 changes: 10 additions & 20 deletions include/DetailView/DetailView.php
Expand Up @@ -65,6 +65,12 @@ public function __construct()



/**
* @param string $html_varName
* @param SugarBean $seed
* @param int $offset
* @return SugarBean
*/
public function processSugarBean($html_varName, $seed, $offset)
{
global $row_count, $sugar_config;
Expand Down Expand Up @@ -152,27 +158,11 @@ public function processSugarBean($html_varName, $seed, $offset)
$db_offset=$offset-1;

$this->populateQueryWhere($isFirstView, $html_varName);
if (ACLController::requireOwner($seed->module_dir, 'view')) {
global $current_user;
$seed->getOwnerWhere($current_user->id);
if (!empty($this->query_where)) {
$this->query_where .= ' AND ';
}
$this->query_where .= $seed->getOwnerWhere($current_user->id);
}
/* BEGIN - SECURITY GROUPS */
if (ACLController::requireSecurityGroup($seed->module_dir, 'view')) {
require_once('modules/SecurityGroups/SecurityGroup.php');
global $current_user;
$owner_where = $seed->getOwnerWhere($current_user->id);
$group_where = SecurityGroup::getGroupWhere($seed->table_name, $seed->module_dir, $current_user->id);
if (empty($this->query_where)) {
$this->query_where = " (".$owner_where." or ".$group_where.")";
} else {
$this->query_where .= " AND (".$owner_where." or ".$group_where.")";
}

$accessWhere = $seed->buildAccessWhere('view');
if (!empty($accessWhere)) {
$this->query_where .= empty($this->query_where) ? $accessWhere : ' AND ' . $accessWhere;
}
/* END - SECURITY GROUPS */

$order = $this->getLocalSessionVariable($seed->module_dir.'2_'.$html_varName, "ORDER_BY");
$orderBy = '';
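Review bot: The replaced DetailView lines applied `ACLController::requireOwner($seed->module_dir, 'view')` and `requireSecurityGroup(...)` unconditionally, but buildAccessWhere gates both behind `$this->bean_implements('ACL')`, so for a seed bean that does not implement ACL the detail-view owner/group filter is now dropped entirely. If ACLController already returns false for non-ACL modules this is a no-op, but that is not visible here and should be confirmed before merging, since this path decides which record a user may page to. I would record the intent at the call site: `// Owner/group filtering only applies to ACL-enabled beans; see SugarBean::buildAccessWhere`. The old code also called getOwnerWhere twice and discarded the first result; the new call fixes that. processSugarBean begins in the earlier hunk and continues past the end of this one.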
29 changes: 4 additions & 25 deletions include/export_utils.php
Expand Up @@ -168,32 +168,11 @@ function export($type, $records = null, $members = false, $sample=false)
ACLController::displayNoAccess();
sugar_die('');
}
if (ACLController::requireOwner($focus->module_dir, 'export')) {
if (!empty($where)) {
$where .= ' AND ';
}
$where .= $focus->getOwnerWhere($current_user->id);
}
/* BEGIN - SECURITY GROUPS */
if (ACLController::requireSecurityGroup($focus->module_dir, 'export')) {
require_once('modules/SecurityGroups/SecurityGroup.php');
global $current_user;
$owner_where = $focus->getOwnerWhere($current_user->id);
$group_where = SecurityGroup::getGroupWhere($focus->table_name, $focus->module_dir, $current_user->id);
if (!empty($owner_where)) {
if (empty($where)) {
$where = " (". $owner_where." or ".$group_where.")";
} else {
$where .= " AND (". $owner_where." or ".$group_where.")";
}
} else {
if (!empty($where)) {
$where .= ' AND ';
}
$where .= $group_where;
}

$accessWhere = $focus->buildAccessWhere('export');
if (!empty($accessWhere)) {
$where .= empty($where) ? $accessWhere : ' AND ' . $accessWhere;
}
/* END - SECURITY GROUPS */
}
// Export entire list was broken because the where clause already has "where" in it
// and when the query is built, it has a "where" as well, so the query was ill-formed.
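Review bot: The `securitysuite_filter_user_list` special case in buildAccessWhere is keyed on `$view === 'list'` only, so the export path (`buildAccessWhere('export')`) never applies it; a non-admin user whose Users list view is restricted to their groups would still export the unrestricted Users table, subject only to the generic owner/group rules. The removed export code had the same gap, so this is pre-existing rather than introduced, but the centralisation is the natural place to close it — either by extending the Users check to `in_array($view, ['list', 'export'], true)` in buildAccessWhere or by documenting here why export is exempt. The new code also gates owner filtering on `bean_implements('ACL')` where the old export lines did not; confirm no exportable module is affected. The enclosing export() function starts and ends outside this hunk.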
24 changes: 5 additions & 19 deletions include/utils.php
Expand Up @@ -3136,26 +3136,12 @@ function get_bean_select_array(
}

$query .= " {$focus->table_name}.deleted=0";

/* BEGIN - SECURITY GROUPS */
global $current_user, $sugar_config;
if ($focus->module_dir == 'Users' && !is_admin($current_user) && isset($sugar_config['securitysuite_filter_user_list']) && $sugar_config['securitysuite_filter_user_list'] == true
) {
require_once 'modules/SecurityGroups/SecurityGroup.php';
$group_where = SecurityGroup::getGroupUsersWhere($current_user->id);
$query .= ' AND (' . $group_where . ') ';
} elseif ($focus->bean_implements('ACL') && ACLController::requireSecurityGroup($focus->module_dir, 'list')) {
require_once 'modules/SecurityGroups/SecurityGroup.php';
$owner_where = $focus->getOwnerWhere($current_user->id);
$group_where = SecurityGroup::getGroupWhere($focus->table_name, $focus->module_dir, $current_user->id);
if (!empty($owner_where)) {
$query .= ' AND (' . $owner_where . ' or ' . $group_where . ') ';
} else {
$query .= ' AND ' . $group_where;
}

$accessWhere = $focus->buildAccessWhere('list');
if (!empty($accessWhere)) {
$query .= ' AND ' . $accessWhere;
}
/* END - SECURITY GROUPS */


if ($order_by != '') {
$query .= " order by {$focus->table_name}.{$order_by}";
}
25 changes: 3 additions & 22 deletions modules/AOR_Reports/AOR_Report.php
Expand Up @@ -1427,29 +1427,10 @@ public function build_report_access_query(SugarBean $module, $alias)
{
$tempTableName = $module->table_name;
$module->table_name = $alias;
$where = '';
if ($module->bean_implements('ACL') && ACLController::requireOwner($module->module_dir, 'list')) {
global $current_user;
$owner_where = $module->getOwnerWhere($current_user->id);
$where = ' AND ' . $owner_where;
$where = $module->buildAccessWhere('list');
if (!empty($where)) {
$where = ' AND ' . $where;
}

if (file_exists('modules/SecurityGroups/SecurityGroup.php')) {
/* BEGIN - SECURITY GROUPS */
if ($module->bean_implements('ACL') && ACLController::requireSecurityGroup($module->module_dir, 'list')) {
require_once('modules/SecurityGroups/SecurityGroup.php');
global $current_user;
$owner_where = $module->getOwnerWhere($current_user->id);
$group_where = SecurityGroup::getGroupWhere($alias, $module->module_dir, $current_user->id);
if (!empty($owner_where)) {
$where .= " AND (" . $owner_where . " or " . $group_where . ") ";
} else {
$where .= ' AND ' . $group_where;
}
}
/* END - SECURITY GROUPS */
}

$module->table_name = $tempTableName;

return $where;
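Review bot: The removed `file_exists('modules/SecurityGroups/SecurityGroup.php')` guard is not reproduced anywhere: buildAccessWhere does `require_once BeanFactory::getBeanFile('SecurityGroups')` unconditionally, so if that lookup can return a non-path (module absent or unregistered) the report query would now fatal instead of degrading to the owner-only filter. If SecurityGroups is always present in this codebase the guard was dead and can go, but that should be stated in the commit or as a comment, e.g. `// SecurityGroups is a core module; buildAccessWhere requires it unconditionally`. The alias swap `$module->table_name = $alias;` is still restored only on the success path; if buildAccessWhere throws, the bean keeps the alias as its table name for the rest of the request, so a `try { … } finally { $module->table_name = $tempTableName; }` would be safer. The `' AND ' . $where` prefix preserves the previous calling convention.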
15 changes: 6 additions & 9 deletions modules/Campaigns/utils.php
Expand Up @@ -413,16 +413,13 @@ function get_subscription_lists_query($focus, $additional_fields = null)
$all_news_type_pl_query .= "and c.campaign_type = 'NewsLetter' and pl.deleted = 0 and c.deleted=0 and plc.deleted=0 ";
$all_news_type_pl_query .= "and (pl.list_type like 'exempt%' or pl.list_type ='default') ";

/* BEGIN - SECURITY GROUPS */
if ($focus->bean_implements('ACL') && ACLController::requireSecurityGroup('Campaigns', 'list')) {
require_once('modules/SecurityGroups/SecurityGroup.php');
global $current_user;
$owner_where = $focus->getOwnerWhere($current_user->id);
$group_where = SecurityGroup::getGroupWhere('c', 'Campaigns', $current_user->id);
$all_news_type_pl_query .= " AND ( c.assigned_user_id ='".$current_user->id."' or ".$group_where.") ";
$campaign = BeanFactory::newBean('Campaigns');
$campaign->table_name = 'c';
$accessWhere = $campaign->buildAccessWhere('list');
if (!empty($accessWhere)) {
$all_news_type_pl_query .= ' AND ' . $accessWhere;
}
/* END - SECURITY GROUPS */


$all_news_type_list =$focus->db->query($all_news_type_pl_query);

//build array of all newsletter campaigns
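Review bot: This call site changes scope, not just structure: the old code filtered only when `requireSecurityGroup('Campaigns', 'list')` held and was additionally gated on `$focus->bean_implements('ACL')` (the target bean), while `$campaign->buildAccessWhere('list')` now also applies `requireOwner('Campaigns', 'list')` and gates on the Campaigns bean instead. Newsletter lists for campaigns assigned to other users can therefore disappear for owner-restricted roles where they did not before; that is arguably the correct enforcement, but it is a behaviour change worth calling out in the commit message. The rewrite also replaces the literal `c.assigned_user_id ='…'` with whatever getOwnerWhere produces for `table_name = 'c'`; confirm that helper builds its column from `$this->table_name` rather than a module-derived table, otherwise the alias will not match the `c` join. A short comment such as `// Use a throwaway Campaigns bean aliased to 'c' so the access filter targets the joined campaign row` would make the intent of the temporary bean clear.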
