Author: david
Date: Wed Sep 30 17:35:23 2009
New Revision: 3624
Log:
Switch to explicit ACL checks for authorization to perform actions on info
objects.
Modified:
trunk/apps/qubit/modules/informationobject/actions/deleteAction.class.php
trunk/apps/qubit/modules/informationobject/actions/editAction.class.php
trunk/apps/qubit/modules/informationobject/actions/listAction.class.php
trunk/apps/qubit/modules/informationobject/actions/showAction.class.php
trunk/apps/qubit/modules/informationobject/config/security.yml
trunk/plugins/qbAclPlugin/lib/QubitAcl.class.php
Modified:
trunk/apps/qubit/modules/informationobject/actions/deleteAction.class.php
==============================================================================
--- trunk/apps/qubit/modules/informationobject/actions/deleteAction.class.php
Wed Sep 30 16:52:27 2009 (r3623)
+++ trunk/apps/qubit/modules/informationobject/actions/deleteAction.class.php
Wed Sep 30 17:35:23 2009 (r3624)
@@ -31,6 +31,12 @@
$this->forward404();
}
+ // Check user authorization
+ if (!QubitAcl::check(QubitInformationObject::getRoot(),
QubitAclAction::DELETE_ID))
+ {
+ QubitAcl::forwardUnauthorized();
+ }
+
$request->setAttribute('informationObject', $this->informationObject);
if ($request->isMethod('delete'))
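Review bot: The DELETE check is evaluated against `QubitInformationObject::getRoot()` rather than the object being deleted, whereas the UPDATE and READ checks in editAction and showAction pass `$this->informationObject`. If QubitAcl supports per-object or per-subtree rules (its resource argument suggests so, but the class is not shown here), a deny placed on this record would not be consulted and delete rights on the root would decide every deletion. Consider `if (!QubitAcl::check($this->informationObject, QubitAclAction::DELETE_ID))`. The CREATE branch in editAction has the same shape; there the record does not exist yet, so the intended parent would be a closer resource to check than the root. The enclosing method starts and ends outside the hunk.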
Modified:
trunk/apps/qubit/modules/informationobject/actions/editAction.class.php
==============================================================================
--- trunk/apps/qubit/modules/informationobject/actions/editAction.class.php
Wed Sep 30 16:52:27 2009 (r3623)
+++ trunk/apps/qubit/modules/informationobject/actions/editAction.class.php
Wed Sep 30 17:35:23 2009 (r3624)
@@ -238,6 +238,12 @@
$this->forward404();
}
+ // Check user authorization
+ if (!QubitAcl::check($this->informationObject,
QubitAclAction::UPDATE_ID))
+ {
+ QubitAcl::forwardUnauthorized();
+ }
+
// Add optimistic lock
$this->form->setDefault('serialNumber',
$this->informationObject->serialNumber);
$this->form->setValidator('serialNumber', new sfValidatorInteger);
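Review bot: With this commit the ACL call added here becomes the only gate for editing, because the security.yml hunk removes the `edit`, `editDc`, `editIsad`, `editMods` and `editRad` credential entries. Whether the four template-specific actions run through this code path is not visible in the hunk; any of them that has its own execute path skipping it would be left with only the application default. It is worth confirming each one reaches this check and recording the dependency with a comment such as `// Sole authorization gate for the edit* actions; security.yml no longer lists them`. The enclosing method extends beyond the hunk.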
@@ -245,6 +251,12 @@
}
else
{
+ // Check user authorization
+ if (!QubitAcl::check(QubitInformationObject::getRoot(),
QubitAclAction::CREATE_ID))
+ {
+ QubitAcl::forwardUnauthorized();
+ }
+
$this->form->setValidator('parent', new sfValidatorString);
$this->form->setWidget('parent', new sfWidgetFormInputHidden);
Modified:
trunk/apps/qubit/modules/informationobject/actions/listAction.class.php
==============================================================================
--- trunk/apps/qubit/modules/informationobject/actions/listAction.class.php
Wed Sep 30 16:52:27 2009 (r3623)
+++ trunk/apps/qubit/modules/informationobject/actions/listAction.class.php
Wed Sep 30 17:35:23 2009 (r3624)
@@ -87,16 +87,7 @@
// If all repositories are denied, re-route user
if (array('*') == $deniedRepositories)
{
- if ($this->context->getUser()->isAuthenticated())
- {
- // Access denied
- QubitAcl::forwardToSecureAction();
- }
- else
- {
- // Login page
- QubitAcl::forwardToLoginAction();
- }
+ QubitAcl::forwardUnauthorized();
}
$subquery = new Zend_Search_Lucene_Search_Query_MultiTerm();
Modified:
trunk/apps/qubit/modules/informationobject/actions/showAction.class.php
==============================================================================
--- trunk/apps/qubit/modules/informationobject/actions/showAction.class.php
Wed Sep 30 16:52:27 2009 (r3623)
+++ trunk/apps/qubit/modules/informationobject/actions/showAction.class.php
Wed Sep 30 17:35:23 2009 (r3624)
@@ -39,6 +39,12 @@
$this->forward404();
}
+ // Check user authorization
+ if (!QubitAcl::check($this->informationObject, QubitAclAction::READ_ID))
+ {
+ QubitAcl::forwardUnauthorized();
+ }
+
// HACK: populate information object from ORM
$request->setAttribute('informationObject', $this->informationObject);
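Review bot: Because the `forward404()` for a missing object runs before the READ check, a caller without read permission gets a different response for a restricted record than for a nonexistent one, which reveals that the record exists. If record existence is meant to be hidden from unauthorized users, consider answering denied reads with the same 404; otherwise a short comment noting the distinction is intentional would help, e.g. `// Denied reads are distinguishable from missing objects by design`. The same ordering appears in the deleteAction and editAction hunks. The surrounding method is only partly visible.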
Modified: trunk/apps/qubit/modules/informationobject/config/security.yml
==============================================================================
--- trunk/apps/qubit/modules/informationobject/config/security.yml Wed Sep
30 16:52:27 2009 (r3623)
+++ trunk/apps/qubit/modules/informationobject/config/security.yml Wed Sep
30 17:35:23 2009 (r3624)
@@ -1,6 +1,3 @@
-delete:
- is_secure: on
- credentials: [[ contributor, editor, administrator ]]
deleteActorRelation:
is_secure: on
credentials: [[ contributor, editor, administrator ]]
@@ -14,25 +11,6 @@
is_secure: on
credentials: [[ contributor, editor, administrator ]]
-edit:
- is_secure: on
- credentials: [[ contributor, editor, administrator, translator ]]
-editDc:
- is_secure: on
- credentials: [[ contributor, editor, administrator, translator ]]
-editIsad:
- is_secure: on
- credentials: [[ contributor, editor, administrator, translator ]]
-editMods:
- is_secure: on
- credentials: [[ contributor, editor, administrator, translator ]]
-editRad:
- is_secure: on
- credentials: [[ contributor, editor, administrator, translator ]]
-
-list:
- is_secure: off
-
move:
is_secure: on
credentials: [[ contributor, editor, administrator ]]
Modified: trunk/plugins/qbAclPlugin/lib/QubitAcl.class.php
==============================================================================
--- trunk/plugins/qbAclPlugin/lib/QubitAcl.class.php Wed Sep 30 16:52:27
2009 (r3623)
+++ trunk/plugins/qbAclPlugin/lib/QubitAcl.class.php Wed Sep 30 17:35:23
2009 (r3624)
@@ -348,6 +348,17 @@
return $deniedRepositories;
}
+ public static function forwardUnauthorized()
+ {
+ if (!sfContext::getInstance()->getUser()->isAuthenticated())
+ {
+ self::forwardToLoginAction();
+ }
+ else
+ {
+ self::forwardToSecureAction();
+ }
+ }
/**
* Forwards the current request to the secure action.
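Review bot: Every call site added in this commit falls through to the protected code if `forwardUnauthorized()` returns, since none of them `return` after calling it; the method therefore has to guarantee it never returns. That depends on `forwardToLoginAction()` and `forwardToSecureAction()` halting the request, which is not visible in this hunk. A fail-closed backstop as the last statement of the method, `throw new sfStopException;`, would make the guarantee local rather than inherited. The method also lacks the docblock its neighbour has; something like `/** Forwards to the login action if anonymous, otherwise to the secure action; never returns. */` would match.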