From 44d71206e0fe60ad2c43dcc81254313687a24b54 Mon Sep 17 00:00:00 2001
From: Esteban Gallego
Date: Thu, 8 Feb 2024 16:52:11 -0500
Subject: [PATCH 1/5] Hide unauthorized icons from sidebar

---
 ProcessMaker/Http/Middleware/GenerateMenus.php | 10 ++++++++--
 ProcessMaker/Models/Permission.php | 3 +++
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/ProcessMaker/Http/Middleware/GenerateMenus.php b/ProcessMaker/Http/Middleware/GenerateMenus.php
index cebb3afd04..b96720dd13 100644
--- a/ProcessMaker/Http/Middleware/GenerateMenus.php
+++ b/ProcessMaker/Http/Middleware/GenerateMenus.php
@@ -5,6 +5,7 @@
 use Closure;
 use Illuminate\Http\Request;
 use Lavary\Menu\Facade as Menu;
+use ProcessMaker\Models\Permission;
 use ProcessMaker\Models\Setting;
 
 class GenerateMenus
@@ -296,10 +297,15 @@ private function userHasPermission($permission)
         // Fetch the user's permissions and check if the user has the specific permission
         $userPermissions = $user->permissions->pluck('group')->unique()->toArray();
 
-        if ($user->can($permission) && count($userPermissions) === 1 && $userPermissions[0] === 'Projects') {
+        $defaultPermissions = Permission::DEFAULT_PERMISSIONS;
+
+        // Check if $userPermissions and $defaultPermissions have the same values
+        $userWithDefaultPermissions = empty(array_diff($userPermissions, $defaultPermissions));
+
+        if ($user->can($permission) && count($userPermissions) === 2 && $userWithDefaultPermissions) {
             return false; // Deny UI access if the user has only the 'Projects' permission
         }
 
-        return $user->can($permission);
+        return $user->can($permission) && $user->hasPermission($permission);
     }
 }
diff --git a/ProcessMaker/Models/Permission.php b/ProcessMaker/Models/Permission.php
index 04a58ab5a4..ec00c3da97 100644
--- a/ProcessMaker/Models/Permission.php
+++ b/ProcessMaker/Models/Permission.php
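Review bot: The inline comment on the `return false;` line still says the user has only the 'Projects' permission, but the new condition tests for both groups in `Permission::DEFAULT_PERMISSIONS`, and the literal `count($userPermissions) === 2` will silently stop matching if that constant ever gains a third entry. Suggest `if ($user->can($permission) && count($userPermissions) === count($defaultPermissions) && $userWithDefaultPermissions) {` and `return false; // Deny UI access if the user holds only the default permission groups`. The body of `userHasPermission` starts outside the hunk, so the guest and administrator guards that precede this check are not visible here.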
@@ -4,6 +4,7 @@
 
 use Illuminate\Database\Eloquent\ModelNotFoundException;
 use Illuminate\Support\Facades\DB;
+use Twilio\Rest\Autopilot\V1\Assistant\DefaultsList;
 
 class Permission extends ProcessMakerModel
 {
@@ -15,6 +16,8 @@ class Permission extends ProcessMakerModel
         'group',
     ];
 
+    const DEFAULT_PERMISSIONS = ['Projects', 'Process Catalog'];
+
     public function getResourceTitleAttribute()
     {
         $match = preg_match('/(.+)-(.+)/', $this->name, $matches);

From 09668ce4596f46ffc5e3adbb486176f2b39a9219 Mon Sep 17 00:00:00 2001
From: Esteban Gallego
Date: Thu, 8 Feb 2024 18:28:31 -0500
Subject: [PATCH 2/5] Make userHasPermission accesible for other packages

---
 ProcessMaker/Http/Middleware/GenerateMenus.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ProcessMaker/Http/Middleware/GenerateMenus.php b/ProcessMaker/Http/Middleware/GenerateMenus.php
index b96720dd13..0cc5219241 100644
--- a/ProcessMaker/Http/Middleware/GenerateMenus.php
+++ b/ProcessMaker/Http/Middleware/GenerateMenus.php
@@ -283,7 +283,7 @@ public function handle(Request $request, Closure $next)
         return $next($request);
     }
 
-    private function userHasPermission($permission)
+    public static function userHasPermission($permission)
     {
         $user = \Auth::user();
 
@@ -297,9 +297,9 @@ private function userHasPermission($permission)
         // Fetch the user's permissions and check if the user has the specific permission
         $userPermissions = $user->permissions->pluck('group')->unique()->toArray();
 
-        $defaultPermissions = Permission::DEFAULT_PERMISSIONS;
 
         // Check if $userPermissions and $defaultPermissions have the same values
+        $defaultPermissions = Permission::DEFAULT_PERMISSIONS;
         $userWithDefaultPermissions = empty(array_diff($userPermissions, $defaultPermissions));
 
         if ($user->can($permission) && count($userPermissions) === 2 && $userWithDefaultPermissions) {

From 44697cce0e153b3ac689ffc497f79d017da30253 Mon Sep 17 00:00:00 2001
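Review bot: `const DEFAULT_PERMISSIONS` is declared without a visibility modifier and without a comment saying what its strings are, even though GenerateMenus compares them against `permissions->pluck('group')`, i.e. permission group names rather than permission names. Suggest `public const DEFAULT_PERMISSIONS = ['Projects', 'Process Catalog'];` with a docblock such as `/** Permission group names that make up the baseline set; compared against a user's permission groups in GenerateMenus::userHasPermission(). */`. The preceding hunk of this patch also adds `use Twilio\Rest\Autopilot\V1\Assistant\DefaultsList;`, which nothing in this file references and which looks like an accidental editor auto-import.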
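Review bot: `userHasPermission` is opened up as `public static` for other packages, but it still resolves its subject via `\Auth::user()` inside the body, so a caller cannot say which user it is checking and the result silently depends on the current request's guard; the parameter and return type also remain undeclared. If this is now a cross-package API, consider `public static function userHasPermission(string $permission): bool` and a docblock stating that the check is evaluated against the currently authenticated user and yields `false` for a guest (presumably `$permission` is a permission name string — confirm against `hasPermission`).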
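Review bot: Moving `$defaultPermissions = Permission::DEFAULT_PERMISSIONS;` below the comment keeps the blank line that used to follow it, so the result has two consecutive blank lines between `$userPermissions = ...` and `// Check if ...`. Remove the now-redundant blank line in the same move so the hunk leaves the method tidy.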
From: Esteban Gallego
Date: Thu, 8 Feb 2024 18:51:58 -0500
Subject: [PATCH 3/5] Remove unnecessary class

---
 ProcessMaker/Models/Permission.php | 1 -
 1 file changed, 1 deletion(-)

diff --git a/ProcessMaker/Models/Permission.php b/ProcessMaker/Models/Permission.php
index ec00c3da97..64377474d7 100644
--- a/ProcessMaker/Models/Permission.php
+++ b/ProcessMaker/Models/Permission.php
@@ -4,7 +4,6 @@
 
 use Illuminate\Database\Eloquent\ModelNotFoundException;
 use Illuminate\Support\Facades\DB;
-use Twilio\Rest\Autopilot\V1\Assistant\DefaultsList;
 
 class Permission extends ProcessMakerModel
 {

From f2fd1fb5ea33d9d6589ded0019bc3ca7194c2844 Mon Sep 17 00:00:00 2001
From: Esteban Gallego
Date: Thu, 8 Feb 2024 19:06:53 -0500
Subject: [PATCH 4/5] SonarQube fix

---
 ProcessMaker/Http/Middleware/GenerateMenus.php | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/ProcessMaker/Http/Middleware/GenerateMenus.php b/ProcessMaker/Http/Middleware/GenerateMenus.php
index 0cc5219241..0282084bfc 100644
--- a/ProcessMaker/Http/Middleware/GenerateMenus.php
+++ b/ProcessMaker/Http/Middleware/GenerateMenus.php
@@ -287,10 +287,6 @@ public static function userHasPermission($permission)
     {
         $user = \Auth::user();
 
-        if (!$user) {
-            return false;
-        }
-
         if ($user->is_administrator) {
             return true;
         }
@@ -302,7 +298,7 @@ public static function userHasPermission($permission)
         $defaultPermissions = Permission::DEFAULT_PERMISSIONS;
         $userWithDefaultPermissions = empty(array_diff($userPermissions, $defaultPermissions));
 
-        if ($user->can($permission) && count($userPermissions) === 2 && $userWithDefaultPermissions) {
+        if (!$user || $user->can($permission) && count($userPermissions) === 2 && $userWithDefaultPermissions) {
             return false; // Deny UI access if the user has only the 'Projects' permission
         }
 

From bc783ebb96e4fd07d5faef1b345a38af5cd0e6f7 Mon Sep 17 00:00:00 2001
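Review bot: The `!$user ||` added to this condition is unreachable for a guest, because the first hunk of this patch removed the early `if (!$user) { return false; }` while `$user->is_administrator` (and `$user->permissions` above this hunk) are still dereferenced before the condition is evaluated — an unauthenticated request now raises an `Error` on the null property access instead of getting `false`. Mixing `||` with an unparenthesised `&&` chain on one line is also precisely the kind of construct a static analyser flags, so this is unlikely to be the fix the tool asked for. Keep the early return `if (!$user) { return false; }` directly after `$user = \Auth::user();` and leave this condition unchanged; the next patch in the series reorders the guard but alters the outcome as well.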
From: Esteban Gallego
Date: Fri, 9 Feb 2024 10:29:12 -0500
Subject: [PATCH 5/5] Refactor userHasPermission

---
 ProcessMaker/Http/Middleware/GenerateMenus.php | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)

diff --git a/ProcessMaker/Http/Middleware/GenerateMenus.php b/ProcessMaker/Http/Middleware/GenerateMenus.php
index 0282084bfc..d98f4affe8 100644
--- a/ProcessMaker/Http/Middleware/GenerateMenus.php
+++ b/ProcessMaker/Http/Middleware/GenerateMenus.php
@@ -287,21 +287,14 @@ public static function userHasPermission($permission)
     {
         $user = \Auth::user();
 
-        if ($user->is_administrator) {
-            return true;
+        if (!$user || !$user->is_administrator) {
+            return $user && $user->can($permission) && $user->hasPermission($permission);
         }
-        // Fetch the user's permissions and check if the user has the specific permission
         $userPermissions = $user->permissions->pluck('group')->unique()->toArray();
 
-
-        // Check if $userPermissions and $defaultPermissions have the same values
         $defaultPermissions = Permission::DEFAULT_PERMISSIONS;
         $userWithDefaultPermissions = empty(array_diff($userPermissions, $defaultPermissions));
 
-        if (!$user || $user->can($permission) && count($userPermissions) === 2 && $userWithDefaultPermissions) {
-            return false; // Deny UI access if the user has only the 'Projects' permission
-        }
-
-        return $user->can($permission) && $user->hasPermission($permission);
+        return !($user->can($permission) && count($userPermissions) === 2 && $userWithDefaultPermissions);
     }
 }
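Review bot: The rewritten branches change the outcome of the check, not only its shape: a non-administrator now takes the early return and gets `can && hasPermission` with no "only default permission groups" test, so the sidebar hiding introduced in PATCH 1/5 no longer applies to ordinary users, while an administrator — who previously always received `true` — is now denied whenever `$user->can($permission)` holds and their groups are exactly `Permission::DEFAULT_PERMISSIONS`. If the intent is a behaviour-preserving refactor, keep the guest and administrator guards as early returns and apply the default-groups check to non-administrators only, as below; comparing against `count($defaultPermissions)` rather than the literal `2` also keeps the check in step with the constant. The removed `// Deny UI access ...` comment was the only explanation of why a user with the baseline groups is hidden, so a one-line comment should survive the refactor.
```php
    public static function userHasPermission($permission)
    {
        $user = \Auth::user();

        if (!$user) {
            return false;
        }

        if ($user->is_administrator) {
            return true;
        }

        $userPermissions = $user->permissions->pluck('group')->unique()->toArray();
        $defaultPermissions = Permission::DEFAULT_PERMISSIONS;

        // A user whose permission groups are exactly the default set gets no sidebar entry for this permission
        $onlyDefaultPermissions = count($userPermissions) === count($defaultPermissions)
            && empty(array_diff($userPermissions, $defaultPermissions));

        if ($onlyDefaultPermissions) {
            return false;
        }

        return $user->can($permission) && $user->hasPermission($permission);
    }
```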