Regular users can remove only their own tasks
@@ -31,6 +31,7 @@ use Model\LastLogin;
|
|||||||
* @property \Model\Task $task
|
* @property \Model\Task $task
|
||||||
* @property \Model\TaskHistory $taskHistory
|
* @property \Model\TaskHistory $taskHistory
|
||||||
* @property \Model\TaskExport $taskExport
|
* @property \Model\TaskExport $taskExport
|
||||||
|
* @property \Model\TaskPermission $taskPermission
|
||||||
* @property \Model\TaskValidator $taskValidator
|
* @property \Model\TaskValidator $taskValidator
|
||||||
* @property \Model\CommentHistory $commentHistory
|
* @property \Model\CommentHistory $commentHistory
|
||||||
* @property \Model\SubtaskHistory $subtaskHistory
|
* @property \Model\SubtaskHistory $subtaskHistory
|
||||||
@@ -242,6 +243,10 @@ abstract class Base
|
|||||||
*/
|
*/
|
||||||
protected function taskLayout($template, array $params)
|
protected function taskLayout($template, array $params)
|
||||||
{
|
{
|
||||||
|
if (isset($params['task']) && $this->taskPermission->canRemoveTask($params['task']) === false) {
|
||||||
|
$params['hide_remove_menu'] = true;
|
||||||
|
}
|
||||||
|
|
||||||
$content = $this->template->load($template, $params);
|
$content = $this->template->load($template, $params);
|
||||||
$params['task_content_for_layout'] = $content;
|
$params['task_content_for_layout'] = $content;
|
||||||
|
|
||||||
|
|||||||
@@ -289,6 +289,10 @@ class Task extends Base
|
|||||||
{
|
{
|
||||||
$task = $this->getTask();
|
$task = $this->getTask();
|
||||||
|
|
||||||
|
if (! $this->taskPermission->canRemoveTask($task)) {
|
||||||
|
$this->forbidden();
|
||||||
|
}
|
||||||
|
|
||||||
if ($this->request->getStringParam('confirmation') === 'yes') {
|
if ($this->request->getStringParam('confirmation') === 'yes') {
|
||||||
|
|
||||||
$this->checkCSRFParam();
|
$this->checkCSRFParam();
|
||||||
|
|||||||
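Review bot: The new guard `if (! $this->taskPermission->canRemoveTask($task)) { $this->forbidden(); }` only fails closed if `forbidden()` terminates the request; should that helper merely render a response and return, execution falls through into the `confirmation === 'yes'` branch and the removal proceeds for a non-owner. Unless `forbidden()` is known to exit, add an explicit `return;` after the call (or document the helper as never returning) so the action cannot continue past a denied check. The enclosing action method starts outside the hunk and the deletion code that follows `checkCSRFParam()` is also outside it, so I cannot confirm from here which it is.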
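--- a/app/Model/TaskPermission.php
+++ b/app/Model/TaskPermission.php
@@ -0,0 +1,32 @@
+<?php
+
+namespace Model;
+
+/**
+* Task permission model
+*
+* @package model
+* @author Frederic Guillot
+*/
+class TaskPermission extends Base
+{
+/**
+* Return true if the user can remove a task
+*
+* Regular users can't remove tasks from other people
+*
+* @public
+* @return boolean
+*/
+public function canRemoveTask(array $task)
+{
+if ($this->acl->isAdminUser()) {
+return true;
+}
+else if (isset($task['creator_id']) && $task['creator_id'] == $this->acl->getUserId()) {
+return true;
+}
+
+return false;
+}
+}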
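Review bot: The ownership test in `canRemoveTask()` uses loose comparison, `$task['creator_id'] == $this->acl->getUserId()`, so a task whose `creator_id` is 0 or an empty string (the commit's own test creates Task #4 without a creator) would match if `getUserId()` yields null or 0 for a session with no user, which is presumably what it returns when nobody is logged in. Compare strictly and treat an unset creator as owned by nobody: `$userId = (int) $this->acl->getUserId();` then `return $userId > 0 && isset($task['creator_id']) && (int) $task['creator_id'] === $userId;`. The `else if` following a `return` can be a plain `if`, `@public` is not a PHPDoc tag, `@return boolean` should read `@return bool`, and a `@param array $task` line noting that only the `creator_id` key is read would document the expected shape.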
@@ -7,7 +7,7 @@
|
|||||||
</div>
|
</div>
|
||||||
<section class="task-show" id="task-section">
|
<section class="task-show" id="task-section">
|
||||||
|
|
||||||
<?= Helper\template('task_sidebar', array('task' => $task)) ?>
|
<?= Helper\template('task_sidebar', array('task' => $task, 'hide_remove_menu' => isset($hide_remove_menu))) ?>
|
||||||
|
|
||||||
<div class="task-show-main">
|
<div class="task-show-main">
|
||||||
<?= $task_content_for_layout ?>
|
<?= $task_content_for_layout ?>
|
||||||
|
|||||||
@@ -18,7 +18,9 @@
|
|||||||
<a href="?controller=task&action=open&task_id=<?= $task['id'] ?>"><?= t('Open this task') ?></a>
|
<a href="?controller=task&action=open&task_id=<?= $task['id'] ?>"><?= t('Open this task') ?></a>
|
||||||
<?php endif ?>
|
<?php endif ?>
|
||||||
</li>
|
</li>
|
||||||
<li><a href="?controller=task&action=remove&task_id=<?= $task['id'] ?>"><?= t('Remove') ?></a></li>
|
<?php if (! $hide_remove_menu): ?>
|
||||||
|
<li><a href="?controller=task&action=remove&task_id=<?= $task['id'] ?>"><?= t('Remove') ?></a></li>
|
||||||
|
<?php endif ?>
|
||||||
</ul>
|
</ul>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
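Review bot: The new `<?php if (! $hide_remove_menu): ?>` reads the variable unconditionally, so any caller of this sidebar other than the layout changed in this commit (which passes `'hide_remove_menu' => isset($hide_remove_menu)`) would trigger an undefined-variable notice. `<?php if (empty($hide_remove_menu)): ?>` keeps the same behaviour for the existing caller without the notice. Since this only hides the link, the controller-side `canRemoveTask()` check remains the actual control; a short comment saying so here would stop a later maintainer from treating the template flag as enforcement.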
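--- a/tests/units/TaskPermissionTest.php
+++ b/tests/units/TaskPermissionTest.php
@@ -0,0 +1,100 @@
+<?php
+
+require_once __DIR__.'/Base.php';
+
+use Model\Task;
+use Model\TaskPermission;
+use Model\Project;
+use Model\Category;
+use Model\User;
+
+class TaskPermissionTest extends Base
+{
+public function testPrepareCreation()
+{
+$t = new Task($this->registry);
+$tp = new TaskPermission($this->registry);
+$p = new Project($this->registry);
+$u = new User($this->registry);
+
+$this->assertTrue($u->create(array('username' => 'toto', 'password' => '123456')));
+$this->assertTrue($u->create(array('username' => 'toto2', 'password' => '123456')));
+$this->assertEquals(1, $p->create(array('name' => 'Project #1')));
+$this->assertEquals(1, $t->create(array('title' => 'Task #1', 'project_id' => 1, 'creator_id' => 1)));
+$this->assertEquals(2, $t->create(array('title' => 'Task #2', 'project_id' => 1, 'creator_id' => 2)));
+$this->assertEquals(3, $t->create(array('title' => 'Task #3', 'project_id' => 1, 'creator_id' => 3)));
+$this->assertEquals(4, $t->create(array('title' => 'Task #4', 'project_id' => 1)));
+
+// User #1 can remove everything
+$user = $u->getbyId(1);
+$this->assertNotEmpty($user);
+$u->updateSession($user);
+
+$task = $t->getbyId(1);
+$this->assertNotEmpty($task);
+$this->assertTrue($tp->canRemoveTask($task));
+
+// User #2 can't remove the task #1
+$user = $u->getbyId(2);
+$this->assertNotEmpty($user);
+$u->updateSession($user);
+
+$task = $t->getbyId(1);
+$this->assertNotEmpty($task);
+$this->assertFalse($tp->canRemoveTask($task));
+
+// User #1 can remove everything
+$user = $u->getbyId(1);
+$this->assertNotEmpty($user);
+$u->updateSession($user);
+
+$task = $t->getbyId(2);
+$this->assertNotEmpty($task);
+$this->assertTrue($tp->canRemoveTask($task));
+
+// User #2 can remove his own task
+$user = $u->getbyId(2);
+$this->assertNotEmpty($user);
+$u->updateSession($user);
+
+$task = $t->getbyId(2);
+$this->assertNotEmpty($task);
+$this->assertTrue($tp->canRemoveTask($task));
+
+// User #1 can remove everything
+$user = $u->getbyId(1);
+$this->assertNotEmpty($user);
+$u->updateSession($user);
+
+$task = $t->getbyId(3);
+$this->assertNotEmpty($task);
+$this->assertTrue($tp->canRemoveTask($task));
+
+// User #2 can't remove the task #3
+$user = $u->getbyId(2);
+$this->assertNotEmpty($user);
+$u->updateSession($user);
+
+$task = $t->getbyId(3);
+$this->assertNotEmpty($task);
+$this->assertFalse($tp->canRemoveTask($task));
+
+// User #1 can remove everything
+$user = $u->getbyId(1);
+$this->assertNotEmpty($user);
+$u->updateSession($user);
+
+$task = $t->getbyId(4);
+$this->assertNotEmpty($task);
+$this->assertTrue($tp->canRemoveTask($task));
+
+// User #2 can't remove the task #4
+$user = $u->getbyId(2);
+$this->assertNotEmpty($user);
+$u->updateSession($user);
+
+$task = $t->getbyId(4);
+$this->assertNotEmpty($task);
+$this->assertFalse($tp->canRemoveTask($task));
+}
+}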
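Review bot: The method is named `testPrepareCreation` but exercises `canRemoveTask()`; `testCanRemoveTask` would describe the behaviour under test. The scenarios cover an admin (user #1), an owner and a non-owner (user #2), but not the boundary the model's loose `==` makes interesting: Task #4 has no `creator_id`, and no case evaluates it with no user in session, which is exactly where a 0/null creator could compare equal to a missing user id. Adding a case that resets the session and asserts `$this->assertFalse($tp->canRemoveTask($t->getbyId(4)));` would pin that. Task #3 is created with `creator_id => 3` although only two users exist; if that is meant as a "foreign creator" case, a comment saying so would help the next reader.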