Posted to commits@vcl.apache.org by jf...@apache.org on 2011/10/05 18:26:01 UTC
svn commit: r1179303 - in /incubator/vcl/trunk/web/.ht-inc: groups.php
privileges.php
Author: jfthomps
Date: Wed Oct 5 16:26:00 2011
New Revision: 1179303
URL: http://svn.apache.org/viewvc?rev=1179303&view=rev
Log:
VCL-467
Members of a group from one affiliation have access to groups with the same name from other affiliations
applied changes submitted by Aaron Coburn
groups.php: modified viewGroups - check for user being editor of user group using editgroupid instead of editgroup (name)
privileges.php:
-modified jsonGetUserGroupMembers - use editgroupid instead of editgroup to determine if user has access to view user group membership
-modified checkUserHasPriv - changed user groups foreach to check on groupid in addition to name
Modified:
incubator/vcl/trunk/web/.ht-inc/groups.php
incubator/vcl/trunk/web/.ht-inc/privileges.php
Modified: incubator/vcl/trunk/web/.ht-inc/groups.php
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/groups.php?rev=1179303&r1=1179302&r2=1179303&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/groups.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/groups.php Wed Oct 5 16:26:00 2011
@@ -140,8 +140,8 @@ function viewGroups() {
$editor = 0;
if($usergroups[$id]["ownerid"] == $user["id"])
$owner = 1;
- if(array_key_exists("editgroup", $usergroups[$id]) &&
- in_array($usergroups[$id]["editgroup"], $user["groups"]))
+ if(array_key_exists("editgroupid", $usergroups[$id]) &&
+ array_key_exists($usergroups[$id]["editgroupid"], $user["groups"]))
$editor = 1;
if(! $owner && ! $editor)
continue;
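Review bot: The new editor test can run with a NULL id, because `array_key_exists("editgroupid", $usergroups[$id])` is true whenever the key is present, even if its value is NULL, and `array_key_exists(NULL, $user["groups"])` is then evaluated as a lookup of the empty-string key. That fails closed as long as `$user["groups"]` never carries such a key, but requiring a real id first states the intent, e.g. `if(! empty($usergroups[$id]["editgroupid"]) &&`. Whether a group without an edit group reaches this point with NULL is not visible here, so treat this as hardening; the unguarded lookup on `$grpdata["editgroupid"]` in jsonGetUserGroupMembers has the same shape. The body of viewGroups continues outside the hunk.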
Modified: incubator/vcl/trunk/web/.ht-inc/privileges.php
URL: http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/privileges.php?rev=1179303&r1=1179302&r2=1179303&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/privileges.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/privileges.php Wed Oct 5 16:26:00 2011
@@ -1713,7 +1713,8 @@ function jsonGetUserGroupMembers() {
$usergrpid = processInputVar('groupid', ARG_NUMERIC);
$domid = processInputVar('domid', ARG_STRING);
$query = "SELECT g.ownerid, "
- . "g2.name AS editgroup "
+ . "g2.name AS editgroup, "
+ . "g2.editusergroupid AS editgroupid "
. "FROM usergroup g "
. "LEFT JOIN usergroup g2 ON (g.editusergroupid = g2.id) "
. "WHERE g.id = $usergrpid";
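Review bot: `g2.editusergroupid AS editgroupid` looks like the wrong column: `g2` is joined as the edit group itself (`g.editusergroupid = g2.id`), so `g2.editusergroupid` is that edit group's own editor group, not the id of the group allowed to edit `g`. The authorization check in the next hunk, `array_key_exists($grpdata["editgroupid"], $user["groups"])`, would then admit members of the edit group's editor group and refuse members of the actual edit group whenever the two differ. Selecting `. "g.editusergroupid AS editgroupid "` (or `g2.id`) gives the value the alias names. The rest of jsonGetUserGroupMembers is outside the hunk, so confirm that no other reader of `editgroupid` depends on the current value.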
@@ -1725,7 +1726,7 @@ function jsonGetUserGroupMembers() {
sendJSON($arr);
return;
}
- if($grpdata["ownerid"] != $user["id"] && ! (in_array($grpdata["editgroup"], $user["groups"]))) {
+ if($grpdata["ownerid"] != $user["id"] && ! (array_key_exists($grpdata["editgroupid"], $user["groups"]))) {
# user doesn't have access to view membership
$msg = '(not authorized to view membership)';
$arr = array('members' => $msg, 'domid' => $domid);
@@ -2637,15 +2638,18 @@ function checkUserHasPriv($priv, $uid, $
return 1;
}
- foreach($_user["groups"] as $groupname) {
+ foreach($_user["groups"] as $groupid => $groupname) {
// if group (has $priv at this node) ||
# (has cascaded $priv && ! have block at this node) return 1
if((array_key_exists($groupname, $privs["usergroups"]) &&
+ $groupid == $privs['usergroups'][$groupname]['id'] &&
in_array($priv, $privs["usergroups"][$groupname]['privs'])) ||
((array_key_exists($groupname, $cascadePrivs["usergroups"]) &&
+ $groupid == $cascadePrivs['usergroups'][$groupname]['id'] &&
in_array($priv, $cascadePrivs["usergroups"][$groupname]['privs'])) &&
(! array_key_exists($groupname, $privs["usergroups"]) ||
- ! in_array("block", $privs["usergroups"][$groupname]['privs'])))) {
+ (! in_array("block", $privs["usergroups"][$groupname]['privs']) &&
+ $groupid == $privs['usergroups'][$groupname]['id'])))) {
$_SESSION['userhaspriv'][$key] = 1;
return 1;
}
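Review bot: In the block clause the id comparison is ANDed onto the no-block test (`! in_array("block", ...) && $groupid == $privs['usergroups'][$groupname]['id']`), so when the entry at this node belongs to a different group with the same name the clause is false and a cascaded grant is refused. An entry for another group's id should be ignored, not treated as a block: make the last alternative `$groupid != $privs['usergroups'][$groupname]['id'] ||` followed by `! in_array("block", $privs["usergroups"][$groupname]['privs'])`. This errs toward denial and not over-grant, but it is the same cross-affiliation name collision the commit sets out to fix. Because `$privs["usergroups"]` and `$cascadePrivs["usergroups"]` are still keyed by name, two same-named groups with entries at one node presumably overwrite each other; keying those arrays by id would remove the need for the added comparisons. checkUserHasPriv starts and ends outside the hunk.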