Details
- Bug
- Resolution: Invalid
- Medium
- None
- 4.3.0beta1
- None
Description
The policy test in ezjscserverrouter tests only the first user policy. If the function is not in the first policy, it stops and the user gets an error even if he has the right to use this function.
Patch:
--- ezjscserverrouter.php.ori 2010-02-22 15:13:34.000000000 +0100 +++ ezjscserverrouter.php 2010-03-09 11:41:35.000000000 +0100 @@ -169,7 +169,22 @@ eZDebug::writeWarning( "'$permissionName' is not defined in ezjscore.ini[ezjscServer]FunctionList", __METHOD__ ); return false; } - $limitationList[] = $permissionName; + + $requiredFunctionAccess=false; + // Something with $accessResult + foreach ( $accessResult['policies'] as $pkey => $limitationArray ) + { + if ( isset( $limitationArray['FunctionList'] ) ) + { + if ( in_array( $permissionName, $limitationArray['FunctionList'] ) ) + { + $requiredFunctionAccess=true; + } + } + } + + if (!$requiredFunctionAccess) + return false; } return ezjscAccessTemplateFunctions::hasAccessToLimitation( 'ezjscore', 'call', array( 'FunctionList', $limitationList ) ); }
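Review bot: Removing the line $limitationList[] = $permissionName; means nothing in this loop body appends to $limitationList any more, yet the unchanged last line still passes it to hasAccessToLimitation( 'ezjscore', 'call', array( 'FunctionList', $limitationList ) ). Either keep the append or drop that final call, so the authorization decision is made in one place and not against a list this code no longer fills. $accessResult is not assigned anywhere in the visible lines and the comment "// Something with $accessResult" reads as a placeholder; the patch should show where the value comes from and handle a missing 'policies' key before the foreach. In the new loop a policy without a 'FunctionList' entry can never set $requiredFunctionAccess, so if such a policy is meant to grant unrestricted access the user is now denied, and that case needs an explicit decision. Smaller points: break out of the loop once a match is found, pass true as the third argument to in_array, and brace the final if (!$requiredFunctionAccess) to match the surrounding style.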
Steps to reproduce
- create a new server with a limitation per function
Example:
[ezjscServer]
FunctionList[]=ezwetimetracker_updatetrack
FunctionList[]=ezwetimetracker_updateusertrack
FunctionList[]=ezwetimetracker_switchdayoff
FunctionList[]=ezwetimetracker_switchmonthstatus
[ezjscServer_ezwetimetracker]
Class=eZWETimeTrackerServerCallFunctions
Functions[]=ezwetimetracker
PermissionPrFunction=enabled
- add multiple policies to this user and perhaps add this user to multiple groups (it may have an effect)
- try to access one of the functions
If you are lucky, the first user policy within $accessResult['policies'] will contain the function; if not, it will return false even if you have access in another policy.
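The failure mode described in the report, as an added example that is not part of the original issue and not ezjscore code: a first-policy-only check next to an any-policy check, plus a regression helper that flags a decision which changes with policy order. The function names, policy keys and sample data are constructed; the array shape is assumed from the $accessResult['policies'] usage in the patch.

```php
<?php
// Added illustration, not ezjscore code. Array shape assumed from the
// $accessResult['policies'] usage in the patch; all data is constructed.

// Behaviour the report describes: only the first policy is consulted.
function firstPolicyAllows(array $policies, string $function): bool
{
    $first = reset($policies);
    return $first !== false
        && isset($first['FunctionList'])
        && in_array($function, $first['FunctionList'], true);
}

// Behaviour the reporter expects: any policy listing the function grants access.
function anyPolicyAllows(array $policies, string $function): bool
{
    foreach ($policies as $limitations) {
        if (isset($limitations['FunctionList'])
            && in_array($function, $limitations['FunctionList'], true)) {
            return true;
        }
    }
    return false; // no policy names the function: deny
}

// Regression check: evaluate every rotation of the policy list and report
// whether the decision changes with policy order.
function decisionDependsOnOrder(callable $check, array $policies, string $function): bool
{
    $keys = array_keys($policies);
    $results = [];
    foreach ($keys as $i => $unused) {
        $rotated = [];
        foreach (array_merge(array_slice($keys, $i), array_slice($keys, 0, $i)) as $k) {
            $rotated[$k] = $policies[$k];
        }
        $results[] = $check($rotated, $function);
    }
    return count(array_unique($results)) > 1;
}

// Constructed sample: one user holding two policies (for example via two groups).
$policies = [
    'policy_a' => ['FunctionList' => ['ezwetimetracker_updatetrack']],
    'policy_b' => ['FunctionList' => ['ezwetimetracker_switchdayoff']],
];
$fn = 'ezwetimetracker_switchdayoff';
var_dump(firstPolicyAllows($policies, $fn), anyPolicyAllows($policies, $fn));
var_dump(decisionDependsOnOrder('firstPolicyAllows', $policies, $fn),
         decisionDependsOnOrder('anyPolicyAllows', $policies, $fn));
```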
Issue Links
- relates to EZP-16129 hasAccessToLimitation ezjscore 1.0.1 function does not properly check multiple policies (Closed)