Denis Chenu

icon indicating a website link http://sondages.pro icon indicating an email [email protected]

icon company SondagesPro icon location Roubaix icon location LimeSurvey plugin developer. Free and Open Source user, supporter and dev. Webquality Opquast certified 31650N.

Results 401 comments of Denis Chenu

Fixed issue #18356: User with only user update allowed can set/remove any role to any user

I don't like to add a new Service since Permission is already here. I think we can just start with a minimal Permission system : 2 permission, 'user' and 'permission'...

Fixed issue #18356: User with only user update allowed can set/remove any role to any user

https://github.com/LimeSurvey/LimeSurvey/blob/master/application/models/Interfaces/PermissionInterface.php https://github.com/LimeSurvey/LimeSurvey/blob/master/application/models/Traits/PermissionTrait.php See https://github.com/LimeSurvey/LimeSurvey/blob/e4f3ede06d502a176e9d02d3e9d4ac55bb3b76e4/application/models/Traits/PermissionTrait.php#L41 for usage in User Then your function are - canAssignPermissions : `$user->hasPermission('permission', 'update');` - canAssignRole : `$user->hasPermission('role', 'update');` - canEdit : `$user->hasPermission('user', 'update');` See : https://github.com/LimeSurvey/LimeSurvey/blob/e4f3ede06d502a176e9d02d3e9d4ac55bb3b76e4/application/models/Survey.php#L2250...

Fixed issue #18356: User with only user update allowed can set/remove any role to any user

And when we create the Permission manage page : a lot is ready :)

Fixed issue #18356: User with only user update allowed can set/remove any role to any user

> Well the logic about child-parent relationship is not there. ? see [getOwnerId](https://github.com/LimeSurvey/LimeSurvey/blob/e4f3ede06d502a176e9d02d3e9d4ac55bb3b76e4/application/models/Traits/PermissionTrait.php#L10) … done for this … You add it in user : where is the issue here ?...

Fixed issue #18356: User with only user update allowed can set/remove any role to any user

> Well the logic about child-parent relationship is not there. What's wrong in having a logic layer for that? It's here : https://github.com/LimeSurvey/LimeSurvey/blob/e4f3ede06d502a176e9d02d3e9d4ac55bb3b76e4/application/models/Permission.php#L576 exactly.

Fixed issue #18356: User with only user update allowed can set/remove any role to any user

My opinion on this commit : 2 solution 1. Just fix the issue 18356 : use `Permission::model()->hasGlobalPermission('superadmin', 'read')` in actionSaveRole and actionAddRole (light commit) 2. Do the whole access system...

Fixed issue #18356: User with only user update allowed can set/remove any role to any user

> It is not definite. Just trying to solve a problem decently in a short period of time. Then : do only the 1st point : > 1. Just fix...

Fixed issue #18356: User with only user update allowed can set/remove any role to any user

> So we have similar logics when Editing users, applying permissions, applying roles, theme permissions, ... That's why a class to handle it centrally is usefull, as a starter. Later,...

Fixed issue #18356: User with only user update allowed can set/remove any role to any user

> > Currently : owner_id is tested in Permission model, but you can test in User->hasPermission andnever use Permission model. > > How would you write `$user->hasPermission()` using the permission...

Fixed issue #18356: User with only user update allowed can set/remove any role to any user

For me : the commit are really complex against a `if (!Permission::model()->hasGlobalPermission('users', 'update')) {` replaced by a `if (!Permission::model()->hasGlobalPermission('superadmin', 'read')) {`