From 033c65b79beec69309e299bcc5a5d6c5cc496097 Mon Sep 17 00:00:00 2001 From: yuri Date: Mon, 31 Jul 2017 12:15:01 +0300 Subject: [PATCH] acl strict mode --- application/Espo/Controllers/Settings.php | 6 +++++- application/Espo/Core/Acl/Table.php | 15 +++++++++------ application/Espo/Core/defaults/config.php | 1 + .../Espo/Resources/i18n/en_US/Settings.json | 6 ++++-- .../Espo/Resources/layouts/Settings/settings.json | 3 ++- application/Espo/Resources/metadata/app/acl.json | 4 ++++ .../Espo/Resources/metadata/app/aclPortal.json | 4 ++++ .../Resources/metadata/entityDefs/Settings.json | 4 ++++ 8 files changed, 33 insertions(+), 10 deletions(-) diff --git a/application/Espo/Controllers/Settings.php b/application/Espo/Controllers/Settings.php index d59ed8138e..0bcf8a7bab 100644 --- a/application/Espo/Controllers/Settings.php +++ b/application/Espo/Controllers/Settings.php @@ -76,7 +76,11 @@ class Settings extends \Espo\Core\Controllers\Base throw new BadRequest(); } - if (isset($data['useCache']) && $data['useCache'] != $this->getConfig()->get('useCache')) { + if ( + (isset($data['useCache']) && $data['useCache'] != $this->getConfig()->get('useCache')) + || + (isset($data['aclStrictMode']) && $data['aclStrictMode'] !== $this->getConfig()->get('aclStrictMode')) + ) { $this->getContainer()->get('dataManager')->clearCache(); } diff --git a/application/Espo/Core/Acl/Table.php b/application/Espo/Core/Acl/Table.php index b46fd5a457..04bd8b9a19 100644 --- a/application/Espo/Core/Acl/Table.php +++ b/application/Espo/Core/Acl/Table.php @@ -77,6 +77,8 @@ class Table protected $forbiddenFieldsCache = array(); + protected $isStrictMode = false; + public function __construct(User $user, Config $config = null, FileManager $fileManager = null, Metadata $metadata = null, FieldManagerUtil $fieldManager = null) { $this->data = (object) [ 
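Review bot: The new condition compares `useCache` with loose `!=` but `aclStrictMode` with strict `!==`, and since the request value comes from a decoded body while the config side is a bool (or null on an installation whose config predates this key), a `"true"`/`1` from the client or a missing config value always counts as changed. Over-clearing is presumably harmless here since `clearCache()` just forces a rebuild, but the asymmetry reads like an oversight; normalise both sides before comparing: `(isset($data['aclStrictMode']) && (bool) $data['aclStrictMode'] !== (bool) $this->getConfig()->get('aclStrictMode', false))`. The enclosing action method starts outside the hunk.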
@@ -85,6 +87,8 @@ class Table 'fieldTableQuickAccess' => (object) [], ]; + $this->isStrictMode = $config->get('aclStrictMode', false); + $this->user = $user; $this->metadata = $metadata; @@ -135,11 +139,6 @@ class Table return $this->fieldManager; } - protected function getConfig() - { - return $this->config; - } - public function getMap() { return $this->data; @@ -454,7 +453,11 @@ class Table $aclType = $this->defaultAclType; } if (!empty($aclType)) { - $defaultValue = $this->metadata->get('app.'.$this->type.'.scopeLevelTypesDefaults.' . $aclType, $this->metadata->get('app.'.$this->type.'.scopeLevelTypesDefaults.record')); + $paramDefaultsName = 'scopeLevelTypesDefaults'; + if ($this->isStrictMode) { + $paramDefaultsName = 'scopeLevelTypesStrictDefaults'; + } + $defaultValue = $this->metadata->get(['app', $this->type, $paramDefaultsName, $aclType], $this->metadata->get(['app', $this->type, $paramDefaultsName, 'record'])); if (is_array($defaultValue)) { $defaultValue = (object) $defaultValue; } diff --git a/application/Espo/Core/defaults/config.php b/application/Espo/Core/defaults/config.php index 6b480be45f..cfc64bacca 100644 --- a/application/Espo/Core/defaults/config.php +++ b/application/Espo/Core/defaults/config.php @@ -165,6 +165,7 @@ return array ( 'cleanupAuthTokenPeriod' => '1 month', 'currencyFormat' => 1, 'currencyDecimalPlaces' => null, + 'aclStrictMode' => false, 'isInstalled' => false ); diff --git a/application/Espo/Resources/i18n/en_US/Settings.json b/application/Espo/Resources/i18n/en_US/Settings.json index b29862c89e..4af93aaf9c 100644 --- a/application/Espo/Resources/i18n/en_US/Settings.json +++ b/application/Espo/Resources/i18n/en_US/Settings.json @@ -87,7 +87,8 @@ "historyEntityList": "History Entity List", "b2cMode": "B2C Mode", "currencyFormat": "Currency Format", - "currencyDecimalPlaces": "Currency Decimal Places" + "currencyDecimalPlaces": "Currency Decimal Places", + "aclStrictMode": "ACL Strict Mode" }, "options": { "weekStart": { 
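Review bot: `$config->get('aclStrictMode', false)` is called unconditionally, yet the constructor signature shown in the previous hunk still declares `Config $config = null`, so any caller relying on that default now fails with a method call on null instead of simply running in non-strict mode. Either drop the null default from the signature or guard the read, `$this->isStrictMode = $config ? (bool) $config->get('aclStrictMode', false) : false;`. Note that the guarded form silently falls back to the permissive mode when no Config is supplied; if strict mode is meant as a hardening switch, refusing to construct the table without a Config may be the safer contract. The constructor's body continues outside the hunk.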
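Review bot: Both lookups in the new `$defaultValue` expression use `$paramDefaultsName`, so when strict mode is on and the `app.<type>` metadata lacks `scopeLevelTypesStrictDefaults` (this commit adds it only to acl.json and aclPortal.json, so any other value of `$this->type`, if one exists, would miss it), the inner `get` returns null and the previous fallback to `scopeLevelTypesDefaults.record` is gone. What a null default means for the later access decision is not visible in this hunk, so make the fail-closed intent explicit: `$this->metadata->get(['app', $this->type, $paramDefaultsName, 'record'], false)`. The two-statement assignment could also be a single ternary, `$paramDefaultsName = $this->isStrictMode ? 'scopeLevelTypesStrictDefaults' : 'scopeLevelTypesDefaults';`. The enclosing method starts and ends outside the hunk.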
@@ -130,7 +131,8 @@ "ldapUserTeams": "Teams for created user. For more, see user profile.", "ldapUserDefaultTeam": "Default team for created user. For more, see user profile.", "b2cMode": "By default EspoCRM is adapted for B2B. You can switch it to B2C.", - "currencyDecimalPlaces": "Number of decimal places. If empty then all nonempty decimal places will be displayed." + "currencyDecimalPlaces": "Number of decimal places. If empty then all nonempty decimal places will be displayed.", + "aclStrictMode": "Enabled: Access to scopes will be forbidden if it's not specified in roles.\n\nDisabled: Access to scopes will be allowed if it's not specified in roles." }, "labels": { "System": "System", diff --git a/application/Espo/Resources/layouts/Settings/settings.json b/application/Espo/Resources/layouts/Settings/settings.json index e72847af2d..2e5d934570 100644 --- a/application/Espo/Resources/layouts/Settings/settings.json +++ b/application/Espo/Resources/layouts/Settings/settings.json @@ -4,7 +4,8 @@ "rows": [ [{"name": "useCache"}, {"name": "siteUrl"}], [{"name": "exportDisabled"}, {"name": "globalSearchEntityList"}], - [{"name": "followCreatedEntities"}, {"name": "b2cMode"}] + [{"name": "followCreatedEntities"}, {"name": "b2cMode"}], + [{"name": "aclStrictMode"}, false] ] }, { diff --git a/application/Espo/Resources/metadata/app/acl.json b/application/Espo/Resources/metadata/app/acl.json index 13308d2959..fbf1415466 100644 --- a/application/Espo/Resources/metadata/app/acl.json +++ b/application/Espo/Resources/metadata/app/acl.json @@ -94,5 +94,9 @@ "delete": "no", "create": "yes" } + }, + "scopeLevelTypesStrictDefaults": { + "boolean": false, + "record": false } } diff --git a/application/Espo/Resources/metadata/app/aclPortal.json b/application/Espo/Resources/metadata/app/aclPortal.json index 481afc145b..08e0edb680 100644 --- a/application/Espo/Resources/metadata/app/aclPortal.json +++ b/application/Espo/Resources/metadata/app/aclPortal.json 
@@ -114,5 +114,9 @@ "scopeLevelTypesDefaults": { "boolean": false, "record": false + }, + "scopeLevelTypesStrictDefaults": { + "boolean": false, + "record": false } } diff --git a/application/Espo/Resources/metadata/entityDefs/Settings.json b/application/Espo/Resources/metadata/entityDefs/Settings.json index 90055b2a34..9d4b4638aa 100644 --- a/application/Espo/Resources/metadata/entityDefs/Settings.json +++ b/application/Espo/Resources/metadata/entityDefs/Settings.json @@ -419,6 +419,10 @@ "massEmailDisableMandatoryOptOutLink": { "type": "bool" }, + "aclStrictMode": { + "type": "bool", + "tooltip": true + }, "lastViewedCount": { "type": "int", "min": 1,