permission consts
@@ -29,6 +29,7 @@
|
||||
|
||||
namespace Espo\Classes\Acl\Note;
|
||||
|
||||
use Espo\Core\Acl\Permission;
|
||||
use Espo\Core\Acl\Table;
|
||||
use Espo\Entities\Note;
|
||||
use Espo\Entities\User;
|
||||
@@ -143,7 +144,7 @@ class AccessChecker implements AccessEntityCREDChecker
|
||||
}
|
||||
|
||||
if ($entity->getTargetType() === Note::TARGET_PORTALS) {
|
||||
return $this->aclManager->getPermissionLevel($user, 'portal') === Table::LEVEL_YES;
|
||||
return $this->aclManager->getPermissionLevel($user, Permission::PORTAL) === Table::LEVEL_YES;
|
||||
}
|
||||
|
||||
return false;
|
||||
|
||||
@@ -29,6 +29,7 @@
|
||||
|
||||
namespace Espo\Classes\Acl\Portal;
|
||||
|
||||
use Espo\Core\Acl\Permission;
|
||||
use Espo\Entities\Portal;
|
||||
use Espo\Entities\User;
|
||||
use Espo\Core\Acl\AccessEntityCREDChecker;
|
||||
@@ -45,18 +46,12 @@ class AccessChecker implements AccessEntityCREDChecker
|
||||
{
|
||||
use DefaultAccessCheckerDependency;
|
||||
|
||||
private DefaultAccessChecker $defaultAccessChecker;
|
||||
private AclManager $aclManager;
|
||||
|
||||
public function __construct(DefaultAccessChecker $defaultAccessChecker, AclManager $aclManager)
|
||||
{
|
||||
$this->defaultAccessChecker = $defaultAccessChecker;
|
||||
$this->aclManager = $aclManager;
|
||||
}
|
||||
public function __construct(private DefaultAccessChecker $defaultAccessChecker, private AclManager $aclManager)
|
||||
{}
|
||||
|
||||
public function check(User $user, ScopeData $data): bool
|
||||
{
|
||||
$level = $this->aclManager->getPermissionLevel($user, 'portal');
|
||||
$level = $this->aclManager->getPermissionLevel($user, Permission::PORTAL);
|
||||
|
||||
return $level === Table::LEVEL_YES;
|
||||
}
|
||||
|
||||
@@ -29,6 +29,7 @@
|
||||
|
||||
namespace Espo\Classes\Acl\User;
|
||||
|
||||
use Espo\Core\Acl\Permission;
|
||||
use Espo\Entities\User;
|
||||
use Espo\ORM\Entity;
|
||||
use Espo\Core\Acl\AccessEntityCREDSChecker;
|
||||
@@ -60,8 +61,6 @@ class AccessChecker implements AccessEntityCREDSChecker
|
||||
return false;
|
||||
}
|
||||
|
||||
/** @var User $entity */
|
||||
|
||||
if ($entity->isSuperAdmin() && !$user->isSuperAdmin()) {
|
||||
return false;
|
||||
}
|
||||
@@ -71,10 +70,8 @@ class AccessChecker implements AccessEntityCREDSChecker
|
||||
|
||||
public function checkEntityRead(User $user, Entity $entity, ScopeData $data): bool
|
||||
{
|
||||
/** @var User $entity */
|
||||
|
||||
if ($entity->isPortal()) {
|
||||
if ($this->aclManager->getPermissionLevel($user, 'portal') === Table::LEVEL_YES) {
|
||||
if ($this->aclManager->getPermissionLevel($user, Permission::PORTAL) === Table::LEVEL_YES) {
|
||||
return true;
|
||||
}
|
||||
|
||||
@@ -90,8 +87,6 @@ class AccessChecker implements AccessEntityCREDSChecker
|
||||
|
||||
public function checkEntityEdit(User $user, Entity $entity, ScopeData $data): bool
|
||||
{
|
||||
/** @var User $entity */
|
||||
|
||||
if ($entity->isSystem()) {
|
||||
return false;
|
||||
}
|
||||
@@ -111,8 +106,6 @@ class AccessChecker implements AccessEntityCREDSChecker
|
||||
|
||||
public function checkEntityDelete(User $user, Entity $entity, ScopeData $data): bool
|
||||
{
|
||||
/** @var User $entity */
|
||||
|
||||
if (!$user->isAdmin()) {
|
||||
return false;
|
||||
}
|
||||
@@ -130,8 +123,7 @@ class AccessChecker implements AccessEntityCREDSChecker
|
||||
|
||||
public function checkEntityStream(User $user, Entity $entity, ScopeData $data): bool
|
||||
{
|
||||
/** @var User $entity */
|
||||
|
||||
return $this->aclManager->checkUserPermission($user, $entity, 'user');
|
||||
/** @noinspection PhpRedundantOptionalArgumentInspection */
|
||||
return $this->aclManager->checkUserPermission($user, $entity, Permission::USER);
|
||||
}
|
||||
}
|
||||
|
||||
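Review bot: Dropping the `/** @var User $entity */` narrowing in checkEntityRead, checkEntityEdit, checkEntityDelete and checkEntityStream (and in the hunk starting at old line 60) leaves `$entity` typed only as `Entity` while the bodies call User-specific methods such as `isPortal()`, `isSystem()` and `isSuperAdmin()`. That is only sound for static analysis if the class docblock declares the generic, e.g. `@implements AccessEntityCREDSChecker<User>`, which would sit outside these hunks; if it is absent, PHPStan/Psalm will flag the calls as undefined on `Entity`, and the removal trades a documented assumption for an undocumented one. Each method starts inside its hunk, but the class header and any docblock are outside the visible lines.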
@@ -65,12 +65,12 @@ class MassDelete implements MassAction
|
||||
$entityType = $params->getEntityType();
|
||||
|
||||
if (!$this->acl->check($entityType, Acl\Table::ACTION_DELETE)) {
|
||||
throw new Forbidden("No delete access for '{$entityType}'.");
|
||||
throw new Forbidden("No delete access for '$entityType'.");
|
||||
}
|
||||
|
||||
if (
|
||||
!$params->hasIds() &&
|
||||
$this->acl->getPermissionLevel('massUpdate') !== Acl\Table::LEVEL_YES
|
||||
$this->acl->getPermissionLevel(Acl\Permission::MASS_UPDATE) !== Acl\Table::LEVEL_YES
|
||||
) {
|
||||
throw new Forbidden("No mass-update permission.");
|
||||
}
|
||||
|
||||
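Review bot: The throw message changes from the `{$entityType}` interpolation form to `'$entityType'`, while the parallel MassConvertCurrency hunk later in this commit keeps the `{$entityType}` form; both interpolate identically, so this is a style point, but it leaves the two mass actions inconsistent and is unrelated to the constant migration the commit makes. Either keep `throw new Forbidden("No delete access for '{$entityType}'.");` here or apply the same brace-less form in MassConvertCurrency. The enclosing method begins outside the hunk.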
@@ -51,7 +51,7 @@ use Espo\Tools\MassUpdate\Data as MassUpdateData;
|
||||
|
||||
class MassUpdate implements MassAction
|
||||
{
|
||||
private const PERMISSION = 'massUpdate';
|
||||
private const PERMISSION = Acl\Permission::MASS_UPDATE;
|
||||
|
||||
/** @var string[] */
|
||||
private array $notAllowedAttributeList = [
|
||||
|
||||
@@ -30,6 +30,7 @@
|
||||
namespace Espo\Classes\RecordHooks\Note;
|
||||
|
||||
use Espo\Core\Acl;
|
||||
use Espo\Core\Acl\Permission;
|
||||
use Espo\Core\Acl\Table as AclTable;
|
||||
use Espo\Core\Exceptions\BadRequest;
|
||||
use Espo\Core\Exceptions\Forbidden;
|
||||
@@ -90,7 +91,7 @@ class AssignmentCheck implements SaveHook
|
||||
}
|
||||
}
|
||||
|
||||
$messagePermission = $this->acl->getPermissionLevel('message');
|
||||
$messagePermission = $this->acl->getPermissionLevel(Permission::MESSAGE);
|
||||
|
||||
if ($messagePermission === AclTable::LEVEL_NO) {
|
||||
if (
|
||||
@@ -126,14 +127,14 @@ class AssignmentCheck implements SaveHook
|
||||
throw new BadRequest("No portal IDs.");
|
||||
}
|
||||
|
||||
if ($this->acl->getPermissionLevel('portal') !== AclTable::LEVEL_YES) {
|
||||
if ($this->acl->getPermissionLevel(Permission::PORTAL) !== AclTable::LEVEL_YES) {
|
||||
throw new Forbidden('Not permitted to post to portal users.');
|
||||
}
|
||||
}
|
||||
|
||||
if (
|
||||
$targetType === Note::TARGET_USERS &&
|
||||
$this->acl->getPermissionLevel('portal') !== AclTable::LEVEL_YES
|
||||
$this->acl->getPermissionLevel(Permission::PORTAL) !== AclTable::LEVEL_YES
|
||||
) {
|
||||
if ($hasPortalTargetUser) {
|
||||
throw new Forbidden('Not permitted to post to portal users.');
|
||||
|
||||
@@ -29,6 +29,7 @@
|
||||
|
||||
namespace Espo\Classes\Select\User\AccessControlFilters;
|
||||
|
||||
use Espo\Core\Acl\Permission;
|
||||
use Espo\ORM\Query\SelectBuilder;
|
||||
use Espo\Core\Acl\Table;
|
||||
use Espo\Core\AclManager;
|
||||
@@ -51,7 +52,7 @@ class Mandatory implements Filter
|
||||
]);
|
||||
}
|
||||
|
||||
if ($this->aclManager->getPermissionLevel($this->user, 'portal') !== Table::LEVEL_YES) {
|
||||
if ($this->aclManager->getPermissionLevel($this->user, Permission::PORTAL) !== Table::LEVEL_YES) {
|
||||
$queryBuilder->where([
|
||||
'OR' => [
|
||||
'type!=' => User::TYPE_PORTAL,
|
||||
|
||||
@@ -29,6 +29,7 @@
|
||||
|
||||
namespace Espo\Classes\Select\User\AccessControlFilters;
|
||||
|
||||
use Espo\Core\Acl\Permission;
|
||||
use Espo\ORM\Query\SelectBuilder;
|
||||
use Espo\Core\Acl\Table;
|
||||
use Espo\Core\AclManager;
|
||||
@@ -43,7 +44,7 @@ class OnlyOwn implements Filter
|
||||
|
||||
public function apply(SelectBuilder $queryBuilder): void
|
||||
{
|
||||
if ($this->aclManager->getPermissionLevel($this->user, 'portal') === Table::LEVEL_YES) {
|
||||
if ($this->aclManager->getPermissionLevel($this->user, Permission::PORTAL) === Table::LEVEL_YES) {
|
||||
$queryBuilder->where([
|
||||
'OR' => [
|
||||
'id' => $this->user->getId(),
|
||||
|
||||
@@ -36,17 +36,26 @@ use Espo\Core\Acl;
|
||||
use Espo\Core\Api\Request;
|
||||
use Espo\Core\Api\Response;
|
||||
|
||||
use Espo\Core\Exceptions\NotFound;
|
||||
use Espo\Tools\DataPrivacy\Erasor;
|
||||
|
||||
class DataPrivacy
|
||||
{
|
||||
/**
|
||||
* @throws Forbidden
|
||||
*/
|
||||
public function __construct(private Erasor $erasor, private Acl $acl)
|
||||
{
|
||||
if ($this->acl->getPermissionLevel('dataPrivacy') === Acl\Table::LEVEL_NO) {
|
||||
if ($this->acl->getPermissionLevel(Acl\Permission::DATA_PRIVACY) === Acl\Table::LEVEL_NO) {
|
||||
throw new Forbidden();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @throws BadRequest
|
||||
* @throws Forbidden
|
||||
* @throws NotFound
|
||||
*/
|
||||
public function postActionErase(Request $request, Response $response): void
|
||||
{
|
||||
$data = $request->getParsedBody();
|
||||
|
||||
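Review bot: The constructor guard `if ($this->acl->getPermissionLevel(Acl\Permission::DATA_PRIVACY) === Acl\Table::LEVEL_NO)` rejects only the explicit no level, so any other value the lookup yields lets construction proceed; the same shape appears again in Erasor::erase later in this commit, and the two look like deliberate layering rather than an oversight. A one-line comment would make that intent clear to the next reader, e.g. `// Controller-level gate; Erasor::erase re-checks for callers that do not go through this controller.` `Forbidden` is thrown here but its import is not among the visible context lines, so confirm it is present above the hunk.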
@@ -29,6 +29,7 @@
|
||||
|
||||
namespace Espo\Controllers;
|
||||
|
||||
use Espo\Core\Acl\Permission;
|
||||
use Espo\Core\Acl\Table;
|
||||
use Espo\Core\Controllers\Record;
|
||||
|
||||
@@ -36,7 +37,7 @@ class Portal extends Record
|
||||
{
|
||||
protected function checkAccess(): bool
|
||||
{
|
||||
$level = $this->acl->getPermissionLevel('portal');
|
||||
$level = $this->acl->getPermissionLevel(Permission::PORTAL);
|
||||
|
||||
return $level === Table::LEVEL_YES;
|
||||
}
|
||||
|
||||
@@ -31,6 +31,7 @@ namespace Espo\Core;
|
||||
|
||||
use Espo\Core\Acl\Exceptions\NotImplemented;
|
||||
use Espo\Core\Acl\GlobalRestriction;
|
||||
use Espo\Core\Acl\Permission;
|
||||
use Espo\Core\Acl\Table;
|
||||
|
||||
use Espo\ORM\Entity;
|
||||
@@ -283,7 +284,7 @@ class Acl
|
||||
*
|
||||
* @param User|string $target User entity or user ID.
|
||||
*/
|
||||
public function checkUserPermission($target, string $permissionType = 'user'): bool
|
||||
public function checkUserPermission($target, string $permissionType = Permission::USER): bool
|
||||
{
|
||||
return $this->aclManager->checkUserPermission($this->user, $target, $permissionType);
|
||||
}
|
||||
|
||||
@@ -32,4 +32,11 @@ namespace Espo\Core\Acl;
|
||||
class Permission
|
||||
{
|
||||
public const ASSIGNMENT = 'assignment';
|
||||
public const USER = 'user';
|
||||
public const PORTAL = 'portal';
|
||||
public const MASS_UPDATE = 'massUpdate';
|
||||
public const EXPORT = 'export';
|
||||
public const AUDIT = 'audit';
|
||||
public const DATA_PRIVACY = 'dataPrivacy';
|
||||
public const MESSAGE = 'message';
|
||||
}
|
||||
|
||||
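Review bot: The new constants carry no documentation, and their values are the bare names (`'massUpdate'`, `'dataPrivacy'`, `'export'`) whereas several call sites replaced in this commit previously passed the suffixed form (`'massUpdatePermission'`, `'dataPrivacyPermission'`, `'exportPermission'`), so a reader needs to know which spelling the lookup expects. A class docblock such as `/** Names of user-level permission types accepted by AclManager::getPermissionLevel() and checkUserPermission(). */` would record that, and if nothing is meant to extend the class, `final class Permission` makes the constant-holder intent explicit. The class body is shown in full in this hunk.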
@@ -573,7 +573,7 @@ class AclManager
|
||||
*
|
||||
* @param User|string $target User entity or user ID.
|
||||
*/
|
||||
public function checkUserPermission(User $user, $target, string $permissionType = 'user'): bool
|
||||
public function checkUserPermission(User $user, $target, string $permissionType = Permission::USER): bool
|
||||
{
|
||||
$permission = $this->getPermissionLevel($user, $permissionType);
|
||||
|
||||
|
||||
@@ -68,7 +68,7 @@ class MassConvertCurrency implements MassAction
|
||||
throw new Forbidden("No edit access for '{$entityType}'.");
|
||||
}
|
||||
|
||||
if ($this->acl->getPermissionLevel('massUpdate') !== Table::LEVEL_YES) {
|
||||
if ($this->acl->getPermissionLevel(Acl\Permission::MASS_UPDATE) !== Table::LEVEL_YES) {
|
||||
throw new Forbidden("No mass-update permission.");
|
||||
}
|
||||
|
||||
|
||||
@@ -62,7 +62,7 @@ class MassDelete implements MassAction
|
||||
|
||||
if (
|
||||
!$params->hasIds() &&
|
||||
$this->acl->getPermissionLevel('massUpdate') !== Acl\Table::LEVEL_YES
|
||||
$this->acl->getPermissionLevel(Acl\Permission::MASS_UPDATE) !== Acl\Table::LEVEL_YES
|
||||
) {
|
||||
throw new Forbidden("No mass-update permission.");
|
||||
}
|
||||
|
||||
@@ -29,6 +29,7 @@
|
||||
|
||||
namespace Espo\Core\Portal;
|
||||
|
||||
use Espo\Core\Acl\Permission;
|
||||
use Espo\ORM\Entity;
|
||||
use Espo\ORM\EntityManager;
|
||||
|
||||
@@ -188,7 +189,7 @@ class AclManager extends InternalAclManager
|
||||
*/
|
||||
public function checkReadOnlyAccount(User $user, string $scope): bool
|
||||
{
|
||||
return $this->getLevel($user, $scope, PortalTable::ACTION_READ) === PortalTable::LEVEL_ACCOUNT;
|
||||
return $this->getLevel($user, $scope, Table::ACTION_READ) === PortalTable::LEVEL_ACCOUNT;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -196,7 +197,7 @@ class AclManager extends InternalAclManager
|
||||
*/
|
||||
public function checkReadOnlyContact(User $user, string $scope): bool
|
||||
{
|
||||
return $this->getLevel($user, $scope, PortalTable::ACTION_READ)=== PortalTable::LEVEL_CONTACT;
|
||||
return $this->getLevel($user, $scope, Table::ACTION_READ)=== PortalTable::LEVEL_CONTACT;
|
||||
}
|
||||
|
||||
public function check(User $user, $subject, ?string $action = null): bool
|
||||
@@ -208,7 +209,7 @@ class AclManager extends InternalAclManager
|
||||
return parent::check($user, $subject, $action);
|
||||
}
|
||||
|
||||
public function checkEntity(User $user, Entity $entity, string $action = PortalTable::ACTION_READ): bool
|
||||
public function checkEntity(User $user, Entity $entity, string $action = Table::ACTION_READ): bool
|
||||
{
|
||||
if ($this->checkUserIsNotPortal($user)) {
|
||||
return $this->internalAclManager->checkEntity($user, $entity, $action);
|
||||
@@ -217,7 +218,7 @@ class AclManager extends InternalAclManager
|
||||
return parent::checkEntity($user, $entity, $action);
|
||||
}
|
||||
|
||||
public function checkUserPermission(User $user, $target, string $permissionType = 'user'): bool
|
||||
public function checkUserPermission(User $user, $target, string $permissionType = Permission::USER): bool
|
||||
{
|
||||
return $this->internalAclManager->checkUserPermission($user, $target, $permissionType);
|
||||
}
|
||||
@@ -304,8 +305,8 @@ class AclManager extends InternalAclManager
|
||||
public function getScopeForbiddenFieldList(
|
||||
User $user,
|
||||
string $scope,
|
||||
string $action = PortalTable::ACTION_READ,
|
||||
string $thresholdLevel = PortalTable::LEVEL_NO
|
||||
string $action = Table::ACTION_READ,
|
||||
string $thresholdLevel = Table::LEVEL_NO
|
||||
): array {
|
||||
|
||||
if ($this->checkUserIsNotPortal($user)) {
|
||||
|
||||
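Review bot: The hunks starting at old lines 188, 196, 208 and 304 replace `PortalTable::ACTION_READ`, `PortalTable::LEVEL_NO` and the `checkEntity`/`getScopeForbiddenFieldList` defaults with `Table::…`, which is a different change from the permission-constant migration the commit title describes, and it is only equivalent if `Table` resolves to `Espo\Core\Acl\Table` in this file and `PortalTable` carries the same values; the import hunk at line 29 adds only `Permission`, so the `Table` import is not visible here. If the two constants ever differ, the read-only account/contact checks and the default forbidden-field threshold change meaning silently. While touching the checkReadOnlyContact line, the missing space before `===` could be fixed to `return $this->getLevel($user, $scope, Table::ACTION_READ) === PortalTable::LEVEL_CONTACT;`. The getScopeForbiddenFieldList body continues past the end of the last hunk.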
@@ -1820,7 +1820,7 @@ class Service implements Crud,
|
||||
unset($attributes->$attribute);
|
||||
}
|
||||
|
||||
if ($this->acl->getPermissionLevel('assignment') === AclTable::LEVEL_NO) {
|
||||
if ($this->acl->getPermissionLevel(Acl\Permission::ASSIGNMENT) === AclTable::LEVEL_NO) {
|
||||
unset($attributes->assignedUserId);
|
||||
unset($attributes->assignedUserName);
|
||||
unset($attributes->assignedUsersIds);
|
||||
|
||||
@@ -176,7 +176,7 @@ class Service
|
||||
{
|
||||
if ($entity instanceof User) {
|
||||
/** @noinspection PhpRedundantOptionalArgumentInspection */
|
||||
if (!$this->acl->checkUserPermission($entity, 'user')) {
|
||||
if (!$this->acl->checkUserPermission($entity, Acl\Permission::USER)) {
|
||||
throw new Forbidden();
|
||||
}
|
||||
|
||||
@@ -598,11 +598,11 @@ class Service
|
||||
*/
|
||||
public function fetchForTeams(array $teamIdList, FetchParams $fetchParams): array
|
||||
{
|
||||
if ($this->acl->getPermissionLevel('userPermission') === Table::LEVEL_NO) {
|
||||
if ($this->acl->getPermissionLevel(Acl\Permission::USER) === Table::LEVEL_NO) {
|
||||
throw new Forbidden("User Permission not allowing to view calendars of other users.");
|
||||
}
|
||||
|
||||
if ($this->acl->getPermissionLevel('userPermission') === Table::LEVEL_TEAM) {
|
||||
if ($this->acl->getPermissionLevel(Acl\Permission::USER) === Table::LEVEL_TEAM) {
|
||||
$userTeamIdList = $this->user->getLinkMultipleIdList('teams');
|
||||
|
||||
foreach ($teamIdList as $teamId) {
|
||||
|
||||
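Review bot: In fetchForTeams the lookup key changes from `'userPermission'` to `Acl\Permission::USER`, whose value in this commit is `'user'`, so the string handed to getPermissionLevel is no longer the same; this is behaviour-preserving only if the permission lookup accepts the un-suffixed name, which is not visible in these hunks. The same substitution appears in Record::exportCollection (`'exportPermission'`), Erasor::erase (`'dataPrivacyPermission'`), the export Service (`'exportPermission'`) and Processor::PERMISSION (`'massUpdatePermission'`). Because the guards here throw only on `=== Table::LEVEL_NO`, a lookup that did not recognise the new key would fail open at those sites (the `!== Table::LEVEL_YES` sites would fail closed instead), so a test that sets each of these permissions to no and expects Forbidden would pin the migration. fetchForTeams continues past the end of the hunk.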
@@ -29,6 +29,7 @@
|
||||
|
||||
namespace Espo\Services;
|
||||
|
||||
use Espo\Core\Acl\Permission;
|
||||
use Espo\Core\ORM\Entity as CoreEntity;
|
||||
use Espo\ORM\Collection;
|
||||
use Espo\ORM\Entity;
|
||||
@@ -265,7 +266,7 @@ class Record extends RecordService implements
|
||||
*/
|
||||
public function exportCollection(array $params, Collection $collection): string
|
||||
{
|
||||
if ($this->acl->getPermissionLevel('exportPermission') !== AclTable::LEVEL_YES) {
|
||||
if ($this->acl->getPermissionLevel(Permission::EXPORT) !== AclTable::LEVEL_YES) {
|
||||
throw new ForbiddenSilent("No 'export' permission.");
|
||||
}
|
||||
|
||||
|
||||
@@ -29,6 +29,7 @@
|
||||
|
||||
namespace Espo\Tools\DataPrivacy;
|
||||
|
||||
use Espo\Core\Acl\Permission;
|
||||
use Espo\Core\Acl\Table;
|
||||
use Espo\Core\Exceptions\Forbidden;
|
||||
use Espo\Core\Exceptions\NotFound;
|
||||
@@ -69,7 +70,7 @@ class Erasor implements
|
||||
*/
|
||||
public function erase(string $entityType, string $id, array $fieldList): void
|
||||
{
|
||||
if ($this->acl->getPermissionLevel('dataPrivacyPermission') === Table::LEVEL_NO) {
|
||||
if ($this->acl->getPermissionLevel(Permission::DATA_PRIVACY) === Table::LEVEL_NO) {
|
||||
throw new Forbidden();
|
||||
}
|
||||
|
||||
|
||||
@@ -64,7 +64,7 @@ class Service
|
||||
|
||||
$entityType = $params->getEntityType();
|
||||
|
||||
if ($this->acl->getPermissionLevel('exportPermission') !== Table::LEVEL_YES) {
|
||||
if ($this->acl->getPermissionLevel(Acl\Permission::EXPORT) !== Table::LEVEL_YES) {
|
||||
throw new ForbiddenSilent("No 'export' permission.");
|
||||
}
|
||||
|
||||
|
||||
@@ -56,7 +56,7 @@ use stdClass;
|
||||
|
||||
class Processor
|
||||
{
|
||||
private const PERMISSION = 'massUpdatePermission';
|
||||
private const PERMISSION = Acl\Permission::MASS_UPDATE;
|
||||
|
||||
public function __construct(
|
||||
private ValueMapPreparator $valueMapPreparator,
|
||||
|
||||
@@ -214,7 +214,7 @@ class FollowerRecordService
|
||||
throw new Forbidden("No 'read' access to user $userId.");
|
||||
}
|
||||
|
||||
if ($user->isPortal() && $this->acl->getPermissionLevel('portal') !== Acl\Table::LEVEL_YES) {
|
||||
if ($user->isPortal() && $this->acl->getPermissionLevel(Acl\Permission::PORTAL) !== Acl\Table::LEVEL_YES) {
|
||||
throw new Forbidden("No 'portal' permission.");
|
||||
}
|
||||
|
||||
|
||||
@@ -100,7 +100,7 @@ class RecordService
|
||||
throw new Forbidden();
|
||||
}
|
||||
|
||||
if ($this->acl->getPermissionLevel('audit') !== Table::LEVEL_YES) {
|
||||
if ($this->acl->getPermissionLevel(Acl\Permission::AUDIT) !== Table::LEVEL_YES) {
|
||||
throw new Forbidden();
|
||||
}
|
||||
|
||||
|
||||
@@ -29,6 +29,7 @@
|
||||
|
||||
namespace Espo\Tools\Stream\RecordService;
|
||||
|
||||
use Espo\Core\Acl\Permission;
|
||||
use Espo\Core\Acl\Table;
|
||||
use Espo\Core\AclManager;
|
||||
use Espo\Core\Exceptions\BadRequest;
|
||||
@@ -136,7 +137,7 @@ class QueryHelper
|
||||
public function buildPostedToPortalQuery(User $user, SelectBuilder $baseBuilder): ?Select
|
||||
{
|
||||
if (!$user->isPortal()) {
|
||||
if ($this->aclManager->getPermissionLevel($user, 'portal') !== Table::LEVEL_YES) {
|
||||
if ($this->aclManager->getPermissionLevel($user, Permission::PORTAL) !== Table::LEVEL_YES) {
|
||||
return null;
|
||||
}
|
||||
|
||||
|
||||