From 42645a9bc165da8d0184f45900bfb9f244228756 Mon Sep 17 00:00:00 2001
From: Yuri Kuznetsov
Date: Fri, 19 Apr 2024 14:33:54 +0300
Subject: [PATCH] permission consts
---
.../Espo/Classes/Acl/Note/AccessChecker.php | 3 ++-
.../Espo/Classes/Acl/Portal/AccessChecker.php | 13 ++++---------
.../Espo/Classes/Acl/User/AccessChecker.php | 16 ++++------------
.../Espo/Classes/MassAction/User/MassDelete.php | 4 ++--
.../Espo/Classes/MassAction/User/MassUpdate.php | 2 +-
.../Classes/RecordHooks/Note/AssignmentCheck.php | 7 ++++---
.../User/AccessControlFilters/Mandatory.php | 3 ++-
.../Select/User/AccessControlFilters/OnlyOwn.php | 3 ++-
application/Espo/Controllers/DataPrivacy.php | 11 ++++++++++-
application/Espo/Controllers/Portal.php | 3 ++-
application/Espo/Core/Acl.php | 3 ++-
application/Espo/Core/Acl/Permission.php | 7 +++++++
application/Espo/Core/AclManager.php | 2 +-
.../MassAction/Actions/MassConvertCurrency.php | 2 +-
.../Espo/Core/MassAction/Actions/MassDelete.php | 2 +-
application/Espo/Core/Portal/AclManager.php | 13 +++++++------
application/Espo/Core/Record/Service.php | 2 +-
.../Espo/Modules/Crm/Tools/Calendar/Service.php | 6 +++---
application/Espo/Services/Record.php | 3 ++-
application/Espo/Tools/DataPrivacy/Erasor.php | 3 ++-
application/Espo/Tools/Export/Service.php | 2 +-
application/Espo/Tools/MassUpdate/Processor.php | 2 +-
.../Espo/Tools/Stream/FollowerRecordService.php | 2 +-
application/Espo/Tools/Stream/RecordService.php | 2 +-
.../Tools/Stream/RecordService/QueryHelper.php | 3 ++-
25 files changed, 66 insertions(+), 53 deletions(-)
diff --git a/application/Espo/Classes/Acl/Note/AccessChecker.php b/application/Espo/Classes/Acl/Note/AccessChecker.php
index 81b22aeb71..ad0177a3db 100644
--- a/application/Espo/Classes/Acl/Note/AccessChecker.php
+++ b/application/Espo/Classes/Acl/Note/AccessChecker.php
@@ -29,6 +29,7 @@ namespace Espo\Classes\Acl\Note; +use Espo\Core\Acl\Permission; use Espo\Core\Acl\Table; use Espo\Entities\Note; use Espo\Entities\User; @@ -143,7 +144,7 @@ class AccessChecker implements AccessEntityCREDChecker } if ($entity->getTargetType() === Note::TARGET_PORTALS) { - return $this->aclManager->getPermissionLevel($user, 'portal') === Table::LEVEL_YES; + return $this->aclManager->getPermissionLevel($user, Permission::PORTAL) === Table::LEVEL_YES; } return false; diff --git a/application/Espo/Classes/Acl/Portal/AccessChecker.php b/application/Espo/Classes/Acl/Portal/AccessChecker.php index 7c14466c4e..ed04e88bbf 100644 --- a/application/Espo/Classes/Acl/Portal/AccessChecker.php +++ b/application/Espo/Classes/Acl/Portal/AccessChecker.php @@ -29,6 +29,7 @@ namespace Espo\Classes\Acl\Portal; +use Espo\Core\Acl\Permission; use Espo\Entities\Portal; use Espo\Entities\User; use Espo\Core\Acl\AccessEntityCREDChecker; @@ -45,18 +46,12 @@ class AccessChecker implements AccessEntityCREDChecker { use DefaultAccessCheckerDependency; - private DefaultAccessChecker $defaultAccessChecker; - private AclManager $aclManager; - - public function __construct(DefaultAccessChecker $defaultAccessChecker, AclManager $aclManager) - { - $this->defaultAccessChecker = $defaultAccessChecker; - $this->aclManager = $aclManager; - } + public function __construct(private DefaultAccessChecker $defaultAccessChecker, private AclManager $aclManager) + {} public function check(User $user, ScopeData $data): bool { - $level = $this->aclManager->getPermissionLevel($user, 'portal'); + $level = $this->aclManager->getPermissionLevel($user, Permission::PORTAL); return $level === Table::LEVEL_YES; } diff --git a/application/Espo/Classes/Acl/User/AccessChecker.php b/application/Espo/Classes/Acl/User/AccessChecker.php index 136a32a9e0..98b6158a42 100644 --- a/application/Espo/Classes/Acl/User/AccessChecker.php +++ b/application/Espo/Classes/Acl/User/AccessChecker.php 
@@ -29,6 +29,7 @@ namespace Espo\Classes\Acl\User; +use Espo\Core\Acl\Permission; use Espo\Entities\User; use Espo\ORM\Entity; use Espo\Core\Acl\AccessEntityCREDSChecker; @@ -60,8 +61,6 @@ class AccessChecker implements AccessEntityCREDSChecker return false; } - /** @var User $entity */ - if ($entity->isSuperAdmin() && !$user->isSuperAdmin()) { return false; } @@ -71,10 +70,8 @@ class AccessChecker implements AccessEntityCREDSChecker public function checkEntityRead(User $user, Entity $entity, ScopeData $data): bool { - /** @var User $entity */ - if ($entity->isPortal()) { - if ($this->aclManager->getPermissionLevel($user, 'portal') === Table::LEVEL_YES) { + if ($this->aclManager->getPermissionLevel($user, Permission::PORTAL) === Table::LEVEL_YES) { return true; } @@ -90,8 +87,6 @@ class AccessChecker implements AccessEntityCREDSChecker public function checkEntityEdit(User $user, Entity $entity, ScopeData $data): bool { - /** @var User $entity */ - if ($entity->isSystem()) { return false; } @@ -111,8 +106,6 @@ class AccessChecker implements AccessEntityCREDSChecker public function checkEntityDelete(User $user, Entity $entity, ScopeData $data): bool { - /** @var User $entity */ - if (!$user->isAdmin()) { return false; } @@ -130,8 +123,7 @@ class AccessChecker implements AccessEntityCREDSChecker public function checkEntityStream(User $user, Entity $entity, ScopeData $data): bool { - /** @var User $entity */ - - return $this->aclManager->checkUserPermission($user, $entity, 'user'); + /** @noinspection PhpRedundantOptionalArgumentInspection */ + return $this->aclManager->checkUserPermission($user, $entity, Permission::USER); } } diff --git a/application/Espo/Classes/MassAction/User/MassDelete.php b/application/Espo/Classes/MassAction/User/MassDelete.php index 9bf931ba0c..76e62b8b52 100644 --- a/application/Espo/Classes/MassAction/User/MassDelete.php +++ b/application/Espo/Classes/MassAction/User/MassDelete.php 
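Review bot: With the `/** @var User $entity */` annotations removed from Acl/User/AccessChecker.php, the checker still calls User-only methods on a parameter declared as `Entity` (`$entity->isSuperAdmin()` in the first hunk, `$entity->isPortal()` in checkEntityRead, `$entity->isSystem()` in checkEntityEdit), and no visible line verifies the type. If the class binds the entity type through a template annotation outside these hunks, static analysis is covered, but a runtime guard would still keep the access check fail-closed: `if (!$entity instanceof User) { return false; }` at the top of each method. The method bodies continue outside the hunks, so an existing guard further down cannot be ruled out.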
@@ -65,12 +65,12 @@ class MassDelete implements MassAction $entityType = $params->getEntityType(); if (!$this->acl->check($entityType, Acl\Table::ACTION_DELETE)) { - throw new Forbidden("No delete access for '{$entityType}'."); + throw new Forbidden("No delete access for '$entityType'."); } if ( !$params->hasIds() && - $this->acl->getPermissionLevel('massUpdate') !== Acl\Table::LEVEL_YES + $this->acl->getPermissionLevel(Acl\Permission::MASS_UPDATE) !== Acl\Table::LEVEL_YES ) { throw new Forbidden("No mass-update permission."); } diff --git a/application/Espo/Classes/MassAction/User/MassUpdate.php b/application/Espo/Classes/MassAction/User/MassUpdate.php index 672f1d2ca0..7777b073d3 100644 --- a/application/Espo/Classes/MassAction/User/MassUpdate.php +++ b/application/Espo/Classes/MassAction/User/MassUpdate.php @@ -51,7 +51,7 @@ use Espo\Tools\MassUpdate\Data as MassUpdateData; class MassUpdate implements MassAction { - private const PERMISSION = 'massUpdate'; + private const PERMISSION = Acl\Permission::MASS_UPDATE; /** @var string[] */ private array $notAllowedAttributeList = [ diff --git a/application/Espo/Classes/RecordHooks/Note/AssignmentCheck.php b/application/Espo/Classes/RecordHooks/Note/AssignmentCheck.php index 9b7427c3be..1c39318c4b 100644 --- a/application/Espo/Classes/RecordHooks/Note/AssignmentCheck.php +++ b/application/Espo/Classes/RecordHooks/Note/AssignmentCheck.php @@ -30,6 +30,7 @@ namespace Espo\Classes\RecordHooks\Note; use Espo\Core\Acl; +use Espo\Core\Acl\Permission; use Espo\Core\Acl\Table as AclTable; use Espo\Core\Exceptions\BadRequest; use Espo\Core\Exceptions\Forbidden; @@ -90,7 +91,7 @@ class AssignmentCheck implements SaveHook } } - $messagePermission = $this->acl->getPermissionLevel('message'); + $messagePermission = $this->acl->getPermissionLevel(Permission::MESSAGE); if ($messagePermission === AclTable::LEVEL_NO) { if ( 
@@ -126,14 +127,14 @@ class AssignmentCheck implements SaveHook throw new BadRequest("No portal IDs."); } - if ($this->acl->getPermissionLevel('portal') !== AclTable::LEVEL_YES) { + if ($this->acl->getPermissionLevel(Permission::PORTAL) !== AclTable::LEVEL_YES) { throw new Forbidden('Not permitted to post to portal users.'); } } if ( $targetType === Note::TARGET_USERS && - $this->acl->getPermissionLevel('portal') !== AclTable::LEVEL_YES + $this->acl->getPermissionLevel(Permission::PORTAL) !== AclTable::LEVEL_YES ) { if ($hasPortalTargetUser) { throw new Forbidden('Not permitted to post to portal users.'); diff --git a/application/Espo/Classes/Select/User/AccessControlFilters/Mandatory.php b/application/Espo/Classes/Select/User/AccessControlFilters/Mandatory.php index faaebec618..b0b4054324 100644 --- a/application/Espo/Classes/Select/User/AccessControlFilters/Mandatory.php +++ b/application/Espo/Classes/Select/User/AccessControlFilters/Mandatory.php @@ -29,6 +29,7 @@ namespace Espo\Classes\Select\User\AccessControlFilters; +use Espo\Core\Acl\Permission; use Espo\ORM\Query\SelectBuilder; use Espo\Core\Acl\Table; use Espo\Core\AclManager; @@ -51,7 +52,7 @@ class Mandatory implements Filter ]); } - if ($this->aclManager->getPermissionLevel($this->user, 'portal') !== Table::LEVEL_YES) { + if ($this->aclManager->getPermissionLevel($this->user, Permission::PORTAL) !== Table::LEVEL_YES) { $queryBuilder->where([ 'OR' => [ 'type!=' => User::TYPE_PORTAL, diff --git a/application/Espo/Classes/Select/User/AccessControlFilters/OnlyOwn.php b/application/Espo/Classes/Select/User/AccessControlFilters/OnlyOwn.php index ce25fae8e1..af8292694c 100644 --- a/application/Espo/Classes/Select/User/AccessControlFilters/OnlyOwn.php +++ b/application/Espo/Classes/Select/User/AccessControlFilters/OnlyOwn.php 
@@ -29,6 +29,7 @@ namespace Espo\Classes\Select\User\AccessControlFilters; +use Espo\Core\Acl\Permission; use Espo\ORM\Query\SelectBuilder; use Espo\Core\Acl\Table; use Espo\Core\AclManager; @@ -43,7 +44,7 @@ class OnlyOwn implements Filter public function apply(SelectBuilder $queryBuilder): void { - if ($this->aclManager->getPermissionLevel($this->user, 'portal') === Table::LEVEL_YES) { + if ($this->aclManager->getPermissionLevel($this->user, Permission::PORTAL) === Table::LEVEL_YES) { $queryBuilder->where([ 'OR' => [ 'id' => $this->user->getId(), diff --git a/application/Espo/Controllers/DataPrivacy.php b/application/Espo/Controllers/DataPrivacy.php index 73753c399d..d1c22d3e78 100644 --- a/application/Espo/Controllers/DataPrivacy.php +++ b/application/Espo/Controllers/DataPrivacy.php @@ -36,17 +36,26 @@ use Espo\Core\Acl; use Espo\Core\Api\Request; use Espo\Core\Api\Response; +use Espo\Core\Exceptions\NotFound; use Espo\Tools\DataPrivacy\Erasor; class DataPrivacy { + /** + * @throws Forbidden + */ public function __construct(private Erasor $erasor, private Acl $acl) { - if ($this->acl->getPermissionLevel('dataPrivacy') === Acl\Table::LEVEL_NO) { + if ($this->acl->getPermissionLevel(Acl\Permission::DATA_PRIVACY) === Acl\Table::LEVEL_NO) { throw new Forbidden(); } } + /** + * @throws BadRequest + * @throws Forbidden + * @throws NotFound + */ public function postActionErase(Request $request, Response $response): void { $data = $request->getParsedBody(); diff --git a/application/Espo/Controllers/Portal.php b/application/Espo/Controllers/Portal.php index 2d8becfb20..eb4d17c37c 100644 --- a/application/Espo/Controllers/Portal.php +++ b/application/Espo/Controllers/Portal.php @@ -29,6 +29,7 @@ namespace Espo\Controllers; +use Espo\Core\Acl\Permission; use Espo\Core\Acl\Table; use Espo\Core\Controllers\Record; 
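Review bot: The constructor check in Controllers/DataPrivacy.php rejects only when the level is exactly `Acl\Table::LEVEL_NO`, so any other value returned by getPermissionLevel, including one nobody anticipated, is treated as permitted. The portal, export, audit and mass-update checks touched by this patch are written as `!== Table::LEVEL_YES`. If dataPrivacy is a yes/no permission, which the hunk does not show, `if ($this->acl->getPermissionLevel(Acl\Permission::DATA_PRIVACY) !== Acl\Table::LEVEL_YES)` would fail closed and match the rest. Tools/DataPrivacy/Erasor.php::erase uses the same `=== Table::LEVEL_NO` comparison.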
@@ -36,7 +37,7 @@ class Portal extends Record { protected function checkAccess(): bool { - $level = $this->acl->getPermissionLevel('portal'); + $level = $this->acl->getPermissionLevel(Permission::PORTAL); return $level === Table::LEVEL_YES; } diff --git a/application/Espo/Core/Acl.php b/application/Espo/Core/Acl.php index c03031386a..c31dddba2a 100644 --- a/application/Espo/Core/Acl.php +++ b/application/Espo/Core/Acl.php @@ -31,6 +31,7 @@ namespace Espo\Core; use Espo\Core\Acl\Exceptions\NotImplemented; use Espo\Core\Acl\GlobalRestriction; +use Espo\Core\Acl\Permission; use Espo\Core\Acl\Table; use Espo\ORM\Entity; @@ -283,7 +284,7 @@ class Acl * * @param User|string $target User entity or user ID. */ - public function checkUserPermission($target, string $permissionType = 'user'): bool + public function checkUserPermission($target, string $permissionType = Permission::USER): bool { return $this->aclManager->checkUserPermission($this->user, $target, $permissionType); } diff --git a/application/Espo/Core/Acl/Permission.php b/application/Espo/Core/Acl/Permission.php index a5105ef044..2b041d209d 100644 --- a/application/Espo/Core/Acl/Permission.php +++ b/application/Espo/Core/Acl/Permission.php @@ -32,4 +32,11 @@ namespace Espo\Core\Acl; class Permission { public const ASSIGNMENT = 'assignment'; + public const USER = 'user'; + public const PORTAL = 'portal'; + public const MASS_UPDATE = 'massUpdate'; + public const EXPORT = 'export'; + public const AUDIT = 'audit'; + public const DATA_PRIVACY = 'dataPrivacy'; + public const MESSAGE = 'message'; } diff --git a/application/Espo/Core/AclManager.php b/application/Espo/Core/AclManager.php index 944c844880..c9ba29ab4b 100644 --- a/application/Espo/Core/AclManager.php +++ b/application/Espo/Core/AclManager.php 
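Review bot: The constants added to Core/Acl/Permission.php are undocumented, and the callers still accept any string, e.g. `checkUserPermission($target, string $permissionType = Permission::USER)` in Core/Acl.php. A class docblock such as `/** Names of the role-level permissions accepted by getPermissionLevel() and checkUserPermission(). */` would state the contract, and a `@param Permission::* $permissionType` tag on checkUserPermission would let static analysis reject a mistyped permission name in an access check. Since the class only holds constants, declaring it `final` would also make that intent explicit.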
@@ -573,7 +573,7 @@ class AclManager * * @param User|string $target User entity or user ID. */ - public function checkUserPermission(User $user, $target, string $permissionType = 'user'): bool + public function checkUserPermission(User $user, $target, string $permissionType = Permission::USER): bool { $permission = $this->getPermissionLevel($user, $permissionType); diff --git a/application/Espo/Core/MassAction/Actions/MassConvertCurrency.php b/application/Espo/Core/MassAction/Actions/MassConvertCurrency.php index 572464de97..6b85987e5a 100644 --- a/application/Espo/Core/MassAction/Actions/MassConvertCurrency.php +++ b/application/Espo/Core/MassAction/Actions/MassConvertCurrency.php @@ -68,7 +68,7 @@ class MassConvertCurrency implements MassAction throw new Forbidden("No edit access for '{$entityType}'."); } - if ($this->acl->getPermissionLevel('massUpdate') !== Table::LEVEL_YES) { + if ($this->acl->getPermissionLevel(Acl\Permission::MASS_UPDATE) !== Table::LEVEL_YES) { throw new Forbidden("No mass-update permission."); } diff --git a/application/Espo/Core/MassAction/Actions/MassDelete.php b/application/Espo/Core/MassAction/Actions/MassDelete.php index dfb7da13a0..0458951af8 100644 --- a/application/Espo/Core/MassAction/Actions/MassDelete.php +++ b/application/Espo/Core/MassAction/Actions/MassDelete.php @@ -62,7 +62,7 @@ class MassDelete implements MassAction if ( !$params->hasIds() && - $this->acl->getPermissionLevel('massUpdate') !== Acl\Table::LEVEL_YES + $this->acl->getPermissionLevel(Acl\Permission::MASS_UPDATE) !== Acl\Table::LEVEL_YES ) { throw new Forbidden("No mass-update permission."); } diff --git a/application/Espo/Core/Portal/AclManager.php b/application/Espo/Core/Portal/AclManager.php index afbd77099f..038bcad528 100644 --- a/application/Espo/Core/Portal/AclManager.php +++ b/application/Espo/Core/Portal/AclManager.php @@ -29,6 +29,7 @@ namespace Espo\Core\Portal; +use Espo\Core\Acl\Permission; use Espo\ORM\Entity; use Espo\ORM\EntityManager; 
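Review bot: `Permission::USER` becomes the default for `$permissionType` in Core/AclManager.php::checkUserPermission, but this file's section has no hunk adding `use Espo\Core\Acl\Permission;` and the diffstat lists a single changed line for it. Unless that import already exists outside the hunk, the name resolves to `Espo\Core\Permission` and every call relying on the default fails when the default is evaluated, which would break user-permission checks rather than deny them cleanly. Please confirm the import is present. The `Acl\Permission::MASS_UPDATE` reference in MassAction/Actions/MassConvertCurrency.php likewise depends on a `use Espo\Core\Acl;` that the hunk does not show.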
@@ -188,7 +189,7 @@ class AclManager extends InternalAclManager */ public function checkReadOnlyAccount(User $user, string $scope): bool { - return $this->getLevel($user, $scope, PortalTable::ACTION_READ) === PortalTable::LEVEL_ACCOUNT; + return $this->getLevel($user, $scope, Table::ACTION_READ) === PortalTable::LEVEL_ACCOUNT; } /** @@ -196,7 +197,7 @@ class AclManager extends InternalAclManager */ public function checkReadOnlyContact(User $user, string $scope): bool { - return $this->getLevel($user, $scope, PortalTable::ACTION_READ)=== PortalTable::LEVEL_CONTACT; + return $this->getLevel($user, $scope, Table::ACTION_READ)=== PortalTable::LEVEL_CONTACT; } public function check(User $user, $subject, ?string $action = null): bool @@ -208,7 +209,7 @@ class AclManager extends InternalAclManager return parent::check($user, $subject, $action); } - public function checkEntity(User $user, Entity $entity, string $action = PortalTable::ACTION_READ): bool + public function checkEntity(User $user, Entity $entity, string $action = Table::ACTION_READ): bool { if ($this->checkUserIsNotPortal($user)) { return $this->internalAclManager->checkEntity($user, $entity, $action); @@ -217,7 +218,7 @@ class AclManager extends InternalAclManager return parent::checkEntity($user, $entity, $action); } - public function checkUserPermission(User $user, $target, string $permissionType = 'user'): bool + public function checkUserPermission(User $user, $target, string $permissionType = Permission::USER): bool { return $this->internalAclManager->checkUserPermission($user, $target, $permissionType); } @@ -304,8 +305,8 @@ class AclManager extends InternalAclManager public function getScopeForbiddenFieldList( User $user, string $scope, - string $action = PortalTable::ACTION_READ, - string $thresholdLevel = PortalTable::LEVEL_NO + string $action = Table::ACTION_READ, + string $thresholdLevel = Table::LEVEL_NO ): array { if ($this->checkUserIsNotPortal($user)) { 
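Review bot: The arguments and defaults in Core/Portal/AclManager.php switch from `PortalTable::ACTION_READ` and `PortalTable::LEVEL_NO` to `Table::…`, yet the only import added in this file's section is `use Espo\Core\Acl\Permission;`. If `Table` is not already imported outside the visible hunks, it resolves inside `Espo\Core\Portal` and may name a different class than intended; this affects the level lookups in checkReadOnlyAccount, checkReadOnlyContact, checkEntity and getScopeForbiddenFieldList, so it is worth confirming which class is meant. The change is unrelated to the permission constants named in the subject and deserves a mention in the commit message. Minor style point: `Table::ACTION_READ)=== PortalTable::LEVEL_CONTACT` is missing the space before `===`.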
diff --git a/application/Espo/Core/Record/Service.php b/application/Espo/Core/Record/Service.php index 996d1144b0..4c15ccc84f 100644 --- a/application/Espo/Core/Record/Service.php +++ b/application/Espo/Core/Record/Service.php @@ -1820,7 +1820,7 @@ class Service implements Crud, unset($attributes->$attribute); } - if ($this->acl->getPermissionLevel('assignment') === AclTable::LEVEL_NO) { + if ($this->acl->getPermissionLevel(Acl\Permission::ASSIGNMENT) === AclTable::LEVEL_NO) { unset($attributes->assignedUserId); unset($attributes->assignedUserName); unset($attributes->assignedUsersIds); diff --git a/application/Espo/Modules/Crm/Tools/Calendar/Service.php b/application/Espo/Modules/Crm/Tools/Calendar/Service.php index 90cf5dd532..f40448d388 100644 --- a/application/Espo/Modules/Crm/Tools/Calendar/Service.php +++ b/application/Espo/Modules/Crm/Tools/Calendar/Service.php @@ -176,7 +176,7 @@ class Service { if ($entity instanceof User) { /** @noinspection PhpRedundantOptionalArgumentInspection */ - if (!$this->acl->checkUserPermission($entity, 'user')) { + if (!$this->acl->checkUserPermission($entity, Acl\Permission::USER)) { throw new Forbidden(); } @@ -598,11 +598,11 @@ class Service */ public function fetchForTeams(array $teamIdList, FetchParams $fetchParams): array { - if ($this->acl->getPermissionLevel('userPermission') === Table::LEVEL_NO) { + if ($this->acl->getPermissionLevel(Acl\Permission::USER) === Table::LEVEL_NO) { throw new Forbidden("User Permission not allowing to view calendars of other users."); } - if ($this->acl->getPermissionLevel('userPermission') === Table::LEVEL_TEAM) { + if ($this->acl->getPermissionLevel(Acl\Permission::USER) === Table::LEVEL_TEAM) { $userTeamIdList = $this->user->getLinkMultipleIdList('teams'); foreach ($teamIdList as $teamId) { diff --git a/application/Espo/Services/Record.php b/application/Espo/Services/Record.php index 45c33dac82..9307f5c954 100644 --- a/application/Espo/Services/Record.php 
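Review bot: In Calendar/Service.php::fetchForTeams the name passed to getPermissionLevel changes from `'userPermission'` to `Acl\Permission::USER`, i.e. `'user'`, so this hunk is not a pure literal-to-constant rename. The same happens in Services/Record.php::exportCollection and Tools/Export/Service.php (`'exportPermission'` to `'export'`), Tools/DataPrivacy/Erasor.php::erase (`'dataPrivacyPermission'` to `'dataPrivacy'`) and Tools/MassUpdate/Processor.php (`'massUpdatePermission'` to `'massUpdate'`). The body of getPermissionLevel is not part of this patch; if it does not normalise a trailing `Permission` suffix, these authorization checks now read a different key and may return a different level than before. A short comment on the constants stating which spelling is canonical, plus a regression test asserting that a role's configured level is what these call sites observe, would pin the behaviour.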
+++ b/application/Espo/Services/Record.php @@ -29,6 +29,7 @@ namespace Espo\Services; +use Espo\Core\Acl\Permission; use Espo\Core\ORM\Entity as CoreEntity; use Espo\ORM\Collection; use Espo\ORM\Entity; @@ -265,7 +266,7 @@ class Record extends RecordService implements */ public function exportCollection(array $params, Collection $collection): string { - if ($this->acl->getPermissionLevel('exportPermission') !== AclTable::LEVEL_YES) { + if ($this->acl->getPermissionLevel(Permission::EXPORT) !== AclTable::LEVEL_YES) { throw new ForbiddenSilent("No 'export' permission."); } diff --git a/application/Espo/Tools/DataPrivacy/Erasor.php b/application/Espo/Tools/DataPrivacy/Erasor.php index ba24437ac8..80333aafef 100644 --- a/application/Espo/Tools/DataPrivacy/Erasor.php +++ b/application/Espo/Tools/DataPrivacy/Erasor.php @@ -29,6 +29,7 @@ namespace Espo\Tools\DataPrivacy; +use Espo\Core\Acl\Permission; use Espo\Core\Acl\Table; use Espo\Core\Exceptions\Forbidden; use Espo\Core\Exceptions\NotFound; @@ -69,7 +70,7 @@ class Erasor implements */ public function erase(string $entityType, string $id, array $fieldList): void { - if ($this->acl->getPermissionLevel('dataPrivacyPermission') === Table::LEVEL_NO) { + if ($this->acl->getPermissionLevel(Permission::DATA_PRIVACY) === Table::LEVEL_NO) { throw new Forbidden(); } diff --git a/application/Espo/Tools/Export/Service.php b/application/Espo/Tools/Export/Service.php index af025f4b71..cb5c3108cd 100644 --- a/application/Espo/Tools/Export/Service.php +++ b/application/Espo/Tools/Export/Service.php @@ -64,7 +64,7 @@ class Service $entityType = $params->getEntityType(); - if ($this->acl->getPermissionLevel('exportPermission') !== Table::LEVEL_YES) { + if ($this->acl->getPermissionLevel(Acl\Permission::EXPORT) !== Table::LEVEL_YES) { throw new ForbiddenSilent("No 'export' permission."); } diff --git a/application/Espo/Tools/MassUpdate/Processor.php b/application/Espo/Tools/MassUpdate/Processor.php index 022f42ee50..c10c8a29ef 100644 
--- a/application/Espo/Tools/MassUpdate/Processor.php +++ b/application/Espo/Tools/MassUpdate/Processor.php @@ -56,7 +56,7 @@ use stdClass; class Processor { - private const PERMISSION = 'massUpdatePermission'; + private const PERMISSION = Acl\Permission::MASS_UPDATE; public function __construct( private ValueMapPreparator $valueMapPreparator, diff --git a/application/Espo/Tools/Stream/FollowerRecordService.php b/application/Espo/Tools/Stream/FollowerRecordService.php index 8051ac0ed6..5ab53ca342 100644 --- a/application/Espo/Tools/Stream/FollowerRecordService.php +++ b/application/Espo/Tools/Stream/FollowerRecordService.php @@ -214,7 +214,7 @@ class FollowerRecordService throw new Forbidden("No 'read' access to user $userId."); } - if ($user->isPortal() && $this->acl->getPermissionLevel('portal') !== Acl\Table::LEVEL_YES) { + if ($user->isPortal() && $this->acl->getPermissionLevel(Acl\Permission::PORTAL) !== Acl\Table::LEVEL_YES) { throw new Forbidden("No 'portal' permission."); } diff --git a/application/Espo/Tools/Stream/RecordService.php b/application/Espo/Tools/Stream/RecordService.php index 82d0d7f5d2..3d02a9a9f1 100644 --- a/application/Espo/Tools/Stream/RecordService.php +++ b/application/Espo/Tools/Stream/RecordService.php @@ -100,7 +100,7 @@ class RecordService throw new Forbidden(); } - if ($this->acl->getPermissionLevel('audit') !== Table::LEVEL_YES) { + if ($this->acl->getPermissionLevel(Acl\Permission::AUDIT) !== Table::LEVEL_YES) { throw new Forbidden(); } diff --git a/application/Espo/Tools/Stream/RecordService/QueryHelper.php b/application/Espo/Tools/Stream/RecordService/QueryHelper.php index 0f29d94d58..2a05d3863d 100644 --- a/application/Espo/Tools/Stream/RecordService/QueryHelper.php +++ b/application/Espo/Tools/Stream/RecordService/QueryHelper.php @@ -29,6 +29,7 @@ namespace Espo\Tools\Stream\RecordService; +use Espo\Core\Acl\Permission; use Espo\Core\Acl\Table; use Espo\Core\AclManager; use Espo\Core\Exceptions\BadRequest; 
@@ -136,7 +137,7 @@ class QueryHelper public function buildPostedToPortalQuery(User $user, SelectBuilder $baseBuilder): ?Select { if (!$user->isPortal()) { - if ($this->aclManager->getPermissionLevel($user, 'portal') !== Table::LEVEL_YES) { + if ($this->aclManager->getPermissionLevel($user, Permission::PORTAL) !== Table::LEVEL_YES) { return null; }