diff --git a/application/Espo/Core/Acl/Table.php b/application/Espo/Core/Acl/Table.php index d1c4e9ee00..04513c56e7 100644 --- a/application/Espo/Core/Acl/Table.php +++ b/application/Espo/Core/Acl/Table.php @@ -73,6 +73,8 @@ class Table protected $forbiddenFieldsCache = array(); + protected $isStrictModeForced = false; + protected $isStrictMode = false; public function __construct(User $user, Config $config = null, FileManager $fileManager = null, Metadata $metadata = null, FieldManagerUtil $fieldManager = null) @@ -83,7 +85,11 @@ class Table 'fieldTableQuickAccess' => (object) [], ]; - $this->isStrictMode = $config->get('aclStrictMode', false); + if ($this->isStrictModeForced) { + $this->isStrictMode = true; + } else { + $this->isStrictMode = $config->get('aclStrictMode', false); + } $this->user = $user; @@ -405,7 +411,12 @@ class Table return; } - $data = $this->metadata->get('app.'.$this->type.'.default.scopeLevel', array()); + $defaultsGroupName = 'default'; + if ($this->isStrictMode) { + $defaultsGroupName = 'strictDefault'; + } + + $data = $this->metadata->get(['app', $this->type, $defaultsGroupName, 'scopeLevel'], []); foreach ($data as $scope => $item) { if (isset($table->$scope)) continue; @@ -416,7 +427,7 @@ class Table $table->$scope = $value; } - $defaultFieldData = $this->metadata->get('app.'.$this->type.'.default.fieldLevel', array()); + $defaultFieldData = $this->metadata->get(['app', $this->type, $defaultsGroupName, 'fieldLevel'], []); foreach ($this->getScopeList() as $scope) { if (isset($table->$scope) && $table->$scope === false) continue; 
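Review bot: The else branch in the constructor hunk (-83) stores whatever `$config->get('aclStrictMode', false)` returns, so a non-boolean config value decides the mode by truthiness; a cast makes it explicit: `$this->isStrictMode = (bool) $config->get('aclStrictMode', false);`. The signature shown in the previous hunk declares `Config $config = null`, and this branch dereferences it without a check. The constructor body continues outside the hunk; if the built table is cached per user there, a cache written before `aclStrictMode` was toggled would presumably keep the old defaults until it is cleared, which is worth confirming.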
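Review bot: When `$this->isStrictMode` is true the defaults in the hunk at -405 are read only from `strictDefault`, and a missing group falls back to `[]`, so scope-level and field-level restrictions defined solely under `default` silently stop applying. The same group name is used by the lookups in the hunks at -416 and -424. This commit moves the bundled aclPortal.json to `strictDefault`, but any custom or extension metadata still keyed on `default` (not visible here) would lose its denials for portal users and strict-mode installations without any error. Consider calling the key change out in the upgrade notes and adding a comment above the assignment such as `// strict mode reads 'strictDefault' only; entries under 'default' are ignored`. The enclosing method starts and ends outside the hunk.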
@@ -424,7 +435,7 @@ class Table $fieldList = array_keys($this->getMetadata()->get("entityDefs.{$scope}.fields", [])); - $defaultScopeFieldData = $this->metadata->get('app.'.$this->type.'.default.scopeFieldLevel.' . $scope, array()); + $defaultScopeFieldData = $this->metadata->get('app.'.$this->type.'.'.$defaultsGroupName.'.scopeFieldLevel.' . $scope, []); foreach (array_merge($defaultFieldData, $defaultScopeFieldData) as $field => $f) { if (!in_array($field, $fieldList)) continue; diff --git a/application/Espo/Core/AclPortal/Table.php b/application/Espo/Core/AclPortal/Table.php index 44735bda4a..c2835e5187 100644 --- a/application/Espo/Core/AclPortal/Table.php +++ b/application/Espo/Core/AclPortal/Table.php @@ -50,6 +50,8 @@ class Table extends \Espo\Core\Acl\Table protected $levelList = ['yes', 'all', 'account', 'contact', 'own', 'no']; + protected $isStrictModeForced = true; + public function __construct(User $user, Portal $portal, Config $config = null, FileManager $fileManager = null, Metadata $metadata = null, FieldManagerUtil $fieldManager = null) { if (empty($portal)) { diff --git a/application/Espo/Resources/metadata/app/acl.json b/application/Espo/Resources/metadata/app/acl.json index 6d19d31c4a..ba87b4375f 100644 --- a/application/Espo/Resources/metadata/app/acl.json +++ b/application/Espo/Resources/metadata/app/acl.json @@ -75,6 +75,23 @@ }, "default": { "scopeLevel": { + "User": { + "read": "all" + } + }, + "fieldLevel": { + }, + "scopeFieldLevel": { + "User": { + "gender": false + } + } + }, + "strictDefault": { + "scopeLevel": { + "User": { + "read": "own" + } }, "fieldLevel": { }, diff --git a/application/Espo/Resources/metadata/app/aclPortal.json b/application/Espo/Resources/metadata/app/aclPortal.json index 83ee1b3c94..095aa0b669 100644 --- a/application/Espo/Resources/metadata/app/aclPortal.json +++ b/application/Espo/Resources/metadata/app/aclPortal.json 
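Review bot: The `scopeFieldLevel` lookup in the hunk at -424 still concatenates a dotted string path, while the two lookups changed just above it now pass an array path, so the group name and `$scope` are spliced into the key only here. For consistency with the rest of the commit: `$this->metadata->get(['app', $this->type, $defaultsGroupName, 'scopeFieldLevel', $scope], [])`. The enclosing loop starts and ends outside the hunk.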
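Review bot: `$isStrictModeForced = true` in AclPortal/Table.php only takes effect if this class's own constructor reaches the strict-mode assignment in `\Espo\Core\Acl\Table::__construct`; the constructor body continues outside the hunk, so confirm it calls the parent constructor. If it does not, `$isStrictMode` stays false and the portal table reads the `default` group, which this commit removes from aclPortal.json, leaving the field-level denials unapplied. A short docblock on the property would also help, e.g. `/** Portal tables always use strict defaults; the aclStrictMode config value is ignored. */`.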
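Review bot: In acl.json the new `default` group carries only `User.gender` under `scopeFieldLevel`, while the `scopeFieldLevel` object that follows the hunk, previously part of `default`, now belongs to `strictDefault`. If that object lists any field other than `User.gender` (it lies outside the hunk), installations with `aclStrictMode` off lose those field-level denials after this change. Confirm the two `scopeFieldLevel` objects agree, or copy the remaining entries into `default`.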
@@ -86,7 +86,7 @@ } } }, - "default": { + "strictDefault": { "scopeLevel": { }, "fieldLevel": { @@ -115,6 +115,9 @@ }, "leads": false }, + "KnowledgeBaseArticle": { + "assignedUser": false + }, "User": { "gender": false } @@ -123,16 +126,9 @@ "valuePermissionList": [ "exportPermission" ], - "permissionsDefaults": { - "exportPermission": "no" - }, "permissionsStrictDefaults": { "exportPermission": "no" }, - "scopeLevelTypesDefaults": { - "boolean": false, - "record": false - }, "scopeLevelTypesStrictDefaults": { "boolean": false, "record": false