acl fixes

application/Espo/Classes/Acl/Portal/AccessChecker.php

@@ -0,0 +1,72 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM - Open Source CRM application.
+ * Copyright (C) 2014-2021 Yurii Kuznietsov, Taras Machyshyn, Oleksii Avramenko
+ * Website: https://www.espocrm.com
+ *
+ * EspoCRM is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * EspoCRM is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with EspoCRM. If not, see http://www.gnu.org/licenses/.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Classes\Acl\Portal;
+
+use Espo\Entities\User;
+
+use Espo\ORM\Entity;
+
+use Espo\Core\{
+    Acl\ScopeData,
+    Acl\DefaultAccessChecker,
+    Acl\AccessEntityCREDChecker,
+    Acl\Traits\DefaultAccessCheckerDependency,
+    Acl\Table,
+    AclManager,
+};
+
+class AccessChecker implements AccessEntityCREDChecker
+{
+    use DefaultAccessCheckerDependency;
+
+    private $defaultAccessChecker;
+
+    private $aclManager;
+
+    public function __construct(DefaultAccessChecker $defaultAccessChecker, AclManager $aclManager)
+    {
+        $this->defaultAccessChecker = $defaultAccessChecker;
+        $this->aclManager = $aclManager;
+    }
+
+    public function checkRead(User $user, ScopeData $data): bool
+    {
+        $level = $this->aclManager->getPermissionLevel($user, 'portal');
+
+        return $level === Table::LEVEL_YES;
+    }
+
+    public function checkEntityRead(User $user, Entity $entity, ScopeData $data): bool
+    {
+        $level = $this->aclManager->getPermissionLevel($user, 'portal');
+
+        return $level === Table::LEVEL_YES;
+    }
+}

application/Espo/Resources/metadata/aclDefs/Portal.json

@@ -0,0 +1,3 @@
+{
+    "accessCheckerClassName": "Espo\\Classes\\Acl\\Portal\\AccessChecker"
+}

application/Espo/Resources/metadata/app/acl.json

@@ -116,6 +116,18 @@
                 "read": "all",
                 "edit": "all",
                 "delete": "all"
+            },
+            "Job": {
+                "create": "no",
+                "read": "all",
+                "edit": "no",
+                "delete": "all"
+            },
+            "Extension": {
+                "create": "no",
+                "read": "all",
+                "edit": "no",
+                "delete": "all"
             }
         }
     },

application/Espo/Services/Record.php

@@ -407,7 +407,7 @@ class Record implements Crud,
      */
     public function read(string $id): Entity
     {
-        if (!$this->acl->check($this->entityType)) {
+        if (!$this->acl->check($this->entityType, AclTable::ACTION_READ)) {
             throw new ForbiddenSilent();
         }
 
@@ -1010,7 +1010,7 @@ class Record implements Crud,
      */
     public function create(StdClass $data): Entity
     {
-        if (!$this->acl->check($this->entityType)) {
+        if (!$this->acl->check($this->entityType, AclTable::ACTION_CREATE)) {
             throw new ForbiddenSilent();
         }
 
@@ -1059,7 +1059,7 @@ class Record implements Crud,
      */
     public function update(string $id, StdClass $data): Entity
     {
-        if (!$this->acl->check($this->entityType)) {
+        if (!$this->acl->check($this->entityType, AclTable::ACTION_EDIT)) {
             throw new ForbiddenSilent();
         }
 
@@ -1140,7 +1140,10 @@ class Record implements Crud,
 
     public function delete(string $id): void
     {
-        if (!$this->acl->check($this->entityType)) {
+        if (
+            !$this->acl->check($this->entityType, AclTable::ACTION_DELETE) &&
+            !$this->acl->check($this->entityType, AclTable::ACTION_EDIT)
+        ) {
             throw new ForbiddenSilent();
         }
 
@@ -1199,7 +1202,7 @@ class Record implements Crud,
      */
     public function find(array $params): RecordCollection
     {
-        if (!$this->acl->check($this->entityType)) {
+        if (!$this->acl->check($this->entityType, AclTable::ACTION_READ)) {
             throw new ForbiddenSilent();
         }
 
@@ -1331,7 +1334,7 @@ class Record implements Crud,
      */
     public function findLinked(string $id, string $link, array $params): RecordCollection
     {
-        if (!$this->acl->check($this->entityType)) {
+        if (!$this->acl->check($this->entityType, AclTable::ACTION_READ)) {
             throw new ForbiddenSilent("No access.");
         }
 
@@ -1502,10 +1505,9 @@ class Record implements Crud,
             if (!$this->acl->check($entity, AclTable::ACTION_READ)) {
                 throw new Forbidden();
             }
-        } else {
-            if (!$this->acl->check($entity, AclTable::ACTION_EDIT)) {
-                throw new Forbidden();
-            }
+        }
+        else if (!$this->acl->check($entity, AclTable::ACTION_EDIT)) {
+            throw new Forbidden();
         }
 
         $methodName = 'link' . ucfirst($link);
@@ -1627,7 +1629,7 @@ class Record implements Crud,
 
     public function linkFollowers(string $id, string $foreignId): void
     {
-        if (!$this->acl->check($this->entityType)) {
+        if (!$this->acl->check($this->entityType, AclTable::ACTION_EDIT)) {
             throw new Forbidden();
         }
 
@@ -1680,7 +1682,7 @@ class Record implements Crud,
 
     public function unlinkFollowers(string $id, string $foreignId): void
     {
-        if (!$this->acl->check($this->entityType)) {
+        if (!$this->acl->check($this->entityType, AclTable::ACTION_EDIT)) {
             throw new Forbidden();
         }
 
@@ -1729,7 +1731,7 @@ class Record implements Crud,
 
     public function massLink(string $id, string $link, array $where, ?array $selectData = null)
     {
-        if (!$this->acl->check($this->entityType)) {
+        if (!$this->acl->check($this->entityType, AclTable::ACTION_EDIT)) {
             throw new Forbidden();
         }
 
@@ -1881,7 +1883,7 @@ class Record implements Crud,
      */
     public function follow(string $id, ?string $userId = null)
     {
-        if (!$this->acl->check($this->entityType)) {
+        if (!$this->acl->check($this->entityType, AclTable::ACTION_STREAM)) {
             throw new Forbidden();
         }
 
@@ -2066,6 +2068,10 @@ class Record implements Crud,
      */
     public function merge(string $id, array $sourceIdList, StdClass $data): void
     {
+        if (!$this->acl->check($this->entityType, AclTable::ACTION_EDIT)) {
+            throw new Forbidden("No edit access.");
+        }
+
         if (!$id) {
             throw new Error("No ID passed.");
         }

application/Espo/Tools/Kanban/KanbanService.php

@@ -35,6 +35,7 @@ use Espo\Core\{
     Utils\Config,
     Utils\Metadata,
     Exceptions\ForbiddenSilent,
+    Acl\Table,
 };
 
 use Espo\Entities\User;
@@ -123,7 +124,7 @@ class KanbanService
             throw new Forbidden("Non-object entitis are not supported.");
         }
 
-        if (!$this->aclManager->check($this->user, $entityType, 'read')) {
+        if (!$this->aclManager->check($this->user, $entityType, Table::ACTION_READ)) {
             throw new ForbiddenSilent();
         }
     }