From ecc6e9f4eccf03b9d18e70e6957d9f14ea89dfd0 Mon Sep 17 00:00:00 2001
From: yuri
Date: Thu, 29 Oct 2015 15:20:55 +0200
Subject: [PATCH] restrict access to mention
---
 application/Espo/Hooks/Note/Mentions.php | 3 +
 frontend/client/src/views/note/fields/post.js | 65 +++++++++++--------
 frontend/client/src/views/stream/panel.js | 63 ++++++++++--------
 .../client/src/views/stream/record/edit.js | 2 +-
 4 files changed, 79 insertions(+), 54 deletions(-)
diff --git a/application/Espo/Hooks/Note/Mentions.php b/application/Espo/Hooks/Note/Mentions.php
index 0e0237e704..44c38ad1f8 100644
--- a/application/Espo/Hooks/Note/Mentions.php
+++ b/application/Espo/Hooks/Note/Mentions.php
@@ -63,6 +63,9 @@ class Mentions extends \Espo\Core\Hooks\Base
 $userName = substr($item, 1);
 $user = $this->getEntityManager()->getRepository('User')->where(array('userName' => $userName))->findOne();
 if ($user) {
+ if (!$this->getAcl()->checkPermission('assignmentPermission', $user)) {
+ continue;
+ }
 $m = array(
 'id' => $user->id,
 'name' => $user->get('name'),
diff --git a/frontend/client/src/views/note/fields/post.js b/frontend/client/src/views/note/fields/post.js
index e07ff178e8..aba6b87211 100644
--- a/frontend/client/src/views/note/fields/post.js
+++ b/frontend/client/src/views/note/fields/post.js
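Review bot: The hook looks the mentioned user up by `userName` alone and the added guard applies only `checkPermission('assignmentPermission', $user)`, so a hand-typed `@userName` of an inactive user is still recorded even though the new client-side autocomplete in post.js and panel.js only offers active users (`primaryFilter=active`). Those client filters only shape the suggestion list, so this hook is the single enforcement point and has to carry every restriction the UI applies; if inactive users should not be mentionable, add an `isActive` check next to the ACL check. A rejected mention is also dropped silently while the literal `@userName` text stays in the post, which deserves a comment such as `// mention of a user the author may not assign to is ignored; the post text is left unchanged`. The enclosing loop and method start and end outside the hunk.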
@@ -49,35 +49,46 @@ Espo.define('views/note/fields/post', ['views/fields/text', 'lib!Textcomplete'], Dep.prototype.afterRender.call(this); this.$element.attr('placeholder', this.translate('writeMessage', 'messages', 'Note')); - this.$element.textcomplete([{ - match: /(^|\s)@(\w*)$/, - search: function (term, callback) { - if (term.length == 0) { - callback([]); - return; + var assignmentPermission = this.getAcl().get('assignmentPermission'); + + var buildUserListUrl = function (term) { + var url = 'User?orderBy=name&limit=7&q=' + term + '&' + $.param({'primaryFilter': 'active'}); + if (assignmentPermission == 'team') { + url += '&' + $.param({'boolFilterList': ['onlyMyTeam']}) + } + return url; + }.bind(this); + + if (assignmentPermission !== 'no') { + this.$element.textcomplete([{ + match: /(^|\s)@(\w*)$/, + search: function (term, callback) { + if (term.length == 0) { + callback([]); + return; + } + $.ajax({ + url: buildUserListUrl(term) + }).done(function (data) { + callback(data.list) + }); + }, + template: function (mention) { + return mention.name + ' @' + mention.userName + ''; + }, + replace: function (o) { + return '$1@' + o.userName + ''; } - $.ajax({ - url: 'User?orderBy=name&limit=7&q=' + term, + }],{ + zIndex: 1100 + }); - }).done(function (data) { - callback(data.list) - }); - }, - template: function (mention) { - return mention.name + ' @' + mention.userName + ''; - }, - replace: function (o) { - return '$1@' + o.userName + ''; - } - }],{ - zIndex: 1100 - }); - - this.once('remove', function () { - if (this.$element.size()) { - this.$element.textcomplete('destroy'); - } - }, this); + this.once('remove', function () { + if (this.$element.size()) { + this.$element.textcomplete('destroy'); + } + }, this); + } }, validateRequired: function () { diff --git a/frontend/client/src/views/stream/panel.js b/frontend/client/src/views/stream/panel.js index fea1959f22..a0410c1ecd 100644 --- a/frontend/client/src/views/stream/panel.js 
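Review bot: `buildUserListUrl` still splices `term` into the query string by concatenation (`'User?orderBy=name&limit=7&q=' + term`) while the other parameters go through `$.param`; `term` is currently confined to `\w*` by the `match` regex, but that is an implicit coupling, so build the whole query in one place: `var url = 'User?' + $.param({orderBy: 'name', limit: 7, q: term, primaryFilter: 'active'});`. The `url += ...` line in the `'team'` branch is missing its semicolon, and the `.bind(this)` on the helper is unnecessary since the function never uses `this`. `assignmentPermission == 'team'` uses loose equality while the gate below uses `!== 'no'`; use `===` in both. The same helper appears verbatim in the panel.js hunk, where all of this applies as well. These checks only shape the autocomplete; the restriction itself is enforced by the server-side hook in Mentions.php.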
+++ b/frontend/client/src/views/stream/panel.js @@ -153,34 +153,45 @@ Espo.define('views/stream/panel', ['views/record/panels/relationship', 'lib!Text collection.fetch(); } - this.$textarea.textcomplete([{ - match: /(^|\s)@(\w*)$/, - index: 2, - search: function (term, callback) { - if (term.length == 0) { - callback([]); - return; + var assignmentPermission = this.getAcl().get('assignmentPermission'); + + var buildUserListUrl = function (term) { + var url = 'User?orderBy=name&limit=7&q=' + term + '&' + $.param({'primaryFilter': 'active'}); + if (assignmentPermission == 'team') { + url += '&' + $.param({'boolFilterList': ['onlyMyTeam']}) + } + return url; + }.bind(this); + + if (assignmentPermission !== 'no') { + this.$textarea.textcomplete([{ + match: /(^|\s)@(\w*)$/, + index: 2, + search: function (term, callback) { + if (term.length == 0) { + callback([]); + return; + } + $.ajax({ + url: buildUserListUrl(term), + }).done(function (data) { + callback(data.list) + }); + }, + template: function (mention) { + return mention.name + ' @' + mention.userName + ''; + }, + replace: function (o) { + return '$1@' + o.userName + ''; } - $.ajax({ - url: 'User?orderBy=name&limit=7&q=' + term, + }]); - }).done(function (data) { - callback(data.list) - }); - }, - template: function (mention) { - return mention.name + ' @' + mention.userName + ''; - }, - replace: function (o) { - return '$1@' + o.userName + ''; - } - }]); - - this.once('remove', function () { - if (this.$textarea.size()) { - this.$textarea.textcomplete('destroy'); - } - }, this); + this.once('remove', function () { + if (this.$textarea.size()) { + this.$textarea.textcomplete('destroy'); + } + }, this); + } $a = this.$el.find('.buttons-panel a.stream-post-info'); diff --git a/frontend/client/src/views/stream/record/edit.js b/frontend/client/src/views/stream/record/edit.js index aedb2991c7..136278471c 100644 --- a/frontend/client/src/views/stream/record/edit.js +++ b/frontend/client/src/views/stream/record/edit.js 
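Review bot: The `buildUserListUrl` helper and the `assignmentPermission !== 'no'` gate are copied verbatim from post.js with only `this.$textarea` and `index: 2` differing, so the two mention widgets will drift the next time the user-lookup filters change; consider moving the URL builder and the textcomplete config it feeds into one shared helper that both views require. Separately, `template` concatenates `mention.name` and `mention.userName` into a string that textcomplete uses as dropdown markup; if that output is inserted as HTML, user display names are server data that other users can set and should be HTML-escaped here rather than trusted. The enclosing method continues past the hunk (`$a = this.$el.find(...)`).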
@@ -154,7 +154,7 @@ Espo.define('views/stream/record/edit', 'views/record/base', function (Dep) {
 $('body').off('click.stream-create-post');
 $('body').on('click.stream-create-post', function (e) {
 if ($.contains(window.document.body, e.target) && !$.contains(this.$el.get(0), e.target) && !$(e.target).closest('.modal-dialog').size()) {
- if (this.getView('post').$element.val() == '') {
+ if (this.hasView('post') && this.getView('post').$element.val() == '') {
 if (!(this.model.get('attachmentsIds') || []).length) {
 this.disablePostingMode();
 }
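Review bot: The added `hasView('post')` guard removes the null dereference, but the comparison it protects still uses `== ''`; jQuery's `.val()` returns `undefined` when `$element` matches nothing, and `undefined == ''` is false, so in that case posting mode would stay enabled even though there is nothing to preserve. If an empty `$element` is possible here, compare with `!this.getView('post').$element.val()` (or check `.size()` first); otherwise use `===` to match the strict comparisons elsewhere in the commit. The click handler and the surrounding method start and end outside the hunk.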