From 21f037764ff1c598aca32690b9589720747f02f7 Mon Sep 17 00:00:00 2001
From: Johan Cwiklinski
Date: Sat, 30 Mar 2024 07:39:50 +0100
Subject: [PATCH] Make NOBODY visible documents accessible from configuration to admins

closes #1815
---
 galette/lib/Galette/Entity/Document.php       |  15 ++-
 tests/Galette/Entity/tests/units/Document.php | 109 +++++++++++++++++-
 2 files changed, 117 insertions(+), 7 deletions(-)

diff --git a/galette/lib/Galette/Entity/Document.php b/galette/lib/Galette/Entity/Document.php
index f62ff11ad..1a8f4aaca 100644
--- a/galette/lib/Galette/Entity/Document.php
+++ b/galette/lib/Galette/Entity/Document.php
@@ -73,6 +73,7 @@ class Document implements FileInterface
     private ?string $comment = null;
     /** @var array */
     private array $errors = [];
+    private bool $public_list = false;
 
     /**
      * Main constructor
@@ -129,12 +130,12 @@ class Document implements FileInterface
      *
      * @throws Throwable
      */
-    public static function getList(string $type = null): array
+    public function getList(string $type = null): array
     {
-        global $zdb, $login;
+        global $login;
 
         try {
-            $select = $zdb->select(self::TABLE);
+            $select = $this->zdb->select(self::TABLE);
 
             if ($type !== null) {
                 $select->where(['type' => $type]);
@@ -142,14 +143,15 @@ class Document implements FileInterface
             $select->order(self::PK);
 
-            $results = $zdb->execute($select);
+            $results = $this->zdb->execute($select);
             $documents = [];
 
             $access_level = $login->getAccessLevel();
             foreach ($results as $r) {
                 // skip entries according to access control
                 if (
-                    $r->visible == FieldsConfig::NOBODY ||
+                    $r->visible == FieldsConfig::NOBODY &&
+                    ($this->public_list === true || ($this->public_list === false && !$login->isAdmin())) ||
                     ($r->visible == FieldsConfig::ADMIN && $access_level < Authentication::ACCESS_ADMIN) ||
                     ($r->visible == FieldsConfig::STAFF && 
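Review bot: The new signature `public function getList(string $type = null): array` keeps the implicitly-nullable parameter, which PHP 8.4 deprecates; since the line is being rewritten anyway it should read `public function getList(?string $type = null): array`. Turning the method from `static` into an instance method is also an API break for any remaining `Document::getList()` call sites, which this diff does not show being updated, so it is worth a grep before merging. The method still reads `$login` through `global`, while `$zdb` is now taken from the instance; moving both to injected state would be the consistent end point. getList()'s body continues outside this hunk.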
@@ -162,7 +164,7 @@ class Document implements FileInterface
                     continue;
                 }
-                $documents[$r->{self::PK}] = new Document($zdb, $r);
+                $documents[$r->{self::PK}] = new Document($this->zdb, $r);
             }
             return $documents;
         } catch (Throwable $e) {
@@ -184,6 +186,7 @@ class Document implements FileInterface
      */
     public function getTypedList(): array
     {
+        $this->public_list = true;
         $list = $this->getList();
 
         $sys_types = $this->getSystemTypes(false);
diff --git a/tests/Galette/Entity/tests/units/Document.php b/tests/Galette/Entity/tests/units/Document.php
index b0ae7cb28..7ae9b9371 100644
--- a/tests/Galette/Entity/tests/units/Document.php
+++ b/tests/Galette/Entity/tests/units/Document.php
@@ -176,7 +176,7 @@ class Document extends GaletteTestCase
         $post = [
             'document_type' => 'An other document type',
             'comment' => '',
-            'visible' => \Galette\Entity\FieldsConfig::ADMIN
+            'visible' => \Galette\Entity\FieldsConfig::STAFF
         ];
         $this->assertTrue($document->store($post, $_FILES));
 
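Review bot: `$this->public_list = true;` in getTypedList() is written and, as far as this diff shows, never cleared, so once a Document instance has produced one typed listing every later getList() on that same instance behaves as a public listing and hides NOBODY documents from admins as well; a per-call choice has become persistent instance state, and the order of calls on a shared instance now changes the access-control outcome. The flag only feeds the NOBODY branch of getList()'s filter, so passing it explicitly is simpler and safer than storing it: `public function getList(?string $type = null, bool $public = false): array`, with the condition testing `$public || !$login->isAdmin()`, and getTypedList() calling `$this->getList(null, true)`. If keeping the property is deliberate, at least reset it in a `finally` around the getList() call and say so in a comment on the property, e.g. `/** When true, NOBODY documents are hidden even from admins (public listings). Sticky once set. */`. The body of getTypedList() continues outside the hunk.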
@@ -197,5 +197,112 @@ class Document extends GaletteTestCase
         $this->assertArrayHasKey('An other document type', $tlist);
         $this->assertCount(1, $tlist[\Galette\Entity\Document::STATUS]);
         $this->assertCount(1, $tlist['An other document type']);
+        $this->assertTrue($this->login->logOut());
+
+        //logged in regular member document
+        $document = $this->getDocumentInstance();
+        $_FILES['document_file'] = [
+            'error' => UPLOAD_ERR_OK,
+            'name' => 'member.pdf',
+            'tmp_name' => '/tmp/member.pdf',
+            'size' => 4096
+        ];
+        $post = [
+            'document_type' => \Galette\Entity\Document::MINUTES,
+            'comment' => '',
+            'visible' => \Galette\Entity\FieldsConfig::USER_READ
+        ];
+        $this->assertTrue($document->store($post, $_FILES));
+
+        //inaccessible document
+        $document = $this->getDocumentInstance();
+        $_FILES['document_file'] = [
+            'error' => UPLOAD_ERR_OK,
+            'name' => 'noaccess.pdf',
+            'tmp_name' => '/tmp/noaccess.pdf',
+            'size' => 4096
+        ];
+        $post = [
+            'document_type' => \Galette\Entity\Document::MINUTES,
+            'comment' => '',
+            'visible' => \Galette\Entity\FieldsConfig::NOBODY
+        ];
+        $this->assertTrue($document->store($post, $_FILES));
+
+        //test list - not authenticated
+        $list = $document->getList();
+        $this->assertCount(1, $list);
+
+        //test list - authenticated. noaccess doc should be present
+        $this->logSuperAdmin();
+        $list = $document->getList();
+        $this->assertCount(4, $list);
+
+        //test list by type (for public pages) - noaccess doc should not be present.
+        $tlist = $document->getTypedList();
+        $this->assertCount(3, $tlist);
+        $this->assertArrayHasKey(\Galette\Entity\Document::STATUS, $tlist);
+        $this->assertCount(1, $tlist[\Galette\Entity\Document::STATUS]);
+        $this->assertCount(1, $tlist['An other document type']);
+        $this->assertCount(1, $tlist[\Galette\Entity\Document::MINUTES]);
+        $this->login->logOut();
+
+        global $login;
+        $login = $this->getMockBuilder(\Galette\Core\Login::class)
+            ->setConstructorArgs(array($this->zdb, new \Galette\Core\I18n()))
+            ->onlyMethods(array('isLogged', 'isStaff', 'isAdmin', 'isSuperAdmin'))
+            ->getMock();
+
+        $login->method('isLogged')->willReturn(true);
+        $login->method('isStaff')->willReturn(true);
+        $login->method('isAdmin')->willReturn(false);
+        $login->method('isSuperAdmin')->willReturn(false);
+
+        //test list - authenticated, but not admin. noaccess doc should not be present
+        $list = $document->getList();
+        $this->assertCount(3, $list);
+
+        //test list by type (for public pages) - noaccess doc should not be present.
+        $tlist = $document->getTypedList();
+        $this->assertCount(3, $tlist);
+
+        //regular user
+        $login = $this->getMockBuilder(\Galette\Core\Login::class)
+            ->setConstructorArgs(array($this->zdb, new \Galette\Core\I18n()))
+            ->onlyMethods(array('isLogged', 'isStaff', 'isAdmin', 'isSuperAdmin'))
+            ->getMock();
+
+        $login->method('isLogged')->willReturn(true);
+        $login->method('isStaff')->willReturn(false);
+        $login->method('isAdmin')->willReturn(false);
+        $login->method('isSuperAdmin')->willReturn(false);
+
+        //test list - authenticated, but not admin nor staff
+        $list = $document->getList();
+        $this->assertCount(2, $list);
+
+        //test list by type (for public pages)
+        $tlist = $document->getTypedList();
+        $this->assertCount(2, $tlist);
+
+        //non logged in user
+        $login = $this->getMockBuilder(\Galette\Core\Login::class)
+            ->setConstructorArgs(array($this->zdb, new \Galette\Core\I18n()))
+            ->onlyMethods(array('isLogged', 'isStaff', 'isAdmin', 'isSuperAdmin'))
+            ->getMock();
+
+        $login->method('isLogged')->willReturn(false);
+        $login->method('isStaff')->willReturn(false);
+        $login->method('isAdmin')->willReturn(false);
+        $login->method('isSuperAdmin')->willReturn(false);
+
+        //test list - authenticated, but not admin. noaccess doc should not be present
+        $this->logSuperAdmin();
+        $list = $document->getList();
+        $this->assertCount(1, $list);
+
+        //test list by type (for public pages) - noaccess doc should not be present.
+        $tlist = $document->getTypedList();
+        $this->assertCount(1, $tlist);
     }
 }
-- 
2.39.2
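Review bot: The last case of the new test contradicts itself: the comment says `//test list - authenticated, but not admin` and `$this->logSuperAdmin()` is called right after a not-logged-in mock has been installed as the global `$login`, yet the assertion expects the unauthenticated count of 1 — that only holds if logSuperAdmin() leaves the global mock untouched, which nothing in the diff shows. Drop that `logSuperAdmin()` call and make the comment say what is asserted, e.g. `//test list - not authenticated. only the public doc should be present`. The admin expectation `$this->assertCount(4, $list)` also passes only because getList() runs before getTypedList() on the same `$document`: getTypedList() sets `public_list` and nothing in the diff clears it, so the reverse order would yield 3 — either use a fresh instance per listing or add an explicit assertion for that stickiness so the behaviour is pinned rather than accidental. Finally, the mocks stub only `isLogged/isStaff/isAdmin/isSuperAdmin`, while getList() drives its ADMIN and STAFF branches from `$login->getAccessLevel()`, which therefore runs the real implementation on the partially-built mock; adding `getAccessLevel` to `onlyMethods` and stubbing it per role would make the staff and member counts depend only on what the test controls.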