pcwvanbeers/assetmgt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refactor user role permission checks to utilize a unified 'user' scope for access control. Update user management permissions in user.php and users.php for consistency. Enhance listPartner function to apply hierarchy-based restrictions for partner retrieval.

Browse Source
This commit is contained in:
“VeLiTi”
2026-01-29 20:01:46 +01:00
parent 2dd054d145
commit 3043076dba
4 changed files with 31 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
api/v2/post/user_role_assignments.php
View File

@@ -17,7 +17,7 @@ $date = date('Y-m-d H:i:s');
//------------------------------------------
// BATCH UPDATE - Update all roles for a user
//------------------------------------------
if (isset($post_content['batch_update']) && isset($post_content['user_id']) && isAllowed('user_manage',$profile,$permission,'U') === 1){
if (isset($post_content['batch_update']) && isset($post_content['user_id']) && isAllowed('user',$profile,$permission,'U') === 1){
$user_id = $post_content['user_id'];
$selected_roles = $post_content['roles'] ?? [];
@@ -105,13 +105,13 @@ else {
$input_insert = substr($input_insert, 1);
//QUERY AND VERIFY ALLOWED
if ($command == 'update' && isAllowed('user_manage',$profile,$permission,'U') === 1){
if ($command == 'update' && isAllowed('user',$profile,$permission,'U') === 1){
$sql = 'UPDATE user_role_assignments SET '.$clause.' WHERE rowID = ?';
$execute_input[] = $id;
$stmt = $pdo->prepare($sql);
$stmt->execute($execute_input);
}
elseif ($command == 'insert' && isAllowed('user_manage',$profile,$permission,'C') === 1){
elseif ($command == 'insert' && isAllowed('user',$profile,$permission,'C') === 1){
//Check if this user-role combination already exists (including inactive ones)
$stmt = $pdo->prepare('SELECT rowID, is_active FROM user_role_assignments WHERE user_id = ? AND role_id = ? LIMIT 1');
$stmt->execute([$post_content['user_id'], $post_content['role_id']]);
@@ -131,7 +131,7 @@ else {
$stmt->execute($execute_input);
}
}
elseif ($command == 'delete' && isAllowed('user_manage',$profile,$permission,'D') === 1){
elseif ($command == 'delete' && isAllowed('user',$profile,$permission,'D') === 1){
//Soft delete by setting is_active to 0
$stmt = $pdo->prepare('UPDATE user_role_assignments SET is_active = 0, updatedby = ?, updated = ? WHERE rowID = ?');
$stmt->execute([$username, $date, $id]);