pcwvanbeers/assetmgt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refactor user role permission checks to utilize a unified 'user' scope for access control. Update user management permissions in user.php and users.php for consistency. Enhance listPartner function to apply hierarchy-based restrictions for partner retrieval.

Browse Source
This commit is contained in:
“VeLiTi”
2026-01-29 20:01:46 +01:00
parent 2dd054d145
commit 3043076dba
4 changed files with 31 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
api/v2/post/user_role_assignments.php
View File

@@ -17,7 +17,7 @@ $date = date('Y-m-d H:i:s');
//------------------------------------------ //------------------------------------------
// BATCH UPDATE - Update all roles for a user // BATCH UPDATE - Update all roles for a user
//------------------------------------------ //------------------------------------------
if (isset($post_content['batch_update']) && isset($post_content['user_id']) && isAllowed('user_manage',$profile,$permission,'U') === 1){ if (isset($post_content['batch_update']) && isset($post_content['user_id']) && isAllowed('user',$profile,$permission,'U') === 1){
$user_id = $post_content['user_id']; $user_id = $post_content['user_id'];
$selected_roles = $post_content['roles'] ?? []; $selected_roles = $post_content['roles'] ?? [];
@@ -105,13 +105,13 @@ else {
$input_insert = substr($input_insert, 1); $input_insert = substr($input_insert, 1);
//QUERY AND VERIFY ALLOWED //QUERY AND VERIFY ALLOWED
if ($command == 'update' && isAllowed('user_manage',$profile,$permission,'U') === 1){ if ($command == 'update' && isAllowed('user',$profile,$permission,'U') === 1){
$sql = 'UPDATE user_role_assignments SET '.$clause.' WHERE rowID = ?'; $sql = 'UPDATE user_role_assignments SET '.$clause.' WHERE rowID = ?';
$execute_input[] = $id; $execute_input[] = $id;
$stmt = $pdo->prepare($sql); $stmt = $pdo->prepare($sql);
$stmt->execute($execute_input); $stmt->execute($execute_input);
} }
elseif ($command == 'insert' && isAllowed('user_manage',$profile,$permission,'C') === 1){ elseif ($command == 'insert' && isAllowed('user',$profile,$permission,'C') === 1){
//Check if this user-role combination already exists (including inactive ones) //Check if this user-role combination already exists (including inactive ones)
$stmt = $pdo->prepare('SELECT rowID, is_active FROM user_role_assignments WHERE user_id = ? AND role_id = ? LIMIT 1'); $stmt = $pdo->prepare('SELECT rowID, is_active FROM user_role_assignments WHERE user_id = ? AND role_id = ? LIMIT 1');
$stmt->execute([$post_content['user_id'], $post_content['role_id']]); $stmt->execute([$post_content['user_id'], $post_content['role_id']]);
@@ -131,7 +131,7 @@ else {
$stmt->execute($execute_input); $stmt->execute($execute_input);
} }
} }
elseif ($command == 'delete' && isAllowed('user_manage',$profile,$permission,'D') === 1){ elseif ($command == 'delete' && isAllowed('user',$profile,$permission,'D') === 1){
//Soft delete by setting is_active to 0 //Soft delete by setting is_active to 0
$stmt = $pdo->prepare('UPDATE user_role_assignments SET is_active = 0, updatedby = ?, updated = ? WHERE rowID = ?'); $stmt = $pdo->prepare('UPDATE user_role_assignments SET is_active = 0, updatedby = ?, updated = ? WHERE rowID = ?');
$stmt->execute([$username, $date, $id]); $stmt->execute([$username, $date, $id]);

29
assets/functions.php
View File

@@ -2847,28 +2847,37 @@ function serviceReport($history, $request, $country_code)
//------------------------------------------ //------------------------------------------
// LIST PARTNER // LIST PARTNER
//------------------------------------------ //------------------------------------------
function listPartner($partnertype, $user_right, $input, $required) function listPartner($partnertype, $user_right = null, $input, $required)
{ {
include dirname(__FILE__,2).'/settings/settings_redirector.php'; include dirname(__FILE__,2).'/settings/settings_redirector.php';
//BASED ON USERRIGHT DEFINE SQL AND DATA RETURNED // Use hierarchy level instead of user_right
if ($user_right != 3 || $user_right !=4) {
//NOT ADMIN USER
$partner = json_decode($_SESSION['authorization']['partnerhierarchy']); $partner = json_decode($_SESSION['authorization']['partnerhierarchy']);
//SoldTo is empty $hierarchyLevel = getHierarchyLevel($partner);
if (empty($partner->soldto) || $partner->soldto == ''){$soldto_search = '%';} else {$soldto_search = '-%';}
//BUILD CONDITION // Only apply restrictions if hierarchy level is not 0 or 1
$condition = '__salesid___'.$partner->salesid.'___soldto___'.substr($partner->soldto, 0, strpos($partner->soldto, "-")).$soldto_search; if ($hierarchyLevel != 0 && $hierarchyLevel != 1) {
// Build condition based on hierarchy
$condition = buildHierarchyConditionLvl2($partner, $hierarchyLevel);
$whereclause = 'AND salesID like ?'; $whereclause = 'AND salesID like ?';
} } else {
else {//ADMIN USERS // Level 0 or 1: No restrictions or salesid-only level
$whereclause = ''; $whereclause = '';
$condition = '';
} }
$pdo = dbConnect($dbname); $pdo = dbConnect($dbname);
if ($whereclause != '') {
$sql = 'SELECT distinct partnerID, partnername FROM partner WHERE partnertype = ? AND status = 1 '.$whereclause.''; $sql = 'SELECT distinct partnerID, partnername FROM partner WHERE partnertype = ? AND status = 1 '.$whereclause.'';
$stmt = $pdo->prepare($sql); $stmt = $pdo->prepare($sql);
$stmt->execute([$partnertype, $condition]); $stmt->execute([$partnertype, $condition]);
} else {
$sql = 'SELECT distinct partnerID, partnername FROM partner WHERE partnertype = ? AND status = 1';
$stmt = $pdo->prepare($sql);
$stmt->execute([$partnertype]);
}
$partners = $stmt->fetchAll(PDO::FETCH_ASSOC); $partners = $stmt->fetchAll(PDO::FETCH_ASSOC);
if ($input !='' && !empty($input)){ if ($input !='' && !empty($input)){

5
user.php
View File

@@ -21,10 +21,9 @@ if (isAllowed($page,$_SESSION['authorization']['permissions'],$_SESSION['authori
} }
//PAGE Security //PAGE Security
$page_manage = 'user_manage';
$update_allowed = isAllowed($page ,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'U'); $update_allowed = isAllowed($page ,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'U');
$delete_allowed = isAllowed($page_manage ,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'D'); $delete_allowed = isAllowed($page ,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'D');
$create_allowed = isAllowed($page_manage ,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'C'); $create_allowed = isAllowed($page ,$_SESSION['authorization']['permissions'],$_SESSION['authorization']['permission'],'C');
//GET Details from URL //GET Details from URL
$user_ID = $_GET['id'] ?? ''; $user_ID = $_GET['id'] ?? '';

4
users.php
View File

@@ -133,8 +133,6 @@ $view .= '
<th class="responsive-hidden">'.$User_service.'</th> <th class="responsive-hidden">'.$User_service.'</th>
<th>'.$User_username.'</th> <th>'.$User_username.'</th>
<th>'.$User_partnerhierarchy.'</th> <th>'.$User_partnerhierarchy.'</th>
<th>'.$User_permission.'</th>
<th>'.$User_profile.'</th>
<th class="responsive-hidden">'.$User_lastlogin.'</th> <th class="responsive-hidden">'.$User_lastlogin.'</th>
</tr> </tr>
</thead> </thead>
@@ -164,8 +162,6 @@ $view .= '
<td class="responsive-hidden">'.(($response->service && $response->service !='')? '<span class="status enabled">'.$enabled:'<span class="status">'.$disabled).'</td> <td class="responsive-hidden">'.(($response->service && $response->service !='')? '<span class="status enabled">'.$enabled:'<span class="status">'.$disabled).'</td>
<td>'.$response->username.'</td> <td>'.$response->username.'</td>
<td>'.$partner_hierarchy.'</td> <td>'.$partner_hierarchy.'</td>
<td>'.$$permission_user.'</td>
<td>'.$response->settings.'</td>
<td class="responsive-hidden">'.getRelativeTime($response->lastlogin).'</td> <td class="responsive-hidden">'.getRelativeTime($response->lastlogin).'</td>
</tr> </tr>
'; ';