Fixed issue #14513: Permissions on shared participants (CPDB)
ptelu committed May 8, 2019
1 parent 4c56d20 commit 70d03f7
Showing 3 changed files with 183 additions and 131 deletions.
7 changes: 4 additions & 3 deletions application/controllers/admin/participantsaction.php
Expand Up @@ -343,7 +343,7 @@ public function displayParticipants()
Yii::app()->clientScript->registerPackage('bootstrap-datetimepicker');
Yii::app()->clientScript->registerPackage('bootstrap-switch');

$aData['massiveAction'] = App()->getController()->renderPartial('/admin/participants/massive_actions/_selector', array(), true, false);
$aData['massiveAction'] = App()->getController()->renderPartial('/admin/participants/massive_actions/_selector', array('participantOwnerUid' => $participantParam['owner_uid'] ?? ''), true, false);


@olleharstedt

olleharstedt May 9, 2019

Contributor

?? syntax not available on PHP 5.6. Please fix.


// Set page size
if ($request->getPost('pageSizeParticipantView')) {
Expand All @@ -362,7 +362,8 @@ public function displayParticipants()
public function deleteParticipant()
{
// Abort if no permission
if (!Permission::model()->hasGlobalPermission('participantpanel', 'delete')) {
$deletePermission = Permission::model()->hasGlobalPermission('participantpanel', 'delete');
if (!$deletePermission) {
ls\ajax\AjaxHelper::outputNoPermission();
}

Expand All @@ -383,7 +384,7 @@ public function deleteParticipant()
// Deletes from participants only
$deletedParticipants = null;
if ($selectoption == 'po') {
$deletedParticipants = Participant::model()->deleteParticipants($participantIds);
$deletedParticipants = Participant::model()->deleteParticipants($participantIds, !$deletePermission);
}
// Deletes from central and survey participants table
else if ($selectoption == 'ptt') {
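Review bot: The permission guard at the top of deleteParticipant() has no `return;` after `ls\ajax\AjaxHelper::outputNoPermission();`, so the abort promised by the comment depends entirely on that helper terminating the request; if it only writes the response, execution reaches the deletion code for a user without the permission. An explicit `return;` after the call keeps the check fail-closed regardless of how the helper behaves. Once the guard is known to stop execution, the `!$deletePermission` passed to `deleteParticipants()` in the `po` branch is always `false`, so a literal `false` (as deleteParticipantTokenAnswer() already passes) would state the intent more plainly; if the guard is deliberately non-terminating, that argument is doing real work and the comment above it should say so. The body of deleteParticipant() continues outside the hunk.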
86 changes: 47 additions & 39 deletions application/models/Participant.php
Expand Up @@ -135,7 +135,8 @@ public function getButtons()
// Only owner or superadmin can delete
$userId = Yii::app()->user->id;
$isSuperAdmin = Permission::model()->hasGlobalPermission('superadmin', 'read');
if ($this->owner_uid == $userId || $isSuperAdmin) {
$deletePermission = Permission::model()->hasGlobalPermission('participantpanel', 'delete');
if ($this->owner_uid == $userId || $isSuperAdmin || $deletePermission) {
// Delete button
$deleteData = array(
'action_participant_deleteModal',
Expand All @@ -144,16 +145,6 @@ public function getButtons()
'trash text-danger'
);
$buttons .= vsprintf($raw_button_template, $deleteData);

// Share this participant
$infoData = array(
'action_participant_shareParticipant',
'',
gT("Share this participant"),
'share'
);
$buttons .= vsprintf($raw_button_template, $infoData);

} else {
// Invisible button
$deleteData = array(
Expand All @@ -163,15 +154,15 @@ public function getButtons()
'trash text-danger'
);
$buttons .= vsprintf($raw_button_template, $deleteData);
$infoData = array(
'action_participant_shareParticipant invisible',
'',
gT("Share this participant"),
'share'
);
$buttons .= vsprintf($raw_button_template, $infoData);
}

// Share this participant
$infoData = array(
'action_participant_shareParticipant',
'',
gT("Share this participant"),
'share'
);
$buttons .= vsprintf($raw_button_template, $infoData);
} else {
// Three empty buttons for correct alignment
// TODO: For some reason, the delete button is smaller than the others
Expand All @@ -182,14 +173,30 @@ public function getButtons()
'edit'
);
$buttons .= vsprintf($raw_button_template, $editData);
$buttons .= vsprintf($raw_button_template, $editData);
$deleteData = array(
'action_participant_deleteModal invisible',
'text-danger',
gT("Delete this participant"),
'trash text-danger'
);
$deletePermission = Permission::model()->hasGlobalPermission('participantpanel', 'delete');
if ($deletePermission){
$deleteData = array(
'action_participant_deleteModal',
'text-danger',
gT("Delete this participant"),
'trash text-danger'
);
} else {
$deleteData = array(
'action_participant_deleteModal invisible',
'text-danger',
gT("Delete this participant"),
'trash text-danger'
);
}
$buttons .= vsprintf($raw_button_template, $deleteData);
$infoData = array(
'action_participant_shareParticipant invisible',
'',
gT("Share this participant"),
'share'
);
$buttons .= vsprintf($raw_button_template, $infoData);
}

// Survey information
Expand Down Expand Up @@ -527,11 +534,12 @@ public function search()
$sort->attributes = $sortAttributes;
$sort->defaultOrder = 't.lastname ASC';

// Users can only see: 1) Participants they own; 2) participants shared with them; and 3) participants shared with everyone
// Users can only see: 1) Participants they own; 2) participants shared with them; and 3) participants shared with everyone 4) all participants if they have global permission
// Superadmins can see all users.
$isSuperAdmin = Permission::model()->hasGlobalPermission('superadmin', 'read');
if (!$isSuperAdmin) {
$criteria->addCondition('t.owner_uid = '.Yii::app()->user->id.' OR '.Yii::app()->user->id.' = shares.share_uid OR shares.share_uid = -1');
$readAllPermission = Permission::model()->hasGlobalPermission('participantpanel', 'read');
if (!$isSuperAdmin && !$readAllPermission) {
$criteria->addCondition('t.owner_uid = '.App()->user->id.' OR '.Yii::app()->user->id.' = shares.share_uid OR shares.share_uid = -1');
}

$pageSize = Yii::app()->user->getState('pageSizeParticipantView', Yii::app()->params['defaultPageSize']);
Expand Down Expand Up @@ -996,12 +1004,12 @@ public function deleteParticipantTokenAnswer($sParticipantsIDs)
->where('participant_id = :row')
->bindParam(":row", $row, PDO::PARAM_INT)
->queryAll();


foreach ($tokens as $key => $surveyLink) {
$surveyId = $surveyLink['survey_id'];
$survey = Survey::model()->findByPk($surveyId);

$tokentable = $survey->tokensTableName;
if (Yii::app()->db->schema->getTable($tokentable)) {
$tokenid = Yii::app()->db->createCommand()
Expand All @@ -1010,7 +1018,7 @@ public function deleteParticipantTokenAnswer($sParticipantsIDs)
->where('participant_id = :pid')
->bindParam(":pid", $surveyLink['participant_id'], PDO::PARAM_INT)
->queryAll();

if(!isset($tokenid[0])) {
continue;
}
Expand All @@ -1025,7 +1033,7 @@ public function deleteParticipantTokenAnswer($sParticipantsIDs)
->where('token = :token')
->bindParam(":token", $token['token'], PDO::PARAM_STR)
->queryAll();

if(isset($gettoken[0])) {
$gettoken = $gettoken[0];
Yii::app()->db->createCommand()
Expand All @@ -1041,9 +1049,9 @@ public function deleteParticipantTokenAnswer($sParticipantsIDs)
}
}
}

$iDeletedParticipants = $this->deleteParticipants($sParticipantsIDs, false);

return $iDeletedParticipants;
}

Expand Down Expand Up @@ -2099,8 +2107,8 @@ public function userHasPermissionToEdit()

$owner = $this->owner_uid == $userId;

if (Permission::model()->hasGlobalPermission('superadmin')) {
// Superadmins can do anything
if (Permission::model()->hasGlobalPermission('superadmin') || (Permission::model()->hasGlobalPermission('participantpanel', 'update'))) {
// Superadmins can do anything and users with global edit permission can to edit all participants
return true;
} else if ($shared && $shared->share_uid == -1 && $shared->can_edit) {
// -1 = shared with everyone
Expand Down Expand Up @@ -2161,7 +2169,7 @@ public function getLanguageOptions(){
return $returner;
}
public function getOwnerOptions(){

return [];
}
}
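Review bot: The ownership filter in search() is still built by string concatenation, and the new line now mixes `App()->user->id` and `Yii::app()->user->id` in the same expression. Binding the id keeps the SQL and the value apart and reads as one style: `$criteria->addCondition('t.owner_uid = :ownerUid OR :shareUid = shares.share_uid OR shares.share_uid = -1');` followed by `$criteria->params[':ownerUid'] = $criteria->params[':shareUid'] = Yii::app()->user->id;`. In getButtons() the same lookup `Permission::model()->hasGlobalPermission('participantpanel', 'delete')` appears in both branches of the outer `if`; it looks like it could be computed once next to `$isSuperAdmin` at the top of the method, which would also remove the `if ($deletePermission){` spacing slip. Separately, the comment added in userHasPermissionToEdit() reads `can to edit`; `can edit` is presumably intended. The bodies of search() and getButtons() continue outside their hunks.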
