From 388e73a726fd48a984790710384bd6eef6275ba0 Mon Sep 17 00:00:00 2001
From: cdujeu
Date: Thu, 26 Nov 2015 21:39:23 +0100
Subject: [PATCH] Change DefaultRights management: update Root Group, do not update personal roles anymore, otherwise it always takes precedency on parent groups/roles. Do not skip the AJXP_CLEAR_VALUE, set to the merged role.
---
 core/src/core/classes/class.AJXP_Role.php | 2 +-
 core/src/core/classes/class.AuthService.php | 2 +
 core/src/core/classes/class.ConfService.php | 2 +-
 .../class.ajxp_confAccessDriver.php | 53 ++++++++++---------
 4 files changed, 32 insertions(+), 27 deletions(-)
diff --git a/core/src/core/classes/class.AJXP_Role.php b/core/src/core/classes/class.AJXP_Role.php
index 4c59be22d5..34b9161972 100644
--- a/core/src/core/classes/class.AJXP_Role.php
+++ b/core/src/core/classes/class.AJXP_Role.php
@@ -399,7 +399,7 @@ public function override(AJXP_Role $role)
 $roleAcl = $role->listAcls();
 $newAcls = $this->array_merge_recursive2($roleAcl, $this->listAcls());
 foreach ($newAcls as $repoId => $rightString) {
- if($rightString == AJXP_VALUE_CLEAR) continue;
+ //if($rightString == AJXP_VALUE_CLEAR) continue;
 if(empty($rightString) && !empty($roleAcl[$repoId])){
 $rightString = $roleAcl[$repoId];
 }
diff --git a/core/src/core/classes/class.AuthService.php b/core/src/core/classes/class.AuthService.php
index a8bccbbbb9..8f5da1f813 100644
--- a/core/src/core/classes/class.AuthService.php
+++ b/core/src/core/classes/class.AuthService.php
@@ -620,6 +620,7 @@ public static function updateAdminRights($adminUser)
 public static function updateDefaultRights(&$userObject)
 {
 if (!$userObject->hasParent()) {
+ /*
 $changes = false;
 $repoList = ConfService::getRepositoriesList("all");
 foreach ($repoList as $repositoryId => $repoObject) {
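Review bot: In class.AJXP_Role.php, override() now keeps the old guard as a commented-out line, which hides a deliberate permission-merge change as dead code. Delete the line and state the intent instead, e.g. `// AJXP_VALUE_CLEAR is kept on purpose so the merged role carries the explicit "cleared" marker`. Because the marker now reaches the merged ACL, every reader of that ACL has to treat it as no access; those readers are outside this hunk, so this needs checking rather than assuming. The body of override() continues past the hunk.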
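Review bot: In class.AuthService.php, updateDefaultRights() disables the personal-role update by wrapping it in `/* ... */` (opened in the -620 hunk, closed in the -633 hunk), and nothing in the patch removes the ACL entries that the old code already wrote into existing users' personal roles. If personal roles take precedence over group roles, as the commit message says, those stale entries would keep granting repository access after an admin lowers the default rights on the group role, so a one-off cleanup or migration step looks necessary. Separately, delete the disabled block rather than commenting it out: the lines between the two hunks are not visible, and any `*/` inside them would end the comment early.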
@@ -633,6 +634,7 @@ public static function updateDefaultRights(&$userObject) if ($changes) { $userObject->recomputeMergedRole(); } + */ $rolesList = self::getRolesList(array(), true); foreach ($rolesList as $roleId => $roleObject) { if(!self::allowedForCurrentGroup($roleObject, $userObject)) continue; diff --git a/core/src/core/classes/class.ConfService.php b/core/src/core/classes/class.ConfService.php index 999d2e3136..8abb3b4c2e 100644 --- a/core/src/core/classes/class.ConfService.php +++ b/core/src/core/classes/class.ConfService.php @@ -935,7 +935,7 @@ public static function addRepository($oRepository) return self::getInstance()->addRepositoryInst($oRepository); } /** - * @param $oRepository + * @param Repository $oRepository * @return -1|null on error */ public function addRepositoryInst($oRepository) diff --git a/core/src/plugins/access.ajxp_conf/class.ajxp_confAccessDriver.php b/core/src/plugins/access.ajxp_conf/class.ajxp_confAccessDriver.php index f4e31dead2..d104b6feec 100644 --- a/core/src/plugins/access.ajxp_conf/class.ajxp_confAccessDriver.php +++ b/core/src/plugins/access.ajxp_conf/class.ajxp_confAccessDriver.php @@ -451,6 +451,11 @@ public function switchAction($action, $httpVars, $fileVars) if ($currentUserIsGroupAdmin && ConfService::getAuthDriverImpl()->isAjxpAdmin(AuthService::getLoggedUser()->getId())) { $currentUserIsGroupAdmin = false; } + $currentAdminBasePath = "/"; + if (AuthService::getLoggedUser()!=null && AuthService::getLoggedUser()->getGroupPath()!=null) { + $currentAdminBasePath = AuthService::getLoggedUser()->getGroupPath(); + } + switch ($action) { //------------------------------------ 
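Review bot: `$currentAdminBasePath` is introduced in the -451 hunk of switchAction() without a comment, although later hunks use it both as a path prefix and to build a role id (`"AJXP_GRP_".$currentAdminBasePath`). Add a line such as `// Group path of the logged-in admin ("/" when none); scopes every group-path and group-role operation below`. Since the value becomes part of a role id, it would also be worth normalising it once here (for example a trailing slash), because the format returned by getGroupPath() is not visible in this patch. Fetching `AuthService::getLoggedUser()` once into a local would replace the three calls.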
@@ -948,12 +953,10 @@ public function switchAction($action, $httpVars, $fileVars)
 AuthService::createUser($new_user_login, $httpVars["new_user_pwd"]);
 $confStorage = ConfService::getConfStorageImpl();
 $newUser = $confStorage->createUserObject($new_user_login);
- $basePath = AuthService::getLoggedUser()->getGroupPath();
- if(empty ($basePath)) $basePath = "/";
 if (!empty($httpVars["group_path"])) {
- $newUser->setGroupPath(rtrim($basePath, "/")."/".ltrim($httpVars["group_path"], "/"));
+ $newUser->setGroupPath(rtrim($currentAdminBasePath, "/")."/".ltrim($httpVars["group_path"], "/"));
 } else {
- $newUser->setGroupPath($basePath);
+ $newUser->setGroupPath($currentAdminBasePath);
 }
 $newUser->save("superuser");
@@ -1061,12 +1064,10 @@ public function switchAction($action, $httpVars, $fileVars)
 $userId = null;
 $usersMoved = array();
- $basePath = (AuthService::getLoggedUser()!=null ? AuthService::getLoggedUser()->getGroupPath(): "/");
- if(empty ($basePath)) $basePath = "/";
 if (!empty($groupPath)) {
- $targetPath = rtrim($basePath, "/")."/".ltrim($groupPath, "/");
+ $targetPath = rtrim($currentAdminBasePath, "/")."/".ltrim($groupPath, "/");
 } else {
- $targetPath = $basePath;
+ $targetPath = $currentAdminBasePath;
 }
 foreach ($userSelection->getFiles() as $selectedUser) {
@@ -1468,11 +1469,7 @@ public function switchAction($action, $httpVars, $fileVars)
 if ($currentUserIsGroupAdmin) {
 $newRep->setGroupPath(AuthService::getLoggedUser()->getGroupPath());
 } else if (!empty($options["AJXP_GROUP_PATH_PARAMETER"])) {
- $basePath = "/";
- if (AuthService::getLoggedUser()!=null && AuthService::getLoggedUser()->getGroupPath()!=null) {
- $basePath = AuthService::getLoggedUser()->getGroupPath();
- }
- $value = AJXP_Utils::securePath(rtrim($basePath, "/")."/".ltrim($options["AJXP_GROUP_PATH_PARAMETER"], "/"));
+ $value = AJXP_Utils::securePath(rtrim($currentAdminBasePath, "/")."/".ltrim($options["AJXP_GROUP_PATH_PARAMETER"], "/"));
 $newRep->setGroupPath($value);
 }
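Review bot: In the -948 hunk the request value `$httpVars["group_path"]` is appended to `$currentAdminBasePath` and passed to setGroupPath() without `AJXP_Utils::securePath()`, while the repository branches in the -1468 and -1681 hunks do normalise the same kind of concatenation. Unless setGroupPath() cleans the path itself (not visible here), input containing relative segments could resolve outside the admin's own group subtree. Suggested: `$newUser->setGroupPath(AJXP_Utils::securePath(rtrim($currentAdminBasePath, "/")."/".ltrim($httpVars["group_path"], "/")));`. The `$targetPath` assignment in the -1061 hunk has the same shape and should get the same treatment if `$groupPath` comes from the request, which the hunk does not show.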
@@ -1481,6 +1478,11 @@ public function switchAction($action, $httpVars, $fileVars)
 if ($res == -1) {
 AJXP_XMLWriter::sendMessage(null, $mess["ajxp_conf.51"]);
 } else {
+ $defaultRights = $newRep->getDefaultRight();
+ if(!empty($defaultRights)){
+ $groupRole = AuthService::getRole("AJXP_GRP_".$currentAdminBasePath, true);
+ $groupRole->setAcl($newRep->getId(), $defaultRights);
+ }
 $loggedUser = AuthService::getLoggedUser();
 $loggedUser->personalRole->setAcl($newRep->getUniqueId(), "rw");
 $loggedUser->recomputeMergedRole();
@@ -1562,12 +1564,8 @@ public function switchAction($action, $httpVars, $fileVars)
 // Add SLUG
 if(!$repository->isTemplate) print("getSlug()."\"/>");
 if ($repository->getGroupPath() != null) {
- $basePath = "/";
- if (AuthService::getLoggedUser()!=null && AuthService::getLoggedUser()->getGroupPath()!=null) {
- $basePath = AuthService::getLoggedUser()->getGroupPath();
- }
 $groupPath = $repository->getGroupPath();
- if($basePath != "/") $groupPath = substr($repository->getGroupPath(), strlen($basePath));
+ if($currentAdminBasePath != "/") $groupPath = substr($repository->getGroupPath(), strlen($currentAdminBasePath));
 print("");
 }
@@ -1628,6 +1626,7 @@ public function switchAction($action, $httpVars, $fileVars)
 case "edit_repository_data" :
 $repId = $httpVars["repository_id"];
 $repo = ConfService::getRepositoryById($repId);
+ $initialDefaultRights = $repo->getDefaultRight();
 if(!$repo->isWriteable()){
 if (isSet($httpVars["permission_mask"]) && !empty($httpVars["permission_mask"])){
 $mask = json_decode($httpVars["permission_mask"], true);
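Review bot: The block added in the -1481 hunk calls `$groupRole->setAcl(...)` but never `AuthService::updateRole($groupRole)`, unlike the edit_repository_data code later in this patch, so the default rights may not be persisted. It also keys the ACL with `$newRep->getId()` while the very next statement uses `$newRep->getUniqueId()`; if the two differ, the grant lands on the wrong key. Suggested: `$groupRole->setAcl($newRep->getUniqueId(), $defaultRights); AuthService::updateRole($groupRole);`. The role chosen is the admin's base group even when the repository was just given a different group path through AJXP_GROUP_PATH_PARAMETER, so it is worth confirming that the grant does not reach further than the repository's own scope.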
@@ -1681,11 +1680,7 @@ public function switchAction($action, $httpVars, $fileVars)
 }
 }
 } elseif ($key == "AJXP_GROUP_PATH_PARAMETER") {
- $basePath = "/";
- if (AuthService::getLoggedUser()!=null && AuthService::getLoggedUser()->getGroupPath()!=null) {
- $basePath = AuthService::getLoggedUser()->getGroupPath();
- }
- $value = AJXP_Utils::securePath(rtrim($basePath, "/")."/".ltrim($value, "/"));
+ $value = AJXP_Utils::securePath(rtrim($currentAdminBasePath, "/")."/".ltrim($value, "/"));
 $repo->setGroupPath($value);
 continue;
 }
@@ -1727,10 +1722,10 @@ public function switchAction($action, $httpVars, $fileVars)
 return;
 }
 }
- // TODO : WHAT TO DO FOR SUB ADMINS ?
+
+ $rootGroup = AuthService::getRole("AJXP_GRP_".$currentAdminBasePath, true);
 if (isSet($httpVars["permission_mask"]) && !empty($httpVars["permission_mask"])){
 $mask = json_decode($httpVars["permission_mask"], true);
- $rootGroup = AuthService::getRole("AJXP_GRP_/");
 if(count($mask)){
 $perm = new AJXP_PermissionMask($mask);
 $rootGroup->setMask($repId, $perm);
@@ -1739,6 +1734,14 @@ public function switchAction($action, $httpVars, $fileVars)
 }
 AuthService::updateRole($rootGroup);
 }
+ $defaultRights = $repo->getDefaultRight();
+ if($defaultRights != $initialDefaultRights){
+ $currentDefaultRights = $rootGroup->getAcl($repId);
+ if(!empty($defaultRights) || !empty($currentDefaultRights)){
+ $rootGroup->setAcl($repId, empty($defaultRights) ? "" : $defaultRights);
+ AuthService::updateRole($rootGroup);
+ }
+ }
 ConfService::replaceRepository($repId, $repo);
 }
 AJXP_XMLWriter::header();
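Review bot: After this change `$rootGroup` in the -1727 hunk holds the role of the admin's own base group rather than the root group, so the name now misleads; `$baseGroupRole` would match what it is. The role is also fetched with a second argument `true` on every edit_repository_data call, before it is known whether the mask or the default rights changed; if that flag creates missing roles, moving the lookup into the two branches that write to it avoids creating empty group roles. The removed TODO about sub-admins deserves a replacement comment saying that masks are now written to the admin's base group role.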
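Review bot: When default rights are removed, the -1739 hunk stores `""` as the ACL on the group role (`empty($defaultRights) ? "" : $defaultRights`), and override() in class.AJXP_Role.php appears to replace an empty right with the overridden role's value, so for a sub-admin's group this would not revoke a right granted by a parent group. If removal is meant to revoke, storing the clear marker instead of `""` is probably what is wanted; if inheritance is intended, a comment should say so. The `!=` comparison with `$initialDefaultRights` treats `null` and `""` as equal, which looks intentional but is worth a comment too. When the mask and the rights both change, `AuthService::updateRole($rootGroup)` runs twice; a single call after both updates is enough.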