@@ -91,6 +91,21 @@ public function __construct($request = null, $response = null)
9191 ];
9292 }
9393
94+ private function __applyAuditACL (array $ user )
95+ {
96+ $ acl = [];
97+ if (empty ($ user ['Role ' ]['perm_site_admin ' ])) {
98+ if (!empty ($ user ['Role ' ]['perm_admin ' ])) {
99+ // ORG admins can see their own org info
100+ $ acl = ['AuditLog.org_id ' => $ user ['org_id ' ]];
101+ } else {
102+ // users can see their own info
103+ $ acl = ['AuditLog.user_id ' => $ user ['id ' ]];
104+ }
105+ }
106+ return $ acl ;
107+ }
108+
94109 public function admin_index ()
95110 {
96111 $ this ->paginate ['fields ' ][] = 'ip ' ;
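Review bot: `__applyAuditACL` returns an empty array to mean "no restriction" for site admins, and the caller in admin_index relies on `if ($acl)` to notice that, but neither the method nor its docblock says so; a declared return type plus a one-line docblock would make the fail-open case explicit, e.g. `/** Builds audit-log visibility conditions for $user: site admins get none, org admins are limited to AuditLog.org_id, everyone else to AuditLog.user_id. */` above `private function __applyAuditACL(array $user): array`. The name suggests the method mutates pagination state, while it only builds conditions; something like `__auditACLConditions` would match `__searchConditions` and `__createEventIndexConditions` elsewhere in this controller. A user record without `Role` or `id` falls through to `['AuditLog.user_id' => null]`, which presumably matches no rows — worth confirming that silently returning nothing, rather than throwing, is the intended fail-closed behaviour.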
@@ -119,6 +134,10 @@ public function admin_index()
119134 ]);
120135
121136 $ this ->paginate ['conditions ' ] = $ this ->__searchConditions ($ params );
137+ $ acl = $ this ->__applyAuditACL ($ this ->Auth ->user ());
138+ if ($ acl ) {
139+ $ this ->paginate ['conditions ' ]['AND ' ][] = $ acl ;
140+ }
122141 $ list = $ this ->paginate ();
123142
124143 if ($ this ->_isRest ()) {
@@ -156,7 +175,6 @@ public function eventIndex($eventId, $org = null)
156175 if (empty ($ event )) {
157176 throw new NotFoundException ('Invalid event. ' );
158177 }
159-
160178 $ this ->paginate ['conditions ' ] = $ this ->__createEventIndexConditions ($ event );
161179 $ this ->set ('passedArgsArray ' , ['eventId ' => $ eventId , 'org ' => $ org ]);
162180
@@ -233,6 +251,7 @@ public function returnDates($org = 'all')
233251 */
234252 private function __searchConditions (array $ params )
235253 {
254+ $ conditions = [];
236255 $ qbRules = [];
237256 foreach ($ params as $ key => $ value ) {
238257 if ($ key === 'model ' && strpos ($ value , ': ' ) !== false ) {
@@ -263,7 +282,6 @@ private function __searchConditions(array $params)
263282 }
264283 $ this ->set ('qbRules ' , $ qbRules );
265284
266- $ conditions = [];
267285 if (isset ($ params ['user ' ])) {
268286 if (strtoupper ($ params ['user ' ]) === 'SYSTEM ' ) {
269287 $ conditions ['AuditLog.user_id ' ] = 0 ;
@@ -351,7 +369,6 @@ private function __createEventIndexConditions(array $event)
351369 // Site admins and event owners can see all changes
352370 return ['event_id ' => $ event ['Event ' ]['id ' ]];
353371 }
354-
355372 $ event = $ this ->AuditLog ->Event ->fetchEvent ($ this ->Auth ->user (), [
356373 'eventid ' => $ event ['Event ' ]['id ' ],
357374 'sgReferenceOnly ' => 1 ,
@@ -361,7 +378,6 @@ private function __createEventIndexConditions(array $event)
361378 'includeEventCorrelations ' => false ,
362379 'excludeGalaxy ' => true ,
363380 ])[0 ];
364-
365381 $ attributeIds = [];
366382 $ objectIds = [];
367383 $ proposalIds = array_column ($ event ['ShadowAttribute ' ], 'id ' );