
fix: issue-8881

fmancardi committed Mar 12, 2020
1 parent 42647fd commit 71af9949d6d8d3d17deb1cdcdb73e1070f2003af
@@ -151,7 +151,8 @@

{if $display_left_block_3}
<div class="list-group" style="{$divStyle}">
{if $gui->grants.reqs_view == "yes" || $gui->grants.reqs_edit == "yes" }
{if $gui->grants.reqs_view == "yes"
|| $gui->grants.reqs_edit == "yes" }
<a href="{$gui->launcher}?feature=reqSpecMgmt" class="list-group-item" style="{$aStyle}">{$labels.href_req_spec}</a>
<a href="{$reqOverView}" class="list-group-item" style="{$aStyle}">{$labels.href_req_overview}</a>
<a href="{$gui->launcher}?feature=printReqSpec" class="list-group-item" style="{$aStyle}">{$labels.href_print_req}</a>
@@ -2,14 +2,13 @@
Testlink: smarty template -
@filesource usersAssign.tpl
@internal revisions
@since 1.9.15
*}
{lang_get var="labels"
s='TestProject,TestPlan,btn_change,title_user_mgmt,set_roles_to,show_only_authorized_users,
warn_demo,User,btn_upd_user_data,btn_do,title_assign_roles'}

{include file="inc_head.tpl" jsValidate="yes" openHead="yes" enableTableSorting="yes"}
{include file="inc_head.tpl" jsValidate="yes"
openHead="yes" enableTableSorting="yes"}
{include file="inc_ext_js.tpl" css_only=1}

{include file="bootstrap.inc.tpl"}
@@ -72,7 +71,8 @@ function toggleRowByClass(oid,className,displayCheckOn,displayCheckOff,displayVa

{if $tlCfg->gui->usersAssign->pagination->enabled}
{$ll = $tlCfg->gui->usersAssign->pagination->length}
{include file="DataTables.inc.tpl" DataTablesOID="item_view" DataTableslengthMenu=$ll}
{include file="DataTables.inc.tpl"
DataTablesOID="item_view" DataTableslengthMenu=$ll}
{/if}

</head>
@@ -85,7 +85,11 @@ function toggleRowByClass(oid,className,displayCheckOn,displayCheckOff,displayVa
{include file="usermanagement/menu.inc.tpl"}
<div class="workBack">

{include file="inc_update.tpl" result=$result item="$gui->featureType" action="$action" user_feedback=$gui->user_feedback}
{include file="inc_update.tpl"
result=$result
item=$gui->featureType
action=$action
user_feedback=$gui->user_feedback}

{*
Because this page can be reloaded due to a test project change done by
@@ -130,11 +134,6 @@ during refresh feature, and then we have a bad refresh on page getting a bug.
{/foreach}
</select>
</td>
<td>
{*
<input type="button" value="{$labels.btn_change}" onclick="changeFeature('{$gui->featureType}');"/>
*}
</td>
</tr>
<tr>
<td class="labelHolder" style="{$styleLH}"">{$labels.set_roles_to}</td>{if $gui->featureType == 'testproject'} <td>&nbsp;</td> {/if}
@@ -488,8 +488,9 @@ function testlinkInitPage(&$db, $initProject = FALSE,
checkSessionValid($db);
}

if ($userRightsCheckFunction) {
checkUserRightsFor($db,$userRightsCheckFunction,$onFailureGoToLogin);
if ($userRightsCheckFunction !== null) {
checkUserRightsFor($db,$userRightsCheckFunction,
$onFailureGoToLogin);
}

// Init plugins
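Review bot: `$userRightsCheckFunction !== null` is stricter than the truthiness test it replaces: a caller that passes `false` or `''` instead of omitting the argument now reaches `checkUserRightsFor` with a non-callable name, where the old code skipped the call. The parameter's default is outside this hunk (the signature is only visible in the `@@` context), so this is only safe if that default is `null` and every call site passes either a function name or nothing. If that cannot be guaranteed, `if ($userRightsCheckFunction !== null && $userRightsCheckFunction !== '') {` or an `is_callable` test keeps the old tolerance while still rejecting a null. The body of testlinkInitPage continues past the hunk.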
@@ -975,10 +976,8 @@ function checkUserRightsFor(&$db,$pfn,$onFailureGoToLogin=false)
}


if (!$m2call($db,$currentUser,$arguments,$action))
{
if (!$action)
{
if (!$m2call($db,$currentUser,$arguments,$action)) {
if (!$action) {
$action = "any";
}
logAuditEvent(TLS("audit_security_user_right_missing",$currentUser->login,$script,$action),
@@ -2097,3 +2096,46 @@ function initContext()

return array($context,$env);
}



/*
* rights check
*/
function pageAccessCheck(&$db, &$user, $context)
{
$tplan_id = 0;
if (property_exists($context,'tplan_id')) {
$tplan_id = $context->tplan_id;
}


$checkAnd = true;
foreach ($context->rightsAnd as $ri) {
$checkAnd &= $user->hasRight($db,$ri,
$context->tproject_id,
$tplan_id,true);
}

$checkOr = true;
if ($checkAnd) {
$checkOr = false;
foreach ($context->rightsAnd as $ri) {
$checkOr = $user->hasRight($db,$ri,
$context->tproject_id,
$tplan_id,true);
if ($checkOr) {
break;
}
}
}

if ($checkAnd == false && $checkOr == false) {
$script = basename($_SERVER['PHP_SELF']);
$action = 'Access Req Feature';
$msg = TLS("audit_security_user_right_missing",
$user->login,$script,$action);
logAuditEvent($msg, $action,$user->dbID,"users");
throw new Exception($msg, 1);
}
}
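Review bot: As written pageAccessCheck can never reach its deny branch. When the `rightsAnd` loop succeeds `$checkAnd` is true and the final `$checkAnd == false && $checkOr == false` test is already false; when it fails `$checkOr` keeps its initial value of true, so the test is false again — and the inner loop iterates `$context->rightsAnd` rather than `rightsOr`, so the OR list that callers set (e.g. `["mgt_view_req","mgt_modify_req"]`) is never consulted. Every page migrated from the `checkRights` callback to this helper therefore admits any logged-in user regardless of rights. The rewrite below evaluates the two lists independently (all of `rightsAnd`, at least one of `rightsOr`, an empty list being vacuously satisfied) and denies when either fails; `&=` is the bitwise operator, so the boolean is combined with `&&`/early exit instead. Whether the thrown Exception is caught somewhere and turned into the login redirect the old callback path produced is outside this hunk and should be confirmed.
```php
function pageAccessCheck(&$db, &$user, $context)
{
    // … unchanged: $tplan_id resolution …

    // Every right listed in rightsAnd must be held.
    $checkAnd = true;
    foreach ($context->rightsAnd as $ri) {
        if (!$user->hasRight($db, $ri, $context->tproject_id, $tplan_id, true)) {
            $checkAnd = false;
            break;
        }
    }

    // At least one right listed in rightsOr must be held; an empty list imposes no condition.
    $rightsOr = property_exists($context, 'rightsOr') ? $context->rightsOr : [];
    $checkOr = (count($rightsOr) == 0);
    foreach ($rightsOr as $ri) {
        if ($user->hasRight($db, $ri, $context->tproject_id, $tplan_id, true)) {
            $checkOr = true;
            break;
        }
    }

    if (!$checkAnd || !$checkOr) {
        // … unchanged: audit event + throw …
    }
}
```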
@@ -55,7 +55,8 @@
'tc_exec_assignment' => 'lib/plan/planTCNavigator.php?feature=tc_exec_assignment',
'executeTest' => array('lib/execute/execNavigator.php?setting_testplan=', 'lib/execute/execDashboard.php?id='),
'showMetrics' => 'lib/results/resultsNavigator.php',
'reqSpecMgmt' => array('lib/requirements/reqSpecListTree.php','lib/project/project_req_spec_mgmt.php?id=')
'reqSpecMgmt' => array('lib/requirements/reqSpecListTree.php',
'lib/project/project_req_spec_mgmt.php?id=')
);

$full_screen = array('newest_tcversions' => 1);
@@ -65,22 +66,19 @@

/** feature to display */
$showFeature = $args->feature;
if (isset($aa_tfp[$showFeature]) === FALSE)
{
if (isset($aa_tfp[$showFeature]) === FALSE) {
// argument is wrong
tLog("Wrong page argument feature = ".$showFeature, 'ERROR');
exit();
}

// features that need to run the validate build function
if (in_array($showFeature,array('executeTest','showMetrics','tc_exec_assignment')))
{
if (in_array($showFeature,array('executeTest','showMetrics','tc_exec_assignment'))) {
// Check if for test project selected at least a test plan exist
if( isset($_SESSION['testplanID']) || !is_null($args->tplan_id))
{
// Filter on build attributes: ACTIVE,OPEN
switch($showFeature)
{
switch($showFeature) {
case 'executeTest':
$hasToBe['active'] = true;
$hasToBe['open'] = true;
@@ -108,8 +106,7 @@
$tplanIDCard->name = $_SESSION['testplanName'];
$tplanMgr = new testplan($db);

if(!is_null($args->tplan_id))
{
if(!is_null($args->tplan_id)) {
$tplanIDCard->id = intval($args->tplan_id);
$dummy = $tplanMgr->tree_manager->get_node_hierarchy_info($tplanIDCard->id);
$tplanIDCard->name = $dummy['name'];
@@ -136,30 +133,25 @@

// try to add context in order to avoid using global coupling via $_SESSION
// this will be useful to open different test projects on different browser TAB
if( is_array($aa_tfp[$showFeature]) )
{
if( is_array($aa_tfp[$showFeature]) ) {
$leftPane = $aa_tfp[$showFeature][0];
$rightPane = $aa_tfp[$showFeature][1];

if($rightPane[strlen($rightPane)-1] == '=')
{
if($rightPane[strlen($rightPane)-1] == '=') {
$rightPane .= intval($_SESSION['testprojectID']);
}

if($showFeature == 'executeTest')
{
if($showFeature == 'executeTest') {
$leftPane .= $args->tplan_id;
}
// new dBug($leftPane);

}
else
{
} else {
$leftPane = $aa_tfp[$showFeature];
$rightPane = 'lib/general/staticPage.php?key=' . $showFeature;
}

if( intval($args->tproject_id) > 0 || intval($args->tproject_id) > 0)
if( intval($args->tproject_id) > 0 || intval($args->tplan_id) > 0)
{
$leftPane .= (strpos($leftPane,"?") === false) ? "?" : "&";
$leftPane .= "tproject_id={$args->tproject_id}&tplan_id={$args->tplan_id}";
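Review bot: The corrected condition tests `intval($args->tplan_id)`, but the values interpolated into the frame URL on the next line are the raw `$args->tproject_id` and `$args->tplan_id` (and `$leftPane .= $args->tplan_id;` above them); unless `init_args`, outside this hunk, already coerces them to integers, whatever string the request carried flows into the tree/work frame `src`. Interpolating the coerced values keeps the query string to digits: `$leftPane .= "tproject_id=" . intval($args->tproject_id) . "&tplan_id=" . intval($args->tplan_id);`. The `if` block continues past the hunk into the `$rightPane` branch, where the same applies.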
@@ -170,12 +162,9 @@
$rightPane .= "tproject_id={$args->tproject_id}&tplan_id={$args->tplan_id}";
}

if(isset($full_screen[$showFeature]))
{
if(isset($full_screen[$showFeature])) {
redirect($leftPane);
}
else
{
} else {
$smarty->assign('treewidth', TL_FRMWORKAREA_LEFT_FRAME_WIDTH);
$smarty->assign('treeframe', $leftPane);
$smarty->assign('workframe', $rightPane);
@@ -50,6 +50,13 @@

$gui = new stdClass();
$gui->grants = getGrants($db,$user,$testprojectID,$userIsBlindFolded);

/*
echo '<pre>';
var_dump($gui->grants);
echo '</pre>';
*/

$gui->hasTestCases = false;

if($gui->grants['view_tc']) {
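Review bot: The added block is commented-out debugging — `var_dump($gui->grants)` wrapped in `<pre>` — and should not land in the commit. Dead debug code of this kind tends to get uncommented on a production install, where it would print the full grants map to the page; drop the five lines rather than keep them as a comment.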
@@ -6,25 +6,31 @@
* @filesource project_req_spec_mgmt.php
* @author Martin Havlat
*
* @internal revisions
* @since 1.9.10
*/
require_once('../../config.inc.php');
require_once('common.php');
testlinkInitPage($db,false,false,"checkRights");
testlinkInitPage($db,false,false);

$tproject_id = isset($_SESSION['testprojectID']) ? intval($_SESSION['testprojectID']) : 0;
$tproject_name = isset($_SESSION['testprojectName']) ? $_SESSION['testprojectName'] : 'undefined';

$uo = $_SESSION['currentUser'];

$context = new stdClass();
$context->tproject_id = $tproject_id;
checkRights($db,$uo,$context);

$gui = new stdClass();
$gui->main_descr = lang_get('testproject') . TITLE_SEP . $tproject_name . TITLE_SEP . lang_get('title_req_spec');
$gui->tproject_id = $tproject_id;
$gui->refresh_tree = 'no';

$uo = $_SESSION['currentUser'];

$gui->grants = new stdClass();
$gui->grants->modify = $uo->hasRight($db,'mgt_modify_req');
$gui->grants->ro = $uo->hasRight($db,'mgt_view_req');
$gui->grants->modify =
$uo->hasRight($db,'mgt_modify_req',$context->tproject_id);
$gui->grants->ro =
$uo->hasRight($db,'mgt_view_req',$context->tproject_id);

$smarty = new TLSmarty();
$smarty->assign('gui', $gui);
@@ -33,8 +39,9 @@
/**
*
*/
function checkRights(&$db,&$user)
function checkRights(&$db, &$user, $context)
{
return ($user->hasRight($db,'mgt_view_req') ||
$user->hasRight($db,'mgt_modify_req'));
$context->rightsOr = ["mgt_view_req","mgt_modify_req"];
$context->rightsAnd = [];
pageAccessCheck($db, $user, $context);
}
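Review bot: `$uo = $_SESSION['currentUser'];` is now assigned twice, once before the `$context` block and again, unchanged, just before the grants block; the second assignment is redundant and should go. The new checkRights no longer returns a boolean but relies on pageAccessCheck (defined in another file) to abort, yet its docblock is empty; document that, e.g. `* Aborts the page (audit event + exception) unless $user holds mgt_view_req or mgt_modify_req on $context->tproject_id.` Note also that `$tproject_id` falls back to 0 when no test project is in session, so the rights check and the grants lookups then run against project id 0 — presumably hasRight handles that, but confirm.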
@@ -23,14 +23,19 @@
$editorCfg = getWebEditorCfg('requirement');
require_once(require_web_editor($editorCfg['type']));

testlinkInitPage($db,false,false,"checkRights");
testlinkInitPage($db,false,false);

$templateCfg = templateConfiguration();
$commandMgr = new reqCommands($db);

$args = init_args($db);
$gui = initialize_gui($db,$args,$commandMgr);

$context = new stdClass();
$context->tproject_id = $args->tproject_id;
checkRights($db,$args->user,$context);


$pFn = $args->doAction;
$op = null;
if(method_exists($commandMgr,$pFn)) {
@@ -46,6 +51,7 @@
*/
function init_args(&$dbHandler)
{

$reqTitleSize = config_get('field_size')->requirement_title;
$iParams = array("requirement_id" => array(tlInputParameter::INT_N),
"req_version_id" => array(tlInputParameter::INT_N),
@@ -79,6 +85,7 @@ function init_args(&$dbHandler)
R_PARAMS($iParams,$args);
$_REQUEST=strings_stripSlashes($_REQUEST);

$args->user = $_SESSION['currentUser'];
$args->req_id = $args->requirement_id;
$args->title = $args->req_title;
$args->arrReqIds = $args->req_id_cbox;
@@ -299,9 +306,12 @@ function initialize_gui(&$dbHandler,&$argsObj,&$commandMgr)
return $gui;
}


function checkRights(&$db,&$user)
/**
*
*/
function checkRights(&$db,&$user,&$context)
{
return ($user->hasRight($db,'mgt_view_req') && $user->hasRight($db,'mgt_modify_req'));
}
?>
$context->rightsOr = [];
$context->rightsAnd = ["mgt_view_req","mgt_modify_req"];
pageAccessCheck($db, $user, $context);
}
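Review bot: The access check `checkRights($db,$args->user,$context)` now runs after `init_args` and `initialize_gui`, whereas the removed `"checkRights"` callback in `testlinkInitPage` ran before any page logic; with `$commandMgr` and the request arguments already parsed, `initialize_gui` presumably loads requirement data for a user who is about to be refused. Since the context only needs `$args->tproject_id`, move the `$context` setup and the `checkRights` call between `$args = init_args($db);` and `$gui = initialize_gui($db,$args,$commandMgr);`. The new checkRights docblock is empty; it should say the function aborts via pageAccessCheck rather than returning a bool, since a caller expecting the old boolean would otherwise continue into the `doAction` dispatch below.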
@@ -14,13 +14,19 @@
require_once("common.php");
require_once("requirements.inc.php");

testlinkInitPage($db,false,false,"checkRights");
testlinkInitPage($db,false,false);
$templateCfg = templateConfiguration();
$req_spec_mgr = new requirement_spec_mgr($db);

$args = init_args();
$gui = initializeGui($args,$req_spec_mgr);

$context = new stdClass();
$context->tproject_id = $args->tproject_id;
checkRights($db,$_SESSION['currentUser'],$context);



switch($args->doAction)
{
case 'export':
@@ -36,15 +42,15 @@


/**
* checkRights
*
*/
function checkRights(&$db,&$user)
function checkRights(&$db,&$user,&$context)
{
return $user->hasRight($db,'mgt_view_req');
$context->rightsOr = [];
$context->rightsAnd = ["mgt_view_req"];
pageAccessCheck($db, $user, $context);
}


/**
* init_args
*
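Review bot: `initializeGui($args,$req_spec_mgr)` executes before `checkRights` is invoked, so a user lacking `mgt_view_req` has the requirement-spec view assembled (and any queries inside `initializeGui` executed) before being refused; the replaced `testlinkInitPage($db,false,false,"checkRights")` form checked first. Move the `$context` setup and `checkRights($db,$_SESSION['currentUser'],$context)` to directly after `$args = init_args();` and before `initializeGui`. The single-entry `rightsAnd` with an empty `rightsOr` is a faithful encoding of the old `hasRight($db,'mgt_view_req')` test, but the docblock still reads only "checkRights"; state the new contract, e.g. `* Denies the page (audit event + exception) unless $user holds mgt_view_req on $context->tproject_id.`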
