fix: issue-8881

gui/templates/tl-classic/mainPageLeft.tpl

@@ -151,7 +151,8 @@
 
 {if $display_left_block_3}
   <div class="list-group" style="{$divStyle}">
-       {if $gui->grants.reqs_view == "yes" || $gui->grants.reqs_edit == "yes" }
+       {if $gui->grants.reqs_view == "yes" 
+           || $gui->grants.reqs_edit == "yes" }
           <a href="{$gui->launcher}?feature=reqSpecMgmt" class="list-group-item" style="{$aStyle}">{$labels.href_req_spec}</a>
           <a href="{$reqOverView}" class="list-group-item" style="{$aStyle}">{$labels.href_req_overview}</a>
           <a href="{$gui->launcher}?feature=printReqSpec" class="list-group-item" style="{$aStyle}">{$labels.href_print_req}</a>

gui/templates/tl-classic/usermanagement/usersAssign.tpl

@@ -2,14 +2,13 @@
 Testlink: smarty template - 
 @filesource usersAssign.tpl
 
-@internal revisions
-@since 1.9.15
 *}
 {lang_get var="labels" 
           s='TestProject,TestPlan,btn_change,title_user_mgmt,set_roles_to,show_only_authorized_users,
              warn_demo,User,btn_upd_user_data,btn_do,title_assign_roles'}
 
-{include file="inc_head.tpl" jsValidate="yes" openHead="yes" enableTableSorting="yes"}
+{include file="inc_head.tpl" jsValidate="yes" 
+  openHead="yes" enableTableSorting="yes"}
 {include file="inc_ext_js.tpl" css_only=1}
 
 {include file="bootstrap.inc.tpl"}
@@ -72,7 +71,8 @@ function toggleRowByClass(oid,className,displayCheckOn,displayCheckOff,displayVa
 
 {if $tlCfg->gui->usersAssign->pagination->enabled}
   {$ll = $tlCfg->gui->usersAssign->pagination->length}
-  {include file="DataTables.inc.tpl" DataTablesOID="item_view" DataTableslengthMenu=$ll}
+  {include file="DataTables.inc.tpl" 
+    DataTablesOID="item_view" DataTableslengthMenu=$ll}
 {/if}
 
 </head>
@@ -85,7 +85,11 @@ function toggleRowByClass(oid,className,displayCheckOn,displayCheckOff,displayVa
 {include file="usermanagement/menu.inc.tpl"}
 <div class="workBack">
 
-{include file="inc_update.tpl" result=$result item="$gui->featureType" action="$action" user_feedback=$gui->user_feedback}
+{include file="inc_update.tpl" 
+         result=$result 
+         item=$gui->featureType 
+         action=$action
+         user_feedback=$gui->user_feedback}
 
 {* 
 Because this page can be reloaded due to a test project change done by
@@ -130,11 +134,6 @@ during refresh feature, and then we have a bad refresh on page getting a bug.
 		    	   {/foreach}
 		    	   </select>
 		    	</td>
-			<td>
-          {* 
-					<input type="button" value="{$labels.btn_change}" onclick="changeFeature('{$gui->featureType}');"/>
-          *}
-		  </td>
 			</tr>
    		<tr>
    		<td class="labelHolder" style="{$styleLH}"">{$labels.set_roles_to}</td>{if $gui->featureType == 'testproject'} <td>&nbsp;</td> {/if}

lib/functions/common.php

@@ -488,8 +488,9 @@ function testlinkInitPage(&$db, $initProject = FALSE,
     checkSessionValid($db);
   }
 
-  if ($userRightsCheckFunction) {
-    checkUserRightsFor($db,$userRightsCheckFunction,$onFailureGoToLogin);
+  if ($userRightsCheckFunction !== null) {
+    checkUserRightsFor($db,$userRightsCheckFunction,
+                       $onFailureGoToLogin);
   }
 
   // Init plugins
@@ -975,10 +976,8 @@ function checkUserRightsFor(&$db,$pfn,$onFailureGoToLogin=false)
   }
 
 
-  if (!$m2call($db,$currentUser,$arguments,$action))
-  {
-    if (!$action)
-    {
+  if (!$m2call($db,$currentUser,$arguments,$action)) {
+    if (!$action) {
       $action = "any";
     }
     logAuditEvent(TLS("audit_security_user_right_missing",$currentUser->login,$script,$action),
@@ -2097,3 +2096,46 @@ function initContext()
 
   return array($context,$env);
 }
+
+
+
+/*
+ * rights check 
+ */
+function pageAccessCheck(&$db, &$user, $context) 
+{
+  $tplan_id = 0;
+  if (property_exists($context,'tplan_id')) {
+    $tplan_id = $context->tplan_id;
+  }
+
+
+  $checkAnd = true;
+  foreach ($context->rightsAnd as $ri) {
+    $checkAnd &= $user->hasRight($db,$ri,
+                          $context->tproject_id,
+                          $tplan_id,true);
+  }
+
+  $checkOr = true;
+  if ($checkAnd) {
+    $checkOr = false;
+    foreach ($context->rightsAnd as $ri) {
+      $checkOr = $user->hasRight($db,$ri,
+                            $context->tproject_id,
+                            $tplan_id,true);
+      if ($checkOr) {
+        break;
+      }
+    }
+  }
+
+  if ($checkAnd == false && $checkOr == false) {
+    $script = basename($_SERVER['PHP_SELF']);
+    $action = 'Access Req Feature';
+    $msg = TLS("audit_security_user_right_missing",
+               $user->login,$script,$action); 
+    logAuditEvent($msg, $action,$user->dbID,"users");
+    throw new Exception($msg, 1);
+  }
+}

lib/general/frmWorkArea.php

@@ -55,7 +55,8 @@
      'tc_exec_assignment' => 'lib/plan/planTCNavigator.php?feature=tc_exec_assignment',
      'executeTest' => array('lib/execute/execNavigator.php?setting_testplan=', 'lib/execute/execDashboard.php?id='),
      'showMetrics' => 'lib/results/resultsNavigator.php',
-     'reqSpecMgmt' => array('lib/requirements/reqSpecListTree.php','lib/project/project_req_spec_mgmt.php?id=')
+     'reqSpecMgmt' => array('lib/requirements/reqSpecListTree.php',
+                            'lib/project/project_req_spec_mgmt.php?id=')
 );
 
 $full_screen = array('newest_tcversions' => 1);
@@ -65,22 +66,19 @@
 
 /** feature to display */
 $showFeature = $args->feature;
-if (isset($aa_tfp[$showFeature]) === FALSE)
-{
+if (isset($aa_tfp[$showFeature]) === FALSE) {
   // argument is wrong
   tLog("Wrong page argument feature = ".$showFeature, 'ERROR');
   exit();
 }
 
 // features that need to run the validate build function
-if (in_array($showFeature,array('executeTest','showMetrics','tc_exec_assignment')))
-{
+if (in_array($showFeature,array('executeTest','showMetrics','tc_exec_assignment'))) {
   // Check if for test project selected at least a test plan exist
   if( isset($_SESSION['testplanID']) || !is_null($args->tplan_id))
   {
     // Filter on build attributes: ACTIVE,OPEN
-    switch($showFeature)
-    {
+    switch($showFeature) {
       case 'executeTest':
         $hasToBe['active'] = true;
         $hasToBe['open'] = true;
@@ -108,8 +106,7 @@
     $tplanIDCard->name = $_SESSION['testplanName'];
     $tplanMgr = new testplan($db);
 
-    if(!is_null($args->tplan_id))
-    {
+    if(!is_null($args->tplan_id)) {
       $tplanIDCard->id = intval($args->tplan_id);
       $dummy = $tplanMgr->tree_manager->get_node_hierarchy_info($tplanIDCard->id);
       $tplanIDCard->name = $dummy['name'];
@@ -136,30 +133,25 @@
 
 // try to add context in order to avoid using global coupling via $_SESSION
 // this will be useful to open different test projects on different browser TAB
-if( is_array($aa_tfp[$showFeature]) )
-{
+if( is_array($aa_tfp[$showFeature]) ) {
   $leftPane = $aa_tfp[$showFeature][0];
   $rightPane = $aa_tfp[$showFeature][1];
 
-  if($rightPane[strlen($rightPane)-1] == '=')
-  {
+  if($rightPane[strlen($rightPane)-1] == '=') {
     $rightPane .= intval($_SESSION['testprojectID']);
   }  
 
-  if($showFeature == 'executeTest')
-  {
+  if($showFeature == 'executeTest') {
     $leftPane .= $args->tplan_id;
   }
   // new dBug($leftPane);
 
-} 
-else
-{
+} else {
   $leftPane = $aa_tfp[$showFeature];
   $rightPane = 'lib/general/staticPage.php?key=' . $showFeature;
 } 
 
-if( intval($args->tproject_id) > 0 || intval($args->tproject_id) > 0)
+if( intval($args->tproject_id) > 0 || intval($args->tplan_id) > 0)
 {  
   $leftPane .= (strpos($leftPane,"?") === false) ? "?" : "&";
   $leftPane .= "tproject_id={$args->tproject_id}&tplan_id={$args->tplan_id}";
@@ -170,12 +162,9 @@
   $rightPane .= "tproject_id={$args->tproject_id}&tplan_id={$args->tplan_id}";
 }
 
-if(isset($full_screen[$showFeature]))
-{
+if(isset($full_screen[$showFeature])) {
   redirect($leftPane);
-}
-else
-{
+} else {
   $smarty->assign('treewidth', TL_FRMWORKAREA_LEFT_FRAME_WIDTH);
   $smarty->assign('treeframe', $leftPane);
   $smarty->assign('workframe', $rightPane);

lib/general/mainPage.php

@@ -50,6 +50,13 @@
 
 $gui = new stdClass();
 $gui->grants = getGrants($db,$user,$testprojectID,$userIsBlindFolded);
+
+/*
+echo '<pre>';
+var_dump($gui->grants);
+echo '</pre>';
+*/
+
 $gui->hasTestCases = false;
 
 if($gui->grants['view_tc']) { 

lib/project/project_req_spec_mgmt.php

@@ -6,25 +6,31 @@
  * @filesource	project_req_spec_mgmt.php
  * @author 		Martin Havlat
  *
- * @internal revisions
- * @since 1.9.10
  */
 require_once('../../config.inc.php');
 require_once('common.php');
-testlinkInitPage($db,false,false,"checkRights");
+testlinkInitPage($db,false,false);
 
 $tproject_id   = isset($_SESSION['testprojectID']) ? intval($_SESSION['testprojectID']) : 0;
 $tproject_name = isset($_SESSION['testprojectName']) ? $_SESSION['testprojectName'] : 'undefined';
 
+$uo = $_SESSION['currentUser'];
+
+$context = new stdClass();
+$context->tproject_id = $tproject_id;
+checkRights($db,$uo,$context);
+
 $gui = new stdClass();
 $gui->main_descr = lang_get('testproject') .  TITLE_SEP . $tproject_name . TITLE_SEP . lang_get('title_req_spec');
 $gui->tproject_id = $tproject_id;
 $gui->refresh_tree = 'no';
 
-$uo = $_SESSION['currentUser'];
+
 $gui->grants = new stdClass();
-$gui->grants->modify = $uo->hasRight($db,'mgt_modify_req');
-$gui->grants->ro = $uo->hasRight($db,'mgt_view_req');
+$gui->grants->modify = 
+  $uo->hasRight($db,'mgt_modify_req',$context->tproject_id);
+$gui->grants->ro = 
+  $uo->hasRight($db,'mgt_view_req',$context->tproject_id);
 
 $smarty = new TLSmarty();
 $smarty->assign('gui', $gui);
@@ -33,8 +39,9 @@
 /**
  *
  */
-function checkRights(&$db,&$user)
+function checkRights(&$db, &$user, $context) 
 {
-  return ($user->hasRight($db,'mgt_view_req') || 
-		  $user->hasRight($db,'mgt_modify_req'));
+  $context->rightsOr = ["mgt_view_req","mgt_modify_req"];
+  $context->rightsAnd = [];
+  pageAccessCheck($db, $user, $context);
 }

lib/requirements/reqEdit.php

@@ -23,14 +23,19 @@
 $editorCfg = getWebEditorCfg('requirement');
 require_once(require_web_editor($editorCfg['type']));
 
-testlinkInitPage($db,false,false,"checkRights");
+testlinkInitPage($db,false,false);
 
 $templateCfg = templateConfiguration();
 $commandMgr = new reqCommands($db);
 
 $args = init_args($db);
 $gui = initialize_gui($db,$args,$commandMgr);
 
+$context = new stdClass();
+$context->tproject_id = $args->tproject_id;
+checkRights($db,$args->user,$context);
+
+
 $pFn = $args->doAction;
 $op = null;
 if(method_exists($commandMgr,$pFn)) {
@@ -46,6 +51,7 @@
  */
 function init_args(&$dbHandler)
 {
+
   $reqTitleSize = config_get('field_size')->requirement_title;
   $iParams = array("requirement_id" => array(tlInputParameter::INT_N),
                    "req_version_id" => array(tlInputParameter::INT_N),
@@ -79,6 +85,7 @@ function init_args(&$dbHandler)
   R_PARAMS($iParams,$args);
   $_REQUEST=strings_stripSlashes($_REQUEST);
 
+  $args->user = $_SESSION['currentUser'];
   $args->req_id = $args->requirement_id;
   $args->title = $args->req_title;
   $args->arrReqIds = $args->req_id_cbox;
@@ -299,9 +306,12 @@ function initialize_gui(&$dbHandler,&$argsObj,&$commandMgr)
   return $gui;
 }
 
-
-function checkRights(&$db,&$user)
+/**
+ *
+ */
+function checkRights(&$db,&$user,&$context)
 {
-  return ($user->hasRight($db,'mgt_view_req') && $user->hasRight($db,'mgt_modify_req'));
-}
-?>
+  $context->rightsOr = [];
+  $context->rightsAnd = ["mgt_view_req","mgt_modify_req"];
+  pageAccessCheck($db, $user, $context);
+}

lib/requirements/reqExport.php

@@ -14,13 +14,19 @@
 require_once("common.php");
 require_once("requirements.inc.php");
 
-testlinkInitPage($db,false,false,"checkRights");
+testlinkInitPage($db,false,false);
 $templateCfg = templateConfiguration();
 $req_spec_mgr = new requirement_spec_mgr($db);
 
 $args = init_args();
 $gui = initializeGui($args,$req_spec_mgr);
 
+$context = new stdClass();
+$context->tproject_id = $args->tproject_id;
+checkRights($db,$_SESSION['currentUser'],$context);
+
+
+
 switch($args->doAction)
 {
   case 'export':
@@ -36,15 +42,15 @@
 
 
 /**
- * checkRights
  *
  */
-function checkRights(&$db,&$user)
+function checkRights(&$db,&$user,&$context)
 {
-  return $user->hasRight($db,'mgt_view_req');
+  $context->rightsOr = [];
+  $context->rightsAnd = ["mgt_view_req"];
+  pageAccessCheck($db, $user, $context);
 }
 
-
 /**
  * init_args
  *