PLAT-9896 - make sure roles changes in admin console can be done only… #8507

Merged
merged 1 commit into from Jun 6, 2019
3 changes: 3 additions & 0 deletions admin_console/controllers/UserController.php 100755 → 100644
Expand Up @@ -400,6 +400,7 @@ private function proccessChangeRoleForm(Form_ChangeUserRole $form)
}
catch(Exception $ex)
{
$this->view->errMessage = $ex->getMessage();
if ($ex->getCode() === 'INVALID_USER_ID')
$form->setDescription($ex->getMessage());
else if ($ex->getCode() === 'LOGIN_DATA_NOT_FOUND')
Expand All @@ -410,6 +411,8 @@ private function proccessChangeRoleForm(Form_ChangeUserRole $form)
$form->setDescription($ex->getMessage());
else if ($ex->getCode() === 'ACCOUNT_OWNER_NEEDS_PARTNER_ADMIN_ROLE')
$form->setDescription($ex->getMessage());
else if ($ex->getCode() === 'NOT_ALLOWED_TO_CHANGE_ROLE')
$form->setDescription($ex->getMessage());
else
throw $ex;
}
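Review bot: The assignment `$this->view->errMessage = $ex->getMessage();` at the top of the catch block (it appears to be the added line) runs before any of the code checks, so every exception, including the ones that fall through to `throw $ex`, leaves its raw message in a view variable. The two templates changed in this commit print that variable inside a script block, so the text should be set only in the branches that are actually handled, or be left out in favour of the form description that already carries it. The run of identical `setDescription` branches could be one test, `if (in_array($ex->getCode(), array('INVALID_USER_ID', /* … */ 'NOT_ALLOWED_TO_CHANGE_ROLE'), true))`. proccessChangeRoleForm starts outside this hunk, so the code before the catch is not visible here.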
6 changes: 6 additions & 0 deletions admin_console/views/scripts/user/change-role.phtml
@@ -1,2 +1,8 @@
<?php if($this->errMessage): ?>
<script type="text/javascript">
alert('<?php echo $this->errMessage; ?>');
</script>
<?php endif; ?>

<?php $this->form->setAction($this->url(array('controller' => 'user', 'action' => 'change-role'))); ?>
<?php echo $this->form; ?>
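Review bot: The line `alert('<?php echo $this->errMessage; ?>');` writes an exception message into a JavaScript string literal with no encoding, so a message containing a quote, a newline or `</script>` breaks the script or lets text from the message run as script. Some error strings in APIErrors carry substituted text (for example the `@ERR_TEXT@` placeholder), so the content is not guaranteed to be a fixed constant. Encode for the JavaScript context instead: `alert(<?php echo json_encode($this->errMessage, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); ?>);`. The same line is added to user-role-configure.phtml and needs the same change.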
6 changes: 6 additions & 0 deletions admin_console/views/scripts/user/user-role-configure.phtml
@@ -1,2 +1,8 @@
<?php if($this->errMessage): ?>
<script type="text/javascript">
alert('<?php echo $this->errMessage; ?>');
</script>
<?php endif; ?>

<?php $this->form->setAction($this->url(array('controller' => 'user', 'action' => 'user-role-configure'))); ?>
<?php echo $this->form; ?>
2 changes: 2 additions & 0 deletions alpha/apps/kaltura/lib/webservices/APIErrors.class.php
Expand Up @@ -415,6 +415,8 @@ public static function getMessage($errorString)
const CANNOT_SET_ROOT_ADMIN_AS_NO_ADMIN = "CANNOT_SET_ROOT_ADMIN_AS_NO_ADMIN;;Root admin user cannot be set to not admin";

const CANNOT_CHANGE_OWN_ROLE = "CANNOT_CHANGE_OWN_ROLE;;User cannot change his own role";

const NOT_ALLOWED_TO_CHANGE_ROLE = "NOT_ALLOWED_TO_CHANGE_ROLE;;User Is not allowed change roles";

const PERMISSION_NOT_FOUND = "PERMISSION_NOT_FOUND;ERR_TEXT;@ERR_TEXT@";
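Review bot: The text of the new NOT_ALLOWED_TO_CHANGE_ROLE constant, "User Is not allowed change roles", is missing a word and has stray capitalisation. This string is what the admin console shows in the form description and in the alert, so I would change it to `"NOT_ALLOWED_TO_CHANGE_ROLE;;User is not allowed to change roles"`.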

1 change: 1 addition & 0 deletions alpha/lib/enums/PermissionName.php
Expand Up @@ -125,6 +125,7 @@ interface PermissionName extends BaseEnum
const SYSTEM_ADMIN_CONTENT_DISTRIBUTION_BASE = 'SYSTEM_ADMIN_CONTENT_DISTRIBUTION_BASE';
const SYSTEM_ADMIN_CONTENT_DISTRIBUTION_MODIFY = 'SYSTEM_ADMIN_CONTENT_DISTRIBUTION_MODIFY';
const SYSTEM_ADMIN_PERMISSIONS_MANAGE = 'SYSTEM_ADMIN_PERMISSIONS_MANAGE';
const SYSTEM_ADMIN_PERMISSIONS_UPDATE = 'SYSTEM_ADMIN_PERMISSIONS_UPDATE';
const SYSTEM_ADMIN_ENTRY_INVESTIGATION = 'SYSTEM_ADMIN_ENTRY_INVESTIGATION';

const SYSTEM_ADMIN_CATALOG_ITEM_BASE = "reach.SYSTEM_ADMIN_CATALOG_ITEM_BASE";
4 changes: 4 additions & 0 deletions api_v3/services/UserService.php
Expand Up @@ -72,6 +72,10 @@ public function updateAction($userId, KalturaUser $user)
try
{
if (!is_null($user->roleIds)) {
if ($this->getPartnerId() == Partner::ADMIN_CONSOLE_PARTNER_ID && !kPermissionManager::isPermitted(PermissionName::SYSTEM_ADMIN_PERMISSIONS_UPDATE))
{
throw new KalturaAPIException(KalturaErrors::NOT_ALLOWED_TO_CHANGE_ROLE);
}
UserRolePeer::testValidRolesForUser($user->roleIds, $this->getPartnerId());
if ($user->roleIds != $dbUser->getRoleIds() &&
$dbUser->getId() == $this->getKuser()->getId()) {
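Review bot: The new guard fires whenever `roleIds` is present in the request, even when it equals the user's current roles, so an admin-console caller that resends the full user object is refused with NOT_ALLOWED_TO_CHANGE_ROLE although no role changes. Adding `$user->roleIds != $dbUser->getRoleIds()` to the condition, as the check below it does, would limit the refusal to real changes. The guard also covers only this update path; whether other ways of assigning roles under the admin-console partner (user creation, for instance) need the same SYSTEM_ADMIN_PERMISSIONS_UPDATE check cannot be seen from this hunk and should be confirmed. A one-line comment such as `// role changes under the admin console partner require SYSTEM_ADMIN_PERMISSIONS_UPDATE` would record the intent. updateAction begins and continues outside the hunk.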
5 changes: 5 additions & 0 deletions deployment/permissions/partner.-2.ini
Expand Up @@ -549,3 +549,8 @@ permission196.partnerId = -2
permission196.type = 1
permission196.name = CONF_MAPS_EDIT_PLUGIN_ADMIN
permission196.friendlyName = "Configuration maps edit permission"

permission197.partnerId = -2
permission197.type = 1
permission197.name = SYSTEM_ADMIN_PERMISSIONS_UPDATE
permission197.friendlyName = "update permissions"
@@ -0,0 +1,11 @@
<?php
/**
* @package deployment
* @subpackage orion.roles_and_permissions
*/

$addPermissionsScript = realpath(dirname(__FILE__) . '/../../../../') . '/alpha/scripts/utils/permissions/removePermissionsAndItems.php';

$removeConfig = realpath(dirname(__FILE__)) . '/../ini_files/2019_06_03_userrole_update_permissions.ini';
passthru("php $addPermissionsScript $removeConfig");
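Review bot: `$addPermissionsScript` holds the path of removePermissionsAndItems.php, so the variable name says the opposite of what the script does; `$removePermissionsScript` would match `$removeConfig`. The command line is built by plain string interpolation, which breaks if the install path contains spaces or shell metacharacters, and a `false` result from `realpath()` is not checked. I would write `passthru('php ' . escapeshellarg($removePermissionsScript) . ' ' . escapeshellarg($removeConfig));` and stop with a message when either path does not resolve.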

@@ -0,0 +1,9 @@
[action_permission_items]
permissionItem6.service = userrole
permissionItem6.action = update
permissionItem6.partnerId = 0
permissionItem6.param3 =
permissionItem6.param4 =
permissionItem6.param5 =
permissionItem6.tags =
permissionItem6.permissions = -2>SYSTEM_ADMIN_PERMISSIONS_MANAGE
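Review bot: This file is presumably the one handed to removePermissionsAndItems.php, which means it takes `userrole.update` away from SYSTEM_ADMIN_PERMISSIONS_MANAGE, yet nothing on this page attaches that action to the new SYSTEM_ADMIN_PERMISSIONS_UPDATE permission or grants that permission to a role. If the grant is made elsewhere, a header comment naming the companion file would make the pairing visible, for example `; removes userrole.update from SYSTEM_ADMIN_PERMISSIONS_MANAGE, re-granted via <companion ini>`. If it is not made anywhere, role updates in the admin console would be unavailable to every user after deployment, so this is worth confirming before the script is run.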