From 06dfb55eb7a89e72e2e7587a844e3609573dfe1e Mon Sep 17 00:00:00 2001
From: Christian Hofmaier
Date: Tue, 2 May 2017 15:53:48 +0200
Subject: [statistics_reporting] implemented usecase of permissionmanager in statistics_reporting
---
 .../statistics_reporting/page.inc.php | 46 +++++++++++++++++-----
 .../permissions/permissions.json | 10 +++++
 2 files changed, 47 insertions(+), 9 deletions(-)
 create mode 100644 modules-available/statistics_reporting/permissions/permissions.json
(limited to 'modules-available/statistics_reporting')
diff --git a/modules-available/statistics_reporting/page.inc.php b/modules-available/statistics_reporting/page.inc.php
index 4845d5be..1a85bfa8 100644
--- a/modules-available/statistics_reporting/page.inc.php
+++ b/modules-available/statistics_reporting/page.inc.php
@@ -52,16 +52,25 @@ class Page_Statistics_Reporting extends Page
 
 // Export - handle in doPreprocess so we don't render the menu etc.
 if ($this->action === 'export') {
- $this->doExport();
- // Does not return
+ if (User::hasPermission("table.export") && User::hasPermission("table.view.$this->type")) {
+ $this->doExport();
+ // Does not return
+ } else {
+ Message::addError('main.no-permission');
+ }
 }
 // Get report - fetch data exactly the way it would automatically be reported
 // so the user can know what is going on
 if ($this->action === 'getreport') {
- $report = RemoteReport::generateReport(strtotime('-7 days'), time('now'));
- Header('Content-Disposition: attachment; filename=remote-report.json');
- Header('Content-Type: application/json; charset=utf-8');
- die(json_encode($report));
+ if(User::hasPermission("reporting.download")) {
+ $report = RemoteReport::generateReport(strtotime('-7 days'), time('now'));
+ Header('Content-Disposition: attachment; filename=remote-report.json');
+ Header('Content-Type: application/json; charset=utf-8');
+ die(json_encode($report));
+ } else {
+ Message::addError('main.no-permission');
+ }
+
 }
 }
 
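Review bot: The export check builds its permission name from `$this->type` (`"table.view.$this->type"`), and the place where that property is assigned lies outside this hunk, so it should be confirmed that the value is limited to the five table names declared in permissions.json before it reaches `User::hasPermission()`; an explicit test such as `in_array($this->type, ['total', 'location', 'client', 'user', 'vm'], true)` ahead of the check would pin that down. Both denied branches only call `Message::addError('main.no-permission')` and let doPreprocess carry on, so the normal page rendering still has to enforce `table.view.*` on its own, which is not visible here. Separately, the re-indented `time('now')` passes an argument to a function that takes none, which PHP 8 rejects with an ArgumentCountError; `time()` gives the same value.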
@@ -137,8 +146,8 @@ class Page_Statistics_Reporting extends Page
 {
 $this->action = Request::any('action', false, 'string');
 if ($this->action === 'setReporting') {
- if (!User::isLoggedIn()) {
- die("No.");
+ if (!User::hasPermission("reporting.change")) {
+ die("Permission denied.");
 }
 $state = Request::post('reporting', false, 'string');
 if ($state === false) {
@@ -271,9 +280,28 @@ class Page_Statistics_Reporting extends Page
 }
 }
 }
+ // only show locations which you have permission for
+ $filterLocs = User::getAllowedLocations("table.view.location");
+ foreach ($data as $key => $row) {
+ if (!in_array($row['locationId'], $filterLocs)) {
+ unset($data[$key]);
+ }
+ }
+ // correct indexing of array after deletions
+ $data = array_values($data);
 return $data;
 case 'client':
- return GetData::perClient($flags);
+ $data = GetData::perClient($flags);
+ // only show clients from locations which you have permission for
+ $filterLocs = User::getAllowedLocations("table.view.location");
+ foreach ($data as $key => $row) {
+ if (!in_array($row['locationId'], $filterLocs)) {
+ unset($data[$key]);
+ }
+ }
+ // correct indexing of array after deletions
+ $data = array_values($data);
+ return $data;
 case 'user':
 return GetData::perUser($flags);
 case 'vm':
diff --git a/modules-available/statistics_reporting/permissions/permissions.json b/modules-available/statistics_reporting/permissions/permissions.json
new file mode 100644
index 00000000..14f4ff3b
--- /dev/null
+++ b/modules-available/statistics_reporting/permissions/permissions.json
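Review bot: The setReporting guard in the `@@ -137,8 +146,8 @@` hunk now relies entirely on `User::hasPermission("reporting.change")` returning false for an anonymous session, since the `User::isLoggedIn()` test it replaces is gone; that function is not shown here and its behaviour for a missing login should be confirmed. The refusal is still sent through `die("Permission denied.")` with the default 200 status, which makes denied attempts hard to tell apart in client code and in access logs; `http_response_code(403);` on the line before the `die` would address that. The function continues outside the hunk, so whether this state-changing request is also covered by a CSRF token check cannot be judged from the visible lines.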
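Review bot: In the `case 'client':` branch of the `@@ -271,9 +280,28 @@` hunk the rows are filtered with `User::getAllowedLocations("table.view.location")`, although permissions.json declares a separate `table.view.client` and the export check keys on `table.view.$this->type`; this looks like a copy of the location branch, and an account whose client and location grants differ would be shown the wrong set of rows. The line should probably read `$filterLocs = User::getAllowedLocations("table.view.client");`. The `user` and `vm` cases still return their data unfiltered, so a location-restricted account can read those tables across all locations unless that is intended. `in_array()` is also called without its strict flag, so a row whose `locationId` is null would match an allowed id of 0 if that value can occur; casting the id to int and passing `true` as the third argument removes the ambiguity. The enclosing switch starts and ends outside the hunk.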
@@ -0,0 +1,10 @@
+{
+ "table.view.total": "View total table.",
+ "table.view.location": "View location table.",
+ "table.view.client": "View client table.",
+ "table.view.user": "View user table.",
+ "table.view.vm": "View lecture table.",
+ "table.export": "Export tables as JSON/CSV/XML.",
+ "reporting.download": "Download weekly report.",
+ "reporting.change": "Change weekly reporting settings."
+}
\ No newline at end of file
-- cgit v1.2.3-55-g7522