author | Dave Arter <davea@mysociety.org> | 2016-08-01 16:36:55 +0100 |
---|---|---|
committer | Dave Arter <davea@mysociety.org> | 2016-08-17 15:34:53 +0100 |
commit | 91c5520c7078f2caa3cbdbdcff4f86a29d9d7390 (patch) | |
tree | 3f6919c4a7713db5db4e83aeddec87591742da6f /perllib/FixMyStreet/Cobrand | |
parent | f0220a9742ef0b7458b2dafaba5d9f860a741a91 (diff) |
Restrict user editing in admin
The 'user_edit' permission is required to edit users.
The admin pages on UK council cobrands only allow editing of users whose
from_body is the same as the logged-in user's, or who have sent reports or
updates to the council.
Diffstat (limited to 'perllib/FixMyStreet/Cobrand')
-rw-r--r-- | perllib/FixMyStreet/Cobrand/Default.pm | 24 | ||||
-rw-r--r-- | perllib/FixMyStreet/Cobrand/UKCouncils.pm | 27 |
2 files changed, 51 insertions, 0 deletions
diff --git a/perllib/FixMyStreet/Cobrand/Default.pm b/perllib/FixMyStreet/Cobrand/Default.pm
index 686684a05..8c75a1234 100644
--- a/perllib/FixMyStreet/Cobrand/Default.pm
+++ b/perllib/FixMyStreet/Cobrand/Default.pm
@@ -140,6 +140,30 @@ sub problems_on_map_restriction {
 return $rs;
 }
 
+=head1 users
+
+Returns a ResultSet of Users, potentially restricted to a subset if we're on
+a cobrand that only wants some of the data.
+
+=cut
+
+sub users {
+ my $self = shift;
+ return $self->users_restriction($self->{c}->model('DB::User'));
+}
+
+=head1 users_restriction
+
+Used to restricts users in the admin in a cobrand in a particular way. Do
+nothing by default.
+
+=cut
+
+sub users_restriction {
+ my ($self, $rs) = @_;
+ return $rs;
+}
+
 sub site_key { return 0; }
 
 =head2 restriction
diff --git a/perllib/FixMyStreet/Cobrand/UKCouncils.pm b/perllib/FixMyStreet/Cobrand/UKCouncils.pm
index 43f10130a..701a4ca1c 100644
--- a/perllib/FixMyStreet/Cobrand/UKCouncils.pm
+++ b/perllib/FixMyStreet/Cobrand/UKCouncils.pm
@@ -50,6 +50,33 @@ sub updates_restriction {
 return $rs->to_body($self->council_id);
 }
 
+sub users_restriction {
+ my ($self, $rs) = @_;
+
+ # Council admins can only see users who are members of the same council or
+ # users who have sent a report or update to that council.
+
+ my $problem_user_ids = $self->problems->search(
+ undef,
+ {
+ columns => [ 'user_id' ],
+ distinct => 1
+ }
+ )->as_query;
+ my $update_user_ids = $self->updates->search(
+ undef,
+ {
+ columns => [ 'user_id' ],
+ distinct => 1
+ }
+ )->as_query;
+
+ return $rs->search([
+ from_body => $self->council_id,
+ id => [ { -in => $problem_user_ids }, { -in => $update_user_ids } ],
+ ]);
+}
+
 sub base_url {
 my $self = shift;
 my $base_url = FixMyStreet->config('BASE_URL'); |
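Review bot: The POD for `users_restriction` in Default.pm does not say that this method is the access-control filter for admin user lookups, and its no-op default means any cobrand that does not override it hands the full `DB::User` set to whoever holds `user_edit`. I would state that in the POD, e.g. `Access-control filter for admin user lookups; the default returns $rs unchanged, so cobrands that need scoping must override it.`, and add to the `users` POD that admin code should fetch users through it rather than from `model('DB::User')` directly. The callers are not part of this diff, so it is worth checking that they all do. Minor: `Used to restricts` should read `Used to restrict`, and the neighbouring section uses `=head2` where these two use `=head1`.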
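Review bot: The two `id => { -in => ... }` branches in the UKCouncils `users_restriction` do not look at `from_body`, so an account that belongs to a different body becomes editable by this council's admins as soon as it has sent one report or update here. If the intent is that staff manage their own colleagues plus ordinary reporters, consider scoping those branches to body-less users by wrapping the `id` pair as `-and => [ from_body => undef, id => [ ... ] ]`; if cross-body editing is intended, a comment saying so would help. It is also worth confirming that `council_id` can never be undef here, because `from_body => undef` is rendered as `from_body IS NULL` and would then match every user without a body.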