From f0220a9742ef0b7458b2dafaba5d9f860a741a91 Mon Sep 17 00:00:00 2001
From: Dave Arter
Date: Fri, 15 Jul 2016 17:02:56 +0100
Subject: Require 'report_edit' permission for editing reports in admin
---
perllib/FixMyStreet/App/Controller/Admin.pm | 7 +++++++
1 file changed, 7 insertions(+)
(limited to 'perllib/FixMyStreet/App/Controller/Admin.pm')
diff --git a/perllib/FixMyStreet/App/Controller/Admin.pm b/perllib/FixMyStreet/App/Controller/Admin.pm
index ea8633db0..fbd855333 100644
--- a/perllib/FixMyStreet/App/Controller/Admin.pm
+++ b/perllib/FixMyStreet/App/Controller/Admin.pm
@@ -669,6 +669,13 @@ sub report_edit : Path('report_edit') : Args(1) {
$c->detach( '/page_error_404_not_found' ) unless $problem;
+ unless (
+ $c->cobrand->moniker eq 'zurich'
+ || $c->user->has_permission_to(report_edit => $problem->bodies_str)
+ ) {
+ $c->detach( '/page_error_403_access_denied', [] );
+ }
+
$c->stash->{problem} = $problem;
$c->forward('/auth/get_csrf_token');
-- cgit v1.2.3
From 91c5520c7078f2caa3cbdbdcff4f86a29d9d7390 Mon Sep 17 00:00:00 2001
From: Dave Arter
Date: Mon, 1 Aug 2016 16:36:55 +0100
Subject: Restrict user editing in admin
The 'user_edit' permission is required to edit users. The admin pages on UK council cobrands only allow editing of users whose from_body is the same as the logged-in user, or who have sent reports or updates to the council.
---
perllib/FixMyStreet/App/Controller/Admin.pm | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
(limited to 'perllib/FixMyStreet/App/Controller/Admin.pm')
diff --git a/perllib/FixMyStreet/App/Controller/Admin.pm b/perllib/FixMyStreet/App/Controller/Admin.pm
index fbd855333..91af480a8 100644
--- a/perllib/FixMyStreet/App/Controller/Admin.pm
+++ b/perllib/FixMyStreet/App/Controller/Admin.pm
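Review bot: `has_permission_to(report_edit => $problem->bodies_str)` hands the permission check the raw `bodies_str` value; if that column can hold several comma-separated body ids, as its name suggests, confirm that `has_permission_to` splits it rather than comparing it as one id, otherwise staff of any of the listed bodies would be denied (fail-closed, but it deserves a test). The intent of the two-way condition is also worth recording above the `unless`, e.g. `# Staff may only edit reports sent to a body they hold report_edit for; Zurich uses its own admin access rules`. report_edit's body continues outside the hunk.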
@@ -920,7 +920,7 @@ sub users: Path('users') : Args(0) {
my $search_n = 0;
$search_n = int($search) if $search =~ /^\d+$/;
- my $users = $c->model('DB::User')->search(
+ my $users = $c->cobrand->users->search(
{ -or => [
email => { ilike => $isearch },
@@ -952,7 +952,7 @@ sub users: Path('users') : Args(0) {
$c->forward('fetch_all_bodies');
# Admin users by default
- my $users = $c->model('DB::User')->search(
+ my $users = $c->cobrand->users->search(
{ from_body => { '!=', undef } },
{ order_by => 'name' }
);
@@ -1120,7 +1120,13 @@ sub user_edit : Path('user_edit') : Args(1) {
$c->forward('/auth/get_csrf_token');
- my $user = $c->model('DB::User')->find( { id => $id } );
+ my $user = $c->cobrand->users->find( { id => $id } );
+ $c->detach( '/page_error_404_not_found' ) unless $user;
+
+ unless ( $c->user->is_superuser || ( $c->user->has_permission_to('user_edit', $c->user->from_body->id) ) ) {
+ $c->detach('/page_error_403_access_denied', []);
+ }
+
$c->stash->{user} = $user;
$c->forward('fetch_all_bodies');
-- cgit v1.2.3
From 4eb4658ad589d01d58b239993e201c47325a2eb4 Mon Sep 17 00:00:00 2001
From: Dave Arter
Date: Tue, 2 Aug 2016 17:32:50 +0100
Subject: Restrict from_body editing to superusers
Superusers can set a user's from_body to any value, but a normal staff user can only set another user's from_body to the same as their own or undefined. This is presented in the UI as a 'staff' tickbox.
---
perllib/FixMyStreet/App/Controller/Admin.pm | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
(limited to 'perllib/FixMyStreet/App/Controller/Admin.pm')
diff --git a/perllib/FixMyStreet/App/Controller/Admin.pm b/perllib/FixMyStreet/App/Controller/Admin.pm
index 91af480a8..ce2a653a2 100644
--- a/perllib/FixMyStreet/App/Controller/Admin.pm
+++ b/perllib/FixMyStreet/App/Controller/Admin.pm
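Review bot: The switch from `$c->model('DB::User')` to `$c->cobrand->users` is, per the commit message, the access boundary for which users a council's staff may see, but nothing in the hunk records that, so a later change could revert to the unscoped model without anyone noticing. A one-line comment at the `search` call, `# cobrand->users restricts non-superuser staff to users they are allowed to see`, would make the intent explicit; the same applies to the second hunk (@@ -952) of this commit. users' body continues outside both hunks.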
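Review bot: The 403 check in the third hunk (@@ -1120) runs after the `find`, so a caller without `user_edit` gets 404 for ids outside `$c->cobrand->users` and 403 for ids inside it, which discloses which user ids fall within the cobrand's scope; moving the `unless (...)` block above `my $user = ...` gives such callers a uniform 403. `$c->user->from_body->id` is also dereferenced unguarded on the non-superuser path, so if a staff account with no `from_body` can reach this action (the admin `auto` is not visible here) the request dies with a 500 instead of being denied; `$c->user->from_body &&` ahead of the `has_permission_to` call fails closed. user_edit's body continues outside the hunk.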
@@ -1148,10 +1148,18 @@ sub user_edit : Path('user_edit') : Args(1) {
$user->name( $c->get_param('name') );
$user->email( $c->get_param('email') );
$user->phone( $c->get_param('phone') ) if $c->get_param('phone');
- $user->from_body( $c->get_param('body') || undef );
$user->flagged( $c->get_param('flagged') || 0 );
# Only superusers can grant superuser status
$user->is_superuser( ( $c->user->is_superuser && $c->get_param('is_superuser') ) || 0 );
+ # Superusers can set from_body to any value, but other staff can only
+ # set from_body to the same value as their own from_body.
+ if ($c->user->is_superuser) {
+ $user->from_body( $c->get_param('body') || undef );
+ } elsif ($c->get_param('body') eq $c->user->from_body->id) {
+ $user->from_body( $c->user->from_body );
+ } else {
+ $user->from_body( undef );
+ }
unless ($user->email) {
$c->stash->{field_errors}->{email} = _('Please enter a valid email');
-- cgit v1.2.3
From d2a00747fc56342ed262804d8f268335e6ec1dfa Mon Sep 17 00:00:00 2001
From: Dave Arter
Date: Wed, 17 Aug 2016 15:31:56 +0100
Subject: Allow user permissions to be granted/revoked in admin
---
perllib/FixMyStreet/App/Controller/Admin.pm | 29 ++++++++++++++++++++++++++---
1 file changed, 26 insertions(+), 3 deletions(-)
(limited to 'perllib/FixMyStreet/App/Controller/Admin.pm')
diff --git a/perllib/FixMyStreet/App/Controller/Admin.pm b/perllib/FixMyStreet/App/Controller/Admin.pm
index ce2a653a2..c8432df0c 100644
--- a/perllib/FixMyStreet/App/Controller/Admin.pm
+++ b/perllib/FixMyStreet/App/Controller/Admin.pm
@@ -1129,6 +1129,10 @@ sub user_edit : Path('user_edit') : Args(1) {
$c->stash->{user} = $user;
+ if ( $user->from_body && $c->user->has_permission_to('user_manage_permissions', $user->from_body->id) ) {
+ $c->stash->{available_permissions} = $c->cobrand->available_permissions;
+ }
+
$c->forward('fetch_all_bodies');
if ( $c->get_param('submit') ) {
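Review bot: For a non-superuser the `else` branch clears `from_body` on any edited user whose `body` parameter differs from the editor's own body, including a user who is staff of some other body — the message of commit 91c5520c on this page says `cobrand->users` also returns people who have sent reports or updates to the council, so if such a person is staff elsewhere, this council's staff could silently strip that membership. Limiting the reset to users the editor may legitimately manage, `} elsif ( !$user->from_body || $user->from_body->id eq $c->user->from_body->id ) { $user->from_body( undef ); }`, leaves a foreign body's staff untouched. The `eq` comparison also runs against a possibly absent `body` parameter (an unticked 'staff' box would presumably send none), which only warns here; the later commit d2a00747 on this page adds the `&&` guard. user_edit's body continues outside the hunk.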
@@ -1139,7 +1143,7 @@ sub user_edit : Path('user_edit') : Args(1) {
if ( $user->email ne $c->get_param('email') ||
$user->name ne $c->get_param('name') ||
($user->phone || "") ne $c->get_param('phone') ||
- ($user->from_body && $user->from_body->id ne $c->get_param('body')) ||
+ ($user->from_body && $c->get_param('body') && $user->from_body->id ne $c->get_param('body')) ||
(!$user->from_body && $c->get_param('body'))
) {
$edited = 1;
@@ -1153,14 +1157,33 @@ sub user_edit : Path('user_edit') : Args(1) {
$user->is_superuser( ( $c->user->is_superuser && $c->get_param('is_superuser') ) || 0 );
# Superusers can set from_body to any value, but other staff can only
# set from_body to the same value as their own from_body.
- if ($c->user->is_superuser) {
+ if ( $c->user->is_superuser ) {
$user->from_body( $c->get_param('body') || undef );
- } elsif ($c->get_param('body') eq $c->user->from_body->id) {
+ } elsif ( $c->user->has_permission_to('user_assign_body', $c->user->from_body->id ) &&
+ $c->get_param('body') && $c->get_param('body') eq $c->user->from_body->id ) {
$user->from_body( $c->user->from_body );
} else {
$user->from_body( undef );
}
+ if (!$user->from_body) {
+ # Non-staff users aren't allowed any permissions
+ $user->user_body_permissions->delete_all;
+ } elsif ($c->stash->{available_permissions}) {
+ my @all_permissions = map { keys %$_ } values %{ $c->stash->{available_permissions} };
+ my @user_permissions = grep { $c->get_param("permissions[$_]") ? 1 : undef } @all_permissions;
+ $user->user_body_permissions->search({
+ body_id => $user->from_body->id,
+ permission_type => { '!=' => \@user_permissions },
+ })->delete;
+ foreach my $permission_type (@user_permissions) {
+ $user->user_body_permissions->find_or_create({
+ body_id => $user->from_body->id,
+ permission_type => $permission_type,
+ });
+ }
+ }
+
unless ($user->email) {
$c->stash->{field_errors}->{email} = _('Please enter a valid email');
return;
-- cgit v1.2.3
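Review bot: With the added `$c->get_param('body') &&`, removing a staff user's body (no `body` parameter submitted) no longer sets `$edited`, yet the from_body assignment further down in this commit still clears `from_body` in exactly that case; if `$edited` is what drives the admin edit log (its consumer is not visible on this page), a demotion would go unrecorded. Keeping a clause for the absent-parameter case next to the new one, `($user->from_body && !$c->get_param('body')) ||`, would cover it without reintroducing the uninitialised-value warning. user_edit's body starts and ends outside the hunk.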
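Review bot: In the second hunk (@@ -1153), `permission_type => { '!=' => \@user_permissions }` does not express "not in the submitted set": SQL::Abstract expands an arrayref under `!=` into an OR of inequalities, which is true for every row as soon as two permissions are ticked, so all of the body's rows are deleted and the ticked ones re-created on every submit (the outcome is right only because of the `find_or_create` loop, and recent SQL::Abstract warns about this form). `permission_type => { -not_in => \@user_permissions }` states the intent and still matches every row when the list is empty. Separately, `$c->stash->{available_permissions}` was computed from the user's from_body before this branch may have reassigned it (hunk @@ -1129 of this commit), which is harmless on the non-superuser path visible here but deserves a comment, and `? 1 : undef` inside the `grep` adds nothing over the bare condition. user_edit's body continues outside the hunk.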
From 82bb11cae220072581a809d1b4a1131f7267c0a2 Mon Sep 17 00:00:00 2001
From: Dave Arter
Date: Thu, 4 Aug 2016 15:13:19 +0100
Subject: Restrict admin config/stats pages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The config page is only accessible by superusers. The stats page only shows figures for the user’s from_body unless superuser.
---
perllib/FixMyStreet/App/Controller/Admin.pm | 30 +++++++++--------------------
1 file changed, 9 insertions(+), 21 deletions(-)
(limited to 'perllib/FixMyStreet/App/Controller/Admin.pm')
diff --git a/perllib/FixMyStreet/App/Controller/Admin.pm b/perllib/FixMyStreet/App/Controller/Admin.pm
index c8432df0c..17425ad77 100644
--- a/perllib/FixMyStreet/App/Controller/Admin.pm
+++ b/perllib/FixMyStreet/App/Controller/Admin.pm
@@ -1273,7 +1273,13 @@ sub stats_fix_rate : Path('stats/fix-rate') : Args(0) {
sub stats : Path('stats') : Args(0) {
my ( $self, $c ) = @_;
- $c->forward('fetch_all_bodies');
+ my $selected_body;
+ if ( $c->user->is_superuser ) {
+ $c->forward('fetch_all_bodies');
+ $selected_body = $c->get_param('body');
+ } else {
+ $selected_body = $c->user->from_body->id;
+ }
if ( $c->cobrand->moniker eq 'seesomething' || $c->cobrand->moniker eq 'zurich' ) {
return $c->cobrand->admin_stats();
@@ -1303,7 +1309,7 @@ sub stats : Path('stats') : Args(0) {
my $bymonth = $c->get_param('bymonth');
$c->stash->{bymonth} = $bymonth;
- $c->stash->{selected_body} = $c->get_param('body');
+ $c->stash->{selected_body} = $selected_body;
my $field = 'confirmed';
@@ -1332,7 +1338,7 @@ sub stats : Path('stats') : Args(0) {
);
}
- my $p = $c->cobrand->problems->to_body($c->get_param('body'))->search(
+ my $p = $c->cobrand->problems->to_body($selected_body)->search(
{ -AND => [
$field => { '>=', $start_date},
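Review bot: `$selected_body = $c->user->from_body->id` in the `else` branch calls `->id` on `from_body` without checking it is set, so a logged-in non-superuser with no `from_body` (if the admin `auto` action lets such a user this far — not visible here) gets a 500 from the undef dereference instead of being denied. `$c->detach('/page_error_403_access_denied', []) unless $c->user->from_body;` before the assignment fails closed and matches the 403 used by the user_edit hunks earlier in this series. Note that the seesomething/zurich early return now sits after this block, so on those cobrands a non-superuser also needs a from_body to reach `admin_stats` — confirm that is intended. stats' body continues outside the hunk.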
@@ -1362,24 +1368,6 @@ sub set_allowed_pages : Private {
my $pages = $c->cobrand->admin_pages;
- if( !$pages ) {
- $pages = {
- 'summary' => [_('Summary'), 0],
- 'bodies' => [_('Bodies'), 1],
- 'reports' => [_('Reports'), 2],
- 'timeline' => [_('Timeline'), 3],
- 'users' => [_('Users'), 5],
- 'flagged' => [_('Flagged'), 6],
- 'stats' => [_('Stats'), 7],
- 'config' => [ _('Configuration'), 8],
- 'user_edit' => [undef, undef],
- 'body' => [undef, undef],
- 'report_edit' => [undef, undef],
- 'update_edit' => [undef, undef],
- 'abuse_edit' => [undef, undef],
- }
- }
-
my @allowed_links = sort {$pages->{$a}[1] <=> $pages->{$b}[1]} grep {$pages->{$_}->[0] } keys %$pages;
$c->stash->{allowed_pages} = $pages;
-- cgit v1.2.3