Hi,
On 07/25/11 09:27, MoYo wrote:
Hi,
I think that making it simple may be a good solution.
That is my leitmotiv ("simpler is better"). But, sometimes, we have to
make more specific things.
I do not understand why you want to forbid write access on a network
boundaries if you do not have right on parent network.
You have access to the son, why not be able to update it if you stay
on the parent network boundary?
Regarding the hierarchy, if you are able to modify the boundaries of
the current network without having rights for the parent network, you
are able to expand the current network. This expansion should be
forbidden by the owner of the parent network who has made an addressing
plan where your entity must not use IP outside its network.
For instance, in our lab, there are several private networks in the
range 192.168.0.0/255.255.0.0. If we give 192.168.17.0/255.255.255.0 to
an entity, we cannot allow it to expand, because other networks (i.e.
192.168.16.0/255.255.255.0 and 192.168.18.0/255.255.255.0) are owned by
other entities.
Trying to do a simple management with warnings if needed may be the
more useful solution.
When trying to use the data, checking its validity will permit us to not
take invalid networks into account?
Can you tell me what you mean?
I do not understand your patch. You only check that you have access to
a module with an entity.
If I understand correctly, it is equivalent to doing:
haveAccessToEntity($entities_id) && haveRight($module,$right) ?
It is not exactly the same thing.
For instance, 2 entities ("root entity" and "other entity"). A user
"simple user" has "super-admin" (non recursive) profile on "other
entity" and "admin" (non recursive) profile on "root entity". Both
profiles have write networking access (default configuration). If
"simple user" wants to modify a network inside "other entity", he
must be inside the "super-admin" profile (otherwise he won't have access
to this entity). In such case, haveAccessToEntity("root entity") will
return false. However, due to its "admin" profile inside "root entity",
he should have write networking access on "root entity".
Items that you can split into:
- canUpdate/canView: check only the global right: haveRight
- canUpdateItem/canViewItem: check access to the entity (+ other checks
like parent right check if needed...)
That is already what I have done (canUpdateItem always returns true as
the check of parents is done during prepareInputForUpdate and
prepareInputForAdd).
Defining these functions, you will be able to use the can function as
proposed before.
Regards
Julien
On 25/07/2011 08:55, Damien Touraine wrote:
Hi,
I have tried the method you propose. However, the rights are only
checked regarding the current session. Thus, if you have write access
inside the current session, you will have write access on any object
whatever its entity.
That is a problem for the IPv4 network object I try to implement. I
try to make "delegation of sub networks". I suggest you have a
look at the wiki page I developed to describe my proposal:
https://forge.indepnet.net/projects/glpi/wiki/IPv4Netowrk_class
So, the method you proposed is not convenient, as it only checks
writes regarding the current session entity whereas we must check rights
from the point of view of other entities.
Thus, I propose you the attached patch: it provides the
'haveAbsoluteRight' function. This one directly asks the database to
retrieve the given right inside the given entity of the given user.
It takes care of the recursive rights. We should avoid using it
every time as it may be time consuming (use of SQL request). But
sometimes (my case is the only one I see), it may be useful.
Regards
Damien Touraine
On 07/21/11 13:04, MoYo wrote:
On 21/07/2011 12:55, Damien Touraine wrote:
Hi,
Is there a way to know the rights for the current user on another
entity than the current one ?
For instance, we are inside the "A" entity, and we want to know if
the current user has rights for write networking inside entity "B".
I can use:
$currentEntity = $_SESSION["glpiactive_entity"]; // That should be equal to the "A id"
changeActiveEntities("B id");
$allowed = haveRight('networking', 'w');
changeActiveEntities($currentEntity); // Go back to "A" entity
...
But I think it would be too rough.
Hi,
What is the real usage of these checks?
Check to know if you can add / update an item?
For an item, checking the add right on a specific entity:
$item->can(-1,'w',array('entities_id'=>$entities_id));
You can add other params if needed in the third argument.
Regards
Julien
KR
Damien Touraine
_______________________________________________
Glpi-dev mailing list
Glpi-dev@gna.org
https://mail.gna.org/listinfo/glpi-dev
--
--------------------------------------------------------------------
Damien TOURAINE - Ingénieur de Recherche CNRS, LIMSI-CNRS
Groupe de RV&A "VENISE", (http://www.limsi.fr/venise/)
Bat. 508, Universite Paris-Sud 91403 Orsay cedex - +33 1 69 85 81 64
--------------------------------------------------------------------
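
The two checks discussed in this thread, sketched as an added example (not code from the thread, the attached patch, or GLPI): rights are looked up per user and entity instead of from the active session, and growing a network's boundaries requires write access on the parent network's entity. Every function name, the grant layout and the policy that shrinking needs no parent right are assumptions; the addresses and entity names are taken from the messages above.

```php
<?php
// Added illustration, not GLPI code: all names and values are hypothetical.

// "address/netmask" -> [first, last] as integers (assumes 64-bit PHP).
function netRange(string $net): array {
    [$addr, $mask] = array_pad(explode('/', $net, 2), 2, '');
    $a = ip2long($addr);
    $m = ip2long($mask);
    if ($a === false || $m === false) {
        throw new InvalidArgumentException("invalid network: $net");
    }
    return [$a & $m, ($a & $m) | (~$m & 0xFFFFFFFF)];
}

function isInside(string $inner, string $outer): bool {
    [[$iFirst, $iLast], [$oFirst, $oLast]] = [netRange($inner), netRange($outer)];
    return $iFirst >= $oFirst && $iLast <= $oLast;
}

// Write right on networking for $user in $entity, taken from stored grants and
// not from the active session. A recursive grant also covers child entities.
function hasWrite(array $grants, array $parentOf, string $user, string $entity): bool {
    for ($e = $entity, $direct = true; $e !== null; $e = $parentOf[$e] ?? null, $direct = false) {
        foreach ($grants as [$u, $ent, $right, $recursive]) {
            if ($u === $user && $ent === $e && $right === 'w' && ($direct || $recursive)) {
                return true;
            }
        }
    }
    return false;
}

function canChangeBoundaries(array $g, array $p, string $user, array $net, array $parent, string $new): bool {
    // Needs write on the network's own entity and must stay inside the parent network.
    if (!hasWrite($g, $p, $user, $net['entity']) || !isInside($new, $parent['range'])) {
        return false;
    }
    // Shrinking affects nobody else; growing needs write on the parent's entity.
    return isInside($new, $net['range']) || hasWrite($g, $p, $user, $parent['entity']);
}

// Constructed sample data, reusing the addresses and entity names from the thread.
$parentOf = ['root entity' => null, 'other entity' => 'root entity'];
$grants = [['simple user', 'other entity', 'w', false], ['simple user', 'root entity', 'w', false],
           ['lab user', 'other entity', 'w', false]];
$lab = ['range' => '192.168.0.0/255.255.0.0', 'entity' => 'root entity'];
$sub = ['range' => '192.168.17.0/255.255.255.0', 'entity' => 'other entity'];
$grow = '192.168.16.0/255.255.254.0'; // would also cover 192.168.16.0/255.255.255.0
var_dump(canChangeBoundaries($grants, $parentOf, 'lab user', $sub, $lab, $grow));
var_dump(canChangeBoundaries($grants, $parentOf, 'simple user', $sub, $lab, $grow));
```

The proposed range stays inside 192.168.0.0/255.255.0.0, so a containment test against the parent alone would not catch the collision with the neighbouring network; the decision rests on the right held in the parent's entity.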