Commit 27edc14a authored by Robert Lyon's avatar Robert Lyon Committed by Gerrit Code Review

Merge changes If7dbf908,I6338f363

* changes:
  Bug 1836984: Remove bad access rules when changing institution
  Bug 1836984: stop seeing users in elasticsearch results that we shouldn't see
parents 24e19042 6a81e770
......@@ -367,6 +367,17 @@ class Institution {
if ($profileview = $userobj->get_profile_view()) {
$profileview->add_owner_institution_access(array($this->name));
}
if (is_isolated() && !$admin) {
// If isolated institutions are on and this user is not an admin make sure their existing pages
// are not shared with people outside their new institution
$toremove1 = get_column_sql("SELECT va.id FROM {view} v JOIN {view_access} va ON va.view = v.id WHERE v.owner = ? AND (va.institution IS NOT NULL AND va.institution != ?)", array($user->id, $this->name));
$toremove2 = get_column_sql("SELECT va.id FROM {view} v JOIN {view_access} va ON va.view = v.id WHERE v.owner = ? AND (va.usr IS NOT NULL AND va.usr NOT IN (SELECT usr FROM {usr_institution} WHERE institution = ?))", array($user->id, $this->name));
$toremove3 = get_column_sql("SELECT va.id FROM {view} v JOIN {view_access} va ON va.view = v.id WHERE v.owner = ? AND (va.group IS NOT NULL AND va.group NOT IN (SELECT g.id FROM {group} g WHERE g.institution = ?))", array($user->id, $this->name));
$toremove = array_merge($toremove1, $toremove2, $toremove3);
if (!empty($toremove)) {
delete_records_sql("DELETE FROM {view_access} WHERE id IN (" . join(',', array_map('db_quote', $toremove)) . ")");
}
}
db_commit();
}
......@@ -744,6 +755,17 @@ class Institution {
delete_records('usr_account_preference', 'usr', $user->id, 'field', 'licensedefault', 'value', LICENSE_INSTITUTION_DEFAULT);
delete_records('usr_institution', 'usr', $user->id, 'institution', $this->name);
if (is_isolated() && !$user->admin) {
// If isolated institutions are on and this user is not an admin make sure their existing pages
// are not shared with people outside their new institution
$toremove1 = get_column_sql("SELECT va.id FROM {view} v JOIN {view_access} va ON va.view = v.id WHERE v.owner = ? AND (va.institution IS NOT NULL AND va.institution = ?)", array($user->id, $this->name));
$toremove2 = get_column_sql("SELECT va.id FROM {view} v JOIN {view_access} va ON va.view = v.id WHERE v.owner = ? AND (va.usr IS NOT NULL AND va.usr IN (SELECT usr FROM {usr_institution} WHERE institution = ?))", array($user->id, $this->name));
$toremove3 = get_column_sql("SELECT va.id FROM {view} v JOIN {view_access} va ON va.view = v.id WHERE v.owner = ? AND (va.group IS NOT NULL AND va.group IN (SELECT g.id FROM {group} g WHERE g.institution = ?))", array($user->id, $this->name));
$toremove = array_merge($toremove1, $toremove2, $toremove3);
if (!empty($toremove)) {
delete_records_sql("DELETE FROM {view_access} WHERE id IN (" . join(',', array_map('db_quote', $toremove)) . ")");
}
}
handle_event('updateuser', $user->id);
db_commit();
}
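Review bot: The three SELECTs in the first hunk (`@@ -367`) match only `view_access` rows whose `institution`, `usr` or `group` column is set, so a rule expressed through `accesstype` alone (for example `'loggedin'`, which the search-index changes in this commit filter out for profile pages) is left in place when the user joins the institution. If such rules are still honoured while `is_isolated()` is true, older pages stay readable outside the new institution, which is what the comment says this block prevents; either extend the cleanup to those rows or state in the comment where they are blocked. The second hunk (`@@ -744`) repeats that comment verbatim although its queries use `=` and `IN`, so it should say something like `// remove access rules that point at the institution being left, its members and its groups`. The guards also differ (`!$admin` here, `!$user->admin` there), and since both methods begin outside the hunks it is worth confirming the two mean the same privilege.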
......
......@@ -1408,6 +1408,14 @@ class ElasticsearchFilterAcl
);
$this->params['should'][] = $elasticaFilterInstitutions;
}
else if (empty($user_institutions) && is_isolated()) {
$elasticaFilterInstitutions = array(
'terms' => array(
'access.institutions' => array('mahara'),
),
);
$this->params['should'][] = $elasticaFilterInstitutions;
}
// GROUPS (array of groups that have access to the artefact)
if ($groups = $this->getGroupsList()) {
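Review bot: The new `else if (empty($user_institutions) && is_isolated())` branch has no comment saying that `'mahara'` stands for "member of no institution", and the filter only works if the indexed documents carry the same sentinel. Documents indexed before this commit would not have it, so presumably the index needs a full rebuild when the change is deployed; that is worth stating in the commit message or next to the branch. Suggested comment: `// Isolated institutions: users in no institution are indexed under 'mahara', so match that bucket`. The enclosing method starts and ends outside the hunk.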
......
......@@ -446,6 +446,45 @@ class ElasticsearchType_artefact extends ElasticsearchType {
$artefactid
) );
if (is_isolated() && get_field_sql("SELECT v.type FROM {view} v
JOIN {view_artefact} va ON va.view = v.id
JOIN {artefact} a ON a.id = va.artefact
WHERE a.id = ?", array($artefactid)) == 'profile') {
if ($records) {
foreach ($records as $k => $access) {
if ($access->accesstype == 'loggedin') {
unset($records[$k]);
}
}
$records = array_values($records);
}
$viewid = get_field('view_artefact', 'view', 'artefact', $artefactid);
if (!get_records_sql_array("SELECT a.owner FROM {artefact} a
JOIN {usr_institution} ui ON ui.usr = a.owner
WHERE a.id = ?", array($artefactid))) {
// Member of no institution so need to add the 'mahara' institution option
$noinst = new StdClass();
$noinst->view_id = $viewid;
$noinst->accesstype = null;
$noinst->group = null;
$noinst->role = null;
$noinst->usr = null;
$noinst->institution = 'mahara';
$records[] = $noinst;
}
// Need to allow site admins to be able to see profile pages of all users
foreach (get_column('usr', 'id', 'admin', 1) as $adminid) {
$admins = new StdClass();
$admins->view_id = $viewid;
$admins->accesstype = null;
$admins->group = null;
$admins->role = null;
$admins->usr = $adminid;
$admins->institution = null;
$records[] = $admins;
}
}
return $records;
}
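Review bot: The `get_field_sql` check that compares `v.type` with `'profile'` reads a single value from a join through `view_artefact` with no `ORDER BY`, so for an artefact placed on more than one view the outcome depends on which row the database returns first. `$viewid = get_field('view_artefact', 'view', 'artefact', $artefactid)` makes the same single-row assumption and may hand a non-profile view id to the synthetic `'mahara'` and admin records. If an artefact can sit on several views, put the type into the WHERE clause (`... WHERE a.id = ? AND v.type = 'profile'`) and select `v.id` in that same query, so both the decision and the view id come from the profile view. The enclosing method begins outside the hunk.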
......
......@@ -213,6 +213,45 @@ class ElasticsearchType_block_instance extends ElasticsearchType {
$blockid
) );
if (is_isolated() && get_field_sql("SELECT v.type FROM {view} v
JOIN {block_instance} b ON b.view = v.id
WHERE b.id = ?", array($blockid)) == 'profile') {
if ($records) {
foreach ($records as $k => $access) {
if ($access->accesstype == 'loggedin') {
unset($records[$k]);
}
}
$records = array_values($records);
}
$viewid = get_field('block_instance', 'view', 'id', $blockid);
if (!get_records_sql_array("SELECT v.owner FROM {view} v
JOIN {block_instance} b ON b.view = v.id
JOIN {usr_institution} ui ON ui.usr = v.owner
WHERE b.id = ?", array($blockid))) {
// Member of no institution so need to add the 'mahara' institution option
$noinst = new StdClass();
$noinst->view_id = $viewid;
$noinst->accesstype = null;
$noinst->group = null;
$noinst->role = null;
$noinst->usr = null;
$noinst->institution = 'mahara';
$records[] = $noinst;
}
// Need to allow site admins to be able to see profile pages of all users
foreach (get_column('usr', 'id', 'admin', 1) as $adminid) {
$admins = new StdClass();
$admins->view_id = $viewid;
$admins->accesstype = null;
$admins->group = null;
$admins->role = null;
$admins->usr = $adminid;
$admins->institution = null;
$records[] = $admins;
}
}
return $records;
}
}
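Review bot: The block that strips `'loggedin'` rows, appends the `'mahara'` record and appends one record per site admin is repeated almost line for line in the artefact (`@@ -446`) and view (`@@ -183`) hunks, so any later correction to the isolation rules has to be made three times, and a missed copy leaves one document type with looser access data than the others. Moving it into one helper on the shared parent class would keep the three types in step; each caller would keep only its own profile-type check, `$viewid` lookup and owner-institution query. The sketch below assumes the calling methods are static, which is not visible in the hunk, and the helper name is only a suggestion.

```php
// Shared by the artefact, block_instance and view types (static assumed; match the callers).
protected static function isolated_profile_access($records, $viewid, $ownerhasinstitution) {
    if ($records) {
        foreach ($records as $k => $access) {
            if ($access->accesstype == 'loggedin') {
                unset($records[$k]);
            }
        }
        $records = array_values($records);
    }
    $template = array('view_id' => $viewid, 'accesstype' => null, 'group' => null,
                      'role' => null, 'usr' => null, 'institution' => null);
    if (!$ownerhasinstitution) {
        // Member of no institution so need to add the 'mahara' institution option
        $records[] = (object) array_merge($template, array('institution' => 'mahara'));
    }
    // Need to allow site admins to be able to see profile pages of all users
    foreach (get_column('usr', 'id', 'admin', 1) as $adminid) {
        $records[] = (object) array_merge($template, array('usr' => $adminid));
    }
    return $records;
}
// … unchanged in each caller: is_isolated()/profile check, $viewid lookup, owner-institution query …
```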
......@@ -102,6 +102,9 @@ class ElasticsearchType_usr extends ElasticsearchType {
$record->institutions [] = $institution->institution;
}
}
else if (is_isolated()) {
$record->institutions [] = 'mahara';
}
else {
$record->institutions = null;
}
......@@ -152,13 +155,33 @@ class ElasticsearchType_usr extends ElasticsearchType {
WHERE v.id = va.view AND v.type = 'profile' AND v.owner = ?
AND accesstype IN (" . $join . ") ORDER BY FIELD(va.accesstype, " . $join . ")";
}
$profileviewaccess = recordset_to_array ( get_recordset_sql ( $sql, array (
$record->id
) ) );
$record->access ['general'] = (! empty ( $profileviewaccess )) ? $profileviewaccess [0]->accesstype : 'none';
$profileviewaccess = get_records_sql_array($sql, array($record->id));
if (empty($profileviewaccess) || is_isolated()) {
$record->access ['general'] = 'none';
// They either have no open access or isolated institutions are on so open access is not allowed
// So we check if they have an institution rules set
$profileviewinstitution = get_column_sql("
SELECT va.institution FROM {view} v
JOIN {view_access} va ON va.view = v.id
WHERE v.type = 'profile' AND va.institution IS NOT NULL
AND v.owner = ?", array($record->id));
if ($profileviewinstitution) {
$record->access ['institutions'] = $profileviewinstitution;
}
if ($institutions == false) {
$record->access ['institutions'] = array('mahara');
}
// make sure site admins can still be seen by everyone
if (get_field('usr', 'admin', 'id', $record->id)) {
$record->access ['general'] = 'loggedin';
}
}
else {
$record->access ['general'] = (! empty ( $profileviewaccess )) ? $profileviewaccess [0]->accesstype : 'none';
}
// always allow user to search themselves for vanity reasons
$record->access ['usrs'] = $record->id;
// and allow all site admins to search them also
$record->access ['usrs'] = array_merge(array($record->id), get_column('usr', 'id', 'admin', 1));
$record->mainfacetterm = self::$mainfacetterm;
$allowhidename = get_config ( 'userscanhiderealnames' );
$showusername = ! get_config ( 'nousernames' );
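Review bot: The list of site-admin ids is copied into every user document at `$record->access ['usrs'] = array_merge(array($record->id), get_column('usr', 'id', 'admin', 1));` in the `@@ -152` hunk, so the index keeps whatever the admin set was at indexing time. Unless a change to `usr.admin` already requeues these documents (not visible here), a user who loses site-admin rights stays in `access ['usrs']` and keeps search visibility of isolated users until the next reindex; the per-admin records added in the artefact, block_instance and view hunks have the same lifetime. A comment such as `// admin ids are snapshotted into the index; requeue usr/view/artefact/block documents when usr.admin changes` would record the dependency. In the new `else` branch the ternary's `! empty ( $profileviewaccess )` test can no longer be false, so the line could be reduced to `$record->access ['general'] = $profileviewaccess [0]->accesstype;`.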
......
......@@ -183,6 +183,42 @@ class ElasticsearchType_view extends ElasticsearchType {
$viewid
) );
if (is_isolated() && get_field('view', 'type', 'id', $viewid) == 'profile') {
if ($records) {
foreach ($records as $k => $access) {
if ($access->accesstype == 'loggedin') {
unset($records[$k]);
}
}
$records = array_values($records);
}
if (!get_records_sql_array("SELECT v.owner FROM {view} v
JOIN {usr_institution} ui ON ui.usr = v.owner
WHERE v.id = ?", array($viewid))) {
// Member of no institution so need to add the 'mahara' institution option
$noinst = new StdClass();
$noinst->view_id = $viewid;
$noinst->accesstype = null;
$noinst->group = null;
$noinst->role = null;
$noinst->usr = null;
$noinst->institution = 'mahara';
$records[] = $noinst;
}
// Need to allow site admins to be able to see profile pages of all users
foreach (get_column('usr', 'id', 'admin', 1) as $adminid) {
$admins = new StdClass();
$admins->view_id = $viewid;
$admins->accesstype = null;
$admins->group = null;
$admins->role = null;
$admins->usr = $adminid;
$admins->institution = null;
$records[] = $admins;
}
}
return $records;
}
}
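Review bot: The filter loop drops only rows whose `accesstype` is `'loggedin'`, so any other accesstype value that reaches beyond the owner's institution would still be indexed for an isolated profile page. If profile pages can carry such values, the check is safer as an allow-list of what isolation permits than as a single excluded value. If they cannot, a comment saying so, e.g. `// 'loggedin' is the only site-wide accesstype a profile page can have`, would make the assumption explicit. The enclosing method begins outside the hunk.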