Commit 32c26684 authored by Robert Lyon's avatar Robert Lyon Committed by Gerrit Code Review

Merge "Bug 1851557: Restricting access users / groups select2 results"

parents 55e985a9 61a2bfc1
......@@ -162,3 +162,4 @@ $string['pluginnotactive1'] = 'The plugin "%s" is not enabled. Please got to "Ad
$string['fileuploadtoobig'] = 'The file upload is too big as it is bigger than "%s"';
$string['sideblockmenuclash'] = 'The sideblock name "%s" is already in use. Please choose a different one.';
$string['isolatedinstitutionsremoverules'] = 'We have hidden %s access rules due to isolated institutions being in effect. The hidden rules will be removed once the form is saved.';
......@@ -7581,3 +7581,59 @@ define('FORMAT_NAME_STUDENTID', 5);
* display format for author names in views - obeys display_name
*/
define('FORMAT_NAME_DISPLAYNAME', 6);
function filter_isolated_view_access($view, $viewaccess) {
global $SESSION;
if (!is_isolated() || empty($viewaccess)) {
// no need to filter
return $viewaccess;
}
$removerules = 0;
foreach ($viewaccess as $k => $access) {
if ($access['accesstype'] == 'loggedin') {
unset($viewaccess[$k]);
$removerules++;
}
else if ($access['type'] == 'user' && !empty($access['usr'])) {
$userinstitutions = get_column('usr_institution', 'institution', 'usr', $access['usr']);
if ($view->get('owner')) {
$viewinstitutions = get_column('usr_institution', 'institution', 'usr', $view->get('owner'));
}
else if ($view->get('group')) {
$viewinstitutions = get_column('group', 'institution', 'id', $view->get('group'));
}
else if ($view->get('institution')) {
$viewinstitutions = array($view->get('institution'));
}
// check that the user is in the same institution
if (!((empty($viewinstitutions) && empty($userinstitutions)) || array_intersect($viewinstitutions, $userinstitutions))) {
unset($viewaccess[$k]);
$removerules++;
}
}
else if ($access['type'] == 'group' && !empty($access['group'])) {
$userinstitutions = get_column('group', 'institution', 'id', $access['group']);
if ($view->get('owner')) {
$viewinstitutions = get_column('usr_institution', 'institution', 'usr', $view->get('owner'));
}
else if ($view->get('group')) {
$viewinstitutions = get_column('group', 'institution', 'id', $view->get('group'));
}
else if ($view->get('institution')) {
$viewinstitutions = array($view->get('institution'));
}
// check that the user is in the same institution
if (!((empty($viewinstitutions) && empty($userinstitutions)) || array_intersect($viewinstitutions, $userinstitutions))) {
unset($viewaccess[$k]);
$removerules++;
}
}
}
if ($removerules) {
$SESSION->add_error_msg(get_string('isolatedinstitutionsremoverules', 'error', $removerules));
}
$viewaccess = array_values($viewaccess);
return $viewaccess;
}
......@@ -163,7 +163,7 @@ class PluginSearchInternal extends PluginSearch {
}
$is_any_admin = $USER->get('admin') || $USER->is_institutional_admin() || $USER->get('staff') || $USER->is_institutional_staff();
if (is_isolated() && get_config('owngroupsonly') && !$is_any_admin) {
if (get_config('owngroupsonly') && !$is_any_admin) {
// In search results only include users that are members of the same groups.
// This does not count for site admins/staff and institutional admins/staff.
$groupids = array_keys($USER->get('grouproles'));
......@@ -185,7 +185,8 @@ class PluginSearchInternal extends PluginSearch {
}
$where .= ')';
}
if (is_isolated() && !get_config('owngroupsonly')) {
// Regular institution users should always see institutional admins/staff
if (!empty($data['institutions'])) {
$where .= '
......@@ -655,7 +656,7 @@ class PluginSearchInternal extends PluginSearch {
$is_admin = $USER->get('admin') || $USER->get('staff');
if (is_isolated() && !$is_admin) {
// in search results only include users that are members of the same groups;
// in search results only include users that are members of the same institution
// site admin and site staff users are excluded
$userinst = get_field('usr_institution', 'institution', 'usr', $USER->get('id'));
$searchsql .= '
......@@ -663,7 +664,17 @@ class PluginSearchInternal extends PluginSearch {
SELECT usr FROM {usr_institution} WHERE institution = \'' . $userinst . '\'
)';
}
if (get_config('owngroupsonly') && !$is_admin) {
// in search results only include users that are members of the same groups
// site admin and site staff users are excluded
$usergroups = get_column('group_member', 'group', 'member', $USER->get('id'));
$membergroups = get_column_sql('SELECT member FROM {group_member} WHERE "group" IN (' . implode(',', $usergroups) . ') AND member != ?', array($USER->get('id')));
if ($membergroups) {
$membergroups = array_unique($membergroups);
$searchsql .= '
AND u.id IN (' . implode(',', $membergroups) . ')';
}
}
$orderbyoptions = array(
'adminfirst' => 'gm.role = \'admin\' DESC, gm.role = \'tutor\' DESC,
......@@ -966,14 +977,16 @@ class PluginSearchInternal extends PluginSearch {
$values[] = $category;
}
}
if (is_array($institution) && !empty($institution)) {
$sql .= ' AND institution IN (?)';
$institution = join(',', array_keys($institution));
$values[] = $institution;
}
if (!is_array($institution) && $institution != 'all') {
$sql .= ' AND institution = ?';
$values[] = $institution;
if ($type != 'admin') {
if (is_array($institution) && !empty($institution)) {
$sql .= ' AND institution IN (?)';
$institution = join(',', array_keys($institution));
$values[] = $institution;
}
else if (!is_array($institution) && $institution != 'all') {
$sql .= ' AND institution = ?';
$values[] = $institution;
}
}
$count = get_field_sql('SELECT COUNT(*) '.$sql, $values);
......
......@@ -26,12 +26,22 @@ if ($page < 1) {
$page = 1;
}
$offset = ($page - 1) * $limit;
$is_admin = $USER->get('admin') || $USER->get('staff');
$options = array();
if (is_isolated() && ($USER->get('institutions') || !$USER->get('institutions') && !$is_admin)) {
$options['myinstitutions'] = true;
$options['showadmins'] = false;
}
switch ($type) {
case 'friend':
$data = search_user($query, $limit, $offset, array('exclude' => $USER->get('id'), 'friends' => true));
$options['exclude'] = $USER->get('id');
$options['friends'] = true;
$data = search_user($query, $limit, $offset, $options);
break;
case 'user':
$data = search_user($query, $limit, $offset, array('exclude' => $USER->get('id')));
$options['exclude'] = $USER->get('id');
$data = search_user($query, $limit, $offset, $options);
$roles = get_records_array('usr_access_roles');
$data['roles'] = array();
foreach ($roles as $r) {
......@@ -40,7 +50,20 @@ switch ($type) {
break;
case 'group':
require_once('group.php');
$data = search_group($query, $limit, $offset, '');
$type = 'all';
$groupcategory = '';
$institutions = 'all';
if (is_isolated() && !$is_admin) {
$institutions = $USER->get('institutions');
if (get_config('owngroupsonly')) {
$type = 'member';
}
}
else if (get_config('owngroupsonly') && !$is_admin) {
$type = 'member';
$institutions = array();
}
$data = search_group($query, $limit, $offset, $type, $groupcategory, $institutions);
$roles = get_records_array('grouptype_roles');
$data['roles'] = array();
foreach ($roles as $r) {
......@@ -51,7 +74,9 @@ switch ($type) {
}
break;
default:
$data = search_user($query, $limit, $offset, array('exclude' => $USER->get('id'), 'friends' => true));
$options['exclude'] = $USER->get('id');
$options['friends'] = true;
$data = search_user($query, $limit, $offset, $options);
break;
}
$more = $data['count'] > $limit * $page;
......
......@@ -211,13 +211,9 @@ if ($group && in_array( $USER->get('id'), $admintutorids, true )) {
}
$viewaccess = $view->get_access('%s');
if (is_isolated() && !empty($viewaccess)) {
foreach ($viewaccess as $k => $access) {
if ($access['accesstype'] == 'loggedin') {
unset($viewaccess[$k]);
}
}
$viewaccess = array_values($viewaccess);
$viewaccess = filter_isolated_view_access($view, $viewaccess);
}
$form['elements']['accesslist'] = array(
'type' => 'viewacl',
'allowcomments' => $allowcomments,
......
......@@ -142,12 +142,7 @@ if ($group && in_array($USER->get('id'), $admintutorids, true)) {
}
$viewaccess = $view->get_access('%s');
if (is_isolated() && !empty($viewaccess)) {
foreach ($viewaccess as $k => $access) {
if ($access['accesstype'] == 'loggedin') {
unset($viewaccess[$k]);
}
}
$viewaccess = array_values($viewaccess);
$viewaccess = filter_isolated_view_access($view, $viewaccess);
}
$form['elements']['accesslist'] = array(
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment