
Computation of user rights: deny on a parent class must give DENY even if the class is explicitly ALLOW on the same profile (that was already working if the rules are given on several profiles). Note that this has a cost when building the grant matrix!

git-svn-id: http://svn.code.sf.net/p/itop/code/trunk@3365 a333f486-631f-4898-b8df-5754b55c2be0
romainq 10 years ago
parent
commit
6dd1c84614
1 changed files with 52 additions and 36 deletions
  1. 52 36
      setup/compiler.class.inc.php

+ 52 - 36
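--- a/setup/compiler.class.inc.php
+++ b/setup/compiler.class.inc.php
@@ -1650,15 +1650,16 @@ class ProfilesConfig
 
 	public static function GetProfileActionGrant(\$iProfileId, \$sClass, \$sAction)
 	{
-		// Search for a grant, starting from the most explicit declaration,
-		// then searching for less and less explicit declaration
+		// Search for a grant, stoping if any deny is encountered (allowance implies the verification of all paths)
+		\$bAllow = null;
 
 		// 1 - The class itself
 		// 
 		\$sGrantKey = \$iProfileId.'_'.\$sClass.'_'.\$sAction;
 		if (isset(self::\$aGRANTS[\$sGrantKey]))
 		{
-			return self::\$aGRANTS[\$sGrantKey];
+			\$bAllow = self::\$aGRANTS[\$sGrantKey];
+			if (!\$bAllow) return false;
 		}
 
 		// 2 - The parent classes, up to the root class
@@ -1668,12 +1669,58 @@ class ProfilesConfig
 			\$sGrantKey = \$iProfileId.'_'.\$sParent.'+_'.\$sAction;
 			if (isset(self::\$aGRANTS[\$sGrantKey]))
 			{
-				return self::\$aGRANTS[\$sGrantKey];
+				\$bAllow = self::\$aGRANTS[\$sGrantKey];
+				if (!\$bAllow) return false;
 			}
 		}
 
-		// 3 - The related classes (if the current is an N-N link with AUTO_DEL)
+		// 3 - The related classes (if the current is an N-N link with DEL_AUTO/DEL_SILENT)
 		//
+		\$bGrant = self::GetLinkActionGrant(\$iProfileId, \$sClass, \$sAction);
+		if (!is_null(\$bGrant))
+		{
+			\$bAllow = \$bGrant;
+			if (!\$bAllow) return false;
+		}
+
+		// 4 - All
+		// 
+		\$sGrantKey = \$iProfileId.'_*_'.\$sAction;
+		if (isset(self::\$aGRANTS[\$sGrantKey]))
+		{
+			\$bAllow = self::\$aGRANTS[\$sGrantKey];
+			if (!\$bAllow) return false;
+		}
+
+		// null or true
+		return \$bAllow;
+	}	
+
+	public static function GetProfileStimulusGrant(\$iProfileId, \$sClass, \$sStimulus)
+	{
+		\$sGrantKey = \$iProfileId.'_'.\$sClass.'_s_'.\$sStimulus;
+		if (isset(self::\$aGRANTS[\$sGrantKey]))
+		{
+			return self::\$aGRANTS[\$sGrantKey];
+		}
+		\$sGrantKey = \$iProfileId.'_*_s_'.\$sStimulus;
+		if (isset(self::\$aGRANTS[\$sGrantKey]))
+		{
+			return self::\$aGRANTS[\$sGrantKey];
+		}
+		return null;
+	}
+
+	// returns an array of id => array of column => php value(so-called "real value")
+	public static function GetProfilesValues()
+	{
+		return self::\$aPROFILES;
+	}
+
+	// Propagate the rights on classes onto the links themselves (the external keys must have DEL_AUTO or DEL_SILENT
+	//
+	protected static function GetLinkActionGrant(\$iProfileId, \$sClass, \$sAction)
+	{
 		if (array_key_exists(\$sClass, self::\$aLINKTOCLASSES))
 		{
 			// Get the grant for the remote classes. The resulting grant is:
@@ -1714,38 +1761,7 @@ class ProfilesConfig
 				return false;
 			}
 		}
-
-		// 4 - All
-		// 
-		\$sGrantKey = \$iProfileId.'_*_'.\$sAction;
-		if (isset(self::\$aGRANTS[\$sGrantKey]))
-		{
-			return self::\$aGRANTS[\$sGrantKey];
-		}
-
-		// Still undefined for this class
 		return null;
-	}	
-
-	public static function GetProfileStimulusGrant(\$iProfileId, \$sClass, \$sStimulus)
-	{
-		\$sGrantKey = \$iProfileId.'_'.\$sClass.'_s_'.\$sStimulus;
-		if (isset(self::\$aGRANTS[\$sGrantKey]))
-		{
-			return self::\$aGRANTS[\$sGrantKey];
-		}
-		\$sGrantKey = \$iProfileId.'_*_s_'.\$sStimulus;
-		if (isset(self::\$aGRANTS[\$sGrantKey]))
-		{
-			return self::\$aGRANTS[\$sGrantKey];
-		}
-		return null;
-	}
-
-	// returns an array of id => array of column => php value(so-called "real value")
-	public static function GetProfilesValues()
-	{
-		return self::\$aPROFILES;
 	}
 }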
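Review bot: In the rewritten GetProfileActionGrant, steps 3 and 4 now veto as well: a `false` from GetLinkActionGrant or from the `*` key returns DENY even when the class itself carries an explicit ALLOW, which is broader than the parent-class case the commit message describes. Before this change an explicit grant on the class returned immediately, so a profile that pairs a catch-all deny with per-class allows would, as far as these lines show, lose those allows. If that is intended, say so above the function, e.g. `// Deny wins: a false at class, parent ('+'), link or '*' level returns false; true only if some level allows and none denies; null if nothing is declared`. GetProfileStimulusGrant is carried over unchanged and still returns the first match (class key, then `*`), so actions and stimuli now resolve conflicting rules differently; a one-line comment there, or aligning it, would avoid surprises. The `if (!\$bAllow) return false;` checks also rely on loose truthiness; `=== false` would be exact, provided aGRANTS holds only booleans (not visible here).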