Finesse effective permissions

This commit is contained in:
snipe
2025-11-11 18:26:02 +00:00
parent 3aa046bfa7
commit 33e72f6183
15 changed files with 129 additions and 39 deletions
+32 -3
View File
@@ -256,7 +256,10 @@ class User extends SnipeModel implements AuthenticatableContract, AuthorizableCo
protected function checkPermissionSection($section)
{
$user_groups = $this->groups;
if (($this->permissions == '') && (count($user_groups) == 0)) {
// The user has no permissions and is not in any groups
if ((($this->permissions == '') || ($this->permissions == 'null')) && (count($user_groups) == 0)) {
return false;
}
@@ -271,13 +274,17 @@ class User extends SnipeModel implements AuthenticatableContract, AuthorizableCo
}
$is_user_section_permissions_set = ($user_permissions != '') && array_key_exists($section, $user_permissions);
//If the user is explicitly granted, return true
$is_user_section_permissions_set = array_key_exists($section, $user_permissions);
// If the user is explicitly granted, return true
if ($is_user_section_permissions_set && ($user_permissions[$section] == '1')) {
\Log::debug('user '.$this->id.' is granted '.$section.' permission on the user model');
return true;
}
// If the user is explicitly denied, return false
if ($is_user_section_permissions_set && ($user_permissions[$section] == '-1')) {
\Log::debug('user '.$this->id.' is denied '.$section.' permission on the user model');
return false;
}
@@ -285,6 +292,7 @@ class User extends SnipeModel implements AuthenticatableContract, AuthorizableCo
foreach ($user_groups as $user_group) {
$group_permissions = (array) json_decode($user_group->permissions, true);
if (((array_key_exists($section, $group_permissions)) && ($group_permissions[$section] == '1'))) {
\Log::debug('user '.$this->id.' is granted '.$section.' permission via group membership');
return true;
}
}
@@ -292,6 +300,23 @@ class User extends SnipeModel implements AuthenticatableContract, AuthorizableCo
return false;
}
// This gets the permissions including group associations
public function getEffectivePermissions() : array{
$effective_permissions_array = [];
foreach (config('permissions') as $section => $section_permissions) {
for ($x = 0; $x < count($section_permissions); $x++) {
$permission_from_config = $section_permissions[$x]['permission'];
$effective_permissions_array[$permission_from_config] = $this->hasAccess($permission_from_config) ? 1 : 0;
}
}
return $effective_permissions_array;
}
/**
* Check user permissions
*
@@ -308,6 +333,10 @@ class User extends SnipeModel implements AuthenticatableContract, AuthorizableCo
return true;
}
if (($section!='superuser') && ($this->isAdmin())) {
return true;
}
return $this->checkPermissionSection($section);
}