Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Statistics / Behavioural Statistics] Fix permission issue where users were allowed to see statistics from sites they don't have access to. #5252

Merged
merged 10 commits into from
Jan 14, 2020

Conversation

racostas
Copy link
Contributor

Description of the issue

A user with role Data Entry was able to see statistics from sites it does not belong/have access

For example if there are two users and two sites:

user Site 1 is associate only to Site_1.
user Site 2 is associate only to Site_2.

(Both of them have the role Data Entry and nothing more in the permissions)
When going to MainMenu->Reports->Statistics->Behavioural Statistics

The user of Site 1 is able to see the statistics for Site 2 and vice versa

oneSiteAffilationMultipleSiteReport

Testing instructions

Now each user should be able to see only the statistics for the sites it belong/have access

oneSiteAffilationOneSiteReport

Note:

This is a temp fix based on 21.0-released. A major refractory still pending.

lorisadmin added 2 commits September 27, 2019 15:25
…s were allowed to see statistics from sites they don't have access to.
PapillonMcGill
PapillonMcGill previously approved these changes Sep 30, 2019
modules/statistics/php/stats_behavioural.class.inc Outdated Show resolved Hide resolved
@PapillonMcGill
Copy link
Contributor

@racostas Thanks for submitting this patch.

@johnsaigle
Copy link
Contributor

This appears to fix #5086 and #2772. Nice!

Co-Authored-By: PapillonMcGill <34311645+PapillonMcGill@users.noreply.github.com>
racostas and others added 3 commits September 30, 2019 13:51
Co-Authored-By: John Saigle <4022790+johnsaigle@users.noreply.github.com>
Co-Authored-By: John Saigle <4022790+johnsaigle@users.noreply.github.com>
Co-Authored-By: John Saigle <4022790+johnsaigle@users.noreply.github.com>
@racostas
Copy link
Contributor Author

Thanks @PapillonMcGill, @johnsaigle and @zaliqarosli !!

@johnsaigle
Copy link
Contributor

@racostas This isn't passing Travis due to some coding style issues.

If you run make checkstatic locally, it should display the issues you need to fix.

@johnsaigle johnsaigle added Category: Bug PR or issue that aims to report or fix a bug Category: Security PR or issue that aims to improve security labels Sep 30, 2019
racostas and others added 2 commits October 1, 2019 09:13
Co-Authored-By: Zaliqa <zaliqa.rosli@mcin.ca>
Co-Authored-By: Zaliqa <zaliqa.rosli@mcin.ca>
$DB =& \Database::singleton();
$factory = \NDB_Factory::singleton();
$DB = $factory->database();
$user = $factory->user();
Copy link
Contributor

@PapillonMcGill PapillonMcGill Oct 1, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
$user = $factory->user();
$user = $factory->user();

To pass coding style


if (!$user->hasPermission('access_all_profiles')) {
$sitesString = implode(",", $user->getCenterIDs());
$query .= " AND CenterID IN (" . $sitesString . ")";
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
$query .= " AND CenterID IN (" . $sitesString . ")";
$query .= " AND CenterID IN (" . $sitesString . ")";

here too

PapillonMcGill
PapillonMcGill previously approved these changes Oct 1, 2019
@johnsaigle johnsaigle requested a review from zaliqarosli October 1, 2019 16:45
zaliqarosli
zaliqarosli previously approved these changes Oct 1, 2019
Copy link
Contributor

@zaliqarosli zaliqarosli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good but will have to be tested

@johnsaigle
Copy link
Contributor

@ridz1208 @driusan Should this go into the bugfix release?

@driusan
Copy link
Collaborator

driusan commented Oct 9, 2019

I have no strong feelings on what branch it should go to.

@ridz1208
Copy link
Collaborator

ridz1208 commented Oct 9, 2019

I think it should be properly tested and go to bugfix

@racostas racostas dismissed stale reviews from zaliqarosli and PapillonMcGill via 7d7d640 October 9, 2019 21:53
@ridz1208 ridz1208 added the State: Needs rebase PR that needs to be rebased to proceed (conflicts, wrong branch...) label Nov 6, 2019
@ridz1208 ridz1208 changed the base branch from minor to master December 13, 2019 19:21
@racostas racostas changed the base branch from master to 22.0-release January 6, 2020 15:58
@driusan driusan merged commit 5c982d4 into aces:22.0-release Jan 14, 2020
@ridz1208 ridz1208 added this to the 22.0.1 milestone Jan 15, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Category: Bug PR or issue that aims to report or fix a bug Category: Security PR or issue that aims to improve security State: Needs rebase PR that needs to be rebased to proceed (conflicts, wrong branch...)
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants