[Statistics / Behavioural Statistics] Fix permission issue where users were allowed to see statistics from sites they don't have access to. #5252
…s were allowed to see statistics from sites they don't have access to.
@racostas Thanks for submitting this patch.
Co-Authored-By: PapillonMcGill <34311645+PapillonMcGill@users.noreply.github.com>
Co-Authored-By: John Saigle <4022790+johnsaigle@users.noreply.github.com>
Co-Authored-By: John Saigle <4022790+johnsaigle@users.noreply.github.com>
Co-Authored-By: John Saigle <4022790+johnsaigle@users.noreply.github.com>
Thanks @PapillonMcGill, @johnsaigle and @zaliqarosli !!
@racostas This isn't passing Travis due to some coding style issues. If you run
Co-Authored-By: Zaliqa <zaliqa.rosli@mcin.ca>
Co-Authored-By: Zaliqa <zaliqa.rosli@mcin.ca>
$DB =& \Database::singleton(); | ||
$factory = \NDB_Factory::singleton(); | ||
$DB = $factory->database(); | ||
$user = $factory->user(); |
$user = $factory->user(); | |
$user = $factory->user(); |
To pass coding style
|
||
if (!$user->hasPermission('access_all_profiles')) { | ||
$sitesString = implode(",", $user->getCenterIDs()); | ||
$query .= " AND CenterID IN (" . $sitesString . ")"; |
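Review bot: On the `$query .= " AND CenterID IN (" . $sitesString . ")";` line, a user whose `$user->getCenterIDs()` returns an empty array makes `implode` produce an empty string, so the clause becomes `AND CenterID IN ()`, which is not valid in standard SQL and fails on MySQL instead of returning no rows. Handle the empty case explicitly before appending the clause, and build the list from one bound placeholder per site ID (or at minimum cast each ID to an integer) rather than concatenating `$sitesString` into the query, so the access filter does not rely on `getCenterIDs()` always returning clean integers.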
$query .= " AND CenterID IN (" . $sitesString . ")"; | |
$query .= " AND CenterID IN (" . $sitesString . ")"; |
here too
looks good but will have to be tested
I have no strong feelings on what branch it should go to.
I think it should be properly tested and go to bugfix
…e statistics calculation
7d7d640
Description of the issue
A user with the role Data Entry was able to see statistics from sites it does not belong to/have access to.
For example, if there are two users and two sites:
user Site 1 is associated only with Site_1.
user Site 2 is associated only with Site_2.
(Both of them have the role Data Entry and nothing more in the permissions)
When going to MainMenu->Reports->Statistics->Behavioural Statistics
The user of Site 1 is able to see the statistics for Site 2 and vice versa
Testing instructions
Now each user should be able to see only the statistics for the sites it belongs to/has access to
Note:
This is a temp fix based on 21.0-released. A major refactor is still pending.
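
The two-user, two-site scenario from the description above, as an added example that is not code from this pull request or from the project: a site-scoped count built with PDO and one bound placeholder per site. The table `demo_sessions`, the helper `siteScopedCounts()` and the sample rows are constructed for illustration; only `CenterID` and the `access_all_profiles` permission name come from the page.

```php
<?php
// Added example, not project code. Table name, helper name and rows are
// constructed; CenterID and access_all_profiles are taken from the page.

/**
 * Count rows per site, restricted to the sites the caller may see.
 *
 * @param PDO   $db        Database handle
 * @param int[] $centerIDs Sites the user is associated with
 * @param bool  $allSites  True when the user holds access_all_profiles
 *
 * @return array<int,int> CenterID => row count
 */
function siteScopedCounts(PDO $db, array $centerIDs, bool $allSites): array
{
    $query  = "SELECT CenterID, COUNT(*) AS n FROM demo_sessions";
    $params = [];
    if (!$allSites) {
        if (count($centerIDs) === 0) {
            // No sites means nothing to show; this also avoids emitting
            // an empty, non-portable "IN ()" clause.
            return [];
        }
        // One placeholder per site; values are bound, never concatenated.
        $marks  = implode(",", array_fill(0, count($centerIDs), "?"));
        $query .= " WHERE CenterID IN ($marks)";
        $params = array_map('intval', array_values($centerIDs));
    }
    $stmt = $db->prepare($query . " GROUP BY CenterID ORDER BY CenterID");
    $stmt->execute($params);
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_KEY_PAIR));
}

// Constructed data: two rows for site 1, one row for site 2.
$db = new PDO("sqlite::memory:");
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE demo_sessions (ID INTEGER PRIMARY KEY, CenterID INTEGER)");
$db->exec("INSERT INTO demo_sessions (CenterID) VALUES (1), (1), (2)");

var_dump(siteScopedCounts($db, [1], false)); // user associated with site 1
var_dump(siteScopedCounts($db, [2], false)); // user associated with site 2
var_dump(siteScopedCounts($db, [], false));  // user with no sites
var_dump(siteScopedCounts($db, [], true));   // user with access_all_profiles
```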