fix(formanswer): more permissive READ access to formanswers

btry · btry · commit e4d4c24c8729 · 2019-08-22T10:38:27.000+02:00
if a user is no longer a validator of a formanswer but was choosen as a validator, READ ccess should be still granted

Signed-off-by: Thierry Bugier &lt;tbugier@teclib.com&gt;
diff --git a/inc/formanswer.class.php b/inc/formanswer.class.php
@@ -76,7 +76,17 @@ public function canViewItem() {
          return true;
       }
 
-      if ($_SESSION['glpiID'] == $this->getField('requester_id')) {
+      if ($_SESSION['glpiID'] == $this->fields['requester_id']) {
+         return true;
+      }
+
+      if ($_SESSION['glpiID'] == $this->fields['users_id_validator']) {
+         return true;
+      }
+
+      $groupUser = new Group_User();
+      $groups = $groupUser->getUserGroups($_SESSION['glpiID']);
+      if (in_array($this->fields['users_id_validator'], $groups)) {
          return true;
       }
 
@@ -105,12 +115,8 @@ public function canViewItem() {
                return true;
             }
          } else {
-            $groupUser = new Group_User();
-            $groups = $groupUser->getUserGroups($_SESSION['glpiID']);
-            foreach ($groups as $group) {
-               if ($row['items_id'] == $group['id']) {
-                  return true;
-               }
+            if (in_array($row['items_id'], $groups)) {
+               return true;
             }
          }
       }

Original file line number	Diff line number	Diff line change
`@@ -76,7 +76,17 @@ public function canViewItem() {`
`76`	`76`	`return true;`
`77`	`77`	`}`
`78`	`78`
`79`		`- if ($_SESSION['glpiID'] == $this->getField('requester_id')) {`
	`79`	`+ if ($_SESSION['glpiID'] == $this->fields['requester_id']) {`
	`80`	`+ return true;`
	`81`	`+ }`
	`82`	`+`
	`83`	`+ if ($_SESSION['glpiID'] == $this->fields['users_id_validator']) {`
	`84`	`+ return true;`
	`85`	`+ }`
	`86`	`+`
	`87`	`+ $groupUser = new Group_User();`
	`88`	`+ $groups = $groupUser->getUserGroups($_SESSION['glpiID']);`
	`89`	`+ if (in_array($this->fields['users_id_validator'], $groups)) {`
`80`	`90`	`return true;`
`81`	`91`	`}`
`82`	`92`
`@@ -105,12 +115,8 @@ public function canViewItem() {`
`105`	`115`	`return true;`
`106`	`116`	`}`
`107`	`117`	`} else {`
`108`		`- $groupUser = new Group_User();`
`109`		`- $groups = $groupUser->getUserGroups($_SESSION['glpiID']);`
`110`		`- foreach ($groups as $group) {`
`111`		`- if ($row['items_id'] == $group['id']) {`
`112`		`- return true;`
`113`		`- }`
	`118`	`+ if (in_array($row['items_id'], $groups)) {`
	`119`	`+ return true;`
`114`	`120`	`}`
`115`	`121`	`}`
`116`	`122`	`}`