improve ACL on report creation + various UI improvements

- show button to update report only to users with correct permissions; - show new page only to users with correct permissions ; - rename scope => circle in column, + translations
2025-06-13 22:04:23 +00:00 · 2015-12-14 22:55:13 +01:00 · 2015-12-14 22:55:13 +01:00 · 2c89aa4812
commit 2c89aa4812
parent 119b3c0bc1
4 changed files with 41 additions and 10 deletions
--- a/Controller/ReportController.php
+++ b/Controller/ReportController.php
@ -70,6 +70,21 @@ class ReportController extends Controller
     */
    public function selectReportTypeAction($person_id, Request $request)
    {
+        $em = $this->getDoctrine()->getManager();
+        
+        $person = $em->getRepository('ChillPersonBundle:Person')
+                ->find($person_id);
+        
+        if ($person === NULL) {
+            throw $this->createNotFoundException('Person not found!');
+        }
+        
+        $this->denyAccessUnlessGranted('CHILL_PERSON_SEE', $person, 'access denied for person view');
+        // check access on report creation for a dummy report
+        $this->denyAccessUnlessGranted('CHILL_REPORT_CREATE', 
+                (new Report())->setPerson($person), 'access denied for report creation');
+        
+        
        $cFGroupId = $request->query->get('cFGroup');

        if($cFGroupId) {
@ -78,8 +93,6 @@ class ReportController extends Controller
                    array('person_id' => $person_id, 'cf_group_id' => $cFGroupId)));
        }

-        $em = $this->getDoctrine()->getManager();
-
        $cFGroups = $em->getRepository('ChillCustomFieldsBundle:CustomFieldsGroup')
            ->findByEntity('Chill\ReportBundle\Entity\Report');

@ -210,6 +223,9 @@ class ReportController extends Controller
        }
        
        $this->denyAccessUnlessGranted('CHILL_PERSON_SEE', $person);
+        // check access on report creation for a dummy report
+        $this->denyAccessUnlessGranted('CHILL_REPORT_CREATE', 
+                (new Report())->setPerson($person), 'access denied for report creation');
        
        if ($cFGroup === NULL){
            throw $this->createNotFoundException("custom fields group not found");
--- a/Resources/views/Report/list.html.twig
+++ b/Resources/views/Report/list.html.twig
@ -26,7 +26,7 @@
            <tr>
                <th class="chill-red">{{ 'Date' | trans }}</th>
                <th class="chill-green">{{ 'Report type' | trans }}</th>
-                <th class="chill-orange">{{ 'Report scope' | trans }}</th>
+                <th class="chill-orange">{{ 'Circle' | trans }}</th>
                <th></th>
                <th></th>
            </tr>
@ -37,8 +37,20 @@
                <td>{% if report.date %}{{ report.date|localizeddate('long', 'none') }}{% endif %}</td>
                <td>{{ report.cFGroup.getName(app.request.locale)  }}</td>
                <td>{{ report.scope.name|localize_translatable_string }}</td>
-                <td><a href="{{ path('report_view', { 'person_id': report.person.id, 'report_id': report.id }) }}" class="sc-button black">{{ 'View' | trans }}</a></td>
-                <td><a href="{{ path('report_edit', { 'person_id': report.person.id, 'report_id': report.id }) }}" class="sc-button bt-update">{{ 'Update' | trans }}</a></td>
+                <td>
+                    <ul class="record_actions">
+                        {% if is_granted('CHILL_REPORT_SEE', report) %}
+                        <li>
+                            <a href="{{ path('report_view', { 'person_id': report.person.id, 'report_id': report.id }) }}" class="sc-button black">{{ 'View the report' | trans | capitalize }}</a>
+                        </li>
+                        {% endif %}
+                        {% if is_granted('CHILL_REPORT_UPDATE', report) %}
+                            <li>
+                        <a href="{{ path('report_edit', { 'person_id': report.person.id, 'report_id': report.id }) }}" class="sc-button bt-update">{{ 'Update' | trans }}</a>
+                            </li>
+                        {% endif %}
+                    </ul>
+                </td>
            </tr>
        {% endfor %}
        </tbody>
--- a/Resources/views/Report/new.html.twig
+++ b/Resources/views/Report/new.html.twig
@ -23,7 +23,9 @@
 {% block personcontent %}
    {{ form_start(form) }}

-    {{ form_widget(form) }}
+    {{ form_row(form.user) }}
+    {{ form_row(form.date) }}
+    {{ form_row(form.scope) }}
        <div class="grid-12 centered sticky-form-buttons">
            <button class="sc-button green margin-10" type="submit"><i class="fa fa-save"></i> {{ 'Add report'|trans }}</button>
        </div>
--- a/Resources/views/Report/view.html.twig
+++ b/Resources/views/Report/view.html.twig
@ -27,8 +27,8 @@
    <dl>
        <dt>{{ 'Person'|trans }}&nbsp;:</dt>
        <dd>{{ entity.person }}</dd>
-        <dt>{{ 'Scope'|trans }}&nbsp;:</dt>
-        <dd><span class="scope">{{ entity.scope.name|localize_translatable_string }}</span></dd>
+        <dt>{{ 'Circle'|trans }}&nbsp;:</dt>
+        <dd><span class="scope circle">{{ entity.scope.name|localize_translatable_string }}</span></dd>
        <dt>{{ 'Date'|trans }}&nbsp;:</dt>
        <dd>{{ entity.date|localizeddate('long', 'none') }}</dd>
        <dt>{{ 'User'|trans }}&nbsp;:</dt>
@ -38,7 +38,8 @@

        {{ chill_custom_fields_group_widget(entity.cFData, entity.cFGroup) }}
    </dl>
-
+    
+    {% if is_granted('CHILL_REPORT_UPDATE', entity) %}
    <a class="sc-button bt-update" href="{{ path('report_edit', { 'person_id': entity.person.id, 'report_id': entity.id }) }}"><i class="fa fa-pencil"></i> {{ 'Update the report' | trans }}</a>
-
+    {% endif %}
 {% endblock %}