
Changeset 2145649


Timestamp:
08/26/2019 12:08:01 PM (6 years ago)
Author:
Will Brownsberger
Message:

version 4.5 work in progress

Location:
wp-issues-crm/trunk
Files:
3 edited

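--- a/wp-issues-crm/trunk/php/admin/class-wic-admin-access.php
+++ b/wp-issues-crm/trunk/php/admin/class-wic-admin-access.php
@@ -9,22 +9,36 @@
 class WIC_Admin_Access {
     /*
-    *
-    * GET security is mediated by Wordpress and $nav_array in WIC_Admin_Navigation
-    *
-    * This module is for screening calls to the authorized ajax endpoints (all of which go to entity classes) and the uploads and downloads
-    *
-    * If ajax_class_method_to_auth_required[class] is not array, string value is auth_required and applies to all methods within class
+    * This module checks capability levels of the current user's role, as defined in >Config>Security setting, against an array of required capability levels for particular class/modules.
+    *
+    * In addition, if the capability level is check_record, then the module tests whether the particular record is assigned to the current_user or current_user_can (view_edit_unassigned)
+    *
+    * Records are assigned in the case management field group for issues and constituents or from the inbox for messages.
+    *
+    * GET security is mediated by Wordpress and $nav_array in WIC_Admin_Navigation, but this module is also called on GETS to verify record level access rules
+    *
+    * This module is primarily for authorizing calls to wpIssuesCRM ajax endpoints (both of which route only to classes in /php/entity) and the 3 upload and 2 download functions
+    *
+    * If ajax_class_method_to_auth_required[class] is not an array, string value is the capability level and applies to all methods within that class
+    *    where ajax_class_method_to_auth_required[class] is an array, the capability level is method specific
     *
     * check_record means function is accessible to any with wp_issues_crm_access, but must check specific record
     *
-    * return true or false -- calling navigation method must die on false
-    *
+    * function returns true or false -- calling navigation method must die on false
+    *
+    * check_security is a public function, but is called only from WIC_Admin_Access (9 methods)
+    *
+    * check_required_capability is called from a few other modules to make UI changes consistent with the user's capability level.  The users capabilities as to view_edit_unassigned and email are also
+    *    used for UI changes on the client side
+    *
+    * the list_send capability is not enforced by this module but in email_send/search_link
+    *
+    * email batch cron and geocode are secured by cron keys
     */
     public static function check_security ( $entity, $action, $id, $data, $nonce = true ) {
         /*
         *
-        * exclusive list of allowed ajax calls and their required capabilities
-        * also applied to get calls to do check_record level of security
-        *
+        * EXCLUSIVE list of allowed GETS and ajax calls and their required capabilities
+        *   also applied to get calls to do check_record level of security
+        *   any GET or ajax requests not in this list will be rejected (return false from this method and die in calling method)
         */
    
@@ -39,10 +53,10 @@
             // 'address_usps'                   not taking ajax calls,
             'advanced_search'                   => 'view_edit_unassigned',
-            'advanced_search_activity'          => 'view_edit_unassigned',
-            'advanced_search_constituent'       => 'view_edit_unassigned',
-            'advanced_search_constituent_having'=> 'view_edit_unassigned',
-            'advanced_search_row'               => 'view_edit_unassigned',
+            //'advanced_search_activity'        not taking ajax calls,
+            //'advanced_search_constituent'     not taking ajax calls,
+            //'advanced_search_constituent_having'=> not taking ajax calls,
+            //'advanced_search_row'             not taking ajax calls,
             'autocomplete'                      => '',
-            'comment'                           => '',
+            'comment'                           => 'edit_theme_options',
             'constituent' => array (
                 'new_blank_form'                => '',
@@ -52,23 +66,36 @@
                 'form_save_update'              => 'check_record'
             ),
-            'dashboard'                         => '',
+            'dashboard' => array(
+                'dashboard'                     => '',
+                'dashboard_overview'            => '',
+                'dashboard_mycases'             => '',
+                'dashboard_myissues'            => '',
+                'dashboard_recent'              => '',
+                'save_dashboard_preferences'    => '',
+                'dashboard_issues'              => 'view_edit_unassigned',
+                'dashboard_cases'               => 'view_edit_unassigned',
+                'dashboard_activity'            => 'view_edit_unassigned',
+                'dashboard_activity_type'       => 'view_edit_unassigned',
+                'dashboard_searches'            => 'view_edit_unassigned',
+                'dashboard_uploads'             => 'view_edit_unassigned',
+            ),
             'data_dictionary'                   => 'edit_theme_options',
             'download'                          => 'downloads', // not really an ajax call -- allows this function to be used by do_download (note the 's')
-            // 'email'                          not taking ajax calls ( email address on constituent record )
-            'email_account'                     => 'edit_theme_options',
+            // 'email'                          not taking ajax calls ( email address on constituent record, called within constituent function )
+            'email_account'                     => 'email',
             'email_activesync'                  => 'email',
-            'email_activesync_parse'            => 'email',
-            'email_activesync_synch'            => 'email',
+            //'email_activesync_parse'          => not taking ajax calls,
+            //'email_activesync_synch'          => not taking ajax calls,
             'email_attachment'                  => 'email',
             'email_block'                       => 'email',
             'email_compose'                     => 'email',
             'email_connect'                     => 'email',
-            'email_cron'                        => 'edit_theme_options',
+            // 'email_cron'                     secured with cron key
             'email_deliver'                     => 'email',
-            'email_deliver_activesync'          => 'email',
+            //'email_deliver_activesync'        not taking ajax calls,
             'email_inbox' => array (
                 'new_blank_form'                => '',
-                'get_issue_options'             => '',
-                'get_inbox_options'             => '',
+                //'get_issue_options'           //not taking ajax calls
+                //'get_inbox_options'           //not taking ajax calls
                 'load_inbox'                    => '', // check required capability within function to scope what shown
                 'load_sent'                     => 'view_edit_unassigned',
@@ -80,6 +107,6 @@
             'email_inbox_parse'                 => 'email',
             'email_inbox_synch'                 => 'email',
-            'email_md5'                         => 'email',
-            'email_message' => array (                  // not that list_send capability is checked within the send function
+            // 'email_md5'                      not taking ajax calls,
+            'email_message' => array (         
                 'load_message_detail'           => 'check_record',
                 'load_full_message'             => 'check_record',
@@ -94,22 +121,26 @@
             ), 
             'email_oauth'                       => '', // not adding beyond general access requirement and gmail acc
-            'email_oauth_synch'                 => 'email',
-            'email_oauth_update'                => 'email',
+            //'email_oauth_synch'               not taking ajax calls,
+            //'email_oauth_update'              not taking ajax calls,
             'email_process'                     => 'email',
-            'email_send'                        => 'email',
+            'email_send'                        => 'email', // note: that list_send capability is checked within the send function
             'email_settings'                    => 'email',
-            'email_subject'                     => 'email',
+            'email_subject' => array(
+                'show_subject_list'             => 'email',
+                'delete_subject_from_list'      => 'email',
+                'manual_add_subject'            => 'email',
+            ),
             'email_uid_reservation'             => 'email',
             'email_unprocess'                   => 'email',
             'external'                          => 'edit_theme_options',
-            'external_field'                    => 'edit_theme_options',
-            'geocode'                           => 'view_edit_unassigned',
+            // 'external_field'                 not taking ajax calls
+            'geocode'                           => 'view_edit_unassigned', // also accessed with cron key
             'issue'                             => 'check_record',
             // 'issue_open_metabox'             not taking ajax calls
-            'list'                              => '', //  no functions
+            // 'list'                           not taking ajax calls
             'manage_storage'                    => 'edit_theme_options',
-            'multivalue'                        => '', // pass through
+            // 'multivalue'                     not taking ajax calls
             'option_group'                      => 'edit_theme_options',
-            'option_value'                      => 'edit_theme_options',
+            // 'option_value'                   not taking ajax calls
             'owner'                             => 'create_sites',
             //'parent'                          not taking ajax calls
@@ -211,5 +242,5 @@
             }
         }       
-        return true;  // return of requesting page matters for history pushes in ajax_form
+        return true; 
        
     }
@@ -311,5 +342,5 @@
                 return $this->can_user_access_this_folder_message ( $data->folder, $id );
             case 'load_full_message': // from activity records
-                return $this-> can_user_access_this_page_message( $id, $data ); // $data is page
+                return $this-> can_user_access_this_page_message( $id, $data ); // $data is page as 0/1 or 'done'/'sent'
             case 'quick_update_inbox_defined_item': // from inbox reply
                 return $this->can_user_access_this_folder_message ( $data->folder, $id );
@@ -335,7 +366,7 @@
     private static function can_user_access_this_page_message( $message_id, $message_in_outbox ) {
    
-        // translate 'page' to binary message in outbox
+        // translate 'page' to binary message in outbox if necessary
         if ( 0 != $message_in_outbox && 1 != $message_in_outbox ) {
-            $message_in_outbox = $message_in_outbox == 'done' ? 0 : 1;
+            $message_in_outbox = 'done' == $message_in_outbox ? 0 : 1;
         }
    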
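Review bot: The guard `if ( 0 != $message_in_outbox && 1 != $message_in_outbox )` in can_user_access_this_page_message still relies on loose comparison, so on PHP 7.x a non-numeric string such as 'done' or 'sent' is coerced to 0, `0 != 'done'` is false, the translation on the next line is skipped, and the raw string is carried into the record-level access check that follows; only on PHP 8 does `0 != 'done'` hold. Since the caller now documents `// $data is page as 0/1 or 'done'/'sent'`, the normalization should not depend on integer coercion, e.g. `if ( ! in_array( $message_in_outbox, array( 0, 1, '0', '1' ), true ) ) {` followed by `$message_in_outbox = ( 'done' === $message_in_outbox ) ? 0 : 1;`. The body of can_user_access_this_page_message continues past the end of the hunk, so the downstream comparison against the outbox flag is not visible here and should be checked for the same loose-comparison pattern. Flipping to Yoda order on the inner line does not change the semantics, so the commit does not address this.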
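--- a/wp-issues-crm/trunk/php/entity/class-wic-entity-dashboard.php
+++ b/wp-issues-crm/trunk/php/entity/class-wic-entity-dashboard.php
@@ -48,4 +48,5 @@
                 'dashboard_myissues'        => 'Assigned Issues',
                 'dashboard_mycases'         => 'Assigned Cases',
+                'dashboard_recent'          => 'Recently Updated',
             );
         }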
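--- a/wp-issues-crm/trunk/readme.txt
+++ b/wp-issues-crm/trunk/readme.txt
@@ -108,4 +108,13 @@
 
 == Changelog ==
+= 4.5.0.1 =
+* New features to support office division of labor between drafters and approvers of email
+* Add new dashboard work flow status widget
+* Automatically save draft replies, constituent assignments and issue assignments in inbox
+* Add new approval button and tabs ("Assigned and Ready")
+* Add new level of security segmentation by assignment of case/constituent, issue or email to users
+* Redefine email capability so that those without it can access emails assigned to them -- inbox tabs and ui powers limited
+* Rewrite security logic for clarity and to prevent cross-user violations of new rules
+* NOTE: Non-administrators may need to have the capability to view unassigned records to their role in Configure > security
 = 4.4.1.4 =
 * Additional table locking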