
Commit 9630a1b

authored
Merge pull request #555 from dbarzin/dev
Dev
2 parents 1132b93 + ca9560a commit 9630a1b

19 files changed

+943
-443
lines changed

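--- a/.env.example
+++ b/.env.example
@@ -56,7 +56,7 @@ LDAP_FALLBACK_LOCAL=true
 LDAP_AUTO_PROVISION=false
 
 # Config
-LDAP_LOGGING=true
+LDAP_LOGGING=false
 LDAP_CONNECTION=default
 LDAP_HOST=127.0.0.1
 LDAP_USERNAME="cn=admin,dc=example,dc=org"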

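--- a/app/Http/Controllers/ActionController.php
+++ b/app/Http/Controllers/ActionController.php
@@ -26,11 +26,7 @@ class ActionController extends Controller
 public function index(Request $request)
 {
 // Admin, user, auditor or auditee
-abort_if(
-! ((Auth::User()->role === 1) ||
-(Auth::User()->role === 2) ||
-(Auth::User()->role === 3) ||
-(Auth::User()->role === 5)),
+abort_if(Auth::User()->isAPI(),
 Response::HTTP_FORBIDDEN,
 '403 Forbidden'
 );
@@ -90,11 +86,33 @@ public function index(Request $request)
 $actions = $actions->where('actions.scope', $scope);
 }
 
-// filter on auditee controls
-if (Auth::User()->role === 5) {
-$actions = $actions
-->leftjoin('action_user', 'controls.id', '=', 'control_user.control_id')
-->where('action_user.user_id', '=', Auth::User()->id);
+// filter on auditee actions
+if (Auth::User()->isAuditee()) {
+$userId = Auth::id();
+$actions = $actions->where(function($query) use ($userId) {
+// Actions assignées directement à l'utilisateur
+$query->whereExists(function($q) use ($userId) {
+$q->select(DB::raw(1))
+->from('action_user')
+->whereColumn('action_user.action_id', 'actions.id')
+->where('action_user.user_id', $userId);
+})
+// OU actions liées à des contrôles assignés à l'utilisateur
+->orWhereExists(function($q) use ($userId) {
+$q->select(DB::raw(1))
+->from('control_user')
+->whereColumn('control_user.control_id', 'actions.control_id')
+->where('control_user.user_id', $userId);
+})
+// OU actions liées à des contrôles assignés via un groupe
+->orWhereExists(function($q) use ($userId) {
+$q->select(DB::raw(1))
+->from('control_user_group')
+->join('user_user_group', 'user_user_group.user_group_id', '=', 'control_user_group.user_group_id')
+->whereColumn('control_user_group.control_id', 'actions.control_id')
+->where('user_user_group.user_id', $userId);
+});
+});
 }
 
 // Query DB
@@ -128,7 +146,6 @@ public function index(Request $request)
 ->with('scopes', $scopes)
 ->with('actions', $actions);
 }
-
 /**
 * Save an action plan
 *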
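Review bot: The new guard in the first hunk turns the authorization check of `index()` from an allow-list (roles 1, 2, 3 and 5 were admitted, everything else refused) into a single deny of `isAPI()`, so any role value other than the API role — including one introduced later — is now admitted by default where the old check rejected it. If "every interactive role, only API tokens refused" is the intent, a comment saying so (`// Any interactive role may list actions; only API tokens are refused`) would make the widening deliberate; otherwise an allow-list helper on the User model next to `isAPI()`/`isAuditee()` would preserve the previous semantics. The French inline comments added in the second hunk (`// Actions assignées directement à l'utilisateur` and the two `// OU …` lines), like those in the DomainController and GlobalSearchController hunks of this commit, sit in files whose other comments are English; translating them (e.g. `// Actions assigned directly to the user`) would keep the codebase consistent. The body of `index()` continues outside both hunks.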

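--- a/app/Http/Controllers/ControlController.php
+++ b/app/Http/Controllers/ControlController.php
@@ -25,11 +25,7 @@ class ControlController extends Controller
 public function index(Request $request)
 {
 // Not for API
-abort_if(
-Auth::User()->role === 4,
-Response::HTTP_FORBIDDEN,
-'403 Forbidden'
-);
+abort_if(Auth::User()->isAPI(),Response::HTTP_FORBIDDEN, '403 Forbidden');
 
 // -----------------------------------------------------
 // Domain filter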
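Review bot: The collapsed `abort_if` on new line 28 is missing the space after its first comma; PSR-12 and the identical call in GlobalSearchController both want `abort_if(Auth::User()->isAPI(), Response::HTTP_FORBIDDEN, '403 Forbidden');`. The rest of `index()` lies outside the hunk.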

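--- a/app/Http/Controllers/DomainController.php
+++ b/app/Http/Controllers/DomainController.php
@@ -19,19 +19,58 @@ class DomainController extends Controller
 */
 public function index()
 {
-$domains = DB::table('domains')->orderBy('id')->get();
-
-$domains = DB::table('domains')
-->select('domains.id', 'domains.framework', 'domains.title', 'domains.description', DB::raw('COUNT(measures.id) AS measures'))
-->leftJoin('measures', 'measures.domain_id', '=', 'domains.id')
-->groupBy('domains.id')
-->orderBy('domains.title')
-->get();
+if (Auth::user()->isAuditee()) {
+$userId = Auth::id();
+
+// Pour les Auditees : récupérer uniquement les domaines avec mesures assignées
+$domains = DB::table('domains')
+->select(
+'domains.id',
+'domains.framework',
+'domains.title',
+'domains.description',
+DB::raw('(
+SELECT COUNT(DISTINCT m.id)
+FROM measures m
+WHERE m.domain_id = domains.id
+AND EXISTS (
+SELECT 1
+FROM control_measure cm
+WHERE cm.measure_id = m.id
+AND (
+EXISTS (
+SELECT 1
+FROM control_user cu
+WHERE cu.control_id = cm.control_id
+AND cu.user_id = ' . $userId . '
+)
+OR EXISTS (
+SELECT 1
+FROM control_user_group cug
+INNER JOIN user_user_group uug ON uug.user_group_id = cug.user_group_id
+WHERE cug.control_id = cm.control_id
+AND uug.user_id = ' . $userId . '
+)
+)
+)
+) AS measures')
+)
+->havingRaw('measures > 0')
+->orderBy('domains.title')
+->get();
+} else {
+// Pour les autres rôles : tous les domaines avec toutes les mesures
+$domains = DB::table('domains')
+->select('domains.id', 'domains.framework', 'domains.title', 'domains.description', DB::raw('COUNT(measures.id) AS measures'))
+->leftJoin('measures', 'measures.domain_id', '=', 'domains.id')
+->groupBy('domains.id', 'domains.framework', 'domains.title', 'domains.description')
+->orderBy('domains.title')
+->get();
+}
 
 return view('domains.index')
 ->with('domains', $domains);
 }
-
 /**
 * Show the form for creating a new resource.
 *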
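Review bot: The auditee branch concatenates `$userId` straight into the raw SQL (`AND cu.user_id = ' . $userId . '` and `AND uug.user_id = ' . $userId . '`) instead of binding it. `Auth::id()` comes from the session rather than from request input, so the value is not attacker-controlled here, but it introduces string-built SQL into a query builder that supports bindings, will be flagged by static analysis, and is the pattern a later copy with a request parameter would turn into an injection. Moving the expression to `selectRaw()` with `?` placeholders and `[$userId, $userId]` as bindings leaves the generated query the same and parameterised, as sketched below. Separately, `havingRaw('measures > 0')` filters on a select alias with no GROUP BY, which MySQL accepts but stricter engines may reject — worth a one-line comment if MySQL is the only supported backend — and `Auth::user()` here versus `Auth::User()` in the other controllers of this commit would be easier to grep with one casing.
```php
$domains = DB::table('domains')
    ->select('domains.id', 'domains.framework', 'domains.title', 'domains.description')
    ->selectRaw('(
        SELECT COUNT(DISTINCT m.id)
        FROM measures m
        WHERE m.domain_id = domains.id
        AND EXISTS (
            -- … unchanged: control_measure / control_user EXISTS …
                    AND cu.user_id = ?
            -- … unchanged: control_user_group / user_user_group EXISTS …
                    AND uug.user_id = ?
            -- … unchanged: closing parentheses …
        )
    ) AS measures', [$userId, $userId])
    ->havingRaw('measures > 0')
    // … unchanged: orderBy / get …
```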

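--- a/app/Http/Controllers/GlobalSearchController.php
+++ b/app/Http/Controllers/GlobalSearchController.php
@@ -18,7 +18,7 @@ class GlobalSearchController extends Controller
 public function search(Request $request)
 {
 // Not for API
-abort_if(Auth::User()->role === 4, Response::HTTP_FORBIDDEN, '403 Forbidden');
+abort_if(Auth::User()->isAPI(), Response::HTTP_FORBIDDEN, '403 Forbidden');
 
 $term = $request->input('search');
 if ($term === null) {
@@ -28,21 +28,34 @@ public function search(Request $request)
 $searchableData = [];
 
 foreach ($this->models as $model) {
-// user only search on controls
-if (
-(Auth::User()->role === 5) && ($model !== \App\Models\Control::class)
-) {
+// Auditee only search on controls
+if (Auth::User()->isAuditee() && $model !== \App\Models\Control::class) {
 continue;
 }
 
 $query = $model::query();
 $fields = $model::$searchable;
 
-// user only search on assigned controls
-if (Auth::User()->role === 5) {
-$query = $query
-->join('control_user', 'controls.id', '=', 'control_user.control_id')
-->where('control_user.user_id', '=', Auth::User()->id);
+// Auditee only search on assigned controls
+if (Auth::User()->isAuditee()) {
+$userId = Auth::id();
+$query = $query->where(function($q) use ($userId) {
+// Contrôles assignés directement à l'utilisateur
+$q->whereExists(function($subQ) use ($userId) {
+$subQ->selectRaw(1)
+->from('control_user')
+->whereColumn('control_user.control_id', 'controls.id')
+->where('control_user.user_id', $userId);
+})
+// OU contrôles assignés via un groupe d'utilisateurs
+->orWhereExists(function($subQ) use ($userId) {
+$subQ->selectRaw(1)
+->from('control_user_group')
+->join('user_user_group', 'user_user_group.user_group_id', '=', 'control_user_group.user_group_id')
+->whereColumn('control_user_group.control_id', 'controls.id')
+->where('user_user_group.user_id', $userId);
+});
+});
 }
 
 $query = $query->where(function ($subQuery) use ($fields, $term) {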
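Review bot: `Auth::User()->isAuditee()` is resolved twice per iteration of the `foreach ($this->models as $model)` loop (new lines 32 and 40) and `Auth::id()` once more inside it; reading the user once before the loop — `$user = Auth::User(); $isAuditee = $user->isAuditee(); $userId = $user->id;` — avoids repeating the guard lookup and reads more directly. The assigned-controls filter is anchored on `controls.id`, which is only correct because the `continue` above guarantees that the only model reaching it for an auditee is `Control`; a short comment there (`// Only Control reaches this point for auditees (see continue above), so controls.id is the right anchor`) would protect that coupling if the model list or the skip condition changes. The closures passed to `where`/`whereExists`/`orWhereExists` do not touch `$this`, so `static function ($q) use ($userId)` would make that explicit. `search()` continues outside the hunk.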
