- Fixed permissions

intranet-riskmanagement.info

@@ -7,7 +7,7 @@
     <initial-install-p>f</initial-install-p>
     <singleton-p>t</singleton-p>
     <auto-mount>intranet-riskmanagement</auto-mount>
-    <version name="5.0.2.4.0" url="http://www.project-open.net/download/apm/intranet-riskmanagement-5.0.2.4.0.apm">
+    <version name="5.0.2.4.1" url="http://www.project-open.net/download/apm/intranet-riskmanagement-5.0.2.4.1.apm">
         <owner url="mailto:frank.bergmann@project-open.com">Frank Bergmann</owner>
         <owner url="mailto:mai-bee@gmx.net">Alwin Egger</owner>
         <vendor url="http://www.project-open.com/">]project-open[</vendor>
@@ -20,7 +20,7 @@
         <callbacks>
         </callbacks>
         <parameters>
-        <!-- No version parameters -->
+            <parameter scope="instance" datatype="string"  min_n_values="1"  max_n_values="1"  name="RiskPermissionFunction" default="" description="Custom version of permissions for risks? Default is the empty string for using the default function."/>
         </parameters>
 
     </version>

tcl/intranet-riskmanagement-procs.tcl

@@ -59,6 +59,11 @@ ad_proc -public im_risk_permissions {user_id risk_id view_var read_var write_var
     upvar $write_var write
     upvar $admin_var admin
 
+    set perm_proc [parameter::get_from_package_key -package_key "intranet-riskmanagement" -parameter "RiskPermissionFunction" -default ""]
+    if {"" ne $perm_proc} {
+	return [$perm_proc $user_id risk_id view read write admin]
+    }
+
     # set user_is_admin_p [im_is_user_site_wide_or_intranet_admin $user_id]
     set risk_project_id [util_memoize [list db_string risk_project "select risk_project_id from im_risks where risk_id = $risk_id" -default ""]]
 

www/new.tcl

@@ -83,14 +83,23 @@ set focus "risk.var_name"
 if {"" == $return_url} { set return_url [im_url_with_query] }
 
 if {[info exists risk_id] && "" == $risk_id} { unset risk_id }
-
-set view_risks_all_p [im_permission $current_user_id "view_risks_all"]
 set copy_from_risk_name ""
 
 # No support for workflow at the moment
 set edit_risk_status_p 1
 
 
+# Permissions
+if {[info exists risk_id]} {
+    im_risk_permissions $user_id $risk_id view_p read_p write_p admin_p
+    if {!$read_p} { ad_return_complaint 1 "You don't have permissions to see this risk #$risk_id" }
+} else {
+    im_project_permissions $user_id $risk_project_id view_p read_p write_p admin_p
+    if {!$write_p} { ad_return_complaint 1 "You don't have permissions to add a new risk to project #$risk_project_id" }
+}
+
+
+
 # ----------------------------------------------
 # Page Title
 
@@ -138,7 +147,6 @@ if {([info exists risk_id] && $risk_id ne "")} {
 
 }
 
-
 # ---------------------------------------------
 # The base form. Define this early so we can extract the form status
 # ---------------------------------------------

www/view.tcl

-# /www/admin/categories/one.tcl
-#
-# Copyright (C) 2004 various parties
-# The code is based on ArsDigita ACS 3.4
-#
-# This program is free software. You can redistribute it
-# and/or modify it under the terms of the GNU General
-# Public License as published by the Free Software Foundation;
-# either version 2 of the License, or (at your option)
-# any later version. This program is distributed in the
-# hope that it will be useful, but WITHOUT ANY WARRANTY;
-# without even the implied warranty of MERCHANTABILITY or
-# FITNESS FOR A PARTICULAR PURPOSE.
-# See the GNU General Public License for more details.
-
-ad_page_contract {
-    Displays and edits a risk.
-    @param risk_id which component should be modified
-    @param curr_project_id only used on creation of new risk
-
-    @author mai-bee@gmx.net
-} {
-    { risk_id:integer 0 }
-    { curr_project_id:integer 0 }
-    { return_url "" }
-}
-
-set user_id [auth::require_login]
-set page_title "View Risk"
-set context_bar [im_context_bar $page_title]
-
-# ---------------------------------------------------------------
-# Permission
-# ---------------------------------------------------------------
-
-if {![im_permission $user_id "view_risks"]} {
-    ad_return_complaint "Insufficient Privileges" "
-    <li>You don't have sufficient privileges to see risks."
-}
-
-# ---------------------------------------------------------------
-# Get Risk Data
-# ---------------------------------------------------------------
-
-if {[info exists risk_id] && $risk_id ne "" && $risk_id > 0} {
-    if { ![db_0or1row risk_data "select r.*, im_name_from_user_id(owner_id) as owner_name from im_risks r where r.risk_id = :risk_id" ] } {
-	ad_return_complaint "Bad Risk" "<li>We couldn't find the risk \#$risk_id; Hmm... there must be something wrong with our page!"
-	return
-    }
-    
-    db_1row pro_name "select project_name from im_projects where project_id = :project_id"
-    set page_title "Edit Risk"
-    set context_bar [im_context_bar $page_title]
-
-} elseif { [info exists curr_project_id] && $curr_project_id ne "" && $curr_project_id > 0 } {
-    # create a new risk
-    set owner_id $user_id
-    set project_id $curr_project_id
-    db_1row pro_name "select project_name from im_projects where project_id = :project_id"
-    db_1row user_name_date "select im_name_from_user_id(:user_id) as owner_name from dual"
-    set risk_id 0
-    set probability "0.00"
-    set impact "0"
-    set title ""
-    set description ""
-    set type 5100
-
-    set page_title "New Risk"
-    set context_bar [im_context_bar $page_title]
-} else {
-     ad_return_complaint "Missing Parameters" "<li>To crate a new risk, at least the project ID must be specified (curr_project_id)!"
-}
-
-# ---------------------------------------------------------------
-# Format Risk Data
-# ---------------------------------------------------------------
-
-set html_hidden_info [export_vars -form {owner_id risk_id project_id return_url}]
-
-set page_body "
-<form action=\"new-2.tcl\" method=GET>
-$html_hidden_info
-<TABLE border=0>
-  <TBODY>
-  <TR>
-    <TD class=rowtitle align=middle colSpan=2>Risk</TD></TR>
-  <TR class=rowodd>
-    <TD>User</TD>
-    <TD><a href=\"/intranet/users/[export_vars -base view {owner_id}]\">$owner_name</a></TD></TR>
-  <TR class=roweven>
-    <TD>Project</TD>
-    <TD><a href=\"/intranet/projects/[export_vars -base view {project_id}]\">$project_name</a></TD></TR>
-  <TR class=rowodd>
-    <TD>Title</TD>
-    <TD><input name=\"title\" type=\"text\" size=\"50\" value=$title></TD></TR>
-  <TR class=rowodd>
-    <TD>Probability</TD>
-    <TD><input name=\"probability\" type=\"text\" size=\"30\" value=$probability>%</TD></TR>
-  <TR class=roweven>
-    <TD>Impact</TD>
-    <TD><input name=\"impact\" type=\"text\" size=\"30\" value=$impact></TD></TR>
-  <TR class=rowodd>
-    <TD>Description</TD>
-    <TD><textarea name=\"description\" cols=\"50\" rows=\"5\">$description</textarea></TD></TR>
-  <TR class=rowodd>
-    <TD>Risk Type</TD>
-    <TD>[im_category_select "Intranet Risk Type" type $type]</TD></TR>
-</TBODY></TABLE>
-<input type=submit name=submit value=Save></form><form action=\"delete.tcl\" method=GET><input type=submit name=submit value=Delete>
-<input type=hidden name=state value=pending>
-<input type=hidden name=risk_id value=$risk_id>
-<input type=hidden name=project_id value=$project_id>
-</form>
-"
-
-doc_return  200 text/html [im_return_template]