Open
Labels: Module: statistics, Proposal
Description
master branch
Review the suggested change and remove the below TODO/FIXME comments.
modules/statistics/php/statistics_dd_site.class.inc:_checkCriteria()
```php
function _checkCriteria($centerID, $projectID)
{
    // TODO: _checkCriteria takes care of restricting access to sites the user belongs to.
    // When logic reimplemented on hasCenterPermission(),
    // _checkCriteria() will take care of retrieving information
    // only for those centers the user has the specific permission.
    // TODO: There are no means of setting permissions per site
    // for a given user right now: (e.g.) The user X can have
    // the permission data_entry on site Y but not on site Z.
    // Currently, hasCenterPermission() function is only checking
    // if the user has a given center AND a given permission
    // not if it has the permission for this specific center.
    // This logic will be implemented in hasCenterPermission()
    // in near versions when the permission framework allows it
    if (!empty($centerID)) {
        $this->query_criteria   .= " AND s.CenterID =:cid ";
        $this->query_vars['cid'] = $centerID;
    } else {
        $list_of_permitted_sites = (array) null;
        $currentUser = \User::singleton();
        if ($currentUser->hasPermission('access_all_profiles')) {
            $list_of_permitted_sites = array_keys(\Utility::getSiteList());
        } else {
            foreach ($currentUser->getCenterIDs() as $centerID) {
                if ($currentUser->hasCenterPermission(
                    'data_entry',
                    intval($centerID)
                )
                ) {
                    array_push($list_of_permitted_sites, $centerID);
                }
            }
        }
        $params    = array();
        $centerIDs = array();
        foreach ($list_of_permitted_sites as $key => $siteID) {
            $params[] = ":id$key";
            $centerIDs["id$key"] = $siteID;
        }
        $this->query_criteria .=
            " AND s.CenterID IN (" . implode(',', $params) . ")";
        $this->query_vars     += $centerIDs;
    }
    if (!empty($projectID)) {
        $this->query_criteria   .= " AND s.ProjectID =:pid ";
        $this->query_vars['pid'] = $projectID;
    }
}
```
See #5687 for more details
johnsaigle
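The per-site gap the TODO comments describe, shown as an added PHP example that is not LORIS code: a check that only requires center membership plus the permission held anywhere, next to one that requires the permission at that specific center. `SiteScopedUser`, both `hasCenterPermission*` methods, `buildCenterCriteria()`, the `unheld_perm` code and the grant data are hypothetical and constructed for illustration; the builder also covers the case where no site is permitted, since `IN ()` is a syntax error in MySQL.

```php
<?php
declare(strict_types=1);

// Hypothetical model, not LORIS code: $grants maps a permission code to the
// CenterIDs where it is granted (LORIS has no such per-site storage today).
final class SiteScopedUser
{
    public function __construct(private array $centerIDs, private array $grants) {}

    // Behaviour the TODO describes: the user belongs to the center AND holds
    // the permission somewhere, not necessarily at that center.
    public function hasCenterPermissionCoarse(string $perm, int $centerID): bool
    {
        return in_array($centerID, $this->centerIDs, true)
            && !empty($this->grants[$perm]);
    }

    // Per-site check: the permission must be granted for this very center.
    public function hasCenterPermissionScoped(string $perm, int $centerID): bool
    {
        return in_array($centerID, $this->centerIDs, true)
            && in_array($centerID, $this->grants[$perm] ?? [], true);
    }
}

// Returns [SQL fragment, bindings]. An empty list yields a match-nothing
// clause, because "IN ()" is a syntax error in MySQL.
function buildCenterCriteria(array $permittedSites): array
{
    if ($permittedSites === []) {
        return [" AND 1=0 ", []];
    }
    $params = $vars = [];
    foreach (array_values($permittedSites) as $i => $siteID) {
        $params[]     = ":id$i";
        $vars["id$i"] = $siteID;
    }
    return [" AND s.CenterID IN (" . implode(',', $params) . ")", $vars];
}

// Constructed sample: user X has data_entry on site 1 (Y) but not site 2 (Z).
$userX  = new SiteScopedUser([1, 2], ['data_entry' => [1]]);
$coarse = array_filter([1, 2], fn($c) => $userX->hasCenterPermissionCoarse('data_entry', $c));
$scoped = array_filter([1, 2], fn($c) => $userX->hasCenterPermissionScoped('data_entry', $c));
$none   = array_filter([1, 2], fn($c) => $userX->hasCenterPermissionScoped('unheld_perm', $c));
foreach ([$coarse, $scoped, $none] as $sites) {
    [$sql, $vars] = buildCenterCriteria($sites);
    echo $sql, ' ', json_encode($vars), PHP_EOL;
}
```

The coarse check binds both sites, the scoped check binds site 1 only, and the permission the user does not hold produces the match-nothing clause with no bindings.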