jjimenez/safekat
1
0
Fork 0
mirror of https://git.imnavajas.es/jjimenez/safekat.git synced 2025-07-25 22:52:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

Blindado rol root en seguridad

Browse Source
This commit is contained in:
Ignacio Martinez Navajas
2025-07-18 12:36:22 +02:00
parent df21b5ba05
commit cc757b5db3
2 changed files with 76 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
ci4/app/Controllers/Configuracion/Group.php
View File

@ -52,7 +52,6 @@ class Group extends \App\Controllers\GoBaseController
$postData = $this->request->getPost();
$temp_data['id'] = $groupEntity->id;
$temp_data['title'] = $postData['title'];
$temp_data['description'] = $postData['description'];
@ -243,30 +242,4 @@ class Group extends \App\Controllers\GoBaseController
}
}
public function menuItems()
{
if ($this->request->isAJAX()) {
$searchStr = goSanitize($this->request->getPost('searchTerm'))[0];
$reqId = goSanitize($this->request->getPost('id'))[0];
$reqText = goSanitize($this->request->getPost('text'))[0];
$onlyActiveOnes = false;
$columns2select = [$reqId ?? 'id', $reqText ?? 'nombre'];
$onlyActiveOnes = false;
$menu = $this->model->getSelect2MenuItems($columns2select, $columns2select[1], $onlyActiveOnes, $searchStr);
$nonItem = new \stdClass;
$nonItem->id = '';
$nonItem->text = '- ' . lang('Basic.global.None') . ' -';
array_unshift($menu, $nonItem);
$newTokenHash = csrf_hash();
$csrfTokenName = csrf_token();
$data = [
'menu' => $menu,
$csrfTokenName => $newTokenHash
];
return $this->respond($data);
} else {
return $this->failUnauthorized('Invalid request', 403);
}
}
}

112
ci4/app/Controllers/Configuracion/Users.php
View File

@ -69,7 +69,7 @@ class Users extends \App\Controllers\GoBaseController
public function add()
{
if ($this->request->getPost()) :
if ($this->request->getPost()):
$postData = $this->request->getPost();
@ -94,8 +94,8 @@ class Users extends \App\Controllers\GoBaseController
// Obtener proveedor de usuarios
$users = auth()->getProvider();
if ($successfulResult = $this->canValidate()) :
if ($this->canValidate()) :
if ($successfulResult = $this->canValidate()):
if ($this->canValidate()):
try {
// The Email is unique
@ -134,17 +134,12 @@ class Users extends \App\Controllers\GoBaseController
$thenRedirect = true; // Change this to false if you want your user to stay on the form after submission
endif;
if ($noException && $successfulResult) :
if ($noException && $successfulResult):
$id = $users->getInsertID();
$this->group_user_model->where('user_id', $id)->delete();
foreach ($currentGroups as $group) {
$group_user_data = [
'user_id' => $id,
'group' => $group
];
$this->group_user_model->insert($group_user_data);
}
// Asignar los grupos de usuarios a los que pertenece el usuario editado
$this->saveUserGroupsSafely($id, $currentGroups);
$this->chat_department_user_model->where("user_id", $id)->delete();
foreach ($chatDepartments as $chatDepartment) {
$this->chat_department_user_model->insert([
@ -156,8 +151,8 @@ class Users extends \App\Controllers\GoBaseController
$message = lang('Basic.global.saveSuccess', [mb_strtolower(lang('Users.user'))]) . '.';
$message = ucfirst(str_replace("'", "\'", $message));
if ($thenRedirect) :
if (!empty($this->indexRoute)) :
if ($thenRedirect):
if (!empty($this->indexRoute)):
return redirect()->to(route_to($this->indexRoute))->with('successMessage', $message);
else:
return $this->redirect2listView('successMessage', $message);
@ -173,7 +168,7 @@ class Users extends \App\Controllers\GoBaseController
$this->viewData['user'] = isset($sanitizedData) ? new UserEntity($sanitizedData) : new UserEntity();
$this->viewData['clienteList'] = $this->getClienteListItems();
$this->viewData['formAction'] = route_to('createUser');
$this->viewData['groups'] = $this->group_model->select('keyword, title')->findAll();
$this->viewData['groups'] = $this->group_model->select('keyword, title')->where('id >', 0)->findAll();
$this->viewData['chatDepartments'] = $this->chat_department_model->findAll();
$this->viewData['boxTitle'] = lang('Basic.global.addNew') . ' ' . lang('Users.user') . ' ' . lang('Basic.global.addNewSuffix');
@ -191,12 +186,12 @@ class Users extends \App\Controllers\GoBaseController
$users = auth()->getProvider();
$user = $users->findById($id);
if ($user == false) :
if ($user == false):
$message = lang('Basic.global.notFoundWithIdErr', [mb_strtolower(lang('Users.user')), $id]);
return $this->redirect2listView('errorMessage', $message);
endif;
if ($this->request->getPost()) :
if ($this->request->getPost()):
$postData = $this->request->getPost();
@ -218,9 +213,9 @@ class Users extends \App\Controllers\GoBaseController
}
$noException = true;
if ($successfulResult = $this->canValidate()) :
if ($successfulResult = $this->canValidate()):
if ($this->canValidate()) :
if ($this->canValidate()):
try {
if (in_array('cliente-editor', $currentGroups) || in_array('cliente-administrador', $currentGroups)) {
@ -249,16 +244,11 @@ class Users extends \App\Controllers\GoBaseController
$thenRedirect = false;
endif;
if ($noException && $successfulResult) :
if ($noException && $successfulResult):
// Asignar los grupos de usuarios a los que pertenece el usuario editado
$this->saveUserGroupsSafely($user->id, $currentGroups);
$this->group_user_model->where('user_id', $user->id)->delete();
foreach ($currentGroups as $group) {
$group_user_data = [
'user_id' => $user->id,
'group' => $group
];
$this->group_user_model->insert($group_user_data);
}
$this->chat_department_user_model->where("user_id", $id)->delete();
foreach ($chatDepartments as $chatDepartment) {
$this->chat_department_user_model->insert([
@ -270,8 +260,8 @@ class Users extends \App\Controllers\GoBaseController
$message = lang('Basic.global.updateSuccess', [mb_strtolower(lang('Users.user'))]) . '.';
$message = ucfirst(str_replace("'", "\'", $message));
if ($thenRedirect) :
if (!empty($this->indexRoute)) :
if ($thenRedirect):
if (!empty($this->indexRoute)):
return redirect()->to(route_to($this->indexRoute))->with('successMessage', $message);
else:
return $this->redirect2listView('successMessage', $message);
@ -287,7 +277,7 @@ class Users extends \App\Controllers\GoBaseController
$this->viewData['clienteList'] = $this->getClienteListItems($user->cliente_id);
$this->viewData['formAction'] = route_to('updateUser', $id);
$this->viewData['selectedGroups'] = $this->group_model->getUsersRoles($requestedId);
$this->viewData['groups'] = $this->group_model->select('keyword, title')->findAll();
$this->viewData['groups'] = $this->group_model->select('keyword, title')->where('id >', 0)->findAll();
$this->viewData['chatDepartments'] = $this->chat_department_model->select(["display", "name", "id as chatDepartmentId"])->findAll();
$this->viewData['chatDepartmentUser'] = $this->chat_department_user_model->getChatDepartmentUser($user->id);
$this->viewData['boxTitle'] = lang('Basic.global.edit2') . ' ' . lang('Users.user') . ' ' . lang('Basic.global.edit3');
@ -299,18 +289,22 @@ class Users extends \App\Controllers\GoBaseController
public function delete($requestedId = null, bool $deletePermanently = true)
{
if ($requestedId == null) :
if ($requestedId == null):
return $this->redirect2listView();
endif;
$id = filter_var($requestedId, FILTER_SANITIZE_URL);
$user = $this->model->find($id);
if ($user == false) :
if ($user == false):
$message = lang('Basic.global.notFoundWithIdErr', [mb_strtolower(lang('Users.user')), $id]);
return $this->redirect2listView('errorMessage', $message);
endif;
// Elimina todos los grupos actuales
$this->group_user_model->where('user_id', $id)->delete();
// Elimina todos los grupos de chat actuales
$this->chat_department_user_model->where("user_id", $id)->delete();
$users = auth()->getProvider();
@ -433,11 +427,11 @@ class Users extends \App\Controllers\GoBaseController
protected function getClienteListItems($selId = null)
{
$data = ['' => ""];
if (!empty($selId)) :
if (!empty($selId)):
$clienteModel = model('App\Models\Clientes\ClienteModel');
$selOption = $clienteModel->where('id', $selId)->findColumn('nombre');
if (!empty($selOption)) :
if (!empty($selOption)):
$data[$selId] = $selOption[0];
endif;
endif;
@ -450,7 +444,7 @@ class Users extends \App\Controllers\GoBaseController
['title' => lang("App.menu_change_session"), 'route' => route_to('maquinistaUserChangeList'), 'active' => true]
];
$maquinistas = [];
$users = auth()->getProvider()->whereNotIn('id',[auth()->user()->id])->findAll();
$users = auth()->getProvider()->whereNotIn('id', [auth()->user()->id])->findAll();
foreach ($users as $key => $user) {
if ($user->inGroup('maquina') && !$user->inGroup('admin', 'comercial', 'cliente-editor', 'cliente-admin')) {
$maquinistas[] = $user;
@ -467,4 +461,50 @@ class Users extends \App\Controllers\GoBaseController
auth()->login($user);
return redirect("home");
}
/**
* Asigna grupos a un usuario, asegurando que no se pueda inyectar el grupo 'root',
* pero manteniéndolo si ya lo tenía previamente.
*
* @param int $userId ID del usuario al que se le asignarán los grupos
* @param array $requestedGroups Grupos solicitados desde el formulario
* @return void
*/
private function saveUserGroupsSafely(int $userId, array $requestedGroups): void
{
// Verifica si el usuario ya tenía el grupo 'root'
$existingGroups = $this->group_user_model
->where('user_id', $userId)
->findColumn('group') ?? [];
$hasRoot = in_array('root', $existingGroups);
// Elimina todos los grupos actuales
$this->group_user_model->where('user_id', $userId)->delete();
// Inserta solo los grupos válidos (sin 'root')
foreach ($requestedGroups as $group) {
if (!empty($group) && $group !== 'root') {
$this->group_user_model->insert([
'user_id' => $userId,
'group' => $group,
'created_at' => date('Y-m-d H:i:s'),
]);
} elseif ($group === 'root') {
log_message('alert', "Intento de asignar grupo 'root' al usuario ID $userId");
}
}
// Reasigna 'root' solo si el usuario ya lo tenía
if ($hasRoot) {
$this->group_user_model->insert([
'user_id' => $userId,
'group' => 'root',
'created_at' => date('Y-m-d H:i:s'),
]);
}
}
}