#
#
#
#
# create_user_grants()
#
# Creates a simplified user grants model with super roles in session_info.
# It is the rbac user_grants node which is used to check which permissions
# are given for admin/reports/config per profile.
#
# Parameters:
#   session_id - name of the session node; the grants are written to
#                sessions_cache.<session_id>.session_info.user_grants
#
# The user is not passed in: it is taken from
# volatile.authenticated_user_node_path, and that user's "access" node under
# "users" is the only input the grants are derived from.
#
# Every grant starts out denied (false or empty) and is only switched on by a
# role found in the user's access node, so a user without roles ends up with
# the "?dp=index" landing page and no permissions.
#
# Helpers called here (get_simplified_user_access, create_super_role,
# get_default_url_query_string, ...) are not defined in this file; presumably
# they come from the include below - confirm.
#
# NOTE(review): session_id is concatenated into a node path without any check
# in this subroutine. Presumably the caller only passes a server-generated
# session id; confirm, since a value containing "." would address a different
# node.
#
#
#
#

include "templates.util.rbac.create_user_grants_util";

subroutine(create_user_grants(
  string session_id), (

  # debug_message("\n\n#### create_user_grants START \n");

  string user_node_name = node_name(volatile.authenticated_user_node_path);
  node session_info = "sessions_cache." . session_id . ".session_info";
  node user = "users." . user_node_name;
  # NOTE(review): default_url_query_string is declared a second time further
  # down, inside the access branch, and this first declaration is never
  # assigned here. Confirm that the re-declaration is intended.
  string default_url_query_string;

  set_subnode_value(session_info, "user_node_name", user_node_name);

  # Set default_url_query_string to "?dp=index",
  # we override it in case that the user has any valid access rights.
  # In case that the user has no roles assigned or no access to any page
  # it will load index and indicate No Permission.
  set_subnode_value(session_info, "default_url_query_string", "?dp=index");

  #
  #
  # Clean up any existing user_grants (possible upon re-login of same web browser, sessionId does not change!)
  #
  # Deleting the old node first means grants from the previous login on this
  # session id are not carried over into the new model.
  #
  #

  if (session_info?{"user_grants"}) then (
    delete_node(session_info{"user_grants"});
  );

  #
  #
  # Create default values
  #
  # All access flags below start as false and all super role containers start
  # empty; they are only filled in by the access branch further down.
  #
  #

  set_subnode_value(session_info, "user_grants", "");
  node user_grants = session_info{"user_grants"};

  set_subnode_value(user_grants, "requires_admin_link_in_reports", true);
  set_subnode_value(user_grants, "super_admin", "");
  set_subnode_value(user_grants, "super_scheduler_actions", "");
  set_subnode_value(user_grants, "super_miscellaneous", "");
  set_subnode_value(user_grants, "super_users_roles", "");

  set_subnode_value(user_grants, "all_profiles_grants", "");
  node all_profiles_grants = user_grants{"all_profiles_grants"};
  set_subnode_value(all_profiles_grants, "access_reports", false);
  set_subnode_value(all_profiles_grants, "access_config", false);
  set_subnode_value(all_profiles_grants, "rename_profile", false);
  set_subnode_value(all_profiles_grants, "delete_profile", false);
  set_subnode_value(all_profiles_grants, "super_role", "");

  set_subnode_value(user_grants, "profiles_grants", "");
  set_subnode_value(user_grants, "super_roles", "");

  #
  #
  # Create the super roles
  #
  # Skipped entirely when the user has no "access" node or an empty one, which
  # leaves the denied defaults from above in place.
  #
  #

  if (user?{"access"} and (num_subnodes(user{"access"}) > 0)) then (

    node user_access = user{"access"};

    # NOTE(review): this and the later active debug_message calls write the
    # user's access and grants nodes into the debug output. Confirm that debug
    # output is only readable by administrators.
    debug_message("#### user_access:\n" . node_as_string(user_access) . "\n");

    #
    # Create a temp node where each profile shows the roles individually (in case of multiple profile role associations
    #

    node simplified_user_access = get_simplified_user_access(user_access);

    debug_message("#### simplified_user_access:\n" . node_as_string(simplified_user_access) . "\n");

    if (num_subnodes(simplified_user_access) > 0) then (

      # The licensing tier selects which role definitions are handed to
      # create_super_role(): "roles_enterprise" for the enterprise tier,
      # "roles_standard" for every other value.
      string licensing_tier = get_licensing_tier();
      # debug_message("\n#### create_user_grants() - licensing_tier: " . licensing_tier . "\n");
      node lai_roles = if (licensing_tier eq "enterprise") then ("roles_enterprise") else ("roles_standard");
      # debug_message("\n#### create_user_grants() - lai_roles: " . lai_roles . "\n");

      node user_grants_super_admin = user_grants{"super_admin"};
      node user_grants_super_miscellaneous = user_grants{"super_miscellaneous"};
      node user_grants_super_roles = user_grants{"super_roles"};

      node enabled_field_categories = get_enabled_field_categories();
      bool is_enabled_field_categories = (num_subnodes(enabled_field_categories) > 0);

      node profiles_grants = user_grants{"profiles_grants"};

      node item;
      string profile_name;
      string super_role_name;
      node the_super_role;
      bool is_access_reports;
      bool is_access_config;
      bool is_rename_profile;
      bool is_delete_profile;

      # One item per profile entry; the item's node name is the profile name
      # and its "super_role_name" value names the super role to use.
      foreach item simplified_user_access (

        profile_name = node_name(item);
        super_role_name = @item{"super_role_name"};

        #
        #
        # If we didn't create the super role yet then create it now
        #
        # A super role is built once per distinct super_role_name and is then
        # shared by every profile entry that refers to it.
        #
        #

        if (!user_grants_super_roles?{super_role_name}) then (

          set_subnode_value(user_grants_super_roles, super_role_name, "");

          # If is_enabled_field_categories then add the default field_categories
          if (is_enabled_field_categories) then (
            clone_node(enabled_field_categories, user_grants_super_roles . "." . super_role_name . ".field_categories");
          );

          create_super_role(
            lai_roles,
            user_grants_super_admin,
            user_grants_super_miscellaneous,
            user_grants_super_roles{super_role_name},
            item{"roles"});
        );

        # Clean up field_categories from field_categories which have grants so that it remains
        # only field_categories for which the user has no permission.
        # This runs for every item, also when the super role already existed
        # from an earlier item.
        if (is_enabled_field_categories) then (
          remove_granted_field_categories_from_super_role(user_grants_super_roles{super_role_name});
        );

        #
        #
        # Set profile specific values
        #
        # Each flag is derived from the presence of a node in the super role:
        # reports/rename/delete test that one specific node exists, while
        # access_config requires a "config" node with at least one subnode.
        #
        #

        the_super_role = user_grants_super_roles{super_role_name};
        is_access_reports = (?(the_super_role . ".reports.access_reports"));
        is_access_config = (the_super_role?{"config"} and (num_subnodes(the_super_role{"config"}) > 0));
        is_rename_profile = (?(the_super_role . ".admin.rename_profile.view"));
        is_delete_profile = (?(the_super_role . ".admin.profiles.delete"));

        # "__ALL__PROFILES__" fills the all-profiles grants, any other name
        # except "__NO__PROFILES__" gets its own node under profiles_grants,
        # and "__NO__PROFILES__" writes no profile grants at all.
        if (profile_name eq "__ALL__PROFILES__") then (

          # set_subnode_value(user_grants, "is_all_profiles_super_role", true);

          set_subnode_value(all_profiles_grants, "access_reports", is_access_reports);
          set_subnode_value(all_profiles_grants, "access_config", is_access_config);
          set_subnode_value(all_profiles_grants, "rename_profile", is_rename_profile);
          set_subnode_value(all_profiles_grants, "delete_profile", is_delete_profile);
          set_subnode_value(all_profiles_grants, "super_role", super_role_name);
        )
        else if (profile_name ne "__NO__PROFILES__") then (

          profiles_grants . "." . profile_name . ".access_reports" = is_access_reports;
          profiles_grants . "." . profile_name . ".access_config" = is_access_config;
          profiles_grants . "." . profile_name . ".rename_profile" = is_rename_profile;
          profiles_grants . "." . profile_name . ".delete_profile" = is_delete_profile;
          profiles_grants . "." . profile_name . ".super_role" = super_role_name;
        );
      );

      debug_message("\n#### all super roles done:\n" . node_as_string(user_grants) . "\n");

      #
      #
      # Create super_scheduler_actions
      #
      # Only built when scheduler.unlimited_grants exists in super_admin and
      # its value is false; with unlimited grants, or without the node, the
      # empty default stays.
      #
      #

      if (?(user_grants_super_admin . ".scheduler.unlimited_grants") and
        !@(user_grants_super_admin . ".scheduler.unlimited_grants")) then (

        create_super_scheduler_actions(
          user_grants_super_admin,
          user_grants{"super_scheduler_actions"},
          all_profiles_grants,
          profiles_grants,
          user_grants_super_roles
        );
      );

      #
      #
      # Create super_users_roles
      #
      # Same condition as for the scheduler actions, applied to
      # users.unlimited_grants.
      #
      #

      if (?(user_grants_super_admin . ".users.unlimited_grants") and
        !@(user_grants_super_admin . ".users.unlimited_grants")) then (

        create_super_users_roles(
          user_grants_super_admin,
          user_grants{"super_users_roles"},
          all_profiles_grants,
          profiles_grants,
          user_grants_super_roles
        );
      );

      #
      #
      # Check if we give this user Admin Profiles access (i.e to view profiles to access the reports)
      #
      #

      update_super_admin_profiles_view_permission(user_grants);

      #
      #
      # Set final default_url_query_string
      #
      # Replaces the "?dp=index" default set at the top; this point is only
      # reached when the user has at least one simplified access entry.
      #
      #

      debug_message("#### user_grants_super_admin:\n" . node_as_string(user_grants_super_admin) . "\n");

      # A missing auto_direct_to_reports_after_login node counts as false.
      bool auto_direct_to_reports_after_login = if (user?{"auto_direct_to_reports_after_login"}) then (@user{"auto_direct_to_reports_after_login"}) else (false);
      string default_url_query_string = get_default_url_query_string(user_grants_super_admin, all_profiles_grants, profiles_grants, auto_direct_to_reports_after_login);
      set_subnode_value(session_info, "default_url_query_string", default_url_query_string);
    );
  );

  # Saved in every case, so a user without access also gets the denied
  # defaults written to the session.
  save_node(session_info);

  # debug_message("\n#### #### create_user_grants END \n");
));