Merge branch 'hotfix-3.0.2' into stable

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## v3.0.2
+
+* Fix issue where super users could not delete dashboards owned by other users
+
 ## v3.0.1
 
 * Limit dynamic widget titles to 50 chars

handlers/admin/datamanager/admin_dashboard.cfc

@@ -41,20 +41,23 @@ component extends="preside.system.base.AdminHandler" {
 	}
 
 	private void function preFetchRecordsForGridListing( event, rc, prc, args={} ) {
-		var adminUserId     = event.getAdminUserId();
-		var adminUserGroups = _getAdminUserGroups( adminUserId );
-
-		args.extraFilters = args.extraFilters ?: [];
-		args.extraFilters.append( {
-			  filter       = "view_access = 'public'
-					or admin_dashboard.owner = :adminUserId
-					or ( view_access = 'specific' and ( view_users.id = :adminUserId or view_groups.id in ( :adminUserGroups ) ) )
-					or ( edit_access = 'specific' and ( edit_users.id = :adminUserId or edit_groups.id in ( :adminUserGroups ) ) )"
-			, filterParams = {
-				  adminUserId     = { type="varchar", value=adminUserId }
-				, adminUserGroups = { type="varchar", value=adminUserGroups, list=true }
-			  }
-		} );
+		var adminUserId = event.getAdminUserId();
+
+		if ( !dashboardService.hasFullAccess( adminUserId ) ) {
+			var adminUserGroups = _getAdminUserGroups( adminUserId );
+
+			args.extraFilters = args.extraFilters ?: [];
+			args.extraFilters.append( {
+				  filter       = "view_access = 'public'
+						or admin_dashboard.owner = :adminUserId
+						or ( view_access = 'specific' and ( view_users.id = :adminUserId or view_groups.id in ( :adminUserGroups ) ) )
+						or ( edit_access = 'specific' and ( edit_users.id = :adminUserId or edit_groups.id in ( :adminUserGroups ) ) )"
+				, filterParams = {
+					  adminUserId     = { type="varchar", value=adminUserId }
+					, adminUserGroups = { type="varchar", value=adminUserGroups, list=true }
+				  }
+			} );
+		}
 	}
 
 	private void function postFetchRecordsForGridListing( event, rc, prc, args={} ) {
@@ -68,14 +71,16 @@ component extends="preside.system.base.AdminHandler" {
 		var canDelete       = [];
 		var canViewThis     = false;
 		var canEditThis     = false;
+		var hasFullAccess   = dashboardService.hasFullAccess( adminUserId );
+
 
 		for( var r in records ){
 			canEditThis = r.owner_id == adminUserId || ( r.edit_access == "specific" && ( listFind( r.edit_users_list, adminUserId ) || _listFindOneOf( r.edit_groups_list, adminUserGroups ) ) );
 			canViewThis = canEditThis || r.view_access == "public" || ( r.view_access == "specific" && ( listFind( r.view_users_list, adminUserId ) || _listFindOneOf( r.view_groups_list, adminUserGroups ) ) )
-			canEdit.append( canEditThis );
-			canView.append( canViewThis );
-			canShare.append( r.owner_id == adminUserId );
-			canDelete.append( r.owner_id == adminUserId );
+			canEdit.append(   hasFullAccess || canEditThis );
+			canView.append(   hasFullAccess || canViewThis );
+			canShare.append(  hasFullAccess || r.owner_id == adminUserId );
+			canDelete.append( hasFullAccess || r.owner_id == adminUserId );
 		}
 
 		QueryAddColumn( records, "canView", canView );

services/AdminDashboardService.cfc

@@ -3,6 +3,7 @@
  * @singleton      true
  */
 component {
+	property name="permissionService" inject="PermissionService";
 
 // CONSTRUCTOR
 	/**
@@ -14,6 +15,10 @@ component {
 
 // PUBLIC API METHODS
 	public boolean function userCanViewDashboard( required string dashboardId, string adminUserId=$getAdminLoggedInUserId() ) {
+		if ( hasFullAccess( arguments.adminUserId ) ) {
+			return true;
+		}
+
 		var adminUserGroups = _getAdminUserGroups( arguments.adminUserId );
 
 		return $getPresideObject( "admin_dashboard" ).dataExists(
@@ -32,6 +37,10 @@ component {
 	}
 
 	public boolean function userCanEditDashboard( required string dashboardId, string adminUserId=$getAdminLoggedInUserId() ) {
+		if ( hasFullAccess( arguments.adminUserId ) ) {
+			return true;
+		}
+
 		return $getPresideObject( "admin_dashboard" ).dataExists(
 			  filter       = { "admin_dashboard.id"=arguments.dashboardId }
 			, extraFilters = [ {
@@ -43,17 +52,29 @@ component {
 	}
 
 	public boolean function userCanShareDashboard( required string dashboardId, string adminUserId=$getAdminLoggedInUserId() ) {
+		if ( hasFullAccess( arguments.adminUserId ) ) {
+			return true;
+		}
+
 		return $getPresideObject( "admin_dashboard" ).dataExists(
 			filter = { id=arguments.dashboardId, owner=arguments.adminUserId }
 		);
 	}
 
 	public boolean function userCanDeleteDashboard( required string dashboardId, string adminUserId=$getAdminLoggedInUserId() ) {
+		if ( hasFullAccess( arguments.adminUserId ) ) {
+			return true;
+		}
+
 		return $getPresideObject( "admin_dashboard" ).dataExists(
 			filter = { id=arguments.dashboardId, owner=arguments.adminUserId }
 		);
 	}
 
+	public boolean function hasFullAccess( required string adminUserId ) {
+		return permissionService.userHasAssignedRoles( userId=arguments.adminUserId, roles=[ "sysadmin" ] );
+	}
+
 // PRIVATE HELPERS
 	private string function _getAdminUserGroups( required string adminUserId ) {
 		return $getPresideObject( "security_group" ).selectData(
@@ -62,7 +83,6 @@ component {
 		).valueList( "id" );
 	}
 
-
 // GETTERS AND SETTERS
 
 }