From 6262f933bc82fd6e973ab934a5aaa5ca529a996c Mon Sep 17 00:00:00 2001
From: Ramon Gutierrez
Date: Tue, 27 Feb 2018 23:42:44 +0800
Subject: [PATCH 1/2] Add missing acl checks on list methods #30
---
 src/Controller/JobOrderController.php | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/src/Controller/JobOrderController.php b/src/Controller/JobOrderController.php
index 4b7c1b3d..4cc07c25 100644
--- a/src/Controller/JobOrderController.php
+++ b/src/Controller/JobOrderController.php
@@ -40,10 +40,7 @@ class JobOrderController extends BaseController
 {
 public function getJobOrders(Request $req)
 {
- if (!$this->isGranted('jo_in.list')) {
- $exception = $this->createAccessDeniedException('No access.');
- throw $exception;
- }
+ $this->denyAccessUnlessGranted('jo_in.list', null, 'No access.');
 // get search term
 $term = $req->query->get('search');
@@ -147,7 +144,6 @@ class JobOrderController extends BaseController
 public function incomingSubmit(Request $req, ValidatorInterface $validator, InvoiceCreator $ic)
 {
- error_log(print_r($req->request->all(), true));
 $this->denyAccessUnlessGranted('jo_in.list', null, 'No access.');
 // initialize error list
@@ -342,6 +338,8 @@ class JobOrderController extends BaseController
 public function listAssigning()
 {
+ $this->denyAccessUnlessGranted('jo_assign.list', null, 'No access.');
+
 $params = $this->initParameters('jo_assign');
 $params['table_refresh_rate'] = $this->container->getParameter('job_order_refresh_interval');
@@ -351,6 +349,8 @@ class JobOrderController extends BaseController
 public function listFulfillment()
 {
+ $this->denyAccessUnlessGranted('jo_fulfill.list', null, 'No access.');
+
 $params = $this->initParameters('jo_fulfill');
 $params['table_refresh_rate'] = $this->container->getParameter('job_order_refresh_interval');
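Review bot: The search term on the hunk's last context line, `$term = $req->query->get('search')`, comes straight from the query string, and in Symfony releases of this period `ParameterBag::get()` hands back whatever was sent, so `?search[]=x` yields an array rather than a string. Its use is outside the hunk (getJobOrders continues past it), but anything expecting a string there will throw or misbehave on an array, so normalise at the boundary: `$term = (string) $req->query->get('search', '');`. The swap to `denyAccessUnlessGranted()` itself is behaviourally equivalent to the removed `isGranted()`/throw pair.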
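Review bot: incomingSubmit is a write action (a submit handler taking a ValidatorInterface and an InvoiceCreator), yet its only guard is `jo_in.list`, the same attribute that gates the read-only getJobOrders listing in the hunk above, so anyone allowed to view incoming job orders can also submit them. The templates in this series check action-level attributes such as `jo_assign.unlock`, which suggests the ACL scheme can express a finer grant; if so, gate the submit on it, e.g. `$this->denyAccessUnlessGranted('jo_in.create', null, 'No access.');`, with the exact name taken from the project's voter. The method body continues beyond the hunk, so I cannot see whether a CSRF token is verified on the posted form; confirm that it is.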
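Review bot: The new `jo_assign.list` guard protects only the action that renders the page; the `table_refresh_rate` parameter on the following line indicates the table polls a separate data endpoint (getJobOrders plays that role for `jo_in` in the first hunk), and the data action for the assigning view is not part of this patch. A user without `jo_assign.list` can still request that data URL directly unless it carries its own check, so confirm the assigning, fulfillment, open and all data actions each call `denyAccessUnlessGranted` with the matching attribute. listAssigning continues past the end of the hunk.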
@@ -360,6 +360,8 @@ class JobOrderController extends BaseController
 public function listOpen()
 {
+ $this->denyAccessUnlessGranted('jo_open.list', null, 'No access.');
+
 $params = $this->initParameters('jo_open');
 $params['table_refresh_rate'] = $this->container->getParameter('job_order_refresh_interval');
@@ -370,6 +372,8 @@ class JobOrderController extends BaseController
 public function listAll()
 {
+ $this->denyAccessUnlessGranted('jo_all.list', null, 'No access.');
+
 $params = $this->initParameters('jo_all');
 $params['table_refresh_rate'] = $this->container->getParameter('job_order_refresh_interval');
@@ -852,11 +856,11 @@ class JobOrderController extends BaseController
 public function fulfillmentForm(MapTools $map_tools, $id)
 {
- $this->denyAccessUnlessGranted('jo_assign.list', null, 'No access.');
+ $this->denyAccessUnlessGranted('jo_fulfill.list', null, 'No access.');
 $em = $this->getDoctrine()->getManager();
- $params = $this->initParameters('jo_assign');
+ $params = $this->initParameters('jo_fulfill');
 $params['mode'] = 'update-fulfillment';
 // get row data
@@ -901,7 +905,7 @@ class JobOrderController extends BaseController
 public function fulfillmentSubmit(Request $req, ValidatorInterface $validator, $id)
 {
- $this->denyAccessUnlessGranted('jo_assign.list', null, 'No access.');
+ $this->denyAccessUnlessGranted('jo_fulfill.list', null, 'No access.');
 // initialize error list
 $error_array = [];
From 9cef8b4246d0b66565812f8ecf1acc7cbe053123 Mon Sep 17 00:00:00 2001
From: Ramon Gutierrez
Date: Tue, 27 Feb 2018 23:42:54 +0800
Subject: [PATCH 2/2] Fix acl checking on unlock buttons #30
---
 templates/job-order/list.assigning.html.twig | 4 +++-
 templates/job-order/list.html.twig | 6 ++++--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/templates/job-order/list.assigning.html.twig b/templates/job-order/list.assigning.html.twig
index d1c32275..c9b930a3 100644
--- a/templates/job-order/list.assigning.html.twig
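Review bot: The guard and `initParameters('jo_all')` now repeat the same prefix as two separate string literals, and this pattern is copied across all five list actions in the series; the fulfillmentForm hunk below shows exactly what happens when the two literals drift apart (`jo_assign` checked, `jo_fulfill` rendered). Passing the prefix once through a small private helper that both guards and builds the parameters removes that class of mistake, and listAll then reduces to a single call; the remainder of listAll (the render) is outside the hunk, so adapt the tail to whatever it does. I have typed the helper's return as `array` on the assumption that initParameters returns one, as the subscript assignment suggests — confirm against its signature.

```php
    /**
     * Deny access unless "<prefix>.list" is granted, then build the
     * common parameters for a job-order list view.
     */
    private function guardedListParams(string $prefix): array
    {
        $this->denyAccessUnlessGranted($prefix . '.list', null, 'No access.');

        $params = $this->initParameters($prefix);
        $params['table_refresh_rate'] = $this->container->getParameter('job_order_refresh_interval');

        return $params;
    }

    public function listAll()
    {
        $params = $this->guardedListParams('jo_all');
        // … unchanged: remainder of listAll (outside the hunk) …
```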
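Review bot: Correcting the attribute to `jo_fulfill.list` still gates a mutating form (`$params['mode'] = 'update-fulfillment'` two lines below) on a list/read permission, so any user who may view the fulfillment list may also open the update form for any `$id`. If the voter supports an action-level attribute, as the `jo_assign.unlock` checks in the templates suggest, use it here, e.g. `$this->denyAccessUnlessGranted('jo_fulfill.update', null, 'No access.');`. The row is loaded just after the hunk (`// get row data`), so once it is available a second check with the entity as subject lets the voter decide per object rather than globally; fulfillmentForm continues past the hunk.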
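Review bot: The check here runs against a `null` subject before `$id` is resolved, so nothing in the visible code ties the grant to the specific job order being submitted, and `$id` arrives untyped from the route. Declare it `int $id` (with a matching route requirement) so a non-numeric value is rejected before any lookup, and after the row is loaded (outside the hunk) re-check with the entity as subject: `$this->denyAccessUnlessGranted('jo_fulfill.update', $jobOrder, 'No access.');`, returning a 404 via `createNotFoundException()` when the lookup yields nothing. The attribute name must follow the project's voter; fulfillmentSubmit continues beyond the hunk.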
+++ b/templates/job-order/list.assigning.html.twig
@@ -111,7 +111,9 @@
 var actions = '';
 {% if is_granted('jo_assign.unlock') %}
- actions += '';
+ if (row.meta.unlock_url != '') {
+ actions += '';
+ }
 {% endif %}
 return actions;
diff --git a/templates/job-order/list.html.twig b/templates/job-order/list.html.twig
index 114d45f0..c7a6110e 100644
--- a/templates/job-order/list.html.twig
+++ b/templates/job-order/list.html.twig
@@ -106,8 +106,10 @@
 template: function (row, index, datatable) {
 var actions = '';
- {% if row.meta.unlock_url != "" && is_granted('jo_proc.unlock') %}
- actions += '';
+ {% if is_granted('jo_proc.unlock') %}
+ if (row.meta.unlock_url != '') {
+ actions += '';
+ }
 {% endif %}
 return actions;
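Review bot: `row.meta.unlock_url != ''` is a loose JavaScript comparison that is true for `undefined` and `null` as well as for a real URL, so a row whose meta carries no `unlock_url` still gets the button, with an href of `undefined`; write `if (row.meta && row.meta.unlock_url) {` instead. Note also that this check and the surrounding `is_granted('jo_assign.unlock')` only decide whether the button is drawn — they are not access control — so the unlock route itself must call `denyAccessUnlessGranted('jo_assign.unlock', …)` server-side, since anyone can request the URL directly. The markup appended to `actions` is blank in this rendering of the patch, so I cannot see whether `unlock_url` is escaped when spliced into the HTML string; confirm it is, or build the anchor with DOM APIs.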
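Review bot: The `{% if is_granted('jo_proc.unlock') %}` kept here checks a different prefix from the `jo_assign.unlock` used in list.assigning.html.twig in the previous hunk, and this series has already had to fix one such prefix mix-up in fulfillmentForm; confirm `jo_proc` is the attribute the unlock route for this list actually enforces, otherwise the button and the server will disagree. The removed line evaluated `row.meta.unlock_url` inside a Twig `{% if %}`, where `row` is a JavaScript runtime value rather than a template variable, so moving that test into the JS is the right fix, but use a strict, null-safe form: `if (row.meta && row.meta.unlock_url) {`. The enclosing `template:` function starts inside the hunk but its closing brace is outside it.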