Enforce user-specific data access for all users
Refactored controllers and models to always filter data by user ID, removing admin bypass logic. This ensures all statistics, groups, domains, and tags are user-specific regardless of isolation mode, improving data isolation and security.
@@ -27,27 +27,17 @@ class DashboardController extends Controller
|
||||
$settingModel = new \App\Models\Setting();
|
||||
$isolationMode = $settingModel->getValue('user_isolation_mode', 'shared');
|
||||
|
||||
// Get user-specific or global statistics
|
||||
if ($isolationMode === 'isolated') {
|
||||
$stats = $this->domainModel->getStatistics($userId);
|
||||
$recentDomains = $this->domainModel->getRecent(5, $userId);
|
||||
$groups = $this->groupModel->getAllWithChannelCount($userId);
|
||||
} else {
|
||||
$stats = $this->domainModel->getStatistics();
|
||||
$recentDomains = $this->domainModel->getRecent(5);
|
||||
$groups = $this->groupModel->getAllWithChannelCount();
|
||||
}
|
||||
// Get user-specific statistics (always user-specific)
|
||||
$stats = $this->domainModel->getStatistics($userId);
|
||||
$recentDomains = $this->domainModel->getRecent(5, $userId);
|
||||
$groups = $this->groupModel->getAllWithChannelCount($userId);
|
||||
|
||||
// Get expiring threshold from settings
|
||||
$notificationDays = $settingModel->getNotificationDays();
|
||||
$expiringThreshold = !empty($notificationDays) ? max($notificationDays) : 30;
|
||||
|
||||
// Get expiring domains limited to top 5
|
||||
if ($isolationMode === 'isolated') {
|
||||
$allExpiringDomains = $this->domainModel->getExpiringDomains($expiringThreshold, $userId);
|
||||
} else {
|
||||
$allExpiringDomains = $this->domainModel->getExpiringDomains($expiringThreshold);
|
||||
}
|
||||
$allExpiringDomains = $this->domainModel->getExpiringDomains($expiringThreshold, $userId);
|
||||
$expiringThisMonth = array_slice($allExpiringDomains, 0, 5);
|
||||
|
||||
$recentLogs = $this->logModel->getRecent(10);
|
||||
|
||||
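Review bot: `$recentLogs = $this->logModel->getRecent(10);` near the end of the hunk is still fetched without `$userId`, so the dashboard keeps showing log entries from every user while each other query in this hunk is now scoped; if log rows carry domain names or per-user actions, that is the remaining cross-user exposure on this page. Consider `$recentLogs = $this->logModel->getRecent(10, $userId);` once the log model can filter by user, or add a comment stating why the log feed is intentionally global. `$isolationMode` on the third code line of the hunk is no longer read anywhere visible after the change; drop that assignment if nothing further down the method uses it. The enclosing method begins and ends outside the hunk.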
@@ -50,16 +50,11 @@ class DomainController extends Controller
|
||||
];
|
||||
|
||||
// Get filtered and paginated domains using model
|
||||
$result = $this->domainModel->getFilteredPaginated($filters, $sortBy, $sortOrder, $page, $perPage, $expiringThreshold, $isolationMode === 'isolated' ? $userId : null);
|
||||
$result = $this->domainModel->getFilteredPaginated($filters, $sortBy, $sortOrder, $page, $perPage, $expiringThreshold, $userId);
|
||||
|
||||
// Get groups and tags based on isolation mode
|
||||
if ($isolationMode === 'isolated') {
|
||||
$groups = $this->groupModel->getAllWithChannelCount($userId);
|
||||
$allTags = $this->domainModel->getAllTags($userId);
|
||||
} else {
|
||||
$groups = $this->groupModel->getAllWithChannelCount();
|
||||
$allTags = $this->domainModel->getAllTags();
|
||||
}
|
||||
// Get groups and tags (always user-specific)
|
||||
$groups = $this->groupModel->getAllWithChannelCount($userId);
|
||||
$allTags = $this->domainModel->getAllTags($userId);
|
||||
|
||||
// Format domains for display
|
||||
$formattedDomains = \App\Helpers\DomainHelper::formatMultiple($result['domains']);
|
||||
|
||||
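Review bot: The new `getFilteredPaginated(...)` call passes `$userId` unconditionally, but the removed call passed `null` to mean "unscoped", so the model presumably still treats a null user id as "all domains" and the isolation now rests on every caller remembering the argument. Tighten it at the model as well: make `$userId` a required `int` in `getFilteredPaginated`, `getAllTags` and `getAllWithChannelCount` so an omitted argument fails fast instead of silently widening the query; the DashboardController and NotificationGroupController hunks rely on the same methods. The head of this method, where `$isolationMode` is presumably still looked up, is outside the hunk and should be checked for a now-unused setting read. The enclosing method continues past the hunk.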
@@ -24,12 +24,8 @@ class NotificationGroupController extends Controller
|
||||
$settingModel = new \App\Models\Setting();
|
||||
$isolationMode = $settingModel->getValue('user_isolation_mode', 'shared');
|
||||
|
||||
// Get groups based on isolation mode
|
||||
if ($isolationMode === 'isolated') {
|
||||
$groups = $this->groupModel->getAllWithChannelCount($userId);
|
||||
} else {
|
||||
$groups = $this->groupModel->getAllWithChannelCount();
|
||||
}
|
||||
// Get groups (always user-specific)
|
||||
$groups = $this->groupModel->getAllWithChannelCount($userId);
|
||||
|
||||
// Get users for transfer functionality (admin only)
|
||||
$users = [];
|
||||
|
||||
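Review bot: `$settingModel = new \App\Models\Setting();` and `$isolationMode = $settingModel->getValue('user_isolation_mode', 'shared');` at the top of the hunk are kept although their only visible consumer, the `if ($isolationMode === 'isolated')` branch, was removed; unless something further down the method reads them, delete both lines so a stale setting lookup does not suggest the mode still governs this page. The "users for transfer (admin only)" block that follows should keep its role check independent of the isolation mode, since the commit removes the mode-based branching rather than the admin distinction. The enclosing method continues past the hunk.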