<?php /* $Id: permissions.class.php 192 2008-07-24 02:13:49Z pedroix $ $URL: https://web2project.svn.sourceforge.net/svnroot/web2project/trunk/classes/permissions.class.php $ */

/**
 * Copyright 2005, the web2Project Team.
 *
 * This file is part of web2Project and is released under the same license.
 * Check the file index.php in the top level web2project directory for license
 * details. If you cannot find this file, or a LICENSE or COPYING file,
 * please email the author for details.
 */

/*
 * Permissions system extends the phpgacl class. Very few changes have
 * been made, however the main one is to provide the database details from
 * the main w2P environment.
 */

// Direct-access guard: everything below depends on the w2P bootstrap
// (W2P_BASE_DIR, w2PgetConfig(), $db, DBQuery, dprint()), so refuse to run
// when the file is requested on its own.
if (!defined('W2P_BASE_DIR')) {
    die('This file should not be called directly.');
}

// Set the ADODB directory (phpgacl talks to the database through ADODB)
if (!defined('ADODB_DIR')) {
    define('ADODB_DIR', W2P_BASE_DIR . '/lib/adodb');
}

// Include the PHPGACL library
require_once W2P_BASE_DIR . '/lib/phpgacl/gacl.class.php';
require_once W2P_BASE_DIR . '/lib/phpgacl/gacl_api.class.php';
// Include the db_connections

// Now extend the class
/**
 * Extend the gacl_api class. There is an argument to separate this
 * into a gacl and gacl_api class on the premise that normal activity
 * only needs the functions in gacl, but it would appear that this is
 * not so for w2P, which tends to require reverse lookups rather than
 * just forward ones (i.e. looking up who is allowed to do x, rather
 * than is x allowed to do y).
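*/
class w2Pacl extends gacl_api {

    /** Prefix of the phpgacl tables, appended to the w2P database prefix. */
    var $_db_acl_prefix = 'gacl_';

    /**
     * Constructor: wire phpgacl to the w2P database.
     *
     * The db_* options are always taken from w2PgetConfig() (any values the
     * caller passed for them are overwritten) and the live $db handle is
     * shared with phpgacl.
     *
     * @param array|null $opts additional gacl_api options
     */
    function w2Pacl($opts = null) {
        global $db;

        if (!is_array($opts)) {
            $opts = array();
        }
        $opts['db_type'] = w2PgetConfig('dbtype');
        $opts['db_host'] = w2PgetConfig('dbhost');
        $opts['db_user'] = w2PgetConfig('dbuser');
        $opts['db_password'] = w2PgetConfig('dbpass');
        $opts['db_name'] = w2PgetConfig('dbname');
        $opts['db_table_prefix'] = w2PgetConfig('dbprefix') . $this->_db_acl_prefix;
        $opts['db'] = $db;
        // We can add an ADODB instance instead of the database
        // connection details. This might be worth looking at in
        // the future.
        // phpgacl debug output (it prints ACL query details) is only switched
        // on above debug level 10.
        if (w2PgetConfig('debug', 0) > 10) {
            $this->_debug = true;
        }
        parent::gacl_api($opts);
    }

    /**
     * Check whether $login (a user id, the ARO 'user' value) may log in, and
     * rebuild that user's cached permission rows at the same time.
     *
     * @param mixed $login user id as stored in the ARO 'user' section
     * @return mixed result of the system/login acl_check()
     */
    function checkLogin($login) {
        // Simple ARO<->ACO check, no AXO's required.
        $result = $this->acl_check('system', 'login', 'user', $login);
        // Recalc the user's permissions at login time so the results table
        // picks up any role/ACL edits made while they were logged out.
        $recalc = $this->recalcPermissions($login);
        if (!$recalc) {
            dprint(__file__, __line__, 0, 'Failed to recalc Permissions');
        }
        return $result;
    }

    /**
     * Module-level permission check.
     *
     * @param string $module module value in the AXO 'app' section
     * @param string $op     operation value in the ACO 'application' section
     * @param mixed  $userid user id; any falsy value (null, 0, '') means the
     *                       logged-in user from $GLOBALS['AppUI']
     * @return mixed result of w2Pacl_check()
     */
    function checkModule($module, $op, $userid = null) {
        if (!$userid) {
            $userid = $GLOBALS['AppUI']->user_id;
        }
        return $this->w2Pacl_check('application', $op, 'user', $userid, 'app', $module);
    }

    /**
     * Item-level permission check.
     *
     * With no item (note: a falsy item id such as 0 or '0' counts as "no
     * item") this delegates to checkModule().  Otherwise only an explicit
     * ACL record counts: if w2Pacl_query() returns no acl_id the answer is
     * false (deny) rather than the module-level result.
     *
     * @param string $module
     * @param string $op
     * @param mixed  $item   item id within the module's AXO section
     * @param mixed  $userid falsy means the logged-in user
     * @return mixed the matching ACL's 'access' field, or false
     */
    function checkModuleItem($module, $op, $item = null, $userid = null) {
        if (!$userid) {
            $userid = $GLOBALS['AppUI']->user_id;
        }
        if (!$item) {
            return $this->checkModule($module, $op, $userid);
        }

        $result = $this->w2Pacl_query('application', $op, 'user', $userid, $module, $item);
        // No acl_id means no explicit item ACL; treated as a deny here, not
        // as a fall-through to the module-level lookup.
        if (!$result || !$result['acl_id']) {
            dprint(__file__, __line__, 2, "checkModuleItem($module, $op, $userid) did not return a record");
            return false;
        }
        return $result['access'];
    }

    /**
     * Compatibility helper for the getDeny* functions.
     *
     * Returns true when the item is actively denied, i.e. an ACL record
     * exists (acl_id set) with access = false.  It also returns true when
     * w2Pacl_query() returns nothing at all.  A record without an acl_id, or
     * one with access = true, yields false (the "soft" cases).
     *
     * NOTE(review): the original description called every non-explicit case
     * a soft deny, yet the `!$result` branch reports denied; confirm whether
     * w2Pacl_query() can return a falsy value before relying on that.
     *
     * @param string $module
     * @param string $op
     * @param mixed  $item
     * @param mixed  $user_id falsy means the logged-in user
     * @return bool
     */
    function checkModuleItemDenied($module, $op, $item, $user_id = null) {
        if (!$user_id) {
            $user_id = $GLOBALS['AppUI']->user_id;
        }
        $result = $this->w2Pacl_query('application', $op, 'user', $user_id, $module, $item);
        return (!$result || ($result['acl_id'] && !$result['access']));
    }

    /**
     * Create the ARO for a user so ACLs can reference them, then recalc.
     *
     * @param mixed  $login    user id (stored as the ARO value)
     * @param string $username display name for the ARO
     * @return mixed result of add_object()
     */
    function addLogin($login, $username) {
        $res = $this->add_object('user', $username, $login, 1, 0, 'aro');
        if (!$res) {
            dprint(__file__, __line__, 0, 'Failed to add user permission object');
        }
        $recalc = $this->recalcPermissions($login);
        if (!$recalc) {
            dprint(__file__, __line__, 0, 'Failed to recalc Permissions');
        }
        return $res;
    }

    /**
     * Bring the user's ARO name in line with $username; creates the ARO when
     * it does not exist yet.
     *
     * @param mixed  $login    user id
     * @param string $username display name
     * @return mixed result of addLogin()/edit_object(), or true when nothing
     *               needed changing (previously an unset $res, i.e. null, was
     *               returned in that case)
     */
    function updateLogin($login, $username) {
        $id = $this->get_object_id('user', $login, 'aro');
        if (!$id) {
            return $this->addLogin($login, $username);
        }
        // Check if the details have changed.
        // NOTE(review): elsewhere in this class get_object_data() is indexed
        // as [0][0]/[0][1] (a list of rows); this list() destructures the
        // outer list, so $oname may not actually be the stored name. Confirm
        // against gacl_api::get_object_data() before relying on the compare.
        list($osec, $val, $oord, $oname, $ohid) = $this->get_object_data($id, 'aro');
        $res = true;
        if ($oname != $username) {
            $res = $this->edit_object($id, 'user', $username, $login, 1, 0, 'aro');
            if (!$res) {
                dprint(__file__, __line__, 0, 'Failed to change user permission object');
            }
        }
        return $res;
    }

    /**
     * Remove a user's ARO (and its group/ACL maps) and purge their cached
     * permission rows.
     *
     * @param mixed $login user id
     * @return mixed result of del_object(), or false when the ARO was not found
     */
    function deleteLogin($login) {
        $id = $this->get_object_id('user', $login, 'aro');
        if ($id) {
            $id = $this->del_object($id, 'aro', true);
        }
        if (!$id) {
            dprint(__file__, __line__, 0, 'Failed to remove user permission object');
        }
        $recalc = $this->removePermissions($login);
        if (!$recalc) {
            dprint(__file__, __line__, 0, 'Failed to remove Permissions');
        }
        return $id;
    }

    /**
     * Register a module as an AXO in the 'app' section and add it to the
     * 'all' AXO group, then recalc that module's permissions.
     *
     * @param string $mod     module (directory) name
     * @param string $modname display name
     * @return mixed result of addGroupItem(), or the add_object() failure
     */
    function addModule($mod, $modname) {
        $res = $this->add_object('app', $modname, $mod, 1, 0, 'axo');
        if ($res) {
            $res = $this->addGroupItem($mod);
        }
        if (!$res) {
            dprint(__file__, __line__, 0, 'Failed to add module permission object');
        }
        $recalc = $this->recalcPermissions(null, null, null, $mod);
        if (!$recalc) {
            dprint(__file__, __line__, 0, 'Failed to recalc module Permissions');
        }
        return $res;
    }

    /**
     * Create the AXO section that holds a module's per-item ACL objects.
     *
     * @param string $mod module name (also used as the section value)
     * @return mixed result of add_object_section()
     */
    function addModuleSection($mod) {
        $res = $this->add_object_section(ucfirst($mod) . ' Record', $mod, 0, 0, 'axo');
        if (!$res) {
            dprint(__file__, __line__, 0, 'Failed to add module permission section');
        }
        $recalc = $this->recalcPermissions(null, null, null, $mod);
        if (!$recalc) {
            dprint(__file__, __line__, 0, 'Failed to recalc module Permissions');
        }
        return $res;
    }

    /**
     * Create an AXO for a single record inside the module's section.
     *
     * @param string $mod      module name / AXO section value
     * @param mixed  $itemid   record id (AXO value)
     * @param string $itemdesc display name
     * @return mixed result of add_object()
     */
    function addModuleItem($mod, $itemid, $itemdesc) {
        $res = $this->add_object($mod, $itemdesc, $itemid, 0, 0, 'axo');
        $recalc = $this->recalcPermissions(null, null, null, $mod);
        if (!$recalc) {
            dprint(__file__, __line__, 0, 'Failed to recalc module Permissions');
        }
        return $res;
    }

    /**
     * Map an object into a group (by default the 'all' AXO group).
     *
     * @return mixed result of add_group_object(), or false when the group
     *               could not be found (previously an unset variable)
     */
    function addGroupItem($item, $group = 'all', $section = 'app', $type = 'axo') {
        $res = false;
        if ($gid = $this->get_group_id($group, null, $type)) {
            $res = $this->add_group_object($gid, $section, $item, $type);
        }
        return $res;
    }

    /**
     * Remove a module's AXO and group mapping and purge its cached
     * permission rows.
     *
     * @param string $mod module name
     * @return mixed result of del_object(), or false when the AXO was not found
     */
    function deleteModule($mod) {
        $id = $this->get_object_id('app', $mod, 'axo');
        if ($id) {
            $this->deleteGroupItem($mod);
            $id = $this->del_object($id, 'axo', true);
        }
        if (!$id) {
            dprint(__file__, __line__, 0, 'Failed to remove module permission object');
        }
        $recalc = $this->removeModulePermissions($mod);
        if (!$recalc) {
            dprint(__file__, __line__, 0, 'Failed to recalc Permissions');
        }
        return $id;
    }

    /**
     * Remove the AXO section created by addModuleSection().
     *
     * @param string $mod module name
     * @return mixed result of del_object_section(), or false when the section
     *               was not found (previously returned `$id . $res` with an
     *               unset $res)
     */
    function deleteModuleSection($mod) {
        $id = $this->get_object_section_section_id(null, $mod, 'axo');
        if ($id) {
            $id = $this->del_object_section($id, 'axo', true);
        }
        if (!$id) {
            dprint(__file__, __line__, 0, 'Failed to remove module permission section');
        }
        $recalc = $this->recalcPermissions(null, null, null, $mod);
        if (!$recalc) {
            dprint(__file__, __line__, 0, 'Failed to recalc module Permissions');
        }
        return $id;
    }

    /**
     * Delete every ACL that references module $mod as an AXO (gacl_axo_map
     * rows with value = $mod) together with its gacl_aco_map, gacl_aro_map
     * and gacl_acl rows, then recalc the module's permissions.
     *
     * @author gregorerhardt
     * @date 20070927
     * @cause #2140
     *
     * @access public
     * @param string $mod module (directory) name
     * @return string|null null when every delete succeeded, otherwise the
     *                     concatenated db_error() messages
     */
    function deleteModuleItems($mod) {
        $res = null;

        // Fetch the module-associated ACL ids.  $mod is quoted through the
        // driver (as get_object_full() does) instead of being spliced raw
        // into the WHERE clause.
        $q = new DBQuery;
        $q->addTable('gacl_axo_map');
        $q->addQuery('acl_id');
        $q->addWhere('value = ' . $this->db->quote($mod));
        $acls = $q->loadHashList('acl_id');
        $q->clear();
        if (!is_array($acls)) {
            $acls = array();
        }

        foreach ($acls as $acl => $k) {
            // acl ids are integer keys; cast before building SQL with them.
            $acl = (int) $acl;

            // Delete the gacl_aco_map entries
            $q = new DBQuery;
            $q->setDelete('gacl_aco_map');
            $q->addWhere('acl_id = ' . $acl);
            if (!$q->exec()) {
                $res .= is_null($res) ? db_error() : "\n\t" . db_error();
            }
            $q->clear();

            // Delete the gacl_aro_map entries
            $q = new DBQuery;
            $q->setDelete('gacl_aro_map');
            $q->addWhere('acl_id = ' . $acl);
            if (!$q->exec()) {
                $res .= "\n\t" . db_error();
            }
            $q->clear();

            // Delete the gacl_acl entry itself
            $q = new DBQuery;
            $q->setDelete('gacl_acl');
            $q->addWhere('id = ' . $acl);
            if (!$q->exec()) {
                $res .= "\n\t" . db_error();
            }
            $q->clear();
        }

        $recalc = $this->recalcPermissions(null, null, null, $mod);
        if (!$recalc) {
            dprint(__file__, __line__, 0, 'Failed to recalc module Permissions');
        }
        // null (no error) or the database error message(s)
        return $res;
    }

    /**
     * Remove an object from a group (by default the 'all' AXO group).
     *
     * @return mixed result of del_group_object(), or false when the group
     *               could not be found (previously an unset variable)
     */
    function deleteGroupItem($item, $group = 'all', $section = 'app', $type = 'axo') {
        $res = false;
        if ($gid = $this->get_group_id($group, null, $type)) {
            $res = $this->del_group_object($gid, $section, $item, $type);
        }
        return $res;
    }

    /**
     * Is $userid allowed to view $module, or - with no module - to log in?
     *
     * @param mixed       $userid user id
     * @param string|null $module module name
     * @return mixed
     */
    function isUserPermitted($userid, $module = null) {
        if ($module) {
            return $this->checkModule($module, 'view', $userid);
        }
        // No module: the plain login check, without the recalc that
        // checkLogin() performs.
        return $this->acl_check('system', 'login', 'user', $userid);
    }

    /**
     * Users permitted to view $module (or to log in, with no module), always
     * including the current user.
     *
     * @param string|null $module
     * @return array user_id => contact_name (empty array when none match)
     */
    function getPermittedUsers($module = null) {
        // Not as pretty as I'd like, but we can do it reasonably well.
        // Check to see if we are allowed to see other users.
        // If not we can only see ourselves.
        global $AppUI;
        $userlist = array();
        $rows = w2PgetUsersList();
        foreach ($rows as $row) {
            if (($this->isUserPermitted($row['user_id'], $module)) || $row['user_id'] == $AppUI->user_id) {
                $userlist[$row['user_id']] = $row['contact_name'];
            }
        }
        return $userlist;
    }

    /**
     * All item ACLs for 'view' on $module that apply to the user.
     *
     * @param string $module
     * @param mixed  $uid    falsy means the logged-in user
     * @return mixed result of w2Psearch_acl()
     */
    function getItemACLs($module, $uid = null) {
        if (!$uid) {
            $uid = $GLOBALS['AppUI']->user_id;
        }
        // Pedro A.: "user" is not the only thing in place for item ACLs anymore,
        // the role item ACLs have to be searched too - w2Psearch_acl does that.
        return $this->w2Psearch_acl('application', 'view', 'user', $uid, $module);
    }

    /**
     * All 'application' ACLs attached directly to the user's ARO.
     *
     * @param mixed $uid falsy means the logged-in user
     * @return mixed result of search_acl()
     */
    function getUserACLs($uid = null) {
        if (!$uid) {
            $uid = $GLOBALS['AppUI']->user_id;
        }
        return $this->search_acl('application', false, 'user', $uid, null, false, false, false, false);
    }

    /**
     * All 'application' ACLs attached to a role (ARO group), looked up by
     * the role's name.
     *
     * @param int $role_id
     * @return mixed result of search_acl()
     */
    function getRoleACLs($role_id) {
        $role = $this->getRole($role_id);
        return $this->search_acl('application', false, false, false, $role['name'], false, false, false, false);
    }

    /**
     * Fetch a role (ARO group) as an associative array.
     *
     * @param int $role_id
     * @return array|false id, parent_id, value, name, lft, rgt - or false
     */
    function getRole($role_id) {
        $data = $this->get_group_data($role_id);
        if (!$data) {
            return false;
        }
        return array('id' => $data[0], 'parent_id' => $data[1], 'value' => $data[2], 'name' => $data[3], 'lft' => $data[4], 'rgt' => $data[5]);
    }

    /**
     * Item ids in $module the user is explicitly denied 'view' on.
     *
     * @param string $module
     * @param mixed  $uid    falsy means the logged-in user
     * @return array list of item ids
     */
    function &getDeniedItems($module, $uid = null) {
        $items = array();
        if (!$uid) {
            $uid = $GLOBALS['AppUI']->user_id;
        }

        $acls = $this->getItemACLs($module, $uid);
        if (is_array($acls)) {
            foreach ($acls as $acl) {
                if ($acl['access'] == false) {
                    $items[] = $acl['item_id'];
                }
            }
        } else {
            dprint(__file__, __line__, 2, "getDeniedItems($module, $uid) - no ACL's match");
        }
        return $items;
    }

    // Mirror of getDeniedItems() for allowed items. This is probably redundant.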
396 function &getAllowedItems($module, $uid = null) { 397 $items = array(); 398 if (!$uid) { 399 $uid = $GLOBALS['AppUI']->user_id; 400 } 401 $acls = $this->getItemACLs($module, $uid); 402 if (is_array($acls)) { 403 foreach ($acls as $acl) { 404 if ($acl['access'] == true) { 405 $items[] = $acl['item_id']; 406 } 407 } 408 } else { 409 dprint(__file__, __line__, 2, "getAllowedItems($module, $uid) - no ACL's match"); 410 } 411 //dprint(__file__, __line__, 2, 'getAllowedItems(' . $module . ',' . $uid . ') returning ' . count($items) . ' items'); 412 //print_r('. '.$module.'->'); 413 //print_r($items); 414 return $items; 415 } 416 417 // Copied from get_group_children in the parent class, this version returns 418 // all of the fields, rather than just the group ids. This makes it a bit 419 // more efficient as it doesn't need the get_group_data call for each row. 420 function getChildren($group_id, $group_type = 'ARO', $recurse = 'NO_RECURSE') { 421 //$this->debug_text("get_group_children(): Group_ID: $group_id Group Type: $group_type Recurse: $recurse"); 422 423 switch (strtolower(trim($group_type))) { 424 case 'axo': 425 $group_type = 'axo'; 426 $table = $this->_db_acl_prefix . 'axo_groups'; 427 break; 428 default: 429 $group_type = 'aro'; 430 $table = $this->_db_acl_prefix . 'aro_groups'; 431 } 432 433 if (empty($group_id)) { 434 $this->debug_text("get_group_children(): ID ($group_id) is empty, this is required"); 435 return false; 436 } 437 438 $q = new DBQuery; 439 $q->addTable($table, 'g1'); 440 $q->addQuery('g1.id, g1.name, g1.value, g1.parent_id'); 441 $q->addOrder('g1.value'); 442 443 switch (strtoupper($recurse)) { 444 case 'RECURSE': 445 $q->addJoin($table, 'g2', 'g2.lft<g1.lft AND g2.rgt>g1.rgt'); 446 $q->addWhere('g2.id=' . $group_id); 447 break; 448 default: 449 $q->addWhere('g1.parent_id=' . 
$group_id); 450 } 451 452 $result = array(); 453 $q->exec(); 454 while ($row = $q->fetchRow()) { 455 $result[] = array('id' => $row[0], 'name' => $row[1], 'value' => $row[2], 'parent_id' => $row[3]); 456 } 457 $q->clear(); 458 return $result; 459 } 460 461 function insertRole($value, $name) { 462 $role_parent = $this->get_group_id('role'); 463 $value = str_replace(' ', '_', $value); 464 return $this->add_group($value, $name, $role_parent); 465 } 466 467 function updateRole($id, $value, $name) { 468 $res = $this->edit_group($id, $value, $name); 469 $recalc = $this->recalcPermissions(null, null, $id); 470 if (!$recalc) { 471 dprint(__file__, __line__, 0, 'Failed to recalc Permissions'); 472 } 473 return $res; 474 } 475 476 function deleteRole($id) { 477 // Delete all of the group assignments before deleting group. 478 $objs = $this->get_group_objects($id); 479 foreach ($objs as $section => $value) { 480 $this->del_group_object($id, $section, $value); 481 } 482 $res = $this->del_group($id, false); 483 $recalc = $this->recalcPermissions(null, null, $id); 484 if (!$recalc) { 485 dprint(__file__, __line__, 0, 'Failed to recalc Permissions'); 486 } 487 return $res; 488 } 489 490 function insertUserRole($role, $user) { 491 // Check to see if the user ACL exists first. 492 $id = $this->get_object_id('user', $user, 'aro'); 493 if (!$id) { 494 $q = new DBQuery; 495 $q->addTable('users'); 496 $q->addQuery('user_username'); 497 $q->addWhere('user_id = ' . $user); 498 $rq = $q->exec(); 499 if (!$rq) { 500 dprint(__file__, __line__, 0, "Cannot add role, user $user does not exist!<br>" . 
db_error()); 501 $q->clear(); 502 return false; 503 } 504 $row = $q->fetchRow(); 505 if ($row) { 506 $this->addLogin($user, $row['user_username']); 507 } 508 $q->clear(); 509 } 510 $res = $this->add_group_object($role, 'user', $user); 511 $recalc = $this->recalcPermissions($user); 512 if (!$recalc) { 513 dprint(__file__, __line__, 0, 'Failed to recalc Permissions'); 514 } 515 return $res; 516 } 517 518 function deleteUserRole($role, $user) { 519 $res = $this->del_group_object($role, 'user', $user); 520 $recalc = $this->recalcPermissions($user); 521 if (!$recalc) { 522 dprint(__file__, __line__, 0, 'Failed to recalc Permissions'); 523 } 524 return $res; 525 } 526 527 // Returns the group ids of all groups this user is mapped to. 528 // Not provided in original phpGacl, but useful. 529 function getUserRoles($user) { 530 $id = $this->get_object_id('user', $user, 'aro'); 531 $result = $this->get_group_map($id); 532 if (!is_array($result)) { 533 $result = array(); 534 } 535 return $result; 536 } 537 538 // Returns the group of users under a role 539 // Not provided in original phpGacl, but useful. 540 function getRoleUsers($role = null) { 541 if (!$role) { 542 return false; 543 } 544 545 $q = new DBQuery; 546 $q->addTable($this->_db_acl_prefix . 'aro', 'a'); 547 $q->addTable($this->_db_acl_prefix . 'aro_groups', 'g1'); 548 $q->addTable($this->_db_acl_prefix . 'groups_aro_map', 'g2'); 549 $q->addQuery('a.value'); 550 $q->addWhere('g1.id = g2.group_id'); 551 $q->addWhere('a.id = g2.aro_id'); 552 $q->addWhere('g1.id = ' . $role); 553 $q->addOrder('g1.value'); 554 555 $result = array(); 556 $result = $q->loadHashList(); 557 $q->clear(); 558 if (count($result)) { 559 return $result; 560 } else { 561 return false; 562 } 563 } 564 565 // Returns the group of users that have a role (and therefore can login) 566 // Not provided in original phpGacl, but useful. 567 function getUsersWithRole() { 568 $q = new DBQuery; 569 $q->addTable($this->_db_acl_prefix . 
'groups_aro_map', 'g'); 570 $q->addQuery('DISTINCT(g.aro_id)'); 571 572 $result = array(); 573 $result = $q->loadHashList(); 574 $q->clear(); 575 if (count($result)) { 576 return $result; 577 } else { 578 return false; 579 } 580 } 581 582 // Return a list of module groups and modules that a user can 583 // be permitted access to. 584 function getModuleList() { 585 $result = array(); 586 // First grab all the module groups. 587 $parent_id = $this->get_group_id('mod', null, 'axo'); 588 if (!$parent_id) { 589 dprint(__file__, __line__, 0, 'failed to get parent for module groups'); 590 } 591 $groups = $this->getChildren($parent_id, 'axo'); 592 if (is_array($groups)) { 593 foreach ($groups as $group) { 594 $result[] = array('id' => $group['id'], 'type' => 'grp', 'name' => $group['name'], 'value' => $group['value']); 595 } 596 } else { 597 dprint(__file__, __line__, 1, "No groups available for $parent_id"); 598 } 599 // Now the individual modules. 600 $modlist = $this->get_objects_full('app', 0, 'axo'); 601 if (is_array($modlist)) { 602 foreach ($modlist as $mod) { 603 $result[] = array('id' => $mod['id'], 'type' => 'mod', 'name' => $mod['name'], 'value' => $mod['value']); 604 } 605 } 606 return $result; 607 } 608 609 // An assignable module is one where there is a module sub-group 610 // Effectivly we just list those module in the section "modname" 611 function getAssignableModules() { 612 return $this->get_object_sections(null, 0, 'axo', 'value not in ("sys", "app")'); 613 } 614 615 function getPermissionList() { 616 $list = $this->get_objects_full('application', 0, 'aco'); 617 // We only need the id and the name 618 $result = array(); 619 if (!is_array($list)) { 620 return $result; 621 } 622 foreach ($list as $perm) { 623 $result[$perm['id']] = $perm['name']; 624 } 625 return $result; 626 } 627 628 function get_group_map($id, $group_type = 'ARO') { 629 //$this->debug_text("get_group_map(): Assigned ID: $id Group Type: $group_type"); 630 631 switch 
(strtolower(trim($group_type))) { 632 case 'axo': 633 $group_type = 'axo'; 634 $table = $this->_db_acl_prefix . 'axo_groups'; 635 $map_table = $this->_db_acl_prefix . 'groups_axo_map'; 636 $map_field = 'axo_id'; 637 break; 638 default: 639 $group_type = 'aro'; 640 $table = $this->_db_acl_prefix . 'aro_groups'; 641 $map_table = $this->_db_acl_prefix . 'groups_aro_map'; 642 $map_field = 'aro_id'; 643 } 644 645 if (empty($id)) { 646 $this->debug_text("get_group_map(): ID ($id) is empty, this is required"); 647 return false; 648 } 649 650 $q = new DBQuery; 651 $q->addTable($table, 'g1'); 652 $q->addTable($map_table, 'g2'); 653 $q->addQuery('g1.id, g1.name, g1.value, g1.parent_id'); 654 $q->addWhere('g1.id = g2.group_id AND g2.' . $map_field . ' = ' . $id); 655 $q->addOrder('g1.value'); 656 657 $result = array(); 658 $q->exec(); 659 while ($row = $q->fetchRow()) { 660 $result[] = array('id' => $row[0], 'name' => $row[1], 'value' => $row[2], 'parent_id' => $row[3]); 661 } 662 $q->clear(); 663 return $result; 664 665 } 666 667 /*======================================================================*\ 668 Function: get_object() 669 \*======================================================================*/ 670 function get_object_full($value = null, $section_value = null, $return_hidden = 1, $object_type = null) { 671 672 switch (strtolower(trim($object_type))) { 673 case 'aco': 674 $object_type = 'aco'; 675 $table = $this->_db_acl_prefix . 'aco'; 676 break; 677 case 'aro': 678 $object_type = 'aro'; 679 $table = $this->_db_acl_prefix . 'aro'; 680 break; 681 case 'axo': 682 $object_type = 'axo'; 683 $table = $this->_db_acl_prefix . 'axo'; 684 break; 685 case 'acl': 686 $object_type = 'acl'; 687 $table = $this->_db_acl_prefix . 'acl'; 688 break; 689 default: 690 $this->debug_text('get_object(): Invalid Object Type: ' . 
$object_type); 691 return false; 692 } 693 694 $this->debug_text("get_object(): Section Value: $section_value Object Type: $object_type"); 695 696 $q = new DBQuery; 697 $q->addTable($table); 698 $q->addQuery('id, section_value, name, value, order_value, hidden'); 699 700 if (!empty($value)) { 701 $q->addWhere('value=' . $this->db->quote($value)); 702 703 } 704 705 if (!empty($section_value)) { 706 $q->addWhere('section_value=' . $this->db->quote($section_value)); 707 708 } 709 710 if ($return_hidden == 0 and $object_type != 'acl') { 711 $q->addWhere('hidden=0'); 712 713 } 714 715 $q->exec(); 716 $row = $q->fetchRow(); 717 $q->clear(); 718 719 if (!is_array($row)) { 720 $this->debug_db('get_object'); 721 return false; 722 } 723 724 // Return Object info. 725 return array('id' => $row[0], 'section_value' => $row[1], 'name' => $row[2], 'value' => $row[3], 'order_value' => $row[4], 'hidden' => $row[5]); 726 } 727 728 /*======================================================================*\ 729 Function: get_objects () 730 Purpose: Grabs all Objects in the database, or specific to a section_value 731 returns format suitable for add_acl and is_conflicting_acl 732 \*======================================================================*/ 733 function get_objects_full($section_value = null, $return_hidden = 1, $object_type = null, $limit_clause = null) { 734 switch (strtolower(trim($object_type))) { 735 case 'aco': 736 $object_type = 'aco'; 737 $table = $this->_db_acl_prefix . 'aco'; 738 break; 739 case 'aro': 740 $object_type = 'aro'; 741 $table = $this->_db_acl_prefix . 'aro'; 742 break; 743 case 'axo': 744 $object_type = 'axo'; 745 $table = $this->_db_acl_prefix . 'axo'; 746 break; 747 default: 748 $this->debug_text('get_objects(): Invalid Object Type: ' . 
$object_type); 749 return false; 750 } 751 752 $this->debug_text("get_objects(): Section Value: $section_value Object Type: $object_type"); 753 754 $q = new DBQuery; 755 $q->addTable($table); 756 $q->addQuery('id, section_value, name, value, order_value, hidden'); 757 758 if (!empty($section_value)) { 759 $q->addWhere('section_value=' . $this->db->quote($section_value)); 760 } 761 762 if ($return_hidden == 0) { 763 $q->addWhere('hidden=0'); 764 } 765 766 if (!empty($limit_clause)) { 767 $q->addWhere($limit_clause); 768 } 769 770 $q->addOrder('order_value'); 771 772 /* 773 $rs = $q->exec(); 774 775 if (!is_object($rs)) { 776 $this->debug_db('get_objects'); 777 return FALSE; 778 } 779 */ 780 781 $retarr = array(); 782 783 $q->exec(); 784 while ($row = $q->fetchRow()) { 785 $retarr[] = array('id' => $row[0], 'section_value' => $row[1], 'name' => $row[2], 'value' => $row[3], 'order_value' => $row[4], 'hidden' => $row[5]); 786 } 787 $q->clear(); 788 789 // Return objects 790 return $retarr; 791 } 792 793 function get_object_sections($section_value = null, $return_hidden = 1, $object_type = null, $limit_clause = null) { 794 switch (strtolower(trim($object_type))) { 795 case 'aco': 796 $object_type = 'aco'; 797 $table = $this->_db_acl_prefix . 'aco_sections'; 798 break; 799 case 'aro': 800 $object_type = 'aro'; 801 $table = $this->_db_acl_prefix . 'aro_sections'; 802 break; 803 case 'axo': 804 $object_type = 'axo'; 805 $table = $this->_db_acl_prefix . 'axo_sections'; 806 break; 807 default: 808 $this->debug_text('get_object_sections(): Invalid Object Type: ' . $object_type); 809 return false; 810 } 811 812 $this->debug_text("get_objects(): Section Value: $section_value Object Type: $object_type"); 813 814 // $query = 'SELECT id, value, name, order_value, hidden FROM '. $table; 815 $q = new DBQuery; 816 $q->addTable($table); 817 $q->addQuery('id, value, name, order_value, hidden'); 818 819 if (!empty($section_value)) { 820 $q->addWhere('value=' . 
$this->db->quote($section_value)); 821 822 } 823 824 if ($return_hidden == 0) { 825 $q->addWhere('hidden=0'); 826 827 } 828 829 if (!empty($limit_clause)) { 830 $q->addWhere($limit_clause); 831 832 } 833 834 $q->addOrder('order_value'); 835 836 $rs = $q->exec(); 837 838 /* 839 if (!is_object($rs)) { 840 $this->debug_db('get_object_sections'); 841 return FALSE; 842 } 843 */ 844 845 $retarr = array(); 846 847 while ($row = $q->fetchRow()) { 848 $retarr[] = array('id' => $row[0], 'value' => $row[1], 'name' => $row[2], 'order_value' => $row[3], 'hidden' => $row[4]); 849 } 850 $q->clear(); 851 852 // Return objects 853 return $retarr; 854 } 855 856 /** Called from do_perms_aed, allows us to add a new ACL */ 857 function addUserPermission() { 858 // Need to have a user id, 859 // parse the permissions array 860 if (!is_array($_POST['permission_type'])) { 861 $this->debug_text('you must select at least one permission'); 862 return false; 863 } 864 /* 865 echo "<pre>\n"; 866 var_dump($_POST); 867 echo "</pre>\n"; 868 return true; 869 */ 870 871 $mod_type = substr($_POST['permission_module'], 0, 4); 872 $mod_id = substr($_POST['permission_module'], 4); 873 $mod_group = null; 874 $mod_mod = null; 875 if ($mod_type == 'grp,') { 876 $mod_group = array($mod_id); 877 } else { 878 if (isset($_POST['permission_item']) && $_POST['permission_item']) { 879 $mod_mod = array(); 880 $mod_mod[$_POST['permission_table']][] = $_POST['permission_item']; 881 // check if the item already exists, if not create it. 882 // First need to check if the section exists. 
883 if (!$this->get_object_section_section_id(null, $_POST['permission_table'], 'axo')) { 884 $this->addModuleSection($_POST['permission_table']); 885 } 886 if (!$this->get_object_id($_POST['permission_table'], $_POST['permission_item'], 'axo')) { 887 $this->addModuleItem($_POST['permission_table'], $_POST['permission_item'], $_POST['permission_item']); 888 } 889 } else { 890 // Get the module information 891 $mod_info = $this->get_object_data($mod_id, 'axo'); 892 $mod_mod = array(); 893 $mod_mod[$mod_info[0][0]][] = $mod_info[0][1]; 894 } 895 } 896 $aro_info = $this->get_object_data($_POST['permission_user'], 'aro'); 897 $aro_map = array(); 898 $aro_map[$aro_info[0][0]][] = $aro_info[0][1]; 899 // Build the permissions info 900 $type_map = array(); 901 foreach ($_POST['permission_type'] as $tid) { 902 $type = $this->get_object_data($tid, 'aco'); 903 foreach ($type as $t) { 904 $type_map[$t[0]][] = $t[1]; 905 } 906 } 907 $res = $this->add_acl($type_map, $aro_map, null, $mod_mod, $mod_group, $_POST['permission_access'], 1, null, null, 'user'); 908 909 $recalc = $this->recalcPermissions(null, $_POST['permission_user']); 910 if (!$recalc) { 911 dprint(__file__, __line__, 0, 'Failed to recalc Permissions'); 912 } 913 914 return $res; 915 } 916 917 function addRolePermission() { 918 if (!is_array($_POST['permission_type'])) { 919 $this->debug_text('you must select at least one permission'); 920 return false; 921 } 922 923 $mod_type = substr($_POST['permission_module'], 0, 4); 924 $mod_id = substr($_POST['permission_module'], 4); 925 $mod_group = null; 926 $mod_mod = null; 927 if ($mod_type == 'grp,') { 928 $mod_group = array($mod_id); 929 } else { 930 if (isset($_POST['permission_item']) && $_POST['permission_item']) { 931 $mod_mod = array(); 932 $mod_mod[$_POST['permission_table']][] = $_POST['permission_item']; 933 // check if the item already exists, if not create it. 934 // First need to check if the section exists. 
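// NOTE(review): the lines below are the tail of a method whose header lies above this chunk.
// It reads $_POST directly (permission_table, permission_item, role_id, permission_type,
// permission_access) and hands the values straight to phpgacl; the caller must already have
// verified that the current user is allowed to edit ACLs before this code is reached.
                if (!$this->get_object_section_section_id(null, $_POST['permission_table'], 'axo')) {
                    $this->addModuleSection($_POST['permission_table']);
                }
                if (!$this->get_object_id($_POST['permission_table'], $_POST['permission_item'], 'axo')) {
                    $this->addModuleItem($_POST['permission_table'], $_POST['permission_item'], $_POST['permission_item']);
                }
            } else {
                // Get the module information
                $mod_info = $this->get_object_data($mod_id, 'axo');
                $mod_mod = array();
                $mod_mod[$mod_info[0][0]][] = $mod_info[0][1];
            }
        }
        $aro_map = array($_POST['role_id']);
        // Build the permissions info
        $type_map = array();
        foreach ($_POST['permission_type'] as $tid) {
            $type = $this->get_object_data($tid, 'aco');
            foreach ($type as $t) {
                $type_map[$t[0]][] = $t[1];
            }
        }
        $res = $this->add_acl($type_map, null, $aro_map, $mod_mod, $mod_group, $_POST['permission_access'], 1, null, null, 'user');

        $recalc = $this->recalcPermissions(null, null, $_POST['role_id']);
        if (!$recalc) {
            dprint(__file__, __line__, 0, 'Failed to recalc Permissions');
        }

        return $res;
    }

    // Some function overrides.

    /**
     * Override of gacl's debug_text(): remembers the last message so msg()
     * can return it, and routes it through w2P's dprint() at debug level 9.
     *
     * @param string $text
     */
    function debug_text($text) {
        $this->_debug_msg = $text;
        dprint(__file__, __line__, 9, $text);
    }

    /**
     * Returns the last message recorded by debug_text().
     *
     * @return string
     */
    function msg() {
        return $this->_debug_msg;
    }

    /**
     * Tells whether $value may be spliced into the string-built SQL of this
     * class. Module directories and ACO operation names ('access', 'view',
     * 'add', 'edit', 'delete', 'login') are plain identifiers, so only a
     * non-empty run of letters, digits, '_' and '-' is accepted. Quotes,
     * spaces, NUL bytes etc. are refused so they can never alter a
     * permissions query. \z (not $) is used so a trailing newline is
     * rejected too.
     *
     * @param mixed $value
     * @return bool
     */
    function _isSafeAclToken($value) {
        if (!is_string($value) && !is_int($value)) {
            return false;
        }
        return preg_match('/^[A-Za-z0-9_-]+\z/', (string)$value) === 1;
    }

    /**
     * w2Pacl::removeACLPermissions() Removes the cached permission rows for a given ACL ID
     *
     * @param mixed $acl_id  numeric gacl ACL id; cast to int before it reaches SQL
     * @return mixed  error string when no id is given, otherwise the exec() result
     */
    function removeACLPermissions($acl_id = null) {
        if (!$acl_id) {
            return 'Can not remove acl permissions: no acl id given.';
        }
        $q = new DBQuery;
        $q->setDelete($this->_db_acl_prefix . 'permissions');
        // acl_id is numeric (see the inserts in recalcPermissions); the cast
        // keeps caller-supplied text out of the WHERE clause.
        $q->addWhere('acl_id = ' . (int)$acl_id);
        $result = $q->exec();
        $q->clear();
        return $result;
    }

    /**
     * w2Pacl::removeModulePermissions() Removes the cached permission rows for a module
     *
     * @param mixed $module  module directory name ([A-Za-z0-9_-] only)
     * @return mixed  error string when the name is missing or unsafe, otherwise the exec() result
     */
    function removeModulePermissions($module = null) {
        if (!$module) {
            return 'Can not remove modules permissions: no module name given.';
        }
        // The name is embedded as a string literal below; refuse anything
        // that is not a plain identifier instead of letting it into the SQL.
        if (!$this->_isSafeAclToken($module)) {
            return 'Can not remove modules permissions: invalid module name given.';
        }
        $q = new DBQuery;
        $q->setDelete($this->_db_acl_prefix . 'permissions');
        $q->addWhere('module = \'' . $module . '\'');
        $result = $q->exec();
        $q->clear();
        return $result;
    }

    /**
     * w2Pacl::removePermissions() Removes the cached permission rows for a user (example: when you delete a user)
     *
     * @param mixed $user_id  numeric user id; cast to int before it reaches SQL
     * @return mixed  error string when no user is given, otherwise the exec() result
     */
    function removePermissions($user_id = null) {
        if (!$user_id) {
            return 'Can not remove users permissions: no user given.';
        }
        $q = new DBQuery;
        $q->setDelete($this->_db_acl_prefix . 'permissions');
        $q->addWhere('user_id = ' . (int)$user_id);
        $result = $q->exec();
        $q->clear();
        return $result;
    }

    /**
     * w2Pacl::recalcPermissions()
     *
     * Rebuilds the flattened <prefix>gacl_permissions table from the gacl
     * ACO/ARO/AXO tables: every (action, user, module/item) combination is
     * resolved through acl_query(), the cached rows for the affected users
     * are deleted and the fresh results are inserted. With no arguments
     * every user holding at least one role is recalculated; the parameters
     * narrow that down. The 'login' ACO and item-level combinations without
     * an explicit ACL are not cached.
     *
     * Note that the delete step uses only the filters given, so a call with
     * no filters wipes and rebuilds the whole table.
     *
     * @param mixed $user_id      numeric user id (ARO value) to limit to
     * @param mixed $user_aro_id  gacl ARO row id to limit to, used when $user_id is empty
     * @param mixed $role_id      limit to the users holding this role
     * @param string $module      limit to one module (AXO value)
     * @param int $method         unused, kept for existing callers
     * @return bool  false when $module is not a safe identifier, true otherwise
     */
    function recalcPermissions($user_id = null, $user_aro_id = null, $role_id = null, $module = '', $method = 1) {
        // $module is spliced into two queries as a string literal; a name
        // with quotes or spaces is refused rather than let into the SQL.
        if ($module && !$this->_isSafeAclToken($module)) {
            dprint(__file__, __line__, 0, 'recalcPermissions: invalid module name given');
            return false;
        }

        $q = new DBQuery;
        $q->addTable($this->_db_acl_prefix . 'aco_sections', 'a');
        $q->addQuery('a.value AS a_value, a.name AS a_name,
            b.value AS b_value, b.name AS b_name,
            c.value AS c_value, c.name AS c_name,
            d.value AS d_value, d.name AS d_name,
            e.value AS e_value, e.name AS e_name,
            f.value AS f_value, f.name AS f_name
            ');
        // The extra table names appended to the join conditions pull the
        // aro_sections / axo_sections tables into the FROM list.
        $q->leftJoin($this->_db_acl_prefix . 'aco', 'b', 'a.value=b.section_value,' . w2PgetConfig('dbprefix') . $this->_db_acl_prefix . 'aro_sections c');
        $q->leftJoin($this->_db_acl_prefix . 'aro', 'd', 'c.value=d.section_value,' . w2PgetConfig('dbprefix') . $this->_db_acl_prefix . 'axo_sections e');
        $q->leftJoin($this->_db_acl_prefix . 'axo', 'f', 'e.value=f.section_value');
        // The ARO value is the numeric user id (the unquoted IN() lists below
        // and the user_id = (int) checks elsewhere rely on that), so the ids
        // are cast before they reach the query. A non-numeric value becomes
        // 0 and simply matches nothing.
        if ($user_id) {
            $q->addWhere('d.value = \'' . (int)$user_id . '\'');
        } elseif ($user_aro_id) {
            $q->addWhere('d.id = \'' . (int)$user_aro_id . '\'');
        } else {
            // Only recalculate permissions for users able to login (that have at least one role).
            $active_users = $this->getUsersWithRole();
            if (is_array($active_users) && count($active_users)) {
                $q->addWhere('d.id IN (' . implode(',', array_map('intval', array_keys($active_users))) . ')');
            } else {
                // An empty IN () is a syntax error; match nothing instead.
                $q->addWhere('d.id = 0');
            }
        }
        if ($role_id) {
            $role_users = $this->getRoleUsers($role_id);
            if ($role_users) {
                $q->addWhere('d.value IN (' . implode(',', array_map('intval', array_keys($role_users))) . ')');
            } else {
                // No users are affected, so make sure nothing is recalculated.
                $q->addWhere('d.value = 0');
            }
        }
        if ($module) {
            $q->addWhere('f.value = \'' . $module . '\'');
        }
        // Things without AXOs must not be ported: that would make addon modules
        // carry wrong soft denials affecting visible addon modules.
        $q->addWhere('f.value IS NOT NULL');
        $rows = $q->loadList();
        $q->clear();

        // Resolve every combination and group the results per user. The
        // inner key is a running counter, kept only to make each entry unique.
        $user_permissions = array();
        $n = 0;
        if (is_array($rows)) {
            foreach ($rows as $row) {
                $aco_section_value = $row['a_value'];
                $aco_value = $row['b_value'];
                $aro_section_value = $row['c_value'];
                $aro_value = $row['d_value'];
                $aro_name = $row['d_name'];
                $axo_section_value = $row['e_value'];
                $axo_value = $row['f_value'];

                $acl_result = $this->acl_query($aco_section_value, $aco_value, $aro_section_value, $aro_value, $axo_section_value, $axo_value);
                $acl_id = (is_array($acl_result) && isset($acl_result['acl_id'])) ? $acl_result['acl_id'] : null;
                $access = (is_array($acl_result) && isset($acl_result['allow'])) ? $acl_result['allow'] : null;

                // 'app' and 'sys' AXO sections hold module-level entries (the
                // AXO value is the module name); any other section is an
                // item-level entry for the module named by the section.
                $is_module_level = ($axo_section_value == 'app' || $axo_section_value == 'sys');
                $user_permissions[$aro_value][$n] = array(
                    'user_id' => $aro_value,
                    'user_name' => $aro_name,
                    'module' => $is_module_level ? $axo_value : $axo_section_value,
                    'item_id' => $is_module_level ? 0 : $axo_value,
                    'action' => $aco_value,
                    'access' => $access ? 1 : 0,
                    'acl_id' => $acl_id,
                );
                ++$n;
            }
        }

        // Now that we have the users' permissions, delete the cached ones and insert the new ones.
        $q = new DBQuery;
        $q->setDelete($this->_db_acl_prefix . 'permissions');
        if ($user_id) {
            $q->addWhere('user_id = ' . (int)$user_id);
        }
        if ($user_aro_id) {
            $qui = new DBQuery;
            $qui->addTable($this->_db_acl_prefix . 'aro');
            $qui->addQuery('value');
            $qui->addWhere('id = \'' . (int)$user_aro_id . '\'');
            $id = $qui->loadResult();
            if ($id) {
                $q->addWhere('user_id = ' . (int)$id);
            }
        }
        if ($role_id) {
            $role_users = $this->getRoleUsers($role_id);
            if ($role_users) {
                $q->addWhere('user_id IN (' . implode(',', array_map('intval', array_keys($role_users))) . ')');
            } else {
                // No users are affected, so don't delete anything.
                $q->addWhere('user_id = 0');
            }
        }
        if ($module) {
            $q->addWhere('module = \'' . $module . '\'');
        }
        $q->exec();
        $q->clear();

        $q = new DBQuery;
        foreach ($user_permissions as $user => $permissions) {
            foreach ($permissions as $permission) {
                // Never cache login ACOs.
                if ($permission['action'] == 'login') {
                    continue;
                }
                // Item-level entries are only cached when an explicit ACL exists for them.
                if ($permission['item_id'] && !$permission['acl_id']) {
                    continue;
                }
                $q->addTable($this->_db_acl_prefix . 'permissions');
                $q->addInsert('user_id', $permission['user_id']);
                $q->addInsert('user_name', $permission['user_name']);
                $q->addInsert('module', $permission['module']);
                $q->addInsert('item_id', ($permission['item_id'] ? $permission['item_id'] : 0));
                $q->addInsert('action', $permission['action']);
                $q->addInsert('access', $permission['access']);
                $q->addInsert('acl_id', ($permission['acl_id'] ? $permission['acl_id'] : 0));
                $q->exec();
                $q->clear();
            }
        }

        return true;
    }

    /**
     * Starts a timer for the W2P_PERFORMANCE_DEBUG counters.
     *
     * @return float  wall-clock seconds, or 0 when the counters are off
     */
    function _aclTimerStart() {
        if (W2P_PERFORMANCE_DEBUG) {
            return array_sum(explode(' ', microtime()));
        }
        return 0;
    }

    /**
     * Closes a timer from _aclTimerStart(): bumps the global ACL check
     * counter and adds the elapsed time to the global ACL time.
     *
     * @param float $startTime  value returned by _aclTimerStart()
     */
    function _aclTimerStop($startTime) {
        global $w2p_performance_acltime, $w2p_performance_aclchecks;
        if (W2P_PERFORMANCE_DEBUG) {
            ++$w2p_performance_aclchecks;
            $w2p_performance_acltime += array_sum(explode(' ', microtime())) - $startTime;
        }
    }

    //Our own acl_check
    /**
     * w2Pacl::w2Pacl_check()
     * //w2Pacl_check is used for modules only
     *
     * Looks up the cached module-level (item_id = 0) permission for a user.
     * When several rows match, the one with the highest acl_id wins.
     *
     * @param mixed $application it passes 'application' string by default and is not used
     * @param mixed $op one of the acos 'access','view','add','delete','edit'
     * @param mixed $user it passes 'user' string by default and is not used
     * @param mixed $userid it passes the user_id
     * @param mixed $app it passes 'app' string by default and is not used
     * @param mixed $module it passes the modules name
     * @return mixed  the cached 'access' value, or false when $op/$module are not safe identifiers
     */
    function w2Pacl_check($application = 'application', $op, $user = 'user', $userid, $app = 'app', $module) {
        // Both values are embedded as string literals; deny on anything
        // that is not a plain identifier.
        if (!$this->_isSafeAclToken($op) || !$this->_isSafeAclToken($module)) {
            return false;
        }
        $q = new DBQuery;
        $q->addTable($this->_db_acl_prefix . 'permissions');
        $q->addQuery('access');
        $q->addWhere('module = \'' . $module . '\'');
        $q->addWhere('action = \'' . $op . '\'');
        $q->addWhere('item_id = 0');
        $q->addWhere('user_id = ' . (int)$userid);
        $q->addOrder('acl_id DESC');
        $startTime = $this->_aclTimerStart();
        $res = $q->loadResult();
        $this->_aclTimerStop($startTime);
        return $res;
    }

    /**
     * Cascading ('nuclear') view check for one item: asks the module's main
     * class for the records the user may see and reports whether $item is
     * among them. Everything that cannot be resolved denies.
     *
     * @param mixed $userid
     * @param mixed $module     module directory name
     * @param mixed $item       item id
     * @param array $mod_class  module row (mod_main_class, permissions_item_*,
     *                          mod_directory); looked up from the modules
     *                          table when empty
     * @return array  array('access' => 1, 'acl_id' => 'checked') when allowed, array() otherwise
     */
    function w2Pacl_nuclear($userid, $module, $item, $mod_class = array()) {
        global $AppUI;
        // This is a sensitive function: if the minimum arguments are not
        // provided, or the module name is not a plain identifier (it goes
        // into SQL below), don't permit anything on this item.
        if (!$userid || !$module || !$item || !$this->_isSafeAclToken($module)) {
            return array();
        }

        if (!is_array($mod_class) || !count($mod_class)) {
            $q = new DBQuery;
            $q->addTable('modules');
            $q->addQuery('mod_main_class, permissions_item_table, permissions_item_field, permissions_item_label, mod_directory');
            $q->addWhere('mod_directory = \'' . $module . '\'');
            $q->addWhere('mod_active = 1');
            $mod_class = $q->loadHash();
            if (!is_array($mod_class)) {
                $mod_class = array();
            }
        }

        // If we don't know which module we are dealing with, deny. The
        // directory also forms part of an include path, so it has to be a
        // plain identifier as well.
        if (empty($mod_class['mod_directory']) || !$this->_isSafeAclToken($mod_class['mod_directory'])) {
            dprint(__file__, __line__, 2, 'user:' . $userid . 'module:' . $module . 'Item:' . $item . ' (module unknown, denied)');
            return array();
        }
        require_once ($AppUI->getModuleClass($mod_class['mod_directory']));
        if (empty($mod_class['mod_main_class']) || !class_exists($mod_class['mod_main_class'])) {
            dprint(__file__, __line__, 2, 'user:' . $userid . 'module:' . $module . 'Item:' . $item . ' (main class missing, denied)');
            return array();
        }
        $obj = new $mod_class['mod_main_class'];

        // "table.id_field,label_field" as expected by getAllowedRecords().
        $fields = $mod_class['permissions_item_table'] . '.' . $mod_class['permissions_item_field'] . ',' . $mod_class['permissions_item_label'];
        if ($module == 'projects') {
            $allowedRecords = $obj->getAllowedRecords($userid, $fields, '', null, null, 'projects');
        } else {
            $allowedRecords = $obj->getAllowedRecords($userid, $fields);
        }

        if (is_array($allowedRecords) && isset($allowedRecords[(int)$item])) {
            return array('access' => 1, 'acl_id' => 'checked');
        }
        return array();
    }

    /**
     * w2Pacl::w2Pacl_query()
     * //w2Pacl_query is used for items only
     *
     * 'view' is resolved through the cascading check in w2Pacl_nuclear().
     * Any other action first requires view access to the item and is then
     * read from the cached permissions, an item-level row taking precedence
     * over the module-level one (item_id DESC, acl_id DESC). Task logs,
     * admin/users and events are not modules of their own and are mapped to
     * the class that owns them.
     *
     * @param string $application
     * @param mixed $op
     * @param string $user
     * @param mixed $userid
     * @param mixed $module
     * @param mixed $item
     * @return array  the matching permission row (access, acl_id), or array() when denied
     */
    function w2Pacl_query($application = 'application', $op, $user = 'user', $userid, $module, $item) {
        // This is a sensitive function: if the minimum arguments are not
        // provided, or $op/$module are not plain identifiers (both go into
        // SQL below), don't permit anything on this item.
        if (!$op || !$userid || !$module || !$item) {
            return array();
        }
        if (!$this->_isSafeAclToken($op) || !$this->_isSafeAclToken($module)) {
            return array();
        }

        $mod_class = array();
        if ($module == 'task_log') {
            $mod_class = array('mod_main_class' => 'CTaskLog', 'permissions_item_table' => 'task_log', 'permissions_item_field' => 'task_log_id', 'permissions_item_label' => 'task_log_name', 'mod_directory' => 'tasks');
        } elseif ($module == 'admin') {
            $mod_class = array('mod_main_class' => 'CUser', 'permissions_item_table' => 'users', 'permissions_item_field' => 'user_id', 'permissions_item_label' => 'user_username', 'mod_directory' => 'admin');
        } elseif ($module == 'users') {
            $mod_class = array('mod_main_class' => 'CUser', 'permissions_item_table' => 'users', 'permissions_item_field' => 'user_id', 'permissions_item_label' => 'user_username', 'mod_directory' => 'admin');
        } elseif ($module == 'events') {
            $mod_class = array('mod_main_class' => 'CEvent', 'permissions_item_table' => 'events', 'permissions_item_field' => 'event_id', 'permissions_item_label' => 'event_title', 'mod_directory' => 'calendar');
        }

        $startTime = $this->_aclTimerStart();
        if ($op == 'view') {
            // View cascades, so the cached table cannot answer it; ask the class.
            $res = $this->w2Pacl_nuclear($userid, $module, $item, $mod_class);
            $this->_aclTimerStop($startTime);
            return $res;
        }

        $nuclear = $this->w2Pacl_nuclear($userid, $module, $item, $mod_class);
        if (!$nuclear || !$nuclear['acl_id']) {
            // Without view permission nothing else can be granted: deny.
            $this->_aclTimerStop($startTime);
            return array();
        }

        $q = new DBQuery;
        $q->addTable($this->_db_acl_prefix . 'permissions');
        $q->addQuery('access, acl_id');
        $q->addWhere('module = \'' . $module . '\'');
        $q->addWhere('action = \'' . $op . '\'');
        $q->addWhere('user_id = ' . (int)$userid);
        $q->addWhere('(item_id = ' . (int)$item . ' OR item_id = 0)');
        $q->addOrder('item_id DESC, acl_id DESC');
        $result = $q->loadList();
        $this->_aclTimerStop($startTime);
        // No cached row at all means denied; return the same empty array as
        // the other deny paths instead of an undefined offset.
        if (is_array($result) && isset($result[0])) {
            return $result[0];
        }
        return array();
    }

    /**
     * Returns every cached permission row (acl_id, access, item_id) of a
     * user for one module and action, highest acl_id first.
     *
     * @param string $application  unused
     * @param mixed $op            ACO operation name
     * @param string $user         unused
     * @param mixed $userid
     * @param mixed $module        module name
     * @return array  list of rows, or array() when $op/$module are not safe identifiers
     */
    function w2Psearch_acl($application = 'application', $op, $user = 'user', $userid, $module) {
        if (!$this->_isSafeAclToken($op) || !$this->_isSafeAclToken($module)) {
            return array();
        }
        $q = new DBQuery;
        $q->addTable($this->_db_acl_prefix . 'permissions');
        $q->addQuery('acl_id, access, item_id');
        $q->addWhere('module = \'' . $module . '\'');
        $q->addWhere('action = \'' . $op . '\'');
        $q->addWhere('user_id = ' . (int)$userid);
        $q->addOrder('acl_id DESC');
        $startTime = $this->_aclTimerStart();
        $res = $q->loadList();
        $this->_aclTimerStop($startTime);
        return $res;
    }
}

// The includes/permissions.php file has been ported here because it held a group of public functions for permission checking.
// And that is so it stays on one place only.
// Permission flags used in the DB

define('PERM_DENY', '0');
define('PERM_EDIT', '-1');
define('PERM_READ', '1');

// Same value as PERM_EDIT; see the note in isAllowed().
define('PERM_ALL', '-1');

// TODO: getDeny* should return true/false instead of 1/0

/**
 * Returns the directory name of the first active module (in UI order) the
 * current user has 'access' permission on, or null when there is none.
 *
 * @return string|null
 */
function getReadableModule() {
    global $AppUI;
    $perms = &$AppUI->acl();

    $q = new DBQuery;
    $q->addTable('modules');
    $q->addQuery('mod_directory');
    $q->addWhere('mod_active = 1');
    $q->addOrder('mod_ui_order');
    $modules = $q->loadColumn();
    foreach ($modules as $mod) {
        if ($perms->checkModule($mod, 'access')) {
            return $mod;
        }
    }
    return null;
}

/**
 * This function is used to check permissions.
 *
 * Compares a stored flag (PERM_DENY / PERM_READ / PERM_EDIT) with the
 * requested permission type.
 *
 * With $old_flag set, the request is denied only when the flag is PERM_DENY,
 * or when editing is requested but the flag only allows reading.
 * Without $old_flag, a read request passes for anything but PERM_DENY and an
 * edit request passes only when the flag equals the requested type.
 *
 * @param string $flag       stored permission flag
 * @param string $perm_type  PERM_READ or PERM_EDIT
 * @param mixed $old_flag    selects the legacy comparison described above
 * @return int  1 when allowed, 0 when denied
 */
function checkFlag($flag, $perm_type, $old_flag) {
    if ($old_flag) {
        return (($flag == PERM_DENY) || // permission denied
            ($perm_type == PERM_EDIT && $flag == PERM_READ) // we ask for editing, but are only allowed to read
            ) ? 0 : 1;
    } else {
        if ($perm_type == PERM_READ) {
            return ($flag != PERM_DENY) ? 1 : 0;
        } else {
            // => $perm_type == PERM_EDIT
            return ($flag == $perm_type) ? 1 : 0;
        }
    }
}

/**
 * This function checks certain permissions for
 * a given module and optionally an item_id.
 *
 * $perm_type can be PERM_READ or PERM_EDIT (PERM_ALL behaves like PERM_EDIT;
 * PERM_DENY asks whether viewing is denied).
 *
 * @param string $perm_type
 * @param string $mod      module name
 * @param int $item_id     item id, 0 for the module level
 * @return bool
 */
function isAllowed($perm_type, $mod, $item_id = 0) {
    $invert = false;
    switch ($perm_type) {
        case PERM_READ:
            $perm_type = 'view';
            break;
        case PERM_EDIT:
            $perm_type = 'edit';
            break;
        case PERM_ALL:
            // PERM_ALL and PERM_EDIT are both '-1', so this case is never
            // reached; it is kept for readability only.
            $perm_type = 'edit';
            break;
        case PERM_DENY:
            $perm_type = 'view';
            $invert = true;
            break;
    }
    $allowed = getPermission($mod, $perm_type, $item_id);
    if ($invert) {
        return !$allowed;
    }
    return $allowed;
}

/**
 * Checks whether the current user has the action $perm on a module and,
 * when $item_id is given, is not explicitly denied it on that item.
 * A task that is denied falls back to the permission on its project.
 *
 * @param string $mod      module name
 * @param string $perm     ACO action ('view', 'edit', 'add', ...)
 * @param int $item_id     item id, 0 for the module level
 * @return mixed  truthy when allowed
 */
function getPermission($mod, $perm, $item_id = 0) {
    // First check the module-level permission for the requested action.
    $perms = &$GLOBALS['AppUI']->acl();
    $result = $perms->checkModule($mod, $perm);
    // If we have access then we need to ensure we are not denied access to the particular
    // item.
    if ($result && $item_id) {
        if ($perms->checkModuleItemDenied($mod, $perm, $item_id)) {
            $result = false;
        }
    }
    // If denied we need to check if we are allowed the task. This can be done
    // a lot better in PHPGACL, but is here for compatibility.
    if ($mod == 'tasks' && !$result && $item_id > 0) {
        $q = new DBQuery;
        $q->addTable('tasks');
        $q->addQuery('task_project');
        $q->addWhere('task_id = ' . (int)$item_id);
        $project_id = $q->loadResult();
        // Only consult the project when the task really exists; otherwise an
        // unknown task id would be answered with the module-level projects
        // permission instead of staying denied.
        if ($project_id) {
            $result = getPermission('projects', $perm, $project_id);
        }
    }
    return $result;
}

/**
 * @return bool  true when the current user may NOT view $mod / $item_id
 */
function getDenyRead($mod, $item_id = 0) {
    return !getPermission($mod, 'view', $item_id);
}

/**
 * @return bool  true when the current user may NOT edit $mod / $item_id
 */
function getDenyEdit($mod, $item_id = 0) {
    return !getPermission($mod, 'edit', $item_id);
}

/**
 * @return bool  true when the current user may NOT add to $mod / $item_id
 */
function getDenyAdd($mod, $item_id = 0) {
    return !getPermission($mod, 'add', $item_id);
}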