/**
* Set an access level to a given user for a list of websites ID.
*
* If access = 'noaccess' the current access (if any) will be deleted.
* If access = 'view' or 'admin' the current access level is deleted and updated with the new value.
*
* @param string $userLogin The user login
* @param string $access Access to grant. Must have one of the following value : noaccess, view, admin
* @param int|array $idSites The array of idSites on which to apply the access level for the user.
* If the value is "all" then we apply the access level to all the websites ID for which the current authentificated user has an 'admin' access.
*
* @throws Exception if the user doesn't exist
* @throws Exception if the access parameter doesn't have a correct value
* @throws Exception if any of the given website ID doesn't exist
*
* @return bool true on success
*/
public function setUserAccess($userLogin, $access, $idSites)
{
$this->checkAccessType($access);
$this->checkUserExists($userLogin);
$this->checkUserHasNotSuperUserAccess($userLogin);
if ($userLogin == 'anonymous' && $access == 'admin') {
throw new Exception(Piwik::translate("UsersManager_ExceptionAdminAnonymous"));
}
// in case idSites is all we grant access to all the websites on which the current connected user has an 'admin' access
if ($idSites === 'all') {
$idSites = \Piwik\Plugins\SitesManager\API::getInstance()->getSitesIdWithAdminAccess();
} else {
$idSites = Site::getIdSitesFromIdSitesString($idSites);
}
if (empty($idSites)) {
throw new Exception('Specify at least one website ID in &idSites=');
}
// it is possible to set user access on websites only for the websites admin
// basically an admin can give the view or the admin access to any user for the websites he manages
Piwik::checkUserHasAdminAccess($idSites);
$this->model->deleteUserAccess($userLogin, $idSites);
// if the access is noaccess then we don't save it as this is the default value
// when no access are specified
if ($access != 'noaccess') {
$this->model->addUserAccess($userLogin, $access, $idSites);
} else {
if (!empty($idSites) && !is_array($idSites)) {
$idSites = array($idSites);
}
Piwik::postEvent('UsersManager.removeSiteAccess', array($userLogin, $idSites));
}
// we reload the access list which doesn't yet take in consideration this new user access
Access::getInstance()->reloadAccess();
Cache::deleteTrackerCache();
}
/**
* Uses information in LDAP user entity to set access levels in Piwik.
*
* @param string $piwikLogin The username of the Piwik user whose access will be set.
* @param string[] $ldapUser The LDAP entity to use when synchronizing.
*/
public function synchronizePiwikAccessFromLdap($piwikLogin, $ldapUser)
{
if (empty($this->userAccessMapper)) {
return;
}
$userAccess = $this->userAccessMapper->getPiwikUserAccessForLdapUser($ldapUser);
if (empty($userAccess)) {
Log::warning("UserSynchronizer::%s: User '%s' has no access in LDAP, but access synchronization is enabled.", __FUNCTION__, $piwikLogin);
return;
}
$this->userModel->deleteUserAccess($piwikLogin);
$usersManagerApi = $this->usersManagerApi;
foreach ($userAccess as $userAccessLevel => $sites) {
Access::doAsSuperUser(function () use($usersManagerApi, $userAccessLevel, $sites, $piwikLogin) {
if ($userAccessLevel == 'superuser') {
$usersManagerApi->setSuperUserAccess($piwikLogin, true);
} else {
$usersManagerApi->setUserAccess($piwikLogin, $userAccessLevel, $sites);
}
});
}
}
