/**
 * Decide whether $user may read this Tank.
 *
 * Read access is granted to the system user, to the user whose id matches
 * tank_user_id, and to any user whose role in one of the Tank's orgs
 * (the TankOrg rows) carries the ACTION_ORG_SRC_UPDATE bit.
 *
 * @param User $user
 * @return int AIR2_AUTHZ_IS_SYSTEM, _IS_OWNER, _IS_ORG or _IS_DENIED
 */
public function user_may_read($user) {
    if ($user->is_system()) {
        return AIR2_AUTHZ_IS_SYSTEM;
    }

    // Loose comparison is kept as in the original.
    // NOTE(review): presumably ids may arrive as numeric strings -- confirm
    // before tightening this to ===.
    if ($this->tank_user_id == $user->user_id) {
        return AIR2_AUTHZ_IS_OWNER;
    }

    // Any org shared with the Tank in which the user holds the source-update
    // bit is enough to read it.
    $roles_by_org = $user->get_authz();
    foreach ($this->TankOrg as $tank_org) {
        $org_id = $tank_org->to_org_id;
        if (!isset($roles_by_org[$org_id])) {
            // no role in this org: same outcome as a role of 0
            continue;
        }
        if (ACTION_ORG_SRC_UPDATE & $roles_by_org[$org_id]) {
            return AIR2_AUTHZ_IS_ORG;
        }
    }

    // default-deny when nothing above matched
    return AIR2_AUTHZ_IS_DENIED;
}
/**
 * Decide whether $user may manage this Project.
 *
 * Granted to the system user, to a user listed as porg_contact_user_id on
 * any ProjectOrg row, and to a user whose role in an ACTIVE, explicitly
 * related org carries the ACTION_ORG_PRJ_DELETE bit.
 *
 * Only orgs named directly in ProjectOrg are consulted. Per the original
 * author, this effectively prevents a MANAGER from managing a project
 * belonging to their parent org.
 *
 * @param User $user
 * @return int AIR2_AUTHZ_IS_SYSTEM, _IS_MANAGER, _IS_ORG or _IS_DENIED
 */
public function user_may_manage($user) {
    if ($user->is_system()) {
        return AIR2_AUTHZ_IS_SYSTEM;
    }

    // Pass 1: contact users. This must finish over every row before the role
    // pass runs, because it returns a different authz value.
    // NOTE(review): unlike the role pass below, this pass does not look at
    // porg_status -- confirm that a contact user on a non-active ProjectOrg
    // row is meant to keep manage rights.
    foreach ($this->ProjectOrg as $project_org) {
        if ($project_org->porg_contact_user_id == $user->user_id) {
            return AIR2_AUTHZ_IS_MANAGER;
        }
    }

    // Pass 2: project-delete bit in an explicitly related, active org.
    $roles_by_org = $user->get_authz();
    foreach ($this->ProjectOrg as $project_org) {
        if ($project_org->porg_status != ProjectOrg::$STATUS_ACTIVE) {
            continue;
        }
        $org_id = $project_org->porg_org_id;
        if (isset($roles_by_org[$org_id]) && (ACTION_ORG_PRJ_DELETE & $roles_by_org[$org_id])) {
            return AIR2_AUTHZ_IS_ORG;
        }
    }

    // neither a contact user nor a manager
    return AIR2_AUTHZ_IS_DENIED;
}
/**
 * Decide whether $user may manage this Source.
 *
 * The system user is always allowed. With $respect_lock on (the default),
 * a Source whose src_has_acct equals Source::$ACCT_YES is denied to
 * everyone else. Otherwise the user needs the ACTION_ORG_SRC_DELETE bit in
 * one of the org ids returned by this record's get_authz().
 *
 * @param User $user
 * @param bool $respect_lock (optional) pass false to skip the src_has_acct check
 * @return int AIR2_AUTHZ_IS_SYSTEM, _IS_ORG or _IS_DENIED
 */
public function user_may_manage($user, $respect_lock = true) {
    if ($user->is_system()) {
        return AIR2_AUTHZ_IS_SYSTEM;
    }

    // The lock is evaluated before any role lookup, so no org role overrides
    // it. Callers that pass $respect_lock = false bypass it entirely.
    $is_locked = ($this->src_has_acct == Source::$ACCT_YES);
    if ($respect_lock && $is_locked) {
        return AIR2_AUTHZ_IS_DENIED;
    }

    // source-delete bit in any org related to this Source
    $roles_by_org = $user->get_authz();
    foreach ($this->get_authz() as $org_id) {
        if (!isset($roles_by_org[$org_id])) {
            continue;
        }
        if (ACTION_ORG_SRC_DELETE & $roles_by_org[$org_id]) {
            return AIR2_AUTHZ_IS_ORG;
        }
    }

    // no qualifying role found
    return AIR2_AUTHZ_IS_DENIED;
}
/**
 * Decide whether $user may manage (delete) this UserOrg record.
 *
 * Granted to the system user; to the user the record belongs to
 * (uo_user_id), provided the pending modifications touch only
 * uo_user_title, uo_notify_flag and uo_home_flag; and to a user whose role
 * in uo_org_id carries the ACTION_ORG_USR_DELETE bit.
 *
 * @param User $user
 * @return int AIR2_AUTHZ_IS_SYSTEM, _IS_OWNER, _IS_MANAGER or _IS_DENIED
 */
public function user_may_manage($user) {
    if ($user->is_system()) {
        return AIR2_AUTHZ_IS_SYSTEM;
    }

    // TODO: remove this from manage
    // NOTE(review): this branch also matches when nothing has been modified,
    // so a member gets AIR2_AUTHZ_IS_OWNER on their own unmodified record.
    // If callers use this check to gate deletes, confirm that is intended.
    if ($this->exists() && $this->uo_user_id == $user->user_id) {
        $self_service_fields = array('uo_user_title', 'uo_notify_flag', 'uo_home_flag');

        // anything left after removing the allowed fields is a change the
        // owner is not permitted to make
        $unexpected = array_diff_key($this->getModified(), array_flip($self_service_fields));
        if (!$unexpected) {
            return AIR2_AUTHZ_IS_OWNER;
        }
    }

    // user-delete bit in the org this membership belongs to
    $org_id = $this->uo_org_id;
    $roles_by_org = $user->get_authz();
    $role = 0;
    if (array_key_exists($org_id, $roles_by_org)) {
        $role = $roles_by_org[$org_id];
    }
    if (ACTION_ORG_USR_DELETE & $role) {
        return AIR2_AUTHZ_IS_MANAGER;
    }

    return AIR2_AUTHZ_IS_DENIED;
}
/**
 * Decide whether $user may manage this srs-inq record.
 *
 * Granted to the system user, and to a user whose role in one of the org
 * ids returned by get_authz(false) carries the
 * ACTION_ORG_PRJ_INQ_SRS_DELETE bit.
 *
 * @param User $user
 * @return int AIR2_AUTHZ_IS_SYSTEM, _IS_ORG or _IS_DENIED
 */
public function user_may_manage($user) {
    if ($user->is_system()) {
        return AIR2_AUTHZ_IS_SYSTEM;
    }

    $roles_by_org = $user->get_authz();

    // false = child orgs are NOT included, per the original author's comment,
    // so a role held only in a child org grants nothing here
    $related_org_ids = $this->get_authz(false);

    foreach ($related_org_ids as $org_id) {
        if (!isset($roles_by_org[$org_id])) {
            continue;
        }
        if (ACTION_ORG_PRJ_INQ_SRS_DELETE & $roles_by_org[$org_id]) {
            return AIR2_AUTHZ_IS_ORG;
        }
    }

    return AIR2_AUTHZ_IS_DENIED;
}
/**
 * Decide whether $u may write this record.
 *
 * Granted to the system user, and to a user holding the ACTION_ORG_UPDATE
 * bit in ANY org. The check does not depend on which org, if any, this
 * record relates to.
 *
 * @param User $u
 * @return int AIR2_AUTHZ_IS_SYSTEM, AIR2_AUTHZ_IS_ORG or AIR2_AUTHZ_IS_DENIED
 */
public function user_may_write(User $u) {
    if ($u->is_system()) {
        return AIR2_AUTHZ_IS_SYSTEM;
    }

    // one qualifying role anywhere is sufficient; the org id is not needed
    foreach ($u->get_authz() as $role_mask) {
        if (ACTION_ORG_UPDATE & $role_mask) {
            return AIR2_AUTHZ_IS_ORG;
        }
    }

    // no role with the update bit
    return AIR2_AUTHZ_IS_DENIED;
}
/**
 * Decide whether $user may write this record.
 *
 * Granted to the system user; for a record that does not exist yet, to a
 * user holding the ACTION_BATCH_CREATE bit in any org; and to the user
 * whose id matches bin_user_id.
 *
 * @param User $user
 * @return int AIR2_AUTHZ_IS_SYSTEM, _IS_NEW, _IS_OWNER or _IS_DENIED
 *             (an authz constant, not a boolean)
 */
public function user_may_write($user) {
    if ($user->is_system()) {
        return AIR2_AUTHZ_IS_SYSTEM;
    }

    $is_new = !$this->exists();
    if ($is_new) {
        // creating: any org role with the batch-create bit will do
        foreach ($user->get_authz() as $role_mask) {
            if ($role_mask & ACTION_BATCH_CREATE) {
                return AIR2_AUTHZ_IS_NEW;
            }
        }
        // NOTE(review): a new record without the create bit is not denied
        // here; it falls through to the owner comparison below. Confirm
        // bin_user_id cannot be populated on an unsaved record before this
        // check runs.
    }

    if ($this->bin_user_id == $user->user_id) {
        return AIR2_AUTHZ_IS_OWNER;
    }

    return AIR2_AUTHZ_IS_DENIED;
}
/**
 * Decide whether $user may manage this Organization.
 *
 * Granted to the system user. For an existing record the user needs the
 * ACTION_ORG_DELETE bit in this org (org_id); for a record that does not
 * exist yet, the bit is required in the parent org (org_parent_id).
 *
 * @param User $user
 * @return int AIR2_AUTHZ_IS_SYSTEM, AIR2_AUTHZ_IS_MANAGER or AIR2_AUTHZ_IS_DENIED
 */
public function user_may_manage($user) {
    if ($user->is_system()) {
        return AIR2_AUTHZ_IS_SYSTEM;
    }

    $roles_by_org = $user->get_authz();

    // Existing orgs are judged on their own id; new ones on the parent they
    // are being created under.
    $deciding_org_id = $this->exists() ? $this->org_id : $this->org_parent_id;

    $role = 0;
    if (array_key_exists($deciding_org_id, $roles_by_org)) {
        $role = $roles_by_org[$deciding_org_id];
    }

    if (ACTION_ORG_DELETE & $role) {
        return AIR2_AUTHZ_IS_MANAGER;
    }

    return AIR2_AUTHZ_IS_DENIED;
}
/**
 * Decide whether $user may delete this tag record.
 *
 * Granted to the system user, and to a user holding the
 * ACTION_ORG_PRJ_INQ_TAG_DELETE bit in ANY org. Authorization is by role
 * only; no field of the record itself is consulted.
 *
 * @param User $user
 * @return int authz flag: AIR2_AUTHZ_IS_SYSTEM, AIR2_AUTHZ_IS_OWNER or
 *             AIR2_AUTHZ_IS_DENIED
 */
public function user_may_delete(User $user) {
    if ($user->is_system()) {
        return AIR2_AUTHZ_IS_SYSTEM;
    }

    // authz only by role + org
    // NOTE(review): the grant comes from an org role, yet the value returned
    // is AIR2_AUTHZ_IS_OWNER. Callers that tell the two apart should confirm
    // this is intended.
    foreach ($user->get_authz() as $role_mask) {
        if (ACTION_ORG_PRJ_INQ_TAG_DELETE & $role_mask) {
            return AIR2_AUTHZ_IS_OWNER;
        }
    }

    return AIR2_AUTHZ_IS_DENIED;
}
/**
 * Decide whether $user may write this email record.
 *
 * Granted to the system user. A record that does not exist yet requires
 * the ACTION_EMAIL_CREATE bit in any org. An existing record is writable
 * by the user whose id matches email_cre_user, or by a user holding
 * ACTION_EMAIL_CREATE in the record's own org (email_org_id).
 *
 * @param User $user
 * @return int AIR2_AUTHZ_IS_SYSTEM, _IS_NEW, _IS_OWNER, _IS_ORG or
 *             _IS_DENIED (an authz constant, not a boolean)
 */
public function user_may_write($user) {
    if ($user->is_system()) {
        return AIR2_AUTHZ_IS_SYSTEM;
    }

    // New record: the create bit in any org is enough; otherwise deny. The
    // owner and org branches below apply to existing records only.
    if (!$this->exists()) {
        foreach ($user->get_authz() as $role_mask) {
            if ($role_mask & ACTION_EMAIL_CREATE) {
                return AIR2_AUTHZ_IS_NEW;
            }
        }
        return AIR2_AUTHZ_IS_DENIED;
    }

    // existing record, written by its creator
    if ($this->email_cre_user == $user->user_id) {
        return AIR2_AUTHZ_IS_OWNER;
    }

    // existing record, someone else: needs the create bit in the email's org
    $roles_by_org = $user->get_authz();
    $org_id = $this->email_org_id;
    if (isset($roles_by_org[$org_id]) && (ACTION_EMAIL_CREATE & $roles_by_org[$org_id])) {
        return AIR2_AUTHZ_IS_ORG;
    }

    return AIR2_AUTHZ_IS_DENIED;
}
/**
 * Decide whether $user may manage this record.
 *
 * Granted to the system user, and to a user whose role in any org joined
 * through this record's UserOrg rows carries the ACTION_ORG_USR_DELETE
 * bit.
 *
 * @param User $user
 * @return int AIR2_AUTHZ_IS_SYSTEM, AIR2_AUTHZ_IS_MANAGER or AIR2_AUTHZ_IS_DENIED
 */
public function user_may_manage($user) {
    if ($user->is_system()) {
        return AIR2_AUTHZ_IS_SYSTEM;
    }

    // One shared org with the user-delete bit is sufficient. The acting
    // user's own id is never compared, so no self-management path exists
    // in this method.
    $roles_by_org = $user->get_authz();
    foreach ($this->UserOrg as $membership) {
        $org_id = $membership->uo_org_id;
        if (!isset($roles_by_org[$org_id])) {
            continue;
        }
        if (ACTION_ORG_USR_DELETE & $roles_by_org[$org_id]) {
            return AIR2_AUTHZ_IS_MANAGER;
        }
    }

    return AIR2_AUTHZ_IS_DENIED;
}
/**
 * Decide whether $user may manage this Inquiry.
 *
 * Checked in this order, first match wins: the system user; the user whose
 * id matches inq_cre_user; a user listed as porg_contact_user_id on any
 * ProjectOrg of any Project this Inquiry is linked to; a user holding the
 * ACTION_ORG_PRJ_INQ_DELETE bit in one of the org ids returned by
 * get_authz(false).
 *
 * @param User $user
 * @return int AIR2_AUTHZ_IS_SYSTEM, _IS_OWNER, _IS_MANAGER, _IS_ORG or
 *             _IS_DENIED
 */
public function user_may_manage($user) {
    if ($user->is_system()) {
        return AIR2_AUTHZ_IS_SYSTEM;
    }

    $acting_user_id = $user->user_id;

    // creator of the inquiry
    if ($acting_user_id == $this->inq_cre_user) {
        return AIR2_AUTHZ_IS_OWNER;
    }

    // Contact user on any org of any linked project.
    // NOTE(review): ProjectOrg status is not checked here -- confirm that
    // contact users on non-active rows are meant to qualify.
    foreach ($this->ProjectInquiry as $project_link) {
        foreach ($project_link->Project->ProjectOrg as $project_org) {
            if ($acting_user_id == $project_org->porg_contact_user_id) {
                return AIR2_AUTHZ_IS_MANAGER;
            }
        }
    }

    // Everyone else: inquiry-delete bit in a related org. false = child orgs
    // are NOT included, per the original author's comment.
    $roles_by_org = $user->get_authz();
    foreach ($this->get_authz(false) as $org_id) {
        if (!isset($roles_by_org[$org_id])) {
            continue;
        }
        if (ACTION_ORG_PRJ_INQ_DELETE & $roles_by_org[$org_id]) {
            return AIR2_AUTHZ_IS_ORG;
        }
    }

    return AIR2_AUTHZ_IS_DENIED;
}