/**
  * Readable by system, by the owner, and by any user holding
  * ACTION_ORG_SRC_UPDATE in an Org the Tank is shared with (TankOrg).
  *
  * @param User    $user
  * @return authz integer
  */
 public function user_may_read($user)
 {
     // System accounts pass before any ownership or role lookup.
     if ($user->is_system()) {
         return AIR2_AUTHZ_IS_SYSTEM;
     }

     // The user recorded in tank_user_id is the owner.
     // NOTE(review): loose ==, so two unset ids would also compare equal;
     // presumably both are always populated here - confirm.
     if ($this->tank_user_id == $user->user_id) {
         return AIR2_AUTHZ_IS_OWNER;
     }

     // Anyone else needs the ACTION_ORG_SRC_UPDATE bit in at least one Org
     // listed in TankOrg (the original comment calls this the WRITER role).
     $roles_by_org = $user->get_authz();
     foreach ($this->TankOrg as $tank_org) {
         $org_id = $tank_org->to_org_id;
         if (!isset($roles_by_org[$org_id])) {
             // user has no role in this Org
             continue;
         }
         if ($roles_by_org[$org_id] & ACTION_ORG_SRC_UPDATE) {
             return AIR2_AUTHZ_IS_ORG;
         }
     }

     // default deny
     return AIR2_AUTHZ_IS_DENIED;
 }
 /**
  * Manageable if User is a contact user for this Project, or if User is
  * a MANAGER in an EXPLICITLY-related Org.
  *
  * This effectively prevents a MANAGER from managing a project belonging to
  * their parent org.
  *
  * @param User    $user
  * @return authz integer
  */
 public function user_may_manage($user)
 {
     if ($user->is_system()) {
         return AIR2_AUTHZ_IS_SYSTEM;
     }

     // Pass 1: contact users. Every ProjectOrg row is considered here,
     // whatever its porg_status, and this pass finishes before any role is
     // consulted, so a contact match always wins over an Org role match.
     foreach ($this->ProjectOrg as $project_org) {
         if ($project_org->porg_contact_user_id == $user->user_id) {
             return AIR2_AUTHZ_IS_MANAGER;
         }
     }

     // Pass 2: the ACTION_ORG_PRJ_DELETE bit in an Org that is directly
     // attached to this Project through an ACTIVE ProjectOrg row. Only the
     // rows on the Project are walked, so a role held in some other Org
     // (a parent, for example) is never looked up.
     $roles_by_org = $user->get_authz();
     foreach ($this->ProjectOrg as $project_org) {
         if ($project_org->porg_status != ProjectOrg::$STATUS_ACTIVE) {
             continue;
         }
         $org_id = $project_org->porg_org_id;
         if (isset($roles_by_org[$org_id]) && ($roles_by_org[$org_id] & ACTION_ORG_PRJ_DELETE)) {
             return AIR2_AUTHZ_IS_ORG;
         }
     }

     // neither a contact user nor a manager: default deny
     return AIR2_AUTHZ_IS_DENIED;
 }
 /**
  * Manageable if MANAGER in opted-in Org.
  *
  * @param User    $user
  * @param bool    $respect_lock (optional)
  * @return authz integer
  */
 public function user_may_manage($user, $respect_lock = true)
 {
     if ($user->is_system()) {
         return AIR2_AUTHZ_IS_SYSTEM;
     }

     // Lock: while src_has_acct equals Source::$ACCT_YES, every non-system
     // user is denied. Passing $respect_lock = false skips this check
     // entirely, so callers that do so take over responsibility for it.
     if ($respect_lock) {
         if ($this->src_has_acct == Source::$ACCT_YES) {
             return AIR2_AUTHZ_IS_DENIED;
         }
     }

     // The user needs the ACTION_ORG_SRC_DELETE bit in one of the Org ids
     // this record reports through its own get_authz().
     $roles_by_org = $user->get_authz();
     foreach ($this->get_authz() as $source_org_id) {
         if (!isset($roles_by_org[$source_org_id])) {
             continue;
         }
         if ($roles_by_org[$source_org_id] & ACTION_ORG_SRC_DELETE) {
             return AIR2_AUTHZ_IS_ORG;
         }
     }

     // no matching role: default deny
     return AIR2_AUTHZ_IS_DENIED;
 }
 /**
  * Manage (delete) authz
  *
  * @param User    $user
  * @return authz integer
  */
 public function user_may_manage($user)
 {
     if ($user->is_system()) {
         return AIR2_AUTHZ_IS_SYSTEM;
     }

     // TODO (from the original): remove this from manage.
     // A user may touch their own saved row as long as the pending changes
     // stay within a fixed allow-list of fields.
     $is_own_saved_row = $this->exists() && $this->uo_user_id == $user->user_id;
     if ($is_own_saved_row) {
         $pending = $this->getModified();
         foreach (array('uo_user_title', 'uo_notify_flag', 'uo_home_flag') as $self_editable) {
             unset($pending[$self_editable]);
         }
         // Whatever is left is a field the owner is not allowed to change.
         // A row with no pending changes at all also ends up empty here, so
         // it takes the owner branch too.
         // NOTE(review): if this check also gates deletes, the owner passes
         // it for their own row - confirm that is intended.
         if (count($pending) == 0) {
             return AIR2_AUTHZ_IS_OWNER;
         }
     }

     // Otherwise require the ACTION_ORG_USR_DELETE bit in this row's Org.
     $org_id = $this->uo_org_id;
     $roles_by_org = $user->get_authz();
     $granted = 0;
     if (array_key_exists($org_id, $roles_by_org)) {
         $granted = $roles_by_org[$org_id];
     }

     return ($granted & ACTION_ORG_USR_DELETE) ? AIR2_AUTHZ_IS_MANAGER : AIR2_AUTHZ_IS_DENIED;
 }
 /**
  * Manage authz on srs-inq
  *
  * @param User    $user
  * @return authz integer
  */
 public function user_may_manage($user)
 {
     if ($user->is_system()) {
         return AIR2_AUTHZ_IS_SYSTEM;
     }

     $roles_by_org = $user->get_authz();

     // The original note on this call reads "NO CHILDREN"; the false
     // argument presumably keeps child Orgs out of the list - confirm
     // against get_authz().
     $related_org_ids = $this->get_authz(false);

     foreach ($related_org_ids as $related_org_id) {
         if (!isset($roles_by_org[$related_org_id])) {
             continue;
         }
         if ($roles_by_org[$related_org_id] & ACTION_ORG_PRJ_INQ_SRS_DELETE) {
             return AIR2_AUTHZ_IS_ORG;
         }
     }

     // default deny
     return AIR2_AUTHZ_IS_DENIED;
 }
 /**
  * WRITER in any Organization may write.
  *
  * @param User    $u
  * @return int
  */
 public function user_may_write(User $u)
 {
     if ($u->is_system()) {
         return AIR2_AUTHZ_IS_SYSTEM;
     }

     // Not scoped to this record: the ACTION_ORG_UPDATE bit in any one of
     // the user's Orgs is enough.
     foreach ($u->get_authz() as $role) {
         if ($role & ACTION_ORG_UPDATE) {
             return AIR2_AUTHZ_IS_ORG;
         }
     }

     // no role carried the bit: default deny
     return AIR2_AUTHZ_IS_DENIED;
 }
 /**
  * Write - owner
  *
  * @param User $user
  * @return authz integer
  */
 public function user_may_write($user)
 {
     if ($user->is_system()) {
         return AIR2_AUTHZ_IS_SYSTEM;
     }

     // Unsaved record: creating needs the ACTION_BATCH_CREATE bit in any
     // one of the user's Orgs.
     if (!$this->exists()) {
         foreach ($user->get_authz() as $role) {
             if (ACTION_BATCH_CREATE & $role) {
                 return AIR2_AUTHZ_IS_NEW;
             }
         }
         // NOTE(review): an unsaved record that fails the create check is
         // not denied here; it falls through to the owner comparison below.
         // If bin_user_id can already hold the caller's id at that point,
         // the create check is bypassed - confirm this is intended.
     }

     // Saved (or fall-through) record: only the user in bin_user_id.
     return ($this->bin_user_id == $user->user_id)
         ? AIR2_AUTHZ_IS_OWNER
         : AIR2_AUTHZ_IS_DENIED;
 }
 /**
  * Manage organization
  *
  * @param User    $user
  * @return authz integer
  */
 public function user_may_manage($user)
 {
     if ($user->is_system()) {
         return AIR2_AUTHZ_IS_SYSTEM;
     }

     $roles_by_org = $user->get_authz();

     // Role held on this Org itself, and on its parent (0 when absent).
     $own_role = array_key_exists($this->org_id, $roles_by_org)
         ? $roles_by_org[$this->org_id]
         : 0;
     $parent_role = array_key_exists($this->org_parent_id, $roles_by_org)
         ? $roles_by_org[$this->org_parent_id]
         : 0;

     // A saved Org is judged on the user's role in that Org; an unsaved one
     // (being created) is judged on the role in its parent. With no role
     // on the parent the result is DENIED.
     $deciding_role = $this->exists() ? $own_role : $parent_role;

     if (ACTION_ORG_DELETE & $deciding_role) {
         return AIR2_AUTHZ_IS_MANAGER;
     }

     // default deny
     return AIR2_AUTHZ_IS_DENIED;
 }
 /**
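  * Deletable by system, or by any user whose role in any Organization
  * includes ACTION_ORG_PRJ_INQ_TAG_DELETE.
  *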
  * @param User  $user
  * @return int authz flag
  */
 public function user_may_delete(User $user)
 {
     if ($user->is_system()) {
         return AIR2_AUTHZ_IS_SYSTEM;
     }

     // Decided by role alone, not by the record: the
     // ACTION_ORG_PRJ_INQ_TAG_DELETE bit in any one of the user's Orgs is
     // enough. The grant is reported as AIR2_AUTHZ_IS_OWNER even though no
     // ownership comparison takes place.
     foreach ($user->get_authz() as $role) {
         if ($role & ACTION_ORG_PRJ_INQ_TAG_DELETE) {
             return AIR2_AUTHZ_IS_OWNER;
         }
     }

     // default deny
     return AIR2_AUTHZ_IS_DENIED;
 }
 /**
  * Write authz
  *
  * @param User    $user
  * @return authz integer
  */
 public function user_may_write($user)
 {
     if ($user->is_system()) {
         return AIR2_AUTHZ_IS_SYSTEM;
     }

     // Unsaved record: creating needs the ACTION_EMAIL_CREATE bit in any
     // one of the user's Orgs; without it the request is denied outright.
     if (!$this->exists()) {
         foreach ($user->get_authz() as $role) {
             if (ACTION_EMAIL_CREATE & $role) {
                 return AIR2_AUTHZ_IS_NEW;
             }
         }
         return AIR2_AUTHZ_IS_DENIED;
     }

     // Saved record, written by its creator.
     if ($this->email_cre_user == $user->user_id) {
         return AIR2_AUTHZ_IS_OWNER;
     }

     // Saved record, someone else: the same ACTION_EMAIL_CREATE bit is
     // required, but this time in the Org the email belongs to.
     $roles_by_org = $user->get_authz();
     $email_org_id = $this->email_org_id;
     if (isset($roles_by_org[$email_org_id]) && ($roles_by_org[$email_org_id] & ACTION_EMAIL_CREATE)) {
         return AIR2_AUTHZ_IS_ORG;
     }

     // default deny
     return AIR2_AUTHZ_IS_DENIED;
 }
 /**
  * Manageable by MANAGERs in joined orgs
  *
  * @param User    $user
  * @return authz integer
  */
 public function user_may_manage($user)
 {
     if ($user->is_system()) {
         return AIR2_AUTHZ_IS_SYSTEM;
     }

     // $user is the acting user; $this->UserOrg holds the memberships of the
     // record being managed. The acting user needs the ACTION_ORG_USR_DELETE
     // bit in at least one of those Orgs.
     $roles_by_org = $user->get_authz();
     foreach ($this->UserOrg as $membership) {
         $org_id = $membership->uo_org_id;
         if (!isset($roles_by_org[$org_id])) {
             continue;
         }
         if ($roles_by_org[$org_id] & ACTION_ORG_USR_DELETE) {
             return AIR2_AUTHZ_IS_MANAGER;
         }
     }

     // no shared Org with the required bit: default deny
     return AIR2_AUTHZ_IS_DENIED;
 }
 /**
  * Managing Inquiries
  *
  * @param User    $user
  * @return authz integer
  */
 public function user_may_manage($user)
 {
     if ($user->is_system()) {
         return AIR2_AUTHZ_IS_SYSTEM;
     }

     // The user recorded in inq_cre_user (the creator) may manage.
     if ($this->inq_cre_user == $user->user_id) {
         return AIR2_AUTHZ_IS_OWNER;
     }

     // So may the contact user of any ProjectOrg on any Project this
     // inquiry is attached to. porg_status is not consulted here.
     foreach ($this->ProjectInquiry as $project_inquiry) {
         foreach ($project_inquiry->Project->ProjectOrg as $project_org) {
             if ($project_org->porg_contact_user_id == $user->user_id) {
                 return AIR2_AUTHZ_IS_MANAGER;
             }
         }
     }

     // Everyone else needs the ACTION_ORG_PRJ_INQ_DELETE bit in one of the
     // Orgs this record reports. The original note reads "NO CHILDREN"; the
     // false argument presumably keeps child Orgs out - confirm against
     // get_authz().
     $roles_by_org = $user->get_authz();
     foreach ($this->get_authz(false) as $related_org_id) {
         if (!isset($roles_by_org[$related_org_id])) {
             continue;
         }
         if ($roles_by_org[$related_org_id] & ACTION_ORG_PRJ_INQ_DELETE) {
             return AIR2_AUTHZ_IS_ORG;
         }
     }

     // default deny
     return AIR2_AUTHZ_IS_DENIED;
 }