/**
* Only owner
*
* @param User $user
* @return int $authz
*/
public function user_may_read($user)
{
if ($user->is_system()) {
return AIR2_AUTHZ_IS_SYSTEM;
}
if ($user->user_id == $this->usrs_user_id) {
return AIR2_AUTHZ_IS_OWNER;
}
return AIR2_AUTHZ_IS_DENIED;
}
/**
*
*
* @param User $user
* @return int authz flag
*/
public function user_may_delete(User $user)
{
//Carper::carp(sprintf('check if user_may_delete tag %s for %s', $this->tag_tm_id, $user->user_username));
if ($user->is_system()) {
return AIR2_AUTHZ_IS_SYSTEM;
}
// authz only by role + org
$authz = $user->get_authz();
foreach ($authz as $orgid => $role) {
if (ACTION_ORG_PRJ_INQ_TAG_DELETE & $role) {
//Carper::carp(sprintf("User %s may write to tag with role %s in org %s", $user->user_username, $role, $orgid));
return AIR2_AUTHZ_IS_OWNER;
}
}
return AIR2_AUTHZ_IS_DENIED;
}
/**
* Need read to create; owner or manager to update/delete.
*
* @param User $user
* @return authz integer
*/
public function user_may_write(User $user)
{
if ($user->is_system()) {
return AIR2_AUTHZ_IS_SYSTEM;
} elseif ($this->SrcResponseSet->user_may_read($user)) {
if (!$this->exists()) {
return AIR2_AUTHZ_IS_NEW;
} elseif ($this->srsan_cre_user == $user->user_id) {
return AIR2_AUTHZ_IS_OWNER;
} else {
// may only write non-owned if MANAGER of owning user
$ownr = Doctrine::getTable('User')->find($this->srsan_cre_user);
if ($ownr && $ownr->user_may_manage($user)) {
return AIR2_AUTHZ_IS_MANAGER;
}
}
}
return AIR2_AUTHZ_IS_DENIED;
}
/**
* Write - owner
*
* @param Doctrine_Query $q
* @param User $u
* @param string $alias (optional)
*/
public static function query_may_write($q, $u, $alias = null)
{
if ($u->is_system()) {
return;
}
$a = $alias ? "{$alias}." : "";
$q->addWhere("{$a}bin_user_id = ?", $u->user_id);
}
/**
* Apply authz rules for who may manage a SrcResponse.
*
* @param AIR2_Query $q
* @param User $u
* @param string $alias (optional)
*/
public static function query_may_manage(AIR2_Query $q, User $u, $alias = null)
{
if ($u->is_system()) {
return;
}
$a = $alias ? "{$alias}." : "";
// manageable src_response_sets
$tmp = AIR2_Query::create();
SrcResponseSet::query_may_manage($tmp, $u);
$tmp = array_pop($tmp->getDqlPart('where'));
$srs_ids = "select srs_id from src_response_set where {$tmp}";
// add to query
$q->addWhere("{$a}sr_srs_id in ({$srs_ids})");
}
/**
* Update
*
* @param User $u
* @param array $data
*/
protected function air_update(User $u, $data)
{
if (isset($data['uem_address'])) {
$u->UserEmailAddress[0]->uem_address = $data['uem_address'];
$u->UserEmailAddress[0]->uem_primary_flag = true;
// for NON-system users, sync username with email
if (!$u->is_system()) {
$u->user_username = $data['uem_address'];
}
}
if (isset($data['uph_number']) || isset($data['uph_ext'])) {
$n = isset($data['uph_number']) ? $data['uph_number'] : $u->UserPhoneNumber[0]->uph_number;
$e = isset($data['uph_ext']) ? $data['uph_ext'] : $u->UserPhoneNumber[0]->uph_ext;
$u->UserPhoneNumber[0]->uph_number = $n;
$u->UserPhoneNumber[0]->uph_ext = $e;
$u->UserPhoneNumber[0]->uph_country = 'USA';
$u->UserPhoneNumber[0]->uph_primary_flag = true;
}
$old_title = null;
if (isset($data['org_uuid'])) {
// run through all orgs, and change home
$found = false;
foreach ($u->UserOrg as $uo) {
if ($uo->uo_home_flag) {
$old_title = $uo->uo_user_title;
}
if ($uo->Organization->org_uuid == $data['org_uuid']) {
$found = $uo;
$uo->uo_home_flag = true;
} else {
$uo->uo_home_flag = false;
}
}
if (!$found) {
$u = $data['org_uuid'];
throw new Rframe_Exception(RFrame::BAD_DATA, "Invalid home-org UUID '{$u}'");
}
if ($old_title) {
$found->uo_user_title = $old_title;
}
}
if (isset($data['uo_user_title'])) {
// run through all orgs, and change home-org title
$found = false;
foreach ($u->UserOrg as $uo) {
if ($uo->uo_home_flag) {
$uo->uo_user_title = $data['uo_user_title'];
$found = true;
}
}
if (!$found) {
throw new Rframe_Exception(RFrame::BAD_DATA, "Cannot change title: no home org");
}
}
if (isset($data['avatar'])) {
try {
if (!$u->Avatar) {
$u->Avatar = new ImageUserAvatar();
}
$u->Avatar->set_image($data['avatar']);
} catch (Exception $e) {
throw new Rframe_Exception(RFrame::BAD_DATA, $e->getMessage());
}
}
if (array_key_exists('avatar', $data) && !$data['avatar']) {
if ($u->Avatar) {
$u->Avatar->delete();
$u->clearRelated('Avatar');
}
}
}
/**
* Manageable if MANAGER in opted-in Org.
*
* @param User $user
* @param bool $respect_lock (optional)
* @return authz integer
*/
public function user_may_manage($user, $respect_lock = true)
{
if ($user->is_system()) {
return AIR2_AUTHZ_IS_SYSTEM;
}
if ($respect_lock && $this->src_has_acct == Source::$ACCT_YES) {
return AIR2_AUTHZ_IS_DENIED;
}
// look for MANAGER role in related organization
$user_authz = $user->get_authz();
$src_org_ids = $this->get_authz();
foreach ($src_org_ids as $org_id) {
$role = isset($user_authz[$org_id]) ? $user_authz[$org_id] : null;
if (ACTION_ORG_SRC_DELETE & $role) {
return AIR2_AUTHZ_IS_ORG;
}
}
// no manager role found
return AIR2_AUTHZ_IS_DENIED;
}
/**
* Apply authz rules for who may write.
*
* @param AIR2_Query $q
* @param User $u
* @param string $alias (optional)
*/
public static function query_may_write(AIR2_Query $q, User $u, $alias = null)
{
if ($u->is_system()) {
return;
}
$a = $alias ? "{$alias}." : "";
// readable inquiries
$tmp = AIR2_Query::create();
Inquiry::query_may_read($tmp, $u);
$tmp = array_pop($tmp->getDqlPart('where'));
$inq_ids = "select inq_id from inquiry where {$tmp}";
// add to query
$user_id = $u->user_id;
$own = "{$a}inqan_cre_user = {$user_id}";
$q->addWhere("({$a}inqan_inq_id in ({$inq_ids}) and {$own})");
}
/**
* Apply authz rules for who may manage a SrcResponseSet.
*
* @param AIR2_Query $q
* @param User $u
* @param string $alias (optional)
*/
public static function query_may_manage(AIR2_Query $q, User $u, $alias = null)
{
if ($u->is_system()) {
return;
}
$a = $alias ? "{$alias}." : "";
// manageable
$mg_org_ids = $u->get_authz_str(ACTION_ORG_PRJ_INQ_SRS_DELETE, 'porg_org_id', true);
$prj_ids = "select porg_prj_id from project_org where {$mg_org_ids}";
$inq_ids = "select pinq_inq_id from project_inquiry where pinq_prj_id in ({$prj_ids})";
// fetch actual id's, to prevent doctrine from adding its own alias to
// our columns (pinq fields will get re-aliased by doctrine).
$conn = AIR2_DBManager::get_connection();
$rs = $conn->fetchColumn($inq_ids, array(), 0);
$inq_ids = count($rs) ? implode(',', $rs) : 'NULL';
// add to query
$q->addWhere("{$a}srs_inq_id in ({$inq_ids})");
}
/**
* Must be owner to write to existing SavedSearch.
*
* @param User $user
* @return authz integer
*/
public function user_may_write($user)
{
if ($user->is_system()) {
return AIR2_AUTHZ_IS_SYSTEM;
}
if (!$this->exists()) {
return AIR2_AUTHZ_IS_NEW;
}
if ($this->ssearch_cre_user == $user->user_id) {
return AIR2_AUTHZ_IS_OWNER;
}
return AIR2_AUTHZ_IS_DENIED;
}
/**
* Apply authz rules for who may manage a User.
*
* @param AIR2_Query $q
* @param User $u
* @param string $alias (optional)
*/
public static function query_may_manage(AIR2_Query $q, User $u, $alias = null)
{
if ($u->is_system()) {
return;
}
$a = $alias ? "{$alias}." : "";
// delete-usr authz in org
$manage_org_ids = $u->get_authz_str(ACTION_ORG_USR_DELETE, 'uo_org_id', false);
$stat = UserOrg::$STATUS_ACTIVE;
$usr_ids = "select uo_user_id from user_org where {$manage_org_ids}";
$q->addWhere("{$a}user_id in ({$usr_ids})");
}
/**
* Read
*
* @param User $user
* @return boolean
*/
public function user_may_read($user)
{
if ($user->is_system()) {
return AIR2_AUTHZ_IS_SYSTEM;
}
return AIR2_AUTHZ_IS_PUBLIC;
}
/**
* Must be owner, or inherit from Project or Inquiry
*
* @param User $user
* @return authz integer
*/
public function user_may_write($user)
{
if ($user->is_system()) {
return AIR2_AUTHZ_IS_SYSTEM;
}
if ($this->out_cre_user == $user->user_id) {
return AIR2_AUTHZ_IS_OWNER;
}
if (!$this->exists()) {
return AIR2_AUTHZ_IS_NEW;
}
if ($this->Organization) {
$authz = $this->Organization->user_may_write($user);
if ($authz) {
return $authz;
}
}
// per redmine #4022, only owner may edit
// foreach ($this->PrjOutcome as $pout) {
// $authz = $pout->Project->user_may_write($user);
// if ($authz) return $authz;
// }
// foreach ($this->InqOutcome as $iout) {
// $authz = $iout->Inquiry->user_may_write($user);
// if ($authz) return $authz;
// }
return AIR2_AUTHZ_IS_DENIED;
}
/**
* Apply authz rules for who may manage an Inquiry.
*
* @param AIR2_Query $q
* @param User $u
* @param string $alias (optional)
*/
public static function query_may_manage(AIR2_Query $q, User $u, $alias = null)
{
if ($u->is_system()) {
return;
}
$a = $alias ? "{$alias}." : "";
$uid = $u->user_id;
// managable or contact-user
$mg_org_ids = $u->get_authz_str(ACTION_ORG_PRJ_INQ_DELETE, 'porg_org_id');
$is_contact = "porg_contact_user_id={$uid}";
$prj_ids = "select porg_prj_id from project_org where {$mg_org_ids} or {$is_contact}";
$inq_ids = "select pinq_inq_id from project_inquiry where pinq_prj_id in ({$prj_ids})";
// owner
$owner = "inq_cre_user={$uid}";
// add to query
$q->addWhere("({$a}inq_id in ({$inq_ids}) or {$owner})");
}
/**
* Inherit from Organization
*
* @param AIR2_Query $q
* @param User $u
* @param string $alias (optional)
* @return unknown
*/
public static function query_may_read(AIR2_Query $q, User $u, $alias = null)
{
if ($u->is_system()) {
return;
}
return Organization::query_may_read($q, $u, $alias);
}
/**
* Apply authz rules for who may manage an Organization
*
* @param AIR2_Query $q
* @param User $u
* @param string $alias (optional)
*/
public static function query_may_manage(AIR2_Query $q, User $u, $alias = null)
{
if ($u->is_system()) {
return;
}
$a = $alias ? "{$alias}." : "";
$org_ids = $u->get_authz_str(ACTION_ORG_DELETE, 'org_id', false);
$q->addWhere($a . $org_ids);
}
/**
* Manage (delete) authz
*
* @param User $user
* @return authz integer
*/
public function user_may_manage($user)
{
if ($user->is_system()) {
return AIR2_AUTHZ_IS_SYSTEM;
}
// TODO: remove this from manage
if ($this->exists() && $this->uo_user_id == $user->user_id) {
$owner_may_modify = array('uo_user_title', 'uo_notify_flag', 'uo_home_flag');
$mod_flds = $this->getModified();
// check that only allowed fields are set
foreach ($owner_may_modify as $fld) {
unset($mod_flds[$fld]);
}
if (count($mod_flds) == 0) {
return AIR2_AUTHZ_IS_OWNER;
}
}
// delete-usr authz in related org
$org_id = $this->uo_org_id;
$authz = $user->get_authz();
$role = array_key_exists($org_id, $authz) ? $authz[$org_id] : 0;
if (ACTION_ORG_USR_DELETE & $role) {
return AIR2_AUTHZ_IS_MANAGER;
}
return AIR2_AUTHZ_IS_DENIED;
}
/**
* Inherit from Project
*
* @param AIR2_Query $q
* @param User $u
* @param string $alias (optional)
*/
public static function query_may_read(AIR2_Query $q, User $u, $alias = null)
{
if ($u->is_system()) {
return;
}
$a = $alias ? "{$alias}." : "";
// readable projects
$tmp = AIR2_Query::create();
Project::query_may_read($tmp, $u);
$tmp = array_pop($tmp->getDqlPart('where'));
$prj_ids = "select prj_id from project where {$tmp}";
// fetch actual id's, to prevent doctrine from adding its own alias to
// our columns (porg fields will get re-aliased by doctrine).
$conn = AIR2_DBManager::get_connection();
$rs = $conn->fetchColumn($prj_ids, array(), 0);
$prj_ids = count($rs) ? implode(',', $rs) : 'NULL';
$q->addWhere("{$a}porg_prj_id in ({$prj_ids})");
}
/**
* For now, only SYSTEM users may manage (delete) SrcOrgs
*
* @param User $user
* @return authz integer
*/
public function user_may_manage($user)
{
if ($user->is_system()) {
return AIR2_AUTHZ_IS_SYSTEM;
}
return AIR2_AUTHZ_IS_DENIED;
}
/**
* Write - bin_source writable
*
* @param Doctrine_Query $q
* @param User $u
* @param string $alias (optional)
*/
public static function query_may_write($q, $u, $alias = null)
{
if ($u->is_system()) {
return;
}
$a = $alias ? "{$alias}." : "";
$write_bin_ids = "select bin_id from bin where bin_user_id=?";
$q->addWhere("{$a}bsrs_bin_id in ({$write_bin_ids})", $u->user_id);
}
/**
* Apply authz rules for who may manage a Project.
*
* @param AIR2_Query $q
* @param User $u
* @param string $alias (optional)
*/
public static function query_may_manage(AIR2_Query $q, User $u, $alias = null)
{
if ($u->is_system()) {
return;
}
$a = $alias ? "{$alias}." : "";
// is user contact_user for this project
$user_id = $u->user_id;
$prj_ids = "select porg_prj_id from project_org where porg_contact_user_id = {$user_id}";
$contact_user = "******";
// is user MANAGER in an org related to this project
$org_ids = $u->get_authz_str(ACTION_ORG_PRJ_DELETE, 'porg_org_id', false);
$prj_ids = "select porg_prj_id from project_org where {$org_ids}";
$manager = "{$a}prj_id in ({$prj_ids})";
// add complete where condition
$q->addWhere("({$contact_user} or {$manager})");
}
/**
* WRITER in any Organization may write.
*
* @param User $u
* @return int
*/
public function user_may_write(User $u)
{
if ($u->is_system()) {
return AIR2_AUTHZ_IS_SYSTEM;
}
// look for WRITER role in any organization
$authz = $u->get_authz();
foreach ($authz as $orgid => $role) {
if (ACTION_ORG_UPDATE & $role) {
return AIR2_AUTHZ_IS_ORG;
}
}
// no WRITER role found
return AIR2_AUTHZ_IS_DENIED;
}
/**
* Restrict to owner, and anyone able to update sources in a tank_org.
*
* @param AIR2_Query $q
* @param User $u
* @param string $alias (optional)
*/
public static function query_may_read(AIR2_Query $q, User $u, $alias = null)
{
if ($u->is_system()) {
return;
}
$a = $alias ? "{$alias}." : "";
$uid = $u->user_id;
$authz_str = $u->get_authz_str(ACTION_ORG_SRC_UPDATE, 'to_org_id');
$subselect = "select to_tank_id from tank_org where {$authz_str}";
$q->addWhere("({$a}tank_id in ({$subselect}) or {$a}tank_user_id = {$uid})");
}
/**
* Apply authz rules for who may manage.
*
* @param AIR2_Query $q
* @param User $u
* @param string $alias (optional)
*/
public static function query_may_manage(AIR2_Query $q, User $u, $alias = null)
{
if ($u->is_system()) {
return;
}
$a = $alias ? "{$alias}." : "";
$user_id = $u->user_id;
$prjq = $q->createSubquery();
$prjq->select('prj.prj_id');
$prjq->from('Project prj');
Project::query_may_manage($prjq, $u);
$q->addWhere("{$a}prjan_prj_id IN (" . $prjq->getDql() . ")");
$q->addWhere("{$a}prjan_cre_user = ?", $u->user_id);
}
