/**
 * Read authz: only system users and the user referenced by this record's
 * usrs_user_id may read; everyone else is denied.
 *
 * @param User    $user the user asking for read access
 * @return int AIR2_AUTHZ_IS_SYSTEM, AIR2_AUTHZ_IS_OWNER or AIR2_AUTHZ_IS_DENIED
 */
public function user_may_read($user) {
    if ($user->is_system()) {
        return AIR2_AUTHZ_IS_SYSTEM;
    }

    // Loose (==) comparison kept as in the original.
    // NOTE(review): with ==, two unset (null) ids compare equal -- confirm
    // callers never pass an unsaved User here.
    $is_owner = ($user->user_id == $this->usrs_user_id);

    return $is_owner ? AIR2_AUTHZ_IS_OWNER : AIR2_AUTHZ_IS_DENIED;
}
/**
 * Delete authz, decided by organization role alone.
 *
 * Any entry in the user's authz map that carries the
 * ACTION_ORG_PRJ_INQ_TAG_DELETE bit is sufficient; this record's own
 * organization is not consulted, and the role-based grant is reported as
 * AIR2_AUTHZ_IS_OWNER.
 *
 * @param User    $user the user asking to delete
 * @return int authz flag
 */
public function user_may_delete(User $user) {
    if ($user->is_system()) {
        return AIR2_AUTHZ_IS_SYSTEM;
    }

    // authz only by role + org: the first org whose role has the bit wins
    foreach ($user->get_authz() as $role) {
        if ($role & ACTION_ORG_PRJ_INQ_TAG_DELETE) {
            return AIR2_AUTHZ_IS_OWNER;
        }
    }

    return AIR2_AUTHZ_IS_DENIED;
}
/**
 * Write authz: read access to the parent SrcResponseSet is required to
 * create; updating an existing record needs its creator or someone who
 * may manage the creator.
 *
 * @param User    $user the user asking for write access
 * @return authz integer
 */
public function user_may_write(User $user) {
    if ($user->is_system()) {
        return AIR2_AUTHZ_IS_SYSTEM;
    }

    // Read access to the parent is a precondition for every other grant.
    // NOTE(review): this relies on a denied result being falsy -- confirm
    // AIR2_AUTHZ_IS_DENIED is 0.
    if (!$this->SrcResponseSet->user_may_read($user)) {
        return AIR2_AUTHZ_IS_DENIED;
    }

    if (!$this->exists()) {
        return AIR2_AUTHZ_IS_NEW;
    }

    if ($this->srsan_cre_user == $user->user_id) {
        return AIR2_AUTHZ_IS_OWNER;
    }

    // may only write non-owned if MANAGER of owning user
    $creator = Doctrine::getTable('User')->find($this->srsan_cre_user);
    if ($creator && $creator->user_may_manage($user)) {
        return AIR2_AUTHZ_IS_MANAGER;
    }

    return AIR2_AUTHZ_IS_DENIED;
}
/**
 * Restrict a query to rows the user may write: rows whose bin_user_id is
 * the user's id. System users are not restricted.
 *
 * @param Doctrine_Query $q     query to constrain (modified in place)
 * @param User    $u     the user the restriction is built for
 * @param string  $alias (optional) table alias; it is interpolated into the
 *                       condition as-is, so it must be a trusted identifier
 */
public static function query_may_write($q, $u, $alias = null) {
    if (!$u->is_system()) {
        $prefix = "";
        if ($alias) {
            $prefix = "{$alias}.";
        }

        // the user id travels as a bound parameter, not as SQL text
        $q->addWhere("{$prefix}bin_user_id = ?", $u->user_id);
    }
}
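/**
 * Apply authz rules for who may manage a SrcResponse.
 *
 * Manageability is inherited from the parent SrcResponseSet: the WHERE
 * text produced by SrcResponseSet::query_may_manage() is reused inside a
 * subselect on src_response_set. System users are not restricted.
 *
 * @param AIR2_Query $q     query to constrain (modified in place)
 * @param User    $u     the user the restriction is built for
 * @param string  $alias (optional) table alias; interpolated as-is, so it
 *                       must be a trusted identifier
 */
public static function query_may_manage(AIR2_Query $q, User $u, $alias = null) {
    if ($u->is_system()) {
        return;
    }
    $a = $alias ? "{$alias}." : "";

    // manageable src_response_sets
    $tmp = AIR2_Query::create();
    SrcResponseSet::query_may_manage($tmp, $u);

    // array_pop() takes its argument by reference, so the where-parts must
    // be in a variable first (passing the call result directly raises
    // "Only variables should be passed by reference").
    // NOTE(review): only the LAST where fragment is reused, and no bound
    // parameters are copied from $tmp. If SrcResponseSet::query_may_manage()
    // ever adds more than one condition, or starts binding values, part of
    // the restriction would be lost here -- confirm it stays a single,
    // parameter-free condition.
    $where_parts = $tmp->getDqlPart('where');
    $srs_where = array_pop($where_parts);
    $srs_ids = "select srs_id from src_response_set where {$srs_where}";

    // add to query
    $q->addWhere("{$a}sr_srs_id in ({$srs_ids})");
}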
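/**
 * Update a User record from request data.
 *
 * Recognised keys in $data: uem_address, uph_number, uph_ext, org_uuid,
 * uo_user_title and avatar. Only in-memory records are changed here; no
 * save() is issued in this method.
 *
 * NOTE(review): no format or uniqueness check on uem_address is visible in
 * this method, yet for non-system users it also becomes the username --
 * confirm model-level validators cover both columns.
 *
 * @param User    $u    the user record being updated
 * @param array   $data submitted field values
 * @throws Rframe_Exception BAD_DATA for an unknown home-org UUID, a title
 *                          change without a home org, or a rejected avatar
 */
protected function air_update(User $u, $data) {
    if (isset($data['uem_address'])) {
        $u->UserEmailAddress[0]->uem_address = $data['uem_address'];
        $u->UserEmailAddress[0]->uem_primary_flag = true;

        // for NON-system users, sync username with email
        if (!$u->is_system()) {
            $u->user_username = $data['uem_address'];
        }
    }

    if (isset($data['uph_number']) || isset($data['uph_ext'])) {
        // whichever half was not submitted keeps its current value
        $number = isset($data['uph_number']) ? $data['uph_number'] : $u->UserPhoneNumber[0]->uph_number;
        $ext = isset($data['uph_ext']) ? $data['uph_ext'] : $u->UserPhoneNumber[0]->uph_ext;
        $u->UserPhoneNumber[0]->uph_number = $number;
        $u->UserPhoneNumber[0]->uph_ext = $ext;
        $u->UserPhoneNumber[0]->uph_country = 'USA';
        $u->UserPhoneNumber[0]->uph_primary_flag = true;
    }

    $old_title = null;
    if (isset($data['org_uuid'])) {
        // First pass: locate the requested home org and remember the title
        // held on the current home org, without modifying anything. The
        // original cleared uo_home_flag on every UserOrg before discovering
        // the UUID was invalid, leaving the in-memory user without a home
        // org when the exception was thrown.
        $new_home = false;
        foreach ($u->UserOrg as $uo) {
            if ($uo->uo_home_flag) {
                $old_title = $uo->uo_user_title;
            }
            if ($uo->Organization->org_uuid == $data['org_uuid']) {
                $new_home = $uo;
            }
        }
        if (!$new_home) {
            // separate local: the original overwrote the $u parameter here
            $bad_uuid = $data['org_uuid'];
            throw new Rframe_Exception(RFrame::BAD_DATA, "Invalid home-org UUID '{$bad_uuid}'");
        }

        // Second pass: run through all orgs, and change home
        foreach ($u->UserOrg as $uo) {
            $uo->uo_home_flag = ($uo->Organization->org_uuid == $data['org_uuid']);
        }

        // the title follows the user to the new home org
        if ($old_title) {
            $new_home->uo_user_title = $old_title;
        }
    }

    if (isset($data['uo_user_title'])) {
        // run through all orgs, and change home-org title
        $found = false;
        foreach ($u->UserOrg as $uo) {
            if ($uo->uo_home_flag) {
                $uo->uo_user_title = $data['uo_user_title'];
                $found = true;
            }
        }
        if (!$found) {
            throw new Rframe_Exception(RFrame::BAD_DATA, "Cannot change title: no home org");
        }
    }

    if (isset($data['avatar'])) {
        try {
            if (!$u->Avatar) {
                $u->Avatar = new ImageUserAvatar();
            }
            // NOTE(review): what set_image() accepts and how it validates it
            // is not visible here -- confirm it rejects anything that is not
            // an uploaded image.
            $u->Avatar->set_image($data['avatar']);
        }
        catch (Exception $e) {
            // NOTE(review): the underlying exception text is passed through
            // to the API error -- confirm it cannot contain filesystem paths
            // or other internals.
            throw new Rframe_Exception(RFrame::BAD_DATA, $e->getMessage());
        }
    }

    // an 'avatar' key that is present but empty removes the current avatar
    if (array_key_exists('avatar', $data) && !$data['avatar']) {
        if ($u->Avatar) {
            $u->Avatar->delete();
            $u->clearRelated('Avatar');
        }
    }
}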
/**
 * Manage authz: the user needs the ACTION_ORG_SRC_DELETE bit in at least
 * one of the organizations returned by this record's get_authz().
 *
 * When $respect_lock is true and src_has_acct equals Source::$ACCT_YES,
 * every non-system user is denied before roles are looked at.
 *
 * @param User    $user         the user asking to manage
 * @param bool    $respect_lock (optional) honour the src_has_acct lock
 * @return authz integer
 */
public function user_may_manage($user, $respect_lock = true) {
    if ($user->is_system()) {
        return AIR2_AUTHZ_IS_SYSTEM;
    }

    // the lock wins over any role
    if ($respect_lock && $this->src_has_acct == Source::$ACCT_YES) {
        return AIR2_AUTHZ_IS_DENIED;
    }

    // look for MANAGER role in related organization
    $roles_by_org = $user->get_authz();
    foreach ($this->get_authz() as $org_id) {
        if (!isset($roles_by_org[$org_id])) {
            // no role in this org: nothing to test
            continue;
        }
        if (ACTION_ORG_SRC_DELETE & $roles_by_org[$org_id]) {
            return AIR2_AUTHZ_IS_ORG;
        }
    }

    // no manager role found
    return AIR2_AUTHZ_IS_DENIED;
}
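/**
 * Apply authz rules for who may write.
 *
 * A row is writable when its inquiry is readable by the user (WHERE text
 * reused from Inquiry::query_may_read()) AND the row was created by the
 * user. System users are not restricted.
 *
 * @param AIR2_Query $q     query to constrain (modified in place)
 * @param User    $u     the user the restriction is built for
 * @param string  $alias (optional) table alias; interpolated as-is, so it
 *                       must be a trusted identifier
 */
public static function query_may_write(AIR2_Query $q, User $u, $alias = null) {
    if ($u->is_system()) {
        return;
    }
    $a = $alias ? "{$alias}." : "";

    // readable inquiries
    $tmp = AIR2_Query::create();
    Inquiry::query_may_read($tmp, $u);

    // array_pop() takes its argument by reference, so the where-parts must
    // be in a variable first.
    // NOTE(review): only the LAST where fragment is reused and no bound
    // parameters are copied from $tmp -- confirm Inquiry::query_may_read()
    // emits a single, parameter-free condition.
    $where_parts = $tmp->getDqlPart('where');
    $inq_where = array_pop($where_parts);
    $inq_ids = "select inq_id from inquiry where {$inq_where}";

    // The id is written into the SQL text rather than bound, so force it to
    // an integer before interpolating.
    $user_id = (int) $u->user_id;
    $own = "{$a}inqan_cre_user = {$user_id}";

    // add to query
    $q->addWhere("({$a}inqan_inq_id in ({$inq_ids}) and {$own})");
}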
/**
 * Apply authz rules for who may manage a SrcResponseSet.
 *
 * The manageable inquiry ids are fetched immediately over the shared
 * connection and written into the condition as a literal id list, so the
 * restriction reflects the user's roles at the time this method runs.
 * System users are not restricted.
 *
 * @param AIR2_Query $q     query to constrain (modified in place)
 * @param User    $u     the user the restriction is built for
 * @param string  $alias (optional) table alias; interpolated as-is, so it
 *                       must be a trusted identifier
 */
public static function query_may_manage(AIR2_Query $q, User $u, $alias = null) {
    if ($u->is_system()) {
        return;
    }
    $prefix = $alias ? "{$alias}." : "";

    // manageable: inquiries of projects tied to orgs where the user holds
    // the delete-srs action.
    // NOTE(review): the fragment from get_authz_str() is spliced into raw
    // SQL; how it is built is not visible here -- confirm it only ever
    // contains integer ids.
    $org_clause = $u->get_authz_str(ACTION_ORG_PRJ_INQ_SRS_DELETE, 'porg_org_id', true);
    $inq_sql = "select pinq_inq_id from project_inquiry where pinq_prj_id in "
        . "(select porg_prj_id from project_org where {$org_clause})";

    // fetch actual id's, to prevent doctrine from adding its own alias to
    // our columns (pinq fields will get re-aliased by doctrine).
    $conn = AIR2_DBManager::get_connection();
    $ids = $conn->fetchColumn($inq_sql, array(), 0);

    // "in (NULL)" matches no row, so an empty result denies everything
    $id_list = 'NULL';
    if (count($ids)) {
        $id_list = implode(',', $ids);
    }

    // add to query
    $q->addWhere("{$prefix}srs_inq_id in ({$id_list})");
}
/**
 * Write authz for a SavedSearch: anyone may create a new one, but an
 * existing one may only be written by the user in ssearch_cre_user.
 *
 * @param User    $user the user asking for write access
 * @return authz integer
 */
public function user_may_write($user) {
    if ($user->is_system()) {
        return AIR2_AUTHZ_IS_SYSTEM;
    }

    // a record that is not stored yet has no owner to check against
    if (!$this->exists()) {
        return AIR2_AUTHZ_IS_NEW;
    }

    return ($this->ssearch_cre_user == $user->user_id)
        ? AIR2_AUTHZ_IS_OWNER
        : AIR2_AUTHZ_IS_DENIED;
}
/**
 * Apply authz rules for who may manage a User.
 *
 * A user is manageable when they have a user_org row in an organization
 * where $u holds the ACTION_ORG_USR_DELETE action. System users are not
 * restricted.
 *
 * @param AIR2_Query $q     query to constrain (modified in place)
 * @param User    $u     the user the restriction is built for
 * @param string  $alias (optional) table alias; interpolated as-is, so it
 *                       must be a trusted identifier
 */
public static function query_may_manage(AIR2_Query $q, User $u, $alias = null) {
    if ($u->is_system()) {
        return;
    }
    $prefix = $alias ? "{$alias}." : "";

    // delete-usr authz in org
    $org_clause = $u->get_authz_str(ACTION_ORG_USR_DELETE, 'uo_org_id', false);

    // NOTE(review): the active-status value is read but never used, and the
    // subselect below has no membership-status condition. Confirm whether
    // get_authz_str() already limits the result to active memberships or
    // whether a status filter is missing here.
    $active_status = UserOrg::$STATUS_ACTIVE;

    $member_ids = "select uo_user_id from user_org where {$org_clause}";
    $q->addWhere("{$prefix}user_id in ({$member_ids})");
}
/**
 * Read authz: every user may read. System users get
 * AIR2_AUTHZ_IS_SYSTEM, all others AIR2_AUTHZ_IS_PUBLIC.
 *
 * @param User    $user the user asking for read access
 * @return authz integer (an AIR2_AUTHZ_* constant, not a boolean)
 */
public function user_may_read($user) {
    return $user->is_system() ? AIR2_AUTHZ_IS_SYSTEM : AIR2_AUTHZ_IS_PUBLIC;
}
/**
 * Write authz: the creator (out_cre_user) may write, a record that is not
 * stored yet may be created, and otherwise the decision is inherited from
 * the related Organization when there is one.
 *
 * Inheritance from Project and Inquiry was switched off per redmine #4022
 * ("only owner may edit") and is no longer evaluated.
 *
 * @param User    $user the user asking for write access
 * @return authz integer
 */
public function user_may_write($user) {
    if ($user->is_system()) {
        return AIR2_AUTHZ_IS_SYSTEM;
    }

    // The owner test runs before the exists() test, so a new record whose
    // out_cre_user is already set to this user reports IS_OWNER, not IS_NEW.
    if ($this->out_cre_user == $user->user_id) {
        return AIR2_AUTHZ_IS_OWNER;
    }
    if (!$this->exists()) {
        return AIR2_AUTHZ_IS_NEW;
    }

    // any truthy authz from the Organization is passed through unchanged
    $org_authz = $this->Organization
        ? $this->Organization->user_may_write($user)
        : null;
    if ($org_authz) {
        return $org_authz;
    }

    // per redmine #4022, only owner may edit: the PrjOutcome->Project and
    // InqOutcome->Inquiry write checks are intentionally not consulted
    return AIR2_AUTHZ_IS_DENIED;
}
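/**
 * Apply authz rules for who may manage an Inquiry.
 *
 * An inquiry is manageable when it belongs to a project that is tied to an
 * org where the user holds ACTION_ORG_PRJ_INQ_DELETE, or to a project the
 * user is contact for, or when the user created the inquiry. System users
 * are not restricted.
 *
 * @param AIR2_Query $q     query to constrain (modified in place)
 * @param User    $u     the user the restriction is built for
 * @param string  $alias (optional) table alias; interpolated as-is, so it
 *                       must be a trusted identifier
 */
public static function query_may_manage(AIR2_Query $q, User $u, $alias = null) {
    if ($u->is_system()) {
        return;
    }
    $a = $alias ? "{$alias}." : "";

    // The id is written into the SQL text (twice) rather than bound, so
    // force it to an integer before interpolating.
    $uid = (int) $u->user_id;

    // managable or contact-user
    // NOTE(review): the fragment from get_authz_str() is joined with "or"
    // without extra parentheses -- confirm it is a single self-contained
    // condition so the "or" cannot change its meaning.
    $mg_org_ids = $u->get_authz_str(ACTION_ORG_PRJ_INQ_DELETE, 'porg_org_id');
    $is_contact = "porg_contact_user_id={$uid}";
    $prj_ids = "select porg_prj_id from project_org where {$mg_org_ids} or {$is_contact}";
    $inq_ids = "select pinq_inq_id from project_inquiry where pinq_prj_id in ({$prj_ids})";

    // owner
    // NOTE(review): unlike inq_id below, this column is not prefixed with
    // the alias -- confirm it resolves to the inquiry table when an alias
    // is passed.
    $owner = "inq_cre_user={$uid}";

    // add to query
    $q->addWhere("({$a}inq_id in ({$inq_ids}) or {$owner})");
}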
/**
 * Read restriction inherited from Organization: non-system users get
 * whatever Organization::query_may_read() applies, called with the same
 * query, user and alias. System users are not restricted.
 *
 * @param AIR2_Query $q     query to constrain
 * @param User    $u     the user the restriction is built for
 * @param string  $alias (optional) passed through unchanged
 * @return unknown whatever Organization::query_may_read() returns; nothing
 *                 for system users
 */
public static function query_may_read(AIR2_Query $q, User $u, $alias = null) {
    if (!$u->is_system()) {
        return Organization::query_may_read($q, $u, $alias);
    }
    // system user: no condition added, nothing returned
}
/**
 * Apply authz rules for who may manage an Organization: restrict to orgs
 * where the user holds the ACTION_ORG_DELETE action. System users are not
 * restricted.
 *
 * @param AIR2_Query $q     query to constrain (modified in place)
 * @param User    $u     the user the restriction is built for
 * @param string  $alias (optional) table alias; prepended as-is, so it must
 *                       be a trusted identifier
 */
public static function query_may_manage(AIR2_Query $q, User $u, $alias = null) {
    if ($u->is_system()) {
        return;
    }
    $prefix = $alias ? "{$alias}." : "";

    // The alias is simply put in front of the returned fragment.
    // NOTE(review): that only yields a valid condition if the fragment
    // starts with the bare column name -- confirm against get_authz_str().
    $org_clause = $u->get_authz_str(ACTION_ORG_DELETE, 'org_id', false);
    $q->addWhere("{$prefix}{$org_clause}");
}
/**
 * Manage (delete) authz for a UserOrg.
 *
 * The user the record belongs to is treated as owner as long as no field
 * outside uo_user_title, uo_notify_flag and uo_home_flag has been modified.
 * Otherwise the caller needs the ACTION_ORG_USR_DELETE action in the
 * record's organization.
 *
 * @param User    $user the user asking to manage
 * @return authz integer
 */
public function user_may_manage($user) {
    if ($user->is_system()) {
        return AIR2_AUTHZ_IS_SYSTEM;
    }

    // TODO: remove this from manage
    if ($this->exists() && $this->uo_user_id == $user->user_id) {
        // fields a user may change on their own membership
        $self_editable = array(
            'uo_user_title'  => true,
            'uo_notify_flag' => true,
            'uo_home_flag'   => true,
        );

        // check that only allowed fields are set
        // NOTE(review): a record with no modified fields also passes this
        // test, so the owner branch is taken when this method is used to
        // authorise a delete -- confirm that is intended (see TODO above).
        $other_changes = array_diff_key($this->getModified(), $self_editable);
        if (count($other_changes) == 0) {
            return AIR2_AUTHZ_IS_OWNER;
        }
    }

    // delete-usr authz in related org
    $org_id = $this->uo_org_id;
    $roles_by_org = $user->get_authz();
    $role = 0;
    if (array_key_exists($org_id, $roles_by_org)) {
        $role = $roles_by_org[$org_id];
    }

    return (ACTION_ORG_USR_DELETE & $role)
        ? AIR2_AUTHZ_IS_MANAGER
        : AIR2_AUTHZ_IS_DENIED;
}
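/**
 * Read restriction inherited from Project.
 *
 * The ids of the projects the user may read are fetched immediately (WHERE
 * text reused from Project::query_may_read()) and written into the
 * condition as a literal id list. System users are not restricted.
 *
 * @param AIR2_Query $q     query to constrain (modified in place)
 * @param User    $u     the user the restriction is built for
 * @param string  $alias (optional) table alias; interpolated as-is, so it
 *                       must be a trusted identifier
 */
public static function query_may_read(AIR2_Query $q, User $u, $alias = null) {
    if ($u->is_system()) {
        return;
    }
    $a = $alias ? "{$alias}." : "";

    // readable projects
    $tmp = AIR2_Query::create();
    Project::query_may_read($tmp, $u);

    // array_pop() takes its argument by reference, so the where-parts must
    // be in a variable first.
    // NOTE(review): only the LAST where fragment is reused and no bound
    // parameters are copied from $tmp -- confirm Project::query_may_read()
    // emits a single, parameter-free condition.
    $where_parts = $tmp->getDqlPart('where');
    $prj_where = array_pop($where_parts);
    $prj_ids = "select prj_id from project where {$prj_where}";

    // fetch actual id's, to prevent doctrine from adding its own alias to
    // our columns (porg fields will get re-aliased by doctrine).
    $conn = AIR2_DBManager::get_connection();
    $rs = $conn->fetchColumn($prj_ids, array(), 0);

    // "in (NULL)" matches no row, so an empty result denies everything
    $prj_ids = count($rs) ? implode(',', $rs) : 'NULL';

    $q->addWhere("{$a}porg_prj_id in ({$prj_ids})");
}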
/**
 * Manage (delete) authz for SrcOrgs: for now, system users only; every
 * other user is denied.
 *
 * @param User    $user the user asking to manage
 * @return authz integer
 */
public function user_may_manage($user) {
    return $user->is_system() ? AIR2_AUTHZ_IS_SYSTEM : AIR2_AUTHZ_IS_DENIED;
}
/**
 * Restrict a query to rows whose bin is writable by the user, i.e. whose
 * bsrs_bin_id refers to a bin with the user's id in bin_user_id. System
 * users are not restricted.
 *
 * @param Doctrine_Query $q     query to constrain (modified in place)
 * @param User    $u     the user the restriction is built for
 * @param string  $alias (optional) table alias; interpolated as-is, so it
 *                       must be a trusted identifier
 */
public static function query_may_write($q, $u, $alias = null) {
    if (!$u->is_system()) {
        $prefix = "";
        if ($alias) {
            $prefix = "{$alias}.";
        }

        // the user id travels as a bound parameter, not as SQL text
        $q->addWhere(
            "{$prefix}bsrs_bin_id in (select bin_id from bin where bin_user_id=?)",
            $u->user_id
        );
    }
}
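/**
 * Apply authz rules for who may manage a Project.
 *
 * A project is manageable when the user is its contact user in
 * project_org, or holds ACTION_ORG_PRJ_DELETE in an org related to the
 * project. System users are not restricted.
 *
 * @param AIR2_Query $q     query to constrain (modified in place)
 * @param User    $u     the user the restriction is built for
 * @param string  $alias (optional) table alias; interpolated as-is, so it
 *                       must be a trusted identifier
 */
public static function query_may_manage(AIR2_Query $q, User $u, $alias = null) {
    if ($u->is_system()) {
        return;
    }
    $a = $alias ? "{$alias}." : "";

    // is user contact_user for this project
    // The id is written into the SQL text rather than bound, so force it to
    // an integer before interpolating.
    $user_id = (int) $u->user_id;
    $contact_prj_ids = "select porg_prj_id from project_org where porg_contact_user_id = {$user_id}";

    // NOTE(review): in the listing this condition was the literal "******"
    // (it looks masked), which leaves the contact-user subselect unused and
    // yields invalid SQL. It is restored here by analogy with $manager
    // below -- confirm against the upstream file.
    $contact_user = "{$a}prj_id in ({$contact_prj_ids})";

    // is user MANAGER in an org related to this project
    $org_ids = $u->get_authz_str(ACTION_ORG_PRJ_DELETE, 'porg_org_id', false);
    $manager_prj_ids = "select porg_prj_id from project_org where {$org_ids}";
    $manager = "{$a}prj_id in ({$manager_prj_ids})";

    // add complete where condition
    $q->addWhere("({$contact_user} or {$manager})");
}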
/**
 * Write authz: a user whose role in any organization carries the
 * ACTION_ORG_UPDATE bit may write. The record itself is not consulted.
 *
 * @param User    $u the user asking for write access
 * @return int AIR2_AUTHZ_IS_SYSTEM, AIR2_AUTHZ_IS_ORG or AIR2_AUTHZ_IS_DENIED
 */
public function user_may_write(User $u) {
    if ($u->is_system()) {
        return AIR2_AUTHZ_IS_SYSTEM;
    }

    // look for WRITER role in any organization
    foreach ($u->get_authz() as $role) {
        if ($role & ACTION_ORG_UPDATE) {
            return AIR2_AUTHZ_IS_ORG;
        }
    }

    // no WRITER role found
    return AIR2_AUTHZ_IS_DENIED;
}
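/**
 * Restrict to owner, and anyone able to update sources in a tank_org.
 *
 * A tank is readable when tank_user_id is the user's id, or when it is
 * linked through tank_org to an org where the user holds
 * ACTION_ORG_SRC_UPDATE. System users are not restricted.
 *
 * @param AIR2_Query $q     query to constrain (modified in place)
 * @param User    $u     the user the restriction is built for
 * @param string  $alias (optional) table alias; interpolated as-is, so it
 *                       must be a trusted identifier
 */
public static function query_may_read(AIR2_Query $q, User $u, $alias = null) {
    if ($u->is_system()) {
        return;
    }
    $a = $alias ? "{$alias}." : "";

    // The id is written into the SQL text rather than bound, so force it to
    // an integer before interpolating.
    $uid = (int) $u->user_id;

    // NOTE(review): the fragment from get_authz_str() is spliced into the
    // subselect as-is; how it is built is not visible here -- confirm it
    // only ever contains integer ids.
    $authz_str = $u->get_authz_str(ACTION_ORG_SRC_UPDATE, 'to_org_id');
    $subselect = "select to_tank_id from tank_org where {$authz_str}";

    $q->addWhere("({$a}tank_id in ({$subselect}) or {$a}tank_user_id = {$uid})");
}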
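/**
 * Apply authz rules for who may manage.
 *
 * Two conditions are added: the row's project must be manageable by the
 * user (subquery restricted by Project::query_may_manage()), and the row
 * must have been created by the user. System users are not restricted.
 *
 * @param AIR2_Query $q     query to constrain (modified in place)
 * @param User    $u     the user the restriction is built for
 * @param string  $alias (optional) table alias; interpolated as-is, so it
 *                       must be a trusted identifier
 */
public static function query_may_manage(AIR2_Query $q, User $u, $alias = null) {
    if ($u->is_system()) {
        return;
    }
    $a = $alias ? "{$alias}." : "";

    // manageable projects, as a DQL subquery
    // NOTE(review): only the DQL text of the subquery is embedded, so any
    // value Project::query_may_manage() bound as a parameter would be lost
    // -- confirm it adds parameter-free conditions only.
    $prjq = $q->createSubquery();
    $prjq->select('prj.prj_id');
    $prjq->from('Project prj');
    Project::query_may_manage($prjq, $u);
    $q->addWhere("{$a}prjan_prj_id IN (" . $prjq->getDql() . ")");

    // ... and created by this user (bound parameter; the unused $user_id
    // local of the original has been dropped)
    $q->addWhere("{$a}prjan_cre_user = ?", $u->user_id);
}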