function save_permissions($pg_id, $is_guest = false) { $sys_permissions_data = array_var($_POST, 'sys_perm'); $changed_members = array(); //module permissions $mod_permissions_data = array_var($_POST, 'mod_perm'); TabPanelPermissions::clearByPermissionGroup($pg_id); if (!is_null($mod_permissions_data) && is_array($mod_permissions_data)) { foreach ($mod_permissions_data as $tab_id => $val) { $tpp = new TabPanelPermission(); $tpp->setPermissionGroupId($pg_id); $tpp->setTabPanelId($tab_id); $tpp->save(); } } //system permissions $system_permissions = SystemPermissions::findById($pg_id); if (!$system_permissions instanceof SystemPermission) { $system_permissions = new SystemPermission(); $system_permissions->setPermissionGroupId($pg_id); } $system_permissions->setAllPermissions(false); $other_permissions = array(); Hook::fire('add_user_permissions', $pg_id, $other_permissions); foreach ($other_permissions as $k => $v) { $system_permissions->setColumnValue($k, false); } $sys_permissions_data['can_task_assignee'] = !$is_guest; $system_permissions->setFromAttributes($sys_permissions_data); $system_permissions->save(); //member permissions $permissionsString = array_var($_POST, 'permissions'); if ($permissionsString && $permissionsString != '') { $permissions = json_decode($permissionsString); } if (isset($permissions) && !is_null($permissions) && is_array($permissions)) { $allowed_members_ids = array(); foreach ($permissions as $perm) { if (!isset($all_perm_deleted[$perm->m])) { $all_perm_deleted[$perm->m] = true; } $allowed_members_ids[$perm->m] = array(); $allowed_members_ids[$perm->m]['pg'] = $pg_id; $cmp = ContactMemberPermissions::findById(array('permission_group_id' => $pg_id, 'member_id' => $perm->m, 'object_type_id' => $perm->o)); if (!$cmp instanceof ContactMemberPermission) { $cmp = new ContactMemberPermission(); $cmp->setPermissionGroupId($pg_id); $cmp->setMemberId($perm->m); $cmp->setObjectTypeId($perm->o); } $cmp->setCanWrite($is_guest ? false : $perm->w); $cmp->setCanDelete($is_guest ? false : $perm->d); if ($perm->r) { if (isset($allowed_members_ids[$perm->m]['w'])) { if ($allowed_members_ids[$perm->m]['w'] != 1) { $allowed_members_ids[$perm->m]['w'] = $is_guest ? false : $perm->w; } } else { $allowed_members_ids[$perm->m]['w'] = $is_guest ? false : $perm->w; } if (isset($allowed_members_ids[$perm->m]['d'])) { if ($allowed_members_ids[$perm->m]['d'] != 1) { $allowed_members_ids[$perm->m]['d'] = $is_guest ? false : $perm->d; } } else { $allowed_members_ids[$perm->m]['d'] = $is_guest ? false : $perm->d; } $cmp->save(); $all_perm_deleted[$perm->m] = false; } else { $cmp->delete(); } $changed_members[] = $perm->m; } $sharingTablecontroller = new SharingTableController(); $sharingTablecontroller->afterPermissionChanged($pg_id, $permissions); foreach ($allowed_members_ids as $key => $mids) { $mbm = Members::findById($key); $root_cmp = ContactMemberPermissions::findById(array('permission_group_id' => $mids['pg'], 'member_id' => $key, 'object_type_id' => $mbm->getObjectTypeId())); if (!$root_cmp instanceof ContactMemberPermission) { $root_cmp = new ContactMemberPermission(); $root_cmp->setPermissionGroupId($mids['pg']); $root_cmp->setMemberId($key); $root_cmp->setObjectTypeId($mbm->getObjectTypeId()); } $root_cmp->setCanWrite($mids['w']); $root_cmp->setCanDelete($mids['d']); $root_cmp->save(); } foreach ($all_perm_deleted as $mid => $pd) { if ($pd) { ContactMemberPermissions::instance()->delete("`permission_group_id` = {$pg_id} AND `member_id` = {$mid}"); } } } // set all permissiions to read_only if ($is_guest) { $all_saved_permissions = ContactMemberPermissions::findAll(array("conditions" => "`permission_group_id` = {$pg_id}")); foreach ($all_saved_permissions as $sp) { /* @var $sp ContactMemberPermission */ if ($sp->getCanDelete() || $sp->getCanWrite()) { $sp->setCanDelete(false); $sp->setCanWrite(false); $sp->save(); } } $cdps = ContactDimensionPermissions::findAll(array("conditions" => "`permission_type` = 'allow all'")); foreach ($cdps as $cdp) { $cdp->setPermissionType('check'); $cdp->save(); } } // check the status of the changed dimensions to set 'allow_all', 'deny_all' or 'check' $dimensions = Dimensions::findAll(array("conditions" => array("`id` IN (SELECT DISTINCT `dimension_id` FROM " . Members::instance()->getTableName(true) . " WHERE `id` IN (?))", $changed_members))); foreach ($dimensions as $dimension) { $mem_ids = $dimension->getAllMembers(true); if (count($mem_ids) == 0) { $mem_ids[] = 0; } $count = ContactMemberPermissions::count(array('conditions' => "`permission_group_id`={$pg_id} AND `member_id` IN (" . implode(",", $mem_ids) . ") AND `can_delete` = 0")); if ($count > 0) { $dimension->setContactDimensionPermission($pg_id, 'check'); } else { $count = ContactMemberPermissions::count(array('conditions' => "`permission_group_id`={$pg_id} AND `member_id` IN (" . implode(",", $mem_ids) . ")")); if ($count == 0) { $dimension->setContactDimensionPermission($pg_id, 'deny all'); } else { $allow_all = true; $dim_obj_types = $dimension->getAllowedObjectTypeContents(); $members = Members::findAll("`id` IN (" . implode(",", $mem_ids) . ")"); foreach ($dim_obj_types as $dim_obj_type) { $mem_ids_for_ot = array(); foreach ($members as $member) { if ($dim_obj_type->getDimensionObjectTypeId() == $member->getObjectTypeId()) { $mem_ids_for_ot[] = $member->getId(); } } if (count($mem_ids_for_ot) == 0) { $mem_ids_for_ot[] = 0; } $count = ContactMemberPermissions::count(array('conditions' => "`permission_group_id`={$pg_id} AND \n\t\t\t\t\t\t`object_type_id` = " . $dim_obj_type->getContentObjectTypeId() . " AND `can_delete` = 1 AND `member_id` IN (" . implode(",", $mem_ids_for_ot) . ")")); if ($count != count($mem_ids_for_ot)) { $allow_all = false; break; } } if ($allow_all) { $dimension->setContactDimensionPermission($pg_id, 'allow all'); } else { $dimension->setContactDimensionPermission($pg_id, 'check'); } } } } }
function saveMember($member_data, Member $member, $is_new = true) { try { DB::beginWork(); if (!$is_new) { $old_parent = $member->getParentMemberId(); } $member->setFromAttributes($member_data); /* @var $member Member */ $object_type = ObjectTypes::findById($member->getObjectTypeId()); if (!$object_type instanceof ObjectType) { throw new Exception(lang("you must select a valid object type")); } if ($member->getParentMemberId() == 0) { $dot = DimensionObjectTypes::findById(array('dimension_id' => $member->getDimensionId(), 'object_type_id' => $member->getObjectTypeId())); if (!$dot->getIsRoot()) { throw new Exception(lang("member cannot be root", lang($object_type->getName()))); } $member->setDepth(1); } else { $allowedParents = $this->getAssignableParents($member->getDimensionId(), $member->getObjectTypeId()); if (!$is_new) { $childrenIds = $member->getAllChildrenIds(true); } $hasValidParent = false; if ($member->getId() == $member->getParentMemberId() || !$is_new && in_array($member->getParentMemberId(), $childrenIds)) { throw new Exception(lang("invalid parent member")); } foreach ($allowedParents as $parent) { if ($parent['id'] == $member->getParentMemberId()) { $hasValidParent = true; break; } } if (!$hasValidParent) { throw new Exception(lang("invalid parent member")); } $parent = Members::findById($member->getParentMemberId()); if ($parent instanceof Member) { $member->setDepth($parent->getDepth() + 1); } else { $member->setDepth(1); } } if ($object_type->getType() == 'dimension_object') { $handler_class = $object_type->getHandlerClass(); if ($is_new || $member->getObjectId() == 0) { eval('$dimension_object = ' . $handler_class . '::instance()->newDimensionObject();'); } else { $dimension_object = Objects::findObject($member->getObjectId()); } if ($dimension_object) { $dimension_object->modifyMemberValidations($member); $dimension_obj_data = array_var($_POST, 'dim_obj'); if (!array_var($dimension_obj_data, 'name')) { $dimension_obj_data['name'] = $member->getName(); } eval('$fields = ' . $handler_class . '::getPublicColumns();'); foreach ($fields as $field) { if (array_var($field, 'type') == DATA_TYPE_DATETIME) { $dimension_obj_data[$field['col']] = getDateValue($dimension_obj_data[$field['col']]); } } $member->save(); $dimension_object->setFromAttributes($dimension_obj_data, $member); $dimension_object->save(); $member->setObjectId($dimension_object->getId()); $member->save(); Hook::fire("after_add_dimension_object_member", $member, $null); } } else { $member->save(); } // Other dimensions member restrictions $restricted_members = array_var($_POST, 'restricted_members'); if (is_array($restricted_members)) { MemberRestrictions::clearRestrictions($member->getId()); foreach ($restricted_members as $dim_id => $dim_members) { foreach ($dim_members as $mem_id => $member_restrictions) { $restricted = isset($member_restrictions['restricted']); if ($restricted) { $order_num = array_var($member_restrictions, 'order_num', 0); $member_restriction = new MemberRestriction(); $member_restriction->setMemberId($member->getId()); $member_restriction->setRestrictedMemberId($mem_id); $member_restriction->setOrder($order_num); $member_restriction->save(); } } } } // Save member property members (also check for required associations) if (array_var($_POST, 'save_properties')) { $required_association_ids = DimensionMemberAssociations::getRequiredAssociatations($member->getDimensionId(), $member->getObjectTypeId(), true); $missing_req_association_ids = array_fill_keys($required_association_ids, true); // if keeps record change is_active, if not delete record $old_properties = MemberPropertyMembers::getAssociatedPropertiesForMember($member->getId()); foreach ($old_properties as $property) { $association = DimensionMemberAssociations::findById($property->getAssociationId()); if (!$association->getKeepsRecord()) { $property->delete(); } } $new_properties = array(); $associated_members = array_var($_POST, 'associated_members', array()); foreach ($associated_members as $prop_member_id => $assoc_id) { $active_association = null; if (isset($missing_req_association_ids[$assoc_id])) { $missing_req_association_ids[$assoc_id] = false; } $conditions = "`association_id` = {$assoc_id} AND `member_id` = " . $member->getId() . " AND `is_active` = 1"; $active_associations = MemberPropertyMembers::find(array('conditions' => $conditions)); if (count($active_associations) > 0) { $active_association = $active_associations[0]; } $association = DimensionMemberAssociations::findById($assoc_id); if ($active_association instanceof MemberPropertyMember) { if ($active_association->getPropertyMemberId() != $prop_member_id) { if ($association->getKeepsRecord()) { $active_association->setIsActive(false); $active_association->save(); } // save current association $mpm = new MemberPropertyMember(); $mpm->setAssociationId($assoc_id); $mpm->setMemberId($member->getId()); $mpm->setPropertyMemberId($prop_member_id); $mpm->setIsActive(true); $mpm->save(); $new_properties[] = $mpm; } } else { // save current association $mpm = new MemberPropertyMember(); $mpm->setAssociationId($assoc_id); $mpm->setMemberId($member->getId()); $mpm->setPropertyMemberId($prop_member_id); $mpm->setIsActive(true); $mpm->save(); $new_properties[] = $mpm; } } $missing_names = array(); $missing_count = 0; foreach ($missing_req_association_ids as $assoc => $missing) { $assoc_instance = DimensionMemberAssociations::findById($assoc); if ($assoc_instance instanceof DimensionMemberAssociation) { $assoc_dim = Dimensions::getDimensionById($assoc_instance->getAssociatedDimensionMemberAssociationId()); if ($assoc_dim instanceof Dimension) { if (!in_array($assoc_dim->getName(), $missing_names)) { $missing_names[] = $assoc_dim->getName(); } } } if ($missing) { $missing_count++; } } if ($missing_count > 0) { throw new Exception(lang("missing required associations", implode(", ", $missing_names))); } $args = array($member, $old_properties, $new_properties); Hook::fire('edit_member_properties', $args, $ret); } if ($is_new) { // set all permissions for the creator $dimension = $member->getDimension(); $allowed_object_types = array(); $dim_obj_types = $dimension->getAllowedObjectTypeContents(); foreach ($dim_obj_types as $dim_obj_type) { // To draw a row for each object type of the dimension if (!in_array($dim_obj_type->getContentObjectTypeId(), $allowed_object_types) && $dim_obj_type->getDimensionObjectTypeId() == $member->getObjectTypeId()) { $allowed_object_types[] = $dim_obj_type->getContentObjectTypeId(); } } $allowed_object_types[] = $object_type->getId(); foreach ($allowed_object_types as $ot) { $cmp = ContactMemberPermissions::findOne(array('conditions' => 'permission_group_id = ' . logged_user()->getPermissionGroupId() . ' AND member_id = ' . $member->getId() . ' AND object_type_id = ' . $ot)); if (!$cmp instanceof ContactMemberPermission) { $cmp = new ContactMemberPermission(); $cmp->setPermissionGroupId(logged_user()->getPermissionGroupId()); $cmp->setMemberId($member->getId()); $cmp->setObjectTypeId($ot); } $cmp->setCanWrite(1); $cmp->setCanDelete(1); $cmp->save(); } // set all permissions for permission groups that has allow all in the dimension $permission_groups = ContactDimensionPermissions::findAll(array("conditions" => array("`dimension_id` = ? AND `permission_type` = 'allow all'", $dimension->getId()))); if (is_array($permission_groups)) { foreach ($permission_groups as $pg) { foreach ($allowed_object_types as $ot) { $cmp = ContactMemberPermissions::findById(array('permission_group_id' => $pg->getPermissionGroupId(), 'member_id' => $member->getId(), 'object_type_id' => $ot)); if (!$cmp instanceof ContactMemberPermission) { $cmp = new ContactMemberPermission(); $cmp->setPermissionGroupId($pg->getPermissionGroupId()); $cmp->setMemberId($member->getId()); $cmp->setObjectTypeId($ot); } $cmp->setCanWrite(1); $cmp->setCanDelete(1); $cmp->save(); } } } // Inherit permissions from parent node, if they are not already set if ($member->getDepth() && $member->getParentMember()) { $parentNodeId = $member->getParentMember()->getId(); $condition = "member_id = {$parentNodeId}"; foreach (ContactMemberPermissions::instance()->findAll(array("conditions" => $condition)) as $parentPermission) { /* @var $parentPermission ContactMemberPermission */ $g = $parentPermission->getPermissionGroupId(); $t = $parentPermission->getObjectTypeId(); $w = $parentPermission->getCanWrite(); $d = $parentPermission->getCanDelete(); $existsCondition = "member_id = " . $member->getId() . " AND permission_group_id= {$g} AND object_type_id = {$t}"; if (!ContactMemberPermissions::instance()->count(array("conditions" => $existsCondition))) { $newPermission = new ContactMemberPermission(); $newPermission->setPermissionGroupId($g); $newPermission->setObjectTypeId($t); $newPermission->setCanWrite($w); $newPermission->setCanDelete($d); $newPermission->setMemberId($member->getId()); $newPermission->save(); } } } // Fill sharing table if is a dimension object (after permission creation); if (isset($dimension_object) && $dimension_object instanceof ContentDataObject) { $dimension_object->addToSharingTable(); } } else { // if parent changed rebuild object_members for every object in this member if ($old_parent != $member->getParentMemberId()) { $sql = "SELECT om.object_id FROM " . TABLE_PREFIX . "object_members om WHERE om.member_id=" . $member->getId(); $object_ids = DB::executeAll($sql); if (!is_array($object_ids)) { $object_ids = array(); } foreach ($object_ids as $row) { $content_object = Objects::findObject($row['object_id']); if (!$content_object instanceof ContentDataObject) { continue; } $parent_ids = array(); if ($old_parent > 0) { $all_parents = Members::findById($old_parent)->getAllParentMembersInHierarchy(true); foreach ($all_parents as $p) { $parent_ids[] = $p->getId(); } if (count($parent_ids) > 0) { DB::execute("DELETE FROM " . TABLE_PREFIX . "object_members WHERE object_id=" . $content_object->getId() . " AND member_id IN (" . implode(",", $parent_ids) . ")"); } } $content_object->addToMembers(array($member)); $content_object->addToSharingTable(); } } } DB::commit(); flash_success(lang('success save member', lang(ObjectTypes::findById($member->getObjectTypeId())->getName()), $member->getName())); ajx_current("back"); // Add od to array on new members if ($is_new) { $member_data['member_id'] = $member->getId(); } evt_add("after member save", $member_data); return $member; } catch (Exception $e) { DB::rollback(); flash_error($e->getMessage()); ajx_current("empty"); } }
function save_permissions($pg_id, $is_guest = false, $permissions_data = null, $save_cmps = true, $update_sharing_table = true, $fire_hook = true, $update_contact_member_cache = true, $users_ids_to_check = array(), $only_member_permissions = false) { if (is_null($permissions_data)) { // system permissions $sys_permissions_data = array_var($_POST, 'sys_perm'); // module permissions $mod_permissions_data = array_var($_POST, 'mod_perm'); // root permissions if ($rp_genid = array_var($_POST, 'root_perm_genid')) { $rp_permissions_data = array(); foreach ($_POST as $name => $value) { if (str_starts_with($name, $rp_genid . 'rg_root_')) { $rp_permissions_data[$name] = $value; } } } // member permissions $permissionsString = array_var($_POST, 'permissions'); } else { // system permissions $sys_permissions_data = array_var($permissions_data, 'sys_perm'); // module permissions $mod_permissions_data = array_var($permissions_data, 'mod_perm'); // root permissions $rp_genid = array_var($permissions_data, 'root_perm_genid'); $rp_permissions_data = array_var($permissions_data, 'root_perm'); // member permissions $permissionsString = array_var($permissions_data, 'permissions'); } try { DB::beginWork(); $changed_members = array(); // save module permissions if (!$only_member_permissions) { try { TabPanelPermissions::clearByPermissionGroup($pg_id, true); if (!is_null($mod_permissions_data) && is_array($mod_permissions_data)) { foreach ($mod_permissions_data as $tab_id => $val) { DB::execute("INSERT INTO " . TABLE_PREFIX . "tab_panel_permissions (permission_group_id,tab_panel_id) VALUES ('{$pg_id}','{$tab_id}') ON DUPLICATE KEY UPDATE permission_group_id=permission_group_id"); } } } catch (Exception $e) { Logger::log("Error saving module permissions for permission group {$pg_id}: " . $e->getMessage() . "\n" . $e->getTraceAsString()); throw $e; } } $root_permissions_sharing_table_delete = array(); $root_permissions_sharing_table_add = array(); if (logged_user() instanceof Contact && can_manage_security(logged_user())) { try { if (!$only_member_permissions) { // save system permissions $system_permissions = SystemPermissions::findById($pg_id); if (!$system_permissions instanceof SystemPermission) { $system_permissions = new SystemPermission(); $system_permissions->setPermissionGroupId($pg_id); } $system_permissions->setAllPermissions(false); $other_permissions = array(); Hook::fire('add_user_permissions', $pg_id, $other_permissions); foreach ($other_permissions as $k => $v) { $system_permissions->setColumnValue($k, false); } // check max permissions for role, in case of modifying user's permissions $role_id = "-1"; $tmp_contact = Contacts::findOne(array('conditions' => 'permission_group_id = ' . $pg_id)); if ($tmp_contact instanceof Contact) { $role_id = $tmp_contact->getUserType(); } $max_role_system_permissions = MaxSystemPermissions::findOne(array('conditions' => 'permission_group_id = ' . $role_id)); if ($max_role_system_permissions instanceof MaxSystemPermission) { foreach ($sys_permissions_data as $col => &$val) { $max_val = $max_role_system_permissions->getColumnValue($col); if (!$max_val) { unset($sys_permissions_data[$col]); } } } // don't allow to write emails for collaborators and guests if ($tmp_contact instanceof Contact) { $user_type_name = $tmp_contact->getUserTypeName(); if (!in_array($user_type_name, array('Super Administrator', 'Administrator', 'Manager', 'Executive'))) { $mail_ot = ObjectTypes::findByName('mail'); if ($mail_ot instanceof ObjectType) { DB::executeAll("UPDATE " . TABLE_PREFIX . "contact_member_permissions SET can_write=0, can_delete=0 WHERE object_type_id=" . $mail_ot->getId() . " AND permission_group_id={$pg_id}"); } } } $sys_permissions_data['can_task_assignee'] = !$is_guest; $system_permissions->setFromAttributes($sys_permissions_data); $system_permissions->setUseOnDuplicateKeyWhenInsert(true); $system_permissions->save(); //object type root permissions $can_have_root_permissions = config_option('let_users_create_objects_in_root') && in_array($user_type_name, array('Super Administrator', 'Administrator', 'Manager', 'Executive')); if ($rp_genid && $can_have_root_permissions) { ContactMemberPermissions::delete("permission_group_id = {$pg_id} AND member_id = 0"); foreach ($rp_permissions_data as $name => $value) { if (str_starts_with($name, $rp_genid . 'rg_root_')) { $rp_ot = substr($name, strrpos($name, '_') + 1); if (is_numeric($rp_ot) && $rp_ot > 0 && $value == 0) { $root_permissions_sharing_table_delete[] = $rp_ot; } if (!is_numeric($rp_ot) || $rp_ot <= 0 || $value < 1) { continue; } $root_permissions_sharing_table_add[] = $rp_ot; // save with member_id = 0 $root_perm_cmp = new ContactMemberPermission(); $root_perm_cmp->setPermissionGroupId($pg_id); $root_perm_cmp->setMemberId('0'); $root_perm_cmp->setObjectTypeId($rp_ot); $root_perm_cmp->setCanWrite($value >= 2); $root_perm_cmp->setCanDelete($value >= 3); $root_perm_cmp->save(); } } } if (!$can_have_root_permissions) { ContactMemberPermissions::delete("permission_group_id = {$pg_id} AND member_id = 0"); $sh_controller = new SharingTableController(); $all_object_type_ids = ObjectTypes::findAll(array('id' => true)); $sh_controller->adjust_root_permissions($pg_id, array('root_permissions_sharing_table_delete' => $all_object_type_ids)); } } } catch (Exception $e) { Logger::log("Error saving system and root permissions for permission group {$pg_id}: " . $e->getMessage() . "\n" . $e->getTraceAsString()); throw $e; } } // set all permissions to read_only if user is guest if ($is_guest) { try { $all_saved_permissions = ContactMemberPermissions::findAll(array("conditions" => "`permission_group_id` = {$pg_id}")); foreach ($all_saved_permissions as $sp) { /* @var $sp ContactMemberPermission */ if ($sp->getCanDelete() || $sp->getCanWrite()) { $sp->setCanDelete(false); $sp->setCanWrite(false); $sp->save(); } } $cdps = ContactDimensionPermissions::findAll(array("conditions" => "`permission_type` = 'allow all'")); foreach ($cdps as $cdp) { $cdp->setPermissionType('check'); $cdp->save(); } } catch (Exception $e) { Logger::log("Error setting guest user permissions to read_only for permission group {$pg_id}: " . $e->getMessage() . "\n" . $e->getTraceAsString()); throw $e; } } // check the status of the changed dimensions to set 'allow_all', 'deny_all' or 'check' try { $dimensions = Dimensions::findAll(array("conditions" => array("`id` IN (SELECT DISTINCT `dimension_id` FROM " . Members::instance()->getTableName(true) . " WHERE `id` IN (?))", $changed_members))); foreach ($dimensions as $dimension) { $dimension->setContactDimensionPermission($pg_id, 'check'); } } catch (Exception $e) { Logger::log("Error setting dimension permissions for permission group {$pg_id}: " . $e->getMessage() . "\n" . $e->getTraceAsString()); throw $e; } //member permissions if ($permissionsString && $permissionsString != '') { $permissions = json_decode($permissionsString); } if (isset($permissions) && !is_null($permissions) && is_array($permissions)) { try { $tmp_contact = Contacts::findOne(array('conditions' => 'permission_group_id = ' . $pg_id)); if ($tmp_contact instanceof Contact) { $user_type_name = $tmp_contact->getUserTypeName(); $role_id = $tmp_contact->getUserType(); $max_role_ot_perms = MaxRoleObjectTypePermissions::instance()->findAll(array('conditions' => "role_id = '{$role_id}'")); } $mail_ot = ObjectTypes::findByName('mail'); $sql_insert_values = ""; $member_object_types_to_delete = array(); $allowed_members_ids = array(); foreach ($permissions as &$perm) { if (!isset($all_perm_deleted[$perm->m])) { $all_perm_deleted[$perm->m] = true; } $allowed_members_ids[$perm->m] = array(); $allowed_members_ids[$perm->m]['pg'] = $pg_id; if ($perm->r) { if (isset($allowed_members_ids[$perm->m]['w'])) { if ($allowed_members_ids[$perm->m]['w'] != 1) { $allowed_members_ids[$perm->m]['w'] = $is_guest ? false : $perm->w; } } else { $allowed_members_ids[$perm->m]['w'] = $is_guest ? false : $perm->w; } if (isset($allowed_members_ids[$perm->m]['d'])) { if ($allowed_members_ids[$perm->m]['d'] != 1) { $allowed_members_ids[$perm->m]['d'] = $is_guest ? false : $perm->d; } } else { $allowed_members_ids[$perm->m]['d'] = $is_guest ? false : $perm->d; } // check max permissions for user type if ($tmp_contact instanceof Contact) { $max_perm = null; foreach ($max_role_ot_perms as $max_role_ot_perm) { if ($max_role_ot_perm->getObjectTypeId() == $perm->o) { $max_perm = $max_role_ot_perm; } } if ($max_perm) { if (!$max_perm->getCanDelete()) { $perm->d = 0; } if (!$max_perm->getCanWrite()) { $perm->w = 0; } } else { $perm->d = 0; $perm->w = 0; $perm->r = 0; } } if ($save_cmps) { // don't allow to write emails for collaborators and guests if ($tmp_contact instanceof Contact && !in_array($user_type_name, array('Super Administrator', 'Administrator', 'Manager', 'Executive'))) { if ($mail_ot instanceof ObjectType && $perm->o == $mail_ot->getId()) { $perm->d = 0; $perm->w = 0; } } $sql_insert_values .= ($sql_insert_values == "" ? "" : ",") . "('" . $pg_id . "','" . $perm->m . "','" . $perm->o . "','" . $perm->d . "','" . $perm->w . "')"; if (!isset($member_object_types_to_delete[$perm->m])) { $member_object_types_to_delete[$perm->m] = array(); } $member_object_types_to_delete[$perm->m][] = $perm->o; } $all_perm_deleted[$perm->m] = false; } else { if (is_numeric($perm->m) && is_numeric($perm->o)) { DB::execute("DELETE FROM " . TABLE_PREFIX . "contact_member_permissions WHERE member_id='" . $perm->m . "' AND object_type_id='" . $perm->o . "' AND permission_group_id={$pg_id}"); } } $changed_members[] = $perm->m; } if ($save_cmps) { if (count($all_perm_deleted) > 0) { $member_ids_to_delete = array(); foreach ($all_perm_deleted as $mid => $del) { // also check in contact_member_permissions $cmps = ContactMemberPermissions::findAll(array('conditions' => 'permission_group_id=' . $pg_id . " AND member_id={$mid}")); if ($del && (!is_array($cmps) || count($cmps) == 0)) { $member_ids_to_delete[] = $mid; } } if (count($member_ids_to_delete) > 0) { DB::execute("DELETE FROM " . TABLE_PREFIX . "contact_member_permissions WHERE member_id IN (" . implode(',', $member_ids_to_delete) . ") AND permission_group_id={$pg_id}"); } } foreach ($member_object_types_to_delete as $mid => $obj_type_ids) { if (count($obj_type_ids) > 0) { DB::execute("DELETE FROM " . TABLE_PREFIX . "contact_member_permissions WHERE member_id={$mid} AND object_type_id IN (" . implode(',', $obj_type_ids) . ") AND permission_group_id={$pg_id}"); } } if ($sql_insert_values != "") { DB::execute("INSERT INTO " . TABLE_PREFIX . "contact_member_permissions (permission_group_id, member_id, object_type_id, can_delete, can_write) VALUES {$sql_insert_values} ON DUPLICATE KEY UPDATE member_id=member_id"); } } } catch (Exception $e) { Logger::log("Error saving member permissions for permission group {$pg_id}: " . $e->getMessage() . "\n" . $e->getTraceAsString()); throw $e; } } DB::commit(); } catch (Exception $e) { Logger::log("Error saving permissions for permission group {$pg_id}: " . $e->getMessage() . "\n" . $e->getTraceAsString()); DB::rollback(); } try { if (isset($permissions) && !is_null($permissions) && is_array($permissions)) { if ($update_sharing_table) { try { $sharingTablecontroller = new SharingTableController(); $rp_info = array('root_permissions_sharing_table_delete' => $root_permissions_sharing_table_delete, 'root_permissions_sharing_table_add' => $root_permissions_sharing_table_add); $sharingTablecontroller->afterPermissionChanged($pg_id, $permissions, $rp_info); } catch (Exception $e) { Logger::log("Error saving permissions to sharing table for permission group {$pg_id}: " . $e->getMessage() . "\n" . $e->getTraceAsString()); throw $e; } } if ($update_contact_member_cache) { try { $contactMemberCacheController = new ContactMemberCacheController(); $group = PermissionGroups::findById($pg_id); $real_group = null; if ($group->getType() == 'user_groups') { $real_group = $group; } $users = $group->getUsers(); $users_ids_checked = array(); foreach ($users as $us) { $users_ids_checked[] = $us->getId(); $contactMemberCacheController->afterUserPermissionChanged($us, $permissions, $real_group); } //check all users related to the group foreach ($users_ids_to_check as $us_id) { if (!in_array($us_id, $users_ids_checked)) { $users_ids_checked[] = $us_id; $us = Contacts::findById($us_id); if ($us instanceof Contact) { $contactMemberCacheController->afterUserPermissionChanged($us, $permissions, $real_group); } } } } catch (Exception $e) { Logger::log("Error saving permissions to contact member cache for permission group {$pg_id}: " . $e->getMessage() . "\n" . $e->getTraceAsString()); throw $e; } } } } catch (Exception $e) { Logger::log("Error saving module permissions for permission group {$pg_id}: " . $e->getMessage() . "\n" . $e->getTraceAsString()); } if ($fire_hook) { Hook::fire('after_save_contact_permissions', $pg_id, $pg_id); } // remove contact object from members where permissions were deleted $user = Contacts::findOne(array('conditions' => 'permission_group_id=' . $pg_id)); if ($user instanceof Contact) { $to_remove = array(); if (isset($all_perm_deleted) && is_array($all_perm_deleted)) { foreach ($all_perm_deleted as $m_id => $must_remove) { if ($must_remove) { $to_remove[] = $m_id; } } ObjectMembers::removeObjectFromMembers($user, logged_user(), null, $to_remove); } } }