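/**
 * Handles a POST that revokes a role: either the caller revokes one of their
 * own roles, or a second party revokes someone else's role.
 *
 * Reads the role id from $_POST['id'] and renders role_self_revoked.php or
 * role_revoked.php accordingly, then exits.
 *
 * @throws Exception      if the caller is not a registered user (or the portal
 *                        is read only and the caller is not an admin)
 * @throws LogicException if the id is missing/non-numeric or no role has that id
 */
function view_revoke_request()
{
    require_once __DIR__ . '/../../../../lib/Gocdb_Services/Factory.php';
    require_once __DIR__ . '/../../components/Get_User_Principle.php';
    require_once __DIR__ . '/../utils.php';

    $dn = Get_User_Principle();
    $user = \Factory::getUserService()->getUserByPrinciple($dn);
    if ($user == null) {
        throw new Exception("Unregistered users can't revoke roles");
    }
    // Check the portal is not in read only mode, returns exception if it is and user is not an admin
    checkPortalIsNotReadOnlyOrUserIsAdmin($user);

    // Validate the id before reading it: the previous unguarded read of
    // $_POST['id'] raised a notice whenever the key was absent.
    if (!isset($_POST['id']) || !is_numeric($_POST['id'])) {
        throw new LogicException("Invalid role id");
    }
    $requestId = $_POST['id'];

    // NOTE(review): no CSRF token is verified in this handler; confirm that the
    // front controller / framework enforces one for state-changing POSTs.

    // Either a self revocation or revoke is requested by 2nd party.
    // This function does not check that $user may revoke $role itself; that
    // check is presumably done inside revokeRole() — confirm.
    $role = \Factory::getRoleService()->getRoleById($requestId);
    if ($role == null) {
        // Previously a fatal error on $role->getUser() below.
        throw new LogicException("Invalid role id");
    }

    // Decide self vs. 2nd-party before the role is revoked, so the decision
    // does not depend on the state of the entity after revocation.
    $isSelfRevocation = ($role->getUser() == $user);
    \Factory::getRoleService()->revokeRole($role, $user);

    if ($isSelfRevocation) {
        show_view('political_role/role_self_revoked.php');
    } else {
        show_view('political_role/role_revoked.php');
    }
    die;
}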
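/**
 * Renders the NGI view page for the NGI whose id is given in $_GET['id'].
 *
 * The $params handed to the view contain: the NGI itself, its GRANTED roles,
 * its projects, its sites (each with scope/parent-scope info), its
 * RoleActionRecords, and flags about the caller (authenticated, admin,
 * may edit the NGI, portal read-only for this caller).
 *
 * @throws Exception if no numeric id is given or no NGI has that id
 */
function view_ngi()
{
    require_once __DIR__ . '/../../../../lib/Gocdb_Services/Factory.php';
    require_once __DIR__ . '/../utils.php';
    require_once __DIR__ . '/../../../web_portal/components/Get_User_Principle.php';

    if (!isset($_GET['id']) || !is_numeric($_GET['id'])) {
        throw new Exception("An id must be specified");
    }
    $ngiId = $_GET['id'];

    // Look the user up even when the portal is read only, so an admin still sees edit links.
    $dn = Get_User_Principle();
    $user = \Factory::getUserService()->getUserByPrinciple($dn);

    $params = array();
    $params['portalIsReadOnly'] = portalIsReadOnlyAndUserIsNotAdmin($user);
    $params['UserIsAdmin'] = false;
    if (!is_null($user)) {
        $params['UserIsAdmin'] = $user->isAdmin();
    }
    $params['authenticated'] = ($user != null);

    $ngiServ = \Factory::getNgiService();
    $siteServ = \Factory::getSiteService();
    $ngi = $ngiServ->getNgi($ngiId);
    // Fail with a clear message instead of a fatal error on a null object below
    // (consistent with view_user's "No user with that ID").
    if ($ngi === null) {
        throw new Exception("No NGI with that ID");
    }

    // Does the current viewer have edit permissions over the NGI?
    $params['ShowEdit'] = (count($ngiServ->authorizeAction(\Action::EDIT_OBJECT, $ngi, $user)) >= 1);
    $params['ngi'] = $ngi;

    // Only GRANTED roles over the NGI are shown.
    $roles = array();
    foreach ($ngi->getRoles() as $role) {
        if ($role->getStatus() == \RoleStatus::GRANTED) {
            $roles[] = $role;
        }
    }
    $params['roles'] = $roles;

    $params['Projects'] = $ngi->getProjects();

    // Each site is paired with its scopes (including parent-scope info).
    $params['SitesAndScopes'] = array();
    foreach ($ngi->getSites() as $site) {
        $params['SitesAndScopes'][] = array(
            'Site' => $site,
            'Scopes' => $siteServ->getScopesWithParentScopeInfo($site),
        );
    }

    $params['RoleActionRecords'] = \Factory::getRoleService()->getRoleActionRecordsById_Type($ngi->getId(), 'ngi');

    show_view('ngi/view_ngi.php', $params, $ngi->getName());
    die;
}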
/**
 * Renders the user view page for the user whose id is given in $_GET['id'].
 *
 * The target user's GRANTED roles are passed to the view; each role's
 * decorator object is set to a string describing how the caller may revoke
 * it: '[Self revoke own role]' when the caller views their own page, or the
 * bracketed list of the caller's roles that authorise REVOKE_ROLE over the
 * role's entity (left unset when the caller holds none).
 *
 * @throws Exception if no numeric id is given or no user has that id
 */
function view_user()
{
    require_once __DIR__ . '/../../../../lib/Gocdb_Services/Factory.php';
    require_once __DIR__ . '/../../components/Get_User_Principle.php';

    if (!isset($_GET['id']) || !is_numeric($_GET['id'])) {
        throw new Exception("An id must be specified");
    }
    $userServ = \Factory::getUserService();
    $roleServ = \Factory::getRoleService();

    $targetUser = $userServ->getUser($_GET['id']);
    if ($targetUser === null) {
        throw new Exception("No user with that ID");
    }

    $grantedRoles = $roleServ->getUserRoles($targetUser, \RoleStatus::GRANTED);
    $callingUser = $userServ->getUserByPrinciple(Get_User_Principle());

    if ($targetUser == $callingUser) {
        // Viewing one's own roles: each of them can be self-revoked.
        foreach ($grantedRoles as $role) {
            $role->setDecoratorObject('[Self revoke own role]');
        }
    } else {
        // Which of the caller's roles allow revoking each of the target's roles?
        foreach ($grantedRoles as $role) {
            $authorisingRoleNames = $roleServ->authorizeAction(\Action::REVOKE_ROLE, $role->getOwnedEntity(), $callingUser);
            if (count($authorisingRoleNames) >= 1) {
                $role->setDecoratorObject('[' . implode(', ', $authorisingRoleNames) . '] ');
            }
        }
    }

    // May the caller edit the target user? editUserAuthorization throws when not.
    $showEdit = true;
    try {
        $userServ->editUserAuthorization($targetUser, $callingUser);
    } catch (Exception $e) {
        $showEdit = false;
    }

    /* @var $authToken \org\gocdb\security\authentication\IAuthentication */
    $authToken = Get_User_AuthToken();

    $params = array(
        'user' => $targetUser,
        'ShowEdit' => $showEdit,
        'authAttributes' => $authToken->getDetails(),
        'roles' => $grantedRoles,
        'portalIsReadOnly' => \Factory::getConfigService()->IsPortalReadOnly(),
    );
    show_view("user/view_user.php", $params, $targetUser->getFullName());
}
/**
 * Renders the GOCDB start page: the pending role requests the calling user
 * can approve, plus the map configuration (show flag and Google API key).
 *
 * NOTE(review): $user may be null for unregistered visitors; presumably
 * getPendingRolesUserCanApprove() copes with that — confirm.
 */
function startPage()
{
    require_once __DIR__ . '/../../../lib/Gocdb_Services/Factory.php';
    require_once __DIR__ . '/../components/Get_User_Principle.php';

    $principle = Get_User_Principle();
    $user = \Factory::getUserService()->getUserByPrinciple($principle);
    $pendingRoles = \Factory::getRoleService()->getPendingRolesUserCanApprove($user);

    $configServ = \Factory::getConfigService();
    $params = array(
        'roles' => $pendingRoles,
        'googleAPIKey' => $configServ->getGoogleAPIKey(),
        'showMap' => $configServ->getShowMapOnStartPage(),
    );
    show_view('start_page.php', $params, "GOCDB", null);
}
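/**
 * Processes a role request submission: creates a new Role linking the user,
 * the owned entity and the role type, optionally notifies by email, and
 * renders the "new request" view.
 *
 * @param string $roleName name of the requested role type
 * @param mixed  $entityId id of the OwnedEntity the role is requested over (must be numeric)
 * @param \User  $user     current user
 * @throws Exception if no user is given, the entityId is not numeric, no entity
 *                   has that id, or addRole() rejects the request
 */
function submitRoleRequest($roleName, $entityId, \User $user = null)
{
    // A role request without a requesting user is meaningless; reject it up
    // front instead of letting addRole() fail on a null user.
    if ($user === null) {
        throw new Exception("Unregistered users can't request roles");
    }
    // Validate the entityId is numeric.
    if (!is_numeric($entityId)) {
        throw new Exception('Invalid entityId');
    }
    // Get the owned entity instance; an unknown id must not reach addRole().
    $entity = \Factory::getOwnedEntityService()->getOwnedEntityById($entityId);
    if ($entity === null) {
        throw new Exception('Invalid entityId');
    }
    // Create a new Role linking user, entity and role type. addRole performs
    // the role validation and throws exceptions accordingly.
    \Factory::getRoleService()->addRole($roleName, $user, $entity);
    if (\Factory::getConfigService()->getSendEmails()) {
        \Factory::getNotificationService()->roleRequest($entity);
    }
    show_view('political_role/new_request.php');
}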
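/**
 * Renders the service group view page for the group whose id is given in
 * $_GET['id'].
 *
 * The $params handed to the view contain: the group, the downtimes affecting
 * its services (last 31 days), its GRANTED roles, its RoleActionRecords, and
 * flags about the caller (authenticated, may edit, portal read-only).
 *
 * @throws Exception if no numeric id is given or no service group has that id
 */
function showServiceGroup()
{
    require_once __DIR__ . '/../../../web_portal/components/Get_User_Principle.php';
    require_once __DIR__ . '/../utils.php';

    if (!isset($_GET['id']) || !is_numeric($_GET['id'])) {
        throw new Exception("An id must be specified");
    }
    $sGroupId = $_GET['id'];

    $sGroupServ = \Factory::getServiceGroupService();
    $sGroup = $sGroupServ->getServiceGroup($sGroupId);
    // Fail with a clear message instead of a fatal error on a null object below
    // (consistent with view_user's "No user with that ID").
    if ($sGroup === null) {
        throw new Exception("No service group with that ID");
    }

    $params = array();
    $params['sGroup'] = $sGroup;

    // Downtimes that affect services under this service group;
    // 31 = the number of days worth of historical downtimes to show.
    $params['downtimes'] = $sGroupServ->getDowntimes($sGroupId, 31);

    // Look the user up even when the portal is read only, so an admin still sees edit links.
    $dn = Get_User_Principle();
    $user = \Factory::getUserService()->getUserByPrinciple($dn);
    $params['portalIsReadOnly'] = portalIsReadOnlyAndUserIsNotAdmin($user);
    $params['authenticated'] = ($user != null);

    // Only GRANTED roles over the group are shown.
    $roles = array();
    foreach ($sGroup->getRoles() as $role) {
        if ($role->getStatus() == \RoleStatus::GRANTED) {
            $roles[] = $role;
        }
    }
    $params['Roles'] = $roles;

    // Does the current viewer have edit permissions over the object?
    $params['ShowEdit'] = (count($sGroupServ->authorizeAction(\Action::EDIT_OBJECT, $sGroup, $user)) >= 1);

    $params['RoleActionRecords'] = \Factory::getRoleService()->getRoleActionRecordsById_Type($sGroup->getId(), 'servicegroup');

    show_view("service_group/view_sgroup.php", $params, $sGroup->getName());
}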
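/**
 * Renders the project view page for the project whose id is given in
 * $_GET['id'].
 *
 * The $params handed to the view contain the project's name, description,
 * id, NGIs, sites, GRANTED roles (CIC_STAFF roles excluded), RoleActionRecords,
 * and flags about the caller (authenticated, may edit, portal read-only).
 *
 * @throws Exception if no numeric id is given or no project has that id
 */
function show_project()
{
    require_once __DIR__ . '/../../../../lib/Gocdb_Services/Factory.php';
    require_once __DIR__ . '/../utils.php';
    require_once __DIR__ . '/../../../../htdocs/web_portal/components/Get_User_Principle.php';

    if (!isset($_GET['id']) || !is_numeric($_GET['id'])) {
        throw new Exception("An id must be specified");
    }
    $projId = $_GET['id'];

    $serv = \Factory::getProjectService();
    $project = $serv->getProject($projId);
    // Fail with a clear message instead of a fatal error on a null object below
    // (consistent with view_user's "No user with that ID").
    if ($project === null) {
        throw new Exception("No project with that ID");
    }

    // Only GRANTED roles are shown, and CIC_STAFF roles are not listed on the project page.
    $roles = array();
    foreach ($project->getRoles() as $role) {
        if ($role->getStatus() == \RoleStatus::GRANTED && $role->getRoleType()->getName() != \RoleTypeName::CIC_STAFF) {
            $roles[] = $role;
        }
    }

    // Look the user up even when the portal is read only, so an admin still sees edit links.
    $dn = Get_User_Principle();
    $user = \Factory::getUserService()->getUserByPrinciple($dn);

    $params = array();
    $params['ShowEdit'] = (count($serv->authorizeAction(\Action::EDIT_OBJECT, $project, $user)) >= 1);
    $params['authenticated'] = ($user != null);
    $params['RoleActionRecords'] = \Factory::getRoleService()->getRoleActionRecordsById_Type($project->getId(), 'project');
    $params['Name'] = $project->getName();
    $params['Description'] = $project->getDescription();
    $params['ID'] = $project->getId();
    $params['NGIs'] = $project->getNgis();
    $params['Sites'] = $serv->getSites($project);
    $params['Roles'] = $roles;
    $params['portalIsReadOnly'] = portalIsReadOnlyAndUserIsNotAdmin($user);

    show_view('project/view_project.php', $params, $params['Name']);
}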
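/**
 * Handles a POST that rejects (denies) a pending role request.
 *
 * Reads the role request id from $_POST['id'], rejects the request via the
 * role service, renders request_denied.php and exits.
 *
 * @throws Exception      if the caller is not a registered user (or the portal
 *                        is read only and the caller is not an admin)
 * @throws LogicException if the id is missing/non-numeric or no request has that id
 */
function view_deny_request()
{
    require_once __DIR__ . '/../../../../lib/Gocdb_Services/Factory.php';
    require_once __DIR__ . '/../../components/Get_User_Principle.php';
    require_once __DIR__ . '/../utils.php';

    $dn = Get_User_Principle();
    $user = \Factory::getUserService()->getUserByPrinciple($dn);
    if ($user == null) {
        throw new Exception("Unregistered users can't view/deny role requests");
    }
    // Check the portal is not in read only mode, returns exception if it is and user is not an admin
    checkPortalIsNotReadOnlyOrUserIsAdmin($user);

    // Validate the id before reading it: the previous unguarded read of
    // $_POST['id'] raised a notice whenever the key was absent.
    if (!isset($_POST['id']) || !is_numeric($_POST['id'])) {
        throw new LogicException("Invalid role request id");
    }
    $requestId = $_POST['id'];

    // NOTE(review): no CSRF token is verified in this handler; confirm that the
    // front controller / framework enforces one for state-changing POSTs.

    // Lookup role request with id.
    $roleRequest = \Factory::getRoleService()->getRoleById($requestId);
    if ($roleRequest == null) {
        throw new LogicException("Invalid role request id");
    }
    // This function does not check that $user may reject this request itself;
    // that check is presumably done inside rejectRoleRequest() — confirm.
    \Factory::getRoleService()->rejectRoleRequest($roleRequest, $user);

    show_view('political_role/request_denied.php');
    die;
}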
/**
 * Renders the "Role Requests" page for the calling user.
 *
 * The page shows (a) a pull-down of every OwnedEntity (Projects, NGIs, Sites,
 * ServiceGroups) a role can be requested over, (b) the caller's own PENDING
 * role requests and (c) the pending requests of other users that the caller
 * can approve. Each request in (c) gets, as its decorator object, an array
 * with 'grant' and 'deny' keys holding the bracketed names of the caller's
 * roles that authorise GRANT_ROLE / REJECT_ROLE over the request's entity
 * (empty string when none).
 *
 * @throws Exception if the caller is not a registered user
 */
function view_requests()
{
    require_once __DIR__ . '/../../../../lib/Gocdb_Services/Factory.php';
    require_once __DIR__ . '/../../components/Get_User_Principle.php';
    require_once __DIR__ . '/../utils.php';

    $principle = Get_User_Principle();
    $user = \Factory::getUserService()->getUserByPrinciple($principle);
    if ($user == null) {
        throw new Exception("Unregistered users can't view/request roles");
    }
    $roleServ = \Factory::getRoleService();

    // Entities is a two-dimensional array listing the id and name of the
    // OwnedEntities a role can be requested over. An inner array without an
    // Object_ID key is rendered as a section title in the pull-down list.
    $entities = array(array('Name' => 'Projects'));
    foreach (\Factory::getProjectService()->getProjects() as $project) {
        $entities[] = array('Object_ID' => $project->getId(), 'Name' => $project->getName());
    }
    $entities[] = array('Name' => 'NGIs');
    foreach (\Factory::getNgiService()->getNGIs() as $ngi) {
        $entities[] = array('Object_ID' => $ngi->getId(), 'Name' => $ngi->getName());
    }
    $entities[] = array('Name' => 'Sites');
    foreach (\Factory::getSiteService()->getSitesBy() as $site) {
        // Sites are listed by their short name.
        $entities[] = array('Object_ID' => $site->getId(), 'Name' => $site->getShortName());
    }
    $entities[] = array('Name' => 'ServiceGroups');
    foreach (\Factory::getServiceGroupService()->getServiceGroups() as $serviceGroup) {
        $entities[] = array('Object_ID' => $serviceGroup->getId(), 'Name' => $serviceGroup->getName());
    }

    // The caller's own pending role requests.
    $myPendingRoleRequests = $roleServ->getUserRoles($user, \RoleStatus::PENDING);

    // Pending requests of other users that the caller can approve, each
    // decorated with which of the caller's roles allow granting / rejecting it.
    $otherRolesUserCanApprove = $roleServ->getPendingRolesUserCanApprove($user);
    foreach ($otherRolesUserCanApprove as $pendingRole) {
        $entity = $pendingRole->getOwnedEntity();
        $decorator = array('grant' => '', 'deny' => '');

        $grantNames = $roleServ->authorizeAction(\Action::GRANT_ROLE, $entity, $user);
        if (count($grantNames) >= 1) {
            $decorator['grant'] = '[' . implode(', ', $grantNames) . ']';
        }
        $denyNames = $roleServ->authorizeAction(\Action::REJECT_ROLE, $entity, $user);
        if (count($denyNames) >= 1) {
            $decorator['deny'] = '[' . implode(', ', $denyNames) . ']';
        }

        $pendingRole->setDecoratorObject($decorator);
    }

    $params = array(
        'entities' => $entities,
        'myRequests' => $myPendingRoleRequests,
        'allRequests' => $otherRolesUserCanApprove,
        'portalIsReadOnly' => portalIsReadOnlyAndUserIsNotAdmin($user),
    );
    show_view("political_role/view_requests.php", $params, "Role Requests");
    die;
}
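/**
 * Draws the form to add a new downtime, or — for the siteid_timezone ajax
 * request — returns a site's timezone id and current offset from UTC as JSON.
 *
 * URL mapping (all via $_GET):
 *  - siteid_timezone=<id> : die() with JSON [tzId, offsetSecsFromUtc];
 *                           ['UTC', 0] when the site is unknown or has no timezone
 *  - site=<id>            : form listing the site's services (caller needs
 *                           EDIT_OBJECT over the site)
 *  - se=<id>              : form listing the services of the service's parent
 *                           site (caller needs EDIT_OBJECT over the service)
 *  - none of the above    : form listing every service the caller can edit
 *                           (every service, for admins)
 *
 * @param \User $user current user
 * @return null
 * @throws Exception if the user is unregistered, a site/se id is not numeric
 *                   or unknown, the caller lacks permission, or there are no
 *                   services the caller can edit
 */
function draw(\User $user = null)
{
    if (is_null($user)) {
        throw new Exception("Unregistered users can't add a downtime.");
    }
    // 'now' rather than null: a null first argument is deprecated in PHP 8.1+.
    $nowUtcDateTime = new \DateTime('now', new \DateTimeZone("UTC"));
    $nowUtc = $nowUtcDateTime->format('H:i T');

    // Return the specified site's timezone label and the offset from now in UTC.
    // Used in ajax requests for display purposes.
    if (isset($_GET['siteid_timezone']) && is_numeric($_GET['siteid_timezone'])) {
        $site = \Factory::getSiteService()->getSite($_GET['siteid_timezone']);
        if ($site != null) {
            $siteTzId = $site->getTimeZoneId();
            if (!empty($siteTzId)) {
                $nowInTargetTz = new \DateTime('now', new \DateTimeZone($siteTzId));
                $offsetInSecsFromUtc = $nowInTargetTz->getOffset();
            } else {
                // No timezone recorded: assume UTC (no offset).
                $siteTzId = 'UTC';
                $offsetInSecsFromUtc = 0;
            }
            die(json_encode(array($siteTzId, $offsetInSecsFromUtc)));
        }
        die(json_encode(array('UTC', 0)));
    }

    if (isset($_GET['site'])) {
        // Validate like the siteid_timezone branch does; previously an unknown
        // id led to a fatal error on a null $site.
        if (!is_numeric($_GET['site'])) {
            throw new \Exception("Invalid site id");
        }
        $site = \Factory::getSiteService()->getSite($_GET['site']);
        if ($site == null) {
            throw new \Exception("No site with that ID");
        }
        if (count(\Factory::getSiteService()->authorizeAction(\Action::EDIT_OBJECT, $site, $user)) == 0) {
            throw new \Exception("You don't have permission over {$site}");
        }
        $params = array('ses' => $site->getServices(), 'nowUtc' => $nowUtc, 'selectAll' => true);
        show_view("downtime/add_downtime.php", $params);
        die;
    }

    if (isset($_GET['se'])) {
        if (!is_numeric($_GET['se'])) {
            throw new \Exception("Invalid service id");
        }
        $se = \Factory::getServiceService()->getService($_GET['se']);
        if ($se == null) {
            throw new \Exception("No service with that ID");
        }
        // Authorise against the service before touching anything else.
        if (count(\Factory::getServiceService()->authorizeAction(\Action::EDIT_OBJECT, $se, $user)) == 0) {
            throw new \Exception("You do not have permission over {$se}.");
        }
        // NOTE(review): the form lists every service of the parent site, not
        // only $se, while only $se was authorised here; presumably the submit
        // handler authorises each selected service — confirm.
        $site = \Factory::getSiteService()->getSite($se->getParentSite()->getId());
        $params = array('ses' => $site->getServices(), 'nowUtc' => $nowUtc, 'selectAll' => true);
        show_view("downtime/add_downtime.php", $params);
        die;
    }

    $ses = array();
    if ($user->isAdmin()) {
        // Admins get every service.
        $ses = \Factory::getServiceService()->getAllSesJoinParentSites();
    } else {
        // All services where the user has a GRANTED role over one of the
        // parent OwnedObjects (includes Site and NGI but not currently Project),
        // keeping only those the user may actually edit.
        $sesAll = \Factory::getRoleService()->getReachableServicesFromOwnedObjectRoles($user);
        foreach ($sesAll as $se) {
            if (count(\Factory::getServiceService()->authorizeAction(\Action::EDIT_OBJECT, $se, $user)) > 0) {
                $ses[] = $se;
            }
        }
    }
    if (empty($ses)) {
        throw new Exception("You don't hold a role over a NGI " . "or site with child services.");
    }
    $params = array('ses' => $ses, 'nowUtc' => $nowUtc);
    show_view("downtime/add_downtime.php", $params);
    die;
}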
/**
 *  Authorization: does the user hold a role that would allow them to add a
 *  new SE? (e.g. a role over the virtual site)
 *
 *  Returns normally when the check passes; otherwise renders error.php and
 *  exits. The caller's identity is not passed in — presumably
 *  userHasRoleOverVsite() resolves the current user itself, and $vSiteId is
 *  not validated here — confirm both against the role service.
 *
 *  @param mixed $vSiteId id of the virtual site (service group)
 *  @return null
 */
function authorize($vSiteId)
{
    $roleServ = Factory::getRoleService();
    if ($roleServ->userHasRoleOverVsite($vSiteId)) {
        return;
    }
    show_view("error.php", "You do not have permission to add a service to this service group.");
    die;
}