/**
  * @deprecated
  * Enter description here ...
  * @param unknown_type $dm_conditions
  * @param unknown_type $dimension
  * @param unknown_type $member_ids
  * @param unknown_type $object_type_id
  * @param unknown_type $pg_ids
  * @param unknown_type $operator
  * @param unknown_type $selection_members
  * @param unknown_type $all
  */
 static function prepareQuery($dm_conditions, $dimension, $member_ids, $object_type_id, $pg_ids, $operator, $selection_members, $all = false)
 {
     $permission_conditions = "";
     $member_ids_csv = count($member_ids) > 0 ? implode(",", $member_ids) : '0';
     $check = $dimension->getDefinesPermissions() && !$dimension->hasAllowAllForContact($pg_ids);
     if ($check) {
         // context permissions
         $context_conditions = "";
         $context_permission_member_ids = array();
         $context_permission_member_ids = ContactMemberPermissions::getActiveContextPermissions(logged_user(), $object_type_id, $selection_members, $member_ids);
         if (count($context_permission_member_ids) != 0) {
             $context_conditions .= "OR EXISTS (SELECT `om2`.`object_id` FROM `" . TABLE_PREFIX . "object_members` `om2` WHERE\r\n\t    \t\t\t\t\t\t\t`om2`.`object_id` = `om`.`object_id` AND `o`.`object_type_id` = {$object_type_id} \r\n\t    \t\t\t\t\t\t\tAND `om2`.`member_id` IN (" . implode(",", $context_permission_member_ids) . "))";
         }
         $permission_conditions = "AND EXISTS (SELECT `cmp`.`member_id` FROM `" . TABLE_PREFIX . "contact_member_permissions` \r\n    \t\t\t\t\t\t`cmp` WHERE `om2`.`member_id` = `cmp`.`member_id` AND `cmp`.`permission_group_id` IN ({$pg_ids}) AND \r\n    \t\t\t\t\t\t`o`.`object_type_id` = `cmp`.`object_type_id`) {$context_conditions}";
     }
     $not_exists = "OR NOT EXISTS (SELECT `om2`.`object_id` FROM `" . TABLE_PREFIX . "object_members` `om2` WHERE\r\n    \t\t\t\t\t\t`om2`.`object_id` = `om`.`object_id` AND `om2`.`member_id` IN (" . $member_ids_csv . ")\r\n    \t\t\t\t\t\tAND `om2`.`is_optimization` = 0)";
     $dm_condition = "EXISTS (SELECT `om2`.`object_id` FROM `" . TABLE_PREFIX . "object_members` `om2` WHERE\r\n    \t\t\t\t\t\t`om2`.`object_id` = `om`.`object_id` AND `om2`.`member_id` IN (" . $member_ids_csv . ")\r\n    \t\t\t\t\t\tAND `om2`.`is_optimization` = 0 {$permission_conditions})";
     if ($all) {
         $condition = "({$dm_condition} {$not_exists})";
         $operator = "AND";
     } else {
         $condition = $dm_condition;
     }
     $dm_conditions = $dm_conditions != "" ? " {$operator} {$condition}" : " {$condition}";
     return $dm_conditions;
 }
Ejemplo n.º 2
0
	/**
	 * Return true is $user can access an $object. False otherwise.
	 *
	 * @param Contact $user
	 * @param array $members
	 * @param $object_type_id
	 * @return boolean
	 */
	function can_access(Contact $user, $members, $object_type_id, $access_level){
		if($user->isAdministrator()){
			return true;
		}
		$write = $access_level == ACCESS_LEVEL_WRITE;
		$delete = $access_level == ACCESS_LEVEL_DELETE;
		
		if (($user->isGuest() && $access_level!= ACCESS_LEVEL_READ) || !count($members)>0) return false;
		
		try {
			$contact_pg_ids = ContactPermissionGroups::getPermissionGroupIdsByContactCSV($user->getId(),false);
			$allow_all_cache = array();
			$dimension_query_methods = array();
			
			$dimension_permissions = array();
			foreach($members as $k => $m){
				if (!$m instanceof Member) {
					unset($members[$k]);
					continue;
				}
				
				$dimension = $m->getDimension();
				if(!$dimension->getDefinesPermissions()){
					continue;
				}
				$dimension_id = $dimension->getId();
				if (!isset($dimension_permissions[$dimension_id])) {
					$dimension_permissions[$dimension_id]=false;
				}
										
				if (!$dimension_permissions[$dimension_id]){
					if ($m->canContainObject($object_type_id)){
						
						if (!isset($dimension_query_methods[$dimension->getId()])) {
							$dimension_query_methods[$dimension->getId()] = $dimension->getPermissionQueryMethod();
						}
						
						//dimension defines permissions and user has maximum level of permissions
						if (isset($allow_all_cache[$dimension_id])) {
							$allow_all = $allow_all_cache[$dimension_id];
						} else {
							$allow_all = $dimension->hasAllowAllForContact($contact_pg_ids);
							$allow_all_cache[$dimension_id] = $allow_all;
						}
						if ($allow_all) {
							$dimension_permissions[$dimension_id]=true;
						}
						
						//check individual members
						if (!$dimension_permissions[$dimension_id] && ContactMemberPermissions::contactCanReadObjectTypeinMember($contact_pg_ids, $m->getId(), $object_type_id, $write, $delete, $user)){
							$dimension_permissions[$dimension_id]=true;
						}
					} else {
						unset($dimension_permissions[$dimension_id]);
					}
				}
			}

			$allowed = true;
			// check that user has permissions in all mandatory query method dimensions
			$mandatory_count = 0;
			foreach ($dimension_query_methods as $dim_id => $qmethod) {
				if ($qmethod == DIMENSION_PERMISSION_QUERY_METHOD_MANDATORY) {
					$mandatory_count++;
					if (!array_var($dimension_permissions, $dim_id)) {
						// if one of the members belong to a mandatory dimension and user does not have permissions on it then return false
						return false;
					}
				}
			}
			
			// If no members in mandatory dimensions then check for not mandatory ones 
			if ($allowed && $mandatory_count == 0) {
				foreach ($dimension_query_methods as $dim_id => $qmethod) {
					if ($qmethod == DIMENSION_PERMISSION_QUERY_METHOD_NOT_MANDATORY) {
						if (array_var($dimension_permissions, $dim_id)) {
							// if has permissions over any member of a non mandatory dimension then return true
							return true;
						} else {
							$allowed = false;
						}
					}
				}
			}

			if ($allowed && count($dimension_permissions)) {
				return true;	
			}
			
			// Si hasta aca tienen perm en todas las dim, return true. Si hay alguna que no tiene perm sigo
			
			//Check Context Permissions
			$member_ids = array();
			foreach ($members as $member_obj) $member_ids[] = $member_obj->getId();
			$allowed_members = ContactMemberPermissions::getActiveContextPermissions($user, $object_type_id, $members, $member_ids, $write, $delete);
			$count=0;
			foreach($members as $m){
				$count++;
				if (!in_array($m->getId(), $allowed_members)) return false;
				else if ($count==count($members)) return true;
			}
			
		}
		catch(Exception $e) {
			tpl_assign('error', $e);
			return false;
		}
		return false;
	}
Ejemplo n.º 3
0
/**
 * Return true is $user can access an $object. False otherwise.
 *
 * @param Contact $user
 * @param array $members
 * @param $object_type_id
 * @return boolean
 */
function can_access(Contact $user, $members, $object_type_id, $access_level)
{
    if ($user->isAdministrator()) {
        return true;
    }
    $write = $access_level == ACCESS_LEVEL_WRITE;
    $delete = $access_level == ACCESS_LEVEL_DELETE;
    if ($user->isGuest() && $access_level != ACCESS_LEVEL_READ || !count($members) > 0) {
        return false;
    }
    try {
        $contact_pg_ids = ContactPermissionGroups::getPermissionGroupIdsByContactCSV($user->getId(), false);
        $allow_all_cache = array();
        $dimension_permissions = array();
        foreach ($members as $k => $m) {
            if (!$m instanceof Member) {
                unset($members[$k]);
                continue;
            }
            $dimension = $m->getDimension();
            if (!$dimension->getDefinesPermissions()) {
                continue;
            }
            $dimension_id = $dimension->getId();
            if (!isset($dimension_permissions[$dimension_id])) {
                $dimension_permissions[$dimension_id] = false;
            }
            if (!$dimension_permissions[$dimension_id]) {
                if ($m->canContainObject($object_type_id)) {
                    //dimension defines permissions and user has maximum level of permissions
                    if (isset($allow_all_cache[$dimension_id])) {
                        $allow_all = $allow_all_cache[$dimension_id];
                    } else {
                        $allow_all = $dimension->hasAllowAllForContact($contact_pg_ids);
                        $allow_all_cache[$dimension_id] = $allow_all;
                    }
                    if ($allow_all) {
                        $dimension_permissions[$dimension_id] = true;
                    }
                    //check individual members
                    if (!$dimension_permissions[$dimension_id] && ContactMemberPermissions::contactCanReadObjectTypeinMember($contact_pg_ids, $m->getId(), $object_type_id, $write, $delete, $user)) {
                        $dimension_permissions[$dimension_id] = true;
                    }
                } else {
                    unset($dimension_permissions[$dimension_id]);
                }
            }
        }
        $allowed = true;
        foreach ($dimension_permissions as $perm) {
            if (!$perm) {
                $allowed = false;
            } else {
                return true;
                // if user has permission in one of the object's members then can access = true
            }
        }
        if ($allowed && count($dimension_permissions)) {
            return true;
        }
        // Si hasta aca tienen perm en todas las dim, return true. Si hay alguna que no tiene perm sigo
        //Check Context Permissions
        $member_ids = array();
        foreach ($members as $member_obj) {
            $member_ids[] = $member_obj->getId();
        }
        $allowed_members = ContactMemberPermissions::getActiveContextPermissions($user, $object_type_id, $members, $member_ids, $write, $delete);
        $count = 0;
        foreach ($members as $m) {
            $count++;
            if (!in_array($m->getId(), $allowed_members)) {
                return false;
            } else {
                if ($count == count($members)) {
                    return true;
                }
            }
        }
    } catch (Exception $e) {
        tpl_assign('error', $e);
        return false;
    }
    return false;
}
Ejemplo n.º 4
0
/**
 * Return true is $user can access an $object. False otherwise.
 *
 * @param Contact $user
 * @param array $members
 * @param $object_type_id
 * @return boolean
 */
function can_access(Contact $user, $members, $object_type_id, $access_level, $allow_super_admin = true)
{
    if ($allow_super_admin && $user->isAdministrator()) {
        return true;
    }
    $write = $access_level == ACCESS_LEVEL_WRITE;
    $delete = $access_level == ACCESS_LEVEL_DELETE;
    if ($user->isGuest() && $access_level != ACCESS_LEVEL_READ) {
        return false;
    }
    try {
        $contact_pg_ids = ContactPermissionGroups::getPermissionGroupIdsByContactCSV($user->getId(), false);
        $allow_all_cache = array();
        $dimension_query_methods = array();
        // if no manageable member then check if user has permissions wihout classifying
        $manageable_members = array();
        foreach ($members as $mem) {
            if ($mem instanceof Member && $mem->getDimension()->getIsManageable() && $mem->getDimension()->getDefinesPermissions()) {
                $manageable_members[] = $mem->getId();
            }
        }
        if (count($manageable_members) == 0) {
            $return = false;
            if (config_option('let_users_create_objects_in_root') && $contact_pg_ids != "" && ($user->isAdminGroup() || $user->isExecutive() || $user->isManager())) {
                $cond = $delete ? 'AND can_delete = 1' : ($write ? 'AND can_write = 1' : '');
                $cmp = ContactMemberPermissions::findOne(array('conditions' => "member_id=0 AND object_type_id={$object_type_id} AND permission_group_id IN ({$contact_pg_ids}) {$cond}"));
                $return = $cmp instanceof ContactMemberPermission;
            }
            return $return;
        }
        $max_role_ot_perm = MaxRoleObjectTypePermissions::instance()->findOne(array('conditions' => "object_type_id='{$object_type_id}' AND role_id = '" . $user->getUserType() . "'"));
        $enabled_dimensions = config_option('enabled_dimensions');
        $dimension_permissions = array();
        foreach ($members as $k => $m) {
            if (!$m instanceof Member) {
                unset($members[$k]);
                continue;
            }
            $dimension = $m->getDimension();
            if (!$dimension->getDefinesPermissions() || !in_array($dimension->getId(), $enabled_dimensions)) {
                continue;
            }
            $dimension_id = $dimension->getId();
            if (!isset($dimension_permissions[$dimension_id])) {
                $dimension_permissions[$dimension_id] = false;
            }
            if (!$dimension_permissions[$dimension_id]) {
                if ($m->canContainObject($object_type_id)) {
                    if (!isset($dimension_query_methods[$dimension->getId()])) {
                        $dimension_query_methods[$dimension->getId()] = $dimension->getPermissionQueryMethod();
                    }
                    //dimension defines permissions and user has maximum level of permissions
                    if (isset($allow_all_cache[$dimension_id])) {
                        $allow_all = $allow_all_cache[$dimension_id];
                    } else {
                        $allow_all = $dimension->hasAllowAllForContact($contact_pg_ids);
                        $allow_all_cache[$dimension_id] = $allow_all;
                    }
                    if ($allow_all) {
                        $dimension_permissions[$dimension_id] = true;
                    }
                    //check individual members
                    if (!$dimension_permissions[$dimension_id] && ContactMemberPermissions::contactCanReadObjectTypeinMember($contact_pg_ids, $m->getId(), $object_type_id, $write, $delete, $user)) {
                        if ($max_role_ot_perm) {
                            if ($access_level == ACCESS_LEVEL_DELETE && $max_role_ot_perm->getCanDelete() || $access_level == ACCESS_LEVEL_WRITE && $max_role_ot_perm->getCanWrite() || $access_level == ACCESS_LEVEL_READ) {
                                $dimension_permissions[$dimension_id] = true;
                            }
                        }
                    }
                } else {
                    unset($dimension_permissions[$dimension_id]);
                }
            }
        }
        $allowed = true;
        // check that user has permissions in all mandatory query method dimensions
        $mandatory_count = 0;
        foreach ($dimension_query_methods as $dim_id => $qmethod) {
            if (!in_array($dim_id, $enabled_dimensions)) {
                continue;
            }
            if ($qmethod == DIMENSION_PERMISSION_QUERY_METHOD_MANDATORY) {
                $mandatory_count++;
                if (!array_var($dimension_permissions, $dim_id)) {
                    // if one of the members belong to a mandatory dimension and user does not have permissions on it then return false
                    return false;
                }
            }
        }
        // If no members in mandatory dimensions then check for not mandatory ones
        if ($allowed && $mandatory_count == 0) {
            foreach ($dimension_query_methods as $dim_id => $qmethod) {
                if ($qmethod == DIMENSION_PERMISSION_QUERY_METHOD_NOT_MANDATORY) {
                    if (array_var($dimension_permissions, $dim_id)) {
                        // if has permissions over any member of a non mandatory dimension then return true
                        return true;
                    } else {
                        $allowed = false;
                    }
                }
            }
        }
        if ($allowed && count($dimension_permissions)) {
            return true;
        }
        // Si hasta aca tienen perm en todas las dim, return true. Si hay alguna que no tiene perm sigo
        //Check Context Permissions
        $member_ids = array();
        foreach ($members as $member_obj) {
            $member_ids[] = $member_obj->getId();
        }
        $allowed_members = ContactMemberPermissions::getActiveContextPermissions($user, $object_type_id, $members, $member_ids, $write, $delete);
        $count = 0;
        foreach ($members as $m) {
            $count++;
            if (!in_array($m->getId(), $allowed_members)) {
                return false;
            } else {
                if ($count == count($members)) {
                    return true;
                }
            }
        }
    } catch (Exception $e) {
        tpl_assign('error', $e);
        return false;
    }
    return false;
}