function do_setpermissionallocations()
{
$aPermissionAllowed = (array) KTUtil::arrayGet($_REQUEST, 'foo');
// thanks BD.
$this->startTransaction();
$aStatePermAssigns = KTWorkflowStatePermissionAssignment::getByState($this->oState);
// we now walk the alloc'd perms, and go.
foreach ($aStatePermAssigns as $oPermAssign) {
$aAllowed = (array) $aPermissionAllowed[$oPermAssign->getPermissionId()];
// is already role, group, etc.
$oDescriptor = KTPermissionUtil::getOrCreateDescriptor($aAllowed);
if (PEAR::isError($oDescriptor)) {
$this->errorRedirectTo('allocatepermissions', _kt('Failed to allocate as specified.'));
}
$oPermAssign->setDescriptorId($oDescriptor->getId());
$res = $oPermAssign->update();
if (PEAR::isError($res)) {
$this->errorRedirectTo('allocatepermissions', _kt('Failed to allocate as specified.'));
}
}
KTPermissionUtil::updatePermissionLookupForState($this->oState);
$this->successRedirectTo('managepermissions', _kt('Permissions Allocated.'));
}
/**
* Update's the permission lookup on one folder or document,
* non-recursively.
*/
function updatePermissionLookup(&$oFolderOrDocument, $aOptions = null)
{
$is_a_folder = is_a($oFolderOrDocument, 'Folder');
$is_a_document = is_a($oFolderOrDocument, 'Document') || is_a($oFolderOrDocument, 'KTDocumentCore');
//ensure that the document shortcut is being updated.
if ($is_a_document && $oFolderOrDocument->isSymbolicLink()) {
$oFolderOrDocument->switchToRealCore();
}
$oChannel = null;
$aMapPermAllowed = null;
$oPermLookup = null;
if (!is_null($aOptions)) {
$oChannel = $aOptions['channel'];
$aMapPermAllowed = $aOptions['map_allowed'];
$oPermLookup = $aOptions['perm_lookup'];
}
if (!$is_a_folder && !$is_a_document) {
return;
// we occasionally get handed a PEAR::raiseError. Just ignore it.
}
if (is_null($oChannel)) {
$oChannel =& KTPermissionChannel::getSingleton();
}
if ($is_a_folder) {
$msg = sprintf("Updating folder %s", join('/', $oFolderOrDocument->getPathArray()));
} else {
if (is_a($oFolderOrDocument, 'Document')) {
//modify the message to reflect that a shortcut is begin updated
if ($oFolderOrDocument->isSymbolicLink()) {
$msg = sprintf("Updating shortcut to %s", $oFolderOrDocument->getName());
} else {
$msg = sprintf("Updating document %s", $oFolderOrDocument->getName());
}
} else {
$msg = sprintf("Updating document %d", $oFolderOrDocument->getId());
}
}
$oChannel->sendMessage(new KTPermissionGenericMessage($msg));
//var_dump($msg);
$iPermissionObjectId = $oFolderOrDocument->getPermissionObjectID();
if (empty($iPermissionObjectId)) {
return;
}
$oPO = KTPermissionObject::get($iPermissionObjectId);
if (is_null($aMapPermAllowed)) {
$aPAs = KTPermissionAssignment::getByObjectMulti($oPO);
$aMapPermAllowed = array();
foreach ($aPAs as $oPA) {
$oPD = KTPermissionDescriptor::get($oPA->getPermissionDescriptorID());
$aGroupIDs = $oPD->getGroups();
$aUserIDs = array();
$aRoleIDs = $oPD->getRoles();
$aAllowed = array('group' => $aGroupIDs, 'user' => $aUserIDs, 'role' => $aRoleIDs);
$aMapPermAllowed[$oPA->getPermissionID()] = $aAllowed;
}
}
if (!$is_a_folder) {
$aDynamicConditions = KTPermissionDynamicCondition::getByPermissionObject($oPO);
if (!PEAR::isError($aDynamicConditions)) {
foreach ($aDynamicConditions as $oDynamicCondition) {
$iConditionId = $oDynamicCondition->getConditionId();
if (KTSearchUtil::testConditionOnDocument($iConditionId, $oFolderOrDocument)) {
$iGroupId = $oDynamicCondition->getGroupId();
$aPermissionIds = $oDynamicCondition->getAssignment();
foreach ($aPermissionIds as $iPermissionId) {
$aCurrentAllowed = KTUtil::arrayGet($aMapPermAllowed, $iPermissionId, array());
$aCurrentAllowed['group'][] = $iGroupId;
$aMapPermAllowed[$iPermissionId] = $aCurrentAllowed;
}
}
}
}
}
if (!$is_a_folder) {
$oState = KTWorkflowUtil::getWorkflowStateForDocument($oFolderOrDocument);
if (!(PEAR::isError($oState) || is_null($oState) || $oState == false)) {
$aWorkflowStatePermissionAssignments = KTWorkflowStatePermissionAssignment::getByState($oState);
foreach ($aWorkflowStatePermissionAssignments as $oAssignment) {
$iPermissionId = $oAssignment->getPermissionId();
$iPermissionDescriptorId = $oAssignment->getDescriptorId();
$oPD = KTPermissionDescriptor::get($iPermissionDescriptorId);
$aGroupIDs = $oPD->getGroups();
$aUserIDs = array();
$aRoleIDs = $oPD->getRoles();
$aAllowed = array('group' => $aGroupIDs, 'user' => $aUserIDs, 'role' => $aRoleIDs);
$aMapPermAllowed[$iPermissionId] = $aAllowed;
}
}
}
// if we have roles: nearest folder.
$iRoleSourceFolder = null;
if ($is_a_document) {
$iRoleSourceFolder = $oFolderOrDocument->getFolderID();
} else {
$iRoleSourceFolder = $oFolderOrDocument->getId();
}
// very minor perf win: map role_id (in context) to PD.
$_roleCache = array();
foreach ($aMapPermAllowed as $iPermissionId => $aAllowed) {
$aAfterRoles = array();
if (array_key_exists('role', $aAllowed)) {
foreach ($aAllowed['role'] as $k => $iRoleId) {
// store the PD <-> RoleId map
// special-case "all" or "authenticated".
if ($iRoleId == -3 || $iRoleId == -4) {
$aAfterRoles[] = $iRoleId;
continue;
}
if (!array_key_exists($iRoleId, $_roleCache)) {
$oRoleAllocation = null;
if ($is_a_document) {
$oRoleAllocation =& DocumentRoleAllocation::getAllocationsForDocumentAndRole($oFolderOrDocument->getId(), $iRoleId);
if (PEAR::isError($oRoleAllocation)) {
$oRoleAllocation = null;
}
}
// if that's null - not set _on_ the document, then
if (is_null($oRoleAllocation)) {
$oRoleAllocation =& RoleAllocation::getAllocationsForFolderAndRole($iRoleSourceFolder, $iRoleId);
}
$_roleCache[$iRoleId] = $oRoleAllocation;
}
// roles are _not_ always assigned (can be null at root)
if (!is_null($_roleCache[$iRoleId])) {
$aMapPermAllowed[$iPermissionId]['user'] = kt_array_merge($aMapPermAllowed[$iPermissionId]['user'], $_roleCache[$iRoleId]->getUserIds());
$aMapPermAllowed[$iPermissionId]['group'] = kt_array_merge($aMapPermAllowed[$iPermissionId]['group'], $_roleCache[$iRoleId]->getGroupIds());
// naturally, roles cannot be assigned roles, or madness follows.
}
unset($aAllowed['role'][$k]);
}
}
unset($aMapPermAllowed[$iPermissionId]['role']);
if (!empty($aAfterRoles)) {
$aMapPermAllowed[$iPermissionId]['role'] = $aAfterRoles;
}
}
/*
print '<pre>';
print '=======' . $oFolderOrDocument->getName();
print '<br />';
var_dump($aMapPermAllowed);
print '</pre>';
*/
//if (is_null($oPermLookup)) {
$aMapPermDesc = array();
foreach ($aMapPermAllowed as $iPermissionId => $aAllowed) {
$oLookupPD = KTPermissionUtil::getOrCreateDescriptor($aAllowed);
$aMapPermDesc[$iPermissionId] = $oLookupPD->getID();
}
$oPermLookup = KTPermissionLookupAssignment::findOrCreateLookupByPermissionDescriptorMap($aMapPermDesc);
//}
$oFolderOrDocument->setPermissionLookupID($oPermLookup->getID());
$oFolderOrDocument->update();
}
function do_resolved_users()
{
$this->oPage->setBreadcrumbDetails(_kt("Permissions"));
$oTemplate = $this->oValidator->validateTemplate("ktcore/document/resolved_permissions_user");
$oPL = KTPermissionLookup::get($this->oDocument->getPermissionLookupID());
$aPermissions = KTPermission::getList();
$aMapPermissionGroup = array();
$aMapPermissionRole = array();
$aMapPermissionUser = array();
$aUsers = User::getList();
foreach ($aPermissions as $oPermission) {
$oPLA = KTPermissionLookupAssignment::getByPermissionAndLookup($oPermission, $oPL);
if (PEAR::isError($oPLA)) {
continue;
}
$oDescriptor = KTPermissionDescriptor::get($oPLA->getPermissionDescriptorID());
$iPermissionID = $oPermission->getID();
$aMapPermissionGroup[$iPermissionID] = array();
foreach ($aUsers as $oUser) {
if (KTPermissionUtil::userHasPermissionOnItem($oUser, $oPermission, $this->oDocument)) {
$aMapPermissionUser[$iPermissionID][$oUser->getId()] = true;
$aActiveUsers[$oUser->getId()] = true;
}
}
}
// now we constitute the actual sets.
$users = array();
$groups = array();
$roles = array();
// should _always_ be empty, barring a bug in permissions::updatePermissionLookup
// this should be quite limited - direct role -> user assignment is typically rare.
foreach ($aActiveUsers as $id => $marker) {
$oUser = User::get($id);
$users[$oUser->getName()] = $oUser;
}
asort($users);
// ascending, per convention.
$bEdit = false;
$sInherited = '';
$aDynamicControls = array();
$aWorkflowControls = array();
// handle conditions
$iPermissionObjectId = $this->oDocument->getPermissionObjectID();
if (!empty($iPermissionObjectId)) {
$oPO = KTPermissionObject::get($iPermissionObjectId);
$aDynamicConditions = KTPermissionDynamicCondition::getByPermissionObject($oPO);
if (!PEAR::isError($aDynamicConditions)) {
foreach ($aDynamicConditions as $oDynamicCondition) {
$iConditionId = $oDynamicCondition->getConditionId();
if (KTSearchUtil::testConditionOnDocument($iConditionId, $this->oDocument)) {
$aPermissionIds = $oDynamicCondition->getAssignment();
foreach ($aPermissionIds as $iPermissionId) {
$aDynamicControls[$iPermissionId] = true;
}
}
}
}
}
// indicate that workflow controls a given permission
$oState = KTWorkflowUtil::getWorkflowStateForDocument($this->oDocument);
if (!(PEAR::isError($oState) || is_null($oState) || $oState == false)) {
$aWorkflowStatePermissionAssignments = KTWorkflowStatePermissionAssignment::getByState($oState);
foreach ($aWorkflowStatePermissionAssignments as $oAssignment) {
$aWorkflowControls[$oAssignment->getPermissionId()] = true;
unset($aDynamicControls[$oAssignment->getPermissionId()]);
}
}
$aTemplateData = array("context" => $this, "permissions" => $aPermissions, "groups" => $groups, "users" => $users, "roles" => $roles, "oDocument" => $this->oDocument, "aMapPermissionGroup" => $aMapPermissionGroup, "aMapPermissionRole" => $aMapPermissionRole, "aMapPermissionUser" => $aMapPermissionUser, "edit" => $bEdit, "inherited" => $sInherited, 'workflow_controls' => $aWorkflowControls, 'conditions_control' => $aDynamicControls);
return $oTemplate->render($aTemplateData);
}
