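 /**
  * check grant for action
  *
  * Decides whether the current user may perform $_action on the timesheet
  * $_record. Users holding the MANAGE_TIMEACCOUNTS right, or GRANT_ADMIN on the
  * record's timeaccount, pass unconditionally. Everybody else needs the matching
  * VIEW_ALL / BOOK_ALL grant (or BOOK_OWN on their own records) and, for 'create'
  * and 'update', the requiredGrant of every restricted field in $this->_fieldGrants
  * that they set to a non-default value or change. Closed timeaccounts are
  * read-only for non-managers. Unknown actions are denied.
  *
  * @param Timetracker_Model_Timesheet $_record        the timesheet being accessed
  * @param string                      $_action        'get', 'create', 'update' or 'delete'
  * @param boolean                     $_throw         throw instead of returning FALSE on denial
  * @param string                      $_errorMessage  message of the thrown exception
  * @param Timetracker_Model_Timesheet $_oldRecord     persisted version of $_record ('update' only)
  * @return boolean
  * @throws Tinebase_Exception_AccessDenied  when access is denied and $_throw is set
  *
  * @todo think about just setting the default values when user
  *       hasn't the required grant to change the field (instead of throwing exception)
  */
 protected function _checkGrant($_record, $_action, $_throw = TRUE, $_errorMessage = 'No Permission.', $_oldRecord = NULL)
 {
     $timeaccountId = $_record->timeaccount_id;

     // users with MANAGE_TIMEACCOUNTS (or GRANT_ADMIN on the timeaccount) have all grants here
     if ($this->checkRight(Timetracker_Acl_Rights::MANAGE_TIMEACCOUNTS, FALSE)
         || Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, Tinebase_Model_Grants::GRANT_ADMIN)
     ) {
         return TRUE;
     }

     // only TA managers are allowed to alter TS of closed TAs
     if ($_action != 'get') {
         $timeaccount = Timetracker_Controller_Timeaccount::getInstance()->get($timeaccountId);
         if (! $timeaccount->is_open) {
             // honour $_throw on this path too: a caller that relies on the exception and
             // ignores the return value must not continue writing to a closed timeaccount
             if ($_throw) {
                 throw new Tinebase_Exception_AccessDenied($_errorMessage);
             }
             return FALSE;
         }

         // non-billable TA: is_billable defaults to 0 and only GRANT_ADMIN holders may change it
         // NOTE(review): this mutates controller state and is never reset here — confirm that
         // subsequent checks in the same instance are meant to keep the tightened requirement
         if (! $timeaccount->is_billable) {
             $this->_fieldGrants['is_billable']['default'] = 0;
             $this->_fieldGrants['is_billable']['requiredGrant'] = Tinebase_Model_Grants::GRANT_ADMIN;
         }
     }

     $currentAccountId = $this->_currentAccount->getId();
     $hasGrant = FALSE;
     switch ($_action) {
         case 'get':
             $hasGrant = Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, array(
                     Timetracker_Model_TimeaccountGrants::VIEW_ALL,
                     Timetracker_Model_TimeaccountGrants::BOOK_ALL,
                 ))
                 || ($_record->account_id == $currentAccountId
                     && Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, Timetracker_Model_TimeaccountGrants::BOOK_OWN));
             break;
         case 'create':
         case 'update':
         case 'delete':
             // own records need BOOK_OWN, anything else needs BOOK_ALL
             $hasGrant = ($_record->account_id == $currentAccountId
                     && Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, Timetracker_Model_TimeaccountGrants::BOOK_OWN))
                 || Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, Timetracker_Model_TimeaccountGrants::BOOK_ALL);
             break;
     }

     // restricted fields: the user additionally needs the field's requiredGrant for every field
     // that is set to a non-default value ('create') or differs from the stored record ('update')
     if ($hasGrant && ($_action == 'create' || $_action == 'update')) {
         foreach ($this->_fieldGrants as $field => $config) {
             if (! isset($_record->{$field})) {
                 continue;
             }
             if ($_action == 'create') {
                 $reference = $config['default'];
             } else {
                 // a missing old record can not prove the field is unchanged, so any set value
                 // counts as a change (same outcome as before, without the property-on-null warning)
                 $reference = ($_oldRecord !== NULL) ? $_oldRecord->{$field} : NULL;
             }
             // loose comparison on purpose: record values may arrive as strings ('0' vs 0)
             if ($_record->{$field} != $reference
                 && ! Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, $config['requiredGrant'])
             ) {
                 $hasGrant = FALSE;
                 break;
             }
         }
     }

     if ($_throw && ! $hasGrant) {
         throw new Tinebase_Exception_AccessDenied($_errorMessage);
     }
     return (bool) $hasGrant;
 }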
 /**
  * check grant for action (CRUD)
  *
  * GRANT_ADMIN on the timeaccount itself allows every action. Beyond that,
  * 'get' is allowed for holders of any of VIEW_ALL / BOOK_OWN / BOOK_ALL /
  * MANAGE_BILLABLE, and 'get', 'update' and 'delete' are allowed for users
  * with the MANAGE_TIMEACCOUNTS right. 'create' is not checked here (the
  * caller has already verified the right), and nothing is checked while
  * $this->_doGrantChecks is off.
  *
  * @param Timetracker_Model_Timeaccount $_record
  * @param string $_action  'get', 'create', 'update' or 'delete'
  * @param boolean $_throw  throw instead of returning FALSE on denial
  * @param string $_errorMessage  message of the thrown exception
  * @param Timetracker_Model_Timeaccount $_oldRecord  not used here, kept for signature compatibility
  * @return boolean
  * @throws Tinebase_Exception_AccessDenied  when access is denied and $_throw is set
  */
 protected function _checkGrant($_record, $_action, $_throw = TRUE, $_errorMessage = 'No Permission.', $_oldRecord = NULL)
 {
     // no check here because the MANAGE_TIMEACCOUNTS right has been already checked before
     if ($_action == 'create' || ! $this->_doGrantChecks) {
         return TRUE;
     }

     $timeaccountId = $_record->getId();
     $allowed = Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, Tinebase_Model_Grants::GRANT_ADMIN);

     // reading is open to every grant that implies some access to the timeaccount
     if ($_action == 'get') {
         $allowed = $allowed || Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, array(
             Timetracker_Model_TimeaccountGrants::VIEW_ALL,
             Timetracker_Model_TimeaccountGrants::BOOK_OWN,
             Timetracker_Model_TimeaccountGrants::BOOK_ALL,
             Timetracker_Model_TimeaccountGrants::MANAGE_BILLABLE,
         ));
     }

     // the application-wide right covers reading, updating and deleting; other actions stay admin-only
     if (in_array($_action, array('get', 'update', 'delete'), TRUE)) {
         $allowed = $allowed || $this->checkRight(Timetracker_Acl_Rights::MANAGE_TIMEACCOUNTS, FALSE);
     }

     if (! $allowed && $_throw) {
         throw new Tinebase_Exception_AccessDenied($_errorMessage);
     }
     return $allowed;
 }
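 /**
  * check grant for action
  *
  * Decides whether the current user may perform $_action on the timesheet
  * $_record. Users holding the MANAGE_TIMEACCOUNTS right, or GRANT_ADMIN on the
  * record's timeaccount, pass unconditionally — except that writes to a closed
  * timeaccount are refused for them too unless the request context carries a
  * truthy 'skipClosedCheck' (the override is never honoured for non-managers).
  * Everybody else needs the matching VIEW_ALL / BOOK_ALL grant (or BOOK_OWN on
  * their own records) and, for 'create' and 'update', the requiredGrant of every
  * restricted field in $this->_fieldGrants that they set to a non-default value
  * or change. Unknown actions are denied.
  *
  * @param Timetracker_Model_Timesheet $_record        the timesheet being accessed
  * @param string                      $_action        'get', 'create', 'update' or 'delete'
  * @param boolean                     $_throw         throw instead of returning FALSE on denial
  * @param string                      $_errorMessage  message of the AccessDenied exception
  * @param Timetracker_Model_Timesheet $_oldRecord     persisted version of $_record ('update' only)
  * @return boolean
  * @throws Tinebase_Exception_AccessDenied        when the grants deny $_action and $_throw is set
  * @throws Timetracker_Exception_ClosedTimeaccount when writing to a closed timeaccount and $_throw is set
  *
  * @todo think about just setting the default values when user
  *       hasn't the required grant to change the field (instead of throwing exception)
  */
 protected function _checkGrant($_record, $_action, $_throw = TRUE, $_errorMessage = 'No Permission.', $_oldRecord = NULL)
 {
     $timeaccountId = $_record->timeaccount_id;

     // users with MANAGE_TIMEACCOUNTS (or GRANT_ADMIN on the timeaccount) have all grants here,
     // but the closed-timeaccount check below still applies to them
     $isAdmin = $this->checkRight(Timetracker_Acl_Rights::MANAGE_TIMEACCOUNTS, FALSE)
         || Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, Tinebase_Model_Grants::GRANT_ADMIN);

     // only TA managers are allowed to alter TS of closed TAs, but they have to confirm first
     // that they really want to do it (request context flag 'skipClosedCheck')
     if ($_action != 'get') {
         $timeaccount = Timetracker_Controller_Timeaccount::getInstance()->get($timeaccountId);
         if (! $timeaccount->is_open) {
             if (Tinebase_Core::isLogLevel(Zend_Log::DEBUG)) {
                 Tinebase_Core::getLogger()->debug(__METHOD__ . '::' . __LINE__ . ' This Timeaccount is already closed!');
             }
             // the override is gated on $isAdmin, so request data alone can not lift the restriction
             if ($isAdmin && is_array($this->_requestContext) && ! empty($this->_requestContext['skipClosedCheck'])) {
                 return TRUE;
             }
             if ($_throw) {
                 throw new Timetracker_Exception_ClosedTimeaccount();
             }
             return FALSE;
         }

         // non-billable TA: is_billable defaults to 0 and only GRANT_ADMIN holders may change it
         // NOTE(review): this mutates controller state and is never reset here — confirm that
         // subsequent checks in the same instance are meant to keep the tightened requirement
         if (! $timeaccount->is_billable) {
             $this->_fieldGrants['is_billable']['default'] = 0;
             $this->_fieldGrants['is_billable']['requiredGrant'] = Tinebase_Model_Grants::GRANT_ADMIN;
         }
     }

     if ($isAdmin) {
         return TRUE;
     }

     $currentUserId = Tinebase_Core::getUser()->getId();
     $hasGrant = FALSE;
     switch ($_action) {
         case 'get':
             $hasGrant = Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, array(
                     Timetracker_Model_TimeaccountGrants::VIEW_ALL,
                     Timetracker_Model_TimeaccountGrants::BOOK_ALL,
                 ))
                 || ($_record->account_id == $currentUserId
                     && Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, Timetracker_Model_TimeaccountGrants::BOOK_OWN));
             break;
         case 'create':
         case 'update':
         case 'delete':
             // own records need BOOK_OWN, anything else needs BOOK_ALL
             $hasGrant = ($_record->account_id == $currentUserId
                     && Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, Timetracker_Model_TimeaccountGrants::BOOK_OWN))
                 || Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, Timetracker_Model_TimeaccountGrants::BOOK_ALL);
             break;
     }

     // restricted fields: the user additionally needs the field's requiredGrant for every field
     // that is set to a non-default value ('create') or differs from the stored record ('update')
     if ($hasGrant && ($_action == 'create' || $_action == 'update')) {
         foreach ($this->_fieldGrants as $field => $config) {
             if (! isset($_record->{$field})) {
                 continue;
             }
             if ($_action == 'create') {
                 $reference = $config['default'];
             } else {
                 // a missing old record can not prove the field is unchanged, so any set value
                 // counts as a change (same outcome as before, without the property-on-null warning)
                 $reference = ($_oldRecord !== NULL) ? $_oldRecord->{$field} : NULL;
             }
             // loose comparison on purpose: record values may arrive as strings ('0' vs 0)
             if ($_record->{$field} != $reference
                 && ! Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, $config['requiredGrant'])
             ) {
                 $hasGrant = FALSE;
                 break;
             }
         }
     }

     if ($_throw && ! $hasGrant) {
         throw new Tinebase_Exception_AccessDenied($_errorMessage);
     }
     return (bool) $hasGrant;
 }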