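	/**
	 * _checkUserResourcePermission
	 * Check whether the user has access to every resource the trigger email record refers to.
	 *
	 * This authorisation check lives in the caller because the API layer does not
	 * currently enforce per-user permissions. Once it does, this method can be deprecated.
	 *
	 * Each check only runs when the corresponding key is present in $record; a missing
	 * key skips that check (record shape is assumed to be validated before this point —
	 * confirm against the caller). Every failing check raises an E_USER_NOTICE; the
	 * method reports FALSE after all checks have run, so every problem is reported.
	 *
	 * @param Array $record Associative array of the record. Keys read:
	 *                      'triggertype' ('f', 'l', 'n' or 's'), 'data', 'triggeractions'.
	 * @param User_API $user User API; must provide Admin(), GetLists() and GetNewsletters()
	 *
	 * @return Boolean Returns TRUE if the user has all required permissions, FALSE otherwise
	 *
	 * @todo deprecate this when API takes user permission into account
	 */
	private function _checkUserResourcePermission($record, $user)
	{
		// Admins bypass every resource check
		if ($user->Admin()) {
			return true;
		}

		// Both are keyed by resource ID, so array_key_exists() is the membership test
		$userLists = $user->GetLists();
		$userNewsletters = $user->GetNewsletters();

		// Normalise the parts of the record we read so a missing or malformed
		// key cannot raise "undefined index" warnings or break foreach below
		$triggerType = isset($record['triggertype']) ? $record['triggertype'] : null;
		$data = (isset($record['data']) && is_array($record['data'])) ? $record['data'] : array();
		$actions = (isset($record['triggeractions']) && is_array($record['triggeractions'])) ? $record['triggeractions'] : array();

		$error = false;

		// Contact list referenced by trigger type 'f'
		if ($triggerType == 'f' && isset($data['listid']) && !array_key_exists($data['listid'], $userLists)) {
			trigger_error('Does not have access to contact list', E_USER_NOTICE);
			$error = true;
		}

		// Newsletter that the link of trigger type 'l' belongs to
		if ($triggerType == 'l' && isset($data['linkid_newsletterid']) && !array_key_exists($data['linkid_newsletterid'], $userNewsletters)) {
			trigger_error('Does not have access to specified newsletter', E_USER_NOTICE);
			$error = true;
		}

		// Newsletter defined for the "Newsletter Opened" trigger type 'n'
		if ($triggerType == 'n' && isset($data['newsletterid']) && !array_key_exists($data['newsletterid'], $userNewsletters)) {
			trigger_error('Does not have access to specified newsletter', E_USER_NOTICE);
			$error = true;
		}

		// Every list defined for the static date trigger type 's'
		if ($triggerType == 's' && isset($data['staticdate_listids']) && is_array($data['staticdate_listids'])) {
			foreach ($data['staticdate_listids'] as $listId) {
				if (!array_key_exists($listId, $userLists)) {
					trigger_error('Does not have access to specified list', E_USER_NOTICE);
					$error = true;
					break;
				}
			}
		}

		// "send" action: the newsletter to be sent must be one the user can access
		if (isset($actions['send']['enabled']) && $actions['send']['enabled']) {
			if (isset($actions['send']['newsletterid']) && !array_key_exists($actions['send']['newsletterid'], $userNewsletters)) {
				trigger_error('Does not have access to specified newsletter', E_USER_NOTICE);
				$error = true;
			}
		}

		// "addlist" action: every target list must be one the user can access
		if (isset($actions['addlist']['enabled']) && $actions['addlist']['enabled']) {
			if (isset($actions['addlist']['listid']) && is_array($actions['addlist']['listid'])) {
				foreach ($actions['addlist']['listid'] as $listId) {
					if (!array_key_exists($listId, $userLists)) {
						// These are contact lists, not newsletters (the old message was mislabelled)
						trigger_error('Does not have access to specified list', E_USER_NOTICE);
						$error = true;
						break;
					}
				}
			}
		}

		return !$error;
	}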
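		/**
		 * _checkPermissionCanEdit
		 * Check whether or not a user can edit a segment
		 *
		 * Checking user privilege here also means checking that the user has access
		 * to every mailing list used by the segment. Once a list used in a segment
		 * becomes "restricted" for a user, that user must not be able to edit the
		 * segment at all.
		 *
		 * Here's the logic:
		 * (1) If Admin go to (7), otherwise go to (2)
		 * (2) If segment is owned by user, go to (3), otherwise go to (4)
		 * (3) If user has "edit" permission, go to (7), otherwise (6)
		 * (4) If user is allowed "edit" access to this segment, check (5), otherwise go to (6)
		 * (5) If user does NOT have access to all the lists in the segment, go to (6), otherwise go to (7)
		 * (6) CANNOT EDIT
		 * (7) CAN EDIT
		 *
		 * @param Segment_API $segmentapi Current segment API (reads ownerid, segmentid, searchinfo['Lists'])
		 * @param User_API $userapi Current user API (reads userid; calls Admin(), HasAccess(), GetLists())
		 *
		 * @return Boolean Returns TRUE if user has edit privilege on segment, FALSE otherwise
		 *
		 * @uses User_API::HasAccess()
		 * @uses User_API::GetLists()
		 *
		 * @access private
		 */
		function _checkPermissionCanEdit($segmentapi, $userapi)
		{
			// (1) Admins can edit any segment
			if ($userapi->Admin()) {
				return true;
			}

			// (2)/(3) Owner: only the generic "Segments / Edit" privilege is required.
			// Loose comparison is kept as in the original so int and numeric-string
			// IDs still match — confirm against the API's ID types before tightening.
			if ($segmentapi->ownerid == $userapi->userid) {
				return (bool) $userapi->HasAccess('Segments', 'Edit');
			}

			// (4) Non-owner: needs "Edit" access granted on this specific segment ...
			if (!$userapi->HasAccess('Segments', 'Edit', $segmentapi->segmentid)) {
				return false;
			}

			// (5) ... and access to every list the segment searches. array_diff() yields
			// the segment lists the user lacks; the previous count() comparison denied
			// access when the segment listed the same ID twice.
			$segmentLists = (isset($segmentapi->searchinfo['Lists']) && is_array($segmentapi->searchinfo['Lists']))
				? $segmentapi->searchinfo['Lists']
				: array();
			$userLists = array_keys($userapi->GetLists());

			return count(array_diff($segmentLists, $userLists)) == 0;
		}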