 } else {
     $row = db_fetch_array($result);
 }
 $from_group_id = $group_id;
 // Get group_id of the document group containing the doc.
 // NOTE(review): $row['doc_group'] comes from the doc_data row fetched above
 // and is concatenated into SQL without db_ei(); acceptable only while
 // doc_group is a numeric column.
 $res_group = db_query("SELECT group_id FROM doc_groups WHERE doc_group=" . $row['doc_group']);
 // NOTE(review): an empty $res_group (orphan doc_group) is not detected and
 // would feed no group id into the permission checks below.
 $object_group_id = db_result($res_group, 0, 'group_id');
 // Visual layout should be that of the document group_id
 // The permission checks also use the project that owns the document group
 // (read from the database), not the group_id the request came in with; the
 // request value survives only in $from_group_id, to warn about a
 // cross-project view further down.
 $group_id = $object_group_id;
 // Check permissions for document, then document group
 // A DOCUMENT_READ permission set on the document itself replaces the
 // DOCGROUP_READ permission of its group. exit_error() is relied on to end
 // the request (no return follows it - confirm it never returns).
 if (permission_exist('DOCUMENT_READ', $docid)) {
     if (!permission_is_authorized('DOCUMENT_READ', $docid, user_getid(), $object_group_id)) {
         exit_error($Language->getText('global', 'perm_denied'), $Language->getText('global', 'error_perm_denied'));
     }
 } else {
     if (!permission_is_authorized('DOCGROUP_READ', $row['doc_group'], user_getid(), $object_group_id)) {
         exit_error($Language->getText('global', 'perm_denied'), $Language->getText('global', 'error_perm_denied'));
     }
 }
 if (user_isloggedin()) {
     //Insert a new entry in the doc_log table only for restricted documents
     // NOTE(review): despite the comment above, nothing here tests whether the
     // document is restricted - every read by a logged-in user is logged.
     // $docid is also embedded in the SQL unescaped; where it comes from is
     // outside this excerpt, so treat it as untrusted (db_ei()) until shown
     // otherwise.
     $sql = "INSERT INTO doc_log(user_id,docid,time) " . "VALUES ('" . user_getid() . "','" . $docid . "','" . time() . "')";
     $res_insert = db_query($sql);
 }
 // HTML or text files that were copy/pasted are displayed in a Codendi-formatted page.
 // Uploaded files are always displayed as-is.
 if (($row['filetype'] == 'text/html' || $row['filetype'] == 'text/plain') && $row['filesize'] == 0) {
     docman_header(array('title' => $row['title'], 'help' => 'DocumentManager.html'));
     if ($object_group_id != $from_group_id) {
         $group_name = util_get_group_name_from_id($object_group_id);
         print '<H3><span class="feedback">' . $Language->getText('docman_display_doc', 'warning_different_group', array($group_name)) . '</span></H3>';
 /**
  * Tell whether a user may read the whole wiki of this project.
  *
  * checkPermissions - Public
  *
  * The wiki is identified by the project id ($this->gid), which is also the
  * project handed to permission_is_authorized() as the owner of the object;
  * the WIKI_READ permission is the one consulted.
  *
  * @param  int     $uid User identifier
  * @return boolean Is the given user allowed to access to the Wiki
  */
 function isAutorized($uid)
 {
     $permission = 'WIKI_READ';
     $wikiId     = $this->gid;
     $projectId  = $this->gid;
     return permission_is_authorized($permission, $wikiId, $uid, $projectId);
 }
 /**
  * Indirection to the global permission_is_authorized() function.
  *
  * Kept as a protected method, presumably so that subclasses or tests can
  * substitute the permission lookup. The permissions library is loaded on
  * first use; all four arguments are forwarded unchanged.
  *
  * @param string $type          permission nature
  * @param int    $transition_id object (transition) identifier
  * @param int    $user_id       user being checked
  * @param int    $group_id      project the object belongs to
  * @return mixed whatever permission_is_authorized() returns
  */
 protected function permission_is_authorized($type, $transition_id, $user_id, $group_id)
 {
     include_once 'www/project/admin/permissions.php';
     $granted = permission_is_authorized($type, $transition_id, $user_id, $group_id);
     return $granted;
 }
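 /**
  * _getPackagesForUser
  *
  * Return the packages the user can see, one entry per package carrying the
  * newest active release the user may read.
  *
  * Visibility is decided in two steps for every (package, release) row:
  *   1. FRSPackageFactory::userCanRead() must accept the package;
  *   2. when a RELEASE_READ permission is defined on the release it must
  *      authorize the user, otherwise PACKAGE_READ on the package is checked.
  * Rows are ordered by release_date DESC, release_id DESC, so the first
  * authorized release of a package is kept and the rest are skipped.
  *
  * @param  int   $user_id
  * @return array list of array('package_name', 'release_name', 'release_id', 'package_id')
  */
 function _getPackagesForUser($user_id)
 {
     $frspf    = $this->getFRSPackageFactory();
     $group_id = $this->getGroupId();
     $packages = array();
     // Packages already emitted. Initialised explicitly instead of relying on
     // an undefined variable at the first isset() check.
     $package_displayed = array();
     // Both filters go through db_ei(). The stray space the status_id literal
     // used to carry (' 1') is gone: it only worked because the database
     // coerced the string to a number.
     $sql = "SELECT frs_package.package_id,frs_package.name AS package_name,frs_release.name AS release_name,frs_release.release_id AS release_id,frs_release.release_date AS release_date " . "FROM frs_package,frs_release " . "WHERE frs_package.package_id=frs_release.package_id " . "AND frs_package.group_id='" . db_ei($group_id) . "' " . "AND frs_release.status_id='" . db_ei($frspf->STATUS_ACTIVE) . "' " . "ORDER BY frs_package.rank,frs_package.package_id,frs_release.release_date DESC, frs_release.release_id DESC";
     $res_files  = db_query($sql);
     $rows_files = db_numrows($res_files);
     if ($res_files && $rows_files >= 1) {
         for ($f = 0; $f < $rows_files; $f++) {
             $package_id = db_result($res_files, $f, 'package_id');
             $release_id = db_result($res_files, $f, 'release_id');
             if (!$frspf->userCanRead($group_id, $package_id, $user_id)) {
                 continue;
             }
             if (isset($package_displayed[$package_id]) && $package_displayed[$package_id]) {
                 // Same package as an earlier row: its newest authorized release
                 // is already listed, do not show this one.
                 continue;
             }
             // A release-level permission, when defined, overrides the package one.
             if (permission_exist('RELEASE_READ', $release_id)) {
                 $authorized = permission_is_authorized('RELEASE_READ', $release_id, $user_id, $group_id);
             } else {
                 $authorized = permission_is_authorized('PACKAGE_READ', $package_id, $user_id, $group_id);
             }
             if ($authorized) {
                 $packages[] = array(
                     'package_name' => db_result($res_files, $f, 'package_name'),
                     'release_name' => db_result($res_files, $f, 'release_name'),
                     'release_id'   => $release_id,
                     'package_id'   => $package_id,
                 );
                 $package_displayed[$package_id] = true;
             }
         }
     }
     return $packages;
 }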
 /**
  * Tell whether $uid may read this wiki page.
  *
  * Two regimes, selected by $this->referenced:
  *  - a referenced page delegates the decision to the listeners of the
  *    'userCanAccessWikiDocument' event; unless one of them sets canAccess
  *    to true, access is refused;
  *  - any other page is checked against its own WIKI_PERMISSION_READ
  *    permission, but only when one is defined - a page without an explicit
  *    permission is readable by anyone this method is asked about.
  *
  * @param  int $uid user identifier
  * @return boolean
  */
 public function isAutorized($uid)
 {
     if ($this->referenced != true) {
         // No explicit permission: nothing restricts the page at this level.
         if (!$this->permissionExist()) {
             return true;
         }
         return permission_is_authorized(Wiki_PermissionsManager::WIKI_PERMISSION_READ, $this->id, $uid, $this->gid) ? true : false;
     }
     // Referenced page: the listeners decide, default is deny.
     $userCanAccess = false;
     $eM =& EventManager::instance();
     $eM->processEvent('userCanAccessWikiDocument', array('canAccess' => &$userCanAccess, 'wiki_page' => $this->pagename, 'group_id' => $this->gid));
     return (bool) $userCanAccess;
 }
 /**
  * userCanDownload : determine if the user can download the file or not
  *
  * WARNING : for the moment, user can download the file if the user can view the package and can view the release the file belongs to.
  *
  * Decision order: a super user may always download; a deleted file may never
  * be downloaded; otherwise the RELEASE_READ permission of the file's release
  * applies when one is defined, else PACKAGE_READ on its package.
  *
  * @param int $user_id the ID of the user. If $user_id is 0, then we take the current user.
  * @return boolean true if the user has permissions to download the file, false otherwise
  */
 function userCanDownload($user_id = 0)
 {
     if ($user_id == 0) {
         $user_id = user_getid();
     }
     $user = UserManager::instance()->getUserById($user_id);
     if ($user && $user->isSuperUser()) {
         return true;
     }
     if ($this->isDeleted()) {
         return false;
     }
     $group_id   = $this->getGroup()->getID();
     $release_id = $this->getReleaseID();
     if (permission_exist('RELEASE_READ', $release_id)) {
         $granted = permission_is_authorized('RELEASE_READ', $release_id, $user_id, $group_id);
     } else {
         $granted = permission_is_authorized('PACKAGE_READ', $this->getPackageID(), $user_id, $group_id);
     }
     return $granted ? true : false;
 }
 /**
  * Return true if user can do "$permissionType" on "$objectId"
  *
  * Convenience wrapper: the user id is taken from this object ($this->getId())
  * and everything else is handed to permission_is_authorized() unchanged.
  *
  * Note: this method is not useable in trackerV2 because it doesn't use "instances" parameter of getUgroups.
  *
  * @param String  $permissionType Permission nature
  * @param String  $objectId       Object to test
  * @param Integer $groupId        Project the object belongs to
  *
  * @return Boolean
  */
 public function hasPermission($permissionType, $objectId, $groupId)
 {
     $userId = $this->getId();
     return permission_is_authorized($permissionType, $objectId, $userId, $groupId);
 }
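/**
 Display list of docs in welcome page

 Prints, for project $group_id, every document group the current user may
 see, with the documents inside it as links to display_doc.php.

 Access rules applied:
  - project admins ('A') and document-manager admins ('D2') see every
    document group and every document, plus a lock icon linking to the
    permission editor wherever an explicit permission exists;
  - any other user sees a document group when DOCGROUP_READ authorizes
    them, or when at least one document inside it carries a DOCUMENT_READ
    permission that authorizes them;
  - inside a listed group, a document with its own DOCUMENT_READ permission
    is shown only if that permission authorizes the user; a document without
    one is shown only if the user was authorized on the document group.

 When nothing at all was printed, a "no document" message is shown.

 @param int $group_id project identifier
 @return void output is printed directly
*/
function display_doc_list($group_id)
{
    global $Language;
    // NOTE(review): $group_id is concatenated into SQL unescaped; callers must
    // pass a validated integer (its origin is not visible here).
    //get a list of group numbers that this project owns
    $query = "select * " . "from doc_groups " . "where group_id = {$group_id} " . "order by group_rank, groupname";
    $result = db_query($query);
    $doc_displayed = 0;
    // $pv (print view flag) is never set inside this function - it used to be
    // read once without isset() and once with it - so the lock-icon links are
    // always printed. Made explicit here; NOTE(review): if print view should
    // really hide them, $pv has to be passed in or declared global.
    $pv = false;
    //otherwise, throw up an error
    if (db_numrows($result) > 0) {
        // Retain only document groups the user is authorized to access, or those that contain authorized documents...
        $authorized_user = user_ismember($group_id, 'D2') || user_ismember($group_id, 'A');
        // Looked up once; the current user does not change during the request.
        $current_user_id = user_getid();
        while ($row = db_fetch_array($result)) {
            $doc_group = $row['doc_group'];
            $authorized_on_docgroup = $authorized_user || permission_is_authorized('DOCGROUP_READ', $doc_group, $current_user_id, $group_id);
            $authorized = $authorized_on_docgroup;
            if (!$authorized) {
                // Get corresponding documents and check access.
                // When set, the document permission overwrites the document
                // group permission: one authorized document is enough to list
                // the group.
                $sql2 = "SELECT * FROM doc_data WHERE doc_group=" . $doc_group;
                $res2 = db_query($sql2);
                if (db_numrows($res2) > 0) {
                    while ($row2 = db_fetch_array($res2)) {
                        if (permission_exist('DOCUMENT_READ', $row2['docid']) && permission_is_authorized('DOCUMENT_READ', $row2['docid'], $current_user_id, $group_id)) {
                            $authorized = true;
                            break;
                        }
                    }
                }
            }
            if (!$authorized) {
                continue;
            }
            // get the groupings and display them with their members.
            $query = "select description, docid, title, doc_group " . "from doc_data " . "where doc_group = '" . $doc_group . "' ";
            $query .= " order by rank";
            $subresult = db_query($query);
            if (db_numrows($subresult) < 1) {
                continue;
            }
            print "<p><b>" . $row['groupname'] . "</b>";
            if ($authorized_user && permission_exist('DOCGROUP_READ', $doc_group) && !$pv) {
                print ' <a href="/docman/admin/editdocgrouppermissions.php?doc_group=' . $doc_group . '&group_id=' . $group_id . '"><img src="' . util_get_image_theme("ic/lock.png") . '" border="0"></a>';
            }
            print "\n<ul>\n";
            while ($subrow = db_fetch_array($subresult)) {
                if (permission_exist('DOCUMENT_READ', $subrow['docid'])) {
                    // Document-level permission takes precedence over the group one.
                    if (!permission_is_authorized('DOCUMENT_READ', $subrow['docid'], $current_user_id, $group_id)) {
                        continue;
                    }
                } elseif (!$authorized_on_docgroup) {
                    continue;
                }
                // LJ We want the title and the description to
                // possibly contain HTML but NOT php code
                // NOTE(review): title and description are therefore printed
                // un-escaped on purpose. Inside the title="" attribute only tags
                // are stripped, so a double quote in a title presumably breaks
                // out of the attribute - confirm what util_unconvert_htmlspecialchars
                // does with &quot;.
                print "<li><a href=\"/docman/display_doc.php?docid=" . $subrow['docid'] . "&group_id=" . $group_id . "\" title=\"" . $subrow['docid'] . " - " . strip_tags(util_unconvert_htmlspecialchars($subrow['title'])) . "\">";
                print util_unconvert_htmlspecialchars($subrow['title']);
                print "</a>\n";
                if ($authorized_user && permission_exist('DOCUMENT_READ', $subrow['docid']) && !$pv) {
                    print ' <a href="/docman/admin/editdocpermissions.php?docid=' . $subrow['docid'] . '&group_id=' . $group_id . '"><img src="' . util_get_image_theme("ic/lock.png") . '" border="0"></a>';
                }
                print "<BR><i>" . $Language->getText('docman_index', 'description') . ":</i> ";
                print util_unconvert_htmlspecialchars($subrow['description']);
                $doc_displayed++;
            }
            print "</ul>\n\n";
        }
    }
    if ($doc_displayed < 1) {
        print "<b>" . $Language->getText('docman_index', 'nodoc') . "</b><p>";
    }
}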
/**
 * Takes a forum_id and checks if user is authorized to read the piece of news associated to this forum_id
 *
 * When the news is reached through the site-wide news group
 * ($GLOBALS['sys_news_group']) the project that really owns it is looked up
 * first: news of a private project is never readable that way. Then, if a
 * NEWS_READ permission is defined on the forum, it must authorize the
 * current user; a forum without an explicit permission is readable.
 *
 * NOTE(review): the original carried a "cast input" comment but nothing is
 * cast; $forum_id reaches the SQL through db_ei() and the permission
 * functions as-is.
 *
 * @param int $forum_id forum attached to the news item
 * @param int $group_id project the request is made against
 * @return boolean
 */
function news_check_permission($forum_id, $group_id)
{
    if ($group_id == $GLOBALS['sys_news_group']) {
        //search for the real group_id of the news
        $sql = "SELECT g.access FROM news_bytes AS n INNER JOIN groups AS g USING(group_id) WHERE n.forum_id = " . db_ei($forum_id);
        $res = db_query($sql);
        if ($res && db_numrows($res)) {
            $row = db_fetch_array($res);
            //see if it is public to continue permissions check
            if ($row['access'] === Project::ACCESS_PRIVATE) {
                return false;
            }
        }
    }
    // No explicit permission on the forum: readable by everybody.
    if (!permission_exist('NEWS_READ', $forum_id)) {
        return true;
    }
    return permission_is_authorized('NEWS_READ', $forum_id, user_getid(), $group_id) ? true : false;
}
 /**
  * Tell whether $uid may read this attachment.
  *
  * An attachment without an explicit PHPWIKIATTACHMENT_READ permission is
  * readable by anyone; otherwise that permission must authorize the user.
  *
  * @access public
  * @param  int $uid user identifier
  * @return boolean
  */
 public function isAutorized($uid)
 {
     require_once 'www/project/admin/permissions.php';
     if (!$this->permissionExist()) {
         return true;
     }
     return permission_is_authorized('PHPWIKIATTACHMENT_READ', $this->id, $uid, $this->gid) ? true : false;
 }
//
require_once 'pre.php';
require_once 'www/project/admin/permissions.php';
// Serve one docman document as a download.
// Relies on $docid and $Language being defined already (by pre.php or the
// surrounding script; not visible in this excerpt).
// NOTE(review): $docid goes into the SQL string unescaped and uncast, unlike
// the db_ei() calls used in sibling code; if it comes from the request this
// is an SQL injection - escape it (db_ei) or cast it to int.
$sql = "SELECT description,data,filename,filesize,filetype,doc_group FROM doc_data WHERE docid='{$docid}'";
$result = db_query($sql);
if ($result && db_numrows($result) > 0) {
    // Get group_id of the document group containing the doc.
    // The permission checks use the project that owns the document group in
    // the database, never a group_id supplied by the caller.
    $res_group = db_query("SELECT group_id FROM doc_groups WHERE doc_group=" . db_result($result, 0, 'doc_group'));
    // NOTE(review): an empty $res_group (orphan doc_group) is not detected here.
    $object_group_id = db_result($res_group, 0, 'group_id');
    // Check permissions for document, then document group
    // A DOCUMENT_READ permission on the document itself replaces the
    // DOCGROUP_READ permission of its group. exit_error() is relied on to end
    // the request (no return follows it - confirm it never returns).
    if (permission_exist('DOCUMENT_READ', $docid)) {
        if (!permission_is_authorized('DOCUMENT_READ', $docid, user_getid(), $object_group_id)) {
            exit_error($Language->getText('global', 'perm_denied'), $Language->getText('global', 'error_perm_denied'));
        }
    } else {
        if (!permission_is_authorized('DOCGROUP_READ', db_result($result, 0, 'doc_group'), user_getid(), $object_group_id)) {
            exit_error($Language->getText('global', 'perm_denied'), $Language->getText('global', 'error_perm_denied'));
        }
    }
    // A zero filesize is not a downloadable upload (elsewhere in the docman it
    // marks copy/pasted text); refuse rather than send an empty body.
    if (db_result($result, 0, 'filesize') == 0) {
        exit_error($Language->getText('global', 'error'), $Language->getText('docman_download', 'error_nofile'));
    } else {
        // Download the patch with the correct filetype
        // NOTE(review): Content-Type is the stored filetype and the
        // Content-Disposition carries no "attachment" token, so a stored
        // text/html document renders inline on this origin (stored XSS if
        // uploaders are not fully trusted). The filename is placed inside the
        // quoted header value without escaping embedded double quotes.
        header('Content-Type: ' . db_result($result, 0, 'filetype'));
        header('Content-Length: ' . db_result($result, 0, 'filesize'));
        header('Content-Disposition: filename="' . db_result($result, 0, 'filename') . '"');
        echo db_result($result, 0, 'data');
    }
} else {
    exit_error($Language->getText('global', 'error'), $Language->getText('docman_download', 'error_nodoc', array($docid)));
}
 /**
  * Overridable indirection to the global permission_is_authorized() function;
  * the four arguments are forwarded unchanged.
  *
  * @param string $type          permission nature
  * @param int    $transition_id object (transition) identifier
  * @param int    $user_id       user being checked
  * @param int    $group_id      project the object belongs to
  * @return mixed whatever permission_is_authorized() returns
  */
 protected function permission_is_authorized($type, $transition_id, $user_id, $group_id)
 {
     $result = permission_is_authorized($type, $transition_id, $user_id, $group_id);
     return $result;
 }
/**
 * Takes a forum_id (associated to a news) and checks if the user is allowed to access the corresponding forum
 *
 * The project owning the news is read from news_bytes (when the forum is
 * reached from the Summary page, the group_id request variable is not set)
 * and the NEWS_READ permission on the forum is checked for the current user.
 *
 * NOTE(review): when no news_bytes row matches the forum, the answer is true
 * (fail-open); callers get no protection from this function for forums that
 * are not attached to a news item.
 *
 * @param int $forum_id
 * @return boolean
 */
function forum_utils_news_access($forum_id)
{
    $news_rows = db_query("SELECT group_id FROM news_bytes WHERE forum_id=" . db_ei($forum_id));
    if (!$news_rows || db_numrows($news_rows) <= 0) {
        return true;
    }
    //if the forum is accessed from Summary page (Latest News section), the group_id variable is not set
    $owner_group_id = db_result($news_rows, 0, 'group_id');
    return permission_is_authorized('NEWS_READ', intval($forum_id), user_getid(), $owner_group_id);
}
 /**
  * Tell whether $uid may read this wiki page.
  *
  * The 'isWikiPageReferenced' event is asked first whether the page is
  * referenced (the original comment points at the Docman). A referenced page
  * is readable only if a listener of 'userCanAccessWikiDocument' sets
  * canAccess to true. Any other page is checked against its WIKIPAGE_READ
  * permission when one exists, and is readable by default when none is
  * defined.
  *
  * @access public
  * @param  int $uid user identifier
  * @return boolean
  */
 function isAutorized($uid)
 {
     //Check for Docman Perms
     $eventManager =& EventManager::instance();
     $isReferenced = false;
     $eventManager->processEvent('isWikiPageReferenced', array('referenced' => &$isReferenced, 'wiki_page' => $this->pagename, 'group_id' => $this->gid));
     if ($isReferenced == true) {
         // Listeners decide; nobody answering means no access.
         $canAccess = false;
         $eventManager->processEvent('userCanAccessWikiDocument', array('canAccess' => &$canAccess, 'wiki_page' => $this->pagename, 'group_id' => $this->gid));
         return (bool) $canAccess;
     }
     // Check if user is authorized; no explicit permission means readable.
     if (!$this->permissionExist()) {
         return true;
     }
     return permission_is_authorized('WIKIPAGE_READ', $this->id, $uid, $this->gid) ? true : false;
 }