/**
* @param string $modelClassName
* @param null | string $attributeIndexes
* @param null | string $attributeIndexPrefix
*/
public static function resolveAttributeIndexes($modelClassName, &$attributeIndexes, $attributeIndexPrefix = null)
{
assert('is_string($modelClassName)');
assert('is_string($attributeIndexPrefix) || $attributeIndexPrefix == null');
$moduleClassName = $modelClassName::getModuleClassName();
if (is_subclass_of($modelClassName, 'SecurableItem') && $modelClassName::hasReadPermissionsOptimization() && $moduleClassName != null && is_subclass_of($moduleClassName, 'SecurableModule')) {
$permission = PermissionsUtil::getActualPermissionDataForReadByModuleNameForUser($moduleClassName);
if ($permission == Permission::NONE || $permission == Permission::DENY) {
$indexes = array();
$indexes[] = 'owner__User';
$mungeIds = AllPermissionsOptimizationUtil::getMungeIdsByUser(Yii::app()->user->userModel);
if (count($mungeIds) > 0 && $permission == Permission::NONE) {
$indexes[] = 'ReadOptimization';
}
$attributeIndexes[$attributeIndexPrefix] = $indexes;
}
}
}
/**
* @param $requiredPermissions
* @param OwnedSecurableItem $ownedSecurableItem
* @param User $user
* @return bool
* @throws NotSupportedException
* @throws AccessDeniedSecurityException
*/
protected static function checkPermissionsHasRead($requiredPermissions, OwnedSecurableItem $ownedSecurableItem, User $user)
{
$modelClassName = get_class($ownedSecurableItem);
$moduleClassName = $modelClassName::getModuleClassName();
$permission = PermissionsUtil::getActualPermissionDataForReadByModuleNameForUser($moduleClassName, $user);
if ($permission == Permission::NONE) {
$mungeIds = static::getMungeIdsByUser($user);
if (count($mungeIds) > 0 && $permission == Permission::NONE) {
$quote = DatabaseCompatibilityUtil::getQuote();
$mungeTableName = ReadPermissionsOptimizationUtil::getMungeTableName($modelClassName);
$sql = "select id from " . $mungeTableName . " where {$quote}securableitem_id{$quote} = " . $ownedSecurableItem->getClassId('SecurableItem') . " and {$quote}munge_id{$quote} in ('" . join("', '", $mungeIds) . "') limit 1";
$id = ZurmoRedBean::getCol($sql);
if (!empty($id)) {
return true;
} else {
throw new AccessDeniedSecurityException($user, $requiredPermissions, Permission::NONE);
}
} else {
throw new NotSupportedException();
}
} elseif ($permission == Permission::DENY) {
throw new AccessDeniedSecurityException($user, $requiredPermissions, Permission::DENY);
} else {
return true;
}
}
/**
* @param User $user
* @param RedBeanModelJoinTablesQueryAdapter $joinTablesAdapter
* @param $where
* @param $selectDistinct
* @throws NotSupportedException
*/
public static function resolveReadPermissionsOptimizationToSqlQuery(User $user, RedBeanModelJoinTablesQueryAdapter $joinTablesAdapter, &$where, &$selectDistinct)
{
assert('$where == null || is_string($where)');
assert('is_bool($selectDistinct)');
$modelClassName = get_called_class();
$moduleClassName = $modelClassName::getModuleClassName();
//Currently only adds munge if the module is securable and this model supports it.
if (static::hasReadPermissionsOptimization() && $moduleClassName != null && is_subclass_of($moduleClassName, 'SecurableModule')) {
$permission = PermissionsUtil::getActualPermissionDataForReadByModuleNameForUser($moduleClassName);
if (($permission == Permission::NONE || $permission == Permission::DENY) && !static::bypassReadPermissionsOptimizationToSqlQueryBasedOnWhere($where)) {
$quote = DatabaseCompatibilityUtil::getQuote();
$modelAttributeToDataProviderAdapter = new OwnedSecurableItemIdToDataProviderAdapter($modelClassName, null);
$builder = new ModelJoinBuilder($modelAttributeToDataProviderAdapter, $joinTablesAdapter);
$ownedTableAliasName = $builder->resolveJoins();
$ownerColumnName = static::getForeignKeyName('OwnedSecurableItem', 'owner');
$mungeIds = AllPermissionsOptimizationUtil::getMungeIdsByUser($user);
if ($where != null) {
$where = '(' . $where . ') and ';
}
if (count($mungeIds) > 0 && $permission == Permission::NONE) {
$extraOnQueryPart = " and {$quote}munge_id{$quote} in ('" . join("', '", $mungeIds) . "')";
$mungeTableName = ReadPermissionsOptimizationUtil::getMungeTableName($modelClassName);
$mungeTableAliasName = $joinTablesAdapter->addLeftTableAndGetAliasName($mungeTableName, 'securableitem_id', $ownedTableAliasName, 'securableitem_id', $extraOnQueryPart);
$where .= "({$quote}{$ownedTableAliasName}{$quote}.{$quote}{$ownerColumnName}{$quote} = {$user->id} OR ";
// Not Coding Standard
$where .= "{$quote}{$mungeTableName}{$quote}.{$quote}munge_id{$quote} IS NOT NULL)";
// Not Coding Standard
$selectDistinct = true;
//must use distinct since adding munge table query.
} elseif ($permission == Permission::DENY) {
$where .= "{$quote}{$ownedTableAliasName}{$quote}.{$quote}{$ownerColumnName}{$quote} = {$user->id}";
// Not Coding Standard
} else {
throw new NotSupportedException();
}
}
}
}
