/**
  * Finish the installation - create owner company and administrator
  *
  * @param void
  * @return null
  */
 function complete_installation()
 {
     if (Contacts::getOwnerCompany() instanceof Contact) {
         die('Owner company already exists');
         // Somebody is trying to access this method even if the user already exists
     }
     // if
     $form_data = array_var($_POST, 'form');
     tpl_assign('form_data', $form_data);
     if (array_var($form_data, 'submited') == 'submited') {
         try {
             $admin_password = trim(array_var($form_data, 'admin_password'));
             $admin_password_a = trim(array_var($form_data, 'admin_password_a'));
             if (trim($admin_password) == '') {
                 throw new Error(lang('password value required'));
             }
             // if
             if ($admin_password != $admin_password_a) {
                 throw new Error(lang('passwords dont match'));
             }
             // if
             DB::beginWork();
             Contacts::delete();
             // clear users table
             // Create a company
             $company = new Contact();
             $company->setFirstName(array_var($form_data, 'company_name'));
             $company->setObjectName();
             $company->setIsCompany(true);
             $company->save();
             // Init default colors
             set_config_option('brand_colors_head_back', "424242");
             set_config_option('brand_colors_tabs_back', "e7e7e7");
             set_config_option('brand_colors_head_font', "FFFFFF");
             set_config_option('brand_colors_tabs_font', "333333");
             // Create the administrator user
             $administrator = new Contact();
             $pergroup = PermissionGroups::findOne(array('conditions' => "`name`='Super Administrator'"));
             $administrator->setUserType($pergroup->getId());
             $administrator->setCompanyId($company->getId());
             $administrator->setUsername(array_var($form_data, 'admin_username'));
             $administrator->setPassword($admin_password);
             $administrator->setFirstname(array_var($form_data, 'admin_username'));
             $administrator->setObjectName();
             $administrator->save();
             $user_password = new ContactPassword();
             $user_password->setContactId($administrator->getId());
             $user_password->password_temp = $admin_password;
             $user_password->setPasswordDate(DateTimeValueLib::now());
             $user_password->setPassword(cp_encrypt($admin_password, $user_password->getPasswordDate()->getTimestamp()));
             $user_password->save();
             //Add email after save because is needed.
             $administrator->addEmail(array_var($form_data, 'admin_email'), 'personal', true);
             //permissions
             $permission_group = new PermissionGroup();
             $permission_group->setName('Account Owner');
             $permission_group->setContactId($administrator->getId());
             $permission_group->setIsContext(false);
             $permission_group->setType("permission_groups");
             $permission_group->save();
             $administrator->setPermissionGroupId($permission_group->getId());
             $administrator->save();
             $company->setCreatedById($administrator->getId());
             $company->setUpdatedById($administrator->getId());
             $company->save();
             $contact_pg = new ContactPermissionGroup();
             $contact_pg->setContactId($administrator->getId());
             $contact_pg->setPermissionGroupId($permission_group->getId());
             $contact_pg->save();
             // tab panel permissions
             $panels = TabPanels::getEnabled();
             foreach ($panels as $panel) {
                 $tpp = new TabPanelPermission();
                 $tpp->setPermissionGroupId($administrator->getPermissionGroupId());
                 $tpp->setTabPanelId($panel->getId());
                 $tpp->save();
             }
             // dimension permissions
             $dimensions = Dimensions::findAll();
             foreach ($dimensions as $dimension) {
                 if ($dimension->getDefinesPermissions()) {
                     $cdp = ContactDimensionPermissions::findOne(array("conditions" => "`permission_group_id` = " . $administrator->getPermissionGroupId() . " AND `dimension_id` = " . $dimension->getId()));
                     if (!$cdp instanceof ContactDimensionPermission) {
                         $cdp = new ContactDimensionPermission();
                         $cdp->setPermissionGroupId($administrator->getPermissionGroupId());
                         $cdp->setContactDimensionId($dimension->getId());
                     }
                     $cdp->setPermissionType('allow all');
                     $cdp->save();
                     // contact member permisssion entries
                     $members = $dimension->getAllMembers();
                     foreach ($members as $member) {
                         $ots = DimensionObjectTypeContents::getContentObjectTypeIds($dimension->getId(), $member->getObjectTypeId());
                         $ots[] = $member->getObjectId();
                         foreach ($ots as $ot) {
                             $cmp = ContactMemberPermissions::findOne();
                             if (!$cmp instanceof ContactMemberPermission) {
                                 $cmp = new ContactMemberPermission(array("conditions" => "`permission_group_id` = " . $administrator->getPermissionGroupId() . " AND `member_id` = " . $member->getId() . " AND `object_type_id` = {$ot}"));
                                 $cmp->setPermissionGroupId($administrator->getPermissionGroupId());
                                 $cmp->setMemberId($member->getId());
                                 $cmp->setObjectTypeId($ot);
                             }
                             $cmp->setCanWrite(1);
                             $cmp->setCanDelete(1);
                             $cmp->save();
                         }
                     }
                 }
             }
             // system permissions
             $sp = new SystemPermission();
             $sp->setPermissionGroupId($administrator->getPermissionGroupId());
             $sp->setAllPermissions(true);
             $sp->save();
             // root permissions
             DB::executeAll("\r\n\t\t\t\tINSERT INTO " . TABLE_PREFIX . "contact_member_permissions (permission_group_id, member_id, object_type_id, can_delete, can_write)\r\n\t\t\t\t  SELECT " . $administrator->getPermissionGroupId() . ", 0, rtp.object_type_id, rtp.can_delete, rtp.can_write FROM " . TABLE_PREFIX . "role_object_type_permissions rtp \r\n\t\t\t\t  WHERE rtp.object_type_id NOT IN (SELECT id FROM " . TABLE_PREFIX . "object_types WHERE name IN ('mail','template','file_revision')) AND rtp.role_id in (\r\n\t\t\t\t    SELECT pg.id FROM " . TABLE_PREFIX . "permission_groups pg WHERE pg.type='roles' AND pg.name IN ('Super Administrator','Administrator','Manager','Executive')\r\n\t\t\t\t  )\r\n\t\t\t\tON DUPLICATE KEY UPDATE member_id=0;");
             Hook::fire('after_user_add', $administrator, $null);
             DB::commit();
             $this->redirectTo('access', 'login');
         } catch (Exception $e) {
             tpl_assign('error', $e);
             DB::rollback();
         }
         // try
     }
     // if
 }
Example #2
0
function save_permissions($pg_id, $is_guest = false)
{
    $sys_permissions_data = array_var($_POST, 'sys_perm');
    $changed_members = array();
    //module permissions
    $mod_permissions_data = array_var($_POST, 'mod_perm');
    TabPanelPermissions::clearByPermissionGroup($pg_id);
    if (!is_null($mod_permissions_data) && is_array($mod_permissions_data)) {
        foreach ($mod_permissions_data as $tab_id => $val) {
            $tpp = new TabPanelPermission();
            $tpp->setPermissionGroupId($pg_id);
            $tpp->setTabPanelId($tab_id);
            $tpp->save();
        }
    }
    //system permissions
    $system_permissions = SystemPermissions::findById($pg_id);
    if (!$system_permissions instanceof SystemPermission) {
        $system_permissions = new SystemPermission();
        $system_permissions->setPermissionGroupId($pg_id);
    }
    $system_permissions->setAllPermissions(false);
    $other_permissions = array();
    Hook::fire('add_user_permissions', $pg_id, $other_permissions);
    foreach ($other_permissions as $k => $v) {
        $system_permissions->setColumnValue($k, false);
    }
    $sys_permissions_data['can_task_assignee'] = !$is_guest;
    $system_permissions->setFromAttributes($sys_permissions_data);
    $system_permissions->save();
    //member permissions
    $permissionsString = array_var($_POST, 'permissions');
    if ($permissionsString && $permissionsString != '') {
        $permissions = json_decode($permissionsString);
    }
    if (isset($permissions) && !is_null($permissions) && is_array($permissions)) {
        $allowed_members_ids = array();
        foreach ($permissions as $perm) {
            if (!isset($all_perm_deleted[$perm->m])) {
                $all_perm_deleted[$perm->m] = true;
            }
            $allowed_members_ids[$perm->m] = array();
            $allowed_members_ids[$perm->m]['pg'] = $pg_id;
            $cmp = ContactMemberPermissions::findById(array('permission_group_id' => $pg_id, 'member_id' => $perm->m, 'object_type_id' => $perm->o));
            if (!$cmp instanceof ContactMemberPermission) {
                $cmp = new ContactMemberPermission();
                $cmp->setPermissionGroupId($pg_id);
                $cmp->setMemberId($perm->m);
                $cmp->setObjectTypeId($perm->o);
            }
            $cmp->setCanWrite($is_guest ? false : $perm->w);
            $cmp->setCanDelete($is_guest ? false : $perm->d);
            if ($perm->r) {
                if (isset($allowed_members_ids[$perm->m]['w'])) {
                    if ($allowed_members_ids[$perm->m]['w'] != 1) {
                        $allowed_members_ids[$perm->m]['w'] = $is_guest ? false : $perm->w;
                    }
                } else {
                    $allowed_members_ids[$perm->m]['w'] = $is_guest ? false : $perm->w;
                }
                if (isset($allowed_members_ids[$perm->m]['d'])) {
                    if ($allowed_members_ids[$perm->m]['d'] != 1) {
                        $allowed_members_ids[$perm->m]['d'] = $is_guest ? false : $perm->d;
                    }
                } else {
                    $allowed_members_ids[$perm->m]['d'] = $is_guest ? false : $perm->d;
                }
                $cmp->save();
                $all_perm_deleted[$perm->m] = false;
            } else {
                $cmp->delete();
            }
            $changed_members[] = $perm->m;
        }
        $sharingTablecontroller = new SharingTableController();
        $sharingTablecontroller->afterPermissionChanged($pg_id, $permissions);
        foreach ($allowed_members_ids as $key => $mids) {
            $mbm = Members::findById($key);
            $root_cmp = ContactMemberPermissions::findById(array('permission_group_id' => $mids['pg'], 'member_id' => $key, 'object_type_id' => $mbm->getObjectTypeId()));
            if (!$root_cmp instanceof ContactMemberPermission) {
                $root_cmp = new ContactMemberPermission();
                $root_cmp->setPermissionGroupId($mids['pg']);
                $root_cmp->setMemberId($key);
                $root_cmp->setObjectTypeId($mbm->getObjectTypeId());
            }
            $root_cmp->setCanWrite($mids['w']);
            $root_cmp->setCanDelete($mids['d']);
            $root_cmp->save();
        }
        foreach ($all_perm_deleted as $mid => $pd) {
            if ($pd) {
                ContactMemberPermissions::instance()->delete("`permission_group_id` = {$pg_id} AND `member_id` = {$mid}");
            }
        }
    }
    // set all permissiions to read_only
    if ($is_guest) {
        $all_saved_permissions = ContactMemberPermissions::findAll(array("conditions" => "`permission_group_id` = {$pg_id}"));
        foreach ($all_saved_permissions as $sp) {
            /* @var $sp ContactMemberPermission */
            if ($sp->getCanDelete() || $sp->getCanWrite()) {
                $sp->setCanDelete(false);
                $sp->setCanWrite(false);
                $sp->save();
            }
        }
        $cdps = ContactDimensionPermissions::findAll(array("conditions" => "`permission_type` = 'allow all'"));
        foreach ($cdps as $cdp) {
            $cdp->setPermissionType('check');
            $cdp->save();
        }
    }
    // check the status of the changed dimensions to set 'allow_all', 'deny_all' or 'check'
    $dimensions = Dimensions::findAll(array("conditions" => array("`id` IN (SELECT DISTINCT `dimension_id` FROM " . Members::instance()->getTableName(true) . " WHERE `id` IN (?))", $changed_members)));
    foreach ($dimensions as $dimension) {
        $mem_ids = $dimension->getAllMembers(true);
        if (count($mem_ids) == 0) {
            $mem_ids[] = 0;
        }
        $count = ContactMemberPermissions::count(array('conditions' => "`permission_group_id`={$pg_id} AND `member_id` IN (" . implode(",", $mem_ids) . ") AND `can_delete` = 0"));
        if ($count > 0) {
            $dimension->setContactDimensionPermission($pg_id, 'check');
        } else {
            $count = ContactMemberPermissions::count(array('conditions' => "`permission_group_id`={$pg_id} AND `member_id` IN (" . implode(",", $mem_ids) . ")"));
            if ($count == 0) {
                $dimension->setContactDimensionPermission($pg_id, 'deny all');
            } else {
                $allow_all = true;
                $dim_obj_types = $dimension->getAllowedObjectTypeContents();
                $members = Members::findAll("`id` IN (" . implode(",", $mem_ids) . ")");
                foreach ($dim_obj_types as $dim_obj_type) {
                    $mem_ids_for_ot = array();
                    foreach ($members as $member) {
                        if ($dim_obj_type->getDimensionObjectTypeId() == $member->getObjectTypeId()) {
                            $mem_ids_for_ot[] = $member->getId();
                        }
                    }
                    if (count($mem_ids_for_ot) == 0) {
                        $mem_ids_for_ot[] = 0;
                    }
                    $count = ContactMemberPermissions::count(array('conditions' => "`permission_group_id`={$pg_id} AND \n\t\t\t\t\t\t`object_type_id` = " . $dim_obj_type->getContentObjectTypeId() . " AND `can_delete` = 1 AND `member_id` IN (" . implode(",", $mem_ids_for_ot) . ")"));
                    if ($count != count($mem_ids_for_ot)) {
                        $allow_all = false;
                        break;
                    }
                }
                if ($allow_all) {
                    $dimension->setContactDimensionPermission($pg_id, 'allow all');
                } else {
                    $dimension->setContactDimensionPermission($pg_id, 'check');
                }
            }
        }
    }
}
	/**
	 * Finish the installation - create owner company and administrator
	 *
	 * @param void
	 * @return null
	 */
	function complete_installation() {
		
		if(Contacts::getOwnerCompany() instanceof Contact) {
			die('Owner company already exists'); // Somebody is trying to access this method even if the user already exists
		} // if

		$form_data = array_var($_POST, 'form');
		tpl_assign('form_data', $form_data);

		if(array_var($form_data, 'submited') == 'submited') {
			try {
				$admin_password = trim(array_var($form_data, 'admin_password'));
				$admin_password_a = trim(array_var($form_data, 'admin_password_a'));

				if(trim($admin_password) == '') {
					throw new Error(lang('password value required'));
				} // if

				if($admin_password <> $admin_password_a) {
					throw new Error(lang('passwords dont match'));
				} // if

				DB::beginWork();

				Contacts::delete(); // clear users table

				// Create a company
				$company = new Contact();
				$company->setFirstName(array_var($form_data, 'company_name'));
				$company->setObjectName();
				$company->setIsCompany(true);
				$company->save();
				
				// Init default colors
				set_config_option('brand_colors_head_back', "000000");
				set_config_option('brand_colors_tabs_back', "14780e");
				set_config_option('brand_colors_head_font', "ffffff");
				set_config_option('brand_colors_tabs_font', "ffffff");

				// Create the administrator user
				$administrator = new Contact();
				$pergroup = PermissionGroups::findOne(array('conditions'=>"`name`='Super Administrator'"));
				$administrator->setUserType($pergroup->getId());
				$administrator->setCompanyId($company->getId());
				$administrator->setUsername(array_var($form_data, 'admin_username'));
				
				
				$administrator->setPassword($admin_password);
				$administrator->setFirstname(array_var($form_data, 'admin_username'));
				$administrator->setObjectName();
				$administrator->save();
				
				$user_password = new ContactPassword();
				$user_password->setContactId($administrator->getId());
				$user_password->password_temp = $admin_password;
				$user_password->setPasswordDate(DateTimeValueLib::now());
				$user_password->setPassword(cp_encrypt($admin_password, $user_password->getPasswordDate()->getTimestamp()));
				$user_password->save();
				
				//Add email after save because is needed. 
				$administrator->addEmail(array_var($form_data, 'admin_email'), 'personal', true);
				
				//permissions
				$permission_group = new PermissionGroup();
				$permission_group->setName('Account Owner');
				$permission_group->setContactId($administrator->getId());
				$permission_group->setIsContext(false);
				$permission_group->setType("permission_groups");
				$permission_group->save();
				
				$administrator->setPermissionGroupId($permission_group->getId());
				$administrator->save();
				
				$company->setCreatedById($administrator->getId());
				$company->setUpdatedById($administrator->getId());
				$company->save();
				
				$contact_pg = new ContactPermissionGroup();
				$contact_pg->setContactId($administrator->getId());
				$contact_pg->setPermissionGroupId($permission_group->getId());
				$contact_pg->save();
				
				// tab panel permissions
				$panels = TabPanels::getEnabled();
				foreach ($panels as $panel) {
					$tpp = new TabPanelPermission();
					$tpp->setPermissionGroupId($administrator->getPermissionGroupId());
					$tpp->setTabPanelId($panel->getId());
					$tpp->save();
				}
				
				// dimension permissions
				$dimensions = Dimensions::findAll();
				foreach ($dimensions as $dimension) {
					if ($dimension->getDefinesPermissions()) {
						$cdp = ContactDimensionPermissions::findOne(array("conditions" => "`permission_group_id` = ".$administrator->getPermissionGroupId()." AND `dimension_id` = ".$dimension->getId()));
						if (!$cdp instanceof ContactDimensionPermission) {
							$cdp = new ContactDimensionPermission();
							$cdp->setPermissionGroupId($administrator->getPermissionGroupId());
							$cdp->setContactDimensionId($dimension->getId());
						}
						$cdp->setPermissionType('allow all');
						$cdp->save();
						
						// contact member permisssion entries
						$members = $dimension->getAllMembers();
						foreach ($members as $member) {
							$ots = DimensionObjectTypeContents::getContentObjectTypeIds($dimension->getId(), $member->getObjectTypeId());
							$ots[]=$member->getObjectId();
							foreach ($ots as $ot) {
								$cmp = ContactMemberPermissions::findOne();
								if (!$cmp instanceof ContactMemberPermission) {
									$cmp = new ContactMemberPermission(array("conditions" => "`permission_group_id` = ".$administrator->getPermissionGroupId()." AND `member_id` = ".$member->getId()." AND `object_type_id` = $ot"));
									$cmp->setPermissionGroupId($administrator->getPermissionGroupId());
									$cmp->setMemberId($member->getId());
									$cmp->setObjectTypeId($ot);
								}
								$cmp->setCanWrite(1);
								$cmp->setCanDelete(1);
								$cmp->save();
							}
						}
					}
				}
				
				// system permissions
				$sp = new SystemPermission();
				$sp->setPermissionGroupId($administrator->getPermissionGroupId());
				$sp->setAllPermissions(true);
				$sp->save();
				
				Hook::fire('after_user_add', $administrator, $null);
				
				DB::commit();

				$this->redirectTo('access', 'login');
			} catch(Exception $e) {
				tpl_assign('error', $e);
				DB::rollback();
			} // try
		} // if
	} // complete_installation
Example #4
0
function save_permissions($pg_id, $is_guest = false, $permissions_data = null, $save_cmps = true, $update_sharing_table = true, $fire_hook = true, $update_contact_member_cache = true, $users_ids_to_check = array(), $only_member_permissions = false)
{
    if (is_null($permissions_data)) {
        // system permissions
        $sys_permissions_data = array_var($_POST, 'sys_perm');
        // module permissions
        $mod_permissions_data = array_var($_POST, 'mod_perm');
        // root permissions
        if ($rp_genid = array_var($_POST, 'root_perm_genid')) {
            $rp_permissions_data = array();
            foreach ($_POST as $name => $value) {
                if (str_starts_with($name, $rp_genid . 'rg_root_')) {
                    $rp_permissions_data[$name] = $value;
                }
            }
        }
        // member permissions
        $permissionsString = array_var($_POST, 'permissions');
    } else {
        // system permissions
        $sys_permissions_data = array_var($permissions_data, 'sys_perm');
        // module permissions
        $mod_permissions_data = array_var($permissions_data, 'mod_perm');
        // root permissions
        $rp_genid = array_var($permissions_data, 'root_perm_genid');
        $rp_permissions_data = array_var($permissions_data, 'root_perm');
        // member permissions
        $permissionsString = array_var($permissions_data, 'permissions');
    }
    try {
        DB::beginWork();
        $changed_members = array();
        // save module permissions
        if (!$only_member_permissions) {
            try {
                TabPanelPermissions::clearByPermissionGroup($pg_id, true);
                if (!is_null($mod_permissions_data) && is_array($mod_permissions_data)) {
                    foreach ($mod_permissions_data as $tab_id => $val) {
                        DB::execute("INSERT INTO " . TABLE_PREFIX . "tab_panel_permissions (permission_group_id,tab_panel_id) VALUES ('{$pg_id}','{$tab_id}') ON DUPLICATE KEY UPDATE permission_group_id=permission_group_id");
                    }
                }
            } catch (Exception $e) {
                Logger::log("Error saving module permissions for permission group {$pg_id}: " . $e->getMessage() . "\n" . $e->getTraceAsString());
                throw $e;
            }
        }
        $root_permissions_sharing_table_delete = array();
        $root_permissions_sharing_table_add = array();
        if (logged_user() instanceof Contact && can_manage_security(logged_user())) {
            try {
                if (!$only_member_permissions) {
                    // save system permissions
                    $system_permissions = SystemPermissions::findById($pg_id);
                    if (!$system_permissions instanceof SystemPermission) {
                        $system_permissions = new SystemPermission();
                        $system_permissions->setPermissionGroupId($pg_id);
                    }
                    $system_permissions->setAllPermissions(false);
                    $other_permissions = array();
                    Hook::fire('add_user_permissions', $pg_id, $other_permissions);
                    foreach ($other_permissions as $k => $v) {
                        $system_permissions->setColumnValue($k, false);
                    }
                    // check max permissions for role, in case of modifying user's permissions
                    $role_id = "-1";
                    $tmp_contact = Contacts::findOne(array('conditions' => 'permission_group_id = ' . $pg_id));
                    if ($tmp_contact instanceof Contact) {
                        $role_id = $tmp_contact->getUserType();
                    }
                    $max_role_system_permissions = MaxSystemPermissions::findOne(array('conditions' => 'permission_group_id = ' . $role_id));
                    if ($max_role_system_permissions instanceof MaxSystemPermission) {
                        foreach ($sys_permissions_data as $col => &$val) {
                            $max_val = $max_role_system_permissions->getColumnValue($col);
                            if (!$max_val) {
                                unset($sys_permissions_data[$col]);
                            }
                        }
                    }
                    // don't allow to write emails for collaborators and guests
                    if ($tmp_contact instanceof Contact) {
                        $user_type_name = $tmp_contact->getUserTypeName();
                        if (!in_array($user_type_name, array('Super Administrator', 'Administrator', 'Manager', 'Executive'))) {
                            $mail_ot = ObjectTypes::findByName('mail');
                            if ($mail_ot instanceof ObjectType) {
                                DB::executeAll("UPDATE " . TABLE_PREFIX . "contact_member_permissions SET can_write=0, can_delete=0 WHERE object_type_id=" . $mail_ot->getId() . " AND permission_group_id={$pg_id}");
                            }
                        }
                    }
                    $sys_permissions_data['can_task_assignee'] = !$is_guest;
                    $system_permissions->setFromAttributes($sys_permissions_data);
                    $system_permissions->setUseOnDuplicateKeyWhenInsert(true);
                    $system_permissions->save();
                    //object type root permissions
                    $can_have_root_permissions = config_option('let_users_create_objects_in_root') && in_array($user_type_name, array('Super Administrator', 'Administrator', 'Manager', 'Executive'));
                    if ($rp_genid && $can_have_root_permissions) {
                        ContactMemberPermissions::delete("permission_group_id = {$pg_id} AND member_id = 0");
                        foreach ($rp_permissions_data as $name => $value) {
                            if (str_starts_with($name, $rp_genid . 'rg_root_')) {
                                $rp_ot = substr($name, strrpos($name, '_') + 1);
                                if (is_numeric($rp_ot) && $rp_ot > 0 && $value == 0) {
                                    $root_permissions_sharing_table_delete[] = $rp_ot;
                                }
                                if (!is_numeric($rp_ot) || $rp_ot <= 0 || $value < 1) {
                                    continue;
                                }
                                $root_permissions_sharing_table_add[] = $rp_ot;
                                // save with member_id = 0
                                $root_perm_cmp = new ContactMemberPermission();
                                $root_perm_cmp->setPermissionGroupId($pg_id);
                                $root_perm_cmp->setMemberId('0');
                                $root_perm_cmp->setObjectTypeId($rp_ot);
                                $root_perm_cmp->setCanWrite($value >= 2);
                                $root_perm_cmp->setCanDelete($value >= 3);
                                $root_perm_cmp->save();
                            }
                        }
                    }
                    if (!$can_have_root_permissions) {
                        ContactMemberPermissions::delete("permission_group_id = {$pg_id} AND member_id = 0");
                        $sh_controller = new SharingTableController();
                        $all_object_type_ids = ObjectTypes::findAll(array('id' => true));
                        $sh_controller->adjust_root_permissions($pg_id, array('root_permissions_sharing_table_delete' => $all_object_type_ids));
                    }
                }
            } catch (Exception $e) {
                Logger::log("Error saving system and root permissions for permission group {$pg_id}: " . $e->getMessage() . "\n" . $e->getTraceAsString());
                throw $e;
            }
        }
        // set all permissions to read_only if user is guest
        if ($is_guest) {
            try {
                $all_saved_permissions = ContactMemberPermissions::findAll(array("conditions" => "`permission_group_id` = {$pg_id}"));
                foreach ($all_saved_permissions as $sp) {
                    /* @var $sp ContactMemberPermission */
                    if ($sp->getCanDelete() || $sp->getCanWrite()) {
                        $sp->setCanDelete(false);
                        $sp->setCanWrite(false);
                        $sp->save();
                    }
                }
                $cdps = ContactDimensionPermissions::findAll(array("conditions" => "`permission_type` = 'allow all'"));
                foreach ($cdps as $cdp) {
                    $cdp->setPermissionType('check');
                    $cdp->save();
                }
            } catch (Exception $e) {
                Logger::log("Error setting guest user permissions to read_only for permission group {$pg_id}: " . $e->getMessage() . "\n" . $e->getTraceAsString());
                throw $e;
            }
        }
        // check the status of the changed dimensions to set 'allow_all', 'deny_all' or 'check'
        try {
            $dimensions = Dimensions::findAll(array("conditions" => array("`id` IN (SELECT DISTINCT `dimension_id` FROM " . Members::instance()->getTableName(true) . " WHERE `id` IN (?))", $changed_members)));
            foreach ($dimensions as $dimension) {
                $dimension->setContactDimensionPermission($pg_id, 'check');
            }
        } catch (Exception $e) {
            Logger::log("Error setting dimension permissions for permission group {$pg_id}: " . $e->getMessage() . "\n" . $e->getTraceAsString());
            throw $e;
        }
        //member permissions
        if ($permissionsString && $permissionsString != '') {
            $permissions = json_decode($permissionsString);
        }
        if (isset($permissions) && !is_null($permissions) && is_array($permissions)) {
            try {
                $tmp_contact = Contacts::findOne(array('conditions' => 'permission_group_id = ' . $pg_id));
                if ($tmp_contact instanceof Contact) {
                    $user_type_name = $tmp_contact->getUserTypeName();
                    $role_id = $tmp_contact->getUserType();
                    $max_role_ot_perms = MaxRoleObjectTypePermissions::instance()->findAll(array('conditions' => "role_id = '{$role_id}'"));
                }
                $mail_ot = ObjectTypes::findByName('mail');
                $sql_insert_values = "";
                $member_object_types_to_delete = array();
                $allowed_members_ids = array();
                foreach ($permissions as &$perm) {
                    if (!isset($all_perm_deleted[$perm->m])) {
                        $all_perm_deleted[$perm->m] = true;
                    }
                    $allowed_members_ids[$perm->m] = array();
                    $allowed_members_ids[$perm->m]['pg'] = $pg_id;
                    if ($perm->r) {
                        if (isset($allowed_members_ids[$perm->m]['w'])) {
                            if ($allowed_members_ids[$perm->m]['w'] != 1) {
                                $allowed_members_ids[$perm->m]['w'] = $is_guest ? false : $perm->w;
                            }
                        } else {
                            $allowed_members_ids[$perm->m]['w'] = $is_guest ? false : $perm->w;
                        }
                        if (isset($allowed_members_ids[$perm->m]['d'])) {
                            if ($allowed_members_ids[$perm->m]['d'] != 1) {
                                $allowed_members_ids[$perm->m]['d'] = $is_guest ? false : $perm->d;
                            }
                        } else {
                            $allowed_members_ids[$perm->m]['d'] = $is_guest ? false : $perm->d;
                        }
                        // check max permissions for user type
                        if ($tmp_contact instanceof Contact) {
                            $max_perm = null;
                            foreach ($max_role_ot_perms as $max_role_ot_perm) {
                                if ($max_role_ot_perm->getObjectTypeId() == $perm->o) {
                                    $max_perm = $max_role_ot_perm;
                                }
                            }
                            if ($max_perm) {
                                if (!$max_perm->getCanDelete()) {
                                    $perm->d = 0;
                                }
                                if (!$max_perm->getCanWrite()) {
                                    $perm->w = 0;
                                }
                            } else {
                                $perm->d = 0;
                                $perm->w = 0;
                                $perm->r = 0;
                            }
                        }
                        if ($save_cmps) {
                            // don't allow to write emails for collaborators and guests
                            if ($tmp_contact instanceof Contact && !in_array($user_type_name, array('Super Administrator', 'Administrator', 'Manager', 'Executive'))) {
                                if ($mail_ot instanceof ObjectType && $perm->o == $mail_ot->getId()) {
                                    $perm->d = 0;
                                    $perm->w = 0;
                                }
                            }
                            $sql_insert_values .= ($sql_insert_values == "" ? "" : ",") . "('" . $pg_id . "','" . $perm->m . "','" . $perm->o . "','" . $perm->d . "','" . $perm->w . "')";
                            if (!isset($member_object_types_to_delete[$perm->m])) {
                                $member_object_types_to_delete[$perm->m] = array();
                            }
                            $member_object_types_to_delete[$perm->m][] = $perm->o;
                        }
                        $all_perm_deleted[$perm->m] = false;
                    } else {
                        if (is_numeric($perm->m) && is_numeric($perm->o)) {
                            DB::execute("DELETE FROM " . TABLE_PREFIX . "contact_member_permissions WHERE member_id='" . $perm->m . "' AND object_type_id='" . $perm->o . "' AND permission_group_id={$pg_id}");
                        }
                    }
                    $changed_members[] = $perm->m;
                }
                if ($save_cmps) {
                    if (count($all_perm_deleted) > 0) {
                        $member_ids_to_delete = array();
                        foreach ($all_perm_deleted as $mid => $del) {
                            // also check in contact_member_permissions
                            $cmps = ContactMemberPermissions::findAll(array('conditions' => 'permission_group_id=' . $pg_id . " AND member_id={$mid}"));
                            if ($del && (!is_array($cmps) || count($cmps) == 0)) {
                                $member_ids_to_delete[] = $mid;
                            }
                        }
                        if (count($member_ids_to_delete) > 0) {
                            DB::execute("DELETE FROM " . TABLE_PREFIX . "contact_member_permissions WHERE member_id IN (" . implode(',', $member_ids_to_delete) . ") AND permission_group_id={$pg_id}");
                        }
                    }
                    foreach ($member_object_types_to_delete as $mid => $obj_type_ids) {
                        if (count($obj_type_ids) > 0) {
                            DB::execute("DELETE FROM " . TABLE_PREFIX . "contact_member_permissions WHERE member_id={$mid} AND object_type_id IN (" . implode(',', $obj_type_ids) . ") AND permission_group_id={$pg_id}");
                        }
                    }
                    if ($sql_insert_values != "") {
                        DB::execute("INSERT INTO " . TABLE_PREFIX . "contact_member_permissions (permission_group_id, member_id, object_type_id, can_delete, can_write) VALUES {$sql_insert_values} ON DUPLICATE KEY UPDATE member_id=member_id");
                    }
                }
            } catch (Exception $e) {
                Logger::log("Error saving member permissions for permission group {$pg_id}: " . $e->getMessage() . "\n" . $e->getTraceAsString());
                throw $e;
            }
        }
        DB::commit();
    } catch (Exception $e) {
        Logger::log("Error saving permissions for permission group {$pg_id}: " . $e->getMessage() . "\n" . $e->getTraceAsString());
        DB::rollback();
    }
    try {
        if (isset($permissions) && !is_null($permissions) && is_array($permissions)) {
            if ($update_sharing_table) {
                try {
                    $sharingTablecontroller = new SharingTableController();
                    $rp_info = array('root_permissions_sharing_table_delete' => $root_permissions_sharing_table_delete, 'root_permissions_sharing_table_add' => $root_permissions_sharing_table_add);
                    $sharingTablecontroller->afterPermissionChanged($pg_id, $permissions, $rp_info);
                } catch (Exception $e) {
                    Logger::log("Error saving permissions to sharing table for permission group {$pg_id}: " . $e->getMessage() . "\n" . $e->getTraceAsString());
                    throw $e;
                }
            }
            if ($update_contact_member_cache) {
                try {
                    $contactMemberCacheController = new ContactMemberCacheController();
                    $group = PermissionGroups::findById($pg_id);
                    $real_group = null;
                    if ($group->getType() == 'user_groups') {
                        $real_group = $group;
                    }
                    $users = $group->getUsers();
                    $users_ids_checked = array();
                    foreach ($users as $us) {
                        $users_ids_checked[] = $us->getId();
                        $contactMemberCacheController->afterUserPermissionChanged($us, $permissions, $real_group);
                    }
                    //check all users related to the group
                    foreach ($users_ids_to_check as $us_id) {
                        if (!in_array($us_id, $users_ids_checked)) {
                            $users_ids_checked[] = $us_id;
                            $us = Contacts::findById($us_id);
                            if ($us instanceof Contact) {
                                $contactMemberCacheController->afterUserPermissionChanged($us, $permissions, $real_group);
                            }
                        }
                    }
                } catch (Exception $e) {
                    Logger::log("Error saving permissions to contact member cache for permission group {$pg_id}: " . $e->getMessage() . "\n" . $e->getTraceAsString());
                    throw $e;
                }
            }
        }
    } catch (Exception $e) {
        Logger::log("Error saving module permissions for permission group {$pg_id}: " . $e->getMessage() . "\n" . $e->getTraceAsString());
    }
    if ($fire_hook) {
        Hook::fire('after_save_contact_permissions', $pg_id, $pg_id);
    }
    // remove contact object from members where permissions were deleted
    $user = Contacts::findOne(array('conditions' => 'permission_group_id=' . $pg_id));
    if ($user instanceof Contact) {
        $to_remove = array();
        if (isset($all_perm_deleted) && is_array($all_perm_deleted)) {
            foreach ($all_perm_deleted as $m_id => $must_remove) {
                if ($must_remove) {
                    $to_remove[] = $m_id;
                }
            }
            ObjectMembers::removeObjectFromMembers($user, logged_user(), null, $to_remove);
        }
    }
}