/** * Checks access control list for currently loaded row for the specified user and returns an access value. Values are: * * __CA_ACL_NO_ACCESS__ (0) * __CA_ACL_READONLY_ACCESS__ (1) * __CA_ACL_EDIT_ACCESS__ (2) * __CA_ACL_EDIT_DELETE_ACCESS__ (3) * * @param ca_users $t_user A ca_users object * @param int $pn_id Optional row_id to check ACL for; if omitted currently loaded row_id is used * @return int An access value */ public function checkACLAccessForUser($t_user, $pn_id = null) { if (!$this->supportsACL()) { return __CA_ACL_EDIT_DELETE_ACCESS__; } if (!$pn_id) { $pn_id = (int) $this->getPrimaryKey(); if (!$pn_id) { return null; } } if ($t_user->canDoAction('is_administrator')) { return __CA_ACL_EDIT_DELETE_ACCESS__; } require_once __CA_MODELS_DIR__ . '/ca_acl.php'; return ca_acl::accessForRow($t_user, $this->tableNum(), $pn_id); }
/** * Determines if user has access to a set at a specified access level. * * @param int $pn_user_id user_id of user to check set access for * @param int $pn_access type of access required. Use __CA_SET_READ_ACCESS__ for read-only access or __CA_SET_EDIT_ACCESS__ for editing (full) access * @param int $pn_set_id The id of the set to check. If omitted then currently loaded set will be checked. * @param array $pa_options No options yet * @return bool True if user has access, false if not */ public function haveAccessToSet($pn_user_id, $pn_access, $pn_set_id = null, $pa_options = null) { if ($this->getAppConfig()->get('dont_enforce_access_control_for_ca_sets')) { return true; } if ($pn_set_id) { $vn_set_id = $pn_set_id; $t_set = new ca_sets($vn_set_id); $vn_set_user_id = $t_set->get('user_id'); } else { $t_set = $this; $vn_set_user_id = $t_set->get('user_id'); } if (!$vn_set_id && !($vn_set_id = $t_set->getPrimaryKey())) { return true; // new set } if ($t_set->get('deleted') != 0) { return false; } // set is deleted if (isset(ca_sets::$s_have_access_to_set_cache[$vn_set_id . '/' . $pn_user_id . '/' . $pn_access])) { return ca_sets::$s_have_access_to_set_cache[$vn_set_id . '/' . $pn_user_id . '/' . $pn_access]; } if ($vn_set_user_id == $pn_user_id) { // owners have all access return ca_sets::$s_have_access_to_set_cache[$vn_set_id . '/' . $pn_user_id . '/' . $pn_access] = true; } if ($t_set->get('access') > 0 && $pn_access == __CA_SET_READ_ACCESS__) { // public sets are readable by all return ca_sets::$s_have_access_to_set_cache[$vn_set_id . '/' . $pn_user_id . '/' . $pn_access] = true; } // // If user is admin or has set admin privs allow them access to the set // $t_user = new ca_users(); if ($t_user->load($pn_user_id) && ($t_user->canDoAction('is_administrator') || $t_user->canDoAction('can_administrate_sets'))) { return ca_sets::$s_have_access_to_set_cache[$vn_set_id . '/' . $pn_user_id . '/' . $pn_access] = true; } $o_db = $this->getDb(); $qr_res = $o_db->query($vs_sql = "\n\t\t\tSELECT sxg.set_id \n\t\t\tFROM ca_sets_x_user_groups sxg \n\t\t\tINNER JOIN ca_user_groups AS ug ON sxg.group_id = ug.group_id\n\t\t\tINNER JOIN ca_users_x_groups AS uxg ON uxg.group_id = ug.group_id\n\t\t\tWHERE \n\t\t\t\t(sxg.access >= ?) AND (uxg.user_id = ?) AND (sxg.set_id = ?)\n\t\t\t\tAND\n\t\t\t\t(\n\t\t\t\t\t(sxg.sdatetime <= " . time() . " AND sxg.edatetime >= " . time() . ")\n\t\t\t\t\tOR\n\t\t\t\t\t(sxg.sdatetime IS NULL and sxg.edatetime IS NULL)\n\t\t\t\t)\n\t\t", (int) $pn_access, (int) $pn_user_id, (int) $vn_set_id); if ($qr_res->numRows() > 0) { return ca_sets::$s_have_access_to_set_cache[$vn_set_id . '/' . $pn_user_id . '/' . $pn_access] = true; } $qr_res = $o_db->query("\n\t\t\tSELECT sxu.set_id \n\t\t\tFROM ca_sets_x_users sxu\n\t\t\tINNER JOIN ca_users AS u ON sxu.user_id = u.user_id\n\t\t\tWHERE \n\t\t\t\t(sxu.access >= ?) AND (u.user_id = ?) AND (sxu.set_id = ?)\n\t\t\t\tAND\n\t\t\t\t(\n\t\t\t\t\t(sxu.sdatetime <= " . time() . " AND sxu.edatetime >= " . time() . ")\n\t\t\t\t\tOR\n\t\t\t\t\tsxu.sdatetime IS NULL and sxu.edatetime IS NULL\n\t\t\t\t)\n\t\t", (int) $pn_access, (int) $pn_user_id, (int) $vn_set_id); if ($qr_res->numRows() > 0) { return ca_sets::$s_have_access_to_set_cache[$vn_set_id . '/' . $pn_user_id . '/' . $pn_access] = true; } return ca_sets::$s_have_access_to_set_cache[$vn_set_id . '/' . $pn_user_id . '/' . $pn_access] = false; }
public function userCanAccess($pn_user_id, $pa_module_path, $ps_controller, $ps_action, $pa_fake_parameters = array()) { if (!$this->opo_acr_config->get("enforce_access_restrictions")) { // admin doesn't want us to enforce any restrictions return true; } if (!$this->opo_request) { // there is no "real" request, i.e. we're running a CLI script or something // we need some context information from the request to determine if a user // can access something though -> always return false here! return false; } if ($this->opt_user->getPrimaryKey() != $pn_user_id) { $this->opt_user->load($pn_user_id); } if ($this->opt_user->canDoAction("is_administrator")) { // almighty admin! return true; } $va_groups_to_check = array(); // check module components if (!is_array($pa_module_path)) { $pa_module_path = explode("/", $pa_module_path); } if (is_array($pa_module_path)) { $va_modules_to_check = array(); foreach ($pa_module_path as $vs_module) { $va_modules_to_check[] = $vs_module; $vs_module_part_path = join("/", $va_modules_to_check); if (is_array($this->opa_acr[$vs_module_part_path])) { foreach ($this->opa_acr[$vs_module_part_path] as $va_group) { $va_groups_to_check[] = $va_group; } } } } // check controller $vs_controller_path = join("/", is_array($pa_module_path) ? $pa_module_path : array()) . "/" . ucfirst($ps_controller) . 'Controller'; if (is_array($this->opa_acr[$vs_controller_path])) { foreach ($this->opa_acr[$vs_controller_path] as $va_group) { $va_groups_to_check[] = $va_group; } } // check action $vs_action_path = join("/", is_array($pa_module_path) ? $pa_module_path : array()) . "/" . ucfirst($ps_controller) . "Controller/" . $ps_action; if (is_array($this->opa_acr[$vs_action_path])) { foreach ($this->opa_acr[$vs_action_path] as $va_group) { $va_groups_to_check[] = $va_group; } } // check rules foreach ($va_groups_to_check as $va_group) { if (!is_array($va_group) || !is_array($va_group["actions"])) { continue; } // group without action restrictions $vb_group_passed = false; // check if parameter restrictions apply if (is_array($va_group["parameters"])) { if (!$this->_parameterRestrictionsApply($va_group["parameters"], $ps_controller, $ps_action, $pa_fake_parameters)) { continue; // auto-pass } } if (isset($va_group["operator"]) && $va_group["operator"] == "OR") { // OR foreach ($va_group["actions"] as $vs_action) { if ($this->opt_user->canDoAction($vs_action)) { $vb_group_passed = true; break; } } } else { // AND foreach ($va_group["actions"] as $vs_action) { if (!$this->opt_user->canDoAction($vs_action)) { return false; } } $vb_group_passed = true; // passed all AND-ed conditions } if (!$vb_group_passed) { // one has to pass ALL groups! return false; } } return true; // all groups passed }
/** * */ public function haveAccessToMessage($pn_user_id, $pn_communication_id = null) { $t_user = new ca_users($pn_user_id); if ($t_user->canDoAction('can_manage_clients')) { return true; } if ($pn_communication_id) { $t_comm = new ca_commerce_communications($pn_communication_id); if (!$t_comm->getPrimaryKey()) { return false; } } else { $t_comm = $this; } $t_trans = new ca_commerce_transactions($t_comm->get('transaction_id')); if ($t_trans->getPrimaryKey()) { if ($t_trans->get('user_id') == $pn_user_id) { return true; } } return false; }
/** * Duplicate all items in this set * @param int $pn_user_id * @param array $pa_options * @return ca_sets|bool */ public function duplicateItemsInSet($pn_user_id, $pa_options = array()) { if (!$this->getPrimaryKey()) { return false; } if ($this->getItemCount() < 1) { return false; } $t_user = new ca_users($pn_user_id); if (!$t_user->getPrimaryKey()) { return false; } // we need a user for duplication global $g_ui_locale_id; if (caGetOption('addToCurrentSet', $pa_options, false)) { $t_set_to_add_dupes_to = $this; } else { // create new set for dupes $t_set_to_add_dupes_to = new ca_sets(); $t_set_to_add_dupes_to->set('type_id', $this->get('type_id')); $t_set_to_add_dupes_to->set('table_num', $this->get('table_num')); $t_set_to_add_dupes_to->set('user_id', $this->get('user_id')); $t_set_to_add_dupes_to->set('set_code', $this->get('set_code') . '-' . _t('dupes')); $t_set_to_add_dupes_to->setMode(ACCESS_WRITE); $t_set_to_add_dupes_to->insert(); if (!$t_set_to_add_dupes_to->getPrimaryKey()) { $this->errors = $t_set_to_add_dupes_to->errors; return false; } $t_set_to_add_dupes_to->addLabel(array('name' => $this->getLabelForDisplay() . ' ' . _t('[Duplicates]')), $g_ui_locale_id, null, true); } $va_items = array_keys($this->getItemRowIDs()); $va_dupes = array(); foreach ($va_items as $vn_row_id) { /** @var BundlableLabelableBaseModelWithAttributes $t_instance */ $t_instance = $this->getAppDatamodel()->getInstance($this->get('table_num')); if (!$t_user->canDoAction('can_duplicate_' . $t_instance->tableName())) { $this->postError(2580, _t('You do not have permission to duplicate these items'), 'ca_sets->duplicateItemsInSet()'); return false; } if (!$t_instance->load($vn_row_id)) { continue; } // let's dupe $t_dupe = $t_instance->duplicate(array('user_id' => $pn_user_id, 'duplicate_nonpreferred_labels' => $t_user->getPreference($t_instance->tableName() . '_duplicate_nonpreferred_labels'), 'duplicate_attributes' => $t_user->getPreference($t_instance->tableName() . '_duplicate_attributes'), 'duplicate_relationships' => $t_user->getPreference($t_instance->tableName() . '_duplicate_relationships'), 'duplicate_media' => $t_user->getPreference($t_instance->tableName() . '_duplicate_media'), 'duplicate_subitems' => $t_user->getPreference($t_instance->tableName() . '_duplicate_subitems'))); if ($t_dupe instanceof BaseModel) { $va_dupes[] = $t_dupe->getPrimaryKey(); } } $t_set_to_add_dupes_to->addItems($va_dupes); return $t_set_to_add_dupes_to; }