/** * Check if the user can perform the requested action. * * @param integer $project_id * @param string $action * @param boolean $fetchProjectRoles * * @return bool */ public function hasPermission($action, $projectId, $fetchProjectRoles = false) { // Admins are godlike if ($this->is_admin) { return true; } if (!isset($this->permissions[$projectId])) { $this->permissions[$projectId] = null; } // No need to fetch permissions if we already have if ($this->permissions[$projectId] === null) { // Get group permissions $group = Permission::getPermissions($projectId, $this->group_id); // Get role permissions $role = []; if (!$fetchProjectRoles && isset($this->project_role_id) && $this->project_role_id) { $role = Permission::getPermissions($projectId, $this->project_role_id, 'role'); } else { $roles = $this->fetchProjectRolesIds(); if (isset($roles[$projectId])) { $role = Permission::getPermissions($projectId, $roles[$projectId], 'role'); } } // Merge group and role permissions $this->permissions[$projectId] = array_merge(Permissions::getPermissions(), array_merge($group, $role)); } return isset($this->permissions[$projectId][$action]) ? $this->permissions[$projectId][$action] : null; }
/** * Always call this when defining `__construct()` in sub-classes. */ public function __construct() { $this->db = ConnectionManager::getConnection(); // Modal? if (Request::$headers->has('X-Modal')) { $this->isModal = Request::$headers->get('X-Modal') == true; } // Get current project. if (Request::$properties->has('pslug')) { $this->currentProject = Project::find('slug', Request::$properties->get('pslug')) ?: null; $GLOBALS['current_project'] = $this->currentProject; $this->before('*', function () { if (!$this->hasPermission('view', $this->currentProject)) { return $this->show404(); } }); } else { $GLOBALS['current_project'] = null; } // Get current user. if ($sessionHash = Request::$cookies->get('traq')) { if ($this->currentProject) { $user = User::select('u.*')->addSelect('pur.project_role_id')->leftJoin('u', UserRole::tableName(), 'pur', 'pur.project_id = :project_id AND pur.user_id = u.id'); $user->where('u.session_hash = :session_hash'); $user->setParameter('project_id', $this->currentProject['id']); $user->setParameter('session_hash', $sessionHash); $this->currentUser = $user->fetch() ?: null; } else { $this->currentUser = User::find('session_hash', $sessionHash) ?: null; } $GLOBALS['current_user'] = $this->currentUser; } else { $GLOBALS['current_user'] = null; } $GLOBALS['permissions'] = Permission::getPermissions($this->currentUser, $this->currentProject); // Add Traq as first breadcrumb. $this->addCrumb(setting('title'), $this->generateUrl('root')); // Check if the user has permission to view the current project if (isset($this->currentProject)) { $this->before('*', function () { if (!$this->hasPermission('view')) { return $this->show403(); } }); } // If the user has a `sha1` hashed password, require them to change it because // as of Traq 4.1, only mcrypt passwords will work. if ($this->currentUser['password_ver'] == 'sha1') { $this->before('*', function () { if (Request::$properties['controller'] != 'Traq\\Controllers\\UserCP' && Request::$properties['controller'] != 'Traq\\Controllers\\Sessions') { return $this->redirectTo('usercp_password'); } }); } }
/** * Insert permissions. */ public function insertPermissions() { $permissions = [['project_id' => 0, 'type' => 'usergroup', 'type_id' => 0, 'permissions' => json_decode('{"view":true,"project_settings":false,"delete_timeline_events":false,"view_tickets":true,"create_tickets":true,"update_tickets":true,"delete_tickets":false,"move_tickets":false,"comment_on_tickets":true,"edit_ticket_description":false,"vote_on_tickets":true,"add_attachments":true,"view_attachments":true,"delete_attachments":false,"perform_mass_actions":false,"ticket_properties_set_assigned_to":false,"ticket_properties_set_milestone":true,"ticket_properties_set_version":true,"ticket_properties_set_component":false,"ticket_properties_set_severity":false,"ticket_properties_set_priority":false,"ticket_properties_set_status":false,"ticket_properties_set_tasks":false,"ticket_properties_set_related_tickets":false,"ticket_properties_change_type":false,"ticket_properties_change_assigned_to":false,"ticket_properties_change_milestone":false,"ticket_properties_change_version":false,"ticket_properties_change_component":true,"ticket_properties_change_severity":false,"ticket_properties_change_priority":false,"ticket_properties_change_status":false,"ticket_properties_change_summary":false,"ticket_properties_change_tasks":false,"ticket_properties_change_related_tickets":false,"ticket_properties_complete_tasks":false,"edit_ticket_history":false,"delete_ticket_history":false,"create_wiki_page":false,"edit_wiki_page":false,"delete_wiki_page":false}', true)], ['project_id' => 0, 'type' => 'usergroup', 'type_id' => 3, 'permissions' => json_decode('{"create_tickets":false,"comment_on_tickets":false,"update_tickets":false,"vote_on_tickets":false,"add_attachments":false}', true)], ['project_id' => 0, 'type' => 'role', 'type_id' => 0, 'permissions' => json_decode('{"view":true,"project_settings":false,"delete_timeline_events":false,"view_tickets":true,"create_tickets":true,"update_tickets":true,"delete_tickets":false,"move_tickets":false,"comment_on_tickets":true,"edit_ticket_description":false,"vote_on_tickets":true,"add_attachments":true,"view_attachments":true,"delete_attachments":false,"perform_mass_actions":false,"ticket_properties_set_assigned_to":true,"ticket_properties_set_milestone":true,"ticket_properties_set_version":true,"ticket_properties_set_component":true,"ticket_properties_set_severity":true,"ticket_properties_set_priority":true,"ticket_properties_set_status":true,"ticket_properties_set_tasks":true,"ticket_properties_set_related_tickets":true,"ticket_properties_change_type":true,"ticket_properties_change_assigned_to":true,"ticket_properties_change_milestone":true,"ticket_properties_change_version":true,"ticket_properties_change_component":true,"ticket_properties_change_severity":true,"ticket_properties_change_priority":true,"ticket_properties_change_status":true,"ticket_properties_change_summary":true,"ticket_properties_change_tasks":true,"ticket_properties_change_related_tickets":true,"ticket_properties_complete_tasks":true,"edit_ticket_history":false,"delete_ticket_history":false,"create_wiki_page":false,"edit_wiki_page":false,"delete_wiki_page":false}', true)], ['project_id' => 0, 'type' => 'role', 'type_id' => 1, 'permissions' => json_decode('{"project_settings":true,"delete_timeline_events":true,"delete_tickets":true,"move_tickets":true,"edit_ticket_description":true,"delete_attachments":true,"edit_ticket_history":true,"delete_ticket_history":true,"perform_mass_actions":true,"create_wiki_page":true,"edit_wiki_page":true,"delete_wiki_page":true}', true)]]; foreach ($permissions as $permission) { $perm = new Permission($permission); $perm->save(); } }
/** * Fetches all the data for the permission listing page. */ private function permissions_for($type) { // Fetch groups, set permissions and actions arrays if ($type == 'usergroup') { $groups = Group::select()->where('is_admin', 1, '!=')->exec()->fetch_all(); $groups = array_merge(array(new Group(array('id' => 0, 'name' => l('defaults')))), $groups); } elseif ($type == 'role') { $groups = ProjectRole::select()->custom_sql("WHERE project_id = 0 OR project_id = {$this->project->id}")->exec()->fetch_all(); $groups = array_merge(array(new ProjectRole(array('id' => 0, 'name' => l('defaults'), 'project_id' => 0))), $groups); } $permissions = array(); // Loop over the groups foreach ($groups as $group) { // Set the group array in the permissions array if (!isset($permissions[$group->id])) { $permissions[$group->id] = array(); } // Loop over the permissions for the group foreach (Permission::get_permissions($this->project->id, $group->id, $type) as $action => $perm) { // Add the permission object to the permissions array $permissions[$group->id][$action] = $perm; } } // Send it all the to view. View::set('groups', $groups); View::set('permissions', $permissions); View::set('actions', permission_actions()); }
/** * Check users permission. * * @param string $action * @param Project $project * * @return boolean */ function hasPermission($action, Project $project = null) { // Admins can do everything, regardless of permissions. if (currentUser() && currentUser()->isAdmin()) { return true; } $permissions = $project ? Permission::getPermissions(currentUser(), $project) : $GLOBALS['permissions']; return isset($permissions[$action]) ? $permissions[$action] : null; }