public function before()
{
    // Request pre-hook shared by every controller: pins the cache backend,
    // gates the request on authentication and on the Access rule named
    // "<controller>_<action>", and prepares the page template for
    // non-AJAX requests. Behaviour is identical to the previous version;
    // only the layout and the comments changed.
    Cache::$default = 'memcache';

    $controllerName = $this->request->controller();
    $actionName = $this->request->action();
    $isLoggedIn = Auth::instance()->logged_in();

    if (!$isLoggedIn) {
        // Anonymous visitors may only stay on the root URL or the
        // login/logout actions; anything else is bounced to '/'.
        // The raw REQUEST_URI is compared, so '/?foo' does not count as root.
        // NOTE(review): the code below assumes redirect() ends the request
        // and never returns — confirm against the base controller.
        $isAuthAction = in_array($actionName, ['login', 'logout']);
        if (!$isAuthAction && $_SERVER['REQUEST_URI'] != '/') {
            $this->redirect('/');
        }
        $this->template = 'not_auth';
    } else {
        // The bare front page of a signed-in user is the client list.
        if ($controllerName == 'Index' && $actionName == 'index') {
            $this->redirect('/clients');
        }
        // Render the navigation menu once and expose it to every view.
        $menuConfig = Kohana::$config->load('menu');
        $menuView = View::factory('includes/menu')->bind('menu', $menuConfig);
        View::set_global('menu', $menuView);
    }

    parent::before();

    // Authorisation rule key: lower-cased "controller_action".
    // The loose comparison against false is kept on purpose: Access::allow's
    // return type is not visible from here.
    $allow = Access::allow(strtolower($controllerName . '_' . $actionName));

    if ($this->request->is_ajax()) {
        // AJAX callers get an inline alert and execution stops; no HTTP
        // status code is set on this path.
        if ($allow == false) {
            echo '<script>alert("У вас недостаточно прав доступа");</script>';
            die;
        }
        return;
    }

    // Regular page request: a denied rule is a hard 403.
    if ($allow == false) {
        throw new HTTP_Exception_403();
    }
    // Page template by convention ("pages/<controller>/<action>");
    // the Index controller has no per-action page template.
    if (!in_array($controllerName, ['Index'])) {
        $this->tpl = View::factory('pages/' . strtolower($controllerName) . '/' . $actionName);
    }
    $this->_checkCustomDesign();
    $this->_appendFilesBefore();
}
<div class="tabs_vertical_block tabs_switcher"> <div class="tabs_v"> <div class="tab_v active" tab="1"><div> <a href="#"><span class="icon-dailes f20"></span> Повседневные</a> </div></div> <?if(Access::allow('view_balance_sheet')){?> <div class="tab_v" tab="4"><div> <a href="#"><span class="icon-dailes f20"></span> Оборотно-сальдовая ведомость</a> </div></div> <?}?> <?/*div class="tab_v" tab="2"><div> <a href="#"><span class="icon-summary f20"></span> Итоговые</a> </div></div> <div class="tab_v" tab="3"><div> <a href="#"><span class="icon-analytics f20"></span> Аналитические</a> </div></div*/?> </div> <div class="tabs_v_content"> <div class="tab_v_content active" tab_content="1"> <table form_report="daily"> <tr> <td class="gray right" width="160">Период:</td> <td> <input type="text" name="fr_date_start" class="input_big datepicker" readonly value="<?php echo date('01.m.Y'); ?> "> - <input type="text" name="fr_date_end" class="input_big datepicker" readonly value="<?php echo date('d.m.Y'); ?> ">
?> </td> </tr> <?}?> </table> <?}else{?><div class="gray">Не указаны</div><?}?> <br> <div class="ajax_block_operations_history_<?php echo $card['CARD_ID']; ?> _out"> <b class="f18">История операций:</b> </div> <?if(Access::allow('clients_card_edit')){?> <?php echo $popupCardEdit; ?> <?}?> <script> $(function(){ paginationAjax('/clients/card_operations_history/<?php echo $card['CARD_ID']; ?> ', 'ajax_block_operations_history_<?php echo $card['CARD_ID']; ?> ', renderAjaxPaginationOperationsHistory); });
echo $contract['DATE_BEGIN']; ?> <?if($contract['DATE_END'] != '31.12.2099'){?>до <?php echo $contract['DATE_END']; ?> <?}?></option> <?}}?> </select> <?if(Access::allow('clients_contract_add')){?> <a href="#contract_add" class="btn fancy">+ Создать договор</a> <?php echo $popupContractAdd; ?> <?}?> <?if(Access::allow('client_cabinet_create')){?> <?php echo $popupCabinetCreate; ?> <?}?> <div class="ajax_contract_block"></div> <script> var clientId = <?php echo $client['CLIENT_ID']; ?> ; </script>
$(function(){ renderElements(); $("select[name=scheme]").on('change', function(){ var t = $(this); if(t.val() == 1){ //безлимит $("[name=AUTOBLOCK_LIMIT]").val(0).prop('disabled', true); }else if(t.val() == 2){ //предоплата $("[name=AUTOBLOCK_LIMIT]").val(0).prop('disabled', true); }else{ //порог отключения $("[name=AUTOBLOCK_LIMIT]").prop('disabled', false); } }); <?if(Access::allow('clients_contract_edit')){?> $(".btn_contract_save").on('click', function(){ var params = { contract:{ CONTRACT_NAME: $("[name=CONTRACT_NAME]").val(), DATE_BEGIN: $("[name=DATE_BEGIN]").val(), DATE_END: $("[name=DATE_END]").val(), STATE_ID: $("[name=STATE_ID]").val() }, settings:{ TARIF_ONLINE: $("[name=TARIF_ONLINE]").val(), TARIF_OFFLINE: $("[name=TARIF_OFFLINE]").val(), AUTOBLOCK_LIMIT: $("[name=AUTOBLOCK_LIMIT]").val(), PENALTIES: $("[name=PENALTIES]").val(), OVERDRAFT: $("[name=OVERDRAFT]").val(), INVOICE_PERIOD_TYPE: $("[name=INVOICE_PERIOD_TYPE]").val(),
<h1> Новости <?if(Access::allow('news_news_edit')){?> <a href="#news_edit" class="btn fancy">Добавить новость</a> <?}?> </h1> <div class="block list"> <div class="ajax_block_news_out"> </div> </div> <?if(Access::allow('news_news_edit')){?> <?php echo $popupNewsAdd; ?> <?}?> <script> $(function(){ paginationAjax('/news/', 'ajax_block_news', renderAjaxPaginationNews); }); function renderAjaxPaginationNews(data, block) { for(var i in data){ var tpl = $('<div class="news_elem"><div class="n_img" /><a class="n_title"></a><div class="n_date gray"></div><div class="n_body" /><div class="n_link"><a>Читать подробнее</a></div></div>'); tpl.find('.n_title').text(data[i]['TITLE']).attr('href', '/news/' + data[i].NEWS_ID); tpl.find('.n_date').text(data[i]['DATE_CREATE_WEB']);
</div> <div tab_content="clients" class="tab_content" manager_id="<?php echo $managerId; ?> "> <div class="clients_btn"> <a href="#manager_add_clients" class="fancy btn">Добавить клиентов</a> </div> <div class="client_list"></div> </div> </div> </div> <script> <?if(Access::allow('manager_toggle')) {?> function managerStateToggle(managerId, t) { var comment = ''; if(t.hasClass('btn_red')){ comment = prompt('Причина блокировки:'); } if(comment != null) { var params = { manager_id: managerId, comment: comment }; $.post('/managers/manager_toggle', {params:params}, function (data) {
function run($f3)
{
    // Self-test for the Access plugin: exercises default policies, path and
    // verb rules, wildcards, route tokens, named routes, multi-subject
    // checks, authorize() error codes and configuration-driven rules.
    // Results are stored under the 'results' hive key.
    $test = new \Test();

    // Resets the error state and installs a no-op error handler so that
    // authorize() failures are observable through ERROR.code instead of
    // aborting the test run.
    $noop = function ($f3) { };
    $resetError = function () use ($f3, $noop) {
        $f3->clear('ERROR');
        $f3->ONERROR = $noop;
    };

    // Default policy: allow
    $access = new \Access();
    $access->policy('allow');
    $access->deny('/back', '*');
    $access->allow('/back', 'admin,prod');
    $access->deny('/back/users', 'prod');
    $test->expect($access::ALLOW == $access->policy(), 'Default policy: ' . $access::ALLOW);
    $test->expect($access->granted('GET /blog', 'client'), 'Access granted by default');
    $test->expect(!$access->granted('GET /back', 'client'), 'Access to a specific path denied to all');
    $test->expect($access->granted('GET /back', 'prod'), 'Access to a path granted to a specific subject');
    $test->expect(!$access->granted('GET /back/users', 'prod'), 'Access to a subpath denied to a specific subject');

    // Default policy: deny
    $access = new \Access();
    $access->policy('deny');
    $access->allow('/admin', 'admin,prod');
    $access->deny('/admin/part2', '*');
    $access->allow('/admin/part2', 'admin');
    $test->expect($access::DENY == $access->policy(), 'Default policy: ' . $access::DENY);
    $test->expect(!$access->granted('GET /blog', 'client'), 'Access denied by default');
    $adminGrantedToSubjects = !$access->granted('GET /admin', 'client')
        && $access->granted('GET /admin', 'admin')
        && $access->granted('GET /admin', 'prod');
    $test->expect($adminGrantedToSubjects, 'Access to a specific path granted to specific subjects');
    $test->expect($access->granted('GET /admin/part2', 'admin'), 'Access to a subpath granted to a specific subject (subpath precedence)');
    $test->expect(!$access->granted('GET /admin/part2', 'prod'), 'Access to a subpath denied to others (subpath precedence)');

    // Wildcards
    $access = new \Access();
    $access->policy('allow');
    $access->deny('/admin*');
    $access->allow('/admin*', 'admin');
    $suffixOk = !$access->granted('/admin')
        && !$access->granted('/admin/foo/bar')
        && $access->granted('/admin', 'admin')
        && $access->granted('/admin/foo/bar', 'admin');
    $test->expect($suffixOk, 'Wildcard suffix');
    $access->deny('/*/edit');
    $access->allow('/*/edit', 'admin');
    $prefixOk = !$access->granted('/blog/entry/edit')
        && $access->granted('/blog/entry/edit', 'admin');
    $test->expect($prefixOk, 'Wildcard prefix');
    $access->allow('/admin');
    $access->allow('/admin/special/path');
    $precedenceOk = $access->granted('/admin')
        && !$access->granted('/admin/foo/bar')
        && $access->granted('/admin', 'admin')
        && $access->granted('/admin/foo/bar', 'admin')
        && $access->granted('/admin/special/path')
        && $access->granted('/admin/special/path', 'admin');
    $test->expect($precedenceOk, 'Wildcard precedence order');

    // Tokens
    $access = new \Access();
    $access->deny('/@lang/foo');
    $test->expect(!$access->granted('/en/foo') && $access->granted('/en/bar/foo'), 'Route tokens support');
    $access->deny('/foo/@/baz');
    $test->expect(!$access->granted('/foo/bar/baz') && $access->granted('/foo/bar/baz/bis'), 'Route tokens optional naming');

    // Named routes
    $f3->route('GET @blog_entry:/blog/@id/@slug', 'Blog->Entry');
    $access->deny('@blog_entry');
    $namedRouteOk = !$access->granted('/blog/1/hello')
        && $access->granted('/blog/1/hello/form')
        && $access->granted('/blog/1');
    $test->expect($namedRouteOk, 'Named routes support');

    // Verb-level control
    $access = new \Access();
    $access->policy('allow');
    $access->deny('POST|PUT|DELETE /blog/entry', '*');
    $access->allow('* /blog/entry', 'admin');
    $verbOk = $access->granted('GET /blog/entry', 'client')
        && !$access->granted('PUT /blog/entry', 'client')
        && $access->granted('PUT /blog/entry', 'admin');
    $test->expect($verbOk, 'Verb-level access control');

    // Multiple subjects
    $multiOk = $access->granted('GET /blog/entry', ['client', 'customer'])
        && !$access->granted('PUT /blog/entry', ['client', 'customer'])
        && $access->granted('PUT /blog/entry', ['client', 'admin']);
    $test->expect($multiOk, 'Check access for a set of subjects');

    // Authorize method
    $f3->HALT = false;
    $f3->VERB = 'GET';
    $f3->PATH = '/blog/entry';
    $resetError();
    $test->expect($access->authorize() && !$f3->get('ERROR.code'), 'Authorize an unidentified subject');
    $f3->VERB = 'POST';
    $resetError();
    $test->expect(!$access->authorize() && $f3->get('ERROR.code') == 401, 'Unauthorize an unidentified subject (401 error)');
    $resetError();
    $test->expect($access->authorize('admin') && !$f3->get('ERROR.code'), 'Authorize an identified subject');
    $resetError();
    $test->expect(!$access->authorize('client') && $f3->get('ERROR.code') == 403, 'Unauthorize an identified subject (403 error)');
    $resetError();
    $test->expect($access->authorize(['client', 'admin']) && !$f3->get('ERROR.code'), 'Authorize a set of identified subjects');
    $resetError();
    $test->expect(!$access->authorize(['client', 'customer']) && $f3->get('ERROR.code') == 403, 'Unauthorize a set of identified subjects');

    // Config variable: rules are picked up from the hive at construction time
    $f3->HALT = true;
    $f3->ONERROR = null;
    $f3->set('ACCESS.policy', 'deny');
    $f3->set('ACCESS.rules', [
        'ALLOW * /foo' => '*',
        'DENY DELETE /foo' => '*',
        'ALLOW DELETE /foo' => 'admin',
    ]);
    $access = new \Access();
    $test->expect(!$access->granted('/') && !$access->granted('/', 'admin'), 'ACCESS.default config variable');
    $rulesOk = $access->granted('GET /foo')
        && !$access->granted('DELETE /foo')
        && $access->granted('DELETE /foo', 'admin');
    $test->expect($rulesOk, 'ACCESS.rules config variable');

    $f3->set('results', $test->results());
}
?> <?}?> <?if(Access::allow('clients_bill_add')){?> <?php echo $popupContractBillAdd; ?> <?}?> <?if(Access::allow('clients_bill_print')){?> <?php echo $popupContractBillPrint; ?> <?}?> <script> $(function(){ <?if(Access::allow('clients_payment_del')){?> $(document).off('click', '.link_del_contract_payment').on('click', '.link_del_contract_payment', function(){ var t = $(this); var row = t.closest('[guid]'); if(!confirm('Удалить платеж ' + row.find('b.line_inner_150').text())){ return false; } var params = { contract_id: $('[name=contracts_list]').val(), guid: row.attr('guid') }; $.post('/clients/contract_payment_delete', {params:params}, function(data){ if(data.success){