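/**
 * Handles a POST request to revoke a role: either the caller's own role or,
 * for a caller holding an authorising role, another user's role.
 *
 * Reads the role id from $_POST['id'], delegates the permission check and the
 * revocation to the RoleService, then renders the matching confirmation view
 * and exits.
 *
 * @throws Exception      if the caller is not a registered user
 * @throws LogicException if $_POST['id'] is missing, not numeric, or matches no role
 * @return void           terminates the script after rendering the view
 */
function view_revoke_request()
{
    require_once __DIR__ . '/../../../../lib/Gocdb_Services/Factory.php';
    require_once __DIR__ . '/../../components/Get_User_Principle.php';
    require_once __DIR__ . '/../utils.php';

    $dn = Get_User_Principle();
    $user = \Factory::getUserService()->getUserByPrinciple($dn);
    if ($user === null) {
        throw new Exception("Unregistered users can't revoke roles");
    }

    // Check the portal is not in read only mode; throws if it is and the user is not an admin
    checkPortalIsNotReadOnlyOrUserIsAdmin($user);

    // Read the id defensively: indexing $_POST before the isset() check raised
    // an undefined-index notice whenever the parameter was absent.
    $requestId = isset($_POST['id']) ? $_POST['id'] : null;
    if ($requestId === null || !is_numeric($requestId)) {
        throw new LogicException("Invalid role id");
    }

    // Either a self revocation or a revocation requested by a 2nd party.
    // revokeRole() performs the permission check and throws if not allowed.
    $roleService = \Factory::getRoleService();
    $role = $roleService->getRoleById($requestId);
    if ($role === null) {
        // Fail before dereferencing: an unknown id must not reach revokeRole() / getUser()
        throw new LogicException("Invalid role id");
    }
    $roleService->revokeRole($role, $user);

    // Loose comparison kept from the original: the role's user and the calling
    // user may be distinct entity instances — TODO confirm whether !== is safe here
    if ($role->getUser() != $user) {
        // Revoked by a 2nd party
        show_view('political_role/role_revoked.php');
    } else {
        // Self revocation
        show_view('political_role/role_self_revoked.php');
    }
    die;
}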
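/**
 * Renders the page of the NGI identified by $_GET['id'].
 *
 * Collects into $params the NGI, its GRANTED roles, its projects, its sites with
 * their scopes, and its role action records, plus the viewer's flags
 * (authenticated, admin, may edit, portal read-only) used to show/hide edit links.
 *
 * @throws Exception if $_GET['id'] is missing or not numeric, or no NGI has that id
 * @return void      terminates the script after rendering the view
 */
function view_ngi()
{
    require_once __DIR__ . '/../../../../lib/Gocdb_Services/Factory.php';
    require_once __DIR__ . '/../utils.php';
    require_once __DIR__ . '/../../../web_portal/components/Get_User_Principle.php';

    if (!isset($_GET['id']) || !is_numeric($_GET['id'])) {
        throw new Exception("An id must be specified");
    }
    $ngiId = $_GET['id'];

    // Resolve the user even when the portal is read only: admins still see edit links
    $dn = Get_User_Principle();
    $user = \Factory::getUserService()->getUserByPrinciple($dn);

    $params = array();
    $params['portalIsReadOnly'] = portalIsReadOnlyAndUserIsNotAdmin($user);
    $params['UserIsAdmin'] = ($user !== null) ? $user->isAdmin() : false;
    $params['authenticated'] = ($user !== null);

    $ngiServ = \Factory::getNgiService();
    $siteServ = \Factory::getSiteService();
    $ngi = $ngiServ->getNgi($ngiId);
    if ($ngi === null) {
        // Same guard as view_user(): an unknown id must not reach the method calls below
        throw new Exception("No NGI with that ID");
    }

    // Does the current viewer have edit permissions over the NGI?
    $params['ShowEdit'] = count($ngiServ->authorizeAction(\Action::EDIT_OBJECT, $ngi, $user)) >= 1;

    $params['ngi'] = $ngi;

    // Only GRANTED roles are listed (getRoles() may return a collection, so filter with foreach)
    $grantedRoles = array();
    foreach ($ngi->getRoles() as $role) {
        if ($role->getStatus() == \RoleStatus::GRANTED) {
            $grantedRoles[] = $role;
        }
    }
    $params['roles'] = $grantedRoles;

    $params['Projects'] = $ngi->getProjects();

    // Each site is paired with its scopes (including parent-scope information)
    $params['SitesAndScopes'] = array();
    foreach ($ngi->getSites() as $site) {
        $params['SitesAndScopes'][] = array(
            'Site' => $site,
            'Scopes' => $siteServ->getScopesWithParentScopeInfo($site),
        );
    }

    $params['RoleActionRecords'] = \Factory::getRoleService()->getRoleActionRecordsById_Type($ngi->getId(), 'ngi');

    show_view('ngi/view_ngi.php', $params, $ngi->getName());
    die;
}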
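/**
 * Renders the profile page of the user identified by $_GET['id'].
 *
 * The target user's GRANTED roles are decorated for display: when another user
 * is viewing, each role carries the names of the caller's roles that authorise
 * revoking it (no decoration means the caller may not revoke it); when a user
 * views their own page every role is marked as self-revocable.
 *
 * @throws Exception if $_GET['id'] is missing or not numeric, or no user has that id
 * @return void
 */
function view_user()
{
    require_once __DIR__ . '/../../../../lib/Gocdb_Services/Factory.php';
    require_once __DIR__ . '/../../components/Get_User_Principle.php';

    if (!isset($_GET['id']) || !is_numeric($_GET['id'])) {
        throw new Exception("An id must be specified");
    }
    $userId = $_GET['id'];
    $user = \Factory::getUserService()->getUser($userId);
    if ($user === null) {
        throw new Exception("No user with that ID");
    }

    $params = array();
    $params['user'] = $user;

    $roleService = \Factory::getRoleService();
    // Only the target user's GRANTED roles are shown
    $roles = $roleService->getUserRoles($user, \RoleStatus::GRANTED);
    $callingUser = \Factory::getUserService()->getUserByPrinciple(Get_User_Principle());

    // Loose comparison kept from the original: the two users may be distinct
    // entity instances — TODO confirm whether !== is safe here
    if ($user != $callingUser) {
        // Can the calling user revoke each of the target user's roles?
        foreach ($roles as $r) {
            $authorisingRoleNames = $roleService->authorizeAction(\Action::REVOKE_ROLE, $r->getOwnedEntity(), $callingUser);
            if (count($authorisingRoleNames) >= 1) {
                // implode() replaces the manual ", " concatenation and trailing-separator trimming
                $r->setDecoratorObject('[' . implode(', ', $authorisingRoleNames) . '] ');
            }
        }
    } else {
        // The current user is viewing their own roles, so they can revoke them
        foreach ($roles as $r) {
            $r->setDecoratorObject('[Self revoke own role]');
        }
    }

    // editUserAuthorization() signals "not allowed" by throwing; any exception
    // is deliberately mapped to "no edit link" rather than failing the page.
    try {
        \Factory::getUserService()->editUserAuthorization($user, $callingUser);
        $params['ShowEdit'] = true;
    } catch (Exception $e) {
        $params['ShowEdit'] = false;
    }

    /* @var $authToken \org\gocdb\security\authentication\IAuthentication */
    $authToken = Get_User_AuthToken();
    $params['authAttributes'] = $authToken->getDetails();
    $params['roles'] = $roles;
    $params['portalIsReadOnly'] = \Factory::getConfigService()->IsPortalReadOnly();

    show_view("user/view_user.php", $params, $user->getFullName());
}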
/**
 * Renders the GOCDB landing page: the pending role requests the current user
 * can approve, plus the map settings read from the config service.
 *
 * @return void
 */
function startPage()
{
    require_once __DIR__ . '/../../../lib/Gocdb_Services/Factory.php';
    require_once __DIR__ . '/../components/Get_User_Principle.php';

    $currentUser = \Factory::getUserService()->getUserByPrinciple(Get_User_Principle());
    $pendingRoles = \Factory::getRoleService()->getPendingRolesUserCanApprove($currentUser);

    $config = \Factory::getConfigService();
    $mapEnabled = $config->getShowMapOnStartPage();
    $mapApiKey = $config->getGoogleAPIKey();

    $viewParams = array(
        'roles' => $pendingRoles,
        'googleAPIKey' => $mapApiKey,
        'showMap' => $mapEnabled,
    );
    show_view('start_page.php', $viewParams, "GOCDB", null);
}
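/**
 * Processes a role request submission: creates a new Role linking the user,
 * the owned entity and the role type, optionally notifies by e-mail, then
 * renders the confirmation view.
 *
 * @param string $roleName name of the requested RoleType (presumably a string; verify against callers)
 * @param mixed  $entityId id of the OwnedEntity the role is requested over; must be numeric
 * @param \User  $user     current user, or null when the caller is not registered
 * @throws Exception if $entityId is not numeric, if the user is not registered,
 *                   or if the RoleService rejects the request
 * @return void
 */
function submitRoleRequest($roleName, $entityId, \User $user = null)
{
    // Validate the entityId is numeric before it reaches the service layer
    if (!is_numeric($entityId)) {
        throw new Exception('Invalid entityId');
    }
    // Fail with a clear message instead of handing a null user to addRole()
    if ($user === null) {
        throw new Exception("Unregistered users can't request roles");
    }

    // Get the owned entity instance
    $entity = \Factory::getOwnedEntityService()->getOwnedEntityById($entityId);

    // Create a new Role linking user, entity and roletype. addRole() performs
    // the role validation and throws accordingly; the created role is not needed here.
    \Factory::getRoleService()->addRole($roleName, $user, $entity);

    if (\Factory::getConfigService()->getSendEmails()) {
        \Factory::getNotificationService()->roleRequest($entity);
    }
    show_view('political_role/new_request.php');
}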
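/**
 * Renders the page of the service group identified by $_GET['id'].
 *
 * Collects into $params the service group, its recent downtimes, its GRANTED
 * roles and its role action records, plus the viewer's flags (authenticated,
 * may edit, portal read-only) used to show/hide edit links.
 *
 * @throws Exception if $_GET['id'] is missing or not numeric, or no service group has that id
 * @return void
 */
function showServiceGroup()
{
    require_once __DIR__ . '/../../../web_portal/components/Get_User_Principle.php';
    require_once __DIR__ . '/../utils.php';

    if (!isset($_GET['id']) || !is_numeric($_GET['id'])) {
        throw new Exception("An id must be specified");
    }
    $sGroupId = $_GET['id'];

    $sGroupService = \Factory::getServiceGroupService();
    $sGroup = $sGroupService->getServiceGroup($sGroupId);
    if ($sGroup === null) {
        // Same guard as view_user(): an unknown id must not reach the method calls below
        throw new Exception("No service group with that ID");
    }

    $params = array();
    $params['sGroup'] = $sGroup;

    // Downtimes that affect services under this service group;
    // 31 = the number of days worth of historical downtimes to show
    $downtimeHistoryDays = 31;
    $params['downtimes'] = $sGroupService->getDowntimes($sGroupId, $downtimeHistoryDays);

    // Resolve the user even when the portal is read only: admins still see edit links
    $dn = Get_User_Principle();
    $user = \Factory::getUserService()->getUserByPrinciple($dn);
    $params['portalIsReadOnly'] = portalIsReadOnlyAndUserIsNotAdmin($user);
    $params['authenticated'] = ($user !== null);

    // Only GRANTED roles are listed (getRoles() may return a collection, so filter with foreach)
    $grantedRoles = array();
    foreach ($sGroup->getRoles() as $role) {
        if ($role->getStatus() == \RoleStatus::GRANTED) {
            $grantedRoles[] = $role;
        }
    }
    $params['Roles'] = $grantedRoles;

    // Does the current viewer have edit permissions over the service group?
    $params['ShowEdit'] = count($sGroupService->authorizeAction(\Action::EDIT_OBJECT, $sGroup, $user)) >= 1;

    $params['RoleActionRecords'] = \Factory::getRoleService()->getRoleActionRecordsById_Type($sGroup->getId(), 'servicegroup');

    show_view("service_group/view_sgroup.php", $params, $sGroup->getName());
}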
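/**
 * Renders the page of the project identified by $_GET['id'].
 *
 * Collects into $params the project's name, description, id, NGIs, sites,
 * GRANTED roles (excluding CIC_STAFF) and role action records, plus the
 * viewer's flags (authenticated, may edit, portal read-only).
 *
 * @throws Exception if $_GET['id'] is missing or not numeric, or no project has that id
 * @return void
 */
function show_project()
{
    require_once __DIR__ . '/../../../../lib/Gocdb_Services/Factory.php';
    require_once __DIR__ . '/../utils.php';
    require_once __DIR__ . '/../../../../htdocs/web_portal/components/Get_User_Principle.php';

    if (!isset($_GET['id']) || !is_numeric($_GET['id'])) {
        throw new Exception("An id must be specified");
    }
    $projId = $_GET['id'];

    $serv = \Factory::getProjectService();
    $project = $serv->getProject($projId);
    if ($project === null) {
        // Same guard as view_user(): an unknown id must not reach the method calls below
        throw new Exception("No project with that ID");
    }

    // Only GRANTED roles are listed, and CIC_STAFF roles are hidden from this page
    // (getRoles() may return a collection, so filter with foreach)
    $grantedRoles = array();
    foreach ($project->getRoles() as $role) {
        if ($role->getStatus() == \RoleStatus::GRANTED
            && $role->getRoleType()->getName() != \RoleTypeName::CIC_STAFF) {
            $grantedRoles[] = $role;
        }
    }

    // Resolve the user even when the portal is read only: admins still see edit links
    $dn = Get_User_Principle();
    $user = \Factory::getUserService()->getUserByPrinciple($dn);

    $params = array();
    // Does the current viewer have edit permissions over the project?
    $params['ShowEdit'] = count($serv->authorizeAction(\Action::EDIT_OBJECT, $project, $user)) >= 1;
    $params['authenticated'] = ($user !== null);

    $params['RoleActionRecords'] = \Factory::getRoleService()->getRoleActionRecordsById_Type($project->getId(), 'project');
    $params['Name'] = $project->getName();
    $params['Description'] = $project->getDescription();
    $params['ID'] = $project->getId();
    $params['NGIs'] = $project->getNgis();
    $params['Sites'] = $serv->getSites($project);
    $params['Roles'] = $grantedRoles;
    $params['portalIsReadOnly'] = portalIsReadOnlyAndUserIsNotAdmin($user);

    show_view('project/view_project.php', $params, $params['Name']);
}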
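/**
 * Handles a POST request to deny (reject) a pending role request.
 *
 * Reads the role request id from $_POST['id'], delegates the permission check
 * and the rejection to the RoleService, then renders the confirmation view
 * and exits.
 *
 * @throws Exception      if the caller is not a registered user
 * @throws LogicException if $_POST['id'] is missing, not numeric, or matches no role request
 * @return void           terminates the script after rendering the view
 */
function view_deny_request()
{
    require_once __DIR__ . '/../../../../lib/Gocdb_Services/Factory.php';
    require_once __DIR__ . '/../../components/Get_User_Principle.php';
    require_once __DIR__ . '/../utils.php';

    $dn = Get_User_Principle();
    $user = \Factory::getUserService()->getUserByPrinciple($dn);
    if ($user === null) {
        throw new Exception("Unregistered users can't view/deny role requests");
    }

    // Read the id defensively: indexing $_POST before the isset() check raised
    // an undefined-index notice whenever the parameter was absent.
    $requestId = isset($_POST['id']) ? $_POST['id'] : null;

    // Check the portal is not in read only mode; throws if it is and the user is not an admin
    checkPortalIsNotReadOnlyOrUserIsAdmin($user);

    if ($requestId === null || !is_numeric($requestId)) {
        throw new LogicException("Invalid role request id");
    }

    // Lookup the role request with this id; rejectRoleRequest() performs the
    // permission check and throws if not allowed
    $roleService = \Factory::getRoleService();
    $roleRequest = $roleService->getRoleById($requestId);
    if ($roleRequest === null) {
        // Fail before handing an unknown request to the service layer
        throw new LogicException("Invalid role request id");
    }
    $roleService->rejectRoleRequest($roleRequest, $user);

    show_view('political_role/request_denied.php');
    die;
}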
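/**
 * Renders the role-requests page for the current user.
 *
 * Builds the pull-down of OwnedEntities a role can be requested over, lists the
 * user's own PENDING requests, and lists the other users' pending requests the
 * current user may act on, each decorated with the caller's authorising role
 * names for the 'grant' and 'deny' actions.
 *
 * @throws Exception if the caller is not a registered user
 * @return void      terminates the script after rendering the view
 */
function view_requests()
{
    require_once __DIR__ . '/../../../../lib/Gocdb_Services/Factory.php';
    require_once __DIR__ . '/../../components/Get_User_Principle.php';
    require_once __DIR__ . '/../utils.php';

    $dn = Get_User_Principle();
    $user = \Factory::getUserService()->getUserByPrinciple($dn);
    if ($user === null) {
        throw new Exception("Unregistered users can't view/request roles");
    }

    // $entities is a list of arrays giving the id and name of the OwnedEntities a
    // user can request a role over (Projects, NGIs, Sites, ServiceGroups). An entry
    // without an 'Object_ID' key is used as a section title in the pull-down list.
    $entities = array();

    $entities[] = array('Name' => 'Projects');
    foreach (\Factory::getProjectService()->getProjects() as $proj) {
        $entities[] = array('Object_ID' => $proj->getId(), 'Name' => $proj->getName());
    }

    $entities[] = array('Name' => 'NGIs');
    foreach (\Factory::getNgiService()->getNGIs() as $ngi) {
        $entities[] = array('Object_ID' => $ngi->getId(), 'Name' => $ngi->getName());
    }

    $entities[] = array('Name' => 'Sites');
    foreach (\Factory::getSiteService()->getSitesBy() as $site) {
        // Sites are listed by short name
        $entities[] = array('Object_ID' => $site->getId(), 'Name' => $site->getShortName());
    }

    $entities[] = array('Name' => 'ServiceGroups');
    foreach (\Factory::getServiceGroupService()->getServiceGroups() as $sg) {
        $entities[] = array('Object_ID' => $sg->getId(), 'Name' => $sg->getName());
    }

    $roleService = \Factory::getRoleService();

    // The current user's own pending role requests
    $myPendingRoleRequests = $roleService->getUserRoles($user, \RoleStatus::PENDING);

    // Other users' pending requests the current user may act on. Each role's
    // decorator object is an array with 'grant' and 'deny' keys holding the
    // caller's authorising role names as "[a, b]", or '' when the caller may not
    // perform that action.
    $otherRolesUserCanApprove = $roleService->getPendingRolesUserCanApprove($user);
    foreach ($otherRolesUserCanApprove as $r) {
        $ownedEntity = $r->getOwnedEntity();
        $grantRejectRoleNamesArray = array('grant' => '', 'deny' => '');

        // Roles that allow the user to grant the role request
        $grantRoleAuthorisingRoleNames = $roleService->authorizeAction(\Action::GRANT_ROLE, $ownedEntity, $user);
        if (count($grantRoleAuthorisingRoleNames) >= 1) {
            // implode() replaces the manual ", " concatenation and trailing-separator trimming
            $grantRejectRoleNamesArray['grant'] = '[' . implode(', ', $grantRoleAuthorisingRoleNames) . ']';
        }

        // Roles that allow the user to reject the role request
        $denyRoleAuthorisingRoleNames = $roleService->authorizeAction(\Action::REJECT_ROLE, $ownedEntity, $user);
        if (count($denyRoleAuthorisingRoleNames) >= 1) {
            $grantRejectRoleNamesArray['deny'] = '[' . implode(', ', $denyRoleAuthorisingRoleNames) . ']';
        }

        $r->setDecoratorObject($grantRejectRoleNamesArray);
    }

    $params = array();
    $params['entities'] = $entities;
    $params['myRequests'] = $myPendingRoleRequests;
    $params['allRequests'] = $otherRolesUserCanApprove;
    $params['portalIsReadOnly'] = portalIsReadOnlyAndUserIsNotAdmin($user);

    show_view("political_role/view_requests.php", $params, "Role Requests");
    die;
}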
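/**
 * Draws the form to add a new downtime, or answers the ajax timezone lookup.
 *
 * URL mapping (query string), checked in this order:
 *  - siteid_timezone=<numeric id>: respond with JSON [timezoneId, offsetSecsFromUtc]
 *    for that site ('UTC', 0 when the site is unknown or has no timezone) and exit.
 *  - site=<numeric id>: offer the services of that site; caller needs EDIT_OBJECT on the site.
 *  - se=<numeric id>: offer the services of that service's parent site; caller needs
 *    EDIT_OBJECT on the service.
 *  - otherwise: offer every service the caller may edit (all services for admins).
 *
 * @param \User $user current user, or null when the caller is not registered
 * @throws Exception if the user is not registered, an id is invalid or unknown,
 *                   the user lacks permission, or there is no service to pick from
 * @return null      never returns normally: every branch renders a view (or JSON) and exits
 */
function draw(\User $user = null)
{
    if (is_null($user)) {
        throw new Exception("Unregistered users can't add a downtime.");
    }

    // 'now' rather than null: a null time string is deprecated since PHP 8.1
    $nowUtcDateTime = new \DateTime('now', new \DateTimeZone("UTC"));
    $nowUtc = $nowUtcDateTime->format('H:i T');

    // Return the specified site's timezone label and its current offset from UTC
    // (used by ajax requests for display purposes)
    if (isset($_GET['siteid_timezone']) && is_numeric($_GET['siteid_timezone'])) {
        $site = \Factory::getSiteService()->getSite($_GET['siteid_timezone']);
        if ($site !== null) {
            $siteTzId = $site->getTimeZoneId();
            if (!empty($siteTzId)) {
                $nowInTargetTz = new \DateTime('now', new \DateTimeZone($siteTzId));
                $offsetInSecsFromUtc = $nowInTargetTz->getOffset();
            } else {
                // No timezone recorded for the site: assume no offset from UTC
                $siteTzId = 'UTC';
                $offsetInSecsFromUtc = 0;
            }
            die(json_encode(array($siteTzId, $offsetInSecsFromUtc)));
        }
        die(json_encode(array('UTC', 0)));
    }

    if (isset($_GET['site'])) {
        // Validate the id like the other handlers do, and fail clearly on an
        // unknown site instead of passing null into authorizeAction()
        if (!is_numeric($_GET['site'])) {
            throw new Exception("An id must be specified");
        }
        $siteService = \Factory::getSiteService();
        $site = $siteService->getSite($_GET['site']);
        if ($site === null) {
            throw new Exception("No site with that ID");
        }
        if (count($siteService->authorizeAction(\Action::EDIT_OBJECT, $site, $user)) == 0) {
            throw new \Exception("You don't have permission over {$site}");
        }
        $params = array('ses' => $site->getServices(), 'nowUtc' => $nowUtc, 'selectAll' => true);
        show_view("downtime/add_downtime.php", $params);
        die;
    }

    if (isset($_GET['se'])) {
        if (!is_numeric($_GET['se'])) {
            throw new Exception("An id must be specified");
        }
        $serviceService = \Factory::getServiceService();
        $se = $serviceService->getService($_GET['se']);
        if ($se === null) {
            throw new Exception("No service with that ID");
        }
        // The whole parent site is offered (with the selected service pre-selected), not only $se
        $site = \Factory::getSiteService()->getSite($se->getParentSite()->getId());
        if (count($serviceService->authorizeAction(\Action::EDIT_OBJECT, $se, $user)) == 0) {
            throw new \Exception("You do not have permission over {$se}.");
        }
        $params = array('ses' => $site->getServices(), 'nowUtc' => $nowUtc, 'selectAll' => true);
        show_view("downtime/add_downtime.php", $params);
        die;
    }

    // No site or service selected: offer every service the user may edit
    $ses = array();
    if ($user->isAdmin()) {
        // Admins get all services
        $ses = \Factory::getServiceService()->getAllSesJoinParentSites();
    } else {
        // All services where the user has a GRANTED role over one of its parent
        // OwnedObjects (includes Site and NGI but not currently Project) ...
        $sesAll = \Factory::getRoleService()->getReachableServicesFromOwnedObjectRoles($user);
        // ... reduced to those the user has edit permission over
        foreach ($sesAll as $se) {
            if (count(\Factory::getServiceService()->authorizeAction(\Action::EDIT_OBJECT, $se, $user)) > 0) {
                $ses[] = $se;
            }
        }
    }
    if (empty($ses)) {
        throw new Exception("You don't hold a role over a NGI " . "or site with child services.");
    }
    $params = array('ses' => $ses, 'nowUtc' => $nowUtc);
    show_view("downtime/add_downtime.php", $params);
    die;
}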
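/**
 * Authorization: does the current user hold a role that would allow them to add
 * a new service to the service group (virtual site) $vSiteId, e.g. a role over
 * the virtual site itself?
 *
 * Renders the error view and exits when the check fails; returns normally otherwise.
 *
 * @param mixed $vSiteId id of the virtual site (service group) — presumably numeric, verify against callers
 * @return null
 */
function authorize($vSiteId)
{
    // Fully qualified like every other Factory call in this code, so the class
    // lookup does not depend on whether the including file declares a namespace
    if (!\Factory::getRoleService()->userHasRoleOverVsite($vSiteId)) {
        show_view("error.php", "You do not have permission to add a service to this service group.");
        die;
    }
}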