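/**
 * Check whether a given user has the given permission on the given
 * object, by virtue of a direct or indirect assignment due to the
 * user, its groups, its roles, or the roles assigned to its groups,
 * and so forth.
 *
 * Every lookup failure is treated as "permission denied": the function
 * only returns true when a descriptor was resolved and one of its rules
 * matches the user.
 *
 * @param object        $oUser             User to test; isAnonymous() is called on it.
 * @param object|string $oPermission       Permission object, or a permission name that is
 *                                         resolved through KTPermission::getByName().
 * @param object        $oFolderOrDocument Folder, Document or DocumentProxy to test against.
 * @return bool True when the permission is granted, false otherwise.
 */
function userHasPermissionOnItem($oUser, $oPermission, $oFolderOrDocument) {
    if (is_string($oPermission)) {
        $oPermission = KTPermission::getByName($oPermission);
    }

    // Fail closed: anything that is not a usable object (PEAR error, null,
    // false, ...) is a denial rather than a fatal error further down.
    if (!is_object($oPermission) || PEAR::isError($oPermission)) {
        return false;
    }
    if (!is_object($oFolderOrDocument) || PEAR::isError($oFolderOrDocument)) {
        return false;
    }

    $iPermId = $oPermission->getID();
    $iDocId = $oFolderOrDocument->getID();

    $lookup = 'folders';
    if (is_a($oFolderOrDocument, 'Document') || is_a($oFolderOrDocument, 'DocumentProxy')) {
        $lookup = 'docs';
    }

    // $permArr[permId] = array('folders' => array('id' => bool), 'docs' => array('id' => bool));
    //
    // NOTE(review): the cache is keyed by permission, item kind and item id
    // only. The answer computed below depends on $oUser, so reading the
    // cache back (the disabled early return that used to sit here) would
    // serve one user's result to another. Keep the read disabled until the
    // key also carries the user id.

    $oPL = KTPermissionLookup::get($oFolderOrDocument->getPermissionLookupID());
    if (PEAR::isError($oPL)) {
        KTPermissionUtil::$permArr[$iPermId][$lookup][$iDocId] = false;
        return false;
    }

    $oPLA = KTPermissionLookupAssignment::getByPermissionAndLookup($oPermission, $oPL);
    if (PEAR::isError($oPLA)) {
        KTPermissionUtil::$permArr[$iPermId][$lookup][$iDocId] = false;
        return false;
    }

    $oPD = KTPermissionDescriptor::get($oPLA->getPermissionDescriptorID());
    if (!is_object($oPD) || PEAR::isError($oPD)) {
        // No descriptor means there are no rules to match: deny.
        KTPermissionUtil::$permArr[$iPermId][$lookup][$iDocId] = false;
        return false;
    }

    $aGroups = GroupUtil::listGroupsForUserExpand($oUser);

    // Rules are tried in this order and evaluation stops at the first match:
    //   role -3            : granted without looking at the user at all
    //   direct user entry
    //   any expanded group of the user
    //   role -4            : granted only to non-anonymous users
    $bGranted = $oPD->hasRoles(array(-3))
        || $oPD->hasUsers(array($oUser))
        || $oPD->hasGroups($aGroups)
        || ($oPD->hasRoles(array(-4)) && !$oUser->isAnonymous());

    // Record the final verdict once, instead of storing a provisional
    // "true" before the rules have been evaluated.
    KTPermissionUtil::$permArr[$iPermId][$lookup][$iDocId] = $bGranted;

    return $bGranted;
}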
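/**
 * Render the "resolved permissions per user" view for the current folder.
 *
 * For every permission that has an assignment in the folder's permission
 * lookup, each known user is tested and the result is collected in
 * $aMapPermissionUser[permissionId][userId]. Users holding at least one
 * permission are listed (id => name, sorted by name) for the template.
 *
 * @return mixed Output of the template's render() call.
 */
function do_resolved_users() {
    $this->oPage->setBreadcrumbDetails(_kt('Permissions'));
    $oTemplate = $this->oValidator->validateTemplate('ktcore/folder/resolved_permissions_user');

    $oPL = KTPermissionLookup::get($this->oFolder->getPermissionLookupID());
    $aPermissions = KTPermission::getList();

    $aMapPermissionGroup = array();
    $aMapPermissionRole = array();
    $aMapPermissionUser = array();
    $aActiveUsers = array();

    $aUsers = User::getList();

    foreach ($aPermissions as $oPermission) {
        $oPLA = KTPermissionLookupAssignment::getByPermissionAndLookup($oPermission, $oPL);
        if (PEAR::isError($oPLA)) {
            continue;
        }

        $oDescriptor =& KTPermissionDescriptor::get($oPLA->getPermissionDescriptorID());
        if (PEAR::isError($oDescriptor)) {
            // No usable descriptor: nothing can be shown as granted.
            continue;
        }

        $iPermissionID = $oPermission->getID();
        $aMapPermissionGroup[$iPermissionID] = array();

        $everyone = $oDescriptor->hasRoles(array(-3));
        $authenticated = $oDescriptor->hasRoles(array(-4));

        // TODO : paginate this page, when there are too many users
        foreach ($aUsers as $oUser) {
            // The two role shortcuts only skip the full check; they must
            // give the same answer as it would. Role -4 covers
            // non-anonymous users only, which is the rule
            // KTPermissionUtil::userHasPermissionOnItem() applies. The
            // previous test was missing the negation and therefore listed
            // the anonymous user as holding the permission.
            if ($everyone
                || ($authenticated && !$oUser->isAnonymous())
                || KTPermissionUtil::userHasPermissionOnItem($oUser, $oPermission, $this->oFolder)) {
                $aMapPermissionUser[$iPermissionID][$oUser->getId()] = true;
                $aActiveUsers[$oUser->getId()] = $oUser->getName();
            }
        }
    }

    // now we constitute the actual sets.
    $groups = array();
    $roles = array(); // should _always_ be empty, barring a bug in permissions::updatePermissionLookup

    $users = $aActiveUsers;
    asort($users); // ascending, per convention.

    // This view is read-only and never reports inheritance.
    $bEdit = false;
    $sInherited = '';

    $aTemplateData = array(
        'context' => $this,
        'permissions' => $aPermissions,
        'groups' => $groups,
        'users' => $users,
        'roles' => $roles,
        'oFolder' => $this->oFolder,
        'aMapPermissionGroup' => $aMapPermissionGroup,
        'aMapPermissionRole' => $aMapPermissionRole,
        'aMapPermissionUser' => $aMapPermissionUser,
        'edit' => $bEdit,
        'inherited' => $sInherited,
        'foldername' => $this->oFolder->getName(),
        'iFolderId' => $this->oFolder->getId(),
    );

    return $oTemplate->render($aTemplateData);
}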
/**
 * Return a permission lookup whose assignments include every
 * (permission id => descriptor id) pair of the given map, creating a new
 * lookup with exactly those assignments when none exists.
 *
 * When several existing lookups qualify, the one that sorts first by id
 * is returned.
 *
 * NOTE(review): a candidate qualifies when it contains at least the
 * requested pairs. A lookup that also carries assignments for permissions
 * missing from $aMapPermDesc would be reused as well, and would then grant
 * more than the map describes. Confirm that callers always pass an entry
 * for every permission, or compare the assignment count before reuse.
 *
 * @param array $aMapPermDesc Map of permission id => permission descriptor id.
 * @return mixed Whatever KTPermissionLookup::get() or
 *               KTPermissionLookup::createFromArray() returned (by reference).
 */
function &findOrCreateLookupByPermissionDescriptorMap($aMapPermDesc) {
    // One list of candidate lookup ids per requested pair.
    $aCandidateSets = array();
    foreach ($aMapPermDesc as $iPermissionID => $iDescriptorID) {
        $aFound = KTPermissionLookupAssignment::_getLookupIDsByPermissionIDAndDescriptorID($iPermissionID, $iDescriptorID);
        $aMatches = array();
        foreach ($aFound as $iLookupID) {
            $aMatches[] = $iLookupID;
        }
        $aCandidateSets[] = $aMatches;
    }

    // A lookup must appear in every list to be reusable.
    $iSets = count($aCandidateSets);
    if ($iSets == 0) {
        $aShared = array();
    } elseif ($iSets == 1) {
        $aShared = $aCandidateSets[0];
    } else {
        $aShared = call_user_func_array('array_intersect', $aCandidateSets);
    }

    if (!empty($aShared)) {
        // sort() also reindexes, so element 0 is the first id in order.
        sort($aShared);
        $oExisting = KTPermissionLookup::get($aShared[0]);
        return $oExisting;
    }

    // Nothing reusable: build a fresh lookup and attach one assignment per pair.
    $oPL = KTPermissionLookup::createFromArray(array());
    $iNewLookupID = $oPL->getID();
    foreach ($aMapPermDesc as $iPermissionID => $iDescriptorID) {
        // NOTE(review): the result of each createFromArray() call is not
        // inspected, so a failed insert leaves the new lookup without that
        // permission's assignment and nothing reports it.
        KTPermissionLookupAssignment::createFromArray(array(
            'permissionlookupid' => $iNewLookupID,
            'permissionid' => $iPermissionID,
            'permissiondescriptorid' => $iDescriptorID,
        ));
    }

    return $oPL;
}
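/**
 * Render the "resolved permissions per user" view for the current document.
 *
 * For every permission that has an assignment in the document's permission
 * lookup, each known user is tested with
 * KTPermissionUtil::userHasPermissionOnItem(). The template additionally
 * receives two maps flagging permissions that are governed by a matching
 * dynamic condition or by the document's workflow state.
 *
 * @return mixed Output of the template's render() call.
 */
function do_resolved_users() {
    $this->oPage->setBreadcrumbDetails(_kt("Permissions"));
    $oTemplate = $this->oValidator->validateTemplate("ktcore/document/resolved_permissions_user");

    $oPL = KTPermissionLookup::get($this->oDocument->getPermissionLookupID());
    $aPermissions = KTPermission::getList();

    $aMapPermissionGroup = array();
    $aMapPermissionRole = array();
    $aMapPermissionUser = array();
    // Must exist even when nobody holds any permission; it is iterated below.
    $aActiveUsers = array();

    $aUsers = User::getList();

    foreach ($aPermissions as $oPermission) {
        $oPLA = KTPermissionLookupAssignment::getByPermissionAndLookup($oPermission, $oPL);
        if (PEAR::isError($oPLA)) {
            continue;
        }
        $oDescriptor = KTPermissionDescriptor::get($oPLA->getPermissionDescriptorID());
        $iPermissionID = $oPermission->getID();
        $aMapPermissionGroup[$iPermissionID] = array();

        foreach ($aUsers as $oUser) {
            if (KTPermissionUtil::userHasPermissionOnItem($oUser, $oPermission, $this->oDocument)) {
                $aMapPermissionUser[$iPermissionID][$oUser->getId()] = true;
                $aActiveUsers[$oUser->getId()] = true;
            }
        }
    }

    // now we constitute the actual sets.
    $users = array();
    $groups = array();
    $roles = array(); // should _always_ be empty, barring a bug in permissions::updatePermissionLookup

    // this should be quite limited - direct role -> user assignment is typically rare.
    // NOTE(review): the list is keyed by getName(), so two users whose
    // getName() values are equal collapse into one entry and one of them
    // disappears from this view. Confirm names are unique or key by id.
    foreach ($aActiveUsers as $id => $marker) {
        $oUser = User::get($id);
        $users[$oUser->getName()] = $oUser;
    }
    asort($users); // ascending, per convention.

    // This view is read-only and never reports inheritance.
    $bEdit = false;
    $sInherited = '';

    $aDynamicControls = array();
    $aWorkflowControls = array();

    // handle conditions
    $iPermissionObjectId = $this->oDocument->getPermissionObjectID();
    if (!empty($iPermissionObjectId)) {
        $oPO = KTPermissionObject::get($iPermissionObjectId);
        $aDynamicConditions = KTPermissionDynamicCondition::getByPermissionObject($oPO);
        if (!PEAR::isError($aDynamicConditions)) {
            foreach ($aDynamicConditions as $oDynamicCondition) {
                $iConditionId = $oDynamicCondition->getConditionId();
                // Only conditions that actually match this document count.
                if (KTSearchUtil::testConditionOnDocument($iConditionId, $this->oDocument)) {
                    $aPermissionIds = $oDynamicCondition->getAssignment();
                    foreach ($aPermissionIds as $iPermissionId) {
                        $aDynamicControls[$iPermissionId] = true;
                    }
                }
            }
        }
    }

    // indicate that workflow controls a given permission
    $oState = KTWorkflowUtil::getWorkflowStateForDocument($this->oDocument);
    if (!(PEAR::isError($oState) || is_null($oState) || $oState == false)) {
        $aWorkflowStatePermissionAssignments = KTWorkflowStatePermissionAssignment::getByState($oState);
        // Same guard as for the dynamic conditions above: a failed query
        // must not be iterated as if it were a list of assignments.
        if (!PEAR::isError($aWorkflowStatePermissionAssignments)) {
            foreach ($aWorkflowStatePermissionAssignments as $oAssignment) {
                // A workflow-controlled permission is reported as such and
                // removed from the dynamic-condition map.
                $aWorkflowControls[$oAssignment->getPermissionId()] = true;
                unset($aDynamicControls[$oAssignment->getPermissionId()]);
            }
        }
    }

    $aTemplateData = array(
        "context" => $this,
        "permissions" => $aPermissions,
        "groups" => $groups,
        "users" => $users,
        "roles" => $roles,
        "oDocument" => $this->oDocument,
        "aMapPermissionGroup" => $aMapPermissionGroup,
        "aMapPermissionRole" => $aMapPermissionRole,
        "aMapPermissionUser" => $aMapPermissionUser,
        "edit" => $bEdit,
        "inherited" => $sInherited,
        'workflow_controls' => $aWorkflowControls,
        'conditions_control' => $aDynamicControls,
    );

    return $oTemplate->render($aTemplateData);
}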