/**
 * Restrict every action of this controller to admin users.
 *
 * Runs before any action is dispatched. A non-admin caller gets a bare "401 Authorization Required"
 * status line and the request is terminated right here: nothing is thrown and no redirect is issued.
 *
 * Note: the 401 is sent without a WWW-Authenticate challenge, so a 403 would be the more accurate
 * status; the status line is left unchanged because clients may depend on it.
 *
 * @return void
 */
public function preDispatch()
{
    parent::preDispatch();

    if (Phprojekt_Auth::isAdminUser()) {
        return;
    }

    $response = $this->getResponse();
    $response->setRawHeader('HTTP/1.1 401 Authorization Required');
    $response->sendHeaders();
    exit;
}
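/**
 * Output all global modules as JSON.
 *
 * Emits (via Phprojekt_Converter_Json::echoConvert) an array with:
 * <pre>
 * - data     => modules keyed by module id, each with 'id', 'name' and 'label'.
 * - metadata => whether the current user is an admin.
 * </pre>
 * Only modules with active = 1 and save_type 1 or 2 (the types this action treats as global) are
 * returned, ordered by name.
 *
 * The 'data' key is always present, also when no module matches, so the JSON shape stays stable for
 * the client.
 *
 * @return void
 */
function jsonGetGlobalModulesAction()
{
    $modules = array('data' => array());
    $model   = new Phprojekt_Module_Module();

    $where = 'active = 1 AND (save_type = 1 OR save_type = 2)';
    foreach ($model->fetchAll($where, 'name ASC') as $module) {
        $modules['data'][$module->id] = array(
            'id'    => $module->id,
            'name'  => $module->name,
            'label' => $module->label,
        );
    }

    $modules['metadata'] = Phprojekt_Auth::isAdminUser();

    Phprojekt_Converter_Json::echoConvert($modules);
}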
/**
 * Block non-admin users from this controller.
 *
 * A non-admin GET request is redirected to the logout action of the Login controller (which presumably
 * ends at the login form); any other method (the JSON/POST calls of the UI) gets a
 * Phprojekt_PublishedException so the message can be rendered as JSON.
 *
 * Note: the exception carries status 500 although the condition is an authorization failure (403 would
 * be the accurate code); kept as-is because the client handling may depend on it.
 *
 * @throws Phprojekt_PublishedException If the user is not an admin and the request is not a GET.
 *
 * @return void
 */
public function init()
{
    parent::init();

    if (Phprojekt_Auth::isAdminUser()) {
        return;
    }

    $request = $this->getFrontController()->getRequest();
    if ($request->isGet()) {
        $logoutUrl = Phprojekt::getInstance()->getConfig()->webpath . 'index.php/Login/logout';
        $this->_redirect($logoutUrl);
    } else {
        throw new Phprojekt_PublishedException('Admin section is only for admin users', 500);
    }

    // Reached only if _redirect() itself does not terminate the request.
    exit;
}
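/**
 * Gate the Core controllers for non-admin users.
 *
 * Runs before every action. Admin users pass. For everybody else only a short list of public calls is
 * allowed; anything else gets a bare "401 Authorization Required" status line and the request ends here
 * (nothing is thrown, no redirect).
 *
 * Two controllers ('setting' and 'upgrade') are opened completely, so every action in them has to
 * enforce the caller's rights on its own.
 *
 * @return void
 */
public function preDispatch()
{
    parent::preDispatch();

    if (Phprojekt_Auth::isAdminUser()) {
        return;
    }

    // The controller name is compared case-insensitively, the action name exactly as delivered.
    $controller = strtolower($this->getRequest()->getControllerName());
    $action     = $this->getRequest()->getActionName();

    // Controllers a normal user may call without restriction.
    $publicControllers = array('setting', 'upgrade');

    // Single actions a normal user may call, per (lower-cased) controller.
    $publicActions = array(
        'history' => array('jsonList'),
        'module'  => array('jsonGetGlobalModules'),
        'role'    => array('jsonGetModulesAccess'),
        'user'    => array('jsonGetUsers', 'jsonGetProxyableUsers'),
        'tab'     => array('jsonList'),
    );

    $valid = in_array($controller, $publicControllers, true)
        || (isset($publicActions[$controller]) && in_array($action, $publicActions[$controller], true));

    if (!$valid) {
        // Reason phrase completed ("Required"). Sent without a WWW-Authenticate challenge; a 403 would be
        // the more accurate status, but the 401 is kept for client compatibility.
        $this->getResponse()->setRawHeader('HTTP/1.1 401 Authorization Required');
        $this->getResponse()->sendHeaders();
        exit;
    }
}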
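/**
 * Gate the Core controllers for non-admin users.
 *
 * Admin users pass. For everybody else only a short list of public calls is allowed; any other request
 * is rejected: a GET is redirected to the logout action of the Login controller, anything else (the
 * JSON/POST calls of the UI) gets a Phprojekt_PublishedException so the message can be shown as JSON.
 *
 * The whole 'setting' controller is opened, so each of its actions has to enforce rights itself.
 *
 * Note: the exception uses status 500 for what is an authorization failure (403 would be accurate);
 * kept because the client handling may depend on it.
 *
 * @throws Phprojekt_PublishedException If the request is not allowed and is not a GET.
 *
 * @return void
 */
public function init()
{
    parent::init();

    if (Phprojekt_Auth::isAdminUser()) {
        return;
    }

    // Controller and action names are compared exactly as the request delivers them (no lower-casing).
    $controller = $this->getRequest()->getControllerName();
    $action     = $this->getRequest()->getActionName();

    // Controllers a normal user may call without restriction.
    $publicControllers = array('setting');

    // Single actions a normal user may call, per controller.
    $publicActions = array(
        'history' => array('jsonList'),
        'module'  => array('jsonGetGlobalModules'),
        'role'    => array('jsonGetModulesAccess'),
        'user'    => array('jsonGetUsers'),
        'tab'     => array('jsonList'),
    );

    $valid = in_array($controller, $publicControllers, true)
        || (isset($publicActions[$controller]) && in_array($action, $publicActions[$controller], true));

    if ($valid) {
        return;
    }

    if ($this->getFrontController()->getRequest()->isGet()) {
        $this->_redirect(Phprojekt::getInstance()->getConfig()->webpath . 'index.php/Login/logout');
    } else {
        throw new Phprojekt_PublishedException('Admin section is only for admin users', 500);
    }

    // Reached only if _redirect() itself does not terminate the request.
    exit;
}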
/**
 * Run the migration of one module and report the outcome as JSON.
 *
 * The module name comes from the 'upgradeModule' request parameter and is handed to
 * Phprojekt_Migration::performUpgrade() unchanged. The action checks the admin right itself rather
 * than relying on a controller-wide check.
 *
 * Output is one of:
 * <pre>
 * - type 'success'      => the upgrade finished.
 * - type 'failure'      => performUpgrade() threw an ordinary exception.
 * - type 'fatalFailure' => performUpgrade() threw Phprojekt_Migration_IKilledTheDatabaseException.
 * </pre>
 * Both failure cases log file, line, message and trace of the exception at debug level; only a generic
 * message reaches the client.
 *
 * @throws Zend_Controller_Action_Exception With code 403 if the user is not an admin.
 *
 * @return void
 */
public function jsonUpgradeAction()
{
    if (!Phprojekt_Auth::isAdminUser()) {
        throw new Zend_Controller_Action_Exception('Insufficient rights.', 403);
    }

    $extensions = new Phprojekt_Extensions(PHPR_CORE_PATH);
    $migration  = new Phprojekt_Migration($extensions);

    // (log prefix, JSON type, JSON message) of the failure, or null when the upgrade went through.
    $failure = null;
    try {
        $migration->performUpgrade($this->getRequest()->getParam('upgradeModule'));
    } catch (Phprojekt_Migration_IKilledTheDatabaseException $e) {
        $failure = array('IKilledTheDatabaseException', 'fatalFailure', 'A fatal error has occured.');
    } catch (Exception $e) {
        $failure = array('Exception', 'failure', 'An error has occured.');
    }

    if (null === $failure) {
        Phprojekt_Converter_Json::echoConvert(array(
            'type'    => 'success',
            'message' => 'The module was upgraded correctly',
        ));
        return;
    }

    list($kind, $type, $message) = $failure;
    Phprojekt::getInstance()->getLog()->debug(sprintf(
        "%s occurred while migrating: %s:%d\n%s\n%s\n",
        $kind,
        $e->getFile(),
        $e->getLine(),
        $e->getMessage(),
        $e->getTraceAsString()
    ));
    Phprojekt_Converter_Json::echoConvert(array('type' => $type, 'message' => $message));
}
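/**
 * Check whether a user holds the given access right on this item.
 *
 * Admin users always pass, and so does anyone on an item that is not stored yet ($this->isNew()) —
 * presumably because no item rights can exist for it yet; note that this means hasRight() never denies
 * anything on an unsaved item. Otherwise the item rights are read via Phprojekt_Right::getRightsForItems()
 * for this item's module and the given project.
 *
 * @param integer $userId    The user to check.
 * @param integer $right     A Phprojekt_Acl bitmask; every bit of it must be set for the result to be true.
 * @param integer $projectId The project the item belongs to; defaults to $this->projectId.
 *
 * @return boolean True if the user holds the right, false otherwise (including when no rights entry
 *                 exists for this item at all).
 */
public function hasRight($userId, $right, $projectId = null)
{
    if (Phprojekt_Auth::isAdminUser() || $this->isNew()) {
        return true;
    }

    if (null === $projectId) {
        $projectId = $this->projectId;
    }

    $moduleId = Phprojekt_Module::getId($this->getModelName());
    $rights   = Phprojekt_Right::getRightsForItems($moduleId, $projectId, $userId, array($this->id));

    // No entry at all means no right. Return a real boolean: the integer Phprojekt_Acl::NONE is falsy
    // too, but would not satisfy a caller's strict `=== false` comparison.
    if (!isset($rights[$this->id])) {
        return false;
    }

    return ($rights[$this->id] & $right) == $right;
}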
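/**
 * Check whether the current user may write the given item.
 *
 * - 'Core' items: only admins.
 * - Modules whose save type is "normal": the item's own rights for 'currentUser' decide; any of the
 *   write, create, copy or admin flags grants access. Missing rights information denies.
 * - Everything else (global modules, which are not treated as having item-level rights here): allowed.
 *
 * @param Phprojekt_Model_Interface $model      The model to save (must provide getRights()).
 * @param string                    $moduleName The current module.
 *
 * @return boolean True when the user may write the item.
 */
private static function _checkItemRights($model, $moduleName)
{
    if ($moduleName === 'Core') {
        return Phprojekt_Auth::isAdminUser();
    }

    if (!Phprojekt_Module::saveTypeIsNormal(Phprojekt_Module::getId($moduleName))) {
        return true;
    }

    $itemRights = $model->getRights();
    if (!isset($itemRights['currentUser'])) {
        // No rights information at all: fail closed.
        return false;
    }

    // Any one of these flags is enough; !empty() also tolerates a flag missing from the array.
    $current = $itemRights['currentUser'];
    return !empty($current['write'])
        || !empty($current['create'])
        || !empty($current['copy'])
        || !empty($current['admin']);
}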
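/**
 * Output all global modules as JSON.
 *
 * Emits (via Phprojekt_Converter_Json::echoConvert) an array with:
 * <pre>
 * - data     => modules keyed by module id, each with 'id', 'name' and a translated 'label'.
 * - metadata => whether the current user is an admin.
 * </pre>
 * Only modules with active = 1 and save_type 1 or 2 (the types this action treats as global) are
 * returned, ordered by name.
 *
 * The 'data' key is always present, also when no module matches, so the JSON shape stays stable for
 * the client.
 *
 * @return void
 */
function jsonGetGlobalModulesAction()
{
    $modules = array('data' => array());
    $model   = Phprojekt_Loader::getLibraryClass('Phprojekt_Module_Module');

    $where = 'active = 1 AND (save_type = 1 OR save_type = 2)';
    foreach ($model->fetchAll($where, 'name ASC') as $module) {
        $modules['data'][$module->id] = array(
            'id'    => $module->id,
            'name'  => $module->name,
            // Label is translated in the scope of the module itself.
            'label' => Phprojekt::getInstance()->translate($module->label, null, $module->name),
        );
    }

    $modules['metadata'] = Phprojekt_Auth::isAdminUser();

    Phprojekt_Converter_Json::echoConvert($modules);
}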
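/**
 * Check whether the current user may delete the given item.
 *
 * - 'Core' items: only admins.
 * - Modules whose save type is "normal" and whose model offers hasRight(): the model decides for
 *   Phprojekt_Acl::DELETE and the effective (possibly proxied) user.
 * - Everything else (global modules, or models without hasRight()): allowed.
 *
 * NOTE(review): the last case is fail-open. A normal-save-type model that does not implement hasRight()
 * is deletable by any user reaching this check; confirm no such model exists, or make that branch fail
 * closed.
 *
 * @param Phprojekt_ActiveRecord_Abstract $model      The model to delete.
 * @param string                          $moduleName The current module.
 *
 * @return boolean True when deletion is permitted.
 */
private static function _checkItemRights(Phprojekt_ActiveRecord_Abstract $model, $moduleName)
{
    if ($moduleName === 'Core') {
        return Phprojekt_Auth::isAdminUser();
    }

    $isNormal = Phprojekt_Module::saveTypeIsNormal(Phprojekt_Module::getId($moduleName));
    if ($isNormal && method_exists($model, 'hasRight')) {
        return $model->hasRight(Phprojekt_Auth_Proxy::getEffectiveUserId(), Phprojekt_Acl::DELETE);
    }

    return true;
}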
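/**
 * Output the per-module permissions of the current user in one project as JSON.
 *
 * For every module that is part of the project (inProject), the user's role rights 'admin', 'create',
 * 'write' and 'read' are folded into a Phprojekt_Acl bitmask and converted with
 * Phprojekt_Acl::convertBitmaskToArray(). Only modules with at least one right are returned, except for
 * admin users, who get every module of the project.
 *
 * REQUIRES request parameters:
 * <pre>
 * - integer <b>nodeId</b> The project id. Cast to int; 0 (or anything non-numeric) yields an empty list.
 * </pre>
 *
 * The return is in JSON format.
 *
 * @return void
 */
public function jsonGetModulesPermissionAction()
{
    $projectId = (int) $this->getRequest()->getParam('nodeId');

    // No rights for a missing or invalid project; nothing needs to be fetched in that case.
    if ($projectId == 0) {
        Phprojekt_Converter_Json::echoConvert(array());
        return;
    }

    $relation = new Project_Models_ProjectModulePermissions();
    $modules  = $relation->getProjectModulePermissionsById($projectId);
    $rights   = new Phprojekt_RoleRights($projectId);

    // Role right name => Phprojekt_Acl bit it contributes.
    $aclBits = array(
        'admin'  => Phprojekt_Acl::ADMIN,
        'create' => Phprojekt_Acl::CREATE,
        'write'  => Phprojekt_Acl::WRITE,
        'read'   => Phprojekt_Acl::READ,
    );

    // Loop-invariant: admins see every module of the project regardless of role rights.
    $isAdmin = Phprojekt_Auth::isAdminUser();

    $allowedModules = array();
    foreach ($modules['data'] as $module) {
        if (!$module['inProject']) {
            continue;
        }

        $permission = Phprojekt_Acl::NONE;
        foreach ($aclBits as $roleRight => $bit) {
            if ($rights->hasRight($roleRight, $module['id'])) {
                $permission |= $bit;
            }
        }

        if ($permission != Phprojekt_Acl::NONE || $isAdmin) {
            $module['rights'] = Phprojekt_Acl::convertBitmaskToArray($permission);
            $allowedModules[] = $module;
        }
    }

    Phprojekt_Converter_Json::echoConvert($allowedModules);
}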
/**
 * Strip the projects the user may not read out of a tree.
 *
 * Admins get the tree untouched. For everybody else the rights of the logged-in user (deliberately not
 * the proxied/effective one, see below) are fetched for all project ids in the tree's index and every
 * node without the READ bit is deleted.
 *
 * A node without a rights entry of its own keeps the right computed for the previously visited node
 * (starting from Phprojekt_Acl::ALL), so the walk relies on the iteration order to carry a parent's
 * right down to children without an entry — presumably parent-before-child; confirm against the tree
 * iterator before changing it.
 *
 * @param Phprojekt_Tree_Node_Database $object Tree class.
 *
 * @return Phprojekt_Tree_Node_Database The same tree with only the readable nodes left.
 */
public function applyRights(Phprojekt_Tree_Node_Database $object)
{
    if (Phprojekt_Auth::isAdminUser()) {
        return $object;
    }

    // The real user id, not the effective one: a user must hold read access himself to see a project.
    // This keeps access management simple.
    $userId     = Phprojekt_Auth::getUserId();
    $projectIds = array_keys($object->_index);

    // Module id 1 / project id 1 — presumably the Project module and the root project; confirm.
    $rights = Phprojekt_Right::getRightsForItems(1, 1, $userId, $projectIds);

    $inherited = Phprojekt_Acl::ALL;
    foreach ($object as $index => $node) {
        if (isset($rights[$node->id])) {
            $inherited = $rights[$node->id];
        }

        // deleteNode() cannot update the iterator, so a node may already be gone: only delete nodes
        // that are still in the index.
        $readable = (Phprojekt_Acl::READ & $inherited) > 0;
        if (!$readable && isset($object->_index[$node->id])) {
            $object->deleteNode($object, $node->id);
        }
    }

    return $object;
}