function fetchMenu($user_id)
{
// First, get the user's group membership
$groups = fetchUserGroups($user_id);
// Construct an array of group id's. Group id of '0' is considered public, everyone has access to these nav options.
$group_ids = array('0');
$group_ids = array_merge($group_ids, array_keys($groups));
try {
global $db_table_prefix;
$db = pdoConnect();
$results = array();
// Safe to interpolate directly because group_ids are trusted data
$group_list = "(" . join(',', $group_ids) . ")";
$query = "SELECT\n *\n FROM " . $db_table_prefix . "nav AS n\n JOIN " . $db_table_prefix . "nav_group_matches as m ON (n.id = m.menu_id)\n WHERE m.group_id IN {$group_list} ORDER BY n.position";
$stmt = $db->prepare($query);
$stmt->execute();
while ($r = $stmt->fetch(PDO::FETCH_ASSOC)) {
$id = $r['id'];
$results[$id] = $r;
}
$stmt = null;
return $results;
} catch (PDOException $e) {
addAlert("danger", "Oops, looks like our database encountered an error.");
error_log("Error in " . $e->getFile() . " on line " . $e->getLine() . ": " . $e->getMessage());
return false;
} catch (ErrorException $e) {
addAlert("danger", "Oops, looks like our server might have goofed. If you're an admin, please check the PHP error logs.");
return false;
}
}
/**
* Add user to specified group
* @param int $user_id the id of the user to load.
* @param int $group_id the group to add the user to
* @return boolean true for success, false if failed
*/
function addUserToGroup($user_id, $group_id)
{
// This block automatically checks this action against the permissions database before running.
if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
addAlert("danger", "Sorry, you do not have permission to access this resource.");
return false;
}
$userGroups = fetchUserGroups($user_id);
$add = array();
// Only try to add if the user is not already part of this group
if (!isset($userGroups[$group_id])) {
if ($count = dbAddUserToGroups($user_id, $group_id)) {
if ($count > 0) {
$group = fetchGroupDetails($group_id);
addAlert("success", lang("ACCOUNT_GROUP_ADDED", array($group['name'])));
}
return true;
} else {
return false;
}
}
}
/** Load action permissions for the logged in user, and check the specified action with the specified arguments. */
function checkActionPermission($action_function, $args)
{
global $db_table_prefix, $loggedInUser, $master_account;
// Error if user is not logged in
if (!isUserLoggedIn()) {
if (LOG_AUTH_FAILURES) {
error_log("Authorization failed: user is not logged in.");
}
return false;
}
// Root user automatically has access to everything
if ($loggedInUser->user_id == $master_account) {
return true;
}
// Error if the specified function does not exist.
if (!function_exists($action_function)) {
if (LOG_AUTH_FAILURES) {
error_log("Authorization failed: action '{$action_function}' does not exist.");
}
return false;
}
// Fetch individual level permits
$action_permits = fetchUserPermits($loggedInUser->user_id, $action_function);
// Fetch permits for each group that the user belongs to
$groups = fetchUserGroups($loggedInUser->user_id);
foreach ($groups as $group_id => $group) {
$action_permits = array_merge($action_permits, fetchGroupPermits($group_id, $action_function));
}
// For each mapping, run the appropriate handlers
// If the handlers pass, return true. Otherwise, move on to the next mapping.
foreach ($action_permits as $idx => $action_permit) {
$action = $action_permit['action'];
// Process permits for this mapping
$permits_str = $action_permit['permits'];
$permits = explode('&', $permits_str);
if (checkActionPermits($permits, $args)) {
return true;
}
}
// Return false if no mappings pass.
if (LOG_AUTH_FAILURES) {
error_log("Authorization failed: User {$loggedInUser->username} (user_id={$loggedInUser->user_id}) could not be validated for {$action_function} on arguments " . print_r($args, true));
}
return false;
}
/** Load action permissions for the logged in user, and check the specified action with the specified arguments. */
function checkActionPermission($action_function, $args)
{
global $db_table_prefix, $loggedInUser, $master_account;
// Error if user is not logged in
if (!isUserLoggedIn()) {
return false;
}
// Root user automatically has access to everything
if ($loggedInUser->user_id == $master_account) {
return true;
}
// Error if the specified function does not exist.
if (!function_exists($action_function)) {
//echo "FAILED: action '$action_function' does not exist.<br><br>";
return false;
}
/*
$parameters = $method->getParameters();
//echo var_dump($parameters);
foreach ($parameters as $id => $param ){
echo $param->getName() . "<br>";
}
*/
// Fetch individual level permits
$action_permits = fetchUserPermits($loggedInUser->user_id, $action_function);
// Fetch permits for each group that the user belongs to
$groups = fetchUserGroups($loggedInUser->user_id);
foreach ($groups as $group_id => $group) {
$action_permits = array_merge($action_permits, fetchGroupPermits($group_id, $action_function));
}
// For each mapping, run the appropriate handlers
// If the handlers pass, return true. Otherwise, move on to the next mapping.
foreach ($action_permits as $idx => $action_permit) {
$action = $action_permit['action'];
//echo "Checking action $action<br>";
// Get names of action parameters
/*
$action_param_str = array();
preg_match('/\((*?)\)/i', $action, $action_param_str);
$action_params = split(',', $action_param_str);
*/
// Process permits for this mapping
$permits_str = $action_permit['permits'];
$permits = explode('&', $permits_str);
//echo "Checking $action_function on arguments " . print_r($args, true) . "<br><br>";
if (checkActionPermits($permits, $args)) {
return true;
}
}
// Return false if no mappings pass.
//echo "FAILED validating $action_function on arguments " . print_r($args, true) . "<br><br>";
return false;
}