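/**
 * Fetch the navigation menu entries visible to a user.
 *
 * Group id '0' is treated as the public group, so its entries are returned
 * for every user; the remaining ids are the groups the user belongs to.
 *
 * @param int $user_id the id of the user whose menu is being built
 * @return array|false nav rows keyed by nav id, in position order, or false on a database error
 */
function fetchMenu($user_id) {
    // First, get the user's group membership
    $groups = fetchUserGroups($user_id);

    // Construct an array of group id's. Group id of '0' is considered public,
    // everyone has access to these nav options. Every id is cast to int so the
    // IN list can only ever contain integers.
    $group_ids = array_merge(array(0), array_map('intval', array_keys($groups)));

    try {
        global $db_table_prefix;
        $db = pdoConnect();
        $results = array();

        // Bind the group ids as placeholders instead of interpolating them into the
        // SQL. They come from our own database, but binding keeps the query shape
        // fixed no matter how the ids were produced.
        $placeholders = implode(',', array_fill(0, count($group_ids), '?'));
        $query = "SELECT\n *\n FROM " . $db_table_prefix . "nav AS n\n JOIN " . $db_table_prefix . "nav_group_matches as m ON (n.id = m.menu_id)\n WHERE m.group_id IN ({$placeholders}) ORDER BY n.position";
        $stmt = $db->prepare($query);
        // $group_ids is a 0-indexed list (array_merge reindexes), as positional binding requires.
        $stmt->execute($group_ids);
        while ($r = $stmt->fetch(PDO::FETCH_ASSOC)) {
            $id = $r['id'];
            $results[$id] = $r;
        }
        $stmt = null;
        return $results;
    } catch (PDOException $e) {
        addAlert("danger", "Oops, looks like our database encountered an error.");
        error_log("Error in " . $e->getFile() . " on line " . $e->getLine() . ": " . $e->getMessage());
        return false;
    } catch (ErrorException $e) {
        addAlert("danger", "Oops, looks like our server might have goofed. If you're an admin, please check the PHP error logs.");
        return false;
    }
}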
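/**
 * Add user to specified group
 *
 * The action is checked against the permissions database before running.
 * If the user already belongs to the group nothing is changed and the call
 * reports success, so that the function always returns a boolean as documented.
 *
 * @param int $user_id the id of the user to load.
 * @param int $group_id the group to add the user to
 * @return boolean true for success (including when the user was already a member), false if failed
 */
function addUserToGroup($user_id, $group_id) {
    // This block automatically checks this action against the permissions database before running.
    if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
        addAlert("danger", "Sorry, you do not have permission to access this resource.");
        return false;
    }

    $userGroups = fetchUserGroups($user_id);

    // Only try to add if the user is not already part of this group. Membership
    // already holds here, so return an explicit boolean rather than falling off
    // the end of the function.
    if (isset($userGroups[$group_id])) {
        return true;
    }

    $count = dbAddUserToGroups($user_id, $group_id);
    if (!$count) {
        return false;
    }

    $group = fetchGroupDetails($group_id);
    addAlert("success", lang("ACCOUNT_GROUP_ADDED", array($group['name'])));
    return true;
}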
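/**
 * Load action permissions for the logged in user, and check the specified action
 * with the specified arguments.
 *
 * Permits are gathered from the user's own entries and from every group the user
 * belongs to; the first mapping whose permits pass grants access. Failures are
 * written to the error log when LOG_AUTH_FAILURES is enabled.
 *
 * @param string $action_function name of the action function being authorized
 * @param array $args the arguments the action is being invoked with
 * @return boolean true if the user may perform the action, false otherwise
 */
function checkActionPermission($action_function, $args) {
    global $loggedInUser, $master_account;

    // Error if user is not logged in
    if (!isUserLoggedIn()) {
        if (LOG_AUTH_FAILURES) {
            error_log("Authorization failed: user is not logged in.");
        }
        return false;
    }

    // Root user automatically has access to everything.
    // Compare as integers rather than with '==' so the bypass does not depend on
    // loose-comparison rules between the stored id and the configured value.
    if ((int) $loggedInUser->user_id === (int) $master_account) {
        return true;
    }

    // Error if the specified function does not exist.
    if (!function_exists($action_function)) {
        if (LOG_AUTH_FAILURES) {
            error_log("Authorization failed: action '{$action_function}' does not exist.");
        }
        return false;
    }

    // Fetch individual level permits
    $action_permits = fetchUserPermits($loggedInUser->user_id, $action_function);

    // Fetch permits for each group that the user belongs to
    $groups = fetchUserGroups($loggedInUser->user_id);
    foreach (array_keys($groups) as $group_id) {
        $action_permits = array_merge($action_permits, fetchGroupPermits($group_id, $action_function));
    }

    // For each mapping, run the appropriate handlers.
    // If the handlers pass, return true. Otherwise, move on to the next mapping.
    foreach ($action_permits as $action_permit) {
        // Permits for a mapping are stored as a single '&'-separated string.
        $permits = explode('&', $action_permit['permits']);
        if (checkActionPermits($permits, $args)) {
            return true;
        }
    }

    // Return false if no mappings pass.
    if (LOG_AUTH_FAILURES) {
        error_log("Authorization failed: User {$loggedInUser->username} (user_id={$loggedInUser->user_id}) could not be validated for {$action_function} on arguments " . print_r($args, true));
    }
    return false;
}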
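/**
 * Load action permissions for the logged in user, and check the specified action
 * with the specified arguments.
 *
 * Permits are gathered from the user's own entries and from every group the user
 * belongs to; the first mapping whose permits pass grants access.
 *
 * @param string $action_function name of the action function being authorized
 * @param array $args the arguments the action is being invoked with
 * @return boolean true if the user may perform the action, false otherwise
 */
function checkActionPermission($action_function, $args) {
    global $loggedInUser, $master_account;

    // Error if user is not logged in
    if (!isUserLoggedIn()) {
        return false;
    }

    // Root user automatically has access to everything.
    // Compare as integers rather than with '==' so the bypass does not depend on
    // loose-comparison rules between the stored id and the configured value.
    if ((int) $loggedInUser->user_id === (int) $master_account) {
        return true;
    }

    // Error if the specified function does not exist.
    if (!function_exists($action_function)) {
        return false;
    }

    // Fetch individual level permits
    $action_permits = fetchUserPermits($loggedInUser->user_id, $action_function);

    // Fetch permits for each group that the user belongs to
    $groups = fetchUserGroups($loggedInUser->user_id);
    foreach (array_keys($groups) as $group_id) {
        $action_permits = array_merge($action_permits, fetchGroupPermits($group_id, $action_function));
    }

    // For each mapping, run the appropriate handlers.
    // If the handlers pass, return true. Otherwise, move on to the next mapping.
    foreach ($action_permits as $action_permit) {
        // Permits for a mapping are stored as a single '&'-separated string.
        $permits = explode('&', $action_permit['permits']);
        if (checkActionPermits($permits, $args)) {
            return true;
        }
    }

    // Return false if no mappings pass.
    return false;
}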