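/**
 * Fetch the navigation entries a user is allowed to see.
 *
 * Collects the ids of the groups the user belongs to (keys of fetchUserGroups())
 * and always adds group id '0', which is treated as "public". Every row of the
 * nav table joined to nav_group_matches whose group_id is in that set is
 * returned, keyed by nav id, ordered by n.position.
 *
 * The group ids are bound as prepared-statement parameters rather than
 * interpolated into the SQL text. They originate from the database, not from
 * the request, but binding costs nothing and removes the dependency on every
 * code path that can write a group id being well-behaved.
 *
 * @param int $user_id the id of the user whose menu is being built
 * @return array|false map of nav id => row (PDO::FETCH_ASSOC), or false when
 *                     the database or server raised an error (an alert is
 *                     queued via addAlert() in that case)
 */
function fetchMenu($user_id)
{
    // First, get the user's group membership
    $groups = fetchUserGroups($user_id);
    // Group id '0' is considered public: everyone has access to those nav options.
    // array_merge reindexes, so $group_ids is a 0-based list and never empty.
    $group_ids = array_merge(array('0'), array_keys($groups));
    try {
        global $db_table_prefix;
        $db = pdoConnect();
        $results = array();
        // One positional placeholder per group id; the ids themselves are bound below.
        $placeholders = implode(',', array_fill(0, count($group_ids), '?'));
        $query = "SELECT\n            *\n            FROM " . $db_table_prefix . "nav AS n\n            JOIN " . $db_table_prefix . "nav_group_matches as m ON (n.id = m.menu_id)\n            WHERE m.group_id IN ({$placeholders}) ORDER BY n.position";
        $stmt = $db->prepare($query);
        foreach ($group_ids as $i => $group_id) {
            // Positional placeholders are 1-indexed. Group ids are expected to be
            // integers (the original interpolated them unquoted), so bind as INT.
            $stmt->bindValue($i + 1, (int) $group_id, PDO::PARAM_INT);
        }
        $stmt->execute();
        while ($r = $stmt->fetch(PDO::FETCH_ASSOC)) {
            $id = $r['id'];
            $results[$id] = $r;
        }
        $stmt = null;
        return $results;
    } catch (PDOException $e) {
        addAlert("danger", "Oops, looks like our database encountered an error.");
        error_log("Error in " . $e->getFile() . " on line " . $e->getLine() . ": " . $e->getMessage());
        return false;
    } catch (ErrorException $e) {
        addAlert("danger", "Oops, looks like our server might have goofed.  If you're an admin, please check the PHP error logs.");
        return false;
    }
}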
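/**
 * Add user to specified group
 *
 * The call is first checked against the permissions database via
 * checkActionPermissionSelf(); on denial an alert is queued and false is
 * returned. The membership row is only inserted when the user is not already
 * in the group according to fetchUserGroups(). When dbAddUserToGroups()
 * reports at least one row written, an ACCOUNT_GROUP_ADDED alert is queued.
 *
 * @param int $user_id the id of the user to add
 * @param int $group_id the group to add the user to
 * @return boolean true for success, false if failed. "Already a member" is
 *                 reported as false: the previous implementation fell off the
 *                 end of the function and returned null on that path, so the
 *                 falsy result is kept for existing callers while honouring
 *                 the documented boolean contract.
 */
function addUserToGroup($user_id, $group_id)
{
    // This block automatically checks this action against the permissions database before running.
    if (!checkActionPermissionSelf(__FUNCTION__, func_get_args())) {
        addAlert("danger", "Sorry, you do not have permission to access this resource.");
        return false;
    }
    $userGroups = fetchUserGroups($user_id);
    // Only try to add if the user is not already part of this group.
    if (isset($userGroups[$group_id])) {
        return false;
    }
    $count = dbAddUserToGroups($user_id, $group_id);
    if (!$count) {
        return false;
    }
    // Only announce the addition when a row was actually written.
    if ($count > 0) {
        $group = fetchGroupDetails($group_id);
        addAlert("success", lang("ACCOUNT_GROUP_ADDED", array($group['name'])));
    }
    return true;
}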
/**
 * Load action permissions for the logged in user, and check the specified action with the specified arguments.
 *
 * Decision order:
 *  1. nobody logged in            -> false
 *  2. user_id equals $master_account -> true (root bypasses every permit)
 *  3. $action_function is not a defined function -> false
 *  4. otherwise the user's own permits plus the permits of each group the user
 *     belongs to are collected for $action_function; the first mapping whose
 *     '&'-separated permit string passes checkActionPermits() against $args
 *     grants access. No passing mapping -> false.
 *
 * Failures are written to error_log when LOG_AUTH_FAILURES is set. Note that
 * the final log line dumps $args verbatim: if an action takes secrets
 * (passwords, tokens), those end up in the log.
 *
 * @param string $action_function name of the function being authorised
 * @param array  $args arguments the action would be invoked with
 * @return bool true when some permit mapping passes, false otherwise
 */
function checkActionPermission($action_function, $args)
{
    global $db_table_prefix, $loggedInUser, $master_account;

    if (!isUserLoggedIn()) {
        if (LOG_AUTH_FAILURES) {
            error_log("Authorization failed: user is not logged in.");
        }
        return false;
    }

    // The master account needs no permits at all.
    if ($loggedInUser->user_id == $master_account) {
        return true;
    }

    if (!function_exists($action_function)) {
        if (LOG_AUTH_FAILURES) {
            error_log("Authorization failed: action '{$action_function}' does not exist.");
        }
        return false;
    }

    // Gather user-level permits first, then append those of every group the user is in.
    $mappings = fetchUserPermits($loggedInUser->user_id, $action_function);
    foreach (array_keys(fetchUserGroups($loggedInUser->user_id)) as $member_group_id) {
        $mappings = array_merge($mappings, fetchGroupPermits($member_group_id, $action_function));
    }

    // First mapping whose permit handlers all pass wins.
    foreach ($mappings as $mapping) {
        $action = $mapping['action']; // read as in the original row handling; not otherwise used
        $permit_handlers = explode('&', $mapping['permits']);
        if (checkActionPermits($permit_handlers, $args)) {
            return true;
        }
    }

    if (LOG_AUTH_FAILURES) {
        error_log("Authorization failed: User {$loggedInUser->username} (user_id={$loggedInUser->user_id}) could not be validated for {$action_function} on arguments " . print_r($args, true));
    }
    return false;
}
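/**
 * Load action permissions for the logged in user, and check the specified action with the specified arguments.
 *
 * Decision order:
 *  1. nobody logged in               -> false
 *  2. user_id equals $master_account -> true (root bypasses every permit)
 *  3. $action_function is not a defined function -> false
 *  4. otherwise the user's own permits plus the permits of each group the user
 *     belongs to are collected for $action_function; the first mapping whose
 *     '&'-separated permit string passes checkActionPermits() against $args
 *     grants access. No passing mapping -> false.
 *
 * This variant logs nothing on denial. The commented-out debugging code the
 * previous version carried (including `echo` statements that would have
 * printed the action name and a print_r() dump of $args to the response) has
 * been removed rather than left for someone to uncomment in production.
 *
 * @param string $action_function name of the function being authorised
 * @param array  $args arguments the action would be invoked with
 * @return bool true when some permit mapping passes, false otherwise
 */
function checkActionPermission($action_function, $args)
{
    global $db_table_prefix, $loggedInUser, $master_account;
    // Error if user is not logged in
    if (!isUserLoggedIn()) {
        return false;
    }
    // Root user automatically has access to everything
    if ($loggedInUser->user_id == $master_account) {
        return true;
    }
    // Error if the specified function does not exist.
    if (!function_exists($action_function)) {
        return false;
    }
    // Fetch individual level permits
    $action_permits = fetchUserPermits($loggedInUser->user_id, $action_function);
    // Fetch permits for each group that the user belongs to
    $groups = fetchUserGroups($loggedInUser->user_id);
    foreach ($groups as $group_id => $group) {
        $action_permits = array_merge($action_permits, fetchGroupPermits($group_id, $action_function));
    }
    // For each mapping, run the appropriate handlers.
    // If the handlers pass, return true.  Otherwise, move on to the next mapping.
    foreach ($action_permits as $action_permit) {
        $permits = explode('&', $action_permit['permits']);
        if (checkActionPermits($permits, $args)) {
            return true;
        }
    }
    // Return false if no mappings pass.
    return false;
}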