/**
  * Resolves which element type should be rendered for a model, given the modules the
  * user may access, and reports (by reference) when the user lacks the needed access.
  * @param string $modelClassName model class the element points at
  * @param User $user user whose module rights are checked
  * @param bool $canAccess by-reference flag; set to false when the relevant module is not
  *                        accessible, left untouched otherwise
  * @return string element type name
  */
 public static function resolveModelElementTypeByActionSecurity($modelClassName, $user, &$canAccess)
 {
     assert('is_string($modelClassName)');
     assert('$user instanceof User && $user->id > 0');
     if ($modelClassName != 'Contact') {
         // Any other model maps to its own name; only the access flag may change.
         $moduleClassName = $modelClassName::getModuleClassName();
         if (!RightsUtil::canUserAccessModule($moduleClassName, $user)) {
             $canAccess = false;
         }
         return $modelClassName;
     }
     // For Contact the type depends on which of the Contacts / Leads modules is reachable.
     $hasContacts = RightsUtil::canUserAccessModule('ContactsModule', $user);
     $hasLeads    = RightsUtil::canUserAccessModule('LeadsModule', $user);
     if ($hasContacts && $hasLeads) {
         return 'AllStatesContact';
     }
     if ($hasLeads) {
         return 'Lead';
     }
     if (!$hasContacts) {
         // Neither module is accessible: still report 'Contact', but flag the missing access.
         $canAccess = false;
     }
     return 'Contact';
 }
 /**
  * Renders the editable control only when a template should be used and the current user
  * may access the Email Templates module; otherwise renders nothing.
  * @return string|null
  */
 protected function renderControlEditable()
 {
     if (!$this->shouldUseTemplate()) {
         return null;
     }
     $currentUser = Yii::app()->user->userModel;
     if (!RightsUtil::canUserAccessModule('EmailTemplatesModule', $currentUser)) {
         return null;
     }
     return parent::renderControlEditable();
 }
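 /**
  * Based on the current user, return the importRules types and their display labels.  Only include import rules
  * for which the user can both access and create in every one of the rule's related modules.
  * @return array map of import rules type => display label
  */
 public static function getImportRulesTypesForCurrentUser()
 {
     //todo: cache results to improve performance if needed.
     $importRulesTypes = array();
     // Resolved once; it is loop-invariant across every rights check below.
     $currentUser = Yii::app()->user->userModel;
     foreach (Module::getModuleObjects() as $module) {
         foreach ($module::getAllClassNamesByPathFolder('rules') as $ruleClassName) {
             $classToEvaluate = new ReflectionClass($ruleClassName);
             if (!is_subclass_of($ruleClassName, 'ImportRules') || $classToEvaluate->isAbstract()) {
                 continue;
             }
             $addToArray = true;
             foreach ($ruleClassName::getModuleClassNames() as $moduleClassNameToCheckAccess) {
                 // Both the module access right and the module's create right are required.
                 if (!RightsUtil::canUserAccessModule($moduleClassNameToCheckAccess, $currentUser) ||
                     !RightsUtil::doesUserHaveAllowByRightName($moduleClassNameToCheckAccess,
                                                               $moduleClassNameToCheckAccess::getCreateRight(),
                                                               $currentUser)) {
                     $addToArray = false;
                     break; // one failing module already excludes the rule
                 }
             }
             if ($addToArray) {
                 $importRulesTypes[$ruleClassName::getType()] = $ruleClassName::getDisplayLabel();
             }
         }
     }
     return $importRulesTypes;
 }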
 /**
  * Renders the content used to match an archived email message to a contact or lead.
  * @param EmailMessage $emailMessage the archived message being matched
  * @param User $user user whose Contacts/Leads rights select the form and the grid width
  * @return string rendered content
  */
 public static function renderEmailMessageToMatchContent(EmailMessage $emailMessage, $user)
 {
     $canAccessContacts = RightsUtil::canUserAccessModule('ContactsModule', $user);
     $canAccessLeads    = RightsUtil::canUserAccessModule('LeadsModule', $user);
     $canCreateContact  = RightsUtil::doesUserHaveAllowByRightName('ContactsModule', ContactsModule::getCreateRight(), $user);
     $canCreateLead     = RightsUtil::doesUserHaveAllowByRightName('LeadsModule', LeadsModule::getCreateRight(), $user);
     // Both modules -> any contact; contacts only -> contacts; otherwise leads.
     if ($canAccessLeads) {
         $selectForm = $canAccessContacts ? new AnyContactSelectForm() : new LeadSelectForm();
     } else {
         $selectForm = $canAccessContacts ? new ContactSelectForm() : new LeadSelectForm();
     }
     // One grid column per create right the user holds, plus one.
     $gridSize = 1 + ($canCreateContact ? 1 : 0) + ($canCreateLead ? 1 : 0);
     $contact = new Contact();
     self::resolveEmailAddressAndNameToContact($emailMessage, $contact);
     $view = new ArchivedEmailMatchingView('default', 'emailMessages', $emailMessage, $contact, $selectForm,
                                           $canAccessLeads, $canAccessContacts, $canCreateContact, $canCreateLead, $gridSize);
     return $view->render();
 }
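 /**
  * Betty lacks access to Accounts, Contacts and Tasks, so every portlet in the layout is filtered
  * out for her; the super user gets the layout back untouched.
  */
 public function testResolvePortletsForCurrentUser()
 {
     $betty = User::getByUsername('betty');
     $this->assertFalse(RightsUtil::canUserAccessModule('AccountsModule', $betty));
     $this->assertFalse(RightsUtil::canUserAccessModule('ContactsModule', $betty));
     $this->assertFalse(RightsUtil::canUserAccessModule('TasksModule', $betty));
     Yii::app()->user->userModel = $betty;
     $portlet1 = new Portlet();
     $portlet1->viewType = 'AccountsRelatedList';
     $portlet2 = new Portlet();
     $portlet2->viewType = 'ContactsRelatedList';
     $portlet3 = new Portlet();
     $portlet3->viewType = 'TasksMyList';
     $portlets = array();
     $portlets[0][0] = $portlet1;
     $portlets[0][1] = $portlet2;
     $portlets[0][2] = $portlet3;
     $portlets[1][0] = $portlet3;
     $portlets[1][1] = $portlet1;
     $portlets[1][2] = $portlet3;
     $this->assertEquals(2, count($portlets));
     $resolvedPortlets = PortletsSecurityUtil::resolvePortletsForCurrentUser($portlets);
     $this->assertEquals(0, count($resolvedPortlets));
     Yii::app()->user->userModel = User::getByUsername('super');
     $resolvedPortlets = PortletsSecurityUtil::resolvePortletsForCurrentUser($portlets);
     $this->assertEquals($portlets, $resolvedPortlets);
 }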
 /**
  * A user may access this portlet when both the Accounts and the Contacts modules are accessible.
  * NOTE(review): only those two module rights are checked here; any right on the
  * AccountContactAffiliations module is not verified by this method — confirm it is enforced elsewhere.
  * @param User $user
  * @return bool
  */
 public function canUserAccessPortlet(User $user)
 {
     $canAccessAccounts = RightsUtil::canUserAccessModule('AccountsModule', $user);
     return $canAccessAccounts && RightsUtil::canUserAccessModule('ContactsModule', $user);
 }
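 /**
  * Builds, per global search form class, the search metadata of every in-queue searchable model
  * whose module the user may access, optionally restricted to the model names in $scopeData.
  * @param string $partialTerm partial search term
  * @param User $user user whose module rights are checked
  * @param array|null $scopeData model class names to restrict to; null or empty means no restriction
  * @return array map of globalSearchFormClassName => array(modelClassName => adapted metadata)
  */
 protected static function makeModelClassNamesAndSearchAttributeData($partialTerm, User $user, $scopeData)
 {
     assert('is_string($partialTerm)');
     assert('$user->id > 0');
     assert('$scopeData == null || is_array($scopeData)');
     $modelClassNamesAndSearchAttributeData = array();
     // null or an empty array means "unrestricted" (same outcome as the loose null check it replaces).
     $isUnscoped = ($scopeData === null || $scopeData === array());
     $modelNamesAndLabels = WorkflownQueuesSearchForm::getInQueueSearchableModelNamesAndLabels();
     foreach ($modelNamesAndLabels as $modelClassName => $notUsed) {
         $moduleClassName = $modelClassName::getModuleClassName();
         $module = Yii::app()->findModule($moduleClassName::getDirectoryName());
         $globalSearchFormClassName = $moduleClassName::getGlobalSearchFormClassName();
         if ($globalSearchFormClassName == null || !RightsUtil::canUserAccessModule(get_class($module), $user)) {
             continue;
         }
         // Strict membership: scope entries are class-name strings, and a loose in_array
         // would also match unrelated scalar values.
         if (!$isUnscoped && !in_array($modelClassName, $scopeData, true)) {
             continue;
         }
         $searchAttributes = MixedTermSearchUtil::getGlobalSearchAttributeByModuleAndPartialTerm($module, $partialTerm);
         if (empty($searchAttributes)) {
             continue;
         }
         $model = new $modelClassName(false);
         assert('$model instanceof RedBeanModel');
         $searchForm = new $globalSearchFormClassName($model);
         assert('$searchForm instanceof SearchForm');
         $metadataAdapter = new SearchDataProviderMetadataAdapter($searchForm, $user->id, $searchAttributes);
         $metadata = $metadataAdapter->getAdaptedMetadata(false);
         $modelClassNamesAndSearchAttributeData[$globalSearchFormClassName] = array($modelClassName => $metadata);
     }
     return $modelClassNamesAndSearchAttributeData;
 }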
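 /**
  * Renders the configuration list: one entry per enabled module that has designer menu items and
  * that the current user may access, sorted by label, each with a "Configure" link.
  * @return string
  */
 protected function renderContent()
 {
     $content = $this->renderTitleContent();
     $content .= '<ul class="configuration-list">';
     $moduleClassNamesAndLabels = array();
     foreach (Module::getModuleObjects() as $module) {
         $moduleTreeMenuItems = $module->getDesignerMenuItems();
         if ($module->isEnabled() && !empty($moduleTreeMenuItems)) {
             $moduleClassNamesAndLabels[get_class($module)] = $module::getModuleLabelByTypeAndLanguage('Plural');
         }
     }
     asort($moduleClassNamesAndLabels);
     // Loop-invariant values hoisted out of the per-module loop.
     $currentUser = Yii::app()->user->userModel;
     $route = $this->moduleId . '/' . $this->controllerId . '/modulesMenu/';
     foreach ($moduleClassNamesAndLabels as $moduleClassName => $label) {
         if (!RightsUtil::canUserAccessModule($moduleClassName, $currentUser)) {
             continue;
         }
         $configureUrl = Yii::app()->createUrl($route, array('moduleClassName' => $moduleClassName));
         $content .= ZurmoHtml::openTag('li');
         $content .= '<h4>' . $label . '</h4>';
         $content .= ZurmoHtml::link(ZurmoHtml::wrapLabel(Zurmo::t('Core', 'Configure')), $configureUrl, array('class' => 'white-button'));
         $content .= ZurmoHtml::closeTag('li');
     }
     $content .= '</ul>';
     return $content;
 }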
 /**
  * The module is accessible in a variable state when at least one of the Contacts or Leads
  * modules is accessible to the user.
  * @param User $user
  * @return bool
  */
 public static function canUserAccessModuleInAVariableState(User $user)
 {
     assert('$user->id > 0');
     $canAccessContacts = RightsUtil::canUserAccessModule('ContactsModule', $user);
     return $canAccessContacts || RightsUtil::canUserAccessModule('LeadsModule', $user);
 }
 /**
  * @return string the link markup, or an empty string when the current user may not access
  *                the Product Templates module
  */
 public function render()
 {
     $currentUser = Yii::app()->user->userModel;
     if (!RightsUtil::canUserAccessModule('ProductTemplatesModule', $currentUser)) {
         return '';
     }
     return ZurmoHtml::link($this->resolveLabelAndWrap(), $this->route, $this->getHtmlOptions());
 }
 /**
  * @return string the parent rendering, or an empty string when the current user may not access
  *                the Product Templates module
  */
 public function render()
 {
     $currentUser = Yii::app()->user->userModel;
     if (!RightsUtil::canUserAccessModule('ProductTemplatesModule', $currentUser)) {
         return '';
     }
     return parent::render();
 }
 /**
  * Override to handle special cases for the user status attribute.
  * @see DetailsView::resolveElementInformationDuringFormLayoutRender()
  * @param array $elementInformation element metadata; its 'type' entry may be rewritten in place
  */
 protected function resolveElementInformationDuringFormLayoutRender(&$elementInformation)
 {
     $currentUser = Yii::app()->user->userModel;
     // The status element turns read-only when the current user may not edit another user's status.
     $isStatusElement = ($elementInformation['type'] == 'DerivedUserStatus');
     if ($isStatusElement && !UserStatusUtil::canUserEditStatusOnAnotherUser($currentUser, $this->model)) {
         $elementInformation['type'] = 'ReadOnlyDerivedUserStatus';
     }
     // The role element turns read-only when the current user may not access the Roles module.
     $isRoleElement = ($elementInformation['attributeName'] == 'role');
     if ($isRoleElement && !RightsUtil::canUserAccessModule('RolesModule', $currentUser)) {
         $elementInformation['type'] = 'ReadOnlyModel';
     }
 }
 /**
  * Home is accessible by default; Accounts only once the access right has been granted and saved.
  */
 public function testCanUserAccessModule()
 {
     $billy = User::getByUsername('billy');
     $this->assertTrue(RightsUtil::canUserAccessModule('HomeModule', $billy));
     $this->assertFalse(RightsUtil::canUserAccessModule('AccountsModule', $billy));
     $billy->setRight('AccountsModule', AccountsModule::RIGHT_ACCESS_ACCOUNTS);
     $this->assertTrue($billy->save());
     $this->assertTrue(RightsUtil::canUserAccessModule('AccountsModule', $billy));
 }
 /**
  * Modules whose models carry a state delegate the decision to their workflow rules;
  * all others use the plain module access right.
  * @param string $moduleClassName
  * @return bool
  */
 public static function canCurrentUserCanAccessModule($moduleClassName)
 {
     assert('is_string($moduleClassName)');
     $currentUser = Yii::app()->user->userModel;
     if ($moduleClassName::getStateMetadataAdapterClassName() == null) {
         return RightsUtil::canUserAccessModule($moduleClassName, $currentUser);
     }
     $workflowRules = WorkflowRules::makeByModuleClassName($moduleClassName);
     return $workflowRules->canUserAccessModuleInAVariableState($currentUser);
 }
 /**
  * Ends the request with an access-failure page unless the current user is the user identified
  * by $userId or may access the SendGrid module.
  * @param int $userId
  */
 public static function resolveCanCurrentUserAccessAction($userId)
 {
     $currentUser = Yii::app()->user->userModel;
     $isOwnRecord = ($currentUser->id == $userId);
     if ($isOwnRecord || RightsUtil::canUserAccessModule('SendGridModule', $currentUser)) {
         return;
     }
     $view = new AccessFailurePageView(new AccessFailureView());
     echo $view->render();
     Yii::app()->end(0, false);
 }
 /**
  * Appends the model's Item id to $relatedItemIds when the user may access the model's module
  * and the id is not already present.
  * @param Item $model
  * @param array $relatedItemIds accumulated ids, modified in place
  * @param User $user
  */
 protected static function resolveRelatedItemIdsByModelAndUser(Item $model, &$relatedItemIds, User $user)
 {
     assert('is_array($relatedItemIds)');
     if (!RightsUtil::canUserAccessModule($model::getModuleClassName(), $user)) {
         return;
     }
     $itemId = $model->getClassId('Item');
     if (in_array($itemId, $relatedItemIds)) {
         return;
     }
     $relatedItemIds[] = $itemId;
 }
 /**
  * Renders the footer links of a game notification modal: a "Continue" close link when the current
  * user may not access Social Items, otherwise a "Skip" close link plus the post-to-profile link.
  * NOTE(review): $index is concatenated unescaped into an onclick attribute; it looks like a
  * numeric position — confirm with the callers.
  * @param GameNotification $notification
  * @param int $index suffix of the modal element id
  * @return string
  */
 protected static function resolveAndRenderPostingAndContinueLinksContent(GameNotification $notification, $index)
 {
     $closeModalScript = '$("#ModalGameNotification' . $index . '").dialog("close"); return false;';
     if (!RightsUtil::canUserAccessModule('SocialItemsModule', Yii::app()->user->userModel)) {
         $continueOptions = array('class' => 'close-ModalGameNotification default-btn', 'onclick' => $closeModalScript);
         return ZurmoHtml::link(Zurmo::t('Core', 'Continue'), '#', $continueOptions);
     }
     $skipOptions = array('class' => 'close-ModalGameNotification simple-link', 'onclick' => $closeModalScript);
     $content = ZurmoHtml::link(Zurmo::t('Core', 'Skip'), '#', $skipOptions);
     return $content . static::renderPostToProfileLinkContent($notification, $index);
 }
 /**
  * Checks if the current user may add the portlet from the modal: the portlet rules must grant
  * access and the user must hold the access right on the module owning the portlet's view.
  * @param Object $portletRules
  * @return bool
  */
 public static function doesCurrentUserHavePermissionToAddPortlet($portletRules)
 {
     $currentUser = Yii::app()->user->userModel;
     // The view class derived from the portlet type knows which module owns it.
     $viewClassName = $portletRules->getType() . 'View';
     $moduleClassName = $viewClassName::getModuleClassName();
     return $portletRules->canUserAccessPortlet($currentUser)
            && RightsUtil::canUserAccessModule($moduleClassName, $currentUser);
 }
 /**
  * Filter hook: stops the action and renders a "missing Marketing Lists access" splash page when
  * the current user may not access the Marketing Lists module.
  * @param mixed $filterChain
  * @return bool true to let the action run; false after the splash page has been echoed
  */
 protected function preFilter($filterChain)
 {
     if (RightsUtil::canUserAccessModule('MarketingListsModule', Yii::app()->user->userModel)) {
         return true;
     }
     $controller = $this->controller;
     $splashView = new UserIsMissingMarketingListAccessSplashView();
     $pageViewClassName = $controller->getModule()->getPluralCamelCasedName() . 'PageView';
     $pageView = new $pageViewClassName(ZurmoDefaultAdminViewUtil::makeStandardViewForCurrentUser($controller, $splashView));
     echo $pageView->render();
     return false;
 }
 /**
  * Renders the parent content and, when the current user may access Social Items, appends a
  * "Post to Profile" checkbox block.
  * @return string
  */
 public function render()
 {
     $currentUser = Yii::app()->user->userModel;
     if (!RightsUtil::canUserAccessModule('SocialItemsModule', $currentUser)) {
         return parent::render();
     }
     $checkboxBlock = ZurmoHtml::tag('span', array(), Zurmo::t('ZurmoModule', 'Post to Profile'))
                    . static::renderHelpSpan()
                    . ZurmoHtml::checkBox('postToProfile', false);
     // Parent content first, then the wrapped checkbox block (left-to-right evaluation keeps the order).
     return parent::render() . ZurmoHtml::tag('div', array('class' => 'post-to-profile clearfix'), $checkboxBlock);
 }
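 /**
  * Runs through relations and makes sure the user can access at least one relation. If at least one is
  * accessible, true is returned.
  * @return bool
  */
 public function canUserPerformAction()
 {
     $metadata = Activity::getMetadata();
     foreach ($metadata['Activity']['activityItemsModelClassNames'] as $modelClassName) {
         if (!is_subclass_of($modelClassName, 'Item') || $modelClassName::getModuleClassName() == null) {
             continue;
         }
         // The rights check must gate the return: previously the empty if-body let the first
         // Item subclass return true regardless of whether the user could access its module.
         if (RightsUtil::canUserAccessModule($modelClassName::getModuleClassName(), $this->user)) {
             return true;
         }
     }
     return false;
 }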
 /**
  * Collects, for global-search scoping, the names and plural labels of the modules that are
  * globally searchable, expose a global search form, and are accessible to the user.
  * @param User $user
  * @return array map of module name => plural module label
  */
 protected static function findGlobalSearchScopingModuleNamesAndLabelsDataByUser(User $user)
 {
     assert('$user->id > 0');
     $namesAndLabels = array();
     foreach (Module::getModuleObjects() as $module) {
         $searchFormClassName = $module::getGlobalSearchFormClassName();
         if (!GlobalSearchUtil::resolveIfModuleShouldBeGloballySearched($module)) {
             continue;
         }
         if ($searchFormClassName == null || !RightsUtil::canUserAccessModule(get_class($module), $user)) {
             continue;
         }
         $namesAndLabels[$module->getName()] = $module::getModuleLabelByTypeAndLanguage('Plural');
     }
     return $namesAndLabels;
 }
 /**
  * With Contacts and Opportunities both accessible and no opportunity required, the conversion
  * check produces no blocking content.
  */
 public function testResolveCanUserProperlyConvertLeadFinalStep()
 {
     $billy = User::getByUsername('billy');
     $billy->setRight('ContactsModule', ContactsModule::RIGHT_ACCESS_CONTACTS, Right::ALLOW);
     $billy->setRight('OpportunitiesModule', OpportunitiesModule::RIGHT_ACCESS_OPPORTUNITIES, Right::ALLOW);
     $this->assertTrue($billy->save());
     $content = LeadsControllerSecurityUtil::resolveCanUserProperlyConvertLead(
         RightsUtil::canUserAccessModule('ContactsModule', $billy),
         RightsUtil::canUserAccessModule('OpportunitiesModule', $billy),
         LeadsModule::CONVERT_OPPORTUNITY_NOT_REQUIRED
     );
     $this->assertNull($content);
 }
 /**
  * Default route for the lead: the details page when no account conversion is expected (or an
  * optional one the user cannot perform because Accounts is inaccessible), otherwise the convert page.
  * @return string URL
  * @throws NotSupportedException when no model id is set
  */
 protected function getDefaultRoute()
 {
     if (empty($this->modelId)) {
         throw new NotSupportedException();
     }
     $convertSetting = LeadsModule::getConvertToAccountSetting();
     $canAccessAccounts = RightsUtil::canUserAccessModule('AccountsModule', Yii::app()->user->userModel);
     // Same precedence as the original expression: NO_ACCOUNT, or (NOT_REQUIRED and no Accounts access).
     $goToDetails = ($convertSetting == LeadsModule::CONVERT_NO_ACCOUNT)
                 || ($convertSetting == LeadsModule::CONVERT_ACCOUNT_NOT_REQUIRED && !$canAccessAccounts);
     $action = $goToDetails ? 'details' : 'convert';
     $route = $this->moduleId . '/' . $this->controllerId . '/' . $action . '/';
     return Yii::app()->createUrl($route, array('id' => $this->modelId));
 }
 /**
  * Lists the "<Model>Derived" attribute types of the activity item models whose module the
  * current user may access.
  * @return array list of derived attribute type names
  */
 protected static function getActivityItemsDerivedAttributeTypesAndResolveAccessByCurrentUser()
 {
     $metadata = Activity::getMetadata();
     $derivedTypes = array();
     foreach ($metadata['Activity']['activityItemsModelClassNames'] as $modelClassName) {
         $ownerModuleClassName = $modelClassName::getModuleClassName();
         if (!RightsUtil::canUserAccessModule($ownerModuleClassName, Yii::app()->user->userModel)) {
             continue;
         }
         $derivedTypes[] = $modelClassName . 'Derived';
         //todo: add support for leads.
     }
     return $derivedTypes;
 }
 /**
  * Renders the avatar; when the current user is this user, or may access the Users module, the
  * avatar becomes an AJAX link that opens the "Change Profile Picture" modal.
  * @return string
  */
 protected function renderControlNonEditable()
 {
     $avatarImage = $this->model->getAvatarImage(110);
     $currentUser = Yii::app()->user->userModel;
     $isOwnProfile = ($currentUser->id == $this->model->id);
     if (!$isOwnProfile && !RightsUtil::canUserAccessModule('UsersModule', $currentUser)) {
         return '<div class="gravatar-container">' . $avatarImage . '</div>';
     }
     $tooltip = ZurmoHtml::tag('span', array('id' => 'profile-picture-tooltip'), Zurmo::t('UsersModule', 'Change Profile Picture'), true);
     $changeUrl = Yii::app()->createUrl('/users/default/changeAvatar', array('id' => $this->model->id));
     $ajaxOptions = ModalView::getAjaxOptionsForModalLink(Zurmo::t('UsersModule', 'Change Profile Picture') . ": " . strval($this->model));
     $link = ZurmoHtml::ajaxLink($tooltip . $avatarImage, $changeUrl, $ajaxOptions);
     return '<div class="gravatar-container">' . $link . '</div>';
 }
 /**
  * Resolve a link to a related model.  Used by @see ListView for each row of a list, for example.
  * Returns null for an unsaved model, null when the current user may not perform the 'Details'
  * action on it, and null when the user lacks the access right on $moduleClassName; otherwise
  * returns $linkContent unchanged.
  * @param Item $model
  * @param string $moduleClassName
  * @param string $linkContent
  * @return null|string
  */
 public static function resolveViewLinkToModelForCurrentUser($model, $moduleClassName, $linkContent)
 {
     assert('$model instanceof Item');
     assert('is_string($moduleClassName)');
     assert('is_string($linkContent)');
     // Unsaved models have nothing to link to.
     if ($model->id <= 0) {
         return null;
     }
     // Record-level permission is checked before the module-level right.
     $canReadRecord = ActionSecurityUtil::canCurrentUserPerformAction('Details', $model);
     if (!$canReadRecord) {
         return null;
     }
     $canAccessModule = RightsUtil::canUserAccessModule($moduleClassName, Yii::app()->user->userModel);
     return $canAccessModule ? $linkContent : null;
 }
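 /**
  * Renders a saved report inside its portlet view for an AJAX request.
  * Access is resolved in three steps: the report's module right, read permission on the saved
  * report, then the access right on the module owning the portlet view.
  * @param int|string $id saved report id
  * @param bool|string $runReport whether the data provider should actually run the report
  */
 public function actionDetails($id, $runReport = false)
 {
     $savedReport = SavedReport::getById((int) $id);
     ControllerSecurityUtil::resolveCanCurrentUserAccessModule($savedReport->moduleClassName);
     ControllerSecurityUtil::resolveAccessCanCurrentUserReadModel($savedReport, true);
     $report = SavedReportToReportAdapter::makeReportBySavedReport($savedReport);
     // Guarded lookup: a missing query parameter resolves to 0 as before, without raising a notice.
     $portletId = isset($_GET['portletId']) ? intval($_GET['portletId']) : 0;
     $portlet = Portlet::getById($portletId);
     $portlet->params = array(
         'controllerId'     => 'default',
         'relationModuleId' => $this->getModule()->getId(),
         'relationModel'    => $report,
         'redirectUrl'      => Yii::app()->request->getRequestUri(),
         'dataProvider'     => $this->getDataProvider($report, $report->getId(), (bool) $runReport),
     );
     $portletView = $portlet->getView();
     // NOTE(review): the portlet-view module right is only checked after the data provider has been
     // built; the report-module and read-model checks above are the primary gate.
     if (!RightsUtil::canUserAccessModule($portletView::getModuleClassName(), Yii::app()->user->userModel)) {
         $view = new AccessFailurePageView(new AccessFailureView());
         echo $view->render();
         Yii::app()->end(0, false);
     }
     $view = new AjaxPageView($portletView);
     echo $view->render();
 }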
 /**
  * Lists the primary model names (keyed by class name, labelled in plural form) of every module that
  * can have content templates and that the current user may access, sorted by label.
  * @return array map of model class name => plural label
  */
 public static function getAvailableModelNamesArray()
 {
     $availableModels = array();
     foreach (Module::getModuleObjects() as $module) {
         $moduleClassName = get_class($module);
         if (!$moduleClassName::canHaveContentTemplates()) {
             continue;
         }
         if (!RightsUtil::canUserAccessModule($moduleClassName, Yii::app()->user->userModel)) {
             continue;
         }
         if (!method_exists($moduleClassName, 'getPrimaryModelName')) {
             continue;
         }
         try {
             $modelClassName = $moduleClassName::getPrimaryModelName();
             if (!isset($availableModels[$modelClassName])) {
                 $availableModels[$modelClassName] = $modelClassName::getModelLabelByTypeAndLanguage('Plural');
             }
         } catch (NotSupportedException $e) {
             // Deliberately ignored: a module that declares getPrimaryModelName but does not
             // support it simply contributes no entry.
         }
     }
     asort($availableModels);
     return $availableModels;
 }
 /**
  * Modal action for changing a user's avatar. Allowed for the current user's own record or for users
  * who may access the Users module; the root-user and system-user restrictions are applied on top.
  * @param int|string $id id of the user whose avatar is changed
  */
 public function actionChangeAvatar($id)
 {
     $currentUser = Yii::app()->user->userModel;
     $targetUserId = intval($id);
     $viewForModal = null;
     if ($currentUser->id == $targetUserId || RightsUtil::canUserAccessModule('UsersModule', $currentUser)) {
         $user = User::getById($targetUserId);
         $targetIsAllowed = UserAccessUtil::resolveCanCurrentUserAccessRootUser($user, false)
                         && UserAccessUtil::resolveAccessingASystemUser($user, false);
         if ($targetIsAllowed) {
             $userAvatarForm = new UserAvatarForm($user);
             $this->attemptToValidateAjaxFromPost($userAvatarForm, 'UserAvatarForm');
             $viewForModal = new UserChangeAvatarView($this->getId(), $this->getModule()->getId(), $userAvatarForm);
             $this->attemptToSaveModelFromPost($userAvatarForm);
         }
     }
     // Every denied path ends up with the same failure view.
     if ($viewForModal === null) {
         $viewForModal = new AccessFailureView();
     }
     $view = new ModalView($this, $viewForModal);
     Yii::app()->getClientScript()->setToAjaxMode();
     echo $view->render();
 }