コード例 #1
 /**
  * Extends the parent deletion check with two extra sources of issues:
  * the registered application-object extensions and the user rights.
  *
  * Issues are accumulated into $this->m_aDeleteIssues; a missing delete
  * right additionally raises $this->m_bSecurityIssue.
  *
  * @param mixed $oDeletionPlan Passed by reference straight through to the parent check
  */
 protected function DoCheckToDelete(&$oDeletionPlan)
 {
     parent::DoCheckToDelete($oDeletionPlan);

     // Let every registered extension report its own reasons against the deletion
     $aExtensions = MetaModel::EnumPlugins('iApplicationObjectExtension');
     foreach ($aExtensions as $oExtension) {
         $aExtensionIssues = $oExtension->OnCheckToDelete($this);
         if (count($aExtensionIssues) == 0) {
             continue;
         }
         $this->m_aDeleteIssues = array_merge($this->m_aDeleteIssues, $aExtensionIssues);
     }

     // Enforce the delete right on this very object, whatever the UI offered
     $sClass = get_class($this);
     $oSelfSet = DBObjectSet::FromObject($this);
     if (UserRights::IsActionAllowed($sClass, UR_ACTION_DELETE, $oSelfSet)) {
         return;
     }
     // Security issue: record it and block the deletion with a localized message
     $this->m_bSecurityIssue = true;
     $this->m_aDeleteIssues[] = Dict::S('UI:Delete:NotAllowedToDelete');
 }
コード例 #2
ファイル: index.php プロジェクト: kira8565/ITOP203-ZHCN
/**
 * Displays the details of a request (ticket) in the portal, together with
 * the update form, the stimulus buttons (reopen / close) and the public log.
 *
 * Which attributes are editable depends on the ticket state:
 *  - 'resolved': nothing is editable, but the reopen/close buttons are offered
 *    when the transition exists and UserRights allows the stimulus;
 *  - 'closed': nothing can be done;
 *  - any other state: the public log (and attachments) can be updated unless
 *    the log attribute is read-only or hidden in that state.
 * Nothing is editable at all when the database is read-only.
 *
 * @param WebPage $oP The current web page (all output is appended to it)
 * @param Object $oObj The target object; its class must define the PUBLIC_LOG,
 *                     USER_COMMENT and DETAILS_ZLIST constants
 * @return void
 */
function ShowDetailsRequest(WebPage $oP, $oObj)
{
    $sClass = get_class($oObj);
    $sLogAttCode = GetConstant($sClass, 'PUBLIC_LOG');
    $sUserCommentAttCode = GetConstant($sClass, 'USER_COMMENT');
    $bIsReopenButton = false;
    $bIsCloseButton = false;
    // Never set to true anywhere below: the escalate button block is currently unreachable
    $bIsEscalateButton = false;
    $bEditAttachments = false;
    $aEditAtt = array();
    // List of attributes editable in the main form
    if (!MetaModel::DBIsReadOnly()) {
        switch ($oObj->GetState()) {
            case 'resolved':
                $aEditAtt = array();
                $aTransitions = $oObj->EnumTransitions();
                $oSet = DBObjectSet::FromObject($oObj);
                // Add the "Reopen" button if this is valid action
                if (array_key_exists('ev_reopen', $aTransitions) && UserRights::IsStimulusAllowed($sClass, 'ev_reopen', $oSet)) {
                    $bIsReopenButton = true;
                    MakeStimulusForm($oP, $oObj, 'ev_reopen', array($sLogAttCode));
                }
                // Add the "Close" button if this is valid action
                if (array_key_exists('ev_close', $aTransitions) && UserRights::IsStimulusAllowed($sClass, 'ev_close', $oSet)) {
                    $bIsCloseButton = true;
                    MakeStimulusForm($oP, $oObj, 'ev_close', array('user_satisfaction', $sUserCommentAttCode));
                }
                break;
            case 'closed':
                // By convention 'closed' is the final state of a ticket and nothing can be done in such a state
                break;
            default:
                // In all other states, the only possible action is to update the ticket (both the case log and the attachments)
                // This update is possible only if the case log field is not read-only or hidden in the current state
                $iFlags = $oObj->GetAttributeFlags($sLogAttCode);
                $bReadOnly = ($iFlags & (OPT_ATT_READONLY | OPT_ATT_HIDDEN)) != 0;
                if ($bReadOnly) {
                    $aEditAtt = array();
                    $bEditAttachments = false;
                } else {
                    // Only the keys of $aEditAtt are used by the loops below; the value is a placeholder
                    $aEditAtt = array($sLogAttCode => '????');
                    $bEditAttachments = true;
                }
                break;
        }
    }
    // TODO: refactor the layout
    $oP->add("<h1 id=\"title_request_details\">" . $oObj->GetIcon() . "&nbsp;" . Dict::Format('Portal:TitleRequestDetailsFor_Request', $oObj->GetName()) . "</h1>\n");
    $aAttList = json_decode(GetConstant($sClass, 'DETAILS_ZLIST'), true);
    // Single-case switch without break: equivalent to "if closed", there is no following case to fall into
    switch ($oObj->GetState()) {
        case 'closed':
            $aAttList['centered'][] = 'user_satisfaction';
            $aAttList['centered'][] = $sUserCommentAttCode;
    }
    // Remove the edited attribute from the shown attributes
    //
    // NOTE(review): in_array()/array_search() run without strict comparison; attribute codes
    // are strings here, so this only matters if a column ever holds non-string entries
    foreach ($aEditAtt as $sAttCode => $foo) {
        foreach ($aAttList as $col => $aColumn) {
            if (in_array($sAttCode, $aColumn)) {
                if (($index = array_search($sAttCode, $aColumn)) !== false) {
                    unset($aAttList[$col][$index]);
                }
            }
        }
    }
    $oP->add("<div class=\"wizContainer\" id=\"form_commment_request\">\n");
    $oP->WizardFormStart('request_form', null);
    $oP->add('<div id="request_details">');
    $oP->add('<table id="request_details_table">');
    $oP->add('<tr>');
    $oP->add('<td style="vertical-align:top;">');
    // 'col:left' / 'col:right' are expected to be present in the DETAILS_ZLIST constant
    $oP->DisplayObjectDetails($oObj, $aAttList['col:left']);
    $oP->add('</td>');
    $oP->add('<td style="vertical-align:top;">');
    $oP->DisplayObjectDetails($oObj, $aAttList['col:right']);
    $oP->add('</td>');
    $oP->add('</tr>');
    if (array_key_exists('centered', $aAttList)) {
        $oP->add('<tr>');
        $oP->add('<td style="vertical-align:top;" colspan="2">');
        $oP->DisplayObjectDetails($oObj, $aAttList['centered']);
        $oP->add('</td>');
        $oP->add('</tr>');
    }
    // TODO: refactor
    $oP->add('<tr>');
    $oP->add('<td colspan="2" style="vertical-align:top;">');
    $oAttPlugin = new AttachmentPlugIn();
    if ($bEditAttachments) {
        // Attachments can be added but not deleted from the portal
        $oAttPlugin->EnableDelete(false);
        $oAttPlugin->OnDisplayRelations($oObj, $oP, true);
    } else {
        $oAttPlugin->OnDisplayRelations($oObj, $oP, false);
    }
    $oP->add('</td>');
    $oP->add('</tr>');
    $oP->add('<tr>');
    $oP->add('<td colspan="2" style="vertical-align:top;">');
    //$oP->add("<form action=\"../portal/index.php\" id=\"request_form\" method=\"post\">\n");
    //$oP->add('<table id=""><tr><td style="vertical-align:top;">');
    //$oP->add("<h1 id=\"title_request_details\">".Dict::Format('Portal:CommentsFor_Request', $oObj->GetName())."</h1>\n");
    // Hidden fields: the class comes from get_class() and the id from the object key, not from the request
    $oP->add("<input type=\"hidden\" name=\"class\" value=\"{$sClass}\">");
    $oP->add("<input type=\"hidden\" name=\"id\" value=\"" . $oObj->GetKey() . "\">");
    $oP->add("<input type=\"hidden\" name=\"operation\" value=\"update_request\">");
    // Filled client-side by SetStimulusToApply() before the form is submitted
    $oP->add("<input type=\"hidden\" id=\"stimulus_to_apply\" name=\"apply_stimulus\" value=\"\">\n");
    $oP->add_script(<<<EOF
\tfunction SetStimulusToApply(sStimulusCode)
\t{
\t\t\$('#stimulus_to_apply').val(sStimulusCode);
\t}
EOF
);
    $aEditFields = array();
    // Intermediate array to avoid code duplication while splitting btw ticket_log and the rest
    foreach ($aEditAtt as $sAttCode => $foo) {
        $sValue = $oObj->Get($sAttCode);
        $sDisplayValue = $oObj->GetEditValue($sAttCode);
        $aArgs = array('this' => $oObj, 'formPrefix' => '');
        $oAttDef = MetaModel::GetAttributeDef($sClass, $sAttCode);
        $sInputId = 'input_' . $sAttCode;
        $sHTMLValue = "<span id=\"field_{$sInputId}\">" . cmdbAbstractObject::GetFormElementForField($oP, $sClass, $sAttCode, $oAttDef, $sValue, $sDisplayValue, $sInputId, '', 0, $aArgs) . '</span>';
        $aEditFields[$sAttCode] = array('label' => MetaModel::GetLabel($sClass, $sAttCode), 'value' => $sHTMLValue);
    }
    foreach ($aEditFields as $sAttCode => $aFieldSpec) {
        // Loose comparison of two attribute codes (both strings here)
        if ($sAttCode == $sLogAttCode) {
            // Skip, the public log will be displayed below the buttons
            continue;
        }
        $oP->add("<div class=\"edit_item\">");
        $oP->add('<h1>' . $aFieldSpec['label'] . '</h1>');
        $oP->add($aFieldSpec['value']);
        $oP->add('</div>');
    }
    if ($bIsReopenButton) {
        $sStimulusCode = 'ev_reopen';
        // NOTE(review): addslashes() escapes the label for the inline JS argument, and the same
        // escaped string is reused as the HTML value attribute; the label comes from the dictionary,
        // not from request input
        $sTitle = addslashes(Dict::S('Portal:Button:ReopenTicket'));
        $sOk = addslashes(Dict::S('UI:Button:Ok'));
        $oP->p('<input type="button" onClick="RunStimulusDialog(\'' . $sStimulusCode . '\', \'' . $sTitle . '\', \'' . $sOk . '\');" value="' . $sTitle . '...">');
    }
    if ($bIsCloseButton) {
        $sStimulusCode = 'ev_close';
        // Same escaping remark as for the reopen button above
        $sTitle = addslashes(Dict::S('Portal:Button:CloseTicket'));
        $sOk = addslashes(Dict::S('UI:Button:Ok'));
        $oP->p('<input type="button" onClick="RunStimulusDialog(\'' . $sStimulusCode . '\', \'' . $sTitle . '\', \'' . $sOk . '\');" value="' . $sTitle . '...">');
    } elseif (count($aEditAtt) > 0) {
        // No close button: offer a plain update of the editable attributes instead
        $oP->p('<input type="submit" value="' . Dict::S('Portal:Button:UpdateRequest') . '">');
    }
    // Dead code as written: $bIsEscalateButton is never set to true in this function
    if ($bIsEscalateButton) {
        $sStimulusCode = 'ev_timeout';
        $oP->p('<input type="submit" onClick="SetStimulusToApply(\'' . $sStimulusCode . '\');" value="' . Dict::S('Portal:ButtonEscalate') . '">');
    }
    $oP->add('</td>');
    $oP->add('</tr>');
    $oP->add('<tr>');
    $oP->add('<td colspan="2" style="vertical-align:top;">');
    // The public log is shown last: as an input when editable, read-only otherwise
    if (isset($aEditFields[$sLogAttCode])) {
        $oP->add("<div class=\"edit_item\">");
        $oP->add('<h1>' . $aEditFields[$sLogAttCode]['label'] . '</h1>');
        $oP->add($aEditFields[$sLogAttCode]['value']);
        $oP->add('</div>');
    } else {
        $oP->add('<h1>' . MetaModel::GetLabel($sClass, $sLogAttCode) . '</h1>');
        $oP->add($oObj->GetAsHTML($sLogAttCode));
    }
    $oP->add('</td>');
    $oP->add('</tr>');
    $oP->add('</table>');
    $oP->add('</div>');
    $oP->WizardFormEnd();
    $oP->add('</div>');
}
コード例 #3
ファイル: UI.php プロジェクト: kira8565/ITOP203-ZHCN
     // Fall through
     ///////////////////////////////////////////////////////////////////////////////////////////
 // Fall through
 ///////////////////////////////////////////////////////////////////////////////////////////
 case 'delete':
 case 'bulk_delete':
     // Actual bulk deletion (if confirmed)
     $sClass = utils::ReadParam('class', '', false, 'class');
     $sClassLabel = MetaModel::GetName($sClass);
     $aObjects = array();
     if ($operation == 'delete') {
         // Single object
         $id = utils::ReadParam('id', '');
         $oObj = MetaModel::GetObject($sClass, $id);
         $aObjects[] = $oObj;
         if (!UserRights::IsActionAllowed($sClass, UR_ACTION_DELETE, DBObjectSet::FromObject($oObj))) {
             throw new SecurityException(Dict::Format('UI:Error:DeleteNotAllowedOn_Class', $sClassLabel));
         }
     } else {
         // Several objects
         $sFilter = utils::ReadPostedParam('filter', '');
         $oFullSetFilter = DBObjectSearch::unserialize($sFilter);
         $aSelectObject = utils::ReadMultipleSelection($oFullSetFilter);
         if (empty($sClass) || empty($aSelectObject)) {
             throw new ApplicationException(Dict::Format('UI:Error:2ParametersMissing', 'class', 'selectObject[]'));
         }
         foreach ($aSelectObject as $iId) {
             $aObjects[] = MetaModel::GetObject($sClass, $iId);
         }
         if (count($aObjects) == 1) {
             if (!UserRights::IsActionAllowed($sClass, UR_ACTION_DELETE, DBObjectSet::FromArray($sClass, $aObjects))) {
コード例 #4
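 /**
  * Creates the initial administrator account at setup time.
  *
  * When the data model provides them, a sample Organization and a sample
  * Person are created first and the Person is linked to the user. The user
  * is then given the 'admin' profile (ADMIN_PROFILE_NAME) when that profile
  * exists. All writes are tracked under an 'Initialization' change and
  * bypass the per-object security check (second argument of
  * DBInsertTrackedNoReload).
  *
  * @param string $sAdminUser Login of the administrator
  * @param string $sAdminPwd Password, handed as-is to UserLocal::Set('password');
  *                          any hashing is UserLocal's responsibility — not visible here
  * @param string $sLanguage Language chosen during the installation
  * @return bool Always true (insert errors are expected to surface as exceptions)
  */
 public function CreateAdministrator($sAdminUser, $sAdminPwd, $sLanguage = 'EN US')
 {
     CMDBObject::SetTrackInfo('Initialization');
     $oChange = CMDBObject::GetCurrentChange();
     $iContactId = 0;
     // Support drastic data model changes: no organization class (or not writable)!
     if (MetaModel::IsValidClass('Organization') && !MetaModel::IsAbstract('Organization')) {
         $oOrg = new Organization();
         $oOrg->Set('name', 'My Company/Department');
         $oOrg->Set('code', 'SOMECODE');
         $iOrgId = $oOrg->DBInsertTrackedNoReload($oChange, true);
         // Support drastic data model changes: no Person class  (or not writable)!
         if (MetaModel::IsValidClass('Person') && !MetaModel::IsAbstract('Person')) {
             $oContact = new Person();
             $oContact->Set('name', 'My last name');
             $oContact->Set('first_name', 'My first name');
             if (MetaModel::IsValidAttCode('Person', 'org_id')) {
                 $oContact->Set('org_id', $iOrgId);
             }
             if (MetaModel::IsValidAttCode('Person', 'phone')) {
                 $oContact->Set('phone', '+00 000 000 000');
             }
             $oContact->Set('email', '*****@*****.**');
             $iContactId = $oContact->DBInsertTrackedNoReload($oChange, true);
         }
     }
     $oUser = new UserLocal();
     $oUser->Set('login', $sAdminUser);
     $oUser->Set('password', $sAdminPwd);
     // Link the contact only when the attribute exists and a Person was actually created
     if (MetaModel::IsValidAttCode('UserLocal', 'contactid') && $iContactId != 0) {
         $oUser->Set('contactid', $iContactId);
     }
     // Language was chosen during the installation
     $oUser->Set('language', $sLanguage);
     // Add this user to the very specific 'admin' profile
     $oAdminProfile = MetaModel::GetObjectFromOQL("SELECT URP_Profiles WHERE name = :name", array('name' => ADMIN_PROFILE_NAME), true);
     if (is_object($oAdminProfile)) {
         $oUserProfile = new URP_UserProfile();
         $oUserProfile->Set('profileid', $oAdminProfile->GetKey());
         $oUserProfile->Set('reason', 'By definition, the administrator must have the administrator profile');
         // The link is inserted along with the user through its 'profile_list' attribute
         $oSet = DBObjectSet::FromObject($oUserProfile);
         $oUser->Set('profile_list', $oSet);
     }
     // The returned id was previously stored in an unused local
     $oUser->DBInsertTrackedNoReload($oChange, true);
     return true;
 }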
コード例 #5
 /**
  * Last-resort user-rights check performed right before a write (Insert, Update or Delete).
  *
  * It should never fail, since the UI is expected to prevent such a usage;
  * if the user found a way around the UI, security is enforced here.
  *
  * @param bool|null $bSkipStrongSecurity null means "use the skip_strong_security configuration setting"
  * @param int $iActionCode Action code to check (e.g. UR_ACTION_DELETE)
  * @throws SecurityException when the current user is not allowed to perform the action on this object's class
  */
 protected function CheckUserRights($bSkipStrongSecurity, $iActionCode)
 {
     $bSkip = $bSkipStrongSecurity;
     if ($bSkip === null) {
         // Temporary: this safety net was added right before iTop 1.0 and judged
         // too risky to activate by default. Users wanting very strong security
         // can set skip_strong_security = 0 in the config file.
         $bSkip = MetaModel::GetConfig()->Get('skip_strong_security');
     }
     if ($bSkip) {
         return;
     }

     $sClass = get_class($this);
     $bAllowed = UserRights::IsActionAllowed($sClass, $iActionCode, DBObjectSet::FromObject($this));
     if ($bAllowed) {
         return;
     }
     // Intrusion detected
     throw new SecurityException('You are not allowed to modify objects of class: ' . $sClass);
 }