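/**
 * check grant for action (CRUD)
 *
 * Decides whether the current user may perform $_action on $_record. The check is
 * bypassed (returns true without consulting any grant) in three cases: container
 * ACL checks are disabled on this controller, the record is a public-class event in
 * a container the user holds ADMIN on, or the event has an external organizer.
 * Because every bypass grants the action outright, keep that list explicit.
 *
 * Side effect: for 'get' without READ grant the record is reduced to free/busy data
 * via doFreeBusyCleanup() before the denial is reported, so a caller passing
 * $_throw = false receives the stripped record together with the false result.
 *
 * @param Tinebase_Record_Interface $_record       record being accessed (uses hasGrant() and container_id)
 * @param string                    $_action       one of 'get', 'create', 'update', 'delete', 'sync', 'export';
 *                                                 any other value is denied
 * @param boolean                   $_throw        throw on denial instead of returning false
 * @param string                    $_errorMessage message for the thrown exception
 * @param Tinebase_Record_Interface $_oldRecord    persisted state of the record; required for 'update'
 *                                                 (the EDIT/DELETE grants are evaluated on the old container)
 * @return boolean  true when permitted; false when denied and $_throw is false
 * @throws Tinebase_Exception_AccessDenied  when denied and $_throw is true
 *
 * @todo use this function in other create + update functions
 * @todo invent concept for simple adding of grants (plugins?)
 */
protected function _checkGrant($_record, $_action, $_throw = TRUE, $_errorMessage = 'No Permission.', $_oldRecord = NULL)
{
    // Checked first so that no user/grant lookup happens at all when ACLs are off.
    if (!$this->_doContainerACLChecks) {
        return true;
    }

    // Public events in a container the user administers are always accessible.
    $isAdminOfPublicEvent = !empty($this->class)
        && $this->class === Calendar_Model_Event::CLASS_PUBLIC
        && $_record->container_id
        && Tinebase_Core::getUser()->hasGrant($_record->container_id, Tinebase_Model_Grants::GRANT_ADMIN);

    // An external organizer bypasses container grants entirely (existing design;
    // presumably for events received from outside the installation).
    if ($isAdminOfPublicEvent || $_record->hasExternalOrganizer()) {
        return true;
    }

    switch ($_action) {
        case 'get':
            // NOTE: free/busy is not a read grant! Without READ the record is stripped
            // down to free/busy information before the denial is reported.
            $hasGrant = (bool) $_record->hasGrant(Tinebase_Model_Grants::GRANT_READ);
            if (!$hasGrant) {
                $_record->doFreeBusyCleanup();
            }
            break;

        case 'create':
            $hasGrant = (bool) Tinebase_Core::getUser()->hasGrant($_record->container_id, Tinebase_Model_Grants::GRANT_ADD);
            break;

        case 'update':
            if ($_oldRecord === NULL) {
                // The persisted state is needed to evaluate the grants on the old
                // container; without it the check cannot be made, so fail closed.
                $hasGrant = false;
                break;
            }
            $hasGrant = (bool) $_oldRecord->hasGrant(Tinebase_Model_Grants::GRANT_EDIT);
            // Moving the event to another container is an ADD in the target plus a
            // DELETE in the source, on top of EDIT. Logical && keeps the result a
            // boolean (bitwise &= would turn it into an int).
            if ($hasGrant && $_oldRecord->container_id != $_record->container_id) {
                $hasGrant = (bool) Tinebase_Core::getUser()->hasGrant($_record->container_id, Tinebase_Model_Grants::GRANT_ADD)
                    && (bool) $_oldRecord->hasGrant(Tinebase_Model_Grants::GRANT_DELETE);
            }
            break;

        case 'delete':
            $hasGrant = (bool) $_record->hasGrant(Tinebase_Model_Grants::GRANT_DELETE);
            break;

        case 'sync':
            $hasGrant = (bool) $_record->hasGrant(Tinebase_Model_Grants::GRANT_SYNC);
            break;

        case 'export':
            $hasGrant = (bool) $_record->hasGrant(Tinebase_Model_Grants::GRANT_EXPORT);
            break;

        default:
            // Unknown actions are denied explicitly instead of leaving $hasGrant
            // undefined (which only denied by accident, with a PHP notice).
            $hasGrant = false;
            break;
    }

    if (!$hasGrant) {
        if ($_throw) {
            throw new Tinebase_Exception_AccessDenied($_errorMessage);
        }
        if (Tinebase_Core::isLogLevel(Zend_Log::DEBUG)) {
            Tinebase_Core::getLogger()->debug(__METHOD__ . '::' . __LINE__ . ' No permissions to '
                . $_action . ' in container ' . $_record->container_id);
        }
    }

    return $hasGrant;
}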