コード例 #1
ファイル: db.acl2.php プロジェクト: CREASIG/lizmap-web-client
 /**
  * return the value of the right on the given subject (and on the optional resource).
  *
  * The resource "-" (meaning 'all resources') has the priority over specific resources.
  * It means that if you give a specific resource, it will be ignored if there is a positive right
  * with "-". The right on the given resource will be checked if there is no rights for "-".
  * 
  * @param string $subject the key of the subject
  * @param string $resource the id of a resource
  * @return boolean true if the user has the right on the given subject
  */
 public function getRight($subject, $resource = '-')
 {
     // Any "empty" resource id (null, '', 0, '0') is folded into "-",
     // which stands for "all resources".
     $resource = empty($resource) ? '-' : $resource;

     // Visitors without an authenticated session use the anonymous lookup.
     if (!jAuth::isConnected()) {
         return self::getAnonymousRight($subject, $resource);
     }

     // self::$acl / self::$aclres are static caches keyed by subject (and
     // resource) only, not by user.
     // NOTE(review): code that switches the authenticated user inside one
     // request would need to reset them; confirm against the callers.
     $userGroups = null;
     if (self::$acl === null) {
         // First call: build the table of global rights from every group the
         // current user is attached to.
         $userGroups = jAcl2DbUserGroup::getGroups();
         self::$acl = array();
         if (count($userGroups)) {
             $rightsDao = jDao::get('jacl2db~jacl2rights', 'jacl2_profile');
             foreach ($rightsDao->getRightsByGroups($userGroups) as $row) {
                 $sbj = $row->id_aclsbj;
                 if (!isset(self::$acl[$sbj])) {
                     self::$acl[$sbj] = !$row->canceled;
                 } elseif ($row->canceled) {
                     // a "canceled" record from any group overrides a grant
                     // already recorded for the same subject
                     self::$acl[$sbj] = false;
                 }
             }
         }
     }

     // Unknown subjects are denied, and the denial is remembered.
     if (!isset(self::$acl[$subject])) {
         self::$acl[$subject] = false;
     }
     $globalRight = self::$acl[$subject];

     // No specific resource asked: the global right is the answer.
     if ($resource == '-') {
         return $globalRight;
     }

     // Answer from the per-resource cache when this pair was already resolved.
     if (isset(self::$aclres[$subject][$resource])) {
         return self::$aclres[$subject][$resource];
     }

     // The global right is the default for the resource; a positive global
     // right wins over anything stored for the specific resource.
     self::$aclres[$subject][$resource] = $globalRight;
     if ($globalRight) {
         return true;
     }

     // No global right: look for a right attached to this very resource.
     if ($userGroups === null) {
         $userGroups = jAcl2DbUserGroup::getGroups();
     }
     if (count($userGroups)) {
         $rightsDao = jDao::get('jacl2db~jacl2rights', 'jacl2_profile');
         $resRight = $rightsDao->getRightWithRes($subject, $userGroups, $resource);
         // granted only when a record exists and it is not flagged "canceled"
         self::$aclres[$subject][$resource] = ($resRight != false) && !$resRight->canceled;
     }

     return self::$aclres[$subject][$resource];
 }
コード例 #2
ファイル: db.acl2.php プロジェクト: havefnubb/havefnubb
 /**
  * return the value of the right on the given subject (and on the optional resource)
  * @param string $subject the key of the subject
  * @param string $resource the id of a resource
  * @return boolean true if the right is ok
  */
 public function getRight($subject, $resource = null)
 {
     // Not logged in: the anonymous-rights lookup decides.
     if (!jAuth::isConnected()) {
         return self::getAnonymousRight($subject, $resource);
     }

     $memberOf = null;
     if (self::$acl === null) {
         // Populate the static table of global rights once, from all the
         // groups of the current user.
         $memberOf = jAcl2DbUserGroup::getGroups();
         self::$acl = array();
         if (count($memberOf)) {
             $records = jDao::get('jacl2db~jacl2rights', 'jacl2_profile')->getRightsByGroups($memberOf);
             foreach ($records as $record) {
                 $known = isset(self::$acl[$record->id_aclsbj]);
                 if ($known && $record->canceled) {
                     // a "cancel" coming from another group removes the right
                     self::$acl[$record->id_aclsbj] = false;
                 } elseif (!$known) {
                     self::$acl[$record->id_aclsbj] = !$record->canceled;
                 }
             }
         }
     }

     // A subject with no record at all is denied.
     if (!isset(self::$acl[$subject])) {
         self::$acl[$subject] = false;
     }
     $general = self::$acl[$subject];

     // Only null means "no resource"; any other value, including an empty
     // string, is looked up as a resource id.
     if ($resource === null) {
         return $general;
     }

     if (isset(self::$aclres[$subject][$resource])) {
         return self::$aclres[$subject][$resource];
     }

     // Start from the general right; when it is granted there is nothing
     // more to check for the resource.
     self::$aclres[$subject][$resource] = $general;
     if ($general) {
         return true;
     }

     // General right not set: check the right stored for this resource.
     if ($memberOf === null) {
         $memberOf = jAcl2DbUserGroup::getGroups();
     }
     if (count($memberOf)) {
         $found = jDao::get('jacl2db~jacl2rights', 'jacl2_profile')
             ->getRightWithRes($subject, $memberOf, $resource);
         self::$aclres[$subject][$resource] = ($found != false) && !$found->canceled;
     }

     return self::$aclres[$subject][$resource];
 }
コード例 #3
ファイル: db.acl2.php プロジェクト: alienpham/helenekling
 /**
  * return the value of the right on the given subject (and on the optional resource)
  * @param string $subject the key of the subject
  * @param string $resource the id of a resource
  * @return boolean true if the right is ok
  */
 public function getRight($subject, $resource = null)
 {
     // Anonymous visitors are answered by the dedicated lookup.
     if (!jAuth::isConnected()) {
         return self::getAnonymousRight($subject, $resource);
     }

     $groupIds = null;
     if (self::$acl === null) {
         // One-time load of the subjects granted to any group of the user.
         // In this variant every returned record counts as a grant; there is
         // no "canceled" handling.
         $groupIds = jAcl2DbUserGroup::getGroups();
         self::$acl = array();
         if (count($groupIds)) {
             $rightsDao = jDao::get('jelix~jacl2rights', jAcl2Db::getProfile());
             foreach ($rightsDao->getRightsByGroups($groupIds) as $row) {
                 self::$acl[$row->id_aclsbj] = true;
             }
         }
     }

     // Subjects without any record are denied.
     if (!isset(self::$acl[$subject])) {
         self::$acl[$subject] = false;
     }
     $general = self::$acl[$subject];

     // null is the only value meaning "no resource".
     if ($resource === null) {
         return $general;
     }

     // Already resolved for this subject/resource pair.
     if (isset(self::$aclres[$subject][$resource])) {
         return self::$aclres[$subject][$resource];
     }

     // The general right is the default and, when granted, the final answer.
     self::$aclres[$subject][$resource] = $general;
     if ($general) {
         return true;
     }

     // Otherwise the resource is allowed only if a matching record exists.
     if ($groupIds === null) {
         $groupIds = jAcl2DbUserGroup::getGroups();
     }
     if (count($groupIds)) {
         $rightsDao = jDao::get('jelix~jacl2rights', jAcl2Db::getProfile());
         $found = $rightsDao->getRightWithRes($subject, $groupIds, $resource);
         self::$aclres[$subject][$resource] = $found != false;
     }

     return self::$aclres[$subject][$resource];
 }
コード例 #4
 /**
  * Filter data by login if necessary
  * as configured in the plugin for login filtered layers.
  */
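 protected function filterDataByLogin()
 {
     // Render a value as a single-quoted literal of the filter expression.
     // Logins and group ids are data: a quote or backslash inside them must
     // not be able to end the literal early and change the restriction.
     // NOTE(review): assumes the expression parser treats '' and \\ as escapes
     // inside a single-quoted literal; confirm for the map server in use.
     $quote = function ($value) {
         return "'" . str_replace(array('\\', "'"), array('\\\\', "''"), (string) $value) . "'";
     };

     // Optionally add a filter parameter
     $lproj = lizmap::getProject($this->repository->getKey() . '~' . $this->project->getKey());
     $request = isset($this->params['request']) ? strtolower($this->params['request']) : '';
     // WFS GetFeature lists its layers in TYPENAME, other requests in LAYERS.
     $layersKey = $request == 'getfeature' ? 'typename' : 'layers';
     $layers = isset($this->params[$layersKey]) ? $this->params[$layersKey] : '';
     $pConfig = $lproj->getFullCfg();

     // Filter only if needed
     if (!$lproj->hasLoginFilteredLayers() || !$pConfig->loginFilteredLayers) {
         return;
     }

     // Keep the client-supplied filters: they are merged into the server-side
     // restriction below and never replace it.
     $clientExpFilter = isset($this->params['exp_filter']) ? $this->params['exp_filter'] : null;
     $clientFilter = isset($this->params['filter']) ? $this->params['filter'] : null;

     // Check if a user is authenticated
     $isConnected = jAuth::isConnected();

     $v = '';
     $filter = '';
     foreach (explode(',', $layers) as $layername) {
         if (!property_exists($pConfig->loginFilteredLayers, $layername)) {
             continue;
         }
         $layerCfg = $pConfig->loginFilteredLayers->{$layername};
         $oAttribute = $layerCfg->filterAttribute;
         $attribute = strtolower($oAttribute);
         // WMS-style filters are prefixed with the layer name, WFS ones are not.
         $pre = $request == 'getfeature' ? '' : "{$layername}:";

         if (!$isConnected) {
             // The user is not authenticated: only show data with attribute = 'all'
             $allowed = "= 'all'";
         } elseif (property_exists($layerCfg, 'filterPrivate') && $layerCfg->filterPrivate == 'True') {
             // Private mode: rows owned by the login itself, plus 'all'.
             $allowed = 'IN ( ' . $quote(jAuth::getUserSession()->login) . " , 'all' )";
         } else {
             // Group mode: rows tagged with any group of the user, plus 'all'.
             $userGroups = jAcl2DbUserGroup::getGroups();
             if (!count($userGroups)) {
                 // keeps the historical output ( '' , 'all' ) for a user without group
                 $userGroups = array('');
             }
             $allowed = 'IN ( ' . implode(' , ', array_map($quote, $userGroups)) . " , 'all' )";
         }
         $filter .= $v . "{$pre}\"{$attribute}\" " . $allowed;
         $v = ';';

         if (!empty($clientFilter)) {
             // NOTE(review): the client filter is joined with AND but not
             // parenthesised, so an OR inside it binds looser than the login
             // restriction. It cannot simply be wrapped here because the value
             // may carry several "layer:expression" entries separated by ';';
             // it has to be split per layer and validated first.
             $filter .= " AND " . str_replace($pre, '', $clientFilter);
         }
     }

     // Nothing to restrict for the requested layers.
     if (!$filter) {
         return;
     }

     if ($request == 'getfeature') {
         // WFS : EXP_FILTER
         if (!empty($clientExpFilter)) {
             // Parenthesised so that the client expression is evaluated as one
             // operand of the AND and cannot widen the login restriction.
             // NOTE(review): wrapping does not validate the expression itself
             // (balanced parentheses and quotes still have to be checked).
             $filter .= ' AND ( ' . $clientExpFilter . ' )';
         }
         $this->params['exp_filter'] = $filter;
         // When the client restricts the returned properties, make sure the
         // filter attribute is part of them.
         if (array_key_exists('propertyname', $this->params)) {
             $propertyName = trim($this->params["propertyname"]);
             if (!empty($propertyName)) {
                 $this->params["propertyname"] .= ",{$oAttribute}";
             }
         }
     } else {
         $this->params['filter'] = $filter;
     }
 }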
コード例 #5
 /**
  * Filter data by login if necessary
  * as configured in the plugin for login filtered layers.
  */
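 protected function filterDataByLogin()
 {
     // Render a value as a single-quoted literal of the filter expression.
     // Logins and group ids are data: a quote or backslash inside them must
     // not be able to end the literal early and change the restriction.
     // NOTE(review): assumes the expression parser treats '' and \\ as escapes
     // inside a single-quoted literal; confirm for the map server in use.
     $quote = function ($value) {
         return "'" . str_replace(array('\\', "'"), array('\\\\', "''"), (string) $value) . "'";
     };

     // Optionally add a filter parameter
     $lproj = $this->project;
     $request = isset($this->params['request']) ? strtolower($this->params['request']) : '';
     // WFS GetFeature lists its layers in TYPENAME, other requests in LAYERS.
     $layersKey = $request == 'getfeature' ? 'typename' : 'layers';
     $layers = isset($this->params[$layersKey]) ? $this->params[$layersKey] : '';
     $pConfig = $lproj->getFullCfg();

     // Filter only if needed
     if (!$lproj->hasLoginFilteredLayers() || !$pConfig->loginFilteredLayers) {
         return;
     }

     // Keep the client-supplied filters: they are combined with the
     // server-side restriction below and never replace it.
     $clientExpFilter = isset($this->params['exp_filter']) ? $this->params['exp_filter'] : null;
     $clientFilter = isset($this->params['filter']) ? $this->params['filter'] : null;

     // Check if a user is authenticated
     $isConnected = jAuth::isConnected();

     // One server-side condition per login-filtered layer, keyed by layer name.
     $serverFilterArray = array();
     foreach (explode(',', $layers) as $layername) {
         if (!property_exists($pConfig->loginFilteredLayers, $layername)) {
             continue;
         }
         $layerCfg = $pConfig->loginFilteredLayers->{$layername};
         $oAttribute = $layerCfg->filterAttribute;
         $attribute = strtolower($oAttribute);

         if (!$isConnected) {
             // The user is not authenticated: only show data with attribute = 'all'
             $serverFilterArray[$layername] = "\"{$attribute}\" = 'all'";
         } elseif (property_exists($layerCfg, 'filterPrivate') && $layerCfg->filterPrivate == 'True') {
             // Private mode: rows owned by the login itself, plus 'all'.
             $serverFilterArray[$layername] = "\"{$attribute}\" IN ( "
                 . $quote(jAuth::getUserSession()->login) . " , 'all' )";
         } else {
             // Group mode: rows tagged with any group of the user, plus 'all'.
             $userGroups = jAcl2DbUserGroup::getGroups();
             if (!count($userGroups)) {
                 // keeps the historical output ( '' , 'all' ) for a user without group
                 $userGroups = array('');
             }
             $serverFilterArray[$layername] = "\"{$attribute}\" IN ( "
                 . implode(' , ', array_map($quote, $userGroups)) . " , 'all' )";
         }
     }

     // Set filter if needed
     if (count($serverFilterArray) == 0) {
         return;
     }

     // Client expressions are always parenthesised before being ANDed with a
     // server condition, so an OR inside them cannot widen the restriction.
     // NOTE(review): wrapping does not validate the client expression itself
     // (balanced parentheses and quotes still have to be checked).
     if ($request == 'getfeature') {
         // WFS : EXP_FILTER
         $parts = array();
         if (!empty($clientExpFilter)) {
             $parts[] = '( ' . $clientExpFilter . ' )';
         }
         foreach ($serverFilterArray as $lfilter) {
             $parts[] = $lfilter;
         }
         $this->params['exp_filter'] = implode(' AND ', $parts);

         // When the client restricts the returned properties, make sure the
         // filter attribute is part of them.
         if (array_key_exists('propertyname', $this->params)) {
             $propertyName = trim($this->params["propertyname"]);
             if (!empty($propertyName)) {
                 $this->params["propertyname"] .= ",{$oAttribute}";
             }
         }
         return;
     }

     if (!empty($clientFilter)) {
         // The client value is a ';'-separated list of "layer:expression".
         foreach (explode(';', $clientFilter) as $entry) {
             // Split on the first ':' only, so a ':' inside the expression is kept.
             $pair = explode(':', $entry, 2);
             if (count($pair) < 2) {
                 // no layer prefix: cannot be attached to a layer, ignore it
                 continue;
             }
             $lname = trim($pair[0]);
             $lfilter = trim($pair[1]);
             if ($lname === '' || $lfilter === '') {
                 continue;
             }
             if (array_key_exists($lname, $serverFilterArray)) {
                 $serverFilterArray[$lname] .= ' AND ( ' . $lfilter . ' )';
             } else {
                 // layer without login restriction: the client filter is used as is
                 $serverFilterArray[$lname] = $lfilter;
             }
         }
     }

     $entries = array();
     foreach ($serverFilterArray as $lname => $lfilter) {
         $entries[] = $lname . ':' . $lfilter;
     }
     $this->params['filter'] = implode(';', $entries);
 }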
コード例 #6
 /**
  * Dynamically update form by modifying the filter by login control
  *
  * @param object $form Jelix form to modify control.
  * @param string $save whether the form will be used for an update or an insert.
  * @return modified form.
  */
 private function updateFormByLogin($form, $save)
 {
     // Resolve the login-filter settings of the layer on first use.
     if (!is_array($this->loginFilteredLayers)) {
         //&& $this->loginFilteredOveride )
         $this->filterDataByLogin($this->layerName);
     }
     // Still no settings array: nothing to adapt in the form.
     if (!is_array($this->loginFilteredLayers)) {
         return true;
     }

     $filterType = $this->loginFilteredLayers['type'];
     $field = $this->loginFilteredLayers['attribute'];

     // Unauthenticated visitors get the form unchanged.
     // NOTE(review): the control is neither pre-filled nor constrained in that
     // case; confirm the save path restricts what an anonymous user may store.
     if (!jAuth::isConnected()) {
         return true;
     }
     $user = jAuth::getUserSession();

     if ($this->loginFilteredOveride) {
         // Override mode: the control offers every login (Db auth driver only)
         // or every group except 'users', so account and group names become
         // visible to whoever is shown this form.
         $previous = $form->getControl($field);
         $current = null;
         if ($previous != null) {
             $current = $form->getData($field);
         }

         $choices = array();
         if ($filterType == 'login') {
             $authPlugin = jApp::coord()->getPlugin('auth');
             if ($authPlugin->config['driver'] == 'Db') {
                 $dbConf = $authPlugin->config['Db'];
                 $userDao = jDao::get($dbConf['dao'], $dbConf['profile']);
                 $order = jDao::createConditions();
                 $order->addItemOrder('login', 'asc');
                 foreach ($userDao->findBy($order) as $account) {
                     $choices[$account->login] = $account->login;
                 }
             }
         } else {
             foreach (jAcl2DbUserGroup::getGroupList() as $group) {
                 if ($group->id_aclgrp != 'users') {
                     $choices[$group->id_aclgrp] = $group->id_aclgrp;
                 }
             }
             $choices['all'] = 'all';
         }

         $source = new jFormsStaticDatasource();
         $source->data = $choices;
         $menu = new jFormsControlMenulist($field);
         $menu->required = true;
         $menu->label = $previous != null ? $previous->label : $field;
         $menu->datasource = $source;

         $form->removeControl($field);
         $form->addControl($menu);
         if ($current != null) {
             $form->setData($field, $current);
         } elseif ($filterType == 'login') {
             // no previous value: default to the current user's login
             $form->setData($field, $user->login);
         }

         return true;
     }

     if ($filterType == 'login') {
         // Regular user, login filter: force the attribute to the user's own
         // login and lock the control.
         // NOTE(review): read-only is a form-level constraint; verify the
         // submitted value is not trusted as is when the form is saved.
         $user = jAuth::getUserSession();
         $form->setData($field, $user->login);
         $form->setReadOnly($field, true);

         return true;
     }

     // Regular user, group filter: replace the control by a menu limited to
     // the user's own groups plus 'all', hiding 'users' and private groups.
     $previous = $form->getControl($field);
     $memberships = jAcl2DbUserGroup::getGroups();
     $memberships[] = 'all';
     $choices = array();
     foreach ($memberships as $name) {
         if ($name == 'users' || substr($name, 0, 7) == "__priv_") {
             continue;
         }
         $choices[$name] = $name;
     }

     $source = new jFormsStaticDatasource();
     $source->data = $choices;
     $menu = new jFormsControlMenulist($field);
     $menu->required = true;
     $menu->label = $previous != null ? $previous->label : $field;
     $menu->datasource = $source;

     $current = null;
     if ($previous != null) {
         $current = $form->getData($field);
         $form->removeControl($field);
     }
     $form->addControl($menu);
     if ($current != null) {
         $form->setData($field, $current);
     }

     return true;
 }
コード例 #7
 /**
  * return the value of the right on the given subject (and on the optional resource).
  *
  * The resource "-" (meaning 'all resources') has the priority over specific resources.
  * It means that if you give a specific resource, it will be ignored if there is a positive right
  * with "-". The right on the given resource will be checked if there is no rights for "-".
  * 
  * @param string $subject the key of the subject
  * @param string $resource the id of a resource
  * @return boolean true if the user has the right on the given subject
  */
 public function getRight($subject, $resource = '-')
 {
     // Anonymous visitors are resolved by getAnonymousRight(); note that the
     // resource is passed through before the "empty means '-'" normalisation below.
     if (!jAuth::isConnected()) {
         return $this->getAnonymousRight($subject, $resource);
     }
     // Any "empty" resource id (null, '', 0, '0') means "-" (all resources).
     if (empty($resource)) {
         $resource = '-';
     }
     // Rights are cached per user: the cache key embeds the normalised login.
     // NOTE(review): entries written under these keys have to be invalidated
     // whenever rights or group membership change, otherwise a revoked right
     // stays effective until the entry expires; confirm that the code updating
     // rights clears the 'acl2db' cache profile.
     $login = jCache::normalizeKey(jAuth::getUserSession()->login);
     $rightkey = 'acl2db/' . $login . '/rights';
     $groups = null;
     if ($this->acl === null) {
         // Two-level lookup: instance property first, then the shared cache,
         // and only then the database.
         $rights = jCache::get($rightkey, 'acl2db');
         if ($rights === false) {
             $this->acl = array();
             // let's load all rights for the groups on which the current user is attached
             $groups = jAcl2DbUserGroup::getGroups();
             if (count($groups)) {
                 $dao = jDao::get('jacl2db~jacl2rights', 'jacl2_profile');
                 foreach ($dao->getRightsByGroups($groups) as $rec) {
                     // if there is already a right on a same subject on an other group
                     // we should take care when this rights says "cancel"
                     if (isset($this->acl[$rec->id_aclsbj])) {
                         if ($rec->canceled) {
                             $this->acl[$rec->id_aclsbj] = false;
                         }
                     } else {
                         $this->acl[$rec->id_aclsbj] = $rec->canceled ? false : true;
                     }
                 }
             }
             // null is passed as the third argument (presumably the ttl, so the
             // cache profile's default would apply; verify against jCache::set)
             jCache::set($rightkey, $this->acl, null, 'acl2db');
         } else {
             $this->acl = $rights;
         }
     }
     // Unknown subject: deny, and store the denial in the shared cache as well.
     if (!isset($this->acl[$subject])) {
         $this->acl[$subject] = false;
         jCache::set($rightkey, $this->acl, null, 'acl2db');
     }
     // no resource given, just return the global right for the given subject
     if ($resource == '-') {
         return $this->acl[$subject];
     }
     // Per-resource rights are cached per user and per subject.
     // NOTE(review): $subject goes into the key as is, unlike the login which
     // is normalised; presumably subjects are developer-defined keys - confirm.
     $rightreskey = 'acl2db/' . $login . '/rightsres/' . $subject;
     if (!isset($this->aclres[$subject])) {
         $rights = jCache::get($rightreskey, 'acl2db');
         if ($rights !== false) {
             $this->aclres[$subject] = $rights;
         }
     }
     // if we already have loaded the corresponding right, returns it
     if (isset($this->aclres[$subject][$resource])) {
         return $this->aclres[$subject][$resource];
     }
     // default right for the resource is the global right
     $this->aclres[$subject][$resource] = $this->acl[$subject];
     // if the general right is not given, check the specific right for the resource
     if (!$this->acl[$subject]) {
         if ($groups === null) {
             $groups = jAcl2DbUserGroup::getGroups();
         }
         if (count($groups)) {
             $dao = jDao::get('jacl2db~jacl2rights', 'jacl2_profile');
             $right = $dao->getRightWithRes($subject, $groups, $resource);
             // granted only when a record exists and it is not flagged "canceled"
             $this->aclres[$subject][$resource] = $right != false ? $right->canceled ? false : true : false;
         }
         // persist the resolved value (grant or denial) for later requests
         jCache::set($rightreskey, $this->aclres[$subject], null, 'acl2db');
         return $this->aclres[$subject][$resource];
     } else {
         // a positive global right wins over anything stored for the resource
         jCache::set($rightreskey, $this->aclres[$subject], null, 'acl2db');
         return true;
     }
 }
コード例 #8
 /**
  * Query a QuickFinder database
  * @param text $query A query on OpenStreetMap object
  * @param text $bbox A bounding box in EPSG:4326 (optional)
  * @return GeoJSON.
  */
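 function get()
 {
     // The answer is always a JSON document; it stays an empty list on every
     // early exit below (unknown project, access denied, nothing to search).
     $rep = $this->getResponse('binary');
     $rep->outputFileName = 'search_results.json';
     $rep->mimeType = 'application/json';
     $content = '[]';
     $rep->content = $content;

     // Get project and repository, and check rights
     $project = $this->param('project');
     $repository = $this->param('repository');
     $lrep = lizmap::getRepository($repository);
     $lproj = null;
     try {
         $lproj = lizmap::getProject($repository . '~' . $project);
         if (!$lproj) {
             jMessage::add('The lizmapProject ' . strtoupper($project) . ' does not exist !', 'ProjectNotDefined');
             return $rep;
         }
     } catch (UnknownLizmapProjectException $e) {
         jLog::logEx($e, 'error');
         jMessage::add('The lizmapProject ' . strtoupper($project) . ' does not exist !', 'ProjectNotDefined');
         return $rep;
     }
     if (!$lproj->checkAcl()) {
         jMessage::add(jLocale::get('view~default.repository.access.denied'), 'AuthorizationRequired');
         return $rep;
     }

     // Parameters
     $pquery = $this->param('query');
     if (!$pquery) {
         return $rep;
     }
     // NOTE(review): FILTER_SANITIZE_STRING is deprecated since PHP 8.1. The
     // value only reaches SQL through $cnx->quote() below, so the SQL safety
     // does not rest on this call.
     $pquery = filter_var($pquery, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);

     // Get FTS searches
     $ftsSearches = $lproj->hasFtsSearches();
     if (!$ftsSearches) {
         return $rep;
     }
     $searches = $ftsSearches['searches'];
     $jdb_profile = $ftsSearches['jdb_profile'];

     // Limitations
     $limit_tot = 30;
     $limit_search = 15;
     $cnx = jDb::getConnection($jdb_profile);

     // Create FTS query: every word becomes a prefix term
     $words = explode(' ', $pquery);
     $matches = implode('* ', $words) . '*';
     $sql = "SELECT search_id,content,wkb_geom FROM quickfinder_data WHERE";
     $sql .= " content MATCH " . $cnx->quote($matches);

     // Add filter by groups and user if the user is authenticated
     if (!jAcl2::check('lizmap.tools.loginFilteredLayers.override', $lrep->getKey())) {
         // Rows ending with "@@<owner>" are restricted to that owner; group ids
         // and logins are data, so they go through the connection's quoting and
         // their LIKE wildcards (% and _) are escaped. Otherwise a name holding
         // a wildcard would match rows tagged for other owners.
         $ownerClause = function ($owner) use ($cnx) {
             $escaped = str_replace(array('!', '%', '_'), array('!!', '!%', '!_'), (string) $owner);
             return ' OR content LIKE ' . $cnx->quote('%@@' . $escaped) . " ESCAPE '!'";
         };

         // Public rows: tagged "@@all" or not tagged at all
         $sql .= " AND ( content LIKE '%@@all' OR content NOT LIKE '%@@%'";
         $isConnected = jAuth::isConnected();
         if ($isConnected) {
             // Ok if any group matches
             $userGroups = jAcl2DbUserGroup::getGroups();
             foreach ($userGroups as $g) {
                 $sql .= $ownerClause($g);
             }
             // Ok if user matches
             $user = jAuth::getUserSession();
             $sql .= $ownerClause($user->login);
         }
         $sql .= ' )';
     }

     // Query and format data for each search key
     $nb = array('search' => array(), 'tot' => 0);
     $data = array();
     foreach ($searches as $skey => $sval) {
         // Add filter to get only data for given search key
         $sql_search = $sql . ' AND search_id = ' . $cnx->quote($skey);
         $limit = $limit_search;
         $sql_search .= " LIMIT " . $limit;
         // Run query
         $res = $cnx->query($sql_search);
         // Format data
         foreach ($res as $item) {
             $key = $item->search_id;
             if (!array_key_exists($key, $nb['search'])) {
                 $nb['search'][$key] = 0;
             }
             // per-search and overall caps on the number of returned features
             if ($nb['search'][$key] >= $limit_search) {
                 continue;
             }
             if ($nb['tot'] >= $limit_tot) {
                 break;
             }
             if (!array_key_exists($key, $data)) {
                 $data[$key] = array();
             }
             $data[$key]['search_name'] = $searches[$key]['search_name'];
             $data[$key]['layer_name'] = $searches[$key]['layer_name'];
             $data[$key]['srid'] = $searches[$key]['srid'];
             if (!array_key_exists('features', $data[$key])) {
                 $data[$key]['features'] = array();
             }
             // the "@@owner" tag is stripped from the label sent to the client
             $data[$key]['features'][] = array(
                 'label' => preg_replace('#@@.+#', '', $item->content),
                 'geometry' => $item->wkb_geom,
             );
             $nb['search'][$key] += 1;
             $nb['tot'] += 1;
         }
     }
     $rep->content = json_encode($data);
     return $rep;
 }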
コード例 #9
 /**
  * Check acl rights on the project
  */
 public function checkAcl()
 {
     // The repository-level "view" right is required before anything else.
     $repositoryKey = $this->repository->getKey();
     if (!jAcl2::check('lizmap.repositories.view', $repositoryKey)) {
         return false;
     }

     // Without a non-empty "acl" array in the project options there is no
     // project-level restriction: the repository right above is sufficient.
     $options = $this->cfg->options;
     $hasGroupList = property_exists($options, 'acl')
         && is_array($options->acl)
         && !empty($options->acl);
     if (!$hasGroupList) {
         return true;
     }

     // A group white list can only be satisfied by an authenticated user.
     if (!jAuth::isConnected()) {
         return false;
     }

     // Access is granted when the user belongs to at least one listed group.
     $shared = array_intersect($options->acl, jAcl2DbUserGroup::getGroups());

     return count($shared) > 0;
 }