/**
 * Return the value of the right on the given subject (and on the optional resource).
 *
 * The resource "-" (meaning 'all resources') has priority over specific resources:
 * if a specific resource is given, it is ignored when there is a positive right
 * with "-". The right on the given resource is only checked when there is no
 * right for "-".
 *
 * Global rights are loaded once per request into the static self::$acl cache,
 * keyed by subject. When several groups of the user carry a record for the
 * same subject, a "canceled" record wins over a granted one whatever the order
 * in which the records are read (deny overrides grant). Per-resource results
 * are memoized in self::$aclres[$subject][$resource].
 *
 * @param string $subject the key of the subject
 * @param string $resource the id of a resource; an empty value means "-"
 * @return boolean true if the user has the right on the given subject
 */
public function getRight($subject, $resource = '-') {
    if (empty($resource)) {
        $resource = '-';
    }
    if (!jAuth::isConnected()) {
        return self::getAnonymousRight($subject, $resource);
    }
    $groups = null;
    if (self::$acl === null) {
        // first call in this request: load all rights for the groups on which the current user is attached
        $groups = jAcl2DbUserGroup::getGroups();
        self::$acl = array();
        if (count($groups)) {
            $dao = jDao::get('jacl2db~jacl2rights', 'jacl2_profile');
            foreach ($dao->getRightsByGroups($groups) as $rec) {
                // if there is already a right on the same subject from another group,
                // a "canceled" record turns it to false; a granted record never
                // re-enables a subject already set to false
                if (isset(self::$acl[$rec->id_aclsbj])) {
                    if ($rec->canceled) {
                        self::$acl[$rec->id_aclsbj] = false;
                    }
                } else {
                    self::$acl[$rec->id_aclsbj] = $rec->canceled ? false : true;
                }
            }
        }
    }
    // unknown subject: no global right (default deny)
    if (!isset(self::$acl[$subject])) {
        self::$acl[$subject] = false;
    }
    // no resource given, just return the global right for the given subject
    if ($resource == '-') {
        return self::$acl[$subject];
    }
    // if we already have loaded the corresponding right, return it
    if (isset(self::$aclres[$subject][$resource])) {
        return self::$aclres[$subject][$resource];
    }
    // default right for the resource is the global right
    self::$aclres[$subject][$resource] = self::$acl[$subject];
    // if the general right is not given, check the specific right for the resource
    if (!self::$acl[$subject]) {
        if ($groups === null) {
            $groups = jAcl2DbUserGroup::getGroups();
        }
        if (count($groups)) {
            $dao = jDao::get('jacl2db~jacl2rights', 'jacl2_profile');
            $right = $dao->getRightWithRes($subject, $groups, $resource);
            // only the single record returned by the DAO is considered here;
            // NOTE(review): which record wins when several groups have one for
            // this resource depends on getRightWithRes — confirm in the DAO
            self::$aclres[$subject][$resource] = $right != false ? $right->canceled ? false : true : false;
        }
        return self::$aclres[$subject][$resource];
    } else {
        return true;
    }
}
/**
 * Return the value of the right on the given subject (and on the optional resource).
 *
 * Global rights are loaded once per request into the static self::$acl cache,
 * keyed by subject. When several groups of the user carry a record for the
 * same subject, a "canceled" record wins over a granted one whatever the order
 * in which the records are read (deny overrides grant). Per-resource results
 * are memoized in self::$aclres[$subject][$resource]; a resource is only
 * looked up when the global right on the subject is not granted.
 *
 * @param string $subject the key of the subject
 * @param string $resource the id of a resource; null means the global right only
 * @return boolean true if the right is ok
 */
public function getRight($subject, $resource = null) {
    if (!jAuth::isConnected()) {
        return self::getAnonymousRight($subject, $resource);
    }
    $groups = null;
    if (self::$acl === null) {
        // first call in this request: load the rights of every group of the current user
        $groups = jAcl2DbUserGroup::getGroups();
        self::$acl = array();
        if (count($groups)) {
            $dao = jDao::get('jacl2db~jacl2rights', 'jacl2_profile');
            foreach ($dao->getRightsByGroups($groups) as $rec) {
                // if there is already a right on the same subject from another group,
                // a "canceled" record turns it to false; a granted record never
                // re-enables a subject already set to false
                if (isset(self::$acl[$rec->id_aclsbj])) {
                    if ($rec->canceled) {
                        self::$acl[$rec->id_aclsbj] = false;
                    }
                } else {
                    self::$acl[$rec->id_aclsbj] = $rec->canceled ? false : true;
                }
            }
        }
    }
    // unknown subject: no global right (default deny)
    if (!isset(self::$acl[$subject])) {
        self::$acl[$subject] = false;
    }
    // no resource given, just return the global right for the given subject
    if ($resource === null) {
        return self::$acl[$subject];
    }
    // already computed for this resource in this request
    if (isset(self::$aclres[$subject][$resource])) {
        return self::$aclres[$subject][$resource];
    }
    // default right for the resource is the global right
    self::$aclres[$subject][$resource] = self::$acl[$subject];
    // if the general right is not set, check the specific right for the resource
    if (!self::$acl[$subject]) {
        if ($groups === null) {
            $groups = jAcl2DbUserGroup::getGroups();
        }
        if (count($groups)) {
            $dao = jDao::get('jacl2db~jacl2rights', 'jacl2_profile');
            $right = $dao->getRightWithRes($subject, $groups, $resource);
            // NOTE(review): only the single record returned by the DAO is considered;
            // which one wins when several groups have one is up to getRightWithRes
            self::$aclres[$subject][$resource] = $right != false ? $right->canceled ? false : true : false;
        }
        return self::$aclres[$subject][$resource];
    } else {
        return true;
    }
}
/**
 * Return the value of the right on the given subject (and on the optional resource).
 *
 * The global rights of the current user's groups are read once per request
 * into the static self::$acl map (subject => true); any subject absent from
 * that map is denied. A specific resource is only looked up in the database
 * when the global right is not granted, and the answer is memoized in
 * self::$aclres[$subject][$resource].
 *
 * @param string $subject the key of the subject
 * @param string $resource the id of a resource; null means the global right only
 * @return boolean true if the right is ok
 */
public function getRight($subject, $resource = null) {
    if (!jAuth::isConnected()) {
        return self::getAnonymousRight($subject, $resource);
    }

    $userGroups = null;
    if (self::$acl === null) {
        // first call in this request: every subject granted to one of the user's groups
        $userGroups = jAcl2DbUserGroup::getGroups();
        self::$acl = array();
        if (count($userGroups)) {
            $dao = jDao::get('jelix~jacl2rights', jAcl2Db::getProfile());
            foreach ($dao->getRightsByGroups($userGroups) as $rec) {
                self::$acl[$rec->id_aclsbj] = true;
            }
        }
    }

    // unknown subject: default deny
    if (!isset(self::$acl[$subject])) {
        self::$acl[$subject] = false;
    }
    $globalRight = self::$acl[$subject];

    if ($resource === null) {
        return $globalRight;
    }
    if (isset(self::$aclres[$subject][$resource])) {
        return self::$aclres[$subject][$resource];
    }

    // the global right is the default answer for any resource
    self::$aclres[$subject][$resource] = $globalRight;
    if ($globalRight) {
        return true;
    }

    // not granted globally: look for a right on this very resource
    if ($userGroups === null) {
        $userGroups = jAcl2DbUserGroup::getGroups();
    }
    if (count($userGroups)) {
        $dao = jDao::get('jelix~jacl2rights', jAcl2Db::getProfile());
        $right = $dao->getRightWithRes($subject, $userGroups, $resource);
        self::$aclres[$subject][$resource] = $right != false;
    }
    return self::$aclres[$subject][$resource];
}
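/**
 * Filter data by login if necessary
 * as configured in the plugin for login filtered layers.
 *
 * For each requested layer listed in the project's loginFilteredLayers config,
 * builds a server-side expression on the layer's filterAttribute: the current
 * login (when filterPrivate is 'True') or the user's groups, always together
 * with the 'all' marker; an anonymous user only gets rows marked 'all'.
 * The result replaces the WFS EXP_FILTER (GetFeature) or the WMS FILTER
 * parameter ("layer:expr;layer:expr"). A filter the client sent is kept, but
 * ANDed behind the server-side expression, in parentheses, so it can only
 * narrow the result.
 */
protected function filterDataByLogin() {
    // Optionally add a filter parameter
    $lproj = lizmap::getProject($this->repository->getKey() . '~' . $this->project->getKey());
    $request = strtolower($this->params['request']);
    if ($request == 'getfeature') {
        $layers = $this->params["typename"];
    } else {
        $layers = $this->params["layers"];
    }
    $pConfig = $lproj->getFullCfg();

    // Filter only if needed
    if (!($lproj->hasLoginFilteredLayers() and $pConfig->loginFilteredLayers)) {
        return;
    }

    // Remember the client-side filters before replacing them server side
    $v = '';
    $filter = '';
    $clientExpFilter = null;
    if (array_key_exists('exp_filter', $this->params)) {
        $clientExpFilter = $this->params['exp_filter'];
    }
    $clientFilter = null;
    if (array_key_exists('filter', $this->params)) {
        $clientFilter = $this->params['filter'];
    }

    // Check if a user is authenticated
    $isConnected = jAuth::isConnected();

    // Build the server-side term for each layer that needs one
    foreach (explode(',', $layers) as $layername) {
        if (!property_exists($pConfig->loginFilteredLayers, $layername)) {
            continue;
        }
        $layerCfg = $pConfig->loginFilteredLayers->{$layername};
        $oAttribute = $layerCfg->filterAttribute;
        $attribute = strtolower($oAttribute);

        // WMS FILTER entries are prefixed with the layer name; WFS EXP_FILTER is not
        $pre = "{$layername}:";
        if ($request == 'getfeature') {
            $pre = '';
        }

        if ($isConnected) {
            $user = jAuth::getUserSession();
            $login = $user->login;
            // NOTE(review): login and group names are interpolated into the expression
            // unescaped; a name containing a single quote would break it — confirm the
            // expression engine's escaping rule before adding quoting here
            if (property_exists($layerCfg, 'filterPrivate') && $layerCfg->filterPrivate == 'True') {
                $filter .= $v . "{$pre}\"{$attribute}\" IN ( '" . $login . "' , 'all' )";
            } else {
                $userGroups = jAcl2DbUserGroup::getGroups();
                $flatGroups = implode("' , '", $userGroups);
                $filter .= $v . "{$pre}\"{$attribute}\" IN ( '" . $flatGroups . "' , 'all' )";
            }
            $v = ';';
        } else {
            // The user is not authenticated: only show data with attribute = 'all'
            $filter .= $v . "{$pre}\"{$attribute}\" = 'all'";
            $v = ';';
        }

        if (!empty($clientFilter)) {
            // Parenthesize the client expression: AND binds tighter than OR, so an
            // unparenthesized client filter containing OR would not be constrained
            // by the server-side term
            $filter .= ' AND ( ' . str_replace($pre, '', $clientFilter) . ' )';
        }
    }

    // Set the filter parameter when at least one layer was concerned
    if ($filter) {
        if ($request == 'getfeature') {
            // WFS : EXP_FILTER — same parenthesization for the client expression
            if (!empty($clientExpFilter)) {
                $filter .= ' AND ( ' . $clientExpFilter . ' )';
            }
            $this->params['exp_filter'] = $filter;
            // NOTE(review): only the filterAttribute of the last filtered layer is
            // appended to PROPERTYNAME — confirm this is intended for multi-layer requests
            if (array_key_exists('propertyname', $this->params)) {
                $propertyName = trim($this->params["propertyname"]);
                if (!empty($propertyName)) {
                    $this->params["propertyname"] .= ",{$oAttribute}";
                }
            }
        } else {
            // WMS : FILTER
            $this->params['filter'] = $filter;
        }
    }
}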
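/**
 * Filter data by login if necessary
 * as configured in the plugin for login filtered layers.
 *
 * For each requested layer listed in the project's loginFilteredLayers config,
 * builds a server-side expression on the layer's filterAttribute: the current
 * login (when filterPrivate is 'True') or the user's groups, always together
 * with the 'all' marker; an anonymous user only gets rows marked 'all'.
 * The expressions are written to the WFS EXP_FILTER (GetFeature) or to the
 * WMS FILTER parameter ("layer:expr;layer:expr"). A filter the client sent is
 * kept, but ANDed behind the server-side expression, in parentheses, so it can
 * only narrow the result.
 */
protected function filterDataByLogin() {
    // Optionally add a filter parameter
    $lproj = $this->project;
    $request = strtolower($this->params['request']);
    if ($request == 'getfeature') {
        $layers = $this->params["typename"];
    } else {
        $layers = $this->params["layers"];
    }
    $pConfig = $lproj->getFullCfg();

    // Filter only if needed
    if (!($lproj->hasLoginFilteredLayers() and $pConfig->loginFilteredLayers)) {
        return;
    }

    // Remember the client-side filters before replacing them server side
    $clientExpFilter = null;
    if (array_key_exists('exp_filter', $this->params)) {
        $clientExpFilter = $this->params['exp_filter'];
    }
    $clientFilter = null;
    if (array_key_exists('filter', $this->params)) {
        $clientFilter = $this->params['filter'];
    }

    // Check if a user is authenticated
    $isConnected = jAuth::isConnected();

    // One server-side expression per layer that needs one, keyed by layer name
    $serverFilterArray = array();
    foreach (explode(',', $layers) as $layername) {
        if (!property_exists($pConfig->loginFilteredLayers, $layername)) {
            continue;
        }
        $layerCfg = $pConfig->loginFilteredLayers->{$layername};
        $oAttribute = $layerCfg->filterAttribute;
        $attribute = strtolower($oAttribute);

        if ($isConnected) {
            $user = jAuth::getUserSession();
            $login = $user->login;
            // NOTE(review): login and group names are interpolated into the expression
            // unescaped; a name containing a single quote would break it — confirm the
            // expression engine's escaping rule before adding quoting here
            if (property_exists($layerCfg, 'filterPrivate') && $layerCfg->filterPrivate == 'True') {
                $serverFilterArray[$layername] = "\"{$attribute}\" IN ( '" . $login . "' , 'all' )";
            } else {
                $userGroups = jAcl2DbUserGroup::getGroups();
                $flatGroups = implode("' , '", $userGroups);
                $serverFilterArray[$layername] = "\"{$attribute}\" IN ( '" . $flatGroups . "' , 'all' )";
            }
        } else {
            // The user is not authenticated: only show data with attribute = 'all'
            $serverFilterArray[$layername] = "\"{$attribute}\" = 'all'";
        }
    }

    // Nothing to enforce for the requested layers
    if (count($serverFilterArray) == 0) {
        return;
    }

    if ($request == 'getfeature') {
        // WFS : EXP_FILTER. Every server-side term is ANDed; a client expression
        // is kept but parenthesized, because AND binds tighter than OR and an
        // unparenthesized OR in it would not be constrained by the server-side terms
        $filter = '';
        $s = '';
        if (!empty($clientExpFilter)) {
            $filter = '( ' . $clientExpFilter . ' )';
            $s = ' AND ';
        }
        foreach ($serverFilterArray as $lname => $lfilter) {
            $filter .= $s . $lfilter;
            $s = ' AND ';
        }
        $this->params['exp_filter'] = $filter;
        // NOTE(review): only the filterAttribute of the last filtered layer is
        // appended to PROPERTYNAME — confirm this is intended for multi-layer requests
        if (array_key_exists('propertyname', $this->params)) {
            $propertyName = trim($this->params["propertyname"]);
            if (!empty($propertyName)) {
                $this->params["propertyname"] .= ",{$oAttribute}";
            }
        }
        return;
    }

    // WMS : FILTER ("layer:expr;layer:expr"). Merge the client entries into the
    // server-side ones: a client expression for a filtered layer is ANDed behind
    // the server term in parentheses; entries for other layers pass through.
    if (!empty($clientFilter)) {
        foreach (explode(';', $clientFilter) as $entry) {
            // limit 2: the expression itself may contain ':' (e.g. a time literal)
            $parts = explode(':', $entry, 2);
            if (count($parts) < 2) {
                // entry without a "layer:" prefix: nothing to attach it to
                continue;
            }
            $lname = trim($parts[0]);
            $lfilter = trim($parts[1]);
            if (array_key_exists($lname, $serverFilterArray)) {
                $serverFilterArray[$lname] .= ' AND ( ' . $lfilter . ' )';
            } else {
                $serverFilterArray[$lname] = $lfilter;
            }
        }
    }
    $filter = '';
    $s = '';
    foreach ($serverFilterArray as $lname => $lfilter) {
        $filter .= $s . $lname . ':' . $lfilter;
        $s = ';';
    }
    $this->params['filter'] = $filter;
}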
/**
 * Dynamically update form by modifying the filter by login control
 *
 * When the edited layer is a "login filtered" layer, the control bound to the
 * filter attribute is replaced so the user can only write values they are
 * allowed to: without the override right, a 'login' type attribute is forced
 * to the current login and made read-only, and any other type becomes a
 * required menulist limited to the user's own groups plus 'all'; with the
 * override right, the menulist offers every login (Db auth driver only) or
 * every group.
 *
 * @param object $form Jelix form to modify control.
 * @param string $save does the form will be used for update or insert (not read here).
 * @return modified form. (always true)
 */
private function updateFormByLogin($form, $save) {
    // lazily compute $this->loginFilteredLayers for the edited layer
    if (!is_array($this->loginFilteredLayers)) {
        $this->filterDataByLogin($this->layerName);
    }
    if (is_array($this->loginFilteredLayers)) {
        $type = $this->loginFilteredLayers['type'];
        $attribute = $this->loginFilteredLayers['attribute'];
        // Check if a user is authenticated
        if (!jAuth::isConnected()) {
            return True;
        }
        $user = jAuth::getUserSession();
        if (!$this->loginFilteredOveride) {
            if ($type == 'login') {
                // the attribute is forced to the current login and made read-only
                // NOTE(review): the submitted value is only ignored if the form is
                // rebuilt the same way when it is saved — confirm on the save path
                $user = jAuth::getUserSession();
                $form->setData($attribute, $user->login);
                $form->setReadOnly($attribute, True);
            } else {
                $oldCtrl = $form->getControl($attribute);
                // allowed values: the user's groups plus 'all', without the 'users'
                // group and without groups whose name starts with "__priv_"
                $userGroups = jAcl2DbUserGroup::getGroups();
                $userGroups[] = 'all';
                $uGroups = array();
                foreach ($userGroups as $uGroup) {
                    if ($uGroup != 'users' and substr($uGroup, 0, 7) != "__priv_") {
                        $uGroups[$uGroup] = $uGroup;
                    }
                }
                $dataSource = new jFormsStaticDatasource();
                $dataSource->data = $uGroups;
                // replace the existing control by a required menulist bound to that list
                $ctrl = new jFormsControlMenulist($attribute);
                $ctrl->required = true;
                if ($oldCtrl != null) {
                    $ctrl->label = $oldCtrl->label;
                } else {
                    $ctrl->label = $attribute;
                }
                $ctrl->datasource = $dataSource;
                // keep the value already in the form, if any
                $value = null;
                if ($oldCtrl != null) {
                    $value = $form->getData($attribute);
                    $form->removeControl($attribute);
                }
                $form->addControl($ctrl);
                if ($value != null) {
                    $form->setData($attribute, $value);
                }
            }
        } else {
            // override right: the user may pick any login / any group
            $oldCtrl = $form->getControl($attribute);
            $value = null;
            if ($oldCtrl != null) {
                $value = $form->getData($attribute);
            }
            $data = array();
            if ($type == 'login') {
                // the login list is only built with the Db auth driver; other
                // drivers leave the menulist empty
                $plugin = jApp::coord()->getPlugin('auth');
                if ($plugin->config['driver'] == 'Db') {
                    $authConfig = $plugin->config['Db'];
                    $dao = jDao::get($authConfig['dao'], $authConfig['profile']);
                    $cond = jDao::createConditions();
                    $cond->addItemOrder('login', 'asc');
                    $us = $dao->findBy($cond);
                    foreach ($us as $u) {
                        $data[$u->login] = $u->login;
                    }
                }
            } else {
                // every group except 'users', plus the 'all' marker
                $gp = jAcl2DbUserGroup::getGroupList();
                foreach ($gp as $g) {
                    if ($g->id_aclgrp != 'users') {
                        $data[$g->id_aclgrp] = $g->id_aclgrp;
                    }
                }
                $data['all'] = 'all';
            }
            $dataSource = new jFormsStaticDatasource();
            $dataSource->data = $data;
            $ctrl = new jFormsControlMenulist($attribute);
            $ctrl->required = true;
            if ($oldCtrl != null) {
                $ctrl->label = $oldCtrl->label;
            } else {
                $ctrl->label = $attribute;
            }
            $ctrl->datasource = $dataSource;
            $form->removeControl($attribute);
            $form->addControl($ctrl);
            // restore the previous value, else default a login attribute to the
            // current user (the loose != null test also drops a legitimate "0")
            if ($value != null) {
                $form->setData($attribute, $value);
            } else {
                if ($type == 'login') {
                    $form->setData($attribute, $user->login);
                }
            }
        }
    }
    return True;
}
/**
 * Return the value of the right on the given subject (and on the optional resource).
 *
 * The resource "-" (meaning 'all resources') has priority over specific resources:
 * if a specific resource is given, it is ignored when there is a positive right
 * with "-". The right on the given resource is only checked when there is no
 * right for "-".
 *
 * Results are kept in $this->acl / $this->aclres for the request and persisted
 * through jCache (profile 'acl2db') under keys derived from the normalized
 * login: "acl2db/<login>/rights" for global rights and
 * "acl2db/<login>/rightsres/<subject>" for per-resource rights. When several
 * groups of the user carry a record for the same subject, a "canceled" record
 * wins over a granted one whatever the order in which the records are read
 * (deny overrides grant).
 * NOTE(review): nothing here expires or invalidates those cache entries; a
 * change of rights or group membership must clear them elsewhere — confirm.
 *
 * @param string $subject the key of the subject
 * @param string $resource the id of a resource; an empty value means "-"
 * @return boolean true if the user has the right on the given subject
 */
public function getRight($subject, $resource = '-') {
    if (!jAuth::isConnected()) {
        return $this->getAnonymousRight($subject, $resource);
    }
    if (empty($resource)) {
        $resource = '-';
    }
    $login = jCache::normalizeKey(jAuth::getUserSession()->login);
    $rightkey = 'acl2db/' . $login . '/rights';
    $groups = null;
    if ($this->acl === null) {
        // first call in this request: take the global rights from the cache, else from the database
        $rights = jCache::get($rightkey, 'acl2db');
        if ($rights === false) {
            $this->acl = array();
            // let's load all rights for the groups on which the current user is attached
            $groups = jAcl2DbUserGroup::getGroups();
            if (count($groups)) {
                $dao = jDao::get('jacl2db~jacl2rights', 'jacl2_profile');
                foreach ($dao->getRightsByGroups($groups) as $rec) {
                    // if there is already a right on the same subject from another group,
                    // a "canceled" record turns it to false; a granted record never
                    // re-enables a subject already set to false
                    if (isset($this->acl[$rec->id_aclsbj])) {
                        if ($rec->canceled) {
                            $this->acl[$rec->id_aclsbj] = false;
                        }
                    } else {
                        $this->acl[$rec->id_aclsbj] = $rec->canceled ? false : true;
                    }
                }
            }
            jCache::set($rightkey, $this->acl, null, 'acl2db');
        } else {
            $this->acl = $rights;
        }
    }
    // unknown subject: default deny, and the negative answer is cached too
    if (!isset($this->acl[$subject])) {
        $this->acl[$subject] = false;
        jCache::set($rightkey, $this->acl, null, 'acl2db');
    }
    // no resource given, just return the global right for the given subject
    if ($resource == '-') {
        return $this->acl[$subject];
    }
    // NOTE(review): $subject goes into the cache key without normalizeKey — assumes
    // subject keys are already cache-safe; confirm against the subject naming rules
    $rightreskey = 'acl2db/' . $login . '/rightsres/' . $subject;
    if (!isset($this->aclres[$subject])) {
        // per-resource rights of this subject, if already cached
        $rights = jCache::get($rightreskey, 'acl2db');
        if ($rights !== false) {
            $this->aclres[$subject] = $rights;
        }
    }
    // if we already have loaded the corresponding right, return it
    if (isset($this->aclres[$subject][$resource])) {
        return $this->aclres[$subject][$resource];
    }
    // default right for the resource is the global right
    $this->aclres[$subject][$resource] = $this->acl[$subject];
    // if the general right is not given, check the specific right for the resource
    if (!$this->acl[$subject]) {
        if ($groups === null) {
            $groups = jAcl2DbUserGroup::getGroups();
        }
        if (count($groups)) {
            $dao = jDao::get('jacl2db~jacl2rights', 'jacl2_profile');
            $right = $dao->getRightWithRes($subject, $groups, $resource);
            // NOTE(review): only the single record returned by the DAO is considered;
            // which one wins when several groups have one is up to getRightWithRes
            $this->aclres[$subject][$resource] = $right != false ? $right->canceled ? false : true : false;
        }
        jCache::set($rightreskey, $this->aclres[$subject], null, 'acl2db');
        return $this->aclres[$subject][$resource];
    } else {
        jCache::set($rightreskey, $this->aclres[$subject], null, 'acl2db');
        return true;
    }
}
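/**
 * Query a QuickFinder database
 *
 * Runs a full-text MATCH on quickfinder_data for the "query" parameter and
 * returns, as JSON, the matching features grouped by search key (at most
 * 15 per search key and 30 in total). Unless the user holds the
 * 'lizmap.tools.loginFilteredLayers.override' right on the repository, rows
 * tagged "@@<group>" or "@@<login>" are only returned for the authenticated
 * user's own groups and login; untagged rows and rows tagged "@@all" are
 * always returned. The "@@..." marker is stripped from the returned labels.
 *
 * @param text $query A query on OpenStreetMap object
 * @param text $bbox A bounding box in EPSG:4326 Optionnal (not used yet)
 * @return GeoJSON.
 */
function get() {
    $rep = $this->getResponse('binary');
    $rep->outputFileName = 'search_results.json';
    $rep->mimeType = 'application/json';
    // Default (empty) answer, returned as-is on every early exit below
    $rep->content = '[]';

    // Get project and repository, and check rights
    $project = $this->param('project');
    $repository = $this->param('repository');
    $lrep = lizmap::getRepository($repository);
    $lproj = null;
    try {
        $lproj = lizmap::getProject($repository . '~' . $project);
        if (!$lproj) {
            jMessage::add('The lizmapProject ' . strtoupper($project) . ' does not exist !', 'ProjectNotDefined');
            return $rep;
        }
    } catch (UnknownLizmapProjectException $e) {
        jLog::logEx($e, 'error');
        jMessage::add('The lizmapProject ' . strtoupper($project) . ' does not exist !', 'ProjectNotDefined');
        return $rep;
    }
    if (!$lproj->checkAcl()) {
        jMessage::add(jLocale::get('view~default.repository.access.denied'), 'AuthorizationRequired');
        return $rep;
    }
    // The repository object is needed for the ACL check below; guard against a
    // missing one instead of failing on a null method call
    if (!$lrep) {
        return $rep;
    }

    // Parameters
    $pquery = $this->param('query');
    if (!$pquery) {
        return $rep;
    }
    // Strips tags from the query (FILTER_SANITIZE_STRING is deprecated since
    // PHP 8.1). This is cosmetic only: SQL safety below relies on $cnx->quote().
    $pquery = filter_var($pquery, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);

    // Get FTS searches
    $ftsSearches = $lproj->hasFtsSearches();
    if (!$ftsSearches) {
        return $rep;
    }
    $searches = $ftsSearches['searches'];
    $jdb_profile = $ftsSearches['jdb_profile'];

    // Limitations
    $limit_tot = 30;
    $limit_search = 15;

    $cnx = jDb::getConnection($jdb_profile);

    // Create FTS query: every word becomes a prefix term
    $words = explode(' ', $pquery);
    $matches = implode('* ', $words) . '*';
    $sql = "SELECT search_id,content,wkb_geom FROM quickfinder_data WHERE";
    $sql .= " content MATCH " . $cnx->quote($matches);

    // Add filter by groups and user unless the user holds the override right
    if (!jAcl2::check('lizmap.tools.loginFilteredLayers.override', $lrep->getKey())) {
        $sql .= " AND ( content LIKE '%@@all' OR content NOT LIKE '%@@%'";
        if (jAuth::isConnected()) {
            // Group names and logins are user-managed data: they go through the
            // driver's quote() instead of being concatenated raw into the statement.
            // (A '%' or '_' inside a name still acts as a LIKE wildcard.)
            // Ok if any group matches
            $userGroups = jAcl2DbUserGroup::getGroups();
            foreach ($userGroups as $g) {
                $sql .= ' OR content LIKE ' . $cnx->quote('%@@' . $g);
            }
            // Ok if user matches
            $login = jAuth::getUserSession()->login;
            $sql .= ' OR content LIKE ' . $cnx->quote('%@@' . $login);
        }
        $sql .= ' )';
    }

    // Query and format data for each search key
    $nb = array('search' => array(), 'tot' => 0);
    $data = array();
    foreach ($searches as $skey => $sval) {
        // Add filter to get only data for given search key
        $sql_search = $sql . ' AND search_id = ' . $cnx->quote($skey);
        $sql_search .= " LIMIT " . $limit_search;

        // Run query
        $res = $cnx->query($sql_search);

        // Format data
        foreach ($res as $item) {
            $key = $item->search_id;
            if (!array_key_exists($key, $nb['search'])) {
                $nb['search'][$key] = 0;
            }
            if ($nb['search'][$key] >= $limit_search) {
                continue;
            }
            if ($nb['tot'] >= $limit_tot) {
                break;
            }
            if (!array_key_exists($key, $data)) {
                $data[$key] = array();
            }
            $data[$key]['search_name'] = $searches[$key]['search_name'];
            $data[$key]['layer_name'] = $searches[$key]['layer_name'];
            $data[$key]['srid'] = $searches[$key]['srid'];
            if (!array_key_exists('features', $data[$key])) {
                $data[$key]['features'] = array();
            }
            // The "@@<audience>" suffix is an internal marker: strip it from the label
            $data[$key]['features'][] = array(
                'label' => preg_replace('#@@.+#', '', $item->content),
                'geometry' => $item->wkb_geom,
            );
            $nb['search'][$key] += 1;
            $nb['tot'] += 1;
        }
    }
    $rep->content = json_encode($data);
    return $rep;
}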
/**
 * Check acl rights on the project
 *
 * The user must hold 'lizmap.repositories.view' on the repository. Then, when
 * the project config declares a non-empty "acl" option (a list of group
 * names), the user must be authenticated and belong to at least one of those
 * groups; without that option the repository right is enough.
 *
 * @return boolean true if the current user may access the project
 */
public function checkAcl() {
    // Right on the repository comes first
    $repoKey = $this->repository->getKey();
    if (!jAcl2::check('lizmap.repositories.view', $repoKey)) {
        return false;
    }

    // Is a group white list configured in the project config?
    $options = $this->cfg->options;
    $hasGroupWhiteList = property_exists($options, 'acl')
        && is_array($options->acl)
        && !empty($options->acl);
    if (!$hasGroupWhiteList) {
        return true;
    }

    // A white list only makes sense for an authenticated user
    if (!jAuth::isConnected()) {
        return false;
    }

    // Allowed when the white list and the user's groups intersect
    $allowedGroups = $options->acl;
    $userGroups = jAcl2DbUserGroup::getGroups();
    $commonGroups = array_intersect($allowedGroups, $userGroups);
    return count($commonGroups) > 0;
}