getPermissions() public static method

Get permissions for the user and project and merge them.
public static getPermissions ( User $user = null, Project $project = null ) : array
$user User
$project Project
return array
コード例 #1
ファイル: AppController.php プロジェクト: nirix/traq
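 /**
  * Set up the per-request state shared by all controllers: the database
  * connection, the current project and user, the merged permission set and
  * the `before` filters that gate access to the request.
  *
  * Always call this when defining `__construct()` in sub-classes.
  */
 public function __construct()
 {
     $this->db = ConnectionManager::getConnection();
     // Modal?
     // Loose comparison: whatever PHP treats as equal to `true` enables modal
     // mode, so the header is a display hint only and carries no trust.
     if (Request::$headers->has('X-Modal')) {
         $this->isModal = Request::$headers->get('X-Modal') == true;
     }
     // Get current project.
     if (Request::$properties->has('pslug')) {
         // `?: null` normalises a falsy lookup result (no match) to null.
         $this->currentProject = Project::find('slug', Request::$properties->get('pslug')) ?: null;
         $GLOBALS['current_project'] = $this->currentProject;
         // Hide projects the requester may not view behind a 404.
         // NOTE(review): when the slug did not resolve, `currentProject` is null
         // here; what `hasPermission('view', null)` returns is not visible in
         // this block, so confirm unknown slugs end in a 404 as well.
         $this->before('*', function () {
             if (!$this->hasPermission('view', $this->currentProject)) {
                 return $this->show404();
             }
         });
     } else {
         $GLOBALS['current_project'] = null;
     }
     // Get current user.
     // The `traq` cookie value is the only credential used to identify the
     // user; it is always passed to the database as a bound parameter.
     // NOTE(review): how `session_hash` is generated, rotated and expired is
     // not visible here; confirm it is unpredictable and invalidated on logout.
     if ($sessionHash = Request::$cookies->get('traq')) {
         if ($this->currentProject) {
             // Also load the user's role for this project in the same query.
             $user = User::select('u.*')->addSelect('pur.project_role_id')->leftJoin('u', UserRole::tableName(), 'pur', 'pur.project_id = :project_id AND pur.user_id = u.id');
             $user->where('u.session_hash = :session_hash');
             $user->setParameter('project_id', $this->currentProject['id']);
             $user->setParameter('session_hash', $sessionHash);
             $this->currentUser = $user->fetch() ?: null;
         } else {
             $this->currentUser = User::find('session_hash', $sessionHash) ?: null;
         }
         $GLOBALS['current_user'] = $this->currentUser;
     } else {
         $GLOBALS['current_user'] = null;
     }
     // Resolved once per request and shared through $GLOBALS; both arguments
     // may be null (anonymous request and/or no project in the URL).
     $GLOBALS['permissions'] = Permission::getPermissions($this->currentUser, $this->currentProject);
     // Add Traq as first breadcrumb.
     $this->addCrumb(setting('title'), $this->generateUrl('root'));
     // Check if the user has permission to view the current project
     // NOTE(review): this overlaps with the 404 filter registered above; which
     // response the client sees depends on how `before` orders and
     // short-circuits filters, which is not visible in this block.
     if (isset($this->currentProject)) {
         $this->before('*', function () {
             if (!$this->hasPermission('view')) {
                 return $this->show403();
             }
         });
     }
     // If the user has a `sha1` hashed password, require them to change it because
     // as of Traq 4.1, only mcrypt passwords will work.
     // `currentUser` is null for anonymous requests; reading an offset on null
     // raises a notice/warning on PHP 7.4 and later, so check it first.
     if ($this->currentUser && $this->currentUser['password_ver'] == 'sha1') {
         $this->before('*', function () {
             // Only the password-change and session controllers stay reachable.
             if (Request::$properties['controller'] != 'Traq\\Controllers\\UserCP' && Request::$properties['controller'] != 'Traq\\Controllers\\Sessions') {
                 return $this->redirectTo('usercp_password');
             }
         });
     }
 }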
コード例 #2
ファイル: User.php プロジェクト: dasklney/traq
 /**
  * Check if the user can perform the requested action.
  *
  * Admins always pass. For everyone else the permission set for the project
  * is built on first use and cached on this instance; later sources win on
  * duplicate keys in the merge (defaults, then group, then project role).
  *
  * @param string  $action            Permission key to look up.
  * @param integer $projectId         Project the check applies to.
  * @param boolean $fetchProjectRoles When true, skip any `project_role_id`
  *                                   already on this object and resolve the
  *                                   role through `fetchProjectRolesIds()`.
  *
  * @return bool|null The stored value for the action, or null when the action
  *                   has no entry; callers should treat null as "denied".
  */
 public function hasPermission($action, $projectId, $fetchProjectRoles = false)
 {
     // Admins are godlike
     if ($this->is_admin) {
         return true;
     }

     // `isset()` is false for both a missing and a null entry, so this single
     // test covers "never computed" and "reset to null".
     if (!isset($this->permissions[$projectId])) {
         $this->permissions[$projectId] = null;

         // Group permissions come first ...
         $groupPermissions = Permission::getPermissions($projectId, $this->group_id);

         // ... then the role: either the one already loaded on this object, or
         // the one found by fetching the user's roles (also the fallback when
         // no role id is loaded).
         $hasLoadedRole = !$fetchProjectRoles && isset($this->project_role_id) && $this->project_role_id;
         $rolePermissions = [];
         if ($hasLoadedRole) {
             $rolePermissions = Permission::getPermissions($projectId, $this->project_role_id, 'role');
         } else {
             $projectRoles = $this->fetchProjectRolesIds();
             if (isset($projectRoles[$projectId])) {
                 $rolePermissions = Permission::getPermissions($projectId, $projectRoles[$projectId], 'role');
             }
         }

         // NOTE(review): this call uses `Permissions` (plural) while the calls
         // above use `Permission`; confirm both classes exist.
         $defaults = Permissions::getPermissions();
         $overrides = array_merge($groupPermissions, $rolePermissions);
         $this->permissions[$projectId] = array_merge($defaults, $overrides);
     }

     if (isset($this->permissions[$projectId][$action])) {
         return $this->permissions[$projectId][$action];
     }

     return null;
 }
コード例 #3
ファイル: common.php プロジェクト: nirix/traq
/**
 * Check whether the current user may perform an action.
 *
 * With a project, permissions are resolved for the current user and that
 * project; without one, the set stored in `$GLOBALS['permissions']` is used.
 *
 * @param string  $action  Permission key to look up.
 * @param Project $project Project to check against, or null for the global set.
 *
 * @return boolean|null The stored value for the action, or null when the
 *                      action has no entry; callers should treat null as
 *                      "denied".
 */
function hasPermission($action, Project $project = null)
{
    // Admins can do everything, regardless of permissions.
    if (currentUser() && currentUser()->isAdmin()) {
        return true;
    }

    if ($project) {
        $available = Permission::getPermissions(currentUser(), $project);
    } else {
        $available = $GLOBALS['permissions'];
    }

    if (isset($available[$action])) {
        return $available[$action];
    }

    return null;
}