static function createDefaultUserPermissionsAllDimension(Contact $user, $dimension_id, $remove_previous = true) { $role_id = $user->getUserType(); $permission_group_id = $user->getPermissionGroupId(); $dimension = Dimensions::getDimensionById($dimension_id); if (!$dimension instanceof Dimension || !$dimension->getDefinesPermissions()) { return; } try { $shtab_permissions = array(); $new_permissions = array(); $role_permissions = self::findAll(array('conditions' => "role_id = '{$role_id}'")); $members = Members::findAll(array('conditions' => 'dimension_id = ' . $dimension_id)); foreach ($members as $member) { $member_id = $member->getId(); if ($remove_previous) { ContactMemberPermissions::delete("permission_group_id = {$permission_group_id} AND member_id = {$member_id}"); } foreach ($role_permissions as $role_perm) { if ($member->canContainObject($role_perm->getObjectTypeId())) { $cmp = new ContactMemberPermission(); $cmp->setPermissionGroupId($permission_group_id); $cmp->setMemberId($member_id); $cmp->setObjectTypeId($role_perm->getObjectTypeId()); $cmp->setCanDelete($role_perm->getCanDelete()); $cmp->setCanWrite($role_perm->getCanWrite()); $cmp->save(); $new_permissions[] = $cmp; $perm = new stdClass(); $perm->m = $member_id; $perm->r = 1; $perm->w = $role_perm->getCanWrite(); $perm->d = $role_perm->getCanDelete(); $perm->o = $role_perm->getObjectTypeId(); $shtab_permissions[] = $perm; } } } if (count($shtab_permissions)) { $cdp = ContactDimensionPermissions::instance()->findOne(array('conditions' => "permission_group_id = '{$permission_group_id}' AND dimension_id = {$dimension_id}")); if (!$cdp instanceof ContactDimensionPermission) { $cdp = new ContactDimensionPermission(); $cdp->setPermissionGroupId($permission_group_id); $cdp->setContactDimensionId($dimension_id); $cdp->setPermissionType('check'); $cdp->save(); } else { if ($cdp->getPermissionType() == 'deny all') { $cdp->setPermissionType('check'); $cdp->save(); } } $stCtrl = new SharingTableController(); $stCtrl->afterPermissionChanged($permission_group_id, $shtab_permissions); } return $new_permissions; } catch (Exception $e) { throw $e; } }
static function userHasSystemPermission(Contact $user, $system_permission) { if ($user instanceof Contact && $user->isAdministrator()) { return true; } if (array_var(self::$permission_cache, $user->getId())) { if (array_key_exists($system_permission, self::$permission_cache[$user->getId()])) { return array_var(self::$permission_cache[$user->getId()], $system_permission); } } if (array_var(self::$permission_group_ids_cache, $user->getId())) { $contact_pg_ids = self::$permission_group_ids_cache[$user->getId()]; } else { $contact_pg_ids = ContactPermissionGroups::getPermissionGroupIdsByContactCSV($user->getId(), false); self::$permission_group_ids_cache[$user->getId()] = $contact_pg_ids; } $permission = self::findOne(array('conditions' => "`{$system_permission}` = 1 AND `permission_group_id` IN ({$contact_pg_ids})")); // check max system permission $max_role_system_permissions = MaxSystemPermissions::findOne(array('conditions' => 'permission_group_id = ' . $user->getUserType())); if ($max_role_system_permissions instanceof MaxSystemPermission) { $max_val = $max_role_system_permissions->getColumnValue($system_permission); if (!$max_val) { $permission = null; } } if (!array_var(self::$permission_cache, $user->getId())) { self::$permission_cache[$user->getId()] = array(); } if (!array_key_exists($system_permission, self::$permission_cache[$user->getId()])) { self::$permission_cache[$user->getId()][$system_permission] = !is_null($permission); } if (!is_null($permission)) { return true; } return false; }
/** * Check if this user can update this users permissions * * @param Contact $user * @return boolean */ function canUpdatePermissions(Contact $user) { if (!$this->isUser()) { return false; } $actual_user_type = array_var(self::$pg_cache, $user->getUserType()); if (!$actual_user_type) { $actual_user_type = PermissionGroups::instance()->findOne(array("conditions" => "id = " . $user->getUserType())); } $this_user_type = array_var(self::$pg_cache, $this->getUserType()); if (!$this_user_type) { $this_user_type = PermissionGroups::instance()->findOne(array("conditions" => "id = " . $this->getUserType())); } $can_change_type = $actual_user_type->getId() < $this_user_type->getId() || $user->isAdminGroup() && $this->getId() == $user->getId() || $user->isAdministrator(); return can_manage_security($user) && $can_change_type; }
/** * Enter description here ... * @param Contact $contact * @param array of ObjectType $types * @param array of int $members */ function grantAllPermissions(Contact $contact, $members) { if ($contact->getUserType() > 0 && count($members)) { $userType = $contact->getUserTypeName(); $permissions = array(); // TO fill sharing table $gid = $contact->getPermissionGroupId(); foreach ($members as $member_id) { //new $member = Members::findById($member_id); $dimension = $member->getDimension(); $types = array(); $member_types = DimensionObjectTypeContents::getContentObjectTypeIds($dimension->getId(), $member->getObjectTypeId()); if (count($member_types)) { switch ($userType) { case 'Super Administrator': case 'Administrator': case 'Manager': case 'Executive': $types = $member_types; break; case 'Collaborator Customer': case 'Non-Exec Director': foreach (ObjectTypes::findAll(array("conditions" => " name NOT IN ('mail') ")) as $type) { //TODO This sucks $types[] = $type->getId(); } break; case 'Internal Collaborator': case 'External Collaborator': foreach (ObjectTypes::findAll(array("conditions" => " name NOT IN ('mail','contact', 'report') ")) as $type) { //TODO This sucks $types[] = $type->getId(); } break; case 'Guest Customer': foreach (ObjectTypes::findAll(array("conditions" => " name IN ('message', 'weblink', 'event', 'file') ")) as $type) { //TODO This sucks $types[] = $type->getId(); } break; case 'Guest': foreach (ObjectTypes::findAll(array("conditions" => " name IN ('message', 'weblink', 'event') ")) as $type) { //TODO This sucks $types[] = $type->getId(); } break; } } foreach ($types as $type_id) { if (!ContactMemberPermissions::instance()->findOne(array("conditions" => "permission_group_id = {$gid}\tAND \n\t\t\t\t\t\t\tmember_id = {$member_id} AND \n\t\t\t\t\t\t\tobject_type_id = {$type_id}"))) { $cmp = new ContactMemberPermission(); $cmp->setPermissionGroupId($gid); $cmp->setMemberId($member_id); $cmp->setObjectTypeId($type_id); if ($userType != "Guest" && $userType != "Guest Customer") { $cmp->setCanWrite(1); $cmp->setCanDelete(1); } else { $cmp->setCanWrite(0); $cmp->setCanDelete(0); } $cmp->save(); $perm = new stdClass(); $perm->m = $member_id; $perm->r = 1; $perm->w = 1; $perm->d = 1; $perm->o = $type_id; $permissions[] = $perm; } } } if (count($permissions)) { $stCtrl = new SharingTableController(); $stCtrl->afterPermissionChanged($contact->getPermissionGroupId(), $permissions); } } }
private function cut_max_user_permissions(Contact $user) { $admin_pg = PermissionGroups::findOne(array('conditions' => "`name`='Super Administrator'")); $all_roles_max_permissions = RoleObjectTypePermissions::getAllRoleObjectTypePermissionsInfo(); $admin_perms = $all_roles_max_permissions[$admin_pg->getId()]; $all_object_types = array(); foreach ($admin_perms as &$aperm) { $all_object_types[] = $aperm['object_type_id']; } $max_permissions = array_var($all_roles_max_permissions, $user->getUserType()); $pg_id = $user->getPermissionGroupId(); foreach ($all_object_types as $ot) { if (!$ot) { continue; } $max = array_var($max_permissions, $ot); if (!$max) { // cannot read -> delete in contact_member_permissions $sql = "DELETE FROM " . TABLE_PREFIX . "contact_member_permissions WHERE permission_group_id={$pg_id} AND object_type_id={$ot}"; DB::execute($sql); } else { // cut can_delete and can_write using max permissions $can_d = $max['can_delete'] ? "1" : "0"; $can_w = $max['can_write'] ? "1" : "0"; $sql = "UPDATE " . TABLE_PREFIX . "contact_member_permissions\r\n\t\t\t\tSET can_delete=(can_delete AND {$can_d}), can_write=(can_write AND {$can_w})\r\n\t\t\t\tWHERE permission_group_id={$pg_id} AND object_type_id={$ot}"; DB::execute($sql); } } // rebuild sharing table for permission group $pg_id $cmp_rows = DB::executeAll("SELECT * FROM " . TABLE_PREFIX . "contact_member_permissions WHERE permission_group_id={$pg_id}"); $permissions_array = array(); foreach ($cmp_rows as $row) { $p = new stdClass(); $p->m = array_var($row, 'member_id'); $p->o = array_var($row, 'object_type_id'); $p->d = array_var($row, 'can_delete'); $p->w = array_var($row, 'can_write'); $p->r = 1; $permissions[] = $p; } $sharing_table_controller = new SharingTableController(); $sharing_table_controller->after_permission_changed($pg_id, $permissions_array); }
/** * Return true is $user can access an $object. False otherwise. * * @param Contact $user * @param array $members * @param $object_type_id * @return boolean */ function can_access(Contact $user, $members, $object_type_id, $access_level, $allow_super_admin = true) { if ($allow_super_admin && $user->isAdministrator()) { return true; } $write = $access_level == ACCESS_LEVEL_WRITE; $delete = $access_level == ACCESS_LEVEL_DELETE; if ($user->isGuest() && $access_level != ACCESS_LEVEL_READ) { return false; } try { $contact_pg_ids = ContactPermissionGroups::getPermissionGroupIdsByContactCSV($user->getId(), false); $allow_all_cache = array(); $dimension_query_methods = array(); // if no manageable member then check if user has permissions wihout classifying $manageable_members = array(); foreach ($members as $mem) { if ($mem instanceof Member && $mem->getDimension()->getIsManageable() && $mem->getDimension()->getDefinesPermissions()) { $manageable_members[] = $mem->getId(); } } if (count($manageable_members) == 0) { $return = false; if (config_option('let_users_create_objects_in_root') && $contact_pg_ids != "" && ($user->isAdminGroup() || $user->isExecutive() || $user->isManager())) { $cond = $delete ? 'AND can_delete = 1' : ($write ? 'AND can_write = 1' : ''); $cmp = ContactMemberPermissions::findOne(array('conditions' => "member_id=0 AND object_type_id={$object_type_id} AND permission_group_id IN ({$contact_pg_ids}) {$cond}")); $return = $cmp instanceof ContactMemberPermission; } return $return; } $max_role_ot_perm = MaxRoleObjectTypePermissions::instance()->findOne(array('conditions' => "object_type_id='{$object_type_id}' AND role_id = '" . $user->getUserType() . "'")); $enabled_dimensions = config_option('enabled_dimensions'); $dimension_permissions = array(); foreach ($members as $k => $m) { if (!$m instanceof Member) { unset($members[$k]); continue; } $dimension = $m->getDimension(); if (!$dimension->getDefinesPermissions() || !in_array($dimension->getId(), $enabled_dimensions)) { continue; } $dimension_id = $dimension->getId(); if (!isset($dimension_permissions[$dimension_id])) { $dimension_permissions[$dimension_id] = false; } if (!$dimension_permissions[$dimension_id]) { if ($m->canContainObject($object_type_id)) { if (!isset($dimension_query_methods[$dimension->getId()])) { $dimension_query_methods[$dimension->getId()] = $dimension->getPermissionQueryMethod(); } //dimension defines permissions and user has maximum level of permissions if (isset($allow_all_cache[$dimension_id])) { $allow_all = $allow_all_cache[$dimension_id]; } else { $allow_all = $dimension->hasAllowAllForContact($contact_pg_ids); $allow_all_cache[$dimension_id] = $allow_all; } if ($allow_all) { $dimension_permissions[$dimension_id] = true; } //check individual members if (!$dimension_permissions[$dimension_id] && ContactMemberPermissions::contactCanReadObjectTypeinMember($contact_pg_ids, $m->getId(), $object_type_id, $write, $delete, $user)) { if ($max_role_ot_perm) { if ($access_level == ACCESS_LEVEL_DELETE && $max_role_ot_perm->getCanDelete() || $access_level == ACCESS_LEVEL_WRITE && $max_role_ot_perm->getCanWrite() || $access_level == ACCESS_LEVEL_READ) { $dimension_permissions[$dimension_id] = true; } } } } else { unset($dimension_permissions[$dimension_id]); } } } $allowed = true; // check that user has permissions in all mandatory query method dimensions $mandatory_count = 0; foreach ($dimension_query_methods as $dim_id => $qmethod) { if (!in_array($dim_id, $enabled_dimensions)) { continue; } if ($qmethod == DIMENSION_PERMISSION_QUERY_METHOD_MANDATORY) { $mandatory_count++; if (!array_var($dimension_permissions, $dim_id)) { // if one of the members belong to a mandatory dimension and user does not have permissions on it then return false return false; } } } // If no members in mandatory dimensions then check for not mandatory ones if ($allowed && $mandatory_count == 0) { foreach ($dimension_query_methods as $dim_id => $qmethod) { if ($qmethod == DIMENSION_PERMISSION_QUERY_METHOD_NOT_MANDATORY) { if (array_var($dimension_permissions, $dim_id)) { // if has permissions over any member of a non mandatory dimension then return true return true; } else { $allowed = false; } } } } if ($allowed && count($dimension_permissions)) { return true; } // Si hasta aca tienen perm en todas las dim, return true. Si hay alguna que no tiene perm sigo //Check Context Permissions $member_ids = array(); foreach ($members as $member_obj) { $member_ids[] = $member_obj->getId(); } $allowed_members = ContactMemberPermissions::getActiveContextPermissions($user, $object_type_id, $members, $member_ids, $write, $delete); $count = 0; foreach ($members as $m) { $count++; if (!in_array($m->getId(), $allowed_members)) { return false; } else { if ($count == count($members)) { return true; } } } } catch (Exception $e) { tpl_assign('error', $e); return false; } return false; }
function create_user($user_data, $permissionsString, $rp_permissions_data = array(), $save_permissions = true) { // try to find contact by some properties $contact_id = array_var($user_data, "contact_id"); $contact = Contacts::instance()->findById($contact_id); if (!is_valid_email(array_var($user_data, 'email'))) { throw new Exception(lang("email value is required")); } if (!$contact instanceof Contact) { // Create a new user $contact = new Contact(); $contact->setUsername(array_var($user_data, 'username')); $contact->setDisplayName(array_var($user_data, 'display_name')); $contact->setCompanyId(array_var($user_data, 'company_id')); $contact->setUserType(array_var($user_data, 'type')); $contact->setTimezone(array_var($user_data, 'timezone')); $contact->setFirstname($contact->getObjectName() != "" ? $contact->getObjectName() : $contact->getUsername()); $contact->setObjectName(); $user_from_contact = false; } else { // Create user from contact $contact->setUserType(array_var($user_data, 'type')); if (array_var($user_data, 'company_id')) { $contact->setCompanyId(array_var($user_data, 'company_id')); } $contact->setUsername(array_var($user_data, 'username')); $contact->setTimezone(array_var($user_data, 'timezone')); $user_from_contact = true; } $contact->save(); if (is_valid_email(array_var($user_data, 'email'))) { $user = Contacts::getByEmail(array_var($user_data, 'email')); if (!$user) { $contact->addEmail(array_var($user_data, 'email'), 'personal', true); } } //permissions $additional_name = ""; $tmp_pg = PermissionGroups::findOne(array('conditions' => "`name`='User " . $contact->getId() . " Personal'")); if ($tmp_pg instanceof PermissionGroup) { $additional_name = "_" . gen_id(); } $permission_group = new PermissionGroup(); $permission_group->setName('User ' . $contact->getId() . $additional_name . ' Personal'); $permission_group->setContactId($contact->getId()); $permission_group->setIsContext(false); $permission_group->setType("permission_groups"); $permission_group->save(); $contact->setPermissionGroupId($permission_group->getId()); $null = null; Hook::fire('on_create_user_perm_group', $permission_group, $null); $contact_pg = new ContactPermissionGroup(); $contact_pg->setContactId($contact->getId()); $contact_pg->setPermissionGroupId($permission_group->getId()); $contact_pg->save(); if (can_manage_security(logged_user())) { $sp = new SystemPermission(); if (!$user_from_contact) { $rol_permissions = SystemPermissions::getRolePermissions(array_var($user_data, 'type')); if (is_array($rol_permissions)) { foreach ($rol_permissions as $pr) { $sp->setPermission($pr); } } } $sp->setPermissionGroupId($permission_group->getId()); if (isset($user_data['can_manage_security'])) { $sp->setCanManageSecurity(array_var($user_data, 'can_manage_security')); } if (isset($user_data['can_manage_configuration'])) { $sp->setCanManageConfiguration(array_var($user_data, 'can_manage_configuration')); } if (isset($user_data['can_manage_templates'])) { $sp->setCanManageTemplates(array_var($user_data, 'can_manage_templates')); } if (isset($user_data['can_manage_time'])) { $sp->setCanManageTime(array_var($user_data, 'can_manage_time')); } if (isset($user_data['can_add_mail_accounts'])) { $sp->setCanAddMailAccounts(array_var($user_data, 'can_add_mail_accounts')); } if (isset($user_data['can_manage_dimensions'])) { $sp->setCanManageDimensions(array_var($user_data, 'can_manage_dimensions')); } if (isset($user_data['can_manage_dimension_members'])) { $sp->setCanManageDimensionMembers(array_var($user_data, 'can_manage_dimension_members')); } if (isset($user_data['can_manage_tasks'])) { $sp->setCanManageTasks(array_var($user_data, 'can_manage_tasks')); } if (isset($user_data['can_task_assignee'])) { $sp->setCanTasksAssignee(array_var($user_data, 'can_task_assignee')); } if (isset($user_data['can_manage_billing'])) { $sp->setCanManageBilling(array_var($user_data, 'can_manage_billing')); } if (isset($user_data['can_view_billing'])) { $sp->setCanViewBilling(array_var($user_data, 'can_view_billing')); } if (isset($user_data['can_see_assigned_to_other_tasks'])) { $sp->setColumnValue('can_see_assigned_to_other_tasks', array_var($user_data, 'can_see_assigned_to_other_tasks')); } Hook::fire('add_user_permissions', $sp, $other_permissions); if (!is_null($other_permissions) && is_array($other_permissions)) { foreach ($other_permissions as $k => $v) { $sp->setColumnValue($k, array_var($user_data, $k)); } } $sp->save(); $permissions_sent = array_var($_POST, 'manual_permissions_setted') == 1; // give permissions for user if user type defined in "give_member_permissions_to_new_users" config option $allowed_user_type_ids = config_option('give_member_permissions_to_new_users'); if ($contact->isAdministrator() || !$permissions_sent && in_array($contact->getUserType(), $allowed_user_type_ids)) { ini_set('memory_limit', '512M'); $permissions = array(); $default_permissions = RoleObjectTypePermissions::instance()->findAll(array('conditions' => 'role_id = ' . $contact->getUserType())); $dimensions = Dimensions::findAll(); foreach ($dimensions as $dimension) { if ($dimension->getDefinesPermissions()) { $cdp = ContactDimensionPermissions::findOne(array("conditions" => "`permission_group_id` = " . $contact->getPermissionGroupId() . " AND `dimension_id` = " . $dimension->getId())); if (!$cdp instanceof ContactDimensionPermission) { $cdp = new ContactDimensionPermission(); $cdp->setPermissionGroupId($contact->getPermissionGroupId()); $cdp->setContactDimensionId($dimension->getId()); } $cdp->setPermissionType('check'); $cdp->save(); // contact member permisssion entries $members = DB::executeAll('SELECT * FROM ' . TABLE_PREFIX . 'members WHERE dimension_id=' . $dimension->getId()); foreach ($members as $member) { foreach ($default_permissions as $p) { // Add persmissions to sharing table $perm = new stdClass(); $perm->m = $member['id']; $perm->r = 1; $perm->w = $p->getCanWrite(); $perm->d = $p->getCanDelete(); $perm->o = $p->getObjectTypeId(); $permissions[] = $perm; } } } } $_POST['permissions'] = json_encode($permissions); } else { if ($permissions_sent) { $_POST['permissions'] = $permissionsString; } else { $_POST['permissions'] = ""; } } if (config_option('let_users_create_objects_in_root') && ($contact->isAdminGroup() || $contact->isExecutive() || $contact->isManager())) { if ($permissions_sent) { foreach ($rp_permissions_data as $name => $value) { $ot_id = substr($name, strrpos($name, '_') + 1); $cmp = new ContactMemberPermission(); $cmp->setPermissionGroupId($permission_group->getId()); $cmp->setMemberId(0); $cmp->setObjectTypeId($ot_id); $cmp->setCanDelete($value >= 3); $cmp->setCanWrite($value >= 2); $cmp->save(); } } else { $default_permissions = RoleObjectTypePermissions::instance()->findAll(array('conditions' => 'role_id = ' . $contact->getUserType())); foreach ($default_permissions as $p) { $cmp = new ContactMemberPermission(); $cmp->setPermissionGroupId($permission_group->getId()); $cmp->setMemberId(0); $cmp->setObjectTypeId($p->getObjectTypeId()); $cmp->setCanDelete($p->getCanDelete()); $cmp->setCanWrite($p->getCanWrite()); $cmp->save(); } } } } if (!isset($_POST['sys_perm']) && !$user_from_contact) { $rol_permissions = SystemPermissions::getRolePermissions(array_var($user_data, 'type')); $_POST['sys_perm'] = array(); if (is_array($rol_permissions)) { foreach ($rol_permissions as $pr) { $_POST['sys_perm'][$pr] = 1; } } } if (!isset($_POST['mod_perm']) && !$user_from_contact) { $tabs_permissions = TabPanelPermissions::getRoleModules(array_var($user_data, 'type')); $_POST['mod_perm'] = array(); foreach ($tabs_permissions as $pr) { $_POST['mod_perm'][$pr] = 1; } } $password = ''; if (array_var($user_data, 'password_generator') == 'specify') { $perform_password_validation = true; // Validate input $password = array_var($user_data, 'password'); if (trim($password) == '') { throw new Error(lang('password value required')); } // if if ($password != array_var($user_data, 'password_a')) { throw new Error(lang('passwords dont match')); } // if } else { $user_data['password_generator'] = 'link'; $perform_password_validation = false; } $contact->setPassword($password); $contact->save(); $user_password = new ContactPassword(); $user_password->setContactId($contact->getId()); $user_password->setPasswordDate(DateTimeValueLib::now()); $user_password->setPassword(cp_encrypt($password, $user_password->getPasswordDate()->getTimestamp())); $user_password->password_temp = $password; $user_password->perform_validation = $perform_password_validation; $user_password->save(); if (array_var($user_data, 'autodetect_time_zone', 1) == 1) { set_user_config_option('autodetect_time_zone', 1, $contact->getId()); } /* create contact for this user*/ ApplicationLogs::createLog($contact, ApplicationLogs::ACTION_ADD); // Set role permissions for active members $active_context = active_context(); $sel_members = array(); if (is_array($active_context) && !$permissions_sent) { $tmp_perms = array(); if ($_POST['permissions'] != "") { $tmp_perms = json_decode($_POST['permissions']); } foreach ($active_context as $selection) { if ($selection instanceof Member) { $sel_members[] = $selection; $has_project_permissions = ContactMemberPermissions::instance()->count("permission_group_id = '" . $contact->getPermissionGroupId() . "' AND member_id = " . $selection->getId()) > 0; if (!$has_project_permissions) { $new_cmps = RoleObjectTypePermissions::createDefaultUserPermissions($contact, $selection); foreach ($new_cmps as $new_cmp) { $perm = new stdClass(); $perm->m = $new_cmp->getMemberId(); $perm->r = 1; $perm->w = $new_cmp->getCanWrite(); $perm->d = $new_cmp->getCanDelete(); $perm->o = $new_cmp->getObjectTypeId(); $tmp_perms[] = $perm; } } } } if (count($tmp_perms) > 0) { $_POST['permissions'] = json_encode($tmp_perms); } } if ($save_permissions) { //save_permissions($contact->getPermissionGroupId(), $contact->isGuest()); save_user_permissions_background(logged_user(), $contact->getPermissionGroupId(), $contact->isGuest()); } Hook::fire('after_user_add', $contact, $null); // add user content object to associated members if (count($sel_members) > 0) { ObjectMembers::addObjectToMembers($contact->getId(), $sel_members); $contact->addToSharingTable(); } return $contact; }