예제 #1
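 /**
  * Smoke test for the DM\UsersGroups lookup helpers.
  *
  * Each static getter is called once and only the emptiness of its result
  * is checked; the returned content itself is not inspected.
  *
  * The ids passed to getMemberGroupIds() and getGroupUserIds() are
  * hard-coded, so the outcome depends on the fixture data the suite runs
  * against. Judging by the assertion message, id 2 is presumably the
  * "everyone" system group -- TODO confirm against the fixtures.
  *
  * @return void
  */
 public function testCovering()
 {
     // Listing getters are expected to return something.
     $this->assertNotEmpty(DM\UsersGroups::getAvailableGroups(), 'Empty groups');
     $this->assertNotEmpty(DM\UsersGroups::getAvailableUsers(), 'Empty users');

     // Membership lookups for the fixture ids are expected to come back empty.
     // These two results feed access evaluation, so a regression here changes
     // which ACL rows a principal picks up.
     $this->assertEmpty(DM\UsersGroups::getMemberGroupIds(1), 'Empty member groups');
     $this->assertEmpty(DM\UsersGroups::getGroupUserIds(2), '!Empty group users for everyone');

     $this->assertNotEmpty(DM\UsersGroups::getDisplayData(), 'Display data');
 }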
예제 #2
 /**
  * Returns a two-dimensional array of estimated access bits, taken from the object ACL, for a user or group.
  *
  * Used for access display in the interface.
  * The returned array has two elements:
  *   first  - array of bits for allow access
  *   second - array of bits for deny access
  * Both arrays hold 12 slots (index 0 = lowest bit of the stored mask).
  * Each slot can have one of the following values:
  *   -2 - deny, inherited from a parent
  *   -1 - deny, directly set for the object
  *    0 - not set
  *    1 - allow, directly set for the object
  *    2 - allow, inherited from a parent
  *
  *   Permission Precedence:
  *       Explicit Deny (access set for input object_id, not estimated in summary with near accesses for input object_id)
  *       Explicit Allow (access set for input object_id, not estimated in summary with near accesses for input object_id)
  *       Inherited Deny (access inherited from all parents)
  *       Inherited Allow (access inherited from all parents)
  *
  * Precedence is implemented as "first writer wins": a slot is filled only
  * while both its allow and deny entries are still 0, so whichever ACL row is
  * examined first for a bit decides it. The order of examination is therefore
  * the security contract of this method.
  *
  * @param mixed $object_id     id of the tree node whose ACL is evaluated
  * @param mixed $user_group_id id of the user or group; false means the current user (User::getId())
  * @return array array(allowSlots, denySlots) as described above
  */
 private static function getUserGroupAccessForObject($object_id, $user_group_id = false)
 {
     /* if no user is specified as parameter then calculate for the currently logged-in user */
     if ($user_group_id === false) {
         $user_group_id = User::getId();
     }
     /* preparing the result array (filling it with zeroes): [0] = allow slots, [1] = deny slots */
     $rez = array(array_fill(0, 12, 0), array_fill(0, 12, 0));
     /* principals to evaluate: the requested id plus the "everyone" system group */
     $user_group_ids = array($user_group_id);
     $everyoneGroupId = static::getSystemGroupId('everyone');
     if ($user_group_id !== $everyoneGroupId) {
         $user_group_ids[] = $everyoneGroupId;
     }
     /* getting the node ids stored in the security set of the object
        (a comma separated list; presumably the inheritance path -- confirm against the schema) */
     $ids = array();
     $res = DB\dbQuery('SELECT ts.set `ids`
         FROM tree_info ti
         JOIN tree_acl_security_sets ts ON ti.security_set_id = ts.id
         WHERE ti.id = $1', $object_id);
     if ($r = $res->fetch_assoc()) {
         $ids = explode(',', $r['ids']);
     }
     $res->close();
     /* reversing array for iterations from object to top parent */
     $ids = array_reverse($ids);
     /* getting group ids where passed $user_group_id is a member */
     $user_group_ids = array_merge($user_group_ids, DM\UsersGroups::getMemberGroupIds($user_group_id));
     $user_group_ids = array_unique($user_group_ids);
     $user_group_ids = Util\toNumericArray($user_group_ids);
     /* end of getting group ids where passed $user_group_id is a member */
     /* node id => position in the reversed list (0 = first node after the reverse) */
     $acl_order = array_flip($ids);
     /* $acl[position][user_group_id] = array(allow mask, deny mask) */
     $acl = array();
     // selecting the access list set for our path ids
     // NOTE(review): both IN (...) lists are built by string concatenation.
     //   $user_group_ids goes through Util\toNumericArray() first, but $ids is
     //   concatenated exactly as read from tree_acl_security_sets.set. If that
     //   column can ever hold non-numeric text this is a second-order SQL
     //   injection point -- consider filtering $ids to integers as well.
     // NOTE(review): the literal 0 is glued to the first id without a comma
     //   ("0" . "5,3" gives "05,3"); it keeps the list non-empty when $ids is
     //   empty and relies on the database reading "05" as 5 -- confirm.
     // NOTE(review): there is no such guard for $user_group_ids; whether
     //   Util\toNumericArray() can return an empty array is not visible here.
     $res = DB\dbQuery('SELECT
             node_id
             ,user_group_id
             ,allow
             ,deny
         FROM tree_acl
         WHERE node_id IN (0' . implode(',', $ids) . ')
             AND user_group_id IN (' . implode(',', $user_group_ids) . ')');
     while ($r = $res->fetch_assoc()) {
         $acl[$acl_order[$r['node_id']]][$r['user_group_id']] = array($r['allow'], $r['deny']);
     }
     $res->close();
     /* now iterating the $acl table, position by position, to determine the final set of bits */
     $set_bits = 0; // number of slots already decided; the loop stops once all 12 are filled
     $i = 0;
     ksort($acl, SORT_NUMERIC);
     reset($acl);
     while (current($acl) !== false && $set_bits < 12) {
         $i = key($acl);
         // a level counts as inherited when it is not position 0, or when the
         // object itself is not part of the security set; as a boolean it is
         // added to 1 below, giving 1 (direct) or 2 (inherited)
         $inherited = $i > 0 || !isset($acl_order[$object_id]);
         // allow bits granted on this level by the row of the requested principal itself
         $allowDirectAccess = array_fill(0, 12, 0);
         /* first check whether access is specified directly for the passed user_group_id;
            its deny mask is applied before its allow mask, so deny wins within the same row */
         if (!empty($acl[$i][$user_group_id])) {
             $deny = intval($acl[$i][$user_group_id][1]);
             for ($j = 0; $j < sizeof($rez[1]); $j++) {
                 if (empty($rez[0][$j]) && empty($rez[1][$j]) && $deny & 1) {
                     $rez[1][$j] = -(1 + $inherited);
                     $set_bits++;
                 }
                 $deny = $deny >> 1;
             }
             $allow = intval($acl[$i][$user_group_id][0]);
             for ($j = 0; $j < sizeof($rez[0]); $j++) {
                 if (empty($rez[0][$j]) && empty($rez[1][$j]) && $allow & 1) {
                     $rez[0][$j] = 1 + $inherited;
                     $allowDirectAccess[$j] = 1 + $inherited;
                     $set_bits++;
                 }
                 $allow = $allow >> 1;
             }
         }
         /* on the level of the input object_id itself only the row of the
            requested user_group counts: rows of other groups (including
            "everyone") on that same level are skipped */
         if (isset($acl_order[$object_id]) && $acl_order[$object_id] == $i) {
             next($acl);
             continue;
         }
         if (!empty($acl[$i])) {
             // NOTE(review): groups are visited in the order their rows came back
             //   from the query above, which has no ORDER BY. Because the first
             //   writer wins, a conflict between two groups on the same level
             //   (one allows a bit, another denies it) is decided by row order --
             //   an allow can beat a deny here. Confirm this is intended.
             foreach ($acl[$i] as $key => $value) {
                 if ($key == $user_group_id || $key == $everyoneGroupId) {
                     // skip the direct row because it was analyzed above; the everyone group is analyzed last
                     continue;
                 }
                 $deny = intval($value[1]);
                 for ($j = 0; $j < sizeof($rez[1]); $j++) {
                     if (empty($rez[0][$j]) && empty($rez[1][$j]) && $deny & 1 && empty($allowDirectAccess[$j])) {
                         // set deny access only if allow was not set directly for that credential
                         // NOTE(review): $allowDirectAccess[$j] is only ever set together with
                         //   $rez[0][$j], so the empty($rez[0][$j]) test already covers it
                         $rez[1][$j] = -(1 + $inherited);
                         $set_bits++;
                     }
                     $deny = $deny >> 1;
                 }
                 $allow = intval($value[0]);
                 for ($j = 0; $j < sizeof($rez[0]); $j++) {
                     if (empty($rez[0][$j]) && empty($rez[1][$j]) && $allow & 1) {
                         $rez[0][$j] = 1 + $inherited;
                         $set_bits++;
                     }
                     $allow = $allow >> 1;
                 }
             }
         }
         // now analyze the everyone group row if present; reached only for levels
         // other than the object's own (see the continue above), and only after
         // every other group on the level, so it has the lowest priority there
         if (!empty($acl[$i][$everyoneGroupId])) {
             $value = $acl[$i][$everyoneGroupId];
             $deny = intval($value[1]);
             for ($j = 0; $j < sizeof($rez[1]); $j++) {
                 if (empty($rez[0][$j]) && empty($rez[1][$j]) && $deny & 1 && empty($allowDirectAccess[$j])) {
                     // set deny access only if allow was not set directly for that credential
                     $rez[1][$j] = -(1 + $inherited);
                     $set_bits++;
                 }
                 $deny = $deny >> 1;
             }
             $allow = intval($value[0]);
             for ($j = 0; $j < sizeof($rez[0]); $j++) {
                 if (empty($rez[0][$j]) && empty($rez[1][$j]) && $allow & 1) {
                     $rez[0][$j] = 1 + $inherited;
                     $set_bits++;
                 }
                 $allow = $allow >> 1;
             }
         }
         next($acl);
     }
     return $rez;
 }