/**
 * Coverage test for the DM\UsersGroups lookups.
 *
 * Only the emptiness of each result is asserted, never its content.
 *
 * @return void
 */
public function testCovering()
{
    // lookups that are expected to return something
    $groups = DM\UsersGroups::getAvailableGroups();
    $this->assertTrue(empty($groups) === false, 'Empty groups');

    $users = DM\UsersGroups::getAvailableUsers();
    $this->assertTrue(empty($users) === false, 'Empty users');

    // lookups that are expected to come back empty:
    // id 1 must not be a member of any group
    $memberGroups = DM\UsersGroups::getMemberGroupIds(1);
    $this->assertTrue(empty($memberGroups), 'Empty member groups');

    // NOTE(review): the failure message suggests id 2 is the "everyone"
    // group in the test fixture - confirm against the fixture data
    $groupUsers = DM\UsersGroups::getGroupUserIds(2);
    $this->assertTrue(empty($groupUsers), '!Empty group users for everyone');

    $displayData = DM\UsersGroups::getDisplayData();
    $this->assertTrue(empty($displayData) === false, 'Display data');
}
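/**
 * Returns an estimated two-dimensional array of access bits, taken from the
 * object's acl, for a user or group.
 *
 * Used for access display in the interface.
 * The returned array has two elements, each an array of 12 integers:
 *   first  - bits for allow access
 *   second - bits for deny access
 * Each bit can have the following values:
 *   -2 - deny, inherited from a parent
 *   -1 - deny, directly set for the object
 *    0 - not set
 *    1 - allow, directly set for the object
 *    2 - allow, inherited from a parent
 *
 * Permission precedence:
 *   Explicit deny   (access set for the input object_id itself)
 *   Explicit allow  (access set for the input object_id itself)
 *   Inherited deny  (access inherited from all parents)
 *   Inherited allow (access inherited from all parents)
 *
 * Levels are visited from the object towards the top parent, and a bit that
 * was decided at one level is never overwritten by a later level. On the
 * object's own level only the entry of $user_group_id itself is considered.
 *
 * Security note: the object id is passed to the database as a bound
 * parameter, but both IN (...) lists of the tree_acl query are built by
 * string concatenation. Every element of those lists is therefore reduced to
 * a plain number before the query text is assembled.
 *
 * @param mixed $object_id     id of the tree node whose acl is evaluated
 * @param mixed $user_group_id user or group id; false (default) means the
 *                             id returned by User::getId()
 *
 * @return array array(allowBits, denyBits) as described above
 */
private static function getUserGroupAccessForObject($object_id, $user_group_id = false)
{
    /* if no user is specified as parameter then calculating for the currently logged in user */
    if ($user_group_id === false) {
        $user_group_id = User::getId();
    }

    /* preparing result array (filling it with zeroes) */
    $rez = array(array_fill(0, 12, 0), array_fill(0, 12, 0));

    $user_group_ids = array($user_group_id);
    $everyoneGroupId = static::getSystemGroupId('everyone');
    if ($user_group_id !== $everyoneGroupId) {
        $user_group_ids[] = $everyoneGroupId;
    }

    /* getting object ids that have inherit set to true */
    $ids = array();
    $res = DB\dbQuery(
        'SELECT ts.set `ids` FROM tree_info ti '
        . 'JOIN tree_acl_security_sets ts ON ti.security_set_id = ts.id '
        . 'WHERE ti.id = $1',
        $object_id
    );
    if ($r = $res->fetch_assoc()) {
        /* The stored set is concatenated into the next query, so keep only
         * plain decimal ids. A well-formed "1,2,3" set is left unchanged;
         * anything else (empty pieces, non-numeric text) is dropped instead
         * of reaching the SQL text. */
        $ids = array_values(
            array_filter(
                array_map('trim', explode(',', (string) $r['ids'])),
                'ctype_digit'
            )
        );
    }
    $res->close();

    /* reversing array for iterations from object to top parent */
    $ids = array_reverse($ids);

    /* getting group ids where passed $user_group_id is a member */
    $user_group_ids = array_merge($user_group_ids, DM\UsersGroups::getMemberGroupIds($user_group_id));
    $user_group_ids = array_unique($user_group_ids);
    $user_group_ids = Util\toNumericArray($user_group_ids);
    /* end of getting group ids where passed $user_group_id is a member */

    /* node id => level, level 0 being the node closest to the object */
    $acl_order = array_flip($ids);
    $acl = array();

    // Selecting the access list set for our path ids.
    // The literal 0 in front of the node list keeps "IN (...)" valid when
    // $ids is empty; otherwise it only becomes a leading zero of the first id.
    // NOTE(review): an empty $user_group_ids would still yield "IN ()" -
    // confirm Util\toNumericArray() cannot return an empty list here.
    // NOTE(review): with an empty $ids the list is "IN (0)"; a tree_acl row
    // with node_id 0 would have no entry in $acl_order - confirm none exist.
    $res = DB\dbQuery(
        'SELECT node_id ,user_group_id ,allow ,deny FROM tree_acl WHERE node_id IN (0'
        . implode(',', $ids)
        . ') AND user_group_id IN ('
        . implode(',', $user_group_ids)
        . ')'
    );
    while ($r = $res->fetch_assoc()) {
        $acl[$acl_order[$r['node_id']]][$r['user_group_id']] = array($r['allow'], $r['deny']);
    }
    $res->close();

    /* now iterating the $acl table and determining the final set of bits */
    $set_bits = 0;
    $i = 0;
    ksort($acl, SORT_NUMERIC);
    reset($acl);
    /* stop as soon as all 12 bits are decided */
    while (current($acl) !== false && $set_bits < 12) {
        $i = key($acl);
        /* every level is inherited except level 0 when the object itself is part of the set */
        $inherited = $i > 0 || !isset($acl_order[$object_id]);
        $allowDirectAccess = array_fill(0, 12, 0);

        /* check firstly if direct access is specified for passed user_group_id */
        if (!empty($acl[$i][$user_group_id])) {
            /* deny is applied before allow, so on the same level deny wins;
             * "$deny & 1" binds tighter than "&&" and tests the lowest bit */
            $deny = intval($acl[$i][$user_group_id][1]);
            for ($j = 0; $j < sizeof($rez[1]); $j++) {
                if (empty($rez[0][$j]) && empty($rez[1][$j]) && $deny & 1) {
                    /* -1 when direct, -2 when inherited (boolean used as 0/1) */
                    $rez[1][$j] = -(1 + $inherited);
                    $set_bits++;
                }
                $deny = $deny >> 1;
            }

            $allow = intval($acl[$i][$user_group_id][0]);
            for ($j = 0; $j < sizeof($rez[0]); $j++) {
                if (empty($rez[0][$j]) && empty($rez[1][$j]) && $allow & 1) {
                    $rez[0][$j] = 1 + $inherited;
                    $allowDirectAccess[$j] = 1 + $inherited;
                    $set_bits++;
                }
                $allow = $allow >> 1;
            }
        }

        /* if we have direct access specified to requested user_group for input object_id
           then return just this direct access
           and exclude any other access at the same level (for our object_id) */
        if (isset($acl_order[$object_id]) && $acl_order[$object_id] == $i) {
            next($acl);
            continue;
        }

        if (!empty($acl[$i])) {
            foreach ($acl[$i] as $key => $value) {
                if ($key == $user_group_id || $key == $everyoneGroupId) {
                    // skip the direct access setting because it was analyzed above,
                    // and the everyone group id will be analyzed last
                    continue;
                }

                $deny = intval($value[1]);
                for ($j = 0; $j < sizeof($rez[1]); $j++) {
                    if (empty($rez[0][$j]) && empty($rez[1][$j]) && $deny & 1 && empty($allowDirectAccess[$j])) {
                        // set deny access only if allow access is not set directly for that credential
                        $rez[1][$j] = -(1 + $inherited);
                        $set_bits++;
                    }
                    $deny = $deny >> 1;
                }

                $allow = intval($value[0]);
                for ($j = 0; $j < sizeof($rez[0]); $j++) {
                    if (empty($rez[0][$j]) && empty($rez[1][$j]) && $allow & 1) {
                        $rez[0][$j] = 1 + $inherited;
                        $set_bits++;
                    }
                    $allow = $allow >> 1;
                }
            }
        }

        // now analyze the everyone group id if set, but only for higher levels (inherited parents)
        if (!empty($acl[$i][$everyoneGroupId])) {
            $value = $acl[$i][$everyoneGroupId];

            $deny = intval($value[1]);
            for ($j = 0; $j < sizeof($rez[1]); $j++) {
                if (empty($rez[0][$j]) && empty($rez[1][$j]) && $deny & 1 && empty($allowDirectAccess[$j])) {
                    // set deny access only if allow access is not set directly for that credential
                    $rez[1][$j] = -(1 + $inherited);
                    $set_bits++;
                }
                $deny = $deny >> 1;
            }

            $allow = intval($value[0]);
            for ($j = 0; $j < sizeof($rez[0]); $j++) {
                if (empty($rez[0][$j]) && empty($rez[1][$j]) && $allow & 1) {
                    $rez[0][$j] = 1 + $inherited;
                    $set_bits++;
                }
                $allow = $allow >> 1;
            }
        }

        next($acl);
    }

    return $rez;
}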