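 /**
  * Restricts a select query to the rows the current user may edit.
  *
  * Deities are never restricted. A user lacking the module/edit permission
  * gets a forced negative (WHERE 1=0). A user with unrestricted rights in the
  * module gets no extra clause. Everyone else is limited, through the 'key_1'
  * where-group, to: rows whose key column is 0 (when $key_id_column is given),
  * rows they own (when $owner_id_column is given), and rows whose key is
  * granted to one of their groups via phpws_key_edit.
  *
  * Callers should check Current_User::allow('module', 'edit_permission')
  * BEFORE calling this; if it is called anyway, the forced negative is applied.
  * Extra qualifications belong in the 'key_id' where-group of $db.
  *
  * Fix (review): previously a restricted user with no groups and no
  * key/owner column supplied received NO clause at all and the query returned
  * every row (fail-open). That case now gets the forced negative too.
  *
  * @modified Eloi George
  * @param  object   $db : Database object to modify
  * @param  string   $module : Calling module
  * @param  string   $edit_permission : Name of the editing permission
  * @param  string   $source_table : (optional) Name of the main table being searched; defaults to $db->tables[0]
  * @param  string   $key_id_column : (optional) Usually "key_id".  Only use this if you allow edits where "key_id=0"
  * @param  string   $owner_id_column : (optional) Only use this if you allow edits on content created by the user
  * @return void
  */
 public static function restrictEdit($db, $module, $edit_permission = null, $source_table = null, $key_id_column = null, $owner_id_column = null)
 {
     if (Current_User::isDeity()) {
         return;
     }
     // No rights for the module / sub-permission: stymie the whole query.
     if (!Current_User::allow($module, $edit_permission)) {
         $db->setQWhere('1=0');
         return;
     }
     // Unrestricted within the module: nothing further is needed.
     if (Current_User::isUnrestricted($module)) {
         return;
     }
     // The left join below can multiply rows; DISTINCT is presumably there to
     // collapse them again.
     $db->setDistinct(1);
     if (empty($source_table)) {
         // Assumes $db exposes its table list as $db->tables — verify against the DB class.
         $source_table = $db->tables[0];
     }
     $restricted = false;
     if (!empty($key_id_column)) {
         $db->addWhere($source_table . '.' . $key_id_column, 0, null, 'or', 'key_1');
         $restricted = true;
     }
     if (!empty($owner_id_column)) {
         $db->addWhere($source_table . '.' . $owner_id_column, Current_User::getId(), null, 'or', 'key_1');
         $restricted = true;
     }
     $groups = Current_User::getGroups();
     if (!empty($groups)) {
         $db->addJoin('left', $source_table, 'phpws_key_edit', 'key_id', 'key_id');
         $db->addWhere('phpws_key_edit.group_id', $groups, 'in', 'or', 'key_1');
         $restricted = true;
     }
     // Fail closed: a restricted user with nothing to match against must see nothing.
     if (!$restricted) {
         $db->setQWhere('1=0');
     }
 }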
 /**
  * True when the session is masquerading, or belongs to a logged-in user who
  * does NOT hold unrestricted rights on the 'hms' module.
  *
  * (&& binds tighter than ||, so the original expression already grouped as
  * masquerading || (logged && !unrestricted); this spells that out.)
  *
  * @return bool
  */
 public static function isUser()
 {
     if (self::isMasquerading()) {
         return true;
     }
     return Current_User::isLogged() && !Current_User::isUnrestricted('hms');
 }
 /**
  * Builds the template values used to list this block.
  *
  * ACTION holds the admin links the current user may use: edit, the
  * pin-to-all/remove-from-all toggle and (unrestricted users only) the
  * permissions popup, then delete for users with delete_block. TITLE is only
  * written when the title is empty (an "Untitled" placeholder) — a non-empty
  * title is not set here, presumably the caller supplies it; verify. CONTENT
  * is the summary, or an "Empty" placeholder.
  *
  * @return array template values (ACTION, CONTENT, optionally TITLE)
  */
 public function getTpl()
 {
     $template = array();
     $actions = array();
     $vars = array('block_id' => $this->getId());

     if (Current_User::allow('block', 'edit_block', $this->id)) {
         $vars['action'] = 'edit';
         $actions[] = PHPWS_Text::secureLink(Icon::show('edit', dgettext('block', 'Edit')), 'block', $vars);

         // Toggle between "remove from all pages" and "display on all pages".
         $pinnedEverywhere = $this->allPinned();
         if ($pinnedEverywhere) {
             $vars['action'] = 'remove';
             $flagClass = 'fa-flag';
             $flagTitle = dgettext('block', 'Remove block from all pages');
         } else {
             $vars['action'] = 'pin_all';
             $flagClass = 'fa-flag-o';
             $flagTitle = dgettext('block', 'Display block on all pages');
         }
         $actions[] = PHPWS_Text::secureLink("<i class='fa " . $flagClass . "' title='" . $flagTitle . "'></i>", 'block', $vars);

         if (Current_User::isUnrestricted('block')) {
             $actions[] = Current_User::popupPermission($this->key_id, null, 'icon');
         }
     }

     if (Current_User::allow('block', 'delete_block')) {
         $vars['action'] = 'delete';
         $confirm = array(
             'QUESTION' => dgettext('block', 'Are you sure you want to permanently delete this block?'),
             'ADDRESS'  => PHPWS_Text::linkAddress('block', $vars, TRUE),
             'LINK'     => '<i class="fa fa-trash-o" title="' . dgettext('block', 'Delete') . '"></i>',
         );
         $actions[] = javascript('confirm', $confirm);
     }

     $template['ACTION'] = count($actions) > 0 ? implode('', $actions) : ' ';

     if (empty($this->title)) {
         $template['TITLE'] = '<em>' . dgettext('block', 'Untitled') . '</em>';
     }
     $template['CONTENT'] = empty($this->content)
         ? '<em>' . dgettext('block', 'Empty') . '</em>'
         : $this->summarize();

     return $template;
 }
 /**
  * Routes administrative commands for the calendar module.
  *
  * Requires Current_User::allow('calendar') up front. The command is taken
  * from $_REQUEST['aop'], then $_REQUEST['tab'], then the panel's current tab.
  *
  * NOTE(review): per-command authorisation is uneven. Several branches
  * (get_event_json, approval, approve_suggestion, disapprove_suggestion,
  * create_event, repeat_event, post_schedule, schedules, settings) rely on the
  * module-level check alone, so any finer check must live in the method they
  * call — verify each, particularly the suggestion and post_schedule handlers.
  * Several branches call Current_User::disallow() without returning, which
  * assumes disallow() halts the request (Blog_Admin::main elsewhere in this
  * listing returns explicitly after it) — confirm, or add returns.
  */
 public function main()
 {
     if (!Current_User::allow('calendar')) {
         Current_User::disallow();
         return;
     }
     $panel = $this->getPanel();
     // Command selection: explicit 'aop' wins, then 'tab', then the remembered tab.
     if (isset($_REQUEST['aop'])) {
         $command = $_REQUEST['aop'];
     } elseif (isset($_REQUEST['tab'])) {
         $command = $_REQUEST['tab'];
     } else {
         $command = $panel->getCurrentTab();
     }
     switch ($command) {
         case 'get_event_json':
             // No per-schedule check here; relies on getEventJson() — verify.
             $this->getEventJson();
             break;
         case 'post_event':
             // checkPermissions(true): presumably the stricter (edit) variant — confirm its signature.
             if (!$this->calendar->schedule->checkPermissions(true)) {
                 Current_User::disallow();
             }
             $this->postEvent();
             break;
         case 'schedule_json':
             // sch_id is reduced to digits/sign before use; the handler ends the request itself.
             $this->scheduleJSON(filter_input(INPUT_GET, 'sch_id', FILTER_SANITIZE_NUMBER_INT));
             exit;
             break;
         case 'approval':
             $this->approval();
             break;
         case 'approve_suggestion':
             // NOTE(review): raw $_GET['suggestion_id'] and no check beyond allow('calendar');
             // approveSuggestion() must validate the id and the caller's right to approve.
             $this->approveSuggestion($_GET['suggestion_id']);
             PHPWS_Core::goBack();
             break;
         case 'create_event':
             $panel->setCurrentTab('schedules');
             $event = $this->calendar->schedule->loadEvent();
             // Default a new event to noon on the currently selected date, when one is set.
             if ($this->calendar->current_date) {
                 $event->start_time = mktime(12, 0, 0, $this->calendar->int_month, $this->calendar->int_day, $this->calendar->int_year);
                 $event->end_time = mktime(12, 0, 0, $this->calendar->int_month, $this->calendar->int_day, $this->calendar->int_year);
             }
             $this->editEvent($event);
             break;
         case 'create_schedule':
             // Allowed when the user may edit public schedules, or personal schedules are enabled.
             // (&& binds tighter than ||; the leading allow('calendar') is already guaranteed above.)
             if (!Current_User::allow('calendar') || !Current_User::allow('calendar', 'edit_public') && !PHPWS_Settings::get('calendar', 'personal_schedules')) {
                 Current_User::disallow();
             }
             $this->calendar->schedule = new Calendar_Schedule();
             $panel->setCurrentTab('schedules');
             $this->editSchedule();
             break;
         case 'blog_event':
             if (PHPWS_Core::moduleExists('blog') && Current_User::allow('blog', 'edit_blog') && $this->calendar->schedule->checkPermissions(true)) {
                 // $event is loaded but never used here; blogEvent() presumably loads its own.
                 $event = $this->calendar->schedule->loadEvent();
                 $this->blogEvent();
             }
             break;
         case 'post_blog':
             if (PHPWS_Core::moduleExists('blog') && Current_User::allow('blog', 'edit_blog') && $this->calendar->schedule->checkPermissions(true)) {
                 $this->postBlog();
             }
             // The popup is closed and the opener refreshed whether or not the post was allowed.
             javascript('close_refresh');
             Layout::nakedDisplay();
             break;
         case 'edit_event':
             $panel->setCurrentTab('schedules');
             if (!$this->calendar->schedule->checkPermissions()) {
                 Current_User::disallow();
             }
             $event = $this->calendar->schedule->loadEvent();
             $this->editEvent($event);
             break;
         case 'delete_event':
             // Silently skips the delete (and just goes back) when not permitted.
             if ($this->calendar->schedule->checkPermissions(true)) {
                 $event = $this->calendar->schedule->loadEvent();
                 $result = $event->delete();
                 if (PHPWS_Error::isError($result)) {
                     PHPWS_Error::log($result);
                 }
             }
             PHPWS_Core::goBack();
             break;
         case 'delete_schedule':
             // authorized() rather than allow() — presumably also validates the authkey; plus unrestricted rights.
             if (Current_User::authorized('calendar', 'delete_schedule') && Current_User::isUnrestricted('calendar')) {
                 $this->calendar->schedule->delete();
                 $this->sendMessage(dgettext('calendar', 'Schedule deleted.'), 'aop=schedules');
             } else {
                 Current_User::disallow();
             }
             break;
         case 'disapprove_suggestion':
             // Same caveat as approve_suggestion: raw $_GET id, module-level check only.
             $this->disapproveSuggestion($_GET['suggestion_id']);
             PHPWS_Core::goBack();
             break;
         case 'edit_schedule':
             if (empty($_REQUEST['sch_id'])) {
                 PHPWS_Core::errorPage('404');
             }
             if (!$this->calendar->schedule->checkPermissions()) {
                 Current_User::disallow();
             }
             $panel->setCurrentTab('schedules');
             $this->editSchedule();
             break;
         case 'make_default_public':
             // Unrestricted users only; sch_id is cast to int before being stored.
             if (Current_User::isUnrestricted('calendar')) {
                 PHPWS_Settings::set('calendar', 'public_schedule', (int) $_REQUEST['sch_id']);
                 PHPWS_Settings::save('calendar');
                 $this->message = dgettext('calendar', 'Default public schedule set.');
             }
             $this->scheduleListing();
             break;
         case 'post_schedule':
             // NOTE(review): no permission check here, unlike edit_schedule/create_schedule;
             // postSchedule() must enforce it — verify.
             $this->postSchedule();
             break;
         case 'post_settings':
             if (!Current_User::authorized('calendar', 'settings')) {
                 Current_User::disallow();
             }
             $this->postSettings();
             $this->message = dgettext('calendar', 'Settings saved');
             $this->settings();
             break;
         case 'repeat_event':
             // No checkPermissions() here, unlike edit_event — verify repeatEvent() checks.
             $panel->setCurrentTab('schedules');
             $event = $this->calendar->schedule->loadEvent();
             $this->repeatEvent($event);
             break;
         case 'reset_cache':
             // NOTE(review): $_REQUEST['key'] is passed unvalidated, so any calendar user can
             // evict an arbitrary cache key; the allow('calendar') check just repeats the one above.
             if (!Current_User::allow('calendar')) {
                 Current_User::disallow();
             }
             PHPWS_Cache::remove($_REQUEST['key']);
             PHPWS_Core::goBack();
             break;
         case 'schedules':
             $panel->setCurrentTab('schedules');
             $this->scheduleListing();
             break;
         case 'settings':
             // Viewing settings has no extra check here (saving them requires 'settings').
             $this->settings();
             break;
         case 'upload_event':
             if (!$this->calendar->schedule->checkPermissions()) {
                 Current_User::disallow();
             }
             $this->uploadEvent();
             break;
         case 'post_upload':
             if (!$this->calendar->schedule->checkPermissions(true)) {
                 Current_User::disallow();
             }
             $this->postUpload();
             break;
     }
     // Assemble the admin page from whatever the handler left in content/title/message.
     $tpl['CONTENT'] = $this->content;
     $tpl['TITLE'] = $this->title;
     if (is_array($this->message)) {
         $tpl['MESSAGE'] = implode('<br />', $this->message);
     } else {
         $tpl['MESSAGE'] = $this->message;
     }
     // Clears in case of js window opening
     $this->content = $this->title = $this->message = null;
     $final = PHPWS_Template::process($tpl, 'calendar', 'admin/main.tpl');
     if (PHPWS_Calendar::isJS()) {
         Layout::nakedDisplay($final);
     } else {
         $panel->setContent($final);
         Layout::add(PHPWS_ControlPanel::display($panel->display()));
     }
 }
 /**
  * Sets up the PageSmith control-panel tabs.
  *
  * "List" is always present; "Settings" only for users who are unrestricted
  * in pagesmith AND hold its 'settings' permission.
  *
  * @return void
  */
 public function loadPanel()
 {
     PHPWS_Core::initModClass('controlpanel', 'Panel.php');
     $this->panel = new PHPWS_Panel('pagesmith');
     $menuLink = 'index.php?module=pagesmith&amp;aop=menu';
     $tabs = array(
         'list' => array('title' => dgettext('pagesmith', 'List'), 'link' => $menuLink),
     );
     $showSettings = Current_User::isUnrestricted('pagesmith')
         && Current_User::allow('pagesmith', 'settings');
     if ($showSettings) {
         $tabs['settings'] = array('title' => dgettext('pagesmith', 'Settings'), 'link' => $menuLink);
     }
     $this->panel->quickSetTabs($tabs);
     $this->panel->setModule('pagesmith');
 }
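 /**
  * Builds one listing row (template values) for this signup sheet.
  *
  * ACTION holds the links the current user may use: Edit and the permission
  * popup (unrestricted users only), Slots (anyone allowed to edit this
  * sheet), Report (everyone) and Delete (unrestricted users only).
  * START_TIME / END_TIME are rendered as MM/DD/YY HH:MM, 24-hour.
  *
  * Fix (review): strftime() is deprecated since PHP 8.1; "%D %R" is replaced
  * by the equivalent, locale-independent date('m/d/y H:i').
  *
  * @return array template values (START_TIME, END_TIME, TITLE, ACTION)
  */
 public function rowTag()
 {
     $links = array();
     $vars = array('sheet_id' => $this->id);
     $unrestricted = Current_User::isUnrestricted('signup');

     if (Current_User::allow('signup', 'edit_sheet', $this->id, 'sheet')) {
         if ($unrestricted) {
             $vars['aop'] = 'edit_sheet';
             $links[] = PHPWS_Text::secureLink(\Icon::show('edit', dgettext('signup', 'Edit')), 'signup', $vars);
         }
         $vars['aop'] = 'edit_slots';
         $links[] = PHPWS_Text::secureLink(\Icon::show('th-list', dgettext('signup', 'Slots')), 'signup', $vars);
         if ($unrestricted) {
             $links[] = Current_User::popupPermission($this->key_id, null, 'icon');
         }
     }

     // Report is offered to everyone who can see the listing.
     $vars['aop'] = 'report';
     $links[] = PHPWS_Text::secureLink(\Icon::show('file-text', dgettext('signup', 'Report')), 'signup', $vars);

     if ($unrestricted) {
         $vars['aop'] = 'delete_sheet';
         $js = array(
             'ADDRESS'  => PHPWS_Text::linkAddress('signup', $vars, true),
             'QUESTION' => dgettext('signup', 'Are you sure you want to delete this sheet?\\nAll slots and signup information will be permanently removed.'),
             'LINK'     => \Icon::show('delete'),
         );
         $links[] = javascript('confirm', $js);
     }

     // MM/DD/YY hh:mm 24-hour time format (formerly strftime("%D %R")).
     return array(
         'START_TIME' => date('m/d/y H:i', $this->start_time),
         'END_TIME'   => date('m/d/y H:i', $this->end_time),
         'TITLE'      => $this->viewLink(),
         'ACTION'     => implode('&nbsp;', $links),
     );
 }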
 /**
  * Builds the admin-listing row for this schedule.
  *
  * ADMIN collects the controls the current user may use: add/upload/download
  * events and edit (when checkPermissions() passes); delete (delete_schedule
  * permission plus unrestricted rights); and, for public schedules viewed by
  * an unrestricted user, a "Make default public" link or a "Default public"
  * label. TITLE is the view link; AVAILABILITY is "Public" or "Private".
  *
  * NOTE(review): $this->id is interpolated into HTML attributes and a URL
  * unescaped; fine only if it is always an integer from the DB — confirm.
  *
  * @return array template values (ADMIN, TITLE, AVAILABILITY)
  */
 public function rowTags()
 {
     $controls = array();
     $scheduleId = $this->id;

     if ($this->checkPermissions()) {
         $controls[] = '<i class="fa fa-plus add-event" style="cursor:pointer" data-schedule-id="' . $scheduleId . '" data-date="' . time() . '"></i>';
         $controls[] = $this->uploadEventsLink(null, true);
         $controls[] = $this->downloadEventsLink(null, true);
         $controls[] = '<i class="fa fa-edit" id="edit-schedule" data-schedule-id="' . $scheduleId . '" style="cursor:pointer" title="' . dgettext('calendar', 'Edit schedule') . '"></i>';
     }

     if (Current_User::allow('calendar', 'delete_schedule') && Current_User::isUnrestricted('calendar')) {
         $confirm = array(
             'QUESTION' => dgettext('calendar', 'Are you sure you want to delete this schedule?'),
             'ADDRESS'  => 'index.php?module=calendar&amp;aop=delete_schedule&amp;sch_id=' . $scheduleId . '&amp;authkey=' . Current_User::getAuthKey(),
             'LINK'     => Icon::show('delete'),
         );
         $controls[] = javascript('confirm', $confirm);
     }

     if ($this->public && Current_User::isUnrestricted('calendar')) {
         $defaultPublicId = PHPWS_Settings::get('calendar', 'public_schedule');
         if ($defaultPublicId == $scheduleId) {
             $controls[] = dgettext('calendar', 'Default public');
         } else {
             $linkVars = array('aop' => 'make_default_public', 'sch_id' => $scheduleId);
             $controls[] = PHPWS_Text::secureLink(dgettext('calendar', 'Make default public'), 'calendar', $linkVars);
         }
     }

     $tags = array();
     $tags['ADMIN'] = count($controls) > 0 ? implode(' ', $controls) : dgettext('calendar', 'None');
     $tags['TITLE'] = $this->getViewLink();
     $tags['AVAILABILITY'] = $this->public ? dgettext('calendar', 'Public') : dgettext('calendar', 'Private');
     return $tags;
 }
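 /**
  * Sets up the What's New control-panel tabs.
  *
  * Only unrestricted users get tabs (Settings, Read me); everyone else gets
  * an empty tab set.
  *
  * Fix (review): $tags was only assigned inside the isUnrestricted() branch,
  * so restricted users reached quickSetTabs() with an undefined variable
  * (warning, null argument). It is now always an array.
  *
  * @return void
  */
 function loadPanel()
 {
     PHPWS_Core::initModClass('controlpanel', 'Panel.php');
     $this->panel = new PHPWS_Panel('whatsnew-panel');
     $link = 'index.php?module=whatsnew&aop=menu';
     $tags = array();
     if (Current_User::isUnrestricted('whatsnew')) {
         $tags['settings'] = array('title' => dgettext('whatsnew', 'Settings'), 'link' => $link);
         $tags['info'] = array('title' => dgettext('whatsnew', 'Read me'), 'link' => $link);
     }
     $this->panel->quickSetTabs($tags);
 }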
 /**
  * Renders the permission pop-up form for $key.
  *
  * Returns nothing (implicit null) unless the current user is unrestricted in
  * the key's module AND holds the key's edit permission.
  *
  * @param Key $key the item whose permissions are being edited
  * @return string|null processed 'forms/permission_pop.tpl', or null when disallowed
  */
 public static function getPermissionForm(Key $key)
 {
     if (!Current_User::isUnrestricted($key->module)) {
         return;
     }
     if (!Current_User::allow($key->module, $key->edit_permission)) {
         return;
     }
     $tpl = User_Form::permissionMenu($key, true);
     return PHPWS_Template::process($tpl, 'users', 'forms/permission_pop.tpl');
 }
 /**
  * Sets up the Signup control-panel tabs: "New" (listed first) for
  * unrestricted users, and "List" for everyone.
  *
  * @return void
  */
 public function loadPanel()
 {
     PHPWS_Core::initModClass('controlpanel', 'Panel.php');
     $this->panel = new PHPWS_Panel('signup-panel');
     $menuLink = 'index.php?module=signup&aop=menu';
     $tabs = array();
     if (Current_User::isUnrestricted('signup')) {
         $tabs['new'] = array('title' => dgettext('signup', 'New'), 'link' => $menuLink);
     }
     $tabs['list'] = array('title' => dgettext('signup', 'List'), 'link' => $menuLink);
     $this->panel->quickSetTabs($tabs);
 }
 /**
  * Routes blog administration commands.
  *
  * Requires Current_User::authorized('blog') (authorized rather than allow —
  * presumably it also validates the request's authkey; confirm). The command
  * comes from $_REQUEST['command'] or the panel's current tab; the target
  * entry from $_REQUEST['blog_id'] (cast to int), else a fresh Blog.
  *
  * NOTE(review): per-command checks are uneven. 'edit', 'sticky', 'unsticky',
  * 'post_settings', 'settings' and 'purge_entries' check something further;
  * 'new', 'delete', 'post_entry' and 'reset_cache' rely on the module-level
  * check alone. In particular 'delete' never tests 'delete_blog', although the
  * listing (Blog::getListAction) only offers the delete link to users who hold
  * it — verify that Blog::delete() enforces it, otherwise add the check here.
  */
 public static function main()
 {
     if (!Current_User::authorized('blog')) {
         Current_User::disallow(dgettext('blog', 'User attempted access to Blog administration.'));
         return;
     }
     $title = $content = NULL;
     $message = Blog_Admin::getForward();
     $panel = Blog_Admin::cpanel();
     $panel->enableSecure();
     if (isset($_REQUEST['command'])) {
         $command = $_REQUEST['command'];
     } else {
         $command = $panel->getCurrentTab();
     }
     // Load the addressed entry (id cast to int) or start an empty one.
     if (isset($_REQUEST['blog_id'])) {
         $blog = new Blog((int) $_REQUEST['blog_id']);
     } else {
         $blog = new Blog();
     }
     switch ($command) {
         case 'edit':
             $panel->setCurrentTab('list');
             // Presumably "current user is the author", or anyone granted edit_blog on this entry's key.
             // $_REQUEST['blog_id'] is read raw here (may be unset -> notice); the int-cast copy is $blog->id.
             if (!Current_User::isUser($blog->author_id) && !Current_User::authorized('blog', 'edit_blog', $_REQUEST['blog_id'], 'entry')) {
                 Current_User::disallow(dgettext('blog', 'User tried to edit a blog.'));
                 return;
             }
             $title = dgettext('blog', 'Update Blog Entry');
             $content = Blog_Form::edit($blog);
             break;
         case 'new':
             // No edit_blog check here — presumably enforced on post_entry/save; verify.
             $title = dgettext('blog', 'New Blog Entry');
             $content = Blog_Form::edit($blog);
             break;
         case 'delete':
             // NOTE(review): no 'delete_blog' check here (see header); $result is never inspected.
             //Blog_Admin::resetCache();
             $result = $blog->delete();
             Blog_Admin::setForward(dgettext('blog', 'Blog entry deleted.'), 'list');
             break;
         case 'list':
             $title = dgettext('blog', 'Blog Entries');
             $content = Blog_Admin::entry_list();
             break;
         case 'menu_submit_link':
             // The pinned URL carries 'action' twice (user, then submit); PHP keeps the last — looks like a typo, confirm.
             Menu::pinLink(dgettext('blog', 'Submit entry'), 'index.php?module=blog&action=user&action=submit');
             PHPWS_Core::reroute('index.php?module=blog&action=admin&tab=settings&authkey=' . Current_User::getAuthKey());
             break;
         case 'sticky':
             // Assumes disallow() halts the request; 'edit' above returns explicitly instead.
             if (!Current_User::isUnrestricted('blog')) {
                 Current_User::disallow();
             }
             Blog_Admin::sticky($blog);
             PHPWS_Core::goBack();
             break;
         case 'unsticky':
             // Same disallow()-without-return assumption as 'sticky'.
             if (!Current_User::isUnrestricted('blog')) {
                 Current_User::disallow();
             }
             Blog_Admin::unsticky($blog);
             PHPWS_Core::goBack();
             break;
         case 'post_entry':
             // No permission check here; post_entry()/save() must enforce it — verify.
             $title = dgettext('blog', 'Blog Archive');
             $panel->setCurrentTab('list');
             $blog->post_entry();
             // $link_back is computed but not used in this method.
             $link_back = PHPWS_Text::linkAddress('blog', array('action' => 'admin', 'tab' => 'list'), TRUE);
             if ($blog->_error) {
                 // Re-show the form; a brand-new entry goes back to the 'new' tab.
                 if (empty($blog->id)) {
                     $panel->setCurrentTab('new');
                 }
                 $content = Blog_Form::edit($blog);
             } else {
                 if (!isset($_POST['blog_id']) && PHPWS_Core::isPosted()) {
                     Blog_Admin::setForward(dgettext('blog', 'Entry saved successfully.'), 'list');
                 }
                 $result = $blog->save();
                 //Blog_Admin::resetCache();
                 if (PHPWS_Error::isError($result)) {
                     $message = dgettext('blog', 'An error occurred when trying to save your entry. Please check your logs.');
                     PHPWS_Error::log($result);
                     Blog_Admin::setForward($message, 'list');
                 }
                 // Unapproved entries stay on the admin list; approved ones redirect to the entry itself.
                 if (!$blog->approved) {
                     Blog_Admin::setForward(dgettext('blog', 'Your entry is being held for approval.'), 'list');
                 } else {
                     PHPWS_Core::reroute($blog->getViewLink(true));
                 }
             }
             break;
         case 'reset_cache':
             // Module-level check only.
             Blog_Admin::resetCache();
             PHPWS_Core::goBack();
             break;
         case 'post_settings':
             if (!Current_User::authorized('blog', 'settings')) {
                 Current_User::disallow();
                 return;
             }
             // Deities asking to purge get a confirmation page instead of a settings save.
             if (Current_User::isDeity() && isset($_POST['purge_confirm'])) {
                 $title = dgettext('blog', 'Purge Blog Entries');
                 $content = Blog_Admin::confirmPurge($_POST['purge_date']);
                 break;
             }
             Blog_Admin::postSettings();
             $message = dgettext('blog', 'Blog settings saved.');
             // Intentional fall-through: re-render the settings form after saving.
         case 'settings':
             if (!Current_User::allow('blog', 'settings')) {
                 Current_User::disallow();
                 return;
             }
             $panel->setCurrentTab('settings');
             $title = dgettext('blog', 'Blog Settings');
             $content = Blog_Form::settings();
             break;
         case 'purge_entries':
             // Deity-only; $_GET['pd'] is passed raw to purgeEntries().
             if (Current_User::authorized('blog') && Current_User::isDeity()) {
                 Blog_Admin::purgeEntries($_GET['pd']);
                 $message = dgettext('blog', 'Blog entries purged.');
             }
             $content = Blog_Form::settings();
     }
     Layout::add(PHPWS_ControlPanel::display($panel->display($content, $title, $message)));
 }
 /**
  * Returns the admin action links (edit / delete / sticky toggle) for this
  * blog entry, space-separated, or "No action" when the current user gets
  * none of them.
  *
  * Edit: the author holding edit_blog, or anyone granted edit_blog on this
  * entry's key. Delete: delete_blog. Sticky/unsticky: unrestricted users.
  *
  * @return string HTML
  */
 public function getListAction()
 {
     $actions = array();
     $link = array('action' => 'admin', 'blog_id' => $this->id);

     // (A && B) || C — the grouping PHP already applies to the original expression.
     $authorMayEdit = Current_User::allow('blog', 'edit_blog') && Current_User::getId() == $this->author_id;
     if ($authorMayEdit || Current_User::allow('blog', 'edit_blog', $this->id, 'entry')) {
         $link['command'] = 'edit';
         $actions[] = PHPWS_Text::secureLink(Icon::show('edit', dgettext('blog', 'Edit blog entry')), 'blog', $link);
     }

     if (Current_User::allow('blog', 'delete_blog')) {
         $link['command'] = 'delete';
         $confirm = array(
             'QUESTION' => dgettext('blog', 'Are you sure you want to permanently delete this blog entry?'),
             'ADDRESS'  => PHPWS_Text::linkAddress('blog', $link, true),
             'LINK'     => '<i class="fa fa-trash-o" title="' . dgettext('blog', 'Delete blog entry') . '"></i>',
         );
         $actions[] = Layout::getJavascript('confirm', $confirm);
     }

     if (Current_User::isUnrestricted('blog')) {
         // Toggle: 'flag' removes from the front page, 'flag-alt' forces onto it.
         if ($this->sticky) {
             $link['command'] = 'unsticky';
             $label = Icon::show('flag', dgettext('blog', 'Remove from front page'));
         } else {
             $link['command'] = 'sticky';
             $label = Icon::show('flag-alt', dgettext('blog', 'Force to front page'));
         }
         $actions[] = PHPWS_Text::secureLink($label, 'blog', $link);
     }

     if (count($actions) === 0) {
         return dgettext('blog', 'No action');
     }
     return implode(' ', $actions);
 }
 /**
  * Adds a "set permissions" control for the current Key to the page.
  *
  * Does nothing when there is no current key, the key is a dummy, the key
  * has no edit permission, or the user is not both unrestricted in the key's
  * module and allowed its edit permission. Without JavaScript the full
  * permission form is added to the 'permissions' layout slot; with it, a
  * popup link is registered with MiniAdmin.
  *
  * @return void
  */
 public static function permissionMenu()
 {
     $key = Key::getCurrent();
     if (empty($key) || $key->isDummy() || empty($key->edit_permission)) {
         return;
     }
     if (!Current_User::isUnrestricted($key->module)) {
         return;
     }
     if (!Current_User::allow($key->module, $key->edit_permission)) {
         return;
     }
     if (javascriptEnabled()) {
         // The translated label is used as a format string; the English source has no placeholder for the title.
         $label = sprintf(dgettext('users', 'Set permissions'), $key->title);
         $popupLinks = array(Current_User::popupPermission($key->id, $label));
         MiniAdmin::add('users', $popupLinks);
         return;
     }
     $tpl = User_Form::permissionMenu($key);
     $content = PHPWS_Template::process($tpl, 'users', 'forms/permission_menu.tpl');
     Layout::add($content, 'users', 'permissions');
 }