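/**
 * Adds limits to a db select query to only pull items the user
 * has permissions to view.
 *
 * Note that BEFORE this is called, the developer should check whether
 * the user has ANY rights to edit items in the first place.
 * In other words, if Current_User::allow('module', 'edit_permission') == false
 * then they shouldn't even use this function. If it is used anyway, a forced
 * negative will be added (i.e. where 1 = 0).
 * The same forced negative is applied when a restricted user would otherwise
 * end up with no qualifying condition at all (no key/owner column supplied and
 * no group membership), so the query fails closed instead of returning every row.
 * If you wish to add other qualifications, use the $db->addWhere() group 'key_1'
 * (the group this function populates) in your module code.
 *
 * @modified Eloi George
 * @param object $db : Database object to modify
 * @param string $module : Calling module
 * @param string $edit_permission : Name of the editing permission
 * @param string $source_table : (optional) Name of the main table being searched; defaults to $db->tables[0]
 * @param string $key_id_column : (optional) Usually "key_id". Only use this if you allow edits where "key_id=0"
 * @param string $owner_id_column : (optional) Only use this if you allow edits on content created by the user
 * @return void
 */
public static function restrictEdit($db, $module, $edit_permission = null, $source_table = null, $key_id_column = null, $owner_id_column = null)
{
    // Deities are never restricted.
    if (Current_User::isDeity()) {
        return;
    }

    // No rights for the module/permission at all: stymie the whole query.
    if (!Current_User::allow($module, $edit_permission)) {
        $db->setQWhere('1=0');
        return;
    }

    // Unrestricted editors of this module need no per-item restriction.
    if (Current_User::isUnrestricted($module)) {
        return;
    }

    // The join added below can multiply rows, so collapse duplicates.
    $db->setDistinct(1);

    if (empty($source_table)) {
        $source_table = $db->tables[0];
    }

    // Every condition goes into the 'key_1' OR-group: an item is visible
    // if ANY of them holds. Track whether at least one was added.
    $restricted = false;

    if (!empty($key_id_column)) {
        $db->addWhere($source_table . '.' . $key_id_column, 0, null, 'or', 'key_1');
        $restricted = true;
    }

    if (!empty($owner_id_column)) {
        $db->addWhere($source_table . '.' . $owner_id_column, Current_User::getId(), null, 'or', 'key_1');
        $restricted = true;
    }

    $groups = Current_User::getGroups();
    if (!empty($groups)) {
        $db->addJoin('left', $source_table, 'phpws_key_edit', 'key_id', 'key_id');
        $db->addWhere('phpws_key_edit.group_id', $groups, 'in', 'or', 'key_1');
        $restricted = true;
    }

    // A restricted user with nothing to match against must see nothing,
    // not everything: reuse the same forced negative as the no-rights case.
    if (!$restricted) {
        $db->setQWhere('1=0');
    }
}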
/**
 * Whether the current visitor counts as a plain (non-admin) user.
 *
 * True when masquerading, or when logged in without unrestricted rights to
 * the 'hms' module. The early return and the explicit && expression spell
 * out the original &&-before-|| precedence.
 *
 * @return bool
 */
public static function isUser()
{
    if (self::isMasquerading()) {
        return true;
    }
    return Current_User::isLogged() && !Current_User::isUnrestricted('hms');
}
/**
 * Builds the template values for this block's admin row.
 *
 * ACTION holds the concatenated edit/pin/permission/delete links the current
 * user is allowed to see (a single space when there are none); TITLE gets an
 * italic placeholder when empty and CONTENT either a placeholder or the summary.
 *
 * @return array template variables ACTION, CONTENT, and TITLE when untitled
 */
public function getTpl()
{
    $links = [];
    $vars = ['block_id' => $this->getId()];

    if (Current_User::allow('block', 'edit_block', $this->id)) {
        $vars['action'] = 'edit';
        $links[] = PHPWS_Text::secureLink(Icon::show('edit', dgettext('block', 'Edit')), 'block', $vars);

        // Toggle between "remove from all pages" and "pin to all pages".
        if ($this->allPinned()) {
            $vars['action'] = 'remove';
            $flagTitle = dgettext('block', 'Remove block from all pages');
            $links[] = PHPWS_Text::secureLink("<i class='fa fa-flag' title='" . $flagTitle . "'></i>", 'block', $vars);
        } else {
            $vars['action'] = 'pin_all';
            $flagTitle = dgettext('block', 'Display block on all pages');
            $links[] = PHPWS_Text::secureLink("<i class='fa fa-flag-o' title='" . $flagTitle . "'></i>", 'block', $vars);
        }

        if (Current_User::isUnrestricted('block')) {
            $links[] = Current_User::popupPermission($this->key_id, null, 'icon');
        }
    }

    if (Current_User::allow('block', 'delete_block')) {
        $vars['action'] = 'delete';
        $confirm_vars = [
            'QUESTION' => dgettext('block', 'Are you sure you want to permanently delete this block?'),
            'ADDRESS' => PHPWS_Text::linkAddress('block', $vars, TRUE),
            'LINK' => '<i class="fa fa-trash-o" title="' . dgettext('block', 'Delete') . '"></i>',
        ];
        $links[] = javascript('confirm', $confirm_vars);
    }

    $template = [];
    $template['ACTION'] = empty($links) ? ' ' : implode('', $links);

    // NOTE(review): a non-empty title is not written to TITLE here --
    // presumably supplied elsewhere; confirm against the template.
    if (empty($this->title)) {
        $template['TITLE'] = '<em>' . dgettext('block', 'Untitled') . '</em>';
    }

    if (empty($this->content)) {
        $template['CONTENT'] = '<em>' . dgettext('block', 'Empty') . '</em>';
    } else {
        $template['CONTENT'] = $this->summarize();
    }

    return $template;
}
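/**
 * Routes administrative commands.
 *
 * The command is taken from $_REQUEST['aop'], then $_REQUEST['tab'], then the
 * panel's current tab. Every branch that calls Current_User::disallow() now
 * returns immediately afterwards, matching the module-level check at the top,
 * so a privileged action never runs after the user has been refused.
 *
 * @return void  Output goes to Layout (or nakedDisplay inside a JS window).
 */
public function main()
{
    if (!Current_User::allow('calendar')) {
        Current_User::disallow();
        return;
    }

    $panel = $this->getPanel();

    if (isset($_REQUEST['aop'])) {
        $command = $_REQUEST['aop'];
    } elseif (isset($_REQUEST['tab'])) {
        $command = $_REQUEST['tab'];
    } else {
        $command = $panel->getCurrentTab();
    }

    switch ($command) {
        case 'get_event_json':
            $this->getEventJson();
            break;

        case 'post_event':
            if (!$this->calendar->schedule->checkPermissions(true)) {
                Current_User::disallow();
                return;
            }
            $this->postEvent();
            break;

        case 'schedule_json':
            $this->scheduleJSON(filter_input(INPUT_GET, 'sch_id', FILTER_SANITIZE_NUMBER_INT));
            exit;

        case 'approval':
            $this->approval();
            break;

        case 'approve_suggestion':
            // NOTE(review): no permission check is visible here or in
            // 'disapprove_suggestion'; presumably done inside the called
            // method -- confirm.
            $this->approveSuggestion($_GET['suggestion_id']);
            PHPWS_Core::goBack();
            break;

        case 'create_event':
            $panel->setCurrentTab('schedules');
            $event = $this->calendar->schedule->loadEvent();
            if ($this->calendar->current_date) {
                // A new event defaults to noon of the currently viewed day.
                $noon = mktime(12, 0, 0, $this->calendar->int_month, $this->calendar->int_day, $this->calendar->int_year);
                $event->start_time = $noon;
                $event->end_time = $noon;
            }
            $this->editEvent($event);
            break;

        case 'create_schedule':
            // Parenthesised to make the intended precedence explicit: refuse
            // unless the user may edit public schedules or personal schedules
            // are enabled.
            if (!Current_User::allow('calendar') || (!Current_User::allow('calendar', 'edit_public') && !PHPWS_Settings::get('calendar', 'personal_schedules'))) {
                Current_User::disallow();
                return;
            }
            $this->calendar->schedule = new Calendar_Schedule();
            $panel->setCurrentTab('schedules');
            $this->editSchedule();
            break;

        case 'blog_event':
            if (PHPWS_Core::moduleExists('blog') && Current_User::allow('blog', 'edit_blog') && $this->calendar->schedule->checkPermissions(true)) {
                // loadEvent() is kept for its side effects; its return value was never used.
                $this->calendar->schedule->loadEvent();
                $this->blogEvent();
            }
            break;

        case 'post_blog':
            if (PHPWS_Core::moduleExists('blog') && Current_User::allow('blog', 'edit_blog') && $this->calendar->schedule->checkPermissions(true)) {
                $this->postBlog();
            }
            javascript('close_refresh');
            Layout::nakedDisplay();
            break;

        case 'edit_event':
            $panel->setCurrentTab('schedules');
            if (!$this->calendar->schedule->checkPermissions()) {
                Current_User::disallow();
                return;
            }
            $event = $this->calendar->schedule->loadEvent();
            $this->editEvent($event);
            break;

        case 'delete_event':
            if ($this->calendar->schedule->checkPermissions(true)) {
                $event = $this->calendar->schedule->loadEvent();
                $result = $event->delete();
                if (PHPWS_Error::isError($result)) {
                    PHPWS_Error::log($result);
                }
            }
            PHPWS_Core::goBack();
            break;

        case 'delete_schedule':
            if (Current_User::authorized('calendar', 'delete_schedule') && Current_User::isUnrestricted('calendar')) {
                $this->calendar->schedule->delete();
                $this->sendMessage(dgettext('calendar', 'Schedule deleted.'), 'aop=schedules');
            } else {
                Current_User::disallow();
                return;
            }
            break;

        case 'disapprove_suggestion':
            $this->disapproveSuggestion($_GET['suggestion_id']);
            PHPWS_Core::goBack();
            break;

        case 'edit_schedule':
            if (empty($_REQUEST['sch_id'])) {
                // Presumably ends the request -- confirm errorPage() exits.
                PHPWS_Core::errorPage('404');
            }
            if (!$this->calendar->schedule->checkPermissions()) {
                Current_User::disallow();
                return;
            }
            $panel->setCurrentTab('schedules');
            $this->editSchedule();
            break;

        case 'make_default_public':
            if (Current_User::isUnrestricted('calendar')) {
                PHPWS_Settings::set('calendar', 'public_schedule', (int) $_REQUEST['sch_id']);
                PHPWS_Settings::save('calendar');
                $this->message = dgettext('calendar', 'Default public schedule set.');
            }
            $this->scheduleListing();
            break;

        case 'post_schedule':
            $this->postSchedule();
            break;

        case 'post_settings':
            if (!Current_User::authorized('calendar', 'settings')) {
                Current_User::disallow();
                return;
            }
            $this->postSettings();
            $this->message = dgettext('calendar', 'Settings saved');
            $this->settings();
            break;

        case 'repeat_event':
            // NOTE(review): no schedule-level checkPermissions() here, unlike
            // edit_event -- confirm repeatEvent() enforces it.
            $panel->setCurrentTab('schedules');
            $event = $this->calendar->schedule->loadEvent();
            $this->repeatEvent($event);
            break;

        case 'reset_cache':
            if (!Current_User::allow('calendar')) {
                Current_User::disallow();
                return;
            }
            PHPWS_Cache::remove($_REQUEST['key']);
            PHPWS_Core::goBack();
            break;

        case 'schedules':
            $panel->setCurrentTab('schedules');
            $this->scheduleListing();
            break;

        case 'settings':
            $this->settings();
            break;

        case 'upload_event':
            if (!$this->calendar->schedule->checkPermissions()) {
                Current_User::disallow();
                return;
            }
            $this->uploadEvent();
            break;

        case 'post_upload':
            if (!$this->calendar->schedule->checkPermissions(true)) {
                Current_User::disallow();
                return;
            }
            $this->postUpload();
            break;
    }

    $tpl['CONTENT'] = $this->content;
    $tpl['TITLE'] = $this->title;
    if (is_array($this->message)) {
        $tpl['MESSAGE'] = implode('<br />', $this->message);
    } else {
        $tpl['MESSAGE'] = $this->message;
    }

    // Clears in case of js window opening
    $this->content = $this->title = $this->message = null;

    $final = PHPWS_Template::process($tpl, 'calendar', 'admin/main.tpl');

    if (PHPWS_Calendar::isJS()) {
        Layout::nakedDisplay($final);
    } else {
        $panel->setContent($final);
        Layout::add(PHPWS_ControlPanel::display($panel->display()));
    }
}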
/**
 * Creates the pagesmith control-panel object with its 'list' tab and, for
 * unrestricted users holding the 'settings' permission, a 'settings' tab.
 *
 * @return void  Sets $this->panel.
 */
public function loadPanel()
{
    PHPWS_Core::initModClass('controlpanel', 'Panel.php');
    $this->panel = new PHPWS_Panel('pagesmith');

    $menuLink = 'index.php?module=pagesmith&aop=menu';
    $tabs = [
        'list' => ['title' => dgettext('pagesmith', 'List'), 'link' => $menuLink],
    ];

    // Settings tab only for unrestricted users who also hold the permission.
    if (Current_User::isUnrestricted('pagesmith') && Current_User::allow('pagesmith', 'settings')) {
        $tabs['settings'] = ['title' => dgettext('pagesmith', 'Settings'), 'link' => $menuLink];
    }

    $this->panel->quickSetTabs($tabs);
    $this->panel->setModule('pagesmith');
}
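/**
 * Builds the template row for this signup sheet in the admin listing.
 *
 * Links follow the user's rights: edit/slots/permissions for sheet editors
 * (edit and permissions only when unrestricted), report for everyone who
 * reaches this listing, and delete for unrestricted users.
 *
 * strftime() is deprecated since PHP 8.1; date('m/d/y H:i') yields the same
 * output as the former "%D %R" (both purely numeric, so no locale difference).
 *
 * @return array template variables START_TIME, END_TIME, TITLE, ACTION
 */
public function rowTag()
{
    $links = [];
    $vars = ['sheet_id' => $this->id];

    if (Current_User::allow('signup', 'edit_sheet', $this->id, 'sheet')) {
        if (Current_User::isUnrestricted('signup')) {
            $vars['aop'] = 'edit_sheet';
            $links[] = PHPWS_Text::secureLink(\Icon::show('edit', dgettext('signup', 'Edit')), 'signup', $vars);
        }
        $vars['aop'] = 'edit_slots';
        $links[] = PHPWS_Text::secureLink(\Icon::show('th-list', dgettext('signup', 'Slots')), 'signup', $vars);
        if (Current_User::isUnrestricted('signup')) {
            $links[] = Current_User::popupPermission($this->key_id, null, 'icon');
        }
    }

    $vars['aop'] = 'report';
    $links[] = PHPWS_Text::secureLink(\Icon::show('file-text', dgettext('signup', 'Report')), 'signup', $vars);

    if (Current_User::isUnrestricted('signup')) {
        $vars['aop'] = 'delete_sheet';
        $js = [];
        $js['ADDRESS'] = PHPWS_Text::linkAddress('signup', $vars, true);
        // Single-quoted on purpose: the two characters "\n" are passed through
        // as-is (presumably interpreted by the JS confirm dialog).
        $js['QUESTION'] = dgettext('signup', 'Are you sure you want to delete this sheet?\\nAll slots and signup information will be permanently removed.');
        $js['LINK'] = \Icon::show('delete');
        $links[] = javascript('confirm', $js);
    }

    // MM/DD/YY hh:mm, 24-hour clock (equivalent of strftime's "%D %R").
    $tpl['START_TIME'] = date('m/d/y H:i', $this->start_time);
    $tpl['END_TIME'] = date('m/d/y H:i', $this->end_time);
    $tpl['TITLE'] = $this->viewLink();
    $tpl['ACTION'] = implode(' ', $links);

    return $tpl;
}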
/**
 * Builds the admin-listing row for this schedule.
 *
 * ADMIN collects the action links the user may use (add/upload/download/edit
 * when they hold permission on the schedule, delete and "make default public"
 * for unrestricted users) or the 'None' label; TITLE is the view link and
 * AVAILABILITY reads Public or Private.
 *
 * @return array template variables ADMIN, TITLE, AVAILABILITY
 */
public function rowTags()
{
    $links = [];

    if ($this->checkPermissions()) {
        $links[] = '<i class="fa fa-plus add-event" style="cursor:pointer" data-schedule-id="' . $this->id . '" data-date="' . time() . '"></i>';
        $links[] = $this->uploadEventsLink(null, true);
        $links[] = $this->downloadEventsLink(null, true);
        $editTitle = dgettext('calendar', 'Edit schedule');
        $links[] = '<i class="fa fa-edit" id="edit-schedule" data-schedule-id="' . $this->id . '" style="cursor:pointer" title="' . $editTitle . '"></i>';
    }

    if (Current_User::allow('calendar', 'delete_schedule') && Current_User::isUnrestricted('calendar')) {
        $confirm = [
            'QUESTION' => dgettext('calendar', 'Are you sure you want to delete this schedule?'),
            'ADDRESS' => sprintf('index.php?module=calendar&aop=delete_schedule&sch_id=%s&authkey=%s', $this->id, Current_User::getAuthKey()),
            'LINK' => Icon::show('delete'),
        ];
        $links[] = javascript('confirm', $confirm);
    }

    if ($this->public && Current_User::isUnrestricted('calendar')) {
        $defaultSchedule = PHPWS_Settings::get('calendar', 'public_schedule');
        // Loose comparison kept as in the original -- presumably because the
        // setting may come back as a string; confirm before tightening.
        if ($defaultSchedule != $this->id) {
            $linkVars = ['aop' => 'make_default_public', 'sch_id' => $this->id];
            $links[] = PHPWS_Text::secureLink(dgettext('calendar', 'Make default public'), 'calendar', $linkVars);
        } else {
            $links[] = dgettext('calendar', 'Default public');
        }
    }

    $tags = [];
    $tags['ADMIN'] = empty($links) ? dgettext('calendar', 'None') : implode(' ', $links);
    $tags['TITLE'] = $this->getViewLink();
    $tags['AVAILABILITY'] = $this->public ? dgettext('calendar', 'Public') : dgettext('calendar', 'Private');

    return $tags;
}
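/**
 * Creates the whatsnew control-panel object.
 *
 * Only unrestricted users get tabs ('settings' and 'info'); everyone else
 * gets an empty tab list. $tags is initialised up front so quickSetTabs()
 * always receives an array rather than an undefined variable.
 *
 * @return void  Sets $this->panel.
 */
public function loadPanel()
{
    PHPWS_Core::initModClass('controlpanel', 'Panel.php');
    $this->panel = new PHPWS_Panel('whatsnew-panel');
    $link = 'index.php?module=whatsnew&aop=menu';

    $tags = [];
    if (Current_User::isUnrestricted('whatsnew')) {
        $tags['settings'] = ['title' => dgettext('whatsnew', 'Settings'), 'link' => $link];
        $tags['info'] = ['title' => dgettext('whatsnew', 'Read me'), 'link' => $link];
    }
    $this->panel->quickSetTabs($tags);
}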
/**
 * Renders the permission pop-up form for a key.
 *
 * Returns null unless the current user is an unrestricted holder of the key's
 * edit permission in the key's module.
 *
 * @param Key $key
 * @return string|null rendered 'forms/permission_pop.tpl', null when refused
 */
public static function getPermissionForm(Key $key)
{
    if (!Current_User::isUnrestricted($key->module)) {
        return null;
    }
    if (!Current_User::allow($key->module, $key->edit_permission)) {
        return null;
    }
    $tpl = User_Form::permissionMenu($key, true);
    return PHPWS_Template::process($tpl, 'users', 'forms/permission_pop.tpl');
}
/**
 * Creates the signup control-panel object.
 *
 * The 'new' tab is reserved for unrestricted users and is listed first;
 * the 'list' tab is always present.
 *
 * @return void  Sets $this->panel.
 */
public function loadPanel()
{
    PHPWS_Core::initModClass('controlpanel', 'Panel.php');
    $this->panel = new PHPWS_Panel('signup-panel');
    $menuLink = 'index.php?module=signup&aop=menu';

    $tabs = [];
    if (Current_User::isUnrestricted('signup')) {
        $tabs['new'] = ['title' => dgettext('signup', 'New'), 'link' => $menuLink];
    }
    $tabs['list'] = ['title' => dgettext('signup', 'List'), 'link' => $menuLink];

    $this->panel->quickSetTabs($tabs);
}
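/**
 * Routes blog administration commands.
 *
 * Refuses anyone not authorised for the blog module. The 'delete' command now
 * requires the 'delete_blog' permission server-side (the entry listing only
 * hides the link for users lacking it) and logs a failed delete instead of
 * discarding the result; every refused command returns right after disallow().
 * 'post_settings' deliberately falls through into 'settings'.
 *
 * @return void  Output is added to Layout.
 */
public static function main()
{
    if (!Current_User::authorized('blog')) {
        Current_User::disallow(dgettext('blog', 'User attempted access to Blog administration.'));
        return;
    }

    $title = $content = null;
    $message = Blog_Admin::getForward();
    $panel = Blog_Admin::cpanel();
    $panel->enableSecure();

    if (isset($_REQUEST['command'])) {
        $command = $_REQUEST['command'];
    } else {
        $command = $panel->getCurrentTab();
    }

    if (isset($_REQUEST['blog_id'])) {
        $blog = new Blog((int) $_REQUEST['blog_id']);
    } else {
        $blog = new Blog();
    }

    switch ($command) {
        case 'edit':
            $panel->setCurrentTab('list');
            // The author may edit their own entry; anyone else needs item-level edit rights.
            if (!Current_User::isUser($blog->author_id) && !Current_User::authorized('blog', 'edit_blog', $_REQUEST['blog_id'], 'entry')) {
                Current_User::disallow(dgettext('blog', 'User tried to edit a blog.'));
                return;
            }
            $title = dgettext('blog', 'Update Blog Entry');
            $content = Blog_Form::edit($blog);
            break;

        case 'new':
            $title = dgettext('blog', 'New Blog Entry');
            $content = Blog_Form::edit($blog);
            break;

        case 'delete':
            // Gate the command itself, not just the link shown in the listing.
            if (!Current_User::authorized('blog', 'delete_blog')) {
                Current_User::disallow();
                return;
            }
            $result = $blog->delete();
            if (PHPWS_Error::isError($result)) {
                PHPWS_Error::log($result);
            }
            Blog_Admin::setForward(dgettext('blog', 'Blog entry deleted.'), 'list');
            break;

        case 'list':
            $title = dgettext('blog', 'Blog Entries');
            $content = Blog_Admin::entry_list();
            break;

        case 'menu_submit_link':
            Menu::pinLink(dgettext('blog', 'Submit entry'), 'index.php?module=blog&action=user&action=submit');
            PHPWS_Core::reroute('index.php?module=blog&action=admin&tab=settings&authkey=' . Current_User::getAuthKey());
            break;

        case 'sticky':
            if (!Current_User::isUnrestricted('blog')) {
                Current_User::disallow();
                return;
            }
            Blog_Admin::sticky($blog);
            PHPWS_Core::goBack();
            break;

        case 'unsticky':
            if (!Current_User::isUnrestricted('blog')) {
                Current_User::disallow();
                return;
            }
            Blog_Admin::unsticky($blog);
            PHPWS_Core::goBack();
            break;

        case 'post_entry':
            $title = dgettext('blog', 'Blog Archive');
            $panel->setCurrentTab('list');
            $blog->post_entry();

            if ($blog->_error) {
                // Validation failed: redisplay the form (under 'new' for unsaved entries).
                if (empty($blog->id)) {
                    $panel->setCurrentTab('new');
                }
                $content = Blog_Form::edit($blog);
                break;
            }

            if (!isset($_POST['blog_id']) && PHPWS_Core::isPosted()) {
                Blog_Admin::setForward(dgettext('blog', 'Entry saved successfully.'), 'list');
            }
            $result = $blog->save();
            if (PHPWS_Error::isError($result)) {
                $message = dgettext('blog', 'An error occurred when trying to save your entry. Please check your logs.');
                PHPWS_Error::log($result);
                Blog_Admin::setForward($message, 'list');
            }
            if (!$blog->approved) {
                Blog_Admin::setForward(dgettext('blog', 'Your entry is being held for approval.'), 'list');
            } else {
                PHPWS_Core::reroute($blog->getViewLink(true));
            }
            break;

        case 'reset_cache':
            Blog_Admin::resetCache();
            PHPWS_Core::goBack();
            break;

        case 'post_settings':
            if (!Current_User::authorized('blog', 'settings')) {
                Current_User::disallow();
                return;
            }
            if (Current_User::isDeity() && isset($_POST['purge_confirm'])) {
                $title = dgettext('blog', 'Purge Blog Entries');
                $content = Blog_Admin::confirmPurge($_POST['purge_date']);
                break;
            }
            Blog_Admin::postSettings();
            $message = dgettext('blog', 'Blog settings saved.');
            // no break: intentionally falls through to redisplay the settings form

        case 'settings':
            if (!Current_User::allow('blog', 'settings')) {
                Current_User::disallow();
                return;
            }
            $panel->setCurrentTab('settings');
            $title = dgettext('blog', 'Blog Settings');
            $content = Blog_Form::settings();
            break;

        case 'purge_entries':
            // Deity-only; non-deities just get the settings form back.
            if (Current_User::authorized('blog') && Current_User::isDeity()) {
                Blog_Admin::purgeEntries($_GET['pd']);
                $message = dgettext('blog', 'Blog entries purged.');
            }
            $content = Blog_Form::settings();
            break;
    }

    Layout::add(PHPWS_ControlPanel::display($panel->display($content, $title, $message)));
}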
/**
 * Returns the admin action links for this entry (edit, delete, sticky toggle)
 * joined by spaces, or the 'No action' label when the user may do none.
 *
 * Edit is offered to a blog editor who authored the entry, or to anyone
 * holding item-level edit rights on it; the named boolean spells out the
 * original &&-before-|| precedence.
 *
 * @return string
 */
public function getListAction()
{
    $list = [];
    $link = ['action' => 'admin', 'blog_id' => $this->id];

    $editsOwnEntry = Current_User::allow('blog', 'edit_blog') && Current_User::getId() == $this->author_id;
    if ($editsOwnEntry || Current_User::allow('blog', 'edit_blog', $this->id, 'entry')) {
        $link['command'] = 'edit';
        $list[] = PHPWS_Text::secureLink(Icon::show('edit', dgettext('blog', 'Edit blog entry')), 'blog', $link);
    }

    if (Current_User::allow('blog', 'delete_blog')) {
        $link['command'] = 'delete';
        $confirm = [
            'QUESTION' => dgettext('blog', 'Are you sure you want to permanently delete this blog entry?'),
            'ADDRESS' => PHPWS_Text::linkAddress('blog', $link, true),
            'LINK' => '<i class="fa fa-trash-o" title="' . dgettext('blog', 'Delete blog entry') . '"></i>',
        ];
        $list[] = Layout::getJavascript('confirm', $confirm);
    }

    if (Current_User::isUnrestricted('blog')) {
        if ($this->sticky) {
            $link['command'] = 'unsticky';
            $flag = Icon::show('flag', dgettext('blog', 'Remove from front page'));
        } else {
            $link['command'] = 'sticky';
            $flag = Icon::show('flag-alt', dgettext('blog', 'Force to front page'));
        }
        $list[] = PHPWS_Text::secureLink($flag, 'blog', $link);
    }

    return empty($list) ? dgettext('blog', 'No action') : implode(' ', $list);
}
/**
 * Adds the permission menu for the current key to the page.
 *
 * Does nothing when there is no current key, it is a dummy, it has no edit
 * permission, or the user is not an unrestricted holder of that permission.
 * Without JavaScript the full menu template goes into the 'permissions'
 * layout slot; with it, a pop-up link is added to MiniAdmin.
 *
 * @return void
 */
public static function permissionMenu()
{
    $key = Key::getCurrent();
    if (empty($key) || $key->isDummy() || empty($key->edit_permission)) {
        return;
    }
    if (!Current_User::isUnrestricted($key->module)) {
        return;
    }
    if (!Current_User::allow($key->module, $key->edit_permission)) {
        return;
    }

    if (javascriptEnabled()) {
        // NOTE(review): the 'Set permissions' format string carries no
        // placeholder, so $key->title is never shown -- confirm intent.
        $label = sprintf(dgettext('users', 'Set permissions'), $key->title);
        $links = [Current_User::popupPermission($key->id, $label)];
        MiniAdmin::add('users', $links);
        return;
    }

    $tpl = User_Form::permissionMenu($key);
    $content = PHPWS_Template::process($tpl, 'users', 'forms/permission_menu.tpl');
    Layout::add($content, 'users', 'permissions');
}