/**
  * PreDispatch function.
  *
  * Only admin users can access to these actions,
  * if the user is not an admin, is redirected to the login form or throws an exception.
  *
  * @throws Zend_Controller_Action_Exception If the user is not an admin.
  *
  * @return void
  */
 public function preDispatch()
 {
     parent::preDispatch();
     if (!Phprojekt_Auth::isAdminUser()) {
         $this->getResponse()->setRawHeader('HTTP/1.1 401 Authorization Required');
         $this->getResponse()->sendHeaders();
         exit;
     }
 }
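 /**
  * Returns all global modules.
  *
  * Echoes (as JSON, via Phprojekt_Converter_Json::echoConvert()) the active
  * modules whose save_type is 1 or 2, ordered by name, keyed by module id:
  * <pre>
  *  - id     => id of the module.
  *  - name   => Name of the module.
  *  - label  => Display for the module.
  * </pre>
  * The 'metadata' entry is the admin flag of the current user.
  *
  * The 'data' key is always present, also when no module matches, so
  * clients can iterate it without a null check.
  *
  * @return void Nothing is returned; the JSON is echoed.
  */
 public function jsonGetGlobalModulesAction()
 {
     $modules = array('data' => array());
     $model   = new Phprojekt_Module_Module();
     $where   = 'active = 1 AND (save_type = 1 OR save_type = 2)';
     foreach ($model->fetchAll($where, 'name ASC') as $module) {
         $modules['data'][$module->id] = array(
             'id'    => $module->id,
             'name'  => $module->name,
             'label' => $module->label,
         );
     }
     // Tells the client whether the current user is an admin.
     $modules['metadata'] = Phprojekt_Auth::isAdminUser();
     Phprojekt_Converter_Json::echoConvert($modules);
 }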
 /**
  * Init hook: the whole controller is reserved for admin users.
  *
  * A non-admin user is handled according to the request method: a GET is
  * redirected to the logout URL (which the original comment describes as
  * showing the login page), anything else gets a Phprojekt_PublishedException
  * so JSON clients receive an error message instead of an HTML redirect.
  *
  * @throws Phprojekt_PublishedException If a non-admin user sends a non-GET request.
  *
  * @return void
  */
 public function init()
 {
     parent::init();
     if (Phprojekt_Auth::isAdminUser()) {
         return;
     }
     $request = $this->getFrontController()->getRequest();
     if ($request->isGet()) {
         // Browser navigation: send the user to the logout/login page.
         $logoutUrl = Phprojekt::getInstance()->getConfig()->webpath . 'index.php/Login/logout';
         $this->_redirect($logoutUrl);
     } else {
         // XHR/POST clients expect a JSON error, not a redirect.
         throw new Phprojekt_PublishedException('Admin section is only for admin users', 500);
     }
     // Make sure no action runs after the redirect.
     exit;
 }
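 /**
  * PreDispatch hook: gate the Core module behind admin rights.
  *
  * A short whitelist of controller/action pairs is open to any logged-in
  * user (see _isPublicCoreCall()). Every other Core request from a
  * non-admin is answered with a bare "401" status line and the dispatch
  * is aborted before the action runs; nothing is thrown or redirected.
  *
  * NOTE(review): the 'setting' and 'upgrade' controllers are whitelisted
  * wholesale, so any admin-only action inside them must enforce its own
  * rights check; it is not enforced here.
  *
  * @return void
  */
 public function preDispatch()
 {
     parent::preDispatch();
     if (Phprojekt_Auth::isAdminUser()) {
         return;
     }
     $request = $this->getRequest();
     if (self::_isPublicCoreCall($request->getControllerName(), $request->getActionName())) {
         return;
     }
     // Reason phrase spelled out in full ("Required"); the old one was truncated.
     $response = $this->getResponse();
     $response->setRawHeader('HTTP/1.1 401 Authorization Required');
     $response->sendHeaders();
     exit;
 }

 /**
  * Whitelist of Core calls that do not need admin rights.
  *
  * The controller name is lowercased before matching; the action name is
  * matched exactly (case-sensitive) as it appears in the request.
  * Comparisons are strict so that PHP's loose string/number comparison
  * rules cannot widen the match.
  *
  * @param string $controller Controller name from the request.
  * @param string $action     Action name from the request.
  *
  * @return boolean True if the call is open to non-admin users.
  */
 private static function _isPublicCoreCall($controller, $action)
 {
     $controller = strtolower($controller);
     // Controllers that are open in full.
     if (in_array($controller, array('setting', 'upgrade'), true)) {
         return true;
     }
     // Controllers where only the listed actions are open.
     $publicActions = array(
         'history' => array('jsonList'),
         'module'  => array('jsonGetGlobalModules'),
         'role'    => array('jsonGetModulesAccess'),
         'user'    => array('jsonGetUsers', 'jsonGetProxyableUsers'),
         'tab'     => array('jsonList'),
     );
     return isset($publicActions[$controller])
         && in_array($action, $publicActions[$controller], true);
 }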
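 /**
  * Init hook: gate the Core module behind admin rights.
  *
  * A short whitelist of controller/action pairs is open to any logged-in
  * user (see _isPublicCoreRequest()). For every other Core request a
  * non-admin user is handled according to the request method: a GET is
  * redirected to the logout URL (which the original comment describes as
  * showing the login page), anything else gets a Phprojekt_PublishedException
  * so JSON clients receive an error message instead of an HTML redirect.
  *
  * NOTE(review): the 'setting' controller is whitelisted wholesale, so any
  * admin-only action inside it must enforce its own rights check.
  *
  * @throws Phprojekt_PublishedException If a non-admin user sends a non-GET
  *                                      request that is not whitelisted.
  *
  * @return void
  */
 public function init()
 {
     parent::init();
     if (Phprojekt_Auth::isAdminUser()) {
         return;
     }
     $request = $this->getRequest();
     if (self::_isPublicCoreRequest($request->getControllerName(), $request->getActionName())) {
         return;
     }
     if (!$this->getFrontController()->getRequest()->isGet()) {
         // XHR/POST clients expect a JSON error, not a redirect.
         throw new Phprojekt_PublishedException('Admin section is only for admin users', 500);
     }
     // Browser navigation: send the user to the logout/login page.
     $this->_redirect(Phprojekt::getInstance()->getConfig()->webpath . 'index.php/Login/logout');
     exit;
 }

 /**
  * Whitelist of Core calls that do not need admin rights.
  *
  * Both names are matched exactly as they appear in the request (no case
  * folding). Comparisons are strict so that PHP's loose string/number
  * comparison rules cannot widen the match.
  *
  * @param string $controller Controller name from the request.
  * @param string $action     Action name from the request.
  *
  * @return boolean True if the call is open to non-admin users.
  */
 private static function _isPublicCoreRequest($controller, $action)
 {
     // Controller that is open in full.
     if ($controller === 'setting') {
         return true;
     }
     // Controllers where only the listed actions are open.
     $publicActions = array(
         'history' => array('jsonList'),
         'module'  => array('jsonGetGlobalModules'),
         'role'    => array('jsonGetModulesAccess'),
         'user'    => array('jsonGetUsers'),
         'tab'     => array('jsonList'),
     );
     return isset($publicActions[$controller])
         && in_array($action, $publicActions[$controller], true);
 }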
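 /**
  * Perform the upgrade for a single module.
  *
  * The module is taken from the 'upgradeModule' parameter of the request.
  * The outcome is echoed as JSON with a 'type' of 'success', 'failure' or
  * 'fatalFailure' and a generic message; details of a failure (file, line,
  * message, trace) only go to the debug log, never to the client.
  *
  * NOTE(review): the module name is passed on unvalidated; presumably
  * performUpgrade() checks it against the known extensions — confirm.
  *
  * @throws Zend_Controller_Action_Exception 403 if the current user is not an admin.
  *
  * @return void
  */
 public function jsonUpgradeAction()
 {
     if (!Phprojekt_Auth::isAdminUser()) {
         throw new Zend_Controller_Action_Exception('Insufficient rights.', 403);
     }
     $extensions = new Phprojekt_Extensions(PHPR_CORE_PATH);
     $migration  = new Phprojekt_Migration($extensions);
     $succeeded  = false;
     try {
         $migration->performUpgrade($this->getRequest()->getParam('upgradeModule'));
         $succeeded = true;
     } catch (Phprojekt_Migration_IKilledTheDatabaseException $e) {
         self::_logMigrationFailure('IKilledTheDatabaseException', $e);
         Phprojekt_Converter_Json::echoConvert(array('type' => 'fatalFailure', 'message' => 'A fatal error has occured.'));
     } catch (Exception $e) {
         self::_logMigrationFailure('Exception', $e);
         Phprojekt_Converter_Json::echoConvert(array('type' => 'failure', 'message' => 'An error has occured.'));
     }
     if ($succeeded) {
         Phprojekt_Converter_Json::echoConvert(array('type' => 'success', 'message' => 'The module was upgraded correctly'));
     }
 }

 /**
  * Write a failed migration to the debug log.
  *
  * Shared by both catch branches of jsonUpgradeAction() so the log line
  * format stays identical for either exception type.
  *
  * @param string    $kind Label for the exception type, used as the line prefix.
  * @param Exception $e    The exception that aborted the migration.
  *
  * @return void
  */
 private static function _logMigrationFailure($kind, Exception $e)
 {
     Phprojekt::getInstance()->getLog()->debug(
         $kind . " occurred while migrating: " . $e->getFile() . ':' . $e->getLine() . "\n"
         . $e->getMessage() . "\n" . $e->getTraceAsString() . "\n"
     );
 }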
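 /**
  * Checks whether a user holds a given right on this item.
  *
  * Admin users and items that are not saved yet (isNew()) are always
  * granted. Otherwise the rights stored for this item are fetched via
  * Phprojekt_Right::getRightsForItems() and the requested bitmask is tested.
  *
  * @param integer      $userId    Id of the user to check.
  * @param integer      $right     Phprojekt_Acl right bitmask to test for.
  * @param integer|null $projectId Project the item belongs to; defaults to $this->projectId.
  *
  * @return boolean True if every bit of $right is held, false otherwise
  *                 (also false when no right entry exists for this item).
  */
 public function hasRight($userId, $right, $projectId = null)
 {
     if (Phprojekt_Auth::isAdminUser() || $this->isNew()) {
         return true;
     }
     if ($projectId === null) {
         $projectId = $this->projectId;
     }
     $moduleId = Phprojekt_Module::getId($this->getModelName());
     $rights   = Phprojekt_Right::getRightsForItems($moduleId, $projectId, $userId, array($this->id));
     if (!isset($rights[$this->id])) {
         // No entry at all means no right. Return a real boolean: the
         // Phprojekt_Acl::NONE bitmask constant used here before is not one
         // and trips callers that compare strictly against false.
         return false;
     }
     // All requested bits must be present in the stored bitmask.
     return ($rights[$this->id] & $right) == $right;
 }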
 /**
  * Check if the user has write access to the item if it is not a global module.
  *
  * Core items are allowed for admin users only. Modules with a "normal"
  * save type are checked against the item's own rights for the current
  * user (write, create, copy or admin is enough); every other module is
  * allowed unconditionally.
  *
  * @param Phprojekt_Model_Interface $model      The model to save.
  * @param string                    $moduleName The current module.
  *
  * @return boolean True if the user may write the item, false if not.
  */
 private static function _checkItemRights($model, $moduleName)
 {
     if ($moduleName == 'Core') {
         return Phprojekt_Auth::isAdminUser();
     }
     if (!Phprojekt_Module::saveTypeIsNormal(Phprojekt_Module::getId($moduleName))) {
         // Non-normal save types carry no per-item rights.
         return true;
     }
     $itemRights = $model->getRights();
     if (!isset($itemRights['currentUser'])) {
         // No entry for the current user: nothing granted.
         return false;
     }
     $mine = $itemRights['currentUser'];
     return (bool) ($mine['write'] || $mine['create'] || $mine['copy'] || $mine['admin']);
 }
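 /**
  * Returns all global modules.
  *
  * Echoes (as JSON, via Phprojekt_Converter_Json::echoConvert()) the active
  * modules whose save_type is 1 or 2, ordered by name, keyed by module id:
  * <pre>
  *  - id     => id of the module.
  *  - name   => Name of the module.
  *  - label  => Translated display label for the module.
  * </pre>
  * The 'metadata' entry is the admin flag of the current user.
  *
  * The 'data' key is always present, also when no module matches, so
  * clients can iterate it without a null check.
  *
  * @return void Nothing is returned; the JSON is echoed.
  */
 public function jsonGetGlobalModulesAction()
 {
     $modules = array('data' => array());
     $model   = Phprojekt_Loader::getLibraryClass('Phprojekt_Module_Module');
     $where   = 'active = 1 AND (save_type = 1 OR save_type = 2)';
     foreach ($model->fetchAll($where, 'name ASC') as $module) {
         $modules['data'][$module->id] = array(
             'id'    => $module->id,
             'name'  => $module->name,
             'label' => Phprojekt::getInstance()->translate($module->label, null, $module->name),
         );
     }
     // Tells the client whether the current user is an admin.
     $modules['metadata'] = Phprojekt_Auth::isAdminUser();
     Phprojekt_Converter_Json::echoConvert($modules);
 }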
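 /**
  * Check if the user has delete access to the item if it is not a global module.
  *
  * Core items are allowed for admin users only. Modules with a "normal"
  * save type are asked through the model's own hasRight() for the
  * effective (proxied) user and the DELETE right.
  *
  * NOTE(review): the fall-through default is allow (true) both for
  * non-normal save types and for models without a hasRight() method;
  * confirm that is intended for every model that reaches this check.
  *
  * @param Phprojekt_ActiveRecord_Abstract $model      The model to delete.
  * @param string                          $moduleName The current module.
  *
  * @return boolean True for a valid right.
  */
 private static function _checkItemRights(Phprojekt_ActiveRecord_Abstract $model, $moduleName)
 {
     // Strict comparison: $moduleName is documented as a string.
     if ($moduleName === 'Core') {
         return Phprojekt_Auth::isAdminUser();
     }
     $isNormal = Phprojekt_Module::saveTypeIsNormal(Phprojekt_Module::getId($moduleName));
     if ($isNormal && method_exists($model, 'hasRight')) {
         return $model->hasRight(Phprojekt_Auth_Proxy::getEffectiveUserId(), Phprojekt_Acl::DELETE);
     }
     return true;
 }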
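 /**
  * Returns project-module && user-role-project permissions.
  *
  * Returns the permissions,
  * ("none", "read", "write", "access", "create", "copy", "delete", "download", "admin")
  * for each module that the project has,
  * for the current logged-in user,
  * depending on their role and access in the project.
  *
  * REQUIRES request parameters:
  * <pre>
  *  - integer <b>nodeId</b> The projectId to consult.
  * </pre>
  *
  * The return is in JSON format. A missing or non-numeric nodeId yields an
  * empty list without touching the database.
  *
  * @return void
  */
 public function jsonGetModulesPermissionAction()
 {
     $projectId = (int) $this->getRequest()->getParam('nodeId');
     if ($projectId === 0) {
         // No rights or invalid project: nothing to look up.
         $data = array();
     } else {
         $data = self::_collectAllowedModules($projectId);
     }
     Phprojekt_Converter_Json::echoConvert($data);
 }

 /**
  * Collect the modules of a project the current user may see, with rights.
  *
  * For every module that is in the project, the role rights of the current
  * user are folded into a Phprojekt_Acl bitmask (admin, create, write,
  * read). Modules with at least one bit set are returned; admin users get
  * every module in the project regardless of the bitmask.
  *
  * @param integer $projectId Id of the project, already known to be non-zero.
  *
  * @return array List of module rows, each with an added 'rights' entry.
  */
 private static function _collectAllowedModules($projectId)
 {
     $relation = new Project_Models_ProjectModulePermissions();
     $modules  = $relation->getProjectModulePermissionsById($projectId);
     $rights   = new Phprojekt_RoleRights($projectId);
     // Hoisted out of the loop: the admin flag does not change per module.
     $isAdmin  = Phprojekt_Auth::isAdminUser();
     $bits     = array(
         'admin'  => Phprojekt_Acl::ADMIN,
         'create' => Phprojekt_Acl::CREATE,
         'write'  => Phprojekt_Acl::WRITE,
         'read'   => Phprojekt_Acl::READ,
     );
     $allowed = array();
     foreach ($modules['data'] as $module) {
         if (!$module['inProject']) {
             continue;
         }
         $permission = Phprojekt_Acl::NONE;
         foreach ($bits as $name => $bit) {
             if ($rights->hasRight($name, $module['id'])) {
                 $permission |= $bit;
             }
         }
         // Return modules with at least one access (admins see all of them).
         if ($permission != Phprojekt_Acl::NONE || $isAdmin) {
             $module['rights'] = Phprojekt_Acl::convertBitmaskToArray($permission);
             $allowed[] = $module;
         }
     }
     return $allowed;
 }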
 /**
  * Delete the projects where the user doesn't have access.
  *
  * Admin users get the tree back untouched. For everybody else the rights
  * of the logged-in user (not the proxied/effective user) are fetched for
  * every node id in the tree index, and nodes whose effective right lacks
  * the READ bit are removed from the tree.
  *
  * @param Phprojekt_Tree_Node_Database $object Tree class.
  *
  * @return Phprojekt_Tree_Node_Database The tree class with only the allowed nodes.
  */
 public function applyRights(Phprojekt_Tree_Node_Database $object)
 {
     if (Phprojekt_Auth::isAdminUser()) {
         return $object;
     }
     // $object->_index is keyed by node id (see the isset() check in the loop below).
     $projectIds = array_keys($object->_index);
     // We don't use the effective user id here to make access management more simple. This way, a user really needs
     // read access to be able to look at a project.
     // NOTE(review): the two literal 1s are presumably the module id and project id of the Project module — confirm.
     $rights = Phprojekt_Right::getRightsForItems(1, 1, Phprojekt_Auth::getUserId(), $projectIds);
     // Start from ALL so that a node with no explicit entry is not dropped before any right has been seen.
     $currentRight = Phprojekt_Acl::ALL;
     foreach ($object as $index => $node) {
         // A node without its own entry keeps $currentRight from the node iterated just before it — presumably its
         // parent, but that depends on the tree's iteration order; verify before relying on it.
         $currentRight = isset($rights[$node->id]) ? $rights[$node->id] : $currentRight;
         /* delete node cannot update the iterator reference, so we check if it's still in the index or already
          * removed */
         if ((Phprojekt_Acl::READ & $currentRight) <= 0 && isset($object->_index[$node->id])) {
             $object->deleteNode($object, $node->id);
         }
     }
     return $object;
 }