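/**
 * check grant for action
 *
 * Users holding the MANAGE_TIMEACCOUNTS right or the ADMIN grant on the
 * timeaccount pass every check. For every action except 'get' the
 * timeaccount has to be open. On create/update the field-level grants in
 * $this->_fieldGrants are enforced for fields that deviate from their
 * default (create) or from the previous value (update).
 *
 * @param Timetracker_Model_Timesheet $_record  the timesheet (timeaccount_id / account_id are read)
 * @param string $_action one of 'get', 'create', 'update', 'delete'
 * @param boolean $_throw throw instead of returning FALSE when access is denied
 * @param string $_errorMessage
 * @param Timetracker_Model_Timesheet $_oldRecord previous record state, only used for 'update'
 * @return boolean
 * @throws Tinebase_Exception_AccessDenied
 *
 * @todo think about just setting the default values when user
 * hasn't the required grant to change the field (instead of throwing exception)
 */
protected function _checkGrant($_record, $_action, $_throw = TRUE, $_errorMessage = 'No Permission.', $_oldRecord = NULL)
{
    $timeaccountId = $_record->timeaccount_id;

    // users with MANAGE_TIMEACCOUNTS have all grants here
    if ($this->checkRight(Timetracker_Acl_Rights::MANAGE_TIMEACCOUNTS, FALSE)
        || Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, Tinebase_Model_Grants::GRANT_ADMIN)
    ) {
        return TRUE;
    }

    // only TA managers are allowed to alter TS of closed TAs
    if ($_action != 'get') {
        $timeaccount = Timetracker_Controller_Timeaccount::getInstance()->get($timeaccountId);
        if (!$timeaccount->is_open) {
            // honour $_throw here as well: a caller relying on the exception
            // must not carry on with a closed timeaccount
            if ($_throw) {
                throw new Tinebase_Exception_AccessDenied($_errorMessage);
            }
            return FALSE;
        }

        // check if timeaccount->is_billable is false => set default in fieldGrants to 0 and allow only managers to change it
        // NOTE: this modifies $this->_fieldGrants for the lifetime of the controller instance
        if (!$timeaccount->is_billable) {
            $this->_fieldGrants['is_billable']['default'] = 0;
            $this->_fieldGrants['is_billable']['requiredGrant'] = Tinebase_Model_Grants::GRANT_ADMIN;
        }
    }

    $currentAccountId = $this->_currentAccount->getId();

    $hasGrant = FALSE;
    switch ($_action) {
        case 'get':
            $hasGrant = Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, array(
                    Timetracker_Model_TimeaccountGrants::VIEW_ALL,
                    Timetracker_Model_TimeaccountGrants::BOOK_ALL,
                ))
                || ($_record->account_id == $currentAccountId
                    && Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, Timetracker_Model_TimeaccountGrants::BOOK_OWN));
            break;

        case 'create':
            $hasGrant = ($_record->account_id == $currentAccountId
                    && Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, Timetracker_Model_TimeaccountGrants::BOOK_OWN))
                || Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, Timetracker_Model_TimeaccountGrants::BOOK_ALL);
            if ($hasGrant) {
                // a restricted field set to something other than its default needs the required grant;
                // boolean && instead of &= keeps the result a real boolean
                foreach ($this->_fieldGrants as $field => $config) {
                    if (isset($_record->{$field}) && $_record->{$field} != $config['default']) {
                        $hasGrant = $hasGrant
                            && Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, $config['requiredGrant']);
                    }
                }
            }
            break;

        case 'update':
            $hasGrant = ($_record->account_id == $currentAccountId
                    && Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, Timetracker_Model_TimeaccountGrants::BOOK_OWN))
                || Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, Timetracker_Model_TimeaccountGrants::BOOK_ALL);
            if ($hasGrant) {
                // a restricted field that changed needs the required grant; without an old record
                // the field is compared against NULL instead of dereferencing NULL
                foreach ($this->_fieldGrants as $field => $config) {
                    $oldValue = ($_oldRecord !== NULL) ? $_oldRecord->{$field} : NULL;
                    if (isset($_record->{$field}) && $_record->{$field} != $oldValue) {
                        $hasGrant = $hasGrant
                            && Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, $config['requiredGrant']);
                    }
                }
            }
            break;

        case 'delete':
            $hasGrant = ($_record->account_id == $currentAccountId
                    && Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, Timetracker_Model_TimeaccountGrants::BOOK_OWN))
                || Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, Timetracker_Model_TimeaccountGrants::BOOK_ALL);
            break;
    }

    if ($_throw && !$hasGrant) {
        throw new Tinebase_Exception_AccessDenied($_errorMessage);
    }

    return $hasGrant;
}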
/**
 * check grant for action (CRUD)
 *
 * 'create' is never checked here: the caller is expected to have verified
 * the MANAGE_TIMEACCOUNTS right beforehand. The same short-cut applies when
 * grant checks are switched off via $this->_doGrantChecks.
 *
 * @param Timetracker_Model_Timeaccount $_record
 * @param string $_action one of 'get', 'create', 'update', 'delete'
 * @param boolean $_throw throw instead of returning FALSE when the grant is missing
 * @param string $_errorMessage
 * @param Timetracker_Model_Timeaccount $_oldRecord not used by this check
 * @return boolean
 * @throws Tinebase_Exception_AccessDenied
 */
protected function _checkGrant($_record, $_action, $_throw = TRUE, $_errorMessage = 'No Permission.', $_oldRecord = NULL)
{
    // no check here because the MANAGE_TIMEACCOUNTS right has been already checked before
    if ($_action == 'create' || !$this->_doGrantChecks) {
        return TRUE;
    }

    $timeaccountId = $_record->getId();

    // the ADMIN grant on the timeaccount is sufficient for every action
    $hasGrant = Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, Tinebase_Model_Grants::GRANT_ADMIN);

    // reading is additionally allowed with any view/book/billable grant
    if ($_action == 'get') {
        $hasGrant = $hasGrant || Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, array(
            Timetracker_Model_TimeaccountGrants::VIEW_ALL,
            Timetracker_Model_TimeaccountGrants::BOOK_OWN,
            Timetracker_Model_TimeaccountGrants::BOOK_ALL,
            Timetracker_Model_TimeaccountGrants::MANAGE_BILLABLE,
        ));
    }

    // get, update and delete are also covered by the global MANAGE_TIMEACCOUNTS right
    if (in_array($_action, array('get', 'update', 'delete'), TRUE)) {
        $hasGrant = $hasGrant || $this->checkRight(Timetracker_Acl_Rights::MANAGE_TIMEACCOUNTS, FALSE);
    }

    if ($_throw && !$hasGrant) {
        throw new Tinebase_Exception_AccessDenied($_errorMessage);
    }

    return $hasGrant;
}
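/**
 * check grant for action
 *
 * Users holding the MANAGE_TIMEACCOUNTS right or the ADMIN grant on the
 * timeaccount are treated as admins: they pass every grant check, but they
 * still may not touch timesheets of a closed timeaccount unless the request
 * context carries a truthy 'skipClosedCheck' flag. Non-admins are always
 * rejected on closed timeaccounts. On create/update the field-level grants
 * in $this->_fieldGrants are enforced for fields that deviate from their
 * default (create) or from the previous value (update).
 *
 * @param Timetracker_Model_Timesheet $_record  the timesheet (timeaccount_id / account_id are read)
 * @param string $_action one of 'get', 'create', 'update', 'delete'
 * @param boolean $_throw throw instead of returning FALSE when access is denied
 * @param string $_errorMessage
 * @param Timetracker_Model_Timesheet $_oldRecord previous record state, only used for 'update'
 * @return boolean
 * @throws Tinebase_Exception_AccessDenied
 * @throws Timetracker_Exception_ClosedTimeaccount when the timeaccount is closed and $_throw is set
 *
 * @todo think about just setting the default values when user
 * hasn't the required grant to change the field (instead of throwing exception)
 */
protected function _checkGrant($_record, $_action, $_throw = TRUE, $_errorMessage = 'No Permission.', $_oldRecord = NULL)
{
    $timeaccountId = $_record->timeaccount_id;

    // users with MANAGE_TIMEACCOUNTS have all grants here
    $isAdmin = $this->checkRight(Timetracker_Acl_Rights::MANAGE_TIMEACCOUNTS, FALSE)
        || Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, Tinebase_Model_Grants::GRANT_ADMIN);

    // only TA managers are allowed to alter TS of closed TAs, but they have to confirm first that they really want to do it
    if ($_action != 'get') {
        $timeaccount = Timetracker_Controller_Timeaccount::getInstance()->get($timeaccountId);
        if (!$timeaccount->is_open) {
            if (Tinebase_Core::isLogLevel(Zend_Log::DEBUG)) {
                Tinebase_Core::getLogger()->debug(__METHOD__ . '::' . __LINE__ . ' This Timeaccount is already closed!');
            }
            // the skip flag is only honoured for admins; everybody else is rejected
            if ($isAdmin
                && is_array($this->_requestContext)
                && !empty($this->_requestContext['skipClosedCheck'])
            ) {
                return TRUE;
            }
            if ($_throw) {
                throw new Timetracker_Exception_ClosedTimeaccount();
            }
            return FALSE;
        }

        // check if timeaccount->is_billable is false => set default in fieldGrants to 0 and allow only managers to change it
        // NOTE: this modifies $this->_fieldGrants for the lifetime of the controller instance
        if (!$timeaccount->is_billable) {
            $this->_fieldGrants['is_billable']['default'] = 0;
            $this->_fieldGrants['is_billable']['requiredGrant'] = Tinebase_Model_Grants::GRANT_ADMIN;
        }
    }

    if ($isAdmin) {
        return TRUE;
    }

    $currentUserId = Tinebase_Core::getUser()->getId();

    $hasGrant = FALSE;
    switch ($_action) {
        case 'get':
            $hasGrant = Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, array(
                    Timetracker_Model_TimeaccountGrants::VIEW_ALL,
                    Timetracker_Model_TimeaccountGrants::BOOK_ALL,
                ))
                || ($_record->account_id == $currentUserId
                    && Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, Timetracker_Model_TimeaccountGrants::BOOK_OWN));
            break;

        case 'create':
            $hasGrant = ($_record->account_id == $currentUserId
                    && Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, Timetracker_Model_TimeaccountGrants::BOOK_OWN))
                || Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, Timetracker_Model_TimeaccountGrants::BOOK_ALL);
            if ($hasGrant) {
                // a restricted field set to something other than its default needs the required grant;
                // boolean && instead of &= keeps the result a real boolean
                foreach ($this->_fieldGrants as $field => $config) {
                    if (isset($_record->{$field}) && $_record->{$field} != $config['default']) {
                        $hasGrant = $hasGrant
                            && Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, $config['requiredGrant']);
                    }
                }
            }
            break;

        case 'update':
            $hasGrant = ($_record->account_id == $currentUserId
                    && Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, Timetracker_Model_TimeaccountGrants::BOOK_OWN))
                || Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, Timetracker_Model_TimeaccountGrants::BOOK_ALL);
            if ($hasGrant) {
                // a restricted field that changed needs the required grant; without an old record
                // the field is compared against NULL instead of dereferencing NULL
                foreach ($this->_fieldGrants as $field => $config) {
                    $oldValue = ($_oldRecord !== NULL) ? $_oldRecord->{$field} : NULL;
                    if (isset($_record->{$field}) && $_record->{$field} != $oldValue) {
                        $hasGrant = $hasGrant
                            && Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, $config['requiredGrant']);
                    }
                }
            }
            break;

        case 'delete':
            $hasGrant = ($_record->account_id == $currentUserId
                    && Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, Timetracker_Model_TimeaccountGrants::BOOK_OWN))
                || Timetracker_Model_TimeaccountGrants::hasGrant($timeaccountId, Timetracker_Model_TimeaccountGrants::BOOK_ALL);
            break;
    }

    if ($_throw && !$hasGrant) {
        throw new Tinebase_Exception_AccessDenied($_errorMessage);
    }

    return $hasGrant;
}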