/** * move an object to $pid or over $targetId * * we'll use the same principle as for copy * * @param int $pid if not specified then will be set to pid of targetId * @param int $targetId * @return int the id of moved object or false */ public function moveTo($pid = false, $targetId = false) { // check input params if (!is_numeric($this->id) || !is_numeric($pid) && !is_numeric($targetId)) { return false; } /* security check */ if (!\CB\Security::canRead($this->id)) { return false; } /* end of security check */ //load current object from db into a variable to be passed to log and events $this->oldObject = clone $this; $this->oldObject->load($this->id); if (is_numeric($targetId)) { /* target security check */ if (!\CB\Security::canWrite($targetId)) { return false; } /* end of target security check */ // marking overwriten object with dstatus = 3 DB\dbQuery('UPDATE tree SET updated = 1 ,dstatus = 3 ,did = $2 WHERE id = $1', array($targetId, $_SESSION['user']['id'])) or die(DB\dbQueryError()); //get pid from target if not specified $res = DB\dbQuery('SELECT pid FROM tree WHERE id = $1', $targetId) or die(DB\dbQueryError()); if ($r = $res->fetch_assoc()) { $pid = $r['pid']; } $res->close(); } else { /* pid security check */ if (!\CB\Security::canWrite($pid)) { return false; } /* end of pid security check */ } /* check again if we have pid set It can be unset when not existent $targetId is specified */ if (!is_numeric($pid)) { return false; } // moving the object to $pid DB\dbQuery('UPDATE tree SET updated = 1 ,pid = $2 WHERE id = $1', array($this->id, $pid)) or die(DB\dbQueryError()); $this->moveCustomDataTo($pid); // move childs from overwriten targetId (which has been marked with dstatus = 3) // to newly copied object if (is_numeric($targetId)) { DB\dbQuery('UPDATE tree SET updated = 1 ,pid = $2 WHERE pid = $1 AND dstatus = 0', array($targetId, $this->id)) or die(DB\dbQueryError()); } $this->load(); $this->logAction('move', array('old' => $this->oldObject)); return $this->id; }
/** * add allow for everyone security rule to root node * @return int object id */ public function addAllowSecurityRule() { $class = new \CB\Api\Security(); $data = array('node_id' => 1, 'user_group_id' => \CB\Security::getSystemGroupId('everyone'), 'allow' => 'full_control'); $rez = $class->updateNodeAccess($data); return $rez; }
/** * get assign security sets to filters * dont check if 'skipSecurity = true' * it's used in Objects fields where we show all nodes * without permission filtering * @param array &$p * @return varchar */ protected function getSecuritySetsParam(&$p) { $rez = ''; if (!Security::isAdmin() && empty($p['skipSecurity'])) { $pids = false; if (!empty($p['pid'])) { $pids = $p['pid']; } elseif (!empty($p['pids'])) { $pids = $p['pids']; } $sets = Security::getSecuritySets(false, 5, $pids); if (!empty($sets)) { $rez = 'security_set_id:(' . implode(' OR ', $sets) . ') OR oid:' . User::getId(); } else { //for created users that doesnt belong to any group //and dont have any security sets associated $rez = '!security_set_id:[* TO *]'; } } return $rez; }
/** * get action flags that a user can do this task * @param int $userId * @return array */ public function getActionFlags($userId = false) { $d =& $this->data; if ($userId === false) { $userId = $_SESSION['user']['id']; } $isAdmin = \CB\Security::isAdmin($userId); $isOwner = $this->isOwner($userId); $isClosed = $this->isClosed(); $canEdit = !$isClosed && ($isAdmin || $isOwner); $rez = array('edit' => $canEdit, 'close' => $canEdit, 'reopen' => $isClosed && $isOwner, 'complete' => !$isClosed && $this->getUserStatus($userId) == static::$USERSTATUS_ONGOING); return $rez; }
/** * function to check if a user cam manage task * * This function returns true if specified user can manage/update specified task. * User can manage a task if he is Administrator, Creator of the task * or is one of the responsible task users. * * @param int $taskId id of the task to be checked * @param int $userId id of the user to be checked * @return boolean returns true in case of the user can manage the task */ public static function canManageTask($taskId, $userId = false) { $rez = false; if ($userId == false) { $userId = User::getId(); } $task = Objects::getCachedObject($taskId); $data = $task->getData(); $rez = $data['cid'] == $userId || in_array($userId, $data['sys_data']['task_u_ongoing']) || in_array($userId, $data['sys_data']['task_u_done']); if (!$rez) { $rez = Security::isAdmin($userId); } return $rez; }
/** * clear user sessions * @param int $userId * @return boolean */ public static function clearUserSessions($userId) { if (!Security::canEditUser($userId)) { return false; } DB\dbQuery('DELETE FROM sessions WHERE user_id = $1', $userId) or die(DB\dbQueryError()); return true; }
public function updateFileProperties($p) { if (empty($p['id'])) { return array('success' => false, 'msg' => L\get('Wrong_input_data')); } if (!Security::canWrite($p['id'])) { return array('success' => false, 'msg' => L\get('Access_denied')); } $p['title'] = strip_tags(@$p['title']); DB\dbQuery('UPDATE files SET `date` = $2 ,title = $3 ,uid = $4 ,udate = CURRENT_TIMESTAMP WHERE id = $1', array($p['id'], Util\dateISOToMysql($p['date']), @$p['title'], $_SESSION['user']['id'])) or die(DB\dbQueryError()); Objects::updateCaseUpdateInfo($p['id']); return array('success' => true); }
/** * Rename group */ public function renameGroup($p) { if (!User::isVerified()) { return array('success' => false, 'verify' => true); } $title = Purify::humanName($p['title']); if (empty($title)) { throw new \Exception(L\get('Wrong_input_data')); } $id = $this->extractId($p['id']); if (!Security::canEditUser($id)) { throw new \Exception(L\get('Access_denied')); } DB\dbQuery('UPDATE users_groups SET name = $2, uid = $3 WHERE id = $1 AND type = 1', array($id, $title, $_SESSION['user']['id'])) or die(DB\dbQueryError()); return array('success' => true, 'title' => $title); }
/** * remove users photo * @param object $p json decoded object * @return array json responce */ public function removePhoto($p) { if (!$this->isVerified()) { return array('success' => false, 'verify' => true); } if (!is_numeric($p['id'])) { return array('success' => false, 'msg' => L\get('Wrong_id')); } if (!Security::canEditUser($p['id'])) { throw new \Exception(L\get('Access_denied')); } /* delete photo file*/ $r = DM\Users::read($p['id']); if (!empty($r['photo'])) { @unlink(Config::get('photos_path') . $r['photo']); } /* enddelete photo file */ // update db record DM\Users::update(array('id' => $p['id'], 'photo' => null)); return array('success' => true); }
/** * change status for a task * @param int $status * @param int $id * @return json response */ protected function changeStatus($id, $status) { $obj = Objects::getCachedObject($id); $data = $obj->getData(); //status change for task is allowed only for owner or admin if (!$obj->isOwner() && !Security::isAdmin()) { return array('success' => false, 'msg' => L\get('No_access_for_this_action')); } switch ($status) { case Objects\Task::$STATUS_ACTIVE: $obj->setActive(); break; case Objects\Task::$STATUS_CLOSED: $obj->setClosed(); break; default: return array('success' => false, 'id' => $id); } $this->afterUpdate($id); return array('success' => true, 'id' => $id); }
/** * check if current class is configured to return any result for * given path and request params * @param array &$pathArray * @param array &$requestParams * @return boolean */ protected function acceptedPath(&$pathArray, &$requestParams) { return parent::acceptedPath($pathArray, $requestParams) && Security::isAdmin(); }
public function takeOwnership($ids) { $ids = Util\toNumericArray($ids); $rez = array('success' => true, 'data' => $ids); if (empty($ids)) { return $rez; } //check if user has rights to take ownership on each object foreach ($ids as $id) { if (!Security::canTakeOwnership($id)) { throw new \Exception(L\get('Access_denied')); } } //set the owner DB\dbQuery('UPDATE tree SET oid = $1 ,uid = $1 WHERE id IN (' . implode(',', $ids) . ') AND `system` = 0', $_SESSION['user']['id']) or die(DB\dbQueryError()); //TODO: view if needed to mark all childs as updated, for security to be changed .... Solr\Client::runCron(); return $rez; }
/** * move an object to $pid or over $targetId * * we'll use the same principle as for copy * * @param int $pid if not specified then will be set to pid of targetId * @param int $targetId * @return int the id of moved object or false */ public function moveTo($pid = false, $targetId = false) { // check input params if (!is_numeric($this->id) || !is_numeric($pid) && !is_numeric($targetId)) { return false; } /* security check */ if (!\CB\Security::canRead($this->id)) { return false; } /* end of security check */ //load current object from db into a variable to be passed to log and events $this->oldObject = clone $this; $this->oldObject->load($this->id); if (is_numeric($targetId)) { /* target security check */ if (!\CB\Security::canWrite($targetId)) { return false; } /* end of target security check */ // marking overwriten object with dstatus = 3 DM\Tree::update(array('id' => $targetId, 'updated' => 1, 'dstatus' => 3, 'did' => User::getId())); $r = DM\Tree::read($targetId); if (!empty($r)) { $pid = $r['pid']; } } else { /* pid security check */ if (!\CB\Security::canWrite($pid)) { return false; } /* end of pid security check */ } /* check again if we have pid set It can be unset when not existent $targetId is specified */ if (!is_numeric($pid)) { return false; } // moving the object to $pid DM\Tree::update(array('id' => $this->id, 'pid' => $pid, 'updated' => 1)); $this->moveCustomDataTo($pid); // move childs from overwriten targetId (which has been marked with dstatus = 3) // to newly copied object if (is_numeric($targetId)) { DM\Tree::moveActiveChildren($targetId, $this->id); } $this->load(); $this->logAction('move', array('old' => $this->oldObject)); return $this->id; }
public function saveFile($p) { $incommingFilesDir = Config::get('incomming_files_dir'); $files = new Files(); /* clean previous unhandled uploads if any */ $a = $files->getUploadParams(); if ($a !== false && !empty($a['files'])) { @unlink($incommingFilesDir . $_SESSION['key']); $files->removeIncomingFiles($a['files']); } /* end of clean previous unhandled uploads if any */ $F =& $_FILES; if (empty($p['pid'])) { return array('success' => false, 'msg' => L\get('Error_uploading_file')); } $p['pid'] = Path::detectRealTargetId($p['pid']); if (empty($F)) { //update only file properties (no files were uploaded) return $files->updateFileProperties($p); } else { foreach ($F as $k => $v) { $F[$k]['name'] = Purify::filename(@$F[$k]['name']); $v = $v; //dummy codacy assignment } } if (!Objects::idExists($p['pid'])) { return array('success' => false, 'msg' => L\get('TargetFolderDoesNotExist')); } /*checking if there is no upload error (for any type of upload: single, multiple, archive) */ foreach ($F as $f) { if (!in_array($f['error'], array(UPLOAD_ERR_OK, UPLOAD_ERR_NO_FILE))) { return array('success' => false, 'msg' => L\get('Error_uploading_file') . ': ' . $f['error']); } } /* retreiving files list */ switch (@$p['uploadType']) { case 'archive': $archiveFiles = array(); foreach ($F as $fk => $f) { $files->extractUploadedArchive($F[$fk]); $archiveFiles = array_merge($archiveFiles, $F[$fk]); } $F = $archiveFiles; break; default: $files->moveUploadedFilesToIncomming($F) or die('cannot move file to incomming dir'); break; } $p['existentFilenames'] = $files->getExistentFilenames($F, $p['pid']); $p['files'] =& $F; if (!empty($p['existentFilenames'])) { //check if can write target file if (!Security::canWrite($p['existentFilenames'][0]['existentFileId'])) { return array('success' => false, 'msg' => L\get('Access_denied')); } // store current state serialized in a local file in incomming folder $files->saveUploadParams($p); if (!empty($p['response'])) { //it is supposed to work only for single files upload return $this->confirmUploadRequest($p); } $allow_new_version = false; foreach ($p['existentFilenames'] as $f) { $mfvc = Files::getMFVC($f['name']); if ($mfvc > 0) { $allow_new_version = true; } } $rez = array('success' => false, 'type' => 'filesexist', 'allow_new_version' => $allow_new_version, 'count' => sizeof($p['existentFilenames'])); if ($rez['count'] == 1) { $rez['msg'] = empty($p['existentFilenames'][0]['msg']) ? str_replace('{filename}', '"' . $p['existentFilenames'][0]['name'] . '"', L\get('FilenameExistsInTarget')) : $p['existentFilenames'][0]['msg']; //$rez['filename'] = $p['existentFilenames'][0]['name']; $rez['suggestedFilename'] = $p['existentFilenames'][0]['suggestedFilename']; } else { $rez['msg'] = L\get('SomeFilenamesExistsInTarget'); } return $rez; } else { //check if can write in target folder if (!Security::canWrite($p['pid'])) { return array('success' => false, 'msg' => L\get('Access_denied')); } } $files->storeFiles($p); //if everithing is ok then store files Solr\Client::runCron(); $rez = array('success' => true, 'data' => array('pid' => $p['pid'])); $files->attachPostUploadInfo($F, $rez); return $rez; }
public function updateFileProperties($p) { if (empty($p['id'])) { return array('success' => false, 'msg' => L\get('Wrong_input_data')); } if (!Security::canWrite($p['id'])) { return array('success' => false, 'msg' => L\get('Access_denied')); } $p['title'] = strip_tags(@$p['title']); DM\Files::update(array('id' => $p['id'], 'date' => Util\dateISOToMysql($p['date']), 'title' => @$p['title'], 'uid' => User::getId(), 'udate' => 'CURRENT_TIMESTAMP')); Objects::updateCaseUpdateInfo($p['id']); return array('success' => true); }
/** * add comments for an objects * @param array $p input params (id, msg) */ public function addComment($p) { $rez = array('success' => false); if (empty($p['id']) || !is_numeric($p['id']) || empty($p['msg'])) { $rez['msg'] = L\get('Wrong_input_data'); return $rez; } if (!Security::canRead($p['id'])) { throw new \Exception(L\get('Access_denied')); } $commentTemplates = Templates::getIdsByType('comment'); if (empty($commentTemplates)) { $rez['msg'] = 'No comment templates found'; return $rez; } $co = new Objects\Comment(); $data = array('pid' => $p['id'], 'draftId' => @$p['draftId'], 'template_id' => array_shift($commentTemplates), 'system' => 2, 'data' => array('_title' => $p['msg'])); $id = $co->create($data); Solr\Client::runCron(); return array('success' => true, 'data' => \CB\Objects\Plugins\Comments::loadComment($id)); }
/** * create shorcut(s) * @param object $p input params * @return json responce */ public function shortcut($p) { if (!$this->validateParams($p)) { return array('success' => false, 'msg' => L\get('ErroneousInputData')); } /* security checks */ foreach ($p['sourceIds'] as $sourceId) { if (!\CB\Security::canRead($sourceId)) { return array('success' => false, 'msg' => L\get('Access_denied')); } } if (!\CB\Security::canWrite($p['targetId'])) { return array('success' => false, 'msg' => L\get('Access_denied')); } $rez = array('success' => true, 'targetId' => $p['targetId'], 'processedIds' => array()); $shortcutObject = new Objects\Shortcut(); foreach ($p['sourceIds'] as $id) { $rez['processedIds'][] = $shortcutObject->create(array('id' => null, 'pid' => $p['targetId'], 'target_id' => $id)); } Solr\Client::runCron(); return $rez; }
/** * clear user sessions * @param int $userId * @return boolean */ public static function clearUserSessions($userId) { if (!Security::canEditUser($userId)) { return false; } DM\Sessions::deleteByUserId($userId); return true; }