/**
* Displays a list of user groups.
*
* @param boolean $includeSuperAdmin true to include super admin groups, false to exclude them
*
* @return array An array containing a list of user groups.
*
* @since 11.4
*/
public static function groups($includeSuperAdmin = false)
{
$db = Factory::getDbo();
$query = $db->getQuery(true);
$query->select('a.id AS value, a.title AS text, COUNT(DISTINCT b.id) AS level');
$query->from($db->quoteName('#__usergroups') . ' AS a');
$query->join('LEFT', $db->quoteName('#__usergroups') . ' AS b ON a.lft > b.lft AND a.rgt < b.rgt');
$query->group('a.id, a.title, a.lft, a.rgt');
$query->order('a.lft ASC');
$db->setQuery($query);
$options = $db->loadObjectList();
for ($i = 0, $n = count($options); $i < $n; $i++) {
$options[$i]->text = str_repeat('- ', $options[$i]->level) . $options[$i]->text;
$groups[] = Html::_('select.option', $options[$i]->value, $options[$i]->text);
}
// Exclude super admin groups if requested
if (!$includeSuperAdmin) {
$filteredGroups = array();
foreach ($groups as $group) {
if (!AccessAccess::checkGroup($group->value, 'core.admin')) {
$filteredGroups[] = $group;
}
}
$groups = $filteredGroups;
}
return $groups;
}
/**
* Method to get the field input markup for Access Control Lists.
* Optionally can be associated with a specific component and section.
*
* TODO: Add access check.
*
* @return string The field input markup.
*
* @since 11.1
*/
protected function getInput()
{
Html::_('behavior.tooltip');
// Initialise some field attributes.
$section = $this->element['section'] ? (string) $this->element['section'] : '';
$component = $this->element['component'] ? (string) $this->element['component'] : '';
$assetField = $this->element['asset_field'] ? (string) $this->element['asset_field'] : 'asset_id';
// Get the actions for the asset.
$actions = Access::getActionsFromFile(JPATH_ADMINISTRATOR . '/components/' . $component . '/access.xml', "/access/section[@name='" . $section . "']/");
// Iterate over the children and add to the actions.
foreach ($this->element->children() as $el) {
if ($el->getName() == 'action') {
$actions[] = (object) array('name' => (string) $el['name'], 'title' => (string) $el['title'], 'description' => (string) $el['description']);
}
}
// Get the explicit rules for this asset.
if ($section == 'component') {
// Need to find the asset id by the name of the component.
$db = Factory::getDbo();
$query = $db->getQuery(true);
$query->select($db->quoteName('id'));
$query->from($db->quoteName('#__assets'));
$query->where($db->quoteName('name') . ' = ' . $db->quote($component));
$db->setQuery($query);
$assetId = (int) $db->loadResult();
} else {
// Find the asset id of the content.
// Note that for global configuration, com_config injects asset_id = 1 into the form.
$assetId = $this->form->getValue($assetField);
}
// Use the compact form for the content rules (deprecated).
/* @todo remove code:
if (!empty($component) && $section != 'component') {
return Html::_('rules.assetFormWidget', $actions, $assetId, $assetId ? null : $component, $this->name, $this->id);
}
*/
// Full width format.
// Get the rules for just this asset (non-recursive).
$assetRules = Access::getAssetRules($assetId);
// Get the available user groups.
$groups = $this->getUserGroups();
// Build the form control.
$curLevel = 0;
// Prepare output
$html = array();
$html[] = '<div id="permissions-sliders" class="pane-sliders">';
$html[] = '<p class="rule-desc">' . Text::_('JLIB_RULES_SETTINGS_DESC') . '</p>';
$html[] = '<ul id="rules">';
// Start a row for each user group.
foreach ($groups as $group) {
$difLevel = $group->level - $curLevel;
if ($difLevel > 0) {
$html[] = '<li><ul>';
} elseif ($difLevel < 0) {
$html[] = str_repeat('</ul></li>', -$difLevel);
}
$html[] = '<li>';
$html[] = '<div class="panel">';
$html[] = '<h3 class="pane-toggler title"><a href="javascript:void(0);"><span>';
$html[] = str_repeat('<span class="level">|–</span> ', $curLevel = $group->level) . $group->text;
$html[] = '</span></a></h3>';
$html[] = '<div class="pane-slider content pane-hide">';
$html[] = '<div class="mypanel">';
$html[] = '<table class="group-rules">';
$html[] = '<thead>';
$html[] = '<tr>';
$html[] = '<th class="actions" id="actions-th' . $group->value . '">';
$html[] = '<span class="acl-action">' . Text::_('JLIB_RULES_ACTION') . '</span>';
$html[] = '</th>';
$html[] = '<th class="settings" id="settings-th' . $group->value . '">';
$html[] = '<span class="acl-action">' . Text::_('JLIB_RULES_SELECT_SETTING') . '</span>';
$html[] = '</th>';
// The calculated setting is not shown for the root group of global configuration.
$canCalculateSettings = $group->parent_id || !empty($component);
if ($canCalculateSettings) {
$html[] = '<th id="aclactionth' . $group->value . '">';
$html[] = '<span class="acl-action">' . Text::_('JLIB_RULES_CALCULATED_SETTING') . '</span>';
$html[] = '</th>';
}
$html[] = '</tr>';
$html[] = '</thead>';
$html[] = '<tbody>';
foreach ($actions as $action) {
$html[] = '<tr>';
$html[] = '<td headers="actions-th' . $group->value . '">';
$html[] = '<label class="hasTip" for="' . $this->id . '_' . $action->name . '_' . $group->value . '" title="' . htmlspecialchars(Text::_($action->title) . '::' . Text::_($action->description), ENT_COMPAT, 'UTF-8') . '">';
$html[] = Text::_($action->title);
$html[] = '</label>';
$html[] = '</td>';
$html[] = '<td headers="settings-th' . $group->value . '">';
$html[] = '<select name="' . $this->name . '[' . $action->name . '][' . $group->value . ']" id="' . $this->id . '_' . $action->name . '_' . $group->value . '" title="' . Text::sprintf('JLIB_RULES_SELECT_ALLOW_DENY_GROUP', Text::_($action->title), trim($group->text)) . '">';
$inheritedRule = Access::checkGroup($group->value, $action->name, $assetId);
// Get the actual setting for the action for this group.
$assetRule = $assetRules->allow($action->name, $group->value);
// Build the dropdowns for the permissions sliders
// The parent group has "Not Set", all children can rightly "Inherit" from that.
$html[] = '<option value=""' . ($assetRule === null ? ' selected="selected"' : '') . '>' . Text::_(empty($group->parent_id) && empty($component) ? 'JLIB_RULES_NOT_SET' : 'JLIB_RULES_INHERITED') . '</option>';
$html[] = '<option value="1"' . ($assetRule === true ? ' selected="selected"' : '') . '>' . Text::_('JLIB_RULES_ALLOWED') . '</option>';
$html[] = '<option value="0"' . ($assetRule === false ? ' selected="selected"' : '') . '>' . Text::_('JLIB_RULES_DENIED') . '</option>';
$html[] = '</select>  ';
// If this asset's rule is allowed, but the inherited rule is deny, we have a conflict.
if ($assetRule === true && $inheritedRule === false) {
$html[] = Text::_('JLIB_RULES_CONFLICT');
}
$html[] = '</td>';
// Build the Calculated Settings column.
// The inherited settings column is not displayed for the root group in global configuration.
if ($canCalculateSettings) {
$html[] = '<td headers="aclactionth' . $group->value . '">';
// This is where we show the current effective settings considering currrent group, path and cascade.
// Check whether this is a component or global. Change the text slightly.
if (Access::checkGroup($group->value, 'core.admin') !== true) {
if ($inheritedRule === null) {
$html[] = '<span class="icon-16-unset">' . Text::_('JLIB_RULES_NOT_ALLOWED') . '</span>';
} elseif ($inheritedRule === true) {
$html[] = '<span class="icon-16-allowed">' . Text::_('JLIB_RULES_ALLOWED') . '</span>';
} elseif ($inheritedRule === false) {
if ($assetRule === false) {
$html[] = '<span class="icon-16-denied">' . Text::_('JLIB_RULES_NOT_ALLOWED') . '</span>';
} else {
$html[] = '<span class="icon-16-denied"><span class="icon-16-locked">' . Text::_('JLIB_RULES_NOT_ALLOWED_LOCKED') . '</span></span>';
}
}
} elseif (!empty($component)) {
$html[] = '<span class="icon-16-allowed"><span class="icon-16-locked">' . Text::_('JLIB_RULES_ALLOWED_ADMIN') . '</span></span>';
} else {
// Special handling for groups that have global admin because they can't be denied.
// The admin rights can be changed.
if ($action->name === 'core.admin') {
$html[] = '<span class="icon-16-allowed">' . Text::_('JLIB_RULES_ALLOWED') . '</span>';
} elseif ($inheritedRule === false) {
// Other actions cannot be changed.
$html[] = '<span class="icon-16-denied"><span class="icon-16-locked">' . Text::_('JLIB_RULES_NOT_ALLOWED_ADMIN_CONFLICT') . '</span></span>';
} else {
$html[] = '<span class="icon-16-allowed"><span class="icon-16-locked">' . Text::_('JLIB_RULES_ALLOWED_ADMIN') . '</span></span>';
}
}
$html[] = '</td>';
}
$html[] = '</tr>';
}
$html[] = '</tbody>';
$html[] = '</table></div>';
$html[] = '</div></div>';
$html[] = '</li>';
}
$html[] = str_repeat('</ul></li>', $curLevel);
$html[] = '</ul><div class="rule-notes">';
if ($section == 'component' || $section == null) {
$html[] = Text::_('JLIB_RULES_SETTING_NOTES');
} else {
$html[] = Text::_('JLIB_RULES_SETTING_NOTES_ITEM');
}
$html[] = '</div></div>';
// Get the JInput object
$input = Factory::getApplication()->input;
$js = "window.addEvent('domready', function(){ new Fx.Accordion(\$\$('div#permissions-sliders.pane-sliders .panel h3.pane-toggler')," . "\$\$('div#permissions-sliders.pane-sliders .panel div.pane-slider'), {onActive: function(toggler, i) {toggler.addClass('pane-toggler-down');" . "toggler.removeClass('pane-toggler');i.addClass('pane-down');i.removeClass('pane-hide');Cookie.write('jpanesliders_permissions-sliders" . $component . "',\$\$('div#permissions-sliders.pane-sliders .panel h3').indexOf(toggler));}," . "onBackground: function(toggler, i) {toggler.addClass('pane-toggler');toggler.removeClass('pane-toggler-down');i.addClass('pane-hide');" . "i.removeClass('pane-down');}, duration: 300, display: " . $input->cookie->get('jpanesliders_permissions-sliders' . $component, 0, 'integer') . ", show: " . $input->cookie->get('jpanesliders_permissions-sliders' . $component, 0, 'integer') . ", alwaysHide:true, opacity: false}); });";
Factory::getDocument()->addScriptDeclaration($js);
return implode("\n", $html);
}
/**
* Creates the HTML for the permissions widget
*
* @param array $actions Array of action objects
* @param integer $assetId Id of a specific asset to create a widget for.
* @param integer $parent Id of the parent of the asset
* @param string $control The form control
* @param string $idPrefix Prefix for the ids assigned to specific action-group pairs
*
* @return string HTML for the permissions widget
*
* @since 11.1
*
* @see JAccess
* @see JFormFieldRules
*/
public static function assetFormWidget($actions, $assetId = null, $parent = null, $control = 'jform[rules]', $idPrefix = 'jform_rules')
{
$images = self::_getImagesArray();
// Get the user groups.
$groups = self::_getUserGroups();
// Get the incoming inherited rules as well as the asset specific rules.
$inheriting = Access::getAssetRules($parent ? $parent : self::_getParentAssetId($assetId), true);
$inherited = Access::getAssetRules($assetId, true);
$rules = Access::getAssetRules($assetId);
$html = array();
$html[] = '<div class="acl-options">';
$html[] = Html::_('tabs.start', 'acl-rules-' . $assetId, array('useCookie' => 1));
$html[] = Html::_('tabs.panel', Text::_('JLIB_HTML_ACCESS_SUMMARY'), 'summary');
$html[] = ' <p>' . Text::_('JLIB_HTML_ACCESS_SUMMARY_DESC') . '</p>';
$html[] = ' <table class="aclsummary-table" summary="' . Text::_('JLIB_HTML_ACCESS_SUMMARY_DESC') . '">';
$html[] = ' <caption>' . Text::_('JLIB_HTML_ACCESS_SUMMARY_DESC_CAPTION') . '</caption>';
$html[] = ' <tr>';
$html[] = ' <th class="col1 hidelabeltxt">' . Text::_('JLIB_RULES_GROUPS') . '</th>';
foreach ($actions as $i => $action) {
$html[] = ' <th class="col' . ($i + 2) . '">' . Text::_($action->title) . '</th>';
}
$html[] = ' </tr>';
foreach ($groups as $i => $group) {
$html[] = ' <tr class="row' . $i % 2 . '">';
$html[] = ' <td class="col1">' . $group->text . '</td>';
foreach ($actions as $j => $action) {
$html[] = ' <td class="col' . ($j + 2) . '">' . ($assetId ? $inherited->allow($action->name, $group->identities) ? $images['allow'] : $images['deny'] : ($inheriting->allow($action->name, $group->identities) ? $images['allow'] : $images['deny'])) . '</td>';
}
$html[] = ' </tr>';
}
$html[] = ' </table>';
foreach ($actions as $action) {
$actionTitle = Text::_($action->title);
$actionDesc = Text::_($action->description);
$html[] = Html::_('tabs.panel', $actionTitle, $action->name);
$html[] = ' <p>' . $actionDesc . '</p>';
$html[] = ' <table class="aclmodify-table" summary="' . strip_tags($actionDesc) . '">';
$html[] = ' <caption>' . Text::_('JLIB_HTML_ACCESS_MODIFY_DESC_CAPTION_ACL') . ' ' . $actionTitle . ' ' . Text::_('JLIB_HTML_ACCESS_MODIFY_DESC_CAPTION_TABLE') . '</caption>';
$html[] = ' <tr>';
$html[] = ' <th class="col1 hidelabeltxt">' . Text::_('JLIB_RULES_GROUP') . '</th>';
$html[] = ' <th class="col2">' . Text::_('JLIB_RULES_INHERIT') . '</th>';
$html[] = ' <th class="col3 hidelabeltxt">' . Text::_('JMODIFY') . '</th>';
$html[] = ' <th class="col4">' . Text::_('JCURRENT') . '</th>';
$html[] = ' </tr>';
foreach ($groups as $i => $group) {
$selected = $rules->allow($action->name, $group->value);
$html[] = ' <tr class="row' . $i % 2 . '">';
$html[] = ' <td class="col1">' . $group->text . '</td>';
$html[] = ' <td class="col2">' . ($inheriting->allow($action->name, $group->identities) ? $images['allow-i'] : $images['deny-i']) . '</td>';
$html[] = ' <td class="col3">';
$html[] = ' <select id="' . $idPrefix . '_' . $action->name . '_' . $group->value . '" class="inputbox" size="1" name="' . $control . '[' . $action->name . '][' . $group->value . ']" title="' . Text::sprintf('JLIB_RULES_SELECT_ALLOW_DENY_GROUP', $actionTitle, $group->text) . '">';
$html[] = ' <option value=""' . ($selected === null ? ' selected="selected"' : '') . '>' . Text::_('JLIB_RULES_INHERIT') . '</option>';
$html[] = ' <option value="1"' . ($selected === true ? ' selected="selected"' : '') . '>' . Text::_('JLIB_RULES_ALLOWED') . '</option>';
$html[] = ' <option value="0"' . ($selected === false ? ' selected="selected"' : '') . '>' . Text::_('JLIB_RULES_DENIED') . '</option>';
$html[] = ' </select>';
$html[] = ' </td>';
$html[] = ' <td class="col4">' . ($assetId ? $inherited->allow($action->name, $group->identities) ? $images['allow'] : $images['deny'] : ($inheriting->allow($action->name, $group->identities) ? $images['allow'] : $images['deny'])) . '</td>';
$html[] = ' </tr>';
}
$html[] = ' </table>';
}
$html[] = Html::_('tabs.end');
// Build the footer with legend and special purpose buttons.
$html[] = ' <div class="clr"></div>';
$html[] = ' <ul class="acllegend fltlft">';
$html[] = ' <li class="acl-allowed">' . Text::_('JLIB_RULES_ALLOWED') . '</li>';
$html[] = ' <li class="acl-denied">' . Text::_('JLIB_RULES_DENIED') . '</li>';
$html[] = ' </ul>';
$html[] = '</div>';
return implode("\n", $html);
}
/**
* Returns a UL list of actions with check boxes
*
* @param string $name The name of the checkbox controls array
* @param array $selected An array of the checked boxes
* @param string $component The component the permissions apply to
* @param string $section The section (within a component) the permissions apply to
*
* @return string
*
* @see JAccess
* @since 11.1
*/
public static function actions($name, $selected, $component, $section = 'global')
{
static $count;
$count++;
$actions = AuthorizationAccess::getActionsFromFile(JPATH_ADMINISTRATOR . '/components/' . $component . '/access.xml', "/access/section[@name='" . $section . "']/");
$html = array();
$html[] = '<ul class="checklist access-actions">';
for ($i = 0, $n = count($actions); $i < $n; $i++) {
$item =& $actions[$i];
// Setup the variable attributes.
$eid = $count . 'action_' . $item->id;
$checked = in_array($item->id, $selected) ? ' checked="checked"' : '';
// Build the HTML for the item.
$html[] = ' <li>';
$html[] = ' <input type="checkbox" name="' . $name . '[]" value="' . $item->id . '" id="' . $eid . '"';
$html[] = ' ' . $checked . ' />';
$html[] = ' <label for="' . $eid . '">';
$html[] = ' ' . Text::_($item->title);
$html[] = ' </label>';
$html[] = ' </li>';
}
$html[] = '</ul>';
return implode("\n", $html);
}
/**
* Method to save the JUser object to the database
*
* @param boolean $updateOnly Save the object only if not a new user
* Currently only used in the user reset password method.
*
* @return boolean True on success
*
* @since 11.1
* @throws RuntimeException
*/
public function save($updateOnly = false)
{
// Create the user table object
$table = $this->getTable();
$this->params = (string) $this->_params;
$table->bind($this->getProperties());
// Allow an exception to be thrown.
try {
// Check and store the object.
if (!$table->check()) {
$this->setError($table->getError());
return false;
}
// If user is made a Super Admin group and user is NOT a Super Admin
// @todo ACL - this needs to be acl checked
$my = Factory::getUser();
// Are we creating a new user
$isNew = empty($this->id);
// If we aren't allowed to create new users return
if ($isNew && $updateOnly) {
return true;
}
// Get the old user
$oldUser = new User($this->id);
// Access Checks
// The only mandatory check is that only Super Admins can operate on other Super Admin accounts.
// To add additional business rules, use a user plugin and throw an Exception with onUserBeforeSave.
// Check if I am a Super Admin
$iAmSuperAdmin = $my->authorise('core.admin');
// We are only worried about edits to this account if I am not a Super Admin.
if ($iAmSuperAdmin != true) {
if ($isNew) {
// Check if the new user is being put into a Super Admin group.
foreach ($this->groups as $groupId) {
if (Access::checkGroup($groupId, 'core.admin')) {
throw new RuntimeException('User not Super Administrator');
}
}
} else {
// I am not a Super Admin, and this one is, so fail.
if (Access::check($this->id, 'core.admin')) {
throw new RuntimeException('User not Super Administrator');
}
if ($this->groups != null) {
// I am not a Super Admin and I'm trying to make one.
foreach ($this->groups as $groupId) {
if (Access::checkGroup($groupId, 'core.admin')) {
throw new RuntimeException('User not Super Administrator');
}
}
}
}
}
// Fire the onUserBeforeSave event.
PluginHelper::importPlugin('user');
$dispatcher = Dispatcher::getInstance();
$result = $dispatcher->trigger('onUserBeforeSave', array($oldUser->getProperties(), $isNew, $this->getProperties()));
if (in_array(false, $result, true)) {
// Plugin will have to raise its own error or throw an exception.
return false;
}
// Store the user data in the database
$result = $table->store();
// Set the id for the JUser object in case we created a new user.
if (empty($this->id)) {
$this->id = $table->get('id');
}
if ($my->id == $table->id) {
$registry = new Registry();
$registry->loadString($table->params);
$my->setParameters($registry);
}
// Fire the onUserAfterSave event
$dispatcher->trigger('onUserAfterSave', array($this->getProperties(), $isNew, $result, $this->getError()));
} catch (Exception $e) {
$this->setError($e->getMessage());
return false;
}
return $result;
}
/**
* Method to get the list of possible permission action names for the form field.
*
* @param SimpleXMLElement $element The SimpleXMLElement object representing the <field /> tag for the
* form field object.
*
* @return array A list of permission action names from the form field element definition.
*
* @since 11.1
*/
protected function getFieldActions(SimpleXMLElement $element)
{
$actions = array();
// Initialise some field attributes.
$section = $element['section'] ? (string) $element['section'] : '';
$component = $element['component'] ? (string) $element['component'] : '';
// Get the asset actions for the element.
$elActions = Access::getActionsFromFile(JPATH_ADMINISTRATOR . '/components/' . $component . '/access.xml', "/access/section[@name='" . $section . "']/");
// Iterate over the asset actions and add to the actions.
foreach ($elActions as $item) {
$actions[] = $item->name;
}
// Iterate over the children and add to the actions.
foreach ($element->children() as $el) {
if ($el->getName() == 'action') {
$actions[] = (string) $el['name'];
}
}
return $actions;
}
