Since: 3.0.0
Author: Jack P.
Inheritance: extends Traq\Models\Model
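 /**
  * Check if the user can perform the requested action in a project.
  *
  * Admin users (`is_admin`) are allowed everything and the permission tables
  * are not consulted. For everyone else the effective permission set for the
  * project is built once and cached in `$this->permissions[$projectId]`:
  * the defaults from `Permissions::getPermissions()`, overridden by the user's
  * group permissions, overridden by the project-role permissions.
  *
  * @param string  $action            Permission key, e.g. 'view'.
  * @param integer $projectId         Project the action is performed in.
  * @param boolean $fetchProjectRoles When true, the project role is resolved
  *                                   through fetchProjectRolesIds() instead of
  *                                   the `project_role_id` already loaded on
  *                                   this user (also the fallback when that
  *                                   property is empty).
  *
  * @return bool True when the action is granted; false when it is denied or
  *              not defined at all (unknown actions fail closed).
  */
 public function hasPermission($action, $projectId, $fetchProjectRoles = false)
 {
     // Admins are godlike
     if ($this->is_admin) {
         return true;
     }

     // Build and cache the effective permission set for this project on first use
     // (isset() is false for both a missing entry and an explicit null).
     if (!isset($this->permissions[$projectId])) {
         // Get group permissions
         $group = Permission::getPermissions($projectId, $this->group_id);

         // Get role permissions
         $role = [];
         if (!$fetchProjectRoles && isset($this->project_role_id) && $this->project_role_id) {
             $role = Permission::getPermissions($projectId, $this->project_role_id, 'role');
         } else {
             $roles = $this->fetchProjectRolesIds();
             if (isset($roles[$projectId])) {
                 $role = Permission::getPermissions($projectId, $roles[$projectId], 'role');
             }
         }

         // Merge defaults, group and role permissions. Later arrays win in
         // array_merge, so a role setting overrides the group setting for the
         // same action, which in turn overrides the default.
         // NOTE(review): `Permissions::getPermissions()` (plural) is a different
         // class from `Permission::getPermissions()` above — confirm this is intended.
         $this->permissions[$projectId] = array_merge(Permissions::getPermissions(), array_merge($group, $role));
     }

     // An action that is absent from the set is denied rather than `null`, so
     // the documented bool contract holds for strict comparisons in callers.
     return isset($this->permissions[$projectId][$action]) ? $this->permissions[$projectId][$action] : false;
 }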
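 /**
  * Always call this when defining `__construct()` in sub-classes.
  *
  * Sets up the request context every controller relies on:
  *  - the database connection (`$this->db`);
  *  - the modal flag from the `X-Modal` request header;
  *  - the current project, resolved from the `pslug` route property;
  *  - the current user, resolved from the session hash in the `traq` cookie
  *    (joined with the user's role in the current project when there is one);
  *  - `$GLOBALS['current_project']`, `$GLOBALS['current_user']` and
  *    `$GLOBALS['permissions']` for helpers that do not have the controller;
  *  - the root breadcrumb and the `before('*')` hooks that enforce project
  *    visibility and the forced password change for legacy `sha1` hashes.
  */
 public function __construct()
 {
     $this->db = ConnectionManager::getConnection();

     // Modal? The header value is compared loosely, so any truthy value
     // ("1", "true", ...) marks the request as modal.
     if (Request::$headers->has('X-Modal')) {
         $this->isModal = Request::$headers->get('X-Modal') == true;
     }

     // Get current project. A slug that matches no project leaves
     // `currentProject` null; the hook below then answers 404 for every action.
     if (Request::$properties->has('pslug')) {
         $this->currentProject = Project::find('slug', Request::$properties->get('pslug')) ?: null;
         $GLOBALS['current_project'] = $this->currentProject;

         $this->before('*', function () {
             if (!$this->hasPermission('view', $this->currentProject)) {
                 return $this->show404();
             }
         });
     } else {
         $GLOBALS['current_project'] = null;
     }

     // Get current user. The lookup is keyed on the session hash from the
     // cookie; when a project is in scope the user's role in that project is
     // fetched in the same query so `project_role_id` is available to
     // hasPermission() without a second round trip.
     if ($sessionHash = Request::$cookies->get('traq')) {
         if ($this->currentProject) {
             $user = User::select('u.*')->addSelect('pur.project_role_id')->leftJoin('u', UserRole::tableName(), 'pur', 'pur.project_id = :project_id AND pur.user_id = u.id');
             $user->where('u.session_hash = :session_hash');
             // Both values are bound as parameters, never interpolated.
             $user->setParameter('project_id', $this->currentProject['id']);
             $user->setParameter('session_hash', $sessionHash);
             $this->currentUser = $user->fetch() ?: null;
         } else {
             $this->currentUser = User::find('session_hash', $sessionHash) ?: null;
         }

         $GLOBALS['current_user'] = $this->currentUser;
     } else {
         $GLOBALS['current_user'] = null;
     }

     $GLOBALS['permissions'] = Permission::getPermissions($this->currentUser, $this->currentProject);

     // Add Traq as first breadcrumb.
     $this->addCrumb(setting('title'), $this->generateUrl('root'));

     // Check if the user has permission to view the current project.
     // NOTE(review): this is a second `view` hook next to the 404 hook above;
     // the 404 hook runs first, so this one only answers 403 when the first
     // passed — confirm both are still wanted.
     if (isset($this->currentProject)) {
         $this->before('*', function () {
             if (!$this->hasPermission('view')) {
                 return $this->show403();
             }
         });
     }

     // If the user has a `sha1` hashed password, require them to change it because
     // as of Traq 4.1, only mcrypt passwords will work. Guard on a logged-in user
     // first: an anonymous request has no `currentUser` to index into.
     if ($this->currentUser && $this->currentUser['password_ver'] == 'sha1') {
         $this->before('*', function () {
             if (Request::$properties['controller'] != 'Traq\\Controllers\\UserCP' && Request::$properties['controller'] != 'Traq\\Controllers\\Sessions') {
                 return $this->redirectTo('usercp_password');
             }
         });
     }
 }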
 /**
  * Seed the default permission rows.
  *
  * Four global rows (`project_id` 0) are written through the Permission
  * model: the full default set for user group 0, a small set of overrides for
  * user group 3, the full default set for project role 0 and a set of
  * additional grants for project role 1. The permission maps are kept as JSON
  * literals and decoded to associative arrays when each row is built.
  */
 public function insertPermissions()
 {
     $rows = [
         [
             'project_id' => 0,
             'type'       => 'usergroup',
             'type_id'    => 0,
             'json'       => '{"view":true,"project_settings":false,"delete_timeline_events":false,"view_tickets":true,"create_tickets":true,"update_tickets":true,"delete_tickets":false,"move_tickets":false,"comment_on_tickets":true,"edit_ticket_description":false,"vote_on_tickets":true,"add_attachments":true,"view_attachments":true,"delete_attachments":false,"perform_mass_actions":false,"ticket_properties_set_assigned_to":false,"ticket_properties_set_milestone":true,"ticket_properties_set_version":true,"ticket_properties_set_component":false,"ticket_properties_set_severity":false,"ticket_properties_set_priority":false,"ticket_properties_set_status":false,"ticket_properties_set_tasks":false,"ticket_properties_set_related_tickets":false,"ticket_properties_change_type":false,"ticket_properties_change_assigned_to":false,"ticket_properties_change_milestone":false,"ticket_properties_change_version":false,"ticket_properties_change_component":true,"ticket_properties_change_severity":false,"ticket_properties_change_priority":false,"ticket_properties_change_status":false,"ticket_properties_change_summary":false,"ticket_properties_change_tasks":false,"ticket_properties_change_related_tickets":false,"ticket_properties_complete_tasks":false,"edit_ticket_history":false,"delete_ticket_history":false,"create_wiki_page":false,"edit_wiki_page":false,"delete_wiki_page":false}',
         ],
         [
             'project_id' => 0,
             'type'       => 'usergroup',
             'type_id'    => 3,
             'json'       => '{"create_tickets":false,"comment_on_tickets":false,"update_tickets":false,"vote_on_tickets":false,"add_attachments":false}',
         ],
         [
             'project_id' => 0,
             'type'       => 'role',
             'type_id'    => 0,
             'json'       => '{"view":true,"project_settings":false,"delete_timeline_events":false,"view_tickets":true,"create_tickets":true,"update_tickets":true,"delete_tickets":false,"move_tickets":false,"comment_on_tickets":true,"edit_ticket_description":false,"vote_on_tickets":true,"add_attachments":true,"view_attachments":true,"delete_attachments":false,"perform_mass_actions":false,"ticket_properties_set_assigned_to":true,"ticket_properties_set_milestone":true,"ticket_properties_set_version":true,"ticket_properties_set_component":true,"ticket_properties_set_severity":true,"ticket_properties_set_priority":true,"ticket_properties_set_status":true,"ticket_properties_set_tasks":true,"ticket_properties_set_related_tickets":true,"ticket_properties_change_type":true,"ticket_properties_change_assigned_to":true,"ticket_properties_change_milestone":true,"ticket_properties_change_version":true,"ticket_properties_change_component":true,"ticket_properties_change_severity":true,"ticket_properties_change_priority":true,"ticket_properties_change_status":true,"ticket_properties_change_summary":true,"ticket_properties_change_tasks":true,"ticket_properties_change_related_tickets":true,"ticket_properties_complete_tasks":true,"edit_ticket_history":false,"delete_ticket_history":false,"create_wiki_page":false,"edit_wiki_page":false,"delete_wiki_page":false}',
         ],
         [
             'project_id' => 0,
             'type'       => 'role',
             'type_id'    => 1,
             'json'       => '{"project_settings":true,"delete_timeline_events":true,"delete_tickets":true,"move_tickets":true,"edit_ticket_description":true,"delete_attachments":true,"edit_ticket_history":true,"delete_ticket_history":true,"perform_mass_actions":true,"create_wiki_page":true,"edit_wiki_page":true,"delete_wiki_page":true}',
         ],
     ];

     foreach ($rows as $row) {
         // Swap the JSON literal for its decoded array; the remaining keys
         // (project_id, type, type_id) are passed to the model unchanged.
         $json = $row['json'];
         unset($row['json']);
         $row['permissions'] = json_decode($json, true);

         $permission = new Permission($row);
         $permission->save();
     }
 }
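 /**
  * Fetches all the data for the permission listing page.
  *
  * Collects the user groups (minus admin groups) or the project roles that
  * apply to the current project, prefixed with a synthetic "defaults" entry
  * (id 0), then builds a group id => (action => permission) map and hands
  * groups, permissions and the list of actions to the view.
  *
  * @param string $type Either 'usergroup' or 'role'. Any other value produces
  *                     an empty group list instead of an undefined variable.
  */
 private function permissions_for($type)
 {
     $groups = array();

     // Fetch groups, set permissions and actions arrays. Strict comparison:
     // with `==`, a non-string $type could loosely match either branch.
     if ($type === 'usergroup') {
         $groups = Group::select()->where('is_admin', 1, '!=')->exec()->fetch_all();
         $groups = array_merge(array(new Group(array('id' => 0, 'name' => l('defaults')))), $groups);
     } elseif ($type === 'role') {
         // The project id is interpolated into raw SQL by custom_sql(), so
         // force it to an integer before it can reach the query string.
         $projectId = (int) $this->project->id;
         $groups = ProjectRole::select()->custom_sql("WHERE project_id = 0 OR project_id = {$projectId}")->exec()->fetch_all();
         $groups = array_merge(array(new ProjectRole(array('id' => 0, 'name' => l('defaults'), 'project_id' => 0))), $groups);
     }

     $permissions = array();

     // Loop over the groups
     foreach ($groups as $group) {
         // Set the group array in the permissions array
         if (!isset($permissions[$group->id])) {
             $permissions[$group->id] = array();
         }

         // Loop over the permissions for the group
         foreach (Permission::get_permissions($this->project->id, $group->id, $type) as $action => $perm) {
             // Add the permission object to the permissions array
             $permissions[$group->id][$action] = $perm;
         }
     }

     // Send it all the to view.
     View::set('groups', $groups);
     View::set('permissions', $permissions);
     View::set('actions', permission_actions());
 }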
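/**
 * Check users permission.
 *
 * Admins pass unconditionally. Otherwise the permission set is resolved for
 * the given project, or taken from `$GLOBALS['permissions']` (the set for the
 * current project, as populated by the controller) when no project is passed.
 *
 * @param string  $action  Permission key, e.g. 'view'.
 * @param Project $project Project to check against; null means the current one.
 *
 * @return boolean True when granted; false when denied or when the action is
 *                 not defined at all (unknown actions fail closed).
 */
function hasPermission($action, Project $project = null)
{
    // Admins can do everything, regardless of permissions.
    $user = currentUser();
    if ($user && $user->isAdmin()) {
        return true;
    }

    if ($project) {
        $permissions = Permission::getPermissions($user, $project);
    } else {
        // Not populated until a controller has run; treat that as "nothing granted"
        // rather than reading an undefined global.
        $permissions = isset($GLOBALS['permissions']) ? $GLOBALS['permissions'] : [];
    }

    // Deny (false, not null) for actions missing from the set so the
    // documented boolean contract holds for strict comparisons in callers.
    return isset($permissions[$action]) ? $permissions[$action] : false;
}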