/**
 * Adds the Crm-specific MANAGE_LEADS right on top of the default rights.
 *
 * The parent implementation runs first; afterwards
 * Crm_Acl_Rights::MANAGE_LEADS is added to the role named 'user role'
 * for the given application.
 *
 * @see tine20/Setup/Setup_Initialize#_createInitialRights($_application)
 *
 * @todo make hard coded role name ('user role') configurable
 *
 * @param Tinebase_Model_Application $_application application the right is granted for
 */
protected function _createInitialRights(Tinebase_Model_Application $_application)
{
    parent::_createInitialRights($_application);

    $aclRoles = Tinebase_Acl_Roles::getInstance();

    // NOTE(review): the lookup result is used unchecked. Confirm what
    // getRoleByName() does when 'user role' has been renamed or removed.
    $roleId = $aclRoles->getRoleByName('user role')->getId();

    $aclRoles->addSingleRight($roleId, $_application->getId(), Crm_Acl_Rights::MANAGE_LEADS);
}
/**
 * Tears down the test fixture.
 *
 * Switches calendar notifications off, resets the role class cache and,
 * when no transaction id is set, removes the events (and their alarms)
 * found in the test calendars before deleting the calendars themselves.
 * Finally the fixture properties are cleared.
 */
public function tearDown()
{
    parent::tearDown();

    Calendar_Controller_Event::getInstance()->sendNotifications(false);

    // Drop cached role/right lookups so later tests do not see stale ACL data.
    Tinebase_Acl_Roles::getInstance()->resetClassCache();

    if (!$this->_transactionId) {
        if ($this->_backend != NULL) {
            $calendarFilter = new Calendar_Model_EventFilter(array(
                array('field' => 'container_id', 'operator' => 'in', 'value' => $this->_testCalendars->getId()),
            ));
            $leftoverEvents = $this->_backend->search($calendarFilter, new Tinebase_Model_Pagination(array()));

            // delete alarms
            Tinebase_Alarm::getInstance()->deleteAlarmsOfRecord('Calendar_Model_Event', $leftoverEvents->getArrayOfIds());

            foreach ($leftoverEvents as $leftoverEvent) {
                $this->_backend->delete($leftoverEvent->getId());
            }
        }

        foreach ($this->_testCalendars as $calendar) {
            Tinebase_Container::getInstance()->deleteContainer($calendar, true);
        }
    }

    $this->_testUserContact = NULL;
    $this->_testCalendar = NULL;
    $this->_testCalendars = NULL;
    $this->_personas = NULL;
    $this->_personasContacts = array();
    $this->_personasDefaultCals = array();
}
/**
 * Returns the shared Tinebase_Acl_Roles instance, creating it on first use.
 *
 * @return Tinebase_Acl_Roles
 */
public static function getInstance()
{
    if (self::$_instance !== NULL) {
        return self::$_instance;
    }

    self::$_instance = new Tinebase_Acl_Roles();

    return self::$_instance;
}
/**
 * Tinebase-specific initialisation that runs before the generic one.
 *
 * Order: procedures, config options, groups, initial roles, then the
 * parent implementation.
 *
 * @see tine20/Setup/Setup_Initialize#_initialize($_application)
 *
 * @param Tinebase_Model_Application $_application application being initialised
 * @param mixed $_options passed to _setupConfigOptions() and to the parent
 */
public function _initialize(Tinebase_Model_Application $_application, $_options = null)
{
    $this->_initProcedures();
    $this->_setupConfigOptions($_options);
    $this->_setupGroups();

    // Roles are created after the groups and before the parent runs.
    // NOTE(review): presumably so the parent can attach rights to them — confirm.
    $aclRoles = Tinebase_Acl_Roles::getInstance();
    $aclRoles->createInitialRoles();

    parent::_initialize($_application, $_options);
}
/**
 * Grants every right of the given application to the role named 'admin role'.
 *
 * The parent implementation is deliberately not called, so no other
 * role receives rights here.
 *
 * @see tine20/Setup/Setup_Initialize#_createInitialRights($_application)
 *
 * @todo make hard coded role name ('admin role') configurable
 *
 * @param Tinebase_Model_Application $_application application whose rights are granted
 */
protected function _createInitialRights(Tinebase_Model_Application $_application)
{
    // do not call parent::_createInitialRights(); because this app is for admins only
    $aclRoles = Tinebase_Acl_Roles::getInstance();

    // NOTE(review): the lookup result is used unchecked — confirm what
    // getRoleByName() does when 'admin role' does not exist.
    $administratorRole = $aclRoles->getRoleByName('admin role');

    $grantableRights = Tinebase_Application::getInstance()->getAllRights($_application->getId());
    foreach ($grantableRights as $grantableRight) {
        $aclRoles->addSingleRight($administratorRole->getId(), $_application->getId(), $grantableRight);
    }
}
/**
 * update function 1
 *
 * - renames table 'metacrm_product' to 'metacrm_leads_products'
 * - renames table 'metacrm_productsource' to 'metacrm_products'
 * - sets both renamed tables to version '2'
 * - adds the MANAGE_LEADS right to the role named 'user role'
 * - sets the Crm application version to '0.2'
 */
public function update_1()
{
    $this->renameTable('metacrm_product', 'metacrm_leads_products');
    $this->renameTable('metacrm_productsource', 'metacrm_products');

    $this->setTableVersion('metacrm_leads_products', '2');
    $this->setTableVersion('metacrm_products', '2');

    // add MANAGE_LEADS right to user role
    // NOTE(review): the truthiness check only helps if getRoleByName() returns
    // a falsy value for a missing role rather than throwing — confirm.
    $defaultUserRole = Tinebase_Acl_Roles::getInstance()->getRoleByName('user role');
    if ($defaultUserRole) {
        $crmApplication = Tinebase_Application::getInstance()->getApplicationByName('Crm');
        Tinebase_Acl_Roles::getInstance()->addSingleRight(
            $defaultUserRole->getId(),
            $crmApplication->getId(),
            Crm_Acl_Rights::MANAGE_LEADS
        );
    }

    $this->setApplicationVersion('Crm', '0.2');
}
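/**
 * generic check admin rights function
 *
 * rules:
 * - ADMIN right includes all other rights
 * - MANAGE_* right includes VIEW_* right
 * - results are cached if caching is active (with cache tag 'rights')
 *
 * NOTE(review): a right whose upper-cased name contains neither "MANAGE_"
 * nor "VIEW_" is never checked itself; only ADMIN can satisfy it (and
 * nothing can when $_includeTinebaseAdmin is false). Confirm this is intended.
 *
 * @param   string  $_right to check (compared case-insensitively, it is upper-cased first)
 * @param   boolean $_throwException [optional] throw instead of returning FALSE
 * @param   boolean $_includeTinebaseAdmin [optional] also accept the ADMIN right
 * @return  boolean TRUE if the current user holds one of the accepted rights
 * @throws  Tinebase_Exception_UnexpectedValue if no application name is defined
 * @throws  Tinebase_Exception_AccessDenied if the right is missing and $_throwException is set
 *
 * @todo move that to *_Acl_Rights
 */
public function checkRight($_right, $_throwException = TRUE, $_includeTinebaseAdmin = TRUE)
{
    if (empty($this->_applicationName)) {
        throw new Tinebase_Exception_UnexpectedValue('No application name defined!');
    }

    $right = strtoupper($_right);

    $cache = Tinebase_Core::get(Tinebase_Core::CACHE);

    // Key the cache entry on the normalised right: the check below only ever
    // uses $right, so 'view_x' and 'VIEW_X' must share one entry.
    $cacheId = convertCacheId('checkRight' . Tinebase_Core::getUser()->getId() . $right . $this->_applicationName);
    $result = $cache->load($cacheId);

    // A falsy value (cache miss or cached denial) always triggers a fresh
    // check, so only grants are effectively served from the cache.
    if (!$result) {
        $applicationRightsClass = $this->_applicationName . '_Acl_Rights';

        // array with the rights that should be checked, ADMIN is in it per default
        $rightsToCheck = $_includeTinebaseAdmin ? array(Tinebase_Acl_Rights::ADMIN) : array();

        if (preg_match("/MANAGE_/", $right)) {
            $rightsToCheck[] = constant($applicationRightsClass . '::' . $right);
        }

        if (preg_match("/VIEW_([A-Z_]*)/", $right, $matches)) {
            $rightsToCheck[] = constant($applicationRightsClass . '::' . $right);
            // manage right includes view right
            $rightsToCheck[] = constant($applicationRightsClass . '::MANAGE_' . $matches[1]);
        }

        $result = FALSE;

        foreach ($rightsToCheck as $rightToCheck) {
            if (Tinebase_Acl_Roles::getInstance()->hasRight($this->_applicationName, Tinebase_Core::getUser()->getId(), $rightToCheck)) {
                $result = TRUE;
                break;
            }
        }

        // NOTE(review): the last argument (120) looks like a lifetime in seconds.
        // If so, a revoked right can keep passing this check for that long
        // unless entries tagged 'rights' are cleaned on revocation — confirm.
        $cache->save($result, $cacheId, array('rights'), 120);
    }

    if (!$result && $_throwException) {
        throw new Tinebase_Exception_AccessDenied("You are not allowed to {$right} in application {$this->_applicationName} !");
    }

    return $result;
}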
/**
 * Creates the initial rights of an application.
 *
 * The role named 'user role' receives static::$_userRoleRights (plus
 * USE_PERSONAL_TAGS when the application offers it); the role named
 * 'admin role' receives every right the application offers. A role that
 * cannot be found is skipped and a right that cannot be added is only
 * logged as a warning, so this method may finish with rights missing.
 *
 * @todo make hard coded role names ('user role' and 'admin role') configurable
 *
 * @param Tinebase_Model_Application $_application
 * @return void
 */
public static function createInitialRights(Tinebase_Model_Application $_application)
{
    Setup_Core::getLogger()->info(__METHOD__ . '::' . __LINE__ . ' Creating initial rights for application ' . $_application->name);

    $everyRight = Tinebase_Application::getInstance()->getAllRights($_application->getId());

    $defaultUserRights = static::$_userRoleRights;
    if (in_array(Tinebase_Acl_Rights::USE_PERSONAL_TAGS, $everyRight)) {
        $defaultUserRights[] = Tinebase_Acl_Rights::USE_PERSONAL_TAGS;
    }

    $rightsByRoleName = array(
        'user role'  => $defaultUserRights,
        'admin role' => $everyRight,
    );

    foreach ($rightsByRoleName as $roleName => $grantedRights) {
        try {
            $role = Tinebase_Acl_Roles::getInstance()->getRoleByName($roleName);
        } catch (Tinebase_Exception_NotFound $tenf) {
            // Missing role: nothing to grant, move on to the next role.
            Tinebase_Core::getLogger()->warn(__METHOD__ . '::' . __LINE__ . ' ' . $tenf->getMessage());
            continue;
        }

        foreach ($grantedRights as $right) {
            try {
                Tinebase_Acl_Roles::getInstance()->addSingleRight($role->getId(), $_application->getId(), $right);
            } catch (Exception $e) {
                // Best effort: one failing right must not stop the others.
                Tinebase_Core::getLogger()->warn(
                    __METHOD__ . '::' . __LINE__ . ' Cannot add right: ' . $right . ' for application: ' . $_application->name
                    . ' - ' . $roleName . ' - ' . print_r($e->getMessage(), true)
                );
            }
        }
    }
}
/**
 * Deletes a role through the JSON frontend and verifies it is gone.
 *
 * Relies on testAddRole() to create the role first; the final lookup is
 * expected to throw Tinebase_Exception_NotFound.
 */
public function testDeleteRoles()
{
    $this->testAddRole();

    $aclRoles = Tinebase_Acl_Roles::getInstance();
    $existingRole = $aclRoles->getRoleByName($this->objects['role']->name);

    $response = $this->_json->deleteRoles(array($existingRole->getId()));
    $this->assertTrue($response['success']);

    // try to get it, shouldn't be found
    $this->setExpectedException('Tinebase_Exception_NotFound');
    $existingRole = Tinebase_Acl_Roles::getInstance()->getRoleByName($this->objects['role']->name);
}
/**
 * Creates the initial rights of an application.
 *
 * The role named 'user role' receives $this->_userRoleRights; the role
 * named 'admin role' receives every right the application offers. A role
 * that cannot be found is skipped and a right that cannot be added is
 * only logged as a warning, so this method may finish with rights missing.
 *
 * @todo make hard coded role names ('user role' and 'admin role') configurable
 *
 * @param Tinebase_Model_Application $_application
 * @return void
 */
protected function _createInitialRights(Tinebase_Model_Application $_application)
{
    $rightsByRoleName = array(
        'user role'  => $this->_userRoleRights,
        'admin role' => Tinebase_Application::getInstance()->getAllRights($_application->getId()),
    );

    foreach ($rightsByRoleName as $roleName => $grantedRights) {
        try {
            $role = Tinebase_Acl_Roles::getInstance()->getRoleByName($roleName);
        } catch (Tinebase_Exception_NotFound $tenf) {
            // Missing role: nothing to grant, move on to the next role.
            Tinebase_Core::getLogger()->warn(__METHOD__ . '::' . __LINE__ . ' ' . $tenf->getMessage());
            continue;
        }

        foreach ($grantedRights as $right) {
            try {
                Tinebase_Acl_Roles::getInstance()->addSingleRight($role->getId(), $_application->getId(), $right);
            } catch (Exception $e) {
                // Best effort: one failing right must not stop the others.
                Tinebase_Core::getLogger()->warn(
                    __METHOD__ . '::' . __LINE__ . ' Cannot add right: ' . $right . ' for application: ' . $_application->name
                    . ' - ' . $roleName . ' - ' . print_r($e->getMessage(), true)
                );
            }
        }
    }
}
/**
 * migrate from SQL account storage to another one (for example LDAP)
 *
 * Deletes all SQL users, their 'user' contacts, all SQL groups, their
 * 'group' lists and all roles, then syncs users from the new backend,
 * recreates the initial roles and re-initialises the rights of every
 * application.
 *
 * NOTE(review): no transaction is opened in this method. Confirm the
 * caller wraps it, otherwise a failure after the deletions leaves the
 * installation without users, roles and rights.
 */
protected function _migrateFromSqlAccountsStorage()
{
    Setup_Core::getLogger()->info(__METHOD__ . '::' . __LINE__ . ' Deleting all user accounts, groups, roles and rights');

    // --- users and their contacts ---
    Tinebase_User::factory(Tinebase_User::SQL)->deleteAllUsers();

    $contactBackend = new Addressbook_Backend_Sql();
    $userContactIds = $contactBackend->search(new Addressbook_Model_ContactFilter(array('type' => 'user')), null, true);
    if (count($userContactIds) > 0) {
        $contactBackend->delete($userContactIds);
    }

    // --- groups and their lists ---
    Tinebase_Group::factory(Tinebase_Group::SQL)->deleteAllGroups();

    $listBackend = new Addressbook_Backend_List();
    $groupListIds = $listBackend->search(new Addressbook_Model_ListFilter(array('type' => 'group')), null, true);
    if (count($groupListIds) > 0) {
        $listBackend->delete($groupListIds);
    }

    // --- roles ---
    $aclRoles = Tinebase_Acl_Roles::getInstance();
    $aclRoles->deleteAllRoles();

    // import users (from new backend) / create initial users (SQL)
    Tinebase_User::syncUsers(array('syncContactData' => TRUE));

    $aclRoles->createInitialRoles();

    $allApplications = Tinebase_Application::getInstance()->getApplications(NULL, 'id');
    foreach ($allApplications as $installedApplication) {
        Setup_Initialize::initializeApplicationRights($installedApplication);
    }
}
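/**
 * Removes a right from every role the current user is a member of.
 *
 * For each of those roles the rights are read, entries for the given
 * application that match $rightToRemove (and, when $removeAdminRight is
 * set, the ADMIN right) are dropped, and the reduced set is written back.
 * The rights as they were before the change are returned so the caller
 * can restore them afterwards.
 *
 * @param string  $applicationName  name of the application the right belongs to
 * @param string  $rightToRemove    right to remove
 * @param boolean $removeAdminRight also remove the application's ADMIN right (default: true)
 * @return array original role rights by role id
 */
protected function _removeRoleRight($applicationName, $rightToRemove, $removeAdminRight = true)
{
    $app = Tinebase_Application::getInstance()->getApplicationByName($applicationName);
    $rolesOfUser = Tinebase_Acl_Roles::getInstance()->getRoleMemberships(Tinebase_Core::getUser()->getId());

    // Rights are about to change behind the cache's back; flag it for invalidation.
    $this->_invalidateRolesCache = true;

    $roleRights = array();
    foreach ($rolesOfUser as $roleId) {
        $roleRights[$roleId] = $rights = Tinebase_Acl_Roles::getInstance()->getRoleRights($roleId);

        foreach ($rights as $idx => $right) {
            if ($right['application_id'] !== $app->getId()) {
                continue;
            }

            // $removeAdminRight used to be ignored, so ADMIN was always stripped
            // even when the caller asked to keep it.
            $isAdminRightToDrop = $removeAdminRight && $right['right'] === Tinebase_Acl_Rights_Abstract::ADMIN;
            if ($right['right'] !== $rightToRemove && !$isAdminRightToDrop) {
                continue;
            }

            if (Tinebase_Core::isLogLevel(Zend_Log::DEBUG)) {
                Tinebase_Core::getLogger()->debug(__METHOD__ . '::' . __LINE__
                    . ' Removing right ' . $right['right'] . ' from app ' . $applicationName . ' in role (id) ' . $roleId);
            }
            unset($rights[$idx]);
        }

        Tinebase_Acl_Roles::getInstance()->setRoleRights($roleId, $rights);
    }

    return $roleRights;
}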
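/**
 * Search for roles whose name or description contains the given text.
 *
 * Only the 'value' of the first filter entry is used; it is wrapped in
 * '%' wildcards and applied to both 'name' and 'description'. Sorting
 * defaults to 'name' / 'ASC' when the paging array does not say otherwise.
 *
 * @param array $filter list of filter definitions; only $filter[0]['value'] is read
 * @param array $paging pagination options ('sort' and 'dir' are defaulted here)
 * @return array array('results' => array, 'totalcount' => int)
 */
public function searchRoles($filter, $paging)
{
    // A missing or empty filter used to raise an undefined-index notice.
    // Treat it as an empty search term, which yields the same '%%' pattern.
    $query = isset($filter[0]['value']) ? $filter[0]['value'] : '';

    // NOTE(review): '%' and '_' inside $query are passed on unchanged, and
    // 'sort' / 'dir' are taken from $paging as given. If these values come
    // from a client request, confirm that Tinebase_Model_RoleFilter and
    // Tinebase_Model_Pagination validate or escape them.
    $pattern = '%' . $query . '%';
    $roleFilter = new Tinebase_Model_RoleFilter(array(
        'name'        => $pattern,
        'description' => $pattern,
    ));

    $paging['sort'] = isset($paging['sort']) ? $paging['sort'] : 'name';
    $paging['dir'] = isset($paging['dir']) ? $paging['dir'] : 'ASC';

    $result = array(
        'results'    => array(),
        'totalcount' => 0,
    );
    $result['results'] = Tinebase_Acl_Roles::getInstance()->searchRoles($roleFilter, new Tinebase_Model_Pagination($paging))->toArray();
    $result['totalcount'] = Tinebase_Acl_Roles::getInstance()->searchCount($roleFilter);

    return $result;
}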
/**
 * Deletes two roles and verifies the first one can no longer be loaded.
 *
 * Relies on testSetRoleMemberships() for setup. Rights and members are
 * cleared before the roles are deleted; the final getRoleById() is
 * expected to throw Tinebase_Exception_NotFound.
 */
public function testDeleteRole()
{
    $this->testSetRoleMemberships();

    $firstRoleId = $this->objects['role']->getId();

    // remove role members and rights first
    Tinebase_Acl_Roles::getInstance()->setRoleRights($firstRoleId, array());
    Tinebase_Acl_Roles::getInstance()->setRoleMembers($this->objects['role']->getId(), array());
    Tinebase_Acl_Roles::getInstance()->setRoleMembers($this->objects['role_2']->getId(), array());

    $doomedRoleIds = array(
        $this->objects['role']->getId(),
        $this->objects['role_2']->getId(),
    );
    Tinebase_Acl_Roles::getInstance()->deleteRoles($doomedRoleIds);

    $this->setExpectedException('Tinebase_Exception_NotFound');
    Tinebase_Acl_Roles::getInstance()->getRoleById($this->objects['role']->getId());
}
/**
 * Writes the remembered role rights back and forgets them.
 *
 * Does nothing when $this->_originalRoleRights is empty. Otherwise each
 * role id => rights pair is passed to setRoleRights() and the property is
 * set to null afterwards.
 */
protected function _resetOriginalRoleRights()
{
    if (empty($this->_originalRoleRights)) {
        return;
    }

    foreach ($this->_originalRoleRights as $roleId => $savedRights) {
        Tinebase_Acl_Roles::getInstance()->setRoleRights($roleId, $savedRights);
    }

    $this->_originalRoleRights = null;
}
/**
 * generic check admin rights function
 *
 * rules:
 * - ADMIN right includes all other rights
 * - MANAGE_* right includes VIEW_* right
 * - results are cached if caching is active (with cache tag 'rights')
 *
 * The ADMIN right is checked against $this->_applicationName, like every
 * other right in the list.
 *
 * @param   string  $_right to check (upper-cased before use)
 * @param   boolean $_throwException [optional] throw instead of returning FALSE
 * @param   boolean $_includeTinebaseAdmin [optional] also accept the ADMIN right
 * @return  boolean TRUE if the current user holds one of the accepted rights
 * @throws  Tinebase_Exception_UnexpectedValue if no application name is defined
 * @throws  Tinebase_Exception_AccessDenied if the right is missing and $_throwException is set
 * @throws  Tinebase_Exception if no user object is available
 *
 * @todo move that to *_Acl_Rights
 * @todo include Tinebase admin? atm only the application admin right is checked
 * @todo think about moving the caching to Tinebase_Acl_Roles and use only a class cache as it is difficult (and slow?) to invalidate
 */
public function checkRight($_right, $_throwException = TRUE, $_includeTinebaseAdmin = TRUE)
{
    if (empty($this->_applicationName)) {
        throw new Tinebase_Exception_UnexpectedValue('No application name defined!');
    }

    if (!is_object(Tinebase_Core::getUser())) {
        throw new Tinebase_Exception('No user found for right check!');
    }

    $right = strtoupper($_right);

    $cache = Tinebase_Core::getCache();
    $cacheId = Tinebase_Helper::convertCacheId('checkRight' . Tinebase_Core::getUser()->getId() . $right . $this->_applicationName);
    $result = $cache->load($cacheId);

    if (Tinebase_Core::isLogLevel(Zend_Log::TRACE)) {
        Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__ . ' ' . $cacheId);
    }

    // A falsy value (cache miss or cached denial) always triggers a fresh
    // check, so only grants are effectively served from the cache.
    if (!$result) {
        $rightsClass = $this->_applicationName . '_Acl_Rights';

        // array with the rights that should be checked, ADMIN is in it per default
        $candidates = array();
        if ($_includeTinebaseAdmin) {
            $candidates[] = Tinebase_Acl_Rights::ADMIN;
        }

        $viewParts = array();
        if (preg_match("/VIEW_([A-Z_]*)/", $right, $viewParts)) {
            // manage right includes view right
            $candidates[] = constant($rightsClass . '::MANAGE_' . $viewParts[1]);
        }

        // NOTE(review): constant() is fed a name built from $_right; confirm how
        // an unknown right name is meant to fail here.
        $candidates[] = constant($rightsClass . '::' . $right);

        $result = FALSE;

        if (Tinebase_Core::isLogLevel(Zend_Log::TRACE)) {
            Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__ . ' Checking rights: ' . print_r($candidates, TRUE));
        }

        foreach ($candidates as $candidate) {
            $granted = Tinebase_Acl_Roles::getInstance()->hasRight(
                $this->_applicationName,
                Tinebase_Core::getUser()->getId(),
                $candidate
            );
            if ($granted) {
                $result = TRUE;
                break;
            }
        }

        // NOTE(review): the last argument (120) looks like a lifetime in seconds.
        // If so, a revoked right can keep passing this check for that long
        // unless entries tagged 'rights' are cleaned on revocation — confirm.
        $cache->save($result, $cacheId, array('rights'), 120);
    }

    if (!$result && $_throwException) {
        throw new Tinebase_Exception_AccessDenied("You are not allowed to {$right} in application {$this->_applicationName} !");
    }

    return $result;
}
/**
 * update function 2
 * adds roles (tables and user/admin role)
 *
 * Steps, in order:
 * - creates the tables 'roles', 'role_rights' and 'role_accounts' from
 *   the inline XML definitions
 * - creates 'admin role' and 'user role' and makes the default admin
 *   group / default group their only members
 * - grants RUN on every application except 'Admin' to the user role and
 *   every right of every application (including 'Admin') to the admin role
 * - sets the Tinebase application version to '0.3'
 */
public function update_2()
{
    /************ create roles tables **************/
    // The XML strings are passed verbatim to the schema factory; do not reformat them.
    $tableDefinitions = array('<table> <name>roles</name> <version>1</version> <declaration> <field> <name>id</name> <type>integer</type> <autoincrement>true</autoincrement> </field> <field> <name>name</name> <type>text</type> <length>128</length> <notnull>true</notnull> </field> <field> <name>description</name> <type>text</type> <length>255</length> <notnull>false</notnull> </field> <field> <name>created_by</name> <type>integer</type> </field> <field> <name>creation_time</name> <type>datetime</type> </field> <field> <name>last_modified_by</name> <type>integer</type> </field> <field> <name>last_modified_time</name> <type>datetime</type> </field> <index> <name>id</name> <primary>true</primary> <field> <name>id</name> </field> </index> <index> <name>name</name> <unique>true</unique> <field> <name>name</name> </field> </index> </declaration> </table> ', '<table> <name>role_rights</name> <version>1</version> <declaration> <field> <name>id</name> <type>integer</type> <autoincrement>true</autoincrement> </field> <field> <name>role_id</name> <type>integer</type> <unsigned>true</unsigned> <notnull>true</notnull> </field> <field> <name>application_id</name> <type>integer</type> <length>11</length> <unsigned>true</unsigned> <notnull>true</notnull> </field> <field> <name>right</name> <type>text</type> <length>64</length> <notnull>true</notnull> </field> <index> <name>id</name> <primary>true</primary> <field> <name>id</name> </field> </index> <index> <name>role_id</name> <field> <name>role_id</name> </field> </index> <index> <name>application_id</name> <field> <name>application_id</name> </field> </index> <index> <name>role_rights::application_id--applications::id</name> <field> <name>application_id</name> </field> <foreign>true</foreign> <reference> <table>applications</table> <field>id</field> </reference> </index> <index> 
<name>role_rights::role_id--roles::id</name> <field> <name>role_id</name> </field> <foreign>true</foreign> <reference> <table>roles</table> <field>id</field> </reference> </index> </declaration> </table>', '<table> <name>role_accounts</name> <version>1</version> <declaration> <field> <name>id</name> <type>integer</type> <autoincrement>true</autoincrement> </field> <field> <name>role_id</name> <type>integer</type> <unsigned>true</unsigned> <notnull>true</notnull> </field> <field> <name>account_type</name> <type>enum</type> <value>anyone</value> <value>user</value> <value>group</value> <notnull>true</notnull> </field> <field> <name>account_id</name> <type>integer</type> <unsigned>true</unsigned> <notnull>false</notnull> </field> <index> <name>id</name> <primary>true</primary> <field> <name>id</name> </field> </index> <index> <name>account_id-account_type-role_id</name> <unique>true</unique> <field> <name>role_id</name> </field> <field> <name>account_id</name> </field> <field> <name>account_type</name> </field> </index> <index> <name>role_accounts::role_id--roles::id</name> <field> <name>role_id</name> </field> <foreign>true</foreign> <reference> <table>roles</table> <field>id</field> </reference> </index> </declaration> </table>');
    foreach ($tableDefinitions as $tableDefinition) {
        $table = Setup_Backend_Schema_Table_Factory::factory('String', $tableDefinition);
        $this->_backend->createTable($table);
    }
    /************ create roles ***************/
    // get admin and user groups
    $adminGroup = Tinebase_Group::getInstance()->getDefaultAdminGroup();
    $userGroup = Tinebase_Group::getInstance()->getDefaultGroup();
    # add roles and add the groups to the roles
    $adminRole = new Tinebase_Model_Role(array('name' => 'admin role', 'description' => 'admin role for tine. 
this role has all rights per default.'));
    $adminRole = Tinebase_Acl_Roles::getInstance()->createRole($adminRole);
    // The default admin group becomes the only member of the admin role.
    Tinebase_Acl_Roles::getInstance()->setRoleMembers($adminRole->getId(), array(array('id' => $adminGroup->getId(), 'type' => Tinebase_Acl_Rights::ACCOUNT_TYPE_GROUP)));
    $userRole = new Tinebase_Model_Role(array('name' => 'user role', 'description' => 'userrole for tine. this role has only the run rights for all applications per default.'));
    $userRole = Tinebase_Acl_Roles::getInstance()->createRole($userRole);
    // The default group becomes the only member of the user role.
    Tinebase_Acl_Roles::getInstance()->setRoleMembers($userRole->getId(), array(array('id' => $userGroup->getId(), 'type' => Tinebase_Acl_Rights::ACCOUNT_TYPE_GROUP)));
    # enable the applications for the user group/role
    # give all rights to the admin group/role for all applications
    $applications = Tinebase_Application::getInstance()->getApplications();
    foreach ($applications as $application) {
        if ($application->name !== 'Admin') {
            /***** All applications except Admin *****/
            // run right for user role
            Tinebase_Acl_Roles::getInstance()->addSingleRight($userRole->getId(), $application->getId(), Tinebase_Acl_Rights::RUN);
            // all rights for admin role
            $allRights = Tinebase_Application::getInstance()->getAllRights($application->getId());
            foreach ($allRights as $right) {
                Tinebase_Acl_Roles::getInstance()->addSingleRight($adminRole->getId(), $application->getId(), $right);
            }
        } else {
            /***** Admin application *****/
            // The user role gets no right on the Admin application, not even RUN.
            // all rights for admin role
            $allRights = Tinebase_Application::getInstance()->getAllRights($application->getId());
            foreach ($allRights as $right) {
                Tinebase_Acl_Roles::getInstance()->addSingleRight($adminRole->getId(), $application->getId(), $right);
            }
        }
    } // end foreach applications
    $this->setApplicationVersion('Tinebase', '0.3');
}
/**
 * Returns the list of applications the current user is able to use.
 *
 * Group memberships are taken into account. Applications the user is
 * able to use must have the 'run' right set. When the user account has
 * been changed (Tinebase_Controller::userAccountChanged()), applications
 * listed as disabled for changed accounts are removed from the result.
 *
 * @param boolean $_anyRight is any right enough to get the app?
 * @return array list of enabled applications for this user
 */
public function getApplications($_anyRight = FALSE)
{
    $usableApps = Tinebase_Acl_Roles::getInstance()->getApplications($this->accountId, $_anyRight);

    if (!Tinebase_Controller::getInstance()->userAccountChanged()) {
        return $usableApps;
    }

    // TODO this information should be saved in application table
    $blockedForChangedAccounts = array('Felamimail');

    foreach ($usableApps as $index => $candidateApp) {
        // NOTE(review): non-strict in_array() against application names.
        // Confirm the result entries compare equal to plain name strings.
        if (!in_array($candidateApp, $blockedForChangedAccounts)) {
            continue;
        }

        if (Tinebase_Core::isLogLevel(Zend_Log::DEBUG)) {
            Tinebase_Core::getLogger()->debug(__METHOD__ . '::' . __LINE__
                . ' Skipping ' . $candidateApp . ' because app is disabled for changed user accounts');
        }
        unset($usableApps[$index]);
    }

    return $usableApps;
}
/**
 * Creates a role with the given name and gives it every right of every
 * enabled application.
 *
 * The rights are collected first and written with one setRoleRights()
 * call. No members are added to the role here.
 *
 * @param string $adminRoleName name of the role to create
 * @return Tinebase_Model_Role the role as returned by createRole()
 */
protected function _createNewAdminRoleForAdmin($adminRoleName)
{
    $roleTemplate = new Tinebase_Model_Role(array(
        'name'        => $adminRoleName,
        'description' => 'admin role for tine. this role has all rights per default.',
    ));
    $createdRole = Tinebase_Acl_Roles::getInstance()->createRole($roleTemplate);

    // add all rights for all apps
    $activeApplications = Tinebase_Application::getInstance()->getApplicationsByState(Tinebase_Application::ENABLED);

    $rightsToAssign = array();
    foreach ($activeApplications as $activeApplication) {
        $applicationRights = Tinebase_Application::getInstance()->getAllRights($activeApplication->getId());
        foreach ($applicationRights as $applicationRight) {
            $rightsToAssign[] = array(
                'application_id' => $activeApplication->getId(),
                'right'          => $applicationRight,
            );
        }
    }

    Tinebase_Acl_Roles::getInstance()->setRoleRights($createdRole->getId(), $rightsToAssign);

    return $createdRole;
}
/**
 * Checks whether the current user holds the given right for this
 * module's application.
 *
 * @param string $right the right to check
 * @return boolean result of Tinebase_Acl_Roles::hasRight()
 */
protected function _hasModuleRight($right)
{
    $aclRoles = Tinebase_Acl_Roles::getInstance();
    $moduleApplication = $this->_getApplication();

    // NOTE(review): the user object itself is passed here, not its id.
    // Confirm hasRight() accepts a user object as its second argument.
    $currentUser = Tinebase_Core::getUser();

    return $aclRoles->hasRight($moduleApplication, $currentUser, $right);
}
/**
 * Returns the list of applications the current user is able to use.
 *
 * Group memberships are taken into account. Applications the user is
 * able to use must have the 'run' right set.
 *
 * @param boolean $_anyRight is any right enough to get the app?
 * @return array list of enabled applications for this user
 */
public function getApplications($_anyRight = FALSE)
{
    return Tinebase_Acl_Roles::getInstance()->getApplications($this->accountId, $_anyRight);
}
/**
 * update to 3.26
 *
 * - assigns the Tinebase MANAGE_OWN_STATE right to every existing role
 *   (the role search uses an empty filter and empty pagination)
 * - sets the Tinebase application version to '3.26'
 */
public function update_25()
{
    $everyRole = Tinebase_Acl_Roles::getInstance()->searchRoles(
        new Tinebase_Model_RoleFilter(array()),
        new Tinebase_Model_Pagination(array())
    );

    foreach ($everyRole as $existingRole) {
        $roleId = $existingRole->getId();
        $tinebaseId = Tinebase_Application::getInstance()->getApplicationByName('Tinebase')->getId();

        Tinebase_Acl_Roles::getInstance()->addSingleRight($roleId, $tinebaseId, Tinebase_Acl_Rights::MANAGE_OWN_STATE);
    }

    $this->setApplicationVersion('Tinebase', '3.26');
}
/**
 * save admin preferences for this app
 *
 * Requires the ADMIN right for $this->_application. Entries whose id
 * starts with 'default', that carry a 'name' and whose value differs from
 * DEFAULT_VALUE are created as new preferences; the remaining entries are
 * loaded by id and either deleted (value equals DEFAULT_VALUE) or updated.
 *
 * @param array $_data preference data keyed by preference id; each entry is read for 'name', 'value' and 'type'
 * @throws Tinebase_Exception_AccessDenied if the current user lacks the ADMIN right
 *
 * @todo use generic savePreference fn
 */
public function saveAdminPreferences($_data)
{
    // only admins are allowed to update app pref defaults/forced prefs
    if (!Tinebase_Acl_Roles::getInstance()->hasRight($this->_application, Tinebase_Core::getUser()->getId(), Tinebase_Acl_Rights_Abstract::ADMIN)) {
        throw new Tinebase_Exception_AccessDenied('You are not allowed to change the preference defaults.');
    }
    // create prefs that don't exist in the db
    foreach ($_data as $id => $prefData) {
        // NOTE(review): value and type are compared with loose != / == here and
        // below; confirm the incoming types cannot make these match unexpectedly.
        if (preg_match('/^default/', $id) && array_key_exists('name', $prefData) && $prefData['value'] != Tinebase_Model_Preference::DEFAULT_VALUE) {
            $newPref = $this->getApplicationPreferenceDefaults($prefData['name']);
            $newPref->value = $prefData['value'];
            // Any type other than TYPE_FORCED is stored as TYPE_ADMIN.
            $newPref->type = $prefData['type'] == Tinebase_Model_Preference::TYPE_FORCED ? $prefData['type'] : Tinebase_Model_Preference::TYPE_ADMIN;
            unset($newPref->id);
            $this->create($newPref);
            // Handled: keep it out of the update pass below.
            unset($_data[$id]);
        }
    }
    // update default/forced preferences
    // Entries skipped above (including 'default…' ids that did not qualify) are looked up by id here.
    $records = $this->getMultiple(array_keys($_data));
    foreach ($records as $preference) {
        if ($_data[$preference->getId()]['value'] == Tinebase_Model_Preference::DEFAULT_VALUE) {
            // Resetting to the default value removes the stored preference.
            $this->delete($preference->getId());
        } else {
            $preference->value = $_data[$preference->getId()]['value'];
            $preference->type = $_data[$preference->getId()]['type'] == Tinebase_Model_Preference::TYPE_FORCED ? $_data[$preference->getId()]['type'] : Tinebase_Model_Preference::TYPE_ADMIN;
            $this->update($preference);
        }
    }
}
/**
 * save user
 *
 * Creates the account when it has no id yet (after a unique-username
 * check), otherwise updates it. Afterwards the role memberships are set
 * from 'accountRoles' when that entry is present and non-empty, and the
 * saved account is returned together with its primary group, groups and
 * roles.
 *
 * NOTE(review): no right check is visible in this method, neither for
 * saving the account nor for assigning roles. Confirm the caller or
 * Admin_Controller_User enforces who may grant which roles.
 *
 * @param  array $recordData data of Tinebase_Model_FullUser
 * @return array the saved account as array, or an array with 'errors', 'errorMessage' and 'status' => 'failure'
 */
public function saveUser($recordData)
{
    // Missing password is passed on as an empty string.
    $password = isset($recordData['accountPassword']) ? $recordData['accountPassword'] : '';
    $account = new Tinebase_Model_FullUser();
    // always re-evaluate fullname
    unset($recordData['accountFullName']);
    try {
        $account->setFromArray($recordData);
        if (isset($recordData['sambaSAM'])) {
            $account->sambaSAM = new Tinebase_Model_SAMUser($recordData['sambaSAM']);
        }
        if (isset($recordData['emailUser'])) {
            // The same emailUser data is used for the email, imap and smtp user records.
            $account->emailUser = new Tinebase_Model_EmailUser($recordData['emailUser']);
            $account->imapUser = new Tinebase_Model_EmailUser($recordData['emailUser']);
            $account->smtpUser = new Tinebase_Model_EmailUser($recordData['emailUser']);
        }
    } catch (Tinebase_Exception_Record_Validation $e) {
        // invalid data in some fields sent from client
        $result = array('errors' => $account->getValidationErrors(), 'errorMessage' => 'invalid data for some fields', 'status' => 'failure');
        return $result;
    }
    if ($account->getId() == NULL) {
        // New account: refuse a login name that is already taken.
        if (!Tinebase_User_Registration::getInstance()->checkUniqueUsername($account->accountLoginName)) {
            $result = array('errors' => 'invalid username', 'errorMessage' => 'Username already used.', 'status' => 'failure');
            return $result;
        }
        // presumably password and password repeat — verify against the controller
        $account = Admin_Controller_User::getInstance()->create($account, $password, $password);
    } else {
        $account = Admin_Controller_User::getInstance()->update($account, $password, $password);
    }
    // after user update or creation add user to selected roles
    // An absent or empty 'accountRoles' skips this call, so existing memberships are not cleared here.
    if (isset($recordData['accountRoles']) && $recordData['accountRoles']) {
        Tinebase_Acl_Roles::getInstance()->setRoleMemberships(array('id' => $account->accountId, 'type' => Tinebase_Acl_Rights::ACCOUNT_TYPE_USER), $recordData['accountRoles']);
    }
    $result = $this->_recordToJson($account);
    // add primary group to account for the group selection combo box
    $group = Tinebase_Group::getInstance()->getGroupById($account->accountPrimaryGroup);
    // add user groups
    $userGroups = Tinebase_Group::getInstance()->getMultiple(Tinebase_Group::getInstance()->getGroupMemberships($account->accountId))->toArray();
    // add user roles
    $userRoles = Tinebase_Acl_Roles::getInstance()->getMultiple(Tinebase_Acl_Roles::getInstance()->getRoleMemberships($account->accountId))->toArray();
    // encode the account array
    $result['accountPrimaryGroup'] = $group;
    // encode the groups array
    $result['groups'] = array('results' => $userGroups, 'totalcount' => count($userGroups));
    // encode the roles array
    $result['accountRoles'] = array('results' => $userRoles, 'totalcount' => count($userRoles));
    return $result;
}
/**
 * save admin preferences for this app
 *
 * Requires the ADMIN right for $this->_application. Entries whose id
 * starts with 'default', that carry a 'name' and are either of type
 * TYPE_FORCED or have a value other than DEFAULT_VALUE are created as new
 * preferences; the remaining entries are loaded by id and either deleted
 * (value equals DEFAULT_VALUE) or updated.
 *
 * @param array $_data preference data keyed by preference id; each entry is read for 'name', 'value' and 'type'
 * @return void
 * @throws Tinebase_Exception_AccessDenied if the current user lacks the ADMIN right
 *
 * @todo use generic savePreference fn
 */
public function saveAdminPreferences($_data)
{
    // only admins are allowed to update app pref defaults/forced prefs
    if (!Tinebase_Acl_Roles::getInstance()->hasRight($this->_application, Tinebase_Core::getUser()->getId(), Tinebase_Acl_Rights_Abstract::ADMIN)) {
        throw new Tinebase_Exception_AccessDenied('You are not allowed to change the preference defaults.');
    }
    // create prefs that don't exist in the db
    foreach ($_data as $id => $prefData) {
        // NOTE(review): value and type are compared with loose != / == here and
        // below; confirm the incoming types cannot make these match unexpectedly.
        if (preg_match('/^default/', $id) && (isset($prefData['name']) || array_key_exists('name', $prefData)) && ($prefData['type'] == Tinebase_Model_Preference::TYPE_FORCED || (string) $prefData['value'] != Tinebase_Model_Preference::DEFAULT_VALUE)) {
            if (Tinebase_Core::isLogLevel(Zend_Log::DEBUG)) {
                // NOTE(review): the preference value is written to the debug log;
                // confirm no preference handled here can carry a secret.
                Tinebase_Core::getLogger()->debug(__METHOD__ . '::' . __LINE__ . ' Create admin pref: ' . $prefData['name'] . ' = ' . $prefData['value']);
            }
            $newPref = $this->getApplicationPreferenceDefaults($prefData['name']);
            $newPref->value = $prefData['value'];
            // Any type other than TYPE_FORCED is stored as TYPE_ADMIN.
            $newPref->type = $prefData['type'] == Tinebase_Model_Preference::TYPE_FORCED ? $prefData['type'] : Tinebase_Model_Preference::TYPE_ADMIN;
            unset($newPref->id);
            $this->create($newPref);
            // Handled: keep it out of the update pass below.
            unset($_data[$id]);
        }
    }
    // update default/forced preferences
    // Entries skipped above (including 'default…' ids that did not qualify) are looked up by id here.
    $records = $this->getMultiple(array_keys($_data));
    if (Tinebase_Core::isLogLevel(Zend_Log::DEBUG)) {
        Tinebase_Core::getLogger()->debug(__METHOD__ . '::' . __LINE__ . ' Saving admin prefs: ' . print_r($records->name, TRUE));
    }
    foreach ($records as $preference) {
        if ($_data[$preference->getId()]['value'] == Tinebase_Model_Preference::DEFAULT_VALUE) {
            // Resetting to the default value removes the stored preference.
            $this->delete($preference->getId());
        } else {
            $preference->value = $_data[$preference->getId()]['value'];
            $preference->type = $_data[$preference->getId()]['type'] == Tinebase_Model_Preference::TYPE_FORCED ? $_data[$preference->getId()]['type'] : Tinebase_Model_Preference::TYPE_ADMIN;
            $this->update($preference);
        }
    }
}
/**
 * Tears down the fixture.
 * This method is called after a test is executed.
 *
 * Rolls back the open transaction and then resets the role class cache.
 *
 * @access protected
 */
protected function tearDown()
{
    $transactionManager = Tinebase_TransactionManager::getInstance();
    $transactionManager->rollBack();

    // Cached role/right lookups could otherwise outlive the rolled-back data.
    $aclRoles = Tinebase_Acl_Roles::getInstance();
    $aclRoles->resetClassCache();
}
/**
 * handle events for Tinebase
 *
 * Only Admin_Event_DeleteGroup is handled: for every deleted group id
 * the group is removed from all roles it is a member of. Any other event
 * class is ignored.
 *
 * @param Tinebase_Event_Abstract $_eventObject
 */
protected function _handleEvent(Tinebase_Event_Abstract $_eventObject)
{
    if (get_class($_eventObject) !== 'Admin_Event_DeleteGroup') {
        return;
    }

    foreach ($_eventObject->groupIds as $deletedGroupId) {
        if (Tinebase_Core::isLogLevel(Zend_Log::DEBUG)) {
            Tinebase_Core::getLogger()->debug(__METHOD__ . '::' . __LINE__ . ' Removing role memberships of group ' . $deletedGroupId);
        }

        $memberOfRoleIds = Tinebase_Acl_Roles::getInstance()->getRoleMemberships($deletedGroupId, Tinebase_Acl_Rights::ACCOUNT_TYPE_GROUP);

        // Drop the membership so no role keeps a reference to the deleted group id.
        foreach ($memberOfRoleIds as $memberOfRoleId) {
            $groupMember = array('id' => $deletedGroupId, 'type' => Tinebase_Acl_Rights::ACCOUNT_TYPE_GROUP);
            Tinebase_Acl_Roles::getInstance()->removeRoleMember($memberOfRoleId, $groupMember);
        }
    }
}
/**
 * Creates a role, searches for it and deletes it again.
 *
 * The search uses the text 'phpunit test role' with a limit of 1 and
 * expects the first hit to carry the name of the created role.
 */
public function testSearchRoles()
{
    $createdRole = Tinebase_Acl_Roles::getInstance()->createRole($this->_objects['role']);

    $searchFilter = array(
        array('field' => 'query', 'operator' => 'contains', 'value' => 'phpunit test role'),
    );
    $searchPaging = array('start' => 0, 'limit' => 1);

    $found = $this->_instance->searchRoles($searchFilter, $searchPaging);

    $this->assertGreaterThan(0, $found['totalcount']);
    $this->assertEquals($this->_objects['role']->name, $found['results'][0]['name']);

    // delete role
    Tinebase_Acl_Roles::getInstance()->deleteRoles($createdRole->id);
}
/**
 * Adds the Tinebase-specific user rights on top of the default rights.
 *
 * The parent implementation runs first; afterwards CHECK_VERSION,
 * REPORT_BUGS and MANAGE_OWN_STATE are added, in that order, to the role
 * named 'user role'.
 *
 * @see tine20/Setup/Setup_Initialize#_createInitialRights($_application)
 *
 * @todo make hard coded role name ('user role') configurable
 *
 * @param Tinebase_Model_Application $_application application the rights are granted for
 */
protected function _createInitialRights(Tinebase_Model_Application $_application)
{
    parent::_createInitialRights($_application);

    $aclRoles = Tinebase_Acl_Roles::getInstance();

    // NOTE(review): the lookup result is used unchecked — confirm what
    // getRoleByName() does when 'user role' does not exist.
    $defaultUserRole = $aclRoles->getRoleByName('user role');

    $extraUserRights = array(
        Tinebase_Acl_Rights::CHECK_VERSION,
        Tinebase_Acl_Rights::REPORT_BUGS,
        Tinebase_Acl_Rights::MANAGE_OWN_STATE,
    );

    foreach ($extraUserRights as $extraUserRight) {
        $aclRoles->addSingleRight($defaultUserRole->getId(), $_application->getId(), $extraUserRight);
    }
}
/**
 * Deletes (set state "deleted") tags identified by their ids
 *
 * The tags are loaded with VIEW_RIGHT; if fewer tags come back than ids
 * were requested, access is denied. Unless $ignoreAcl is set, each tag
 * must be either a personal tag owned by the current account or a shared
 * tag while the account holds Admin MANAGE_SHARED_TAGS. With $ignoreAcl
 * set, this per-tag check is skipped entirely.
 *
 * @param  string|array $ids to delete
 * @param  boolean $ignoreAcl skip the ownership / MANAGE_SHARED_TAGS check
 * @throws Tinebase_Exception_AccessDenied
 */
public function deleteTags($ids, $ignoreAcl = FALSE)
{
    $tags = $this->getTagsById($ids, Tinebase_Model_TagRight::VIEW_RIGHT, $ignoreAcl);
    if (count($tags) != count((array) $ids)) {
        throw new Tinebase_Exception_AccessDenied('You are not allowed to delete the tag(s).');
    }

    // Without a user object the literal 'setupuser' is used as account id.
    $currentAccountId = is_object(Tinebase_Core::getUser())
        ? Tinebase_Core::getUser()->getId()
        : 'setupuser';

    if (!$ignoreAcl) {
        $manageSharedTagsRight = Tinebase_Acl_Roles::getInstance()->hasRight('Admin', $currentAccountId, Admin_Acl_Rights::MANAGE_SHARED_TAGS);

        foreach ($tags as $tag) {
            // NOTE(review): owner and type are compared with loose ==; confirm
            // both sides are always strings so type juggling cannot match a
            // foreign owner.
            $isOwnPersonalTag = ($tag->type == Tinebase_Model_Tag::TYPE_PERSONAL && $tag->owner == $currentAccountId);
            $isManageableSharedTag = ($tag->type == Tinebase_Model_Tag::TYPE_SHARED && $manageSharedTagsRight);

            if (!$isOwnPersonalTag && !$isManageableSharedTag) {
                throw new Tinebase_Exception_AccessDenied('You are not allowed to delete this tags');
            }
        }
    }

    if (Tinebase_Core::isLogLevel(Zend_Log::DEBUG)) {
        Tinebase_Core::getLogger()->debug(__METHOD__ . '::' . __LINE__ . ' Deleting ' . count($tags) . ' tags.');
    }

    if (count($tags) > 0) {
        // Soft delete: the rows stay, only the deletion markers are set.
        $deletionMarkers = array(
            'is_deleted'   => true,
            'deleted_by'   => $currentAccountId,
            'deleted_time' => Tinebase_DateTime::now()->get(Tinebase_Record_Abstract::ISO8601LONG),
        );
        // The id list is bound through quoteInto(), not concatenated into the SQL.
        $whereIds = $this->_db->quoteInto($this->_db->quoteIdentifier('id') . ' IN (?)', $tags->getArrayOfIds());

        $this->_db->update(SQL_TABLE_PREFIX . 'tags', $deletionMarkers, $whereIds);
    }
}