/**
* check grant for action (CRUD)
*
* @param Tinebase_Record_Interface $record
* @param string $action
* @param boolean $throw
* @param string $errorMessage
* @param Tinebase_Record_Interface $oldRecord
* @return boolean
* @throws Tinebase_Exception_AccessDenied
*
* @todo allow to skip this (ignoreACL)
*/
protected function _checkGrant($record, $action, $throw = true, $errorMessage = 'No Permission.', $oldRecord = null)
{
$hasGrant = parent::_checkGrant($record, $action, $throw, $errorMessage, $oldRecord);
if (!$record->getId() || $action === 'create') {
// no record based grants for new records
return $hasGrant;
}
// always get current record grants
$currentRecord = $this->_backend->get($record->getId());
$this->_getGrants($currentRecord);
if (Tinebase_Core::isLogLevel(Zend_Log::TRACE)) {
Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__ . ' Checked record (incl. grants): ' . print_r($currentRecord->toArray(), true));
}
switch ($action) {
case 'get':
$hasGrant = $this->hasGrant($currentRecord, Tinebase_Model_Grants::GRANT_READ);
break;
case 'update':
$hasGrant = $this->hasGrant($currentRecord, Tinebase_Model_Grants::GRANT_EDIT);
break;
case 'delete':
$hasGrant = $this->hasGrant($currentRecord, Tinebase_Model_Grants::GRANT_DELETE);
break;
}
if (!$hasGrant) {
Tinebase_Core::getLogger()->notice(__METHOD__ . '::' . __LINE__ . ' No permissions to ' . $action . ' record.');
if ($throw) {
throw new Tinebase_Exception_AccessDenied($errorMessage);
}
}
return $hasGrant;
}
protected function _checkGrant($_record, $_action, $_throw = TRUE, $_errorMessage = 'No Permission.', $_oldRecord = NULL)
{
$this->doContainerACLChecks($this->_doContainerACLChecks && !Tinebase_Core::getUser()->hasRight('Calendar', Calendar_Acl_Rights::MANAGE_RESOURCES));
return parent::_checkGrant($_record, $_action, $_throw, $_errorMessage, $_oldRecord);
}
