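/**
 * _checkUserResourcePermission
 * Check if the user has access to every resource (contact lists and newsletters)
 * that the trigger email record refers to.
 *
 * We need to do this here because currently the API does not check any user permission.
 * Once user permissions are enforced in the API, this function can be deprecated.
 *
 * The check fails closed: a resource ID that is missing from the user's list/newsletter
 * map, that is not a usable array key (e.g. a nested array), or an ID collection that is
 * not an array at all, is treated as "no access" and reported via E_USER_NOTICE.
 * Record sections that are simply absent (no 'data' for the trigger type, no enabled
 * action) are not checked, so the record structure must still be validated elsewhere.
 *
 * Every failing check is reported before returning, so one call may emit several notices.
 *
 * @param Array $record Associative array of the trigger email record
 * @param User_API $user User API (must provide Admin(), GetLists(), GetNewsletters())
 *
 * @return Boolean Returns TRUE if the user has all permissions, FALSE otherwise
 *
 * @todo deprecate this when the API takes user permissions into account
 */
private function _checkUserResourcePermission($record, $user)
{
    // Administrators bypass resource permission checks entirely
    if ($user->Admin()) {
        return true;
    }

    $userLists = $user->GetLists();
    $userNewsletters = $user->GetNewsletters();

    // TRUE when $id is not a key of $allowed. Keys that are not int|string would
    // make array_key_exists() throw on PHP 8, so such IDs are denied, not crashed on.
    $denied = function ($id, $allowed) {
        if (!is_array($allowed) || !(is_int($id) || is_string($id))) {
            return true;
        }
        return !array_key_exists($id, $allowed);
    };

    // TRUE when any ID in $ids is missing from $allowed, or when $ids is not an
    // array (a bare foreach over a non-array would only warn and grant access).
    $anyDenied = function ($ids, $allowed) use ($denied) {
        if (!is_array($ids)) {
            return true;
        }
        foreach ($ids as $id) {
            if ($denied($id, $allowed)) {
                return true;
            }
        }
        return false;
    };

    $triggerType = isset($record['triggertype']) ? $record['triggertype'] : null;
    $data = (isset($record['data']) && is_array($record['data'])) ? $record['data'] : array();
    $actions = (isset($record['triggeractions']) && is_array($record['triggeractions'])) ? $record['triggeractions'] : array();

    $error = false;

    // ----- Resources referenced by the trigger itself (strict string comparison on the type code)

    // 'f': contact list the trigger fires on
    if ($triggerType === 'f' && isset($data['listid']) && $denied($data['listid'], $userLists)) {
        trigger_error('Does not have access to contact list', E_USER_NOTICE);
        $error = true;
    }

    // 'l': newsletter the tracked link belongs to
    if ($triggerType === 'l' && isset($data['linkid_newsletterid']) && $denied($data['linkid_newsletterid'], $userNewsletters)) {
        trigger_error('Does not have access to specified newsletter', E_USER_NOTICE);
        $error = true;
    }

    // 'n': newsletter for the "Newsletter Opened" event
    if ($triggerType === 'n' && isset($data['newsletterid']) && $denied($data['newsletterid'], $userNewsletters)) {
        trigger_error('Does not have access to specified newsletter', E_USER_NOTICE);
        $error = true;
    }

    // 's': lists defined for the static date trigger
    if ($triggerType === 's' && isset($data['staticdate_listids']) && $anyDenied($data['staticdate_listids'], $userLists)) {
        trigger_error('Does not have access to specified list', E_USER_NOTICE);
        $error = true;
    }

    // ----- Resources required by the "send" action
    if (!empty($actions['send']['enabled'])) {
        if (isset($actions['send']['newsletterid']) && $denied($actions['send']['newsletterid'], $userNewsletters)) {
            // Message corrected (was "does not exits"); reported and evaluation continues
            // so the "addlist" check below is also reported instead of returning early.
            trigger_error('Newsletter does not exist', E_USER_NOTICE);
            $error = true;
        }
    }

    // ----- Resources required by the "addlist" action
    if (!empty($actions['addlist']['enabled'])) {
        if (isset($actions['addlist']['listid']) && $anyDenied($actions['addlist']['listid'], $userLists)) {
            // Message corrected: this branch checks lists, not newsletters
            trigger_error('Does not have access to specified list', E_USER_NOTICE);
            $error = true;
        }
    }

    return !$error;
}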
/**
 * MakeViewPopupMenu
 * Build the "view" popup menu (list and segment shortcuts) for the subscriber manage page.
 *
 * Each row is rendered through the 'Subscribers_Manage_ViewPicker_Row' template, which
 * reads RowAction, RowTitle and RowCaption from $GLOBALS; the assembled menu is rendered
 * through 'Subscribers_Manage_ViewPicker', which reads CommonViews, ListViews and
 * SegmentViews. All template globals set here are unset again before returning.
 *
 * RowTitle and RowCaption are escaped with htmlspecialchars(); RowAction is built from the
 * list/segment array keys without escaping, so it relies on those keys being numeric IDs.
 * The caption of the currently selected list or segment is wrapped in <b>.
 *
 * @param Array $search_info Search info; 'List' (selected list id) and 'Segment' are honoured
 * @param User_API $user (REF) Current user record
 * @return String Returns "View" popup menu HTML string
 *
 * @uses SendStudio_Functions::ParseTemplate()
 */
function MakeViewPopupMenu($search_info, &$user)
{
    $commonRows = array();
    $listRows = array();
    $segmentRows = array();

    $selectedListID = array_key_exists('List', $search_info) ? (int) $search_info['List'] : 0;

    // NOTE(review): 'Segment' is only accepted when it is an array, yet it is compared
    // loosely against scalar segment ids below, so the <b> highlight for segments appears
    // never to apply — confirm whether a per-id membership test was intended.
    $selectedSegmentID = '-';
    if (array_key_exists('Segment', $search_info) && is_array($search_info['Segment'])) {
        $selectedSegmentID = $search_info['Segment'];
    }

    /**
     * List views
     */
    if ($user->HasAccess('Lists') && !empty($search_info['List'])) {
        foreach ($user->GetLists() as $listID => $listRecord) {
            $GLOBALS['RowAction'] = 'index.php?Page=Subscribers&Action=Manage&Lists[]=' . $listID;
            $GLOBALS['RowTitle'] = htmlspecialchars($listRecord['name'], ENT_QUOTES, SENDSTUDIO_CHARSET);
            $GLOBALS['RowCaption'] = ' <img border="0" src="images/nodejoinsmall.gif" /> '
                . htmlspecialchars($this->TruncateName($listRecord['name'], 55), ENT_QUOTES, SENDSTUDIO_CHARSET);
            if ($selectedListID == $listID) {
                $GLOBALS['RowCaption'] = '<b>' . $GLOBALS['RowCaption'] . '</b>';
            }
            $listRows[] = $this->ParseTemplate('Subscribers_Manage_ViewPicker_Row', true);
        }
    } else {
        $GLOBALS['DisplayStyleList'] = 'none';
    }

    /**
     * Segment views
     */
    if ($user->HasAccess('Segments') && !empty($search_info['Segment'])) {
        $segments = $user->GetSegmentList();
        if (count($segments) == 0) {
            $GLOBALS['SegmentDisplay'] = 'none';
        } else {
            $GLOBALS['SegmentDisplay'] = '';
            foreach ($segments as $segmentID => $segmentRecord) {
                $GLOBALS['RowAction'] = 'index.php?Page=Subscribers&Action=Manage&Segment=' . $segmentID;
                $GLOBALS['RowTitle'] = htmlspecialchars($segmentRecord['segmentname'], ENT_QUOTES, SENDSTUDIO_CHARSET);
                $GLOBALS['RowCaption'] = ' <img border="0" src="images/nodejoinsmall.gif" /> '
                    . htmlspecialchars($this->TruncateName($segmentRecord['segmentname'], 55), ENT_QUOTES, SENDSTUDIO_CHARSET);
                if ($selectedSegmentID == $segmentID) {
                    $GLOBALS['RowCaption'] = '<b>' . $GLOBALS['RowCaption'] . '</b>';
                }
                $segmentRows[] = $this->ParseTemplate('Subscribers_Manage_ViewPicker_Row', true);
            }
        }
    } else {
        $GLOBALS['DisplayStyleSegment'] = 'none';
    }

    // Per-row template globals must not leak into the outer template
    unset($GLOBALS['RowCaption'], $GLOBALS['RowTitle'], $GLOBALS['RowAction']);

    $GLOBALS['CommonViews'] = implode('', $commonRows);
    $GLOBALS['ListViews'] = implode('', $listRows);
    $GLOBALS['SegmentViews'] = implode('', $segmentRows);

    $output = $this->ParseTemplate('Subscribers_Manage_ViewPicker', true);

    unset($GLOBALS['SegmentViews'], $GLOBALS['ListViews'], $GLOBALS['CommonViews']);

    return $output;
}
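/**
 * _checkPermissionCanEdit
 * Check whether or not a user can edit a segment
 *
 * Checking user privilege in this instance also means checking whether the user
 * has access to all mailing lists used in a segment. Once lists used in a segment
 * become "restricted" to a user, the user should not be able to edit the segment at all.
 *
 * Here's the logic:
 * (1) If Admin go to (7), otherwise go to (2)
 * (2) If segment is owned by user, go to (3), otherwise go (4)
 * (3) If user has "edit" permission, go to (7), otherwise (6)
 * (4) If user is allowed "edit" access to this segment, then check (5), otherwise go (6)
 * (5) If user DOES NOT have access to all the lists in the segment, go (6), otherwise go (7)
 * (6) CANNOT EDIT
 * (7) CAN EDIT
 *
 * Step (5) fails closed: if the segment's list selection is missing or not an array,
 * editing is denied rather than granted. Duplicate list IDs in the segment do not
 * cause a false denial.
 *
 * @param Segment_API $segmentapi Current segment API (ownerid, segmentid, searchinfo['Lists'])
 * @param User_API $userapi Current user API (userid, Admin(), HasAccess(), GetLists())
 *
 * @return Boolean Returns TRUE if user has edit privilege on segment, FALSE otherwise
 *
 * @uses User_API::HasAccess()
 * @uses User_API::GetLists()
 *
 * @access private
 */
function _checkPermissionCanEdit($segmentapi, $userapi)
{
    // (1) Administrators can always edit
    if ($userapi->Admin()) {
        return true;
    }

    // (2)/(3) The owner only needs the generic "edit segments" privilege.
    // Loose comparison kept on purpose: ids may arrive as int or numeric string.
    if ($segmentapi->ownerid == $userapi->userid) {
        return (bool) $userapi->HasAccess('Segments', 'Edit');
    }

    // (4) Non-owners need edit access granted for this particular segment
    if (!$userapi->HasAccess('Segments', 'Edit', $segmentapi->segmentid)) {
        return false;
    }

    // (5) ...and access to every list the segment searches. A missing or malformed
    // list selection cannot be verified, so it is denied instead of granted.
    $segmentLists = isset($segmentapi->searchinfo['Lists']) ? $segmentapi->searchinfo['Lists'] : null;
    if (!is_array($segmentLists)) {
        return false;
    }

    $userLists = array_keys($userapi->GetLists());

    // Every segment list must appear among the user's lists. array_diff() compares
    // as strings like array_intersect() did, but tolerates duplicate segment list ids,
    // which the previous count(intersect) == count(lists) test wrongly rejected.
    return count(array_diff($segmentLists, $userLists)) === 0;
}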