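/**
  * Checks the access control list for the specified user and returns an access value. Values are:
  *
  * __CA_ACL_NO_ACCESS__   (0)
  * __CA_ACL_READONLY_ACCESS__ (1)
  * __CA_ACL_EDIT_ACCESS__ (2)
  * __CA_ACL_EDIT_DELETE_ACCESS__ (3)
  *
  * Two cases short-circuit to full access without consulting the ACL table: tables that do not
  * support ACL (supportsACL() false) and users with the is_administrator action.
  *
  * @param ca_users $t_user A ca_users object
  * @param int $pn_id Optional row_id to check ACL for; if omitted currently loaded row_id is used
  * @return int|null An access value, or null when no row_id was given and no row is currently loaded
  */
 public function checkACLAccessForUser($t_user, $pn_id = null)
 {
     // Tables without ACL support have nothing to check: full access.
     if (!$this->supportsACL()) {
         return __CA_ACL_EDIT_DELETE_ACCESS__;
     }
     // Normalize to int so the ACL lookup always receives the same type as the
     // loaded-row fallback below (numeric strings and null both collapse to int).
     $pn_id = (int) $pn_id;
     if (!$pn_id) {
         $pn_id = (int) $this->getPrimaryKey();
         if (!$pn_id) {
             return null;   // nothing loaded and no explicit row_id: nothing to check
         }
     }
     // Administrators bypass per-row ACL entirely.
     if ($t_user->canDoAction('is_administrator')) {
         return __CA_ACL_EDIT_DELETE_ACCESS__;
     }
     require_once __CA_MODELS_DIR__ . '/ca_acl.php';
     return ca_acl::accessForRow($t_user, $this->tableNum(), $pn_id);
 }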
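 /**
  * Determines if user has access to a set at a specified access level.
  *
  * Access is granted, in this order, when: set access control is disabled via the
  * dont_enforce_access_control_for_ca_sets app config setting; the set is new (no set_id);
  * the user owns the set; the set is public (access > 0) and only read access is requested;
  * the user is an administrator or has can_administrate_sets; or a row in
  * ca_sets_x_user_groups (via the user's groups) or ca_sets_x_users grants at least the
  * requested level and is either undated or currently inside its sdatetime/edatetime window.
  * Deleted sets are never accessible (except via the config bypass). Results are memoized
  * per set/user/access in ca_sets::$s_have_access_to_set_cache for the request.
  *
  * @param int $pn_user_id user_id of user to check set access for
  * @param int $pn_access type of access required. Use __CA_SET_READ_ACCESS__ for read-only access or __CA_SET_EDIT_ACCESS__ for editing (full) access
  * @param int $pn_set_id The id of the set to check. If omitted then currently loaded set will be checked.
  * @param array $pa_options No options yet
  * @return bool True if user has access, false if not
  */
 public function haveAccessToSet($pn_user_id, $pn_access, $pn_set_id = null, $pa_options = null)
 {
     if ($this->getAppConfig()->get('dont_enforce_access_control_for_ca_sets')) {
         return true;
     }
     $vn_user_id = (int) $pn_user_id;
     $vn_access = (int) $pn_access;
     // Always defined (the original left it unset when no set_id was passed); 0 = use loaded set.
     $vn_set_id = (int) $pn_set_id;
     if ($vn_set_id) {
         $t_set = new ca_sets($vn_set_id);
     } else {
         $t_set = $this;
         $vn_set_id = (int) $t_set->getPrimaryKey();
     }
     if (!$vn_set_id) {
         return true;   // new, unsaved set: nothing to restrict yet
     }
     if ($t_set->get('deleted') != 0) {
         return false;  // deleted sets are never accessible
     }
     $vs_cache_key = $vn_set_id . '/' . $vn_user_id . '/' . $vn_access;
     if (isset(ca_sets::$s_have_access_to_set_cache[$vs_cache_key])) {
         return ca_sets::$s_have_access_to_set_cache[$vs_cache_key];
     }
     // Owners have all access. Compare as non-zero ints: a loose == would treat an
     // ownerless set (user_id NULL) and an anonymous/zero user_id as equal.
     $vn_set_user_id = (int) $t_set->get('user_id');
     if ($vn_set_user_id > 0 && $vn_set_user_id === $vn_user_id) {
         return ca_sets::$s_have_access_to_set_cache[$vs_cache_key] = true;
     }
     // Public sets are readable by all
     if ($t_set->get('access') > 0 && $vn_access == __CA_SET_READ_ACCESS__) {
         return ca_sets::$s_have_access_to_set_cache[$vs_cache_key] = true;
     }
     // If user is admin or has set admin privs allow them access to the set
     $t_user = new ca_users();
     if ($t_user->load($vn_user_id) && ($t_user->canDoAction('is_administrator') || $t_user->canDoAction('can_administrate_sets'))) {
         return ca_sets::$s_have_access_to_set_cache[$vs_cache_key] = true;
     }
     // Group- and user-level grants must meet the requested level and be either undated or
     // currently in effect. The timestamp is bound as a parameter instead of being spliced
     // into the SQL text, so every value in these queries goes through the driver.
     $o_db = $this->getDb();
     $vn_now = time();
     $qr_res = $o_db->query("
         SELECT sxg.set_id
         FROM ca_sets_x_user_groups sxg
         INNER JOIN ca_user_groups AS ug ON sxg.group_id = ug.group_id
         INNER JOIN ca_users_x_groups AS uxg ON uxg.group_id = ug.group_id
         WHERE
             (sxg.access >= ?) AND (uxg.user_id = ?) AND (sxg.set_id = ?)
             AND
             (
                 (sxg.sdatetime <= ? AND sxg.edatetime >= ?)
                 OR
                 (sxg.sdatetime IS NULL AND sxg.edatetime IS NULL)
             )
     ", $vn_access, $vn_user_id, $vn_set_id, $vn_now, $vn_now);
     if ($qr_res->numRows() > 0) {
         return ca_sets::$s_have_access_to_set_cache[$vs_cache_key] = true;
     }
     $qr_res = $o_db->query("
         SELECT sxu.set_id
         FROM ca_sets_x_users sxu
         INNER JOIN ca_users AS u ON sxu.user_id = u.user_id
         WHERE
             (sxu.access >= ?) AND (u.user_id = ?) AND (sxu.set_id = ?)
             AND
             (
                 (sxu.sdatetime <= ? AND sxu.edatetime >= ?)
                 OR
                 (sxu.sdatetime IS NULL AND sxu.edatetime IS NULL)
             )
     ", $vn_access, $vn_user_id, $vn_set_id, $vn_now, $vn_now);
     if ($qr_res->numRows() > 0) {
         return ca_sets::$s_have_access_to_set_cache[$vs_cache_key] = true;
     }
     return ca_sets::$s_have_access_to_set_cache[$vs_cache_key] = false;
 }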
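 /**
  * Determines whether a user may access a given module/controller/action under the
  * configured access restrictions (opa_acr).
  *
  * Restriction groups are collected for every prefix of the module path, then for the
  * controller ("<modules>/<Controller>Controller") and the action ("…Controller/<action>").
  * Every collected group must pass: a group passes when the user has all of its "actions"
  * (AND, the default) or at least one of them ("operator" => "OR"). A group whose
  * "parameters" restrictions do not apply to this request is skipped. Groups without an
  * "actions" array impose nothing.
  *
  * @param int $pn_user_id user_id of the user to check
  * @param array|string $pa_module_path Module path as an array of components or a "/"-separated string
  * @param string $ps_controller Controller name (without the "Controller" suffix)
  * @param string $ps_action Action name
  * @param array $pa_fake_parameters Request parameters to evaluate parameter restrictions against instead of the real request
  * @return bool True if access is allowed. Always true when enforce_access_restrictions is off or the user is an administrator; always false when there is no request object.
  */
 public function userCanAccess($pn_user_id, $pa_module_path, $ps_controller, $ps_action, $pa_fake_parameters = array())
 {
     if (!$this->opo_acr_config->get("enforce_access_restrictions")) {
         // admin doesn't want us to enforce any restrictions
         return true;
     }
     if (!$this->opo_request) {
         // there is no "real" request, i.e. we're running a CLI script or something
         // we need some context information from the request to determine if a user
         // can access something though -> always return false here!
         return false;
     }
     if ((int) $this->opt_user->getPrimaryKey() !== (int) $pn_user_id) {
         // NOTE(review): a failed load() is not checked here; the action checks below
         // then run against whatever state opt_user is left in — confirm BaseModel::load
         // clears the row on failure.
         $this->opt_user->load($pn_user_id);
     }
     if ($this->opt_user->canDoAction("is_administrator")) {
         // almighty admin!
         return true;
     }
     if (!is_array($pa_module_path)) {
         $pa_module_path = explode("/", (string) $pa_module_path);
     }
     // Build the list of ACR keys to consult, in precedence order: each module prefix,
     // then the controller, then the action.
     $va_paths_to_check = array();
     $va_module_prefix = array();
     foreach ($pa_module_path as $vs_module) {
         $va_module_prefix[] = $vs_module;
         $va_paths_to_check[] = join("/", $va_module_prefix);
     }
     $vs_controller_path = join("/", $pa_module_path) . "/" . ucfirst($ps_controller) . 'Controller';
     $va_paths_to_check[] = $vs_controller_path;
     $va_paths_to_check[] = $vs_controller_path . "/" . $ps_action;
     // Collect restriction groups; isset() guards the lookups that previously raised
     // undefined-index notices for paths with no restrictions configured.
     $va_groups_to_check = array();
     foreach ($va_paths_to_check as $vs_path) {
         if (isset($this->opa_acr[$vs_path]) && is_array($this->opa_acr[$vs_path])) {
             foreach ($this->opa_acr[$vs_path] as $va_group) {
                 $va_groups_to_check[] = $va_group;
             }
         }
     }
     // check rules: one has to pass ALL groups
     foreach ($va_groups_to_check as $va_group) {
         if (!is_array($va_group) || !isset($va_group["actions"]) || !is_array($va_group["actions"])) {
             continue;   // group without action restrictions
         }
         // parameter restrictions that don't apply to this request auto-pass the group
         if (isset($va_group["parameters"]) && is_array($va_group["parameters"])) {
             if (!$this->_parameterRestrictionsApply($va_group["parameters"], $ps_controller, $ps_action, $pa_fake_parameters)) {
                 continue;
             }
         }
         $vb_group_passed = false;
         if (isset($va_group["operator"]) && $va_group["operator"] == "OR") {
             // OR: any one action suffices
             foreach ($va_group["actions"] as $vs_action) {
                 if ($this->opt_user->canDoAction($vs_action)) {
                     $vb_group_passed = true;
                     break;
                 }
             }
         } else {
             // AND: every action is required
             foreach ($va_group["actions"] as $vs_action) {
                 if (!$this->opt_user->canDoAction($vs_action)) {
                     return false;
                 }
             }
             $vb_group_passed = true;
         }
         if (!$vb_group_passed) {
             return false;
         }
     }
     return true;   // all groups passed
 }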
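 /**
  * Determines if a user may access a commerce communication (message).
  *
  * Access is granted when the user has the can_manage_clients action, or when the user
  * owns the transaction the communication belongs to.
  *
  * @param int $pn_user_id user_id of the user to check
  * @param int $pn_communication_id Optional communication_id to check; if omitted the currently loaded communication is used
  * @return bool True if the user may access the communication, false if not (including when the given communication or its transaction cannot be loaded)
  */
 public function haveAccessToMessage($pn_user_id, $pn_communication_id = null)
 {
     $vn_user_id = (int) $pn_user_id;
     $t_user = new ca_users($vn_user_id);
     if ($t_user->canDoAction('can_manage_clients')) {
         return true;
     }
     if ($pn_communication_id) {
         $t_comm = new ca_commerce_communications($pn_communication_id);
         if (!$t_comm->getPrimaryKey()) {
             return false;   // no such communication
         }
     } else {
         $t_comm = $this;
     }
     $t_trans = new ca_commerce_transactions($t_comm->get('transaction_id'));
     if (!$t_trans->getPrimaryKey()) {
         return false;   // communication is not attached to a loadable transaction
     }
     // Owner check as non-zero ints: a loose == would match a NULL user_id against 0/null.
     $vn_trans_user_id = (int) $t_trans->get('user_id');
     return $vn_trans_user_id > 0 && $vn_trans_user_id === $vn_user_id;
 }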
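 /**
  * Duplicate all items in this set
  *
  * Each row in the set is duplicated using the user's per-table *_duplicate_* preferences and
  * the copies are added either to this set (option addToCurrentSet) or to a newly created set
  * with the same type_id, table_num and user_id, a set_code suffixed with "-dupes" and a label
  * suffixed with "[Duplicates]". Rows that can no longer be loaded are skipped; rows whose
  * duplicate() does not return a BaseModel are left out of the target set.
  *
  * @param int $pn_user_id user_id of the user performing the duplication; must exist and hold the can_duplicate_<table> action
  * @param array $pa_options Options:
  *      addToCurrentSet = add the duplicates to this set instead of a new "dupes" set. [Default is false]
  * @return ca_sets|bool The set the duplicates were added to, or false when no set is loaded, the set is empty, the user does not exist, the user lacks the duplicate privilege (error 2580 is posted), or the new set could not be inserted (its errors are copied to $this->errors)
  */
 public function duplicateItemsInSet($pn_user_id, $pa_options = array())
 {
     if (!$this->getPrimaryKey()) {
         return false;
     }
     if ($this->getItemCount() < 1) {
         return false;
     }
     // we need a user for duplication
     $t_user = new ca_users($pn_user_id);
     if (!$t_user->getPrimaryKey()) {
         return false;
     }
     // Check the duplicate privilege before any writes. Previously this ran inside the
     // item loop, after the target set had already been inserted, so a permission
     // failure left an empty "-dupes" set behind.
     $vn_table_num = $this->get('table_num');
     $t_instance = $this->getAppDatamodel()->getInstance($vn_table_num);
     if (!$t_instance) {
         return false;   // unknown table_num
     }
     $vs_table_name = $t_instance->tableName();
     if (!$t_user->canDoAction('can_duplicate_' . $vs_table_name)) {
         $this->postError(2580, _t('You do not have permission to duplicate these items'), 'ca_sets->duplicateItemsInSet()');
         return false;
     }
     global $g_ui_locale_id;
     if (caGetOption('addToCurrentSet', $pa_options, false)) {
         $t_set_to_add_dupes_to = $this;
     } else {
         // create new set for dupes
         $t_set_to_add_dupes_to = new ca_sets();
         $t_set_to_add_dupes_to->set('type_id', $this->get('type_id'));
         $t_set_to_add_dupes_to->set('table_num', $vn_table_num);
         $t_set_to_add_dupes_to->set('user_id', $this->get('user_id'));
         $t_set_to_add_dupes_to->set('set_code', $this->get('set_code') . '-' . _t('dupes'));
         $t_set_to_add_dupes_to->setMode(ACCESS_WRITE);
         $t_set_to_add_dupes_to->insert();
         if (!$t_set_to_add_dupes_to->getPrimaryKey()) {
             $this->errors = $t_set_to_add_dupes_to->errors;
             return false;
         }
         $t_set_to_add_dupes_to->addLabel(array('name' => $this->getLabelForDisplay() . ' ' . _t('[Duplicates]')), $g_ui_locale_id, null, true);
     }
     // Preferences are keyed by table, so resolve them once instead of once per row.
     $va_dupe_options = array(
         'user_id' => $pn_user_id,
         'duplicate_nonpreferred_labels' => $t_user->getPreference($vs_table_name . '_duplicate_nonpreferred_labels'),
         'duplicate_attributes' => $t_user->getPreference($vs_table_name . '_duplicate_attributes'),
         'duplicate_relationships' => $t_user->getPreference($vs_table_name . '_duplicate_relationships'),
         'duplicate_media' => $t_user->getPreference($vs_table_name . '_duplicate_media'),
         'duplicate_subitems' => $t_user->getPreference($vs_table_name . '_duplicate_subitems'),
     );
     $va_dupes = array();
     foreach (array_keys($this->getItemRowIDs()) as $vn_row_id) {
         /** @var BundlableLabelableBaseModelWithAttributes $t_instance */
         $t_instance = $this->getAppDatamodel()->getInstance($vn_table_num);
         if (!$t_instance->load($vn_row_id)) {
             continue;   // row no longer exists
         }
         // let's dupe
         $t_dupe = $t_instance->duplicate($va_dupe_options);
         if ($t_dupe instanceof BaseModel) {
             $va_dupes[] = $t_dupe->getPrimaryKey();
         }
     }
     $t_set_to_add_dupes_to->addItems($va_dupes);
     return $t_set_to_add_dupes_to;
 }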