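 /**
  * Move this object under $pid, or over $targetId (overwrite).
  *
  * Same principle as copy: when $targetId is given, that node is marked
  * as overwritten (dstatus = 3, did = current user), this object is
  * re-parented to the target's parent, and the target's active children
  * (dstatus = 0) are re-parented to this object.
  *
  * Authorization: a move rewrites this object's own row (its pid), so
  * read AND write access on the moved object are required, plus write
  * access on the destination ($targetId when overwriting, else $pid).
  * NOTE(review): nothing here prevents moving an object into its own
  * subtree; confirm the caller guards against tree cycles.
  *
  * @param  int|false $pid      destination parent; when $targetId exists
  *                             it is replaced by the target's pid
  * @param  int|false $targetId node to overwrite with this object
  * @return int|false id of the moved object, or false on invalid input,
  *                   denied access or an unresolvable destination
  */
 public function moveTo($pid = false, $targetId = false)
 {
     // need our own id and at least one destination
     if (!is_numeric($this->id) || (!is_numeric($pid) && !is_numeric($targetId))) {
         return false;
     }
     // overwriting ourselves would mark this very object as deleted (dstatus = 3)
     if (is_numeric($targetId) && (int) $targetId === (int) $this->id) {
         return false;
     }
     /* security check on the source: the move changes its pid, so read
        access alone is not sufficient */
     if (!\CB\Security::canRead($this->id) || !\CB\Security::canWrite($this->id)) {
         return false;
     }
     /* end of security check */
     // snapshot of the db state, passed to the log and to event listeners
     $this->oldObject = clone $this;
     $this->oldObject->load($this->id);
     if (is_numeric($targetId)) {
         /* target security check */
         if (!\CB\Security::canWrite($targetId)) {
             return false;
         }
         /* end of target security check */
         // resolve the destination from the target BEFORE modifying it, so
         // an unresolvable pid (missing target, or a target whose pid is
         // NULL) fails the move without leaving the target soft-deleted
         $targetFound = false;
         $res = DB\dbQuery('SELECT pid FROM tree WHERE id = $1', $targetId) or die(DB\dbQueryError());
         if ($r = $res->fetch_assoc()) {
             $pid = $r['pid'];
             $targetFound = true;
         }
         $res->close();
         if (!is_numeric($pid)) {
             return false;
         }
         // no such target: this degenerates into a plain move to the
         // caller's $pid, so apply the plain-move destination check
         if (!$targetFound && !\CB\Security::canWrite($pid)) {
             return false;
         }
         // mark the overwritten object with dstatus = 3
         DB\dbQuery('UPDATE tree
             SET updated = 1
                 ,dstatus = 3
                 ,did = $2
             WHERE id = $1', array($targetId, $_SESSION['user']['id'])) or die(DB\dbQueryError());
     } else {
         /* pid security check */
         if (!\CB\Security::canWrite($pid)) {
             return false;
         }
         /* end of pid security check */
     }
     // move the object under $pid
     DB\dbQuery('UPDATE tree
         SET updated = 1
             ,pid = $2
         WHERE id = $1', array($this->id, $pid)) or die(DB\dbQueryError());
     $this->moveCustomDataTo($pid);
     // re-parent the active children of the overwritten target (now
     // dstatus = 3) to this object
     if (is_numeric($targetId)) {
         DB\dbQuery('UPDATE tree
             SET updated = 1
                 ,pid = $2
             WHERE pid = $1 AND
                 dstatus = 0', array($targetId, $this->id)) or die(DB\dbQueryError());
     }
     $this->load();
     $this->logAction('move', array('old' => $this->oldObject));
     return $this->id;
 }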
 /**
  * Grant the system group "everyone" full control on the root node (id 1).
  *
  * There is no authorization check in this method: it is a privileged
  * operation and must only be reachable from trusted code paths.
  * NOTE(review): confirm its callers are install/admin-only.
  *
  * @return int object id, as returned by updateNodeAccess()
  */
 public function addAllowSecurityRule()
 {
     $securityApi = new \CB\Api\Security();
     $everyoneGroupId = \CB\Security::getSystemGroupId('everyone');
     $ruleParams = array(
         'node_id'       => 1,
         'user_group_id' => $everyoneGroupId,
         'allow'         => 'full_control',
     );
     return $securityApi->updateNodeAccess($ruleParams);
 }
 /**
  * Build the Solr filter clause restricting results to the caller's
  * security sets.
  *
  * Returns an empty string (no filtering) for admins and whenever
  * $p['skipSecurity'] is non-empty; the latter is meant for Objects
  * fields that list all nodes without permission filtering.
  * NOTE(review): make sure 'skipSecurity' can never be set from request
  * input — an unfiltered query would disclose every node to the caller.
  *
  * @param  array  &$p request params (reads pid, pids, skipSecurity)
  * @return string Solr filter fragment, '' when no filtering applies
  */
 protected function getSecuritySetsParam(&$p)
 {
     if (Security::isAdmin() || !empty($p['skipSecurity'])) {
         return '';
     }
     // 'pid' wins over 'pids'; neither given -> false
     $parentIds = false;
     if (!empty($p['pid'])) {
         $parentIds = $p['pid'];
     } elseif (!empty($p['pids'])) {
         $parentIds = $p['pids'];
     }
     $securitySets = Security::getSecuritySets(false, 5, $parentIds);
     if (empty($securitySets)) {
         // users without any group / security set: only nodes that carry
         // no security set at all are visible
         return '!security_set_id:[* TO *]';
     }
     // nodes in one of the caller's sets, or owned by the caller
     return sprintf(
         'security_set_id:(%s) OR oid:%s',
         implode(' OR ', $securitySets),
         User::getId()
     );
 }
 /**
  * Compute the action flags (edit / close / reopen / complete) a user has
  * on this task.
  *
  * - edit, close: task is open and the user is admin or owner
  * - reopen: task is closed and the user is the owner
  *   (NOTE(review): admins are not granted reopen here, unlike edit/close
  *   — confirm that is intended)
  * - complete: task is open and the user's status is "ongoing"
  *
  * @param  int|false $userId defaults to the session user
  * @return array flag name => bool
  */
 public function getActionFlags($userId = false)
 {
     $d =& $this->data;
     if ($userId === false) {
         $userId = $_SESSION['user']['id'];
     }
     $admin = \CB\Security::isAdmin($userId);
     $owner = $this->isOwner($userId);
     $closed = $this->isClosed();
     $editable = !$closed && ($admin || $owner);
     return array(
         'edit'     => $editable,
         'close'    => $editable,
         'reopen'   => $closed && $owner,
         // getUserStatus() is only consulted for open tasks
         'complete' => !$closed && $this->getUserStatus($userId) == static::$USERSTATUS_ONGOING,
     );
 }
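 /**
  * Check whether a user may manage (update) a task.
  *
  * A user can manage a task if they are an administrator, the creator of
  * the task (cid), or one of its responsible users (ongoing or done).
  * Ids are normalised to int before comparison so that db/request values
  * arriving as numeric strings still match, while a missing cid or a
  * missing responsible-user list no longer raises notices or matches
  * spuriously.
  *
  * @param  int       $taskId id of the task to check
  * @param  int|false $userId id of the user; defaults to the current user
  * @return bool true when the user can manage the task
  */
 public static function canManageTask($taskId, $userId = false)
 {
     if (empty($userId)) {
         $userId = User::getId();
     }
     $task = Objects::getCachedObject($taskId);
     $data = $task->getData();
     $userId = (int) $userId;
     // responsible-user lists may be absent from sys_data
     $sysData = empty($data['sys_data']) ? array() : $data['sys_data'];
     $ongoing = empty($sysData['task_u_ongoing']) ? array() : (array) $sysData['task_u_ongoing'];
     $done = empty($sysData['task_u_done']) ? array() : (array) $sysData['task_u_done'];
     // a missing cid must not match a missing/zero user id
     $creatorId = isset($data['cid']) ? (int) $data['cid'] : 0;
     $isCreator = $creatorId > 0 && $creatorId === $userId;
     $isResponsible = in_array($userId, array_map('intval', $ongoing), true)
         || in_array($userId, array_map('intval', $done), true);
     if ($isCreator || $isResponsible) {
         return true;
     }
     // admin check only when the cheaper checks did not grant access
     return Security::isAdmin($userId);
 }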
 /**
  * Delete every stored session of the given user, forcing a re-login.
  *
  * Only allowed when the caller may edit that user.
  *
  * @param  int  $userId
  * @return bool false when access is denied, true once the rows are gone
  */
 public static function clearUserSessions($userId)
 {
     $mayEdit = Security::canEditUser($userId);
     if (!$mayEdit) {
         return false;
     }
     // parameterised delete: $userId is bound, never interpolated
     $sql = 'DELETE FROM sessions WHERE user_id = $1';
     DB\dbQuery($sql, $userId) or die(DB\dbQueryError());
     return true;
 }
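 /**
  * Update the date and title of a file record.
  *
  * Requires write access on the file. The title has HTML tags stripped on
  * input; strip_tags() is not an output encoder, so the title must still
  * be escaped where it is rendered. Missing 'title'/'date' keys are
  * treated as empty/null instead of raising undefined-index notices.
  *
  * @param  array $p input params: id (required, numeric), date (ISO), title
  * @return array success flag, plus an error message on failure
  */
 public function updateFileProperties($p)
 {
     // id identifies the row to update: must be present and numeric
     if (empty($p['id']) || !is_numeric($p['id'])) {
         return array('success' => false, 'msg' => L\get('Wrong_input_data'));
     }
     if (!Security::canWrite($p['id'])) {
         return array('success' => false, 'msg' => L\get('Access_denied'));
     }
     $title = isset($p['title']) ? strip_tags($p['title']) : '';
     $p['title'] = $title;
     $date = Util\dateISOToMysql(isset($p['date']) ? $p['date'] : null);
     DB\dbQuery('UPDATE files
         SET `date` = $2
         ,title = $3
         ,uid = $4
         ,udate = CURRENT_TIMESTAMP
         WHERE id = $1', array($p['id'], $date, $title, $_SESSION['user']['id'])) or die(DB\dbQueryError());
     Objects::updateCaseUpdateInfo($p['id']);
     return array('success' => true);
 }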
 /**
  * Rename a user group.
  *
  * The caller must be verified, the new title must be a non-empty human
  * name after purification, and the caller must be allowed to edit the
  * group (Security::canEditUser on the extracted id). Only rows with
  * type = 1 are touched.
  *
  * @param  array $p input params: id, title
  * @return array success flag (plus 'verify' => true when not verified)
  * @throws \Exception on an empty title or denied access
  */
 public function renameGroup($p)
 {
     if (!User::isVerified()) {
         return array('success' => false, 'verify' => true);
     }
     $newTitle = Purify::humanName($p['title']);
     if (empty($newTitle)) {
         throw new \Exception(L\get('Wrong_input_data'));
     }
     $groupId = $this->extractId($p['id']);
     if (!Security::canEditUser($groupId)) {
         throw new \Exception(L\get('Access_denied'));
     }
     $sql = 'UPDATE users_groups
         SET name = $2, uid = $3
         WHERE id = $1 AND type = 1';
     $params = array($groupId, $newTitle, $_SESSION['user']['id']);
     DB\dbQuery($sql, $params) or die(DB\dbQueryError());
     return array('success' => true, 'title' => $newTitle);
 }
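 /**
  * Remove a user's photo: delete the file below photos_path and clear the
  * photo column.
  *
  * The file name comes from the users table; the unlink is only performed
  * when the resolved path really lies inside photos_path, so a tampered
  * value (e.g. containing "../") cannot delete anything else.
  *
  * @param  object $p json decoded object; reads $p['id']
  * @return array  json response
  * @throws \Exception when the caller may not edit that user
  */
 public function removePhoto($p)
 {
     if (!$this->isVerified()) {
         return array('success' => false, 'verify' => true);
     }
     if (!is_numeric($p['id'])) {
         return array('success' => false, 'msg' => L\get('Wrong_id'));
     }
     if (!Security::canEditUser($p['id'])) {
         throw new \Exception(L\get('Access_denied'));
     }
     /* delete photo file */
     $r = DM\Users::read($p['id']);
     if (!empty($r['photo'])) {
         $photosPath = Config::get('photos_path');
         $photosDir = realpath($photosPath);
         $photoFile = realpath($photosPath . $r['photo']);
         // realpath() returns false for a missing file, in which case there
         // is nothing to delete; otherwise require containment in photos_path
         if ($photosDir !== false && $photoFile !== false
             && strpos($photoFile, rtrim($photosDir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) === 0
         ) {
             @unlink($photoFile);
         }
     }
     /* end delete photo file */
     // clear the db column regardless of whether a file existed
     DM\Users::update(array('id' => $p['id'], 'photo' => null));
     return array('success' => true);
 }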
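 /**
  * Change the status of a task (activate or close).
  *
  * Only the task owner or an administrator may change the status; any
  * other caller gets a 'No_access_for_this_action' response. An unknown
  * status value is rejected with success => false and nothing is changed.
  *
  * @param  int   $id     task id
  * @param  int   $status Objects\Task::$STATUS_ACTIVE or $STATUS_CLOSED
  *                       (compared loosely by switch, so "1" matches 1)
  * @return array json response
  */
 protected function changeStatus($id, $status)
 {
     $task = Objects::getCachedObject($id);
     // isOwner() is called without a user id — presumably it checks the
     // session user (TODO confirm against Objects)
     if (!$task->isOwner() && !Security::isAdmin()) {
         return array('success' => false, 'msg' => L\get('No_access_for_this_action'));
     }
     switch ($status) {
         case Objects\Task::$STATUS_ACTIVE:
             $task->setActive();
             break;
         case Objects\Task::$STATUS_CLOSED:
             $task->setClosed();
             break;
         default:
             // unknown status: nothing changed, so afterUpdate() is skipped
             return array('success' => false, 'id' => $id);
     }
     $this->afterUpdate($id);
     return array('success' => true, 'id' => $id);
 }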
 /**
  * Decide whether this class serves the given path and request params.
  *
  * Admin-only: the parent's routing decision is combined with
  * Security::isAdmin(), so non-admin callers never reach this class
  * regardless of the path. The admin check runs only when the parent
  * accepts the path (short-circuit preserved).
  *
  * @param  array &$pathArray
  * @param  array &$requestParams
  * @return bool
  */
 protected function acceptedPath(&$pathArray, &$requestParams)
 {
     if (!parent::acceptedPath($pathArray, $requestParams)) {
         return false;
     }
     return (bool) Security::isAdmin();
 }
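 /**
  * Take ownership of the given objects for the current session user.
  *
  * Every id must pass Security::canTakeOwnership() before any row is
  * changed; a single denied id aborts the whole request. System objects
  * (`system` <> 0) are silently left untouched by the WHERE clause even
  * though they are still echoed back in 'data'.
  *
  * @param  mixed $ids id list (anything Util\toNumericArray accepts)
  * @return array success flag and the requested ids
  * @throws \Exception when ownership cannot be taken on one of the ids
  */
 public function takeOwnership($ids)
 {
     $ids = Util\toNumericArray($ids);
     $rez = array('success' => true, 'data' => $ids);
     if (empty($ids)) {
         return $rez;
     }
     // authorization for every id, before touching any row
     foreach ($ids as $id) {
         if (!Security::canTakeOwnership($id)) {
             throw new \Exception(L\get('Access_denied'));
         }
     }
     // the id list is spliced into the SQL text (no placeholder for IN),
     // so force every element to an integer regardless of what
     // toNumericArray returned
     $idList = implode(',', array_map('intval', $ids));
     DB\dbQuery('UPDATE tree
         SET oid = $1
             ,uid = $1
         WHERE id IN (' . $idList . ')
             AND `system` = 0', $_SESSION['user']['id']) or die(DB\dbQueryError());
     //TODO: view if needed to mark all childs as updated, for security to be changed ....
     Solr\Client::runCron();
     return $rez;
 }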
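 /**
  * Move this object under $pid, or over $targetId (overwrite).
  *
  * Same principle as copy: when $targetId is given, that node is marked
  * as overwritten (dstatus = 3, did = current user), this object is
  * re-parented to the target's parent, and the target's active children
  * are re-parented to this object via DM\Tree::moveActiveChildren().
  *
  * Authorization: a move rewrites this object's own row (its pid), so
  * read AND write access on the moved object are required, plus write
  * access on the destination ($targetId when overwriting, else $pid).
  * NOTE(review): nothing here prevents moving an object into its own
  * subtree; confirm the caller guards against tree cycles.
  *
  * @param  int|false $pid      destination parent; when $targetId exists
  *                             it is replaced by the target's pid
  * @param  int|false $targetId node to overwrite with this object
  * @return int|false id of the moved object, or false on invalid input,
  *                   denied access or an unresolvable destination
  */
 public function moveTo($pid = false, $targetId = false)
 {
     // need our own id and at least one destination
     if (!is_numeric($this->id) || (!is_numeric($pid) && !is_numeric($targetId))) {
         return false;
     }
     // overwriting ourselves would mark this very object as deleted (dstatus = 3)
     if (is_numeric($targetId) && (int) $targetId === (int) $this->id) {
         return false;
     }
     /* security check on the source: the move changes its pid, so read
        access alone is not sufficient */
     if (!\CB\Security::canRead($this->id) || !\CB\Security::canWrite($this->id)) {
         return false;
     }
     /* end of security check */
     // snapshot of the db state, passed to the log and to event listeners
     $this->oldObject = clone $this;
     $this->oldObject->load($this->id);
     if (is_numeric($targetId)) {
         /* target security check */
         if (!\CB\Security::canWrite($targetId)) {
             return false;
         }
         /* end of target security check */
         // resolve the destination from the target BEFORE modifying it, so
         // an unresolvable pid (missing target, or a target whose pid is
         // NULL) fails the move without leaving the target soft-deleted
         $r = DM\Tree::read($targetId);
         $targetFound = !empty($r);
         if ($targetFound) {
             $pid = $r['pid'];
         }
         if (!is_numeric($pid)) {
             return false;
         }
         // no such target: this degenerates into a plain move to the
         // caller's $pid, so apply the plain-move destination check
         if (!$targetFound && !\CB\Security::canWrite($pid)) {
             return false;
         }
         // mark the overwritten object with dstatus = 3
         DM\Tree::update(array('id' => $targetId, 'updated' => 1, 'dstatus' => 3, 'did' => User::getId()));
     } else {
         /* pid security check */
         if (!\CB\Security::canWrite($pid)) {
             return false;
         }
         /* end of pid security check */
     }
     // move the object under $pid
     DM\Tree::update(array('id' => $this->id, 'pid' => $pid, 'updated' => 1));
     $this->moveCustomDataTo($pid);
     // re-parent the active children of the overwritten target (now
     // dstatus = 3) to this object
     if (is_numeric($targetId)) {
         DM\Tree::moveActiveChildren($targetId, $this->id);
     }
     $this->load();
     $this->logAction('move', array('old' => $this->oldObject));
     return $this->id;
 }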
 /**
  * Handle a file upload (single, multiple or archive) into folder $p['pid'],
  * or update file properties only when no files were uploaded.
  *
  * Order of operations as written: cleanup of a previous unfinished upload,
  * pid resolution, filename purification, upload-error check, then the
  * uploaded files are moved to the incoming dir (or extracted), and only
  * after that the write permission on the target is verified.
  * NOTE(review): because Security::canWrite() runs after
  * moveUploadedFilesToIncomming()/extractUploadedArchive(), a caller without
  * write access still gets its upload stored (and archives extracted) on the
  * server before being refused — consider checking canWrite($p['pid']) right
  * after Objects::idExists().
  * NOTE(review): in the "files already exist" branch only the first existing
  * file's write permission is checked here; whether the remaining ones are
  * checked later (storeFiles/confirmUploadRequest) is not visible in this file.
  *
  * @param  array $p input params: pid, uploadType, response, ...
  * @return array json response
  */
 public function saveFile($p)
 {
     $incommingFilesDir = Config::get('incomming_files_dir');
     $files = new Files();
     /* clean previous unhandled uploads of this session, if any */
     $a = $files->getUploadParams();
     if ($a !== false && !empty($a['files'])) {
         @unlink($incommingFilesDir . $_SESSION['key']);
         $files->removeIncomingFiles($a['files']);
     }
     /* end of clean previous unhandled uploads if any */
     $F =& $_FILES;
     if (empty($p['pid'])) {
         return array('success' => false, 'msg' => L\get('Error_uploading_file'));
     }
     // pid may be a path/alias; resolve it to the real target id
     $p['pid'] = Path::detectRealTargetId($p['pid']);
     if (empty($F)) {
         //update only file properties (no files were uploaded)
         return $files->updateFileProperties($p);
     } else {
         // sanitise the client-supplied file names before any use
         foreach ($F as $k => $v) {
             $F[$k]['name'] = Purify::filename(@$F[$k]['name']);
             $v = $v;
             // dummy self-assignment kept only to silence a codacy warning
         }
     }
     if (!Objects::idExists($p['pid'])) {
         return array('success' => false, 'msg' => L\get('TargetFolderDoesNotExist'));
     }
     /* checking that there is no upload error (for any type of upload: single, multiple, archive) */
     foreach ($F as $f) {
         if (!in_array($f['error'], array(UPLOAD_ERR_OK, UPLOAD_ERR_NO_FILE))) {
             return array('success' => false, 'msg' => L\get('Error_uploading_file') . ': ' . $f['error']);
         }
     }
     /* retrieving files list */
     switch (@$p['uploadType']) {
         case 'archive':
             // NOTE(review): archives come from the client; confirm that
             // extractUploadedArchive() rejects entries escaping its
             // extraction dir — not verifiable from this file
             $archiveFiles = array();
             foreach ($F as $fk => $f) {
                 $files->extractUploadedArchive($F[$fk]);
                 $archiveFiles = array_merge($archiveFiles, $F[$fk]);
             }
             $F = $archiveFiles;
             break;
         default:
             // files land in the incoming dir before any permission check
             $files->moveUploadedFilesToIncomming($F) or die('cannot move file to incomming dir');
             break;
     }
     $p['existentFilenames'] = $files->getExistentFilenames($F, $p['pid']);
     $p['files'] =& $F;
     if (!empty($p['existentFilenames'])) {
         //check if can write target file (only the first existing file is checked here)
         if (!Security::canWrite($p['existentFilenames'][0]['existentFileId'])) {
             return array('success' => false, 'msg' => L\get('Access_denied'));
         }
         // store current state serialized in a local file in incomming folder
         $files->saveUploadParams($p);
         if (!empty($p['response'])) {
             //it is supposed to work only for single files upload
             return $this->confirmUploadRequest($p);
         }
         // new version is offered when any existing file allows versioning (MFVC > 0)
         $allow_new_version = false;
         foreach ($p['existentFilenames'] as $f) {
             $mfvc = Files::getMFVC($f['name']);
             if ($mfvc > 0) {
                 $allow_new_version = true;
             }
         }
         $rez = array('success' => false, 'type' => 'filesexist', 'allow_new_version' => $allow_new_version, 'count' => sizeof($p['existentFilenames']));
         if ($rez['count'] == 1) {
             $rez['msg'] = empty($p['existentFilenames'][0]['msg']) ? str_replace('(unknown)', '"' . $p['existentFilenames'][0]['name'] . '"', L\get('FilenameExistsInTarget')) : $p['existentFilenames'][0]['msg'];
             //$rez['filename'] = $p['existentFilenames'][0]['name'];
             $rez['suggestedFilename'] = $p['existentFilenames'][0]['suggestedFilename'];
         } else {
             $rez['msg'] = L\get('SomeFilenamesExistsInTarget');
         }
         return $rez;
     } else {
         //check if can write in target folder
         if (!Security::canWrite($p['pid'])) {
             return array('success' => false, 'msg' => L\get('Access_denied'));
         }
     }
     // everything is ok: store the files
     $files->storeFiles($p);
     Solr\Client::runCron();
     $rez = array('success' => true, 'data' => array('pid' => $p['pid']));
     $files->attachPostUploadInfo($F, $rez);
     return $rez;
 }
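 /**
  * Update the date and title of a file record.
  *
  * Requires write access on the file. The title has HTML tags stripped on
  * input; strip_tags() is not an output encoder, so the title must still
  * be escaped where it is rendered. Missing 'title'/'date' keys are
  * treated as empty/null instead of raising undefined-index notices.
  *
  * @param  array $p input params: id (required, numeric), date (ISO), title
  * @return array success flag, plus an error message on failure
  */
 public function updateFileProperties($p)
 {
     // id identifies the row to update: must be present and numeric
     if (empty($p['id']) || !is_numeric($p['id'])) {
         return array('success' => false, 'msg' => L\get('Wrong_input_data'));
     }
     if (!Security::canWrite($p['id'])) {
         return array('success' => false, 'msg' => L\get('Access_denied'));
     }
     $title = isset($p['title']) ? strip_tags($p['title']) : '';
     $p['title'] = $title;
     $date = Util\dateISOToMysql(isset($p['date']) ? $p['date'] : null);
     // NOTE(review): 'udate' is passed as the literal string
     // 'CURRENT_TIMESTAMP'; whether DM\Files::update() maps it to the SQL
     // function or stores the string is not visible here — confirm
     DM\Files::update(array(
         'id'    => $p['id'],
         'date'  => $date,
         'title' => $title,
         'uid'   => User::getId(),
         'udate' => 'CURRENT_TIMESTAMP',
     ));
     Objects::updateCaseUpdateInfo($p['id']);
     return array('success' => true);
 }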
 /**
  * Add a comment to an object.
  *
  * Read access on the parent object is sufficient to comment. The raw
  * message is stored as the comment's _title without sanitising, so it
  * must be escaped when rendered. Note that empty() rejects a message of
  * "0".
  *
  * @param  array $p input params: id (numeric object id), msg, optional draftId
  * @return array json response carrying the loaded comment on success
  * @throws \Exception when the caller cannot read the object
  */
 public function addComment($p)
 {
     $badInput = empty($p['id']) || !is_numeric($p['id']) || empty($p['msg']);
     if ($badInput) {
         return array('success' => false, 'msg' => L\get('Wrong_input_data'));
     }
     if (!Security::canRead($p['id'])) {
         throw new \Exception(L\get('Access_denied'));
     }
     $templateIds = Templates::getIdsByType('comment');
     if (empty($templateIds)) {
         return array('success' => false, 'msg' => 'No comment templates found');
     }
     $comment = new Objects\Comment();
     $commentData = array(
         'pid'         => $p['id'],
         'draftId'     => @$p['draftId'],
         'template_id' => array_shift($templateIds),
         'system'      => 2,
         'data'        => array('_title' => $p['msg']),
     );
     $commentId = $comment->create($commentData);
     Solr\Client::runCron();
     return array(
         'success' => true,
         'data'    => \CB\Objects\Plugins\Comments::loadComment($commentId),
     );
 }
 /**
  * Create shortcut objects in $p['targetId'], one per id in $p['sourceIds'].
  *
  * Authorization: read access on every source id and write access on the
  * target folder; the first failing check aborts before anything is
  * created.
  *
  * @param  object $p input params: sourceIds, targetId
  * @return array  json response listing the created shortcut ids
  */
 public function shortcut($p)
 {
     if (!$this->validateParams($p)) {
         return array('success' => false, 'msg' => L\get('ErroneousInputData'));
     }
     /* security checks: every source readable, target writable */
     foreach ($p['sourceIds'] as $sourceId) {
         if (\CB\Security::canRead($sourceId)) {
             continue;
         }
         return array('success' => false, 'msg' => L\get('Access_denied'));
     }
     if (!\CB\Security::canWrite($p['targetId'])) {
         return array('success' => false, 'msg' => L\get('Access_denied'));
     }
     $createdIds = array();
     $shortcut = new Objects\Shortcut();
     foreach ($p['sourceIds'] as $sourceId) {
         $createdIds[] = $shortcut->create(array(
             'id'        => null,
             'pid'       => $p['targetId'],
             'target_id' => $sourceId,
         ));
     }
     Solr\Client::runCron();
     return array(
         'success'      => true,
         'targetId'     => $p['targetId'],
         'processedIds' => $createdIds,
     );
 }
 /**
  * Delete every stored session of the given user, forcing a re-login.
  *
  * Only allowed when the caller may edit that user.
  *
  * @param  int  $userId
  * @return bool false when access is denied, true once the sessions are gone
  */
 public static function clearUserSessions($userId)
 {
     $mayEdit = Security::canEditUser($userId);
     if (!$mayEdit) {
         return false;
     }
     DM\Sessions::deleteByUserId($userId);
     return true;
 }