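/**
 * Internal worker that executes a copy or move action inside one DB transaction.
 *
 * The requested ids are first reduced to the nodes that are not deleted
 * (dstatus = 0) and, for non-admin users, whose security set is among the
 * sets returned by Security::getSecuritySets() for the given action.
 * Only that reduced list is handed to doRecursiveAction().
 *
 * @param string $action    'copy' or 'move'
 * @param array  $objectIds ids to be copied or moved
 * @param int    $targetId
 * @return array processed ids
 * @throws \Exception when none of the requested ids is accessible
 */
private function doAction($action, $objectIds, $targetId)
{
    $rez = array();

    // The ids end up concatenated into SQL text, so keep only values that
    // validate as integers; anything else is dropped, never interpolated.
    $requestedIds = array();
    foreach ((array) $objectIds as $id) {
        $id = filter_var($id, FILTER_VALIDATE_INT);
        if ($id !== false) {
            $requestedIds[] = $id;
        }
    }

    // all the copy process will be made in a single transaction
    DB\startTransaction();

    // get the security sets to which this user has
    // read access for copy or the access required for move
    $this->securitySetsFilter = '';
    if (!Security::isAdmin()) {
        $ss = array();
        switch ($action) {
            case 'copy':
                $ss = \CB\Security::getSecuritySets();
                break;
            case 'move':
                // a move does not actually delete the object, it only relocates it,
                // so a dedicated access check is requested here
                // NOTE(review): the meaning of the literal 5 is defined by
                // getSecuritySets(), which is not visible here - confirm
                $ss = \CB\Security::getSecuritySets(false, 5);
                break;
        }

        // The previous code prefixed the list with "0" without a comma
        // ("(0" . "1,2" => "(01,2)"), which only worked because the leading
        // zero is numerically ignored. Build the list explicitly instead:
        // integer ids only, and 0 as the placeholder when there are no sets,
        // so that an unknown action or an empty result matches nothing.
        $setIds = array_map('intval', (array) $ss);
        if (empty($setIds)) {
            $setIds = array(0);
        }
        $this->securitySetsFilter = 'AND ti.security_set_id in (' . implode(',', $setIds) . ')';
    }

    /* select only the objects that the current user is allowed to process */
    $accessibleIds = array();
    if (!empty($requestedIds)) {
        // skipping the query for an empty list avoids an invalid "in ()" clause
        $res = DB\dbQuery(
            'SELECT t.id FROM tree t JOIN tree_info ti ON t.id = ti.id ' .
            $this->securitySetsFilter .
            ' WHERE t.id in (' . implode(',', $requestedIds) . ') AND t.dstatus = 0'
        );
        while ($r = $res->fetch_assoc()) {
            $accessibleIds[] = $r['id'];
        }
        $res->close();
    }

    if (empty($accessibleIds)) {
        // NOTE(review): this throw (and any exception raised by
        // doRecursiveAction) leaves the method before commitTransaction();
        // confirm that the caller rolls the open transaction back.
        throw new \Exception(L\get('Access_denied'), 1);
    }

    $this->objectsClass = new \CB\Objects();
    $rez = $this->doRecursiveAction($action, $accessibleIds, $targetId);

    DB\commitTransaction();

    return $rez;
}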
/**
 * Build the security-set restriction that is added to the filters.
 *
 * Returns an empty string (no restriction) for administrators and when
 * $p['skipSecurity'] is set; the latter is used in Objects fields where
 * all nodes are shown without permission filtering.
 *
 * NOTE(review): the origin of $p is not visible here. If it can carry
 * client-supplied request parameters, 'skipSecurity' has to be stripped
 * before this call, otherwise the permission filter can be switched off
 * by the requester - confirm against the callers.
 *
 * @param array &$p parameters; reads 'skipSecurity', 'pid' and 'pids'
 * @return string filter expression, or '' when no restriction applies
 */
protected function getSecuritySetsParam(&$p)
{
    // admins and explicit skips get no restriction at all
    if (Security::isAdmin() || !empty($p['skipSecurity'])) {
        return '';
    }

    // 'pid' takes precedence over 'pids'; false when neither is given
    $parentIds = false;
    foreach (array('pid', 'pids') as $key) {
        if (!empty($p[$key])) {
            $parentIds = $p[$key];
            break;
        }
    }

    // NOTE(review): the meaning of the arguments (false, 5) is defined by
    // Security::getSecuritySets(), which is not visible here
    $setIds = Security::getSecuritySets(false, 5, $parentIds);

    if (empty($setIds)) {
        // for created users that do not belong to any group
        // and do not have any security sets associated
        return '!security_set_id:[* TO *]';
    }

    // nodes in one of the user's sets, or nodes matching oid:<current user id>
    return 'security_set_id:(' . implode(' OR ', $setIds) . ') OR oid:' . User::getId();
}