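/**
 * Handle the "update" action for folder permissions.
 *
 * Replaces the assignments on the folder's permission object with the ones
 * submitted in the request, records a folder transaction, rebuilds the
 * permission lookups for that permission object and redirects back to the
 * edit view. The method always ends the request with exit(0).
 *
 * Request input: 'foo', keyed by permission id. The disabled checks further
 * down read $aFoo[4]['group'] and $aFoo[4]['role'], so each entry is expected
 * to be an array of id lists keyed by 'group' / 'role'.
 *
 * NOTE(review): no anti-forgery token is validated in this method, and the
 * input is read from $_REQUEST, which also carries query-string values.
 * Confirm the dispatcher limits this action to authenticated POSTs that carry
 * a token before relying on it as the only gate for permission changes.
 */
function do_update() {
    $aOptions = array('redirect_to' => array('main', 'fFolderId=' . $this->oFolder->getId()));

    // Authorisation. In admin mode the per-folder permission check is skipped
    // entirely; otherwise the validator is asked to confirm that the user
    // holds $this->_sEditShowPermission on the folder.
    if (!KTBrowseUtil::inAdminMode($this->oUser, $this->oFolder)) {
        $this->oValidator->userHasPermissionOnItem($this->oUser, $this->_sEditShowPermission, $this->oFolder, $aOptions);
    }

    // 'foo' is request-controlled. A missing value is mapped to an empty
    // array, which is what the loop below already assumed through its
    // array() default (presumably the submission with nothing ticked).
    // Anything that is not an array of arrays is refused before a single
    // assignment is touched, so a malformed request cannot reach
    // setPermissionForId().
    $aFoo = isset($_REQUEST['foo']) ? $_REQUEST['foo'] : array();
    $bWellFormed = is_array($aFoo);
    if ($bWellFormed) {
        foreach ($aFoo as $mAllowed) {
            if (!is_array($mAllowed)) {
                $bWellFormed = false;
                break;
            }
        }
    }
    if (!$bWellFormed) {
        $this->addErrorMessage(_kt('Error updating permissions'));
        $this->redirectTo('edit', 'fFolderId=' . $this->oFolder->getId());
        exit(0);
    }

    $aPermissions = KTPermission::getList();

    // NOTE(review): the two safeguards below are disabled. While they stay
    // commented out, nothing in this method prevents a submission from
    // removing the Manage Security permission from group 1 (described below
    // as the admin group) or from the groups the submitting user belongs to.
    // Confirm that the removal was deliberate and that an equivalent check
    // exists elsewhere; the original text is kept for reference.
    /*
    --- This section has been commented out to remove these checks when permissions
    --- are updated.
    ---------------------------------------------------------------------------------

    //-------------------
    //This section is used to make sure that a user doesn't disable the admin groups
    //Manage security permission or the Manage Security permission of a group they
    //are currently a member of.

    // Check which groups have permission to manage security
    $aNewGroups = (isset($aFoo[4]['group']) ? $aFoo[4]['group'] : array());
    $aNewRoles = (isset($aFoo[4]['role']) ? $aFoo[4]['role'] : array());

    $iUserId = $this->oUser->getId();

    //Check that they aren't removing the sys admin Manage Security permission
    //1 in this case is the admin group.
    if(!in_array('1', $aNewGroups))
    {
        $this->addErrorMessage(_kt('You cannot remove the Manage Security permission from the System Administrators Group'));
        $this->redirectTo('edit', 'fFolderId=' . $this->oFolder->getId());
        exit(0);
    }

    //Check that they aren't removing the Manage Security permission from a group
    //They are a member of.
    if(!GroupUtil::checkUserInGroups($iUserId, array(1)))
    {
        //Ensure the user is not removing his/her own permission to update the folder permissions (manage security)
        if(!in_array(-3, $aNewRoles))
        {
            if(!GroupUtil::checkUserInGroups($iUserId, $aNewGroups))
            {
                // If user no longer has permission, return an error.
                $this->addErrorMessage(_kt('You cannot remove the Manage Security permission from a group you belong to.'));
                $this->redirectTo('edit', 'fFolderId=' . $this->oFolder->getId());
                exit(0);
            }
        }
    }
    //-----------------
    */

    require_once KT_LIB_DIR . '/documentmanagement/observers.inc.php';

    $oPO = KTPermissionObject::get($this->oFolder->getPermissionObjectId());

    // Every known permission is written, not only the submitted ones: a
    // permission id missing from the request is set to an empty list.
    foreach ($aPermissions as $oPermission) {
        $iPermId = $oPermission->getId();
        $aAllowed = KTUtil::arrayGet($aFoo, $iPermId, array());
        KTPermissionUtil::setPermissionForId($oPermission, $oPO, $aAllowed);
    }

    // Audit record for the change.
    // NOTE(review): the user id comes from $_SESSION['userID'] while the
    // authorisation check above uses $this->oUser; confirm the two always
    // refer to the same account.
    $oTransaction = KTFolderTransaction::createFromArray(array(
        'folderid' => $this->oFolder->getId(),
        'comment' => _kt('Updated permissions'),
        'transactionNS' => 'ktcore.transactions.permissions_change',
        'userid' => $_SESSION['userID'],
        'ip' => Session::getClientIP(),
    ));
    $aOptions = array(
        'defaultmessage' => _kt('Error updating permissions'),
        'redirect_to' => array('edit', sprintf('fFolderId=%d', $this->oFolder->getId())),
    );
    $this->oValidator->notErrorFalse($oTransaction, $aOptions);

    // "=& new" is a parse error from PHP 7 on; a plain assignment yields the
    // same object handle on PHP 5 and later.
    $po = new JavascriptObserver($this);
    $po->start();
    $oChannel =& KTPermissionChannel::getSingleton();
    $oChannel->addObserver($po);

    KTPermissionUtil::updatePermissionLookupForPO($oPO);

    $this->commitTransaction();

    $this->addInfoMessage(_kt('Permissions on folder updated'));

    // NOTE(review): $_SERVER['PHP_SELF'] includes any path info supplied in
    // the request URL. Confirm JavascriptObserver::redirect() encodes the
    // target for the context it writes it into, or build the URL from a
    // value the client cannot influence.
    $po->redirect(KTUtil::addQueryString($_SERVER['PHP_SELF'], 'action=edit&fFolderId=' . $this->oFolder->getId()));
    exit(0);
}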
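/**
 * Updates the permission lookup on one folder or document,
 * non-recursively.
 *
 * The effective "who is allowed" map is assembled per permission id from, in
 * this order: the assignments on the item's permission object (or the map
 * supplied by the caller), matching dynamic conditions (documents only), the
 * item's workflow state (documents only), and finally the expansion of roles
 * into users and groups. The map is then turned into permission descriptors
 * and a lookup, whose id is stored on the item.
 *
 * @param object     $oFolderOrDocument Folder, Document or KTDocumentCore.
 *                                      Anything else is ignored and the
 *                                      method returns without doing work.
 * @param array|null $aOptions          Optional keys: 'channel' (message
 *                                      channel), 'map_allowed' (precomputed
 *                                      permission id => allowed map) and
 *                                      'perm_lookup'. The last one is read
 *                                      but always recomputed, because the
 *                                      is_null() guard near the end is
 *                                      commented out.
 * @return void
 */
function updatePermissionLookup(&$oFolderOrDocument, $aOptions = null) {
    $is_a_folder = is_a($oFolderOrDocument, 'Folder');
    $is_a_document = is_a($oFolderOrDocument, 'Document') || is_a($oFolderOrDocument, 'KTDocumentCore');

    //ensure that the document shortcut is being updated.
    if ($is_a_document && $oFolderOrDocument->isSymbolicLink()) {
        $oFolderOrDocument->switchToRealCore();
    }

    $oChannel = null;
    $aMapPermAllowed = null;
    $oPermLookup = null;
    if (!is_null($aOptions)) {
        // Each key is optional; a missing key means "not supplied" rather
        // than an undefined-index notice.
        $oChannel = isset($aOptions['channel']) ? $aOptions['channel'] : null;
        $aMapPermAllowed = isset($aOptions['map_allowed']) ? $aOptions['map_allowed'] : null;
        $oPermLookup = isset($aOptions['perm_lookup']) ? $aOptions['perm_lookup'] : null;
    }

    if (!$is_a_folder && !$is_a_document) {
        return; // we occasionally get handed a PEAR::raiseError. Just ignore it.
    }

    if (is_null($oChannel)) {
        $oChannel =& KTPermissionChannel::getSingleton();
    }

    // Progress message for whoever observes the channel.
    // NOTE(review): the shortcut wording depends on isSymbolicLink() still
    // returning true after switchToRealCore() above; not verifiable here.
    if ($is_a_folder) {
        $msg = sprintf("Updating folder %s", join('/', $oFolderOrDocument->getPathArray()));
    } else {
        if (is_a($oFolderOrDocument, 'Document')) {
            //modify the message to reflect that a shortcut is being updated
            if ($oFolderOrDocument->isSymbolicLink()) {
                $msg = sprintf("Updating shortcut to %s", $oFolderOrDocument->getName());
            } else {
                $msg = sprintf("Updating document %s", $oFolderOrDocument->getName());
            }
        } else {
            $msg = sprintf("Updating document %d", $oFolderOrDocument->getId());
        }
    }
    $oChannel->sendMessage(new KTPermissionGenericMessage($msg));

    // An item without a permission object keeps whatever lookup it has.
    $iPermissionObjectId = $oFolderOrDocument->getPermissionObjectID();
    if (empty($iPermissionObjectId)) {
        return;
    }
    // NOTE(review): the results of KTPermissionObject::get(),
    // getByObjectMulti() and KTPermissionDescriptor::get() are used without
    // an error check, unlike the PEAR::isError() tests further down.
    $oPO = KTPermissionObject::get($iPermissionObjectId);

    // 1. Base map from the permission object, unless the caller supplied one.
    //    'user' starts empty; users only enter through role expansion below.
    if (is_null($aMapPermAllowed)) {
        $aPAs = KTPermissionAssignment::getByObjectMulti($oPO);
        $aMapPermAllowed = array();
        foreach ($aPAs as $oPA) {
            $oPD = KTPermissionDescriptor::get($oPA->getPermissionDescriptorID());
            $aGroupIDs = $oPD->getGroups();
            $aUserIDs = array();
            $aRoleIDs = $oPD->getRoles();
            $aAllowed = array('group' => $aGroupIDs, 'user' => $aUserIDs, 'role' => $aRoleIDs);
            $aMapPermAllowed[$oPA->getPermissionID()] = $aAllowed;
        }
    }

    // 2. Dynamic conditions (documents only): when a condition matches the
    //    document, its group is added to each permission it assigns. A
    //    lookup error is treated as "no dynamic conditions".
    if (!$is_a_folder) {
        $aDynamicConditions = KTPermissionDynamicCondition::getByPermissionObject($oPO);
        if (!PEAR::isError($aDynamicConditions)) {
            foreach ($aDynamicConditions as $oDynamicCondition) {
                $iConditionId = $oDynamicCondition->getConditionId();
                if (KTSearchUtil::testConditionOnDocument($iConditionId, $oFolderOrDocument)) {
                    $iGroupId = $oDynamicCondition->getGroupId();
                    $aPermissionIds = $oDynamicCondition->getAssignment();
                    foreach ($aPermissionIds as $iPermissionId) {
                        $aCurrentAllowed = KTUtil::arrayGet($aMapPermAllowed, $iPermissionId, array());
                        $aCurrentAllowed['group'][] = $iGroupId;
                        $aMapPermAllowed[$iPermissionId] = $aCurrentAllowed;
                    }
                }
            }
        }
    }

    // 3. Workflow state (documents only): an assignment for a permission
    //    REPLACES the whole entry built so far for that permission, including
    //    any groups added by dynamic conditions in step 2.
    if (!$is_a_folder) {
        $oState = KTWorkflowUtil::getWorkflowStateForDocument($oFolderOrDocument);
        if (!(PEAR::isError($oState) || is_null($oState) || $oState == false)) {
            $aWorkflowStatePermissionAssignments = KTWorkflowStatePermissionAssignment::getByState($oState);
            foreach ($aWorkflowStatePermissionAssignments as $oAssignment) {
                $iPermissionId = $oAssignment->getPermissionId();
                $iPermissionDescriptorId = $oAssignment->getDescriptorId();

                $oPD = KTPermissionDescriptor::get($iPermissionDescriptorId);
                $aGroupIDs = $oPD->getGroups();
                $aUserIDs = array();
                $aRoleIDs = $oPD->getRoles();
                $aAllowed = array('group' => $aGroupIDs, 'user' => $aUserIDs, 'role' => $aRoleIDs);
                $aMapPermAllowed[$iPermissionId] = $aAllowed;
            }
        }
    }

    // if we have roles: nearest folder.
    $iRoleSourceFolder = null;
    if ($is_a_document) {
        $iRoleSourceFolder = $oFolderOrDocument->getFolderID();
    } else {
        $iRoleSourceFolder = $oFolderOrDocument->getId();
    }

    // 4. Role expansion. Each role id is resolved once per call and cached.
    // very minor perf win: map role_id (in context) to PD.
    $_roleCache = array();

    foreach ($aMapPermAllowed as $iPermissionId => $aAllowed) {
        $aAfterRoles = array();
        if (array_key_exists('role', $aAllowed)) {
            foreach ($aAllowed['role'] as $iRoleId) {
                // store the PD <-> RoleId map

                // special-case "all" or "authenticated": these ids are kept
                // as roles instead of being expanded.
                if ($iRoleId == -3 || $iRoleId == -4) {
                    $aAfterRoles[] = $iRoleId;
                    continue;
                }
                if (!array_key_exists($iRoleId, $_roleCache)) {
                    $oRoleAllocation = null;
                    if ($is_a_document) {
                        $oRoleAllocation =& DocumentRoleAllocation::getAllocationsForDocumentAndRole($oFolderOrDocument->getId(), $iRoleId);
                        // NOTE(review): a failed document-level lookup is
                        // treated like "no document-level allocation", so the
                        // folder allocation below is used instead. Confirm
                        // that falling back on error is acceptable.
                        if (PEAR::isError($oRoleAllocation)) {
                            $oRoleAllocation = null;
                        }
                    }
                    // if that's null - not set _on_ the document, then
                    // use the allocation of the role-source folder.
                    if (is_null($oRoleAllocation)) {
                        $oRoleAllocation =& RoleAllocation::getAllocationsForFolderAndRole($iRoleSourceFolder, $iRoleId);
                    }
                    $_roleCache[$iRoleId] = $oRoleAllocation;
                }
                // roles are _not_ always assigned (can be null at root)
                if (!is_null($_roleCache[$iRoleId])) {
                    $aMapPermAllowed[$iPermissionId]['user'] = kt_array_merge($aMapPermAllowed[$iPermissionId]['user'], $_roleCache[$iRoleId]->getUserIds());
                    $aMapPermAllowed[$iPermissionId]['group'] = kt_array_merge($aMapPermAllowed[$iPermissionId]['group'], $_roleCache[$iRoleId]->getGroupIds());
                    // naturally, roles cannot be assigned roles, or madness follows.
                }
                // The former unset($aAllowed['role'][$k]) only touched the
                // loop's private copy of the entry and was never read again.
            }
        }

        // Expanded roles are dropped from the stored map; only the special
        // ids collected above are written back.
        unset($aMapPermAllowed[$iPermissionId]['role']);
        if (!empty($aAfterRoles)) {
            $aMapPermAllowed[$iPermissionId]['role'] = $aAfterRoles;
        }
    }

    // Debug aid, kept disabled: it prints the complete allowed map into the
    // page output.
    /*
    print '<pre>';
    print '=======' . $oFolderOrDocument->getName();
    print '<br />';
    var_dump($aMapPermAllowed);
    print '</pre>';
    */

    // 5. Convert the map into descriptors and find or create the lookup.
    //if (is_null($oPermLookup)) {
    $aMapPermDesc = array();
    foreach ($aMapPermAllowed as $iPermissionId => $aAllowed) {
        $oLookupPD = KTPermissionUtil::getOrCreateDescriptor($aAllowed);
        $aMapPermDesc[$iPermissionId] = $oLookupPD->getID();
    }

    $oPermLookup = KTPermissionLookupAssignment::findOrCreateLookupByPermissionDescriptorMap($aMapPermDesc);
    //}

    $oFolderOrDocument->setPermissionLookupID($oPermLookup->getID());
    $oFolderOrDocument->update();
}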
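/**
 * Run the post-upgrade housekeeping and record the new version numbers.
 *
 * Steps, in order: delete the Smarty and proxy files, clear every cache,
 * rebuild all permission lookups while a KTRebuildPermissionObserver reports
 * progress, then store the product version read from docs/VERSION-NAME.txt
 * and the database version ($this->version) in system_settings.
 *
 * NOTE(review): this method performs no authorisation check of its own;
 * presumably the upgrade entry point that calls it restricts who may run it.
 *
 * @return mixed The result of the final DBUtil::runQuery() call, the one
 *               that stores databaseVersion.
 */
function _performUpgrade() {
    $this->_deleteSmartyFiles();
    $this->_deleteProxyFiles();

    require_once KT_LIB_DIR . '/cache/cache.inc.php';
    $oCache =& KTCache::getSingleton();
    $oCache->deleteAllCaches();

    require_once KT_LIB_DIR . '/permissions/permissionutil.inc.php';

    // "=& new" is a parse error from PHP 7 on; a plain assignment yields the
    // same object handle on PHP 5 and later.
    $po = new KTRebuildPermissionObserver($this);
    $po->start();
    $oChannel =& KTPermissionChannel::getSingleton();
    $oChannel->addObserver($po);

    // The rebuild is allowed to outlive both the execution time limit and a
    // dropped client connection, so it is not cut off part-way.
    set_time_limit(0);
    ignore_user_abort(true);

    KTPermissionUtil::rebuildPermissionLookups(true);
    $po->end();

    // Read the product version. If the file cannot be opened or read, the
    // stored knowledgetreeVersion is left as it is rather than overwritten
    // with an empty value; fopen() has already raised a warning by then.
    // The content is stored as read, including any trailing line break.
    $versionFile = KT_DIR . '/docs/VERSION-NAME.txt';
    $systemVersion = false;
    $fp = fopen($versionFile, 'rt');
    if ($fp !== false) {
        $systemVersion = stream_get_contents($fp);
        fclose($fp);
    }

    if ($systemVersion !== false) {
        $query = "UPDATE system_settings SET value = ? WHERE name = ?";
        $aParams = array($systemVersion, "knowledgetreeVersion");
        // NOTE(review): the result of this query is discarded, so a failure
        // here is not reported to the caller.
        DBUtil::runQuery(array($query, $aParams));
    }

    $query = "UPDATE system_settings SET value = ? WHERE name = ?";
    $aParams = array($this->version, "databaseVersion");
    return DBUtil::runQuery(array($query, $aParams));
}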