/**
 * Check whether an admin account may perform $action on $page_name.
 *
 * Resolution order: the level/role permission (checkLevelPermission) is
 * consulted first and is conclusive only when it returns exactly true;
 * otherwise the per-account permission table (Model_AccountPermission)
 * decides.
 *
 * When $account_id is empty under loose comparison (null, '', 0), the id is
 * read from the 'admin' account cookie, defaulting to '0' when that cookie
 * carries no account_id. NOTE(review): the answer then depends on the
 * integrity of that cookie — confirm getAccountCookie() validates it
 * (signed/encrypted) rather than trusting a client-supplied value.
 *
 * @param string  $page_name
 * @param string  $action
 * @param integer $account_id account to check; resolved from the cookie when empty
 * @return boolean
 */
public static function checkAdminPermission($page_name = '', $action = '', $account_id = '')
{
    if ($account_id == null) {
        // No explicit account: fall back to the admin cookie.
        $accounts_model = new \Model_Accounts();
        $cookie_data = $accounts_model->getAccountCookie('admin');
        $account_id = isset($cookie_data['account_id']) ? $cookie_data['account_id'] : '0';
        unset($cookie_data, $accounts_model);
    }

    // Level/role permission settles the question only on a strict true.
    if (static::checkLevelPermission($page_name, $action, $account_id) === true) {
        return true;
    }

    // Otherwise defer to the account-specific permission table.
    return \Model_AccountPermission::checkAccountPermission($page_name, $action, $account_id);
}
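/**
 * Save per-account permissions for one admin account (form POST handler).
 *
 * Flow: resolve the redirect target, require the 'acperm_perm' /
 * 'acperm_manage_user_perm' admin permission, resolve the target account id
 * (numeric route argument, else the 'admin' account cookie, else 0), validate
 * it with checkAccountData(), then on a CSRF-checked POST hand the posted
 * fields to Model_AccountPermission::savePermissions(). Every path ends in a
 * redirect carrying a 'form_status' flash message.
 *
 * Changes versus the previous revision: the permission denial returns after
 * the redirect so nothing below can run if the redirect ever returns, and
 * $data['account_id'] is pinned to the validated target id instead of being
 * taken from the POST body.
 *
 * @param string $account_id target account id from the route; non-numeric
 *                           values fall back to the admin cookie
 * @return void always redirects
 */
public function action_save($account_id = '')
{
    // Where to send the user afterwards, whatever the outcome.
    $redirect = $this->getAndSetSubmitRedirection();

    // Authorisation gate: only callers allowed to manage user permissions proceed.
    if (\Model_AccountLevelPermission::checkAdminPermission('acperm_perm', 'acperm_manage_user_perm') === false) {
        \Session::set_flash('form_status', array(
            'form_status' => 'error',
            'form_status_message' => \Lang::get('admin_permission_denied', array('page' => \Uri::string())),
        ));
        \Response::redirect($redirect);
        // Fail closed: Response::redirect is expected to end the request, but
        // if it ever returns, an unauthorised caller must not reach the save.
        return;
    }

    // Resolve the target account: numeric route argument, else admin cookie, else 0.
    if (!is_numeric($account_id)) {
        $cookie_account = \Model_Accounts::forge()->getAccountCookie('admin');
        $account_id = isset($cookie_account['account_id']) ? $cookie_account['account_id'] : 0;
        unset($cookie_account);
    }
    $output['account_id'] = $account_id;

    // checkAccountData() yields an object or array for a usable account; any
    // other value is treated as the error message to show the user.
    $account_check_result = $this->checkAccountData($account_id);
    $output['account_check_result'] = (is_object($account_check_result) || is_array($account_check_result))
        ? true
        : $account_check_result;
    unset($account_check_result);

    if ($output['account_check_result'] !== true) {
        // Target account failed validation; the check result doubles as the message.
        \Session::set_flash('form_status', array(
            'form_status' => 'error',
            'form_status_message' => $output['account_check_result'],
        ));
    } elseif (\Input::method() == 'POST') {
        if (\Extension\NoCsrf::check()) {
            // permission_core is normalised to a strict '0'/'1' flag.
            $data['permission_core'] = (int) trim(\Input::post('permission_core'));
            if ($data['permission_core'] != '1') {
                $data['permission_core'] = '0';
            }

            // A module name only applies to non-core permissions.
            $data['module_system_name'] = \Security::strip_tags(trim(\Input::post('module_system_name')));
            if ($data['module_system_name'] == null || $data['permission_core'] == '1') {
                $data['module_system_name'] = null;
            }

            // Pin the target to the account that was just validated so a crafted
            // POST body cannot retarget the write. (Whether savePermissions reads
            // this key is not visible here; the validated id is also passed as
            // its first argument.)
            $data['account_id'] = $account_id;

            // Passed through as posted; savePermissions is expected to validate
            // these — confirm it does, nothing here filters them.
            $data['permission_page'] = \Input::post('permission_page');
            $data['permission_action'] = \Input::post('permission_action');

            \Model_AccountPermission::savePermissions($account_id, $data);

            \Session::set_flash('form_status', array(
                'form_status' => 'success',
                'form_status_message' => \Lang::get('admin_saved'),
            ));
        } else {
            // CSRF token mismatch: nothing is saved.
            \Session::set_flash('form_status', array(
                'form_status' => 'error',
                'form_status_message' => \Lang::get('fslang_invalid_csrf_token'),
            ));
        }
    }

    // Go back to the submitting page in every case.
    \Response::redirect($redirect);
}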