/** * Displays a list of user groups. * * @param boolean $includeSuperAdmin true to include super admin groups, false to exclude them * * @return array An array containing a list of user groups. * * @since 11.4 */ public static function groups($includeSuperAdmin = false) { $db = Factory::getDbo(); $query = $db->getQuery(true); $query->select('a.id AS value, a.title AS text, COUNT(DISTINCT b.id) AS level'); $query->from($db->quoteName('#__usergroups') . ' AS a'); $query->join('LEFT', $db->quoteName('#__usergroups') . ' AS b ON a.lft > b.lft AND a.rgt < b.rgt'); $query->group('a.id, a.title, a.lft, a.rgt'); $query->order('a.lft ASC'); $db->setQuery($query); $options = $db->loadObjectList(); for ($i = 0, $n = count($options); $i < $n; $i++) { $options[$i]->text = str_repeat('- ', $options[$i]->level) . $options[$i]->text; $groups[] = Html::_('select.option', $options[$i]->value, $options[$i]->text); } // Exclude super admin groups if requested if (!$includeSuperAdmin) { $filteredGroups = array(); foreach ($groups as $group) { if (!AccessAccess::checkGroup($group->value, 'core.admin')) { $filteredGroups[] = $group; } } $groups = $filteredGroups; } return $groups; }
/** * Method to get the field input markup for Access Control Lists. * Optionally can be associated with a specific component and section. * * TODO: Add access check. * * @return string The field input markup. * * @since 11.1 */ protected function getInput() { Html::_('behavior.tooltip'); // Initialise some field attributes. $section = $this->element['section'] ? (string) $this->element['section'] : ''; $component = $this->element['component'] ? (string) $this->element['component'] : ''; $assetField = $this->element['asset_field'] ? (string) $this->element['asset_field'] : 'asset_id'; // Get the actions for the asset. $actions = Access::getActionsFromFile(JPATH_ADMINISTRATOR . '/components/' . $component . '/access.xml', "/access/section[@name='" . $section . "']/"); // Iterate over the children and add to the actions. foreach ($this->element->children() as $el) { if ($el->getName() == 'action') { $actions[] = (object) array('name' => (string) $el['name'], 'title' => (string) $el['title'], 'description' => (string) $el['description']); } } // Get the explicit rules for this asset. if ($section == 'component') { // Need to find the asset id by the name of the component. $db = Factory::getDbo(); $query = $db->getQuery(true); $query->select($db->quoteName('id')); $query->from($db->quoteName('#__assets')); $query->where($db->quoteName('name') . ' = ' . $db->quote($component)); $db->setQuery($query); $assetId = (int) $db->loadResult(); } else { // Find the asset id of the content. // Note that for global configuration, com_config injects asset_id = 1 into the form. $assetId = $this->form->getValue($assetField); } // Use the compact form for the content rules (deprecated). /* @todo remove code: if (!empty($component) && $section != 'component') { return Html::_('rules.assetFormWidget', $actions, $assetId, $assetId ? null : $component, $this->name, $this->id); } */ // Full width format. // Get the rules for just this asset (non-recursive). $assetRules = Access::getAssetRules($assetId); // Get the available user groups. $groups = $this->getUserGroups(); // Build the form control. $curLevel = 0; // Prepare output $html = array(); $html[] = '<div id="permissions-sliders" class="pane-sliders">'; $html[] = '<p class="rule-desc">' . Text::_('JLIB_RULES_SETTINGS_DESC') . '</p>'; $html[] = '<ul id="rules">'; // Start a row for each user group. foreach ($groups as $group) { $difLevel = $group->level - $curLevel; if ($difLevel > 0) { $html[] = '<li><ul>'; } elseif ($difLevel < 0) { $html[] = str_repeat('</ul></li>', -$difLevel); } $html[] = '<li>'; $html[] = '<div class="panel">'; $html[] = '<h3 class="pane-toggler title"><a href="javascript:void(0);"><span>'; $html[] = str_repeat('<span class="level">|–</span> ', $curLevel = $group->level) . $group->text; $html[] = '</span></a></h3>'; $html[] = '<div class="pane-slider content pane-hide">'; $html[] = '<div class="mypanel">'; $html[] = '<table class="group-rules">'; $html[] = '<thead>'; $html[] = '<tr>'; $html[] = '<th class="actions" id="actions-th' . $group->value . '">'; $html[] = '<span class="acl-action">' . Text::_('JLIB_RULES_ACTION') . '</span>'; $html[] = '</th>'; $html[] = '<th class="settings" id="settings-th' . $group->value . '">'; $html[] = '<span class="acl-action">' . Text::_('JLIB_RULES_SELECT_SETTING') . '</span>'; $html[] = '</th>'; // The calculated setting is not shown for the root group of global configuration. $canCalculateSettings = $group->parent_id || !empty($component); if ($canCalculateSettings) { $html[] = '<th id="aclactionth' . $group->value . '">'; $html[] = '<span class="acl-action">' . Text::_('JLIB_RULES_CALCULATED_SETTING') . '</span>'; $html[] = '</th>'; } $html[] = '</tr>'; $html[] = '</thead>'; $html[] = '<tbody>'; foreach ($actions as $action) { $html[] = '<tr>'; $html[] = '<td headers="actions-th' . $group->value . '">'; $html[] = '<label class="hasTip" for="' . $this->id . '_' . $action->name . '_' . $group->value . '" title="' . htmlspecialchars(Text::_($action->title) . '::' . Text::_($action->description), ENT_COMPAT, 'UTF-8') . '">'; $html[] = Text::_($action->title); $html[] = '</label>'; $html[] = '</td>'; $html[] = '<td headers="settings-th' . $group->value . '">'; $html[] = '<select name="' . $this->name . '[' . $action->name . '][' . $group->value . ']" id="' . $this->id . '_' . $action->name . '_' . $group->value . '" title="' . Text::sprintf('JLIB_RULES_SELECT_ALLOW_DENY_GROUP', Text::_($action->title), trim($group->text)) . '">'; $inheritedRule = Access::checkGroup($group->value, $action->name, $assetId); // Get the actual setting for the action for this group. $assetRule = $assetRules->allow($action->name, $group->value); // Build the dropdowns for the permissions sliders // The parent group has "Not Set", all children can rightly "Inherit" from that. $html[] = '<option value=""' . ($assetRule === null ? ' selected="selected"' : '') . '>' . Text::_(empty($group->parent_id) && empty($component) ? 'JLIB_RULES_NOT_SET' : 'JLIB_RULES_INHERITED') . '</option>'; $html[] = '<option value="1"' . ($assetRule === true ? ' selected="selected"' : '') . '>' . Text::_('JLIB_RULES_ALLOWED') . '</option>'; $html[] = '<option value="0"' . ($assetRule === false ? ' selected="selected"' : '') . '>' . Text::_('JLIB_RULES_DENIED') . '</option>'; $html[] = '</select>  '; // If this asset's rule is allowed, but the inherited rule is deny, we have a conflict. if ($assetRule === true && $inheritedRule === false) { $html[] = Text::_('JLIB_RULES_CONFLICT'); } $html[] = '</td>'; // Build the Calculated Settings column. // The inherited settings column is not displayed for the root group in global configuration. if ($canCalculateSettings) { $html[] = '<td headers="aclactionth' . $group->value . '">'; // This is where we show the current effective settings considering currrent group, path and cascade. // Check whether this is a component or global. Change the text slightly. if (Access::checkGroup($group->value, 'core.admin') !== true) { if ($inheritedRule === null) { $html[] = '<span class="icon-16-unset">' . Text::_('JLIB_RULES_NOT_ALLOWED') . '</span>'; } elseif ($inheritedRule === true) { $html[] = '<span class="icon-16-allowed">' . Text::_('JLIB_RULES_ALLOWED') . '</span>'; } elseif ($inheritedRule === false) { if ($assetRule === false) { $html[] = '<span class="icon-16-denied">' . Text::_('JLIB_RULES_NOT_ALLOWED') . '</span>'; } else { $html[] = '<span class="icon-16-denied"><span class="icon-16-locked">' . Text::_('JLIB_RULES_NOT_ALLOWED_LOCKED') . '</span></span>'; } } } elseif (!empty($component)) { $html[] = '<span class="icon-16-allowed"><span class="icon-16-locked">' . Text::_('JLIB_RULES_ALLOWED_ADMIN') . '</span></span>'; } else { // Special handling for groups that have global admin because they can't be denied. // The admin rights can be changed. if ($action->name === 'core.admin') { $html[] = '<span class="icon-16-allowed">' . Text::_('JLIB_RULES_ALLOWED') . '</span>'; } elseif ($inheritedRule === false) { // Other actions cannot be changed. $html[] = '<span class="icon-16-denied"><span class="icon-16-locked">' . Text::_('JLIB_RULES_NOT_ALLOWED_ADMIN_CONFLICT') . '</span></span>'; } else { $html[] = '<span class="icon-16-allowed"><span class="icon-16-locked">' . Text::_('JLIB_RULES_ALLOWED_ADMIN') . '</span></span>'; } } $html[] = '</td>'; } $html[] = '</tr>'; } $html[] = '</tbody>'; $html[] = '</table></div>'; $html[] = '</div></div>'; $html[] = '</li>'; } $html[] = str_repeat('</ul></li>', $curLevel); $html[] = '</ul><div class="rule-notes">'; if ($section == 'component' || $section == null) { $html[] = Text::_('JLIB_RULES_SETTING_NOTES'); } else { $html[] = Text::_('JLIB_RULES_SETTING_NOTES_ITEM'); } $html[] = '</div></div>'; // Get the JInput object $input = Factory::getApplication()->input; $js = "window.addEvent('domready', function(){ new Fx.Accordion(\$\$('div#permissions-sliders.pane-sliders .panel h3.pane-toggler')," . "\$\$('div#permissions-sliders.pane-sliders .panel div.pane-slider'), {onActive: function(toggler, i) {toggler.addClass('pane-toggler-down');" . "toggler.removeClass('pane-toggler');i.addClass('pane-down');i.removeClass('pane-hide');Cookie.write('jpanesliders_permissions-sliders" . $component . "',\$\$('div#permissions-sliders.pane-sliders .panel h3').indexOf(toggler));}," . "onBackground: function(toggler, i) {toggler.addClass('pane-toggler');toggler.removeClass('pane-toggler-down');i.addClass('pane-hide');" . "i.removeClass('pane-down');}, duration: 300, display: " . $input->cookie->get('jpanesliders_permissions-sliders' . $component, 0, 'integer') . ", show: " . $input->cookie->get('jpanesliders_permissions-sliders' . $component, 0, 'integer') . ", alwaysHide:true, opacity: false}); });"; Factory::getDocument()->addScriptDeclaration($js); return implode("\n", $html); }
/** * Creates the HTML for the permissions widget * * @param array $actions Array of action objects * @param integer $assetId Id of a specific asset to create a widget for. * @param integer $parent Id of the parent of the asset * @param string $control The form control * @param string $idPrefix Prefix for the ids assigned to specific action-group pairs * * @return string HTML for the permissions widget * * @since 11.1 * * @see JAccess * @see JFormFieldRules */ public static function assetFormWidget($actions, $assetId = null, $parent = null, $control = 'jform[rules]', $idPrefix = 'jform_rules') { $images = self::_getImagesArray(); // Get the user groups. $groups = self::_getUserGroups(); // Get the incoming inherited rules as well as the asset specific rules. $inheriting = Access::getAssetRules($parent ? $parent : self::_getParentAssetId($assetId), true); $inherited = Access::getAssetRules($assetId, true); $rules = Access::getAssetRules($assetId); $html = array(); $html[] = '<div class="acl-options">'; $html[] = Html::_('tabs.start', 'acl-rules-' . $assetId, array('useCookie' => 1)); $html[] = Html::_('tabs.panel', Text::_('JLIB_HTML_ACCESS_SUMMARY'), 'summary'); $html[] = ' <p>' . Text::_('JLIB_HTML_ACCESS_SUMMARY_DESC') . '</p>'; $html[] = ' <table class="aclsummary-table" summary="' . Text::_('JLIB_HTML_ACCESS_SUMMARY_DESC') . '">'; $html[] = ' <caption>' . Text::_('JLIB_HTML_ACCESS_SUMMARY_DESC_CAPTION') . '</caption>'; $html[] = ' <tr>'; $html[] = ' <th class="col1 hidelabeltxt">' . Text::_('JLIB_RULES_GROUPS') . '</th>'; foreach ($actions as $i => $action) { $html[] = ' <th class="col' . ($i + 2) . '">' . Text::_($action->title) . '</th>'; } $html[] = ' </tr>'; foreach ($groups as $i => $group) { $html[] = ' <tr class="row' . $i % 2 . '">'; $html[] = ' <td class="col1">' . $group->text . '</td>'; foreach ($actions as $j => $action) { $html[] = ' <td class="col' . ($j + 2) . '">' . ($assetId ? $inherited->allow($action->name, $group->identities) ? $images['allow'] : $images['deny'] : ($inheriting->allow($action->name, $group->identities) ? $images['allow'] : $images['deny'])) . '</td>'; } $html[] = ' </tr>'; } $html[] = ' </table>'; foreach ($actions as $action) { $actionTitle = Text::_($action->title); $actionDesc = Text::_($action->description); $html[] = Html::_('tabs.panel', $actionTitle, $action->name); $html[] = ' <p>' . $actionDesc . '</p>'; $html[] = ' <table class="aclmodify-table" summary="' . strip_tags($actionDesc) . '">'; $html[] = ' <caption>' . Text::_('JLIB_HTML_ACCESS_MODIFY_DESC_CAPTION_ACL') . ' ' . $actionTitle . ' ' . Text::_('JLIB_HTML_ACCESS_MODIFY_DESC_CAPTION_TABLE') . '</caption>'; $html[] = ' <tr>'; $html[] = ' <th class="col1 hidelabeltxt">' . Text::_('JLIB_RULES_GROUP') . '</th>'; $html[] = ' <th class="col2">' . Text::_('JLIB_RULES_INHERIT') . '</th>'; $html[] = ' <th class="col3 hidelabeltxt">' . Text::_('JMODIFY') . '</th>'; $html[] = ' <th class="col4">' . Text::_('JCURRENT') . '</th>'; $html[] = ' </tr>'; foreach ($groups as $i => $group) { $selected = $rules->allow($action->name, $group->value); $html[] = ' <tr class="row' . $i % 2 . '">'; $html[] = ' <td class="col1">' . $group->text . '</td>'; $html[] = ' <td class="col2">' . ($inheriting->allow($action->name, $group->identities) ? $images['allow-i'] : $images['deny-i']) . '</td>'; $html[] = ' <td class="col3">'; $html[] = ' <select id="' . $idPrefix . '_' . $action->name . '_' . $group->value . '" class="inputbox" size="1" name="' . $control . '[' . $action->name . '][' . $group->value . ']" title="' . Text::sprintf('JLIB_RULES_SELECT_ALLOW_DENY_GROUP', $actionTitle, $group->text) . '">'; $html[] = ' <option value=""' . ($selected === null ? ' selected="selected"' : '') . '>' . Text::_('JLIB_RULES_INHERIT') . '</option>'; $html[] = ' <option value="1"' . ($selected === true ? ' selected="selected"' : '') . '>' . Text::_('JLIB_RULES_ALLOWED') . '</option>'; $html[] = ' <option value="0"' . ($selected === false ? ' selected="selected"' : '') . '>' . Text::_('JLIB_RULES_DENIED') . '</option>'; $html[] = ' </select>'; $html[] = ' </td>'; $html[] = ' <td class="col4">' . ($assetId ? $inherited->allow($action->name, $group->identities) ? $images['allow'] : $images['deny'] : ($inheriting->allow($action->name, $group->identities) ? $images['allow'] : $images['deny'])) . '</td>'; $html[] = ' </tr>'; } $html[] = ' </table>'; } $html[] = Html::_('tabs.end'); // Build the footer with legend and special purpose buttons. $html[] = ' <div class="clr"></div>'; $html[] = ' <ul class="acllegend fltlft">'; $html[] = ' <li class="acl-allowed">' . Text::_('JLIB_RULES_ALLOWED') . '</li>'; $html[] = ' <li class="acl-denied">' . Text::_('JLIB_RULES_DENIED') . '</li>'; $html[] = ' </ul>'; $html[] = '</div>'; return implode("\n", $html); }
/** * Returns a UL list of actions with check boxes * * @param string $name The name of the checkbox controls array * @param array $selected An array of the checked boxes * @param string $component The component the permissions apply to * @param string $section The section (within a component) the permissions apply to * * @return string * * @see JAccess * @since 11.1 */ public static function actions($name, $selected, $component, $section = 'global') { static $count; $count++; $actions = AuthorizationAccess::getActionsFromFile(JPATH_ADMINISTRATOR . '/components/' . $component . '/access.xml', "/access/section[@name='" . $section . "']/"); $html = array(); $html[] = '<ul class="checklist access-actions">'; for ($i = 0, $n = count($actions); $i < $n; $i++) { $item =& $actions[$i]; // Setup the variable attributes. $eid = $count . 'action_' . $item->id; $checked = in_array($item->id, $selected) ? ' checked="checked"' : ''; // Build the HTML for the item. $html[] = ' <li>'; $html[] = ' <input type="checkbox" name="' . $name . '[]" value="' . $item->id . '" id="' . $eid . '"'; $html[] = ' ' . $checked . ' />'; $html[] = ' <label for="' . $eid . '">'; $html[] = ' ' . Text::_($item->title); $html[] = ' </label>'; $html[] = ' </li>'; } $html[] = '</ul>'; return implode("\n", $html); }
/** * Method to save the JUser object to the database * * @param boolean $updateOnly Save the object only if not a new user * Currently only used in the user reset password method. * * @return boolean True on success * * @since 11.1 * @throws RuntimeException */ public function save($updateOnly = false) { // Create the user table object $table = $this->getTable(); $this->params = (string) $this->_params; $table->bind($this->getProperties()); // Allow an exception to be thrown. try { // Check and store the object. if (!$table->check()) { $this->setError($table->getError()); return false; } // If user is made a Super Admin group and user is NOT a Super Admin // @todo ACL - this needs to be acl checked $my = Factory::getUser(); // Are we creating a new user $isNew = empty($this->id); // If we aren't allowed to create new users return if ($isNew && $updateOnly) { return true; } // Get the old user $oldUser = new User($this->id); // Access Checks // The only mandatory check is that only Super Admins can operate on other Super Admin accounts. // To add additional business rules, use a user plugin and throw an Exception with onUserBeforeSave. // Check if I am a Super Admin $iAmSuperAdmin = $my->authorise('core.admin'); // We are only worried about edits to this account if I am not a Super Admin. if ($iAmSuperAdmin != true) { if ($isNew) { // Check if the new user is being put into a Super Admin group. foreach ($this->groups as $groupId) { if (Access::checkGroup($groupId, 'core.admin')) { throw new RuntimeException('User not Super Administrator'); } } } else { // I am not a Super Admin, and this one is, so fail. if (Access::check($this->id, 'core.admin')) { throw new RuntimeException('User not Super Administrator'); } if ($this->groups != null) { // I am not a Super Admin and I'm trying to make one. foreach ($this->groups as $groupId) { if (Access::checkGroup($groupId, 'core.admin')) { throw new RuntimeException('User not Super Administrator'); } } } } } // Fire the onUserBeforeSave event. PluginHelper::importPlugin('user'); $dispatcher = Dispatcher::getInstance(); $result = $dispatcher->trigger('onUserBeforeSave', array($oldUser->getProperties(), $isNew, $this->getProperties())); if (in_array(false, $result, true)) { // Plugin will have to raise its own error or throw an exception. return false; } // Store the user data in the database $result = $table->store(); // Set the id for the JUser object in case we created a new user. if (empty($this->id)) { $this->id = $table->get('id'); } if ($my->id == $table->id) { $registry = new Registry(); $registry->loadString($table->params); $my->setParameters($registry); } // Fire the onUserAfterSave event $dispatcher->trigger('onUserAfterSave', array($this->getProperties(), $isNew, $result, $this->getError())); } catch (Exception $e) { $this->setError($e->getMessage()); return false; } return $result; }
/** * Method to get the list of possible permission action names for the form field. * * @param SimpleXMLElement $element The SimpleXMLElement object representing the <field /> tag for the * form field object. * * @return array A list of permission action names from the form field element definition. * * @since 11.1 */ protected function getFieldActions(SimpleXMLElement $element) { $actions = array(); // Initialise some field attributes. $section = $element['section'] ? (string) $element['section'] : ''; $component = $element['component'] ? (string) $element['component'] : ''; // Get the asset actions for the element. $elActions = Access::getActionsFromFile(JPATH_ADMINISTRATOR . '/components/' . $component . '/access.xml', "/access/section[@name='" . $section . "']/"); // Iterate over the asset actions and add to the actions. foreach ($elActions as $item) { $actions[] = $item->name; } // Iterate over the children and add to the actions. foreach ($element->children() as $el) { if ($el->getName() == 'action') { $actions[] = (string) $el['name']; } } return $actions; }