/**
 * Sets the access level of one user on a list of websites.
 *
 * - access = 'noaccess': the user's current access on these sites (if any) is deleted.
 * - access = 'view' or 'admin': the current access is deleted and replaced by the new level.
 *
 * The caller must itself hold 'admin' access on every targeted site; this is enforced by
 * Piwik::checkUserHasAdminAccess() before anything is written.
 *
 * @param string $userLogin The user login
 * @param string $access Access to grant. Must be one of: noaccess, view, admin
 * @param int|array|string $idSites The idSites on which to apply the access level for the user.
 *                                  If the value is "all", the access level is applied to every website
 *                                  on which the currently authenticated user has 'admin' access.
 *
 * @throws Exception if the user doesn't exist
 * @throws Exception if the access parameter doesn't have a correct value
 * @throws Exception if 'admin' access is requested for the 'anonymous' user
 * @throws Exception if the resolved list of website IDs is empty
 * @throws Exception if any of the given website ID doesn't exist
 *
 * NOTE(review): earlier documentation announced "@return bool true on success", but the
 * method body contains no return statement.
 */
public function setUserAccess($userLogin, $access, $idSites)
{
    // Validate the request before touching any stored access.
    $this->checkAccessType($access);
    $this->checkUserExists($userLogin);
    $this->checkUserHasNotSuperUserAccess($userLogin);

    // The anonymous user may never be given admin rights.
    // Loose comparisons (==) are intentionally left exactly as they were.
    $isAdminForAnonymous = ($userLogin == 'anonymous') && ($access == 'admin');
    if ($isAdminForAnonymous) {
        throw new Exception(Piwik::translate("UsersManager_ExceptionAdminAnonymous"));
    }

    // 'all' expands to the sites the current user administers; anything else is parsed
    // as an idSites string/list.
    $idSites = ($idSites === 'all')
        ? \Piwik\Plugins\SitesManager\API::getInstance()->getSitesIdWithAdminAccess()
        : Site::getIdSitesFromIdSitesString($idSites);

    if (empty($idSites)) {
        throw new Exception('Specify at least one website ID in &idSites=');
    }

    // Authorization gate: only an admin of these websites may change access on them.
    Piwik::checkUserHasAdminAccess($idSites);

    // Existing access is removed first, then the new level (if any) is written.
    // No transaction is visible in this method: if addUserAccess() fails after the delete,
    // the user is left with no access on these sites (the failure is fail-closed).
    $this->model->deleteUserAccess($userLogin, $idSites);

    if ($access == 'noaccess') {
        // 'noaccess' is the default when nothing is stored, so nothing is saved;
        // only the removal event is posted.
        if (!(empty($idSites) || is_array($idSites))) {
            $idSites = array($idSites);
        }
        Piwik::postEvent('UsersManager.removeSiteAccess', array($userLogin, $idSites));
    } else {
        // NOTE(review): no event is posted from this method on the grant path; if grants
        // must be auditable, confirm that addUserAccess() or a caller records them.
        $this->model->addUserAccess($userLogin, $access, $idSites);
    }

    // The in-memory access list does not yet reflect this change, so reload it,
    // then drop the tracker cache.
    Access::getInstance()->reloadAccess();
    Cache::deleteTrackerCache();
}
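/**
 * Uses information in an LDAP user entity to set access levels in Piwik.
 *
 * Does nothing when no access mapper is configured. Otherwise the mapper output is iterated
 * as "access level => sites": the user's stored access is deleted through the user model and
 * every mapped level is re-applied through the UsersManager API inside Access::doAsSuperUser().
 *
 * NOTE(review): de-provisioning gaps worth confirming against the rest of the plugin:
 *  - when the mapper returns nothing, only a warning is logged and the user's existing Piwik
 *    access is left untouched;
 *  - the only setSuperUserAccess() call here passes true, so a user who is no longer mapped to
 *    'superuser' in LDAP is demoted only if deleteUserAccess() also clears that flag, which is
 *    not visible from this method.
 *
 * @param string $piwikLogin The username of the Piwik user whose access will be set.
 * @param string[] $ldapUser The LDAP entity to use when synchronizing.
 */
public function synchronizePiwikAccessFromLdap($piwikLogin, $ldapUser)
{
    if (empty($this->userAccessMapper)) {
        return;
    }

    $userAccess = $this->userAccessMapper->getPiwikUserAccessForLdapUser($ldapUser);
    if (empty($userAccess)) {
        // Early return: previously granted access is NOT revoked on this path.
        Log::warning("UserSynchronizer::%s: User '%s' has no access in LDAP, but access synchronization is enabled.", __FUNCTION__, $piwikLogin);

        return;
    }

    // Wipe stored access first so that only what LDAP currently maps is re-granted below.
    // If a later grant throws, the user keeps only the levels applied so far.
    $this->userModel->deleteUserAccess($piwikLogin);

    // Copied to a local so the closure can capture it without relying on $this.
    $usersManagerApi = $this->usersManagerApi;
    foreach ($userAccess as $userAccessLevel => $sites) {
        Access::doAsSuperUser(function () use ($usersManagerApi, $userAccessLevel, $sites, $piwikLogin) {
            // Strict comparison: the privileged branch must be taken only for the exact string
            // key 'superuser'. With a loose ==, an integer key 0 compares equal to any
            // non-numeric string before PHP 8 and would have been treated as a superuser grant.
            if ($userAccessLevel === 'superuser') {
                $usersManagerApi->setSuperUserAccess($piwikLogin, true);
            } else {
                $usersManagerApi->setUserAccess($piwikLogin, $userAccessLevel, $sites);
            }
        });
    }
}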