1: <?php
  2: /**
  3:  * This file contains the the permission class.
  4:  *
  5:  * @package Core
  6:  * @subpackage Backend
  7:  * @author Boris Erdmann
  8:  * @author Kristian Koehntopp
  9:  * @copyright four for business AG <www.4fb.de>
 10:  * @license http://www.contenido.org/license/LIZENZ.txt
 11:  * @link http://www.4fb.de
 12:  * @link http://www.contenido.org
 13:  */
 14: 
 15: defined('CON_FRAMEWORK') || die('Illegal call: Missing framework initialization - request aborted.');
 16: 
 17: /**
 18:  * This class handles the permission management
 19:  *
 20:  * @package Core
 21:  * @subpackage Backend
 22:  */
 23: class cPermission {
 24: 
 25:     /**
 26:      * Permission class name
 27:      *
 28:      * @var string
 29:      */
 30:     public $classname = 'cPermission';
 31: 
 32:     /**
 33:      * Area cache
 34:      *
 35:      * @var array
 36:      */
 37:     public $areacache = array();
 38: 
 39:     /**
 40:      * Actions cache
 41:      *
 42:      * @var array
 43:      */
 44:     public $actioncache = array();
 45: 
 46:     /**
 47:      * CONTENIDO database object
 48:      *
 49:      * @var cDb
 50:      */
 51:     public $db;
 52: 
 53:     /**
 54:      * Returns all groups of a user
 55:      *
 56:      * @param string $userId
 57:      *
 58:      * @return array
 59:      *         List of group ids
 60:      *
 61:      * @throws cDbException
 62:      * @throws cException
 63:      */
 64:     public function getGroupsForUser($userId) {
 65:         $groups = array();
 66: 
 67:         $oGroupMemberColl = new cApiGroupMemberCollection();
 68:         $oGroupMemberColl->select("user_id='" . $oGroupMemberColl->escape($userId) . "'");
 69:         while (false !== $oItem = $oGroupMemberColl->next()) {
 70:             $groups[] = $oItem->get('group_id');
 71:         }
 72: 
 73:         return $groups;
 74:     }
 75: 
 76:     /**
 77:      * Returns the id of an area.
 78:      * If passed area is numeric, it will returned directly.
 79:      *
 80:      * @deprecated [2015-05-21]
 81:      *         This method is no longer supported (no replacement)
 82:      * @param string|int $area
 83:      *
 84:      * @return int
 85:      *
 86:      * @throws cDbException
 87:      * @throws cException
 88:      */
 89:     public function getIDForArea($area) {
 90:         if (is_numeric($area)) {
 91:             return $area;
 92:         } elseif (isset($this->areacache[$area])) {
 93:             return $this->areacache[$area];
 94:         }
 95: 
 96:         $oAreaColl = new cApiAreaCollection();
 97:         $oAreaColl->select("name='" . $oAreaColl->escape($area) . "'");
 98:         if (false !== $oItem = $oAreaColl->next()) {
 99:             $this->areacache[$area] = $oItem->get('idarea');
100:             $area = $oItem->get('idarea');
101:         }
102: 
103:         return $area;
104:     }
105: 
106:     /**
107:      * Returns the id of an action.
108:      * If passed action is numeric, it will returned directly.
109:      *
110:      * @param string|int $action
111:      *
112:      * @return int
113:      *
114:      * @throws cDbException
115:      * @throws cException
116:      */
117:     public function getIDForAction($action) {
118:         if (is_numeric($action)) {
119:             return $action;
120:         } elseif (isset($this->actioncache[$action])) {
121:             return $this->actioncache[$action];
122:         }
123: 
124:         $oActionColl = new cApiActionCollection();
125:         $oActionColl->select("name='" . $oActionColl->escape($action) . "'");
126:         if (false !== $oItem = $oActionColl->next()) {
127:             $this->actioncache[$action] = $oItem->get('idaction');
128:             $action = $oItem->get('idaction');
129:         }
130: 
131:         return $action;
132:     }
133: 
134:     /**
135:      * Loads all permissions of groups where current logged in user is a member
136:      * and saves them in session.
137:      *
138:      * @param bool $force [optional]
139:      *                    Flag to force loading, event if they were cached before
140:      *
141:      * @return string
142:      *         Returns diffrent values, depending on state:
143:      *         '1' (string) if permissions couldn't loaded
144:      *         '3' (string) if permissions were loaded successfully
145:      *
146:      * @throws cDbException
147:      * @throws cException
148:      */
149:     public function load_permissions($force = false) {
150:         global $sess, $area_rights, $item_rights, $auth, $changelang, $changeclient;
151: 
152:         $return = '1';
153: 
154:         // if not admin or sysadmin
155:         if (!$this->have_perm()) {
156:             $return = isset($area_rights);
157: 
158:             if (!isset($area_rights) || !isset($item_rights) || isset($changeclient) || isset($changelang) || $force) {
159:                 $return = '3';
160:                 // register variables
161:                 $sess->register('area_rights');
162:                 $sess->register('item_rights');
163:                 $item_rights = array();
164:                 $groups = $this->getGroupsForUser($auth->auth['uid']);
165: 
166:                 if (is_array($groups)) {
167:                     foreach ($groups as $group) {
168:                         $this->load_permissions_for_user($group);
169:                     }
170:                 }
171: 
172:                 $this->load_permissions_for_user($auth->auth['uid']);
173:             }
174:         }
175: 
176:         return $return;
177:     }
178: 
179:     /**
180:      * Loads all permissions for a specific user or group.
181:      * Stores area rights in global variable $area_rights.
182:      * Stores item rights in global variable $item_rights.
183:      *
184:      * @param string $user
185:      *         User Id hash
186:      *
187:      * @throws cDbException
188:      * @throws cException
189:      */
190:     public function load_permissions_for_user($user) {
191:         global $client, $lang;
192:         global $area_rights, $item_rights;
193: 
194:         $oRightColl = new cApiRightCollection();
195:         $sWhere = "user_id='" . $oRightColl->escape($user) . "'";
196:         $sWhere .= " AND idcat=0 AND " . "idclient=" . (int) $client;
197:         $sWhere .= " AND idlang=" . (int) $lang;
198:         $oRightColl->select($sWhere);
199: 
200:         // define $area_rights if not already done so
201:         if (!is_array($area_rights)) {
202:             $area_rights = array();
203:         }
204:         while (false !== $oItem = $oRightColl->next()) {
205:             $idarea = $oItem->get('idarea');
206:             $idaction = $oItem->get('idaction');
207:             $area_rights[$idarea][$idaction] = true;
208:         }
209: 
210:         // Select Rights for Article and Sructure (Attention Hard code Areas)
211:         $oAreaColl = new cApiAreaCollection();
212:         $oAreaColl->select();
213:         while (false !== $oItem = $oAreaColl->next()) {
214:             $idarea = $oItem->get('idarea');
215:             $tmp_area[] = $idarea;
216:         }
217: 
218:         $tmp_area_string = implode("','", array_values($tmp_area));
219:         $sWhere = "user_id='" . $oRightColl->escape($user) . "'";
220:         $sWhere .= " AND idclient=" . (int) $client;
221:         $sWhere .= " AND idlang=" . (int) $lang;
222:         $sWhere .= " AND idarea IN ('$tmp_area_string')";
223:         $sWhere .= "AND idcat != 0";
224:         $oRightColl->select($sWhere);
225:         while (false !== $oItem = $oRightColl->next()) {
226:             $idarea = $oItem->get('idarea');
227:             $idaction = $oItem->get('idaction');
228:             $idcat = $oItem->get('idcat');
229:             $item_rights[$idarea][$idaction][$idcat] = $idcat;
230:         }
231:     }
232: 
233:     /**
234:      *
235:      * @param string $area
236:      * @param int    $action [optional]
237:      *
238:      * @return bool
239:      *
240:      * @throws cDbException
241:      * @throws cException
242:      */
243:     public function have_perm_area_action_anyitem($area, $action = 0) {
244:         global $item_rights;
245: 
246:         if ($this->have_perm_area_action($area, $action)) {
247:             return true;
248:         }
249: 
250:         $oAreaColl = new cApiAreaCollection();
251:         $area = $oAreaColl->getAreaID($area);
252: 
253:         $action = $this->getIDForAction($action);
254: 
255:         return isset($item_rights[$area][$action]);
256:     }
257: 
258:     /**
259:      *
260:      * @param string $area
261:      * @param string $action
262:      * @param mixed  $itemid
263:      *
264:      * @return bool
265:      *
266:      * @throws cDbException
267:      * @throws cException
268:      */
269:     public function have_perm_area_action_item($area, $action, $itemid) {
270:         global $item_rights, $auth, $client, $lang, $cfg;
271: 
272:         if ($this->have_perm()) {
273:             return true;
274:         }
275: 
276:         $oAreaColl = new cApiAreaCollection();
277:         $area = $oAreaColl->getAreaID($area);
278:         $action = $this->getIDForAction($action);
279: 
280:         // If the user has a right on this action in this area check for the
281:         // items
282:         if ($this->have_perm_area_action($area, $action)) {
283:             return true;
284:         }
285: 
286:         // Check rights for the action in this area at this item
287:         if (isset($item_rights[$area][$action][$itemid])) {
288:             // If have action for area + action +item check right for client and
289:             // lang
290:             return true;
291:         }
292: 
293:         if ($item_rights[$area] != 'noright') {
294:             $groupsForUser = $this->getGroupsForUser($auth->auth['uid']);
295:             $groupsForUser[] = $auth->auth['uid'];
296: 
297:             $userIdIn = implode("','", $groupsForUser);
298: 
299:             $oRightsColl = new cApiRightCollection();
300:             $where = "user_id IN ('" . $userIdIn . "') AND idclient=" . (int) $client . " AND idlang=" . (int) $lang . " AND idarea=$area AND idcat != 0";
301: 
302:             if (!$oRightsColl->select($where)) {
303:                 $item_rights[$area] = 'noright';
304:                 return false;
305:             }
306: 
307:             while (false !== $oItem = $oRightsColl->next()) {
308:                 $item_rights[$oItem->get('idarea')][$oItem->get('idaction')][$oItem->get('idcat')] = $oItem->get('idcat');
309:             }
310: 
311:             // Check
312:             if (isset($item_rights[$area][$action][$itemid])) {
313:                 // If have action for area + action +item check right for client
314:                 // and lang
315:                 return true;
316:             }
317:         }
318:         return false;
319:     }
320: 
321:     /**
322:      * Returns the parent id of passed area
323:      *
324:      * @deprecated [2015-05-21]
325:      *         This method is no longer supported (no replacement)
326:      * @param int|string $area
327:      *         Area id or name
328:      *
329:      * @return string|int
330:      *         name of parent area or passed area
331:      *
332:      * @throws cDbException
333:      */
334:     public function getParentAreaId($area) {
335:         $oAreaColl = new cApiAreaCollection();
336:         return $oAreaColl->getParentAreaID($area);
337:     }
338: 
339:     /**
340:      *
341:      * @param string $area
342:      * @param int    $action [optional]
343:      *
344:      * @return bool
345:      *
346:      * @throws cDbException
347:      * @throws cException
348:      */
349:     public function have_perm_area_action($area, $action = 0) {
350:         global $area_rights, $client, $lang, $cfg;
351: 
352:         $oAreaColl = new cApiAreaCollection();
353:         $area = $oAreaColl->getAreaID($area);
354:         $action = $this->getIDForAction($action);
355: 
356:         if ($action == 0) {
357:             $area = $oAreaColl->getParentAreaID($area);
358:         }
359: 
360:         $area = $oAreaColl->getAreaID($area);
361: 
362:         if (!$this->have_perm()) {
363:             if ($action == 0 && $area_rights[$area]) {
364:                 // If have action for area + action check right for client and
365:                 // lang
366:                 return $this->have_perm_client_lang($client, $lang);
367:             }
368: 
369:             // check rights for the action in this area
370:             if ($area_rights[$area][$action]) {
371:                 // If have action for area + action check right for client and
372:                 // lang
373:                 return $this->have_perm_client_lang($client, $lang);
374:             }
375: 
376:             return false;
377:         }
378: 
379:         return true;
380:     }
381: 
382:     /**
383:      *
384:      * @param int $client
385:      * @param int $lang
386:      * @return bool
387:      */
388:     public function have_perm_client_lang($client, $lang) {
389:         global $auth;
390: 
391:         // Changed back to a full featured function, as have_perm
392:         // needs $client as global variable - not provided by this
393:         // function
394:         // return $this->have_perm("client[$client],lang[$lang]");
395: 
396:         if (!isset($auth->auth['perm'])) {
397:             $auth->auth['perm'] = '';
398:         }
399: 
400:         // Split the permissions of the user
401:         $userperm = explode(',', $auth->auth['perm']);
402: 
403:         if (in_array('sysadmin', $userperm)) {
404:             return true; // User is sysadmin
405:         } elseif (in_array("admin[$client]", $userperm)) {
406:             return true; // User is admin
407:         } else {
408:             // Check rights for the client and the language
409:             $pageperm = explode(',', "client[$client],lang[$lang]");
410:             foreach ($pageperm as $value) {
411:                 if (!in_array($value, $userperm)) {
412:                     return false;
413:                 }
414:             }
415:         }
416:         return true;
417:     }
418: 
419:     /**
420:      * Checks if a user has access rights for a specific client.
421:      *
422:      * @param bool $iClient [optional]
423:      *                      idclient to check, or false for the current client
424:      * @param bool $oUser   [optional]
425:      *                      User object to check against, or false for the current user
426:      *
427:      * @return bool
428:      *
429:      * @throws cInvalidArgumentException
430:      */
431:     public function hasClientPermission($iClient = false, $oUser = false) {
432:         global $auth, $client;
433: 
434:         if ($iClient === false) {
435:             $iClient = $client;
436:         }
437: 
438:         $oUser = $this->_checkUserObject($oUser);
439: 
440:         if ($this->isSysadmin($oUser) || $this->isClientAdmin($iClient, $oUser) || $this->isClientUser($iClient, $oUser)) {
441:             return true;
442:         } else {
443:             return false;
444:         }
445:         /*
446:          * Commented out Timo Trautmann, because here only client access is
447:          * checked, possibility for admin or sysadmin access was ignored
448:          * functions isSysadmin isClientAdmin isClientUser also handles
449:          * permission for groups #Check clients' rights of users' group(s)
450:          * $aGroups = $this->getGroupsForUser($auth->auth["uid"]); if
451:          * (is_array($aGroups)) { foreach ($aGroups as $group) { $oGroup = new
452:          * cApiGroup($group); if ($this->isClientGroup($iClient, $oGroup)) {
453:          * return true; } } } return false; }
454:          */
455:     }
456: 
457:     /**
458:      * Checks if the given user has access permission for a client
459:      *
460:      * @param int    $iClient
461:      *         idclient to check
462:      * @param object $oUser
463:      *         User object to check against
464:      *
465:      * @return bool
466:      *
467:      * @throws cInvalidArgumentException
468:      */
469:     public function isClientUser($iClient, $oUser) {
470:         $oUser = $this->_checkUserObject($oUser);
471: 
472:         $aPermissions = explode(',', $oUser->getEffectiveUserPerms());
473: 
474:         if (in_array("client[$iClient]", $aPermissions)) {
475:             return true;
476:         }
477: 
478:         return false;
479:     }
480: 
481:     /**
482:      * Checks if the given group has access permission for a client
483:      *
484:      * @param int $iClient
485:      *         idclient to check
486:      * @param object $oGroup
487:      *         Group object to check against
488:      * @return bool
489:      */
490:     public function isClientGroup($iClient, $oGroup) {
491:         $aPermissions = explode(',', $oGroup->getField('perms'));
492: 
493:         if (in_array("client[$iClient]", $aPermissions)) {
494:             return true;
495:         }
496: 
497:         return false;
498:     }
499: 
500:     /**
501:      * Checks if the given user has an admin permission
502:      *
503:      * @param int    $iClient
504:      *         idclient to check
505:      * @param object $oUser
506:      *         User object to check against
507:      *
508:      * @return bool
509:      *
510:      * @throws cInvalidArgumentException
511:      */
512:     public function isClientAdmin($iClient, $oUser) {
513:         $oUser = $this->_checkUserObject($oUser);
514: 
515:         $aPermissions = explode(',', $oUser->getEffectiveUserPerms());
516: 
517:         if (in_array("admin[$iClient]", $aPermissions)) {
518:             return true;
519:         }
520: 
521:         return false;
522:     }
523: 
524:     /**
525:      * Checks if the given user has sysadmin permission
526:      *
527:      * @param object $oUser
528:      *         User object to check against
529:      *
530:      * @return bool
531:      *
532:      * @throws cInvalidArgumentException
533:      */
534:     public function isSysadmin($oUser) {
535:         $oUser = $this->_checkUserObject($oUser);
536: 
537:         $aPermissions = explode(',', $oUser->getEffectiveUserPerms());
538: 
539:         if (in_array('sysadmin', $aPermissions)) {
540:             return true;
541:         }
542: 
543:         return false;
544:     }
545: 
546:     /**
547:      * Checks if the given object is a user object.
548:      *
549:      * If oUser is false, initialize the object from the currently logged in
550:      * user. If oUser is not an object of the class cApiUser, throw an
551:      * exception.
552:      *
553:      * @param object $oUser
554:      *         User object
555:      *
556:      * @return object
557:      *
558:      * @throws cInvalidArgumentException
559:      *         if the given or constructed user is not a cApiUser object
560:      */
561:     private function _checkUserObject($oUser) {
562:         if ($oUser === false) {
563:             global $currentuser;
564:             $oUser = $currentuser;
565:         }
566: 
567:         if (!is_object($oUser)) {
568:             global $auth;
569:             $oUser = new cApiUser($auth->auth['uid']);
570:         }
571: 
572:         if (get_class($oUser) != 'cApiUser') {
573:             throw new cInvalidArgumentException('oUser parameter is not of type User');
574:         }
575: 
576:         return $oUser;
577:     }
578: 
579:     /**
580:      *
581:      * @param string $perm [optional]
582:      *
583:      * @return bool
584:      */
585:     public function have_perm_client($perm = 'x') {
586:         global $auth, $client;
587: 
588:         if (!isset($auth->auth['perm'])) {
589:             $auth->auth['perm'] = '';
590:         }
591: 
592:         // Split the permissions of the user
593:         $userperm = explode(',', $auth->auth['perm']);
594: 
595:         // If User is sysadmin or admin at this client return true
596:         if (in_array('sysadmin', $userperm)) {
597:             return true;
598:         }
599: 
600:         // If there are more permissions to ask split them
601:         $pageperm = explode(',', $perm);
602:         foreach ($pageperm as $value) {
603:             if (!in_array($value, $userperm)) {
604:                 return false;
605:             }
606:         }
607:         return true;
608:     }
609: 
610:     /**
611:      * Checks if user has permissions to passed perm.
612:      * - Sysadmin has allways permission
613:      * - Client admin has allways permission
614:      *
615:      * @param string $perm [optional]
616:      *         Permissions (comma separated list of perms) to check
617:      * @return bool
618:      */
619:     public function have_perm($perm = 'x') {
620:         global $auth, $client;
621: 
622:         if (!isset($auth->auth['perm'])) {
623:             $auth->auth['perm'] = '';
624:         }
625: 
626:         // Split the permissions of the user
627:         $userperm = explode(',', $auth->auth['perm']);
628: 
629:         // If User is sysadmin or admin at this client return true
630:         if (in_array('sysadmin', $userperm)) {
631:             return true;
632:         } elseif (in_array("admin[$client]", $userperm)) {
633:             return true;
634:             // Else check rights for the client and the language
635:         } else {
636:             // If there are more permissions to ask split them
637:             $pageperm = explode(',', $perm);
638:             foreach ($pageperm as $value) {
639:                 if (!in_array($value, $userperm)) {
640:                     return false;
641:                 }
642:             }
643:         }
644:         return true;
645:     }
646: 
647:     /**
648:      * Checks if an item have any perms
649:      *
650:      * @param string|int $mainarea
651:      * @param int        $itemid
652:      *
653:      * @return bool
654:      *
655:      * @throws cDbException
656:      * @throws cException
657:      */
658:     public function have_perm_item($mainarea, $itemid) {
659:         global $cfg, $item_rights, $cfg, $client, $lang, $auth, $area_tree, $sess;
660: 
661:         $oAreaColl = new cApiAreaCollection();
662:         $mainarea = $oAreaColl->getAreaID($mainarea);
663: 
664:         // If is admin or sysadmin
665:         if ($this->have_perm()) {
666:             return true;
667:         }
668: 
669:         // If is not admin or sysadmin
670: 
671:         if (!is_object($this->db)) {
672:             $this->db = cRegistry::getDb();
673:         }
674: 
675:         $this->showareas($mainarea);
676: 
677:         $flg = false;
678:         // Check if there are any rights for this areas
679:         foreach ($area_tree[$mainarea] as $value) {
680:             // If the flag noright is set there are no rights in this area
681:             if ($item_rights[$value] == 'noright') {
682:                 continue;
683:             } elseif (is_array($item_rights[$value])) {
684:                 // If there are any rights
685:                 foreach ($item_rights[$value] as $value2) {
686:                     if (in_array($itemid, $value2)) {
687:                         return true;
688:                     }
689:                 }
690:             } elseif ($item_rights[$value] != 'noright') {
691:                 $groupsForUser = $this->getGroupsForUser($auth->auth['uid']);
692:                 $groupsForUser[] = $auth->auth['uid'];
693: 
694:                 // else search for rights for this user in this area
695:                 $sql = "SELECT
696:                             *
697:                          FROM
698:                             " . $cfg['tab']['rights'] . "
699:                          WHERE
700:                             user_id IN ('" . implode("','", $groupsForUser) . "') AND
701:                             idclient = " . cSecurity::toInteger($client) . " AND
702:                             idlang = " . cSecurity::toInteger($lang) . " AND
703:                             idarea = '$value' AND
704:                             idcat != 0";
705:                 $this->db->query($sql);
706: 
707:                 // If there are no rights for this area set the flag norights
708:                 if ($this->db->affectedRows() == 0) {
709:                     $item_rights[$value] = 'noright';
710:                 }
711: 
712:                 // Set the rights
713:                 while ($this->db->nextRecord()) {
714:                     if ($this->db->f('idcat') == $itemid) {
715:                         $flg = true;
716:                     }
717:                     $item_rights[$this->db->f('idarea')][$this->db->f('idaction')][$this->db->f('idcat')] = $this->db->f('idcat');
718:                 }
719:             }
720:         }
721:         return $flg;
722:     }
723: 
724:     /**
725:      *
726:      * @param string|int $mainarea
727:      *
728:      * @return int
729:      *
730:      * @throws cDbException
731:      * @throws cException
732:      */
733:     public function showareas($mainarea) {
734:         global $area_tree, $sess, $perm, $cfg;
735: 
736:         if (!is_object($this->db)) {
737:             $this->db = cRegistry::getDb();
738:         }
739: 
740:         $oAreaColl = new cApiAreaCollection();
741:         $mainarea = $oAreaColl->getAreaID($mainarea);
742: 
743:         // If $area_tree for this area is not register
744:         if (!isset($area_tree[$mainarea])) {
745:             $sess->register('area_tree');
746: 
747:             // parent_id uses the name not the idarea
748:             $sql = "SELECT name FROM " . $cfg['tab']['area'] . " WHERE idarea=$mainarea";
749:             $this->db->query($sql);
750:             $this->db->nextRecord();
751:             $name = $this->db->f('name');
752: 
753:             // Check which subareas are there and write them in the array
754:             $sql = "SELECT idarea FROM " . $cfg['tab']['area'] . " WHERE parent_id='$name' OR idarea=$mainarea";
755:             $this->db->query($sql);
756:             $area_tree[$mainarea] = array();
757:             while ($this->db->nextRecord()) {
758:                 $area_tree[$mainarea][] = $this->db->f('idarea');
759:             }
760:         }
761:         return $mainarea;
762:     }
763: }
764: