1: <?php
  2: 
  3: /**
  4:  * This file contains the CONTENIDO rights functions.
  5:  *
  6:  * @package          Core
  7:  * @subpackage       Backend
  8:  * @author           Martin Horwath
  9:  * @author           Murat Purc <murat@purc.de>
 10:  * @copyright        four for business AG <www.4fb.de>
 11:  * @license          http://www.contenido.org/license/LIZENZ.txt
 12:  * @link             http://www.4fb.de
 13:  * @link             http://www.contenido.org
 14:  */
 15: 
 16: defined('CON_FRAMEWORK') || die('Illegal call: Missing framework initialization - request aborted.');
 17: 
 18: /**
 19:  * Function checks if a language is associated with a given list of clients
 20:  *
 21:  * @param array $aClients
 22:  *         array of clients to check
 23:  * @param int   $iLang
 24:  *         language id which should be checked
 25:  * @param array $aCfg
 26:  *         CONTENIDO configruation array (no more needed)
 27:  * @param cDb   $oDb
 28:  *         CONTENIDO database object (no more needed)
 29:  *
 30:  * @return bool
 31:  *         status
 32:  *         If language id corresponds to list of clients true otherwise false.
 33:  * 
 34:  * @throws cDbException
 35:  */
 36: function checkLangInClients($aClients, $iLang, $aCfg, $oDb) {
 37:     $oClientLanguageCollection = new cApiClientLanguageCollection();
 38:     return $oClientLanguageCollection->hasLanguageInClients($iLang, $aClients);
 39: }
 40: 
 41: /**
 42:  * Duplicate rights for any element.
 43:  *
 44:  * @param string $area
 45:  *         Main area name (e. g. 'lay', 'mod', 'str', 'tpl', etc.)
 46:  * @param int    $iditem
 47:  *         ID of element to copy
 48:  * @param int    $newiditem
 49:  *         ID of the new element
 50:  * @param bool   $idlang
 51:  *         ID of language, if passed only rights for this language
 52:  *         will be created, otherwise for all existing languages
 53:  *
 54:  * @return bool
 55:  *         True on success otherwise false
 56:  * 
 57:  * @throws cDbException
 58:  * @throws cException
 59:  * @throws cInvalidArgumentException
 60:  */
 61: function copyRightsForElement($area, $iditem, $newiditem, $idlang = false) {
 62:     global $perm, $auth, $area_tree;
 63: 
 64:     if (!is_object($perm)) {
 65:         return false;
 66:     }
 67:     if (!is_object($auth)) {
 68:         return false;
 69:     }
 70: 
 71:     $oDestRightCol = new cApiRightCollection();
 72:     $oSourceRighsColl = new cApiRightCollection();
 73:     $whereUsers = array();
 74:     $whereAreaActions = array();
 75: 
 76:     // get all user_id values for con_rights
 77:     $userIDContainer = $perm->getGroupsForUser($auth->auth['uid']); // add
 78:     // groups if
 79:     // available
 80:     $userIDContainer[] = $auth->auth['uid']; // add user_id of current user
 81:     foreach ($userIDContainer as $key) {
 82:         $whereUsers[] = "user_id = '" . $oDestRightCol->escape($key) . "'";
 83:     }
 84:     $whereUsers = '(' . implode(' OR ', $whereUsers) . ')'; // only duplicate on
 85:     // user and where
 86:     // user is member of
 87:     // get all idarea values for $area
 88:     $areaContainer = $area_tree[$perm->showareas($area)];
 89: 
 90:     // get all actions for corresponding area
 91:     $oActionColl = new cApiActionCollection();
 92:     $oActionColl->select('idarea IN (' . implode(',', $areaContainer) . ')');
 93:     while (($oItem = $oActionColl->next()) !== false) {
 94:         $whereAreaActions[] = '(idarea = ' . (int) $oItem->get('idarea') . ' AND idaction = ' . (int) $oItem->get('idaction') . ')';
 95:     }
 96:     $whereAreaActions = '(' . implode(' OR ', $whereAreaActions) . ')'; // only
 97:     // correct
 98:     // area
 99:     // action
100:     // pairs
101:     // possible
102:     // final where clause to get all affected elements in con_right
103:     $sWhere = "{$whereAreaActions} AND {$whereUsers} AND idcat = {$iditem}";
104:     if ($idlang) {
105:         $sWhere .= ' AND idlang=' . (int) $idlang;
106:     }
107: 
108:     $oSourceRighsColl->select($sWhere);
109:     while (($oItem = $oSourceRighsColl->next()) !== false) {
110:         $rs = $oItem->toObject();
111:         $oDestRightCol->create($rs->user_id, $rs->idarea, $rs->idaction, $newiditem, $rs->idclient, $rs->idlang, $rs->type);
112:     }
113: 
114:     // permissions reloaded...
115:     $perm->load_permissions(true);
116: 
117:     return true;
118: }
119: 
120: /**
121:  * Create rights for any element
122:  *
123:  * @param string $area
124:  *         Main area name (e. g. 'lay', 'mod', 'str', 'tpl', etc.)
125:  * @param int    $iditem
126:  *         ID of new element
127:  * @param bool   $idlang
128:  *         ID of language, if passed only rights for this language
129:  *         will be created, otherwise for all existing languages
130:  *
131:  * @return bool
132:  *         True on success otherwise false
133:  * 
134:  * @throws cDbException
135:  * @throws cException
136:  * @throws cInvalidArgumentException
137:  */
138: function createRightsForElement($area, $iditem, $idlang = false) {
139:     global $perm, $auth, $area_tree, $client;
140: 
141:     if (!is_object($perm)) {
142:         return false;
143:     }
144:     if (!is_object($auth)) {
145:         return false;
146:     }
147: 
148:     $oDestRightCol = new cApiRightCollection();
149:     $oSourceRighsColl = new cApiRightCollection();
150:     $whereUsers = array();
151:     $rightsCache = array();
152: 
153:     // get all user_id values for con_rights
154:     $userIDContainer = $perm->getGroupsForUser($auth->auth['uid']); // add
155:     // groups if
156:     // available
157:     $userIDContainer[] = $auth->auth['uid']; // add user_id of current user
158:     foreach ($userIDContainer as $key) {
159:         $whereUsers[] = "user_id = '" . $oDestRightCol->escape($key) . "'";
160:     }
161:     $whereUsers = '(' . implode(' OR ', $whereUsers) . ')'; // only duplicate on
162:     // user and where
163:     // user is member of
164:     // get all idarea values for $area short way
165:     $areaContainer = $area_tree[$perm->showareas($area)];
166: 
167:     // statement to get all existing actions/areas for corresponding area.
168:     // all existing rights for same area will be taken over to new item.
169:     $sWhere = 'idclient=' . (int) $client . ' AND idarea IN (' . implode(',', $areaContainer) . ')' . ' AND idcat != 0 AND idaction != 0 AND ' . $whereUsers;
170:     if ($idlang) {
171:         $sWhere .= ' AND idlang=' . (int) $idlang;
172:     }
173: 
174:     $oSourceRighsColl->select($sWhere);
175:     while (($oItem = $oSourceRighsColl->next()) !== false) {
176:         $rs = $oItem->toObject();
177: 
178:         // concatenate a key to use it to prevent double entries
179:         $key = $rs->user_id . '-' . $rs->idarea . '-' . $rs->idaction . '-' . $iditem . '-' . $rs->idclient . '-' . $rs->idlang . '-' . $rs->type;
180:         if (isset($rightsCache[$key])) {
181:             continue;
182:         }
183: 
184:         // create new right entry
185:         $oDestRightCol->create($rs->user_id, $rs->idarea, $rs->idaction, $iditem, $rs->idclient, $rs->idlang, $rs->type);
186: 
187:         $rightsCache[$key] = true;
188:     }
189: 
190:     // permissions reloaded...
191:     $perm->load_permissions(true);
192: 
193:     return true;
194: }
195: 
196: /**
197:  * Delete rights for any element
198:  *
199:  * @param string $area
200:  *         main area name
201:  * @param int    $iditem
202:  *         ID of new element
203:  * @param bool   $idlang
204:  *         ID of lang parameter
205:  *
206:  * @throws cDbException
207:  * @throws cInvalidArgumentException
208:  */
209: function deleteRightsForElement($area, $iditem, $idlang = false) {
210:     global $perm, $area_tree, $client;
211: 
212:     // get all idarea values for $area
213:     $areaContainer = $area_tree[$perm->showareas($area)];
214: 
215:     $sWhere = "idcat=" . (int) $iditem . " AND idclient=" . (int) $client . " AND idarea IN (" . implode(',', $areaContainer) . ")";
216:     if ($idlang) {
217:         $sWhere .= " AND idlang=" . (int) $idlang;
218:     }
219: 
220:     $oRightColl = new cApiRightCollection();
221:     $oRightColl->deleteByWhereClause($sWhere);
222: 
223:     // permissions reloaded...
224:     $perm->load_permissions(true);
225: }
226: 
227: /**
228:  * Builds user/group permissions (sysadmin, admin, client and language) by
229:  * processing request variables ($msysadmin, $madmin, $mclient, $mlang) and
230:  * returns the build permissions array.
231:  *
232:  * @todo Do we really need to add other perms, if the user/group gets the
233:  *       'sysadmin' permission?
234:  *
235:  * @param bool $bAddUserToClient
236:  *         Flag to add current user to current client, if no client is specified.
237:  *
238:  * @return array
239:  * 
240:  * @throws cDbException
241:  */
242: function buildUserOrGroupPermsFromRequest($bAddUserToClient = false) {
243:     global $cfg, $msysadmin, $madmin, $mclient, $mlang, $auth, $client;
244: 
245:     $aPerms = array();
246: 
247:     // check and prevalidation
248: 
249:     $bSysadmin = (isset($msysadmin) && $msysadmin);
250: 
251:     $aAdmin = (isset($madmin) && is_array($madmin)) ? $madmin : array();
252:     foreach ($aAdmin as $p => $value) {
253:         if (!is_numeric($value)) {
254:             unset($aAdmin[$p]);
255:         }
256:     }
257: 
258:     $aClient = (isset($mclient) && is_array($mclient)) ? $mclient : array();
259:     foreach ($aClient as $p => $value) {
260:         if (!is_numeric($value)) {
261:             unset($aClient[$p]);
262:         }
263:     }
264: 
265:     $aLang = (isset($mlang) && is_array($mlang)) ? $mlang : array();
266:     foreach ($aLang as $p => $value) {
267:         if (!is_numeric($value)) {
268:             unset($aLang[$p]);
269:         }
270:     }
271: 
272:     // build permissions array
273: 
274:     if ($bSysadmin) {
275:         $aPerms[] = 'sysadmin';
276:     }
277: 
278:     foreach ($aAdmin as $value) {
279:         $aPerms[] = sprintf('admin[%s]', $value);
280:     }
281: 
282:     foreach ($aClient as $value) {
283:         $aPerms[] = sprintf('client[%s]', $value);
284:     }
285: 
286:     if (count($aClient) == 0 && $bAddUserToClient) {
287:         // Add user to the current client, if the current user isn't sysadmin
288:         // and
289:         // no client has been specified. This avoids new accounts which are not
290:         // accessible by the current user (client admin) anymore.
291:         $aUserPerm = explode(',', $auth->auth['perm']);
292:         if (!in_array('sysadmin', $aUserPerm)) {
293:             $aPerms[] = sprintf('client[%s]', $client);
294:         }
295:     }
296: 
297:     if (count($aLang) > 0 && count($aClient) > 0) {
298:         // adding language perms makes sense if we have also at least one
299:         // selected client
300:         $db = cRegistry::getDb();
301:         foreach ($aLang as $value) {
302:             if (checkLangInClients($aClient, $value, $cfg, $db)) {
303:                 $aPerms[] = sprintf('lang[%s]', $value);
304:             }
305:         }
306:     }
307: 
308:     return $aPerms;
309: }
310: 
311: /**
312:  *
313:  * @return bool
314:  * 
315:  * @throws cDbException
316:  * @throws cException
317:  * @throws cInvalidArgumentException
318:  */
319: function saveRights() {
320:     global $perm, $notification, $db, $userid;
321:     global $rights_list, $rights_list_old, $rights_client, $rights_lang;
322:     global $aArticleRights, $aCategoryRights, $aTemplateRights;
323: 
324:     // If no checkbox is checked
325:     if (!is_array($rights_list)) {
326:         $rights_list = array();
327:     }
328: 
329:     // Search all checks which are not in the new rights_list for deleting
330:     $arraydel = array_diff(array_keys($rights_list_old), array_keys($rights_list));
331: 
332:     // Search all checks which are not in the rights_list_old for saving
333:     $arraysave = array_diff(array_keys($rights_list), array_keys($rights_list_old));
334:     $oAreaColl = new cApiAreaCollection();
335: 
336:     if (is_array($arraydel)) {
337:         foreach ($arraydel as $value) {
338: 
339:             $data = explode('|', $value);
340: 
341:             // Do not delete rights that does not display at this moment
342:             if (!empty($_REQUEST['filter_rights'])) {
343:                 if (($_REQUEST['filter_rights'] != 'article' && in_array($data[1], $aArticleRights)) ||
344:                     ($_REQUEST['filter_rights'] != 'category' && in_array($data[1], $aCategoryRights)) ||
345:                     ($_REQUEST['filter_rights'] != 'template' && in_array($data[1], $aTemplateRights))) {
346:                     continue;
347:                 }
348: 
349:                 if ($_REQUEST['filter_rights'] != 'other' && !in_array($data[1], array_merge($aArticleRights, $aCategoryRights, $aTemplateRights))) {
350:                     continue;
351:                 }
352:             }
353: 
354:             $data[0] = $oAreaColl->getAreaID($data[0]);
355:             $data[1] = $perm->getIDForAction($data[1]);
356: 
357:             $where = "user_id = '" . $db->escape($userid) . "' AND idclient = " . (int) $rights_client . " AND idlang = " . (int) $rights_lang . " AND idarea = " . (int) $data[0] . " AND idcat = " . (int) $data[2] . " AND idaction = " . (int) $data[1] . " AND type = 0";
358:             $oRightColl = new cApiRightCollection();
359:             $oRightColl->deleteByWhereClause($where);
360:         }
361:     }
362: 
363:     unset($data);
364: 
365:     // Search for all mentioned checkboxes
366:     if (is_array($arraysave)) {
367:         foreach ($arraysave as $value) {
368:             // Explodes the key it consits areaid+actionid+itemid
369:             $data = explode('|', $value);
370: 
371:             // Since areas are stored in a numeric form in the rights table, we
372:             // have
373:             // to convert them from strings into numbers
374:             $data[0] = $oAreaColl->getAreaID($data[0]);
375:             $data[1] = $perm->getIDForAction($data[1]);
376: 
377:             if (!isset($data[1])) {
378:                 $data[1] = 0;
379:             }
380: 
381:             // Insert new right
382:             $oRightColl = new cApiRightCollection();
383:             $oRightColl->create($userid, $data[0], $data[1], $data[2], $rights_client, $rights_lang, 0);
384:         }
385:     }
386: 
387:     $rights_list_old = $rights_list;
388: 
389:     return true;
390: 
391: }
392: 
393: /**
394:  *
395:  * @return bool
396:  * 
397:  * @throws cDbException
398:  * @throws cException
399:  * @throws cInvalidArgumentException
400:  */
401: function saveGroupRights() {
402:     global $perm, $notification, $db, $groupid;
403:     global $rights_list, $rights_list_old, $rights_client, $rights_lang;
404:     global $aArticleRights, $aCategoryRights, $aTemplateRights;
405: 
406:     // If no checkbox is checked
407:     if (!is_array($rights_list)) {
408:         $rights_list = array();
409:     }
410: 
411:     // Search all checks which are not in the new rights_list for deleting
412:     $arraydel = array_diff(array_keys($rights_list_old), array_keys($rights_list));
413: 
414:     // Search all checks which are not in the rights_list_old for saving
415:     $arraysave = array_diff(array_keys($rights_list), array_keys($rights_list_old));
416: 
417:     $oAreaColl = new cApiAreaCollection();
418: 
419:     if (is_array($arraydel)) {
420:         foreach ($arraydel as $value) {
421:             $data = explode('|', $value);
422: 
423:             // Do not delete grouprights that does not display at this moment
424:             if (!empty($_REQUEST['filter_rights'])) {
425:                 if (($_REQUEST['filter_rights'] != 'article' && in_array($data[1], $aArticleRights)) ||
426:                     ($_REQUEST['filter_rights'] != 'category' && in_array($data[1], $aCategoryRights)) ||
427:                     ($_REQUEST['filter_rights'] != 'template' && in_array($data[1], $aTemplateRights))) {
428:                     continue;
429:                 }
430: 
431:                 if ($_REQUEST['filter_rights'] != 'other' && !in_array($data[1], array_merge($aArticleRights, $aCategoryRights, $aTemplateRights))) {
432:                     continue;
433:                 }
434:             }
435: 
436:             $data[0] = $oAreaColl->getAreaID($data[0]);
437:             $data[1] = $perm->getIDForAction($data[1]);
438: 
439:             $where = "user_id = '" . $db->escape($groupid) . "' AND idclient = " . (int) $rights_client . " AND idlang = " . (int) $rights_lang . " AND idarea = " . (int) $data[0] . " AND idcat = " . (int) $data[2] . " AND idaction = " . (int) $data[1] . " AND type = 1";
440:             $oRightColl = new cApiRightCollection();
441:             $oRightColl->deleteByWhereClause($where);
442:         }
443:     }
444: 
445:     unset($data);
446: 
447:     // Search for all mentioned checkboxes
448:     if (is_array($arraysave)) {
449:         foreach ($arraysave as $value) {
450:             // Explodes the key it consits areaid+actionid+itemid
451:             $data = explode('|', $value);
452: 
453:             // Since areas are stored in a numeric form in the rights table, we
454:             // have
455:             // to convert them from strings into numbers
456:             $data[0] = $oAreaColl->getAreaID($data[0]);
457:             $data[1] = $perm->getIDForAction($data[1]);
458: 
459:             if (!isset($data[1])) {
460:                 $data[1] = 0;
461:             }
462: 
463:             // Insert new right
464:             $oRightColl = new cApiRightCollection();
465:             $oRightColl->create($groupid, $data[0], $data[1], $data[2], $rights_client, $rights_lang, 1);
466:         }
467:     }
468: 
469:     $rights_list_old = $rights_list;
470:     return true;
471: }
472: 
473: /**
474:  * Build list of rights for all relevant and online areas except "login" and their relevant actions.
475:  *
476:  * @return array
477:  */
478: function getRightsList()
479: {
480:     $areas   = new cApiAreaCollection();
481:     $navSubs = new cApiNavSubCollection();
482:     $actions = new cApiActionCollection();
483: 
484:     try {
485:         $rights = [];
486: 
487:         $areas->select('relevant = 1 AND online = 1 AND name != "login"');
488:         while ($area = $areas->next()) {
489:             $right = [
490:                 'perm'     => $area->get('name'),
491:                 'location' => '',
492:             ];
493: 
494:             // get location
495:             $navSubs->select('idarea = ' . (int)$area->get('idarea'));
496:             if ($navSubItem = $navSubs->next()) {
497:                 $right['location'] = $navSubItem->get('location');
498:             }
499: 
500:             // get relevant actions
501:             $actions->select('relevant = 1 AND idarea = ' . (int)$area->get('idarea'));
502:             while ($action = $actions->next()) {
503:                 $right['action'][] = $action->get('name');
504:             }
505: 
506:             // insert into list
507:             if ($area->get('parent_id') == '0') {
508:                 $key = $area->get('name');
509:             } else {
510:                 $key = $area->get('parent_id');
511:             }
512:             $rights[$key][$area->get('name')] = $right;
513:         }
514:     } catch (cDbException $e) {
515:         $rights = [];
516:     } catch (cException $e) {
517:         $rights = [];
518:     }
519: 
520:     return $rights;
521: }
522: