1: <?php
  2: /**
  3:  * This file contains the the permission class.
  4:  *
  5:  * @package Core
  6:  * @subpackage Backend
  7:  * @author Boris Erdmann
  8:  * @author Kristian Koehntopp
  9:  * @copyright four for business AG <www.4fb.de>
 10:  * @license http://www.contenido.org/license/LIZENZ.txt
 11:  * @link http://www.4fb.de
 12:  * @link http://www.contenido.org
 13:  */
 14: 
 15: defined('CON_FRAMEWORK') || die('Illegal call: Missing framework initialization - request aborted.');
 16: 
 17: /**
 18:  * This class handles the permission management
 19:  *
 20:  * @package Core
 21:  * @subpackage Backend
 22:  */
 23: class cPermission {
 24: 
 25:     /**
 26:      * Permission class name
 27:      *
 28:      * @var string
 29:      */
 30:     public $classname = 'cPermission';
 31: 
 32:     /**
 33:      * Area cache
 34:      *
 35:      * @var array
 36:      */
 37:     public $areacache = array();
 38: 
 39:     /**
 40:      * Actions cache
 41:      *
 42:      * @var array
 43:      */
 44:     public $actioncache = array();
 45: 
 46:     /**
 47:      * CONTENIDO database object
 48:      *
 49:      * @var cDb
 50:      */
 51:     public $db;
 52: 
 53:     /**
 54:      * Returns all groups of a user
 55:      *
 56:      * @param string $userId
 57:      *
 58:      * @return array
 59:      *         List of group ids
 60:      *
 61:      * @throws cDbException
 62:      * @throws cException
 63:      */
 64:     public function getGroupsForUser($userId) {
 65:         $groups = array();
 66: 
 67:         $oGroupMemberColl = new cApiGroupMemberCollection();
 68:         $oGroupMemberColl->select("user_id='" . $oGroupMemberColl->escape($userId) . "'");
 69:         while (false !== $oItem = $oGroupMemberColl->next()) {
 70:             $groups[] = $oItem->get('group_id');
 71:         }
 72: 
 73:         return $groups;
 74:     }
 75: 
 76:     /**
 77:      * Returns the id of an area.
 78:      * If passed area is numeric, it will returned directly.
 79:      *
 80:      * @deprecated [2015-05-21]
 81:      *         This method is no longer supported (no replacement)
 82:      * @param string|int $area
 83:      *
 84:      * @return int
 85:      *
 86:      * @throws cDbException
 87:      * @throws cException
 88:      */
 89:     public function getIDForArea($area) {
 90:         if (is_numeric($area)) {
 91:             return $area;
 92:         } elseif (isset($this->areacache[$area])) {
 93:             return $this->areacache[$area];
 94:         }
 95: 
 96:         $oAreaColl = new cApiAreaCollection();
 97:         $oAreaColl->select("name='" . $oAreaColl->escape($area) . "'");
 98:         if (false !== $oItem = $oAreaColl->next()) {
 99:             $this->areacache[$area] = $oItem->get('idarea');
100:             $area = $oItem->get('idarea');
101:         }
102: 
103:         return $area;
104:     }
105: 
106:     /**
107:      * Returns the id of an action.
108:      * If passed action is numeric, it will returned directly.
109:      *
110:      * @param string|int $action
111:      *
112:      * @return int
113:      *
114:      * @throws cDbException
115:      * @throws cException
116:      */
117:     public function getIDForAction($action) {
118:         if (is_numeric($action)) {
119:             return $action;
120:         } elseif (isset($this->actioncache[$action])) {
121:             return $this->actioncache[$action];
122:         }
123: 
124:         $oActionColl = new cApiActionCollection();
125:         $oActionColl->select("name='" . $oActionColl->escape($action) . "'");
126:         if (false !== $oItem = $oActionColl->next()) {
127:             $this->actioncache[$action] = $oItem->get('idaction');
128:             $action = $oItem->get('idaction');
129:         }
130: 
131:         return $action;
132:     }
133: 
134:     /**
135:      * Loads all permissions of groups where current logged in user is a member
136:      * and saves them in session.
137:      *
138:      * @param bool $force [optional]
139:      *                    Flag to force loading, event if they were cached before
140:      *
141:      * @return string
142:      *         Returns diffrent values, depending on state:
143:      *         '1' (string) if permissions couldn't loaded
144:      *         '3' (string) if permissions were loaded successfully
145:      *
146:      * @throws cDbException
147:      * @throws cException
148:      */
149:     public function load_permissions($force = false) {
150:         global $sess, $area_rights, $item_rights, $auth, $changelang, $changeclient;
151: 
152:         $return = '1';
153: 
154:         // if not admin or sysadmin
155:         if (!$this->have_perm()) {
156:             $return = isset($area_rights);
157: 
158:             if (!isset($area_rights) || !isset($item_rights) || isset($changeclient) || isset($changelang) || $force) {
159:                 $return = '3';
160:                 // register variables
161:                 $sess->register('area_rights');
162:                 $sess->register('item_rights');
163:                 $item_rights = array();
164:                 $groups = $this->getGroupsForUser($auth->auth['uid']);
165: 
166:                 if (is_array($groups)) {
167:                     foreach ($groups as $group) {
168:                         $this->load_permissions_for_user($group);
169:                     }
170:                 }
171: 
172:                 $this->load_permissions_for_user($auth->auth['uid']);
173:             }
174:         }
175: 
176:         return $return;
177:     }
178: 
179:     /**
180:      * Loads all permissions for a specific user or group.
181:      * Stores area rights in global variable $area_rights.
182:      * Stores item rights in global variable $item_rights.
183:      *
184:      * @param string $user
185:      *         User Id hash
186:      *
187:      * @throws cDbException
188:      * @throws cException
189:      */
190:     public function load_permissions_for_user($user) {
191:         global $client, $lang;
192:         global $area_rights, $item_rights;
193: 
194:         $oRightColl = new cApiRightCollection();
195:         $sWhere = "user_id='" . $oRightColl->escape($user) . "'";
196:         $sWhere .= " AND idcat=0 AND " . "idclient=" . (int) $client;
197:         $sWhere .= " AND idlang=" . (int) $lang;
198:         $oRightColl->select($sWhere);
199: 
200:         // define $area_rights if not already done so
201:         if (!is_array($area_rights)) {
202:             $area_rights = array();
203:         }
204:         while (false !== $oItem = $oRightColl->next()) {
205:             $idarea = $oItem->get('idarea');
206:             $idaction = $oItem->get('idaction');
207:             $area_rights[$idarea][$idaction] = true;
208:         }
209: 
210:         // Select Rights for Article and Sructure (Attention Hard code Areas)
211:         $oAreaColl = new cApiAreaCollection();
212:         $oAreaColl->select();
213:         while (false !== $oItem = $oAreaColl->next()) {
214:             $idarea = $oItem->get('idarea');
215:             $tmp_area[] = $idarea;
216:         }
217: 
218:         $tmp_area_string = implode("','", array_values($tmp_area));
219:         $sWhere = "user_id='" . $oRightColl->escape($user) . "'";
220:         $sWhere .= " AND idclient=" . (int) $client;
221:         $sWhere .= " AND idlang=" . (int) $lang;
222:         $sWhere .= " AND idarea IN ('$tmp_area_string')";
223:         $sWhere .= "AND idcat != 0";
224:         $oRightColl->select($sWhere);
225:         while (false !== $oItem = $oRightColl->next()) {
226:             $idarea = $oItem->get('idarea');
227:             $idaction = $oItem->get('idaction');
228:             $idcat = $oItem->get('idcat');
229:             $item_rights[$idarea][$idaction][$idcat] = $idcat;
230:         }
231:     }
232: 
233:     /**
234:      *
235:      * @param string $area
236:      * @param int    $action [optional]
237:      *
238:      * @return bool
239:      *
240:      * @throws cDbException
241:      * @throws cException
242:      */
243:     public function have_perm_area_action_anyitem($area, $action = 0) {
244:         global $item_rights;
245: 
246:         if ($this->have_perm_area_action($area, $action)) {
247:             return true;
248:         }
249: 
250:         $oAreaColl = new cApiAreaCollection();
251:         $area = $oAreaColl->getAreaID($area);
252: 
253:         $action = $this->getIDForAction($action);
254: 
255:         return isset($item_rights[$area][$action]);
256:     }
257: 
258:     /**
259:      *
260:      * @param string $area
261:      * @param string $action
262:      * @param mixed  $itemid
263:      *
264:      * @return bool
265:      *
266:      * @throws cDbException
267:      * @throws cException
268:      */
269:     public function have_perm_area_action_item($area, $action, $itemid) {
270:         global $item_rights, $auth, $client, $lang, $cfg;
271: 
272:         if ($this->have_perm()) {
273:             return true;
274:         }
275: 
276:         $oAreaColl = new cApiAreaCollection();
277:         $area = $oAreaColl->getAreaID($area);
278:         $action = $this->getIDForAction($action);
279: 
280:         // If the user has a right on this action in this area check for the
281:         // items
282:         if ($this->have_perm_area_action($area, $action)) {
283:             return true;
284:         }
285: 
286:         // Check rights for the action in this area at this item
287:         if (isset($item_rights[$area][$action][$itemid])) {
288:             // If have action for area + action +item check right for client and
289:             // lang
290:             return true;
291:         }
292: 
293:         if ($item_rights[$area] != 'noright') {
294:             $groupsForUser = $this->getGroupsForUser($auth->auth['uid']);
295:             $groupsForUser[] = $auth->auth['uid'];
296: 
297:             $userIdIn = implode("','", $groupsForUser);
298: 
299:             $oRightsColl = new cApiRightCollection();
300:             $where = "user_id IN ('" . $userIdIn . "') AND idclient=" . (int) $client . " AND idlang=" . (int) $lang . " AND idarea=$area AND idcat != 0";
301: 
302:             if (!$oRightsColl->select($where)) {
303:                 $item_rights[$area] = 'noright';
304:                 return false;
305:             }
306: 
307:             while (false !== $oItem = $oRightsColl->next()) {
308:                 $item_rights[$oItem->get('idarea')][$oItem->get('idaction')][$oItem->get('idcat')] = $oItem->get('idcat');
309:             }
310: 
311:             // Check
312:             if (isset($item_rights[$area][$action][$itemid])) {
313:                 // If have action for area + action +item check right for client
314:                 // and lang
315:                 return true;
316:             }
317:         }
318:         return false;
319:     }
320: 
321:     /**
322:      * Returns the parent id of passed area
323:      *
324:      * @deprecated [2015-05-21]
325:      *         This method is no longer supported (no replacement)
326:      * @param int|string $area
327:      *         Area id or name
328:      *
329:      * @return string|int
330:      *         name of parent area or passed area
331:      *
332:      * @throws cDbException
333:      */
334:     public function getParentAreaId($area) {
335:         $oAreaColl = new cApiAreaCollection();
336:         return $oAreaColl->getParentAreaID($area);
337:     }
338: 
339:     /**
340:      *
341:      * @param string $area
342:      * @param int    $action [optional]
343:      *
344:      * @return bool
345:      *
346:      * @throws cDbException
347:      * @throws cException
348:      */
349:     public function have_perm_area_action($area, $action = 0) {
350:         global $area_rights, $client, $lang, $cfg;
351: 
352:         $oAreaColl = new cApiAreaCollection();
353:         $area = $oAreaColl->getAreaID($area);
354:         $action = $this->getIDForAction($action);
355: 
356:         if ($action == 0) {
357:             $area = $oAreaColl->getParentAreaID($area);
358:         }
359: 
360:         $area = $oAreaColl->getAreaID($area);
361: 
362:         if (!$this->have_perm()) {
363:             if ($action == 0 && $area_rights[$area]) {
364:                 // If have action for area + action check right for client and
365:                 // lang
366:                 return $this->have_perm_client_lang($client, $lang);
367:             }
368: 
369:             // check rights for the action in this area
370:             if ($area_rights[$area][$action]) {
371:                 // If have action for area + action check right for client and
372:                 // lang
373:                 return $this->have_perm_client_lang($client, $lang);
374:             }
375: 
376:             return false;
377:         }
378: 
379:         return true;
380:     }
381: 
382:     /**
383:      *
384:      * @param int $client
385:      * @param int $lang
386:      * @return bool
387:      */
388:     public function have_perm_client_lang($client, $lang) {
389:         global $auth;
390: 
391:         // Changed back to a full featured function, as have_perm
392:         // needs $client as global variable - not provided by this
393:         // function
394:         // return $this->have_perm("client[$client],lang[$lang]");
395: 
396:         if (!isset($auth->auth['perm'])) {
397:             $auth->auth['perm'] = '';
398:         }
399: 
400:         // Split the permissions of the user
401:         $userperm = explode(',', $auth->auth['perm']);
402: 
403:         if (in_array('sysadmin', $userperm)) {
404:             return true; // User is sysadmin
405:         } elseif (in_array("admin[$client]", $userperm)) {
406:             return true; // User is admin
407:         } else {
408:             // Check rights for the client and the language
409:             $pageperm = explode(',', "client[$client],lang[$lang]");
410:             foreach ($pageperm as $value) {
411:                 if (!in_array($value, $userperm)) {
412:                     return false;
413:                 }
414:             }
415:         }
416:         return true;
417:     }
418: 
419:     /**
420:      * Checks if a user has access rights for a specific client.
421:      *
422:      * @param bool $iClient [optional]
423:      *                      idclient to check, or false for the current client
424:      * @param object $oUser   [optional]
425:      *                      User object to check against, or false for the current user
426:      *
427:      * @return bool
428:      *
429:      * @throws cInvalidArgumentException
430:      */
431:     public function hasClientPermission($iClient = false, $oUser = false) {
432:         global $client;
433: 
434:         if ($iClient === false) {
435:             $iClient = $client;
436:         }
437: 
438:         $oUser = $this->_checkUserObject($oUser);
439: 
440:         if ($this->isSysadmin($oUser)) {
441:             return true;
442:         } elseif ($this->isClientAdmin($iClient, $oUser)) {
443:             return true;
444:         } elseif ($this->isClientUser($iClient, $oUser)) {
445:             return true;
446:         } else {
447:             return false;
448:         }
449: 
450:         // Commented out by Timo Trautmann, because here only client access is checked,
451:         // possibility for admin or sysadmin access was ignored.
452:         // functions isSysadmin isClientAdmin isClientUser also handles permission for groups
453: 
454:         // Check clients' rights of users' group(s)
455:         // global $auth;
456:         // $aGroups = $this->getGroupsForUser($auth->auth["uid"]);
457:         // if (is_array($aGroups)) {
458:         //     foreach ($aGroups as $group) {
459:         //         $oGroup = new cApiGroup($group);
460:         //         if ($this->isClientGroup($iClient, $oGroup)) {
461:         //             return true;
462:         //         }
463:         //     }
464:         // }
465:         //
466:         // return false;
467:     }
468: 
469:     /**
470:      * Checks if the given user has access permission for a client
471:      *
472:      * @param int    $iClient
473:      *         idclient to check
474:      * @param object $oUser
475:      *         User object to check against
476:      *
477:      * @return bool
478:      *
479:      * @throws cInvalidArgumentException
480:      */
481:     public function isClientUser($iClient, $oUser) {
482:         $oUser = $this->_checkUserObject($oUser);
483: 
484:         $aPermissions = explode(',', $oUser->getEffectiveUserPerms());
485: 
486:         if (in_array("client[$iClient]", $aPermissions)) {
487:             return true;
488:         }
489: 
490:         return false;
491:     }
492: 
493:     /**
494:      * Checks if the given group has access permission for a client
495:      *
496:      * @param int $iClient
497:      *         idclient to check
498:      * @param object $oGroup
499:      *         Group object to check against
500:      * @return bool
501:      */
502:     public function isClientGroup($iClient, $oGroup) {
503:         $aPermissions = explode(',', $oGroup->getField('perms'));
504: 
505:         if (in_array("client[$iClient]", $aPermissions)) {
506:             return true;
507:         }
508: 
509:         return false;
510:     }
511: 
512:     /**
513:      * Checks if the given user has an admin permission
514:      *
515:      * @param int    $iClient
516:      *         idclient to check
517:      * @param object $oUser
518:      *         User object to check against
519:      *
520:      * @return bool
521:      *
522:      * @throws cInvalidArgumentException
523:      */
524:     public function isClientAdmin($iClient, $oUser) {
525:         $oUser = $this->_checkUserObject($oUser);
526: 
527:         $aPermissions = explode(',', $oUser->getEffectiveUserPerms());
528: 
529:         if (in_array("admin[$iClient]", $aPermissions)) {
530:             return true;
531:         }
532: 
533:         return false;
534:     }
535: 
536:     /**
537:      * Checks if the given user has sysadmin permission
538:      *
539:      * @param object $oUser
540:      *         User object to check against
541:      *
542:      * @return bool
543:      *
544:      * @throws cInvalidArgumentException
545:      */
546:     public function isSysadmin($oUser) {
547:         $oUser = $this->_checkUserObject($oUser);
548: 
549:         $aPermissions = explode(',', $oUser->getEffectiveUserPerms());
550: 
551:         if (in_array('sysadmin', $aPermissions)) {
552:             return true;
553:         }
554: 
555:         return false;
556:     }
557: 
558:     /**
559:      * Checks if the given object is a user object.
560:      *
561:      * If oUser is false, initialize the object from the currently logged in
562:      * user. If oUser is not an object of the class cApiUser, throw an
563:      * exception.
564:      *
565:      * @param object $oUser
566:      *         User object
567:      *
568:      * @return object
569:      *
570:      * @throws cInvalidArgumentException
571:      *         if the given or constructed user is not a cApiUser object
572:      */
573:     private function _checkUserObject($oUser) {
574:         if ($oUser === false) {
575:             global $currentuser;
576:             $oUser = $currentuser;
577:         }
578: 
579:         if (!is_object($oUser)) {
580:             global $auth;
581:             $oUser = new cApiUser($auth->auth['uid']);
582:         }
583: 
584:         if (get_class($oUser) != 'cApiUser') {
585:             throw new cInvalidArgumentException('oUser parameter is not of type User');
586:         }
587: 
588:         return $oUser;
589:     }
590: 
591:     /**
592:      *
593:      * @param string $perm [optional]
594:      *
595:      * @return bool
596:      */
597:     public function have_perm_client($perm = 'x') {
598:         global $auth, $client;
599: 
600:         if (!isset($auth->auth['perm'])) {
601:             $auth->auth['perm'] = '';
602:         }
603: 
604:         // Split the permissions of the user
605:         $userperm = explode(',', $auth->auth['perm']);
606: 
607:         // If User is sysadmin or admin at this client return true
608:         if (in_array('sysadmin', $userperm)) {
609:             return true;
610:         }
611: 
612:         // If there are more permissions to ask split them
613:         $pageperm = explode(',', $perm);
614:         foreach ($pageperm as $value) {
615:             if (!in_array($value, $userperm)) {
616:                 return false;
617:             }
618:         }
619:         return true;
620:     }
621: 
622:     /**
623:      * Checks if user has permissions to passed perm.
624:      * - Sysadmin has allways permission
625:      * - Client admin has allways permission
626:      *
627:      * @param string $perm [optional]
628:      *         Permissions (comma separated list of perms) to check
629:      * @return bool
630:      */
631:     public function have_perm($perm = 'x') {
632:         global $auth, $client;
633: 
634:         if (!isset($auth->auth['perm'])) {
635:             $auth->auth['perm'] = '';
636:         }
637: 
638:         // Split the permissions of the user
639:         $userperm = explode(',', $auth->auth['perm']);
640: 
641:         // If User is sysadmin or admin at this client return true
642:         if (in_array('sysadmin', $userperm)) {
643:             return true;
644:         } elseif (in_array("admin[$client]", $userperm)) {
645:             return true;
646:             // Else check rights for the client and the language
647:         } else {
648:             // If there are more permissions to ask split them
649:             $pageperm = explode(',', $perm);
650:             foreach ($pageperm as $value) {
651:                 if (!in_array($value, $userperm)) {
652:                     return false;
653:                 }
654:             }
655:         }
656:         return true;
657:     }
658: 
659:     /**
660:      * Checks if an item have any perms
661:      *
662:      * @param string|int $mainarea
663:      * @param int        $itemid
664:      *
665:      * @return bool
666:      *
667:      * @throws cDbException
668:      * @throws cException
669:      */
670:     public function have_perm_item($mainarea, $itemid) {
671:         global $cfg, $item_rights, $cfg, $client, $lang, $auth, $area_tree, $sess;
672: 
673:         $oAreaColl = new cApiAreaCollection();
674:         $mainarea = $oAreaColl->getAreaID($mainarea);
675: 
676:         // If is admin or sysadmin
677:         if ($this->have_perm()) {
678:             return true;
679:         }
680: 
681:         // If is not admin or sysadmin
682: 
683:         if (!is_object($this->db)) {
684:             $this->db = cRegistry::getDb();
685:         }
686: 
687:         $this->showareas($mainarea);
688: 
689:         $flg = false;
690:         // Check if there are any rights for this areas
691:         foreach ($area_tree[$mainarea] as $value) {
692:             // If the flag noright is set there are no rights in this area
693:             if ($item_rights[$value] == 'noright') {
694:                 continue;
695:             } elseif (is_array($item_rights[$value])) {
696:                 // If there are any rights
697:                 foreach ($item_rights[$value] as $value2) {
698:                     if (in_array($itemid, $value2)) {
699:                         return true;
700:                     }
701:                 }
702:             } elseif ($item_rights[$value] != 'noright') {
703:                 $groupsForUser = $this->getGroupsForUser($auth->auth['uid']);
704:                 $groupsForUser[] = $auth->auth['uid'];
705: 
706:                 // else search for rights for this user in this area
707:                 $sql = "SELECT
708:                             *
709:                          FROM
710:                             " . $cfg['tab']['rights'] . "
711:                          WHERE
712:                             user_id IN ('" . implode("','", $groupsForUser) . "') AND
713:                             idclient = " . cSecurity::toInteger($client) . " AND
714:                             idlang = " . cSecurity::toInteger($lang) . " AND
715:                             idarea = '$value' AND
716:                             idcat != 0";
717:                 $this->db->query($sql);
718: 
719:                 // If there are no rights for this area set the flag norights
720:                 if ($this->db->affectedRows() == 0) {
721:                     $item_rights[$value] = 'noright';
722:                 }
723: 
724:                 // Set the rights
725:                 while ($this->db->nextRecord()) {
726:                     if ($this->db->f('idcat') == $itemid) {
727:                         $flg = true;
728:                     }
729:                     $item_rights[$this->db->f('idarea')][$this->db->f('idaction')][$this->db->f('idcat')] = $this->db->f('idcat');
730:                 }
731:             }
732:         }
733:         return $flg;
734:     }
735: 
736:     /**
737:      *
738:      * @param string|int $mainarea
739:      *
740:      * @return int
741:      *
742:      * @throws cDbException
743:      * @throws cException
744:      */
745:     public function showareas($mainarea) {
746:         global $area_tree, $sess, $perm, $cfg;
747: 
748:         if (!is_object($this->db)) {
749:             $this->db = cRegistry::getDb();
750:         }
751: 
752:         $oAreaColl = new cApiAreaCollection();
753:         $mainarea = $oAreaColl->getAreaID($mainarea);
754: 
755:         // If $area_tree for this area is not register
756:         if (!isset($area_tree[$mainarea])) {
757:             $sess->register('area_tree');
758: 
759:             // parent_id uses the name not the idarea
760:             $sql = "SELECT name FROM " . $cfg['tab']['area'] . " WHERE idarea=$mainarea";
761:             $this->db->query($sql);
762:             $this->db->nextRecord();
763:             $name = $this->db->f('name');
764: 
765:             // Check which subareas are there and write them in the array
766:             $sql = "SELECT idarea FROM " . $cfg['tab']['area'] . " WHERE parent_id='$name' OR idarea=$mainarea";
767:             $this->db->query($sql);
768:             $area_tree[$mainarea] = array();
769:             while ($this->db->nextRecord()) {
770:                 $area_tree[$mainarea][] = $this->db->f('idarea');
771:             }
772:         }
773:         return $mainarea;
774:     }
775: }
776: