1: <?php
// Abort when the file is requested directly instead of through the framework bootstrap.
if (!defined('CON_FRAMEWORK')) {
    die('Illegal call: Missing framework initialization - request aborted.');
}
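/**
 * Backend permission checks for the logged-in user.
 *
 * The class resolves area/action names to their ids (cached per instance),
 * loads the rights of the current user and of the groups it belongs to into
 * the session-registered globals $area_rights / $item_rights, and answers
 * permission queries against those globals and against the permission tokens
 * in $auth->auth['perm'] ('sysadmin', 'admin[<client>]', 'client[<client>]',
 * 'lang[<lang>]').
 *
 * Method names are part of the public API used by the rest of the framework
 * and are therefore kept as they are.
 */
class cPermission {

    /**
     * Class name; kept for backwards compatibility with code that reads it.
     *
     * @var string
     */
    public $classname = 'cPermission';

    /**
     * Cache of area name => idarea, filled by getIDForArea().
     *
     * @var array
     */
    public $areacache = array();

    /**
     * Cache of action name => idaction, filled by getIDForAction().
     *
     * @var array
     */
    public $actioncache = array();

    /**
     * Database handle, obtained lazily from cRegistry::getDb() by the methods
     * that run raw SQL (have_perm_item(), showareas()).
     *
     * @var object|null
     */
    public $db;

    /**
     * Returns the ids of all groups the given user is a member of.
     *
     * @param string $userId
     * @return array list of group ids (empty when the user is in no group)
     */
    public function getGroupsForUser($userId) {
        $groupIds = array();

        $memberColl = new cApiGroupMemberCollection();
        $memberColl->select("user_id='" . $memberColl->escape($userId) . "'");
        while ($member = $memberColl->next()) {
            $groupIds[] = $member->get('group_id');
        }

        return $groupIds;
    }

    /**
     * Resolves an area name to its idarea.
     *
     * Numeric input is returned as is. Lookups are cached in $this->areacache.
     * When no area with that name exists, the name is returned unchanged, so
     * callers that build SQL from the result must not trust it to be numeric.
     *
     * @param string|int $area area name or idarea
     * @return string|int idarea, or the unresolved name
     */
    public function getIDForArea($area) {
        if (is_numeric($area)) {
            return $area;
        }
        if (isset($this->areacache[$area])) {
            return $this->areacache[$area];
        }

        $areaColl = new cApiAreaCollection();
        $areaColl->select("name='" . $areaColl->escape($area) . "'");
        if ($areaItem = $areaColl->next()) {
            $this->areacache[$area] = $areaItem->get('idarea');
            return $this->areacache[$area];
        }

        return $area;
    }

    /**
     * Resolves an action name to its idaction.
     *
     * Numeric input is returned as is. Lookups are cached in
     * $this->actioncache. When no action with that name exists, the name is
     * returned unchanged.
     *
     * @param string|int $action action name or idaction
     * @return string|int idaction, or the unresolved name
     */
    public function getIDForAction($action) {
        if (is_numeric($action)) {
            return $action;
        }
        if (isset($this->actioncache[$action])) {
            return $this->actioncache[$action];
        }

        $actionColl = new cApiActionCollection();
        $actionColl->select("name='" . $actionColl->escape($action) . "'");
        if ($actionItem = $actionColl->next()) {
            $this->actioncache[$action] = $actionItem->get('idaction');
            return $this->actioncache[$action];
        }

        return $action;
    }

    /**
     * Loads the area and item rights of the logged-in user (and of its groups)
     * into the session-registered globals $area_rights and $item_rights.
     *
     * Nothing is loaded for users that pass have_perm(). Otherwise the rights
     * are (re)loaded when they are not yet in the session, when the client or
     * language was switched ($changeclient / $changelang set) or when $force
     * is true.
     *
     * @param bool $force reload even if the rights are already in the session
     * @return string|bool '1' when the user passes have_perm(), '3' when the
     *                     rights were (re)loaded, otherwise whether
     *                     $area_rights was already set
     */
    public function load_permissions($force = false) {
        global $sess, $area_rights, $item_rights, $auth, $changelang, $changeclient;

        if ($this->have_perm()) {
            return '1';
        }

        $needsReload = !isset($area_rights) || !isset($item_rights)
            || isset($changeclient) || isset($changelang) || $force;
        if (!$needsReload) {
            return isset($area_rights);
        }

        $sess->register('area_rights');
        $sess->register('item_rights');
        // NOTE(review): only $item_rights is reset here; $area_rights keeps
        // entries from an earlier load - confirm this is intended.
        $item_rights = array();

        $userId = $auth->auth['uid'];
        foreach ($this->getGroupsForUser($userId) as $groupId) {
            $this->load_permissions_for_user($groupId);
        }
        $this->load_permissions_for_user($userId);

        return '3';
    }

    /**
     * Merges the rights of one user or group id for the current client and
     * language into the globals
     *   $area_rights[idarea][idaction] = true          (rows with idcat=0) and
     *   $item_rights[idarea][idaction][idcat] = idcat  (rows with idcat!=0,
     *                                                   restricted to known areas).
     *
     * @param string $user user id or group id as stored in the rights table
     * @return void
     */
    public function load_permissions_for_user($user) {
        global $client, $lang;
        global $area_rights, $item_rights;

        $rightColl = new cApiRightCollection();
        $userWhere = "user_id='" . $rightColl->escape($user) . "'"
            . " AND idclient=" . (int) $client
            . " AND idlang=" . (int) $lang;

        // Area rights: rows that are not bound to a category.
        $rightColl->select($userWhere . " AND idcat=0");
        if (!is_array($area_rights)) {
            $area_rights = array();
        }
        while ($right = $rightColl->next()) {
            $area_rights[$right->get('idarea')][$right->get('idaction')] = true;
        }

        // Item rights are only collected for areas that still exist.
        $areaIds = array();
        $areaColl = new cApiAreaCollection();
        $areaColl->select();
        while ($areaItem = $areaColl->next()) {
            $areaIds[] = $areaItem->get('idarea');
        }
        if (count($areaIds) === 0) {
            // No areas means no item rights; also avoids implode() on an empty list.
            return;
        }

        $areaIn = "'" . implode("','", $areaIds) . "'";
        $rightColl->select($userWhere . " AND idarea IN (" . $areaIn . ") AND idcat != 0");
        while ($right = $rightColl->next()) {
            $idcat = $right->get('idcat');
            $item_rights[$right->get('idarea')][$right->get('idaction')][$idcat] = $idcat;
        }
    }

    /**
     * Checks whether the user may perform the action in the area on at least
     * one item (an area-wide right or any loaded item right).
     *
     * @param string|int $area area name or idarea
     * @param string|int $action action name or idaction (0 = any action)
     * @return bool
     */
    public function have_perm_area_action_anyitem($area, $action = 0) {
        global $item_rights;

        if ($this->have_perm_area_action($area, $action)) {
            return true;
        }

        $idarea = $this->getIDForArea($area);
        $idaction = $this->getIDForAction($action);

        return isset($item_rights[$idarea][$idaction]);
    }

    /**
     * Checks whether the user may perform the action in the area on the given
     * item (category). Item rights that are not yet in $item_rights are fetched
     * for the user and its groups; an area without any item rights is marked
     * with the string 'noright' so the query is not repeated.
     *
     * @param string|int $area area name or idarea
     * @param string|int $action action name or idaction
     * @param int|string $itemid idcat of the item
     * @return bool
     */
    public function have_perm_area_action_item($area, $action, $itemid) {
        global $item_rights, $auth, $client, $lang;

        if ($this->have_perm()) {
            return true;
        }

        $idarea = $this->getIDForArea($area);
        $idaction = $this->getIDForAction($action);

        if ($this->have_perm_area_action($idarea, $idaction)) {
            return true;
        }

        if (isset($item_rights[$idarea][$idaction][$itemid])) {
            return true;
        }

        // 'noright' marks an area that was already looked up without result.
        if (isset($item_rights[$idarea]) && $item_rights[$idarea] === 'noright') {
            return false;
        }

        $ids = $this->getGroupsForUser($auth->auth['uid']);
        $ids[] = $auth->auth['uid'];

        $rightColl = new cApiRightCollection();
        $escapedIds = array_map(function ($id) use ($rightColl) {
            return $rightColl->escape($id);
        }, $ids);

        // getIDForArea() returns an unknown name unchanged; cast so that only
        // an integer ever reaches the SQL.
        $where = "user_id IN ('" . implode("','", $escapedIds) . "')"
            . " AND idclient=" . (int) $client
            . " AND idlang=" . (int) $lang
            . " AND idarea=" . (int) $idarea
            . " AND idcat != 0";

        if (!$rightColl->select($where)) {
            $item_rights[$idarea] = 'noright';
            return false;
        }

        while ($right = $rightColl->next()) {
            $idcat = $right->get('idcat');
            $item_rights[$right->get('idarea')][$right->get('idaction')][$idcat] = $idcat;
        }

        return isset($item_rights[$idarea][$idaction][$itemid]);
    }

    /**
     * Returns the id of the parent area of the given area.
     *
     * @param string|int $area area name or idarea
     * @return mixed whatever cApiAreaCollection::getParentAreaID() returns
     */
    public function getParentAreaId($area) {
        $areaColl = new cApiAreaCollection();
        return $areaColl->getParentAreaID($area);
    }

    /**
     * Checks whether the user has an area-wide right for the action.
     *
     * With $action = 0 the check is made against the parent area and succeeds
     * when any right for it is loaded. A loaded right is only honoured if the
     * user also has access to the current client and language.
     *
     * @param string|int $area area name or idarea
     * @param string|int $action action name or idaction (0 = any action)
     * @return bool
     */
    public function have_perm_area_action($area, $action = 0) {
        global $area_rights, $client, $lang;

        $idarea = $this->getIDForArea($area);
        $idaction = $this->getIDForAction($action);

        if ($idaction == 0) {
            $idarea = $this->getIDForArea($this->getParentAreaId($idarea));
        }

        if ($this->have_perm()) {
            return true;
        }

        // Guarded lookups: an unloaded area/action simply means "no right".
        if ($idaction == 0) {
            $granted = !empty($area_rights[$idarea]);
        } else {
            $granted = !empty($area_rights[$idarea][$idaction]);
        }

        return $granted && $this->have_perm_client_lang($client, $lang);
    }

    /**
     * Checks whether the logged-in user may work in the given client and
     * language: sysadmins and client admins always may, other users need both
     * the 'client[<client>]' and the 'lang[<lang>]' token.
     *
     * @param int $client
     * @param int $lang
     * @return bool
     */
    public function have_perm_client_lang($client, $lang) {
        $userperm = $this->_getAuthPermTokens();

        if (in_array('sysadmin', $userperm, true) || in_array("admin[$client]", $userperm, true)) {
            return true;
        }

        return $this->_hasAllTokens("client[$client],lang[$lang]", $userperm);
    }

    /**
     * Checks whether a user has access to a client, either as sysadmin, as
     * admin of the client or as a plain client user.
     *
     * @param int|bool $iClient idclient, false for the current client
     * @param cApiUser|bool $oUser user object, false for the current user
     * @return bool
     * @throws cInvalidArgumentException when $oUser is not a cApiUser
     */
    public function hasClientPermission($iClient = false, $oUser = false) {
        global $client;

        if ($iClient === false) {
            $iClient = $client;
        }

        $oUser = $this->_checkUserObject($oUser);

        return $this->isSysadmin($oUser)
            || $this->isClientAdmin($iClient, $oUser)
            || $this->isClientUser($iClient, $oUser);
    }

    /**
     * Checks whether the user carries the 'client[<client>]' token.
     *
     * @param int $iClient
     * @param cApiUser|bool $oUser user object, false for the current user
     * @return bool
     * @throws cInvalidArgumentException when $oUser is not a cApiUser
     */
    public function isClientUser($iClient, $oUser) {
        $oUser = $this->_checkUserObject($oUser);
        return $this->_userHasToken($oUser, "client[$iClient]");
    }

    /**
     * Checks whether the group carries the 'client[<client>]' token in its
     * 'perms' field.
     *
     * @param int $iClient
     * @param object $oGroup group object providing getField('perms')
     * @return bool
     */
    public function isClientGroup($iClient, $oGroup) {
        $groupPerms = explode(',', $oGroup->getField('perms'));
        return in_array("client[$iClient]", $groupPerms, true);
    }

    /**
     * Checks whether the user carries the 'admin[<client>]' token.
     *
     * @param int $iClient
     * @param cApiUser|bool $oUser user object, false for the current user
     * @return bool
     * @throws cInvalidArgumentException when $oUser is not a cApiUser
     */
    public function isClientAdmin($iClient, $oUser) {
        $oUser = $this->_checkUserObject($oUser);
        return $this->_userHasToken($oUser, "admin[$iClient]");
    }

    /**
     * Checks whether the user carries the 'sysadmin' token.
     *
     * @param cApiUser|bool $oUser user object, false for the current user
     * @return bool
     * @throws cInvalidArgumentException when $oUser is not a cApiUser
     */
    public function isSysadmin($oUser) {
        $oUser = $this->_checkUserObject($oUser);
        return $this->_userHasToken($oUser, 'sysadmin');
    }

    /**
     * Tests one token against the effective permissions of a user object.
     *
     * @param cApiUser $oUser
     * @param string $token e.g. 'sysadmin' or 'client[1]'
     * @return bool
     */
    private function _userHasToken($oUser, $token) {
        $userPerms = explode(',', $oUser->getEffectiveUserPerms());
        return in_array($token, $userPerms, true);
    }

    /**
     * Normalises the $oUser argument of the is*() methods: false means the
     * global $currentuser, a non-object falls back to a cApiUser built from
     * the logged-in uid.
     *
     * @param cApiUser|bool $oUser
     * @return cApiUser
     * @throws cInvalidArgumentException when the result is not exactly a cApiUser
     */
    private function _checkUserObject($oUser) {
        if ($oUser === false) {
            global $currentuser;
            $oUser = $currentuser;
        }

        if (!is_object($oUser)) {
            global $auth;
            $oUser = new cApiUser($auth->auth['uid']);
        }

        // Exact class match on purpose (subclasses are rejected), as before.
        if (get_class($oUser) !== 'cApiUser') {
            throw new cInvalidArgumentException('oUser parameter is not of type User');
        }

        return $oUser;
    }

    /**
     * Checks whether the logged-in user is sysadmin or holds every token of
     * the comma-separated list $p.
     *
     * @param string $p comma-separated permission tokens
     * @return bool
     */
    public function have_perm_client($p = 'x') {
        $userperm = $this->_getAuthPermTokens();

        if (in_array('sysadmin', $userperm, true)) {
            return true;
        }

        return $this->_hasAllTokens($p, $userperm);
    }

    /**
     * Checks whether the logged-in user is sysadmin, admin of the current
     * client, or holds every token of the comma-separated list $perm.
     *
     * @param string $perm comma-separated permission tokens
     * @return bool
     */
    public function have_perm($perm = 'x') {
        global $client;

        $userperm = $this->_getAuthPermTokens();

        if (in_array('sysadmin', $userperm, true) || in_array("admin[$client]", $userperm, true)) {
            return true;
        }

        return $this->_hasAllTokens($perm, $userperm);
    }

    /**
     * Splits $auth->auth['perm'] into its tokens, initialising the entry to
     * '' when it is missing (side effect kept from the original code).
     *
     * @return array list of permission tokens
     */
    private function _getAuthPermTokens() {
        global $auth;

        if (!isset($auth->auth['perm'])) {
            $auth->auth['perm'] = '';
        }

        return explode(',', $auth->auth['perm']);
    }

    /**
     * Checks that every token of a comma-separated list is present in
     * $userperm.
     *
     * @param string $required comma-separated tokens
     * @param array $userperm tokens of the user
     * @return bool
     */
    private function _hasAllTokens($required, $userperm) {
        foreach (explode(',', $required) as $token) {
            if (!in_array($token, $userperm, true)) {
                return false;
            }
        }

        return true;
    }

    /**
     * Checks whether the user has an item right for $itemid in the main area
     * or one of its sub areas (see showareas()). Areas whose item rights are
     * not loaded yet are fetched from the rights table for the user and its
     * groups; an area without rows is marked 'noright' in $item_rights.
     *
     * @param string|int $mainarea area name or idarea
     * @param int|string $itemid idcat of the item
     * @return bool
     */
    public function have_perm_item($mainarea, $itemid) {
        global $cfg, $item_rights, $client, $lang, $auth, $area_tree;

        $mainarea = $this->getIDForArea($mainarea);

        if ($this->have_perm()) {
            return true;
        }

        if (!is_object($this->db)) {
            $this->db = cRegistry::getDb();
        }

        // Fills $area_tree[$mainarea] with the main area and its sub areas.
        $this->showareas($mainarea);

        if (!isset($area_tree[$mainarea]) || !is_array($area_tree[$mainarea])) {
            return false;
        }

        $found = false;

        foreach ($area_tree[$mainarea] as $idarea) {
            $loaded = isset($item_rights[$idarea]) ? $item_rights[$idarea] : null;

            if ($loaded === 'noright') {
                continue;
            }

            if (is_array($loaded)) {
                foreach ($loaded as $catsByAction) {
                    // Loose in_array on purpose: idcat values come back from
                    // the database as strings while $itemid may be an int.
                    if (in_array($itemid, $catsByAction)) {
                        return true;
                    }
                }
                continue;
            }

            // Not loaded yet: fetch the item rights of the user and its groups.
            $ids = $this->getGroupsForUser($auth->auth['uid']);
            $ids[] = $auth->auth['uid'];

            // NOTE(review): the ids are session/database values and are
            // interpolated without escaping, as in the original query.
            $sql = "SELECT * FROM " . $cfg['tab']['rights'] . " WHERE"
                . " user_id IN ('" . implode("','", $ids) . "')"
                . " AND idclient = " . cSecurity::toInteger($client)
                . " AND idlang = " . cSecurity::toInteger($lang)
                . " AND idarea = " . cSecurity::toInteger($idarea)
                . " AND idcat != 0";
            $this->db->query($sql);

            if ($this->db->affectedRows() == 0) {
                $item_rights[$idarea] = 'noright';
            }

            while ($this->db->nextRecord()) {
                $idcat = $this->db->f('idcat');
                // Loose comparison kept: idcat is a string from the database.
                if ($idcat == $itemid) {
                    $found = true;
                }
                $item_rights[$this->db->f('idarea')][$this->db->f('idaction')][$idcat] = $idcat;
            }
        }

        return $found;
    }

    /**
     * Ensures $area_tree[$mainarea] holds the idarea of the main area and of
     * all areas whose parent_id is the main area's name; the array is
     * registered in the session the first time it is built.
     *
     * @param string|int $mainarea area name or idarea
     * @return string|int the resolved idarea (or the unresolved name)
     */
    public function showareas($mainarea) {
        global $area_tree, $sess, $cfg;

        if (!is_object($this->db)) {
            $this->db = cRegistry::getDb();
        }

        $mainarea = $this->getIDForArea($mainarea);

        if (isset($area_tree[$mainarea])) {
            return $mainarea;
        }

        $sess->register('area_tree');

        // getIDForArea() returns an unknown name unchanged; cast so that only
        // an integer ever reaches the SQL.
        $idarea = cSecurity::toInteger($mainarea);

        $sql = "SELECT name FROM " . $cfg['tab']['area'] . " WHERE idarea=" . $idarea;
        $this->db->query($sql);
        $this->db->nextRecord();
        $name = $this->db->f('name');

        // NOTE(review): $name is read from the area table and interpolated
        // without escaping, as in the original query.
        $sql = "SELECT idarea FROM " . $cfg['tab']['area']
            . " WHERE parent_id='" . $name . "' OR idarea=" . $idarea;
        $this->db->query($sql);

        $area_tree[$mainarea] = array();
        while ($this->db->nextRecord()) {
            $area_tree[$mainarea][] = $this->db->f('idarea');
        }

        return $mainarea;
    }

}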