1: <?php
  2: 
  3: /**
  4:  * This file contains the CONTENIDO rights functions.
  5:  *
  6:  * @package          Core
  7:  * @subpackage       Backend
  8:  * @author           Martin Horwath
  9:  * @author           Murat Purc <murat@purc.de>
 10:  * @copyright        four for business AG <www.4fb.de>
 11:  * @license          http://www.contenido.org/license/LIZENZ.txt
 12:  * @link             http://www.4fb.de
 13:  * @link             http://www.contenido.org
 14:  */
 15: 
 16: defined('CON_FRAMEWORK') || die('Illegal call: Missing framework initialization - request aborted.');
 17: 
 18: /**
 19:  * Function checks if a language is associated with a given list of clients
 20:  *
 21:  * @param array $aClients
 22:  *         array of clients to check
 23:  * @param int $iLang
 24:  *         language id which should be checked
 25:  * @param array $aCfg
 26:  *         CONTENIDO configruation array (no more needed)
 27:  * @param cDb $oDb
 28:  *         CONTENIDO database object (no more needed)
 29:  * @return boolean
 30:  *         status
 31:  *         If language id corresponds to list of clients true otherwise false.
 32:  */
 33: function checkLangInClients($aClients, $iLang, $aCfg, $oDb) {
 34:     $oClientLanguageCollection = new cApiClientLanguageCollection();
 35:     return $oClientLanguageCollection->hasLanguageInClients($iLang, $aClients);
 36: }
 37: 
 38: /**
 39:  * Duplicate rights for any element.
 40:  *
 41:  * @param string $area
 42:  *         Main area name (e. g. 'lay', 'mod', 'str', 'tpl', etc.)
 43:  * @param int $iditem
 44:  *         ID of element to copy
 45:  * @param int $newiditem
 46:  *         ID of the new element
 47:  * @param int $idlang
 48:  *         ID of language, if passed only rights for this language
 49:  *         will be created, otherwise for all existing languages
 50:  * @return bool
 51:  *         True on success otherwise false
 52:  */
 53: function copyRightsForElement($area, $iditem, $newiditem, $idlang = false) {
 54:     global $perm, $auth, $area_tree;
 55: 
 56:     if (!is_object($perm)) {
 57:         return false;
 58:     }
 59:     if (!is_object($auth)) {
 60:         return false;
 61:     }
 62: 
 63:     $oDestRightCol = new cApiRightCollection();
 64:     $oSourceRighsColl = new cApiRightCollection();
 65:     $whereUsers = array();
 66:     $whereAreaActions = array();
 67: 
 68:     // get all user_id values for con_rights
 69:     $userIDContainer = $perm->getGroupsForUser($auth->auth['uid']); // add
 70:     // groups if
 71:     // available
 72:     $userIDContainer[] = $auth->auth['uid']; // add user_id of current user
 73:     foreach ($userIDContainer as $key) {
 74:         $whereUsers[] = "user_id = '" . $oDestRightCol->escape($key) . "'";
 75:     }
 76:     $whereUsers = '(' . implode(' OR ', $whereUsers) . ')'; // only duplicate on
 77:     // user and where
 78:     // user is member of
 79:     // get all idarea values for $area
 80:     $areaContainer = $area_tree[$perm->showareas($area)];
 81: 
 82:     // get all actions for corresponding area
 83:     $oActionColl = new cApiActionCollection();
 84:     $oActionColl->select('idarea IN (' . implode(',', $areaContainer) . ')');
 85:     while (($oItem = $oActionColl->next()) !== false) {
 86:         $whereAreaActions[] = '(idarea = ' . (int) $oItem->get('idarea') . ' AND idaction = ' . (int) $oItem->get('idaction') . ')';
 87:     }
 88:     $whereAreaActions = '(' . implode(' OR ', $whereAreaActions) . ')'; // only
 89:     // correct
 90:     // area
 91:     // action
 92:     // pairs
 93:     // possible
 94:     // final where clause to get all affected elements in con_right
 95:     $sWhere = "{$whereAreaActions} AND {$whereUsers} AND idcat = {$iditem}";
 96:     if ($idlang) {
 97:         $sWhere .= ' AND idlang=' . (int) $idlang;
 98:     }
 99: 
100:     $oSourceRighsColl->select($sWhere);
101:     while (($oItem = $oSourceRighsColl->next()) !== false) {
102:         $rs = $oItem->toObject();
103:         $oDestRightCol->create($rs->user_id, $rs->idarea, $rs->idaction, $newiditem, $rs->idclient, $rs->idlang, $rs->type);
104:     }
105: 
106:     // permissions reloaded...
107:     $perm->load_permissions(true);
108: 
109:     return true;
110: }
111: 
112: /**
113:  * Create rights for any element
114:  *
115:  * @param string $area
116:  *         Main area name (e. g. 'lay', 'mod', 'str', 'tpl', etc.)
117:  * @param int $iditem
118:  *         ID of new element
119:  * @param int $idlang
120:  *         ID of language, if passed only rights for this language
121:  *         will be created, otherwise for all existing languages
122:  * @return bool
123:  *         True on success otherwise false
124:  */
125: function createRightsForElement($area, $iditem, $idlang = false) {
126:     global $perm, $auth, $area_tree, $client;
127: 
128:     if (!is_object($perm)) {
129:         return false;
130:     }
131:     if (!is_object($auth)) {
132:         return false;
133:     }
134: 
135:     $oDestRightCol = new cApiRightCollection();
136:     $oSourceRighsColl = new cApiRightCollection();
137:     $whereUsers = array();
138:     $rightsCache = array();
139: 
140:     // get all user_id values for con_rights
141:     $userIDContainer = $perm->getGroupsForUser($auth->auth['uid']); // add
142:     // groups if
143:     // available
144:     $userIDContainer[] = $auth->auth['uid']; // add user_id of current user
145:     foreach ($userIDContainer as $key) {
146:         $whereUsers[] = "user_id = '" . $oDestRightCol->escape($key) . "'";
147:     }
148:     $whereUsers = '(' . implode(' OR ', $whereUsers) . ')'; // only duplicate on
149:     // user and where
150:     // user is member of
151:     // get all idarea values for $area short way
152:     $areaContainer = $area_tree[$perm->showareas($area)];
153: 
154:     // statement to get all existing actions/areas for corresponding area.
155:     // all existing rights for same area will be taken over to new item.
156:     $sWhere = 'idclient=' . (int) $client . ' AND idarea IN (' . implode(',', $areaContainer) . ')' . ' AND idcat != 0 AND idaction != 0 AND ' . $whereUsers;
157:     if ($idlang) {
158:         $sWhere .= ' AND idlang=' . (int) $idlang;
159:     }
160: 
161:     $oSourceRighsColl->select($sWhere);
162:     while (($oItem = $oSourceRighsColl->next()) !== false) {
163:         $rs = $oItem->toObject();
164: 
165:         // concatenate a key to use it to prevent double entries
166:         $key = $rs->user_id . '-' . $rs->idarea . '-' . $rs->idaction . '-' . $iditem . '-' . $rs->idclient . '-' . $rs->idlang . '-' . $rs->type;
167:         if (isset($rightsCache[$key])) {
168:             continue;
169:         }
170: 
171:         // create new right entry
172:         $oDestRightCol->create($rs->user_id, $rs->idarea, $rs->idaction, $iditem, $rs->idclient, $rs->idlang, $rs->type);
173: 
174:         $rightsCache[$key] = true;
175:     }
176: 
177:     // permissions reloaded...
178:     $perm->load_permissions(true);
179: 
180:     return true;
181: }
182: 
183: /**
184:  * Delete rights for any element
185:  *
186:  * @param string $area
187:  *         main area name
188:  * @param int $iditem
189:  *         ID of new element
190:  * @param int $idlang
191:  *         ID of lang parameter
192:  */
193: function deleteRightsForElement($area, $iditem, $idlang = false) {
194:     global $perm, $area_tree, $client;
195: 
196:     // get all idarea values for $area
197:     $areaContainer = $area_tree[$perm->showareas($area)];
198: 
199:     $sWhere = "idcat=" . (int) $iditem . " AND idclient=" . (int) $client . " AND idarea IN (" . implode(',', $areaContainer) . ")";
200:     if ($idlang) {
201:         $sWhere .= " AND idlang=" . (int) $idlang;
202:     }
203: 
204:     $oRightColl = new cApiRightCollection();
205:     $oRightColl->deleteByWhereClause($sWhere);
206: 
207:     // permissions reloaded...
208:     $perm->load_permissions(true);
209: }
210: 
211: /**
212:  * Builds user/group permissions (sysadmin, admin, client and language) by
213:  * processing request variables ($msysadmin, $madmin, $mclient, $mlang) and
214:  * returns the build permissions array.
215:  *
216:  * @todo Do we really need to add other perms, if the user/group gets the
217:  *       'sysadmin' permission?
218:  * @param bool $bAddUserToClient
219:  *         Flag to add current user to current client, if no client is specified.
220:  * @return array
221:  */
222: function buildUserOrGroupPermsFromRequest($bAddUserToClient = false) {
223:     global $cfg, $msysadmin, $madmin, $mclient, $mlang, $auth, $client;
224: 
225:     $aPerms = array();
226: 
227:     // check and prevalidation
228: 
229:     $bSysadmin = (isset($msysadmin) && $msysadmin);
230: 
231:     $aAdmin = (isset($madmin) && is_array($madmin)) ? $madmin : array();
232:     foreach ($aAdmin as $p => $value) {
233:         if (!is_numeric($value)) {
234:             unset($aAdmin[$p]);
235:         }
236:     }
237: 
238:     $aClient = (isset($mclient) && is_array($mclient)) ? $mclient : array();
239:     foreach ($aClient as $p => $value) {
240:         if (!is_numeric($value)) {
241:             unset($aClient[$p]);
242:         }
243:     }
244: 
245:     $aLang = (isset($mlang) && is_array($mlang)) ? $mlang : array();
246:     foreach ($aLang as $p => $value) {
247:         if (!is_numeric($value)) {
248:             unset($aLang[$p]);
249:         }
250:     }
251: 
252:     // build permissions array
253: 
254:     if ($bSysadmin) {
255:         $aPerms[] = 'sysadmin';
256:     }
257: 
258:     foreach ($aAdmin as $value) {
259:         $aPerms[] = sprintf('admin[%s]', $value);
260:     }
261: 
262:     foreach ($aClient as $value) {
263:         $aPerms[] = sprintf('client[%s]', $value);
264:     }
265: 
266:     if (count($aClient) == 0 && $bAddUserToClient) {
267:         // Add user to the current client, if the current user isn't sysadmin
268:         // and
269:         // no client has been specified. This avoids new accounts which are not
270:         // accessible by the current user (client admin) anymore.
271:         $aUserPerm = explode(',', $auth->auth['perm']);
272:         if (!in_array('sysadmin', $aUserPerm)) {
273:             $aPerms[] = sprintf('client[%s]', $client);
274:         }
275:     }
276: 
277:     if (count($aLang) > 0 && count($aClient) > 0) {
278:         // adding language perms makes sense if we have also at least one
279:         // selected client
280:         $db = cRegistry::getDb();
281:         foreach ($aLang as $value) {
282:             if (checkLangInClients($aClient, $value, $cfg, $db)) {
283:                 $aPerms[] = sprintf('lang[%s]', $value);
284:             }
285:         }
286:     }
287: 
288:     return $aPerms;
289: }
290: 
291: /**
292:  *
293:  * @return boolean
294:  */
295: function saveRights() {
296:     global $perm, $notification, $db, $userid;
297:     global $rights_list, $rights_list_old, $rights_client, $rights_lang;
298:     global $aArticleRights, $aCategoryRights, $aTemplateRights;
299: 
300:     // If no checkbox is checked
301:     if (!is_array($rights_list)) {
302:         $rights_list = array();
303:     }
304: 
305:     // Search all checks which are not in the new rights_list for deleting
306:     $arraydel = array_diff(array_keys($rights_list_old), array_keys($rights_list));
307: 
308:     // Search all checks which are not in the rights_list_old for saving
309:     $arraysave = array_diff(array_keys($rights_list), array_keys($rights_list_old));
310:     $oAreaColl = new cApiAreaCollection();
311: 
312:     if (is_array($arraydel)) {
313:         foreach ($arraydel as $value) {
314: 
315:             $data = explode('|', $value);
316: 
317:             // Do not delete rights that does not display at this moment
318:             if (!empty($_REQUEST['filter_rights'])) {
319:                 if (($_REQUEST['filter_rights'] != 'article' && in_array($data[1], $aArticleRights)) ||
320:                     ($_REQUEST['filter_rights'] != 'category' && in_array($data[1], $aCategoryRights)) ||
321:                     ($_REQUEST['filter_rights'] != 'template' && in_array($data[1], $aTemplateRights))) {
322:                     continue;
323:                 }
324: 
325:                 if ($_REQUEST['filter_rights'] != 'other' && !in_array($data[1], array_merge($aArticleRights, $aCategoryRights, $aTemplateRights))) {
326:                     continue;
327:                 }
328:             }
329: 
330:             $data[0] = $oAreaColl->getAreaID($data[0]);
331:             $data[1] = $perm->getIDForAction($data[1]);
332: 
333:             $where = "user_id = '" . $db->escape($userid) . "' AND idclient = " . (int) $rights_client . " AND idlang = " . (int) $rights_lang . " AND idarea = " . (int) $data[0] . " AND idcat = " . (int) $data[2] . " AND idaction = " . (int) $data[1] . " AND type = 0";
334:             $oRightColl = new cApiRightCollection();
335:             $oRightColl->deleteByWhereClause($where);
336:         }
337:     }
338: 
339:     unset($data);
340: 
341:     // Search for all mentioned checkboxes
342:     if (is_array($arraysave)) {
343:         foreach ($arraysave as $value) {
344:             // Explodes the key it consits areaid+actionid+itemid
345:             $data = explode('|', $value);
346: 
347:             // Since areas are stored in a numeric form in the rights table, we
348:             // have
349:             // to convert them from strings into numbers
350:             $data[0] = $oAreaColl->getAreaID($data[0]);
351:             $data[1] = $perm->getIDForAction($data[1]);
352: 
353:             if (!isset($data[1])) {
354:                 $data[1] = 0;
355:             }
356: 
357:             // Insert new right
358:             $oRightColl = new cApiRightCollection();
359:             $oRightColl->create($userid, $data[0], $data[1], $data[2], $rights_client, $rights_lang, 0);
360:         }
361:     }
362: 
363:     $rights_list_old = $rights_list;
364: 
365:     return true;
366: 
367: }
368: 
369: /**
370:  *
371:  * @return boolean
372:  */
373: function saveGroupRights() {
374:     global $perm, $notification, $db, $groupid;
375:     global $rights_list, $rights_list_old, $rights_client, $rights_lang;
376:     global $aArticleRights, $aCategoryRights, $aTemplateRights;
377: 
378:     // If no checkbox is checked
379:     if (!is_array($rights_list)) {
380:         $rights_list = array();
381:     }
382: 
383:     // Search all checks which are not in the new rights_list for deleting
384:     $arraydel = array_diff(array_keys($rights_list_old), array_keys($rights_list));
385: 
386:     // Search all checks which are not in the rights_list_old for saving
387:     $arraysave = array_diff(array_keys($rights_list), array_keys($rights_list_old));
388: 
389:     $oAreaColl = new cApiAreaCollection();
390: 
391:     if (is_array($arraydel)) {
392:         foreach ($arraydel as $value) {
393:             $data = explode('|', $value);
394: 
395:             // Do not delete grouprights that does not display at this moment
396:             if (!empty($_REQUEST['filter_rights'])) {
397:                 if (($_REQUEST['filter_rights'] != 'article' && in_array($data[1], $aArticleRights)) ||
398:                     ($_REQUEST['filter_rights'] != 'category' && in_array($data[1], $aCategoryRights)) ||
399:                     ($_REQUEST['filter_rights'] != 'template' && in_array($data[1], $aTemplateRights))) {
400:                     continue;
401:                 }
402: 
403:                 if ($_REQUEST['filter_rights'] != 'other' && !in_array($data[1], array_merge($aArticleRights, $aCategoryRights, $aTemplateRights))) {
404:                     continue;
405:                 }
406:             }
407: 
408:             $data[0] = $oAreaColl->getAreaID($data[0]);
409:             $data[1] = $perm->getIDForAction($data[1]);
410: 
411:             $where = "user_id = '" . $db->escape($groupid) . "' AND idclient = " . (int) $rights_client . " AND idlang = " . (int) $rights_lang . " AND idarea = " . (int) $data[0] . " AND idcat = " . (int) $data[2] . " AND idaction = " . (int) $data[1] . " AND type = 1";
412:             $oRightColl = new cApiRightCollection();
413:             $oRightColl->deleteByWhereClause($where);
414:         }
415:     }
416: 
417:     unset($data);
418: 
419:     // Search for all mentioned checkboxes
420:     if (is_array($arraysave)) {
421:         foreach ($arraysave as $value) {
422:             // Explodes the key it consits areaid+actionid+itemid
423:             $data = explode('|', $value);
424: 
425:             // Since areas are stored in a numeric form in the rights table, we
426:             // have
427:             // to convert them from strings into numbers
428:             $data[0] = $oAreaColl->getAreaID($data[0]);
429:             $data[1] = $perm->getIDForAction($data[1]);
430: 
431:             if (!isset($data[1])) {
432:                 $data[1] = 0;
433:             }
434: 
435:             // Insert new right
436:             $oRightColl = new cApiRightCollection();
437:             $oRightColl->create($groupid, $data[0], $data[1], $data[2], $rights_client, $rights_lang, 1);
438:         }
439:     }
440: 
441:     $rights_list_old = $rights_list;
442:     return true;
443: }
444: