1: <?php
  2: /**
  3:  * This file contains the the permission class.
  4:  *
  5:  * @package Core
  6:  * @subpackage Backend
  7:  * @version SVN Revision $Rev:$
  8:  *
  9:  * @author Boris Erdmann, Kristian Koehntopp
 10:  * @copyright four for business AG <www.4fb.de>
 11:  * @license http://www.contenido.org/license/LIZENZ.txt
 12:  * @link http://www.4fb.de
 13:  * @link http://www.contenido.org
 14:  */
 15: 
 16: defined('CON_FRAMEWORK') || die('Illegal call: Missing framework initialization - request aborted.');
 17: 
 18: /**
 19:  * This class handles the permission management
 20:  *
 21:  * @package Core
 22:  * @subpackage Backend
 23:  */
 24: class cPermission {
 25: 
 26:     /**
 27:      * Permission class name
 28:      *
 29:      * @var string
 30:      */
 31:     public $classname = 'cPermission';
 32: 
 33:     /**
 34:      * Area cache
 35:      *
 36:      * @var array
 37:      */
 38:     public $areacache = array();
 39: 
 40:     /**
 41:      * Actions cache
 42:      *
 43:      * @var array
 44:      */
 45:     public $actioncache = array();
 46: 
 47:     /**
 48:      * Database instance
 49:      *
 50:      * @var cDb
 51:      */
 52:     public $db;
 53: 
 54:     /**
 55:      * Returns all groups of a user
 56:      *
 57:      * @param string $userId
 58:      * @return array List of group ids
 59:      */
 60:     public function getGroupsForUser($userId) {
 61:         $groups = array();
 62: 
 63:         $oGroupMemberColl = new cApiGroupMemberCollection();
 64:         $oGroupMemberColl->select("user_id='" . $oGroupMemberColl->escape($userId) . "'");
 65:         while (false !== $oItem = $oGroupMemberColl->next()) {
 66:             $groups[] = $oItem->get('group_id');
 67:         }
 68: 
 69:         return $groups;
 70:     }
 71: 
 72:     /**
 73:      * Returns the id of an area.
 74:      * If passed area is numeric, it will returned directly.
 75:      *
 76:      * @param string|int $area
 77:      * @return int
 78:      */
 79:     public function getIDForArea($area) {
 80:         if (is_numeric($area)) {
 81:             return $area;
 82:         } elseif (isset($this->areacache[$area])) {
 83:             return $this->areacache[$area];
 84:         }
 85: 
 86:         $oAreaColl = new cApiAreaCollection();
 87:         $oAreaColl->select("name='" . $oAreaColl->escape($area) . "'");
 88:         if (false !== $oItem = $oAreaColl->next()) {
 89:             $this->areacache[$area] = $oItem->get('idarea');
 90:             $area = $oItem->get('idarea');
 91:         }
 92: 
 93:         return $area;
 94:     }
 95: 
 96:     /**
 97:      * Returns the id of an action.
 98:      * If passed action is numeric, it will returned directly.
 99:      *
100:      * @param string|int $action
101:      * @return int
102:      */
103:     public function getIDForAction($action) {
104:         if (is_numeric($action)) {
105:             return $action;
106:         } elseif (isset($this->actioncache[$action])) {
107:             return $this->actioncache[$action];
108:         }
109: 
110:         $oActionColl = new cApiActionCollection();
111:         $oActionColl->select("name='" . $oActionColl->escape($action) . "'");
112:         if (false !== $oItem = $oActionColl->next()) {
113:             $this->actioncache[$action] = $oItem->get('idaction');
114:             $action = $oItem->get('idaction');
115:         }
116: 
117:         return $action;
118:     }
119: 
120:     /**
121:      * Loads all permissions of groups where current logged in user is a member
122:      * and saves them in session.
123:      *
124:      * @param bool $force Flag to force loading, event if they were ccached
125:      *        before
126:      * @return string Returns diffrent values, depending on state:
127:      *         '1' (string) if permissions couldn't loaded
128:      *         '3' (string) if permissions were successfull loaded
129:      */
130:     public function load_permissions($force = false) {
131:         global $sess, $area_rights, $item_rights, $auth, $changelang, $changeclient;
132: 
133:         $return = '1';
134: 
135:         // if not admin or sysadmin
136:         if (!$this->have_perm()) {
137:             $return = isset($area_rights);
138: 
139:             if (!isset($area_rights) || !isset($item_rights) || isset($changeclient) || isset($changelang) || $force) {
140:                 $return = '3';
141:                 // register variables
142:                 $sess->register('area_rights');
143:                 $sess->register('item_rights');
144:                 $item_rights = array();
145:                 $groups = $this->getGroupsForUser($auth->auth['uid']);
146: 
147:                 if (is_array($groups)) {
148:                     foreach ($groups as $group) {
149:                         $this->load_permissions_for_user($group);
150:                     }
151:                 }
152: 
153:                 $this->load_permissions_for_user($auth->auth['uid']);
154:             }
155:         }
156: 
157:         return $return;
158:     }
159: 
160:     /**
161:      * Loads all permissions for a specific user or group.
162:      * Stores area rights in global variable $area_rights.
163:      * Stores item rights in global variable $item_rights.
164:      *
165:      * @param string $user User Id hash
166:      */
167:     public function load_permissions_for_user($user) {
168:         global $client, $lang;
169:         global $area_rights, $item_rights;
170: 
171:         $oRightColl = new cApiRightCollection();
172:         $sWhere = "user_id='" . $oRightColl->escape($user) . "'";
173:         $sWhere .= " AND idcat=0 AND " . "idclient=" . (int) $client;
174:         $sWhere .= " AND idlang=" . (int) $lang;
175:         $oRightColl->select($sWhere);
176: 
177:         // define $area_rights if not already done so
178:         if (!is_array($area_rights)) {
179:             $area_rights = array();
180:         }
181:         while (false !== $oItem = $oRightColl->next()) {
182:             $idarea = $oItem->get('idarea');
183:             $idaction = $oItem->get('idaction');
184:             $area_rights[$idarea][$idaction] = true;
185:         }
186: 
187:         // Select Rights for Article and Sructure (Attention Hard code Areas)
188:         $oAreaColl = new cApiAreaCollection();
189:         $oAreaColl->select();
190:         while (false !== $oItem = $oAreaColl->next()) {
191:             $idarea = $oItem->get('idarea');
192:             $tmp_area[] = $idarea;
193:         }
194: 
195:         $tmp_area_string = implode("','", array_values($tmp_area));
196:         $sWhere = "user_id='" . $oRightColl->escape($user) . "'";
197:         $sWhere .= " AND idclient=" . (int) $client;
198:         $sWhere .= " AND idlang=" . (int) $lang;
199:         $sWhere .= " AND idarea IN ('$tmp_area_string')";
200:         $sWhere .= "AND idcat != 0";
201:         $oRightColl->select($sWhere);
202:         while (false !== $oItem = $oRightColl->next()) {
203:             $idarea = $oItem->get('idarea');
204:             $idaction = $oItem->get('idaction');
205:             $idcat = $oItem->get('idcat');
206:             $item_rights[$idarea][$idaction][$idcat] = $idcat;
207:         }
208:     }
209: 
210:     /**
211:      *
212:      * @param string $area
213:      * @param string $action
214:      * @return boolean
215:      */
216:     public function have_perm_area_action_anyitem($area, $action = 0) {
217:         global $item_rights;
218: 
219:         if ($this->have_perm_area_action($area, $action)) {
220:             return true;
221:         }
222: 
223:         $area = $this->getIDForArea($area);
224:         $action = $this->getIDForAction($action);
225: 
226:         return (isset($item_rights[$area][$action]));
227:     }
228: 
229:     /**
230:      *
231:      * @param string $area
232:      * @param string $action
233:      * @param mixed $itemid
234:      * @return boolean
235:      */
236:     public function have_perm_area_action_item($area, $action, $itemid) {
237:         global $item_rights, $auth, $client, $lang, $cfg;
238: 
239:         if ($this->have_perm()) {
240:             return true;
241:         }
242: 
243:         $area = $this->getIDForArea($area);
244:         $action = $this->getIDForAction($action);
245: 
246:         // If the user has a right on this action in this area check for the
247:         // items
248:         if ($this->have_perm_area_action($area, $action)) {
249:             return true;
250:         }
251: 
252:         // Check rights for the action in this area at this item
253:         if (isset($item_rights[$area][$action][$itemid])) {
254:             // If have action for area + action +item check right for client and
255:             // lang
256:             return true;
257:         }
258: 
259:         if ($item_rights[$area] != 'noright') {
260:             $groupsForUser = $this->getGroupsForUser($auth->auth['uid']);
261:             $groupsForUser[] = $auth->auth['uid'];
262: 
263:             $userIdIn = implode("','", $groupsForUser);
264: 
265:             $oRightsColl = new cApiRightCollection();
266:             $where = "user_id IN ('" . $userIdIn . "') AND idclient=" . (int) $client . " AND idlang=" . (int) $lang . " AND idarea=$area AND idcat != 0";
267: 
268:             if (!$oRightsColl->select($where)) {
269:                 $item_rights[$area] = 'noright';
270:                 return false;
271:             }
272: 
273:             while (false !== $oItem = $oRightsColl->next()) {
274:                 $item_rights[$oItem->get('idarea')][$oItem->get('idaction')][$oItem->get('idcat')] = $oItem->get('idcat');
275:             }
276: 
277:             // Check
278:             if (isset($item_rights[$area][$action][$itemid])) {
279:                 // If have action for area + action +item check right for client
280:                 // and lang
281:                 return true;
282:             }
283:         }
284:         return false;
285:     }
286: 
287:     /**
288:      *
289:      * @param string $area
290:      * @return Ambigous <string, int|string, mixed, unknown>
291:      */
292:     public function getParentAreaId($area) {
293:         $oAreaColl = new cApiAreaCollection();
294:         return $oAreaColl->getParentAreaID($area);
295:     }
296: 
297:     /**
298:      *
299:      * @param string $area
300:      * @param string $action
301:      * @return boolean
302:      */
303:     public function have_perm_area_action($area, $action = 0) {
304:         global $area_rights, $client, $lang, $cfg;
305: 
306:         $area = $this->getIDForArea($area);
307:         $action = $this->getIDForAction($action);
308: 
309:         if ($action == 0) {
310:             $area = $this->getParentAreaId($area);
311:         }
312: 
313:         $area = $this->getIDForArea($area);
314: 
315:         if (!$this->have_perm()) {
316:             if ($action == 0 && $area_rights[$area]) {
317:                 // If have action for area + action check right for client and
318:                 // lang
319:                 return ($this->have_perm_client_lang($client, $lang));
320:             }
321: 
322:             // check rights for the action in this area
323:             if ($area_rights[$area][$action]) {
324:                 // If have action for area + action check right for client and
325:                 // lang
326:                 return $this->have_perm_client_lang($client, $lang);
327:             }
328: 
329:             return false;
330:         }
331:         return true;
332:     }
333: 
334:     /**
335:      *
336:      * @param int $client
337:      * @param int $lang
338:      * @return boolean
339:      */
340:     public function have_perm_client_lang($client, $lang) {
341:         global $auth;
342: 
343:         // Changed back to a full featured function, as have_perm
344:         // needs $client as global variable - not provided by this
345:         // function
346:         // return ($this->have_perm("client[$client],lang[$lang]"));
347: 
348:         if (!isset($auth->auth['perm'])) {
349:             $auth->auth['perm'] = '';
350:         }
351: 
352:         // Split the permissions of the user
353:         $userperm = explode(',', $auth->auth['perm']);
354: 
355:         if (in_array('sysadmin', $userperm)) {
356:             return true; // User is sysadmin
357:         } elseif (in_array("admin[$client]", $userperm)) {
358:             return true; // User is admin
359:         } else {
360:             // Check rights for the client and the language
361:             $pageperm = explode(',', "client[$client],lang[$lang]");
362:             foreach ($pageperm as $value) {
363:                 if (!in_array($value, $userperm)) {
364:                     return false;
365:                 }
366:             }
367:         }
368:         return true;
369:     }
370: 
371:     /**
372:      * Checks if a user has access rights for a specific client.
373:      *
374:      * @param int $iClient idclient to check, or false for the current client
375:      * @param object $oUser User object to check against, or false for the
376:      *        current user
377:      * @return bool
378:      */
379:     public function hasClientPermission($iClient = false, $oUser = false) {
380:         global $auth, $client;
381: 
382:         if ($iClient === false) {
383:             $iClient = $client;
384:         }
385: 
386:         $oUser = $this->_checkUserObject($oUser);
387: 
388:         if ($this->isSysadmin($oUser) || $this->isClientAdmin($iClient, $oUser) || $this->isClientUser($iClient, $oUser)) {
389:             return true;
390:         } else {
391:             return false;
392:         }
393:         /*
394:          * Commented out Timo Trautmann, because here only client access is
395:          * checked, possibility for admin or sysadmin access was ignored
396:          * functions isSysadmin isClientAdmin isClientUser also handles
397:          * permission for groups #Check clients' rights of users' group(s)
398:          * $aGroups = $this->getGroupsForUser($auth->auth["uid"]); if
399:          * (is_array($aGroups)) { foreach ($aGroups as $group) { $oGroup = new
400:          * cApiGroup($group); if ($this->isClientGroup($iClient, $oGroup)) {
401:          * return true; } } } return false; }
402:          */
403:     }
404: 
405:     /**
406:      * Checks if the given user has access permission for a client
407:      *
408:      * @param int $iClient idclient to check
409:      * @param object $oUser User object to check against
410:      * @return bool
411:      */
412:     public function isClientUser($iClient, $oUser) {
413:         $oUser = $this->_checkUserObject($oUser);
414: 
415:         $aPermissions = explode(',', $oUser->getEffectiveUserPerms());
416: 
417:         if (in_array("client[$iClient]", $aPermissions)) {
418:             return true;
419:         }
420: 
421:         return false;
422:     }
423: 
424:     /**
425:      * Checks if the given group has access permission for a client
426:      *
427:      * @param int $iClient idclient to check
428:      * @param object $oGroup Group object to check against
429:      * @return bool
430:      */
431:     public function isClientGroup($iClient, $oGroup) {
432:         $aPermissions = explode(',', $oGroup->getField('perms'));
433: 
434:         if (in_array("client[$iClient]", $aPermissions)) {
435:             return true;
436:         }
437: 
438:         return false;
439:     }
440: 
441:     /**
442:      * Checks if the given user has an admin permission
443:      *
444:      * @param int $iClient idclient to check
445:      * @param object $oUser User object to check against
446:      * @return bool
447:      */
448:     public function isClientAdmin($iClient, $oUser) {
449:         $oUser = $this->_checkUserObject($oUser);
450: 
451:         $aPermissions = explode(',', $oUser->getEffectiveUserPerms());
452: 
453:         if (in_array("admin[$iClient]", $aPermissions)) {
454:             return true;
455:         }
456: 
457:         return false;
458:     }
459: 
460:     /**
461:      * Checks if the given user has sysadmin permission
462:      *
463:      * @param object $oUser User object to check against
464:      * @return boolean
465:      */
466:     public function isSysadmin($oUser) {
467:         $oUser = $this->_checkUserObject($oUser);
468: 
469:         $aPermissions = explode(',', $oUser->getEffectiveUserPerms());
470: 
471:         if (in_array('sysadmin', $aPermissions)) {
472:             return true;
473:         }
474: 
475:         return false;
476:     }
477: 
478:     /**
479:      * Checks if the given object is a user object.
480:      *
481:      * If oUser is false, initialize the object from the currently logged in
482:      * user. If oUser is not an object of the class cApiUser, throw an
483:      * exception.
484:      *
485:      * @param object $oUser User object
486:      * @throws cInvalidArgumentException if the given or constructed user is not
487:      *         a cApiUser object
488:      * @return object
489:      */
490:     private function _checkUserObject($oUser) {
491:         if ($oUser === false) {
492:             global $currentuser;
493:             $oUser = $currentuser;
494:         }
495: 
496:         if (!is_object($oUser)) {
497:             global $auth;
498:             $oUser = new cApiUser($auth->auth['uid']);
499:         }
500: 
501:         if (get_class($oUser) != 'cApiUser') {
502:             throw new cInvalidArgumentException('oUser parameter is not of type User');
503:         }
504: 
505:         return $oUser;
506:     }
507: 
508:     /**
509:      *
510:      * @param string $p
511:      * @return boolean
512:      */
513:     public function have_perm_client($p = 'x') {
514:         global $auth, $client;
515: 
516:         if (!isset($auth->auth['perm'])) {
517:             $auth->auth['perm'] = '';
518:         }
519: 
520:         // Split the permissions of the user
521:         $userperm = explode(',', $auth->auth['perm']);
522: 
523:         // If User is sysadmin or admin at this client return true
524:         if (in_array('sysadmin', $userperm)) {
525:             return true;
526:         }
527: 
528:         // If there are more permissions to ask split them
529:         $pageperm = explode(',', $p);
530:         foreach ($pageperm as $value) {
531:             if (!in_array($value, $userperm)) {
532:                 return false;
533:             }
534:         }
535:         return true;
536:     }
537: 
538:     /**
539:      * Checks if user has permissions to passed perm.
540:      * - Sysadmin has allways permission
541:      * - Client admin has allways permission
542:      *
543:      * @param string $p Permissions (comma separated list of perms) to check
544:      * @return bool
545:      */
546:     public function have_perm($perm = 'x') {
547:         global $auth, $client;
548: 
549:         if (!isset($auth->auth['perm'])) {
550:             $auth->auth['perm'] = '';
551:         }
552: 
553:         // Split the permissions of the user
554:         $userperm = explode(',', $auth->auth['perm']);
555: 
556:         // If User is sysadmin or admin at this client return true
557:         if (in_array('sysadmin', $userperm)) {
558:             return true;
559:         } elseif (in_array("admin[$client]", $userperm)) {
560:             return true;
561:             // Else check rights for the client and the language
562:         } else {
563:             // If there are more permissions to ask split them
564:             $pageperm = explode(',', $perm);
565:             foreach ($pageperm as $value) {
566:                 if (!in_array($value, $userperm)) {
567:                     return false;
568:                 }
569:             }
570:         }
571:         return true;
572:     }
573: 
574:     /**
575:      * Checks if an item have any perms
576:      *
577:      * @param string|int $mainarea
578:      * @param int $itemid
579:      * @return bool
580:      */
581:     public function have_perm_item($mainarea, $itemid) {
582:         global $cfg, $item_rights, $cfg, $client, $lang, $auth, $area_tree, $sess;
583: 
584:         $mainarea = $this->getIDForArea($mainarea);
585: 
586:         // If is admin or sysadmin
587:         if ($this->have_perm()) {
588:             return true;
589:         }
590: 
591:         // If is not admin or sysadmin
592: 
593:         if (!is_object($this->db)) {
594:             $this->db = cRegistry::getDb();
595:         }
596: 
597:         $this->showareas($mainarea);
598: 
599:         $flg = false;
600:         // Check if there are any rights for this areas
601:         foreach ($area_tree[$mainarea] as $value) {
602:             // If the flag noright is set there are no rights in this area
603:             if ($item_rights[$value] == 'noright') {
604:                 continue;
605:             } elseif (is_array($item_rights[$value])) {
606:                 // If there are any rights
607:                 foreach ($item_rights[$value] as $value2) {
608:                     if (in_array($itemid, $value2)) {
609:                         return true;
610:                     }
611:                 }
612:             } elseif ($item_rights[$value] != 'noright') {
613:                 $groupsForUser = $this->getGroupsForUser($auth->auth['uid']);
614:                 $groupsForUser[] = $auth->auth['uid'];
615: 
616:                 // else search for rights for this user in this area
617:                 $sql = "SELECT
618:                             *
619:                          FROM
620:                             " . $cfg['tab']['rights'] . "
621:                          WHERE
622:                             user_id IN ('" . implode("','", $groupsForUser) . "') AND
623:                             idclient = " . cSecurity::toInteger($client) . " AND
624:                             idlang = " . cSecurity::toInteger($lang) . " AND
625:                             idarea = '$value' AND
626:                             idcat != 0";
627:                 $this->db->query($sql);
628: 
629:                 // If there are no rights for this area set the flag norights
630:                 if ($this->db->affectedRows() == 0) {
631:                     $item_rights[$value] = 'noright';
632:                 }
633: 
634:                 // Set the rights
635:                 while ($this->db->nextRecord()) {
636:                     if ($this->db->f('idcat') == $itemid) {
637:                         $flg = true;
638:                     }
639:                     $item_rights[$this->db->f('idarea')][$this->db->f('idaction')][$this->db->f('idcat')] = $this->db->f('idcat');
640:                 }
641:             }
642:         }
643:         return $flg;
644:     }
645: 
646:     /**
647:      *
648:      * @param string|int $mainarea
649:      * @return Ambigous <number, string|int, multitype:, mixed, boolean>
650:      */
651:     public function showareas($mainarea) {
652:         global $area_tree, $sess, $perm, $cfg;
653: 
654:         if (!is_object($this->db)) {
655:             $this->db = cRegistry::getDb();
656:         }
657: 
658:         $mainarea = $this->getIDForArea($mainarea);
659: 
660:         // If $area_tree for this area is not register
661:         if (!isset($area_tree[$mainarea])) {
662:             $sess->register('area_tree');
663: 
664:             // parent_id uses the name not the idarea
665:             $sql = "SELECT name FROM " . $cfg['tab']['area'] . " WHERE idarea=$mainarea";
666:             $this->db->query($sql);
667:             $this->db->nextRecord();
668:             $name = $this->db->f('name');
669: 
670:             // Check which subareas are there and write them in the array
671:             $sql = "SELECT idarea FROM " . $cfg['tab']['area'] . " WHERE parent_id='$name' OR idarea=$mainarea";
672:             $this->db->query($sql);
673:             $area_tree[$mainarea] = array();
674:             while ($this->db->nextRecord()) {
675:                 $area_tree[$mainarea][] = $this->db->f('idarea');
676:             }
677:         }
678:         return $mainarea;
679:     }
680: }
681: