  1: <?php
  2: /**
  3:  * This file contains the permission class.
  4:  *
  5:  * @package Core
  6:  * @subpackage Backend
  7:  * @version SVN Revision $Rev:$
  8:  *
  9:  * @author Boris Erdmann, Kristian Koehntopp
 10:  * @copyright four for business AG <www.4fb.de>
 11:  * @license http://www.contenido.org/license/LIZENZ.txt
 12:  * @link http://www.4fb.de
 13:  * @link http://www.contenido.org
 14:  */
 15: 
 16: defined('CON_FRAMEWORK') || die('Illegal call: Missing framework initialization - request aborted.');
 17: 
/**
 * This class handles the permission management.
 *
 * Rights of the logged-in backend user (and of the groups the user is a
 * member of) are read from the rights table and kept in two globals that are
 * registered in the session by load_permissions():
 *   - $area_rights[idarea][idaction] = true   (rights with idcat = 0)
 *   - $item_rights[idarea][idaction][idcat] = idcat   (category-bound rights)
 * $item_rights[idarea] may also hold the string marker 'noright', meaning a
 * lookup for that area was already done and found nothing.
 *
 * All have_perm_* checks short-circuit to true for sysadmins and for admins of
 * the current client (see have_perm()); everything else is decided from the
 * globals above, which are filled lazily from the database.
 *
 * @package Core
 * @subpackage Backend
 */
class cPermission {

    /**
     * Permission class name
     *
     * @var string
     */
    public $classname = 'cPermission';

    /**
     * Area cache, area name => idarea, filled by getIDForArea()
     *
     * @var array
     */
    public $areacache = array();

    /**
     * Actions cache, action name => idaction, filled by getIDForAction()
     *
     * @var array
     */
    public $actioncache = array();

    /**
     * Database instance, fetched lazily from cRegistry::getDb() by
     * have_perm_item() and showareas(); the other methods go through the
     * cApi*Collection classes instead.
     *
     * @var cDb
     */
    public $db;

    /**
     * Returns all groups of a user.
     *
     * The user id is escaped via the collection before it is placed into the
     * WHERE clause.
     *
     * @param string $userId
     * @return array
     *         List of group ids (empty array if the user is in no group)
     */
    public function getGroupsForUser($userId) {
        $groups = array();

        $oGroupMemberColl = new cApiGroupMemberCollection();
        $oGroupMemberColl->select("user_id='" . $oGroupMemberColl->escape($userId) . "'");
        while (false !== $oItem = $oGroupMemberColl->next()) {
            $groups[] = $oItem->get('group_id');
        }

        return $groups;
    }

    /**
     * Returns the id of an area.
     * If passed area is numeric, it will returned directly.
     *
     * Note that a numeric string is returned unchanged (no cast), and an
     * unknown area name is returned unchanged as well, so the result is only
     * guaranteed to be an id for names that exist in the area table.
     *
     * @deprecated [2015-05-21]
     *         This method is no longer supported (no replacement)
     * @param string|int $area
     * @return int
     */
    public function getIDForArea($area) {
        if (is_numeric($area)) {
            return $area;
        } elseif (isset($this->areacache[$area])) {
            return $this->areacache[$area];
        }

        $oAreaColl = new cApiAreaCollection();
        $oAreaColl->select("name='" . $oAreaColl->escape($area) . "'");
        if (false !== $oItem = $oAreaColl->next()) {
            // cache the lookup so repeated checks for the same area name
            // do not hit the database again
            $this->areacache[$area] = $oItem->get('idarea');
            $area = $oItem->get('idarea');
        }

        return $area;
    }

    /**
     * Returns the id of an action.
     * If passed action is numeric, it will returned directly.
     *
     * As with getIDForArea(), a numeric string or an unknown action name is
     * returned unchanged; only a resolved name yields the id from the table.
     *
     * @param string|int $action
     * @return int
     */
    public function getIDForAction($action) {
        if (is_numeric($action)) {
            return $action;
        } elseif (isset($this->actioncache[$action])) {
            return $this->actioncache[$action];
        }

        $oActionColl = new cApiActionCollection();
        $oActionColl->select("name='" . $oActionColl->escape($action) . "'");
        if (false !== $oItem = $oActionColl->next()) {
            // cache the name -> id mapping for subsequent calls
            $this->actioncache[$action] = $oItem->get('idaction');
            $action = $oItem->get('idaction');
        }

        return $action;
    }

    /**
     * Loads all permissions of groups where current logged in user is a member
     * and saves them in session.
     *
     * Nothing is loaded for sysadmins and client admins (have_perm() with its
     * default argument is true for them). For everybody else the rights are
     * (re)loaded when $area_rights or $item_rights is not set yet, when a
     * client or language change is pending, or when $force is set; group
     * rights are loaded first and the user's own rights on top of them.
     *
     * @param bool $force [optional]
     *         Flag to force loading, event if they were cached before
     * @return string
     *         Returns diffrent values, depending on state:
     *         '1' (string) if permissions couldn't loaded
     *         '3' (string) if permissions were successfull loaded
     *         NOTE(review): for non-admins that hit the cache the method
     *         actually returns the bool from isset($area_rights) (see below),
     *         not one of the documented strings.
     */
    public function load_permissions($force = false) {
        global $sess, $area_rights, $item_rights, $auth, $changelang, $changeclient;

        $return = '1';

        // if not admin or sysadmin
        if (!$this->have_perm()) {
            // a bool, not '1'/'3'; kept as is, callers should treat the result as truthy/falsy
            $return = isset($area_rights);

            if (!isset($area_rights) || !isset($item_rights) || isset($changeclient) || isset($changelang) || $force) {
                $return = '3';
                // register variables
                $sess->register('area_rights');
                $sess->register('item_rights');
                // $item_rights starts empty; $area_rights is initialised inside
                // load_permissions_for_user() and is therefore NOT reset here
                $item_rights = array();
                $groups = $this->getGroupsForUser($auth->auth['uid']);

                if (is_array($groups)) {
                    foreach ($groups as $group) {
                        $this->load_permissions_for_user($group);
                    }
                }

                $this->load_permissions_for_user($auth->auth['uid']);
            }
        }

        return $return;
    }

    /**
     * Loads all permissions for a specific user or group.
     * Stores area rights in global variable $area_rights.
     * Stores item rights in global variable $item_rights.
     *
     * Two queries are run against the rights table, both restricted to the
     * current $client and $lang: rights with idcat = 0 go into $area_rights,
     * rights with idcat != 0 (for any known area) go into $item_rights. Both
     * globals are only ever added to, never cleared, by this method.
     *
     * @param string $user
     *         User Id hash
     */
    public function load_permissions_for_user($user) {
        global $client, $lang;
        global $area_rights, $item_rights;

        $oRightColl = new cApiRightCollection();
        // user id is escaped; client and language are cast to int
        $sWhere = "user_id='" . $oRightColl->escape($user) . "'";
        $sWhere .= " AND idcat=0 AND " . "idclient=" . (int) $client;
        $sWhere .= " AND idlang=" . (int) $lang;
        $oRightColl->select($sWhere);

        // define $area_rights if not already done so
        if (!is_array($area_rights)) {
            $area_rights = array();
        }
        while (false !== $oItem = $oRightColl->next()) {
            $idarea = $oItem->get('idarea');
            $idaction = $oItem->get('idaction');
            $area_rights[$idarea][$idaction] = true;
        }

        // Select Rights for Article and Structure (Attention Hard code Areas)
        // NOTE(review): $tmp_area is only created inside the loop, so an empty
        // area table would leave it undefined for the implode() below.
        $oAreaColl = new cApiAreaCollection();
        $oAreaColl->select();
        while (false !== $oItem = $oAreaColl->next()) {
            $idarea = $oItem->get('idarea');
            $tmp_area[] = $idarea;
        }

        // the area ids come from the area table itself, not from the request,
        // and are interpolated without escaping
        $tmp_area_string = implode("','", array_values($tmp_area));
        $sWhere = "user_id='" . $oRightColl->escape($user) . "'";
        $sWhere .= " AND idclient=" . (int) $client;
        $sWhere .= " AND idlang=" . (int) $lang;
        $sWhere .= " AND idarea IN ('$tmp_area_string')";
        // no leading space: yields "...')AND idcat != 0", which MySQL accepts
        $sWhere .= "AND idcat != 0";
        $oRightColl->select($sWhere);
        while (false !== $oItem = $oRightColl->next()) {
            $idarea = $oItem->get('idarea');
            $idaction = $oItem->get('idaction');
            $idcat = $oItem->get('idcat');
            $item_rights[$idarea][$idaction][$idcat] = $idcat;
        }
    }

    /**
     * Checks whether the user may perform the action in the area either
     * area-wide (have_perm_area_action()) or on at least one item.
     *
     * The item part is decided solely from the already loaded $item_rights;
     * unlike have_perm_area_action_item() this method never queries the
     * database for missing item rights.
     *
     * @param string $area
     * @param string $action [optional]
     * @return bool
     */
    public function have_perm_area_action_anyitem($area, $action = 0) {
        global $item_rights;

        if ($this->have_perm_area_action($area, $action)) {
            return true;
        }

        $oAreaColl = new cApiAreaCollection();
        $area = $oAreaColl->getAreaID($area);

        $action = $this->getIDForAction($action);

        return isset($item_rights[$area][$action]);
    }

    /**
     * Checks whether the user may perform the action in the area on the given
     * item (category id).
     *
     * Order of checks: sysadmin/client admin -> area-wide right -> cached
     * item right -> (unless the area is marked 'noright') item rights of the
     * user and the user's groups loaded from the rights table for the current
     * client and language, which are then cached in $item_rights.
     *
     * @param string $area
     * @param string $action
     * @param mixed $itemid
     * @return bool
     */
    public function have_perm_area_action_item($area, $action, $itemid) {
        global $item_rights, $auth, $client, $lang, $cfg;

        if ($this->have_perm()) {
            return true;
        }

        $oAreaColl = new cApiAreaCollection();
        $area = $oAreaColl->getAreaID($area);
        $action = $this->getIDForAction($action);

        // If the user has a right on this action in this area check for the
        // items
        if ($this->have_perm_area_action($area, $action)) {
            return true;
        }

        // Check rights for the action in this area at this item
        if (isset($item_rights[$area][$action][$itemid])) {
            // If have action for area + action +item check right for client and
            // lang
            return true;
        }

        // loose comparison on purpose: $item_rights[$area] is either the
        // string marker 'noright', an array of actions, or not set at all
        if ($item_rights[$area] != 'noright') {
            $groupsForUser = $this->getGroupsForUser($auth->auth['uid']);
            $groupsForUser[] = $auth->auth['uid'];

            // NOTE(review): the group ids and the uid are joined into the IN
            // list without the escape() that getGroupsForUser() applies; they
            // originate from the session/group table, not from the request.
            $userIdIn = implode("','", $groupsForUser);

            $oRightsColl = new cApiRightCollection();
            // $area was resolved by getAreaID() above; whether that guarantees
            // an integer is not visible here
            $where = "user_id IN ('" . $userIdIn . "') AND idclient=" . (int) $client . " AND idlang=" . (int) $lang . " AND idarea=$area AND idcat != 0";

            if (!$oRightsColl->select($where)) {
                // remember that there is nothing to find for this area
                $item_rights[$area] = 'noright';
                return false;
            }

            while (false !== $oItem = $oRightsColl->next()) {
                $item_rights[$oItem->get('idarea')][$oItem->get('idaction')][$oItem->get('idcat')] = $oItem->get('idcat');
            }

            // Check
            if (isset($item_rights[$area][$action][$itemid])) {
                // If have action for area + action +item check right for client
                // and lang
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the parent id of passed area
     *
     * @deprecated [2015-05-21]
     *         This method is no longer supported (no replacement)
     * @param int|string $area
     *         Area id or name
     * @return string|int
     *         name of parent area or passed area
     */
    public function getParentAreaId($area) {
        $oAreaColl = new cApiAreaCollection();
        return $oAreaColl->getParentAreaID($area);
    }

    /**
     * Checks whether the user has an area-wide right (idcat = 0) for the
     * action in the area, and additionally access to the current client and
     * language.
     *
     * With $action = 0 the check is done against the parent area and passes
     * if any right exists for it. Sysadmins and client admins always pass.
     *
     * @param string $area
     * @param string $action [optional]
     * @return bool
     */
    public function have_perm_area_action($area, $action = 0) {
        global $area_rights, $client, $lang, $cfg;

        $oAreaColl = new cApiAreaCollection();
        $area = $oAreaColl->getAreaID($area);
        $action = $this->getIDForAction($action);

        // loose comparison: $action may be the int 0 or a numeric string
        if ($action == 0) {
            $area = $this->getParentAreaId($area);
        }

        // resolve again, getParentAreaId() may have returned a name
        $oAreaColl = new cApiAreaCollection();
        $area = $oAreaColl->getAreaID($area);

        if (!$this->have_perm()) {
            // NOTE(review): both lookups below read $area_rights[$area] without
            // isset(), so a missing area produces a notice and evaluates to false.
            if ($action == 0 && $area_rights[$area]) {
                // If have action for area + action check right for client and
                // lang
                return $this->have_perm_client_lang($client, $lang);
            }

            // check rights for the action in this area
            if ($area_rights[$area][$action]) {
                // If have action for area + action check right for client and
                // lang
                return $this->have_perm_client_lang($client, $lang);
            }

            return false;
        }
        return true;
    }

    /**
     * Checks whether the logged-in user may access the given client and
     * language, i.e. whether the permission string in $auth->auth['perm']
     * contains both "client[$client]" and "lang[$lang]".
     *
     * Sysadmins and admins of the given client always pass.
     *
     * @param int $client
     * @param int $lang
     * @return bool
     */
    public function have_perm_client_lang($client, $lang) {
        global $auth;

        // Changed back to a full featured function, as have_perm
        // needs $client as global variable - not provided by this
        // function
        // return $this->have_perm("client[$client],lang[$lang]");

        if (!isset($auth->auth['perm'])) {
            $auth->auth['perm'] = '';
        }

        // Split the permissions of the user
        $userperm = explode(',', $auth->auth['perm']);

        // in_array() without strict mode; the entries are plain strings
        if (in_array('sysadmin', $userperm)) {
            return true; // User is sysadmin
        } elseif (in_array("admin[$client]", $userperm)) {
            return true; // User is admin
        } else {
            // Check rights for the client and the language
            $pageperm = explode(',', "client[$client],lang[$lang]");
            foreach ($pageperm as $value) {
                if (!in_array($value, $userperm)) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Checks if a user has access rights for a specific client.
     *
     * True for sysadmins, admins of the client and users whose effective
     * permissions contain "client[$iClient]".
     *
     * @param int $iClient [optional]
     *         idclient to check, or false for the current client
     * @param object $oUser [optional]
     *         User object to check against, or false for the current user
     * @return bool
     */
    public function hasClientPermission($iClient = false, $oUser = false) {
        global $auth, $client;

        if ($iClient === false) {
            $iClient = $client;
        }

        $oUser = $this->_checkUserObject($oUser);

        if ($this->isSysadmin($oUser) || $this->isClientAdmin($iClient, $oUser) || $this->isClientUser($iClient, $oUser)) {
            return true;
        } else {
            return false;
        }
        /*
         * Commented out Timo Trautmann, because here only client access is
         * checked, possibility for admin or sysadmin access was ignored
         * functions isSysadmin isClientAdmin isClientUser also handles
         * permission for groups #Check clients' rights of users' group(s)
         * $aGroups = $this->getGroupsForUser($auth->auth["uid"]); if
         * (is_array($aGroups)) { foreach ($aGroups as $group) { $oGroup = new
         * cApiGroup($group); if ($this->isClientGroup($iClient, $oGroup)) {
         * return true; } } } return false; }
         */
    }

    /**
     * Checks if the given user has access permission for a client
     *
     * Uses the user's effective permissions (getEffectiveUserPerms()), i.e.
     * group permissions are taken into account.
     *
     * @param int $iClient
     *         idclient to check
     * @param object $oUser
     *         User object to check against
     * @return bool
     */
    public function isClientUser($iClient, $oUser) {
        $oUser = $this->_checkUserObject($oUser);

        $aPermissions = explode(',', $oUser->getEffectiveUserPerms());

        if (in_array("client[$iClient]", $aPermissions)) {
            return true;
        }

        return false;
    }

    /**
     * Checks if the given group has access permission for a client
     *
     * Reads the raw 'perms' field of the group (no effective-permission
     * resolution as in the user checks).
     *
     * @param int $iClient
     *         idclient to check
     * @param object $oGroup
     *         Group object to check against
     * @return bool
     */
    public function isClientGroup($iClient, $oGroup) {
        $aPermissions = explode(',', $oGroup->getField('perms'));

        if (in_array("client[$iClient]", $aPermissions)) {
            return true;
        }

        return false;
    }

    /**
     * Checks if the given user has an admin permission
     *
     * Looks for "admin[$iClient]" in the user's effective permissions.
     *
     * @param int $iClient
     *         idclient to check
     * @param object $oUser
     *         User object to check against
     * @return bool
     */
    public function isClientAdmin($iClient, $oUser) {
        $oUser = $this->_checkUserObject($oUser);

        $aPermissions = explode(',', $oUser->getEffectiveUserPerms());

        if (in_array("admin[$iClient]", $aPermissions)) {
            return true;
        }

        return false;
    }

    /**
     * Checks if the given user has sysadmin permission
     *
     * Looks for 'sysadmin' in the user's effective permissions.
     *
     * @param object $oUser
     *         User object to check against
     * @return bool
     */
    public function isSysadmin($oUser) {
        $oUser = $this->_checkUserObject($oUser);

        $aPermissions = explode(',', $oUser->getEffectiveUserPerms());

        if (in_array('sysadmin', $aPermissions)) {
            return true;
        }

        return false;
    }

    /**
     * Checks if the given object is a user object.
     *
     * If oUser is false, initialize the object from the currently logged in
     * user. If oUser is not an object of the class cApiUser, throw an
     * exception.
     *
     * Resolution order: $oUser === false -> global $currentuser; anything
     * that is still not an object -> new cApiUser for the session uid. The
     * final check is an exact class-name comparison, so subclasses of
     * cApiUser are rejected.
     *
     * @param object $oUser
     *         User object
     * @throws cInvalidArgumentException
     *         if the given or constructed user is not a cApiUser object
     * @return object
     */
    private function _checkUserObject($oUser) {
        if ($oUser === false) {
            global $currentuser;
            $oUser = $currentuser;
        }

        if (!is_object($oUser)) {
            global $auth;
            $oUser = new cApiUser($auth->auth['uid']);
        }

        if (get_class($oUser) != 'cApiUser') {
            throw new cInvalidArgumentException('oUser parameter is not of type User');
        }

        return $oUser;
    }

    /**
     * Checks if the logged-in user has all permissions in the passed
     * comma-separated list.
     *
     * Unlike have_perm(), only 'sysadmin' short-circuits here; a client admin
     * is not treated specially (the $client global is declared but unused).
     *
     * @param string $perm [optional]
     *         Permissions (comma separated list of perms) to check
     * @return bool
     */
    public function have_perm_client($perm = 'x') {
        global $auth, $client;

        if (!isset($auth->auth['perm'])) {
            $auth->auth['perm'] = '';
        }

        // Split the permissions of the user
        $userperm = explode(',', $auth->auth['perm']);

        // If User is sysadmin or admin at this client return true
        if (in_array('sysadmin', $userperm)) {
            return true;
        }

        // If there are more permissions to ask split them
        $pageperm = explode(',', $perm);
        foreach ($pageperm as $value) {
            if (!in_array($value, $userperm)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Checks if user has permissions to passed perm.
     * - Sysadmin has allways permission
     * - Client admin has allways permission
     *
     * With the default argument 'x' the check succeeds only for sysadmins,
     * admins of the current client, or a user whose permission list literally
     * contains 'x'; this is how the other methods use it as an
     * "is admin or sysadmin" test.
     *
     * @param string $perm [optional]
     *         Permissions (comma separated list of perms) to check
     * @return bool
     */
    public function have_perm($perm = 'x') {
        global $auth, $client;

        if (!isset($auth->auth['perm'])) {
            $auth->auth['perm'] = '';
        }

        // Split the permissions of the user
        $userperm = explode(',', $auth->auth['perm']);

        // If User is sysadmin or admin at this client return true
        if (in_array('sysadmin', $userperm)) {
            return true;
        } elseif (in_array("admin[$client]", $userperm)) {
            return true;
            // Else check rights for the client and the language
        } else {
            // If there are more permissions to ask split them
            // every requested permission must be present
            $pageperm = explode(',', $perm);
            foreach ($pageperm as $value) {
                if (!in_array($value, $userperm)) {
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Checks if an item have any perms
     *
     * Walks the area tree of $mainarea (see showareas()) and returns true as
     * soon as $itemid appears in the cached $item_rights of one of those
     * areas. Areas without cached entry are loaded from the rights table for
     * the user and the user's groups (current client and language) and
     * cached; areas with no rows are marked 'noright'.
     *
     * @param string|int $mainarea
     * @param int $itemid
     * @return bool
     */
    public function have_perm_item($mainarea, $itemid) {
        // $cfg is listed twice; harmless
        global $cfg, $item_rights, $cfg, $client, $lang, $auth, $area_tree, $sess;

        $oAreaColl = new cApiAreaCollection();
        $mainarea = $oAreaColl->getAreaID($mainarea);

        // If is admin or sysadmin
        if ($this->have_perm()) {
            return true;
        }

        // If is not admin or sysadmin

        if (!is_object($this->db)) {
            $this->db = cRegistry::getDb();
        }

        // make sure $area_tree[$mainarea] is populated
        $this->showareas($mainarea);

        $flg = false;
        // Check if there are any rights for this areas
        foreach ($area_tree[$mainarea] as $value) {
            // If the flag noright is set there are no rights in this area
            if ($item_rights[$value] == 'noright') {
                continue;
            } elseif (is_array($item_rights[$value])) {
                // If there are any rights
                // in_array() without strict mode: $itemid is compared loosely
                // against the cached idcat values
                foreach ($item_rights[$value] as $value2) {
                    if (in_array($itemid, $value2)) {
                        return true;
                    }
                }
            } elseif ($item_rights[$value] != 'noright') {
                // reached when $item_rights[$value] is neither 'noright' nor an array (e.g. not set)
                $groupsForUser = $this->getGroupsForUser($auth->auth['uid']);
                $groupsForUser[] = $auth->auth['uid'];

                // else search for rights for this user in this area
                // NOTE(review): client and language are cast via cSecurity::toInteger(),
                // but the user/group ids and $value (an idarea taken from the area
                // table by showareas()) are interpolated without escaping.
                $sql = "SELECT
                            *
                         FROM
                            " . $cfg['tab']['rights'] . "
                         WHERE
                            user_id IN ('" . implode("','", $groupsForUser) . "') AND
                            idclient = " . cSecurity::toInteger($client) . " AND
                            idlang = " . cSecurity::toInteger($lang) . " AND
                            idarea = '$value' AND
                            idcat != 0";
                $this->db->query($sql);

                // If there are no rights for this area set the flag norights
                if ($this->db->affectedRows() == 0) {
                    $item_rights[$value] = 'noright';
                }

                // Set the rights
                while ($this->db->nextRecord()) {
                    if ($this->db->f('idcat') == $itemid) {
                        $flg = true;
                    }
                    $item_rights[$this->db->f('idarea')][$this->db->f('idaction')][$this->db->f('idcat')] = $this->db->f('idcat');
                }
            }
        }
        return $flg;
    }

    /**
     * Resolves $mainarea to its id and fills $area_tree[$mainarea] (registered
     * in the session) with the ids of the area itself and of all areas whose
     * parent_id equals its name, unless that entry already exists.
     *
     * @param string|int $mainarea
     * @return int
     *         the resolved area id
     */
    public function showareas($mainarea) {
        global $area_tree, $sess, $perm, $cfg;

        if (!is_object($this->db)) {
            $this->db = cRegistry::getDb();
        }

        $oAreaColl = new cApiAreaCollection();
        $mainarea = $oAreaColl->getAreaID($mainarea);

        // If $area_tree for this area is not register
        if (!isset($area_tree[$mainarea])) {
            $sess->register('area_tree');

            // parent_id uses the name not the idarea
            // $mainarea is interpolated unquoted; it was resolved by getAreaID()
            // above, whether that guarantees an integer is not visible here
            $sql = "SELECT name FROM " . $cfg['tab']['area'] . " WHERE idarea=$mainarea";
            $this->db->query($sql);
            $this->db->nextRecord();
            $name = $this->db->f('name');

            // Check which subareas are there and write them in the array
            // NOTE(review): $name comes straight from the area table and is
            // interpolated into the next query without escaping.
            $sql = "SELECT idarea FROM " . $cfg['tab']['area'] . " WHERE parent_id='$name' OR idarea=$mainarea";
            $this->db->query($sql);
            $area_tree[$mainarea] = array();
            while ($this->db->nextRecord()) {
                $area_tree[$mainarea][] = $this->db->f('idarea');
            }
        }
        return $mainarea;
    }
}
708: 