  1: <?php
  2: /**
  3:  * This file contains the permission class.
  4:  *
  5:  * @package Core
  6:  * @subpackage Backend
  7:  * @author Boris Erdmann
  8:  * @author Kristian Koehntopp
  9:  * @copyright four for business AG <www.4fb.de>
 10:  * @license http://www.contenido.org/license/LIZENZ.txt
 11:  * @link http://www.4fb.de
 12:  * @link http://www.contenido.org
 13:  */
 14: 
 15: defined('CON_FRAMEWORK') || die('Illegal call: Missing framework initialization - request aborted.');
 16: 
 17: /**
 18:  * This class handles the permission management
 19:  *
 20:  * @package Core
 21:  * @subpackage Backend
 22:  */
 23: class cPermission {
 24: 
 25:     /**
 26:      * Permission class name
 27:      *
 28:      * @var string
 29:      */
 30:     public $classname = 'cPermission';
 31: 
 32:     /**
 33:      * Area cache
 34:      *
 35:      * @var array
 36:      */
 37:     public $areacache = array();
 38: 
 39:     /**
 40:      * Actions cache
 41:      *
 42:      * @var array
 43:      */
 44:     public $actioncache = array();
 45: 
 46:     /**
 47:      * Database instance
 48:      *
 49:      * @var cDb
 50:      */
 51:     public $db;
 52: 
 53:     /**
 54:      * Returns all groups of a user
 55:      *
 56:      * @param string $userId
 57:      * @return array
 58:      *         List of group ids
 59:      */
 60:     public function getGroupsForUser($userId) {
 61:         $groups = array();
 62: 
 63:         $oGroupMemberColl = new cApiGroupMemberCollection();
 64:         $oGroupMemberColl->select("user_id='" . $oGroupMemberColl->escape($userId) . "'");
 65:         while (false !== $oItem = $oGroupMemberColl->next()) {
 66:             $groups[] = $oItem->get('group_id');
 67:         }
 68: 
 69:         return $groups;
 70:     }
 71: 
 72:     /**
 73:      * Returns the id of an area.
 74:      * If passed area is numeric, it will returned directly.
 75:      *
 76:      * @deprecated [2015-05-21]
 77:      *         This method is no longer supported (no replacement)
 78:      * @param string|int $area
 79:      * @return int
 80:      */
 81:     public function getIDForArea($area) {
 82:         if (is_numeric($area)) {
 83:             return $area;
 84:         } elseif (isset($this->areacache[$area])) {
 85:             return $this->areacache[$area];
 86:         }
 87: 
 88:         $oAreaColl = new cApiAreaCollection();
 89:         $oAreaColl->select("name='" . $oAreaColl->escape($area) . "'");
 90:         if (false !== $oItem = $oAreaColl->next()) {
 91:             $this->areacache[$area] = $oItem->get('idarea');
 92:             $area = $oItem->get('idarea');
 93:         }
 94: 
 95:         return $area;
 96:     }
 97: 
 98:     /**
 99:      * Returns the id of an action.
100:      * If passed action is numeric, it will returned directly.
101:      *
102:      * @param string|int $action
103:      * @return int
104:      */
105:     public function getIDForAction($action) {
106:         if (is_numeric($action)) {
107:             return $action;
108:         } elseif (isset($this->actioncache[$action])) {
109:             return $this->actioncache[$action];
110:         }
111: 
112:         $oActionColl = new cApiActionCollection();
113:         $oActionColl->select("name='" . $oActionColl->escape($action) . "'");
114:         if (false !== $oItem = $oActionColl->next()) {
115:             $this->actioncache[$action] = $oItem->get('idaction');
116:             $action = $oItem->get('idaction');
117:         }
118: 
119:         return $action;
120:     }
121: 
122:     /**
123:      * Loads all permissions of groups where current logged in user is a member
124:      * and saves them in session.
125:      *
126:      * @param bool $force [optional]
127:      *         Flag to force loading, event if they were cached before
128:      * @return string
129:      *         Returns diffrent values, depending on state:
130:      *         '1' (string) if permissions couldn't loaded
131:      *         '3' (string) if permissions were successfull loaded
132:      */
133:     public function load_permissions($force = false) {
134:         global $sess, $area_rights, $item_rights, $auth, $changelang, $changeclient;
135: 
136:         $return = '1';
137: 
138:         // if not admin or sysadmin
139:         if (!$this->have_perm()) {
140:             $return = isset($area_rights);
141: 
142:             if (!isset($area_rights) || !isset($item_rights) || isset($changeclient) || isset($changelang) || $force) {
143:                 $return = '3';
144:                 // register variables
145:                 $sess->register('area_rights');
146:                 $sess->register('item_rights');
147:                 $item_rights = array();
148:                 $groups = $this->getGroupsForUser($auth->auth['uid']);
149: 
150:                 if (is_array($groups)) {
151:                     foreach ($groups as $group) {
152:                         $this->load_permissions_for_user($group);
153:                     }
154:                 }
155: 
156:                 $this->load_permissions_for_user($auth->auth['uid']);
157:             }
158:         }
159: 
160:         return $return;
161:     }
162: 
163:     /**
164:      * Loads all permissions for a specific user or group.
165:      * Stores area rights in global variable $area_rights.
166:      * Stores item rights in global variable $item_rights.
167:      *
168:      * @param string $user
169:      *         User Id hash
170:      */
171:     public function load_permissions_for_user($user) {
172:         global $client, $lang;
173:         global $area_rights, $item_rights;
174: 
175:         $oRightColl = new cApiRightCollection();
176:         $sWhere = "user_id='" . $oRightColl->escape($user) . "'";
177:         $sWhere .= " AND idcat=0 AND " . "idclient=" . (int) $client;
178:         $sWhere .= " AND idlang=" . (int) $lang;
179:         $oRightColl->select($sWhere);
180: 
181:         // define $area_rights if not already done so
182:         if (!is_array($area_rights)) {
183:             $area_rights = array();
184:         }
185:         while (false !== $oItem = $oRightColl->next()) {
186:             $idarea = $oItem->get('idarea');
187:             $idaction = $oItem->get('idaction');
188:             $area_rights[$idarea][$idaction] = true;
189:         }
190: 
191:         // Select Rights for Article and Sructure (Attention Hard code Areas)
192:         $oAreaColl = new cApiAreaCollection();
193:         $oAreaColl->select();
194:         while (false !== $oItem = $oAreaColl->next()) {
195:             $idarea = $oItem->get('idarea');
196:             $tmp_area[] = $idarea;
197:         }
198: 
199:         $tmp_area_string = implode("','", array_values($tmp_area));
200:         $sWhere = "user_id='" . $oRightColl->escape($user) . "'";
201:         $sWhere .= " AND idclient=" . (int) $client;
202:         $sWhere .= " AND idlang=" . (int) $lang;
203:         $sWhere .= " AND idarea IN ('$tmp_area_string')";
204:         $sWhere .= "AND idcat != 0";
205:         $oRightColl->select($sWhere);
206:         while (false !== $oItem = $oRightColl->next()) {
207:             $idarea = $oItem->get('idarea');
208:             $idaction = $oItem->get('idaction');
209:             $idcat = $oItem->get('idcat');
210:             $item_rights[$idarea][$idaction][$idcat] = $idcat;
211:         }
212:     }
213: 
214:     /**
215:      *
216:      * @param string $area
217:      * @param string $action [optional]
218:      * @return bool
219:      */
220:     public function have_perm_area_action_anyitem($area, $action = 0) {
221:         global $item_rights;
222: 
223:         if ($this->have_perm_area_action($area, $action)) {
224:             return true;
225:         }
226: 
227:         $oAreaColl = new cApiAreaCollection();
228:         $area = $oAreaColl->getAreaID($area);
229: 
230:         $action = $this->getIDForAction($action);
231: 
232:         return isset($item_rights[$area][$action]);
233:     }
234: 
235:     /**
236:      *
237:      * @param string $area
238:      * @param string $action
239:      * @param mixed $itemid
240:      * @return bool
241:      */
242:     public function have_perm_area_action_item($area, $action, $itemid) {
243:         global $item_rights, $auth, $client, $lang, $cfg;
244: 
245:         if ($this->have_perm()) {
246:             return true;
247:         }
248: 
249:         $oAreaColl = new cApiAreaCollection();
250:         $area = $oAreaColl->getAreaID($area);
251:         $action = $this->getIDForAction($action);
252: 
253:         // If the user has a right on this action in this area check for the
254:         // items
255:         if ($this->have_perm_area_action($area, $action)) {
256:             return true;
257:         }
258: 
259:         // Check rights for the action in this area at this item
260:         if (isset($item_rights[$area][$action][$itemid])) {
261:             // If have action for area + action +item check right for client and
262:             // lang
263:             return true;
264:         }
265: 
266:         if ($item_rights[$area] != 'noright') {
267:             $groupsForUser = $this->getGroupsForUser($auth->auth['uid']);
268:             $groupsForUser[] = $auth->auth['uid'];
269: 
270:             $userIdIn = implode("','", $groupsForUser);
271: 
272:             $oRightsColl = new cApiRightCollection();
273:             $where = "user_id IN ('" . $userIdIn . "') AND idclient=" . (int) $client . " AND idlang=" . (int) $lang . " AND idarea=$area AND idcat != 0";
274: 
275:             if (!$oRightsColl->select($where)) {
276:                 $item_rights[$area] = 'noright';
277:                 return false;
278:             }
279: 
280:             while (false !== $oItem = $oRightsColl->next()) {
281:                 $item_rights[$oItem->get('idarea')][$oItem->get('idaction')][$oItem->get('idcat')] = $oItem->get('idcat');
282:             }
283: 
284:             // Check
285:             if (isset($item_rights[$area][$action][$itemid])) {
286:                 // If have action for area + action +item check right for client
287:                 // and lang
288:                 return true;
289:             }
290:         }
291:         return false;
292:     }
293: 
294:     /**
295:      * Returns the parent id of passed area
296:      *
297:      * @deprecated [2015-05-21]
298:      *         This method is no longer supported (no replacement)
299:      * @param int|string $area
300:      *         Area id or name
301:      * @return string|int
302:      *         name of parent area or passed area
303:      */
304:     public function getParentAreaId($area) {
305:         $oAreaColl = new cApiAreaCollection();
306:         return $oAreaColl->getParentAreaID($area);
307:     }
308: 
309:     /**
310:      *
311:      * @param string $area
312:      * @param string $action [optional]
313:      * @return bool
314:      */
315:     public function have_perm_area_action($area, $action = 0) {
316:         global $area_rights, $client, $lang, $cfg;
317: 
318:         $oAreaColl = new cApiAreaCollection();
319:         $area = $oAreaColl->getAreaID($area);
320:         $action = $this->getIDForAction($action);
321: 
322:         if ($action == 0) {
323:             $area = $oAreaColl->getParentAreaID($area);
324:         }
325: 
326:         $area = $oAreaColl->getAreaID($area);
327: 
328:         if (!$this->have_perm()) {
329:             if ($action == 0 && $area_rights[$area]) {
330:                 // If have action for area + action check right for client and
331:                 // lang
332:                 return $this->have_perm_client_lang($client, $lang);
333:             }
334: 
335:             // check rights for the action in this area
336:             if ($area_rights[$area][$action]) {
337:                 // If have action for area + action check right for client and
338:                 // lang
339:                 return $this->have_perm_client_lang($client, $lang);
340:             }
341: 
342:             return false;
343:         }
344: 
345:         return true;
346:     }
347: 
348:     /**
349:      *
350:      * @param int $client
351:      * @param int $lang
352:      * @return bool
353:      */
354:     public function have_perm_client_lang($client, $lang) {
355:         global $auth;
356: 
357:         // Changed back to a full featured function, as have_perm
358:         // needs $client as global variable - not provided by this
359:         // function
360:         // return $this->have_perm("client[$client],lang[$lang]");
361: 
362:         if (!isset($auth->auth['perm'])) {
363:             $auth->auth['perm'] = '';
364:         }
365: 
366:         // Split the permissions of the user
367:         $userperm = explode(',', $auth->auth['perm']);
368: 
369:         if (in_array('sysadmin', $userperm)) {
370:             return true; // User is sysadmin
371:         } elseif (in_array("admin[$client]", $userperm)) {
372:             return true; // User is admin
373:         } else {
374:             // Check rights for the client and the language
375:             $pageperm = explode(',', "client[$client],lang[$lang]");
376:             foreach ($pageperm as $value) {
377:                 if (!in_array($value, $userperm)) {
378:                     return false;
379:                 }
380:             }
381:         }
382:         return true;
383:     }
384: 
385:     /**
386:      * Checks if a user has access rights for a specific client.
387:      *
388:      * @param int $iClient [optional]
389:      *         idclient to check, or false for the current client
390:      * @param object $oUser [optional]
391:      *         User object to check against, or false for the current user
392:      * @return bool
393:      */
394:     public function hasClientPermission($iClient = false, $oUser = false) {
395:         global $auth, $client;
396: 
397:         if ($iClient === false) {
398:             $iClient = $client;
399:         }
400: 
401:         $oUser = $this->_checkUserObject($oUser);
402: 
403:         if ($this->isSysadmin($oUser) || $this->isClientAdmin($iClient, $oUser) || $this->isClientUser($iClient, $oUser)) {
404:             return true;
405:         } else {
406:             return false;
407:         }
408:         /*
409:          * Commented out Timo Trautmann, because here only client access is
410:          * checked, possibility for admin or sysadmin access was ignored
411:          * functions isSysadmin isClientAdmin isClientUser also handles
412:          * permission for groups #Check clients' rights of users' group(s)
413:          * $aGroups = $this->getGroupsForUser($auth->auth["uid"]); if
414:          * (is_array($aGroups)) { foreach ($aGroups as $group) { $oGroup = new
415:          * cApiGroup($group); if ($this->isClientGroup($iClient, $oGroup)) {
416:          * return true; } } } return false; }
417:          */
418:     }
419: 
420:     /**
421:      * Checks if the given user has access permission for a client
422:      *
423:      * @param int $iClient
424:      *         idclient to check
425:      * @param object $oUser
426:      *         User object to check against
427:      * @return bool
428:      */
429:     public function isClientUser($iClient, $oUser) {
430:         $oUser = $this->_checkUserObject($oUser);
431: 
432:         $aPermissions = explode(',', $oUser->getEffectiveUserPerms());
433: 
434:         if (in_array("client[$iClient]", $aPermissions)) {
435:             return true;
436:         }
437: 
438:         return false;
439:     }
440: 
441:     /**
442:      * Checks if the given group has access permission for a client
443:      *
444:      * @param int $iClient
445:      *         idclient to check
446:      * @param object $oGroup
447:      *         Group object to check against
448:      * @return bool
449:      */
450:     public function isClientGroup($iClient, $oGroup) {
451:         $aPermissions = explode(',', $oGroup->getField('perms'));
452: 
453:         if (in_array("client[$iClient]", $aPermissions)) {
454:             return true;
455:         }
456: 
457:         return false;
458:     }
459: 
460:     /**
461:      * Checks if the given user has an admin permission
462:      *
463:      * @param int $iClient
464:      *         idclient to check
465:      * @param object $oUser
466:      *         User object to check against
467:      * @return bool
468:      */
469:     public function isClientAdmin($iClient, $oUser) {
470:         $oUser = $this->_checkUserObject($oUser);
471: 
472:         $aPermissions = explode(',', $oUser->getEffectiveUserPerms());
473: 
474:         if (in_array("admin[$iClient]", $aPermissions)) {
475:             return true;
476:         }
477: 
478:         return false;
479:     }
480: 
481:     /**
482:      * Checks if the given user has sysadmin permission
483:      *
484:      * @param object $oUser
485:      *         User object to check against
486:      * @return bool
487:      */
488:     public function isSysadmin($oUser) {
489:         $oUser = $this->_checkUserObject($oUser);
490: 
491:         $aPermissions = explode(',', $oUser->getEffectiveUserPerms());
492: 
493:         if (in_array('sysadmin', $aPermissions)) {
494:             return true;
495:         }
496: 
497:         return false;
498:     }
499: 
500:     /**
501:      * Checks if the given object is a user object.
502:      *
503:      * If oUser is false, initialize the object from the currently logged in
504:      * user. If oUser is not an object of the class cApiUser, throw an
505:      * exception.
506:      *
507:      * @param object $oUser
508:      *         User object
509:      * @throws cInvalidArgumentException
510:      *         if the given or constructed user is not a cApiUser object
511:      * @return object
512:      */
513:     private function _checkUserObject($oUser) {
514:         if ($oUser === false) {
515:             global $currentuser;
516:             $oUser = $currentuser;
517:         }
518: 
519:         if (!is_object($oUser)) {
520:             global $auth;
521:             $oUser = new cApiUser($auth->auth['uid']);
522:         }
523: 
524:         if (get_class($oUser) != 'cApiUser') {
525:             throw new cInvalidArgumentException('oUser parameter is not of type User');
526:         }
527: 
528:         return $oUser;
529:     }
530: 
531:     /**
532:      *
533:      * @param string $p [optional]
534:      * @return bool
535:      */
536:     public function have_perm_client($perm = 'x') {
537:         global $auth, $client;
538: 
539:         if (!isset($auth->auth['perm'])) {
540:             $auth->auth['perm'] = '';
541:         }
542: 
543:         // Split the permissions of the user
544:         $userperm = explode(',', $auth->auth['perm']);
545: 
546:         // If User is sysadmin or admin at this client return true
547:         if (in_array('sysadmin', $userperm)) {
548:             return true;
549:         }
550: 
551:         // If there are more permissions to ask split them
552:         $pageperm = explode(',', $perm);
553:         foreach ($pageperm as $value) {
554:             if (!in_array($value, $userperm)) {
555:                 return false;
556:             }
557:         }
558:         return true;
559:     }
560: 
561:     /**
562:      * Checks if user has permissions to passed perm.
563:      * - Sysadmin has allways permission
564:      * - Client admin has allways permission
565:      *
566:      * @param string $perm [optional]
567:      *         Permissions (comma separated list of perms) to check
568:      * @return bool
569:      */
570:     public function have_perm($perm = 'x') {
571:         global $auth, $client;
572: 
573:         if (!isset($auth->auth['perm'])) {
574:             $auth->auth['perm'] = '';
575:         }
576: 
577:         // Split the permissions of the user
578:         $userperm = explode(',', $auth->auth['perm']);
579: 
580:         // If User is sysadmin or admin at this client return true
581:         if (in_array('sysadmin', $userperm)) {
582:             return true;
583:         } elseif (in_array("admin[$client]", $userperm)) {
584:             return true;
585:             // Else check rights for the client and the language
586:         } else {
587:             // If there are more permissions to ask split them
588:             $pageperm = explode(',', $perm);
589:             foreach ($pageperm as $value) {
590:                 if (!in_array($value, $userperm)) {
591:                     return false;
592:                 }
593:             }
594:         }
595:         return true;
596:     }
597: 
598:     /**
599:      * Checks if an item have any perms
600:      *
601:      * @param string|int $mainarea
602:      * @param int $itemid
603:      * @return bool
604:      */
605:     public function have_perm_item($mainarea, $itemid) {
606:         global $cfg, $item_rights, $cfg, $client, $lang, $auth, $area_tree, $sess;
607: 
608:         $oAreaColl = new cApiAreaCollection();
609:         $mainarea = $oAreaColl->getAreaID($mainarea);
610: 
611:         // If is admin or sysadmin
612:         if ($this->have_perm()) {
613:             return true;
614:         }
615: 
616:         // If is not admin or sysadmin
617: 
618:         if (!is_object($this->db)) {
619:             $this->db = cRegistry::getDb();
620:         }
621: 
622:         $this->showareas($mainarea);
623: 
624:         $flg = false;
625:         // Check if there are any rights for this areas
626:         foreach ($area_tree[$mainarea] as $value) {
627:             // If the flag noright is set there are no rights in this area
628:             if ($item_rights[$value] == 'noright') {
629:                 continue;
630:             } elseif (is_array($item_rights[$value])) {
631:                 // If there are any rights
632:                 foreach ($item_rights[$value] as $value2) {
633:                     if (in_array($itemid, $value2)) {
634:                         return true;
635:                     }
636:                 }
637:             } elseif ($item_rights[$value] != 'noright') {
638:                 $groupsForUser = $this->getGroupsForUser($auth->auth['uid']);
639:                 $groupsForUser[] = $auth->auth['uid'];
640: 
641:                 // else search for rights for this user in this area
642:                 $sql = "SELECT
643:                             *
644:                          FROM
645:                             " . $cfg['tab']['rights'] . "
646:                          WHERE
647:                             user_id IN ('" . implode("','", $groupsForUser) . "') AND
648:                             idclient = " . cSecurity::toInteger($client) . " AND
649:                             idlang = " . cSecurity::toInteger($lang) . " AND
650:                             idarea = '$value' AND
651:                             idcat != 0";
652:                 $this->db->query($sql);
653: 
654:                 // If there are no rights for this area set the flag norights
655:                 if ($this->db->affectedRows() == 0) {
656:                     $item_rights[$value] = 'noright';
657:                 }
658: 
659:                 // Set the rights
660:                 while ($this->db->nextRecord()) {
661:                     if ($this->db->f('idcat') == $itemid) {
662:                         $flg = true;
663:                     }
664:                     $item_rights[$this->db->f('idarea')][$this->db->f('idaction')][$this->db->f('idcat')] = $this->db->f('idcat');
665:                 }
666:             }
667:         }
668:         return $flg;
669:     }
670: 
671:     /**
672:      *
673:      * @param string|int $mainarea
674:      * @return int
675:      */
676:     public function showareas($mainarea) {
677:         global $area_tree, $sess, $perm, $cfg;
678: 
679:         if (!is_object($this->db)) {
680:             $this->db = cRegistry::getDb();
681:         }
682: 
683:         $oAreaColl = new cApiAreaCollection();
684:         $mainarea = $oAreaColl->getAreaID($mainarea);
685: 
686:         // If $area_tree for this area is not register
687:         if (!isset($area_tree[$mainarea])) {
688:             $sess->register('area_tree');
689: 
690:             // parent_id uses the name not the idarea
691:             $sql = "SELECT name FROM " . $cfg['tab']['area'] . " WHERE idarea=$mainarea";
692:             $this->db->query($sql);
693:             $this->db->nextRecord();
694:             $name = $this->db->f('name');
695: 
696:             // Check which subareas are there and write them in the array
697:             $sql = "SELECT idarea FROM " . $cfg['tab']['area'] . " WHERE parent_id='$name' OR idarea=$mainarea";
698:             $this->db->query($sql);
699:             $area_tree[$mainarea] = array();
700:             while ($this->db->nextRecord()) {
701:                 $area_tree[$mainarea][] = $this->db->f('idarea');
702:             }
703:         }
704:         return $mainarea;
705:     }
706: }
707: 