Application->recallObject($prefix.'-perm', null, Array('skip_autoload' => true)); $foreign_key = $this->Application->getUnitOption($prefix.'-perm', 'ForeignKey'); $foreign_value = $this->Application->GetVar($prefix.'_id'); $sql = 'SELECT * FROM '.$object->TableName.' WHERE '.$foreign_key.' = '.$foreign_value; $permissions = $this->Conn->Query($sql, 'Permission'); $this->Permissions = Array(); foreach ($permissions as $perm_name => $perm_options) { $perm_record['value'] = $perm_options['PermissionValue']; $perm_record['id'] = $perm_options['PermissionId']; $this->Permissions[$perm_name] = $perm_record; } } function getPermissionValue($perm_name) { return getArrayValue($this->Permissions, $perm_name) ? $this->Permissions[$perm_name]['value'] : 0; } function getPermissionID($perm_name) { return getArrayValue($this->Permissions, $perm_name) ? $this->Permissions[$perm_name]['id'] : 0; } /** * This is old permission like ADMIN or LOGIN * * @param string $section_name * @param string $perm_name * @return bool */ function isOldPermission($section_name, $perm_name) { return $section_name == 'in-portal:root' && $perm_name != 'view'; } /** * Returns permission names to check based on event name and item prefix (main item or subitem) * * @param kEvent $event * @return Array */ function getPermissionByEvent(&$event, $perm_mapping) { $top_prefix = $event->getEventParam('top_prefix'); $pefix_type = ($top_prefix == $event->Prefix) ? 'self' : 'subitem'; $perm_mapping = getArrayValue($perm_mapping, $event->Name); if (!$perm_mapping[$pefix_type]) { trigger_error('Permission mappings not defined for event '.$top_prefix.' <- '.$event->Prefix.':'.$event->Name.'', E_USER_ERROR); } if ($perm_mapping[$pefix_type] === true) { // event is defined in mapping but is not checked by permissions return true; } return explode('|', $perm_mapping[$pefix_type]); } /** * Common event permission checking method * * @param kEvent $event */ function CheckEventPermission(&$event, $perm_mapping) { $section = $event->getSection(); if (preg_match('/^CATEGORY:(.*)/', $section)) { return $this->CheckEventCategoryPermission($event, $perm_mapping); } $top_prefix = $event->getEventParam('top_prefix'); $check_perms = $this->getPermissionByEvent($event, $perm_mapping); if ($check_perms === true) { // event is defined in mapping but is not checked by permissions return true; } $perm_status = false; foreach ($check_perms as $perm_name) { // check if at least one of required permissions is set $perm_name = $section.'.'.$perm_name; $perm_status = $this->CheckPermission($perm_name, 1); if (($perm_name == $section.'.add') && $perm_status && ($top_prefix == $event->Prefix)) { // main item, add permission allowed, but ID is > 0, then deny permission // how to get id here } if ($perm_status) { return $perm_status; } } if (!$perm_status) { if ($this->Application->isDebugMode()) { // for debugging purposes $event->SetRedirectParam('section', $section); $event->SetRedirectParam('main_prefix', $top_prefix); $event->SetRedirectParam('event_name', $event->Name); $event->SetRedirectParam('next_template', $this->Application->GetVar('t')); } $event->status = erPERM_FAIL; } return $perm_status; } /** * Checks non-system permission on event per category basis * * @param kEvent $event */ function CheckEventCategoryPermission(&$event, $event_perm_mapping) { // mapping between specific permissions and common permissions $perm_mapping = Array('add' => 'ADD', 'edit' => 'MODIFY', 'delete' => 'DELETE', 'view' => 'VIEW'); $top_prefix = $event->getEventParam('top_prefix'); $event_handler =& $this->Application->recallObject($event->Prefix.'_EventHandler'); if ($event->Prefix != $top_prefix) { $top_event = new kEvent($top_prefix.':'.$event->Name); $id = $event_handler->getPassedID($top_event); } else { $id = $event_handler->getPassedID($event); } $item_prefix = $this->Application->getUnitOption($top_prefix, 'PermItemPrefix'); // 1. get primary category of category item $id_field = $this->Application->getUnitOption($top_prefix, 'IDField'); $table_name = $this->Application->getUnitOption($top_prefix, 'TableName'); $ci_table = $this->Application->getUnitOption('ci', 'TableName'); if (!$id) { // item being created -> check by current (before editing started, saved in OnPreCreate event) category permissions $category_id = $this->Application->RecallVar('m_cat_id'); } else { // item being edited -> check by it's primary category permissions $sql = 'SELECT ci.CategoryId FROM '.$table_name.' main_table LEFT JOIN '.$ci_table.' ci ON ci.ItemResourceId = main_table.ResourceId WHERE (main_table.'.$id_field.' = '.$id.') AND (ci.PrimaryCat = 1)'; $category_id = $this->Conn->GetOne($sql); } if ((substr($event->Name, 0, 9) == 'OnPreSave') || ($event->Name == 'OnSave')) { if ($event_handler->isNewItemCreate($event)) { return $this->CheckPermission($item_prefix.'.ADD', 0, $category_id); } else { return $this->CheckPermission($item_prefix.'.ADD', 0, $category_id) || $this->CheckPermission($item_prefix.'.MODIFY', 0, $category_id); } } $perm_status = false; $check_perms = $this->getPermissionByEvent($event, $event_perm_mapping); if ($check_perms === true) { // event is defined in mapping but is not checked by permissions return true; } foreach ($check_perms as $perm_name) { // check if at least one of required permissions is set if (!isset($perm_mapping[$perm_name])) { // not mapped permission (e.g. advanced:approve) -> skip continue; } $perm_name = $item_prefix.'.'.$perm_mapping[$perm_name]; $this->showDebug('Event '.$event->Name.' permission(-s): '.$perm_name.'', Array()); $perm_status = $this->CheckPermission($perm_name, 0, $category_id); if ($perm_status) { return $perm_status; } } if (!$perm_status) { $event->SetRedirectParam('index_file', 'index.php'); // because called from browse.php if ($this->Application->isDebugMode()) { // for debugging purposes $event->SetRedirectParam('section', $event->getSection()); $event->SetRedirectParam('main_prefix', $top_prefix); $event->SetRedirectParam('event_name', $event->Name); $event->SetRedirectParam('next_template', $this->Application->GetVar('t')); } $event->status = erPERM_FAIL; } return $perm_status; } function showDebug($text, $params) { $is_ajax = $this->Application->GetVar('ajax') == 'yes' || isset($params['ajax']) || isset($params['tab_init']); if (!$this->Application->isDebugMode() || $is_ajax) return true; echo $text.'
'; } function TagPermissionCheck($params, $tag_name) { $perm_event = getArrayValue($params, 'perm_event'); $permission_groups = getArrayValue($params, 'permissions'); if ($permission_groups) { $this->showDebug('Tag '.$tag_name.' permission(-s): '.$permission_groups.'', $params); $permission_groups = explode('|', $permission_groups); $group_has_permission = false; foreach ($permission_groups as $permission_group) { $permissions = explode(',', $permission_group); $has_permission = true; foreach ($permissions as $permission) { $has_permission = $has_permission && $this->CheckPermission($permission, isset($params['system']) && $params['system'] ? 1 : 0); } $group_has_permission = $group_has_permission || $has_permission; if ($group_has_permission) { return true; } } return false; } elseif ($perm_event) { $this->showDebug('Tag '.$tag_name.' permission_event: '.$perm_event.'', $params); list($prefix, $event) = explode(':', $perm_event); $event_handler =& $this->Application->recallObject($prefix.'_EventHandler'); return $event_handler->CheckPermission( new kEvent($perm_event) ); } return true; } /** * Returns no permission template to redirect to * * @param Array $params * @return Array */ function getPermissionTemplate($params) { $t = $this->Application->GetVar('t'); if ($next_t = getArrayValue($params, 'next_template')) { $t = $next_t; } if (!$this->Application->LoggedIn()) { $redirect_template = $params['login_template']; $redirect_params = Array('next_template' => $t); } else { if (isset($params['no_permissions_template'])) { $redirect_template = $params['no_permissions_template']; } else { $redirect_template = $this->Application->IsAdmin() ? 'no_permission' : $this->Application->ConfigValue('NoPermissionTemplate'); } $redirect_params = $this->Application->isDebugMode() ? Array('from_template' => 1, 'perms' => $params[ isset($params['permissions']) ? 'permissions' : 'perm_event'], 'next_template' => $t) : Array(); } if (isset($params['index_file']) && $params['index_file']) { $redirect_params['index_file'] = $params['index_file']; } return Array($redirect_template, $redirect_params); } /** * Check current user permissions based on it's group permissions in specified category (for non-system permissions) or just checks if system permission is set * * @param string $name permission name * @param int $cat_id category id, current used if not specified * @param int $type permission type {1 - system, 0 - per category} * @return int */ function CheckPermission($name, $type = 1, $cat_id = null) { if ($this->Application->GetVar('u_id') == -1) { // "root" is allowed anywhere return $name == 'SYSTEM_ACCESS.READONLY' ? 0 : 1; } if ($type == 1) { // "system" permission are always checked per "Home" category (ID = 0) $cat_id = 0; } if (!isset($cat_id)) { $cat_id = $this->Application->GetVar('m_cat_id'); } $cache_key = $name.'|'.$type.'|'.$cat_id; $perm_value = $this->Application->getCache('permissions', $cache_key); if ($perm_value !== false) { return $perm_value; } // perm cache is build only based on records in db, that's why if permission is not explicitly denied, then // that (perm cache creator) code thinks that it is allowed & adds corresponding record and code below will // return incorrect results /*if (preg_match('/(.*)\.VIEW$/', $name) && ($type == 0)) { // cached view permission of category: begin $sql = 'SELECT perm_cache.PermId FROM '.TABLE_PREFIX.'PermCache perm_cache LEFT JOIN '.TABLE_PREFIX.'PermissionConfig perm_config ON perm_cache.PermId = perm_config.PermissionConfigId WHERE (perm_config.PermissionName = '.$this->Conn->qstr($name).' AND perm_cache.CategoryId = '.$cat_id.')'; $view_filters = Array(); $groups = explode(',', $this->Application->RecallVar('UserGroups')); foreach ($groups as $group) { $view_filters[] = 'FIND_IN_SET('.$group.', perm_cache.ACL) || ((NOT FIND_IN_SET('.$group.', perm_cache.DACL)) AND perm_cache.ACL = \'\')'; } $sql .= ' AND ('.implode(' OR ', $view_filters).')'; $perm_value = $this->Conn->GetOne($sql) ? 1 : 0; $this->Application->setCache('permissions', $cache_key, $perm_value); return $perm_value; // cached view permission of category: end }*/ if ($cat_id == 0) { $cat_hierarchy = Array(0); } else { $sql = 'SELECT ParentPath FROM '.$this->Application->getUnitOption('c', 'TableName').' WHERE CategoryId = '.$cat_id; $cat_hierarchy = $this->Conn->GetOne($sql); $cat_hierarchy = explode('|', $cat_hierarchy); array_shift($cat_hierarchy); array_pop($cat_hierarchy); $cat_hierarchy = array_reverse($cat_hierarchy); array_push($cat_hierarchy, 0); } $perm_value = 0; $groups = $this->Application->RecallVar('UserGroups'); foreach ($cat_hierarchy as $category_id) { $sql = 'SELECT SUM(PermissionValue) FROM '.TABLE_PREFIX.'Permissions WHERE Permission = "'.$name.'" AND CatId = '.$category_id.' AND GroupId IN ('.$groups.') AND Type = '.$type; $res = $this->Conn->GetOne($sql); if ($res !== false) { $perm_value = $res ? 1 : 0; break; } } $this->Application->setCache('permissions', $cache_key, $perm_value); return $perm_value; } } ?>