<?php
class Page_PermissionManager extends Page
{
/**
* Called before any page rendering happens - early hook to check parameters etc.
*/
protected function doPreprocess()
{
User::load();
if (!User::isLoggedIn()) {
Message::addError('main.no-permission');
Util::redirect('?do=Main'); // does not return
}
$action = Request::any('action', 'show', 'string');
if ($action === 'addRoleToUser') {
User::assertPermission('users.edit-roles');
$users = Request::post('users', [], 'array');
$roles = Request::post('roles', [], 'array');
PermissionDbUpdate::addRoleToUser($users, $roles);
} elseif ($action === 'removeRoleFromUser') {
User::assertPermission('users.edit-roles');
$users = Request::post('users', [], 'array');
$roles = Request::post('roles', [], 'array');
PermissionDbUpdate::removeRoleFromUser($users, $roles);
} elseif ($action === 'deleteRole') {
User::assertPermission('roles.edit');
$id = Request::post('deleteId', false, 'int');
$this->denyActionIfBuiltin($id);
PermissionDbUpdate::deleteRole($id);
} elseif ($action === 'saveRole') {
User::assertPermission('roles.edit');
$roleID = Request::post("roleid", Request::REQUIRED_EMPTY, 'int');
$this->denyActionIfBuiltin($roleID);
$roleName = Request::post("rolename", '', 'string');
if (empty($roleName)) {
Message::addError('main.parameter-empty', 'rolename');
Util::redirect('?do=permissionmanager');
}
$roleDescription = Request::post('roledescription', '', 'string');
$locations = self::processLocations(Request::post("locations", [], 'array'));
$permissions = self::processPermissions(Request::post("permissions"));
PermissionDbUpdate::saveRole($roleName, $roleDescription, $locations, $permissions, $roleID);
}
if (Request::isPost()) {
Util::redirect('?do=permissionmanager&show=' . Request::get("show", "roles"));
}
}
/**
* Menu etc. has already been generated, now it's time to generate page content.
*/
protected function doRender()
{
$show = Request::get("show", false, 'string');
// "Public" page -- nice "permission denied" message
if ($show === 'denied') {
Render::addTemplate('page-permission-denied', [
'name' => User::getName(),
'permission' => Request::get('permission', false, 'string'),
]);
return;
}
if ($show === false) {
foreach (['roles', 'users', 'locations'] as $show) {
if (User::hasPermission($show . '.*'))
break;
}
}
// switch between tables, but always show menu to switch tables
// get menu button colors
$data = array();
if ($show === "roleEditor") {
$data['groupClass'] = 'btn-group-muted';
$data['rolesButtonClass'] = 'active';
} else {
$data[$show . 'ButtonClass'] = 'active';
}
Permission::addGlobalTags($data['perms'], null, ['roles.*', 'users.*', 'locations.*']);
Render::addtemplate('header-menu', $data);
if ($show === "roles") {
User::assertPermission('roles.*');
$data = array("roles" => GetPermissionData::getRoles(GetPermissionData::WITH_USER_COUNT));
Permission::addGlobalTags($data['perms'], null, ['roles.edit']);
Render::addTemplate('rolestable', $data);
} elseif ($show === "users") {
User::assertPermission('users.*');
$data = array("user" => GetPermissionData::getUserData());
if (User::hasPermission('users.edit-roles')) {
$data['allroles'] = GetPermissionData::getRoles();
}
Permission::addGlobalTags($data['perms'], null, ['users.edit-roles']);
Render::addTemplate('role-filter-selectize', $data);
Render::addTemplate('userstable', $data);
} elseif ($show === "locations") {
User::assertPermission('locations.*');
$data = array("location" => GetPermissionData::getLocationData(), "allroles" => GetPermissionData::getRoles());
Render::addTemplate('role-filter-selectize', $data);
Render::addTemplate('locationstable', $data);
} elseif ($show === "roleEditor") {
User::assertPermission('roles.*');
$data = array("cancelShow" => Request::get("cancel", "roles", 'string'));
Permission::addGlobalTags($data['perms'], null, ['roles.edit']);
$selectedPermissions = array();
$selectedLocations = array();
$roleid = Request::get("roleid", false, 'int');
if ($roleid !== false) {
$role = GetPermissionData::getRoleData($roleid);
if ($role === null) {
Message::addError('invalid-role-id', $roleid);
Util::redirect('?do=permissionmanager');
}
if ($role['builtin']) {
// Copy the role, as it's builtin
$role['roleid'] = '';
$role['rolename'] .= ' (2)';
}
$data += $role;
$selectedPermissions = $data["permissions"];
$selectedLocations = $data["locations"];
}
$data["permissionHTML"] = self::generatePermissionHTML(PermissionUtil::getPermissions(), $selectedPermissions,
false, '', ['perms' => $data['perms']]);
$data["locationHTML"] = self::generateLocationHTML(Location::getTree(), $selectedLocations,
$roleid === false, true, ['perms' => $data['perms']]);
Render::addTemplate('roleeditor', $data);
}
}
/**
* Recursively generate HTML code for the permission selection tree.
*
* @param array $permissions the permission tree
* @param array $selectedPermissions permissions that should be preselected
* @param bool $selectAll true if all permissions should be preselected, false if only those in $selectedPermissions
* @param string $permString the prefix permission string with which all permissions in the permission tree should start
* @return string generated html code
*/
private static function generatePermissionHTML(array $permissions, array $selectedPermissions = [],
bool $selectAll = false, string $permString = "", array $tags = []): string
{
$res = "";
$toplevel = $permString == "";
if ($toplevel && in_array("*", $selectedPermissions)) {
$selectAll = true;
}
foreach ($permissions as $k => $v) {
$selected = $selectAll;
$nextPermString = $permString ? $permString . "." . $k : $k;
if ($toplevel) {
$displayName = Module::get($k)->getDisplayName();
} else {
$displayName = $k;
}
do {
$leaf = isset($v['isLeaf']) && $v['isLeaf'];
$id = $leaf ? $nextPermString : $nextPermString . ".*";
$selected = $selected || in_array($id, $selectedPermissions);
if ($leaf || count($v) !== 1)
break;
reset($v);
$k = key($v);
$v = $v[$k];
$nextPermString .= '.' . $k;
$displayName .= '.' . $k;
} while (true);
$data = array(
"id" => $id,
"name" => $displayName,
"toplevel" => $toplevel,
"checkboxname" => "permissions",
"selected" => $selected,
"HTML" => $leaf ? "" : self::generatePermissionHTML($v, $selectedPermissions, $selected, $nextPermString, $tags),
);
if ($leaf) {
$data += $v;
}
$res .= Render::parse("treenode", $data + $tags);
}
if ($toplevel) {
$res = Render::parse("treepanel",
array("id" => "*",
"name" => Dictionary::translateFile("template-tags", "lang_permissions"),
"checkboxname" => "permissions",
"selected" => $selectAll,
"HTML" => $res) + $tags);
}
return $res;
}
/**
* Recursively generate HTML code for the location selection tree.
*
* @param array $locations the location tree
* @param array $selectedLocations locations that should be preselected
* @param bool $selectAll true if all locations should be preselected, false if only those in $selectedLocations
* @param bool $toplevel true if the location tree are the children of the root location, false if not
* @return string generated html code
*/
private static function generateLocationHTML(array $locations, array $selectedLocations = [],
bool $selectAll = false, bool $toplevel = true, array $tags = []): string
{
$res = "";
if ($toplevel && in_array(0, $selectedLocations)) {
$selectAll = true;
}
foreach ($locations as $location) {
$selected = $selectAll || in_array($location["locationid"], $selectedLocations);
$res .= Render::parse("treenode",
array("id" => $location["locationid"],
"name" => $location["locationname"],
"toplevel" => $toplevel,
"checkboxname" => "locations",
"selected" => $selected,
"HTML" => array_key_exists("children", $location) ?
self::generateLocationHTML($location["children"], $selectedLocations, $selected, false, $tags) : "")
+ $tags);
}
if ($toplevel) {
$res = Render::parse("treepanel",
array("id" => 0,
"name" => Dictionary::translateFile("template-tags", "lang_locations"),
"checkboxname" => "locations",
"selected" => $selectAll,
"HTML" => $res) + $tags);
}
return $res;
}
/**
* Remove locations that are already covered by parent locations from the array.
*
* @param array $locations the locationid array
* @return array the locationid array without redundant locationids
*/
private static function processLocations(array $locations): array
{
if (in_array(0, $locations))
return array(null);
$result = array();
foreach ($locations as $location) {
$rootchain = array_reverse(Location::getLocationRootChain($location));
foreach ($rootchain as $l) {
if (in_array($l, $result))
break;
if (in_array($l, $locations)) {
$result[] = $l;
break;
}
}
}
return $result;
}
/**
* Remove permissions that are already covered by parent permissions from the array.
*
* @param array $permissions the permissionid array
* @return array the permissionid array without redundant permissionids
*/
private static function processPermissions(array $permissions): array
{
if (in_array("*", $permissions))
return array("*");
$result = array();
foreach ($permissions as $permission) {
$x =& $result;
foreach (explode(".", $permission) as $p) {
$x =& $x[$p];
}
}
return self::extractPermissions($result);
}
/**
* Convert a multidimensional array of permissions to a flat array of permissions.
*
* @param array $permissions multidimensional array of permissionids
* @return array flat array of permissionids
*/
private static function extractPermissions(array $permissions): array
{
$result = array();
foreach ($permissions as $permission => $a) {
if (is_array($a)) {
if (array_key_exists("*", $a)) {
$result[] = $permission . ".*";
} else {
foreach (self::extractPermissions($a) as $subPermission) {
$result[] = $permission . "." . $subPermission;
}
}
} else {
$result[] = $permission;
}
}
return $result;
}
private function denyActionIfBuiltin(string $roleID): void
{
if ($roleID) {
$existing = GetPermissionData::getRole($roleID);
if ($existing === false) {
Message::addError('invalid-role-id', $roleID);
Util::redirect('?do=permissionmanager');
}
if ($existing['builtin']) {
Message::addError('builtin-role', $existing['rolename']);
Util::redirect('?do=permissionmanager');
}
}
}
}
