authorSimon Rettberg2018-02-19 13:36:35 +0100
committerSimon Rettberg2018-02-19 13:36:35 +0100
commit7afe5a3ffee64ff5c1ee7692a2ac4c83d46d6a78 (patch)
treee1482e82af3b53422d0008669a05847079d660c6 /modules-available/permissionmanager/inc
parent[vmstore] lang_intern -> lang_internal (diff)
[permissionmanager] Implement permissions:
Permissionmanager is now protected by permissions. In order to prevent complete lockout, the user with userid == 1 will always be able to edit and assign permissions. (TODO: Communicate this somehow)
Diffstat (limited to 'modules-available/permissionmanager/inc')
-rw-r--r--modules-available/permissionmanager/inc/getpermissiondata.inc.php22
-rw-r--r--modules-available/permissionmanager/inc/permissionutil.inc.php34
2 files changed, 41 insertions, 15 deletions
diff --git a/modules-available/permissionmanager/inc/getpermissiondata.inc.php b/modules-available/permissionmanager/inc/getpermissiondata.inc.php
index dd100d42..496c8224 100644
--- a/modules-available/permissionmanager/inc/getpermissiondata.inc.php
+++ b/modules-available/permissionmanager/inc/getpermissiondata.inc.php
@@ -3,6 +3,9 @@
class GetPermissionData
{
+ const WITH_USER_COUNT = 1;
+ const WITH_LOCATION_COUNT = 2;
+
/**
* Get data for all users.
*
@@ -64,11 +67,26 @@ class GetPermissionData
/**
* Get all roles.
*
+ * @param int $flags Bitmask specifying additional data to fetch (WITH_* constants of this class)
* @return array array roles (each with roleid and rolename)
*/
- public static function getRoles()
+ public static function getRoles($flags = 0)
{
- return Database::queryAll("SELECT roleid, rolename FROM role ORDER BY rolename ASC");
+ $cols = $joins = '';
+ if ($flags & self::WITH_USER_COUNT) {
+ $cols .= ', Count(DISTINCT rxu.userid) AS users';
+ $joins .= ' LEFT JOIN user_x_role rxu ON (r.roleid = rxu.roleid)';
+ }
+ if ($flags & self::WITH_LOCATION_COUNT) {
+ $cols .= ', Count(DISTINCT rxl.locationid) AS locations';
+ $joins .= ' LEFT JOIN role_x_location rxl ON (r.roleid = rxl.roleid)';
+ }
+ if (!empty($joins)) {
+ $joins .= ' GROUP BY r.roleid';
+ }
+ return Database::queryAll("SELECT r.roleid, r.rolename $cols FROM role r
+ $joins
+ ORDER BY rolename ASC");
}
/**
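Review bot: getRoles() now builds its SQL by interpolating `$cols` and `$joins` into the query string, and nothing in the function records why that is safe. Both variables are filled only from literal fragments selected by the `WITH_*` bits, so no caller data reaches the statement today. A comment above the `Database::queryAll` call, such as `// $cols/$joins hold only fixed fragments chosen by $flags, never caller-supplied text`, would keep it that way when the function is extended. The `GROUP BY r.roleid` clause is appended to `$joins`, which is misleading; a separate `$groupBy` variable would read better. The `@return` line should also mention the optional `users` and `locations` columns.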
diff --git a/modules-available/permissionmanager/inc/permissionutil.inc.php b/modules-available/permissionmanager/inc/permissionutil.inc.php
index b4d54055..bc42c5a0 100644
--- a/modules-available/permissionmanager/inc/permissionutil.inc.php
+++ b/modules-available/permissionmanager/inc/permissionutil.inc.php
@@ -53,6 +53,9 @@ class PermissionUtil
$permissionid = strtolower($permissionid);
self::validatePermission($permissionid);
$parts = explode('.', $permissionid);
+ // Special case: To prevent lockout, userid === 1 always has permissionmanager.*
+ if ($parts[0] === 'permissionmanager' && User::getId() === 1)
+ return true;
// Limit query to first part of permissionid, which is always the module id
$prefix = $parts[0] . '.%';
if (is_null($locationid)) {
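Review bot: The lockout bypass at `User::getId() === 1` is keyed to the logged-in session user, not to the user whose permission is being evaluated. The same check in the `@@ -103,21 +106,26 @@` hunk sits next to a query that binds `:userid` from `$userid`, so when user 1 is the caller and `$userid` is someone else, that user would be reported as holding every `permissionmanager.*` permission. If both functions receive the subject as `$userid` (the signatures are outside the hunks), compare that instead: `if ($parts[0] === 'permissionmanager' && (int)$userid === 1)`. The strict `=== 1` also matches only if `User::getId()` returns an int. A string id from the database layer would silently disable the safeguard, so the return type is worth confirming.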
@@ -103,21 +106,26 @@ class PermissionUtil
$permissionid = strtolower($permissionid);
self::validatePermission($permissionid);
$parts = explode('.', $permissionid);
- // Limit query to first part of permissionid, which is always the module id
- $prefix = $parts[0] . '.%';
- $res = Database::simpleQuery("SELECT permissionid, locationid FROM role_x_permission
- INNER JOIN user_x_role USING (roleid)
- INNER JOIN role_x_location USING (roleid)
- WHERE user_x_role.userid = :userid AND (permissionid LIKE :prefix OR permissionid LIKE '*')",
- compact('userid', 'prefix'));
+ // Special case: To prevent lockout, userid === 1 always has permissionmanager.*
+ if ($parts[0] === 'permissionmanager' && User::getId() === 1) {
+ $allowedLocations = [true];
+ } else {
+ // Limit query to first part of permissionid, which is always the module id
+ $prefix = $parts[0] . '.%';
+ $res = Database::simpleQuery("SELECT permissionid, locationid FROM role_x_permission
+ INNER JOIN user_x_role USING (roleid)
+ INNER JOIN role_x_location USING (roleid)
+ WHERE user_x_role.userid = :userid AND (permissionid LIKE :prefix OR permissionid LIKE '*')",
+ compact('userid', 'prefix'));
- // Gather locationid from relevant rows
- self::makeComparisonVariants($parts, $compare, $wildcard, $wclen);
- $allowedLocations = array();
- while ($row = $res->fetch(PDO::FETCH_ASSOC)) {
- if (in_array($row['permissionid'], $compare, true)
+ // Gather locationid from relevant rows
+ self::makeComparisonVariants($parts, $compare, $wildcard, $wclen);
+ $allowedLocations = array();
+ while ($row = $res->fetch(PDO::FETCH_ASSOC)) {
+ if (in_array($row['permissionid'], $compare, true)
|| ($wildcard !== false && strncmp($row['permissionid'], $wildcard, $wclen) === 0)) {
- $allowedLocations[(int)$row['locationid']] = true;
+ $allowedLocations[(int)$row['locationid']] = true;
+ }
}
}
$locations = Location::getTree();
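Review bot: `$allowedLocations = [true];` relies on PHP assigning index 0 implicitly, while the loop in the else branch fills the same array as `locationid => true`. Writing it as `$allowedLocations = [0 => true]; // location 0: presumably the root, i.e. all locations` makes the intended key visible. What location 0 means to the code after `Location::getTree()` is outside this hunk and should be confirmed before relying on it for the user-1 bypass. The function body continues past the end of the hunk.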