Diffstat (limited to 'modules-available/permissionmanager/inc/permissionutil.inc.php')
-rw-r--r--modules-available/permissionmanager/inc/permissionutil.inc.php59
1 files changed, 46 insertions, 13 deletions
diff --git a/modules-available/permissionmanager/inc/permissionutil.inc.php b/modules-available/permissionmanager/inc/permissionutil.inc.php
index 6fc33ad1..5ff41046 100644
--- a/modules-available/permissionmanager/inc/permissionutil.inc.php
+++ b/modules-available/permissionmanager/inc/permissionutil.inc.php
@@ -2,6 +2,14 @@
class PermissionUtil
{
+ /**
+ * Check if the user has the given permission (for the given location).
+ *
+ * @param string $userid userid to check
+ * @param string $permissionid permissionid to check
+ * @param int|null $locationid locationid to check or null if the location should be disregarded
+ * @return bool true if user has permission, false if not
+ */
public static function userHasPermission($userid, $permissionid, $locationid) {
$locations = array();
if (!is_null($locationid)) {
@@ -10,23 +18,29 @@ class PermissionUtil
else $locations[] = 0;
}
- $res = Database::simpleQuery("SELECT role_x_permission.permissionid as 'permissionid',
- role_x_location.locationid as 'locationid'
- FROM user_x_role
+ $res = Database::simpleQuery("SELECT permissionid, locationid FROM user_x_role
INNER JOIN role_x_permission ON user_x_role.roleid = role_x_permission.roleid
- LEFT JOIN role_x_location ON role_x_permission.roleid = role_x_location.roleid
+ LEFT JOIN (SELECT roleid, COALESCE(locationid, 0) AS locationid FROM role_x_location) t1
+ ON role_x_permission.roleid = t1.roleid
WHERE user_x_role.userid = :userid", array("userid" => $userid));
while ($row = $res->fetch(PDO::FETCH_ASSOC)) {
- $userPermission = trim($row["permissionid"], "*");
- if (substr($permissionid, 0, strlen($userPermission)) === $userPermission
- && (is_null($locationid) || in_array($row["locationid"], $locations))) {
+ $userPermission = rtrim($row["permissionid"], ".*").".";
+ if ((is_null($locationid) || (!is_null($row["locationid"]) && in_array($row["locationid"], $locations))) &&
+ (substr($permissionid.".", 0, strlen($userPermission)) === $userPermission || $userPermission === ".")) {
return true;
}
}
return false;
}
+ /**
+ * Get all locations where the user has the given permission.
+ *
+ * @param string $userid userid to check
+ * @param string $permissionid permissionid to check
+ * @return array array of locationids where the user has the given permission
+ */
public static function getAllowedLocations($userid, $permissionid) {
$res = Database::simpleQuery("SELECT permissionid, COALESCE(locationid, 0) AS locationid FROM user_x_role
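Review bot: The `|| $userPermission === "."` clause in the new condition of userHasPermission fails open, because `rtrim($row["permissionid"], ".*")."."` collapses not only `*` but also an empty string or any value made only of dots and asterisks to `"."`, and each of those then grants every permission. Whether such rows can exist in role_x_permission is not visible here, but an authorization check should not depend on that. Comparing the stored value directly keeps the wildcard explicit: `|| $row["permissionid"] === "*"`. The same expression is added in getAllowedLocations in the next hunk and needs the same change.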
@@ -36,8 +50,8 @@ class PermissionUtil
$allowedLocations = array();
while ($row = $res->fetch(PDO::FETCH_ASSOC)) {
- $userPermission = trim($row["permissionid"], "*");
- if (!is_null($row["locationid"]) && substr($permissionid, 0, strlen($userPermission)) === $userPermission) {
+ $userPermission = rtrim($row["permissionid"], ".*").".";
+ if (substr($permissionid.".", 0, strlen($userPermission)) === $userPermission || $userPermission === ".") {
$allowedLocations[$row["locationid"]] = 1;
}
}
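Review bot: Dropping the `!is_null($row["locationid"])` guard here leaves getAllowedLocations out of step with userHasPermission, which this commit changed to apply `COALESCE(locationid, 0)` inside a subquery so that a role with no role_x_location row yields NULL and is rejected. The SELECT shown just before this hunk still applies `COALESCE(locationid, 0)` on the outer query, so if the join (outside the hunk) is a LEFT JOIN, a role with no location assignment becomes `0` and is later expanded to every location by the `in_array("0", $allowedLocations)` branch. If that is not intended, use the same `LEFT JOIN (SELECT roleid, COALESCE(locationid, 0) AS locationid FROM role_x_location) t1` form and keep the null guard, so that both functions answer the same question the same way.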
@@ -45,12 +59,20 @@ class PermissionUtil
$locations = Location::getTree();
if (in_array("0", $allowedLocations)) {
$allowedLocations = array_map("intval", Location::extractIds($locations));
+ $allowedLocations[] = 0;
} else {
$allowedLocations = self::getSublocations($locations, $allowedLocations);
}
return $allowedLocations;
}
+ /**
+ * Extend an array of locations by adding all sublocations.
+ *
+ * @param array $tree tree of all locations (structured like Location::getTree())
+ * @param array $locations the array of locationids to extend
+ * @return array extended array of locationids
+ */
public static function getSublocations($tree, $locations) {
$result = array_flip($locations);
foreach ($tree as $location) {
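Review bot: The new `$allowedLocations[] = 0;` adds a sentinel to a list that is documented only as "array of locationids", and nothing in the hunk says what `0` means or that only the global branch returns it. Judging from `COALESCE(locationid, 0)` in the query, it presumably marks a grant that is not tied to a concrete location. That should be stated where it is added, for example `// 0 = location-independent (global) grant; not a real location id`, and repeated in the `@return` line of the getAllowedLocations docblock. Callers that pass the result on as real location ids would otherwise pick up the extra `0` unnoticed.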
@@ -65,6 +87,11 @@ class PermissionUtil
return array_keys($result);
}
+ /**
+ * Get all permissions of all active modules that have permissions in their permissions/permissions.json file.
+ *
+ * @return array permission tree as a multidimensional array
+ */
public static function getPermissions()
{
$permissions = array();
@@ -75,7 +102,7 @@ class PermissionUtil
preg_match('#^modules/([^/]+)/#', $file, $out);
foreach( $data as $p ) {
$description = Dictionary::translateFileModule($out[1], "permissions", $p);
- $permissions = self::putInPermissionTree($out[1].".".$p, $description, $permissions);
+ self::putInPermissionTree($out[1].".".$p, $description, $permissions);
}
}
ksort($permissions);
@@ -89,10 +116,16 @@ class PermissionUtil
return $permissions;
}
- private static function putInPermissionTree($permission, $description, $tree)
+ /**
+ * Place a permission into the given permission tree.
+ *
+ * @param string $permission the permission to place in the tree
+ * @param string $description the description of the permission
+ * @param array $tree the permission tree to modify
+ */
+ private static function putInPermissionTree($permission, $description, &$tree)
{
$subPermissions = explode('.', $permission);
- $original =& $tree;
foreach ($subPermissions as $subPermission) {
if ($subPermission) {
if (!array_key_exists($subPermission, $tree)) {
@@ -101,6 +134,6 @@ class PermissionUtil
$tree =& $tree[$subPermission];
}
}
- return $original;
+ $tree = $description;
}
} \ No newline at end of file
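Review bot: The final `$tree = $description;` in putInPermissionTree assigns unconditionally, so two permission ids where one is a dotted prefix of the other (constructed example: `a.b` and `a.b.c`) corrupt the tree. Depending on order, either an existing subtree is replaced by a string, or the walk reaches a string node and `array_key_exists($subPermission, $tree)` is called on a non-array. Because `$tree` is now a by-reference parameter, an id with no non-empty segment also leaves `$tree` bound to the caller's array, and the whole tree is replaced by the description. A guard inside the loop such as `if (!is_array($tree)) { return; }`, and assigning the leaf only after at least one segment was consumed, would avoid both cases. The function begins in the previous hunk and the lines between the two hunks are not visible, so this should be checked against the full body.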