1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
|
<?php
class PermissionUtil
{
/**
* Generate all possible variants to match against, eg. $permissionid = a.b.c then we get:
* [ *, a.*, a.b.*, a.b.c ]
* In case $permissionid ends with an asterisk, also set $wildcard and $wclen, e.g.
* $permissionid = a.b.* --> $wildcard = a.b. and $wclen = 4
*
* @param $permission string|string[] permission to mangle
* @param string[] $compare all the generated variants
* @param string|false $wildcard if $permission is a wildcard string this returns the matching variant
* @param int|false $wclen if $permission is a wildcard string, this is the length of the matching variant
*/
private static function makeComparisonVariants($permission, &$compare, &$wildcard, &$wclen)
{
if (!is_array($permission)) {
$permission = explode('.', $permission);
}
$partCount = count($permission);
$compare = [];
for ($i = 0; $i < $partCount; ++$i) {
$compare[] = $permission[0];
}
for ($i = 1; $i < $partCount; ++$i) {
$compare[$i - 1] .= '.*';
for ($j = $i; $j < $partCount; ++$j) {
$compare[$j] .= '.' . $permission[$i];
}
}
$compare[] = '*';
if ($permission[$partCount - 1] === '*') {
$wildcard = substr($compare[$partCount - 1], 0, -1);
$wclen = strlen($wildcard);
} else {
$wclen = $wildcard = false;
}
}
/**
* Check if the user has the given permission (for the given location).
*
* @param string $userid userid to check
* @param string $permissionid permissionid to check
* @param int|null $locationid locationid to check or null if the location should be disregarded
* @return bool true if user has permission, false if not
*/
public static function userHasPermission($userid, $permissionid, $locationid)
{
$permissionid = strtolower($permissionid);
self::validatePermission($permissionid);
$parts = explode('.', $permissionid);
// Limit query to first part of permissionid, which is always the module id
$prefix = $parts[0] . '.%';
if (is_null($locationid)) {
$res = Database::simpleQuery("SELECT permissionid FROM role_x_permission
INNER JOIN user_x_role USING (roleid)
WHERE user_x_role.userid = :userid AND (permissionid LIKE :prefix OR permissionid LIKE '*')",
compact('userid', 'prefix'));
} else {
if ($locationid === 0) {
$locations = [0];
} else {
$locations = Location::getLocationRootChain($locationid);
if (empty($locations)) { // Non-existent location, still continue as user might have global perms
$locations = [0];
}
}
$res = Database::simpleQuery("SELECT permissionid FROM role_x_permission
INNER JOIN user_x_role USING (roleid)
INNER JOIN role_x_location USING (roleid)
WHERE user_x_role.userid = :userid AND (permissionid LIKE :prefix OR permissionid LIKE '*')
AND (locationid IN (:locations) OR locationid IS NULL)",
compact('userid', 'prefix', 'locations'));
}
// Quick bailout - no results
if ($res->rowCount() === 0)
return false;
// Compare to database result
self::makeComparisonVariants($parts, $compare, $wildcard, $wclen);
while ($row = $res->fetch(PDO::FETCH_ASSOC)) {
if (in_array($row['permissionid'], $compare, true))
return true;
if ($wildcard !== false && strncmp($row['permissionid'], $wildcard, $wclen) === 0)
return true;
}
return false;
}
/**
* Get all locations where the user has the given permission.
*
* @param string $userid userid to check
* @param string $permissionid permissionid to check
* @return array array of locationids where the user has the given permission
*/
public static function getAllowedLocations($userid, $permissionid)
{
$permissionid = strtolower($permissionid);
self::validatePermission($permissionid);
$parts = explode('.', $permissionid);
// Limit query to first part of permissionid, which is always the module id
$prefix = $parts[0] . '.%';
$res = Database::simpleQuery("SELECT permissionid, locationid FROM role_x_permission
INNER JOIN user_x_role USING (roleid)
INNER JOIN role_x_location USING (roleid)
WHERE user_x_role.userid = :userid AND (permissionid LIKE :prefix OR permissionid LIKE '*')",
compact('userid', 'prefix'));
// Gather locationid from relevant rows
self::makeComparisonVariants($parts, $compare, $wildcard, $wclen);
$allowedLocations = array();
while ($row = $res->fetch(PDO::FETCH_ASSOC)) {
if (in_array($row['permissionid'], $compare, true)
|| ($wildcard !== false && strncmp($row['permissionid'], $wildcard, $wclen) === 0)) {
$allowedLocations[(int)$row['locationid']] = true;
}
}
$locations = Location::getTree();
if (isset($allowedLocations[0])) {
// Trivial case - have permission for all locations, so populate list with all valid locationds
$allowedLocations = Location::extractIds($locations);
$allowedLocations[] = 0; // .. plus 0 to show that we have global perms
} else {
// We have a specific list of locationds - add any sublocations to list
$allowedLocations = self::getSublocations($locations, $allowedLocations);
}
return $allowedLocations;
}
/**
* Extend an array of locations by adding all sublocations.
*
* @param array $tree tree of all locations (structured like Location::getTree())
* @param array $allowedLocations the array of locationids to extend
* @return array extended array of locationids
*/
public static function getSublocations($tree, $allowedLocations)
{
$result = $allowedLocations;
foreach ($tree as $location) {
if (array_key_exists("children", $location)) {
if (isset($allowedLocations[$location["locationid"]])) {
$result += array_flip(Location::extractIds($location["children"]));
} else {
$result += array_flip(self::getSublocations($location["children"], $allowedLocations));
}
}
}
return array_keys($result);
}
/**
* If in debug mode, validate that the checked permission is actually defined
* in the according permissions.json and complain if that's not the case.
* This is supposed to catch misspelled permission checks.
*
* @param string $permissionId permission to check
*/
private static function validatePermission($permissionId)
{
if (!CONFIG_DEBUG || $permissionId === '*')
return;
$split = explode('.', $permissionId, 2);
if (count($split) !== 2) {
trigger_error('[skip:3]Cannot check malformed permission "' . $permissionId . '"', E_USER_WARNING);
return;
}
if ($split[1] === '*')
return;
$data = json_decode(file_get_contents('modules/' . $split[0] . '/permissions/permissions.json'), true);
if (substr($split[1], -2) === '.*') {
$len = strlen($split[1]) - 1;
foreach ($data as $perm => $v) {
if (strncmp($split[1], $perm, $len) === 0)
return;
}
trigger_error('[skip:3]Permission "' . $permissionId . '" does not match anything defined for module', E_USER_WARNING);
} elseif (!is_array($data) || !array_key_exists($split[1], $data)) {
trigger_error('[skip:3]Permission "' . $permissionId . '" not defined for module', E_USER_WARNING);
}
}
/**
* Get all permissions of all active modules that have permissions in their permissions/permissions.json file.
*
* @return array permission tree as a multidimensional array
*/
public static function getPermissions()
{
$permissions = array();
foreach (glob("modules/*/permissions/permissions.json", GLOB_NOSORT) as $file) {
$data = json_decode(file_get_contents($file), true);
if (!is_array($data))
continue;
preg_match('#^modules/([^/]+)/#', $file, $out);
$moduleId = $out[1];
if (Module::get($moduleId) === false)
continue;
foreach ($data as $perm => $permissionFlags) {
$description = Dictionary::translateFileModule($moduleId, "permissions", $perm);
self::putInPermissionTree($moduleId . "." . $perm, $permissionFlags['location-aware'], $description, $permissions);
}
}
ksort($permissions);
global $MENU_CAT_OVERRIDE;
$sortingOrder = $MENU_CAT_OVERRIDE;
foreach ($permissions as $module => $v) {
$sortingOrder[Module::get($module)->getCategory()][] = $module;
}
$permissions = array_replace(array_flip(call_user_func_array('array_merge', $sortingOrder)), $permissions);
foreach ($permissions as $module => $v) {
if (is_int($v)) {
unset($permissions[$module]);
}
}
return $permissions;
}
/**
* Place a permission into the given permission tree.
*
* @param string $permission the permission to place in the tree
* @param bool $locationAware whether this permissions can be restricted to specific locations only
* @param string $description the description of the permission
* @param array $tree the permission tree to modify
*/
private static function putInPermissionTree($permission, $locationAware, $description, &$tree)
{
$subPermissions = explode('.', $permission);
foreach ($subPermissions as $subPermission) {
if ($subPermission) {
if (!array_key_exists($subPermission, $tree)) {
$tree[$subPermission] = array();
}
$tree =& $tree[$subPermission];
}
}
$tree = array('description' => $description, 'location-aware' => $locationAware, 'isLeaf' => true);
}
}
|