/include/engine/shPermissions.class.php
PHP | 877 lines | 665 code | 78 blank | 134 comment | 153 complexity | adc5bc9e7f68b1c4b97d2e5a711f832c MD5 | raw file
Possible License(s): GPL-3.0
- <?php
- /*
- * Nexus is a web-based file management application.
- * Copyright (C) Karim Shehadeh
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- */
-
- /**
- * @desc The permissions object stores all possible permissions for a single user
- * and is to be used in conjuction with the shCompanyGroupPair object
- */
- class shPermissions
- {
- // USER PERMISSIONS
-
- public $allowUserChangeSettings = false;
- public $allowUserAddFileBoxDocument = false;
- public $allowUserEditFileBoxDocument = false;
- public $allowUserDeleteFileBoxDocument = false;
-
- // DOMAIN PERMISSIONS
-
- public $allowDomainChangeSettings = false;
- public $allowDomainAddDocument = false;
- public $allowDomainEditDocument = false;
- public $allowDomainDeleteDocument = false;
- public $allowDomainAddGroup = false;
- public $allowDomainEditGroup = false;
- public $allowDomainDeleteGroup = false;
- public $allowDomainAddUser = false;
- public $allowDomainEditUser = false;
- public $allowDomainDeleteUser = false;
- public $allowDomainViewReports = false;
- public $allowDomainViewTrash = false;
- public $allowDomainRestoreTrash = false;
- public $allowDomainDeletePermanently = false;
- public $allowDomainSendGroupMail = false;
-
- // DOMAIN GROUP PERMISSIONS
-
- public $allowDomainGroupChangeSettings = false;
- public $allowDomainGroupAddDocument = false;
- public $allowDomainGroupEditDocument = false;
- public $allowDomainGroupDeleteDocument = false;
- public $allowDomainGroupAddUser = false;
- public $allowDomainGroupEditUser = false;
- public $allowDomainGroupDeleteUser = false;
- public $allowDomainGroupViewReports = false;
- public $allowDomainGroupViewTrash = false;
- public $allowDomainGroupRestoreTrash = false;
- public $allowDomainGroupDeletePermanently = false;
- public $allowDomainGroupSendGroupMail = false;
-
- // GLOBAL PERMISSIONS
-
- public $allowGlobalChangeSettings = false;
- public $allowGlobalAddCompany = false;
- public $allowGlobalEditCompany = false;
- public $allowGlobalDeleteCompany = false;
- public $allowGlobalAddDocument = false;
- public $allowGlobalEditDocument = false;
- public $allowGlobalDeleteDocument = false;
- public $allowGlobalAddGroup = false;
- public $allowGlobalEditGroup = false;
- public $allowGlobalDeleteGroup = false;
- public $allowGlobalAddUser = false;
- public $allowGlobalEditUser = false;
- public $allowGlobalDeleteUser = false;
- public $allowGlobalAddCategory = false;
- public $allowGlobalEditCategory = false;
- public $allowGlobalDeleteCategory = false;
- public $allowGlobalViewTrash = false;
- public $allowGlobalRestoreTrash = false;
- public $allowGlobalDeletePermanently = false;
- public $allowGlobalViewReports = false;
- public $allowGlobalFileBoxEditDocument = false;
- public $allowGlobalFileBoxDeleteDocument = false;
- public $allowGlobalSendGroupMail = false;
-
- /**
- * @desc Takes the data given in the array and sets the appropriate
- * variables in this object.
- * @param array $rowData An associative array where each key is a
- * permission field name in the user table and the value is that
- * permission value.
- */
- public function load ($rowData)
- {
- $vars = array_keys(get_object_vars($this));
- foreach ($rowData as $key=>$value)
- {
- if (in_array($key,$vars))
- {
- $this->$key = $value;
- }
- }
- }
-
- /**
- * @desc Takes the data stored in this object and adds it to the given
- * array as associative keys that match the permission field
- * names in theuser table.
- * @param array $rowData On output, contains permission information.
- */
- public function store(&$rowData)
- {
- $props = get_object_vars($this);
- foreach ($props as $key=>$value)
- {
- $rowData[$key] = $value;
- }
- }
-
- /**
- * Maps the list of permissions to an easy to read 'permission group'
- * like USER_TYPE_ADMIN or USER_TYPE_REGISTERED.
- * @return int Returns one of the USER_TYPE_XXX constants.
- */
- public function getPermissionGroup()
- {
- // GLOBAL PERMISSIONS
- $globalTrues = 0;
- $domainTrues = 0;
- $groupTrues = 0;
- $userTrues = 0;
- $globalAll = 0;
- $domainAll = 0;
- $groupAll = 0;
- $userAll = 0;
-
- $props = get_object_vars($this);
- foreach ($props as $key=>$value)
- {
- if (stripos($key,'allowGlobal') !== false)
- {
- $globalAll++;
- if ($value == true)
- {
- $globalTrues++;
- }
- }
- else if (stripos($key,'allowUser') !== false)
- {
- $userAll++;
- if ($value == true)
- {
- $userTrues++;
- }
- }
- else if (stripos($key,'allowDomainGroup') !== false)
- {
- $groupAll++;
- if ($value == true)
- {
- $groupTrues++;
- }
- }
- else if (stripos($key,'allowDomain') !== false)
- {
- $domainAll++;
- if ($value == true)
- {
- $domainTrues++;
- }
- }
- }
-
- //echo $globalTrues.'|'.$domainTrues.'|'.$userTrues.'|'.$groupTrues;
- //echo '<br>'.$globalAll.'|'.$domainAll.'|'.$userAll.'|'.$groupAll;
-
- if (($globalTrues + $domainTrues + $userTrues + $groupTrues) ==
- ($groupAll + $domainAll + $userAll + $globalAll))
- {
- return USER_TYPE_ADMIN;
- }
-
- if (($domainTrues + $groupTrues + $userTrues) ==
- ($groupAll + $domainAll + $userAll))
- {
- return USER_TYPE_DOMAIN_ADMIN;
- }
-
- if (($groupTrues + $userTrues) ==
- ($groupAll + $userAll))
- {
- return USER_TYPE_DOMAIN_GROUP_ADMIN;
- }
-
- if ($userTrues == $userAll)
- {
- return USER_TYPE_REGISTERED;
- }
-
- return USER_TYPE_CUSTOM;
- }
-
- public function isAllowed($action, $id)
- {
- $user = app()->getLoggedInUserObject();
-
- $auth = AUTH_NOOP;
- nx_fire_event('EVENT_AUTHORIZATION_NEEDED',array('action'=>$action,'id'=>$id,'auth'=>&$auth));
-
- if ($auth != AUTH_NOOP)
- {
- if ($auth == AUTH_ALLOW)
- {
- return true;
- }
- else if ($auth == AUTH_DENY)
- {
- return false;
- }
- }
-
- switch ($action)
- {
- case URLACTION_USERMANAGER:
-
- $permGroup = $this->getPermissionGroup();
- return ($permGroup == USER_TYPE_ADMIN ||
- $permGroup == USER_TYPE_DOMAIN_ADMIN ||
- $permGroup == USER_TYPE_DOMAIN_GROUP_ADMIN);
-
- case URLACTION_DOCMANAGER:
- $permGroup = $this->getPermissionGroup();
- return ($permGroup == USER_TYPE_ADMIN);
-
- case URLACTION_PLUGINS:
- {
- return ($this->getPermissionGroup() == USER_TYPE_ADMIN);
- }
- case URLACTION_SERVER_INFO:
- {
- if ($this->getPermissionGroup() == USER_TYPE_ADMIN)
- {
- return true;
- }
- return false;
- }
- case URLACTION_BROWSEBYCAT:
- {
- return true;
- }
- case URLACTION_MODUSER:
- {
- if ($id)
- {
- if ($this->allowGlobalEditUser)
- {
- return true;
- }
- else
- {
- if ($this->allowUserChangeSettings &&
- ($id == $user->get(PROP_USERNAME)))
- {
- // user can edit himself
- return true;
- }
- else
- {
- $userToView = new shUser;
- $userToView->set(PROP_USERNAME,$id);
- if ($userToView->load())
- {
- if ($this->allowDomainEditUser)
- {
- if ($userToView->getCompany()->get(PROP_ID) == $user->getCompany()->get(PROP_ID))
- {
- return true;
- }
- }
- else if ($this->allowDomainGroupEditUser)
- {
- if ($user->userHasMatchingDomain($userToView))
- {
- return true;
- }
- }
- }
- }
- }
-
- return false;
- }
- else
- {
- // If there are restrictions regarding
- // *where* the user can be added, that
- // will be handled in the form object.
- $val =
- $this->allowDomainAddUser ||
- $this->allowDomainGroupAddUser ||
- $this->allowGlobalAddUser;
-
- return $val;
-
- }
- }
- case URLACTION_MODCAT:
- {
- if ($id)
- {
- // Editing category
- if ($this->allowGlobalEditCategory)
- {
- return true;
- }
- else if ($this->getPermissionGroup() == USER_TYPE_DOMAIN_ADMIN)
- {
- return shAuthorize::canViewCategory($user->get(PROP_USERNAME),$id);
- }
- else if ($this->getPermissionGroup() == USER_TYPE_DOMAIN_GROUP_ADMIN)
- {
- $cat = new shCategory;
- if ($cat->loadId($id))
- {
- return $cat->doesDomainHaveAccess($user->getCompany()->id,$user->getGroup()->id);
- }
- }
-
- return false;
- }
- else
- {
- // Adding category
- return $this->allowGlobalAddCategory;
- }
- }
-
- case URLACTION_VIEWDOC:
-
- if ($id != '')
- {
- return shAuthorize::canViewDocument($user->get(PROP_USERNAME),$id);
- }
- else
- {
- // Displaying the list of docuements so allow - the lister will
- // handle filtering out those documents that the user can't see.
- return true;
- }
-
- case URLACTION_MODDOC:
- {
- if ($id)
- {
- // Editing document
- if ($this->allowGlobalEditDocument)
- {
- return true;
- }
- else if ($this->allowDomainEditDocument)
- {
- // check to see if this document
- // is in the domain.
- return shAuthorize::canDomainViewDocument(
- $id,
- $user->getCompany()->get(PROP_ID),
- 0);
-
- }
- else if ($this->allowDomainGroupEditDocument)
- {
- // check to see if this document
- // is in the group domain
- return shAuthorize::canDomainViewDocument(
- $id,
- $user->getCompany()->get(PROP_ID),
- $user->getGroup()->get(PROP_ID));
-
- }
- else
- {
- return false;
- }
- }
- else
- {
- // Restrictions to location handled
- // in form code.
- return $this->allowDomainAddDocument ||
- $this->allowDomainGroupAddDocument ||
- $this->allowGlobalAddDocument;
- }
- }
- case URLACTION_MODCOMPANY:
- {
- if ($id)
- {
- if (($this->getPermissionGroup() == USER_TYPE_DOMAIN_ADMIN) &&
- ($id == $user->getCompany()->get(PROP_ID)))
- {
- return true;
- }
- else
- {
- return $this->allowGlobalEditCompany;
- }
- }
- else
- {
- return $this->allowGlobalAddCompany;
- }
- }
- case URLACTION_MODGROUP:
- {
- if ($id)
- {
- if ($this->allowGlobalEditGroup)
- {
- return true;
- }
- else if ($this->allowDomainEditGroup)
- {
- // Is this group tied to the user's company
- // or is it one of the free groups that
- // can be used by any company. If the
- // latter is true, then the user cannot
- // edit it.
- $group = new shGroup;
- $group->set(PROP_ID,$id);
- if ($group->load())
- {
- if ($group->get(PROP_COMPANY_ID) == $user->getCompany()->get(PROP_ID))
- {
- return true;
- }
- }
- }
- }
- else
- {
-
- // Appropriate restrictions will be placed on the new group
- // in the form object code.
- return ($this->allowGlobalAddGroup || $this->allowDomainAddGroup);
- }
- }
- case URLACTION_MOD_POOL:
- {
- if ($id)
- {
- if ($this->allowGlobalFileBoxEditDocument)
- {
- // Global permissions to edit any filebox doc
- return true;
- }
- else if ($this->allowUserEditFileBoxDocument)
- {
- $fileboxDocument = new shPoolItem;
- $fileboxDocument->loadId($id);
-
- if ($fileboxDocument->get(PROP_USERNAME) ==
- $user->get(PROP_USERNAME))
- {
- // Can edit own filebox documents
- return true;
- }
- else
- {
- return false;
- }
- }
- }
- else
- {
- // Users can always add their own filebox documents.
- return $this->allowUserAddFileBoxDocument;
- }
- }
- case URLACTION_DELUSER:
- {
- if ($this->allowGlobalDeleteUser)
- {
- return true;
- }
- else if ($this->allowDomainDeleteUser || $this->allowDomainGroupDeleteUser)
- {
- $userToDelete = new shUser;
- $userToDelete->set(PROP_USERNAME,$id);
- if ($userToDelete->load())
- {
- if ($this->allowDomainDeleteUser)
- {
- // Domain admins can delete users in their own company
- if ($userToDelete->getCompany()->get(PROP_ID) == $user->getCompany()->get(PROP_ID))
- {
- return true;
- }
- }
- else if ($this->allowDomainGroupDeleteUser)
- {
- // Domain group admins can delete users in their company and group
- if (($userToDelete->getCompany()->get(PROP_ID) == $user->getCompany()->get(PROP_ID)) &&
- ($userToDelete->getGroup()->get(PROP_ID) == $user->getGroup()->get(PROP_ID)))
- {
- return true;
- }
- }
- }
- }
-
- return false;
- }
- case URLACTION_DELCAT:
- {
- if ($this->allowGlobalDeleteCategory)
- {
- return true;
- }
-
- return false;
- }
- case URLACTION_DELDOC:
- {
- if ($this->allowGlobalDeleteDocument)
- {
- return true;
- }
- else if ($this->allowDomainDeleteDocument)
- {
- // check to see if this document
- // is in the domain.
- return shAuthorize::canDomainViewDocument(
- $id,
- $user->getCompany()->get(PROP_ID),
- 0);
-
- }
- else if ($this->allowDomainGroupDeleteDocument)
- {
- // check to see if this document
- // is in the group domain
- return shAuthorize::canDomainViewDocument(
- $id,
- $user->getCompany()->get(PROP_ID),
- $user->getGroup()->get(PROP_ID));
-
- }
-
- return false;
- }
- case URLACTION_DELCOMPANY:
- {
- return $this->allowGlobalDeleteCompany;
- }
- case URLACTION_DELGROUP:
- {
- return $this->allowGlobalDeleteGroup;
- }
- case URLACTION_DELPOOLITEM:
- if ($this->allowGlobalFileBoxDeleteDocument)
- {
- return true;
- }
- else
- {
- return shAuthorize::canDeletePoolItem
- ($user->get(PROP_USERNAME), $id);
- }
-
- case URLACTION_VIEWTRASH:
- {
- if ($this->allowGlobalViewTrash ||
- $this->allowDomainViewTrash ||
- $this->allowDomainGroupViewTrash)
- {
- // View code will handle filtering out items
- // that are not available to the current user.
- return true;
- }
- }
- case URLACTION_EMPTYTRASH:
- {
- if ($this->allowGlobalDeletePermanently ||
- $this->allowDomainDeletePermanently ||
- $this->allowDomainGroupDeletePermanently)
- {
- // View code will handle filtering out items
- // that are not available to the current user.
- return true;
- }
- }
- case URLACTION_RESTORE:
- {
- if ($this->allowGlobalRestoreTrash ||
- $this->allowDomainRestoreTrash ||
- $this->allowDomainGroupRestoreTrash)
- {
- // View code will handle filtering out items
- // that are not available to the current user.
- return true;
- }
- }
- case URLACTION_VIEWCAT:
-
- // This will be limited in the code that displays
- // files for this category.
- return true;
-
- case URLACTION_VIEWCOMPANY:
-
- if ($this->allowGlobalEditCompany)
- {
- return true;
- }
- else if ($this->getPermissionGroup() == USER_TYPE_DOMAIN_ADMIN)
- {
- if ($user->getCompany()->get(PROP_ID) == $id)
- {
- return true;
- }
- }
-
- return false;
-
- case URLACTION_VIEWGROUP:
-
- if ($id == 0 || $id == '')
- {
- // Trying to view all groups
- return $this->allowGlobalEditGroup;
- }
- else
- {
- if ($this->allowGlobalEditGroup)
- {
- return true;
- }
- else if ($this->allowDomainEditGroup)
- {
- // The user has the ability to edit groups
- // in a domain. Let's check to see if the group
- // is part of the current's user's organization
- $org = $user->getCompany();
- if ($org)
- {
- if ($org->findGroup($id))
- {
- // The group is part of the organization
- // so go ahead and allow this view.
- return true;
- }
- }
- }
- else if ($this->allowDomainGroupEditGroup)
- {
- if ($user->getGroup()->get(PROP_ID) == $id)
- {
- return true;
- }
- }
- }
-
- return false;
-
- case URLACTION_VIEWATTRIB:
-
- // This lists information about the attribute (tag). We
- // allow it for anyone and just have the code that displays
- // handle hiding info that isn't available to the user.
- return true;
-
- case URLACTION_VIEWUSER:
-
- if ($id == '')
- {
- if ($this->allowGlobalEditUser ||
- $this->allowDomainGroupEditUser ||
- $this->allowDomainEditUser)
- {
- // The lister will filter out users
- // which this user cannot see.
- return true;
- }
- else
- {
- return false;
- }
- }
- else
- {
- return $this->isAllowed (URLACTION_MODUSER,$id);
- }
-
- case URLACTION_SENDMAIL_TO_GROUP:
-
- // The form will restrict to which group
- // mail can be sent.
- return ($this->allowDomainSendGroupMail ||
- $this->allowDomainGroupSendGroupMail ||
- $this->allowGlobalSendGroupMail);
-
- case URLACTION_VIEWMOD:
-
- // the lister for this data will filter out
- // inaccessible items.
- return $this->allowGlobalViewReports ||
- $this->allowDomainViewReports ||
- $this->allowDomainGroupViewReports;
-
- case URLACTION_VIEWUSAGE:
-
- // the lister for this data will filter out
- // inaccessible items.
- return $this->allowGlobalViewReports ||
- $this->allowDomainViewReports ||
- $this->allowDomainGroupViewReports;
-
- case URLACTION_VIEWPOOL:
-
- if ($id == '')
- {
- // Anyone can view the item pool though only admin
- // users will be able to see items thatuploaded
- // by others (handled elsewhere).
- return $this->allowUserAddFileBoxDocument ||
- $this->allowGlobalFileBoxEditDocument;
- }
- else
- {
- $permGroup = $this->getPermissionGroup();
- if ($permGroup == USER_TYPE_ADMIN)
- {
- // Super admin can see anything
- return true;
- }
- else
- {
- // Users can only see their own filebox documents or
- // filebox that are shared with them.
- $username = $user->get(PROP_USERNAME);
- if (shAuthorize::canDownloadPoolItem($username,$id))
- {
- return true;
- }
- else
- {
- return false;
- }
- }
- }
-
- case URLACTION_VIEWBIN:
- // Anyone can view the bin
- return true;
-
- case URLACTION_BROWSELIBRARY:
- return true;
-
- case URLACTION_BROWSEBYORG:
- return $this->allowGlobalEditCompany &&
- $this->allowGlobalEditGroup;
-
- case URLACTION_SETTINGS:
- return $this->allowGlobalChangeSettings;
-
- case URLACTION_PURGEHISTORY:
- return $this->allowGlobalChangeSettings;
-
- default:
- return true;
- }
-
- }
- }
-
- /**
- * @desc Creates a permissions object that allows the user
- * to do anything in the system (super admin)
- * @return shPermissions Returns permissions object with correctly
- * set permissions
- */
- function makeSuperAdminPermissions()
- {
- $perm = new shPermissions;
- $props = get_object_vars($perm);
- foreach ($props as $key=>$value)
- {
- $perm->$key = true;
- }
- return $perm;
- }
-
- /**
- * @desc Creates a permissions object that allows the user
- * to do anything in his own group (group admin)
- * @return shPermissions Returns permissions object with correctly
- * set permissions
- */
- function makeGroupAdminPermissions()
- {
- $perm = new shPermissions;
- $props = get_object_vars($perm);
-
- foreach ($props as $key=>$value)
- {
- if (stripos($key,'allowUser') !== false)
- {
- $perm->$key = true;
- }
- else if (stripos($key,'allowDomainGroup') !== false)
- {
- $perm->$key = true;
- }
- }
-
- return $perm;
- }
-
- /**
- * @desc Creates a permissions object that allows the user
- * to do anything in his own company (org admin)
- * @return shPermissions Returns permissions object with correctly
- * set permissions
- */
- function makeDomainAdminPermissions()
- {
- $perm = new shPermissions;
-
- $props = get_object_vars($perm);
- foreach ($props as $key=>$value)
- {
- if (stripos($key,'allowUser') !== false)
- {
- $perm->$key = true;
- }
- else if (stripos($key,'allowDomainGroup') !== false)
- {
- $perm->$key = true;
- }
- else if (stripos($key,'allowDomain') !== false)
- {
- $perm->$key = true;
- }
- }
-
- return $perm;
- }
-
- /**
- * @desc Creates a permissions object that allows the user
- * to have standard registered user permissions(registered user)
- * @return shPermissions Returns permissions object with correctly
- * set permissions
- */
- function makeUserPermissions()
- {
- $perm = new shPermissions;
- $props = get_object_vars($perm);
- foreach ($props as $key=>$value)
- {
- if (stripos($key,'allowUser') !== false)
- {
- $perm->$key = true;
- }
- }
-
- return $perm;
- }
-
- ?>