Index: trunk/core/units/general/helpers/permissions_helper.php
===================================================================
diff -u -N -r4762 -r4840
--- trunk/core/units/general/helpers/permissions_helper.php (.../permissions_helper.php) (revision 4762)
+++ trunk/core/units/general/helpers/permissions_helper.php (.../permissions_helper.php) (revision 4840)
@@ -76,15 +76,15 @@
}
/**
- * Checks permissions of user
+ * Common event permission checking method
*
* @param kEvent $event
*/
- function CheckPermission(&$event, $perm_mapping)
+ function CheckEventPermission(&$event, $perm_mapping)
{
$section = $event->getSection();
if (preg_match('/^CATEGORY:(.*)/', $section)) {
- return $this->CheckCategoryPermission($event, $perm_mapping);
+ return $this->CheckEventCategoryPermission($event, $perm_mapping);
}
$top_prefix = $event->getEventParam('top_prefix');
@@ -99,7 +99,7 @@
foreach ($check_perms as $perm_name) {
// check if at least one of required permissions is set
$perm_name = $section.'.'.$perm_name;
- $perm_status = $this->Application->CheckPermission($perm_name, 1);
+ $perm_status = $this->CheckPermission($perm_name, 1);
if (($perm_name == $section.'.add') && $perm_status && ($top_prefix == $event->Prefix)) {
// main item, add permission allowed, but ID is > 0, then deny permission
// how to get id here
@@ -123,17 +123,12 @@
}
/**
- * Check permissions
+ * Checks non-system permission on event per category basis
*
* @param kEvent $event
*/
- function CheckCategoryPermission(&$event, $event_perm_mapping)
+ function CheckEventCategoryPermission(&$event, $event_perm_mapping)
{
- // would be better to check this too, but we have no such ermission for now
- /*if ($event->Name == 'OnRateProduct') {
- return $this->Application->CheckPermission('PRODUCT.RATE', 0);
- }*/
-
// mapping between specific permissions and common permissions
$perm_mapping = Array('add' => 'ADD', 'edit' => 'MODIFY', 'delete' => 'DELETE', 'view' => 'VIEW');
@@ -169,10 +164,10 @@
if ((substr($event->Name, 0, 9) == 'OnPreSave') || ($event->Name == 'OnSave')) {
if ($event_handler->isNewItemCreate($event)) {
- return $this->Application->CheckPermission($item_prefix.'.ADD', 0, $category_id);
+ return $this->CheckPermission($item_prefix.'.ADD', 0, $category_id);
}
else {
- return $this->Application->CheckPermission($item_prefix.'.ADD', 0, $category_id) || $this->Application->CheckPermission($item_prefix.'.MODIFY', 0, $category_id);
+ return $this->CheckPermission($item_prefix.'.ADD', 0, $category_id) || $this->CheckPermission($item_prefix.'.MODIFY', 0, $category_id);
}
}
@@ -191,8 +186,8 @@
continue;
}
$perm_name = $item_prefix.'.'.$perm_mapping[$perm_name];
- echo 'event_name: '.$event->Name.'; permission: '.$perm_name.'
';
- $perm_status = $this->Application->CheckPermission($perm_name, 0, $category_id);
+ $this->showDebug('Event '.$event->Name.' permission(-s): '.$perm_name.'');
+ $perm_status = $this->CheckPermission($perm_name, 0, $category_id);
if ($perm_status) {
return $perm_status;
@@ -212,6 +207,161 @@
}
return $perm_status;
}
+
+ function showDebug($text)
+ {
+ if (!$this->Application->isDebugMode()) return true;
+ echo $text.'
';
+ }
+
+ function TagPermissionCheck($params, $tag_name)
+ {
+ $perm_event = getArrayValue($params, 'perm_event');
+ $permission_groups = getArrayValue($params, 'permissions');
+
+ if ($permission_groups) {
+ $this->showDebug('Tag '.$tag_name.' permission(-s): '.$permission_groups);
+ $permission_groups = explode('|', $permission_groups);
+ $group_has_permission = false;
+ foreach ($permission_groups as $permission_group) {
+ $permissions = explode(',', $permission_group);
+ $has_permission = true;
+ foreach ($permissions as $permission) {
+ $has_permission = $has_permission && $this->CheckPermission($permission, isset($params['system']) && $params['system'] ? 1 : 0);
+ }
+ $group_has_permission = $group_has_permission || $has_permission;
+
+ if ($group_has_permission) {
+ return true;
+ }
+ }
+ return false;
+ }
+ elseif ($perm_event) {
+ list($prefix, $event) = explode(':', $perm_event);
+ $event_handler =& $this->Application->recallObject($prefix.'_EventHandler');
+ return $event_handler->CheckPermission( new kEvent($perm_event) );
+ }
+
+ return true;
+ }
+
+ /**
+ * Returns no permission template to redirect to
+ *
+ * @param Array $params
+ * @return Array
+ */
+ function getPermissionTemplate($params)
+ {
+ $t = $this->Application->GetVar('t');
+ if ($next_t = getArrayValue($params, 'next_template')) {
+ $t = $next_t;
+ }
+
+ if (!$this->Application->LoggedIn()) {
+ $redirect_template = $params['login_template'];
+ $redirect_params = Array('next_template' => $t);
+ }
+ else {
+ if (isset($params['no_permissions_template'])) {
+ $redirect_template = $params['no_permissions_template'];
+ }
+ else {
+ $redirect_template = $this->Application->IsAdmin() ? 'no_permission' : $this->Application->ConfigValue('NoPermissionTemplate');
+ }
+
+ $redirect_params = $this->Application->isDebugMode() ? Array('from_template' => 1, 'perms' => $params['permissions'], 'next_template' => $t) : Array();
+ }
+
+ return Array($redirect_template, $redirect_params);
+ }
+
+ /**
+ * Check current user permissions based on it's group permissions in specified category (for non-system permissions) or just checks if system permission is set
+ *
+ * @param string $name permission name
+ * @param int $cat_id category id, current used if not specified
+ * @param int $type permission type {1 - system, 0 - per category}
+ * @return int
+ */
+ function CheckPermission($name, $type = 1, $cat_id = null)
+ {
+ if ($this->Application->GetVar('u_id') == -1) {
+ // "root" is allowed anywhere
+ return $name == 'SYSTEM_ACCESS.READONLY' ? 0 : 1;
+ }
+
+ if ($type == 1) {
+ // "system" permission are always checked per "Home" category (ID = 0)
+ $cat_id = 0;
+ }
+
+ if (!isset($cat_id)) {
+ $cat_id = $this->Application->GetVar('m_cat_id');
+ }
+
+ $cache_key = $name.'|'.$type.'|'.$cat_id;
+ $perm_value = $this->Application->getCache('permissions', $cache_key);
+ if ($perm_value !== false) {
+ return $perm_value;
+ }
+
+ // perm cache is build only based on records in db, that's why if permission is not explicitly denied, then
+ // that (perm cache creator) code thinks that it is allowed & adds corresponding record and code below will
+ // return incorrect results
+
+ /*if (preg_match('/(.*)\.VIEW$/', $name) && ($type == 0)) {
+ // cached view permission of category: begin
+ $sql = 'SELECT perm_cache.PermId
+ FROM '.TABLE_PREFIX.'PermCache perm_cache
+ LEFT JOIN '.TABLE_PREFIX.'PermissionConfig perm_config ON perm_cache.PermId = perm_config.PermissionConfigId
+ WHERE (perm_config.PermissionName = '.$this->Conn->qstr($name).' AND perm_cache.CategoryId = '.$cat_id.')';
+
+ $view_filters = Array();
+ $groups = explode(',', $this->Application->RecallVar('UserGroups'));
+ foreach ($groups as $group) {
+ $view_filters[] = 'FIND_IN_SET('.$group.', perm_cache.ACL) || ((NOT FIND_IN_SET('.$group.', perm_cache.DACL)) AND perm_cache.ACL = \'\')';
+ }
+ $sql .= ' AND ('.implode(' OR ', $view_filters).')';
+ $perm_value = $this->Conn->GetOne($sql) ? 1 : 0;
+
+ $this->Application->setCache('permissions', $cache_key, $perm_value);
+ return $perm_value;
+ // cached view permission of category: end
+ }*/
+
+ if ($cat_id == 0) {
+ $cat_hierarchy = Array(0);
+ }
+ else {
+ $sql = 'SELECT ParentPath
+ FROM '.$this->Application->getUnitOption('c', 'TableName').'
+ WHERE CategoryId = '.$cat_id;
+ $cat_hierarchy = $this->Conn->GetOne($sql);
+ $cat_hierarchy = explode('|', $cat_hierarchy);
+ array_shift($cat_hierarchy);
+ array_pop($cat_hierarchy);
+ $cat_hierarchy = array_reverse($cat_hierarchy);
+ array_push($cat_hierarchy, 0);
+ }
+
+ $perm_value = 0;
+ $groups = $this->Application->RecallVar('UserGroups');
+ foreach ($cat_hierarchy as $category_id) {
+ $sql = 'SELECT PermissionValue
+ FROM '.TABLE_PREFIX.'Permissions
+ WHERE Permission = "'.$name.'" AND CatId = '.$category_id.' AND GroupId IN ('.$groups.') AND Type = '.$type;
+ $res = $this->Conn->GetOne($sql);
+ if ($res !== false) {
+ $perm_value = $res;
+ break;
+ }
+ }
+
+ $this->Application->setCache('permissions', $cache_key, $perm_value);
+ return $perm_value;
+ }
}
?>
\ No newline at end of file