📄 permissionutil.inc.php
字号:
$iFolderID = $oDocumentOrFolder->getID();
$sFolderIDs = Folder::generateFolderIDs($iFolderID);
$sFolderIDs .= '%';
$sWhere = 'permission_object_id = ? AND parent_folder_ids LIKE ?';
$aParams = array($oDocumentOrFolder->getPermissionObjectID(), $sFolderIDs);
$aFolders =& Folder::getList(array($sWhere, $aParams));
foreach ($aFolders as $oFolder) {
KTPermissionUtil::updatePermissionLookup($oFolder);
}
$aDocuments =& Document::getList(array($sWhere, $aParams));
foreach ($aDocuments as $oDocument) {
KTPermissionUtil::updatePermissionLookup($oDocument);
}
}
// }}}
// {{{ updatePermissionLookup
/**
* Update's the permission lookup on one folder or document,
* non-recursively.
*/
function updatePermissionLookup(&$oFolderOrDocument, $aOptions = null) {
$is_a_folder = is_a($oFolderOrDocument, 'Folder');
$is_a_document = is_a($oFolderOrDocument, 'Document') || is_a($oFolderOrDocument, 'KTDocumentCore');
//ensure that the document shortcut is being updated.
if($is_a_document && $oFolderOrDocument->isSymbolicLink()){
$oFolderOrDocument->switchToRealCore();
}
$oChannel = null;
$aMapPermAllowed = null;
$oPermLookup = null;
if (!is_null($aOptions)) {
$oChannel = $aOptions['channel'];
$aMapPermAllowed = $aOptions['map_allowed'];
$oPermLookup = $aOptions['perm_lookup'];
}
if (!$is_a_folder && !$is_a_document) {
return ; // we occasionally get handed a PEAR::raiseError. Just ignore it.
}
if (is_null($oChannel)) {
$oChannel =& KTPermissionChannel::getSingleton();
}
if ($is_a_folder) {
$msg = sprintf("Updating folder %s", join('/', $oFolderOrDocument->getPathArray()));
} else {
if (is_a($oFolderOrDocument, 'Document')) {
//modify the message to reflect that a shortcut is begin updated
if($oFolderOrDocument->isSymbolicLink()){
$msg = sprintf("Updating shortcut to %s", $oFolderOrDocument->getName());
}else{
$msg = sprintf("Updating document %s", $oFolderOrDocument->getName());
}
} else {
$msg = sprintf("Updating document %d", $oFolderOrDocument->getId());
}
}
$oChannel->sendMessage(new KTPermissionGenericMessage($msg));
//var_dump($msg);
$iPermissionObjectId = $oFolderOrDocument->getPermissionObjectID();
if (empty($iPermissionObjectId)) {
return;
}
$oPO = KTPermissionObject::get($iPermissionObjectId);
if (is_null($aMapPermAllowed)) {
$aPAs = KTPermissionAssignment::getByObjectMulti($oPO);
$aMapPermAllowed = array();
foreach ($aPAs as $oPA) {
$oPD = KTPermissionDescriptor::get($oPA->getPermissionDescriptorID());
$aGroupIDs = $oPD->getGroups();
$aUserIDs = array();
$aRoleIDs = $oPD->getRoles();
$aAllowed = array(
'group' => $aGroupIDs,
'user' => $aUserIDs,
'role' => $aRoleIDs,
);
$aMapPermAllowed[$oPA->getPermissionID()] = $aAllowed;
}
}
if (!$is_a_folder) {
$aDynamicConditions = KTPermissionDynamicCondition::getByPermissionObject($oPO);
if (!PEAR::isError($aDynamicConditions)) {
foreach ($aDynamicConditions as $oDynamicCondition) {
$iConditionId = $oDynamicCondition->getConditionId();
if (KTSearchUtil::testConditionOnDocument($iConditionId, $oFolderOrDocument)) {
$iGroupId = $oDynamicCondition->getGroupId();
$aPermissionIds = $oDynamicCondition->getAssignment();
foreach ($aPermissionIds as $iPermissionId) {
$aCurrentAllowed = KTUtil::arrayGet($aMapPermAllowed, $iPermissionId, array());
$aCurrentAllowed['group'][] = $iGroupId;
$aMapPermAllowed[$iPermissionId] = $aCurrentAllowed;
}
}
}
}
}
if (!$is_a_folder) {
$oState = KTWorkflowUtil::getWorkflowStateForDocument($oFolderOrDocument);
if (!(PEAR::isError($oState) || is_null($oState) || ($oState == false))) {
$aWorkflowStatePermissionAssignments = KTWorkflowStatePermissionAssignment::getByState($oState);
foreach ($aWorkflowStatePermissionAssignments as $oAssignment) {
$iPermissionId = $oAssignment->getPermissionId();
$iPermissionDescriptorId = $oAssignment->getDescriptorId();
$oPD = KTPermissionDescriptor::get($iPermissionDescriptorId);
$aGroupIDs = $oPD->getGroups();
$aUserIDs = array();
$aRoleIDs = $oPD->getRoles();
$aAllowed = array(
'group' => $aGroupIDs,
'user' => $aUserIDs,
'role' => $aRoleIDs,
);
$aMapPermAllowed[$iPermissionId] = $aAllowed;
}
}
}
// if we have roles: nearest folder.
$iRoleSourceFolder = null;
if ($is_a_document) {
$iRoleSourceFolder = $oFolderOrDocument->getFolderID();
}else {
$iRoleSourceFolder = $oFolderOrDocument->getId();
}
// very minor perf win: map role_id (in context) to PD.
$_roleCache = array();
foreach ($aMapPermAllowed as $iPermissionId => $aAllowed) {
$aAfterRoles = array();
if (array_key_exists('role', $aAllowed)) {
foreach ($aAllowed['role'] as $k => $iRoleId) {
// store the PD <-> RoleId map
// special-case "all" or "authenticated".
if (($iRoleId == -3) || ($iRoleId == -4)) {
$aAfterRoles[] = $iRoleId;
continue;
}
if (!array_key_exists($iRoleId, $_roleCache)) {
$oRoleAllocation = null;
if ($is_a_document) {
$oRoleAllocation =& DocumentRoleAllocation::getAllocationsForDocumentAndRole($oFolderOrDocument->getId(), $iRoleId);
if (PEAR::isError($oRoleAllocation)) { $oRoleAllocation = null; }
}
// if that's null - not set _on_ the document, then
if (is_null($oRoleAllocation)) {
$oRoleAllocation =& RoleAllocation::getAllocationsForFolderAndRole($iRoleSourceFolder, $iRoleId);
}
$_roleCache[$iRoleId] = $oRoleAllocation;
}
// roles are _not_ always assigned (can be null at root)
if (!is_null($_roleCache[$iRoleId])) {
$aMapPermAllowed[$iPermissionId]['user'] = kt_array_merge($aMapPermAllowed[$iPermissionId]['user'], $_roleCache[$iRoleId]->getUserIds());
$aMapPermAllowed[$iPermissionId]['group'] = kt_array_merge($aMapPermAllowed[$iPermissionId]['group'], $_roleCache[$iRoleId]->getGroupIds());
// naturally, roles cannot be assigned roles, or madness follows.
}
unset($aAllowed['role'][$k]);
}
}
unset($aMapPermAllowed[$iPermissionId]['role']);
if (!empty($aAfterRoles)) {
$aMapPermAllowed[$iPermissionId]['role'] = $aAfterRoles;
}
}
/*
print '<pre>';
print '=======' . $oFolderOrDocument->getName();
print '<br />';
var_dump($aMapPermAllowed);
print '</pre>';
*/
//if (is_null($oPermLookup)) {
$aMapPermDesc = array();
foreach ($aMapPermAllowed as $iPermissionId => $aAllowed) {
$oLookupPD = KTPermissionUtil::getOrCreateDescriptor($aAllowed);
$aMapPermDesc[$iPermissionId] = $oLookupPD->getID();
}
$oPermLookup = KTPermissionLookupAssignment::findOrCreateLookupByPermissionDescriptorMap($aMapPermDesc);
//}
$oFolderOrDocument->setPermissionLookupID($oPermLookup->getID());
$oFolderOrDocument->update();
}
// }}}
// {{{ userHasPermissionOnItem
/**
* Check whether a given user has the given permission on the given
* object, by virtue of a direct or indirect assignment due to the
* user, its groups, its roles, or the roles assigned to its groups,
* and so forth.
*/
function userHasPermissionOnItem($oUser, $oPermission, $oFolderOrDocument) {
if (is_string($oPermission)) {
$oPermission =& KTPermission::getByName($oPermission);
}
if (PEAR::isError($oPermission)) {
return false;
}
if (PEAR::isError($oFolderOrDocument) || $oFolderOrDocument == null) {
return false;
}
// Quick fix for multiple permissions look ups.
// For the current lookup, if the permissions have been checked then return their value
$iPermId = $oPermission->getID();
$iDocId = $oFolderOrDocument->getID();
$lookup = 'folders';
if(is_a($oEntity, 'Document') || is_a($oEntity, 'DocumentProxy')){
$lookup = 'docs';
}
// check if permission has been set
// $permArr[permId] = array('folders' => array('id' => bool), 'docs' => array('id' => bool));
if(isset($permArr[$iPermId][$lookup][$iDocId])){
return $permArr[$iPermId][$lookup][$iDocId];
}
$oPL = KTPermissionLookup::get($oFolderOrDocument->getPermissionLookupID());
$oPLA = KTPermissionLookupAssignment::getByPermissionAndLookup($oPermission, $oPL);
if (PEAR::isError($oPLA)) {
//print $oPL->getID();
$permArr[$iPermId][$lookup][$iDocId] = false;
return false;
}
$oPD = KTPermissionDescriptor::get($oPLA->getPermissionDescriptorID());
// set permission array to true
$permArr[$iPermId][$lookup][$iDocId] = true;
// check for permissions
$aGroups = GroupUtil::listGroupsForUserExpand($oUser);
if ($oPD->hasRoles(array(-3))) { return true; } // everyone has access.
else if ($oPD->hasUsers(array($oUser))) { return true; }
else if ($oPD->hasGroups($aGroups)) { return true; }
else if ($oPD->hasRoles(array(-4)) && !$oUser->isAnonymous()) { return true; }
// permission isn't true, set to false
$permArr[$iPermId][$lookup][$iDocId] = false;
return false;
}
// }}}
// {{{ findRootObjectForPermissionObject
/**
* Given a specific permission object, find the object (Folder or
* Document) that is the root of that permission object - the one
* object that has this permission object, but its parent has a
* different one.
*/
function findRootObjectForPermissionObject($oPO) {
global $default;
/*
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -