ktpermissions.php.svn-base

来自「PHP 知识管理系统（基于树结构的知识管理系统）, 英文原版的PHP源码。」· SVN-BASE 代码 · 共 905 行 · 第 1/3 页

<?php
/**
 * $Id$
 *
 * KnowledgeTree Community Edition
 * Document Management Made Simple
 * Copyright (C) 2008 KnowledgeTree Inc.
 * Portions copyright The Jam Warehouse Software (Pty) Limited
 * 
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License version 3 as published by the
 * Free Software Foundation.
 * 
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more
 * details.
 * 
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 * 
 * You can contact KnowledgeTree Inc., PO Box 7775 #87847, San Francisco, 
 * California 94120-7775, or email info@knowledgetree.com.
 * 
 * The interactive user interfaces in modified source and object code versions
 * of this program must display Appropriate Legal Notices, as required under
 * Section 5 of the GNU General Public License version 3.
 * 
 * In accordance with Section 7(b) of the GNU General Public License version 3,
 * these Appropriate Legal Notices must retain the display of the "Powered by
 * KnowledgeTree" logo and retain the original copyright notice. If the display of the 
 * logo is not reasonably feasible for technical reasons, the Appropriate Legal Notices
 * must display the words "Powered by KnowledgeTree" and retain the original 
 * copyright notice.
 * Contributor( s): ______________________________________
 *
 */

require_once(KT_LIB_DIR . '/actions/folderaction.inc.php');
require_once(KT_LIB_DIR . '/actions/documentaction.inc.php');
require_once(KT_LIB_DIR . '/widgets/fieldWidgets.php');

require_once(KT_LIB_DIR . "/foldermanagement/Folder.inc");
require_once(KT_LIB_DIR . "/foldermanagement/foldertransaction.inc.php");

require_once(KT_LIB_DIR . "/groups/Group.inc");
require_once(KT_LIB_DIR . "/users/User.inc");
require_once(KT_LIB_DIR . "/roles/Role.inc");
require_once(KT_LIB_DIR . "/roles/roleallocation.inc.php");
require_once(KT_LIB_DIR . "/roles/documentroleallocation.inc.php");

require_once(KT_LIB_DIR . "/permissions/permission.inc.php");
require_once(KT_LIB_DIR . "/permissions/permissionobject.inc.php");
require_once(KT_LIB_DIR . "/permissions/permissionlookup.inc.php");
require_once(KT_LIB_DIR . "/permissions/permissionassignment.inc.php");
require_once(KT_LIB_DIR . "/permissions/permissiondescriptor.inc.php");
require_once(KT_LIB_DIR . "/permissions/permissionutil.inc.php");

require_once(KT_LIB_DIR . '/workflow/workflowutil.inc.php');

class KTDocumentPermissionsAction extends KTDocumentAction {
    var $sName = 'ktcore.actions.document.permissions';
    var $_sEditShowPermission = "ktcore.permissions.security";
    var $_sShowPermission = "ktcore.permissions.security";
    var $_bAdminAlwaysAvailable = true;

    function getDisplayName() {
        return _kt('Permissions');
    }

    function do_main() {
        $this->oPage->setBreadcrumbDetails(_kt("Document Permissions"));
        $oTemplate = $this->oValidator->validateTemplate("ktcore/document/document_permissions");

        $oPL = KTPermissionLookup::get($this->oDocument->getPermissionLookupID());
        $aPermissions = KTPermission::getList();
        $aMapPermissionGroup = array();
        $aMapPermissionRole = array();
		$aMapPermissionUser = array();

		$aAllGroups = Group::getList();   // probably small enough
		$aAllRoles = Role::getList();     // probably small enough.
		// users are _not_ fetched this way.

		$aActiveGroups = array();
		$aActiveUsers = array();
		$aActiveRoles = array();

        foreach ($aPermissions as $oPermission) {
            $oPLA = KTPermissionLookupAssignment::getByPermissionAndLookup($oPermission, $oPL);
            if (PEAR::isError($oPLA)) {
                continue;
            }
            $oDescriptor = KTPermissionDescriptor::get($oPLA->getPermissionDescriptorID());
            $iPermissionID = $oPermission->getID();
            $aIDs = $oDescriptor->getGroups();
            $aMapPermissionGroup[$iPermissionID] = array();
            foreach ($aIDs as $iID) {
                $aMapPermissionGroup[$iPermissionID][$iID] = true;
				$aActiveGroups[$iID] = true;
            }
            $aIds = $oDescriptor->getRoles();
            $aMapPermissionRole[$iPermissionID] = array();
            foreach ($aIds as $iId) {
                $aMapPermissionRole[$iPermissionID][$iId] = true;
				$aActiveRoles[$iId] = true;
            }
			$aIds = $oDescriptor->getUsers();
            $aMapPermissionUser[$iPermissionID] = array();
            foreach ($aIds as $iId) {
                $aMapPermissionUser[$iPermissionID][$iId] = true;
				$aActiveUsers[$iId] = true;
            }
        }

		// now we constitute the actual sets.
		$users = array();
		$groups = array();
		$roles = array(); // should _always_ be empty, barring a bug in permissions::updatePermissionLookup

		// this should be quite limited - direct role -> user assignment is typically rare.
		foreach ($aActiveUsers as $id => $marker) {
		    $oUser = User::get($id);
			$users[$oUser->getName()] = $oUser;
		}
		asort($users); // ascending, per convention.

		foreach ($aActiveGroups as $id => $marker) {
		    $oGroup = Group::get($id);
			$groups[$oGroup->getName()] = $oGroup;
		}
		asort($groups);

		foreach ($aActiveRoles as $id => $marker) {
		    $oRole = Role::get($id);
			$roles[$oRole->getName()] = $oRole;
		}
		asort($roles);

        $bEdit = KTPermissionUtil::userHasPermissionOnItem($this->oUser, $this->_sEditShowPermission, $this->oDocument);
		$sInherited = '';

        $aDynamicControls = array();
        $aWorkflowControls = array();

        // handle conditions
        $iPermissionObjectId = $this->oDocument->getPermissionObjectID();
        if (!empty($iPermissionObjectId)) {
            $oPO = KTPermissionObject::get($iPermissionObjectId);
            $aDynamicConditions = KTPermissionDynamicCondition::getByPermissionObject($oPO);
            if (!PEAR::isError($aDynamicConditions)) {
                foreach ($aDynamicConditions as $oDynamicCondition) {
                    $iConditionId = $oDynamicCondition->getConditionId();
                    if (KTSearchUtil::testConditionOnDocument($iConditionId, $this->oDocument)) {
                        $aPermissionIds = $oDynamicCondition->getAssignment();
                        foreach ($aPermissionIds as $iPermissionId) {
                            $aDynamicControls[$iPermissionId] = true;
                        }
                    }
                }
            }
        }


        // indicate that workflow controls a given permission
        $oState = KTWorkflowUtil::getWorkflowStateForDocument($this->oDocument);
        if (!(PEAR::isError($oState) || is_null($oState) || ($oState == false))) {
            $aWorkflowStatePermissionAssignments = KTWorkflowStatePermissionAssignment::getByState($oState);
            foreach ($aWorkflowStatePermissionAssignments as $oAssignment) {
                $aWorkflowControls[$oAssignment->getPermissionId()] = true;
                unset($aDynamicControls[$oAssignment->getPermissionId()]);
            }
        }


        $aTemplateData = array(
            "context" => $this,
            "permissions" => $aPermissions,
            "groups" => $groups,
			"users" => $users,
            "roles" => $roles,
            "iDocumentID" => $_REQUEST['fDocumentID'],
            "aMapPermissionGroup" => $aMapPermissionGroup,
            "aMapPermissionRole" => $aMapPermissionRole,
			"aMapPermissionUser" => $aMapPermissionUser,
            "edit" => $bEdit,
            "inherited" => $sInherited,
            'workflow_controls' => $aWorkflowControls,
            'conditions_control' => $aDynamicControls,
        );
        return $oTemplate->render($aTemplateData);
    }

    function do_resolved_users() {
        $this->oPage->setBreadcrumbDetails(_kt("Permissions"));
        $oTemplate = $this->oValidator->validateTemplate("ktcore/document/resolved_permissions_user");

        $oPL = KTPermissionLookup::get($this->oDocument->getPermissionLookupID());
        $aPermissions = KTPermission::getList();
        $aMapPermissionGroup = array();
        $aMapPermissionRole = array();
        $aMapPermissionUser = array();

        $aUsers = User::getList();

        foreach ($aPermissions as $oPermission) {
            $oPLA = KTPermissionLookupAssignment::getByPermissionAndLookup($oPermission, $oPL);
            if (PEAR::isError($oPLA)) {
                continue;
            }
            $oDescriptor = KTPermissionDescriptor::get($oPLA->getPermissionDescriptorID());
            $iPermissionID = $oPermission->getID();
            $aMapPermissionGroup[$iPermissionID] = array();
            foreach ($aUsers as $oUser) {
                if (KTPermissionUtil::userHasPermissionOnItem($oUser, $oPermission, $this->oDocument)) {
                    $aMapPermissionUser[$iPermissionID][$oUser->getId()] = true;
                    $aActiveUsers[$oUser->getId()] = true;
                }
            }
        }

        // now we constitute the actual sets.
        $users = array();
        $groups = array();
        $roles = array(); // should _always_ be empty, barring a bug in permissions::updatePermissionLookup
        // this should be quite limited - direct role -> user assignment is typically rare.
        foreach ($aActiveUsers as $id => $marker) {
            $oUser = User::get($id);
            $users[$oUser->getName()] = $oUser;
        }
        asort($users); // ascending, per convention.

        $bEdit = false;
        $sInherited = '';


        $aDynamicControls = array();
        $aWorkflowControls = array();

        // handle conditions
        $iPermissionObjectId = $this->oDocument->getPermissionObjectID();
        if (!empty($iPermissionObjectId)) {
            $oPO = KTPermissionObject::get($iPermissionObjectId);
            $aDynamicConditions = KTPermissionDynamicCondition::getByPermissionObject($oPO);
            if (!PEAR::isError($aDynamicConditions)) {
                foreach ($aDynamicConditions as $oDynamicCondition) {
                    $iConditionId = $oDynamicCondition->getConditionId();
                    if (KTSearchUtil::testConditionOnDocument($iConditionId, $this->oDocument)) {
                        $aPermissionIds = $oDynamicCondition->getAssignment();
                        foreach ($aPermissionIds as $iPermissionId) {
                            $aDynamicControls[$iPermissionId] = true;
                        }
                    }
                }
            }
        }


        // indicate that workflow controls a given permission
        $oState = KTWorkflowUtil::getWorkflowStateForDocument($this->oDocument);
        if (!(PEAR::isError($oState) || is_null($oState) || ($oState == false))) {
            $aWorkflowStatePermissionAssignments = KTWorkflowStatePermissionAssignment::getByState($oState);
            foreach ($aWorkflowStatePermissionAssignments as $oAssignment) {
                $aWorkflowControls[$oAssignment->getPermissionId()] = true;
                unset($aDynamicControls[$oAssignment->getPermissionId()]);
            }
        }


        $aTemplateData = array(
            "context" => $this,
            "permissions" => $aPermissions,
            "groups" => $groups,
            "users" => $users,
            "roles" => $roles,
            "oDocument" => $this->oDocument,
            "aMapPermissionGroup" => $aMapPermissionGroup,
            "aMapPermissionRole" => $aMapPermissionRole,
            "aMapPermissionUser" => $aMapPermissionUser,
            "edit" => $bEdit,
            "inherited" => $sInherited,
            'workflow_controls' => $aWorkflowControls,
            'conditions_control' => $aDynamicControls,
        );
        return $oTemplate->render($aTemplateData);
    }
}

class KTRoleAllocationPlugin extends KTFolderAction {
    var $sName = 'ktcore.actions.folder.roles';

    var $_sShowPermission = "ktcore.permissions.security";
    var $bAutomaticTransaction = true;
    var $_bAdminAlwaysAvailable = true;

    function getDisplayName() {
        return _kt('Allocate Roles');
    }

    function do_main() {
        $this->oPage->setTitle(_kt("Allocate Roles"));
        $this->oPage->setBreadcrumbDetails(_kt("Allocate Roles"));