permissions.php.svn-base

来自「PHP 知识管理系统（基于树结构的知识管理系统）, 英文原版的PHP源码。」· SVN-BASE 代码 · 共 643 行 · 第 1/2 页

            'iFolderId' => $this->oFolder->getId(),
	        'roles' => Role::getList(),
	        'groups' => Group::getList(),
            'conditions' => KTSavedSearch::getConditions(),
            'dynamic_conditions' => $aDynamicConditions,
            'context' => &$this,
            'foldername' => $this->oFolder->getName(),
	        'jsonpermissions' => $sJSONPermissions,
	        'edit' => true,
	        'permissions' => $perms,
	        'document_permissions' => $docperms,
	        'can_inherit' => $bCanInherit
        );
        return $oTemplate->render($aTemplateData);
    }


    function json_permissionError() {
	return array('error' => true,
		     'type' => 'kt.permission_denied',
		     'alert' => true,
		     'message' => _kt('You do not have permission to alter security settings.'));
    }

    function &_getPermissionsMap() {
        $oPO = KTPermissionObject::get($this->oFolder->getPermissionObjectId());
        $aPermissions = KTPermission::getList();
        $aPermissionsMap = array('role'=>array(), 'group'=>array());

        foreach ($aPermissions as $oPermission) {
            $oPA = KTPermissionAssignment::getByPermissionAndObject($oPermission, $oPO);
            if (PEAR::isError($oPA)) {
                continue;
            }
            $oDescriptor = KTPermissionDescriptor::get($oPA->getPermissionDescriptorId());
            $iPermissionId = $oPermission->getId();

	    // groups
            $aGroupIds = $oDescriptor->getGroups();
            foreach ($aGroupIds as $iId) {
                $aPermissionsMap['group'][$iId][$iPermissionId] = true;
            }

	    // roles
            $aRoleIds = $oDescriptor->getRoles();
            foreach ($aRoleIds as $iId) {
                $aPermissionsMap['role'][$iId][$iPermissionId] = true;
            }
        }
	return $aPermissionsMap;
    }



    function json_getEntities($optFilter = null) {
	$sFilter = KTUtil::arrayGet($_REQUEST, 'filter', false);
	if($sFilter == false && $optFilter != null) {
	    $sFilter = $optFilter;
	}

	$bSelected = KTUtil::arrayGet($_REQUEST, 'selected', false);

	$aEntityList = array('off' => _kt('-- Please filter --'));

	// check permissions
        $oPO = KTPermissionObject::get($this->oFolder->getPermissionObjectId());
        $aOptions = array('redirect_to' => array('json', 'json_action=permission_error&fFolderId=' .  $this->oFolder->getId()));

        if (!KTBrowseUtil::inAdminMode($this->oUser, $this->oFolder)) {
            $this->oValidator->userHasPermissionOnItem($this->oUser, $this->_sEditShowPermission, $this->oFolder, $aOptions);
        }

	// get permissions map
	$aPermissionsMap =& $this->_getPermissionsMap();

	if($bSelected || $sFilter && trim($sFilter)) {
	    if(!$bSelected) {
		$aEntityList = array();
	    }

	    $aGroups = Group::getList(sprintf('name like \'%%%s%%\'', $sFilter));
	    foreach($aGroups as $oGroup) {
		$aPerm = @array_keys($aPermissionsMap['group'][$oGroup->getId()]);
		if(!is_array($aPerm)) {
		    $aPerm = array();
		}
		if($bSelected) {
		    if(count($aPerm))
		    $aEntityList['g'.$oGroup->getId()] = array('type' => 'group',
							       'display' => _kt('Group') . ': ' . $oGroup->getName(),
							       'name' => $oGroup->getName(),
							       'permissions' => $aPerm,
							       'id' => $oGroup->getId(),
							       'selected' => true);
		} else {
		    $aEntityList['g'.$oGroup->getId()] = array('type' => 'group',
							       'display' => _kt('Group') . ': ' . $oGroup->getName(),
							       'name' => $oGroup->getName(),
							       'permissions' => $aPerm,
							       'id' => $oGroup->getId());
		}
	    }

	    $aRoles = Role::getList(sprintf('name like \'%%%s%%\'', $sFilter));
	    foreach($aRoles as $oRole) {
		$aPerm = @array_keys($aPermissionsMap['role'][$oRole->getId()]);
		if(!is_array($aPerm)) {
		    $aPerm = array();
		}

		if($bSelected) {
		    if(count($aPerm))
		    $aEntityList['r'.$oRole->getId()] = array('type' => 'role',
							      'display' => _kt('Role') . ': ' . $oRole->getName(),
							      'name' => $oRole->getName(),
							      'permissions' => $aPerm,
							      'id' => $oRole->getId(),
							      'selected' => true);
		} else {
		    $aEntityList['r'.$oRole->getId()] = array('type' => 'role',
							      'display' => _kt('Role') . ': ' . $oRole->getName(),
							      'name' => $oRole->getName(),
							      'permissions' => $aPerm,
							      'id' => $oRole->getId());
		}
	    }
	}
	return $aEntityList;
    }



    function do_update() {
        $aOptions = array('redirect_to' => array('main', 'fFolderId=' .  $this->oFolder->getId()));
        if (!KTBrowseUtil::inAdminMode($this->oUser, $this->oFolder)) {
            $this->oValidator->userHasPermissionOnItem($this->oUser, $this->_sEditShowPermission, $this->oFolder, $aOptions);
        }

        $aFoo = $_REQUEST['foo'];
        $aPermissions = KTPermission::getList();

		/*
		--- This section has been commented out to remove these checks when permissions
		--- are updated.
		---------------------------------------------------------------------------------

		//-------------------
        //This section is used to make sure that a user doesn't disable the admin groups
        //Manage security permission or the Manage Security permission of a group they
        //are currently a member of.

        // Check which groups have permission to manage security
        $aNewGroups = (isset($aFoo[4]['group']) ? $aFoo[4]['group'] : array());
        $aNewRoles = (isset($aFoo[4]['role']) ? $aFoo[4]['role'] : array());

        $iUserId = $this->oUser->getId();

        //Check that they aren't removing the sys admin Manage Security permission
        //1 in this case is the admin group.
        if(!in_array('1', $aNewGroups))
        {
        	$this->addErrorMessage(_kt('You cannot remove the Manage Security permission from the System Administrators Group'));
            $this->redirectTo('edit', 'fFolderId=' . $this->oFolder->getId());
            exit(0);
        }


        //Check that they aren't removing the Manage Security permission from a group
        //They are a member of.
        if(!GroupUtil::checkUserInGroups($iUserId, array(1)))
        {
	        //Ensure the user is not removing his/her own permission to update the folder permissions (manage security)
	        if(!in_array(-3, $aNewRoles))
	        {

	            if(!GroupUtil::checkUserInGroups($iUserId, $aNewGroups))
	            {
	                // If user no longer has permission, return an error.
	                $this->addErrorMessage(_kt('You cannot remove the Manage Security permission from a group you belong to.'));
	                $this->redirectTo('edit', 'fFolderId=' . $this->oFolder->getId());
	                exit(0);
	            }

	        }
        }
		//-----------------
        */

        require_once(KT_LIB_DIR . '/documentmanagement/observers.inc.php');
        $oPO = KTPermissionObject::get($this->oFolder->getPermissionObjectId());

        foreach ($aPermissions as $oPermission) {
            $iPermId = $oPermission->getId();

            $aAllowed = KTUtil::arrayGet($aFoo, $iPermId, array());
            KTPermissionUtil::setPermissionForId($oPermission, $oPO, $aAllowed);
        }

        $oTransaction = KTFolderTransaction::createFromArray(array(
            'folderid' => $this->oFolder->getId(),
            'comment' => _kt('Updated permissions'),
            'transactionNS' => 'ktcore.transactions.permissions_change',
            'userid' => $_SESSION['userID'],
            'ip' => Session::getClientIP(),
            ));
        $aOptions = array(
            'defaultmessage' => _kt('Error updating permissions'),
            'redirect_to' => array('edit', sprintf('fFolderId=%d', $this->oFolder->getId())),
            );
        $this->oValidator->notErrorFalse($oTransaction, $aOptions);

        $po =& new JavascriptObserver($this);
        $po->start();
        $oChannel =& KTPermissionChannel::getSingleton();
        $oChannel->addObserver($po);

        KTPermissionUtil::updatePermissionLookupForPO($oPO);

        $this->commitTransaction();

        $this->addInfoMessage(_kt('Permissions on folder updated'));
        $po->redirect(KTUtil::addQueryString($_SERVER['PHP_SELF'], 'action=edit&fFolderId=' . $this->oFolder->getId()));
        exit(0);
    }


    function do_inheritPermissions() {
        $aOptions = array('redirect_to' => array('main', 'fFolderId=' .  $this->oFolder->getId()));
        if (!KTBrowseUtil::inAdminMode($this->oUser, $this->oFolder)) {
            $this->oValidator->userHasPermissionOnItem($this->oUser, $this->_sEditShowPermission, $this->oFolder, $aOptions);
        }
        $oTransaction = KTFolderTransaction::createFromArray(array(
            'folderid' => $this->oFolder->getId(),
            'comment' => _kt('Inherit permissions from parent'),
            'transactionNS' => 'ktcore.transactions.permissions_change',
            'userid' => $_SESSION['userID'],
            'ip' => Session::getClientIP(),
        ));
        $aOptions = array(
            'defaultmessage' => _kt('Error updating permissions'),
            'redirect_to' => array('edit', sprintf('fFolderId=%d', $this->oFolder->getId())),
        );
        $this->oValidator->notErrorFalse($oTransaction, $aOptions);

        KTPermissionUtil::inheritPermissionObject($this->oFolder);
        return $this->successRedirectTo('main', _kt('Permissions updated'),
                array('fFolderId' => $this->oFolder->getId()));
    }

    function do_newDynamicPermission() {
        $aOptions = array('redirect_to' => array('main', 'fFolderId=' .  $this->oFolder->getId()));
        if (!KTBrowseUtil::inAdminMode($this->oUser, $this->oFolder)) {
            $this->oValidator->userHasPermissionOnItem($this->oUser, $this->_sEditShowPermission, $this->oFolder, $aOptions);
        }
        $aOptions = array(
            'redirect_to' => array('edit', 'fFolderId=' .  $this->oFolder->getId()),
        );
        $oGroup =& $this->oValidator->validateGroup($_REQUEST['fGroupId'], $aOptions);
        $oCondition =& $this->oValidator->validateCondition($_REQUEST['fConditionId'], $aOptions);
        $aPermissionIds = (array) $_REQUEST['fPermissionIds'];
        if (empty($aPermissionIds)) { $this->errorRedirectTo('edit', _kt('Please select one or more permissions.'), sprintf('fFolderId=%d', $this->oFolder->getId())); }
        $oPO = KTPermissionObject::get($this->oFolder->getPermissionObjectId());

        $oTransaction = KTFolderTransaction::createFromArray(array(
            'folderid' => $this->oFolder->getId(),
            'comment' => _kt('Added dynamic permissions'),
            'transactionNS' => 'ktcore.transactions.permissions_change',
            'userid' => $_SESSION['userID'],
            'ip' => Session::getClientIP(),
        ));
        $aOptions = array(
            'defaultmessage' => _kt('Error updating permissions'),
            'redirect_to' => array('edit', sprintf('fFolderId=%d', $this->oFolder->getId())),
        );
        $this->oValidator->notErrorFalse($oTransaction, $aOptions);

        $oDynamicCondition = KTPermissionDynamicCondition::createFromArray(array(
            'groupid' => $oGroup->getId(),
            'conditionid' => $oCondition->getId(),
            'permissionobjectid' => $oPO->getId(),
        ));
        $this->oValidator->notError($oDynamicCondition, $aOptions);
        $res = $oDynamicCondition->saveAssignment($aPermissionIds);
        $this->oValidator->notError($res, $aOptions);
        KTPermissionUtil::updatePermissionLookupForPO($oPO);
        $this->successRedirectTo('edit', _kt('Dynamic permission added'), 'fFolderId=' . $this->oFolder->getId());
    }

    function do_removeDynamicCondition() {
        $aOptions = array('redirect_to' => array('main', 'fFolderId=' .  $this->oFolder->getId()));
        if (!KTBrowseUtil::inAdminMode($this->oUser, $this->oFolder)) {
            $this->oValidator->userHasPermissionOnItem($this->oUser, $this->_sEditShowPermission, $this->oFolder, $aOptions);
        }
        $aOptions = array(
            'redirect_to' => array('edit', 'fFolderId=' .  $this->oFolder->getId()),
        );
        $oDynamicCondition =& $this->oValidator->validateDynamicCondition($_REQUEST['fDynamicConditionId'], $aOptions);
        $res = $oDynamicCondition->delete();
        $this->oValidator->notError($res, $aOptions);

        $oTransaction = KTFolderTransaction::createFromArray(array(
            'folderid' => $this->oFolder->getId(),
            'comment' => _kt('Removed dynamic permissions'),
            'transactionNS' => 'ktcore.transactions.permissions_change',
            'userid' => $_SESSION['userID'],
            'ip' => Session::getClientIP(),
        ));
        $aOptions = array(
            'defaultmessage' => _kt('Error updating permissions'),
            'redirect_to' => array('edit', sprintf('fFolderId=%d', $this->oFolder->getId())),
        );
        $this->oValidator->notErrorFalse($oTransaction, $aOptions);

        $oPO = KTPermissionObject::get($this->oFolder->getPermissionObjectId());
        KTPermissionUtil::updatePermissionLookupForPO($oPO);
        $this->successRedirectTo('edit', _kt('Dynamic permission removed'), 'fFolderId=' . $this->oFolder->getId());
    }
}

?>