$this->level) { $this->level = $level; } } public function get_level() { return $this->level; } public function __construct(Model $model) { $this->model = $model; $userd = $this->model->dw_auth->getUserData($this->model->user_nick); if ($userd !== false && is_array($userd['grps'])) { $grps = $userd['grps']; if (in_array('admin', $grps ) || in_array('bez_admin', $grps )) { $this->update_level(BEZ_AUTH_ADMIN); } elseif (in_array('bez_leader', $grps )) { $this->update_level(BEZ_AUTH_LEADER); } else { $this->update_level(BEZ_AUTH_USER); } } elseif (isset($_GET['t'])) { $page_id = $this->model->action->id(); $user_tok = trim($_GET['t']); if ($this->model->authentication_tokenFactory->get_token($page_id) == $user_tok) { $this->update_level(BEZ_AUTH_VIEWER); } } } private function static_thread() { $acl = array_fill_keys(Thread::get_columns(), BEZ_PERMISSION_NONE); //virtual columns $acl['participants'] = BEZ_PERMISSION_NONE; $acl['labels'] = BEZ_PERMISSION_NONE; //BEZ_AUTH_VIEWER is also token viewer if ($this->level >= BEZ_AUTH_VIEWER) { //user can display everythig $acl = array_map(function($value) { return BEZ_PERMISSION_VIEW; }, $acl); } if ($this->level >= BEZ_AUTH_ADMIN) { //user can edit everythig $acl = array_map(function($value) { return BEZ_PERMISSION_DELETE; }, $acl); return $acl; } } private function check_thread(Thread $thread) { $acl = $this->static_thread(); //we create new issue if ($thread->id === NULL) { if ($this->level >= BEZ_AUTH_USER) { $acl['title'] = BEZ_PERMISSION_CHANGE; $acl['content'] = BEZ_PERMISSION_CHANGE; //$acl['type'] = BEZ_PERMISSION_CHANGE; } if ($this->level >= BEZ_AUTH_LEADER) { $acl['coordinator'] = BEZ_PERMISSION_CHANGE; } return $acl; } if ($thread->state === 'proposal' && $thread->original_poster === $this->model->user_nick) { $acl['title'] = BEZ_PERMISSION_CHANGE; $acl['content'] = BEZ_PERMISSION_CHANGE; //$acl['type'] = BEZ_PERMISSION_CHANGE; } if ($thread->coordinator === $this->model->user_nick) { $acl['title'] = BEZ_PERMISSION_CHANGE; $acl['content'] = BEZ_PERMISSION_CHANGE; //$acl['type'] = BEZ_PERMISSION_CHANGE; //coordinator can change coordinator $acl['coordinator'] = BEZ_PERMISSION_CHANGE; $acl['state'] = BEZ_PERMISSION_CHANGE; //$acl['opinion'] = BEZ_PERMISSION_CHANGE; } return $acl; } private function static_task() { $acl = array_fill_keys(Task::get_columns(), BEZ_PERMISSION_NONE); //virtual columns $acl['participants'] = BEZ_PERMISSION_NONE; //BEZ_AUTH_VIEWER is also token viewer if ($this->level >= BEZ_AUTH_VIEWER) { //user can display everythig $acl = array_map(function($value) { return BEZ_PERMISSION_VIEW; }, $acl); } if ($this->level >= BEZ_AUTH_ADMIN) { //user can edit everythig $acl = array_map(function($value) { return BEZ_PERMISSION_DELETE; }, $acl); return $acl; } } //if user can chante id => he can delete record private function check_task($task) { $acl = $this->static_task(); //we create new task if ($task->id === NULL) { if ($task->thread != null && $task->thread->coordinator == $this->model->user_nick || ($task->thread_id == '' && $this->level >= BEZ_AUTH_LEADER)) { $acl['content'] = BEZ_PERMISSION_CHANGE; $acl['task_program_id'] = BEZ_PERMISSION_CHANGE; $acl['assignee'] = BEZ_PERMISSION_CHANGE; $acl['cost'] = BEZ_PERMISSION_CHANGE; $acl['plan_date'] = BEZ_PERMISSION_CHANGE; $acl['all_day_event'] = BEZ_PERMISSION_CHANGE; $acl['start_time'] = BEZ_PERMISSION_CHANGE; $acl['finish_time'] = BEZ_PERMISSION_CHANGE; } //przypisujemy zadanie programowe samemu sobie //no assignee if ($task->thread_id == '') { $acl['content'] = BEZ_PERMISSION_CHANGE; $acl['task_program_id'] = BEZ_PERMISSION_CHANGE; $acl['cost'] = BEZ_PERMISSION_CHANGE; $acl['plan_date'] = BEZ_PERMISSION_CHANGE; $acl['all_day_event'] = BEZ_PERMISSION_CHANGE; $acl['start_time'] = BEZ_PERMISSION_CHANGE; $acl['finish_time'] = BEZ_PERMISSION_CHANGE; } return $acl; } //user can change state // if ($task->assignee == $this->model->user_nick) { //// $acl['reason'] = BEZ_PERMISSION_CHANGE; // $acl['state'] = BEZ_PERMISSION_CHANGE; // } //reporters can add subscribents to programme task // if ($task->original_poster === $this->model->user_nick) { // $acl['subscribents'] = BEZ_PERMISSION_CHANGE; // } if ($task->thread != null && $task->thread->coordinator == $this->model->user_nick || ($task->thread_id == '' && $this->level >= BEZ_AUTH_LEADER)) { // $acl['reason'] = BEZ_PERMISSION_CHANGE; //$acl['state'] = BEZ_PERMISSION_CHANGE; //we can chante cause $acl['thread_comment_id'] = BEZ_PERMISSION_CHANGE; $acl['content'] = BEZ_PERMISSION_CHANGE; $acl['task_program_id'] = BEZ_PERMISSION_CHANGE; $acl['assignee'] = BEZ_PERMISSION_CHANGE; $acl['cost'] = BEZ_PERMISSION_CHANGE; //$acl['reason'] = BEZ_PERMISSION_CHANGE; $acl['plan_date'] = BEZ_PERMISSION_CHANGE; $acl['all_day_event'] = BEZ_PERMISSION_CHANGE; $acl['start_time'] = BEZ_PERMISSION_CHANGE; $acl['finish_time'] = BEZ_PERMISSION_CHANGE; //leaders can add subscribents to programme tasks //$acl['subscribents'] = BEZ_PERMISSION_CHANGE; } if ($task->thread_id == '' && $task->original_poster == $this->model->user_nick && $task->assignee == $this->model->user_nick) { //$acl['reason'] = BEZ_PERMISSION_CHANGE; //$acl['state'] = BEZ_PERMISSION_CHANGE; $acl['content'] = BEZ_PERMISSION_CHANGE; $acl['task_program_id'] = BEZ_PERMISSION_CHANGE; //no executor $acl['cost'] = BEZ_PERMISSION_CHANGE; //$acl['reason'] = BEZ_PERMISSION_CHANGE; $acl['plan_date'] = BEZ_PERMISSION_CHANGE; $acl['all_day_event'] = BEZ_PERMISSION_CHANGE; $acl['start_time'] = BEZ_PERMISSION_CHANGE; $acl['finish_time'] = BEZ_PERMISSION_CHANGE; } return $acl; } private function static_thread_comment() { $acl = array_fill_keys(Thread_comment::get_columns(), BEZ_PERMISSION_NONE); //virtual columns //BEZ_AUTH_VIEWER is also token viewer if ($this->level >= BEZ_AUTH_VIEWER) { //user can display everythig $acl = array_map(function($value) { return BEZ_PERMISSION_VIEW; }, $acl); } if ($this->level >= BEZ_AUTH_ADMIN) { //user can edit everythig $acl = array_map(function($value) { return BEZ_PERMISSION_DELETE; }, $acl); return $acl; } } private function check_thread_comment(Thread_comment $thread_comment) { $acl = $this->static_thread_comment(); //we create new commcause if ($thread_comment->id === NULL) { if ($this->level >= BEZ_AUTH_USER) { $acl['content'] = BEZ_PERMISSION_CHANGE; } if ($thread_comment->coordinator === $this->model->user_nick) { $acl['type'] = BEZ_PERMISSION_CHANGE; $acl['content'] = BEZ_PERMISSION_CHANGE; } return $acl; } if ($thread_comment->coordinator === $this->model->user_nick) { $acl['type'] = BEZ_PERMISSION_CHANGE; $acl['content'] = BEZ_PERMISSION_CHANGE; //we can only delete records when there is no tasks subscribed to issue if ($thread_comment->task_count === 0) { $acl['id'] = BEZ_PERMISSION_CHANGE; } } //jeżeli ktoś zmieni typ z komentarza na przyczynę, tracimy możliwość edycji if ($thread_comment->author === $this->model->user_nick && $thread_comment->type == '0') { $acl['content'] = BEZ_PERMISSION_CHANGE; //we can only delete records when there is no tasks subscribed to issue if ($thread_comment->task_count === 0) { $acl['id'] = BEZ_PERMISSION_CHANGE; } } return $acl; } private function static_label() { $acl = array_fill_keys(Label::get_columns(), BEZ_PERMISSION_NONE); if ($this->level >= BEZ_AUTH_USER) { //user can display everythig $acl = array_map(function($value) { return BEZ_PERMISSION_VIEW; }, $acl); } if ($this->level >= BEZ_AUTH_ADMIN) { //admin can edit everythig $acl = array_map(function($value) { return BEZ_PERMISSION_DELETE; }, $acl); } return $acl; } private function check_label(Label $label) { return $this->static_label(); } private function static_task_program() { $acl = array_fill_keys(Task_program::get_columns(), BEZ_PERMISSION_NONE); if ($this->level >= BEZ_AUTH_USER) { //user can display everythig $acl = array_map(function($value) { return BEZ_PERMISSION_VIEW; }, $acl); } if ($this->level >= BEZ_AUTH_ADMIN) { //admin can edit everythig $acl = array_map(function($value) { return BEZ_PERMISSION_DELETE; }, $acl); } return $acl; } private function check_task_program(Task_program $task_program) { return $this->static_label(); } private function static_task_comment() { $acl = array_fill_keys(Task_comment::get_columns(), BEZ_PERMISSION_NONE); //BEZ_AUTH_VIEWER is also token viewer if ($this->level >= BEZ_AUTH_VIEWER) { //user can display everythig $acl = array_map(function($value) { return BEZ_PERMISSION_VIEW; }, $acl); } if ($this->level >= BEZ_AUTH_ADMIN) { //user can edit everything $acl = array_map(function($value) { return BEZ_PERMISSION_DELETE; }, $acl); return $acl; } } private function check_task_comment(Task_comment $task_comment) { $acl = $this->static_task_comment(); //we create new comment if ($task_comment->id == NULL) { if ($this->level >= BEZ_AUTH_USER) { $acl['content'] = BEZ_PERMISSION_CHANGE; } return $acl; } if ($this->level >= BEZ_AUTH_LEADER) { $acl['id'] = BEZ_PERMISSION_DELETE; $acl['content'] = BEZ_PERMISSION_CHANGE; } if ($task_comment->author === $this->model->user_nick) { $acl['content'] = BEZ_PERMISSION_CHANGE; $acl['id'] = BEZ_PERMISSION_DELETE; } return $acl; } // private function check_tasktype($tasktype) { // $acl = array( // 'id' => BEZ_PERMISSION_NONE, // 'pl' => BEZ_PERMISSION_NONE, // 'en' => BEZ_PERMISSION_NONE // ); // // if ($this->level >= BEZ_AUTH_USER) { // //user can display everythig // $acl = array_map(function($value) { // return BEZ_PERMISSION_VIEW; // }, $acl); // } // // if ($this->level >= BEZ_AUTH_ADMIN) { // //admin can edit everythig // $acl = array_map(function($value) { // return BEZ_PERMISSION_CHANGE; // }, $acl); // } // // return $acl; // } /*returns array */ public function check(Entity $obj) { $method = 'check_'.$obj->get_table_name(); if (!method_exists($this, $method)) { throw new \Exception('no acl rules set for table: '.$obj->get_table_name()); } return $this->$method($obj); } public function check_field(Entity $obj, $field) { $acl = $this->check($obj); if (isset($acl[$field])) { return $acl[$field]; } return BEZ_PERMISSION_UNKNOWN; } public function check_static($table) { $method = 'static_'.$table; if (!method_exists($this, $method)) { throw new \Exception('no acl rules set for table: '.$table); } return $this->$method($table); } public function check_static_field($table, $field) { $acl = $this->check_static($table); return $acl[$field]; } public function can(Entity $obj, $field, $what=BEZ_PERMISSION_CHANGE) { if ($this->check_field($obj, $field) < $what) { $table = $obj->get_table_name(); $id = $obj->id; throw new PermissionDeniedException('user cannot change field "'.$field.'" in table "'.$table.', rowid: "'.$id.'"'); } } }