From cdd50f6b55dfe70fc1b08061f6acae1d48636843 Mon Sep 17 00:00:00 2001 From: Christian Binder Date: Wed, 18 Nov 2009 07:42:14 +0000 Subject: [PATCH] new method check_perms for categories class --- phpgwapi/inc/class.categories.inc.php | 70 ++++++++++++++++++++++----- 1 file changed, 58 insertions(+), 12 deletions(-) diff --git a/phpgwapi/inc/class.categories.inc.php b/phpgwapi/inc/class.categories.inc.php index 7b6dcbcbd4..b3087ff8ec 100644 --- a/phpgwapi/inc/class.categories.inc.php +++ b/phpgwapi/inc/class.categories.inc.php @@ -133,7 +133,7 @@ class categories * @param string $query='' query-pattern * @param string $sort='ASC' sort order, defaults to 'ASC' * @param string $order='' order by, default cat_main, cat_level, cat_name ASC - * @param boolean $globals includes the global egroupware categories or not + * @param boolean $globals include the global egroupware categories or not * @param array|int $parent_id=null return only subcats of $parent_id(s) * @param int $lastmod = -1 if > 0 return only cats modified since then * @param string $column='' if column-name given only that column is returned, not the full array with all cat-data @@ -143,12 +143,6 @@ class categories function return_array($type='all', $start=0, $limit=true, $query='', $sort='ASC',$order='',$globals=false, $parent_id=null, $lastmod=-1, $column='', $filter=null) { //error_log(__METHOD__."($type,$start,$limit,$query,$sort,$order,globals=$globals,parent=".array2string($parent_id).",$lastmod,$column) account_id=$this->account_id, appname=$this->app_name: ".function_backtrace()); - - // load the grants - if ($this->account_id != -1 && is_null($this->grants)) - { - $this->grants = $GLOBALS['egw']->acl->get_grants($this->app_name); - } $cats = array(); foreach(self::$cache as $cat_id => $cat) { @@ -194,13 +188,18 @@ class categories // check if certain parent required if ($parent_id && !in_array($cat['parent'],(array)$parent_id)) continue; - // apply standard acl / grants: return only application global cats (if $globals) or - if (!($globals && $cat['appname'] == 'phpgw' || - $cat['appname'] == $this->app_name && ($cat['owner'] == -1 || $cat['owner'] == $this->account_id || - $this->account_id != -1 && $cat['access'] == 'public' && $this->grants && isset($this->grants[$cat['owner']])))) + // return global categories just if $globals is set + if (!$globals && $cat['appname'] == 'phpgw') { continue; } + + // check for read permission + if(!$this->check_perms(EGW_ACL_READ, $cat)) + { + continue; + } + // check if we have the correct type switch ($type) { @@ -491,6 +490,53 @@ class categories return $id; } + + /** + * Checks if the current user has the necessary ACL rights + * + * If the access of a category is set to private, one needs a private grant for the application + * + * @param int $needed necessary ACL right: EGW_ACL_{READ|EDIT|DELETE} + * @param mixed $category category as array or the category_id + * @return boolean true permission granted, false for permission denied, null for category does not exist + */ + public function check_perms($needed,$category) + { + if (!is_array($category) && !($category = self::$cache[$category])) + { + return null; + } + + // The user for the global cats has id -1, this one has full access to all global cats + if ($this->account_id == -1 && ($category['appname'] == 'phpgw' + || $category['appname'] == $this->app_name && $category['owner'] == -1)) + { + return true; + } + + // Read access to global categories + if ($needed == EGW_ACL_READ && ($category['appname'] == 'phpgw' + || $category['appname'] == $this->app_name && $category['owner'] == -1)) + { + return true; + } + + // Full access to own categories + if ($category['appname'] == $this->app_name && $category['owner'] == $this->account_id) + { + return true; + } + + // Load the application grants + if ($category['appname'] == $this->app_name && is_null($this->grants)) + { + $this->grants = $GLOBALS['egw']->acl->get_grants($this->app_name); + } + + // Check for ACL granted access, the -1 user must not get access by ACL to keep old behaviour + return ($this->account_id != -1 && $category['appname'] == $this->app_name && ($this->grants[$category['owner']] & $needed) && + ($category['access'] == 'public' || ($this->grants[$category['owner']] & EGW_ACL_PRIVATE))); + } /** * delete a category @@ -664,7 +710,7 @@ class categories * We use a shared cache together with return_single * * @param int $cat_id=0 cat-id - * @param string $item='name requested information, 'path' = / delimited path of category names (incl. parents) + * @param string $item='name' requested information, 'path' = / delimited path of category names (incl. parents) * @return string information or '--' if not found or !$cat_id */ static function id2name($cat_id=0, $item='name')