diff --git a/filemanager/index.php b/filemanager/index.php index 882afb6138..fedeac13b3 100755 --- a/filemanager/index.php +++ b/filemanager/index.php @@ -179,22 +179,35 @@ if ($phpwh_debug) } ### -# Get their memberships to be used throughout the script +# Get their readable groups to be used throughout the script ### -$memberships = $GLOBALS['phpgw']->accounts->membership ($GLOBALS['userinfo']['username']); +$groups = array (); -if (!is_array ($memberships)) +$groups = $GLOBALS['phpgw']->accounts->get_list ('groups'); + +$readable_groups = array (); + +while (list ($num, $account) = each ($groups)) { - $memberships = array (); + if ($GLOBALS['phpgw']->vfs->acl_check (array ( + 'owner_id' => $account['account_id'], + 'operation' => PHPGW_ACL_READ + )) + ) + { + $readable_groups[$account['account_lid']] = Array('account_id' => $account['account_id'], 'account_name' => $account['account_lid']); + } } -while (list ($num, $group_array) = each ($memberships)) -{ - $membership_id = $GLOBALS['phpgw']->accounts->name2id ($group_array['account_name']); +$groups_applications = array (); - $group_applications = CreateObject('phpgwapi.applications', $membership_id); - $membership_applications[$group_array['account_name']] = $group_applications->read_account_specific (); +while (list ($num, $group_array) = each ($readable_groups)) +{ + $group_id = $GLOBALS['phpgw']->accounts->name2id ($group_array['account_name']); + + $applications = CreateObject('phpgwapi.applications', $group_id); + $groups_applications[$group_array['account_name']] = $applications->read_account_specific (); } ### @@ -277,6 +290,20 @@ if ($update || rand (0, 19) == 4) $GLOBALS['phpgw']->vfs->update_real (array ('string' => $path, 'relatives' => array (RELATIVE_NONE))); } +### +# Check available permissions for $path, so we can disable unusable operations in user interface +### + +if ($GLOBALS['phpgw']->vfs->acl_check (array ( + 'string' => $path, + 'relatives' => array (RELATIVE_NONE), + 'operation' => PHPGW_ACL_ADD + )) +) +{ + $can_add = True; +} + ### # Default is to sort by name ### @@ -325,14 +352,14 @@ if ($path == $GLOBALS['fakebase']) // $files_array = $ls_array; // $numoffiles = count($ls_array); - reset ($memberships); - while (list ($num, $group_array) = each ($memberships)) + reset ($readable_groups); + while (list ($num, $group_array) = each ($readable_groups)) { ### # If the group doesn't have access to this app, we don't show it ### - if (!$membership_applications[$group_array['account_name']][$GLOBALS['appname']]['enabled']) + if (!$groups_applications[$group_array['account_name']][$GLOBALS['appname']]['enabled']) { continue; } @@ -1044,7 +1071,6 @@ if (!$op && !$delete && !$createdir && !$renamefiles && !$move && !$copy && !$ed { html_form_input ('submit', 'copy', lang('Copy to:')); html_help_link ('copy_to'); - html_form_input ('submit', 'move', lang('Move to:')); html_help_link ('move_to'); } @@ -1075,17 +1101,17 @@ if (!$op && !$delete && !$createdir && !$renamefiles && !$move && !$copy && !$ed ### - # Then we get the directories in their membership's home directories + # Then we get the directories in their readable groups' home directories ### - reset ($memberships); - while (list ($num, $group_array) = each ($memberships)) + reset ($readable_groups); + while (list ($num, $group_array) = each ($readable_groups)) { ### # Don't list directories for groups that don't have access ### - if (!$membership_applications[$group_array['account_name']][$GLOBALS['appname']]['enabled']) + if (!$groups_applications[$group_array['account_name']][$GLOBALS['appname']]['enabled']) { continue; } @@ -1148,16 +1174,19 @@ if (!$op && !$delete && !$createdir && !$renamefiles && !$move && !$copy && !$ed html_help_link ('download'); html_nbsp (3); - html_form_input ('text', 'createdir', NULL, 255, 15); - html_form_input ('submit', 'newdir', lang('Create Folder')); - html_help_link ('create_folder'); + if ($can_add) + { + html_form_input ('text', 'createdir', NULL, 255, 15); + html_form_input ('submit', 'newdir', lang('Create Folder')); + html_help_link ('create_folder'); + } } html_break (1); html_form_input ('submit', 'update', lang('Update')); html_help_link ('update'); - if ($path != '/' && $path != $GLOBALS['fakebase']) + if ($path != '/' && $path != $GLOBALS['fakebase'] && $can_add) { html_nbsp (3); html_form_input ('text', 'createfile', NULL, 255, 15); @@ -1210,7 +1239,7 @@ if (!$op && !$delete && !$createdir && !$renamefiles && !$move && !$copy && !$ed # Show file upload boxes. Note the last argument to html (). Repeats $show_upload_boxes times ### - if ($path != '/' && $path != $GLOBALS['fakebase']) + if ($path != '/' && $path != $GLOBALS['fakebase'] && $can_add) { html_break (2); html_form_begin ($GLOBALS['appname'].'/index.php?op=upload&path='.$path, 'post', 'multipart/form-data'); diff --git a/phpgwapi/inc/class.vfs_sql.inc.php b/phpgwapi/inc/class.vfs_sql.inc.php index 26a01e3d54..fbebf2f124 100644 --- a/phpgwapi/inc/class.vfs_sql.inc.php +++ b/phpgwapi/inc/class.vfs_sql.inc.php @@ -149,7 +149,7 @@ } else { - $query = $GLOBALS['phpgw']->db->query ("SELECT directory, name, link_directory, link_name FROM phpgw_vfs WHERE (link_directory IS NOT NULL or link_directory != '') AND (lilnk_name IS NOT NULL or link_name != '')" . $this->extra_sql (array ('query_type' => VFS_SQL_SELECT)), __LINE__,__FILE__); + $query = $GLOBALS['phpgw']->db->query ("SELECT directory, name, link_directory, link_name FROM phpgw_vfs WHERE (link_directory IS NOT NULL or link_directory != '') AND (link_name IS NOT NULL or link_name != '')" . $this->extra_sql (array ('query_type' => VFS_SQL_SELECT)), __LINE__,__FILE__); } @@ -1067,8 +1067,12 @@ /*! @function acl_check @abstract Check ACL access to $file for $GLOBALS['phpgw_info']["user"]["account_id"]; + @discussion To check the access for a file or directory, pass 'string'/'relatives'/'must_exist'. + To check the access to another user or group, pass 'owner_id'. + If 'owner_id' is present, we bypass checks on 'string'/'relatives'/'must_exist' @param string File to check access of @param relatives Standard relativity array + @param owner_id Owner id to check access of (see discussion above) @param operation Operation to check access to. In the form of a PHPGW_ACL defines bitmask. Default is read @param must_exist Boolean. Set to True if 'string' must exist. Otherwise, we check the parent directory as well @result Boolean. True if access is ok, False otherwise @@ -1095,87 +1099,97 @@ return True; } - $p = $this->path_parts (array( - 'string' => $data['string'], - 'relatives' => array ($data['relatives'][0]) - ) - ); - - /* Temporary, until we get symlink type files set up */ - if ($p->outside) + if (!$data['owner_id']) { - return True; - } - - /* If the file doesn't exist, we get ownership from the parent directory */ - if (!$this->file_exists (array( - 'string' => $p->fake_full_path, - 'relatives' => array ($p->mask) - )) - ) - { - if ($data['must_exist']) - { - return False; - } - - $data['string'] = $p->fake_leading_dirs; - $p2 = $this->path_parts (array( + $p = $this->path_parts (array( 'string' => $data['string'], - 'relatives' => array ($p->mask) + 'relatives' => array ($data['relatives'][0]) ) ); + /* Temporary, until we get symlink type files set up */ + if ($p->outside) + { + return True; + } + + /* Read access is always allowed here, but nothing else is */ + if ($data['string'] == '/' || $data['string'] == $this->fakebase) + { + if ($data['operation'] == PHPGW_ACL_READ) + { + return True; + } + else + { + return False; + } + } + + /* If the file doesn't exist, we get ownership from the parent directory */ if (!$this->file_exists (array( - 'string' => $data['string'], + 'string' => $p->fake_full_path, 'relatives' => array ($p->mask) )) ) { - return False; - } - } - else - { - $p2 = $p; - } + if ($data['must_exist']) + { + return False; + } - /* Read access is always allowed here, but nothing else is */ - if ($data['string'] == '/' || $data['string'] == $this->fakebase) - { - if ($data['operation'] == PHPGW_ACL_READ) - { - return True; + $data['string'] = $p->fake_leading_dirs; + $p2 = $this->path_parts (array( + 'string' => $data['string'], + 'relatives' => array ($p->mask) + ) + ); + + if (!$this->file_exists (array( + 'string' => $data['string'], + 'relatives' => array ($p->mask) + )) + ) + { + return False; + } } else { - return False; + $p2 = $p; } + + /* + We don't use ls () to get owner_id as we normally would, + because ls () calls acl_check (), which would create an infinite loop + */ + $query = $GLOBALS['phpgw']->db->query ("SELECT owner_id FROM phpgw_vfs WHERE directory='".$p2->fake_leading_dirs_clean."' AND name='".$p2->fake_name_clean."'" . $this->extra_sql (array ('query_type' => VFS_SQL_SELECT)), __LINE__, __FILE__); + $GLOBALS['phpgw']->db->next_record (); + + $owner_id = $GLOBALS['phpgw']->db->Record['owner_id']; + } + else + { + $owner_id = $data['owner_id']; } - /* - We don't use ls () to get owner_id as we normally would, - because ls () calls acl_check (), which would create an infinite loop - */ - $query = $GLOBALS['phpgw']->db->query ("SELECT owner_id FROM phpgw_vfs WHERE directory='".$p2->fake_leading_dirs_clean."' AND name='".$p2->fake_name_clean."'" . $this->extra_sql (array ('query_type' => VFS_SQL_SELECT)), __LINE__, __FILE__); - $GLOBALS['phpgw']->db->next_record (); - $group_id = $GLOBALS['phpgw']->db->Record['owner_id']; + $user_id = $GLOBALS['phpgw_info']['user']['account_id']; /* They always have access to their own files */ - if ($group_id == $GLOBALS['phpgw_info']['user']['account_id']) + if ($owner_id == $user_id) { return True; } - /* Check if they're in the group. If so, they have access */ - $memberships = $GLOBALS['phpgw']->accounts->membership ($GLOBALS['phpgw_info']['user']['account_id']); + /* Check if they're in the group */ + $memberships = $GLOBALS['phpgw']->accounts->membership ($user_id); if (is_array ($memberships)) { - @reset ($memberships); - while (list ($num, $group_array) = @each ($memberships)) + reset ($memberships); + while (list ($num, $group_array) = each ($memberships)) { - if ($group_id == $GLOBALS['phpgw']->accounts->name2id ($group_array['account_name'])) + if ($owner_id == $group_array['account_id']) { $group_ok = 1; break; @@ -1183,26 +1197,38 @@ } } - if (!$group_id) + $acl = CreateObject ('phpgwapi.acl', $owner_id); + $acl->account_id = $owner_id; + $acl->read_repository (); + + $rights = $acl->get_rights ($user_id); + + /* Add privileges from the groups this user belongs to */ + if (is_array ($memberships)) { - if (!$group_id = $this->account_id) + reset ($memberships); + while (list ($num, $group_array) = each ($memberships)) { - $group_id = 0; + $rights |= $acl->get_rights ($group_array['account_id']); } } - $acl = CreateObject ('phpgwapi.acl', $group_id); - $acl->account_id = $group_id; - $acl->read_repository (); - - $rights = $acl->get_rights ($account_id); if ($rights & $data['operation']) { return True; } elseif (!$rights && $group_ok) { - return True; + $conf = CreateObject('phpgwapi.config', 'phpgwapi'); + $conf->read_repository(); + if ($conf->config_data['acl_default'] == 'grant') + { + return True; + } + else + { + return False; + } } else { @@ -3343,7 +3369,7 @@ return $data; } - /* This fetchs all available file system information for $string (not using the database) */ + /* This fetchs all available file system information for string (not using the database) */ function get_real_info ($data) { if (!is_array ($data))