Zurmo: /home/apizurmo/zurmo/app/protected/modules/zurmo/utils/security/FormLayoutSecurityUtil.php Source File

00001 <?php
00002     /*********************************************************************************
00003      * Zurmo is a customer relationship management program developed by
00004      * Zurmo, Inc. Copyright (C) 2017 Zurmo Inc.
00005      *
00006      * Zurmo is free software; you can redistribute it and/or modify it under
00007      * the terms of the GNU Affero General Public License version 3 as published by the
00008      * Free Software Foundation with the addition of the following permission added
00009      * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
00010      * IN WHICH THE COPYRIGHT IS OWNED BY ZURMO, ZURMO DISCLAIMS THE WARRANTY
00011      * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
00012      *
00013      * Zurmo is distributed in the hope that it will be useful, but WITHOUT
00014      * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
00015      * FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
00016      * details.
00017      *
00018      * You should have received a copy of the GNU Affero General Public License along with
00019      * this program; if not, see http://www.gnu.org/licenses or write to the Free
00020      * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
00021      * 02110-1301 USA.
00022      *
00023      * You can contact Zurmo, Inc. with a mailing address at 27 North Wacker Drive
00024      * Suite 370 Chicago, IL 60606. or at email address contact@zurmo.com.
00025      *
00026      * The interactive user interfaces in original and modified versions
00027      * of this program must display Appropriate Legal Notices, as required under
00028      * Section 5 of the GNU Affero General Public License version 3.
00029      *
00030      * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
00031      * these Appropriate Legal Notices must retain the display of the Zurmo
00032      * logo and Zurmo copyright notice. If the display of the logo is not reasonably
00033      * feasible for technical reasons, the Appropriate Legal Notices must display the words
00034      * "Copyright Zurmo Inc. 2017. All rights reserved".
00035      ********************************************************************************/
00036 
00040     class FormLayoutSecurityUtil
00041     {
00042         //TODO: change this functions once field level security is available.
00050         public static function resolveElementForEditableRender($model, & $elementInformation, $user)
00051         {
00052             assert('$model instanceof RedBeanModel || $model instanceof CModel');
00053             assert('is_array($elementInformation)');
00054             assert('$user instanceof User && $user->id > 0');
00055             $elementclassname = $elementInformation['type'] . 'Element';
00056             $attributeName    = $elementInformation['attributeName'];
00057             if (is_subclass_of($elementclassname, 'ModelElement'))
00058             {
00059                 $editableActionType = $elementclassname::getEditableActionType();
00060                 if (!ActionSecurityUtil::canUserPerformAction(
00061                     $editableActionType, $model->$attributeName, $user))
00062                 {
00063                     $elementInformation['attributeName'] = null;
00064                     $elementInformation['type']          = 'Null'; // Not Coding Standard
00065                     //TODO: potentially throw misconfiguration exception if field is required
00066                     //instead of just setting a null element.
00067                 }
00068                 //If there is already an existing model, but the user cannot view it, then this should be disabled
00069                 //otherwise the user can accidentially wipe this out since it will appear in the UI as if it is not
00070                 //populated.
00071                 elseif ($editableActionType == 'ModalList' &&
00072                        $model->{$attributeName} != null &&
00073                        $model->{$attributeName} instanceof RedBeanModel &
00074                        $model->{$attributeName}->id > 0 &&
00075                        !ActionSecurityUtil::canUserPerformAction('Details', $model->{$attributeName}, $user))
00076                 {
00077                     $elementInformation['attributeName'] = null;
00078                     $elementInformation['type']          = 'Null'; // Not Coding Standard
00079                 }
00080             }
00081             if (is_subclass_of($elementclassname, 'ModelsElement'))
00082             {
00083                 $actionType = $elementclassname::getEditableActionType();
00084                 if ($actionType != null)
00085                 {
00086                     $actionSecurity = ActionSecurityFactory::createRightsOnlyActionSecurityFromActionType($actionType, $user);
00087                     if (!$actionSecurity->canUserPerformAction())
00088                     {
00089                         $elementInformation['attributeName'] = null;
00090                         $elementInformation['type']          = 'Null'; // Not Coding Standard
00091                         //TODO: potentially throw misconfiguration exception if field is required
00092                         //instead of just setting a null element.
00093                     }
00094                 }
00095             }
00096         }
00097 
00098         //TODO: change this functions once field level security is available.
00106         public static function resolveElementForNonEditableRender($model, & $elementInformation, $user)
00107         {
00108             assert('$model instanceof RedBeanModel || $model instanceof CModel');
00109             assert('is_array($elementInformation)');
00110             assert('$user instanceof User && $user->id > 0');
00111             $elementclassname = $elementInformation['type'] . 'Element';
00112             $attributeName    = $elementInformation['attributeName'];
00113             if (is_subclass_of($elementclassname, 'ModelElement'))
00114             {
00115                 $moduleId = $elementclassname::getModuleId();
00116                 $moduleClassName = get_class(Yii::app()->getModule($moduleId));
00117                 assert('is_string($moduleClassName)');
00118                 $userCanAccess   = RightsUtil::canUserAccessModule($moduleClassName, $user);
00119                 $userCanReadItem = ActionSecurityUtil::canUserPerformAction(
00120                     $elementclassname::getNonEditableActionType(), $model->$attributeName, $user);
00121                 if ($userCanAccess && $userCanReadItem)
00122                 {
00123                     return;
00124                 }
00125                 elseif (!$userCanAccess && $userCanReadItem)
00126                 {
00127                     if ($model->$attributeName->id < 0)
00128                     {
00129                         $elementInformation['attributeName'] = null;
00130                         $elementInformation['type']          = 'Null'; // Not Coding Standard
00131                     }
00132                     else
00133                     {
00134                         $elementInformation['noLink'] = true;
00135                     }
00136                 }
00137                 else
00138                 {
00139                     $elementInformation['attributeName'] = null;
00140                     $elementInformation['type']          = 'Null'; // Not Coding Standard
00141                 }
00142             }
00143             elseif (is_subclass_of($elementclassname, 'ExplicitReadWriteModelPermissionsElement'))
00144             {
00145                 if (ActionSecurityUtil::canUserPerformAction('Edit', $model, $user))
00146                 {
00147                     return;
00148                 }
00149                 else
00150                 {
00151                     $elementInformation['type'] = 'Null'; // Not Coding Standard
00152                 }
00153             }
00154         }
00155     }
00156 ?>