*
* This file is part of Maarch Framework.
*
* Maarch Framework is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Maarch Framework is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with Maarch Framework. If not, see <http://www.gnu.org/licenses/>.
*/
/**
* @brief Contains the controller of the Security object (security_controler)
*
*
* @file
* @author Claire Figueras <dev@maarch.org>
* @date $date$
* @version $Revision$
* @ingroup core
*/
// Loads the required class
require_once 'core/core_tables.php';
require_once 'core/class/class_db.php';
require_once 'core/class/users_controler.php';
require_once 'core/class/session_security_controler.php';
require_once 'core/class/Security.php';
// Name of the classification-scheme view used by the security layer. An
// earlier include may already have defined it; that definition wins.
defined('_CLASSIFICATION_SCHEME_VIEW')
    || define('_CLASSIFICATION_SCHEME_VIEW', 'mr_classification_scheme_view');
functions::xecho($e->getMessage()) . ' // ';
* @brief Controller of the Security object
*
*<ul>
* <li>Get a security object from an id</li>
* <li>Save a security object in the database</li>
* <li>Manage the operations on the security table in the database</li>
/**
* Returns an Security Object based on a security identifier
*
* @return Security object with properties from the database or null
*/
{
return null;
$query = "select * from " . SECURITY_TABLE . " where security_id = ?";
$stmt = $db->query($query, array($securityId));
if ($stmt->rowCount() > 0) {
}
return $access;
return null;
}
}
/**
* Returns all security object for a given usergroup
*
* @return Array of security objects or null
*/
{
return null;
$db = new Database();
$query = "select * from " . SECURITY_TABLE . " where group_id = ?";
$stmt = $db->query($query, array($groupId));
$security = array();
if ($stmt->rowCount() > 0) {
while ($queryResult = $stmt->fetchObject()) {
$access = new SecurityObj();
foreach ($queryResult as $key => $value) {
}
array_push($security, $access);
}
}
return $security;
}
/**
 * Saves in the database a security object
 *
 * Dispatches on $mode: "up" hands the object to _update(), "add" (the
 * default) hands it to _insert(); any other mode writes nothing and
 * returns false.
 *
 * @param $security Security object to be saved
 * @param $mode string Saving mode : add or up (add by default)
 * @return bool true if the save is complete, false otherwise
 */
public function save($security, $mode="add")
{
    // NOTE(review): as shown, this bare "return false;" makes the rest of
    // the method unreachable. It reads like the body of a guard (e.g. an
    // "if (! isset($security))" test) whose surrounding lines did not
    // survive the page rendering; confirm against the repository before
    // touching it.
    return false;
    // Loose comparison: fine for the two string modes, but note that on
    // PHP < 8 a non-string $mode such as integer 0 compares equal to "up".
    if ($mode == "up") {
        return $this->_update($security);
    } else if ($mode == "add") {
        return $this->_insert($security);
    }
    // Unknown mode: nothing is written.
    return false;
}
/**
* Inserts in the database (security table) a Security object
*
* @param $security Security object
*/
{
return false;
$query = "insert into " . SECURITY_TABLE . " (" . $prepQuery['COLUMNS']
. ") values (" . $prepQuery['VALUES'] . ")";
$stmt = $db->query($query, $prepQuery['ARRAY_VALUES']);
$ok = true;
return $ok;
}
/**
* Updates a security in the database (security table) with a Security object
*
* @param $security Security object
*/
{
return false;
$db = new Database();
$prep_query = $this->_updatePrepare($security);
. $prep_query['QUERY'] . " where security_id=?";
$prep_query['VALUES'][] = $security->security_id;
$stmt = self::$db->query($query, $prep_query['VALUES']);
$ok = true;
return $ok;
}
/**
* Deletes in the database (security table) a given security
*
* @return bool true if the deletion is complete, false otherwise
*/
{
return false;
$db = new Database();
$query = "delete from " . SECURITY_TABLE . " where security_id=?";
$db->query($query, array($securityId));
$ok = true;
return $ok;
}
/**
* Deletes in the database (security table) all security of a given usergroup
*
* @return bool true if the deletion is complete, false otherwise
*/
{
return false;
$db = new Database();
$query = "delete from " . SECURITY_TABLE . " where group_id=?";
$db->query($query, array($groupId));
$ok = true;
return $ok;
}
/**
*
* @param $security Security object
* @return String containing the fields and the values
*/
{
foreach ($security->getArray() as $key => $value) {
// For now all fields in the usergroups table are strings or date
// excepts the security_id
if (! empty($value)) {
if ($key <> 'security_id') {
}
}
return array(
'QUERY' => implode(",",$result),
'VALUES' => $arrayValues,
);
}
/**
*
* @param $security Security object
* @return Array containing the fields and the values
*/
{
foreach ($security->getArray() as $key => $value) {
// For now all fields in the security table are strings
// or date excepts the security_id
if (! empty($value)) {
if ($key <> 'security_id') {
$columns[] = $key;
}
}
}
'COLUMNS' => implode(",", $columns),
'VALUES' => implode(",", $values),
}
public function check_where_clause($collId, $whereClause,
{
$res = array(
'RESULT' => false,
if (empty($collId) || empty($whereClause)) {
$res['TXT'] = _ERROR_PARAMETERS_FUNCTION;
return $res;
}
$where = str_replace('\\', '', $where);
$where = $this->process_security_where_clause($where, $userId);
if (str_replace(' ', '', $where) == '') {
$where = '';
}
$where = str_replace('where', ' ', $where);
$query = 'select res_id from ' . $view . ' where ' . $where;
$res['TXT'] = _SYNTAX_ERROR_WHERE_CLAUSE;
return $res;
$res['TXT'] = _SYNTAX_OK;
$res['RESULT'] = true;
}
return $res;
}
/**
 * Process a where clause, using the process_where_clause methods of the
 * modules, the core and the apps
 *
 * The clause is passed, in order, through each loaded module's
 * process_where_clause() hook and then the application's hook, and the
 * result is returned (prefixed with " where " unless $addWhere is false).
 *
 * Security: callers concatenate the returned string verbatim into SQL
 * (see check_where_clause() and the session security loader). Nothing in
 * this method escapes or parameterises anything, so $whereClause must only
 * ever originate from administrator-managed configuration (the security
 * table), never from request input. isUnsecureRequest() is a keyword
 * denylist, not an injection defence, and does not change that.
 *
 * @param $whereClause string Where clause to process
 * @param $userId string User identifier
 * @param $addWhere bool Prefix the result with " where " (true by default)
 * @return string Proper where clause
 */
public function process_security_where_clause($whereClause, $userId, $addWhere = true)
{
    // As rendered this replacement is a no-op ("'" -> "'"); it looks like
    // an HTML-entity decode (e.g. &#039;) flattened by the page rendering.
    // NOTE(review): confirm the original literal against the repository.
    $whereClause = str_replace("'", "'", $whereClause);
    if ($addWhere) {
        $where = ' where ' . $whereClause;
    } else {
        $where = $whereClause;
    }
    // Process with the core vars
    // NOTE(review): the call this comment announces is not visible here.
    // Process with the modules vars
    // NOTE(review): $key is used below but no loop header is visible; this
    // reads as the body of a foreach over $_SESSION['modules_loaded'] whose
    // opening line (and probably an enclosing try block) did not survive
    // rendering. Confirm against the repository.
    // A per-customer override of the module tools class, under
    // <corepath>/custom/<custom_override_id>/modules/..., takes precedence
    // over the default one shipped under modules/.
    if (file_exists(
        $_SESSION['config']['corepath'] . 'custom'
        . DIRECTORY_SEPARATOR . $_SESSION['custom_override_id']
        . DIRECTORY_SEPARATOR . 'modules' . DIRECTORY_SEPARATOR
        . $_SESSION['modules_loaded'][$key]['name'] . DIRECTORY_SEPARATOR . "class"
        . DIRECTORY_SEPARATOR . "class_modules_tools.php"
    )
    ) {
        $pathModuleTools = $_SESSION['config']['corepath'] . 'custom'
        . DIRECTORY_SEPARATOR . $_SESSION['custom_override_id']
        . DIRECTORY_SEPARATOR . 'modules' . DIRECTORY_SEPARATOR
        . $_SESSION['modules_loaded'][$key]['name'] . DIRECTORY_SEPARATOR . "class"
        . DIRECTORY_SEPARATOR . "class_modules_tools.php";
    } else {
        $pathModuleTools = 'modules' . DIRECTORY_SEPARATOR
        . $_SESSION['modules_loaded'][$key]['name'] . DIRECTORY_SEPARATOR . "class"
        . DIRECTORY_SEPARATOR . "class_modules_tools.php";
    }
    // The tools file is required and the class instantiated by name, both
    // taken from $_SESSION. Session state is server-side, but anything able
    // to write 'corepath', 'custom_override_id' or 'modules_loaded' into the
    // session effectively chooses which file is included and which class is
    // constructed. NOTE(review): confirm those keys are only ever populated
    // from server configuration, never from request data.
    if (file_exists($pathModuleTools)) {
        require_once($pathModuleTools);
        if (class_exists($key)) {
            $object = new $key;
            if (method_exists(
                $object, 'process_where_clause'
            ) == true
            ) {
                // The hook's return value replaces the clause built so far.
                $where = $object->process_where_clause(
                    $where, $userId
                );
            }
        }
    }
    // NOTE(review): closes the loop whose header is not visible above.
    }
    // Hooks may remove items from lists in the clause; collapse the empty
    // slots they leave behind (", ,", "( ,", ", )") so the SQL stays
    // parseable.
    $where = preg_replace('/, ,/', ',', $where);
    $where = preg_replace('/\( ?,/', '(', $where);
    $where = preg_replace('/, ?\)/', ')', $where);
    // Process with the apps vars
    // Same include-by-session-value caveat as above, here for 'app_id'.
    require_once 'apps' . DIRECTORY_SEPARATOR
    . $_SESSION['config']['app_id'] . DIRECTORY_SEPARATOR . 'class'
    . DIRECTORY_SEPARATOR . 'class_business_app_tools.php';
    $object = new business_app_tools();
    if (method_exists($object, 'process_where_clause')) {
        $where = $object->process_where_clause($where, $userId);
    }
    return $where;
    // NOTE(review): unreachable as shown. It looks like the tail of a catch
    // block (the stray functions::xecho($e->getMessage()) near the top of
    // this page is probably its displaced first statement); the two closing
    // braces below would then close the catch and the method.
    return '';
}
}
/**
* Process a where clause with the core specific vars
*
* @param $whereClause string Where clause to process
* @param $userId string User identifier
* @return string Proper where clause
*/
{
"@user", "'" . trim($userId) . "'", $whereClause
}
$db = new Database();
$query = "select mail from " . USERS_TABLE . " where user_id = ?";
$stmt = $db->query($query, array($userId));
$userObj = $stmt->fetchObject();
if (preg_match('/@email/', $whereClause)) {
$whereClause = str_replace(
"@email", "'" . trim($userObj->mail) . "'", $whereClause
);
}
return $whereClause;
}
/**
* Loads into session, the security parameters corresponding to the user
* groups.
*
*/
{
$tab['collections'] = array();
$tab['security'] = array();
$func = new functions();
if ($userId == "superadmin") {
for ($i = 0; $i < count($_SESSION['collections']); $i ++) {
$tab['security'][$_SESSION['collections'][$i]['id']] = array();
$tab['security'][$_SESSION['collections'][$i]['id']]['DOC'] = array(
'table' => $_SESSION['collections'][$i]['table'],
'label_coll' => $_SESSION['collections'][$i]['label'],
'view' => $_SESSION['collections'][$i]['view'],
'where' => " (1=1) ",
);
array_push(
$tab['collections'], $_SESSION['collections'][$i]['id']
);
}
$uc = new users_controler();
$access = array();
for ($i = 0; $i < count($groups); $i ++) {
$tmp = $this->getAccessForGroup($groups[$i]['GROUP_ID']);
for ($j = 0; $j < count($tmp);$j ++) {
array_push($access, $tmp[$j]);
}
}
// TO DO : vérifier les dates
$collId = $access[$i]->__get('coll_id');
$whereClause = $access[$i]->__get('where_clause');
$whereClause = $this->process_security_where_clause(
$whereClause, $userId
);
$whereClause = str_replace('where', '', $whereClause);
$where = "-1";
}
if (! in_array($collId, $tab['collections'])) {
$tab['security'][$collId] = array();
$tab['security'][$collId]['DOC'] = array(
'table' => $_SESSION['collections'][$ind]['table'],
'label_coll' => $_SESSION['collections'][$ind]['label'],
'view' => $_SESSION['collections'][$ind]['view'],
'where' => $where,
);
if (isset($tab['security'][$collId]['DOC'])
&& count($tab['security'][$collId]['DOC']) > 0
$tab['security'][ $collId]['DOC']['where'] .= " or "
$tab['security'][$collId]['DOC'] = array(
'table' => $_SESSION['collections'][$ind]['table'],
'label_coll' => $_SESSION['collections'][$ind]['label'],
'view' => $_SESSION['collections'][$ind]['view'],
'where' => $where,
}
}
}
}
return $tab;
}
/**
* Gets the indice of the collection in the $_SESSION['collections'] array
*
* @param $collId string Collection identifier
* @return integer Indice of the collection in the $_SESSION['collections']
*/
{
for ($i = 0; $i < count($_SESSION['collections']); $i ++) {
if (trim($_SESSION['collections'][$i]['id']) == trim($collId)) {
return $i;
}
}
return -1;
}
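/**
 * Heuristically checks whether a security where clause contains SQL
 * keywords that modify data or schema.
 *
 * The clause is later concatenated into a SELECT (see check_where_clause()),
 * so this is a keyword denylist meant to catch obvious mistakes in an
 * administrator-authored clause. It is NOT an injection defence: it knows
 * nothing about comments, string literals, subselects, functions or dialect
 * extensions, and it must never be the only control on request-supplied
 * text.
 *
 * @param $whereClause string The where clause to check
 * @return bool true if a forbidden keyword was found (the request is not
 *              secure), false otherwise
 */
public function isUnsecureRequest($whereClause)
{
    // As rendered this replacement is a no-op ("'" -> "'"); it looks like
    // an HTML-entity decode (e.g. &#039;) flattened by the page rendering.
    // NOTE(review): confirm the original literal against the repository.
    $whereClause = str_replace("'", "'", $whereClause);
    // Whole-word, case-insensitive match on statement keywords that have no
    // business inside a filtering where clause. The list is kept verbatim:
    // "disgard" may have been meant as PostgreSQL's DISCARD, but changing it
    // changes which clauses are rejected — confirm before editing.
    $search1 = '#\b(?:abort|alter|copy|create|delete|disgard|drop|'
        . 'execute|grant|insert|load|lock|move|reset|truncate|update)\b#i';
    // preg_match() reports only the first match, so $out[0] was always a
    // string; the former count($out[0]) raises a TypeError on PHP 8 (and
    // returned a warning-laden 1 on 7.2+). A match — return value 1 — is the
    // whole verdict. On a PCRE error preg_match() returns false, which maps
    // to "not flagged", exactly as the original's unset $out did.
    return preg_match($search1, $whereClause) === 1;
}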