<?php

/**
* Copyright Maarch since 2008 under license.
* See LICENSE.txt file at the root folder for more details.
* This file is part of Maarch software.
*
*/

/**
* @brief Privilege Controller
* @author dev@maarch.org
*/

namespace Group\controllers;

use SrcCore\models\ValidatorModel;
use User\models\UserGroupModel;
use Group\models\GroupPrivilegeModel;
use User\controllers\UserController;

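class PrivilegeController
{
    /**
     * Catalogue of every privilege the application knows about.
     *
     * 'type' separates administration-menu privileges ('admin', each carrying an
     * icon and a front-end route) from plain feature privileges ('simple').
     */
    public const PRIVILEGES = [
        ['id' => 'manage_users',                'type' => 'admin', 'icon' => 'person-sharp',  'route' => '/administration/users'],
        ['id' => 'manage_groups',               'type' => 'admin', 'icon' => 'people-sharp',  'route' => '/administration/groups'],
        ['id' => 'manage_connections',          'type' => 'admin', 'icon' => 'server-sharp',  'route' => '/administration/connections'],
        ['id' => 'manage_email_configuration',  'type' => 'admin', 'icon' => 'paper-plane',   'route' => '/administration/emailConfiguration'],
        ['id' => 'manage_password_rules',       'type' => 'admin', 'icon' => 'lock-closed',   'route' => '/administration/passwordRules'],
        ['id' => 'manage_history',              'type' => 'admin', 'icon' => 'timer-outline', 'route' => '/administration/history'],
        ['id' => 'manage_otp_connectors',       'type' => 'admin', 'icon' => 'people-circle-outline', 'route' => '/administration/otps'],
        ['id' => 'manage_customization',        'type' => 'admin', 'icon' => 'color-wand-outline',  'route' => '/administration/customization'],
        ['id' => 'manage_notifications',        'type' => 'admin', 'icon' => 'notifications', 'route' => '/administration/notifications'],
        ['id' => 'manage_documents',            'type' => 'simple'],
        ['id' => 'indexation',                  'type' => 'simple'],
    ];

    /**
     * Lists the privileges of a given type that a user holds through its groups.
     *
     * @param array $args ['userId' => int, 'type' => string]
     * @return array Entries of self::PRIVILEGES whose 'type' matches $args['type']
     *               and whose 'id' is granted to at least one of the user's groups;
     *               [] when the user belongs to no group or holds no privilege.
     */
    public static function getPrivilegesByUserId(array $args): array
    {
        ValidatorModel::notEmpty($args, ['userId', 'type']);
        ValidatorModel::intVal($args, ['userId']);
        ValidatorModel::stringType($args, ['type']);

        $groups = UserGroupModel::get(['select' => ['group_id'], 'where' => ['user_id = ?'], 'data' => [$args['userId']]]);
        $groupIds = array_column($groups, 'group_id');
        if (empty($groupIds)) {
            return [];
        }

        $rows = GroupPrivilegeModel::getPrivileges(['select' => ['privilege'], 'where' => ['group_id in (?)'], 'data' => [$groupIds]]);
        // Flip once so the membership test below is a hash lookup instead of an in_array() per entry.
        $granted = array_flip(array_column($rows, 'privilege'));
        if (empty($granted)) {
            return [];
        }

        return array_values(array_filter(
            self::PRIVILEGES,
            static fn (array $privilege): bool => $privilege['type'] === $args['type'] && isset($granted[$privilege['id']]),
        ));
    }

    /**
     * Tells whether a user holds a privilege through at least one of its groups.
     *
     * @param array $args ['userId' => int, 'privilege' => string]
     */
    public static function hasPrivilege(array $args): bool
    {
        ValidatorModel::notEmpty($args, ['userId', 'privilege']);
        ValidatorModel::intVal($args, ['userId']);
        ValidatorModel::stringType($args, ['privilege']);

        $groups = UserGroupModel::get(['select' => ['group_id'], 'where' => ['user_id = ?'], 'data' => [$args['userId']]]);
        $groupIds = array_column($groups, 'group_id');
        if (empty($groupIds)) {
            return false;
        }

        // A single "group_id in (?)" lookup replaces one query per group.
        $privilege = GroupPrivilegeModel::getPrivileges([
            'select' => [1],
            'where'  => ['group_id in (?)', 'privilege = ?'],
            'data'   => [$groupIds, $args['privilege']],
        ]);

        return !empty($privilege);
    }

    /**
     * Checks that a user may exercise a privilege with the given parameters.
     *
     * Only 'manage_users' carries an extra rule: the user may act only on groups it
     * is itself allowed to manage, unless it also holds 'manage_groups', in which
     * case any group is accepted. Every other privilege id is accepted as-is.
     *
     * NOTE(review): this method does not verify that the user actually holds
     * $args['privilegeId'] (except, indirectly, for 'manage_users'); that check
     * presumably lives in the caller — confirm. $args['groupId'] is validated but
     * not used here.
     *
     * @param array $args ['userId' => int, 'groupId' => int, 'privilegeId' => string,
     *                    'readOnly' => bool (optional),
     *                    'parameters' => ['authorized' => int[]] (optional)]
     */
    public static function hasRightByPrivilege(array $args): bool
    {
        ValidatorModel::notEmpty($args, ['userId', 'groupId', 'privilegeId']);
        ValidatorModel::intVal($args, ['userId', 'groupId']);
        ValidatorModel::stringType($args, ['privilegeId']);

        if ($args['privilegeId'] !== 'manage_users') {
            return true;
        }

        // A write on users must name the groups it targets; a read-only call needs no list.
        if (empty($args['readOnly']) && !isset($args['parameters']['authorized'])) {
            return false;
        }

        if (self::hasPrivilege(['userId' => $args['userId'], 'privilege' => 'manage_groups'])) {
            return true;
        }
        if (!self::hasPrivilege(['userId' => $args['userId'], 'privilege' => 'manage_users'])) {
            return false;
        }

        $candidateGroups = $args['parameters']['authorized'] ?? [];
        // Fail closed on a malformed list rather than let array_diff() throw a TypeError.
        if (!is_array($candidateGroups)) {
            return false;
        }
        $manageableGroups = array_column(UserController::getManageableGroups(['userId' => $args['userId']]), 'id');

        // Every targeted group must be one the user is allowed to manage.
        return empty(array_diff($candidateGroups, $manageableGroups));
    }
}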