
* Project:
* Contenido Content Management System
* Description:
* Defines the "rights" related functions
* Requirements:
* @con_php_req 5.0
* @package Contenido Backend includes
* @version 1.0.0
* @author Martin Horwath
* @copyright
* @link
* @since file available since contenido release <= 4.6
* {@internal
* created 2004-11-25
* modified 2008-06-26, Frederic Schneider, add security fix
* modified 2011-02-05, Murat Purc, Added function buildUserOrGroupPermsFromRequest()
* $Id$:
* }}
// Guard: this file is only usable when the framework bootstrap has defined CON_FRAMEWORK;
// any other way of loading it stops here.
if(!defined('CON_FRAMEWORK')) {
die('Illegal call');
/**
 * Function checks if a language is associated with a given list of clients Fixed CON-200
 *
 * Runs a lookup on the clients_lang table for the given language id restricted to
 * the given client ids and reports whether at least one row exists.
 * @param array $aClients - array of clients to check
 * @param integer $iLang - language id which should be checked
 * @param array $aCfg - Contenido configuration array
 * @param object $oDb - Contenido database object
 * @return boolean - status (if language id corresponds to list of clients true otherwise false)
 */
function checkLangInClients($aClients, $iLang, $aCfg, $oDb)
//Escape values for use in DB
// NOTE(review): the cast language id is stored in the misnamed $iIdClient and never read
// again; the query below interpolates the raw $iLang instead. The cast only protects the
// query if it is the value actually used, e.g. `" WHERE idlang=".$iIdClient."` (or
// reassign $iLang here).
$iIdClient = Contenido_Security::toInteger($iLang);
// Client ids are cast to integer in place, so the quoted IN-list below only carries integers.
foreach ($aClients as $iKey => $iValue) {
$aClients[$iKey] = Contenido_Security::toInteger($aClients[$iKey]);
//Query to check, if langid is in list of clients associated
// $iLang here is the caller-supplied value, not the cast $iIdClient (see note above).
$sSql = "SELECT * FROM ".$aCfg['tab']['clients_lang']. " WHERE idlang=".$iLang." AND idclient IN ('".implode("','",$aClients)."');";
// The statement that executes $sSql is not part of this listing; next_record() reads the
// result of whatever query was last run on $oDb.
if ($oDb->next_record()) {
return true;
} else {
return false;
/**
 * Duplicate rights for any element
 *
 * Selects the rights rows that the current user (and the groups the user belongs to)
 * holds on element $iditem within the areas of $area and inserts the same rows again
 * for $newiditem.
 * @param string $area main area name
 * @param int $iditem ID of element to copy
 * @param int $newiditem ID of the new element
 * @param int $idlang ID of lang parameter; false (default) copies rights of all languages
 * @author Martin Horwath <>
 * @copyright <>
 */
function copyRightsForElement($area, $iditem, $newiditem, $idlang = false)
// NOTE(review): this listing is missing lines (closing braces and the $db->query() calls are
// not shown); the comments below only describe what is visible here.
global $cfg, $perm, $auth, $area_tree;
$db = new DB_ConLite();
$db2 = new DB_ConLite();
// get all user_id values for con_rights
$userIDContainer = $perm->getGroupsForUser($auth->auth['uid']); // add groups if available
$userIDContainer[] = $auth->auth['uid']; // add user_id of current user
// user_id is escaped as a string here (and in the INSERT below); createRightsForElement()
// casts the same value with toInteger() instead — the two should agree on the column's type.
foreach ($userIDContainer as $key) {
$statement_where2[] = "user_id = '".Contenido_Security::escapeDB($key, $db)."' ";
$where_users = '('.implode(' OR ', $statement_where2 ) .')'; // only duplicate on user and where user is member of
// get all idarea values for $area
// short way
$AreaContainer = $area_tree[$perm->showareas($area)];
// long version start
// get all actions for corresponding area
$AreaActionContainer = array();
// $AreaContainer comes from the internal $area_tree and is interpolated uncast; presumably
// a list of integer area ids — confirm against the code that builds $area_tree.
$sql = "SELECT idarea, idaction FROM ".$cfg["tab"]["actions"]." WHERE idarea IN (".implode (',', $AreaContainer).")";
while ($db->next_record()) {
$AreaActionContainer[] = array('idarea'=>$db->f('idarea'), 'idaction'=>$db->f('idaction'));
// build sql statement for con_rights
// Every (idarea, idaction) pair is integer-cast before it is joined into the OR list.
foreach ($AreaActionContainer as $key) {
$statement_where[] = "( idarea = ".Contenido_Security::toInteger($key["idarea"])." AND idaction = ".Contenido_Security::toInteger($key["idaction"])." )";
$where_area_actions = '('.implode(' OR ', $statement_where ) .')'; // only correct area action pairs possible
// final sql statement to get all effected elements in con_right
// NOTE(review): $iditem is interpolated without Contenido_Security::toInteger(), unlike
// $newiditem in the INSERT below; `idcat = ".Contenido_Security::toInteger($iditem)` would
// match the rest of this file. (The column list and FROM clause of this SELECT are not shown.)
$sql = "SELECT
{$where_area_actions} AND
{$where_users} AND
idcat = {$iditem}";
// long version end
// NOTE(review): $idlang is interpolated raw here, while createRightsForElement() and
// deleteRightsForElement() cast it with toInteger() for the same clause.
if ($idlang) {
$sql.= " AND idlang='$idlang'";
// Re-insert each selected row for $newiditem. idright is taken from nextid() on the
// second connection $db2, presumably so the result set still being read on $db is
// left untouched — confirm.
while ($db->next_record()) {
$sql = "INSERT INTO ".$cfg["tab"]["rights"]." (idright,user_id,idarea,idaction,idcat,idclient,idlang,`type`) VALUES ('".Contenido_Security::toInteger($db2->nextid($cfg["tab"]["rights"]))."',
'".Contenido_Security::escapeDB($db->f("user_id"), $db)."', '".Contenido_Security::toInteger($db->f("idarea"))."', '".Contenido_Security::toInteger($db->f("idaction"))."',
'".Contenido_Security::toInteger($newiditem)."','".Contenido_Security::toInteger($db->f("idclient"))."', '".Contenido_Security::toInteger($db->f("idlang"))."',
// permissions reloaded...
/**
 * Create rights for any element
 *
 * Reads the rights rows of the current user (and the user's groups) for the areas of
 * $area on the current client and inserts one row per user/language/type/action for the
 * new element $iditem.
 * @param string $area main area name
 * @param int $iditem ID of new element
 * @param int $idlang ID of lang parameter; false (default) means all languages
 * @author Martin Horwath <>
 * @copyright <>
 * @return bool|null false when $perm or $auth is not an object; the visible code has no other return
 */
function createRightsForElement($area, $iditem, $idlang = false)
// NOTE(review): this listing is missing lines (closing braces, the $db->query() calls and the
// fetch loop around the $RightsContainer assignment are not shown); comments describe only
// what is visible.
global $cfg, $perm, $auth, $area_tree, $client;
// Bail out silently when the permission or auth object is not available.
if (!is_object($perm)) {
return false;
if (!is_object($auth)) {
return false;
$db = new DB_ConLite();
$db2 = new DB_ConLite();
// get all user_id values for con_rights
$userIDContainer = $perm->getGroupsForUser($auth->auth['uid']); // add groups if available
$userIDContainer[] = $auth->auth['uid']; // add user_id of current user
// NOTE(review): user_id is cast with toInteger() here and in the INSERT below, while
// copyRightsForElement() escapes it as a string. If user_id is a non-numeric string the cast
// yields 0 and this WHERE clause matches nothing — confirm the column type.
foreach ($userIDContainer as $key) {
$statement_where2[] = "user_id = '".Contenido_Security::toInteger($key)."' ";
$where_users = '('.implode(' OR ', $statement_where2 ) .')'; // only duplicate on user and where user is member of
// get all idarea values for $area
// short way
$AreaContainer = $area_tree[$perm->showareas($area)];
// Rows of the current client in the areas of $area that refer to a concrete element
// (idcat != 0) and a concrete action (idaction != '0'). The column list, FROM clause and
// the $where_users condition built above are not shown in this listing.
$sql = "SELECT
idclient='".Contenido_Security::toInteger($client)."' AND
idarea IN (".implode (',', $AreaContainer).") AND
idcat != 0 AND
idaction!='0' AND
if ($idlang) {
$sql.= " AND idlang='".Contenido_Security::toInteger($idlang)."'";
// Nested map user_id -> idlang -> type -> idaction -> idarea. Keying by these columns
// collapses duplicate rows (same user/lang/type/action) into a single entry.
$RightsContainer = array();
$RightsContainer[$db->f('user_id')][$db->f('idlang')][$db->f('type')][$db->f('idaction')] = $db->f('idarea');
// i found no better way to set the rights
// double entries should not be possible anymore...
foreach ($RightsContainer as $userid=>$LangContainer) {
// NOTE: this loop variable shadows the $idlang parameter; after the loop $idlang holds the
// last language key, not the value the caller passed.
foreach ($LangContainer as $idlang=>$TypeContainer) {
foreach ($TypeContainer as $type=>$ActionContainer) {
foreach ($ActionContainer as $idaction=>$idarea) {
// One INSERT per collapsed entry; every value is integer-cast and idright comes from
// nextid() on the second connection $db2.
$sql = "INSERT INTO ".$cfg["tab"]["rights"]."
(idright, user_id,idarea,idaction,idcat,idclient,idlang,`type`)
VALUES ('".Contenido_Security::toInteger($db2->nextid($cfg["tab"]["rights"]))."', '".Contenido_Security::toInteger($userid)."', '".Contenido_Security::toInteger($idarea)."',
'".Contenido_Security::toInteger($idaction)."', '".Contenido_Security::toInteger($iditem)."', '".Contenido_Security::toInteger($client)."',
'".Contenido_Security::toInteger($idlang)."', '".Contenido_Security::toInteger($type)."')";
// permissions reloaded...
/**
 * Delete rights for any element
 *
 * Removes every rights row of the current client that refers to element $iditem in one
 * of the areas of $area, optionally restricted to one language.
 * @param string $area main area name
 * @param int $iditem ID of the element whose rights are removed
 * @param int $idlang ID of lang parameter; false (default) deletes rights of all languages
 * @author Martin Horwath <>
 * @copyright <>
 */
function deleteRightsForElement($area, $iditem, $idlang = false)
// NOTE(review): closing braces and the $db->query($sql) call are not part of this listing.
global $cfg, $perm, $area_tree, $client;
$db = new DB_ConLite();
// get all idarea values for $area
// $area is passed through escapeDB() before being used as a lookup key rather than in SQL;
// the other two functions pass it unescaped. Presumably a no-op for plain area names — confirm.
$AreaContainer = $area_tree[$perm->showareas(Contenido_Security::escapeDB($area, $db))];
// Element and client ids are integer-cast; $AreaContainer (from the internal $area_tree) is
// interpolated as-is.
$sql = "DELETE FROM ".$cfg["tab"]["rights"]." WHERE idcat='".Contenido_Security::toInteger($iditem)."' AND idclient='".Contenido_Security::toInteger($client)."' AND idarea IN (".implode (',', $AreaContainer).")";
// Restrict to one language only when a language id was given.
if ($idlang) {
$sql.= " AND idlang='".Contenido_Security::toInteger($idlang)."'";
// permissions reloaded...
/**
 * Builds user/group permissions (sysadmin, admin, client and language) by
 * processing request variables ($msysadmin, $madmin, $mclient, $mlang) and
 * returns the build permissions array.
 *
 * The request variables are read as globals and are untrusted input; the only
 * validation visible here is the is_numeric() check on each list (the statement inside
 * those guards is not part of this listing). Language ids are additionally verified
 * against the selected clients via checkLangInClients().
 * @todo Do we really need to add other perms, if the user/group gets the
 * 'sysadmin' permission?
 * @param bool $bAddUserToClient Flag to add current user to current client,
 * if no client is specified.
 * @return array list of permission strings such as 'sysadmin', 'admin[1]', 'client[1]', 'lang[1]'
 */
function buildUserOrGroupPermsFromRequest($bAddUserToClient = false)
global $cfg, $msysadmin, $madmin, $mclient, $mlang, $auth, $client;
$aPerms = array();
// check and prevalidation
// Sysadmin is a single flag; admin/client/lang are lists of ids and default to empty.
$bSysadmin = (isset($msysadmin) && $msysadmin);
$aAdmin = (isset($madmin) && is_array($madmin)) ? $madmin : array();
// Non-numeric entries are screened here; the statement inside the guard (presumably
// unset($aAdmin[$p])) is not shown in this listing — the same applies to the two guards below.
foreach ($aAdmin as $p => $value) {
if (!is_numeric($value)) {
$aClient = (isset($mclient) && is_array($mclient)) ? $mclient : array();
foreach ($aClient as $p => $value) {
if (!is_numeric($value)) {
$aLang = (isset($mlang) && is_array($mlang)) ? $mlang : array();
foreach ($aLang as $p => $value) {
if (!is_numeric($value)) {
// build permissions array
if ($bSysadmin) {
$aPerms[] = 'sysadmin';
foreach ($aAdmin as $value) {
$aPerms[] = sprintf('admin[%s]', $value);
foreach ($aClient as $value) {
$aPerms[] = sprintf('client[%s]', $value);
if (count($aClient) == 0 && $bAddUserToClient) {
// Add user to the current client, if the current user isn't sysadmin and
// no client has been specified. This avoids new accounts which are not
// accessible by the current user (client admin) anymore.
$aUserPerm = explode(',', $auth->auth['perm']);
if (!in_array('sysadmin', $aUserPerm)) {
$aPerms[] = sprintf('client[%s]', $client);
if (count($aLang) > 0 && count($aClient) > 0) {
// adding language perms makes sense if we have also at least one selected client
// checkLangInClients() interpolates the language id into its query as given, so the
// is_numeric() guard on $aLang above is what keeps a non-numeric $mlang value out of that
// query; it must actually remove the entry rather than only skip it.
$db = new DB_ConLite();
foreach ($aLang as $value) {
if (checkLangInClients($aClient, $value, $cfg, $db)) {
$aPerms[] = sprintf('lang[%s]', $value);
return $aPerms;