authorizedActions = [ 'users_Ajax.php' => [ 'availableUsers' => ['PM_FACTORY'], 'assign' => ['PM_FACTORY'], 'changeView' => [], 'ofToAssign' => ['PM_FACTORY'], 'usersGroup' => ['PM_FACTORY'], 'canDeleteUser' => ['PM_USERS'], 'privateProcesses' => ['PM_USERS'], 'deleteUser' => ['PM_USERS'], 'changeUserStatus' => ['PM_USERS'], 'availableGroups' => ['PM_USERS'], 'assignedGroups' => ['PM_USERS'], 'assignGroupsToUserMultiple' => ['PM_USERS'], 'deleteGroupsToUserMultiple' => ['PM_USERS'], 'authSources' => ['PM_USERS'], 'loadAuthSourceByUID' => ['PM_USERS'], 'updateAuthServices' => ['PM_USERS'], 'usersList' => ['PM_USERS'], 'updatePageSize' => [], 'summaryUserData' => ['PM_USERS'], 'verifyIfUserAssignedAsSupervisor' => ['PM_USERS'] ], 'skin_Ajax.php' => [ 'updatePageSize' => [], 'skinList' => ['PM_SETUP_SKIN'], 'newSkin' => ['PM_SETUP_SKIN'], 'importSkin' => ['PM_SETUP_SKIN'], 'exportSkin' => ['PM_SETUP_SKIN'], 'deleteSkin' => ['PM_SETUP_SKIN'], 'streamSkin' => ['PM_SETUP_SKIN'], 'addTarFolder' => ['PM_SETUP_SKIN'], 'copy_skin_folder' => ['PM_SETUP_SKIN'] ], 'processes_DownloadFile.php' => [ 'downloadFileHash' => ['PM_FACTORY'] ], 'processProxy.php' => [ 'categoriesList' => ['PM_SETUP_PROCESS_CATEGORIES'], 'getCategoriesList' => ['PM_FACTORY'], 'saveProcess' => ['PM_FACTORY'], 'changeStatus' => ['PM_FACTORY'], 'changeDebugMode' => ['PM_FACTORY'], 'getUsers' => [], 'getGroups' => [], 'assignActorsTask' => [], 'removeActorsTask' => [], 'getActorsTask' => [], 'getProcessDetail' => [], 'getProperties' => [], 'saveProperties' => [], 'getCaledarList' => [], 'getPMVariables' => [], 'generateBpmn' => ['PM_FACTORY'] ], 'home.php' => [ 'login' => ['PM_LOGIN'], 'index' => ['PM_CASES/strict'], 'indexSingle' => ['PM_CASES/strict'], 'appList' => ['PM_CASES/strict'], 'appAdvancedSearch' => ['PM_ALLCASES'], 'getApps' => ['PM_ALLCASES'], 'getAppsData' => ['PM_ALLCASES'], 'startCase' => ['PM_CASES/strict'], 'error' => [], 'getUserArray' => ['PM_ALLCASES'], 'getCategoryArray' => ['PM_ALLCASES'], 'getStatusArray' => ['PM_ALLCASES'], 'getProcessArray' => ['PM_ALLCASES'], 'getProcesses' => ['PM_ALLCASES'], 'getUsers' => ['PM_ALLCASES'] ], 'newSite.php' => [ 'newSite.php' => ['PM_SETUP_ADVANCE'] ], 'emailsAjax.php' => [ 'MessageList' => ['PM_SETUP', 'PM_SETUP_LOGS'], 'updateStatusMessage' => ['PM_SETUP', 'PM_SETUP_LOGS'], ], 'processCategory_Ajax.php' => [ 'processCategoryList' => ['PM_SETUP', 'PM_SETUP_PROCESS_CATEGORIES'], 'updatePageSize' => ['PM_SETUP', 'PM_SETUP_PROCESS_CATEGORIES'], 'checkCategoryName' => ['PM_SETUP', 'PM_SETUP_PROCESS_CATEGORIES'], 'saveNewCategory' => ['PM_SETUP', 'PM_SETUP_PROCESS_CATEGORIES'], 'checkEditCategoryName' => ['PM_SETUP', 'PM_SETUP_PROCESS_CATEGORIES'], 'updateCategory' => ['PM_SETUP', 'PM_SETUP_PROCESS_CATEGORIES'], 'canDeleteCategory' => ['PM_SETUP', 'PM_SETUP_PROCESS_CATEGORIES'], 'deleteCategory' => ['PM_SETUP', 'PM_SETUP_PROCESS_CATEGORIES'] ], 'emailServerAjax.php' => [ 'INS' => ['PM_SETUP'], 'UPD' => ['PM_SETUP'], 'DEL' => ['PM_SETUP'], 'LST' => ['PM_SETUP'], 'TEST' => ['PM_SETUP'], 'createAuthUrl' => ['PM_SETUP'], 'createAuthUrlOffice365' => ['PM_SETUP'] ], 'emailServerGmailOAuth.php' => [ 'code' => ['PM_SETUP'] ], 'emailServerOffice365OAuth.php' => [ 'code' => ['PM_SETUP'] ], 'processes_GetFile.php' => [ 'mailTemplates' => ['PM_FACTORY'], 'public' => ['PM_FACTORY'] ], 'tools/ajaxListener.php' => [ 'getList' => ['PM_SETUP'], 'save' => ['PM_SETUP'], 'delete' => ['PM_SETUP'], 'rebuild' => ['PM_SETUP'] ], 'proxyNewCasesList.php' => [ 'todo' => ['PM_CASES'], 'draft' => ['PM_CASES'], 'sent' => ['PM_CASES'], 'paused' => ['PM_CASES'], 'unassigned' => ['PM_CASES'], 'to_reassign' => ['PM_REASSIGNCASE,PM_REASSIGNCASE_SUPERVISOR'], 'to_revise' => ['PM_SUPERVISOR'] ], 'casesList_Ajax.php' => [ 'userValues' => ['PM_CASES'], 'processListExtJs' => ['PM_CASES'], 'verifySession' => [], 'getUsersToReassign' => ['PM_CASES'], 'reassignCase' => ['PM_CASES'], 'showHistoryMessage' => ['PM_CASES'], 'showDynaformListHistory' => ['PM_CASES'], 'dynaformChangeLogViewHistory' => ['PM_CASES'], 'historyDynaformGridPreview' => ['PM_CASES'], ], 'usersAjax.php' => [ 'timeZoneParameters' => ['PM_LOGIN'], 'countryList' => ['PM_LOGIN'], 'stateList' => ['PM_LOGIN'], 'locationList' => ['PM_LOGIN'], 'usersList' => ['PM_USERS,PM_EDIT_USER_PROFILE_REPLACED_BY'], 'availableCalendars' => ['PM_LOGIN'], 'rolesList' => ['PM_LOGIN'], 'getUserLogedRole' => ['PM_USERS,PM_EDIT_USER_PROFILE_PASSWORD'], 'languagesList' => ['PM_LOGIN'], 'saveUser' => [], // This action is validated with custom logic in the same page 'savePersonalInfo' => [], // This action is validated with custom logic in the same page 'userData' => [], // This action is validated with custom logic in the same page 'defaultMainMenuOptionList' => ['PM_LOGIN'], 'defaultCasesMenuOptionList' => ['PM_LOGIN'], 'testPassword' => ['PM_USERS,PM_EDIT_USER_PROFILE_PASSWORD'], 'testUsername' => ['PM_USERS,PM_EDIT_USER_PROFILE_USERNAME'], 'passwordValidate' => ['PM_USERS,PM_EDIT_USER_PROFILE_PASSWORD'], ] ]; $this->aliasPermissions['PM_CASES'] = [self::PM_GUEST_CASE]; $this->aliasPermissions['PM_LOGIN'] = [self::PM_GUEST_CASE]; } /** * to get singleton instance * * @access public * @return object */ public static function &getSingleton() { if (self::$instance == null) { self::$instance = new RBAC(); } return self::$instance; } /** * to get start with some classes * * @access public * @return object */ public function initRBAC() { if (is_null($this->userObj)) { $this->userObj = new RbacUsers(); } if (is_null($this->systemObj)) { $this->systemObj = new Systems(); } if (is_null($this->usersRolesObj)) { $this->usersRolesObj = new UsersRoles(); } if (is_null($this->rolesObj)) { $this->rolesObj = new Roles(); } if (is_null($this->permissionsObj)) { $this->permissionsObj = new Permissions(); } if (is_null($this->rolesPermissionsObj)) { $this->rolesPermissionsObj = new RolesPermissions(); } if (is_null($this->authSourcesObj)) { $this->authSourcesObj = new AuthenticationSource(); } //hook for RBAC plugins $pathPlugins = PATH_RBAC . 'plugins'; if (is_dir($pathPlugins)) { if ($handle = opendir($pathPlugins)) { while (false !== ($file = readdir($handle))) { if (strpos($file, '.php', 1) && is_file($pathPlugins . PATH_SEP . $file) && substr($file, 0, 6) === 'class.' && substr($file, -4) === '.php') { $className = substr($file, 6, strlen($file) - 10); require_once($pathPlugins . PATH_SEP . $file); $this->aRbacPlugins[] = $className; } } } } if (!in_array('ldapAdvanced', $this->aRbacPlugins)) { if (class_exists('ldapAdvanced')) { $this->aRbacPlugins[] = 'ldapAdvanced'; } } } /** * gets the Role and their permissions for Administrator Processmaker * * @access public * @return array $this->permissionsAdmin[ $permissionsAdmin ] */ public function loadPermissionAdmin() { $permissionsAdmin = [ [ "PER_UID" => "00000000000000000000000000000001", "PER_CODE" => "PM_LOGIN", "PER_NAME" => "Login" ], [ "PER_UID" => "00000000000000000000000000000002", "PER_CODE" => "PM_SETUP", "PER_NAME" => "Setup" ], [ "PER_UID" => "00000000000000000000000000000003", "PER_CODE" => "PM_USERS", "PER_NAME" => "Users" ], [ "PER_UID" => "00000000000000000000000000000004", "PER_CODE" => "PM_FACTORY", "PER_NAME" => "Design Process" ], [ "PER_UID" => "00000000000000000000000000000005", "PER_CODE" => "PM_CASES", "PER_NAME" => "Create Users" ], [ "PER_UID" => "00000000000000000000000000000006", "PER_CODE" => "PM_ALLCASES", "PER_NAME" => "All Cases" ], [ "PER_UID" => "00000000000000000000000000000007", "PER_CODE" => "PM_REASSIGNCASE", "PER_NAME" => "Reassign case" ], [ "PER_UID" => "00000000000000000000000000000008", "PER_CODE" => "PM_REPORTS", "PER_NAME" => "PM reports" ], [ "PER_UID" => "00000000000000000000000000000009", "PER_CODE" => "PM_SUPERVISOR", "PER_NAME" => "Supervisor" ], [ "PER_UID" => "00000000000000000000000000000010", "PER_CODE" => "PM_SETUP_ADVANCE", "PER_NAME" => "Setup Advanced" ], [ "PER_UID" => "00000000000000000000000000000011", "PER_CODE" => "PM_DASHBOARD", "PER_NAME" => "Dashboard" ], [ "PER_UID" => "00000000000000000000000000000012", "PER_CODE" => "PM_WEBDAV", "PER_NAME" => "WebDav" ], [ "PER_UID" => "00000000000000000000000000000013", "PER_CODE" => "PM_DELETECASE", "PER_NAME" => "Cancel cases" ], [ "PER_UID" => "00000000000000000000000000000014", "PER_CODE" => "PM_EDITPERSONALINFO", "PER_NAME" => "Edit Personal Info" ], [ "PER_UID" => "00000000000000000000000000000015", "PER_CODE" => "PM_FOLDERS_ALL", "PER_NAME" => "View Folders" ], [ "PER_UID" => "00000000000000000000000000000016", "PER_CODE" => "PM_FOLDERS_ADD_FOLDER", "PER_NAME" => "Delete folders" ], [ "PER_UID" => "00000000000000000000000000000017", "PER_CODE" => "PM_FOLDERS_ADD_FILE", "PER_NAME" => "Delete folders" ], [ "PER_UID" => "00000000000000000000000000000018", "PER_CODE" => "PM_CANCELCASE", "PER_NAME" => "Cancel cases" ], [ "PER_UID" => "00000000000000000000000000000019", "PER_CODE" => "PM_FOLDER_DELETE", "PER_NAME" => "Cancel cases" ], [ "PER_UID" => "00000000000000000000000000000020", "PER_CODE" => "PM_SETUP_LOGO", "PER_NAME" => "Setup Logo" ], [ "PER_UID" => "00000000000000000000000000000021", "PER_CODE" => "PM_SETUP_EMAIL", "PER_NAME" => "Setup Email" ], [ "PER_UID" => "00000000000000000000000000000022", "PER_CODE" => "PM_SETUP_CALENDAR", "PER_NAME" => "Setup Calendar" ], [ "PER_UID" => "00000000000000000000000000000023", "PER_CODE" => "PM_SETUP_PROCESS_CATEGORIES", "PER_NAME" => "Setup Process Categories" ], [ "PER_UID" => "00000000000000000000000000000024", "PER_CODE" => "PM_SETUP_CLEAR_CACHE", "PER_NAME" => "Setup Clear Cache" ], // The 00000000000000000000000000000025 was deleted related to the heart beat [ "PER_UID" => "00000000000000000000000000000026", "PER_CODE" => "PM_SETUP_ENVIRONMENT", "PER_NAME" => "Setup Environment" ], [ "PER_UID" => "00000000000000000000000000000027", "PER_CODE" => "PM_SETUP_PM_TABLES", "PER_NAME" => "Setup PM Tables" ], [ "PER_UID" => "00000000000000000000000000000028", "PER_CODE" => "PM_SETUP_LOGIN", "PER_NAME" => "Setup Login" ], [ "PER_UID" => "00000000000000000000000000000029", "PER_CODE" => "PM_SETUP_DASHBOARDS", "PER_NAME" => "Setup Dashboards" ], [ "PER_UID" => "00000000000000000000000000000030", "PER_CODE" => "PM_SETUP_LANGUAGE", "PER_NAME" => "Setup Language" ], [ "PER_UID" => "00000000000000000000000000000031", "PER_CODE" => "PM_SETUP_SKIN", "PER_NAME" => "Setup Skin" ], [ "PER_UID" => "00000000000000000000000000000032", "PER_CODE" => "PM_SETUP_CASES_LIST_CACHE_BUILDER", "PER_NAME" => "Setup Case List Cache Builder" ], [ "PER_UID" => "00000000000000000000000000000033", "PER_CODE" => "PM_SETUP_PLUGINS", "PER_NAME" => "Setup Plugins" ], [ "PER_UID" => "00000000000000000000000000000034", "PER_CODE" => "PM_SETUP_USERS_AUTHENTICATION_SOURCES", "PER_NAME" => "Setup User Authentication Sources" ], [ "PER_UID" => "00000000000000000000000000000035", "PER_CODE" => "PM_SETUP_LOGS", "PER_NAME" => "Setup Logs" ], [ "PER_UID" => "00000000000000000000000000000036", "PER_CODE" => "PM_DELETE_PROCESS_CASES", "PER_NAME" => "Delete process cases" ], [ "PER_UID" => "00000000000000000000000000000037", "PER_CODE" => "PM_EDITPERSONALINFO_CALENDAR", "PER_NAME" => "Edit personal info Calendar" ], [ "PER_UID" => "00000000000000000000000000000038", "PER_CODE" => "PM_UNCANCELCASE", "PER_NAME" => "Undo cancel case" ], [ "PER_UID" => "00000000000000000000000000000039", "PER_CODE" => "PM_REST_API_APPLICATIONS", "PER_NAME" => "Create rest API Aplications" ], [ "PER_UID" => "00000000000000000000000000000040", "PER_CODE" => "PM_EDIT_USER_PROFILE_FIRST_NAME", "PER_NAME" => "Edit User profile First Name" ], [ "PER_UID" => "00000000000000000000000000000041", "PER_CODE" => "PM_EDIT_USER_PROFILE_LAST_NAME", "PER_NAME" => "Edit User profile Last Name" ], [ "PER_UID" => "00000000000000000000000000000042", "PER_CODE" => "PM_EDIT_USER_PROFILE_USERNAME", "PER_NAME" => "Edit User profile Username" ], [ "PER_UID" => "00000000000000000000000000000043", "PER_CODE" => "PM_EDIT_USER_PROFILE_EMAIL", "PER_NAME" => "Edit User profile Email" ], [ "PER_UID" => "00000000000000000000000000000044", "PER_CODE" => "PM_EDIT_USER_PROFILE_ADDRESS", "PER_NAME" => "Edit User profile Address" ], [ "PER_UID" => "00000000000000000000000000000045", "PER_CODE" => "PM_EDIT_USER_PROFILE_ZIP_CODE", "PER_NAME" => "Edit User profile Zip Code" ], [ "PER_UID" => "00000000000000000000000000000046", "PER_CODE" => "PM_EDIT_USER_PROFILE_COUNTRY", "PER_NAME" => "Edit User profile Country" ], [ "PER_UID" => "00000000000000000000000000000047", "PER_CODE" => "PM_EDIT_USER_PROFILE_STATE_OR_REGION", "PER_NAME" => "Edit User profile State or Region" ], [ "PER_UID" => "00000000000000000000000000000048", "PER_CODE" => "PM_EDIT_USER_PROFILE_LOCATION", "PER_NAME" => "Edit User profile Location" ], [ "PER_UID" => "00000000000000000000000000000049", "PER_CODE" => "PM_EDIT_USER_PROFILE_PHONE", "PER_NAME" => "Edit User profile Phone" ], [ "PER_UID" => "00000000000000000000000000000050", "PER_CODE" => "PM_EDIT_USER_PROFILE_POSITION", "PER_NAME" => "Edit User profile Position" ], [ "PER_UID" => "00000000000000000000000000000051", "PER_CODE" => "PM_EDIT_USER_PROFILE_REPLACED_BY", "PER_NAME" => "Edit User profile Replaced By" ], [ "PER_UID" => "00000000000000000000000000000052", "PER_CODE" => "PM_EDIT_USER_PROFILE_EXPIRATION_DATE", "PER_NAME" => "Edit User profile Expiration Date" ], [ "PER_UID" => "00000000000000000000000000000053", "PER_CODE" => "PM_EDIT_USER_PROFILE_CALENDAR", "PER_NAME" => "Edit User profile Calendar" ], [ "PER_UID" => "00000000000000000000000000000054", "PER_CODE" => "PM_EDIT_USER_PROFILE_STATUS", "PER_NAME" => "Edit User profile Status" ], [ "PER_UID" => "00000000000000000000000000000055", "PER_CODE" => "PM_EDIT_USER_PROFILE_ROLE", "PER_NAME" => "Edit User profile Role" ], [ "PER_UID" => "00000000000000000000000000000056", "PER_CODE" => "PM_EDIT_USER_PROFILE_TIME_ZONE", "PER_NAME" => "Edit User profile Time Zone" ], [ "PER_UID" => "00000000000000000000000000000057", "PER_CODE" => "PM_EDIT_USER_PROFILE_DEFAULT_LANGUAGE", "PER_NAME" => "Edit User profile Default Language" ], [ "PER_UID" => "00000000000000000000000000000058", "PER_CODE" => "PM_EDIT_USER_PROFILE_COSTS", "PER_NAME" => "Edit User profile Costs" ], [ "PER_UID" => "00000000000000000000000000000059", "PER_CODE" => "PM_EDIT_USER_PROFILE_PASSWORD", "PER_NAME" => "Edit User profile Password" ], [ "PER_UID" => "00000000000000000000000000000060", "PER_CODE" => "PM_EDIT_USER_PROFILE_USER_MUST_CHANGE_PASSWORD_AT_NEXT_LOGON", "PER_NAME" => "Edit User profile Must Change Password at next Logon" ], [ "PER_UID" => "00000000000000000000000000000061", "PER_CODE" => "PM_EDIT_USER_PROFILE_PHOTO", "PER_NAME" => "Edit User profile Photo" ], [ "PER_UID" => "00000000000000000000000000000062", "PER_CODE" => "PM_EDIT_USER_PROFILE_DEFAULT_MAIN_MENU_OPTIONS", "PER_NAME" => "Edit User profile Default Main Menu Options" ], [ "PER_UID" => "00000000000000000000000000000063", "PER_CODE" => "PM_EDIT_USER_PROFILE_DEFAULT_CASES_MENU_OPTIONS", "PER_NAME" => "Edit User profile Default Cases Menu Options" ], [ "PER_UID" => "00000000000000000000000000000064", "PER_CODE" => "PM_REASSIGNCASE_SUPERVISOR", "PER_NAME" => "Reassign case supervisor" ], [ "PER_UID" => "00000000000000000000000000000065", "PER_CODE" => "PM_SETUP_CUSTOM_CASES_LIST", "PER_NAME" => "Setup Custom Cases List" ], [ 'PER_UID' => '00000000000000000000000000000067', 'PER_CODE' => 'PM_SETUP_LOG_FILES', 'PER_NAME' => 'Log Files' ], [ 'PER_UID' => '00000000000000000000000000000068', 'PER_CODE' => 'PM_FOLDERS_OWNER', 'PER_NAME' => 'View Your Folders' ], [ 'PER_UID' => '00000000000000000000000000000069', 'PER_CODE' => 'PM_TASK_SCHEDULER_ADMIN', 'PER_NAME' => 'View Task Scheduler' ], [ 'PER_UID' => '00000000000000000000000000000070', 'PER_CODE' => 'TASK_METRICS_VIEW', 'PER_NAME' => 'Task Metrics View' ] ]; return $permissionsAdmin; } /** * Create if not exists GUEST user. * * @param Roles $role * @throws Exception */ private function verifyGuestUser(Roles $role) { try { $strRole = $role->getRolCode(); $arrayData = []; $arrayData["USR_UID"] = self::GUEST_USER_UID; $arrayData["USR_USERNAME"] = 'guest'; $arrayData["USR_PASSWORD"] = '674ba9750749d735ec9787d606170d78'; $arrayData["USR_FIRSTNAME"] = 'Guest'; $arrayData["USR_LASTNAME"] = ''; $arrayData["USR_EMAIL"] = 'guest@processmaker.com'; $arrayData["USR_DUE_DATE"] = '2030-01-01'; $arrayData["USR_CREATE_DATE"] = date("Y-m-d H:i:s"); $arrayData["USR_UPDATE_DATE"] = date("Y-m-d H:i:s"); $arrayData["USR_BIRTHDAY"] = '2009-02-01'; $arrayData["USR_AUTH_USER_DN"] = ""; $arrayData["USR_STATUS"] = 0; $rbacUserExists = RbacUsersPeer::retrieveByPK(self::GUEST_USER_UID); $isNotRbacUserGuest = !empty($rbacUserExists) && $rbacUserExists instanceof RbacUsers && $rbacUserExists->getUserRole($rbacUserExists->getUsrUid())['ROL_CODE'] !== self::PROCESSMAKER_GUEST; if (empty($rbacUserExists)) { $rbacUser = new RbacUsers(); $rbacUser->fromArray($arrayData, BasePeer::TYPE_FIELDNAME); $rbacUser->save(); $arrayData["USR_UID"] = $rbacUser->getUsrUid(); $arrayData["USR_STATUS"] = 'INACTIVE'; $arrayData["USR_COUNTRY"] = ""; $arrayData["USR_CITY"] = ""; $arrayData["USR_LOCATION"] = ""; $arrayData["USR_ADDRESS"] = ""; $arrayData["USR_PHONE"] = ""; $arrayData["USR_ZIP_CODE"] = ""; $arrayData["USR_POSITION"] = ""; $arrayData["USR_ROLE"] = $strRole; $user = new Users(); $user->create($arrayData); $this->assignRoleToUser($user->getUsrUid(), $strRole); } elseif ($isNotRbacUserGuest) { $this->assignRoleToUser($rbacUserExists->getUsrUid(), $strRole); } } catch (Exception $exception) { throw new Exception( "Can not create guest user: " . $exception->getMessage(), 0, $exception ); } } /** * Create if not exists GUEST role. * * @param type $permissions * @return type * @throws Exception */ private function verifyGuestRole($permissions) { try { $criteria = new Criteria; $criteria->add(RolesPeer::ROL_CODE, self::PROCESSMAKER_GUEST); $roleExists = RolesPeer::doSelectOne($criteria); if (!empty($roleExists)) { return $roleExists; } $dataCase = [ 'ROL_UID' => self::PROCESSMAKER_GUEST_UID, 'ROL_CODE' => self::PROCESSMAKER_GUEST, 'ROL_SYSTEM' => self::PER_SYSTEM, 'ROL_STATUS' => 1, 'ROL_NAME' => self::PROCESSMAKER_GUEST, 'ROL_CREATE_DATE' => date('Y-m-d H:i:s'), 'ROL_UPDATE_DATE' => date('Y-m-d H:i:s'), ]; $this->createRole($dataCase); $role = RolesPeer::doSelectOne($criteria); foreach ($permissions as $permission) { $o = new RolesPermissions(); $o->setPerUid($permission->getPerUid()); $o->setPermissionName('Guest case'); $o->setRolUid($role->getRolUid()); $o->save(); } return $role; } catch (Exception $exception) { throw new Exception( "Can not create guest role: " . $exception->getMessage(), 0, $exception ); } } /** * Create if not exists GUEST permissions. * * @return type * @throws Exception */ private function verifyGuestPermissions() { try { $criteria = new Criteria(); $criteria->add(PermissionsPeer::PER_CODE, self::PM_GUEST_CASE); $perm = PermissionsPeer::doSelectOne($criteria); if (!empty($perm)) { return [$perm]; } $permission = new Permissions(); $permission->setPerUid(self::PM_GUEST_CASE_UID); $permission->setPerCode(self::PM_GUEST_CASE); $permission->setPerCreateDate(date('Y-m-d H:i:s')); $permission->setPerUpdateDate(date('Y-m-d H:i:s')); $permission->setPerStatus(1); $permission->setPerSystem(self::PER_SYSTEM); $permission->save(); return [$permission]; } catch (Exception $exception) { throw new Exception( "Can not set guest permissions: " . $exception->getMessage(), 0, $exception ); } } /** * Create if not exists GUEST user. * Create if not exists GUEST role. * Create if not exists GUEST permissions. * * @throws Exception */ private function verifyGuestUserRolePermission() { $permissions = $this->verifyGuestPermissions(); $role = $this->verifyGuestRole($permissions); $this->verifyGuestUser($role); } /** * Gets the roles and permission for one RBAC_user * * gets the Role and their permissions for one User * * @access public * * @param string $sSystem the system * @param string $sUser the user * @return $this->aUserInfo[ $sSystem ] */ public function loadUserRolePermission($sSystem, $sUser) { //in previous versions we provided a path data and session we will cache the session Info for this user //now this is deprecated, and all the aUserInfo is in the memcache $this->sSystem = $sSystem; $fieldsSystem = $this->systemObj->loadByCode($sSystem); $fieldsRoles = $this->usersRolesObj->getRolesBySystem($fieldsSystem['SYS_UID'], $sUser); $rolUid = isset($fieldsRoles['ROL_UID']) ? $fieldsRoles['ROL_UID'] : null; $fieldsPermissions = $this->usersRolesObj->getAllPermissions($rolUid, $sUser); $this->aUserInfo['USER_INFO'] = $this->userObj->load($sUser); $this->aUserInfo[$sSystem]['SYS_UID'] = $fieldsSystem['SYS_UID']; $this->aUserInfo[$sSystem]['ROLE'] = $fieldsRoles; $this->aUserInfo[$sSystem]['PERMISSIONS'] = $fieldsPermissions; } /** * Verification of a user through the class RBAC_user * verify if the user has permissions to stay in the application * -4: expired user * @access public * @throws Exception */ public function verifyDueDateUserLogged() { if (empty($this->userObj)) { return; } $uid = !empty($this->userObj) ? $this->userObj->getUsrUid() : null; //if the expired user if ($this->userObj->getUsrDueDate() < date('Y-m-d')) { $uid = -4; $errLabel = 'ID_USER_INACTIVE_BY_DATE'; } if (!isset($uid) || $uid < 0) { if (!defined('PPP_FAILED_LOGINS')) { define('PPP_FAILED_LOGINS', 0); } //start new session @session_destroy(); session_start(); session_regenerate_id(); throw new RBACException($errLabel); } } /** * Destroy all active sessions of a user (browser, soap, oauth) * @param string $usrUid User uid */ public static function destroySessionUser($usrUid) { //remove all register of tables related to the token (new OauthAccessTokens())->removeByUser($usrUid); (new OauthRefreshTokens())->removeByUser($usrUid); (new PmoauthUserAccessTokens())->removeByUser($usrUid); (new OauthAuthorizationCodes())->removeByUser($usrUid); $loginLog = new LoginLog(); $sessionId = $loginLog->getSessionsIdByUser($usrUid); if ($sessionId) { //remove all login log row's of LOGIN_LOG table $loginLog->removeByUser($usrUid); //remove all register of tables (new Session())->removeByUser($usrUid); // 1. commit session if it's started. if (session_id()) { session_commit(); } // 2. store current session id session_start(); $currentSessionId = session_id(); session_commit(); // 3. then destroy session specified. foreach ($sessionId as $sid) { session_id($sid['LOG_SID']); session_start(); session_destroy(); session_commit(); } // 4. restore current session id. If don't restore it, your current session will refer to the session you just destroyed! session_id($currentSessionId); session_start(); session_commit(); } } /** * verification the register automatic * * * @access public * @param string $strUser the system * @param string $strPass the password * @return $result */ public function checkAutomaticRegister($strUser, $strPass) { $result = -1; //default return value, foreach ($this->aRbacPlugins as $className) { $plugin = new $className(); if (method_exists($plugin, 'automaticRegister')) { $criteria = new Criteria('rbac'); $criteria->add(AuthenticationSourcePeer::AUTH_SOURCE_PROVIDER, $className); $criteria->addAscendingOrderByColumn(AuthenticationSourcePeer::AUTH_SOURCE_NAME); $dataset = AuthenticationSourcePeer::doSelectRS($criteria, Propel::getDbConnection('rbac_ro')); $dataset->setFetchmode(ResultSet::FETCHMODE_ASSOC); $dataset->next(); $row = $dataset->getRow(); while (is_array($row)) { $row = array_merge($row, unserialize($row['AUTH_SOURCE_DATA'])); //Check if this authsource is enabled for AutoRegister, if not skip this if ($row['AUTH_SOURCE_AUTO_REGISTER'] == 1) { $plugin->sAuthSource = $row['AUTH_SOURCE_UID']; $plugin->sSystem = $this->sSystem; //search the usersRolesObj //create the users in ProcessMaker try { $res = $plugin->automaticRegister($row, $strUser, $strPass); if ($res == 1) { return $res; } } catch (Exception $e) { $message = $e->getMessage(); $context = [ 'action' => 'ldapSynchronize', 'authSource' => $row ]; Log::channel(':ldapSynchronize')->error($message, Bootstrap::context($context)); } } $dataset->next(); $row = $dataset->getRow(); } } } return $result; } /** * this function is checking the register automatic without authentication * * * @access public * @param string $authType * @param string $userFields * @param string $strPass * @return number -2: wrong password * -3: inactive user * -4: due date * -5: invalid authentication source */ public function VerifyWithOtherAuthenticationSource($authType, $userFields, $strPass) { if ($authType === '' || $authType === 'MYSQL') { //check if the user is active if ($userFields['USR_STATUS'] !== 1) { return -3; //inactive user } //check if the user's due date is valid if ($userFields['USR_DUE_DATE'] < date('Y-m-d')) { return -4; //due date } } foreach ($this->aRbacPlugins as $className) { if (strtolower($className) === strtolower($authType)) { $plugin = new $className(); $reflectionClass = new ReflectionClass($plugin); if ($reflectionClass->hasConstant('AUTH_TYPE')) { return $plugin->VerifyLogin($userFields['USR_USERNAME'], $strPass); } $plugin->sAuthSource = $userFields['UID_AUTH_SOURCE']; $plugin->sSystem = $this->sSystem; $bValidUser = $plugin->VerifyLogin($userFields['USR_AUTH_USER_DN'], $strPass); if ($bValidUser === true) { return ($userFields['USR_UID']); } else { return -2; //wrong password } } } return -5; //invalid authentication source } /** * authentication of an user through of class RBAC_user * * checking that an user has right to start an application * * @access public * * @param string $strUser UserId (login) an user * @param string $strPass Password * @return -1: no user * -2: wrong password * -3: inactive usuario * -4: due date * -5: invalid authentication source ( **new ) * n : uid of user */ public function VerifyLogin($strUser, $strPass) { /*----------------------------------********---------------------------------*/ $licenseManager = PmLicenseManager::getSingleton(); if (in_array( G::encryptOld($licenseManager->result), ['38afd7ae34bd5e3e6fc170d8b09178a3', 'ba2b45bdc11e2a4a6e86aab2ac693cbb'] )) { return -7; } /*----------------------------------********---------------------------------*/ if (strlen($strPass) === 0) { return -2; } //check if the user exists in the table RB_WORKFLOW.USERS $this->initRBAC(); //if the user exists, the VerifyUser function will return the user properties if ($this->userObj->verifyUser($strUser) == 0) { //here we are checking if the automatic user Register is enabled, ioc return -1 $res = $this->checkAutomaticRegister($strUser, $strPass); if ($res == 1) { $this->userObj->verifyUser($strUser); } else { return $res; } } //default values $authType = 'mysql'; if (isset($this->userObj->fields['USR_AUTH_TYPE'])) { $authType = strtolower($this->userObj->fields['USR_AUTH_TYPE']); } //Hook for RBAC plugins if ($authType != "mysql" && $authType != "") { $res = $this->VerifyWithOtherAuthenticationSource($authType, $this->userObj->fields, $strPass); return $res; } else { $this->userObj->reuseUserFields = true; $res = $this->userObj->VerifyLogin($strUser, $strPass); return $res; } } /** * Verify if the user exist or not exists, the argument is the UserName * * @author Everth S. Berrios * @access public * @param string $strUser * @return $res */ public function verifyUser($strUser) { $res = $this->userObj->verifyUser($strUser); return $res; } /** * Verify if the user exist or not exists, the argument is the UserUID * * @access public * @param string $strUserId * @return $res */ public function verifyUserId($strUserId) { $res = $this->userObj->verifyUserId($strUserId); return $res; } /** * Verify if the user has a right over the permission. Ex. * $rbac->userCanAccess("PM_CASES"); * * Alias of permissions: * PM_CASES has alias: PM_GUEST_CASE * This means that a role with PM_GUEST_CASE could access like one with PM_CASES * unless the permission is required as strict, like this: * $rbac->userCanAccess("PM_CASES/strict"); * * @access public * @param string $uid id of user * @param string $system Code of System * @param string $permBase id of Permissions * @return int 1: If it is ok * -1: System doesn't exists * -2: The User has not a Role * -3: The User has not this Permission. */ public function userCanAccess($permBase) { $strict = substr($permBase, -7, 7) === '/strict'; $perm = $strict ? substr($permBase, 0, -7) : $permBase; if (isset($this->aUserInfo[$this->sSystem]['PERMISSIONS'])) { $res = -3; foreach ($this->aUserInfo[$this->sSystem]['PERMISSIONS'] as $key => $val) { if ($perm == $val['PER_CODE']) { $res = 1; } $hasAliasPermission = !$strict && isset($this->aliasPermissions[$perm]) && array_search( $val['PER_CODE'], $this->aliasPermissions[$perm] ) !== false; if ($hasAliasPermission) { $res = 1; break; } } } else { $res = -1; } return $res; } /** * to create an user * * @access public * @param array $dataCase * @param string $rolCode * @return $userUid */ public function createUser($dataCase = [], $rolCode = '') { if ($dataCase['USR_STATUS'] . '' === '1') { $dataCase['USR_STATUS'] = 'ACTIVE'; } if ($dataCase['USR_STATUS'] . '' === '0') { $dataCase['USR_STATUS'] = 'INACTIVE'; } if ($dataCase['USR_STATUS'] === 'ACTIVE') { $dataCase['USR_STATUS'] = 1; } if ($dataCase['USR_STATUS'] === 'INACTIVE') { $dataCase['USR_STATUS'] = 0; } $userUid = $this->userObj->create($dataCase); if ($rolCode !== '') { $this->assignRoleToUser($userUid, $rolCode); } return $userUid; } /** * Update an user * * @access public * @param array $dataCase * @param string $rolCode * @return void */ public function updateUser($dataCase = [], $rolCode = '') { if (isset($dataCase['USR_STATUS'])) { if ($dataCase['USR_STATUS'] === 'ACTIVE') { $dataCase['USR_STATUS'] = 1; } } $currentUser = $this->userObj; $this->userObj = new RbacUsers(); $this->userObj->update($dataCase); if ($rolCode != '') { $this->removeRolesFromUser($dataCase['USR_UID']); $this->assignRoleToUser($dataCase['USR_UID'], $rolCode); } $this->userObj = $currentUser; } /** * To put role an user * * @access public * @param string $userUid * @param string $rolCode * @return void */ public function assignRoleToUser($userUid = '', $rolCode = '') { $aRol = $this->rolesObj->loadByCode($rolCode); $this->usersRolesObj->create($userUid, $aRol['ROL_UID']); } /** * Remove a role from an user * * @access public * @param string $userUid * @return void */ public function removeRolesFromUser($userUid = '') { $criteria = new Criteria('rbac'); $criteria->add(UsersRolesPeer::USR_UID, $userUid); $criteria->add(UsersRolesPeer::ROL_UID, [RBAC::PROCESSMAKER_GUEST_UID], Criteria::NOT_IN); UsersRolesPeer::doDelete($criteria); } /** * change status of an user * * @access public * @param string $userUid * @param string $userStatus * @return void */ public function changeUserStatus($userUid = '', $userStatus = 'ACTIVE') { if ($userStatus === 'ACTIVE') { $userStatus = 1; } $fields = $this->userObj->load($userUid); $fields['USR_STATUS'] = $userStatus; $this->userObj->update($fields); } /** * remove an user * * @access public * @param string $userUid * @return void */ public function removeUser($userUid = '') { $this->userObj->remove($userUid); $this->removeRolesFromUser($userUid); } // /** * getting user's basic information (rbac) * * getting datas that is saved in rbac * * @access public * * @param string $uid id user * @return array with info of an user */ public function load($uid) { $this->initRBAC(); $this->userObj->Fields = $this->userObj->load($uid); $fieldsSystem = $this->systemObj->loadByCode($this->sSystem); $fieldsRoles = $this->usersRolesObj->getRolesBySystem($fieldsSystem['SYS_UID'], $uid); $this->userObj->Fields['USR_ROLE'] = $fieldsRoles['ROL_CODE']; return $this->userObj->Fields; } /** * create permission * * * @access public * * @param string $code * @return void */ public function createPermision($code) { return $this->permissionsObj->create(['PER_CODE' => $code]); } /** * list all roles * * * @access public * * @param string $systemCode * @return $this->rolesObj */ public function listAllRoles($systemCode = 'PROCESSMAKER') { return $this->rolesObj->listAllRoles($systemCode); } /** * getting all roles * * * @access public * * @param string $systemCode * @return $this->rolesObj->getAllRoles */ public function getAllRoles($systemCode = 'PROCESSMAKER') { return $this->rolesObj->getAllRoles($systemCode); } /** * getting all roles by filter * * * @access public * @param string $filter * @return $this->rolesObj->getAllRolesFilter */ public function getAllRolesFilter($start, $limit, $filter) { return $this->rolesObj->getAllRolesFilter($start, $limit, $filter); } /** * list all permission * * * @access public * * @param string $systemCode * @return $this->rolesObj->listAllPermissions */ public function listAllPermissions($systemCode = 'PROCESSMAKER') { return $this->rolesObj->listAllPermissions($systemCode); } /** * this function creates a role * * * @access public * * @param array $dataCase * @return $this->rolesObj->createRole */ public function createRole($dataCase) { return $this->rolesObj->createRole($dataCase); } /** * this function removes a role * * * @access public * * @param string $rolUid * $@return $this->rolesObj->removeRole */ public function removeRole($rolUid) { return $this->rolesObj->removeRole($rolUid); } /** * this function checks a new role * * * @access public * * @param string $code * @return $this->rolesObj->verifyNewRole */ public function verifyNewRole($code) { return $this->rolesObj->verifyNewRole($code); } /** * this function updates a role * * * @access public * * @param string $fields * @return $this->rolesObj->updateRole */ public function updateRole($fields) { return $this->rolesObj->updateRole($fields); } /** * this function loads by ID * * * @access public * * @param string $rolUid * @return $this->rolesObj->loadById */ public function loadById($rolUid) { return $this->rolesObj->loadById($rolUid); } /** * Get Role code * * @access public * * @param string $role * * @return string */ public function getRoleCodeValid($role) { $roleCode = ''; if (!empty($role)) { if ($this->verifyByCode($role)) { //If is a valid ROL_CODE $roleCode = $role; } else { //We will to check by ROL_UID $roleInfo = $this->loadById($role); $roleCode = !empty($roleInfo['ROL_CODE']) ? $roleInfo['ROL_CODE'] : ''; } } return $roleCode; } /** * this function gets the user's roles * * * @access public * * @param string $rolUid * @return $this->rolesObj->getRoleUsers */ public function getRoleUsers($rolUid, $filter = '') { throw new Exception(__METHOD__ . ': The method is deprecated'); } /** * this function gets the number of users by roles * * * @access public * * @return $this->rolesObj->getAllUsersByRole */ public function getAllUsersByRole() { return $this->rolesObj->getAllUsersByRole(); } /** * this function gets the number of users by department * * * @access public * * @return $this->rolesObj->getAllUsersByRole */ public function getAllUsersByDepartment() { return $this->rolesObj->getAllUsersByDepartment(); } /** * this function gets roles code * * * @access public * * @param string $rolUid * @return $this->rolesObj->getRoleCode */ public function getRoleCode($rolUid) { return $this->rolesObj->getRoleCode($rolUid); } /** * this function removes role from an user * * * @access public * * @param string $rolUid * @param string $USR_UID * @return $this->rolesObj->deleteUserRole */ public function deleteUserRole($rolUid, $USR_UID) { return $this->rolesObj->deleteUserRole($rolUid, $USR_UID); } /** * this function gets all user * * * @access public * * @param string $rolUid * @return $this->rolesObj->getAllUsers */ public function getAllUsers($rolUid, $filter = '') { throw new Exception(__METHOD__ . ': The method is deprecated'); } /** * this function assigns role an user * * * @access public * * @param array $dataCase * @return $this->rolesObj->assignUserToRole */ public function assignUserToRole($dataCase) { return $this->rolesObj->assignUserToRole($dataCase); } /** * this function gets role permission * * * @access public * * @param string $rolUid * @return $this->rolesObj->getRolePermissionsByPerUid */ public function getRolePermissionsByPerUid($rolUid) { return $this->rolesObj->getRolePermissionsByPerUid($rolUid); } /** * this function is Assignee role permission * * * @access public * * @param string $rolUid * @return $this->rolesObj->isAssigneRolePermission */ public function getPermissionAssignedRole($rolUid, $perUid) { return $this->rolesObj->getPermissionAssignedRole($rolUid, $perUid); } /** * this function gets role permission * * * @access public * * @param string $rolUid * @param string $filter * @param string $status * @return $this->rolesObj->getRolePermissions */ public function getRolePermissions($rolUid, $filter = '', $status = null) { return $this->rolesObj->getRolePermissions($rolUid, $filter, $status); } /** * this function gets all permissions * * * @access public * * @param string $rolUid * @param string $perSystem * @param string $filter * @param string $status * @return $this->rolesObj->getAllPermissions */ public function getAllPermissions($rolUid, $perSystem = "", $filter = '', $status = null) { return $this->rolesObj->getAllPermissions($rolUid, $perSystem, $filter, $status); } /** * this function assigns permissions and role * * * @access public * * @param array $dataCase * @return $this->rolesObj->assignPermissionRole */ public function assignPermissionRole($dataCase) { return $this->rolesObj->assignPermissionRole($dataCase); } /** * this function assigns permissions to a role * * * @access public * * @param string $roleUid * @param string $permissionUid * @return $this->rolesPermissionsObj->create */ public function assignPermissionToRole($roleUid, $permissionUid) { return $this->rolesPermissionsObj->create(array('ROL_UID' => $roleUid, 'PER_UID' => $permissionUid)); } /** * this function removes permission to role * * * @access public * * @param string $rolUid * @param string $perUid * @return $this->rolesObj->deletePermissionRole */ public function deletePermissionRole($rolUid, $perUid) { return $this->rolesObj->deletePermissionRole($rolUid, $perUid); } /** * this function counts number of user without role * * * @access public * * @param string $rolUid * @return $this->rolesObj->numUsersWithRole */ public function numUsersWithRole($rolUid) { return $this->rolesObj->numUsersWithRole($rolUid); } /** * this function creates system code * * * @access public * * @param string $code * @return $this->systemObj->create */ public function createSystem($code) { return $this->systemObj->create(array( 'SYS_CODE' => $code )); } /** * this function checks by code * * * @access public * * @param string $code * @return $this->rolesObj->verifyByCode */ public function verifyByCode($code) { return $this->rolesObj->verifyByCode($code); } /** * this function gets all authentication source * Authentication Sources * * @access public * * @param void * @return $this->authSourcesObj->getAllAuthSources() */ public function getAllAuthSources() { return $this->authSourcesObj->getAllAuthSources(); } /** * this function gets all authentication source * Authentication Sources By User * * @access public * @author Enrique Ponce de Leon * @param void * @return $this->authSourcesObj->getAllAuthSources() */ public function getAllAuthSourcesByUser() { return $this->authSourcesObj->getAllAuthSourcesByUser(); } /** * this function gets all authentication source * Authentication Sources based at parameters * * @access public * @author Enrique Ponce de Leon * @param int $start offset value to paging grid * @param int $limit limit value to paging grid * @param string $filter value to search or filter select * @return $this->authSourcesObj->getAuthenticationSources() */ public function getAuthenticationSources($start, $limit, $filter = '') { return $this->authSourcesObj->getAuthenticationSources($start, $limit, $filter); } /** * this function gets all authentication source * Authentication Sources * * @access public * * @param string $uid * @return $this->authSourcesObj->load */ public function getAuthSource($uid) { $data = $this->authSourcesObj->load($uid); $pass = explode("_", $data['AUTH_SOURCE_PASSWORD']); foreach ($pass as $index => $value) { if ($value == '2NnV3ujj3w') { $data['AUTH_SOURCE_PASSWORD'] = G::decrypt($pass[0], $data['AUTH_SOURCE_SERVER_NAME']); } } $this->authSourcesObj->Fields = $data; return $this->authSourcesObj->Fields; } /** * this function creates an authentication source * Authentication Sources * * @access public * * @param array $dataCase * @return $this->authSourcesObj->create */ public function createAuthSource($dataCase) { $dataCase['AUTH_SOURCE_PASSWORD'] = G::encrypt( $dataCase['AUTH_SOURCE_PASSWORD'], $dataCase['AUTH_SOURCE_SERVER_NAME'] ,false, false ) . "_2NnV3ujj3w"; $this->authSourcesObj->create($dataCase); } /** * this function updates an authentication source * Authentication Sources * * @access public * * @param array $dataCase * @return $this->authSourcesObj->create */ public function updateAuthSource($dataCase) { $dataCase['AUTH_SOURCE_PASSWORD'] = G::encrypt( $dataCase['AUTH_SOURCE_PASSWORD'], $dataCase['AUTH_SOURCE_SERVER_NAME'] , false, false ) . "_2NnV3ujj3w"; $this->authSourcesObj->update($dataCase); } /** * this function removes an authentication source * Authentication Sources * * @access public * * @param string $uid * @return $this->authSourcesObj->remove */ public function removeAuthSource($uid) { $this->authSourcesObj->remove($uid); } /** * this function gets all users by authentication source * * @access public * * @param void * @return $this->userObj->getAllUsersByAuthSource() */ public function getAllUsersByAuthSource() { return $this->userObj->getAllUsersByAuthSource(); } /** * this function gets all users by authentication source * * @access public * * @param void * @return $this->userObj->getAllUsersByAuthSource() */ public function getListUsersByAuthSource($source) { return $this->userObj->getListUsersByAuthSource($source); } /** * this function searchs users * * * @access public * * @param string $uid * @param string $keyword * @return array */ public function searchUsers($uid, $keyword) { $aAuthSource = $this->getAuthSource($uid); $authType = strtolower($aAuthSource['AUTH_SOURCE_PROVIDER']); foreach ($this->aRbacPlugins as $className) { if (strtolower($className) == $authType) { $plugin = new $className(); $plugin->sAuthSource = $uid; $plugin->sSystem = $this->sSystem; return $plugin->searchUsers($keyword); } } return []; } public function requirePermissions($permissions) { $numPerms = func_num_args(); $permissions = func_get_args(); $access = -1; if ($numPerms == 1) { $access = $this->userCanAccess($permissions[0]); } elseif ($numPerms > 0) { foreach ($permissions as $perm) { $access = $this->userCanAccess($perm); if ($access == 1) { $access = 1; break; } } } else { throw new Exception('function requirePermissions() ->ERROR: Parameters missing!'); } if ($access == 1) { return true; } else { switch ($access) { case -2: G::SendTemporalMessage('ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels'); G::header('location: ../login/login'); break; case -1: default: G::SendTemporalMessage('ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels'); G::header('location: ../login/login'); break; } exit(0); } } private function getAllFiles($directory, $recursive = true) { $result = []; if (is_dir($directory)) { $handle = opendir($directory); while ($datei = readdir($handle)) { if (($datei != '.') && ($datei != '..')) { $file = $directory . $datei; if (is_dir($file)) { if ($recursive) { $result = array_merge($result, getAllFiles($file . '/')); } } else { $result[] = $file; } } } closedir($handle); } return $result; } private function getFilesTimestamp($directory, $recursive = true) { $allFiles = self::getAllFiles($directory, $recursive); $fileArray = []; foreach ($allFiles as $val) { $timeResult['file'] = $val; $timeResult['timestamp'] = filemtime($val); $fileArray[] = $timeResult; } return $fileArray; } public function cleanSessionFiles($hours = 72) { $currentTime = strtotime("now"); $timeDifference = $hours * 60 * 60; $limitTime = $currentTime - $timeDifference; $sessionsPath = PATH_DATA . 'session' . PATH_SEP; $filesResult = self::getFilesTimestamp($sessionsPath); $count = 0; foreach ($filesResult as $file) { if ($file['timestamp'] < $limitTime) { unlink($file['file']); $count++; } } } /** * This function verify the permissions * * @access public * * @return array */ public function verifyPermissions() { $message = []; $this->verifyGuestUserRolePermission(); $listPermissions = $this->loadPermissionAdmin(); $criteria = new Criteria('rbac'); $dataset = PermissionsPeer::doSelectRS($criteria); $dataset->setFetchmode(ResultSet::FETCHMODE_ASSOC); $dataset->next(); $aRow = $dataset->getRow(); while (is_array($aRow)) { foreach ($listPermissions as $key => $item) { if ($aRow['PER_UID'] == $item['PER_UID']) { unset($listPermissions[$key]); break; } } $dataset->next(); $aRow = $dataset->getRow(); } foreach ($listPermissions as $key => $item) { //Adding new permissions $data = []; $data['PER_UID'] = $item['PER_UID']; $data['PER_CODE'] = $item['PER_CODE']; $data['PER_CREATE_DATE'] = date('Y-m-d H:i:s'); $data['PER_UPDATE_DATE'] = $data['PER_CREATE_DATE']; $data['PER_STATUS'] = 1; $permission = new Permissions(); $permission->fromArray($data, BasePeer::TYPE_FIELDNAME); $permission->save(); $message[] = 'Add permission missing ' . $item['PER_CODE']; //Adding new labels for new permissions $o = new RolesPermissions(); $o->setPerUid($item['PER_UID']); $o->setPermissionName($item['PER_NAME']); // Assigning new permissions to specific roles $this->assigningNewPermissionsForAdmin($item); $this->assigningNewPermissionsPmEditProfile($item); } return $message; } /** * Assign new permissions to the role defined * Permissions with the name with PM_SETUP_* or defined in the array $defaultPermissionsForAdmin * @param array $item */ public function assigningNewPermissionsForAdmin($item = []) { if (strpos($item['PER_CODE'], 'PM_SETUP_') !== false || in_array($item['PER_CODE'], self::$defaultPermissionsForAdmin)) { $rolesWithPermissionSetup = $this->getRolePermissionsByPerUid(self::SETUPERMISSIONUID); $rolesWithPermissionSetup->next(); while ($aRow = $rolesWithPermissionSetup->getRow()) { $isAssignedNewpermissions = $this->getPermissionAssignedRole($aRow['ROL_UID'], $item['PER_UID']); if (!$isAssignedNewpermissions) { $dataPermissions = []; $dataPermissions['ROL_UID'] = $aRow['ROL_UID']; $dataPermissions['PER_UID'] = $item['PER_UID']; $this->assignPermissionRole($dataPermissions); } $rolesWithPermissionSetup->next(); } } } /** * Permissions for Edit Profile User * @param array $item */ public function assigningNewPermissionsPmEditProfile($item = []) { if (strpos($item['PER_CODE'], 'PM_EDIT_USER_PROFILE_') !== false) { $allRolesRolUid = $this->getAllRoles('PROCESSMAKER'); $perCodePM = array('PROCESSMAKER_ADMIN', 'PROCESSMAKER_OPERATOR', 'PROCESSMAKER_MANAGER'); $permissionsForOperator = array( 'PM_EDIT_USER_PROFILE_POSITION', 'PM_EDIT_USER_PROFILE_REPLACED_BY', 'PM_EDIT_USER_PROFILE_EXPIRATION_DATE', 'PM_EDIT_USER_PROFILE_STATUS', 'PM_EDIT_USER_PROFILE_ROLE', 'PM_EDIT_USER_PROFILE_COSTS', 'PM_EDIT_USER_PROFILE_USER_MUST_CHANGE_PASSWORD_AT_NEXT_LOGON', 'PM_EDIT_USER_PROFILE_DEFAULT_MAIN_MENU_OPTIONS', 'PM_EDIT_USER_PROFILE_DEFAULT_CASES_MENU_OPTIONS' ); foreach ($allRolesRolUid as $index => $aRow) { $isAssignedNewpermissions = $this->getPermissionAssignedRole($aRow['ROL_UID'], $item['PER_UID']); $assignPermissions = true; if (!$isAssignedNewpermissions) { if ($aRow['ROL_CODE'] == 'PROCESSMAKER_OPERATOR' && in_array( $item['PER_CODE'], $permissionsForOperator )) { $assignPermissions = false; } if (!in_array($aRow['ROL_CODE'], $perCodePM)) { $assignPermissions = false; $checkPermisionEdit = $this->getPermissionAssignedRole( $aRow['ROL_UID'], '00000000000000000000000000000014' ); if ($checkPermisionEdit && !in_array($item['PER_CODE'], $permissionsForOperator)) { $assignPermissions = true; } } if ($assignPermissions) { $dataPermissions = []; $dataPermissions['ROL_UID'] = $aRow['ROL_UID']; $dataPermissions['PER_UID'] = $item['PER_UID']; $this->assignPermissionRole($dataPermissions); } } } } } /** * This function verify if the user allows to the file with a specific action * If the action is not defined in the authorizedActions we give the allow * @param string $file * @param string $action * * @return void * @throws RBACException */ public function allows($file, $action) { $access = false; if (isset($this->authorizedActions[$file][$action])) { $permissions = $this->authorizedActions[$file][$action]; $totalPermissions = count($permissions); $countAccess = 0; foreach ($permissions as $key => $value) { $atLeastPermission = explode(',', $value); foreach ($atLeastPermission as $permission) { if ($this->userCanAccess(trim($permission)) == 1) { $countAccess++; break; } } } //Check if the user has all permissions that needed if ($countAccess == $totalPermissions) { $access = true; } } if (!$access) { throw new RBACException('ID_ACCESS_DENIED', 403); } } /** * Enable compatibility with hash login */ public function enableLoginWithHash() { $this->enableLoginHash = true; } /** * Disable compatibility with hash login */ public function disableLoginWithHash() { $this->enableLoginHash = false; } /** * Return status login with hash * * @return bool */ public function loginWithHash() { return $this->enableLoginHash; } /** * Returns true in case the parameter corresponds to the invited user, * otherwise it returns false. * * @param string $usrUid * @return boolean */ public static function isGuestUserUid($usrUid) { return self::GUEST_USER_UID === $usrUid; } }