. * * For more information, contact Colosa Inc, 2566 Le Jeune Rd., * Coral Gables, FL, 33134, USA, or email info@colosa.com. * */ use ProcessMaker\Exception\RBACException; /** * File: $Id$ * * RBAC class definition * * @package gulliver.system * @copyright (C) 2002 by Colosa Development Team. * @link http://www.colosa.com * @link http://manuals.colosa.com/gulliver/rbac.html * @author Fernando Ontiveros */ /** * Clase Wrapper * * @package gulliver.system * @author Fernando Ontiveros */ class RBAC { const SETUPERMISSIONUID= '00000000000000000000000000000002'; const PER_SYSTEM = '00000000000000000000000000000002'; const PM_GUEST_CASE = 'PM_GUEST_CASE'; const PM_GUEST_CASE_UID = '00000000000000000000000000000066'; const PROCESSMAKER_GUEST = 'PROCESSMAKER_GUEST'; const PROCESSMAKER_GUEST_UID = '00000000000000000000000000000005'; const GUEST_USER_UID = '00000000000000000000000000000002'; /** * * @access private * @var $userObj */ public $userObj; public $usersPermissionsObj; public $usersRolesObj; public $systemObj; public $rolesObj; public $permissionsObj; public $userloggedobj; public $currentSystemobj; public $rolesPermissionsObj; public $authSourcesObj; public $aUserInfo = array (); public $aRbacPlugins = array (); public $sSystem = ''; public $singleSignOn = false; private static $instance = null; public $authorizedActions = array(); private $aliasPermissions = []; /** * To enable compatibility with soap login. * @var bool */ private $enableLoginHash = false; public function __construct () { $this->authorizedActions = array( 'users_Ajax.php' => array( 'availableUsers' => array('PM_FACTORY'), 'assign' => array('PM_FACTORY'), 'changeView' => array(), 'ofToAssign' => array('PM_FACTORY'), 'usersGroup' => array('PM_FACTORY'), 'canDeleteUser' => array('PM_USERS'), 'deleteUser' => array('PM_USERS'), 'changeUserStatus' => array('PM_USERS'), 'availableGroups' => array('PM_USERS'), 'assignedGroups' => array('PM_USERS'), 'assignGroupsToUserMultiple' => array('PM_USERS'), 'deleteGroupsToUserMultiple' => array('PM_USERS'), 'authSources' => array('PM_USERS'), 'loadAuthSourceByUID' => array('PM_USERS'), 'updateAuthServices' => array('PM_USERS'), 'usersList' => array('PM_USERS'), 'updatePageSize' => array(), 'summaryUserData' => array('PM_USERS'), 'verifyIfUserAssignedAsSupervisor' => array('PM_USERS') ), 'skin_Ajax.php' => array( 'updatePageSize' => array(), 'skinList' => array('PM_SETUP_SKIN'), 'newSkin' => array('PM_SETUP_SKIN'), 'importSkin' => array('PM_SETUP_SKIN'), 'exportSkin' => array('PM_SETUP_SKIN'), 'deleteSkin' => array('PM_SETUP_SKIN'), 'streamSkin' => array('PM_SETUP_SKIN'), 'addTarFolder' => array('PM_SETUP_SKIN'), 'copy_skin_folder' => array('PM_SETUP_SKIN') ), 'processes_DownloadFile.php' => array( 'downloadFileHash' => array('PM_FACTORY') ), 'processProxy.php' => array( 'categoriesList' => array('PM_SETUP_PROCESS_CATEGORIES'), 'getCategoriesList' => array('PM_FACTORY'), 'saveProcess' => array('PM_FACTORY'), 'changeStatus' => array('PM_FACTORY'), 'changeDebugMode' => array('PM_FACTORY'), 'getUsers' => array(), 'getGroups' => array(), 'assignActorsTask' => array(), 'removeActorsTask' => array(), 'getActorsTask' => array(), 'getProcessDetail' => array(), 'getProperties' => array(), 'saveProperties' => array(), 'getCaledarList' => array(), 'getPMVariables' => array(), 'generateBpmn' => array('PM_FACTORY') ), 'home.php' => array( 'login' => array('PM_LOGIN'), 'index' => array('PM_CASES/strict'), 'indexSingle' => array('PM_CASES/strict'), 'appList' => array('PM_CASES/strict'), 'appAdvancedSearch' => array('PM_ALLCASES'), 'getApps' => array('PM_ALLCASES'), 'getAppsData' => array('PM_ALLCASES'), 'startCase' => array('PM_CASES/strict'), 'error' => array(), 'getUserArray' => array('PM_ALLCASES'), 'getCategoryArray' => array('PM_ALLCASES'), 'getAllUsersArray' => array('PM_ALLCASES'), 'getStatusArray' => array('PM_ALLCASES'), 'getProcessArray' => array('PM_ALLCASES'), 'getProcesses' => array('PM_ALLCASES'), 'getUsers' => array('PM_ALLCASES') ), 'newSite.php' => array( 'newSite.php' => array('PM_SETUP_ADVANCE') ), 'emailsAjax.php' => array( 'MessageList' => array('PM_SETUP', 'PM_SETUP_LOGS'), 'updateStatusMessage' => array('PM_SETUP', 'PM_SETUP_LOGS'), ), 'processCategory_Ajax.php' => array( 'processCategoryList' => array('PM_SETUP', 'PM_SETUP_PROCESS_CATEGORIES'), 'updatePageSize' => array('PM_SETUP', 'PM_SETUP_PROCESS_CATEGORIES'), 'checkCategoryName' => array('PM_SETUP', 'PM_SETUP_PROCESS_CATEGORIES'), 'saveNewCategory' => array('PM_SETUP', 'PM_SETUP_PROCESS_CATEGORIES'), 'checkEditCategoryName' => array('PM_SETUP', 'PM_SETUP_PROCESS_CATEGORIES'), 'updateCategory' => array('PM_SETUP', 'PM_SETUP_PROCESS_CATEGORIES'), 'canDeleteCategory' => array('PM_SETUP', 'PM_SETUP_PROCESS_CATEGORIES'), 'deleteCategory' => array('PM_SETUP', 'PM_SETUP_PROCESS_CATEGORIES') ), 'emailServerAjax.php' => array( 'INS' => array('PM_SETUP'), 'UPD' => array('PM_SETUP'), 'DEL' => array('PM_SETUP'), 'LST' => array('PM_SETUP'), 'TEST' => array('PM_SETUP') ) ); $this->aliasPermissions['PM_CASES'] = [self::PM_GUEST_CASE]; $this->aliasPermissions['PM_LOGIN'] = [self::PM_GUEST_CASE]; } /** * to get singleton instance * * @access public * @return object */ public function &getSingleton () { if (self::$instance == null) { self::$instance = new RBAC(); } return self::$instance; } /** * to get start with some classess * * @access public * @return object */ public function initRBAC () { if (is_null( $this->userObj )) { $this->userObj = new RbacUsers(); } if (is_null( $this->systemObj )) { $this->systemObj = new Systems(); } if (is_null( $this->usersRolesObj )) { $this->usersRolesObj = new UsersRoles(); } if (is_null( $this->rolesObj )) { $this->rolesObj = new Roles(); } if (is_null( $this->permissionsObj )) { $this->permissionsObj = new Permissions(); } if (is_null( $this->rolesPermissionsObj )) { $this->rolesPermissionsObj = new RolesPermissions(); } if (is_null( $this->authSourcesObj )) { $this->authSourcesObj = new AuthenticationSource(); } //hook for RBAC plugins $pathPlugins = PATH_RBAC . 'plugins'; if (is_dir( $pathPlugins )) { if ($handle = opendir( $pathPlugins )) { while (false !== ($file = readdir( $handle ))) { if (strpos( $file, '.php', 1 ) && is_file( $pathPlugins . PATH_SEP . $file ) && substr( $file, 0, 6 ) == 'class.' && substr( $file, - 4 ) == '.php') { $sClassName = substr( $file, 6, strlen( $file ) - 10 ); require_once ($pathPlugins . PATH_SEP . $file); $this->aRbacPlugins[] = $sClassName; } } } } if (!in_array('ldapAdvanced', $this->aRbacPlugins)) { if (class_exists('ldapAdvanced')) { $this->aRbacPlugins[] = 'ldapAdvanced'; } } } /** * gets the Role and their permissions for Administrator Processmaker * * @access public * @return $this->permissionsAdmin[ $permissionsAdmin ] */ public function loadPermissionAdmin() { $permissionsAdmin = array(array("PER_UID" => "00000000000000000000000000000001", "PER_CODE" => "PM_LOGIN", "PER_NAME" => "Login" ), array("PER_UID" => "00000000000000000000000000000002", "PER_CODE" => "PM_SETUP", "PER_NAME" => "Setup" ), array("PER_UID" => "00000000000000000000000000000003", "PER_CODE" => "PM_USERS", "PER_NAME" => "Users" ), array("PER_UID" => "00000000000000000000000000000004", "PER_CODE" => "PM_FACTORY", "PER_NAME" => "Design Process" ), array("PER_UID" => "00000000000000000000000000000005", "PER_CODE" => "PM_CASES", "PER_NAME" => "Create Users" ), array("PER_UID" => "00000000000000000000000000000006", "PER_CODE" => "PM_ALLCASES", "PER_NAME" => "All Cases" ), array("PER_UID" => "00000000000000000000000000000007", "PER_CODE" => "PM_REASSIGNCASE", "PER_NAME" => "Reassign case" ), array("PER_UID" => "00000000000000000000000000000008", "PER_CODE" => "PM_REPORTS", "PER_NAME" => "PM reports" ), array("PER_UID" => "00000000000000000000000000000009", "PER_CODE" => "PM_SUPERVISOR", "PER_NAME" => "Supervisor" ), array("PER_UID" => "00000000000000000000000000000010", "PER_CODE" => "PM_SETUP_ADVANCE", "PER_NAME" => "Setup Advanced" ), array("PER_UID" => "00000000000000000000000000000011", "PER_CODE" => "PM_DASHBOARD", "PER_NAME" => "Dashboard" ), array("PER_UID" => "00000000000000000000000000000012", "PER_CODE" => "PM_WEBDAV", "PER_NAME" => "WebDav" ), array("PER_UID" => "00000000000000000000000000000013", "PER_CODE" => "PM_DELETECASE", "PER_NAME" => "Cancel cases" ), array("PER_UID" => "00000000000000000000000000000014", "PER_CODE" => "PM_EDITPERSONALINFO", "PER_NAME" => "Edit Personal Info" ), array("PER_UID" => "00000000000000000000000000000015", "PER_CODE" => "PM_FOLDERS_VIEW", "PER_NAME" => "View Folders" ), array("PER_UID" => "00000000000000000000000000000016", "PER_CODE" => "PM_FOLDERS_ADD_FOLDER", "PER_NAME" => "Delete folders" ), array("PER_UID" => "00000000000000000000000000000017", "PER_CODE" => "PM_FOLDERS_ADD_FILE", "PER_NAME" => "Delete folders" ), array("PER_UID" => "00000000000000000000000000000018", "PER_CODE" => "PM_CANCELCASE", "PER_NAME" => "Cancel cases" ), array("PER_UID" => "00000000000000000000000000000019", "PER_CODE" => "PM_FOLDER_DELETE", "PER_NAME" => "Cancel cases" ), array("PER_UID" => "00000000000000000000000000000020", "PER_CODE" => "PM_SETUP_LOGO", "PER_NAME" => "Setup Logo" ), array("PER_UID" => "00000000000000000000000000000021", "PER_CODE" => "PM_SETUP_EMAIL", "PER_NAME" => "Setup Email" ), array("PER_UID" => "00000000000000000000000000000022", "PER_CODE" => "PM_SETUP_CALENDAR", "PER_NAME" => "Setup Calendar" ), array("PER_UID" => "00000000000000000000000000000023", "PER_CODE" => "PM_SETUP_PROCESS_CATEGORIES", "PER_NAME" => "Setup Process Categories" ), array("PER_UID" => "00000000000000000000000000000024", "PER_CODE" => "PM_SETUP_CLEAR_CACHE", "PER_NAME" => "Setup Clear Cache" ), array("PER_UID" => "00000000000000000000000000000025", "PER_CODE" => "PM_SETUP_HEART_BEAT", "PER_NAME" => "Setup Heart Beat" ), array("PER_UID" => "00000000000000000000000000000026", "PER_CODE" => "PM_SETUP_ENVIRONMENT", "PER_NAME" => "Setup Environment" ), array("PER_UID" => "00000000000000000000000000000027", "PER_CODE" => "PM_SETUP_PM_TABLES", "PER_NAME" => "Setup PM Tables" ), array("PER_UID" => "00000000000000000000000000000028", "PER_CODE" => "PM_SETUP_LOGIN", "PER_NAME" => "Setup Login" ), array("PER_UID" => "00000000000000000000000000000029", "PER_CODE" => "PM_SETUP_DASHBOARDS", "PER_NAME" => "Setup Dashboards" ), array("PER_UID" => "00000000000000000000000000000030", "PER_CODE" => "PM_SETUP_LANGUAGE", "PER_NAME" => "Setup Language" ), array("PER_UID" => "00000000000000000000000000000031", "PER_CODE" => "PM_SETUP_SKIN", "PER_NAME" => "Setup Skin" ), array("PER_UID" => "00000000000000000000000000000032", "PER_CODE" => "PM_SETUP_CASES_LIST_CACHE_BUILDER", "PER_NAME" => "Setup Case List Cache Builder" ), array("PER_UID" => "00000000000000000000000000000033", "PER_CODE" => "PM_SETUP_PLUGINS", "PER_NAME" => "Setup Plugins" ), array("PER_UID" => "00000000000000000000000000000034", "PER_CODE" => "PM_SETUP_USERS_AUTHENTICATION_SOURCES", "PER_NAME" => "Setup User Authentication Sources" ), array("PER_UID" => "00000000000000000000000000000035", "PER_CODE" => "PM_SETUP_LOGS", "PER_NAME" => "Setup Logs" ), array("PER_UID" => "00000000000000000000000000000036", "PER_CODE" => "PM_DELETE_PROCESS_CASES", "PER_NAME" => "Delete process cases" ), array("PER_UID" => "00000000000000000000000000000037", "PER_CODE" => "PM_EDITPERSONALINFO_CALENDAR", "PER_NAME" => "Edit personal info Calendar" ), array("PER_UID" => "00000000000000000000000000000038", "PER_CODE" => "PM_UNCANCELCASE", "PER_NAME" => "Undo cancel case" ), array("PER_UID" => "00000000000000000000000000000039", "PER_CODE" => "PM_REST_API_APPLICATIONS", "PER_NAME" => "Create rest API Aplications" ), array("PER_UID" => "00000000000000000000000000000040", "PER_CODE" => "PM_EDIT_USER_PROFILE_FIRST_NAME", "PER_NAME" => "Edit User profile First Name" ), array("PER_UID" => "00000000000000000000000000000041", "PER_CODE" => "PM_EDIT_USER_PROFILE_LAST_NAME", "PER_NAME" => "Edit User profile Last Name" ), array("PER_UID" => "00000000000000000000000000000042", "PER_CODE" => "PM_EDIT_USER_PROFILE_USERNAME", "PER_NAME" => "Edit User profile Username" ), array("PER_UID" => "00000000000000000000000000000043", "PER_CODE" => "PM_EDIT_USER_PROFILE_EMAIL", "PER_NAME" => "Edit User profile Email" ), array("PER_UID" => "00000000000000000000000000000044", "PER_CODE" => "PM_EDIT_USER_PROFILE_ADDRESS", "PER_NAME" => "Edit User profile Address" ), array("PER_UID" => "00000000000000000000000000000045", "PER_CODE" => "PM_EDIT_USER_PROFILE_ZIP_CODE", "PER_NAME" => "Edit User profile Zip Code" ), array("PER_UID" => "00000000000000000000000000000046", "PER_CODE" => "PM_EDIT_USER_PROFILE_COUNTRY", "PER_NAME" => "Edit User profile Country" ), array("PER_UID" => "00000000000000000000000000000047", "PER_CODE" => "PM_EDIT_USER_PROFILE_STATE_OR_REGION", "PER_NAME" => "Edit User profile State or Region" ), array("PER_UID" => "00000000000000000000000000000048", "PER_CODE" => "PM_EDIT_USER_PROFILE_LOCATION", "PER_NAME" => "Edit User profile Location" ), array("PER_UID" => "00000000000000000000000000000049", "PER_CODE" => "PM_EDIT_USER_PROFILE_PHONE", "PER_NAME" => "Edit User profile Phone" ), array("PER_UID" => "00000000000000000000000000000050", "PER_CODE" => "PM_EDIT_USER_PROFILE_POSITION", "PER_NAME" => "Edit User profile Position" ), array("PER_UID" => "00000000000000000000000000000051", "PER_CODE" => "PM_EDIT_USER_PROFILE_REPLACED_BY", "PER_NAME" => "Edit User profile Replaced By" ), array("PER_UID" => "00000000000000000000000000000052", "PER_CODE" => "PM_EDIT_USER_PROFILE_EXPIRATION_DATE", "PER_NAME" => "Edit User profile Expiration Date" ), array("PER_UID" => "00000000000000000000000000000053", "PER_CODE" => "PM_EDIT_USER_PROFILE_CALENDAR", "PER_NAME" => "Edit User profile Calendar" ), array("PER_UID" => "00000000000000000000000000000054", "PER_CODE" => "PM_EDIT_USER_PROFILE_STATUS", "PER_NAME" => "Edit User profile Status" ), array("PER_UID" => "00000000000000000000000000000055", "PER_CODE" => "PM_EDIT_USER_PROFILE_ROLE", "PER_NAME" => "Edit User profile Role" ), array("PER_UID" => "00000000000000000000000000000056", "PER_CODE" => "PM_EDIT_USER_PROFILE_TIME_ZONE", "PER_NAME" => "Edit User profile Time Zone" ), array("PER_UID" => "00000000000000000000000000000057", "PER_CODE" => "PM_EDIT_USER_PROFILE_DEFAULT_LANGUAGE", "PER_NAME" => "Edit User profile Default Language" ), array("PER_UID" => "00000000000000000000000000000058", "PER_CODE" => "PM_EDIT_USER_PROFILE_COSTS", "PER_NAME" => "Edit User profile Costs" ), array("PER_UID" => "00000000000000000000000000000059", "PER_CODE" => "PM_EDIT_USER_PROFILE_PASSWORD", "PER_NAME" => "Edit User profile Password" ), array("PER_UID" => "00000000000000000000000000000060", "PER_CODE" => "PM_EDIT_USER_PROFILE_USER_MUST_CHANGE_PASSWORD_AT_NEXT_LOGON", "PER_NAME" => "Edit User profile Must Change Password at next Logon" ), array("PER_UID" => "00000000000000000000000000000061", "PER_CODE" => "PM_EDIT_USER_PROFILE_PHOTO", "PER_NAME" => "Edit User profile Photo" ), array("PER_UID" => "00000000000000000000000000000062", "PER_CODE" => "PM_EDIT_USER_PROFILE_DEFAULT_MAIN_MENU_OPTIONS", "PER_NAME" => "Edit User profile Default Main Menu Options" ), array("PER_UID" => "00000000000000000000000000000063", "PER_CODE" => "PM_EDIT_USER_PROFILE_DEFAULT_CASES_MENU_OPTIONS", "PER_NAME" => "Edit User profile Default Cases Menu Options" ), array("PER_UID" => "00000000000000000000000000000064", "PER_CODE" => "PM_REASSIGNCASE_SUPERVISOR", "PER_NAME" => "Reassign case supervisor" ), array("PER_UID" => "00000000000000000000000000000065", "PER_CODE" => "PM_SETUP_CUSTOM_CASES_LIST", "PER_NAME" => "Setup Custom Cases List" ) ); return $permissionsAdmin; } /** * Create if not exists GUEST user. * * @param Roles $role * @throws Exception */ private function verifyGuestUser(Roles $role) { try { $strRole = $role->getRolCode(); $arrayData = array(); $arrayData["USR_UID"] = self::GUEST_USER_UID; $arrayData["USR_USERNAME"] = 'guest'; $arrayData["USR_PASSWORD"] = '674ba9750749d735ec9787d606170d78'; $arrayData["USR_FIRSTNAME"] = 'Guest'; $arrayData["USR_LASTNAME"] = ''; $arrayData["USR_EMAIL"] = 'guest@processmaker.com'; $arrayData["USR_DUE_DATE"] = '2200-01-01'; $arrayData["USR_CREATE_DATE"] = date("Y-m-d H:i:s"); $arrayData["USR_UPDATE_DATE"] = date("Y-m-d H:i:s"); $arrayData["USR_BIRTHDAY"] = '2009-02-01'; $arrayData["USR_AUTH_USER_DN"] = ""; $arrayData["USR_STATUS"] = 0; $rbacUserExists = RbacUsersPeer::retrieveByPK(self::GUEST_USER_UID); $isNotRbacUserGuest = !empty($rbacUserExists) && $rbacUserExists instanceof RbacUsers && $rbacUserExists->getUserRole($rbacUserExists->getUsrUid())['ROL_CODE'] !== self::PROCESSMAKER_GUEST; if (empty($rbacUserExists)) { $rbacUser = new RbacUsers(); $rbacUser->fromArray($arrayData, BasePeer::TYPE_FIELDNAME); $rbacUser->save(); $arrayData["USR_UID"] = $rbacUser->getUsrUid(); $arrayData["USR_STATUS"] = 'INACTIVE'; $arrayData["USR_COUNTRY"] = ""; $arrayData["USR_CITY"] = ""; $arrayData["USR_LOCATION"] = ""; $arrayData["USR_ADDRESS"] = ""; $arrayData["USR_PHONE"] = ""; $arrayData["USR_ZIP_CODE"] = ""; $arrayData["USR_POSITION"] = ""; $arrayData["USR_ROLE"] = $strRole; $user = new Users(); $user->create($arrayData); $this->assignRoleToUser($user->getUsrUid(), $strRole); } elseif ($isNotRbacUserGuest) { $this->assignRoleToUser($rbacUserExists->getUsrUid(), $strRole); } } catch (Exception $exception) { throw new Exception( "Can not create guest user: " . $exception->getMessage(), 0, $exception ); } } /** * Create if not exists GUEST role. * * @param type $permissions * @return type * @throws Exception */ private function verifyGuestRole($permissions) { try { $criteria = new Criteria; $criteria->add(RolesPeer::ROL_CODE, self::PROCESSMAKER_GUEST); $roleExists = RolesPeer::doSelectOne($criteria); if (!empty($roleExists)) { return $roleExists; } $aData = [ 'ROL_UID' => self::PROCESSMAKER_GUEST_UID, 'ROL_CODE' => self::PROCESSMAKER_GUEST, 'ROL_SYSTEM' => self::PER_SYSTEM, 'ROL_STATUS' => 1, 'ROL_NAME' => self::PROCESSMAKER_GUEST, 'ROL_CREATE_DATE' => date('Y-m-d H:i:s'), 'ROL_UPDATE_DATE' => date('Y-m-d H:i:s'), ]; $this->createRole($aData); $role = RolesPeer::doSelectOne($criteria); foreach($permissions as $permission) { $o = new RolesPermissions(); $o->setPerUid($permission->getPerUid()); $o->setPermissionName('Guest case'); $o->setRolUid($role->getRolUid()); $o->save(); } return $role; } catch (Exception $exception) { throw new Exception( "Can not create guest role: " . $exception->getMessage(), 0, $exception ); } } /** * Create if not exists GUEST permissions. * * @return type * @throws Exception */ private function verifyGuestPermissions() { try { $criteria = new Criteria(); $criteria->add(PermissionsPeer::PER_CODE, self::PM_GUEST_CASE); $perm = PermissionsPeer::doSelectOne($criteria); if (!empty($perm)) { return [$perm]; } $permission = new Permissions(); $permission->setPerUid(self::PM_GUEST_CASE_UID); $permission->setPerCode(self::PM_GUEST_CASE); $permission->setPerCreateDate(date('Y-m-d H:i:s')); $permission->setPerUpdateDate(date('Y-m-d H:i:s')); $permission->setPerStatus(1); $permission->setPerSystem(self::PER_SYSTEM); $permission->save(); return [$permission]; } catch (Exception $exception) { throw new Exception( "Can not set guest permissions: " . $exception->getMessage(), 0, $exception ); } } /** * Create if not exists GUEST user. * Create if not exists GUEST role. * Create if not exists GUEST permissions. * * @throws Exception */ private function verifyGuestUserRolePermission() { $permissions = $this->verifyGuestPermissions(); $role = $this->verifyGuestRole($permissions); $this->verifyGuestUser($role); } /** * Gets the roles and permission for one RBAC_user * * gets the Role and their permissions for one User * * @author Fernando Ontiveros Lira * @access public * * @param string $sSystem the system * @param string $sUser the user * @return $this->aUserInfo[ $sSystem ] */ public function loadUserRolePermission ($sSystem, $sUser) { //in previous versions we provided a path data and session we will cache the session Info for this user //now this is deprecated, and all the aUserInfo is in the memcache $this->sSystem = $sSystem; $fieldsSystem = $this->systemObj->loadByCode( $sSystem ); $fieldsRoles = $this->usersRolesObj->getRolesBySystem( $fieldsSystem['SYS_UID'], $sUser ); $fieldsPermissions = $this->usersRolesObj->getAllPermissions( $fieldsRoles['ROL_UID'], $sUser ); $this->aUserInfo['USER_INFO'] = $this->userObj->load( $sUser ); $this->aUserInfo[$sSystem]['SYS_UID'] = $fieldsSystem['SYS_UID']; $this->aUserInfo[$sSystem]['ROLE'] = $fieldsRoles; $this->aUserInfo[$sSystem]['PERMISSIONS'] = $fieldsPermissions; } /** * verification the register automatic * * * @access public * @param string $strUser the system * @param string $strPass the password * @return $res */ public function checkAutomaticRegister ($strUser, $strPass) { $result = - 1; //default return value, foreach ($this->aRbacPlugins as $sClassName) { $plugin = new $sClassName(); if (method_exists( $plugin, 'automaticRegister' )) { $oCriteria = new Criteria( 'rbac' ); $oCriteria->add( AuthenticationSourcePeer::AUTH_SOURCE_PROVIDER, $sClassName ); $oCriteria->addAscendingOrderByColumn( AuthenticationSourcePeer::AUTH_SOURCE_NAME ); $oDataset = AuthenticationSourcePeer::doSelectRS( $oCriteria, Propel::getDbConnection('rbac_ro') ); $oDataset->setFetchmode( ResultSet::FETCHMODE_ASSOC ); $oDataset->next(); $aRow = $oDataset->getRow(); while (is_array( $aRow )) { $aRow = array_merge( $aRow, unserialize( $aRow['AUTH_SOURCE_DATA'] ) ); //Check if this authsource is enabled for AutoRegister, if not skip this if ($aRow['AUTH_SOURCE_AUTO_REGISTER'] == 1) { $plugin->sAuthSource = $aRow['AUTH_SOURCE_UID']; $plugin->sSystem = $this->sSystem; //search the usersRolesObj //create the users in ProcessMaker $res = $plugin->automaticRegister( $aRow, $strUser, $strPass ); if ($res == 1) { return $res; } } $oDataset->next(); $aRow = $oDataset->getRow(); } } } } /** * this function is checking the register automatic without authentication * * * @access public * @param string $sAuthType * @param string $sAuthSource * @param string $aUserFields * @param string $sAuthUserDn * @param string $strPass * @return number -2: wrong password * -3: inactive user * -4: due date * -5: invalid authentication source */ public function VerifyWithOtherAuthenticationSource ($sAuthType, $aUserFields, $strPass) { if ($sAuthType == '' || $sAuthType == 'MYSQL') { //check if the user is active if ($aUserFields['USR_STATUS'] != 1) { return - 3; //inactive user } //check if the user's due date is valid if ($aUserFields['USR_DUE_DATE'] < date( 'Y-m-d' )) { return - 4; //due date } } foreach ($this->aRbacPlugins as $sClassName) { if (strtolower( $sClassName ) == strtolower( $sAuthType )) { $plugin = new $sClassName(); $plugin->sAuthSource = $aUserFields["UID_AUTH_SOURCE"]; $plugin->sSystem = $this->sSystem; $bValidUser = false; $bValidUser = $plugin->VerifyLogin( $aUserFields["USR_AUTH_USER_DN"], $strPass ); if ($bValidUser === true) { return ($aUserFields['USR_UID']); } else { return - 2; //wrong password } } } return - 5; //invalid authentication source } /** * authentication of an user through of class RBAC_user * * checking that an user has right to start an applicaton * * @author Fernando Ontiveros Lira * @access public * * @param string $strUser UserId (login) an user * @param string $strPass Password * @return -1: no user * -2: wrong password * -3: inactive usuario * -4: due date * -5: invalid authentication source ( **new ) * n : uid of user */ public function VerifyLogin ($strUser, $strPass) { /*----------------------------------********---------------------------------*/ $licenseManager =& PmLicenseManager::getSingleton(); if (in_array(G::encryptOld($licenseManager->result), array('38afd7ae34bd5e3e6fc170d8b09178a3', 'ba2b45bdc11e2a4a6e86aab2ac693cbb'))) { return -7; } /*----------------------------------********---------------------------------*/ if (strlen( $strPass ) == 0) { return - 2; } //check if the user exists in the table RB_WORKFLOW.USERS $this->initRBAC(); //if the user exists, the VerifyUser function will return the user properties if ($this->userObj->verifyUser( $strUser ) == 0) { //here we are checking if the automatic user Register is enabled, ioc return -1 $res = $this->checkAutomaticRegister( $strUser, $strPass ); if ($res == 1) { $this->userObj->verifyUser( $strUser ); } else { return $res; } } //default values $sAuthType = 'mysql'; if (isset( $this->userObj->fields['USR_AUTH_TYPE'] )) { $sAuthType = strtolower( $this->userObj->fields['USR_AUTH_TYPE'] ); } //Hook for RBAC plugins if ($sAuthType != "mysql" && $sAuthType != "") { $res = $this->VerifyWithOtherAuthenticationSource( $sAuthType, $this->userObj->fields, $strPass ); return $res; } else { $this->userObj->reuseUserFields = true; $res = $this->userObj->VerifyLogin( $strUser, $strPass ); return $res; } } /** * Verify if the user exist or not exists, the argument is the UserName * * @author Everth S. Berrios * @access public * @param string $strUser * @return $res */ public function verifyUser ($strUser) { $res = $this->userObj->verifyUser( $strUser ); return $res; } /** * Verify if the user exist or not exists, the argument is the UserUID * * @author Everth S. Berrios * @access public * @param string $strUserId * @return $res */ public function verifyUserId ($strUserId) { $res = $this->userObj->verifyUserId( $strUserId ); return $res; } /** * Verify if the user has a right over the permission. Ex. * $rbac->userCanAccess("PM_CASES"); * * Alias of permissions: * PM_CASES has alias: PM_GUEST_CASE * This means that a role with PM_GUEST_CASE could access like one with PM_CASES * unless the permission is required as strict, like this: * $rbac->userCanAccess("PM_CASES/strict"); * * @access public * @param string $uid id of user * @param string $system Code of System * @param string $permBase id of Permissions * @return int 1: If it is ok * -1: System doesn't exists * -2: The User has not a Role * -3: The User has not this Permission. */ public function userCanAccess($permBase) { $strict = substr($permBase, -7, 7) === '/strict'; $perm = $strict ? substr($permBase, 0, -7) : $permBase; if (isset($this->aUserInfo[$this->sSystem]['PERMISSIONS'])) { $res = - 3; foreach ($this->aUserInfo[$this->sSystem]['PERMISSIONS'] as $key => $val) { if ($perm == $val['PER_CODE']) { $res = 1; } $hasAliasPermission = !$strict && isset($this->aliasPermissions[$perm]) && array_search( $val['PER_CODE'], $this->aliasPermissions[$perm] ) !== false; if ($hasAliasPermission) { $res = 1; break; } } } else { $res = - 1; } return $res; } /** * to create an user * * @access public * @param array $aData * @param string $sRolCode * @return $sUserUID */ public function createUser ($aData = array(), $sRolCode = '') { if ($aData["USR_STATUS"] . "" == "1") { $aData["USR_STATUS"] = "ACTIVE"; } if ($aData["USR_STATUS"] . "" == "0") { $aData["USR_STATUS"] = "INACTIVE"; } if ($aData['USR_STATUS'] == 'ACTIVE') { $aData['USR_STATUS'] = 1; } if ($aData['USR_STATUS'] == 'INACTIVE') { $aData['USR_STATUS'] = 0; } $sUserUID = $this->userObj->create( $aData ); if ($sRolCode != '') { $this->assignRoleToUser( $sUserUID, $sRolCode ); } return $sUserUID; } /** * updated an user * * @access public * @param array $aData * @param string $sRolCode * @return void */ public function updateUser ($aData = array(), $sRolCode = '') { if (isset( $aData['USR_STATUS'] )) { if ($aData['USR_STATUS'] == 'ACTIVE') { $aData['USR_STATUS'] = 1; } } $this->userObj->update( $aData ); if ($sRolCode != '') { $this->removeRolesFromUser( $aData['USR_UID'] ); $this->assignRoleToUser( $aData['USR_UID'], $sRolCode ); } } /** * to put role an user * * @access public * @param string $sUserUID * @param string $sRolCode * @return void */ public function assignRoleToUser ($sUserUID = '', $sRolCode = '') { $aRol = $this->rolesObj->loadByCode( $sRolCode ); $this->usersRolesObj->create( $sUserUID, $aRol['ROL_UID'] ); } /** * remove a role from an user * * @access public * @param array $sUserUID * @return void */ public function removeRolesFromUser ($sUserUID = '') { $oCriteria = new Criteria( 'rbac' ); $oCriteria->add( UsersRolesPeer::USR_UID, $sUserUID ); UsersRolesPeer::doDelete( $oCriteria ); } /** * change status of an user * * @access public * @param array $sUserUID * @return void */ public function changeUserStatus ($sUserUID = '', $sStatus = 'ACTIVE') { if ($sStatus === 'ACTIVE') { $sStatus = 1; } $aFields = $this->userObj->load( $sUserUID ); $aFields['USR_STATUS'] = $sStatus; $this->userObj->update( $aFields ); } /** * remove an user * * @access public * @param array $sUserUID * @return void */ public function removeUser ($sUserUID = '') { $this->userObj->remove( $sUserUID ); $this->removeRolesFromUser( $sUserUID ); } // /** * getting user's basic information (rbac) * * getting datas that is saved in rbac * * @author Fernando Ontiveros Lira * @access public * * @param string $uid id user * @return array with info of an user */ public function load ($uid) { $this->initRBAC(); $this->userObj->Fields = $this->userObj->load( $uid ); $fieldsSystem = $this->systemObj->loadByCode( $this->sSystem ); $fieldsRoles = $this->usersRolesObj->getRolesBySystem( $fieldsSystem['SYS_UID'], $uid ); $this->userObj->Fields['USR_ROLE'] = $fieldsRoles['ROL_CODE']; return $this->userObj->Fields; } /** * loading permission by code * * * @access public * * @param string $sCode * @return void */ // function loadPermissionByCode($sCode) { // return $this->permissionsObj->loadByCode($sCode); // } /** * create permission * * * @access public * * @param string $sCode * @return void */ public function createPermision ($sCode) { return $this->permissionsObj->create( array ('PER_CODE' => $sCode) ); } /** * loading role by code * * * @access public * * @param string $sCode * @return void */ // function loadRoleByCode($sCode) { // return $this->rolesObj->loadByCode($sCode); // } /** * list all roles * * * @access public * * @param string $systemCode * @return $this->rolesObj */ public function listAllRoles ($systemCode = 'PROCESSMAKER') { return $this->rolesObj->listAllRoles( $systemCode ); } /** * getting all roles * * * @access public * * @param string $systemCode * @return $this->rolesObj->getAllRoles */ public function getAllRoles ($systemCode = 'PROCESSMAKER') { return $this->rolesObj->getAllRoles( $systemCode ); } /** * getting all roles by filter * * * @access public * @param string $filter * @return $this->rolesObj->getAllRolesFilter */ public function getAllRolesFilter ($start, $limit, $filter) { return $this->rolesObj->getAllRolesFilter( $start, $limit, $filter ); } /** * list all permission * * * @access public * * @param string $systemCode * @return $this->rolesObj->listAllPermissions */ public function listAllPermissions ($systemCode = 'PROCESSMAKER') { return $this->rolesObj->listAllPermissions( $systemCode ); } /** * this function creates a role * * * @access public * * @param array $aData * @return $this->rolesObj->createRole */ public function createRole ($aData) { return $this->rolesObj->createRole( $aData ); } /** * this function removes a role * * * @access public * * @param string $ROL_UID * $@return $this->rolesObj->removeRole */ public function removeRole ($ROL_UID) { return $this->rolesObj->removeRole( $ROL_UID ); } /** * this function checks a new role * * * @access public * * @param string $code * @return $this->rolesObj->verifyNewRole */ public function verifyNewRole ($code) { return $this->rolesObj->verifyNewRole( $code ); } /** * this function updates a role * * * @access public * * @param string $fields * @return $this->rolesObj->updateRole */ public function updateRole ($fields) { return $this->rolesObj->updateRole( $fields ); } /** * this function loads by ID * * * @access public * * @param string $ROL_UID * @return $this->rolesObj->loadById */ public function loadById ($ROL_UID) { return $this->rolesObj->loadById( $ROL_UID ); } /** * this function gets the user's roles * * * @access public * * @param string $ROL_UID * @return $this->rolesObj->getRoleUsers */ public function getRoleUsers ($ROL_UID, $filter = '') { throw new Exception(__METHOD__ . ': The method is deprecated'); } /** * this function gets the number of users by roles * * * @access public * @author : Enrique Ponce de Leon * * @return $this->rolesObj->getAllUsersByRole */ public function getAllUsersByRole () { return $this->rolesObj->getAllUsersByRole(); } /** * this function gets the number of users by department * * * @access public * @author : Enrique Ponce de Leon * * @return $this->rolesObj->getAllUsersByRole */ public function getAllUsersByDepartment () { return $this->rolesObj->getAllUsersByDepartment(); } /** * this function gets roles code * * * @access public * * @param string $ROL_UID * @return $this->rolesObj->getRoleCode */ public function getRoleCode ($ROL_UID) { return $this->rolesObj->getRoleCode( $ROL_UID ); } /** * this function removes role from an user * * * @access public * * @param string $ROL_UID * @param string $USR_UID * @return $this->rolesObj->deleteUserRole */ public function deleteUserRole ($ROL_UID, $USR_UID) { return $this->rolesObj->deleteUserRole( $ROL_UID, $USR_UID ); } /** * this function gets all user * * * @access public * * @param string $ROL_UID * @return $this->rolesObj->getAllUsers */ public function getAllUsers ($ROL_UID, $filter = '') { throw new Exception(__METHOD__ . ': The method is deprecated'); } /** * this function assigns role an user * * * @access public * * @param array $aData * @return $this->rolesObj->assignUserToRole */ public function assignUserToRole ($aData) { return $this->rolesObj->assignUserToRole( $aData ); } /** * this function gets role permission * * * @access public * * @param string $ROL_UID * @return $this->rolesObj->getRolePermissionsByPerUid */ public function getRolePermissionsByPerUid($ROL_UID) { return $this->rolesObj->getRolePermissionsByPerUid($ROL_UID); } /** * this function is Assigne role permission * * * @access public * * @param string $ROL_UID * @return $this->rolesObj->isAssigneRolePermission */ public function getPermissionAssignedRole($ROL_UID, $PER_UID) { return $this->rolesObj->getPermissionAssignedRole($ROL_UID, $PER_UID); } /** * this function gets role permission * * * @access public * * @param string $ROL_UID * @return $this->rolesObj->getRolePermissions */ public function getRolePermissions ($ROL_UID, $filter = '', $status = null) { return $this->rolesObj->getRolePermissions( $ROL_UID, $filter, $status ); } /** * this function gets all permissions * * * @access public * * @param string $ROL_UID * @param string $PER_SYSTEM * @return $this->rolesObj->getAllPermissions */ public function getAllPermissions ($ROL_UID, $PER_SYSTEM = "", $filter = '', $status = null) { return $this->rolesObj->getAllPermissions( $ROL_UID, $PER_SYSTEM, $filter, $status ); } /** * this function assigns permissions and role * * * @access public * * @param array $aData * @return $this->rolesObj->assignPermissionRole */ public function assignPermissionRole ($sData) { return $this->rolesObj->assignPermissionRole( $sData ); } /** * this function assigns permissions to a role * * * @access public * * @param string $sRoleUID * @param string $sPermissionUID * @return $this->rolesPermissionsObj->create */ public function assignPermissionToRole ($sRoleUID, $sPermissionUID) { return $this->rolesPermissionsObj->create( array ('ROL_UID' => $sRoleUID,'PER_UID' => $sPermissionUID ) ); } /** * this function removes permission to role * * * @access public * * @param string $ROL_UID * @param string $PER_UID * @return $this->rolesObj->deletePermissionRole */ public function deletePermissionRole ($ROL_UID, $PER_UID) { return $this->rolesObj->deletePermissionRole( $ROL_UID, $PER_UID ); } /** * this function counts number of user without role * * * @access public * * @param string $ROL_UID * @return $this->rolesObj->numUsersWithRole */ public function numUsersWithRole ($ROL_UID) { return $this->rolesObj->numUsersWithRole( $ROL_UID ); } /** * this function creates system code * * * @access public * * @param string $sCode * @return $this->systemObj->create */ public function createSystem ($sCode) { return $this->systemObj->create( array ('SYS_CODE' => $sCode ) ); } /** * this function checks by code * * * @access public * * @param string $sCode * @return $this->rolesObj->verifyByCode */ public function verifyByCode ($sCode) { return $this->rolesObj->verifyByCode( $sCode ); } /** * this function gets all authentication source * Authentication Sources * * @access public * * @param void * @return $this->authSourcesObj->getAllAuthSources() */ public function getAllAuthSources () { return $this->authSourcesObj->getAllAuthSources(); } /** * this function gets all authentication source * Authentication Sources By User * * @access public * @author Enrique Ponce de Leon * @param void * @return $this->authSourcesObj->getAllAuthSources() */ public function getAllAuthSourcesByUser () { return $this->authSourcesObj->getAllAuthSourcesByUser(); } /** * this function gets all authentication source * Authentication Sources based at parameters * * @access public * @author Enrique Ponce de Leon * @param int $start offset value to paging grid * @param int $limit limit value to paging grid * @param string $filter value to search or filter select * @return $this->authSourcesObj->getAuthenticationSources() */ public function getAuthenticationSources ($start, $limit, $filter = '') { return $this->authSourcesObj->getAuthenticationSources( $start, $limit, $filter ); } /** * this function gets all authentication source * Authentication Sources * * @access public * * @param string $sUID * @return $this->authSourcesObj->load */ public function getAuthSource ($sUID) { $data = $this->authSourcesObj->load( $sUID ); $pass = explode( "_", $data['AUTH_SOURCE_PASSWORD'] ); foreach ($pass as $index => $value) { if ($value == '2NnV3ujj3w') { $data['AUTH_SOURCE_PASSWORD'] = G::decrypt( $pass[0], $data['AUTH_SOURCE_SERVER_NAME'] ); } } $this->authSourcesObj->Fields = $data; return $this->authSourcesObj->Fields; } /** * this function creates an authentication source * Authentication Sources * * @access public * * @param array $aData * @return $this->authSourcesObj->create */ public function createAuthSource ($aData) { $aData['AUTH_SOURCE_PASSWORD'] = G::encrypt( $aData['AUTH_SOURCE_PASSWORD'], $aData['AUTH_SOURCE_SERVER_NAME'] ) . "_2NnV3ujj3w"; $this->authSourcesObj->create( $aData ); } /** * this function updates an authentication source * Authentication Sources * * @access public * * @param array $aData * @return $this->authSourcesObj->create */ public function updateAuthSource ($aData) { $aData['AUTH_SOURCE_PASSWORD'] = G::encrypt( $aData['AUTH_SOURCE_PASSWORD'], $aData['AUTH_SOURCE_SERVER_NAME'] ) . "_2NnV3ujj3w"; $this->authSourcesObj->update( $aData ); } /** * this function removes an authentication source * Authentication Sources * * @access public * * @param string $sUID * @return $this->authSourcesObj->remove */ public function removeAuthSource ($sUID) { $this->authSourcesObj->remove( $sUID ); } /** * this function gets all users by authentication source * * @access public * * @param void * @return $this->userObj->getAllUsersByAuthSource() */ public function getAllUsersByAuthSource () { return $this->userObj->getAllUsersByAuthSource(); } /** * this function gets all users by authentication source * * @access public * * @param void * @return $this->userObj->getAllUsersByAuthSource() */ public function getListUsersByAuthSource ($aSource) { return $this->userObj->getListUsersByAuthSource( $aSource ); } /** * this function searchs users * * * @access public * * @param string $sUID * @param string $sKeyword * @return array */ public function searchUsers ($sUID, $sKeyword) { $aAuthSource = $this->getAuthSource( $sUID ); $sAuthType = strtolower( $aAuthSource['AUTH_SOURCE_PROVIDER'] ); foreach ($this->aRbacPlugins as $sClassName) { if (strtolower( $sClassName ) == $sAuthType) { $plugin = new $sClassName(); $plugin->sAuthSource = $sUID; $plugin->sSystem = $this->sSystem; return $plugin->searchUsers( $sKeyword ); } } return array (); } public function requirePermissions ($permissions) { $numPerms = func_num_args(); $permissions = func_get_args(); $access = - 1; if ($numPerms == 1) { $access = $this->userCanAccess( $permissions[0] ); } elseif ($numPerms > 0) { foreach ($permissions as $perm) { $access = $this->userCanAccess( $perm ); if ($access == 1) { $access = 1; break; } } } else { throw new Exception( 'function requirePermissions() ->ERROR: Parameters missing!' ); } if ($access == 1) { return true; } else { switch ($access) { case - 2: G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_SYSTEM', 'error', 'labels' ); G::header( 'location: ../login/login' ); break; case - 1: default: G::SendTemporalMessage( 'ID_USER_HAVENT_RIGHTS_PAGE', 'error', 'labels' ); G::header( 'location: ../login/login' ); break; } exit( 0 ); } } private function getAllFiles ($directory, $recursive = true) { $result = array (); if (is_dir( $directory )) { $handle = opendir( $directory ); while ($datei = readdir( $handle )) { if (($datei != '.') && ($datei != '..')) { $file = $directory . $datei; if (is_dir( $file )) { if ($recursive) { $result = array_merge( $result, getAllFiles( $file . '/' ) ); } } else { $result[] = $file; } } } closedir( $handle ); } return $result; } private function getFilesTimestamp ($directory, $recursive = true) { $allFiles = self::getAllFiles( $directory, $recursive ); $fileArray = array (); foreach ($allFiles as $val) { $timeResult['file'] = $val; $timeResult['timestamp'] = filemtime( $val ); $fileArray[] = $timeResult; } return $fileArray; } public function cleanSessionFiles ($hours = 72) { $currentTime = strtotime( "now" ); $timeDifference = $hours * 60 * 60; $limitTime = $currentTime - $timeDifference; $sessionsPath = PATH_DATA . 'session' . PATH_SEP; $filesResult = self::getFilesTimestamp( $sessionsPath ); $count = 0; foreach ($filesResult as $file) { if ($file['timestamp'] < $limitTime) { unlink( $file['file'] ); $count ++; } } } /** * this function permissions * * * @access public * */ public function verifyPermissions() { $message = array(); $this->verifyGuestUserRolePermission(); $listPermissions = $this->loadPermissionAdmin(); $criteria = new Criteria('rbac'); $dataset = PermissionsPeer::doSelectRS($criteria); $dataset->setFetchmode(ResultSet::FETCHMODE_ASSOC); $dataset->next(); $aRow = $dataset->getRow(); while (is_array($aRow)) { foreach ($listPermissions as $key => $item) { if ($aRow['PER_UID'] == $item['PER_UID']) { unset($listPermissions[$key]); break; } } $dataset->next(); $aRow = $dataset->getRow(); } foreach ($listPermissions as $key => $item) { //Adding new permissions $data = array(); $data['PER_UID'] = $item['PER_UID']; $data['PER_CODE'] = $item['PER_CODE']; $data['PER_CREATE_DATE'] = date('Y-m-d H:i:s'); $data['PER_UPDATE_DATE'] = $data['PER_CREATE_DATE']; $data['PER_STATUS'] = 1; $permission = new Permissions(); $permission->fromArray($data, BasePeer::TYPE_FIELDNAME); $permission->save(); $message[] = 'Add permission missing ' . $item['PER_CODE']; //Adding new labels for new permissions $o = new RolesPermissions(); $o->setPerUid($item['PER_UID']); $o->setPermissionName($item['PER_NAME']); //assigning new permissions $this->assigningNewPermissionsPmSetup($item); $this->assigningNewPermissionsPmEditProfile($item); } return $message; } /** * Permissions for tab ADMIN * @param array $item */ public function assigningNewPermissionsPmSetup($item = array()) { if (strpos($item['PER_CODE'], 'PM_SETUP_') !== false) { $rolesWithPermissionSetup = $this->getRolePermissionsByPerUid(self::SETUPERMISSIONUID); $rolesWithPermissionSetup->next(); while ($aRow = $rolesWithPermissionSetup->getRow()) { $isAssignedNewpermissions = $this->getPermissionAssignedRole($aRow['ROL_UID'], $item['PER_UID']); if (!$isAssignedNewpermissions) { $dataPermissions = array(); $dataPermissions['ROL_UID'] = $aRow['ROL_UID']; $dataPermissions['PER_UID'] = $item['PER_UID']; $this->assignPermissionRole($dataPermissions); } $rolesWithPermissionSetup->next(); } } } /** * Permissions for Edit Profile User * @param array $item */ public function assigningNewPermissionsPmEditProfile($item = array()) { if (strpos($item['PER_CODE'], 'PM_EDIT_USER_PROFILE_') !== false) { $allRolesRolUid = $this->getAllRoles('PROCESSMAKER'); $perCodePM = array('PROCESSMAKER_ADMIN', 'PROCESSMAKER_OPERATOR', 'PROCESSMAKER_MANAGER'); $permissionsForOperator = array( 'PM_EDIT_USER_PROFILE_POSITION', 'PM_EDIT_USER_PROFILE_REPLACED_BY', 'PM_EDIT_USER_PROFILE_EXPIRATION_DATE', 'PM_EDIT_USER_PROFILE_STATUS', 'PM_EDIT_USER_PROFILE_ROLE', 'PM_EDIT_USER_PROFILE_COSTS', 'PM_EDIT_USER_PROFILE_USER_MUST_CHANGE_PASSWORD_AT_NEXT_LOGON', 'PM_EDIT_USER_PROFILE_DEFAULT_MAIN_MENU_OPTIONS', 'PM_EDIT_USER_PROFILE_DEFAULT_CASES_MENU_OPTIONS' ); foreach ($allRolesRolUid as $index => $aRow) { $isAssignedNewpermissions = $this->getPermissionAssignedRole($aRow['ROL_UID'], $item['PER_UID']); $assignPermissions = true; if (!$isAssignedNewpermissions) { if ($aRow['ROL_CODE'] == 'PROCESSMAKER_OPERATOR' && in_array($item['PER_CODE'], $permissionsForOperator)) { $assignPermissions = false; } if (!in_array($aRow['ROL_CODE'], $perCodePM)) { $assignPermissions = false; $checkPermisionEdit = $this->getPermissionAssignedRole($aRow['ROL_UID'], '00000000000000000000000000000014'); if ($checkPermisionEdit && !in_array($item['PER_CODE'], $permissionsForOperator)) { $assignPermissions = true; } } if ($assignPermissions) { $dataPermissions = array(); $dataPermissions['ROL_UID'] = $aRow['ROL_UID']; $dataPermissions['PER_UID'] = $item['PER_UID']; $this->assignPermissionRole($dataPermissions); } } } } } /** * This function verify if the user allows to the file with a specific action * If the action is not defined in the authorizedActions we give the allow * @param string $file * @param string $action * * @return void */ public function allows($file, $action) { $access = false; if (isset($this->authorizedActions[$file][$action])) { $permissions = $this->authorizedActions[$file][$action]; $totalPermissions = count($permissions); $countAccess = 0; foreach ($permissions as $key => $value) { if ($this->userCanAccess($value) == 1) { $countAccess++; } } //Check if the user has all permissions that needed if ($countAccess == $totalPermissions) { $access = true; } } if (!$access) { throw new RBACException('ID_ACCESS_DENIED', 403); } } /** * Enable compatibility with hash login */ public function enableLoginWithHash() { $this->enableLoginHash = true; } /** * Disable compatibility with hash login */ public function disableLoginWithHash() { $this->enableLoginHash = false; } /** * Return status login with hash * * @return bool */ public function loginWithHash() { return $this->enableLoginHash; } /** * Returns true in case the parameter corresponds to the invited user, * otherwise it returns false. * * @param string $usrUid * @return boolean */ public static function isGuestUserUid($usrUid) { return self::GUEST_USER_UID === $usrUid; } }