From 12f228923367bf5feee3d66bfc2e075dc3bdd9d0 Mon Sep 17 00:00:00 2001 From: Robert Sesek Date: Sun, 18 Mar 2007 01:22:03 +0000 Subject: [PATCH] r1485: - Adding base support for multiple user groups: schema changes, created FetchUserPermissions(), and an improved can_perform() - In ProcessBugDataForDisplay() we can use less calls to can_perform when checking canviewhidden* permissions --- docs/schema_changes.sql | 1 + includes/functions.php | 66 ++++++++++++++++++++++++++++++++++++----- includes/init.php | 2 +- 3 files changed, 60 insertions(+), 9 deletions(-) diff --git a/docs/schema_changes.sql b/docs/schema_changes.sql index 9de1d44..6a41263 100644 --- a/docs/schema_changes.sql +++ b/docs/schema_changes.sql @@ -1,2 +1,3 @@ ## SVN $Id$ +ALTER TABLE user ADD groupids TEXT NULL DEFAULT ''; diff --git a/includes/functions.php b/includes/functions.php index 3e4e4da..f23d799 100755 --- a/includes/functions.php +++ b/includes/functions.php @@ -96,11 +96,26 @@ function can_perform($bitmask, $productid = 0, $userinfo = null) { global $bugsys; + // masks that aren't product-specific + static $inspecific = array( + 'cansearch', + 'canbeassignedto', + 'canadminpanel', + 'canadminbugs', + 'canadminfields', + 'canadminversions', + 'canadminusers', + 'canadmingroups', + 'canadmintools' + ); + if ($userinfo == null) { $userinfo =& $bugsys->userinfo; } + $permissions =& $bugsys->datastore['permissions']; + if (!isset($bugsys->permissions["$bitmask"])) { trigger_error('Invalid bitmask "' . $bitmask . '" specified for can_perform() [includes/functions.php]', E_USER_WARNING); @@ -108,18 +123,22 @@ function can_perform($bitmask, $productid = 0, $userinfo = null) if (!$userinfo['permissions']) { - $userinfo['permissions'] = (int)$bugsys->datastore['usergroup']["$userinfo[usergroupid]"]['permissions']; + $userinfo['permissions'] = FetchUserPermissions($userinfo); } - if ($productid AND isset($bugsys->datastore['permission']["$userinfo[usergroupid]"]["$productid"])) + if ($productid AND !in_array($bitmask, $inspecific)) { - $inspecific = array('cansearch', 'canbeassignedto', 'canadminpanel', 'canadminbugs', 'canadminfields', 'canadminversions', 'canadminusers', 'canadmingroups', 'canadmintools'); + $verdict = (isset($permissions["$userinfo[usergroupid]"]["$productid"]) ? ($permissions["$userinfo[usergroupid]"]["$productid"] & $bugsys->permissions["$bitmask"]) : ($userinfo['permissions'] & $bugsys->permissions["$bitmask"])); - if (!in_array($bitmask, $inspecific)) + foreach ($userinfo['groupids'] AS $group) { - $bugsys->debug("verdict* on can_perform($bitmask, $productid, $userinfo[userid]) = " . ($bugsys->datastore['permission']["$userinfo[usergroupid]"]["$productid"] & $bugsys->permissions["$bitmask"])); - return ($bugsys->datastore['permission']["$userinfo[usergroupid]"]["$productid"] & $bugsys->permissions["$bitmask"]); + if (isset($permissions["$group"]["$productid"])) + { + $verdict |= ($permissions["$group"]["$productid"] & $bugsys->permissions["$bitmask"]); + } } + $bugsys->debug("verdict* on can_perform($bitmask, $productid, $userinfo[userid]) = $verdict"); + return $verdict; } $bugsys->debug("verdict on can_perform($bitmask, $productid, $userinfo[userid]) = " . ($userinfo['permissions'] & $bugsys->permissions["$bitmask"])); @@ -527,6 +546,7 @@ function fetch_guest_user() return array( 'usergroupid' => 1, + 'groupids' => array(), 'userid' => 0, 'email' => '', 'displayname' => '', @@ -579,7 +599,7 @@ function check_bug_permissions($bug, $userinfo = null) ( $bug['hidden'] AND - ( + (A ($userinfo['userid'] == $bug['userid'] AND can_perform('canviewownhidden', $bug['product'], $userinfo)) OR can_perform('canviewhidden', $bug['product'], $userinfo) @@ -614,7 +634,7 @@ function ProcessBugDataForDisplay($bug, $color = '') { global $bugsys; - $bug['hiddendisplay'] = (can_perform('canviewhidden', $bug['product']) OR (can_perform('canviewownhidden') AND $bug['userid'] == $bugsys->userinfo['userid'])); + $bug['hiddendisplay'] = ($bug['hidden'] AND (can_perform('canviewhidden', $bug['product']) OR (can_perform('canviewownhidden') AND $bug['userid'] == $bugsys->userinfo['userid']))); $bug['bgcolor'] = ($bugsys->userinfo['showcolors'] ? $bugsys->datastore['status']["$bug[status]"]['color'] : $color); $bug['product'] = $bugsys->datastore['product']["$bug[product]"]['title']; @@ -693,6 +713,36 @@ function PageNavigatorCallback($baselink, $nextpage, $prevpage, $show, $pagebits return $return; } +// ################################################################### +/** +* Determines the correct permissions of the user. This is especially +* important for working with multiple-usergroup permission schemes. +* If a user is assigned to more than one usergroup, the highest level +* will always override (so a YES will always override a NO); this is +* because permissions are calculated with bitwise OR. +* +* @param array The user array with usergroups already exploded +* +* @return integer Permissions value +*/ +function FetchUserPermissions(&$user) +{ + global $bugsys; + + $perms = $bugsys->datastore['usergroup']["$user[usergroupid]"]['permissions']; + if (!is_array($user['groupids'])) + { + $user['groupids'] = $bugsys->funct->array_strip_empty(explode(',', $bugsys->userinfo['groupids'])); + } + + foreach ($user['groupids'] AS $group) + { + $perms |= $bugsys->datastore['usergroup']["$group"]['permissions']; + } + + return $perms; +} + /*=====================================================================*\ || ################################################################### || # $HeadURL$ diff --git a/includes/init.php b/includes/init.php index 8827e9b..05bc171 100755 --- a/includes/init.php +++ b/includes/init.php @@ -116,7 +116,7 @@ $bugsys->auth = $auth = new $authClass(); if ($auth->authenticateCookies()) { $bugsys->userinfo = $auth->fetchBugdarUser(); - $bugsys->userinfo['permissions'] = (int)$bugsys->datastore['usergroup'][ $bugsys->userinfo['usergroupid'] ]['permissions']; + $bugsys->userinfo['permissions'] = FetchUserPermissions($bugsys->userinfo); $bugsys->userinfo['displaytitle'] = $bugsys->datastore['usergroup'][ $bugsys->userinfo['usergroupid'] ]['displaytitle']; $bugsys->userinfo['columnoptions'] = unserialize($bugsys->userinfo['columnoptions']); } -- 2.22.5