][ruleName] # ex: # ["core"]["isRoot","ACLx"] # []["isRoot"] # protected array $accessRules = []; public static $sqlTable = "tblUserGroups"; public static $allowDeleteFromDB = true; public static $sqlColumns = [ "name" => [ "type" => "VARCHAR(255)", "index" => "INDEX" ], "companyId" => [ "type" => "INT", "index" => "INDEX" ] ]; public function getMembers() { $this->checkSql(); $rv = []; foreach (userGroupMembership::getUsersInGroup($this, $this->sql) as $ugm) { $rv[$ugm->user->id] = $ugm->user; } return $rv; } public static function getForUser(user $user, $isList = false, ?sql $sql = null) { if (empty($sql)) { $sql = new sql(); } $ugms = userGroupMembership::getGroupsForUser($user, $sql); $rv = []; foreach ($ugms as $ugm) { if ($isList === null || ($ugm->group->isList === $isList)) { $rv[] = $ugm->group; } } return $rv; } /* * options: * isListOnly - { only - search isList only, no - search with isList = 0, both - search any}, default=no * accessRule - передается в формате access_rule_name@module. * !!! Внимание !!! в отличие от проверки прав доступа - здесь поиск по isRoot не осуществляется! * Если module отсутствует - то считается, что module ='all' * * * */ protected static function xSearch($where, $pattern, ?array $options, sql $sql) { $accessRule=(empty($options["accessRule"])?null:$options["accessRule"]); $isList=(array_key_exists("isList", $options)?$options["isList"]:false); $ruleJoin=null; $ruleWhere=null; if ($isList !== false) { $ruleWhere .= " and `i`.`isList` = " . ($isList == true ? 1 : 0); } if (empty($ruleWhere)) { $xWhere=$where; } else { $xWhere=(empty($where)?$ruleWhere:"(".$where.") AND ".$ruleWhere); } return ["where"=>$xWhere, "join"=>$ruleJoin]; } public function join(user $user) { if (empty($this->id)) { throw new \Exception("Group not saved! Save it first."); } if (array_key_exists($user->id, $this->getMembers())) { return true; } $umm = new userGroupMembership(); $umm->userId = $user->id; $umm->groupId = $this->id; $umm->save(); $user->flushACRCache(); return true; } public function left(user $user) { if (empty($this->id)) { throw new \Exception("Group not saved! Save it first."); } foreach (userGroupMembership::getUsersInGroup($this, $this->sql) as $ugm) { if ($ugm->user->id == $user->id) { $ugm->delete(); } } $user->flushACRCache(); return true; } public function isMember(user $user) { foreach (userGroupMembership::getUsersInGroup($this, $this->sql) as $ugm) { if ($ugm->user->id == $user->id) { return true; } } return false; } public function addAccessRule(string $rule, string $modInstance = "") { if (array_key_exists($modInstance, $this->accessRules) && (array_search($rule, $this->accessRules[$modInstance]) !== false)) { return true; } $this->accessRules[$modInstance][] = $rule; return true; } public function dropAccessRule(string $rule, string $modInstance = "") { if (array_key_exists($modInstance, $this->accessRules) && (($rid = array_search($rule, $this->accessRules[$modInstance])) !== false)) { unset($this->accessRules[$modInstance][$rid]); if (empty($this->accessRules[$modInstance])) { unset($this->accessRules[$modInstance]); } ; } } public static function API_GET_list(request $request) { if (! $request->user->checkAccess("adminUserGroups", "core")) { throw new foxException("Forbidden", 403); } return static::search()->result; } public static function API_POST_members(request $request) { if (! $request->user->checkAccess("adminUserGroups", "core")) { throw new foxException("Forbidden", 403); } return static::getMembers(); } public static function API_DELETE_acl(request $request) { if (! $request->user->checkAccess("adminUserGroups", "core")) { throw new foxException("Forbidden", 403); } $group = new static(common::clearInput($request->requestBody->groupId,"0-9")); $group->dropAccessRule(common::clearInput($request->requestBody->rule), common::clearInput($request->requestBody->module)); $group->save(); static::log($request->instance,__FUNCTION__, "Rule ".common::clearInput($request->requestBody->rule)."@".common::clearInput($request->requestBody->module)." removed from group ".$group->name,$request->user,"userGroup",$group->id,null,logEntry::sevInfo); foxRequestResult::throw(200, "Deleted"); } public static function API_PUT_acl(request $request) { if (! $request->user->checkAccess("adminUserGroups", "core")) { throw new foxException("Forbidden", 403); } $group = new static(common::clearInput($request->requestBody->groupId,"0-9")); $group->addAccessRule(common::clearInput($request->requestBody->rule), ($request->requestBody->forAll=="1")?"":common::clearInput($request->requestBody->module)); static::log($request->instance,__FUNCTION__, "Rule ".common::clearInput($request->requestBody->rule)."@".common::clearInput($request->requestBody->module)." added for group ".$group->name,$request->user,"userGroup",$group->id,null,logEntry::sevInfo); $group->save(); } public static function APICall(request $request) { if (! $request->user->checkAccess("adminUserGroups", "core")) { throw new foxException("Forbidden", 403); } switch ($request->method) { case "GET": if (empty($request->parameters[0])) { return new static(common::clearInput($request->function)); } else { switch ($request->parameters[0]) { case "acls": return (new static(common::clearInput($request->function)))->accessRules; break; default: throw new foxException("Method not allowed",405); } } break; case "PUT": $grName=common::clearInput($request->requestBody->name); $groups = userGroup::search($grName)->result; foreach ($groups as $group) { if (trim(strtolower($group->name))==trim(strtolower($grName))) { foxException::throw("ERR", "Already exists", 409, "GAX"); } } $group=new userGroup(); $group->name=$grName; $group->isList=$request->requestBody->isList==1; $group->save(); static::log($request->instance,__FUNCTION__, "UserGroup ".$group->name." created.",$request->user,"userGroup",$group->id,null,logEntry::sevInfo); foxRequestResult::throw(201, "Created",$group); break; case "DELETE": $group = new static(common::clearInput($request->function)); if ($group->getMembers()) { foxException::throw("ERR","Group not empty", 400,"NEG"); } $group->delete(); static::log($request->instance,__FUNCTION__, "UserGroup ".$group->name." deleted.",$request->user,"userGroup",$group->id,null,logEntry::sevInfo); throw new foxRequestResult("Deleted",200); break; default: throw new foxException("Method not allowed",405); } } } ?>