Open-Web-Analytics#577 access control (duplicate Open-Web-Analytics#288…

…) / refactorings: Open-Web-Analytics#576 Open-Web-Analytics#575

index.php

@@ -34,6 +34,7 @@
 // Initialize owa admin
 $owa = new owa_php;
 
+
 if (!$owa->isOwaInstalled()) {
 	// redirect to install
 	owa_lib::redirectBrowser(owa_coreAPI::getSetting('base','public_url').'install.php');
@@ -44,6 +45,7 @@
 	// run controller or view and echo page content
 	echo $owa->handleRequestFromURL();
 } else {
+
 	// unload owa
 	$owa->restInPeace();
 }

modules/base/apiRequest.php

@@ -55,7 +55,7 @@ function action() {
 					// doesn't look like the currentuser has the necessary priviledges
 					owa_coreAPI::debug('User does not have capability required by this controller.');
 					// auth user
-					$auth = &owa_auth::get_instance();
+					$auth = owa_auth::get_instance();
 					$status = $auth->authenticateUser();
 					// if auth was not successful then return login view.
 					if ($status['auth_status'] != true) {

modules/base/classes/installController.php

@@ -78,7 +78,7 @@ function createAdminUser($email_address, $real_name = '', $password = '') {
 		if (empty($id_check)) {
 
 			//Check to see if user name already exists
-			$u->getByColumn('user_id', 'admin');
+			$u->getByColumn('user_id', owa_user::ADMIN_USER_ID);
 
 			$id = $u->get('id');
 
@@ -89,7 +89,7 @@ function createAdminUser($email_address, $real_name = '', $password = '') {
 				if ( ! $password ) {
 					$password = $u->generateRandomPassword();
 				}
-				$ret = $u->createNewUser('admin', 'admin', $password, $email_address, $real_name);
+				$ret = $u->createNewUser('admin', owa_user::ADMIN_USER_ID, $password, $email_address, $real_name);
 				owa_coreAPI::debug("Admin user created successfully.");
 				return $password;
 

modules/base/classes/installManager.php

@@ -56,7 +56,7 @@ function createAdminUser($email_address, $real_name = '', $password = '') {
 		if (empty($id_check)) {
 
 			//Check to see if user name already exists
-			$u->getByColumn('user_id', 'admin');
+			$u->getByColumn('user_id', owa_user::ADMIN_USER_ID);
 
 			$id = $u->get('id');
 

modules/base/classes/resultSetManager.php

@@ -874,6 +874,9 @@ function applyMetaDataToSingleResultRow($row) {
 				$type = 'metric';
 				$data_type = $this->getMetric($k)->getDataType();
 			}
+			else {
+				throw new Exception($k.' is not a metric or dimension. Check the configuration!');
+			}
 
 
 

modules/base/classes/service.php

@@ -245,8 +245,10 @@ function _loadEventProcessors() {
 
 	}
 
-	function &getCurrentUser() {
-
+	/**
+	 * @return owa_serviceUser
+	 */
+	function getCurrentUser() {		
 		return $this->current_user;
 	}
 

modules/base/classes/serviceUser.php

@@ -30,8 +30,10 @@
 
 
 class owa_serviceUser extends owa_base {
-
-	var $user;
+	/**
+	 * @var owa_user
+	 */
+	public $user;
 	var $capabilities = array();
 	var $preferences = array();
 	var $is_authenticated;
@@ -55,26 +57,24 @@ function loadRelatedUserData() {
 		$this->preferences = $this->getPreferences($this->user->get('user_id'));
 		return;
 	}
-
-	function getCapabilities($role) {
-
-		$caps = owa_coreAPI::getSetting('base', 'capabilities');
-
+	/**
+	 * gets allowed capabilities for the user role
+	 * @param unknown_type $role
+	 */
+	function getCapabilities($role) {		
+		$caps = owa_coreAPI::getSetting('base', 'capabilities');		
 		if (array_key_exists($role, $caps)) {
 			return $caps[$role];
 		} else {
 			return array();
-		}
-
+		}		
 	}
 
-	function getPreferences($user_id) {
-
+	function getPreferences($user_id) {		
 		return false;
 	}
 
-	function getRole() {
-
+	function getRole() {		
 		return $this->user->get('role');
 	}
 
@@ -96,23 +96,33 @@ function getUserData($name) {
 		return $this->user->get($name);
 	}
 
-	function isCapable($cap) {
-		//owa_coreAPI::debug(print_r($this->user->getProperties(), true));
-		owa_coreAPI::debug("cap ".$cap);
-		// just in case there is no cap passed
-		if (!empty($cap)) {
-			//adding @ here as is_array throws warning that an empty array is not the right data type!
-			if (in_array($cap, $this->capabilities)) {
-				return true;
-			} else {
-				return false;
-			}
-
-		} else {
-
+	/**
+	 * Checks if user is capable to do something
+	 * @param string $cap
+	 * @param integer $currentSiteId optionel - only needed if cap is a  capabilities That Require SiteAccess. You need to pass site_id (not id) field
+	 */
+	function isCapable($cap, $siteId = null) {
+		owa_coreAPI::debug("check cap ".$cap);
+		//global admin can always everything:
+		if ($this->user->isOWAAdmin() || empty($cap)) {
 			return true;
 		}
+		if (!in_array($cap, $this->capabilities)) {
+			return false;	
+		}
 
+		$capabilitiesThatRequireSiteAccess = owa_coreAPI::getSetting('base', 'capabilitiesThatRequireSiteAccess');
+		if (is_array($capabilitiesThatRequireSiteAccess) && in_array($cap, $capabilitiesThatRequireSiteAccess)) {
+			if (is_null($siteId)) {
+				throw new InvalidArgumentException('Capability "'.$cap.'" that should be checked requires a sited - but nothing given');
+			}
+			$site = owa_coreAPI::entityFactory('base.site');			
+			$site->load($siteId,'site_id');
+			if (!$site->isUserAssigned($this->user->get('id'))) {
+				return false;
+			}
+		}
+		return true;
 	}
 
 	// mark the user as authenticated and populate their capabilities