Open-Web-Analytics#577 access control - improve implementation and ad…

…d access control for displaying navigation entries
jmturner · Jan 13, 2012 · eaa3a57 · eaa3a57
1 parent b26123a
commit eaa3a57
Show file tree

Hide file tree

Showing 13 changed files with 46 additions and 39 deletions.
diff --git a/modules/base/logout.php b/modules/base/logout.php
@@ -35,10 +35,10 @@ class owa_logoutController extends owa_controller {
 
 	function action() {
 
-		$auth = &owa_auth::get_instance();
+		$auth = owa_auth::get_instance();
 		$auth->deleteCredentials();
 		$this->setRedirectAction('base.loginForm');
 	}
 }
 
-?>
+?>
diff --git a/modules/base/report.php b/modules/base/report.php
@@ -66,6 +66,8 @@ function render($data) {
 
 		// Set navigation
 		$this->body->set('top_level_report_nav', $this->get('top_level_report_nav'));
+		$this->body->set('currentSiteId', $this->get('currentSiteId'));
+
 
 		// load body template
 		$this->body->set_template('report.tpl');
@@ -100,6 +102,7 @@ function render($data) {
 		$this->setCss("base/css/owa.report.css");
 		$this->setCss('base/css/ui.jqgrid.css');
 		$this->setCss('base/css/chosen/chosen.css');
+
 	}
 
 	/**

diff --git a/modules/base/sites.php b/modules/base/sites.php
@@ -42,7 +42,7 @@ function __construct($params) {
 	function action() {
 
 		$s = owa_coreAPI::entityFactory('base.site');
-		$sites = $this->getAllowedSitesForCurrentUserAndControllerCap();		
+		$sites = $this->getSitesAllowedForCurrentUser();		
 		$this->set('tracked_sites', $sites);
 		$this->setSubview('base.sites');
 		$this->setView('base.options');

diff --git a/modules/base/templates/report.tpl b/modules/base/templates/report.tpl
@@ -26,7 +26,7 @@ jQuery(document).ready(function(){
 			<TD valign="top" class="owa_reportLeftNavColumn">
 				<div class="reportSectionContainer">
 					<div id="owa_reportNavPanel">
-						<?php echo $this->makeNavigationMenu($top_level_report_nav);?>
+						<?php echo $this->makeNavigationMenu($top_level_report_nav, $currentSiteId);?>
 					</div>
 				</div>			
 			</TD>

diff --git a/modules/base/templates/report_nav.tpl b/modules/base/templates/report_nav.tpl
@@ -2,6 +2,7 @@
 
 	<UL>
 		<?php foreach ($links as $kl => $l): ?>
+		<?php if (!$this->getCurrentUser()->isCapable($l['priviledge'], $currentSiteId)) continue; ?>
 		<LI>
 			<div class="owa_admin_nav_topmenu">
 
@@ -18,6 +19,7 @@
 				<div id="owa_admin_nav_subgroup_<?php echo $kl;?>" class="owa_admin_nav_subgroup">
 					<UL>
 						<?php foreach ($l['subgroup'] as $sgl): ?>
+						<?php if (!$this->getCurrentUser()->isCapable($sgl['priviledge'], $currentSiteId)) continue; ?>
 						<LI>
 							<div class="owa_admin_nav_subgroup_item">
 								<a href="<?php echo $this->makeLink(array('do' => $sgl['ref']), true);?>"><?php echo $sgl['anchortext'];?></a>

diff --git a/modules/base/templates/wrapper_default.tpl b/modules/base/templates/wrapper_default.tpl
@@ -1,5 +1,5 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
+<?php $cu = $this->getCurrentUser(); ?>
 <html xmlns="http://www.w3.org/1999/xhtml">
 
 	<head>
@@ -9,7 +9,7 @@
 		<?php include($this->getTemplatePath('base','css.tpl'));?>
 	</head>
 
-	<body>
+	<body class="<?php if ($cu->user->isOWAAdmin()) echo 'owaadmin'; ?>">
 		<style>
 			html {background-color: #F2F2F2;}
 		</style>

diff --git a/modules/hello/module.php b/modules/hello/module.php
@@ -64,18 +64,9 @@ function registerAdminPanels() {
 
 	}
 
-	function registerNavigation() {
-
-		/*$this->addNavigationLink(array('view' 			=> 'base.reportDocument', 
-										'nav_name'		=> 'subnav',
-										'ref'			=> 'base.reportClicks',
-										'priviledge' 	=> 'viewer', 
-										'anchortext' 	=> 'Click Map Report',
-										'order'			=> 1));
-		
-		*/
-
-		return;
+	public function registerNavigation() {
+		$this->addNavigationSubGroup('Hello World', 'hello.reportDashboard', 'Hello Dashboard');
+		$this->addNavigationLinkInSubGroup('Hello World','hello.reportSearchterms','also to the dashboard',1);
 
 	}
 

diff --git a/owa_base.php b/owa_base.php
@@ -49,7 +49,7 @@ class owa_base {
 	/**
 	 * Configuration Entity
 	 * 
-	 * @var Object global configuration object
+	 * @var owa_settings  Object global configuration object
 	 */
 	var $c;
 

diff --git a/owa_controller.php b/owa_controller.php
@@ -524,9 +524,13 @@ function setStatusMsg($msg) {
 		$this->data['status_message'] = $msg;
 	}
 
-	function authenticatedButNotCapableAction($additionalMessage = '') {
+	function authenticatedButNotCapableAction($additionalMessage = '') {		
 		if ( empty($additionalMessage) ) {
-			$additionalMessage = '('.$this->getRequiredCapability().' / '.$this->getCurrentSiteId() .')';
+			$siteIdMsg = $this->getCurrentSiteId();
+			if ( empty ($siteIdMsg) ) {
+				$siteIdMsg = 'No access to any site for the permission "'.$this->getRequiredCapability().'"';
+			}
+			$additionalMessage = $siteIdMsg;
 		}
 		$this->setView('base.error');
 		$this->set('error_msg', $this->getMsg(2003).' '.$additionalMessage);
@@ -567,39 +571,42 @@ function getSetting($module, $name) {
 
 
 	/**
+	 * Returns array of owa_site entities where the current user has access to, taken the current controller cap into account 
 	 * @return array
 	 */
-	protected function getAllowedSitesForCurrentUserAndControllerCap() {
+	protected function getSitesAllowedForCurrentUser() {
 		$currentUser = owa_coreAPI::getCurrentUser();
 		$allSites = owa_coreAPI::getSitesList();
 		$allowedSites=array();
 		foreach ($allSites as $siteRow) {
-			if ($currentUser->isCapable($this->capability,$siteRow['site_id'])) {
-				$site = owa_coreAPI::entityFactory('base.site');
-				$site->load($siteRow['id']);
+			$site = owa_coreAPI::entityFactory('base.site');
+			$site->load($siteRow['id']);
+			if ($site->isUserAssigned($currentUser->user->get('id'))) {
 				$allowedSites[$siteRow['site_id']] = $site;
 			}
 		}
 		return $allowedSites;
 	}
+
 	/**
 	 * gets the siteid taking the site access permissions into account
 	 * If not a typical siteId parameter is set or user lacks permission, the first availabe site is used
 	 * 
 	 * @return string or false if no site access
 	 */
 	protected function getCurrentSiteId() {
-		$allowedSites = $this->getAllowedSitesForCurrentUserAndControllerCap();
+		$allowedSites = $this->getSitesAllowedForCurrentUser();
 		$siteParameterValue = $this->getSiteIdParameterValue();
 
 		// set siteId from Request if set
 		if ( $siteParameterValue !== false && isset($allowedSites[$siteParameterValue])) {
 			return $siteParameterValue;
 		}
-		elseif (isset($allowedSites[0])) {
+		elseif ( current($allowedSites) instanceof owa_site) {
 			//set default
-			return $allowedSites[0]->get('site_id');
+			return current($allowedSites)->get('site_id');
 		}
+
 		return false;
 	}
 

diff --git a/owa_coreAPI.php b/owa_coreAPI.php
@@ -32,7 +32,6 @@
 
 class owa_coreAPI {
 
-	const OWA_ROLE_VIEWER = 'viewer';
 
 	// @depricated
 	// @todo remove
@@ -675,6 +674,8 @@ public static function getGroupNavigation($group_name, $sortby ='order') {
 
 						if (array_key_exists($group, $links)) {
 
+
+
 							// check to see if link is already present in the main array
 							if (array_key_exists($link['anchortext'], $links[$group])) {
 								// merge various elements?? not now.

diff --git a/owa_module.php b/owa_module.php
@@ -387,12 +387,12 @@ function addAdminPanel($panel) {
 	 * Registers Group Link with a particular View
 	 * @DEPRICATED - use addNavigationSubGroup and addNavigationLinkInSubGroup
 	 */
-	function addNavigationLink($group, $subgroup = '', $ref, $anchortext, $order = 0, $priviledge = 'viewer') {
+	function addNavigationLink($group, $subgroup = '', $ref, $anchortext, $order = 0, $priviledge = 'view_reports') {
 
 		if (!empty($subgroup)):
-			$this->addNavigationLinkInSubGroup($subgroup,$ref, $anchortext, $order = 0, $priviledge = 'viewer',$group);
+			$this->addNavigationLinkInSubGroup($subgroup,$ref, $anchortext, $order = 0, $priviledge ,$group);
 		else:
-			$this->addNavigationSubGroup($anchortext,$ref, $anchortext, $order = 0, $priviledge = 'viewer',$group);		
+			$this->addNavigationSubGroup($anchortext,$ref, $anchortext, $order = 0, $priviledge ,$group);		
 		endif;
 
 		return;
@@ -408,7 +408,7 @@ function addNavigationLink($group, $subgroup = '', $ref, $anchortext, $order = 0
 	 * @param string $priviledge
 	 * @param string $groupName
 	 */
-	public function addNavigationSubGroup($subgroupName, $ref, $anchortext, $order = 0, $priviledge = owa_coreAPI::OWA_ROLE_VIEWER, $groupName = 'Reports') {		
+	public function addNavigationSubGroup($subgroupName, $ref, $anchortext, $order = 0, $priviledge = 'view_reports', $groupName = 'Reports') {		
 		$this->nav_links[$groupName][$subgroupName] = $this->getLinkStruct($ref, $anchortext, $order,$priviledge);
 	}
 
@@ -422,7 +422,7 @@ public function addNavigationSubGroup($subgroupName, $ref, $anchortext, $order =
 	 * @param string $priviledge
 	 * @param string $groupName
 	 */
-	public function addNavigationLinkInSubGroup($subgroupName, $ref, $anchortext, $order = 0, $priviledge = owa_coreAPI::OWA_ROLE_VIEWER, $groupName = 'Reports') {	
+	public function addNavigationLinkInSubGroup($subgroupName, $ref, $anchortext, $order = 0, $priviledge = 'view_reports', $groupName = 'Reports') {	
 		if (!isset($this->nav_links[$groupName][$subgroupName]) || !is_array($this->nav_links[$groupName][$subgroupName])) {
 			throw new Exception('Subgroup "'.$subgroupName.'" is not existend - add Subgroup first with addNavigationSubGroup ');
 		}

diff --git a/owa_reportController.php b/owa_reportController.php
@@ -41,7 +41,7 @@ class owa_reportController extends owa_adminController {
 	 */
 	function __construct($params) {	
 		$this->setControllerType('report');
-		$this->_setCapability('view_reports');
+		$this->setRequiredCapability('view_reports');
 		return parent::__construct($params);
 	}
 
@@ -53,7 +53,7 @@ function __construct($params) {
 	 */
 	function pre() {
 
-		$this->set('sites', $this->getAllowedSitesForCurrentUserAndControllerCap());
+		$this->set('sites', $this->getSitesAllowedForCurrentUser());
 		$this->setParam('siteId', $this->getCurrentSiteId());
 		// pass full set of params to view
 		$this->data['params'] = $this->params;
@@ -143,7 +143,8 @@ function pre() {
 			unset($nav['Ecommerce']);
 		}
 
-		$this->set('top_level_report_nav', $nav);
+		$this->set('top_level_report_nav', $nav);		
+		$this->set('currentSiteId', $this->getCurrentSiteId());
 
 	}
 

diff --git a/owa_template.php b/owa_template.php
@@ -783,12 +783,14 @@ function substituteValue($string, $var_name) {
 		}
 	}
 
-	function makeNavigationMenu($links) {
+	function makeNavigationMenu($links, $currentSiteId) {
 
-		if (!empty($links)) {
+		if (!empty($links) && !empty($currentSiteId)) {
 
 			$t = new owa_template;
 			$t->set('links', $links);
+			$t->set('currentSiteId', $currentSiteId);
+
 			$t->caller_params['link_state'] = $this->caller_params['link_state'];
 			$t->set_template('report_nav.tpl');
 			return $t->fetch();
-Original file line number
+Diff line change
@@ Expand Up / @@ -49,7 +49,7 @@ class owa_base { @@
     	/**
     	 * Configuration Entity
     	 *
-    	 * @var Object global configuration object
+    	 * @var owa_settings  Object global configuration object
     	 */
     	var $c;
@@ Expand Down @@