Dev: Work on User right: work for survey_manager adding

Dev: Fixed issue: config['defaulttemplate'] by default (if user can not acces the template) Dev: No change, just move/rename some function :
LimeSurvey · Jan 11, 2013 · c64acd6 · c64acd6
1 parent 762473d
commit c64acd6
Show file tree

Hide file tree

Showing 9 changed files with 91 additions and 161 deletions.
diff --git a/application/controllers/AdminController.php b/application/controllers/AdminController.php
@@ -125,7 +125,7 @@ protected function _sessioncontrol()
         Yii::app()->setLang($this->lang);
 
         if (!empty($this->user_id))
-            $this->_GetSessionUserRights($this->user_id);
+            $this->_setSessionUserRights($this->user_id);
     }
 
     /**
@@ -221,46 +221,30 @@ public function getActionClasses()
     * Set Session User Rights
     *
     * @access public
-    * @param integer $iLoginID
-    * @return void
+    * @return boolean
     */
-    public function _GetSessionUserRights($iLoginID)
+    public function _setSessionUserRights()
     {
+        $iLoginID=Yii::app()->user->getId();
+        if(!$iLoginID)
+            return false;
         $oUser = User::model()->findByPk($iLoginID);
-
-        if (!empty($oUser))
+        if(!$oUser)
+            return false;
+        $userrights=array();
+        foreach(User::$UserRights as $right)
         {
-            Yii::app()->session['USER_RIGHT_SUPERADMIN']        = $oUser->superadmin;
-            Yii::app()->session['USER_RIGHT_CREATE_SURVEY']     = ($oUser->create_survey || $oUser->superadmin);
-            Yii::app()->session['USER_RIGHT_PARTICIPANT_PANEL'] = ($oUser->participant_panel || $oUser->superadmin);
-            Yii::app()->session['USER_RIGHT_CONFIGURATOR']      = ($oUser->configurator || $oUser->superadmin);
-            Yii::app()->session['USER_RIGHT_CREATE_USER']       = ($oUser->create_user || $oUser->superadmin);
-            Yii::app()->session['USER_RIGHT_DELETE_USER']       = ($oUser->delete_user || $oUser->superadmin);
-            Yii::app()->session['USER_RIGHT_MANAGE_TEMPLATE']   = ($oUser->manage_template || $oUser->superadmin);
-            Yii::app()->session['USER_RIGHT_MANAGE_LABEL']      = ($oUser->manage_label || $oUser->superadmin);
+            $userrights[$right]=($oUser->$right || $oUser->superadmin);
         }
-
-        // SuperAdmins
-        // * original superadmin with uid=1 unless manually changed and defined
-        //   in config-defaults.php
-        // * or any user having USER_RIGHT_SUPERADMIN right
-
-        // Let's check if I am the Initial SuperAdmin
-
-        $oUser = User::model()->findByAttributes(array('parent_id' => 0));
-
-        if (!is_null($oUser) && $oUser->uid == $iLoginID)
-            $initialSuperadmin=true;
-        else
-            $initialSuperadmin=false;
-
-        if ($initialSuperadmin === true)
+        $userrights['initialsuperadmin']=(!$oUser->parent_id);
+        // initialsuperadminare a superadmin
+        // initialsuperadmin can have less right than superadmin in session only: like old situation
+        $userrights['superadmin']=($userrights['superadmin'] || $userrights['initialsuperadmin']);
+        foreach($userrights as $right=>$value)
         {
-            Yii::app()->session['USER_RIGHT_SUPERADMIN'] = 1;
-            Yii::app()->session['USER_RIGHT_INITIALSUPERADMIN'] = 1;
+            Yii::app()->session['USER_RIGHT_'.strtoupper($right)]=($value)? 1:0;
         }
-        else
-            Yii::app()->session['USER_RIGHT_INITIALSUPERADMIN'] = 0;
+        return true;
     }
 
     /**

diff --git a/application/controllers/admin/authentication.php b/application/controllers/admin/authentication.php
@@ -46,7 +46,7 @@ public function index()
                 {
                     Failed_login_attempts::model()->deleteAttempts();
 
-                    $this->getController()->_GetSessionUserRights(Yii::app()->session['loginID']);
+                    $this->getController()->_setSessionUserRights();
                     Yii::app()->session['just_logged_in'] = true;
                     Yii::app()->session['loginsummary'] = $this->_getSummary();
                     $this->_doRedirect();

diff --git a/application/controllers/admin/remotecontrol.php b/application/controllers/admin/remotecontrol.php
@@ -2369,7 +2369,7 @@ protected function _jumpStartSession($username)
             Yii::app()->session[$k] = $v;
         Yii::app()->user->setId($aUserData['uid']);
 
-        $this->controller->_GetSessionUserRights($aUserData['uid']);
+        $this->controller->_setSessionUserRights();
         return true;
     }
 

diff --git a/application/controllers/admin/surveyadmin.php b/application/controllers/admin/surveyadmin.php
@@ -1523,7 +1523,7 @@ function insert($iSurveyID=null)
             $sTemplate = $_POST['template'];
             if (!$sTemplate || (Yii::app()->session['USER_RIGHT_SUPERADMIN'] != 1 && Yii::app()->session['USER_RIGHT_MANAGE_TEMPLATE'] != 1 && !hasTemplateManageRights(Yii::app()->session['loginID'], $_POST['template'])))
             {
-                $sTemplate = "default";
+                $sTemplate = Yii::app()->getConfig('defaulttemplate');
             }
 
             Yii::app()->loadHelper("surveytranslator");

diff --git a/application/controllers/admin/useraction.php b/application/controllers/admin/useraction.php
@@ -110,13 +110,6 @@ function adduser()
                 $sresult = User::model()->getAllRecords(array('uid' => $iNewUID));
                 $srow = count($sresult);
 
-                $userlist = getUserList();
-                array_push($userlist, array("user" => $srow['users_name'], "uid" => $srow['uid'], "email" => $srow['email'],
-                "password" => $srow["password"], "parent_id" => $srow['parent_id'], // "level"=>$level,
-                "create_survey" => $srow['create_survey'], "participant_panel" => $srow['participant_panel'], "configurator" => $srow['configurator'], "create_user" => $srow['create_user'],
-                "delete_user" => $srow['delete_user'], "superadmin" => $srow['superadmin'], "manage_template" => $srow['manage_template'],
-                "manage_label" => $srow['manage_label']));
-
                 // send Mail
                 $body = sprintf($clang->gT("Hello %s,"), $new_full_name) . "<br /><br />\n";
                 $body .= sprintf($clang->gT("this is an automated email to notify that a user has been created for you on the site '%s'."), Yii::app()->getConfig("sitename")) . "<br /><br />\n";
@@ -466,67 +459,24 @@ function userrights()
             $sresult = User::model()->findAllByAttributes(array('uid' => $postuserid, 'parent_id' => Yii::app()->session['loginID']));
             $sresultcount = count($sresult);
 
-            if (Yii::app()->session['USER_RIGHT_SUPERADMIN'] != 1 && $sresultcount > 0) { // Not Admin, just a user with childs
-                $rights = array();
-
-                $rights['create_survey'] = (isset($_POST['create_survey']) && Yii::app()->session['USER_RIGHT_CREATE_SURVEY'])
-                ? 1 : 0;
-                $rights['configurator'] = (isset($_POST['configurator']) && Yii::app()->session['USER_RIGHT_CONFIGURATOR'])
-                ? 1 : 0;
-                $rights['create_user'] = (isset($_POST['create_user']) && Yii::app()->session['USER_RIGHT_CREATE_USER'])
-                ? 1 : 0;
-                $rights['participant_panel'] = (isset($_POST['participant_panel']) && Yii::app()->session['USER_RIGHT_PARTICIPANT_PANEL'])
-                ? 1 : 0;
-                $rights['delete_user'] = (isset($_POST['delete_user']) && Yii::app()->session['USER_RIGHT_DELETE_USER'])
-                ? 1 : 0;
-                $rights['manage_template'] = (isset($_POST['manage_template']) && Yii::app()->session['USER_RIGHT_MANAGE_TEMPLATE'])
-                ? 1 : 0;
-                $rights['manage_label'] = (isset($_POST['manage_label']) && Yii::app()->session['USER_RIGHT_MANAGE_LABEL'])
-                ? 1 : 0;
-
-                $rights['superadmin'] = 0; // ONLY Initial Superadmin can give this right
-
-                if ($postuserid != 1)
-                    setUserRights($postuserid, $rights);
-            }
-            elseif (Yii::app()->session['USER_RIGHT_SUPERADMIN'] == 1)
-            {
+            if ($sresultcount > 0 || User::GetUserRights('superadmin')) 
+            { // User (non super admin) can not modifiy other admin created user
+                $thisUserRights=User::GetUserRights();
+                $thisUserRights['superadmin']=$thisUserRights['initialsuperadmin'];
                 $rights = array();
-
-                // Only Initial Superadmin can give this right
-                if (isset($_POST['superadmin'])) {
-                    // Am I original Superadmin ?
-                    // Initial SuperAdmin has parent_id == 0
-                    $adminresult = User::model()->getuidfromparentid('0');
-                    $row = $adminresult;
-                    if ($row['uid'] == Yii::app()->session['loginID']) // it's the original superadmin !!!
-                    {
-                        $rights['superadmin'] = 1;
-                    }
-                    else
-                    {
-                        $rights['superadmin'] = 0;
-                    }
-                }
-                else
+                foreach($thisUserRights as $userRight => $thisUserRight)
                 {
-                    $rights['superadmin'] = 0;
+                    $rights[$userRight]=(isset($_POST[$userRight]) && $thisUserRight) ? 1 : 0;
                 }
+                $rights['superadmin'] = ($rights['superadmin'] && $thisUserRights['initialsuperadmin']) ? 1 : 0; // ONLY Initial Superadmin can give this right
 
-                $rights['create_survey'] = (isset($_POST['create_survey']) || $rights['superadmin']) ? 1 : 0;
-                $rights['configurator'] = (isset($_POST['configurator']) || $rights['superadmin']) ? 1 : 0;
-                $rights['create_user'] = (isset($_POST['create_user']) || $rights['superadmin']) ? 1 : 0;
-                $rights['participant_panel'] = (isset($_POST['participant_panel']) || $rights['superadmin']) ? 1 : 0;
-                $rights['delete_user'] = (isset($_POST['delete_user']) || $rights['superadmin']) ? 1 : 0;
-                $rights['manage_template'] = (isset($_POST['manage_template']) || $rights['superadmin']) ? 1 : 0;
-                $rights['manage_label'] = (isset($_POST['manage_label']) || $rights['superadmin']) ? 1 : 0;
 
-                setUserRights($postuserid, $rights);
+                if (!User::GetUserRights('initialsuperadmin',$postuserid))// This can not be happened
+                    User::setUserRights($postuserid, $rights);
             }
             else
             {
-                echo accessDenied('userrights');
-                die();
+                $aViewUrls['mboxwithredirect'][] = $this->_messageBoxWithRedirect($clang->gT("Set user permissions"), $clang->gT("You are not allowed to change this user permissions!"), 'warningheader');
             }
             $aViewUrls['mboxwithredirect'][] = $this->_messageBoxWithRedirect($clang->gT("Set user permissions"), $clang->gT("User permissions were updated successfully."), 'successheader');
         }

diff --git a/application/core/UserIdentity.php b/application/core/UserIdentity.php
@@ -26,7 +26,7 @@ class UserIdentity extends CUserIdentity
     * @return bool
     */
     public function authenticate($sOneTimePassword='')
-    {    
+    {
         if (Yii::app()->getConfig("auth_webserver")==false || $this->username != "")         
         {
             $user = User::model()->findByAttributes(array('users_name' => $this->username));

diff --git a/application/helpers/common_helper.php b/application/helpers/common_helper.php
@@ -291,15 +291,8 @@ function hasGlobalPermission($sPermission)
 {
     if (!Yii::app()->user->getIsGuest()) $iUID = !Yii::app()->user->getId();
     else return false;
-    if (Yii::app()->session['USER_RIGHT_SUPERADMIN']==1) return true; //Superadmin has access to all
-    if (Yii::app()->session[$sPermission]==1)
-    {
-        return true;
-    }
-    else
-    {
-        return false;
-    }
+    $sPermission=substr($sPermission,11);// Remove "USER_RIGHT_"
+    return User::GetUserRights($sPermission);
 
 }
 
@@ -1027,16 +1020,7 @@ function getUserList($outputformat='fullinfoarray')
     {
         if (isset($myuid))
         {
-            $sDatabaseType = Yii::app()->db->getDriverName();
-            if ($sDatabaseType=='mssql' || $sDatabaseType=="sqlsrv")
-            {
-                $sSelectFields = 'users_name,uid,email,full_name,parent_id,create_survey,participant_panel,configurator,create_user,delete_user,superadmin,manage_template,manage_label,CAST(password as varchar) as password';
-            }
-            else
-            {
-                $sSelectFields = 'users_name,uid,email,full_name,parent_id,create_survey,participant_panel,configurator,create_user,delete_user,superadmin,manage_template,manage_label,password';
-            }
-
+            $sSelectFields = 'users_name,uid,email,full_name,parent_id';
             // List users from same group as me + all my childs
             // a subselect is used here because MSSQL does not like to group by text
             // also Postgres does like this one better
@@ -1080,11 +1064,11 @@ function getUserList($outputformat='fullinfoarray')
         {
             if ($srow['uid'] != Yii::app()->session['loginID'])
             {
-                $userlist[] = array("user"=>$srow['users_name'], "uid"=>$srow['uid'], "email"=>$srow['email'], "password"=>$srow['password'], "full_name"=>$srow['full_name'], "parent_id"=>$srow['parent_id'], "create_survey"=>$srow['create_survey'], "participant_panel"=>$srow['participant_panel'], "configurator"=>$srow['configurator'], "create_user"=>$srow['create_user'], "delete_user"=>$srow['delete_user'], "superadmin"=>$srow['superadmin'], "manage_template"=>$srow['manage_template'], "manage_label"=>$srow['manage_label']);           //added by Dennis modified by Moses
+                $userlist[] = array("user"=>$srow['users_name'], "uid"=>$srow['uid'], "email"=>$srow['email'], "full_name"=>$srow['full_name'], "parent_id"=>$srow['parent_id']);
             }
             else
             {
-                $userlist[0] = array("user"=>$srow['users_name'], "uid"=>$srow['uid'], "email"=>$srow['email'], "password"=>$srow['password'], "full_name"=>$srow['full_name'], "parent_id"=>$srow['parent_id'], "create_survey"=>$srow['create_survey'],"participant_panel"=>$srow['participant_panel'], "configurator"=>$srow['configurator'], "create_user"=>$srow['create_user'], "delete_user"=>$srow['delete_user'], "superadmin"=>$srow['superadmin'], "manage_template"=>$srow['manage_template'], "manage_label"=>$srow['manage_label']);
+                $userlist[0] = array("user"=>$srow['users_name'], "uid"=>$srow['uid'], "email"=>$srow['email'], "full_name"=>$srow['full_name'], "parent_id"=>$srow['parent_id']);
             }
         }
         else
@@ -2000,17 +1984,7 @@ function hasFileUploadQuestion($surveyid) {
 */
 function setUserRights($uid, $rights)
 {
-    $uid=sanitize_int($uid);
-    $updates = "create_survey=".$rights['create_survey']
-    . ", create_user=".$rights['create_user']
-    . ", participant_panel=".$rights['participant_panel']
-    . ", delete_user=".$rights['delete_user']
-    . ", superadmin=".$rights['superadmin']
-    . ", configurator=".$rights['configurator']
-    . ", manage_template=".$rights['manage_template']
-    . ", manage_label=".$rights['manage_label'];
-    $uquery = "UPDATE {{users}} SET ".$updates." WHERE uid = ".$uid;
-    return dbSelectLimitAssoc($uquery);     //Checked
+    User::model()->setUserRights($uid, $rights);
 }
 
 /**
@@ -6333,15 +6307,15 @@ function getSurveyUserList($bIncludeOwner=true, $bIncludeSuperAdmins=true,$surve
         $authorizedUsersList = getUserList('onlyuidarray');
     }
 
-        foreach($aSurveyIDResult as $sv)
+    foreach($aSurveyIDResult as $sv)
+    {
+        if (Yii::app()->getConfig('usercontrolSameGroupPolicy') == false ||
+        in_array($sv['uid'],$authorizedUsersList))
         {
-            if (Yii::app()->getConfig('usercontrolSameGroupPolicy') == false ||
-            in_array($sv['uid'],$authorizedUsersList))
-            {
-                $surveyselecter .= "<option";
-                $surveyselecter .=" value='{$sv['uid']}'>{$sv['users_name']} {$sv['full_name']}</option>\n";
-            }
+            $surveyselecter .= "<option";
+            $surveyselecter .=" value='{$sv['uid']}'>{$sv['users_name']} {$sv['full_name']}</option>\n";
         }
+    }
     if (!isset($svexist)) {$surveyselecter = "<option value='-1' selected='selected'>".$clang->gT("Please choose...")."</option>\n".$surveyselecter;}
     else {$surveyselecter = "<option value='-1'>".$clang->gT("None")."</option>\n".$surveyselecter;}
 

diff --git a/application/models/User.php b/application/models/User.php
@@ -65,9 +65,17 @@ public function primaryKey()
     */
     public function rules()
     {
-        return array(
-        array('users_name, password, email, full_name', 'required'),
-        array('email', 'email'),
+        $rightRules=array();
+        foreach(self::$UserRights as $right)
+        {
+            $rightRules[]=array($right,'boolean', 'falseValue'=>0,'trueValue'=>1,'strict'=>false,'allowEmpty'=>true);
+        }
+        return array_merge ( 
+        array(
+            array('users_name, password, email, full_name', 'required'),
+            array('email', 'email'),
+        ),
+        $rightRules
         );
     }
 
@@ -278,6 +286,33 @@ public function getCommonUID($surveyid, $postusergroupid)
         return Yii::app()->db->createCommand($query2)->bindParam(":surveyid", $surveyid, PDO::PARAM_INT)->bindParam(":postugid", $postusergroupid, PDO::PARAM_INT)->query(); //Checked
     }
 
+     /**
+    * Set the user rights
+    *
+    * @access public
+    * @return boolean
+    */
+    public static function setUserRights($iUserID, $rights=array())
+    {
+        $iUserID= (int)$iUserID;
+        $oUser=self::model()->findByPk($iUserID);
+        if(!$oUser)
+            return false
+        foreach($rights as $right=>$value)
+        {
+            if(in_array($right,self::$UserRights))
+                $oUser->$right=$value;
+        }
+        if ($oUser->save())
+        {
+            return true;
+        }
+        else
+        {
+            return false;
+        }
+    }
+
     /**
     * Returns global user rights 
     * By default the right of the login user
@@ -291,16 +326,17 @@ public function getCommonUID($surveyid, $postusergroupid)
     */
     public static function GetUserRights($user_right=false,$userid=false)
     {
-        // If right and right is in session, return actual session 
-        if( $user_right && (!$userid || $userid==Yii::app()->session['loginID']) && isset(Yii::app()->session['USER_RIGHT_'.strtoupper($user_right)]))
-        {
-            return Yii::app()->session['USER_RIGHT_'.strtoupper($user_right)];
-        }
-        // if not userid, set to the actual session userid
+
         if(!$userid)
         {
             $userid=Yii::app()->session['loginID'];
         }
+        // If right and right is in session, return actual session
+        if( $user_right && $userid==Yii::app()->session['loginID'] && isset(Yii::app()->session['USER_RIGHT_'.strtoupper($user_right)]))
+        {
+            return Yii::app()->session['USER_RIGHT_'.strtoupper($user_right)];
+        }
+
         $user=self::model()->findByPk($userid);
         // is $user_right, return the corresponding attribute
         if($user_right)
@@ -322,20 +358,6 @@ public static function GetUserRights($user_right=false,$userid=false)
         }
         $userrights['initialsuperadmin']=(!$user->parent_id);
         $userrights['superadmin']=($userrights['superadmin'] || $userrights['initialsuperadmin']);
-        // Fill the session var ?
-        // Can not happened actually, because USER_RIGHT_INITIALSUPERADMIN is set in AdminController
-        if($userid==Yii::app()->session['loginID'] && !isset(Yii::app()->session['USER_RIGHT_INITIALSUPERADMIN']))
-        {
-            foreach($userrights as $right->$value)
-            {
-                if(!isset(Yii::app()->session['USER_RIGHT_'.strtoupper($right)]))
-                {
-                    Yii::app()->session['USER_RIGHT_'.strtoupper($right)]=$value;
-                }
-            }
-        }
         return $userrights;
-
     }
-
 }