Improved the getActions helper Method, to insure created_by value gets loaded if not part of the item values, gh-335.

This commit is contained in:
Llewellyn van der Merwe 2018-09-14 05:34:09 +02:00
parent a20d661878
commit e200e2179d
No known key found for this signature in database
GPG Key ID: CAD7B16D27AF28C5
7 changed files with 443 additions and 575 deletions

View File

@ -125,11 +125,11 @@ Watch the [proposed development workflow](https://vdm.bz/proposed-development-wo
+ *Author*: [Llewellyn van der Merwe](mailto:llewellyn@joomlacomponentbuilder.com) + *Author*: [Llewellyn van der Merwe](mailto:llewellyn@joomlacomponentbuilder.com)
+ *Name*: [Component Builder](https://github.com/vdm-io/Joomla-Component-Builder) + *Name*: [Component Builder](https://github.com/vdm-io/Joomla-Component-Builder)
+ *First Build*: 30th April, 2015 + *First Build*: 30th April, 2015
+ *Last Build*: 13th September, 2018 + *Last Build*: 14th September, 2018
+ *Version*: 2.9.0 + *Version*: 2.9.0
+ *Copyright*: Copyright (C) 2015 - 2018 Vast Development Method. All rights reserved. + *Copyright*: Copyright (C) 2015 - 2018 Vast Development Method. All rights reserved.
+ *License*: GNU General Public License version 2 or later; see LICENSE.txt + *License*: GNU General Public License version 2 or later; see LICENSE.txt
+ *Line count*: **193128** + *Line count*: **193084**
+ *Field count*: **1081** + *Field count*: **1081**
+ *File count*: **1273** + *File count*: **1273**
+ *Folder count*: **201** + *Folder count*: **201**

View File

@ -125,11 +125,11 @@ Watch the [proposed development workflow](https://vdm.bz/proposed-development-wo
+ *Author*: [Llewellyn van der Merwe](mailto:llewellyn@joomlacomponentbuilder.com) + *Author*: [Llewellyn van der Merwe](mailto:llewellyn@joomlacomponentbuilder.com)
+ *Name*: [Component Builder](https://github.com/vdm-io/Joomla-Component-Builder) + *Name*: [Component Builder](https://github.com/vdm-io/Joomla-Component-Builder)
+ *First Build*: 30th April, 2015 + *First Build*: 30th April, 2015
+ *Last Build*: 13th September, 2018 + *Last Build*: 14th September, 2018
+ *Version*: 2.9.0 + *Version*: 2.9.0
+ *Copyright*: Copyright (C) 2015 - 2018 Vast Development Method. All rights reserved. + *Copyright*: Copyright (C) 2015 - 2018 Vast Development Method. All rights reserved.
+ *License*: GNU General Public License version 2 or later; see LICENSE.txt + *License*: GNU General Public License version 2 or later; see LICENSE.txt
+ *Line count*: **193128** + *Line count*: **193084**
+ *Field count*: **1081** + *Field count*: **1081**
+ *File count*: **1273** + *File count*: **1273**
+ *Folder count*: **201** + *Folder count*: **201**

View File

@ -301,183 +301,127 @@ abstract class ###Component###Helper
} }
/** /**
* Get the actions permissions * Get the action permissions
*
* @param string $view The related view name
* @param int $record The item to act upon
* @param string $views The related list view name
*
* @return object The JObject of permission/authorised actions
*
**/ **/
public static function getActions($view,&$record = null,$views = null) public static function getActions($view, &$record = null, $views = null)
{ {
jimport('joomla.access.access'); // get the user object
$user = JFactory::getUser(); $user = JFactory::getUser();
// load the JObject
$result = new JObject; $result = new JObject;
// make view name safe (just incase)
$view = self::safeString($view); $view = self::safeString($view);
if (self::checkString($views)) if (self::checkString($views))
{ {
$views = self::safeString($views); $views = self::safeString($views);
} }
// get all actions from component // get all actions from component
$actions = JAccess::getActions('com_###component###', 'component'); $actions = JAccess::getActionsFromFile(
// set acctions only set in component settiongs JPATH_ADMINISTRATOR . '/components/com_###component###/access.xml',
$componentActions = array('core.admin','core.manage','core.options','core.export'); "/access/section[@name='component']/"
);
// if non found then return empty JObject
if (empty($actions))
{
return $result;
}
// get created by if not found
if (self::checkObject($record) && !isset($record->created_by) && isset($record->id))
{
$record->created_by = self::getVar($view, 'id', $record->id, 'created_by');
}
// set actions only set in component settings
$componentActions = array('core.admin', 'core.manage', 'core.options', 'core.export');
// loop the actions and set the permissions // loop the actions and set the permissions
foreach ($actions as $action) foreach ($actions as $action)
{ {
// set to use component default // set to use component default
$fallback= true; $fallback = true;
if (self::checkObject($record) && isset($record->id) && $record->id > 0 && !in_array($action->name,$componentActions)) // reset permission per/action
$permission = false;
$catpermission = false;
// set area
$area = 'comp';
// check if the record has an ID and the action is item related (not a component action)
if (self::checkObject($record) && isset($record->id) && $record->id > 0 && !in_array($action->name, $componentActions) &&
(strpos($action->name, 'core.') !== false || strpos($action->name, $view . '.') !== false))
{ {
// we are in item
$area = 'item';
// The record has been set. Check the record permissions. // The record has been set. Check the record permissions.
$permission = $user->authorise($action->name, 'com_###component###.'.$view.'.' . (int) $record->id); $permission = $user->authorise($action->name, 'com_###component###.' . $view . '.' . (int) $record->id);
if (!$permission) // TODO removed && !is_null($permission) // if no permission found, check edit own
if (!$permission)
{ {
if ($action->name == 'core.edit' || $action->name == $view.'.edit') // With edit, if the created_by matches current user then dig deeper.
if (($action->name === 'core.edit' || $action->name === $view . '.edit') && $record->created_by > 0 && ($record->created_by == $user->id))
{ {
if ($user->authorise('core.edit.own', 'com_###component###.'.$view.'.' . (int) $record->id)) // the correct target
{ $coreCheck = (array) explode('.', $action->name);
// If the owner matches 'me' then allow. // check that we have both local and global access
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id)) if ($user->authorise($coreCheck[0] . '.edit.own', 'com_###component###.' . $view . '.' . (int) $record->id) &&
$user->authorise($coreCheck[0] . '.edit.own', 'com_###component###'))
{ {
// allow edit
$result->set($action->name, true); $result->set($action->name, true);
// set not to use component default // set not to use global default
$fallback= false; // because we already validated it
$fallback = false;
} }
else else
{ {
// do not allow edit
$result->set($action->name, false); $result->set($action->name, false);
// set not to use component default $fallback = false;
$fallback= false;
}
}
elseif ($user->authorise($view.'edit.own', 'com_###component###.'.$view.'.' . (int) $record->id))
{
// If the owner matches 'me' then allow.
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
{
$result->set($action->name, true);
// set not to use component default
$fallback= false;
}
else
{
$result->set($action->name, false);
// set not to use component default
$fallback= false;
}
}
elseif ($user->authorise('core.edit.own', 'com_###component###'))
{
// If the owner matches 'me' then allow.
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
{
$result->set($action->name, true);
// set not to use component default
$fallback= false;
}
else
{
$result->set($action->name, false);
// set not to use component default
$fallback= false;
}
}
elseif ($user->authorise($view.'edit.own', 'com_###component###'))
{
// If the owner matches 'me' then allow.
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
{
$result->set($action->name, true);
// set not to use component default
$fallback= false;
}
else
{
$result->set($action->name, false);
// set not to use component default
$fallback= false;
}
} }
} }
} }
elseif (self::checkString($views) && isset($record->catid) && $record->catid > 0) elseif (self::checkString($views) && isset($record->catid) && $record->catid > 0)
{ {
// we are in item
$area = 'category';
// set the core check
$coreCheck = explode('.', $action->name);
$core = $coreCheck[0];
// make sure we use the core. action check for the categories // make sure we use the core. action check for the categories
if (strpos($action->name,$view) !== false && strpos($action->name,'core.') === false ) { if (strpos($action->name, $view) !== false && strpos($action->name, 'core.') === false )
$coreCheck = explode('.',$action->name); {
$coreCheck[0] = 'core'; $coreCheck[0] = 'core';
$categoryCheck = implode('.',$coreCheck); $categoryCheck = implode('.', $coreCheck);
} }
else else
{ {
$categoryCheck = $action->name; $categoryCheck = $action->name;
} }
// The record has a category. Check the category permissions. // The record has a category. Check the category permissions.
$catpermission = $user->authorise($categoryCheck, 'com_###component###.'.$views.'.category.' . (int) $record->catid); $catpermission = $user->authorise($categoryCheck, 'com_###component###.' . $views . '.category.' . (int) $record->catid);
if (!$catpermission && !is_null($catpermission)) if (!$catpermission && !is_null($catpermission))
{ {
if ($action->name == 'core.edit' || $action->name == $view.'.edit') // With edit, if the created_by matches current user then dig deeper.
if (($action->name === 'core.edit' || $action->name === $view . '.edit') && $record->created_by > 0 && ($record->created_by == $user->id))
{ {
if ($user->authorise('core.edit.own', 'com_###component###.'.$views.'.category.' . (int) $record->catid)) // check that we have both local and global access
{ if ($user->authorise('core.edit.own', 'com_###component###.' . $views . '.category.' . (int) $record->catid) &&
// If the owner matches 'me' then allow. $user->authorise($core . '.edit.own', 'com_###component###'))
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
{ {
// allow edit
$result->set($action->name, true); $result->set($action->name, true);
// set not to use component default // set not to use global default
$fallback= false; // because we already validated it
$fallback = false;
} }
else else
{ {
// do not allow edit
$result->set($action->name, false); $result->set($action->name, false);
// set not to use component default $fallback = false;
$fallback= false;
}
}
elseif ($user->authorise($view.'edit.own', 'com_###component###.'.$views.'.category.' . (int) $record->catid))
{
// If the owner matches 'me' then allow.
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
{
$result->set($action->name, true);
// set not to use component default
$fallback= false;
}
else
{
$result->set($action->name, false);
// set not to use component default
$fallback= false;
}
}
elseif ($user->authorise('core.edit.own', 'com_###component###'))
{
// If the owner matches 'me' then allow.
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
{
$result->set($action->name, true);
// set not to use component default
$fallback= false;
}
else
{
$result->set($action->name, false);
// set not to use component default
$fallback= false;
}
}
elseif ($user->authorise($view.'edit.own', 'com_###component###'))
{
// If the owner matches 'me' then allow.
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
{
$result->set($action->name, true);
// set not to use component default
$fallback= false;
}
else
{
$result->set($action->name, false);
// set not to use component default
$fallback= false;
}
} }
} }
} }
@ -485,10 +429,22 @@ abstract class ###Component###Helper
} }
// if allowed then fallback on component global settings // if allowed then fallback on component global settings
if ($fallback) if ($fallback)
{
// if item/category blocks access then don't fall back on global
if ((($area === 'item') && !$permission) || (($area === 'category') && !$catpermission))
{
// do not allow
$result->set($action->name, false);
}
// Finally remember the global settings have the final say. (even if item allow)
// The local item permissions can block, but it can't open and override of global permissions.
// Since items are created by users and global permissions is set by system admin.
else
{ {
$result->set($action->name, $user->authorise($action->name, 'com_###component###')); $result->set($action->name, $user->authorise($action->name, 'com_###component###'));
} }
} }
}
return $result; return $result;
} }

View File

@ -616,194 +616,150 @@ abstract class ###Component###Helper
} }
/** /**
* Get the actions permissions * Get the action permissions
*
* @param string $view The related view name
* @param int $record The item to act upon
* @param string $views The related list view name
*
* @return object The JObject of permission/authorised actions
*
**/ **/
public static function getActions($view,&$record = null,$views = null) public static function getActions($view, &$record = null, $views = null)
{ {
jimport('joomla.access.access'); // get the user object
$user = JFactory::getUser(); $user = JFactory::getUser();
// load the JObject
$result = new JObject; $result = new JObject;
// make view name safe (just incase)
$view = self::safeString($view); $view = self::safeString($view);
if (self::checkString($views)) if (self::checkString($views))
{ {
$views = self::safeString($views); $views = self::safeString($views);
} }
// get all actions from component // get all actions from component
$actions = JAccess::getActions('com_###component###', 'component'); $actions = JAccess::getActionsFromFile(
// set acctions only set in component settiongs JPATH_ADMINISTRATOR . '/components/com_###component###/access.xml',
$componentActions = array('core.admin','core.manage','core.options','core.export'); "/access/section[@name='component']/"
);
// if non found then return empty JObject
if (empty($actions))
{
return $result;
}
// get created by if not found
if (self::checkObject($record) && !isset($record->created_by) && isset($record->id))
{
$record->created_by = self::getVar($view, 'id', $record->id, 'created_by');
}
// set actions only set in component settings
$componentActions = array('core.admin', 'core.manage', 'core.options', 'core.export');
// loop the actions and set the permissions // loop the actions and set the permissions
foreach ($actions as $action) foreach ($actions as $action)
{ {
// set to use component default // set to use component default
$fallback = true; $fallback = true;
if (self::checkObject($record) && isset($record->id) && $record->id > 0 && !in_array($action->name,$componentActions)) // reset permission per/action
$permission = false;
$catpermission = false;
// set area
$area = 'comp';
// check if the record has an ID and the action is item related (not a component action)
if (self::checkObject($record) && isset($record->id) && $record->id > 0 && !in_array($action->name, $componentActions) &&
(strpos($action->name, 'core.') !== false || strpos($action->name, $view . '.') !== false))
{ {
// we are in item
$area = 'item';
// The record has been set. Check the record permissions. // The record has been set. Check the record permissions.
$permission = $user->authorise($action->name, 'com_###component###.'.$view.'.' . (int) $record->id); $permission = $user->authorise($action->name, 'com_###component###.' . $view . '.' . (int) $record->id);
if (!$permission) // TODO removed && !is_null($permission) // if no permission found, check edit own
if (!$permission)
{ {
if ($action->name == 'core.edit' || $action->name == $view.'.edit') // With edit, if the created_by matches current user then dig deeper.
if (($action->name === 'core.edit' || $action->name === $view . '.edit') && $record->created_by > 0 && ($record->created_by == $user->id))
{ {
if ($user->authorise('core.edit.own', 'com_###component###.'.$view.'.' . (int) $record->id)) // the correct target
{ $coreCheck = (array) explode('.', $action->name);
// If the owner matches 'me' then allow. // check that we have both local and global access
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id)) if ($user->authorise($coreCheck[0] . '.edit.own', 'com_###component###.' . $view . '.' . (int) $record->id) &&
$user->authorise($coreCheck[0] . '.edit.own', 'com_###component###'))
{ {
// allow edit
$result->set($action->name, true); $result->set($action->name, true);
// set not to use component default // set not to use global default
// because we already validated it
$fallback = false; $fallback = false;
} }
else else
{ {
// do not allow edit
$result->set($action->name, false); $result->set($action->name, false);
// set not to use component default
$fallback = false; $fallback = false;
} }
} }
elseif ($user->authorise($view.'edit.own', 'com_###component###.'.$view.'.' . (int) $record->id))
{
// If the owner matches 'me' then allow.
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
{
$result->set($action->name, true);
// set not to use component default
$fallback = false;
}
else
{
$result->set($action->name, false);
// set not to use component default
$fallback = false;
}
}
elseif ($user->authorise('core.edit.own', 'com_###component###'))
{
// If the owner matches 'me' then allow.
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
{
$result->set($action->name, true);
// set not to use component default
$fallback = false;
}
else
{
$result->set($action->name, false);
// set not to use component default
$fallback = false;
}
}
elseif ($user->authorise($view.'edit.own', 'com_###component###'))
{
// If the owner matches 'me' then allow.
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
{
$result->set($action->name, true);
// set not to use component default
$fallback = false;
}
else
{
$result->set($action->name, false);
// set not to use component default
$fallback = false;
}
}
}
} }
elseif (self::checkString($views) && isset($record->catid) && $record->catid > 0) elseif (self::checkString($views) && isset($record->catid) && $record->catid > 0)
{ {
// we are in item
$area = 'category';
// set the core check
$coreCheck = explode('.', $action->name);
$core = $coreCheck[0];
// make sure we use the core. action check for the categories // make sure we use the core. action check for the categories
if (strpos($action->name,$view) !== false && strpos($action->name,'core.') === false ) { if (strpos($action->name, $view) !== false && strpos($action->name, 'core.') === false )
$coreCheck = explode('.',$action->name); {
$coreCheck[0] = 'core'; $coreCheck[0] = 'core';
$categoryCheck = implode('.',$coreCheck); $categoryCheck = implode('.', $coreCheck);
} }
else else
{ {
$categoryCheck = $action->name; $categoryCheck = $action->name;
} }
// The record has a category. Check the category permissions. // The record has a category. Check the category permissions.
$catpermission = $user->authorise($categoryCheck, 'com_###component###.'.$views.'.category.' . (int) $record->catid); $catpermission = $user->authorise($categoryCheck, 'com_###component###.' . $views . '.category.' . (int) $record->catid);
if (!$catpermission && !is_null($catpermission)) if (!$catpermission && !is_null($catpermission))
{ {
if ($action->name == 'core.edit' || $action->name == $view.'.edit') // With edit, if the created_by matches current user then dig deeper.
if (($action->name === 'core.edit' || $action->name === $view . '.edit') && $record->created_by > 0 && ($record->created_by == $user->id))
{ {
if ($user->authorise('core.edit.own', 'com_###component###.'.$views.'.category.' . (int) $record->catid)) // check that we have both local and global access
{ if ($user->authorise('core.edit.own', 'com_###component###.' . $views . '.category.' . (int) $record->catid) &&
// If the owner matches 'me' then allow. $user->authorise($core . '.edit.own', 'com_###component###'))
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
{ {
// allow edit
$result->set($action->name, true); $result->set($action->name, true);
// set not to use component default // set not to use global default
// because we already validated it
$fallback = false; $fallback = false;
} }
else else
{ {
// do not allow edit
$result->set($action->name, false); $result->set($action->name, false);
// set not to use component default
$fallback = false; $fallback = false;
} }
} }
elseif ($user->authorise($view.'edit.own', 'com_###component###.'.$views.'.category.' . (int) $record->catid))
{
// If the owner matches 'me' then allow.
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
{
$result->set($action->name, true);
// set not to use component default
$fallback = false;
}
else
{
$result->set($action->name, false);
// set not to use component default
$fallback = false;
}
}
elseif ($user->authorise('core.edit.own', 'com_###component###'))
{
// If the owner matches 'me' then allow.
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
{
$result->set($action->name, true);
// set not to use component default
$fallback = false;
}
else
{
$result->set($action->name, false);
// set not to use component default
$fallback = false;
}
}
elseif ($user->authorise($view.'edit.own', 'com_###component###'))
{
// If the owner matches 'me' then allow.
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
{
$result->set($action->name, true);
// set not to use component default
$fallback = false;
}
else
{
$result->set($action->name, false);
// set not to use component default
$fallback = false;
}
}
}
} }
} }
} }
// if allowed then fallback on component global settings // if allowed then fallback on component global settings
if ($fallback) if ($fallback)
{
// if item/category blocks access then don't fall back on global
if ((($area === 'item') && !$permission) || (($area === 'category') && !$catpermission))
{
// do not allow
$result->set($action->name, false);
}
// Finally remember the global settings have the final say. (even if item allow)
// The local item permissions can block, but it can't open and override of global permissions.
// Since items are created by users and global permissions is set by system admin.
else
{ {
$result->set($action->name, $user->authorise($action->name, 'com_###component###')); $result->set($action->name, $user->authorise($action->name, 'com_###component###'));
} }
} }
}
return $result; return $result;
} }

View File

@ -3729,10 +3729,20 @@ abstract class ComponentbuilderHelper
if (self::checkObject($item) && isset($item->id)) if (self::checkObject($item) && isset($item->id))
{ {
$id = (int) $item->id; $id = (int) $item->id;
// check if created_by is available
if (isset($item->created_by) && $item->created_by > 0)
{
$created_by = (int) $item->created_by;
}
} }
elseif (self::checkArray($item) && isset($item['id'])) elseif (self::checkArray($item) && isset($item['id']))
{ {
$id = (int) $item['id']; $id = (int) $item['id'];
// check if created_by is available
if (isset($item['created_by']) && $item['created_by'] > 0)
{
$created_by = (int) $item['created_by'];
}
} }
elseif (is_numeric($item)) elseif (is_numeric($item))
{ {
@ -3741,8 +3751,20 @@ abstract class ComponentbuilderHelper
// check ID // check ID
if (isset($id) && $id > 0) if (isset($id) && $id > 0)
{ {
// get user object
$user = JFactory::getUser();
// can edit // can edit
if (JFactory::getUser()->authorise($view . '.edit', $component . '.' . $view . '.' . (int) $id)) if ($user->authorise($view . '.edit', $component . '.' . $view . '.' . (int) $id) ||
(
isset($created_by) && $created_by == $user->id &&
(
($user->authorise($view . '.edit.own', $component . '.' . $view . '.' . (int) $id) &&
$user->authorise($view . '.edit.own', $component)) ||
($user->authorise('core.edit.own', $component . '.' . $view . '.' . (int) $id) &&
$user->authorise('core.edit.own', $component))
)
)
)
{ {
// set the edit link // set the edit link
if ($jRoute) if ($jRoute)
@ -4539,183 +4561,127 @@ abstract class ComponentbuilderHelper
} }
/** /**
* Get the actions permissions * Get the action permissions
*
* @param string $view The related view name
* @param int $record The item to act upon
* @param string $views The related list view name
*
* @return object The JObject of permission/authorised actions
*
**/ **/
public static function getActions($view,&$record = null,$views = null) public static function getActions($view, &$record = null, $views = null)
{ {
jimport('joomla.access.access'); // get the user object
$user = JFactory::getUser(); $user = JFactory::getUser();
// load the JObject
$result = new JObject; $result = new JObject;
// make view name safe (just incase)
$view = self::safeString($view); $view = self::safeString($view);
if (self::checkString($views)) if (self::checkString($views))
{ {
$views = self::safeString($views); $views = self::safeString($views);
} }
// get all actions from component // get all actions from component
$actions = JAccess::getActions('com_componentbuilder', 'component'); $actions = JAccess::getActionsFromFile(
// set acctions only set in component settiongs JPATH_ADMINISTRATOR . '/components/com_componentbuilder/access.xml',
$componentActions = array('core.admin','core.manage','core.options','core.export'); "/access/section[@name='component']/"
);
// if non found then return empty JObject
if (empty($actions))
{
return $result;
}
// get created by if not found
if (self::checkObject($record) && !isset($record->created_by) && isset($record->id))
{
$record->created_by = self::getVar($view, 'id', $record->id, 'created_by');
}
// set actions only set in component settings
$componentActions = array('core.admin', 'core.manage', 'core.options', 'core.export');
// loop the actions and set the permissions // loop the actions and set the permissions
foreach ($actions as $action) foreach ($actions as $action)
{ {
// set to use component default // set to use component default
$fallback= true; $fallback = true;
if (self::checkObject($record) && isset($record->id) && $record->id > 0 && !in_array($action->name,$componentActions)) // reset permission per/action
$permission = false;
$catpermission = false;
// set area
$area = 'comp';
// check if the record has an ID and the action is item related (not a component action)
if (self::checkObject($record) && isset($record->id) && $record->id > 0 && !in_array($action->name, $componentActions) &&
(strpos($action->name, 'core.') !== false || strpos($action->name, $view . '.') !== false))
{ {
// we are in item
$area = 'item';
// The record has been set. Check the record permissions. // The record has been set. Check the record permissions.
$permission = $user->authorise($action->name, 'com_componentbuilder.'.$view.'.' . (int) $record->id); $permission = $user->authorise($action->name, 'com_componentbuilder.' . $view . '.' . (int) $record->id);
if (!$permission) // TODO removed && !is_null($permission) // if no permission found, check edit own
if (!$permission)
{ {
if ($action->name == 'core.edit' || $action->name == $view.'.edit') // With edit, if the created_by matches current user then dig deeper.
if (($action->name === 'core.edit' || $action->name === $view . '.edit') && $record->created_by > 0 && ($record->created_by == $user->id))
{ {
if ($user->authorise('core.edit.own', 'com_componentbuilder.'.$view.'.' . (int) $record->id)) // the correct target
{ $coreCheck = (array) explode('.', $action->name);
// If the owner matches 'me' then allow. // check that we have both local and global access
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id)) if ($user->authorise($coreCheck[0] . '.edit.own', 'com_componentbuilder.' . $view . '.' . (int) $record->id) &&
$user->authorise($coreCheck[0] . '.edit.own', 'com_componentbuilder'))
{ {
// allow edit
$result->set($action->name, true); $result->set($action->name, true);
// set not to use component default // set not to use global default
$fallback= false; // because we already validated it
$fallback = false;
} }
else else
{ {
// do not allow edit
$result->set($action->name, false); $result->set($action->name, false);
// set not to use component default $fallback = false;
$fallback= false;
}
}
elseif ($user->authorise($view.'edit.own', 'com_componentbuilder.'.$view.'.' . (int) $record->id))
{
// If the owner matches 'me' then allow.
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
{
$result->set($action->name, true);
// set not to use component default
$fallback= false;
}
else
{
$result->set($action->name, false);
// set not to use component default
$fallback= false;
}
}
elseif ($user->authorise('core.edit.own', 'com_componentbuilder'))
{
// If the owner matches 'me' then allow.
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
{
$result->set($action->name, true);
// set not to use component default
$fallback= false;
}
else
{
$result->set($action->name, false);
// set not to use component default
$fallback= false;
}
}
elseif ($user->authorise($view.'edit.own', 'com_componentbuilder'))
{
// If the owner matches 'me' then allow.
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
{
$result->set($action->name, true);
// set not to use component default
$fallback= false;
}
else
{
$result->set($action->name, false);
// set not to use component default
$fallback= false;
}
} }
} }
} }
elseif (self::checkString($views) && isset($record->catid) && $record->catid > 0) elseif (self::checkString($views) && isset($record->catid) && $record->catid > 0)
{ {
// we are in item
$area = 'category';
// set the core check
$coreCheck = explode('.', $action->name);
$core = $coreCheck[0];
// make sure we use the core. action check for the categories // make sure we use the core. action check for the categories
if (strpos($action->name,$view) !== false && strpos($action->name,'core.') === false ) { if (strpos($action->name, $view) !== false && strpos($action->name, 'core.') === false )
$coreCheck = explode('.',$action->name); {
$coreCheck[0] = 'core'; $coreCheck[0] = 'core';
$categoryCheck = implode('.',$coreCheck); $categoryCheck = implode('.', $coreCheck);
} }
else else
{ {
$categoryCheck = $action->name; $categoryCheck = $action->name;
} }
// The record has a category. Check the category permissions. // The record has a category. Check the category permissions.
$catpermission = $user->authorise($categoryCheck, 'com_componentbuilder.'.$views.'.category.' . (int) $record->catid); $catpermission = $user->authorise($categoryCheck, 'com_componentbuilder.' . $views . '.category.' . (int) $record->catid);
if (!$catpermission && !is_null($catpermission)) if (!$catpermission && !is_null($catpermission))
{ {
if ($action->name == 'core.edit' || $action->name == $view.'.edit') // With edit, if the created_by matches current user then dig deeper.
if (($action->name === 'core.edit' || $action->name === $view . '.edit') && $record->created_by > 0 && ($record->created_by == $user->id))
{ {
if ($user->authorise('core.edit.own', 'com_componentbuilder.'.$views.'.category.' . (int) $record->catid)) // check that we have both local and global access
{ if ($user->authorise('core.edit.own', 'com_componentbuilder.' . $views . '.category.' . (int) $record->catid) &&
// If the owner matches 'me' then allow. $user->authorise($core . '.edit.own', 'com_componentbuilder'))
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
{ {
// allow edit
$result->set($action->name, true); $result->set($action->name, true);
// set not to use component default // set not to use global default
$fallback= false; // because we already validated it
$fallback = false;
} }
else else
{ {
// do not allow edit
$result->set($action->name, false); $result->set($action->name, false);
// set not to use component default $fallback = false;
$fallback= false;
}
}
elseif ($user->authorise($view.'edit.own', 'com_componentbuilder.'.$views.'.category.' . (int) $record->catid))
{
// If the owner matches 'me' then allow.
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
{
$result->set($action->name, true);
// set not to use component default
$fallback= false;
}
else
{
$result->set($action->name, false);
// set not to use component default
$fallback= false;
}
}
elseif ($user->authorise('core.edit.own', 'com_componentbuilder'))
{
// If the owner matches 'me' then allow.
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
{
$result->set($action->name, true);
// set not to use component default
$fallback= false;
}
else
{
$result->set($action->name, false);
// set not to use component default
$fallback= false;
}
}
elseif ($user->authorise($view.'edit.own', 'com_componentbuilder'))
{
// If the owner matches 'me' then allow.
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
{
$result->set($action->name, true);
// set not to use component default
$fallback= false;
}
else
{
$result->set($action->name, false);
// set not to use component default
$fallback= false;
}
} }
} }
} }
@ -4723,10 +4689,22 @@ abstract class ComponentbuilderHelper
} }
// if allowed then fallback on component global settings // if allowed then fallback on component global settings
if ($fallback) if ($fallback)
{
// if item/category blocks access then don't fall back on global
if ((($area === 'item') && !$permission) || (($area === 'category') && !$catpermission))
{
// do not allow
$result->set($action->name, false);
}
// Finally remember the global settings have the final say. (even if item allow)
// The local item permissions can block, but it can't open and override of global permissions.
// Since items are created by users and global permissions is set by system admin.
else
{ {
$result->set($action->name, $user->authorise($action->name, 'com_componentbuilder')); $result->set($action->name, $user->authorise($action->name, 'com_componentbuilder'));
} }
} }
}
return $result; return $result;
} }

View File

@ -1,7 +1,7 @@
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<extension type="component" version="3.2" method="upgrade"> <extension type="component" version="3.2" method="upgrade">
<name>COM_COMPONENTBUILDER</name> <name>COM_COMPONENTBUILDER</name>
<creationDate>13th September, 2018</creationDate> <creationDate>14th September, 2018</creationDate>
<author>Llewellyn van der Merwe</author> <author>Llewellyn van der Merwe</author>
<authorEmail>llewellyn@joomlacomponentbuilder.com</authorEmail> <authorEmail>llewellyn@joomlacomponentbuilder.com</authorEmail>
<authorUrl>http://www.joomlacomponentbuilder.com</authorUrl> <authorUrl>http://www.joomlacomponentbuilder.com</authorUrl>

View File

@ -3729,10 +3729,20 @@ abstract class ComponentbuilderHelper
if (self::checkObject($item) && isset($item->id)) if (self::checkObject($item) && isset($item->id))
{ {
$id = (int) $item->id; $id = (int) $item->id;
// check if created_by is available
if (isset($item->created_by) && $item->created_by > 0)
{
$created_by = (int) $item->created_by;
}
} }
elseif (self::checkArray($item) && isset($item['id'])) elseif (self::checkArray($item) && isset($item['id']))
{ {
$id = (int) $item['id']; $id = (int) $item['id'];
// check if created_by is available
if (isset($item['created_by']) && $item['created_by'] > 0)
{
$created_by = (int) $item['created_by'];
}
} }
elseif (is_numeric($item)) elseif (is_numeric($item))
{ {
@ -3741,8 +3751,20 @@ abstract class ComponentbuilderHelper
// check ID // check ID
if (isset($id) && $id > 0) if (isset($id) && $id > 0)
{ {
// get user object
$user = JFactory::getUser();
// can edit // can edit
if (JFactory::getUser()->authorise($view . '.edit', $component . '.' . $view . '.' . (int) $id)) if ($user->authorise($view . '.edit', $component . '.' . $view . '.' . (int) $id) ||
(
isset($created_by) && $created_by == $user->id &&
(
($user->authorise($view . '.edit.own', $component . '.' . $view . '.' . (int) $id) &&
$user->authorise($view . '.edit.own', $component)) ||
($user->authorise('core.edit.own', $component . '.' . $view . '.' . (int) $id) &&
$user->authorise('core.edit.own', $component))
)
)
)
{ {
// set the edit link // set the edit link
if ($jRoute) if ($jRoute)
@ -4596,194 +4618,150 @@ abstract class ComponentbuilderHelper
} }
/** /**
* Get the actions permissions * Get the action permissions
*
* @param string $view The related view name
* @param int $record The item to act upon
* @param string $views The related list view name
*
* @return object The JObject of permission/authorised actions
*
**/ **/
public static function getActions($view,&$record = null,$views = null) public static function getActions($view, &$record = null, $views = null)
{ {
jimport('joomla.access.access'); // get the user object
$user = JFactory::getUser(); $user = JFactory::getUser();
// load the JObject
$result = new JObject; $result = new JObject;
// make view name safe (just incase)
$view = self::safeString($view); $view = self::safeString($view);
if (self::checkString($views)) if (self::checkString($views))
{ {
$views = self::safeString($views); $views = self::safeString($views);
} }
// get all actions from component // get all actions from component
$actions = JAccess::getActions('com_componentbuilder', 'component'); $actions = JAccess::getActionsFromFile(
// set acctions only set in component settiongs JPATH_ADMINISTRATOR . '/components/com_componentbuilder/access.xml',
$componentActions = array('core.admin','core.manage','core.options','core.export'); "/access/section[@name='component']/"
);
// if non found then return empty JObject
if (empty($actions))
{
return $result;
}
// get created by if not found
if (self::checkObject($record) && !isset($record->created_by) && isset($record->id))
{
$record->created_by = self::getVar($view, 'id', $record->id, 'created_by');
}
// set actions only set in component settings
$componentActions = array('core.admin', 'core.manage', 'core.options', 'core.export');
// loop the actions and set the permissions // loop the actions and set the permissions
foreach ($actions as $action) foreach ($actions as $action)
{ {
// set to use component default // set to use component default
$fallback = true; $fallback = true;
if (self::checkObject($record) && isset($record->id) && $record->id > 0 && !in_array($action->name,$componentActions)) // reset permission per/action
$permission = false;
$catpermission = false;
// set area
$area = 'comp';
// check if the record has an ID and the action is item related (not a component action)
if (self::checkObject($record) && isset($record->id) && $record->id > 0 && !in_array($action->name, $componentActions) &&
(strpos($action->name, 'core.') !== false || strpos($action->name, $view . '.') !== false))
{ {
// we are in item
$area = 'item';
// The record has been set. Check the record permissions. // The record has been set. Check the record permissions.
$permission = $user->authorise($action->name, 'com_componentbuilder.'.$view.'.' . (int) $record->id); $permission = $user->authorise($action->name, 'com_componentbuilder.' . $view . '.' . (int) $record->id);
if (!$permission) // TODO removed && !is_null($permission) // if no permission found, check edit own
if (!$permission)
{ {
if ($action->name == 'core.edit' || $action->name == $view.'.edit') // With edit, if the created_by matches current user then dig deeper.
if (($action->name === 'core.edit' || $action->name === $view . '.edit') && $record->created_by > 0 && ($record->created_by == $user->id))
{ {
if ($user->authorise('core.edit.own', 'com_componentbuilder.'.$view.'.' . (int) $record->id)) // the correct target
{ $coreCheck = (array) explode('.', $action->name);
// If the owner matches 'me' then allow. // check that we have both local and global access
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id)) if ($user->authorise($coreCheck[0] . '.edit.own', 'com_componentbuilder.' . $view . '.' . (int) $record->id) &&
$user->authorise($coreCheck[0] . '.edit.own', 'com_componentbuilder'))
{ {
// allow edit
$result->set($action->name, true); $result->set($action->name, true);
// set not to use component default // set not to use global default
// because we already validated it
$fallback = false; $fallback = false;
} }
else else
{ {
// do not allow edit
$result->set($action->name, false); $result->set($action->name, false);
// set not to use component default
$fallback = false; $fallback = false;
} }
} }
elseif ($user->authorise($view.'edit.own', 'com_componentbuilder.'.$view.'.' . (int) $record->id))
{
// If the owner matches 'me' then allow.
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
{
$result->set($action->name, true);
// set not to use component default
$fallback = false;
}
else
{
$result->set($action->name, false);
// set not to use component default
$fallback = false;
}
}
elseif ($user->authorise('core.edit.own', 'com_componentbuilder'))
{
// If the owner matches 'me' then allow.
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
{
$result->set($action->name, true);
// set not to use component default
$fallback = false;
}
else
{
$result->set($action->name, false);
// set not to use component default
$fallback = false;
}
}
elseif ($user->authorise($view.'edit.own', 'com_componentbuilder'))
{
// If the owner matches 'me' then allow.
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
{
$result->set($action->name, true);
// set not to use component default
$fallback = false;
}
else
{
$result->set($action->name, false);
// set not to use component default
$fallback = false;
}
}
}
} }
elseif (self::checkString($views) && isset($record->catid) && $record->catid > 0) elseif (self::checkString($views) && isset($record->catid) && $record->catid > 0)
{ {
// we are in item
$area = 'category';
// set the core check
$coreCheck = explode('.', $action->name);
$core = $coreCheck[0];
// make sure we use the core. action check for the categories // make sure we use the core. action check for the categories
if (strpos($action->name,$view) !== false && strpos($action->name,'core.') === false ) { if (strpos($action->name, $view) !== false && strpos($action->name, 'core.') === false )
$coreCheck = explode('.',$action->name); {
$coreCheck[0] = 'core'; $coreCheck[0] = 'core';
$categoryCheck = implode('.',$coreCheck); $categoryCheck = implode('.', $coreCheck);
} }
else else
{ {
$categoryCheck = $action->name; $categoryCheck = $action->name;
} }
// The record has a category. Check the category permissions. // The record has a category. Check the category permissions.
$catpermission = $user->authorise($categoryCheck, 'com_componentbuilder.'.$views.'.category.' . (int) $record->catid); $catpermission = $user->authorise($categoryCheck, 'com_componentbuilder.' . $views . '.category.' . (int) $record->catid);
if (!$catpermission && !is_null($catpermission)) if (!$catpermission && !is_null($catpermission))
{ {
if ($action->name == 'core.edit' || $action->name == $view.'.edit') // With edit, if the created_by matches current user then dig deeper.
if (($action->name === 'core.edit' || $action->name === $view . '.edit') && $record->created_by > 0 && ($record->created_by == $user->id))
{ {
if ($user->authorise('core.edit.own', 'com_componentbuilder.'.$views.'.category.' . (int) $record->catid)) // check that we have both local and global access
{ if ($user->authorise('core.edit.own', 'com_componentbuilder.' . $views . '.category.' . (int) $record->catid) &&
// If the owner matches 'me' then allow. $user->authorise($core . '.edit.own', 'com_componentbuilder'))
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
{ {
// allow edit
$result->set($action->name, true); $result->set($action->name, true);
// set not to use component default // set not to use global default
// because we already validated it
$fallback = false; $fallback = false;
} }
else else
{ {
// do not allow edit
$result->set($action->name, false); $result->set($action->name, false);
// set not to use component default
$fallback = false; $fallback = false;
} }
} }
elseif ($user->authorise($view.'edit.own', 'com_componentbuilder.'.$views.'.category.' . (int) $record->catid))
{
// If the owner matches 'me' then allow.
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
{
$result->set($action->name, true);
// set not to use component default
$fallback = false;
}
else
{
$result->set($action->name, false);
// set not to use component default
$fallback = false;
}
}
elseif ($user->authorise('core.edit.own', 'com_componentbuilder'))
{
// If the owner matches 'me' then allow.
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
{
$result->set($action->name, true);
// set not to use component default
$fallback = false;
}
else
{
$result->set($action->name, false);
// set not to use component default
$fallback = false;
}
}
elseif ($user->authorise($view.'edit.own', 'com_componentbuilder'))
{
// If the owner matches 'me' then allow.
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
{
$result->set($action->name, true);
// set not to use component default
$fallback = false;
}
else
{
$result->set($action->name, false);
// set not to use component default
$fallback = false;
}
}
}
} }
} }
} }
// if allowed then fallback on component global settings // if allowed then fallback on component global settings
if ($fallback) if ($fallback)
{
// if item/category blocks access then don't fall back on global
if ((($area === 'item') && !$permission) || (($area === 'category') && !$catpermission))
{
// do not allow
$result->set($action->name, false);
}
// Finally remember the global settings have the final say. (even if item allow)
// The local item permissions can block, but it can't open and override of global permissions.
// Since items are created by users and global permissions is set by system admin.
else
{ {
$result->set($action->name, $user->authorise($action->name, 'com_componentbuilder')); $result->set($action->name, $user->authorise($action->name, 'com_componentbuilder'));
} }
} }
}
return $result; return $result;
} }