Improved the getActions helper method to ensure the created_by value gets loaded when it is not part of the item values, gh-335.
This commit is contained in:
parent
a20d661878
commit
e200e2179d
@ -125,11 +125,11 @@ Watch the [proposed development workflow](https://vdm.bz/proposed-development-wo
|
|||||||
+ *Author*: [Llewellyn van der Merwe](mailto:llewellyn@joomlacomponentbuilder.com)
|
+ *Author*: [Llewellyn van der Merwe](mailto:llewellyn@joomlacomponentbuilder.com)
|
||||||
+ *Name*: [Component Builder](https://github.com/vdm-io/Joomla-Component-Builder)
|
+ *Name*: [Component Builder](https://github.com/vdm-io/Joomla-Component-Builder)
|
||||||
+ *First Build*: 30th April, 2015
|
+ *First Build*: 30th April, 2015
|
||||||
+ *Last Build*: 13th September, 2018
|
+ *Last Build*: 14th September, 2018
|
||||||
+ *Version*: 2.9.0
|
+ *Version*: 2.9.0
|
||||||
+ *Copyright*: Copyright (C) 2015 - 2018 Vast Development Method. All rights reserved.
|
+ *Copyright*: Copyright (C) 2015 - 2018 Vast Development Method. All rights reserved.
|
||||||
+ *License*: GNU General Public License version 2 or later; see LICENSE.txt
|
+ *License*: GNU General Public License version 2 or later; see LICENSE.txt
|
||||||
+ *Line count*: **193128**
|
+ *Line count*: **193084**
|
||||||
+ *Field count*: **1081**
|
+ *Field count*: **1081**
|
||||||
+ *File count*: **1273**
|
+ *File count*: **1273**
|
||||||
+ *Folder count*: **201**
|
+ *Folder count*: **201**
|
||||||
|
@ -125,11 +125,11 @@ Watch the [proposed development workflow](https://vdm.bz/proposed-development-wo
|
|||||||
+ *Author*: [Llewellyn van der Merwe](mailto:llewellyn@joomlacomponentbuilder.com)
|
+ *Author*: [Llewellyn van der Merwe](mailto:llewellyn@joomlacomponentbuilder.com)
|
||||||
+ *Name*: [Component Builder](https://github.com/vdm-io/Joomla-Component-Builder)
|
+ *Name*: [Component Builder](https://github.com/vdm-io/Joomla-Component-Builder)
|
||||||
+ *First Build*: 30th April, 2015
|
+ *First Build*: 30th April, 2015
|
||||||
+ *Last Build*: 13th September, 2018
|
+ *Last Build*: 14th September, 2018
|
||||||
+ *Version*: 2.9.0
|
+ *Version*: 2.9.0
|
||||||
+ *Copyright*: Copyright (C) 2015 - 2018 Vast Development Method. All rights reserved.
|
+ *Copyright*: Copyright (C) 2015 - 2018 Vast Development Method. All rights reserved.
|
||||||
+ *License*: GNU General Public License version 2 or later; see LICENSE.txt
|
+ *License*: GNU General Public License version 2 or later; see LICENSE.txt
|
||||||
+ *Line count*: **193128**
|
+ *Line count*: **193084**
|
||||||
+ *Field count*: **1081**
|
+ *Field count*: **1081**
|
||||||
+ *File count*: **1273**
|
+ *File count*: **1273**
|
||||||
+ *Folder count*: **201**
|
+ *Folder count*: **201**
|
||||||
|
@ -301,183 +301,127 @@ abstract class ###Component###Helper
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get the actions permissions
|
* Get the action permissions
|
||||||
|
*
|
||||||
|
* @param string $view The related view name
|
||||||
|
* @param int $record The item to act upon
|
||||||
|
* @param string $views The related list view name
|
||||||
|
*
|
||||||
|
* @return object The JObject of permission/authorised actions
|
||||||
|
*
|
||||||
**/
|
**/
|
||||||
public static function getActions($view,&$record = null,$views = null)
|
public static function getActions($view, &$record = null, $views = null)
|
||||||
{
|
{
|
||||||
jimport('joomla.access.access');
|
// get the user object
|
||||||
|
|
||||||
$user = JFactory::getUser();
|
$user = JFactory::getUser();
|
||||||
|
// load the JObject
|
||||||
$result = new JObject;
|
$result = new JObject;
|
||||||
|
// make view name safe (just incase)
|
||||||
$view = self::safeString($view);
|
$view = self::safeString($view);
|
||||||
if (self::checkString($views))
|
if (self::checkString($views))
|
||||||
{
|
{
|
||||||
$views = self::safeString($views);
|
$views = self::safeString($views);
|
||||||
}
|
}
|
||||||
// get all actions from component
|
// get all actions from component
|
||||||
$actions = JAccess::getActions('com_###component###', 'component');
|
$actions = JAccess::getActionsFromFile(
|
||||||
// set acctions only set in component settiongs
|
JPATH_ADMINISTRATOR . '/components/com_###component###/access.xml',
|
||||||
$componentActions = array('core.admin','core.manage','core.options','core.export');
|
"/access/section[@name='component']/"
|
||||||
|
);
|
||||||
|
// if non found then return empty JObject
|
||||||
|
if (empty($actions))
|
||||||
|
{
|
||||||
|
return $result;
|
||||||
|
}
|
||||||
|
// get created by if not found
|
||||||
|
if (self::checkObject($record) && !isset($record->created_by) && isset($record->id))
|
||||||
|
{
|
||||||
|
$record->created_by = self::getVar($view, 'id', $record->id, 'created_by');
|
||||||
|
}
|
||||||
|
// set actions only set in component settings
|
||||||
|
$componentActions = array('core.admin', 'core.manage', 'core.options', 'core.export');
|
||||||
// loop the actions and set the permissions
|
// loop the actions and set the permissions
|
||||||
foreach ($actions as $action)
|
foreach ($actions as $action)
|
||||||
{
|
{
|
||||||
// set to use component default
|
// set to use component default
|
||||||
$fallback= true;
|
$fallback = true;
|
||||||
if (self::checkObject($record) && isset($record->id) && $record->id > 0 && !in_array($action->name,$componentActions))
|
// reset permission per/action
|
||||||
|
$permission = false;
|
||||||
|
$catpermission = false;
|
||||||
|
// set area
|
||||||
|
$area = 'comp';
|
||||||
|
// check if the record has an ID and the action is item related (not a component action)
|
||||||
|
if (self::checkObject($record) && isset($record->id) && $record->id > 0 && !in_array($action->name, $componentActions) &&
|
||||||
|
(strpos($action->name, 'core.') !== false || strpos($action->name, $view . '.') !== false))
|
||||||
{
|
{
|
||||||
|
// we are in item
|
||||||
|
$area = 'item';
|
||||||
// The record has been set. Check the record permissions.
|
// The record has been set. Check the record permissions.
|
||||||
$permission = $user->authorise($action->name, 'com_###component###.'.$view.'.' . (int) $record->id);
|
$permission = $user->authorise($action->name, 'com_###component###.' . $view . '.' . (int) $record->id);
|
||||||
if (!$permission) // TODO removed && !is_null($permission)
|
// if no permission found, check edit own
|
||||||
|
if (!$permission)
|
||||||
{
|
{
|
||||||
if ($action->name == 'core.edit' || $action->name == $view.'.edit')
|
// With edit, if the created_by matches current user then dig deeper.
|
||||||
|
if (($action->name === 'core.edit' || $action->name === $view . '.edit') && $record->created_by > 0 && ($record->created_by == $user->id))
|
||||||
{
|
{
|
||||||
if ($user->authorise('core.edit.own', 'com_###component###.'.$view.'.' . (int) $record->id))
|
// the correct target
|
||||||
{
|
$coreCheck = (array) explode('.', $action->name);
|
||||||
// If the owner matches 'me' then allow.
|
// check that we have both local and global access
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
if ($user->authorise($coreCheck[0] . '.edit.own', 'com_###component###.' . $view . '.' . (int) $record->id) &&
|
||||||
|
$user->authorise($coreCheck[0] . '.edit.own', 'com_###component###'))
|
||||||
{
|
{
|
||||||
|
// allow edit
|
||||||
$result->set($action->name, true);
|
$result->set($action->name, true);
|
||||||
// set not to use component default
|
// set not to use global default
|
||||||
$fallback= false;
|
// because we already validated it
|
||||||
|
$fallback = false;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
// do not allow edit
|
||||||
$result->set($action->name, false);
|
$result->set($action->name, false);
|
||||||
// set not to use component default
|
$fallback = false;
|
||||||
$fallback= false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
elseif ($user->authorise($view.'edit.own', 'com_###component###.'.$view.'.' . (int) $record->id))
|
|
||||||
{
|
|
||||||
// If the owner matches 'me' then allow.
|
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
|
||||||
{
|
|
||||||
$result->set($action->name, true);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback= false;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$result->set($action->name, false);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback= false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
elseif ($user->authorise('core.edit.own', 'com_###component###'))
|
|
||||||
{
|
|
||||||
// If the owner matches 'me' then allow.
|
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
|
||||||
{
|
|
||||||
$result->set($action->name, true);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback= false;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$result->set($action->name, false);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback= false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
elseif ($user->authorise($view.'edit.own', 'com_###component###'))
|
|
||||||
{
|
|
||||||
// If the owner matches 'me' then allow.
|
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
|
||||||
{
|
|
||||||
$result->set($action->name, true);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback= false;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$result->set($action->name, false);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback= false;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
elseif (self::checkString($views) && isset($record->catid) && $record->catid > 0)
|
elseif (self::checkString($views) && isset($record->catid) && $record->catid > 0)
|
||||||
{
|
{
|
||||||
|
// we are in item
|
||||||
|
$area = 'category';
|
||||||
|
// set the core check
|
||||||
|
$coreCheck = explode('.', $action->name);
|
||||||
|
$core = $coreCheck[0];
|
||||||
// make sure we use the core. action check for the categories
|
// make sure we use the core. action check for the categories
|
||||||
if (strpos($action->name,$view) !== false && strpos($action->name,'core.') === false ) {
|
if (strpos($action->name, $view) !== false && strpos($action->name, 'core.') === false )
|
||||||
$coreCheck = explode('.',$action->name);
|
{
|
||||||
$coreCheck[0] = 'core';
|
$coreCheck[0] = 'core';
|
||||||
$categoryCheck = implode('.',$coreCheck);
|
$categoryCheck = implode('.', $coreCheck);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
$categoryCheck = $action->name;
|
$categoryCheck = $action->name;
|
||||||
}
|
}
|
||||||
// The record has a category. Check the category permissions.
|
// The record has a category. Check the category permissions.
|
||||||
$catpermission = $user->authorise($categoryCheck, 'com_###component###.'.$views.'.category.' . (int) $record->catid);
|
$catpermission = $user->authorise($categoryCheck, 'com_###component###.' . $views . '.category.' . (int) $record->catid);
|
||||||
if (!$catpermission && !is_null($catpermission))
|
if (!$catpermission && !is_null($catpermission))
|
||||||
{
|
{
|
||||||
if ($action->name == 'core.edit' || $action->name == $view.'.edit')
|
// With edit, if the created_by matches current user then dig deeper.
|
||||||
|
if (($action->name === 'core.edit' || $action->name === $view . '.edit') && $record->created_by > 0 && ($record->created_by == $user->id))
|
||||||
{
|
{
|
||||||
if ($user->authorise('core.edit.own', 'com_###component###.'.$views.'.category.' . (int) $record->catid))
|
// check that we have both local and global access
|
||||||
{
|
if ($user->authorise('core.edit.own', 'com_###component###.' . $views . '.category.' . (int) $record->catid) &&
|
||||||
// If the owner matches 'me' then allow.
|
$user->authorise($core . '.edit.own', 'com_###component###'))
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
|
||||||
{
|
{
|
||||||
|
// allow edit
|
||||||
$result->set($action->name, true);
|
$result->set($action->name, true);
|
||||||
// set not to use component default
|
// set not to use global default
|
||||||
$fallback= false;
|
// because we already validated it
|
||||||
|
$fallback = false;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
// do not allow edit
|
||||||
$result->set($action->name, false);
|
$result->set($action->name, false);
|
||||||
// set not to use component default
|
$fallback = false;
|
||||||
$fallback= false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
elseif ($user->authorise($view.'edit.own', 'com_###component###.'.$views.'.category.' . (int) $record->catid))
|
|
||||||
{
|
|
||||||
// If the owner matches 'me' then allow.
|
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
|
||||||
{
|
|
||||||
$result->set($action->name, true);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback= false;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$result->set($action->name, false);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback= false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
elseif ($user->authorise('core.edit.own', 'com_###component###'))
|
|
||||||
{
|
|
||||||
// If the owner matches 'me' then allow.
|
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
|
||||||
{
|
|
||||||
$result->set($action->name, true);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback= false;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$result->set($action->name, false);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback= false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
elseif ($user->authorise($view.'edit.own', 'com_###component###'))
|
|
||||||
{
|
|
||||||
// If the owner matches 'me' then allow.
|
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
|
||||||
{
|
|
||||||
$result->set($action->name, true);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback= false;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$result->set($action->name, false);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback= false;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
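Review bot: The new docblock line `* @param int $record The item to act upon` does not match the code, which treats `$record` as an object (`self::checkObject($record)`, `$record->id`) and, since this commit, writes `$record->created_by` back through the reference; `* @param object|null $record The item to act upon (by reference; created_by is loaded into it when missing)` would state the actual contract. The guard `if (self::checkObject($record) && !isset($record->created_by) && isset($record->id))` runs the `self::getVar` lookup even for an unsaved record with id 0, which the item branch later rejects with `$record->id > 0`, so adding `&& $record->id > 0` to the guard skips a pointless query. The ownership test `$record->created_by == $user->id`, used in both the item and the category branch, is a loose comparison on values that may arrive from the database as strings; `(int) $record->created_by === (int) $user->id` is the safer form for an authorisation decision. The item branch now tests `if (!$permission)` while the category branch keeps `if (!$catpermission && !is_null($catpermission))`; if `authorise()` can return null here the two branches treat "no explicit rule" differently, which looks unintentional and should at least be commented. The same changes recur in the -616,194 hunk of the second helper file and the -4539,183 hunk of ComponentbuilderHelper, and getActions continues past the end of this hunk.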
@ -485,10 +429,22 @@ abstract class ###Component###Helper
|
|||||||
}
|
}
|
||||||
// if allowed then fallback on component global settings
|
// if allowed then fallback on component global settings
|
||||||
if ($fallback)
|
if ($fallback)
|
||||||
|
{
|
||||||
|
// if item/category blocks access then don't fall back on global
|
||||||
|
if ((($area === 'item') && !$permission) || (($area === 'category') && !$catpermission))
|
||||||
|
{
|
||||||
|
// do not allow
|
||||||
|
$result->set($action->name, false);
|
||||||
|
}
|
||||||
|
// Finally remember the global settings have the final say. (even if item allow)
|
||||||
|
// The local item permissions can block, but it can't open and override of global permissions.
|
||||||
|
// Since items are created by users and global permissions is set by system admin.
|
||||||
|
else
|
||||||
{
|
{
|
||||||
$result->set($action->name, $user->authorise($action->name, 'com_###component###'));
|
$result->set($action->name, $user->authorise($action->name, 'com_###component###'));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
return $result;
|
return $result;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
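Review bot: The three explanatory comments beginning `// Finally remember the global settings have the final say. (even if item allow)` sit between the closing brace of the new `if` and its `else`, where they read as orphaned; they belong inside the `else` above the `$result->set(...)` line, and the second is clearer as `// Item/category permissions can block, but cannot grant what the global permissions deny.`. The `$permission` and `$catpermission` values tested in `if ((($area === 'item') && !$permission) || (($area === 'category') && !$catpermission))` are initialised to `false` at the top of the loop and only replaced inside the item or category branch, so the `$area` comparison is the only thing preventing a component-level action from being denied here; a one-line comment naming that dependency would help the next reader. The same block appears in the -616,194 hunk of the second helper file. The enclosing foreach and getActions extend beyond both ends of this hunk.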
@ -616,194 +616,150 @@ abstract class ###Component###Helper
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get the actions permissions
|
* Get the action permissions
|
||||||
|
*
|
||||||
|
* @param string $view The related view name
|
||||||
|
* @param int $record The item to act upon
|
||||||
|
* @param string $views The related list view name
|
||||||
|
*
|
||||||
|
* @return object The JObject of permission/authorised actions
|
||||||
|
*
|
||||||
**/
|
**/
|
||||||
public static function getActions($view,&$record = null,$views = null)
|
public static function getActions($view, &$record = null, $views = null)
|
||||||
{
|
{
|
||||||
jimport('joomla.access.access');
|
// get the user object
|
||||||
|
|
||||||
$user = JFactory::getUser();
|
$user = JFactory::getUser();
|
||||||
|
// load the JObject
|
||||||
$result = new JObject;
|
$result = new JObject;
|
||||||
|
// make view name safe (just incase)
|
||||||
$view = self::safeString($view);
|
$view = self::safeString($view);
|
||||||
if (self::checkString($views))
|
if (self::checkString($views))
|
||||||
{
|
{
|
||||||
$views = self::safeString($views);
|
$views = self::safeString($views);
|
||||||
}
|
}
|
||||||
// get all actions from component
|
// get all actions from component
|
||||||
$actions = JAccess::getActions('com_###component###', 'component');
|
$actions = JAccess::getActionsFromFile(
|
||||||
// set acctions only set in component settiongs
|
JPATH_ADMINISTRATOR . '/components/com_###component###/access.xml',
|
||||||
$componentActions = array('core.admin','core.manage','core.options','core.export');
|
"/access/section[@name='component']/"
|
||||||
|
);
|
||||||
|
// if non found then return empty JObject
|
||||||
|
if (empty($actions))
|
||||||
|
{
|
||||||
|
return $result;
|
||||||
|
}
|
||||||
|
// get created by if not found
|
||||||
|
if (self::checkObject($record) && !isset($record->created_by) && isset($record->id))
|
||||||
|
{
|
||||||
|
$record->created_by = self::getVar($view, 'id', $record->id, 'created_by');
|
||||||
|
}
|
||||||
|
// set actions only set in component settings
|
||||||
|
$componentActions = array('core.admin', 'core.manage', 'core.options', 'core.export');
|
||||||
// loop the actions and set the permissions
|
// loop the actions and set the permissions
|
||||||
foreach ($actions as $action)
|
foreach ($actions as $action)
|
||||||
{
|
{
|
||||||
// set to use component default
|
// set to use component default
|
||||||
$fallback = true;
|
$fallback = true;
|
||||||
if (self::checkObject($record) && isset($record->id) && $record->id > 0 && !in_array($action->name,$componentActions))
|
// reset permission per/action
|
||||||
|
$permission = false;
|
||||||
|
$catpermission = false;
|
||||||
|
// set area
|
||||||
|
$area = 'comp';
|
||||||
|
// check if the record has an ID and the action is item related (not a component action)
|
||||||
|
if (self::checkObject($record) && isset($record->id) && $record->id > 0 && !in_array($action->name, $componentActions) &&
|
||||||
|
(strpos($action->name, 'core.') !== false || strpos($action->name, $view . '.') !== false))
|
||||||
{
|
{
|
||||||
|
// we are in item
|
||||||
|
$area = 'item';
|
||||||
// The record has been set. Check the record permissions.
|
// The record has been set. Check the record permissions.
|
||||||
$permission = $user->authorise($action->name, 'com_###component###.'.$view.'.' . (int) $record->id);
|
$permission = $user->authorise($action->name, 'com_###component###.' . $view . '.' . (int) $record->id);
|
||||||
if (!$permission) // TODO removed && !is_null($permission)
|
// if no permission found, check edit own
|
||||||
|
if (!$permission)
|
||||||
{
|
{
|
||||||
if ($action->name == 'core.edit' || $action->name == $view.'.edit')
|
// With edit, if the created_by matches current user then dig deeper.
|
||||||
|
if (($action->name === 'core.edit' || $action->name === $view . '.edit') && $record->created_by > 0 && ($record->created_by == $user->id))
|
||||||
{
|
{
|
||||||
if ($user->authorise('core.edit.own', 'com_###component###.'.$view.'.' . (int) $record->id))
|
// the correct target
|
||||||
{
|
$coreCheck = (array) explode('.', $action->name);
|
||||||
// If the owner matches 'me' then allow.
|
// check that we have both local and global access
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
if ($user->authorise($coreCheck[0] . '.edit.own', 'com_###component###.' . $view . '.' . (int) $record->id) &&
|
||||||
|
$user->authorise($coreCheck[0] . '.edit.own', 'com_###component###'))
|
||||||
{
|
{
|
||||||
|
// allow edit
|
||||||
$result->set($action->name, true);
|
$result->set($action->name, true);
|
||||||
// set not to use component default
|
// set not to use global default
|
||||||
|
// because we already validated it
|
||||||
$fallback = false;
|
$fallback = false;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
// do not allow edit
|
||||||
$result->set($action->name, false);
|
$result->set($action->name, false);
|
||||||
// set not to use component default
|
|
||||||
$fallback = false;
|
$fallback = false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
elseif ($user->authorise($view.'edit.own', 'com_###component###.'.$view.'.' . (int) $record->id))
|
|
||||||
{
|
|
||||||
// If the owner matches 'me' then allow.
|
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
|
||||||
{
|
|
||||||
$result->set($action->name, true);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback = false;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$result->set($action->name, false);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback = false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
elseif ($user->authorise('core.edit.own', 'com_###component###'))
|
|
||||||
{
|
|
||||||
// If the owner matches 'me' then allow.
|
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
|
||||||
{
|
|
||||||
$result->set($action->name, true);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback = false;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$result->set($action->name, false);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback = false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
elseif ($user->authorise($view.'edit.own', 'com_###component###'))
|
|
||||||
{
|
|
||||||
// If the owner matches 'me' then allow.
|
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
|
||||||
{
|
|
||||||
$result->set($action->name, true);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback = false;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$result->set($action->name, false);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback = false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
elseif (self::checkString($views) && isset($record->catid) && $record->catid > 0)
|
elseif (self::checkString($views) && isset($record->catid) && $record->catid > 0)
|
||||||
{
|
{
|
||||||
|
// we are in item
|
||||||
|
$area = 'category';
|
||||||
|
// set the core check
|
||||||
|
$coreCheck = explode('.', $action->name);
|
||||||
|
$core = $coreCheck[0];
|
||||||
// make sure we use the core. action check for the categories
|
// make sure we use the core. action check for the categories
|
||||||
if (strpos($action->name,$view) !== false && strpos($action->name,'core.') === false ) {
|
if (strpos($action->name, $view) !== false && strpos($action->name, 'core.') === false )
|
||||||
$coreCheck = explode('.',$action->name);
|
{
|
||||||
$coreCheck[0] = 'core';
|
$coreCheck[0] = 'core';
|
||||||
$categoryCheck = implode('.',$coreCheck);
|
$categoryCheck = implode('.', $coreCheck);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
$categoryCheck = $action->name;
|
$categoryCheck = $action->name;
|
||||||
}
|
}
|
||||||
// The record has a category. Check the category permissions.
|
// The record has a category. Check the category permissions.
|
||||||
$catpermission = $user->authorise($categoryCheck, 'com_###component###.'.$views.'.category.' . (int) $record->catid);
|
$catpermission = $user->authorise($categoryCheck, 'com_###component###.' . $views . '.category.' . (int) $record->catid);
|
||||||
if (!$catpermission && !is_null($catpermission))
|
if (!$catpermission && !is_null($catpermission))
|
||||||
{
|
{
|
||||||
if ($action->name == 'core.edit' || $action->name == $view.'.edit')
|
// With edit, if the created_by matches current user then dig deeper.
|
||||||
|
if (($action->name === 'core.edit' || $action->name === $view . '.edit') && $record->created_by > 0 && ($record->created_by == $user->id))
|
||||||
{
|
{
|
||||||
if ($user->authorise('core.edit.own', 'com_###component###.'.$views.'.category.' . (int) $record->catid))
|
// check that we have both local and global access
|
||||||
{
|
if ($user->authorise('core.edit.own', 'com_###component###.' . $views . '.category.' . (int) $record->catid) &&
|
||||||
// If the owner matches 'me' then allow.
|
$user->authorise($core . '.edit.own', 'com_###component###'))
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
|
||||||
{
|
{
|
||||||
|
// allow edit
|
||||||
$result->set($action->name, true);
|
$result->set($action->name, true);
|
||||||
// set not to use component default
|
// set not to use global default
|
||||||
|
// because we already validated it
|
||||||
$fallback = false;
|
$fallback = false;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
// do not allow edit
|
||||||
$result->set($action->name, false);
|
$result->set($action->name, false);
|
||||||
// set not to use component default
|
|
||||||
$fallback = false;
|
$fallback = false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
elseif ($user->authorise($view.'edit.own', 'com_###component###.'.$views.'.category.' . (int) $record->catid))
|
|
||||||
{
|
|
||||||
// If the owner matches 'me' then allow.
|
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
|
||||||
{
|
|
||||||
$result->set($action->name, true);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback = false;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$result->set($action->name, false);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback = false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
elseif ($user->authorise('core.edit.own', 'com_###component###'))
|
|
||||||
{
|
|
||||||
// If the owner matches 'me' then allow.
|
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
|
||||||
{
|
|
||||||
$result->set($action->name, true);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback = false;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$result->set($action->name, false);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback = false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
elseif ($user->authorise($view.'edit.own', 'com_###component###'))
|
|
||||||
{
|
|
||||||
// If the owner matches 'me' then allow.
|
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
|
||||||
{
|
|
||||||
$result->set($action->name, true);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback = false;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$result->set($action->name, false);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback = false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
// if allowed then fallback on component global settings
|
// if allowed then fallback on component global settings
|
||||||
if ($fallback)
|
if ($fallback)
|
||||||
|
{
|
||||||
|
// if item/category blocks access then don't fall back on global
|
||||||
|
if ((($area === 'item') && !$permission) || (($area === 'category') && !$catpermission))
|
||||||
|
{
|
||||||
|
// do not allow
|
||||||
|
$result->set($action->name, false);
|
||||||
|
}
|
||||||
|
// Finally remember the global settings have the final say. (even if item allow)
|
||||||
|
// The local item permissions can block, but it can't open and override of global permissions.
|
||||||
|
// Since items are created by users and global permissions is set by system admin.
|
||||||
|
else
|
||||||
{
|
{
|
||||||
$result->set($action->name, $user->authorise($action->name, 'com_###component###'));
|
$result->set($action->name, $user->authorise($action->name, 'com_###component###'));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
return $result;
|
return $result;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -3729,10 +3729,20 @@ abstract class ComponentbuilderHelper
|
|||||||
if (self::checkObject($item) && isset($item->id))
|
if (self::checkObject($item) && isset($item->id))
|
||||||
{
|
{
|
||||||
$id = (int) $item->id;
|
$id = (int) $item->id;
|
||||||
|
// check if created_by is available
|
||||||
|
if (isset($item->created_by) && $item->created_by > 0)
|
||||||
|
{
|
||||||
|
$created_by = (int) $item->created_by;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
elseif (self::checkArray($item) && isset($item['id']))
|
elseif (self::checkArray($item) && isset($item['id']))
|
||||||
{
|
{
|
||||||
$id = (int) $item['id'];
|
$id = (int) $item['id'];
|
||||||
|
// check if created_by is available
|
||||||
|
if (isset($item['created_by']) && $item['created_by'] > 0)
|
||||||
|
{
|
||||||
|
$created_by = (int) $item['created_by'];
|
||||||
|
}
|
||||||
}
|
}
|
||||||
elseif (is_numeric($item))
|
elseif (is_numeric($item))
|
||||||
{
|
{
|
||||||
@ -3741,8 +3751,20 @@ abstract class ComponentbuilderHelper
|
|||||||
// check ID
|
// check ID
|
||||||
if (isset($id) && $id > 0)
|
if (isset($id) && $id > 0)
|
||||||
{
|
{
|
||||||
|
// get user object
|
||||||
|
$user = JFactory::getUser();
|
||||||
// can edit
|
// can edit
|
||||||
if (JFactory::getUser()->authorise($view . '.edit', $component . '.' . $view . '.' . (int) $id))
|
if ($user->authorise($view . '.edit', $component . '.' . $view . '.' . (int) $id) ||
|
||||||
|
(
|
||||||
|
isset($created_by) && $created_by == $user->id &&
|
||||||
|
(
|
||||||
|
($user->authorise($view . '.edit.own', $component . '.' . $view . '.' . (int) $id) &&
|
||||||
|
$user->authorise($view . '.edit.own', $component)) ||
|
||||||
|
($user->authorise('core.edit.own', $component . '.' . $view . '.' . (int) $id) &&
|
||||||
|
$user->authorise('core.edit.own', $component))
|
||||||
|
)
|
||||||
|
)
|
||||||
|
)
|
||||||
{
|
{
|
||||||
// set the edit link
|
// set the edit link
|
||||||
if ($jRoute)
|
if ($jRoute)
|
||||||
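Review bot: The thirteen-line nested condition opening with `if ($user->authorise($view . '.edit', $component . '.' . $view . '.' . (int) $id) ||` folds the direct edit check, the owner test and two item/component edit.own pairs into one expression, which is hard to audit for an authorisation decision; computing a named `$canEdit` first puts each rule on its own line, as sketched below. `$created_by` is only assigned in the object and array branches of the preceding hunk, and only when `created_by` is present and positive, so an item passed as a bare id (the `is_numeric($item)` branch, whose body lies outside the hunk) or without `created_by` never qualifies for the edit.own link, whereas getActions in this same commit learns to look created_by up via `self::getVar`; if the asymmetry is intended it deserves a comment, otherwise the same lookup could be reused here. The owner comparison `$created_by == $user->id` would also be stricter as `(int) $created_by === (int) $user->id`. The enclosing function starts before and ends after these hunks.

```php
// direct edit permission on this item
$canEdit = $user->authorise($view . '.edit', $component . '.' . $view . '.' . (int) $id);
// owner fallback: requires both the item-level and the component-level edit.own rule
if (!$canEdit && isset($created_by) && (int) $created_by === (int) $user->id)
{
	$canEdit = ($user->authorise($view . '.edit.own', $component . '.' . $view . '.' . (int) $id)
			&& $user->authorise($view . '.edit.own', $component))
		|| ($user->authorise('core.edit.own', $component . '.' . $view . '.' . (int) $id)
			&& $user->authorise('core.edit.own', $component));
}
if ($canEdit)
{
	// … unchanged: set the edit link …
```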
@ -4539,183 +4561,127 @@ abstract class ComponentbuilderHelper
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get the actions permissions
|
* Get the action permissions
|
||||||
|
*
|
||||||
|
* @param string $view The related view name
|
||||||
|
* @param int $record The item to act upon
|
||||||
|
* @param string $views The related list view name
|
||||||
|
*
|
||||||
|
* @return object The JObject of permission/authorised actions
|
||||||
|
*
|
||||||
**/
|
**/
|
||||||
public static function getActions($view,&$record = null,$views = null)
|
public static function getActions($view, &$record = null, $views = null)
|
||||||
{
|
{
|
||||||
jimport('joomla.access.access');
|
// get the user object
|
||||||
|
|
||||||
$user = JFactory::getUser();
|
$user = JFactory::getUser();
|
||||||
|
// load the JObject
|
||||||
$result = new JObject;
|
$result = new JObject;
|
||||||
|
// make view name safe (just incase)
|
||||||
$view = self::safeString($view);
|
$view = self::safeString($view);
|
||||||
if (self::checkString($views))
|
if (self::checkString($views))
|
||||||
{
|
{
|
||||||
$views = self::safeString($views);
|
$views = self::safeString($views);
|
||||||
}
|
}
|
||||||
// get all actions from component
|
// get all actions from component
|
||||||
$actions = JAccess::getActions('com_componentbuilder', 'component');
|
$actions = JAccess::getActionsFromFile(
|
||||||
// set acctions only set in component settiongs
|
JPATH_ADMINISTRATOR . '/components/com_componentbuilder/access.xml',
|
||||||
$componentActions = array('core.admin','core.manage','core.options','core.export');
|
"/access/section[@name='component']/"
|
||||||
|
);
|
||||||
|
// if non found then return empty JObject
|
||||||
|
if (empty($actions))
|
||||||
|
{
|
||||||
|
return $result;
|
||||||
|
}
|
||||||
|
// get created by if not found
|
||||||
|
if (self::checkObject($record) && !isset($record->created_by) && isset($record->id))
|
||||||
|
{
|
||||||
|
$record->created_by = self::getVar($view, 'id', $record->id, 'created_by');
|
||||||
|
}
|
||||||
|
// set actions only set in component settings
|
||||||
|
$componentActions = array('core.admin', 'core.manage', 'core.options', 'core.export');
|
||||||
// loop the actions and set the permissions
|
// loop the actions and set the permissions
|
||||||
foreach ($actions as $action)
|
foreach ($actions as $action)
|
||||||
{
|
{
|
||||||
// set to use component default
|
// set to use component default
|
||||||
$fallback= true;
|
$fallback = true;
|
||||||
if (self::checkObject($record) && isset($record->id) && $record->id > 0 && !in_array($action->name,$componentActions))
|
// reset permission per/action
|
||||||
|
$permission = false;
|
||||||
|
$catpermission = false;
|
||||||
|
// set area
|
||||||
|
$area = 'comp';
|
||||||
|
// check if the record has an ID and the action is item related (not a component action)
|
||||||
|
if (self::checkObject($record) && isset($record->id) && $record->id > 0 && !in_array($action->name, $componentActions) &&
|
||||||
|
(strpos($action->name, 'core.') !== false || strpos($action->name, $view . '.') !== false))
|
||||||
{
|
{
|
||||||
|
// we are in item
|
||||||
|
$area = 'item';
|
||||||
// The record has been set. Check the record permissions.
|
// The record has been set. Check the record permissions.
|
||||||
$permission = $user->authorise($action->name, 'com_componentbuilder.'.$view.'.' . (int) $record->id);
|
$permission = $user->authorise($action->name, 'com_componentbuilder.' . $view . '.' . (int) $record->id);
|
||||||
if (!$permission) // TODO removed && !is_null($permission)
|
// if no permission found, check edit own
|
||||||
|
if (!$permission)
|
||||||
{
|
{
|
||||||
if ($action->name == 'core.edit' || $action->name == $view.'.edit')
|
// With edit, if the created_by matches current user then dig deeper.
|
||||||
|
if (($action->name === 'core.edit' || $action->name === $view . '.edit') && $record->created_by > 0 && ($record->created_by == $user->id))
|
||||||
{
|
{
|
||||||
if ($user->authorise('core.edit.own', 'com_componentbuilder.'.$view.'.' . (int) $record->id))
|
// the correct target
|
||||||
{
|
$coreCheck = (array) explode('.', $action->name);
|
||||||
// If the owner matches 'me' then allow.
|
// check that we have both local and global access
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
if ($user->authorise($coreCheck[0] . '.edit.own', 'com_componentbuilder.' . $view . '.' . (int) $record->id) &&
|
||||||
|
$user->authorise($coreCheck[0] . '.edit.own', 'com_componentbuilder'))
|
||||||
{
|
{
|
||||||
|
// allow edit
|
||||||
$result->set($action->name, true);
|
$result->set($action->name, true);
|
||||||
// set not to use component default
|
// set not to use global default
|
||||||
$fallback= false;
|
// because we already validated it
|
||||||
|
$fallback = false;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
// do not allow edit
|
||||||
$result->set($action->name, false);
|
$result->set($action->name, false);
|
||||||
// set not to use component default
|
$fallback = false;
|
||||||
$fallback= false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
elseif ($user->authorise($view.'edit.own', 'com_componentbuilder.'.$view.'.' . (int) $record->id))
|
|
||||||
{
|
|
||||||
// If the owner matches 'me' then allow.
|
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
|
||||||
{
|
|
||||||
$result->set($action->name, true);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback= false;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$result->set($action->name, false);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback= false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
elseif ($user->authorise('core.edit.own', 'com_componentbuilder'))
|
|
||||||
{
|
|
||||||
// If the owner matches 'me' then allow.
|
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
|
||||||
{
|
|
||||||
$result->set($action->name, true);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback= false;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$result->set($action->name, false);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback= false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
elseif ($user->authorise($view.'edit.own', 'com_componentbuilder'))
|
|
||||||
{
|
|
||||||
// If the owner matches 'me' then allow.
|
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
|
||||||
{
|
|
||||||
$result->set($action->name, true);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback= false;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$result->set($action->name, false);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback= false;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
elseif (self::checkString($views) && isset($record->catid) && $record->catid > 0)
|
elseif (self::checkString($views) && isset($record->catid) && $record->catid > 0)
|
||||||
{
|
{
|
||||||
|
// we are in item
|
||||||
|
$area = 'category';
|
||||||
|
// set the core check
|
||||||
|
$coreCheck = explode('.', $action->name);
|
||||||
|
$core = $coreCheck[0];
|
||||||
// make sure we use the core. action check for the categories
|
// make sure we use the core. action check for the categories
|
||||||
if (strpos($action->name,$view) !== false && strpos($action->name,'core.') === false ) {
|
if (strpos($action->name, $view) !== false && strpos($action->name, 'core.') === false )
|
||||||
$coreCheck = explode('.',$action->name);
|
{
|
||||||
$coreCheck[0] = 'core';
|
$coreCheck[0] = 'core';
|
||||||
$categoryCheck = implode('.',$coreCheck);
|
$categoryCheck = implode('.', $coreCheck);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
$categoryCheck = $action->name;
|
$categoryCheck = $action->name;
|
||||||
}
|
}
|
||||||
// The record has a category. Check the category permissions.
|
// The record has a category. Check the category permissions.
|
||||||
$catpermission = $user->authorise($categoryCheck, 'com_componentbuilder.'.$views.'.category.' . (int) $record->catid);
|
$catpermission = $user->authorise($categoryCheck, 'com_componentbuilder.' . $views . '.category.' . (int) $record->catid);
|
||||||
if (!$catpermission && !is_null($catpermission))
|
if (!$catpermission && !is_null($catpermission))
|
||||||
{
|
{
|
||||||
if ($action->name == 'core.edit' || $action->name == $view.'.edit')
|
// With edit, if the created_by matches current user then dig deeper.
|
||||||
|
if (($action->name === 'core.edit' || $action->name === $view . '.edit') && $record->created_by > 0 && ($record->created_by == $user->id))
|
||||||
{
|
{
|
||||||
if ($user->authorise('core.edit.own', 'com_componentbuilder.'.$views.'.category.' . (int) $record->catid))
|
// check that we have both local and global access
|
||||||
{
|
if ($user->authorise('core.edit.own', 'com_componentbuilder.' . $views . '.category.' . (int) $record->catid) &&
|
||||||
// If the owner matches 'me' then allow.
|
$user->authorise($core . '.edit.own', 'com_componentbuilder'))
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
|
||||||
{
|
{
|
||||||
|
// allow edit
|
||||||
$result->set($action->name, true);
|
$result->set($action->name, true);
|
||||||
// set not to use component default
|
// set not to use global default
|
||||||
$fallback= false;
|
// because we already validated it
|
||||||
|
$fallback = false;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
// do not allow edit
|
||||||
$result->set($action->name, false);
|
$result->set($action->name, false);
|
||||||
// set not to use component default
|
$fallback = false;
|
||||||
$fallback= false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
elseif ($user->authorise($view.'edit.own', 'com_componentbuilder.'.$views.'.category.' . (int) $record->catid))
|
|
||||||
{
|
|
||||||
// If the owner matches 'me' then allow.
|
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
|
||||||
{
|
|
||||||
$result->set($action->name, true);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback= false;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$result->set($action->name, false);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback= false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
elseif ($user->authorise('core.edit.own', 'com_componentbuilder'))
|
|
||||||
{
|
|
||||||
// If the owner matches 'me' then allow.
|
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
|
||||||
{
|
|
||||||
$result->set($action->name, true);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback= false;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$result->set($action->name, false);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback= false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
elseif ($user->authorise($view.'edit.own', 'com_componentbuilder'))
|
|
||||||
{
|
|
||||||
// If the owner matches 'me' then allow.
|
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
|
||||||
{
|
|
||||||
$result->set($action->name, true);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback= false;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$result->set($action->name, false);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback= false;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
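Review bot: The owner test on the new line `if (($action->name === 'core.edit' || $action->name === $view . '.edit') && $record->created_by > 0 && ($record->created_by == $user->id))` trusts whatever `created_by` the caller placed on `$record`, because the lookup added before the loop only fills the field in when it is absent; a value that originated in submitted form data would then be preferred over the stored one. If any caller builds `$record` from request input, the helper should read `created_by` from the table whenever an id is present rather than only when the field is missing. That lookup also runs for an `id` of 0, which cannot match a stored row, so tightening it to `if (self::checkObject($record) && isset($record->id) && $record->id > 0 && !isset($record->created_by))` saves a query for every new record. The category branch reads `$record->created_by` with no guard, and a record carrying `catid` but no `id` never has the field set, so that path raises an undefined-property notice. The same code is repeated in the later `getActions` hunk (`@ -4596,194 +4618,150 @@`).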
@ -4723,10 +4689,22 @@ abstract class ComponentbuilderHelper
|
|||||||
}
|
}
|
||||||
// if allowed then fallback on component global settings
|
// if allowed then fallback on component global settings
|
||||||
if ($fallback)
|
if ($fallback)
|
||||||
|
{
|
||||||
|
// if item/category blocks access then don't fall back on global
|
||||||
|
if ((($area === 'item') && !$permission) || (($area === 'category') && !$catpermission))
|
||||||
|
{
|
||||||
|
// do not allow
|
||||||
|
$result->set($action->name, false);
|
||||||
|
}
|
||||||
|
// Finally remember the global settings have the final say. (even if item allow)
|
||||||
|
// The local item permissions can block, but it can't open and override of global permissions.
|
||||||
|
// Since items are created by users and global permissions is set by system admin.
|
||||||
|
else
|
||||||
{
|
{
|
||||||
$result->set($action->name, $user->authorise($action->name, 'com_componentbuilder'));
|
$result->set($action->name, $user->authorise($action->name, 'com_componentbuilder'));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
return $result;
|
return $result;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
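Review bot: The three comment lines beginning `// Finally remember the global settings have the final say.` sit between the closing brace of the `if` and its `else`, which parses but visually detaches the `else` from its condition; moving them to the first lines inside the `else` block keeps the branch readable. The block test `if ((($area === 'item') && !$permission) || (($area === 'category') && !$catpermission))` treats a null `$catpermission` as a block, while the category branch earlier in the function still guards the edit-own dig with `!is_null($catpermission)` and the item branch dropped its `is_null` test in this commit — if `authorise` always returns a boolean the remaining `is_null` can go, otherwise the two areas now handle a null answer differently and should be aligned. The same layout appears in the second copy of the function (`@ -4596,194 +4618,150 @@`).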
@ -1,7 +1,7 @@
|
|||||||
<?xml version="1.0" encoding="utf-8"?>
|
<?xml version="1.0" encoding="utf-8"?>
|
||||||
<extension type="component" version="3.2" method="upgrade">
|
<extension type="component" version="3.2" method="upgrade">
|
||||||
<name>COM_COMPONENTBUILDER</name>
|
<name>COM_COMPONENTBUILDER</name>
|
||||||
<creationDate>13th September, 2018</creationDate>
|
<creationDate>14th September, 2018</creationDate>
|
||||||
<author>Llewellyn van der Merwe</author>
|
<author>Llewellyn van der Merwe</author>
|
||||||
<authorEmail>llewellyn@joomlacomponentbuilder.com</authorEmail>
|
<authorEmail>llewellyn@joomlacomponentbuilder.com</authorEmail>
|
||||||
<authorUrl>http://www.joomlacomponentbuilder.com</authorUrl>
|
<authorUrl>http://www.joomlacomponentbuilder.com</authorUrl>
|
||||||
|
@ -3729,10 +3729,20 @@ abstract class ComponentbuilderHelper
|
|||||||
if (self::checkObject($item) && isset($item->id))
|
if (self::checkObject($item) && isset($item->id))
|
||||||
{
|
{
|
||||||
$id = (int) $item->id;
|
$id = (int) $item->id;
|
||||||
|
// check if created_by is available
|
||||||
|
if (isset($item->created_by) && $item->created_by > 0)
|
||||||
|
{
|
||||||
|
$created_by = (int) $item->created_by;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
elseif (self::checkArray($item) && isset($item['id']))
|
elseif (self::checkArray($item) && isset($item['id']))
|
||||||
{
|
{
|
||||||
$id = (int) $item['id'];
|
$id = (int) $item['id'];
|
||||||
|
// check if created_by is available
|
||||||
|
if (isset($item['created_by']) && $item['created_by'] > 0)
|
||||||
|
{
|
||||||
|
$created_by = (int) $item['created_by'];
|
||||||
|
}
|
||||||
}
|
}
|
||||||
elseif (is_numeric($item))
|
elseif (is_numeric($item))
|
||||||
{
|
{
|
||||||
@ -3741,8 +3751,20 @@ abstract class ComponentbuilderHelper
|
|||||||
// check ID
|
// check ID
|
||||||
if (isset($id) && $id > 0)
|
if (isset($id) && $id > 0)
|
||||||
{
|
{
|
||||||
|
// get user object
|
||||||
|
$user = JFactory::getUser();
|
||||||
// can edit
|
// can edit
|
||||||
if (JFactory::getUser()->authorise($view . '.edit', $component . '.' . $view . '.' . (int) $id))
|
if ($user->authorise($view . '.edit', $component . '.' . $view . '.' . (int) $id) ||
|
||||||
|
(
|
||||||
|
isset($created_by) && $created_by == $user->id &&
|
||||||
|
(
|
||||||
|
($user->authorise($view . '.edit.own', $component . '.' . $view . '.' . (int) $id) &&
|
||||||
|
$user->authorise($view . '.edit.own', $component)) ||
|
||||||
|
($user->authorise('core.edit.own', $component . '.' . $view . '.' . (int) $id) &&
|
||||||
|
$user->authorise('core.edit.own', $component))
|
||||||
|
)
|
||||||
|
)
|
||||||
|
)
|
||||||
{
|
{
|
||||||
// set the edit link
|
// set the edit link
|
||||||
if ($jRoute)
|
if ($jRoute)
|
||||||
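Review bot: The new condition at `if ($user->authorise($view . '.edit', $component . '.' . $view . '.' . (int) $id) ||` only reaches the edit-own branches when `$created_by` was captured from `$item` in the preceding hunk, so a numeric `$item` or a record without the field never gets the owner check, even though `getActions` in this same commit now loads the field via `self::getVar`. After `$user = JFactory::getUser();` the same lookup would close that gap: `$created_by = isset($created_by) ? $created_by : (int) self::getVar($view, 'id', $id, 'created_by');`. The `$created_by == $user->id` comparison can be strict since `$created_by` is cast to int where it is set, provided `$user->id` is an int here. The enclosing function starts and ends outside this hunk.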
@ -4596,194 +4618,150 @@ abstract class ComponentbuilderHelper
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get the actions permissions
|
* Get the action permissions
|
||||||
|
*
|
||||||
|
* @param string $view The related view name
|
||||||
|
* @param int $record The item to act upon
|
||||||
|
* @param string $views The related list view name
|
||||||
|
*
|
||||||
|
* @return object The JObject of permission/authorised actions
|
||||||
|
*
|
||||||
**/
|
**/
|
||||||
public static function getActions($view,&$record = null,$views = null)
|
public static function getActions($view, &$record = null, $views = null)
|
||||||
{
|
{
|
||||||
jimport('joomla.access.access');
|
// get the user object
|
||||||
|
|
||||||
$user = JFactory::getUser();
|
$user = JFactory::getUser();
|
||||||
|
// load the JObject
|
||||||
$result = new JObject;
|
$result = new JObject;
|
||||||
|
// make view name safe (just incase)
|
||||||
$view = self::safeString($view);
|
$view = self::safeString($view);
|
||||||
if (self::checkString($views))
|
if (self::checkString($views))
|
||||||
{
|
{
|
||||||
$views = self::safeString($views);
|
$views = self::safeString($views);
|
||||||
}
|
}
|
||||||
// get all actions from component
|
// get all actions from component
|
||||||
$actions = JAccess::getActions('com_componentbuilder', 'component');
|
$actions = JAccess::getActionsFromFile(
|
||||||
// set acctions only set in component settiongs
|
JPATH_ADMINISTRATOR . '/components/com_componentbuilder/access.xml',
|
||||||
$componentActions = array('core.admin','core.manage','core.options','core.export');
|
"/access/section[@name='component']/"
|
||||||
|
);
|
||||||
|
// if non found then return empty JObject
|
||||||
|
if (empty($actions))
|
||||||
|
{
|
||||||
|
return $result;
|
||||||
|
}
|
||||||
|
// get created by if not found
|
||||||
|
if (self::checkObject($record) && !isset($record->created_by) && isset($record->id))
|
||||||
|
{
|
||||||
|
$record->created_by = self::getVar($view, 'id', $record->id, 'created_by');
|
||||||
|
}
|
||||||
|
// set actions only set in component settings
|
||||||
|
$componentActions = array('core.admin', 'core.manage', 'core.options', 'core.export');
|
||||||
// loop the actions and set the permissions
|
// loop the actions and set the permissions
|
||||||
foreach ($actions as $action)
|
foreach ($actions as $action)
|
||||||
{
|
{
|
||||||
// set to use component default
|
// set to use component default
|
||||||
$fallback = true;
|
$fallback = true;
|
||||||
if (self::checkObject($record) && isset($record->id) && $record->id > 0 && !in_array($action->name,$componentActions))
|
// reset permission per/action
|
||||||
|
$permission = false;
|
||||||
|
$catpermission = false;
|
||||||
|
// set area
|
||||||
|
$area = 'comp';
|
||||||
|
// check if the record has an ID and the action is item related (not a component action)
|
||||||
|
if (self::checkObject($record) && isset($record->id) && $record->id > 0 && !in_array($action->name, $componentActions) &&
|
||||||
|
(strpos($action->name, 'core.') !== false || strpos($action->name, $view . '.') !== false))
|
||||||
{
|
{
|
||||||
|
// we are in item
|
||||||
|
$area = 'item';
|
||||||
// The record has been set. Check the record permissions.
|
// The record has been set. Check the record permissions.
|
||||||
$permission = $user->authorise($action->name, 'com_componentbuilder.'.$view.'.' . (int) $record->id);
|
$permission = $user->authorise($action->name, 'com_componentbuilder.' . $view . '.' . (int) $record->id);
|
||||||
if (!$permission) // TODO removed && !is_null($permission)
|
// if no permission found, check edit own
|
||||||
|
if (!$permission)
|
||||||
{
|
{
|
||||||
if ($action->name == 'core.edit' || $action->name == $view.'.edit')
|
// With edit, if the created_by matches current user then dig deeper.
|
||||||
|
if (($action->name === 'core.edit' || $action->name === $view . '.edit') && $record->created_by > 0 && ($record->created_by == $user->id))
|
||||||
{
|
{
|
||||||
if ($user->authorise('core.edit.own', 'com_componentbuilder.'.$view.'.' . (int) $record->id))
|
// the correct target
|
||||||
{
|
$coreCheck = (array) explode('.', $action->name);
|
||||||
// If the owner matches 'me' then allow.
|
// check that we have both local and global access
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
if ($user->authorise($coreCheck[0] . '.edit.own', 'com_componentbuilder.' . $view . '.' . (int) $record->id) &&
|
||||||
|
$user->authorise($coreCheck[0] . '.edit.own', 'com_componentbuilder'))
|
||||||
{
|
{
|
||||||
|
// allow edit
|
||||||
$result->set($action->name, true);
|
$result->set($action->name, true);
|
||||||
// set not to use component default
|
// set not to use global default
|
||||||
|
// because we already validated it
|
||||||
$fallback = false;
|
$fallback = false;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
// do not allow edit
|
||||||
$result->set($action->name, false);
|
$result->set($action->name, false);
|
||||||
// set not to use component default
|
|
||||||
$fallback = false;
|
$fallback = false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
elseif ($user->authorise($view.'edit.own', 'com_componentbuilder.'.$view.'.' . (int) $record->id))
|
|
||||||
{
|
|
||||||
// If the owner matches 'me' then allow.
|
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
|
||||||
{
|
|
||||||
$result->set($action->name, true);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback = false;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$result->set($action->name, false);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback = false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
elseif ($user->authorise('core.edit.own', 'com_componentbuilder'))
|
|
||||||
{
|
|
||||||
// If the owner matches 'me' then allow.
|
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
|
||||||
{
|
|
||||||
$result->set($action->name, true);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback = false;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$result->set($action->name, false);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback = false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
elseif ($user->authorise($view.'edit.own', 'com_componentbuilder'))
|
|
||||||
{
|
|
||||||
// If the owner matches 'me' then allow.
|
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
|
||||||
{
|
|
||||||
$result->set($action->name, true);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback = false;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$result->set($action->name, false);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback = false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
elseif (self::checkString($views) && isset($record->catid) && $record->catid > 0)
|
elseif (self::checkString($views) && isset($record->catid) && $record->catid > 0)
|
||||||
{
|
{
|
||||||
|
// we are in item
|
||||||
|
$area = 'category';
|
||||||
|
// set the core check
|
||||||
|
$coreCheck = explode('.', $action->name);
|
||||||
|
$core = $coreCheck[0];
|
||||||
// make sure we use the core. action check for the categories
|
// make sure we use the core. action check for the categories
|
||||||
if (strpos($action->name,$view) !== false && strpos($action->name,'core.') === false ) {
|
if (strpos($action->name, $view) !== false && strpos($action->name, 'core.') === false )
|
||||||
$coreCheck = explode('.',$action->name);
|
{
|
||||||
$coreCheck[0] = 'core';
|
$coreCheck[0] = 'core';
|
||||||
$categoryCheck = implode('.',$coreCheck);
|
$categoryCheck = implode('.', $coreCheck);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
$categoryCheck = $action->name;
|
$categoryCheck = $action->name;
|
||||||
}
|
}
|
||||||
// The record has a category. Check the category permissions.
|
// The record has a category. Check the category permissions.
|
||||||
$catpermission = $user->authorise($categoryCheck, 'com_componentbuilder.'.$views.'.category.' . (int) $record->catid);
|
$catpermission = $user->authorise($categoryCheck, 'com_componentbuilder.' . $views . '.category.' . (int) $record->catid);
|
||||||
if (!$catpermission && !is_null($catpermission))
|
if (!$catpermission && !is_null($catpermission))
|
||||||
{
|
{
|
||||||
if ($action->name == 'core.edit' || $action->name == $view.'.edit')
|
// With edit, if the created_by matches current user then dig deeper.
|
||||||
|
if (($action->name === 'core.edit' || $action->name === $view . '.edit') && $record->created_by > 0 && ($record->created_by == $user->id))
|
||||||
{
|
{
|
||||||
if ($user->authorise('core.edit.own', 'com_componentbuilder.'.$views.'.category.' . (int) $record->catid))
|
// check that we have both local and global access
|
||||||
{
|
if ($user->authorise('core.edit.own', 'com_componentbuilder.' . $views . '.category.' . (int) $record->catid) &&
|
||||||
// If the owner matches 'me' then allow.
|
$user->authorise($core . '.edit.own', 'com_componentbuilder'))
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
|
||||||
{
|
{
|
||||||
|
// allow edit
|
||||||
$result->set($action->name, true);
|
$result->set($action->name, true);
|
||||||
// set not to use component default
|
// set not to use global default
|
||||||
|
// because we already validated it
|
||||||
$fallback = false;
|
$fallback = false;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
// do not allow edit
|
||||||
$result->set($action->name, false);
|
$result->set($action->name, false);
|
||||||
// set not to use component default
|
|
||||||
$fallback = false;
|
$fallback = false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
elseif ($user->authorise($view.'edit.own', 'com_componentbuilder.'.$views.'.category.' . (int) $record->catid))
|
|
||||||
{
|
|
||||||
// If the owner matches 'me' then allow.
|
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
|
||||||
{
|
|
||||||
$result->set($action->name, true);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback = false;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$result->set($action->name, false);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback = false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
elseif ($user->authorise('core.edit.own', 'com_componentbuilder'))
|
|
||||||
{
|
|
||||||
// If the owner matches 'me' then allow.
|
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
|
||||||
{
|
|
||||||
$result->set($action->name, true);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback = false;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$result->set($action->name, false);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback = false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
elseif ($user->authorise($view.'edit.own', 'com_componentbuilder'))
|
|
||||||
{
|
|
||||||
// If the owner matches 'me' then allow.
|
|
||||||
if (isset($record->created_by) && $record->created_by > 0 && ($record->created_by == $user->id))
|
|
||||||
{
|
|
||||||
$result->set($action->name, true);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback = false;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
$result->set($action->name, false);
|
|
||||||
// set not to use component default
|
|
||||||
$fallback = false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
// if allowed then fallback on component global settings
|
// if allowed then fallback on component global settings
|
||||||
if ($fallback)
|
if ($fallback)
|
||||||
|
{
|
||||||
|
// if item/category blocks access then don't fall back on global
|
||||||
|
if ((($area === 'item') && !$permission) || (($area === 'category') && !$catpermission))
|
||||||
|
{
|
||||||
|
// do not allow
|
||||||
|
$result->set($action->name, false);
|
||||||
|
}
|
||||||
|
// Finally remember the global settings have the final say. (even if item allow)
|
||||||
|
// The local item permissions can block, but it can't open and override of global permissions.
|
||||||
|
// Since items are created by users and global permissions is set by system admin.
|
||||||
|
else
|
||||||
{
|
{
|
||||||
$result->set($action->name, $user->authorise($action->name, 'com_componentbuilder'));
|
$result->set($action->name, $user->authorise($action->name, 'com_componentbuilder'));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
return $result;
|
return $result;
|
||||||
}
|
}
|
||||||
|
|
||||||
|