summaryrefslogtreecommitdiff
path: root/models
diff options
context:
space:
mode:
authorFrédéric Guillot <contact@fredericguillot.com>2014-03-01 19:51:09 -0500
committerFrédéric Guillot <contact@fredericguillot.com>2014-03-01 19:51:09 -0500
commit28bc4246bff405367c9e5640bca356b307962026 (patch)
tree897fa49d471c1f4c6fc00bbd7e6d427239d01bd3 /models
parente7db71b593f2d9856a5b3aacde00a638d074d601 (diff)
Add acl and access list for projects
Diffstat (limited to 'models')
-rw-r--r--models/acl.php64
-rw-r--r--models/base.php5
-rw-r--r--models/config.php4
-rw-r--r--models/project.php144
-rw-r--r--models/schema.php14
-rw-r--r--models/user.php4
6 files changed, 214 insertions, 21 deletions
diff --git a/models/acl.php b/models/acl.php
new file mode 100644
index 00000000..7c363272
--- /dev/null
+++ b/models/acl.php
@@ -0,0 +1,64 @@
+<?php
+
+namespace Model;
+
+class Acl extends Base
+{
+ // Controllers and actions allowed from outside
+ private $public_actions = array(
+ 'user' => array('login', 'check'),
+ 'task' => array('add'),
+ 'board' => array('readonly'),
+ );
+
+ // Controllers and actions allowed for regular users
+ private $user_actions = array(
+ 'app' => array('index'),
+ 'board' => array('index', 'show', 'assign', 'assigntask', 'save'),
+ 'project' => array('tasks', 'index', 'forbidden'),
+ 'task' => array('show', 'create', 'save', 'edit', 'update', 'close', 'confirmclose', 'open', 'confirmopen'),
+ 'user' => array('index', 'edit', 'update', 'forbidden', 'logout', 'index'),
+ 'config' => array('index'),
+ );
+
+ public function isAllowedAction(array $acl, $controller, $action)
+ {
+ if (isset($acl[$controller])) {
+ return in_array($action, $acl[$controller]);
+ }
+
+ return false;
+ }
+
+ public function isPublicAction($controller, $action)
+ {
+ return $this->isAllowedAction($this->public_actions, $controller, $action);
+ }
+
+ public function isUserAction($controller, $action)
+ {
+ return $this->isAllowedAction($this->user_actions, $controller, $action);
+ }
+
+ public function isAdminUser()
+ {
+ return isset($_SESSION['user']['is_admin']) && $_SESSION['user']['is_admin'] === '1';
+ }
+
+ public function isRegularUser()
+ {
+ return isset($_SESSION['user']['is_admin']) && $_SESSION['user']['is_admin'] === '0';
+ }
+
+ public function getUserId()
+ {
+ return isset($_SESSION['user']['id']) ? (int) $_SESSION['user']['id'] : 0;
+ }
+
+ public function isPageAccessAllowed($controller, $action)
+ {
+ return $this->isPublicAction($controller, $action) ||
+ $this->isAdminUser() ||
+ ($this->isRegularUser() && $this->isUserAction($controller, $action));
+ }
+}
diff --git a/models/base.php b/models/base.php
index c8e4cf19..44a8b6b2 100644
--- a/models/base.php
+++ b/models/base.php
@@ -18,8 +18,7 @@ require __DIR__.'/schema.php';
abstract class Base
{
const APP_VERSION = 'master';
- const DB_VERSION = 6;
- const DB_FILENAME = 'data/db.sqlite';
+ const DB_VERSION = 7;
private static $dbInstance = null;
protected $db;
@@ -37,7 +36,7 @@ abstract class Base
{
$db = new \PicoDb\Database(array(
'driver' => 'sqlite',
- 'filename' => self::DB_FILENAME
+ 'filename' => DB_FILENAME
));
if ($db->schema()->check(self::DB_VERSION)) {
diff --git a/models/config.php b/models/config.php
index a00d0b7e..8f818a3b 100644
--- a/models/config.php
+++ b/models/config.php
@@ -79,11 +79,11 @@ class Config extends Base
public function downloadDatabase()
{
- return gzencode(file_get_contents(self::DB_FILENAME));
+ return gzencode(file_get_contents(DB_FILENAME));
}
public function getDatabaseSize()
{
- return filesize(self::DB_FILENAME);
+ return filesize(DB_FILENAME);
}
}
diff --git a/models/project.php b/models/project.php
index cb96dccd..a2f66478 100644
--- a/models/project.php
+++ b/models/project.php
@@ -8,10 +8,89 @@ use \SimpleValidator\Validators;
class Project extends Base
{
const TABLE = 'projects';
+ const TABLE_USERS = 'project_has_users';
const ACTIVE = 1;
const INACTIVE = 0;
- public function get($project_id)
+ public function getUsersList($project_id)
+ {
+ $allowed_users = $this->getAllowedUsers($project_id);
+
+ if (empty($allowed_users)) {
+ $userModel = new User;
+ $allowed_users = $userModel->getList();
+ }
+
+ return array(t('Unassigned')) + $allowed_users;
+ }
+
+ public function getAllowedUsers($project_id)
+ {
+ return $this->db
+ ->table(self::TABLE_USERS)
+ ->join(\Model\User::TABLE, 'id', 'user_id')
+ ->eq('project_id', $project_id)
+ ->asc('username')
+ ->listing('user_id', 'username');
+ }
+
+ public function getAllUsers($project_id)
+ {
+ $users = array(
+ 'allowed' => array(),
+ 'not_allowed' => array(),
+ );
+
+ $userModel = new User;
+ $all_users = $userModel->getList();
+
+ $users['allowed'] = $this->getAllowedUsers($project_id);
+
+ foreach ($all_users as $user_id => $username) {
+
+ if (! isset($users['allowed'][$user_id])) {
+ $users['not_allowed'][$user_id] = $username;
+ }
+ }
+
+ return $users;
+ }
+
+ public function allowUser($project_id, $user_id)
+ {
+ return $this->db
+ ->table(self::TABLE_USERS)
+ ->save(array('project_id' => $project_id, 'user_id' => $user_id));
+ }
+
+ public function revokeUser($project_id, $user_id)
+ {
+ return $this->db
+ ->table(self::TABLE_USERS)
+ ->eq('project_id', $project_id)
+ ->eq('user_id', $user_id)
+ ->remove();
+ }
+
+ public function isUserAllowed($project_id, $user_id)
+ {
+ // If there is nobody specified, everybody have access to the project
+ $nb_users = $this->db
+ ->table(self::TABLE_USERS)
+ ->eq('project_id', $project_id)
+ ->count();
+
+ if ($nb_users < 1) return true;
+
+ // Otherwise, allow only specific users
+ return (bool) $this->db
+ ->table(self::TABLE_USERS)
+ ->eq('project_id', $project_id)
+ ->eq('user_id', $user_id)
+ ->count();
+ }
+
+ public function getById($project_id)
{
return $this->db->table(self::TABLE)->eq('id', $project_id)->findOne();
}
@@ -26,7 +105,7 @@ class Project extends Base
return $this->db->table(self::TABLE)->findOne();
}
- public function getAll($fetch_stats = false)
+ public function getAll($fetch_stats = false, $check_permissions = false)
{
if (! $fetch_stats) {
return $this->db->table(self::TABLE)->asc('name')->findAll();
@@ -41,20 +120,27 @@ class Project extends Base
$taskModel = new \Model\Task;
$boardModel = new \Model\Board;
+ $aclModel = new \Model\Acl;
- foreach ($projects as &$project) {
+ foreach ($projects as $pkey => &$project) {
- $columns = $boardModel->getcolumns($project['id']);
- $project['nb_active_tasks'] = 0;
-
- foreach ($columns as &$column) {
- $column['nb_active_tasks'] = $taskModel->countByColumnId($project['id'], $column['id']);
- $project['nb_active_tasks'] += $column['nb_active_tasks'];
+ if ($check_permissions && ! $this->isUserAllowed($project['id'], $aclModel->getUserId())) {
+ unset($projects[$pkey]);
}
+ else {
+
+ $columns = $boardModel->getcolumns($project['id']);
+ $project['nb_active_tasks'] = 0;
- $project['columns'] = $columns;
- $project['nb_tasks'] = $taskModel->countByProjectId($project['id']);
- $project['nb_inactive_tasks'] = $project['nb_tasks'] - $project['nb_active_tasks'];
+ foreach ($columns as &$column) {
+ $column['nb_active_tasks'] = $taskModel->countByColumnId($project['id'], $column['id']);
+ $project['nb_active_tasks'] += $column['nb_active_tasks'];
+ }
+
+ $project['columns'] = $columns;
+ $project['nb_tasks'] = $taskModel->countByProjectId($project['id']);
+ $project['nb_inactive_tasks'] = $project['nb_tasks'] - $project['nb_active_tasks'];
+ }
}
$this->db->closeTransaction();
@@ -93,12 +179,27 @@ class Project extends Base
->count();
}
+ public function filterListByAccess(array $projects, $user_id)
+ {
+ foreach ($projects as $project_id => $project_name) {
+ if (! $this->isUserAllowed($project_id, $user_id)) {
+ unset($projects[$project_id]);
+ }
+ }
+
+ return $projects;
+ }
+
public function create(array $values)
{
$this->db->startTransaction();
$values['token'] = self::generateToken();
- $this->db->table(self::TABLE)->save($values);
+
+ if (! $this->db->table(self::TABLE)->save($values)) {
+ $this->db->cancelTransaction();
+ return false;
+ }
$project_id = $this->db->getConnection()->getLastId();
@@ -112,7 +213,7 @@ class Project extends Base
$this->db->closeTransaction();
- return $project_id;
+ return (int) $project_id;
}
public function update(array $values)
@@ -170,4 +271,19 @@ class Project extends Base
$v->getErrors()
);
}
+
+ public function validateUserAccess(array $values)
+ {
+ $v = new Validator($values, array(
+ new Validators\Required('project_id', t('The project id is required')),
+ new Validators\Integer('project_id', t('This value must be an integer')),
+ new Validators\Required('user_id', t('The user id is required')),
+ new Validators\Integer('user_id', t('This value must be an integer')),
+ ));
+
+ return array(
+ $v->execute(),
+ $v->getErrors()
+ );
+ }
}
diff --git a/models/schema.php b/models/schema.php
index 4aa2a265..f98f0e69 100644
--- a/models/schema.php
+++ b/models/schema.php
@@ -2,6 +2,20 @@
namespace Schema;
+function version_7($pdo)
+{
+ $pdo->exec("
+ CREATE TABLE project_has_users (
+ id INTEGER PRIMARY KEY,
+ project_id INTEGER,
+ user_id INTEGER,
+ FOREIGN KEY(project_id) REFERENCES projects(id) ON DELETE CASCADE,
+ FOREIGN KEY(user_id) REFERENCES users(id) ON DELETE CASCADE,
+ UNIQUE(project_id, user_id)
+ )
+ ");
+}
+
function version_6($pdo)
{
$pdo->exec("ALTER TABLE columns ADD COLUMN task_limit INTEGER DEFAULT '0'");
diff --git a/models/user.php b/models/user.php
index f80d5edf..2832a3fb 100644
--- a/models/user.php
+++ b/models/user.php
@@ -30,12 +30,12 @@ class User extends Base
public function getList()
{
- return array(t('Unassigned')) + $this->db->table(self::TABLE)->asc('username')->listing('id', 'username');
+ return $this->db->table(self::TABLE)->asc('username')->listing('id', 'username');
}
public function create(array $values)
{
- unset($values['confirmation']);
+ if (isset($values['confirmation'])) unset($values['confirmation']);
$values['password'] = \password_hash($values['password'], PASSWORD_BCRYPT);
return $this->db->table(self::TABLE)->save($values);
generated by cgit v1.2.3 (git 2.46.0) at 2024-11-26 16:56:02 +0000