Context Navigation

source: trunk/include/ws_functions/pwg.permissions.php @ 27811

Last change on this file since 27811 was 27811, checked in by plg, 10 years ago

merge r27810 from branch 2.6 to trunk

bug 3055: add security pwg_token on API methods introduced in Piwigo 2.6
(pwg.groups.addUser, pwg.groups.deleteUser, pwg.groups.setInfo, pwg.users.add,
pwg.users.setInfo, pwg.permissions.add, pwg.permissions.remove)

File size: 6.9 KB

Line
1	<?php
2	// +-----------------------------------------------------------------------+
3	// \| Piwigo - a PHP based photo gallery \|
4	// +-----------------------------------------------------------------------+
5	// \| Copyright(C) 2008-2014 Piwigo Team http://piwigo.org \|
6	// \| Copyright(C) 2003-2008 PhpWebGallery Team http://phpwebgallery.net \|
7	// \| Copyright(C) 2002-2003 Pierrick LE GALL http://le-gall.net/pierrick \|
8	// +-----------------------------------------------------------------------+
9	// \| This program is free software; you can redistribute it and/or modify \|
10	// \| it under the terms of the GNU General Public License as published by \|
11	// \| the Free Software Foundation \|
12	// \| \|
13	// \| This program is distributed in the hope that it will be useful, but \|
14	// \| WITHOUT ANY WARRANTY; without even the implied warranty of \|
15	// \| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU \|
16	// \| General Public License for more details. \|
17	// \| \|
18	// \| You should have received a copy of the GNU General Public License \|
19	// \| along with this program; if not, write to the Free Software \|
20	// \| Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, \|
21	// \| USA. \|
22	// +-----------------------------------------------------------------------+
23
24	/**
25	* API method
26	* Returns permissions
27	* @param mixed[] $params
28	* @option int[] cat_id (optional)
29	* @option int[] group_id (optional)
30	* @option int[] user_id (optional)
31	*/
32	function ws_permissions_getList($params, &$service)
33	{
34	$my_params = array_intersect(array_keys($params), array('cat_id','group_id','user_id'));
35	if (count($my_params) > 1)
36	{
37	return new PwgError(WS_ERR_INVALID_PARAM, 'Too many parameters, provide cat_id OR user_id OR group_id');
38	}
39
40	$cat_filter = '';
41	if (!empty($params['cat_id']))
42	{
43	$cat_filter = 'WHERE cat_id IN('. implode(',', $params['cat_id']) .')';
44	}
45
46	$perms = array();
47
48	// direct users
49	$query = '
50	SELECT user_id, cat_id
51	FROM '. USER_ACCESS_TABLE .'
52	'. $cat_filter .'
53	;';
54	$result = pwg_query($query);
55
56	while ($row = pwg_db_fetch_assoc($result))
57	{
58	if (!isset($perms[ $row['cat_id'] ]))
59	{
60	$perms[ $row['cat_id'] ]['id'] = intval($row['cat_id']);
61	}
62	$perms[ $row['cat_id'] ]['users'][] = intval($row['user_id']);
63	}
64
65	// indirect users
66	$query = '
67	SELECT ug.user_id, ga.cat_id
68	FROM '. USER_GROUP_TABLE .' AS ug
69	INNER JOIN '. GROUP_ACCESS_TABLE .' AS ga
70	ON ug.group_id = ga.group_id
71	'. $cat_filter .'
72	;';
73	$result = pwg_query($query);
74
75	while ($row = pwg_db_fetch_assoc($result))
76	{
77	if (!isset($perms[ $row['cat_id'] ]))
78	{
79	$perms[ $row['cat_id'] ]['id'] = intval($row['cat_id']);
80	}
81	$perms[ $row['cat_id'] ]['users_indirect'][] = intval($row['user_id']);
82	}
83
84	// groups
85	$query = '
86	SELECT group_id, cat_id
87	FROM '. GROUP_ACCESS_TABLE .'
88	'. $cat_filter .'
89	;';
90	$result = pwg_query($query);
91
92	while ($row = pwg_db_fetch_assoc($result))
93	{
94	if (!isset($perms[ $row['cat_id'] ]))
95	{
96	$perms[ $row['cat_id'] ]['id'] = intval($row['cat_id']);
97	}
98	$perms[ $row['cat_id'] ]['groups'][] = intval($row['group_id']);
99	}
100
101	// filter by group and user
102	foreach ($perms as $cat_id => &$cat)
103	{
104	if (isset($filters['group_id']))
105	{
106	if (empty($cat['groups']) or count(array_intersect($cat['groups'], $params['group_id'])) == 0)
107	{
108	unset($perms[$cat_id]);
109	continue;
110	}
111	}
112	if (isset($filters['user_id']))
113	{
114	if (
115	(empty($cat['users_indirect']) or count(array_intersect($cat['users_indirect'], $params['user_id'])) == 0)
116	and (empty($cat['users']) or count(array_intersect($cat['users'], $params['user_id'])) == 0)
117	) {
118	unset($perms[$cat_id]);
119	continue;
120	}
121	}
122
123	$cat['groups'] = !empty($cat['groups']) ? array_values(array_unique($cat['groups'])) : array();
124	$cat['users'] = !empty($cat['users']) ? array_values(array_unique($cat['users'])) : array();
125	$cat['users_indirect'] = !empty($cat['users_indirect']) ? array_values(array_unique($cat['users_indirect'])) : array();
126	}
127	unset($cat);
128
129	return array(
130	'categories' => new PwgNamedArray(
131	array_values($perms),
132	'category',
133	array('id')
134	)
135	);
136	}
137
138	/**
139	* API method
140	* Add permissions
141	* @param mixed[] $params
142	* @option int[] cat_id
143	* @option int[] group_id (optional)
144	* @option int[] user_id (optional)
145	* @option bool recursive
146	*/
147	function ws_permissions_add($params, &$service)
148	{
149	if (get_pwg_token() != $params['pwg_token'])
150	{
151	return new PwgError(403, 'Invalid security token');
152	}
153
154	include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
155
156	if (!empty($params['group_id']))
157	{
158	$cat_ids = get_uppercat_ids($params['cat_id']);
159	if ($params['recursive'])
160	{
161	$cat_ids = array_merge($cat_ids, get_subcat_ids($params['cat_id']));
162	}
163
164	$query = '
165	SELECT id
166	FROM '. CATEGORIES_TABLE .'
167	WHERE id IN ('. implode(',', $cat_ids) .')
168	AND status = \'private\'
169	;';
170	$private_cats = array_from_query($query, 'id');
171
172	$inserts = array();
173	foreach ($private_cats as $cat_id)
174	{
175	foreach ($params['group_id'] as $group_id)
176	{
177	$inserts[] = array(
178	'group_id' => $group_id,
179	'cat_id' => $cat_id
180	);
181	}
182	}
183
184	mass_inserts(
185	GROUP_ACCESS_TABLE,
186	array('group_id','cat_id'),
187	$inserts,
188	array('ignore'=>true)
189	);
190	}
191
192	if (!empty($params['user_id']))
193	{
194	if ($params['recursive']) $_POST['apply_on_sub'] = true;
195	add_permission_on_category($params['cat_id'], $params['user_id']);
196	}
197
198	return $service->invoke('pwg.permissions.getList', array('cat_id'=>$params['cat_id']));
199	}
200
201	/**
202	* API method
203	* Removes permissions
204	* @param mixed[] $params
205	* @option int[] cat_id
206	* @option int[] group_id (optional)
207	* @option int[] user_id (optional)
208	*/
209	function ws_permissions_remove($params, &$service)
210	{
211	if (get_pwg_token() != $params['pwg_token'])
212	{
213	return new PwgError(403, 'Invalid security token');
214	}
215
216	include_once(PHPWG_ROOT_PATH.'admin/include/functions.php');
217
218	$cat_ids = get_subcat_ids($params['cat_id']);
219
220	if (!empty($params['group_id']))
221	{
222	$query = '
223	DELETE
224	FROM '. GROUP_ACCESS_TABLE .'
225	WHERE group_id IN ('. implode(',', $params['group_id']).')
226	AND cat_id IN ('. implode(',', $cat_ids).')
227	;';
228	pwg_query($query);
229	}
230
231	if (!empty($params['user_id']))
232	{
233	$query = '
234	DELETE
235	FROM '. USER_ACCESS_TABLE .'
236	WHERE user_id IN ('. implode(',', $params['user_id']) .')
237	AND cat_id IN ('. implode(',', $cat_ids) .')
238	;';
239	pwg_query($query);
240	}
241
242	return $service->invoke('pwg.permissions.getList', array('cat_id'=>$params['cat_id']));
243	}
244
245	?>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: