1
|
|
|
<?php |
2
|
|
|
/** |
3
|
|
|
* @copyright Copyright (c) 2016 Julius Härtl <[email protected]> |
4
|
|
|
* |
5
|
|
|
* @author Julius Härtl <[email protected]> |
6
|
|
|
* |
7
|
|
|
* @license GNU AGPL version 3 or any later version |
8
|
|
|
* |
9
|
|
|
* This program is free software: you can redistribute it and/or modify |
10
|
|
|
* it under the terms of the GNU Affero General Public License as |
11
|
|
|
* published by the Free Software Foundation, either version 3 of the |
12
|
|
|
* License, or (at your option) any later version. |
13
|
|
|
* |
14
|
|
|
* This program is distributed in the hope that it will be useful, |
15
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of |
16
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
17
|
|
|
* GNU Affero General Public License for more details. |
18
|
|
|
* |
19
|
|
|
* You should have received a copy of the GNU Affero General Public License |
20
|
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>. |
21
|
|
|
* |
22
|
|
|
*/ |
23
|
|
|
|
24
|
|
|
namespace OCA\Deck\Service; |
25
|
|
|
|
26
|
|
|
use OCA\Deck\Db\Acl; |
27
|
|
|
use OCA\Deck\Db\AclMapper; |
28
|
|
|
use OCA\Deck\Db\Board; |
29
|
|
|
use OCA\Deck\Db\BoardMapper; |
30
|
|
|
use OCA\Deck\Db\IPermissionMapper; |
31
|
|
|
use OCA\Deck\Db\User; |
32
|
|
|
use OCA\Deck\NoPermissionException; |
33
|
|
|
use OCP\AppFramework\Db\DoesNotExistException; |
34
|
|
|
use OCP\AppFramework\Db\Entity; |
35
|
|
|
use OCP\AppFramework\Db\MultipleObjectsReturnedException; |
36
|
|
|
use OCP\AppFramework\QueryException; |
37
|
|
|
use OCP\IConfig; |
38
|
|
|
use OCP\IGroupManager; |
39
|
|
|
use OCP\ILogger; |
40
|
|
|
use OCP\IUserManager; |
41
|
|
|
use OCP\Share\IManager; |
42
|
|
|
|
43
|
|
|
|
44
|
|
|
class PermissionService { |
45
|
|
|
|
46
|
|
|
/** @var BoardMapper */ |
47
|
|
|
private $boardMapper; |
48
|
|
|
/** @var AclMapper */ |
49
|
|
|
private $aclMapper; |
50
|
|
|
/** @var ILogger */ |
51
|
|
|
private $logger; |
52
|
|
|
/** @var IUserManager */ |
53
|
|
|
private $userManager; |
54
|
|
|
/** @var IGroupManager */ |
55
|
|
|
private $groupManager; |
56
|
|
|
/** @var IConfig */ |
57
|
|
|
private $config; |
58
|
|
|
/** @var IManager */ |
59
|
|
|
private $shareManager; |
60
|
|
|
/** @var string */ |
61
|
|
|
private $userId; |
62
|
|
|
/** @var array */ |
63
|
|
|
private $users = []; |
64
|
|
|
|
65
|
|
|
private $circlesEnabled = false; |
66
|
|
|
|
67
|
|
|
public function __construct( |
68
|
|
|
ILogger $logger, |
69
|
|
|
AclMapper $aclMapper, |
70
|
|
|
BoardMapper $boardMapper, |
71
|
|
|
IUserManager $userManager, |
72
|
|
|
IGroupManager $groupManager, |
73
|
|
|
IManager $shareManager, |
74
|
|
|
IConfig $config, |
75
|
|
|
$userId |
76
|
|
|
) { |
77
|
|
|
$this->aclMapper = $aclMapper; |
78
|
|
|
$this->boardMapper = $boardMapper; |
79
|
|
|
$this->logger = $logger; |
80
|
|
|
$this->userManager = $userManager; |
81
|
|
|
$this->groupManager = $groupManager; |
82
|
|
|
$this->shareManager = $shareManager; |
83
|
|
|
$this->config = $config; |
84
|
|
|
$this->userId = $userId; |
85
|
|
|
|
86
|
|
|
$this->circlesEnabled = \OC::$server->getAppManager()->isEnabledForUser('circles') && |
87
|
|
|
(version_compare(\OC::$server->getAppManager()->getAppVersion('circles'), '0.17.1') >= 0); |
88
|
|
|
} |
89
|
|
|
|
90
|
|
|
/** |
91
|
|
|
* Get current user permissions for a board by id |
92
|
|
|
* |
93
|
|
|
* @param $boardId |
94
|
|
|
* @return bool|array |
95
|
|
|
*/ |
96
|
|
View Code Duplication |
public function getPermissions($boardId) { |
|
|
|
|
97
|
|
|
$owner = $this->userIsBoardOwner($boardId); |
98
|
|
|
$acls = $this->aclMapper->findAll($boardId); |
99
|
|
|
return [ |
100
|
|
|
Acl::PERMISSION_READ => $owner || $this->userCan($acls, Acl::PERMISSION_READ), |
101
|
|
|
Acl::PERMISSION_EDIT => $owner || $this->userCan($acls, Acl::PERMISSION_EDIT), |
102
|
|
|
Acl::PERMISSION_MANAGE => $owner || $this->userCan($acls, Acl::PERMISSION_MANAGE), |
103
|
|
|
Acl::PERMISSION_SHARE => ($owner || $this->userCan($acls, Acl::PERMISSION_SHARE)) |
104
|
|
|
&& (!$this->shareManager->sharingDisabledForUser($this->userId)) |
105
|
|
|
]; |
106
|
|
|
} |
107
|
|
|
|
108
|
|
|
/** |
109
|
|
|
* Get current user permissions for a board |
110
|
|
|
* |
111
|
|
|
* @param Board|Entity $board |
112
|
|
|
* @return array|bool |
113
|
|
|
* @internal param $boardId |
114
|
|
|
*/ |
115
|
|
View Code Duplication |
public function matchPermissions(Board $board) { |
|
|
|
|
116
|
|
|
$owner = $this->userIsBoardOwner($board->getId()); |
117
|
|
|
$acls = $board->getAcl(); |
118
|
|
|
return [ |
119
|
|
|
Acl::PERMISSION_READ => $owner || $this->userCan($acls, Acl::PERMISSION_READ), |
120
|
|
|
Acl::PERMISSION_EDIT => $owner || $this->userCan($acls, Acl::PERMISSION_EDIT), |
121
|
|
|
Acl::PERMISSION_MANAGE => $owner || $this->userCan($acls, Acl::PERMISSION_MANAGE), |
122
|
|
|
Acl::PERMISSION_SHARE => ($owner || $this->userCan($acls, Acl::PERMISSION_SHARE)) |
123
|
|
|
&& (!$this->shareManager->sharingDisabledForUser($this->userId)) |
124
|
|
|
]; |
125
|
|
|
} |
126
|
|
|
|
127
|
|
|
/** |
128
|
|
|
* check permissions for replacing dark magic middleware |
129
|
|
|
* |
130
|
|
|
* @param $mapper IPermissionMapper|null null if $id is a boardId |
131
|
|
|
* @param $id int unique identifier of the Entity |
132
|
|
|
* @param $permission int |
133
|
|
|
* @return bool |
134
|
|
|
* @throws NoPermissionException |
135
|
|
|
*/ |
136
|
|
|
public function checkPermission($mapper, $id, $permission, $userId = null) { |
137
|
|
|
$boardId = $id; |
138
|
|
|
if ($mapper instanceof IPermissionMapper) { |
139
|
|
|
$boardId = $mapper->findBoardId($id); |
140
|
|
|
} |
141
|
|
|
if ($boardId === null) { |
142
|
|
|
// Throw NoPermission to not leak information about existing entries |
143
|
|
|
throw new NoPermissionException('Permission denied'); |
144
|
|
|
} |
145
|
|
|
|
146
|
|
|
if ($permission === Acl::PERMISSION_SHARE && $this->shareManager->sharingDisabledForUser($this->userId)) { |
147
|
|
|
return false; |
148
|
|
|
} |
149
|
|
|
|
150
|
|
|
if ($this->userIsBoardOwner($boardId, $userId)) { |
151
|
|
|
return true; |
152
|
|
|
} |
153
|
|
|
|
154
|
|
|
$acls = $this->aclMapper->findAll($boardId); |
155
|
|
|
$result = $this->userCan($acls, $permission, $userId); |
156
|
|
|
if ($result) { |
157
|
|
|
return true; |
158
|
|
|
} |
159
|
|
|
|
160
|
|
|
// Throw NoPermission to not leak information about existing entries |
161
|
|
|
throw new NoPermissionException('Permission denied'); |
162
|
|
|
} |
163
|
|
|
|
164
|
|
|
/** |
165
|
|
|
* @param $boardId |
166
|
|
|
* @return bool |
167
|
|
|
*/ |
168
|
|
|
public function userIsBoardOwner($boardId, $userId = null) { |
169
|
|
|
if ($userId === null) { |
170
|
|
|
$userId = $this->userId; |
171
|
|
|
} |
172
|
|
|
try { |
173
|
|
|
$board = $this->boardMapper->find($boardId); |
174
|
|
|
return $board && $userId === $board->getOwner(); |
175
|
|
|
} catch (DoesNotExistException $e) { |
176
|
|
|
} catch (MultipleObjectsReturnedException $e) { |
177
|
|
|
return false; |
178
|
|
|
} |
179
|
|
|
} |
180
|
|
|
|
181
|
|
|
/** |
182
|
|
|
* Check if permission matches the acl rules for current user and groups |
183
|
|
|
* |
184
|
|
|
* @param Acl[] $acls |
185
|
|
|
* @param $permission |
186
|
|
|
* @return bool |
187
|
|
|
*/ |
188
|
|
|
public function userCan(array $acls, $permission, $userId = null) { |
189
|
|
|
if ($userId === null) { |
190
|
|
|
$userId = $this->userId; |
191
|
|
|
} |
192
|
|
|
// check for users |
193
|
|
|
foreach ($acls as $acl) { |
194
|
|
|
if ($acl->getType() === Acl::PERMISSION_TYPE_USER && $acl->getParticipant() === $userId) { |
195
|
|
|
return $acl->getPermission($permission); |
196
|
|
|
} |
197
|
|
|
|
198
|
|
|
if ($this->circlesEnabled && $acl->getType() === Acl::PERMISSION_TYPE_CIRCLE) { |
199
|
|
|
try { |
200
|
|
|
\OCA\Circles\Api\v1\Circles::getMember($acl->getParticipant(), $this->userId, 1, true); |
201
|
|
|
return $acl->getPermission($permission); |
202
|
|
|
} catch (\Exception $e) { |
203
|
|
|
$this->logger->info('Member not found in circle that was accessed. This should not happen.'); |
204
|
|
|
} |
205
|
|
|
} |
206
|
|
|
} |
207
|
|
|
// check for groups |
208
|
|
|
$hasGroupPermission = false; |
209
|
|
|
foreach ($acls as $acl) { |
210
|
|
|
if (!$hasGroupPermission && $acl->getType() === Acl::PERMISSION_TYPE_GROUP && $this->groupManager->isInGroup($userId, $acl->getParticipant())) { |
211
|
|
|
$hasGroupPermission = $acl->getPermission($permission); |
212
|
|
|
} |
213
|
|
|
} |
214
|
|
|
return $hasGroupPermission; |
215
|
|
|
} |
216
|
|
|
|
217
|
|
|
/** |
218
|
|
|
* Find a list of all users (including the ones from groups) |
219
|
|
|
* Required to allow assigning them to cards |
220
|
|
|
* |
221
|
|
|
* @param $boardId |
222
|
|
|
* @return array |
223
|
|
|
*/ |
224
|
|
|
public function findUsers($boardId, $refresh = false) { |
225
|
|
|
// cache users of a board so we don't query them for every cards |
226
|
|
|
if (array_key_exists((string) $boardId, $this->users) && !$refresh) { |
227
|
|
|
return $this->users[(string) $boardId]; |
228
|
|
|
} |
229
|
|
|
try { |
230
|
|
|
$board = $this->boardMapper->find($boardId); |
231
|
|
|
} catch (DoesNotExistException $e) { |
232
|
|
|
return []; |
233
|
|
|
} catch (MultipleObjectsReturnedException $e) { |
234
|
|
|
return []; |
235
|
|
|
} |
236
|
|
|
|
237
|
|
|
$owner = $this->userManager->get($board->getOwner()); |
238
|
|
|
if ($owner === null) { |
239
|
|
|
$this->logger->info('No owner found for board ' . $board->getId()); |
240
|
|
|
} else { |
241
|
|
|
$users = []; |
242
|
|
|
$users[$owner->getUID()] = new User($owner); |
243
|
|
|
} |
244
|
|
|
$acls = $this->aclMapper->findAll($boardId); |
245
|
|
|
/** @var Acl $acl */ |
246
|
|
|
foreach ($acls as $acl) { |
247
|
|
View Code Duplication |
if ($acl->getType() === Acl::PERMISSION_TYPE_USER) { |
248
|
|
|
$user = $this->userManager->get($acl->getParticipant()); |
249
|
|
|
if ($user === null) { |
250
|
|
|
$this->logger->info('No user found for acl rule ' . $acl->getId()); |
251
|
|
|
continue; |
252
|
|
|
} |
253
|
|
|
$users[$user->getUID()] = new User($user); |
|
|
|
|
254
|
|
|
} |
255
|
|
View Code Duplication |
if ($acl->getType() === Acl::PERMISSION_TYPE_GROUP) { |
|
|
|
|
256
|
|
|
$group = $this->groupManager->get($acl->getParticipant()); |
257
|
|
|
if ($group === null) { |
258
|
|
|
$this->logger->info('No group found for acl rule ' . $acl->getId()); |
259
|
|
|
continue; |
260
|
|
|
} |
261
|
|
|
foreach ($group->getUsers() as $user) { |
262
|
|
|
$users[$user->getUID()] = new User($user); |
263
|
|
|
} |
264
|
|
|
} |
265
|
|
|
} |
266
|
|
|
$this->users[(string) $boardId] = $users; |
267
|
|
|
return $this->users[(string) $boardId]; |
268
|
|
|
} |
269
|
|
|
|
270
|
|
|
public function canCreate() { |
271
|
|
|
$groups = $this->getGroupLimitList(); |
272
|
|
|
if (count($groups) === 0) { |
273
|
|
|
return true; |
274
|
|
|
} |
275
|
|
|
foreach ($groups as $group) { |
276
|
|
|
if ($this->groupManager->isInGroup($this->userId, $group)) { |
277
|
|
|
return true; |
278
|
|
|
} |
279
|
|
|
} |
280
|
|
|
return false; |
281
|
|
|
} |
282
|
|
|
|
283
|
|
View Code Duplication |
private function getGroupLimitList() { |
|
|
|
|
284
|
|
|
$value = $this->config->getAppValue('deck', 'groupLimit', ''); |
285
|
|
|
$groups = explode(',', $value); |
286
|
|
|
if ($value === '') { |
287
|
|
|
return []; |
288
|
|
|
} |
289
|
|
|
return $groups; |
290
|
|
|
} |
291
|
|
|
} |
292
|
|
|
|
Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.
You can also find more detailed suggestions in the “Code” section of your repository.