author | Igor Scheller <igor.scheller@igorshp.de> | 2018-11-12 14:41:23 +0100 |
---|---|---|
committer | msquare <msquare@notrademark.de> | 2018-12-02 12:53:31 +0100 |
commit | c33940f64a1e5b59afd700010247382f5b7b2df3 (patch) | |
tree | 453b8810c90cd78e75a1425a4f4f002e585d121a | |
parent | 951828a4f1175f99666a48629ea125640cc7c598 (diff) |
Moved permission checks to Authenticator class
35 files changed, 193 insertions, 199 deletions
diff --git a/includes/controller/angeltypes_controller.php b/includes/controller/angeltypes_controller.php index 821d101a..6e78db45 100644 --- a/includes/controller/angeltypes_controller.php +++ b/includes/controller/angeltypes_controller.php @@ -78,9 +78,7 @@ function angeltypes_about_controller() */ function angeltype_delete_controller() { - global $privileges; - - if (!in_array('admin_angel_types', $privileges)) { + if (!auth()->can('admin_angel_types')) { redirect(page_link_to('angeltypes')); } @@ -105,10 +103,8 @@ function angeltype_delete_controller() */ function angeltype_edit_controller() { - global $privileges; - // In supporter mode only allow to modify description - $supporter_mode = !in_array('admin_angel_types', $privileges); + $supporter_mode = !auth()->can('admin_angel_types'); $request = request(); if ($request->has('angeltype_id')) { @@ -178,10 +174,9 @@ function angeltype_edit_controller() */ function angeltype_controller() { - global $privileges; $user = auth()->user(); - if (!in_array('angeltypes', $privileges)) { + if (!auth()->can('angeltypes')) { redirect(page_link_to('/')); } @@ -210,8 +205,8 @@ function angeltype_controller() $angeltype, $members, $user_angeltype, - in_array('admin_user_angeltypes', $privileges) || $user_angeltype['supporter'], - in_array('admin_angel_types', $privileges), + auth()->can('admin_user_angeltypes') || $user_angeltype['supporter'], + auth()->can('admin_angel_types'), $user_angeltype['supporter'], $user_driver_license, $user, @@ -250,11 +245,9 @@ function angeltype_controller_shiftsFilterDays($angeltype) */ function angeltype_controller_shiftsFilter($angeltype, $days) { - global $privileges; - $request = request(); $shiftsFilter = new ShiftsFilter( - in_array('user_shifts_admin', $privileges), + auth()->can('user_shifts_admin'), Room_ids(), [$angeltype['id']] ); 
@@ -278,10 +271,9 @@ function angeltype_controller_shiftsFilter($angeltype, $days) */ function angeltypes_list_controller() { - global $privileges; $user = auth()->user(); - if (!in_array('angeltypes', $privileges)) { + if (!auth()->can('angeltypes')) { redirect(page_link_to('/')); } @@ -296,7 +288,7 @@ function angeltypes_list_controller() ) ]; - if (in_array('admin_angel_types', $privileges)) { + if (auth()->can('admin_angel_types')) { $actions[] = button( page_link_to('angeltypes', ['action' => 'edit', 'angeltype_id' => $angeltype['id']]), __('edit'), @@ -340,7 +332,7 @@ function angeltypes_list_controller() return [ angeltypes_title(), - AngelTypes_list_view($angeltypes, in_array('admin_angel_types', $privileges)) + AngelTypes_list_view($angeltypes, auth()->can('admin_angel_types')) ]; } diff --git a/includes/controller/event_config_controller.php b/includes/controller/event_config_controller.php index e9b27cba..ff68c3ea 100644 --- a/includes/controller/event_config_controller.php +++ b/includes/controller/event_config_controller.php @@ -16,9 +16,7 @@ function event_config_title() */ function event_config_edit_controller() { - global $privileges; - - if (!in_array('admin_event_config', $privileges)) { + if (!auth()->can('admin_event_config')) { redirect(page_link_to('/')); } diff --git a/includes/controller/rooms_controller.php b/includes/controller/rooms_controller.php index f95184f0..01d4fd37 100644 --- a/includes/controller/rooms_controller.php +++ b/includes/controller/rooms_controller.php @@ -14,9 +14,7 @@ use Engelsystem\ShiftsFilterRenderer; */ function room_controller() { - global $privileges; - - if (!in_array('view_rooms', $privileges)) { + if (!auth()->can('view_rooms')) { redirect(page_link_to()); } diff --git a/includes/controller/shift_entries_controller.php b/includes/controller/shift_entries_controller.php index 16f0c0a1..a6659598 100644 --- a/includes/controller/shift_entries_controller.php +++ b/includes/controller/shift_entries_controller.php 
@@ -35,7 +35,6 @@ function shift_entries_controller() */ function shift_entry_create_controller() { - global $privileges; $user = auth()->user(); $request = request(); @@ -50,7 +49,7 @@ function shift_entry_create_controller() $angeltype = AngelType($request->input('angeltype_id')); - if (in_array('user_shifts_admin', $privileges)) { + if (auth()->can('user_shifts_admin')) { return shift_entry_create_controller_admin($shift, $angeltype); } diff --git a/includes/controller/shifts_controller.php b/includes/controller/shifts_controller.php index 375ea6b6..caf124ba 100644 --- a/includes/controller/shifts_controller.php +++ b/includes/controller/shifts_controller.php @@ -43,13 +43,11 @@ function shift_edit_link($shift) */ function shift_edit_controller() { - global $privileges; - $msg = ''; $valid = true; $request = request(); - if (!in_array('admin_shifts', $privileges)) { + if (!auth()->can('admin_shifts')) { redirect(page_link_to('user_shifts')); } @@ -203,10 +201,9 @@ function shift_edit_controller() */ function shift_delete_controller() { - global $privileges; $request = request(); - if (!in_array('user_shifts_admin', $privileges)) { + if (!auth()->can('user_shifts_admin')) { redirect(page_link_to('user_shifts')); } @@ -253,11 +250,10 @@ function shift_delete_controller() */ function shift_controller() { - global $privileges; $user = auth()->user(); $request = request(); - if (!in_array('user_shifts', $privileges)) { + if (!auth()->can('user_shifts')) { redirect(page_link_to('/')); } @@ -332,9 +328,7 @@ function shifts_controller() */ function shift_next_controller() { - global $privileges; - - if (!in_array('user_shifts', $privileges)) { + if (!auth()->can('user_shifts')) { redirect(page_link_to('/')); } 
@@ -363,7 +357,7 @@ function shifts_json_export_controller() if (!$user) { engelsystem_error('Key invalid.'); } - if (!in_array('shifts_json_export', privileges_for_user($user->id))) { + if (!auth()->can('shifts_json_export')) { engelsystem_error('No privilege for shifts_json_export.'); } diff --git a/includes/controller/user_angeltypes_controller.php b/includes/controller/user_angeltypes_controller.php index e03bd293..ad62416a 100644 --- a/includes/controller/user_angeltypes_controller.php +++ b/includes/controller/user_angeltypes_controller.php @@ -80,7 +80,6 @@ function user_angeltypes_delete_all_controller() */ function user_angeltypes_confirm_all_controller() { - global $privileges; $user = auth()->user(); $request = request(); @@ -95,7 +94,7 @@ function user_angeltypes_confirm_all_controller() redirect(page_link_to('angeltypes')); } - if (!in_array('admin_user_angeltypes', $privileges) && !User_is_AngelType_supporter($user, $angeltype)) { + if (!auth()->can('admin_user_angeltypes') && !User_is_AngelType_supporter($user, $angeltype)) { error(__('You are not allowed to confirm all users for this angeltype.')); redirect(page_link_to('angeltypes')); } @@ -235,11 +234,10 @@ function user_angeltype_delete_controller() */ function user_angeltype_update_controller() { - global $privileges; $supporter = false; $request = request(); - if (!in_array('admin_angel_types', $privileges)) { + if (!auth()->can('admin_angel_types')) { error(__('You are not allowed to set supporter rights.')); redirect(page_link_to('angeltypes')); } @@ -360,7 +358,6 @@ function user_angeltype_add_controller() */ function user_angeltype_join_controller($angeltype) { - global $privileges; $user = auth()->user(); $user_angeltype = UserAngelType_by_User_and_AngelType($user->id, $angeltype); 
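Review bot: In the shifts_json_export_controller hunk the replacement `if (!auth()->can('shifts_json_export')) {` no longer evaluates the privileges of the user that was resolved from the API key (the `$user` checked by `if (!$user) { engelsystem_error('Key invalid.'); }` directly above); `Authenticator::can()` reads the uid from the session and otherwise falls back to the guest group, so for a key-authenticated request without a session the decision is made for a different principal than the key owner. Depending on what the guest group is granted this either rejects every key-based export or accepts any valid key regardless of the owner's privileges. The `auth()->can('atom')` and `auth()->can('ical')` hunks in includes/pages/user_atom.php and includes/pages/user_ical.php have the same problem. Keep the check bound to the key's user, e.g. `if (!in_array('shifts_json_export', privileges_for_user($user->id), true)) {`, or add an Authenticator method that evaluates abilities for an explicitly passed user. The enclosing function starts outside the hunk, so where `$user` comes from is inferred from the error message only.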
@@ -380,7 +377,7 @@ function user_angeltype_join_controller($angeltype) )); success($success_message); - if (in_array('admin_user_angeltypes', $privileges)) { + if (auth()->can('admin_user_angeltypes')) { UserAngelType_confirm($user_angeltype_id, $user->id); engelsystem_log(sprintf( 'User %s confirmed as %s.', diff --git a/includes/controller/user_driver_licenses_controller.php b/includes/controller/user_driver_licenses_controller.php index 69179b35..9dc15f15 100644 --- a/includes/controller/user_driver_licenses_controller.php +++ b/includes/controller/user_driver_licenses_controller.php @@ -96,13 +96,12 @@ function user_driver_license_load_user() */ function user_driver_license_edit_controller() { - global $privileges; $user = auth()->user(); $request = request(); $user_source = user_driver_license_load_user(); // only privilege admin_user can edit other users driver license information - if ($user->id != $user_source->id && !in_array('admin_user', $privileges)) { + if ($user->id != $user_source->id && !auth()->can('admin_user')) { redirect(user_driver_license_edit_link()); } diff --git a/includes/controller/user_worklog_controller.php b/includes/controller/user_worklog_controller.php index 4eaa5e91..bf0eb1cf 100644 --- a/includes/controller/user_worklog_controller.php +++ b/includes/controller/user_worklog_controller.php @@ -182,10 +182,9 @@ function user_worklog_delete_link($userWorkLog, $parameters = []) */ function user_worklog_controller() { - global $privileges; $user = auth()->user(); - if (!in_array('admin_user_worklog', $privileges)) { + if (!auth()->can('admin_user_worklog')) { redirect(user_link($user->id)); } diff --git a/includes/controller/users_controller.php b/includes/controller/users_controller.php index 51b6e432..2fcd90b9 100644 --- a/includes/controller/users_controller.php +++ b/includes/controller/users_controller.php 
@@ -46,7 +46,6 @@ function users_controller() */ function user_delete_controller() { - global $privileges; $user = auth()->user(); $request = request(); @@ -56,7 +55,7 @@ function user_delete_controller() $user_source = $user; } - if (!in_array('admin_user', $privileges)) { + if (!auth()->can('admin_user')) { redirect(page_link_to('')); } @@ -138,7 +137,6 @@ function user_link($userId) */ function user_edit_vouchers_controller() { - global $privileges; $user = auth()->user(); $request = request(); @@ -148,7 +146,7 @@ function user_edit_vouchers_controller() $user_source = $user; } - if (!in_array('admin_user', $privileges)) { + if (!auth()->can('admin_user')) { redirect(page_link_to('')); } @@ -190,7 +188,6 @@ function user_edit_vouchers_controller() */ function user_controller() { - global $privileges; $user = auth()->user(); $request = request(); @@ -203,7 +200,7 @@ function user_controller() } } - $shifts = Shifts_by_user($user_source->id, in_array('user_shifts_admin', $privileges)); + $shifts = Shifts_by_user($user_source->id, auth()->can('user_shifts_admin')); foreach ($shifts as &$shift) { // TODO: Move queries to model $shift['needed_angeltypes'] = DB::select(' @@ -242,15 +239,15 @@ function user_controller() $user_source->name, User_view( $user_source, - in_array('admin_user', $privileges), + auth()->can('admin_user'), User_is_freeloader($user_source), User_angeltypes($user_source->id), User_groups($user_source->id), $shifts, $user->id == $user_source->id, $tshirt_score, - in_array('admin_active', $privileges), - in_array('admin_user_worklog', $privileges), + auth()->can('admin_active'), + auth()->can('admin_user_worklog'), UserWorkLogsForUser($user_source->id) ) ]; @@ -263,10 +260,9 @@ function user_controller() */ function users_list_controller() { - global $privileges; $request = request(); - if (!in_array('admin_user', $privileges)) { + if (!auth()->can('admin_user')) { redirect(page_link_to('')); } 
diff --git a/includes/engelsystem.php b/includes/engelsystem.php index caebe09b..ca121cc2 100644 --- a/includes/engelsystem.php +++ b/includes/engelsystem.php @@ -21,9 +21,3 @@ if ($app->get('config')->get('maintenance')) { echo $maintenance; die(); } - - -/** - * Init authorization - */ -load_auth(); diff --git a/includes/model/Shifts_model.php b/includes/model/Shifts_model.php index d6fbe3b6..4be65dda 100644 --- a/includes/model/Shifts_model.php +++ b/includes/model/Shifts_model.php @@ -422,17 +422,16 @@ function Shift_signup_allowed_admin($needed_angeltype, $shift_entries) */ function Shift_signout_allowed($shift, $angeltype, $signout_user_id) { - global $privileges; $user = auth()->user(); // user shifts admin can sign out any user at any time - if (in_array('user_shifts_admin', $privileges)) { + if (auth()->can('user_shifts_admin')) { return true; } // angeltype supporter can sign out any user at any time from their supported angeltype if ( - in_array('shiftentry_edit_angeltype_supporter', $privileges) + auth()->can('shiftentry_edit_angeltype_supporter') && User_is_AngelType_supporter($user, $angeltype) ) { return true; @@ -466,14 +465,12 @@ function Shift_signup_allowed( $needed_angeltype, $shift_entries ) { - global $privileges; - - if (in_array('user_shifts_admin', $privileges)) { + if (auth()->can('user_shifts_admin')) { return Shift_signup_allowed_admin($needed_angeltype, $shift_entries); } if ( - in_array('shiftentry_edit_angeltype_supporter', $privileges) + auth()->can('shiftentry_edit_angeltype_supporter') && User_is_AngelType_supporter(auth()->user(), $angeltype) ) { return Shift_signup_allowed_angeltype_supporter($needed_angeltype, $shift_entries); diff --git a/includes/pages/admin_free.php b/includes/pages/admin_free.php index d8787f36..7b694659 100644 --- a/includes/pages/admin_free.php +++ b/includes/pages/admin_free.php 
@@ -17,7 +17,6 @@ function admin_free_title() */ function admin_free() { - global $privileges; $request = request(); $search = ''; @@ -88,7 +87,7 @@ function admin_free() 'dect' => $usr->contact->dect, 'email' => $usr->settings->email_human ? ($usr->contact->email ? $usr->contact->email : $usr->email) : glyph('eye-close'), 'actions' => - in_array('admin_user', $privileges) + auth()->can('admin_user') ? button(page_link_to('admin_user', ['id' => $usr->id]), __('edit'), 'btn-xs') : '' ]; diff --git a/includes/pages/admin_news.php b/includes/pages/admin_news.php index 90aeb439..21245eb9 100644 --- a/includes/pages/admin_news.php +++ b/includes/pages/admin_news.php @@ -8,7 +8,6 @@ use Engelsystem\Models\User\User; */ function admin_news() { - global $privileges; $user = auth()->user(); $request = request(); @@ -32,7 +31,7 @@ function admin_news() case 'edit': $user_source = User::find($news['UID']); if ( - !in_array('admin_news_html', $privileges) + !auth()->can('admin_news_html') && strip_tags($news['Text']) != $news['Text'] ) { $html .= warning( @@ -62,7 +61,7 @@ function admin_news() case 'save': $text = $request->postData('eText'); - if (!in_array('admin_news_html', $privileges)) { + if (!auth()->can('admin_news_html')) { $text = strip_tags($text); } diff --git a/includes/pages/admin_questions.php b/includes/pages/admin_questions.php index 60df1ebf..0b5940cc 100644 --- a/includes/pages/admin_questions.php +++ b/includes/pages/admin_questions.php @@ -18,10 +18,10 @@ function admin_questions_title() */ function admin_new_questions() { - global $privileges, $page; + global $page; if ($page != 'admin_questions') { - if (in_array('admin_questions', $privileges)) { + if (auth()->can('admin_questions')) { $new_messages = count(DB::select('SELECT `QID` FROM `Questions` WHERE `AID` IS NULL')); if ($new_messages > 0) { diff --git a/includes/pages/admin_user.php b/includes/pages/admin_user.php index 3894e724..63993fc9 100644 --- a/includes/pages/admin_user.php 
+++ b/includes/pages/admin_user.php @@ -16,7 +16,6 @@ function admin_user_title() */ function admin_user() { - global $privileges; $user = auth()->user(); $tshirt_sizes = config('tshirt_sizes'); $request = request(); @@ -83,7 +82,7 @@ function admin_user() $html .= html_options('eAktiv', $options, $user_source->state->active) . '</td></tr>' . "\n"; // Aktiv erzwingen - if (in_array('admin_active', $privileges)) { + if (auth()->can('admin_active')) { $html .= ' <tr><td>' . __('Force active') . '</td><td>' . "\n"; $html .= html_options('force_active', $options, $user_source->state->force_active) . '</td></tr>' . "\n"; } @@ -249,7 +248,7 @@ function admin_user() case 'save': $force_active = $user->state->force_active; $user_source = User::find($user_id); - if (in_array('admin_active', $privileges)) { + if (auth()->can('admin_active')) { $force_active = $request->input('force_active'); } if ($user_source->settings->email_human) { diff --git a/includes/pages/guest_login.php b/includes/pages/guest_login.php index e1c6dfa4..2df09d79 100644 --- a/includes/pages/guest_login.php +++ b/includes/pages/guest_login.php @@ -39,7 +39,6 @@ function logout_title() */ function guest_register() { - global $privileges; $authUser = auth()->user(); $tshirt_sizes = config('tshirt_sizes'); $enable_tshirt_size = config('enable_tshirt_size'); @@ -71,7 +70,7 @@ function guest_register() } } - if (!in_array('register', $privileges) || (!$authUser && !config('registration_enabled'))) { + if (!auth()->can('register') || (!$authUser && !config('registration_enabled'))) { error(__('Registration is disabled.')); return page_with_title(register_title(), [ @@ -472,9 +471,7 @@ function guest_login() */ function get_register_hint() { - global $privileges; - - if (in_array('register', $privileges) && config('registration_enabled')) { + if (auth()->can('register') && config('registration_enabled')) { return join('', [ '<p>' . __('Please sign up, if you want to help us!') . '</p>', buttons([ 
diff --git a/includes/pages/user_atom.php b/includes/pages/user_atom.php index 6aafb74f..e624ceb4 100644 --- a/includes/pages/user_atom.php +++ b/includes/pages/user_atom.php @@ -17,7 +17,7 @@ function user_atom() if (empty($user)) { engelsystem_error('Key invalid.'); } - if (!in_array('atom', privileges_for_user($user->id))) { + if (!auth()->can('atom')) { engelsystem_error('No privilege for atom.'); } diff --git a/includes/pages/user_ical.php b/includes/pages/user_ical.php index 8a80d681..ee3a8340 100644 --- a/includes/pages/user_ical.php +++ b/includes/pages/user_ical.php @@ -15,7 +15,7 @@ function user_ical() if (!$user) { engelsystem_error('Key invalid.'); } - if (!in_array('ical', privileges_for_user($user->id))) { + if (!auth()->can('ical')) { engelsystem_error('No privilege for ical.'); } diff --git a/includes/pages/user_myshifts.php b/includes/pages/user_myshifts.php index 1eab016d..11bbc9f4 100644 --- a/includes/pages/user_myshifts.php +++ b/includes/pages/user_myshifts.php @@ -18,13 +18,12 @@ function myshifts_title() */ function user_myshifts() { - global $privileges; $user = auth()->user(); $request = request(); if ( $request->has('id') - && in_array('user_shifts_admin', $privileges) + && auth()->can('user_shifts_admin') && preg_match('/^\d{1,}$/', $request->input('id')) && User::find($request->input('id')) ) { @@ -79,7 +78,7 @@ function user_myshifts() if ($request->hasPostData('submit')) { $valid = true; - if (in_array('user_shifts_admin', $privileges)) { + if (auth()->can('user_shifts_admin')) { $freeloaded = $request->has('freeloaded'); $freeload_comment = strip_request_item_nl('freeload_comment'); if ($freeloaded && $freeload_comment == '') { @@ -120,7 +119,7 @@ function user_myshifts() $shift['Comment'], $shift['freeloaded'], $shift['freeload_comment'], - in_array('user_shifts_admin', $privileges) + auth()->can('user_shifts_admin') ); } else { redirect(page_link_to('user_myshifts')); 
diff --git a/includes/pages/user_news.php b/includes/pages/user_news.php index e101be6b..34be033f 100644 --- a/includes/pages/user_news.php +++ b/includes/pages/user_news.php @@ -91,7 +91,7 @@ function news_text($news) */ function display_news($news) { - global $privileges, $page; + global $page; $html = ''; $html .= '<div class="panel' . ($news['Treffen'] == 1 ? ' panel-info' : ' panel-default') . '">'; @@ -101,7 +101,7 @@ function display_news($news) $html .= '<div class="panel-body">' . news_text($news) . '</div>'; $html .= '<div class="panel-footer text-muted">'; - if (in_array('admin_news', $privileges)) { + if (auth()->can('admin_news')) { $html .= '<div class="pull-right">' . button_glyph( page_link_to('admin_news', ['action' => 'edit', 'id' => $news['ID']]), @@ -198,7 +198,6 @@ function user_news_comments() */ function user_news() { - global $privileges; $user = auth()->user(); $display_news = config('display_news'); $request = request(); @@ -206,13 +205,13 @@ function user_news() $html = '<div class="col-md-12"><h1>' . news_title() . '</h1>' . msg(); $isMeeting = $request->postData('treffen'); - if ($request->has('text') && $request->has('betreff') && in_array('admin_news', $privileges)) { + if ($request->has('text') && $request->has('betreff') && auth()->can('admin_news')) { if (!$request->has('treffen')) { $isMeeting = 0; } $text = $request->postData('text'); - if (!in_array('admin_news_html', $privileges)) { + if (!auth()->can('admin_news_html')) { $text = strip_tags($text); } @@ -266,7 +265,7 @@ function user_news() } $html .= '</ul></div>'; - if (in_array('admin_news', $privileges)) { + if (auth()->can('admin_news')) { $html .= '<hr />'; $html .= '<h2>' . __('Create news:') . '</h2>'; diff --git a/includes/pages/user_shifts.php b/includes/pages/user_shifts.php index cef6af73..942b8849 100644 --- a/includes/pages/user_shifts.php +++ b/includes/pages/user_shifts.php 
@@ -168,7 +168,7 @@ function load_types() */ function view_user_shifts() { - global $privileges, $ical_shifts; + global $ical_shifts; $user = auth()->user(); $session = session(); @@ -182,13 +182,13 @@ function view_user_shifts() $rooms[0]['id'] ]; $type_ids = array_map('get_ids_from_array', $types); - $shiftsFilter = new ShiftsFilter(in_array('user_shifts_admin', $privileges), $room_ids, $type_ids); + $shiftsFilter = new ShiftsFilter(auth()->can('user_shifts_admin'), $room_ids, $type_ids); $session->set('shifts-filter', $shiftsFilter->sessionExport()); } $shiftsFilter = new ShiftsFilter(); $shiftsFilter->sessionImport($session->get('shifts-filter')); - update_ShiftsFilter($shiftsFilter, in_array('user_shifts_admin', $privileges), $days); + update_ShiftsFilter($shiftsFilter, auth()->can('user_shifts_admin'), $days); $session->set('shifts-filter', $shiftsFilter->sessionExport()); $shiftCalendarRenderer = shiftCalendarRendererByShiftFilter($shiftsFilter); diff --git a/includes/sys_auth.php b/includes/sys_auth.php index 5d2fa8be..520b13eb 100644 --- a/includes/sys_auth.php +++ b/includes/sys_auth.php @@ -1,36 +1,9 @@ <?php -use Carbon\Carbon; use Engelsystem\Database\DB; use Engelsystem\Models\User\User; /** - * Testet ob ein User eingeloggt ist und lädt die entsprechenden Privilegien - */ -function load_auth() -{ - global $privileges; - $session = session(); - - if ($session->has('uid')) { - $user = auth()->user(); - - if ($user) { - $user->last_login_at = new Carbon(); - $user->save(); - - $privileges = privileges_for_user($user->id); - return; - } - - $session->remove('uid'); - } - - // guest privileges - $privileges = privileges_for_group(-10); -} - -/** * generate a salt (random string) of arbitrary length suitable for the use with crypt() * * @param int $length diff --git a/includes/sys_menu.php b/includes/sys_menu.php index e4f79766..b4c04a98 100644 --- a/includes/sys_menu.php +++ b/includes/sys_menu.php 
@@ -45,15 +45,15 @@ function header_render_hints() */ function make_user_submenu() { - global $privileges, $page; + global $page; $user_submenu = make_language_select(); - if (in_array('user_settings', $privileges) || in_array('logout', $privileges)) { + if (auth()->can('user_settings') || auth()->can('logout')) { $user_submenu[] = toolbar_item_divider(); } - if (in_array('user_settings', $privileges)) { + if (auth()->can('user_settings')) { $user_submenu[] = toolbar_item_link( page_link_to('user_settings'), 'list-alt', @@ -62,7 +62,7 @@ function make_user_submenu() ); } - if (in_array('logout', $privileges)) { + if (auth()->can('logout')) { $user_submenu[] = toolbar_item_link( page_link_to('logout'), 'log-out', @@ -79,7 +79,7 @@ function make_user_submenu() */ function make_navigation() { - global $page, $privileges; + global $page; $menu = []; $pages = [ @@ -91,7 +91,7 @@ function make_navigation() ]; foreach ($pages as $menu_page => $title) { - if (in_array($menu_page, $privileges)) { + if (auth()->can($menu_page)) { $menu[] = toolbar_item_link(page_link_to($menu_page), '', $title, $menu_page == $page); } } @@ -115,7 +115,7 @@ function make_navigation() ]; foreach ($admin_pages as $menu_page => $title) { - if (in_array($menu_page, $privileges)) { + if (auth()->can($menu_page)) { $admin_menu[] = toolbar_item_link( page_link_to($menu_page), '', @@ -140,16 +140,14 @@ function make_navigation() */ function make_room_navigation($menu) { - global $privileges; - - if (!in_array('view_rooms', $privileges)) { + if (!auth()->can('view_rooms')) { return $menu; } // Get a list of all rooms $rooms = Rooms(); $room_menu = []; - if (in_array('admin_rooms', $privileges)) { + if (auth()->can('admin_rooms')) { $room_menu[] = toolbar_item_link(page_link_to('admin_rooms'), 'list', __('Manage rooms')); } if (count($room_menu) > 0) { diff --git a/includes/view/AngelTypes_view.php b/includes/view/AngelTypes_view.php index ab4ce517..f4e83758 100644 
--- a/includes/view/AngelTypes_view.php +++ b/includes/view/AngelTypes_view.php @@ -564,14 +564,12 @@ function AngelTypes_about_view_angeltype($angeltype) */ function AngelTypes_about_view($angeltypes, $user_logged_in) { - global $privileges; - $buttons = []; if ($user_logged_in) { $buttons[] = button(page_link_to('angeltypes'), angeltypes_title(), 'back'); } else { - if (in_array('register', $privileges) && config('registration_enabled')) { + if (auth()->can('register') && config('registration_enabled')) { $buttons[] = button(page_link_to('register'), register_title()); } diff --git a/includes/view/Rooms_view.php b/includes/view/Rooms_view.php index 93351e28..4ea78e86 100644 --- a/includes/view/Rooms_view.php +++ b/includes/view/Rooms_view.php @@ -64,9 +64,7 @@ function Room_view($room, ShiftsFilterRenderer $shiftsFilterRenderer, ShiftCalen */ function Room_name_render($room) { - global $privileges; - - if (in_array('view_rooms', $privileges)) { + if (auth()->can('view_rooms')) { return '<a href="' . room_link($room) . '">' . glyph('map-marker') . $room['Name'] . '</a>'; } diff --git a/includes/view/ShiftCalendarShiftRenderer.php b/includes/view/ShiftCalendarShiftRenderer.php index 6a01949e..3f427ea0 100644 --- a/includes/view/ShiftCalendarShiftRenderer.php +++ b/includes/view/ShiftCalendarShiftRenderer.php @@ -97,8 +97,6 @@ class ShiftCalendarShiftRenderer */ private function renderShiftNeededAngeltypes($shift, $needed_angeltypes, $shift_entries, $user) { - global $privileges; - $shift_entries_filtered = []; foreach ($needed_angeltypes as $needed_angeltype) { $shift_entries_filtered[$needed_angeltype['id']] = []; 
@@ -130,7 +128,7 @@ class ShiftCalendarShiftRenderer $shift_signup_state = new ShiftSignupState(ShiftSignupState::SHIFT_ENDED, 0); } - if (in_array('user_shifts_admin', $privileges)) { + if (auth()->can('user_shifts_admin')) { $html .= '<li class="list-group-item">'; $html .= button(shift_entry_create_link_admin($shift), glyph('plus') . __('Add more angels'), @@ -253,10 +251,8 @@ class ShiftCalendarShiftRenderer */ private function renderShiftHead($shift, $class) { - global $privileges; - $header_buttons = ''; - if (in_array('admin_shifts', $privileges)) { + if (auth()->can('admin_shifts')) { $header_buttons = '<div class="pull-right">' . table_buttons([ button( page_link_to('user_shifts', ['edit_shift' => $shift['SID']]), diff --git a/includes/view/ShiftTypes_view.php b/includes/view/ShiftTypes_view.php index 72d119ff..634f9760 100644 --- a/includes/view/ShiftTypes_view.php +++ b/includes/view/ShiftTypes_view.php @@ -6,8 +6,7 @@ */ function ShiftType_name_render($shifttype) { - global $privileges; - if (in_array('shifttypes', $privileges)) { + if (auth()->can('shifttypes')) { return '<a href="' . shifttype_link($shifttype) . '">' . $shifttype['name'] . '</a>'; } return $shifttype['name']; diff --git a/includes/view/Shifts_view.php b/includes/view/Shifts_view.php index 4c329f1b..4daaec8e 100644 --- a/includes/view/Shifts_view.php +++ b/includes/view/Shifts_view.php 
@@ -102,12 +102,10 @@ function Shift_signup_button_render($shift, $angeltype, $user_angeltype = null) */ function Shift_view($shift, $shifttype, $room, $angeltypes_source, ShiftSignupState $shift_signup_state) { - global $privileges; - - $shift_admin = in_array('admin_shifts', $privileges); - $user_shift_admin = in_array('user_shifts_admin', $privileges); - $admin_rooms = in_array('admin_rooms', $privileges); - $admin_shifttypes = in_array('shifttypes', $privileges); + $shift_admin = auth()->can('admin_shifts'); + $user_shift_admin = auth()->can('user_shifts_admin'); + $admin_rooms = auth()->can('admin_rooms'); + $admin_shifttypes = auth()->can('shifttypes'); $parsedown = new Parsedown(); diff --git a/includes/view/User_view.php b/includes/view/User_view.php index 2b4154b4..275a31ca 100644 --- a/includes/view/User_view.php +++ b/includes/view/User_view.php @@ -352,8 +352,6 @@ function User_view_shiftentries($needed_angel_type) */ function User_view_myshift($shift, $user_source, $its_me) { - global $privileges; - $shift_info = '<a href="' . shift_link($shift) . '">' . $shift['name'] . '</a>'; if ($shift['title']) { $shift_info .= '<br /><a href="' . shift_link($shift) . '">' . $shift['title'] . '</a>'; @@ -382,7 +380,7 @@ function User_view_myshift($shift, $user_source, $its_me) $myshift['duration'] = '<p class="text-danger">' . round(-($shift['end'] - $shift['start']) / 3600 * 2, 2) . ' h' . '</p>'; - if (in_array('user_shifts_admin', $privileges)) { + if (auth()->can('user_shifts_admin')) { $myshift['comment'] .= '<br />' . '<p class="text-danger">' . __('Freeloaded') . ': ' . $shift['freeload_comment'] . '</p>'; } else { 
@@ -393,7 +391,7 @@ function User_view_myshift($shift, $user_source, $its_me) $myshift['actions'] = [ button(shift_link($shift), glyph('eye-open') . __('view'), 'btn-xs') ]; - if ($its_me || in_array('user_shifts_admin', $privileges)) { + if ($its_me || auth()->can('user_shifts_admin')) { $myshift['actions'][] = button( page_link_to('user_myshifts', ['edit' => $shift['id'], 'id' => $user_source->id]), glyph('edit') . __('edit'), diff --git a/src/Helpers/Authenticator.php b/src/Helpers/Authenticator.php index 3061fbc1..edceaa44 100644 --- a/src/Helpers/Authenticator.php +++ b/src/Helpers/Authenticator.php @@ -2,6 +2,7 @@ namespace Engelsystem\Helpers; +use Carbon\Carbon; use Engelsystem\Models\User\User; use Engelsystem\Models\User\User as UserRepository; use Psr\Http\Message\ServerRequestInterface; @@ -21,6 +22,9 @@ class Authenticator /** @var UserRepository */ protected $userRepository; + /** @var string[] */ + protected $permissions; + /** * @param ServerRequestInterface $request * @param Session $session 
@@ -90,4 +94,60 @@ class Authenticator return $this->user; } + + /** + * @param string[]|string $abilities + * @return bool + */ + public function can($abilities): bool + { + $abilities = (array)$abilities; + + if (empty($this->permissions)) { + $userId = $this->session->get('uid'); + + if ($userId) { + if ($user = $this->user()) { + $this->permissions = $this->getPermissionsByUser($user); + + $user->last_login_at = new Carbon(); + $user->save(); + } else { + $this->session->remove('uid'); + } + } + + if (empty($this->permissions)) { + $this->permissions = $this->getPermissionsByGroup(-10); + } + } + + foreach ($abilities as $ability) { + if (!in_array($ability, $this->permissions)) { + return false; + } + } + + return true; + } + + /** + * @param User $user + * @return array + * @codeCoverageIgnore + */ + protected function getPermissionsByUser($user) + { + return privileges_for_user($user->id); + } + + /** + * @param int $groupId + * @return array + * @codeCoverageIgnore + */ + protected function getPermissionsByGroup(int $groupId) + { + return privileges_for_group($groupId); + } } diff --git a/src/Middleware/LegacyMiddleware.php b/src/Middleware/LegacyMiddleware.php index ce1eadef..b1315fda 100644 --- a/src/Middleware/LegacyMiddleware.php +++ b/src/Middleware/LegacyMiddleware.php @@ -62,7 +62,6 @@ class LegacyMiddleware implements MiddlewareInterface ServerRequestInterface $request, RequestHandlerInterface $handler ): ResponseInterface { - global $privileges; global $page; /** @var Request $appRequest */ @@ -79,10 +78,7 @@ class LegacyMiddleware implements MiddlewareInterface $title = $content = ''; if ( preg_match('~^\w+$~i', $page) - && ( - in_array($page, $this->free_pages) - || (isset($privileges) && in_array($page, $privileges)) - ) + && (in_array($page, $this->free_pages) || $this->auth->can($page)) ) { list($title, $content) = $this->loadPage($page); } 
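Review bot: `can()` uses `empty($this->permissions)` as its not-yet-loaded sentinel, so whenever the effective permission list is empty (no privileges for the user and none for group -10) every call within the request repeats the session lookup, `user()`, the privilege query and, for a logged-in user, `$user->save()`. Checking the unset state instead, `if ($this->permissions === null) {` for the outer condition (the inner `empty()` fallback to group -10 can stay if an empty user list is meant to inherit guest permissions), caches the result after the first call even when it is `[]`; the new testCan in tests/Unit/Helpers/AuthenticatorTest.php expects `session->get('uid')` exactly twice and would need to follow. The membership test should be strict, `if (!in_array($ability, $this->permissions, true)) {`, because permission names are strings and loose comparison treats numeric-looking strings numerically. Updating `last_login_at` and saving the user inside an authorization check is a surprising write side effect; it presumably belongs where the session is established — confirm against the login flow.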
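Review bot: The rewritten condition keeps a loose `in_array($page, $this->free_pages)`; `$page` is presumably request-derived and only constrained to `\w+`, which admits purely numeric names that PHP compares numerically under `==`, so pass the strict flag: `&& (in_array($page, $this->free_pages, true) || $this->auth->can($page))`. The enclosing `process()` method starts and ends outside the hunk.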
diff --git a/src/Renderer/Twig/Extensions/Authentication.php b/src/Renderer/Twig/Extensions/Authentication.php index 20ede828..538526da 100644 --- a/src/Renderer/Twig/Extensions/Authentication.php +++ b/src/Renderer/Twig/Extensions/Authentication.php @@ -27,7 +27,7 @@ class Authentication extends TwigExtension return [ new TwigFunction('is_user', [$this, 'isAuthenticated']), new TwigFunction('is_guest', [$this, 'isGuest']), - new TwigFunction('has_permission_to', [$this, 'checkAuth']), + new TwigFunction('has_permission_to', [$this->auth, 'can']), ]; } @@ -46,15 +46,4 @@ class Authentication extends TwigExtension { return !$this->isAuthenticated(); } - - /** - * @param $privilege - * @return bool - */ - public function checkAuth($privilege) - { - global $privileges; - - return in_array($privilege, $privileges); - } } diff --git a/tests/Unit/Helpers/AuthenticatorTest.php b/tests/Unit/Helpers/AuthenticatorTest.php index 2c03b968..05c7d16e 100644 --- a/tests/Unit/Helpers/AuthenticatorTest.php +++ b/tests/Unit/Helpers/AuthenticatorTest.php 
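Review bot: Binding `has_permission_to` straight to `Authenticator::can` silently changes the Twig function's contract: `can()` accepts `string[]|string` and returns true only when every listed ability is present, whereas the removed `checkAuth` took a single privilege. A comment on the new line would save template authors a trip into the helper, e.g. `// delegates to Authenticator::can(): a string or a list of abilities, all of which are required`. The extension class continues outside the hunk.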
@@ -99,4 +99,56 @@ class AuthenticatorTest extends ServiceProviderTest UserModelImplementation::$user = null; $this->assertEquals($user, $auth->apiUser()); } + + /** + * @covers \Engelsystem\Helpers\Authenticator::can + */ + public function testCan() + { + /** @var ServerRequestInterface|MockObject $request */ + $request = $this->getMockForAbstractClass(ServerRequestInterface::class); + /** @var Session|MockObject $session */ + $session = $this->createMock(Session::class); + /** @var UserModelImplementation|MockObject $userRepository */ + $userRepository = new UserModelImplementation(); + /** @var User|MockObject $user */ + $user = $this->createMock(User::class); + + $user->expects($this->once()) + ->method('save'); + + $session->expects($this->exactly(2)) + ->method('get') + ->with('uid') + ->willReturn(42); + $session->expects($this->once()) + ->method('remove') + ->with('uid'); + + /** @var Authenticator|MockObject $auth */ + $auth = $this->getMockBuilder(Authenticator::class) + ->setConstructorArgs([$request, $session, $userRepository]) + ->setMethods(['getPermissionsByGroup', 'getPermissionsByUser', 'user']) + ->getMock(); + $auth->expects($this->exactly(1)) + ->method('getPermissionsByGroup') + ->with(-10) + ->willReturn([]); + $auth->expects($this->exactly(1)) + ->method('getPermissionsByUser') + ->with($user) + ->willReturn(['bar']); + $auth->expects($this->exactly(2)) + ->method('user') + ->willReturnOnConsecutiveCalls(null, $user); + + // No user, no permissions + $this->assertFalse($auth->can('foo')); + + // User exists, has permissions + $this->assertTrue($auth->can('bar')); + + // Permissions cached + $this->assertTrue($auth->can('bar')); + } } diff --git a/tests/Unit/Middleware/LegacyMiddlewareTest.php b/tests/Unit/Middleware/LegacyMiddlewareTest.php index caea483d..8dd2f417 100644 --- a/tests/Unit/Middleware/LegacyMiddlewareTest.php +++ b/tests/Unit/Middleware/LegacyMiddlewareTest.php 
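Review bot: testCan never exercises a denial for a loaded user or the array form of `$abilities`, so the all-abilities-required loop in `can()` is only covered on its success path. After the `'bar'` assertions add `$this->assertFalse($auth->can('foo'));` and `$this->assertFalse($auth->can(['bar', 'foo']));`, optionally with `$this->assertTrue($auth->can(['bar']));`. The test also pins the re-lookup behaviour when the first call yields no permissions (`session->get` exactly twice), which any caching change in `can()` would have to revisit.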
@@ -76,6 +76,9 @@ class LegacyMiddlewareTest extends TestCase $auth->expects($this->atLeastOnce()) ->method('user') ->willReturn(false); + $auth->expects($this->atLeastOnce()) + ->method('can') + ->willReturn(false); $translator->expects($this->exactly(2)) ->method('translate') diff --git a/tests/Unit/Renderer/Twig/Extensions/AuthenticationTest.php b/tests/Unit/Renderer/Twig/Extensions/AuthenticationTest.php index b67d4eed..266b038e 100644 --- a/tests/Unit/Renderer/Twig/Extensions/AuthenticationTest.php +++ b/tests/Unit/Renderer/Twig/Extensions/AuthenticationTest.php @@ -23,7 +23,7 @@ class AuthenticationTest extends ExtensionTest $this->assertExtensionExists('is_user', [$extension, 'isAuthenticated'], $functions); $this->assertExtensionExists('is_guest', [$extension, 'isGuest'], $functions); - $this->assertExtensionExists('has_permission_to', [$extension, 'checkAuth'], $functions); + $this->assertExtensionExists('has_permission_to', [$auth, 'can'], $functions); } /** @@ -53,23 +53,4 @@ class AuthenticationTest extends ExtensionTest $this->assertTrue($extension->isAuthenticated()); $this->assertFalse($extension->isGuest()); } - - /** - * @covers \Engelsystem\Renderer\Twig\Extensions\Authentication::checkAuth - */ - public function testCheckAuth() - { - global $privileges; - $privileges = []; - - /** @var Authenticator|MockObject $auth */ - $auth = $this->createMock(Authenticator::class); - - $extension = new Authentication($auth); - - $this->assertFalse($extension->checkAuth('foo.bar')); - - $privileges = ['foo.bar']; - $this->assertTrue($extension->checkAuth('foo.bar')); - } } |