Commit 0692d118 authored by sylvieg's avatar sylvieg

[FIX]tracker: fix categ perms checking on tracker items + jail list and stat...

[FIX]tracker: fix category permission checking on tracker items + jail list and stat on items (todo: distinguish view, view closed... permissions depending on item status)
parent f348c63d
......@@ -400,6 +400,7 @@ class CategLib extends ObjectLib {
'image' => 'tiki_p_view_image_gallery',
'calendar' => 'tiki_p_view_calendar',
'file' => 'tiki_p_download_files',
'trackeritem' => 'tiki_p_view_trackers',
// newsletters can't be categorized, although there's some code in tiki-admin_newsletters.php
// 'newsletter' => ?,
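Review bot: The new `'trackeritem' => 'tiki_p_view_trackers'` entry maps every tracker item to the open-item permission, so the category jail cannot distinguish pending or closed items, which other code in this commit gates with `view_trackers_closed`/`view_trackers_pending`. A comment on the entry would keep the next maintainer from reading it as the complete rule, e.g. `// approximation: status-specific view perms (closed/pending) are not reflected here`.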
......
......@@ -209,6 +209,8 @@ class Perms
}
public static function mixedFilter( array $baseContext, $discriminator, $bulkKey, $data, $contextMapMap, $permissionMap ) {
//echo '<pre>BASECONTEXT'; print_r($baseContext); echo 'DISCRIMATOR';print_r($discriminator); echo 'BULKEY';print_r($bulkKey); echo 'DATA';print_r($data); echo 'CONTEXTMAPMAP';print_r($contextMapMap); echo 'PERMISSIONMAP';print_r($permissionMap); echo '</pre>';
$perType = array();
foreach( $data as $row ) {
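Review bot: The commented-out debug dump added at the top of `mixedFilter` should be dropped rather than committed; it would print the full permission maps and context into the page if ever re-enabled, and dead debug code in an access-control helper is exactly the line that gets uncommented under pressure. Delete it, and if tracing is needed route it through the project's logging instead of `echo`. The rest of `mixedFilter` lies outside the hunk.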
......
......@@ -485,7 +485,7 @@ class TrackerLib extends TikiLib {
$is_date=($myfield['type']=='f');
$is_trackerlink=($myfield['type']=='r');
$tmp="";
$tmp=$this->get_all_items($trackerId,$field,$status);
$tmp=$this->get_all_items($trackerId,$field,$status, false);//deliberatly do not check perm on categs on items
$options = split(',', $myfield["options"]);
foreach ($tmp as $key=>$value){
if ($is_date) $value=$this->date_format("%e/%m/%y",$value);
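Review bot: Passing `false` as the new fourth argument switches off the category permission filter for the linked tracker's items, so this list can expose values from items the current user could not view directly; the inline comment says it is deliberate but not why, nor what is exposed. Expand it so the trade-off is a recorded decision, e.g. `// $allfields=false: skip categ perm filtering (ItemLink list, perf) - values of category-restricted items are listed`. The enclosing function starts before the hunk.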
......@@ -511,17 +511,27 @@ class TrackerLib extends TikiLib {
return false;
}
}
function get_all_items($trackerId,$fieldId,$status='o') {
function get_all_items($trackerId,$fieldId,$status='o', $allfields='') {
global $cachelib, $prefs;
$jail = '';
$needToCheckCategPerms = $this->need_to_check_categ_perms($allfields);
if ($prefs['feature_categories'] == 'y' && $needToCheckCategPerms) {
global $categlib; include_once('lib/categories/categlib.php');
$jail = $categlib->get_jail();
}
$sort_mode = "value_asc";
$cache = md5('trackerfield'.$fieldId.$status);
if ($this->is_multilingual($fieldId) == 'y') {
$multi_languages=$prefs['available_languages'];
$cache = md5('trackerfield'.$fieldId.$status.$prefs['language']);
} else
} else {
unset($multi_languages);
}
if (!empty($jail)) {
$cache .= md5(serialize($jail));
}
if (!$cachelib->isCached($cache) || !$this->valid_status($status)) {
$sts = preg_split('//', $status, -1, PREG_SPLIT_NO_EMPTY);
......@@ -534,22 +544,53 @@ class TrackerLib extends TikiLib {
}else {
$bindvars = array_merge($sts,$fieldIdArray);
}
$query = "select ttif.`itemId` , ttif.`value` FROM `tiki_tracker_items` tti,`tiki_tracker_item_fields` ttif ";
$join = '';
if (!empty($jail)) {
$categlib->getSqlJoin($jail, 'trackeritem', 'tti.`itemId`', $join, $mid, $bindvars);
}
$query = "select ttif.`itemId` , ttif.`value` FROM `tiki_tracker_items` tti,`tiki_tracker_item_fields` ttif $join ";
$query.= " WHERE $mid and tti.`itemId` = ttif.`itemId` order by ".$this->convertSortMode($sort_mode);
$result = $this->query($query,$bindvars);
$ret = array();
while ($res = $result->fetchRow()) {
$k = $res['itemId'];
$ret[$k] = $res['value'];
$ret[] = $res;
}
$cachelib->cacheItem($cache,serialize($ret));
return $ret;
} else {
return unserialize($cachelib->getCached($cache));
$ret = unserialize($cachelib->getCached($cache));
}
if ($needToCheckCategPerms) {
$ret = $this->filter_categ_items($ret);
}
$ret2 = array();
foreach ($ret as $res) {
$k = $res['itemId'];
$ret2[$k] = $res['value'];
}
return $ret2;
}
function need_to_check_categ_perms($allfields='') {
global $prefs;
if ($allfields === false) { // use for itemlink field - otherwise will be too slow
return false;
}
$needToCheckCategPerms = false;
if ($prefs['feature_categories'] == 'y') {
global $categlib; require_once('lib/categories/categlib.php');
if (empty($allfields['data'])) {
$needToCheckCategPerms = true;
} else {
foreach ($allfields['data'] as $f) {
if ($f['type'] == 'e') {
$needToCheckCategPerms = true;
break;
}
}
}
}
return $needToCheckCategPerms;
}
function get_all_tracker_items($trackerId){
$ret = array();
$query = "select distinct(`itemId`) from `tiki_tracker_items` where`trackerId`=?";
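Review bot: The cache payload format changed — `$ret[] = $res` now stores whole rows where the old loop stored `itemId => value` — but the key built from `'trackerfield'.$fieldId.$status` is unchanged, so entries written before this commit will be unserialized into the new `foreach ($ret as $res) { $k = $res['itemId']; ... }` loop as plain strings. Either tag the key, e.g. `$cache = md5('trackerfield2'.$fieldId.$status);`, or make sure the cache is invalidated on upgrade. `$mid` is handed to `getSqlJoin` but is not assigned anywhere visible in the hunk; presumably it is built from the status clause just above, worth confirming since the join is what enforces the jail.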
......@@ -631,8 +672,9 @@ class TrackerLib extends TikiLib {
* ex: filterfield=array('1','2', '3'), filtervalue=array(array('this', '*that'), ''), exactvalue('', array('there', 'those'), 'these')
* will filter items with fielId 1 with a value %this% or %that, and fieldId with the value there or those, and fieldId 3 with a value these
* listfields = array(fieldId=>array('type'=>, 'name'=>...), ...)
* allfields is only for performance issue - check if one field is a category
*/
function list_items($trackerId, $offset=0, $maxRecords=-1, $sort_mode ='' , $listfields='', $filterfield = '', $filtervalue = '', $status = '', $initial = '', $exactvalue = '', $filter='') {
function list_items($trackerId, $offset=0, $maxRecords=-1, $sort_mode ='' , $listfields='', $filterfield = '', $filtervalue = '', $status = '', $initial = '', $exactvalue = '', $filter='', $allfields=null) {
//echo '<pre>FILTERFIELD:'; print_r($filterfield); echo '<br />FILTERVALUE:';print_r($filtervalue); echo '<br />EXACTVALUE:'; print_r($exactvalue); echo '<br />STATUS:'; print_r($status); echo '</pre>';
global $prefs;
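Review bot: The new `allfields` docblock line presents the parameter as a performance aid only, but in `need_to_check_categ_perms` the value `false` disables the category permission filter entirely, which callers must know before passing it. Change the line to something like `* allfields: optional field list used to skip the category permission check when the tracker has no category field; pass false to skip the check unconditionally (ItemLink lists only)`.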
......@@ -646,6 +688,7 @@ class TrackerLib extends TikiLib {
$mid = ' WHERE tti.`trackerId` = ? ';
$bindvars = array($trackerId);
$join = '';
if (!empty($filter)) {
$mid2 = array();
......@@ -790,11 +833,18 @@ class TrackerLib extends TikiLib {
$cat_tables = '';
}
$needToCheckCategPerms = $this->need_to_check_categ_perms($allfields);
if( $needToCheckCategPerms) {
global $categlib; include_once('lib/categories/categlib.php');
if ( $jail = $categlib->get_jail() ) {
$categlib->getSqlJoin($jail, 'trackeritem', 'tti.`itemId`', $join, $mid, $bindvars);
}
}
$base_tables = '('
.' `tiki_tracker_items` tti'
.' INNER JOIN `tiki_tracker_item_fields` ttif ON tti.`itemId` = ttif.`itemId`'
.' INNER JOIN `tiki_tracker_fields` ttf ON ttf.`fieldId` = ttif.`fieldId`'
.')';
.')'.$join;
$query = 'SELECT tti.*, ttif.`value`, ttf.`type`'
.', '.( ($numsort) ? "right(lpad($csort_mode,40,'0'),40)" : $csort_mode).' as `sortvalue`'
......@@ -807,9 +857,15 @@ class TrackerLib extends TikiLib {
$result = $this->query($query, $bindvars, $maxRecords, $offset);
$cant = $this->getOne($query_cant, $bindvars);
$type = '';
$ret = array();
$ret = $ret1 = array();
while ( $res = $result->fetchRow() ) {
$ret1[] = $res;
}
if ($needToCheckCategPerms) {
$ret1 = $this->filter_categ_items($ret1);
}
foreach ($ret1 as $res) {
$res['itemUser'] = '';
$res['field_values'] = $this->get_item_fields($trackerId, $res['itemId'], $listfields, $res['itemUser']);
if (!empty($asort_mode)) {
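Review bot: `$cant` is taken from `$query_cant` before `filter_categ_items` drops rows from `$ret1`, and `$maxRecords`/`$offset` are applied in the SQL query, so when the filter has to run in PHP (no `$jail` join but `$needToCheckCategPerms` true) the returned page can be shorter than `$maxRecords` while `cant` still counts hidden items; pagination then shows phantom pages. Either express the permission filter in SQL for that case too, or recompute `$cant` from the filtered result and document the discrepancy in `list_items`' docblock. The loop body continues past the hunk.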
......@@ -828,6 +884,10 @@ class TrackerLib extends TikiLib {
$retval['cant'] = $cant;
return $retval;
}
function filter_categ_items($ret) {
//this is an approxomation - the perm should be function of the status
return Perms::filter(array('type' => 'trackeritem'), 'object', $ret, array('object' => 'itemId'), 'view_trackers');
}
/* listfields fieldId=>ooptions */
function get_item_fields($trackerId, $itemId, $listfields, &$itemUser) {
global $prefs, $user, $tiki_p_admin_trackers;
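Review bot: `filter_categ_items` has no docblock, and its one comment (`approxomation`) understates the consequence: every row is checked against `view_trackers` only, so items with status `c` or `p` are kept or dropped on the open-item permission rather than `view_trackers_closed`/`view_trackers_pending`. Add a short docblock stating the input shape (list of rows carrying an `itemId` key), that the return is the subset of rows the current user may view through object permissions, and that status-specific view permissions are not applied. Spell the comment `approximation`.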
......@@ -918,7 +978,7 @@ class TrackerLib extends TikiLib {
$mycats = $categlib->get_child_categories($fopt['options']);
if (empty($zcatItemId) || $zcatItemId != $itemId) {
$zcatItemId = $itemId;
$zcats = $categlib->get_object_categories('tracker '.$trackerId, $itemId);
$zcats = $categlib->get_object_categories('trackeritem', $itemId);
}
$cats = array();
$catIds = array();
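Review bot: The categorization object type changes from `"tracker $trackerId"` to `'trackeritem'` here and in the `@@ -1083`, `@@ -1612` and `@@ -2962` TrackerLib hunks, the TrkWithMirrorTablesLib hunk and the tiki-view_tracker_item `@@ -714` hunk, but nothing in the commit migrates rows already stored under the old per-tracker type; items categorized before this change will presumably read back as uncategorized, and the new jail join will hide them. If an upgrade script exists elsewhere, reference it in a comment next to one of these calls; otherwise one is needed before this ships.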
......@@ -1083,7 +1143,7 @@ class TrackerLib extends TikiLib {
}
if ($prefs['feature_categories'] == 'y') {
$old_categs = $categlib->get_object_categories("tracker $trackerId", $itemId ? $itemId : $new_itemId);
$old_categs = $categlib->get_object_categories('trackeritem', $itemId ? $itemId : $new_itemId);
$new_categs = array_diff($ins_categs, $old_categs);
$del_categs = array_diff($old_categs, $ins_categs);
......@@ -1612,7 +1672,7 @@ class TrackerLib extends TikiLib {
} else {
$categlib->update_category($currentCategId, "Tracker Item $itemId", $tracker_item_desc, $parentcategId);
}
$cat_type = "tracker $trackerId";
$cat_type = "trackeritem";
$cat_objid = $itemId;
$cat_desc = '';
$cat_name = "Tracker Item $itemId";
......@@ -2962,7 +3022,7 @@ class TrackerLib extends TikiLib {
function categorized_item($trackerId, $itemId, $mainfield, $ins_categs) {
global $categlib; include_once('lib/categories/categlib.php');
$cat_type = "tracker $trackerId";
$cat_type = "trackeritem";
$cat_objid = $itemId;
$cat_desc = '';
if (empty($mainfield))
......@@ -3017,7 +3077,7 @@ class TrackerLib extends TikiLib {
function get_filtered_item_values($fieldId, $value, $fieldIdOut) {
$query = "select ttifOut.`value` from `tiki_tracker_item_fields` ttifOut, `tiki_tracker_item_fields` ttif
where ttifOut.`itemId`= ttif.`itemId`and ttif.`fieldId`=? and ttif.`value`=? and ttifOut.`fieldId`=?";
$result = $this->query($query, array($fieldId, $value, $fieldIdOut));
$result = $this->query($query, $bindvars);
$ret = array();
while ($res = $result->fetchRow()) {
$ret[] = $res['value'];
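Review bot: `$bindvars` is not defined anywhere in `get_filtered_item_values`: the only earlier statement in the function is the `$query` assignment, so the new `$this->query($query, $bindvars)` runs the three-placeholder query with a null bind array, and the replaced explicit `array($fieldId, $value, $fieldIdOut)` was the correct call. Restore it: `$result = $this->query($query, array($fieldId, $value, $fieldIdOut));`. The function's closing lines fall outside the hunk.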
......
......@@ -633,7 +633,7 @@ class TrkWithMirrorTablesLib extends TrackerLib {
global $categlib;
if (!is_object($categlib)) include_once 'lib/categories/categlib.php';
$mycats = $categlib->get_child_categories($fopt['options']);
$zcats = $categlib->get_object_categories("tracker ".$trackerId,$res["itemId"]);
$zcats = $categlib->get_object_categories('trackeritem',$res['itemId']);
$cats = array();
foreach ($mycats as $m) {
if (in_array($m['categId'],$zcats)) {
......
......@@ -101,17 +101,24 @@ function wikiplugin_trackeritemfield($data, $params) {
return tra('Incorrect param').': trackerId';
}
$memoItemId = $itemId;
if (!empty($status) && !$trklib->valid_status($status)) {
return tra('Incorrect param').': status';
}
$info = $trklib->get_item_info($itemId);
if (!$memoUserTracker) {
$perm = ($info['status'] == 'c')? 'view_trackers_closed':(($info['status'] == 'p')?'view_trackers_pending':'view_trackers');
$perms = Perms::get(array('type'=>'tracker', 'object'=>$trackerId));
if (!$perms->$perm) {
return false;
}
$perms = Perms::get(array('type'=>'trackeritem', 'object'=>$itemId));
if (!$perms->$perm) {
return false;
}
}
$memoStatus = $info['status'];
//$perm = (isset($status) && $status == 'c')? 'tiki_p_view_trackers_closed':((isset($status) && $status == 'p')?'tiki_p_view_trackers_pending':'tiki_p_view_trackers');
//if ((!empty($fieldId)|| isset($fields)) && !$memoUserTracker && $tiki_p_admin_trackers != 'y' && !$userlib->user_has_perm_on_object($user, $trackerId, 'tracker', $perm) && empty($is_user_tracker)) {
// return false;
//}
$memoItemId = $itemId;
$memoTrackerId = $trackerId;
}
if (!isset($data)) {
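Review bot: When `get_item_info($itemId)` returns nothing (unknown or deleted item), `$info['status']` is unset and `$perm` silently falls back to `view_trackers`, so both permission checks are evaluated for an item that does not exist; bail out first, e.g. `if (empty($info)) { return false; }` before the `$perm` ternary. The two identical `if (!$perms->$perm) return false;` checks could also be folded into one condition so the permission logic sits in one place. `wikiplugin_trackeritemfield` continues outside the hunk.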
......
......@@ -665,7 +665,7 @@ function wikiplugin_trackerlist($data, $params) {
}
if (count($passfields)) {
$items = $trklib->list_items($trackerId, $tr_offset, $max, $tr_sort_mode, $passfields, $filterfield, $filtervalue, $tr_status, $tr_initial, $exactvalue, $filter);
$items = $trklib->list_items($trackerId, $tr_offset, $max, $tr_sort_mode, $passfields, $filterfield, $filtervalue, $tr_status, $tr_initial, $exactvalue, $filter, $allfields);
if (isset($silent) && $silent == 'y' && empty($items['cant'])) {
return;
}
......
......@@ -66,6 +66,10 @@ function wikiplugin_trackerstat($data, $params) {
if ($prefs['feature_trackers'] != 'y' || !isset($trackerId) || !($tracker_info = $trklib->get_tracker($trackerId))) {
return $smarty->fetch("wiki-plugins/error_tracker.tpl");
}
$perms = Perms::get(array('type'=>'tracker', 'object'=>$trackerId));
if (!$perms->view_trackers) {
return tra('Permission denied');
}
if (!isset($status)) {
$status = 'o';
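Review bot: The new `view_trackers` check runs before `$status` is resolved, so a request for closed or pending statistics passes on the open-item permission alone, while `wikiplugin_trackeritemfield` in this same commit selects `view_trackers_closed`/`view_trackers_pending` by status. Consider moving the check after the `$status` default and choosing the permission the same way; until then a comment such as `// TODO: status-specific perms (closed/pending) not checked, see trackeritemfield` records the gap the commit message already names.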
......@@ -170,7 +174,7 @@ function wikiplugin_trackerstat($data, $params) {
$userValues = $trklib->get_filtered_item_values($allFields["data"][$iIp]['fieldId'], $tikilib->get_ip_address(), $allFields["data"][$i]['fieldId']);
}
$allValues = $trklib->get_all_items($trackerId, $fieldId, $status);
$allValues = $trklib->get_all_items($trackerId, $fieldId, $status, $allFields);
$j = -1;
foreach ($allValues as $value) {
$value = trim($value);
......
......@@ -179,7 +179,9 @@ if (isset($_REQUEST['assign']) && !isset($_REQUEST['quick_perms'])) {
$newPermissions = get_assign_permissions();
$permissionApplier->apply( $newPermissions );
$smarty->assign('groupName', $_REQUEST["group"]);
if (isset($_REQUEST['group'])) {
$smarty->assign('groupName', $_REQUEST['group']);
}
}
// Prepare display
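Review bot: The `isset` guard removes the undefined-index notice, but `$_REQUEST['group']` is still handed to the template unescaped; that is only safe if the template applies `|escape` when printing `groupName`, which the hunk cannot show, so it is worth confirming. The `apply()` call above still runs whether or not a group was supplied; presumably `get_assign_permissions()` validates that, but if it does not, the `isset` check belongs in front of `apply()` as well.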
......
......@@ -350,12 +350,7 @@ for ($i = 0; $i < $temp_max; $i++) {
$fields["data"][$i]["value"] = '';
}
if ($fields["data"][$i]["type"] == 'r') { // item link
if ($tiki_p_admin_trackers == 'y') {
$stt = 'poc';
} else {
$stt = 'o';
}
$fields["data"][$i]["list"] = array_unique($trklib->get_all_items($fields["data"][$i]["options_array"][0], $fields["data"][$i]["options_array"][1], $stt));
$fields["data"][$i]["list"] = array_unique($trklib->get_all_items($fields["data"][$i]["options_array"][0], $fields["data"][$i]["options_array"][1], 'poc', false));
if (isset($fields["data"][$i]["options_array"][3])) $fields["data"][$i]["listdisplay"] = array_unique($trklib->concat_all_items_from_fieldslist($fields["data"][$i]["options_array"][0], $fields["data"][$i]["options_array"][3]));
} elseif (($fields["data"][$i]["type"] == 'M') && ($fields["data"][$i]["options_array"][0] >= '3')) {
if (isset($_FILES["$ins_id"]) && is_uploaded_file($_FILES["$ins_id"]['tmp_name'])) {
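Review bot: The removed branch limited non-admin users to open items (`'o'`) when filling the item link list; the replacement asks for `'poc'` for everyone and passes `false` to skip the category permission check, so pending and closed items of the linked tracker, and items in categories the user cannot see, now appear in the dropdown for anyone who can edit this tracker. If listing them is intended for link integrity, say so in a comment; otherwise keep the admin distinction, e.g. `$stt = ($tiki_p_admin_trackers == 'y') ? 'poc' : 'o';` and pass `$stt`. The same `'poc', false` pattern appears in the tiki-view_tracker_item `@@ -756` hunk.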
......@@ -630,7 +625,7 @@ if (isset($_REQUEST["trackerId"])) $trackerId = $_REQUEST["trackerId"];
if (isset($tracker_info['useRatings']) and $tracker_info['useRatings'] == 'y' and $user and $tiki_p_tracker_vote_ratings == 'y' and !empty($_REQUEST['trackerId']) and !empty($ratedItemId) and isset($newItemRate) and ($newItemRate == 'NULL' || in_array($newItemRate, split(',', $tracker_info['ratingOptions'])))) {
$trklib->replace_rating($_REQUEST['trackerId'], $ratedItemId, $newItemRateField, $user, $newItemRate);
}
$items = $trklib->list_items($_REQUEST["trackerId"], $offset, $maxRecords, $sort_mode, $listfields, $filterfield, $filtervalue, $_REQUEST["status"], $initial, $exactvalue);
$items = $trklib->list_items($_REQUEST["trackerId"], $offset, $maxRecords, $sort_mode, $listfields, $filterfield, $filtervalue, $_REQUEST["status"], $initial, $exactvalue,'', $xfields);
$urlquery['status'] = $_REQUEST['status'];
$urlquery['initial'] = $initial;
$urlquery['trackerId'] = $_REQUEST["trackerId"];
......
......@@ -714,7 +714,7 @@ if ($_REQUEST["itemId"]) {
$k = $fields["data"][$i]['options_array'][0];
$ins_fields["data"][$i]["$k"] = $categlib->get_child_categories($k);
if (!isset($cat)) {
$cat = $categlib->get_object_categories("tracker " . $_REQUEST["trackerId"], $_REQUEST["itemId"]);
$cat = $categlib->get_object_categories('trackeritem', $_REQUEST['itemId']);
}
if (isset($_REQUEST['save']) || isset($_REQUEST['save_return'])) {
foreach($ins_fields["data"][$i]["$k"] as $c) {
......@@ -756,7 +756,7 @@ if ($_REQUEST["itemId"]) {
} elseif ($fields["data"][$i]["type"] == 'r') {
$ins_fields["data"][$i]["linkId"] = $trklib->get_item_id($fields["data"][$i]["options_array"][0], $fields["data"][$i]["options_array"][1], $info[$fid]);
$ins_fields["data"][$i]["value"] = $info[$fid];
$ins_fields["data"][$i]["list"] = array_unique($trklib->get_all_items($fields["data"][$i]["options_array"][0], $fields["data"][$i]["options_array"][1]));
$ins_fields["data"][$i]["list"] = array_unique($trklib->get_all_items($fields["data"][$i]["options_array"][0], $fields["data"][$i]["options_array"][1]), 'poc', false);
if (isset($fields["data"][$i]["options_array"][3])) {
$ins_fields["data"][$i]["displayedvalue"] = $trklib->concat_item_from_fieldslist($fields["data"][$i]["options_array"][0], $trklib->get_item_id($fields["data"][$i]["options_array"][0], $fields["data"][$i]["options_array"][1], $info[$fid]) , $fields["data"][$i]["options_array"][3]);
$ins_fields["data"][$i]["listdisplay"] = $trklib->concat_all_items_from_fieldslist($fields["data"][$i]["options_array"][0], $fields["data"][$i]["options_array"][3]);
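Review bot: The closing parenthesis is misplaced: `array_unique($trklib->get_all_items(..., ...), 'poc', false)` hands `'poc'` and `false` to `array_unique` instead of to `get_all_items`, so `get_all_items` keeps its default status `'o'` with the permission check on, and `array_unique` receives arguments it does not accept. Move the parenthesis: `$ins_fields["data"][$i]["list"] = array_unique($trklib->get_all_items($fields["data"][$i]["options_array"][0], $fields["data"][$i]["options_array"][1], 'poc', false));`.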
......