iger
/
engelsystem
9
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Moved permission checks to Authenticator class

This commit is contained in:
Igor Scheller 2018-11-12 14:41:23 +01:00 committed by msquare
parent 951828a4f1
commit c33940f64a
35 changed files with 193 additions and 199 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
includes/controller/angeltypes_controller.php
View File

@ -78,9 +78,7 @@ function angeltypes_about_controller()
*/
function angeltype_delete_controller()
{
global $privileges;
if (!in_array('admin_angel_types', $privileges)) {
if (!auth()->can('admin_angel_types')) {
redirect(page_link_to('angeltypes'));
}
@ -105,10 +103,8 @@ function angeltype_delete_controller()
*/
function angeltype_edit_controller()
{
global $privileges;
// In supporter mode only allow to modify description
$supporter_mode = !in_array('admin_angel_types', $privileges);
$supporter_mode = !auth()->can('admin_angel_types');
$request = request();
if ($request->has('angeltype_id')) {
@ -178,10 +174,9 @@ function angeltype_edit_controller()
*/
function angeltype_controller()
{
global $privileges;
$user = auth()->user();
if (!in_array('angeltypes', $privileges)) {
if (!auth()->can('angeltypes')) {
redirect(page_link_to('/'));
}
@ -210,8 +205,8 @@ function angeltype_controller()
$angeltype,
$members,
$user_angeltype,
in_array('admin_user_angeltypes', $privileges) || $user_angeltype['supporter'],
in_array('admin_angel_types', $privileges),
auth()->can('admin_user_angeltypes') || $user_angeltype['supporter'],
auth()->can('admin_angel_types'),
$user_angeltype['supporter'],
$user_driver_license,
$user,
@ -250,11 +245,9 @@ function angeltype_controller_shiftsFilterDays($angeltype)
*/
function angeltype_controller_shiftsFilter($angeltype, $days)
{
global $privileges;
$request = request();
$shiftsFilter = new ShiftsFilter(
in_array('user_shifts_admin', $privileges),
auth()->can('user_shifts_admin'),
Room_ids(),
[$angeltype['id']]
);
@ -278,10 +271,9 @@ function angeltype_controller_shiftsFilter($angeltype, $days)
*/
function angeltypes_list_controller()
{
global $privileges;
$user = auth()->user();
if (!in_array('angeltypes', $privileges)) {
if (!auth()->can('angeltypes')) {
redirect(page_link_to('/'));
}
@ -296,7 +288,7 @@ function angeltypes_list_controller()
)
];
if (in_array('admin_angel_types', $privileges)) {
if (auth()->can('admin_angel_types')) {
$actions[] = button(
page_link_to('angeltypes', ['action' => 'edit', 'angeltype_id' => $angeltype['id']]),
__('edit'),
@ -340,7 +332,7 @@ function angeltypes_list_controller()
return [
angeltypes_title(),
AngelTypes_list_view($angeltypes, in_array('admin_angel_types', $privileges))
AngelTypes_list_view($angeltypes, auth()->can('admin_angel_types'))
];
}

4
includes/controller/event_config_controller.php
View File

@ -16,9 +16,7 @@ function event_config_title()
*/
function event_config_edit_controller()
{
global $privileges;
if (!in_array('admin_event_config', $privileges)) {
if (!auth()->can('admin_event_config')) {
redirect(page_link_to('/'));
}

4
includes/controller/rooms_controller.php
View File

@ -14,9 +14,7 @@ use Engelsystem\ShiftsFilterRenderer;
*/
function room_controller()
{
global $privileges;
if (!in_array('view_rooms', $privileges)) {
if (!auth()->can('view_rooms')) {
redirect(page_link_to());
}

3
includes/controller/shift_entries_controller.php
View File

@ -35,7 +35,6 @@ function shift_entries_controller()
*/
function shift_entry_create_controller()
{
global $privileges;
$user = auth()->user();
$request = request();
@ -50,7 +49,7 @@ function shift_entry_create_controller()
$angeltype = AngelType($request->input('angeltype_id'));
if (in_array('user_shifts_admin', $privileges)) {
if (auth()->can('user_shifts_admin')) {
return shift_entry_create_controller_admin($shift, $angeltype);
}

16
includes/controller/shifts_controller.php
View File

@ -43,13 +43,11 @@ function shift_edit_link($shift)
*/
function shift_edit_controller()
{
global $privileges;
$msg = '';
$valid = true;
$request = request();
if (!in_array('admin_shifts', $privileges)) {
if (!auth()->can('admin_shifts')) {
redirect(page_link_to('user_shifts'));
}
@ -203,10 +201,9 @@ function shift_edit_controller()
*/
function shift_delete_controller()
{
global $privileges;
$request = request();
if (!in_array('user_shifts_admin', $privileges)) {
if (!auth()->can('user_shifts_admin')) {
redirect(page_link_to('user_shifts'));
}
@ -253,11 +250,10 @@ function shift_delete_controller()
*/
function shift_controller()
{
global $privileges;
$user = auth()->user();
$request = request();
if (!in_array('user_shifts', $privileges)) {
if (!auth()->can('user_shifts')) {
redirect(page_link_to('/'));
}
@ -332,9 +328,7 @@ function shifts_controller()
*/
function shift_next_controller()
{
global $privileges;
if (!in_array('user_shifts', $privileges)) {
if (!auth()->can('user_shifts')) {
redirect(page_link_to('/'));
}
@ -363,7 +357,7 @@ function shifts_json_export_controller()
if (!$user) {
engelsystem_error('Key invalid.');
}
if (!in_array('shifts_json_export', privileges_for_user($user->id))) {
if (!auth()->can('shifts_json_export')) {
engelsystem_error('No privilege for shifts_json_export.');
}

9
includes/controller/user_angeltypes_controller.php
View File

@ -80,7 +80,6 @@ function user_angeltypes_delete_all_controller()
*/
function user_angeltypes_confirm_all_controller()
{
global $privileges;
$user = auth()->user();
$request = request();
@ -95,7 +94,7 @@ function user_angeltypes_confirm_all_controller()
redirect(page_link_to('angeltypes'));
}
if (!in_array('admin_user_angeltypes', $privileges) && !User_is_AngelType_supporter($user, $angeltype)) {
if (!auth()->can('admin_user_angeltypes') && !User_is_AngelType_supporter($user, $angeltype)) {
error(__('You are not allowed to confirm all users for this angeltype.'));
redirect(page_link_to('angeltypes'));
}
@ -235,11 +234,10 @@ function user_angeltype_delete_controller()
*/
function user_angeltype_update_controller()
{
global $privileges;
$supporter = false;
$request = request();
if (!in_array('admin_angel_types', $privileges)) {
if (!auth()->can('admin_angel_types')) {
error(__('You are not allowed to set supporter rights.'));
redirect(page_link_to('angeltypes'));
}
@ -360,7 +358,6 @@ function user_angeltype_add_controller()
*/
function user_angeltype_join_controller($angeltype)
{
global $privileges;
$user = auth()->user();
$user_angeltype = UserAngelType_by_User_and_AngelType($user->id, $angeltype);
@ -380,7 +377,7 @@ function user_angeltype_join_controller($angeltype)
));
success($success_message);
if (in_array('admin_user_angeltypes', $privileges)) {
if (auth()->can('admin_user_angeltypes')) {
UserAngelType_confirm($user_angeltype_id, $user->id);
engelsystem_log(sprintf(
'User %s confirmed as %s.',

3
includes/controller/user_driver_licenses_controller.php
View File

@ -96,13 +96,12 @@ function user_driver_license_load_user()
*/
function user_driver_license_edit_controller()
{
global $privileges;
$user = auth()->user();
$request = request();
$user_source = user_driver_license_load_user();
// only privilege admin_user can edit other users driver license information
if ($user->id != $user_source->id && !in_array('admin_user', $privileges)) {
if ($user->id != $user_source->id && !auth()->can('admin_user')) {
redirect(user_driver_license_edit_link());
}

3
includes/controller/user_worklog_controller.php
View File

@ -182,10 +182,9 @@ function user_worklog_delete_link($userWorkLog, $parameters = [])
*/
function user_worklog_controller()
{
global $privileges;
$user = auth()->user();
if (!in_array('admin_user_worklog', $privileges)) {
if (!auth()->can('admin_user_worklog')) {
redirect(user_link($user->id));
}

18
includes/controller/users_controller.php
View File

@ -46,7 +46,6 @@ function users_controller()
*/
function user_delete_controller()
{
global $privileges;
$user = auth()->user();
$request = request();
@ -56,7 +55,7 @@ function user_delete_controller()
$user_source = $user;
}
if (!in_array('admin_user', $privileges)) {
if (!auth()->can('admin_user')) {
redirect(page_link_to(''));
}
@ -138,7 +137,6 @@ function user_link($userId)
*/
function user_edit_vouchers_controller()
{
global $privileges;
$user = auth()->user();
$request = request();
@ -148,7 +146,7 @@ function user_edit_vouchers_controller()
$user_source = $user;
}
if (!in_array('admin_user', $privileges)) {
if (!auth()->can('admin_user')) {
redirect(page_link_to(''));
}
@ -190,7 +188,6 @@ function user_edit_vouchers_controller()
*/
function user_controller()
{
global $privileges;
$user = auth()->user();
$request = request();
@ -203,7 +200,7 @@ function user_controller()
}
}
$shifts = Shifts_by_user($user_source->id, in_array('user_shifts_admin', $privileges));
$shifts = Shifts_by_user($user_source->id, auth()->can('user_shifts_admin'));
foreach ($shifts as &$shift) {
// TODO: Move queries to model
$shift['needed_angeltypes'] = DB::select('
@ -242,15 +239,15 @@ function user_controller()
$user_source->name,
User_view(
$user_source,
in_array('admin_user', $privileges),
auth()->can('admin_user'),
User_is_freeloader($user_source),
User_angeltypes($user_source->id),
User_groups($user_source->id),
$shifts,
$user->id == $user_source->id,
$tshirt_score,
in_array('admin_active', $privileges),
in_array('admin_user_worklog', $privileges),
auth()->can('admin_active'),
auth()->can('admin_user_worklog'),
UserWorkLogsForUser($user_source->id)
)
];
@ -263,10 +260,9 @@ function user_controller()
*/
function users_list_controller()
{
global $privileges;
$request = request();
if (!in_array('admin_user', $privileges)) {
if (!auth()->can('admin_user')) {
redirect(page_link_to(''));
}

6
includes/engelsystem.php
View File

@ -21,9 +21,3 @@ if ($app->get('config')->get('maintenance')) {
echo $maintenance;
die();
}
/**
* Init authorization
*/
load_auth();

11
includes/model/Shifts_model.php
View File

@ -422,17 +422,16 @@ function Shift_signup_allowed_admin($needed_angeltype, $shift_entries)
*/
function Shift_signout_allowed($shift, $angeltype, $signout_user_id)
{
global $privileges;
$user = auth()->user();
// user shifts admin can sign out any user at any time
if (in_array('user_shifts_admin', $privileges)) {
if (auth()->can('user_shifts_admin')) {
return true;
}
// angeltype supporter can sign out any user at any time from their supported angeltype
if (
in_array('shiftentry_edit_angeltype_supporter', $privileges)
auth()->can('shiftentry_edit_angeltype_supporter')
&& User_is_AngelType_supporter($user, $angeltype)
) {
return true;
@ -466,14 +465,12 @@ function Shift_signup_allowed(
$needed_angeltype,
$shift_entries
) {
global $privileges;
if (in_array('user_shifts_admin', $privileges)) {
if (auth()->can('user_shifts_admin')) {
return Shift_signup_allowed_admin($needed_angeltype, $shift_entries);
}
if (
in_array('shiftentry_edit_angeltype_supporter', $privileges)
auth()->can('shiftentry_edit_angeltype_supporter')
&& User_is_AngelType_supporter(auth()->user(), $angeltype)
) {
return Shift_signup_allowed_angeltype_supporter($needed_angeltype, $shift_entries);

3
includes/pages/admin_free.php
View File

@ -17,7 +17,6 @@ function admin_free_title()
*/
function admin_free()
{
global $privileges;
$request = request();
$search = '';
@ -88,7 +87,7 @@ function admin_free()
'dect' => $usr->contact->dect,
'email' => $usr->settings->email_human ? ($usr->contact->email ? $usr->contact->email : $usr->email) : glyph('eye-close'),
'actions' =>
in_array('admin_user', $privileges)
auth()->can('admin_user')
? button(page_link_to('admin_user', ['id' => $usr->id]), __('edit'), 'btn-xs')
: ''
];

5
includes/pages/admin_news.php
View File

@ -8,7 +8,6 @@ use Engelsystem\Models\User\User;
*/
function admin_news()
{
global $privileges;
$user = auth()->user();
$request = request();
@ -32,7 +31,7 @@ function admin_news()
case 'edit':
$user_source = User::find($news['UID']);
if (
!in_array('admin_news_html', $privileges)
!auth()->can('admin_news_html')
&& strip_tags($news['Text']) != $news['Text']
) {
$html .= warning(
@ -62,7 +61,7 @@ function admin_news()
case 'save':
$text = $request->postData('eText');
if (!in_array('admin_news_html', $privileges)) {
if (!auth()->can('admin_news_html')) {
$text = strip_tags($text);
}

4
includes/pages/admin_questions.php
View File

@ -18,10 +18,10 @@ function admin_questions_title()
*/
function admin_new_questions()
{
global $privileges, $page;
global $page;
if ($page != 'admin_questions') {
if (in_array('admin_questions', $privileges)) {
if (auth()->can('admin_questions')) {
$new_messages = count(DB::select('SELECT `QID` FROM `Questions` WHERE `AID` IS NULL'));
if ($new_messages > 0) {

5
includes/pages/admin_user.php
View File

@ -16,7 +16,6 @@ function admin_user_title()
*/
function admin_user()
{
global $privileges;
$user = auth()->user();
$tshirt_sizes = config('tshirt_sizes');
$request = request();
@ -83,7 +82,7 @@ function admin_user()
$html .= html_options('eAktiv', $options, $user_source->state->active) . '</td></tr>' . "\n";
// Aktiv erzwingen
if (in_array('admin_active', $privileges)) {
if (auth()->can('admin_active')) {
$html .= ' <tr><td>' . __('Force active') . '</td><td>' . "\n";
$html .= html_options('force_active', $options, $user_source->state->force_active) . '</td></tr>' . "\n";
}
@ -249,7 +248,7 @@ function admin_user()
case 'save':
$force_active = $user->state->force_active;
$user_source = User::find($user_id);
if (in_array('admin_active', $privileges)) {
if (auth()->can('admin_active')) {
$force_active = $request->input('force_active');
}
if ($user_source->settings->email_human) {

7
includes/pages/guest_login.php
View File

@ -39,7 +39,6 @@ function logout_title()
*/
function guest_register()
{
global $privileges;
$authUser = auth()->user();
$tshirt_sizes = config('tshirt_sizes');
$enable_tshirt_size = config('enable_tshirt_size');
@ -71,7 +70,7 @@ function guest_register()
}
}
if (!in_array('register', $privileges) || (!$authUser && !config('registration_enabled'))) {
if (!auth()->can('register') || (!$authUser && !config('registration_enabled'))) {
error(__('Registration is disabled.'));
return page_with_title(register_title(), [
@ -472,9 +471,7 @@ function guest_login()
*/
function get_register_hint()
{
global $privileges;
if (in_array('register', $privileges) && config('registration_enabled')) {
if (auth()->can('register') && config('registration_enabled')) {
return join('', [
'<p>' . __('Please sign up, if you want to help us!') . '</p>',
buttons([

2
includes/pages/user_atom.php
View File

@ -17,7 +17,7 @@ function user_atom()
if (empty($user)) {
engelsystem_error('Key invalid.');
}
if (!in_array('atom', privileges_for_user($user->id))) {
if (!auth()->can('atom')) {
engelsystem_error('No privilege for atom.');
}

2
includes/pages/user_ical.php
View File

@ -15,7 +15,7 @@ function user_ical()
if (!$user) {
engelsystem_error('Key invalid.');
}
if (!in_array('ical', privileges_for_user($user->id))) {
if (!auth()->can('ical')) {
engelsystem_error('No privilege for ical.');
}

7
includes/pages/user_myshifts.php
View File

@ -18,13 +18,12 @@ function myshifts_title()
*/
function user_myshifts()
{
global $privileges;
$user = auth()->user();
$request = request();
if (
$request->has('id')
&& in_array('user_shifts_admin', $privileges)
&& auth()->can('user_shifts_admin')
&& preg_match('/^\d{1,}$/', $request->input('id'))
&& User::find($request->input('id'))
) {
@ -79,7 +78,7 @@ function user_myshifts()
if ($request->hasPostData('submit')) {
$valid = true;
if (in_array('user_shifts_admin', $privileges)) {
if (auth()->can('user_shifts_admin')) {
$freeloaded = $request->has('freeloaded');
$freeload_comment = strip_request_item_nl('freeload_comment');
if ($freeloaded && $freeload_comment == '') {
@ -120,7 +119,7 @@ function user_myshifts()
$shift['Comment'],
$shift['freeloaded'],
$shift['freeload_comment'],
in_array('user_shifts_admin', $privileges)
auth()->can('user_shifts_admin')
);
} else {
redirect(page_link_to('user_myshifts'));

11
includes/pages/user_news.php
View File

@ -91,7 +91,7 @@ function news_text($news)
*/
function display_news($news)
{
global $privileges, $page;
global $page;
$html = '';
$html .= '<div class="panel' . ($news['Treffen'] == 1 ? ' panel-info' : ' panel-default') . '">';
@ -101,7 +101,7 @@ function display_news($news)
$html .= '<div class="panel-body">' . news_text($news) . '</div>';
$html .= '<div class="panel-footer text-muted">';
if (in_array('admin_news', $privileges)) {
if (auth()->can('admin_news')) {
$html .= '<div class="pull-right">'
. button_glyph(
page_link_to('admin_news', ['action' => 'edit', 'id' => $news['ID']]),
@ -198,7 +198,6 @@ function user_news_comments()
*/
function user_news()
{
global $privileges;
$user = auth()->user();
$display_news = config('display_news');
$request = request();
@ -206,13 +205,13 @@ function user_news()
$html = '<div class="col-md-12"><h1>' . news_title() . '</h1>' . msg();
$isMeeting = $request->postData('treffen');
if ($request->has('text') && $request->has('betreff') && in_array('admin_news', $privileges)) {
if ($request->has('text') && $request->has('betreff') && auth()->can('admin_news')) {
if (!$request->has('treffen')) {
$isMeeting = 0;
}
$text = $request->postData('text');
if (!in_array('admin_news_html', $privileges)) {
if (!auth()->can('admin_news_html')) {
$text = strip_tags($text);
}
@ -266,7 +265,7 @@ function user_news()
}
$html .= '</ul></div>';
if (in_array('admin_news', $privileges)) {
if (auth()->can('admin_news')) {
$html .= '<hr />';
$html .= '<h2>' . __('Create news:') . '</h2>';

6
includes/pages/user_shifts.php
View File

@ -168,7 +168,7 @@ function load_types()
*/
function view_user_shifts()
{
global $privileges, $ical_shifts;
global $ical_shifts;
$user = auth()->user();
$session = session();
@ -182,13 +182,13 @@ function view_user_shifts()
$rooms[0]['id']
];
$type_ids = array_map('get_ids_from_array', $types);
$shiftsFilter = new ShiftsFilter(in_array('user_shifts_admin', $privileges), $room_ids, $type_ids);
$shiftsFilter = new ShiftsFilter(auth()->can('user_shifts_admin'), $room_ids, $type_ids);
$session->set('shifts-filter', $shiftsFilter->sessionExport());
}
$shiftsFilter = new ShiftsFilter();
$shiftsFilter->sessionImport($session->get('shifts-filter'));
update_ShiftsFilter($shiftsFilter, in_array('user_shifts_admin', $privileges), $days);
update_ShiftsFilter($shiftsFilter, auth()->can('user_shifts_admin'), $days);
$session->set('shifts-filter', $shiftsFilter->sessionExport());
$shiftCalendarRenderer = shiftCalendarRendererByShiftFilter($shiftsFilter);

27
includes/sys_auth.php
View File

@ -1,35 +1,8 @@
<?php
use Carbon\Carbon;
use Engelsystem\Database\DB;
use Engelsystem\Models\User\User;
/**
* Testet ob ein User eingeloggt ist und lädt die entsprechenden Privilegien
*/
function load_auth()
{
global $privileges;
$session = session();
if ($session->has('uid')) {
$user = auth()->user();
if ($user) {
$user->last_login_at = new Carbon();
$user->save();
$privileges = privileges_for_user($user->id);
return;
}
$session->remove('uid');
}
// guest privileges
$privileges = privileges_for_group(-10);
}
/**
* generate a salt (random string) of arbitrary length suitable for the use with crypt()
*

20
includes/sys_menu.php
View File

@ -45,15 +45,15 @@ function header_render_hints()
*/
function make_user_submenu()
{
global $privileges, $page;
global $page;
$user_submenu = make_language_select();
if (in_array('user_settings', $privileges) || in_array('logout', $privileges)) {
if (auth()->can('user_settings') || auth()->can('logout')) {
$user_submenu[] = toolbar_item_divider();
}
if (in_array('user_settings', $privileges)) {
if (auth()->can('user_settings')) {
$user_submenu[] = toolbar_item_link(
page_link_to('user_settings'),
'list-alt',
@ -62,7 +62,7 @@ function make_user_submenu()
);
}
if (in_array('logout', $privileges)) {
if (auth()->can('logout')) {
$user_submenu[] = toolbar_item_link(
page_link_to('logout'),
'log-out',
@ -79,7 +79,7 @@ function make_user_submenu()
*/
function make_navigation()
{
global $page, $privileges;
global $page;
$menu = [];
$pages = [
@ -91,7 +91,7 @@ function make_navigation()
];
foreach ($pages as $menu_page => $title) {
if (in_array($menu_page, $privileges)) {
if (auth()->can($menu_page)) {
$menu[] = toolbar_item_link(page_link_to($menu_page), '', $title, $menu_page == $page);
}
}
@ -115,7 +115,7 @@ function make_navigation()
];
foreach ($admin_pages as $menu_page => $title) {
if (in_array($menu_page, $privileges)) {
if (auth()->can($menu_page)) {
$admin_menu[] = toolbar_item_link(
page_link_to($menu_page),
'',
@ -140,16 +140,14 @@ function make_navigation()
*/
function make_room_navigation($menu)
{
global $privileges;
if (!in_array('view_rooms', $privileges)) {
if (!auth()->can('view_rooms')) {
return $menu;
}
// Get a list of all rooms
$rooms = Rooms();
$room_menu = [];
if (in_array('admin_rooms', $privileges)) {
if (auth()->can('admin_rooms')) {
$room_menu[] = toolbar_item_link(page_link_to('admin_rooms'), 'list', __('Manage rooms'));
}
if (count($room_menu) > 0) {

4
includes/view/AngelTypes_view.php
View File

@ -564,14 +564,12 @@ function AngelTypes_about_view_angeltype($angeltype)
*/
function AngelTypes_about_view($angeltypes, $user_logged_in)
{
global $privileges;
$buttons = [];
if ($user_logged_in) {
$buttons[] = button(page_link_to('angeltypes'), angeltypes_title(), 'back');
} else {
if (in_array('register', $privileges) && config('registration_enabled')) {
if (auth()->can('register') && config('registration_enabled')) {
$buttons[] = button(page_link_to('register'), register_title());
}

4
includes/view/Rooms_view.php
View File

@ -64,9 +64,7 @@ function Room_view($room, ShiftsFilterRenderer $shiftsFilterRenderer, ShiftCalen
*/
function Room_name_render($room)
{
global $privileges;
if (in_array('view_rooms', $privileges)) {
if (auth()->can('view_rooms')) {
return '<a href="' . room_link($room) . '">' . glyph('map-marker') . $room['Name'] . '</a>';
}

8
includes/view/ShiftCalendarShiftRenderer.php
View File

@ -97,8 +97,6 @@ class ShiftCalendarShiftRenderer
*/
private function renderShiftNeededAngeltypes($shift, $needed_angeltypes, $shift_entries, $user)
{
global $privileges;
$shift_entries_filtered = [];
foreach ($needed_angeltypes as $needed_angeltype) {
$shift_entries_filtered[$needed_angeltype['id']] = [];
@ -130,7 +128,7 @@ class ShiftCalendarShiftRenderer
$shift_signup_state = new ShiftSignupState(ShiftSignupState::SHIFT_ENDED, 0);
}
if (in_array('user_shifts_admin', $privileges)) {
if (auth()->can('user_shifts_admin')) {
$html .= '<li class="list-group-item">';
$html .= button(shift_entry_create_link_admin($shift),
glyph('plus') . __('Add more angels'),
@ -253,10 +251,8 @@ class ShiftCalendarShiftRenderer
*/
private function renderShiftHead($shift, $class)
{
global $privileges;
$header_buttons = '';
if (in_array('admin_shifts', $privileges)) {
if (auth()->can('admin_shifts')) {
$header_buttons = '<div class="pull-right">' . table_buttons([
button(
page_link_to('user_shifts', ['edit_shift' => $shift['SID']]),

3
includes/view/ShiftTypes_view.php
View File

@ -6,8 +6,7 @@
*/
function ShiftType_name_render($shifttype)
{
global $privileges;
if (in_array('shifttypes', $privileges)) {
if (auth()->can('shifttypes')) {
return '<a href="' . shifttype_link($shifttype) . '">' . $shifttype['name'] . '</a>';
}
return $shifttype['name'];

10
includes/view/Shifts_view.php
View File

@ -102,12 +102,10 @@ function Shift_signup_button_render($shift, $angeltype, $user_angeltype = null)
*/
function Shift_view($shift, $shifttype, $room, $angeltypes_source, ShiftSignupState $shift_signup_state)
{
global $privileges;
$shift_admin = in_array('admin_shifts', $privileges);
$user_shift_admin = in_array('user_shifts_admin', $privileges);
$admin_rooms = in_array('admin_rooms', $privileges);
$admin_shifttypes = in_array('shifttypes', $privileges);
$shift_admin = auth()->can('admin_shifts');
$user_shift_admin = auth()->can('user_shifts_admin');
$admin_rooms = auth()->can('admin_rooms');
$admin_shifttypes = auth()->can('shifttypes');
$parsedown = new Parsedown();

6
includes/view/User_view.php
View File

@ -352,8 +352,6 @@ function User_view_shiftentries($needed_angel_type)
*/
function User_view_myshift($shift, $user_source, $its_me)
{
global $privileges;
$shift_info = '<a href="' . shift_link($shift) . '">' . $shift['name'] . '</a>';
if ($shift['title']) {
$shift_info .= '<br /><a href="' . shift_link($shift) . '">' . $shift['title'] . '</a>';
@ -382,7 +380,7 @@ function User_view_myshift($shift, $user_source, $its_me)
$myshift['duration'] = '<p class="text-danger">'
. round(-($shift['end'] - $shift['start']) / 3600 * 2, 2) . '&nbsp;h'
. '</p>';
if (in_array('user_shifts_admin', $privileges)) {
if (auth()->can('user_shifts_admin')) {
$myshift['comment'] .= '<br />'
. '<p class="text-danger">' . __('Freeloaded') . ': ' . $shift['freeload_comment'] . '</p>';
} else {
@ -393,7 +391,7 @@ function User_view_myshift($shift, $user_source, $its_me)
$myshift['actions'] = [
button(shift_link($shift), glyph('eye-open') . __('view'), 'btn-xs')
];
if ($its_me || in_array('user_shifts_admin', $privileges)) {
if ($its_me || auth()->can('user_shifts_admin')) {
$myshift['actions'][] = button(
page_link_to('user_myshifts', ['edit' => $shift['id'], 'id' => $user_source->id]),
glyph('edit') . __('edit'),

60
src/Helpers/Authenticator.php
View File

@ -2,6 +2,7 @@
namespace Engelsystem\Helpers;
use Carbon\Carbon;
use Engelsystem\Models\User\User;
use Engelsystem\Models\User\User as UserRepository;
use Psr\Http\Message\ServerRequestInterface;
@ -21,6 +22,9 @@ class Authenticator
/** @var UserRepository */
protected $userRepository;
/** @var string[] */
protected $permissions;
/**
* @param ServerRequestInterface $request
* @param Session $session
@ -90,4 +94,60 @@ class Authenticator
return $this->user;
}
/**
* @param string[]|string $abilities
* @return bool
*/
public function can($abilities): bool
{
$abilities = (array)$abilities;
if (empty($this->permissions)) {
$userId = $this->session->get('uid');
if ($userId) {
if ($user = $this->user()) {
$this->permissions = $this->getPermissionsByUser($user);
$user->last_login_at = new Carbon();
$user->save();
} else {
$this->session->remove('uid');
}
}
if (empty($this->permissions)) {
$this->permissions = $this->getPermissionsByGroup(-10);
}
}
foreach ($abilities as $ability) {
if (!in_array($ability, $this->permissions)) {
return false;
}
}
return true;
}
/**
* @param User $user
* @return array
* @codeCoverageIgnore
*/
protected function getPermissionsByUser($user)
{
return privileges_for_user($user->id);
}
/**
* @param int $groupId
* @return array
* @codeCoverageIgnore
*/
protected function getPermissionsByGroup(int $groupId)
{
return privileges_for_group($groupId);
}
}

6
src/Middleware/LegacyMiddleware.php
View File

@ -62,7 +62,6 @@ class LegacyMiddleware implements MiddlewareInterface
ServerRequestInterface $request,
RequestHandlerInterface $handler
): ResponseInterface {
global $privileges;
global $page;
/** @var Request $appRequest */
@ -79,10 +78,7 @@ class LegacyMiddleware implements MiddlewareInterface
$title = $content = '';
if (
preg_match('~^\w+$~i', $page)
&& (
in_array($page, $this->free_pages)
|| (isset($privileges) && in_array($page, $privileges))
)
&& (in_array($page, $this->free_pages) || $this->auth->can($page))
) {
list($title, $content) = $this->loadPage($page);
}

13
src/Renderer/Twig/Extensions/Authentication.php
View File

@ -27,7 +27,7 @@ class Authentication extends TwigExtension
return [
new TwigFunction('is_user', [$this, 'isAuthenticated']),
new TwigFunction('is_guest', [$this, 'isGuest']),
new TwigFunction('has_permission_to', [$this, 'checkAuth']),
new TwigFunction('has_permission_to', [$this->auth, 'can']),
];
}
@ -46,15 +46,4 @@ class Authentication extends TwigExtension
{
return !$this->isAuthenticated();
}
/**
* @param $privilege
* @return bool
*/
public function checkAuth($privilege)
{
global $privileges;
return in_array($privilege, $privileges);
}
}

52
tests/Unit/Helpers/AuthenticatorTest.php
View File

@ -99,4 +99,56 @@ class AuthenticatorTest extends ServiceProviderTest
UserModelImplementation::$user = null;
$this->assertEquals($user, $auth->apiUser());
}
/**
* @covers \Engelsystem\Helpers\Authenticator::can
*/
public function testCan()
{
/** @var ServerRequestInterface|MockObject $request */
$request = $this->getMockForAbstractClass(ServerRequestInterface::class);
/** @var Session|MockObject $session */
$session = $this->createMock(Session::class);
/** @var UserModelImplementation|MockObject $userRepository */
$userRepository = new UserModelImplementation();
/** @var User|MockObject $user */
$user = $this->createMock(User::class);
$user->expects($this->once())
->method('save');
$session->expects($this->exactly(2))
->method('get')
->with('uid')
->willReturn(42);
$session->expects($this->once())
->method('remove')
->with('uid');
/** @var Authenticator|MockObject $auth */
$auth = $this->getMockBuilder(Authenticator::class)
->setConstructorArgs([$request, $session, $userRepository])
->setMethods(['getPermissionsByGroup', 'getPermissionsByUser', 'user'])
->getMock();
$auth->expects($this->exactly(1))
->method('getPermissionsByGroup')
->with(-10)
->willReturn([]);
$auth->expects($this->exactly(1))
->method('getPermissionsByUser')
->with($user)
->willReturn(['bar']);
$auth->expects($this->exactly(2))
->method('user')
->willReturnOnConsecutiveCalls(null, $user);
// No user, no permissions
$this->assertFalse($auth->can('foo'));
// User exists, has permissions
$this->assertTrue($auth->can('bar'));
// Permissions cached
$this->assertTrue($auth->can('bar'));
}
}

3
tests/Unit/Middleware/LegacyMiddlewareTest.php
View File

@ -76,6 +76,9 @@ class LegacyMiddlewareTest extends TestCase
$auth->expects($this->atLeastOnce())
->method('user')
->willReturn(false);
$auth->expects($this->atLeastOnce())
->method('can')
->willReturn(false);
$translator->expects($this->exactly(2))
->method('translate')

21
tests/Unit/Renderer/Twig/Extensions/AuthenticationTest.php
View File

@ -23,7 +23,7 @@ class AuthenticationTest extends ExtensionTest
$this->assertExtensionExists('is_user', [$extension, 'isAuthenticated'], $functions);
$this->assertExtensionExists('is_guest', [$extension, 'isGuest'], $functions);
$this->assertExtensionExists('has_permission_to', [$extension, 'checkAuth'], $functions);
$this->assertExtensionExists('has_permission_to', [$auth, 'can'], $functions);
}
/**
@ -53,23 +53,4 @@ class AuthenticationTest extends ExtensionTest
$this->assertTrue($extension->isAuthenticated());
$this->assertFalse($extension->isGuest());
}
/**
* @covers \Engelsystem\Renderer\Twig\Extensions\Authentication::checkAuth
*/
public function testCheckAuth()
{
global $privileges;
$privileges = [];
/** @var Authenticator|MockObject $auth */
$auth = $this->createMock(Authenticator::class);
$extension = new Authentication($auth);
$this->assertFalse($extension->checkAuth('foo.bar'));
$privileges = ['foo.bar'];
$this->assertTrue($extension->checkAuth('foo.bar'));
}
}