

authorization issues, improved performance for "GetAllEvents"-Hook
DanielGausi committed Oct 28, 2018
1 parent cbd9872 commit 1476c73
Showing 5 changed files with 76 additions and 84 deletions.
29 changes: 17 additions & 12 deletions src/Resources/contao/modules/CEAuthCheck.php
Expand Up @@ -65,40 +65,45 @@ function UserIsAuthorizedElapsedEvents($objCalendar, $User){
return (UserIsAdmin($objCalendar, $User)) || ( UserIsAuthorizedUser($objCalendar, $User) && (! $objCalendar->caledit_onlyFuture));
}

function EditLinksAreAllowed ($objCalendar, $aEvent, $userID, $UserIsAdmin, $currentTime){
// used in GetAllEvents Hook
function EditLinksAreAllowed ($objCalendar, $aEvent, $userID, $UserIsAdmin, $UserIsMember, $currentTime){
if ($UserIsAdmin && (!$aEvent['disable_editing'])) {
return TRUE;
} else
{
} else {
return
(
// Allow only if if the editing is NOT disabled in the backend for this event
(!$aEvent['disable_editing'])
// Allow only if the editing is NOT disabled in the backend for this event
(!$aEvent['disable_editing'])
// Allow only if the User belongs to an authorized Member group
&& ($UserIsMember)
// Allow only if FE User is logged in or the calendar does not requie login
&& ( FE_USER_LOGGED_IN || !$objCalendar->caledit_loginRequired)
// Allow only if CalendarEditing is not restricted to future events -OR- EventTime is later then CurrentTime,
&& ((!$objCalendar->caledit_onlyFuture) || ($currentTime <= $aEvent['startTime']) )
// Allow only if CalendarEditing is not restricted to the Owner -OR- The Owner is currently logged in
&& ((!$objCalendar->caledit_onlyUser) || ($aEvent['fe_user'] == $userID))
);

}
}

// used in Module ModuleEventReaderEdit
function EditLinksAreAllowed2 ($objCalendar, $objEvent, $User, $UserIsAdmin){
function EditLinksAreAllowed2 ($objCalendar, $objEvent, $User, $UserIsAdmin, $UserIsMember){
if ($UserIsAdmin && (!$objEvent->disable_editing)) {
return TRUE;
} else
{
return
} else {
return
(
// Allow only if if the editing is NOT disabled in the backend for this event
(!$objEvent->disable_editing)
(!$objEvent->disable_editing)
// Allow only if the User belongs to an authorized Member group
&& ($UserIsMember)
// Allow only if FE User is logged in or the calendar does not requie login
&& ( FE_USER_LOGGED_IN || !$objCalendar->caledit_loginRequired)
// Allow only if CalendarEditing is not restricted to future events -OR- EventTime is later then CurrentTime,
&& ((!$objCalendar->caledit_onlyFuture) || (time() <= $objEvent->startTime) )
// Allow only if CalendarEditing is not restricted to the Owner -OR- The Owner is currently logged in
&& ((!$objCalendar->caledit_onlyUser) || ($objEvent->fe_user == $User->id))
);

}
}

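Review bot: The owner test that the new `$UserIsMember` gate is placed in front of, `($aEvent['fe_user'] == $userID)` in `EditLinksAreAllowed` and `$objEvent->fe_user == $User->id` in `EditLinksAreAllowed2`, is a loose comparison: an empty `fe_user` compares equal to a null or 0 user id, so for a calendar with `caledit_onlyUser` set but `caledit_loginRequired` unset an unauthenticated visitor could pass the owner condition for ownerless events, unless `$UserIsMember` is already false for guests (I cannot see `UserIsAuthorizedUser` from here). A strict comparison with an explicit guard closes that regardless: `&& ((!$objCalendar->caledit_onlyUser) || ($userID && (string) $aEvent['fe_user'] === (string) $userID))`, and the same form in `EditLinksAreAllowed2`. Both functions also lack a docblock; one naming each parameter and stating that the admin branch returns TRUE before the member, login, future and owner conditions are consulted would make the precedence explicit. Both functions are fully inside the hunk.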
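--- a/src/Resources/contao/modules/CalendarModelEdit.php
+++ b/src/Resources/contao/modules/CalendarModelEdit.php
@@ -35,7 +35,7 @@ public static function findByIds($arrIds, array $arrOptions=array())
 $t = static::$strTable;
 $arrColumns[] = "$t.id IN(" . implode(',', array_map('\intval', $arrIds)) . ")";
 
-return static::findBy($arrColumns, $varId, $arrOptions);
+return static::findBy($arrColumns, $arrOptions);
 }
 
 }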
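Review bot: `findByIds` now calls `findBy` with the right arity, but an empty `$arrIds` still produces `$t.id IN()`, which is a SQL syntax error rather than an empty result; return early before the column is built, `if (empty($arrIds)) { return null; }` (null being what `findBy` returns for no match, if that holds for this model). The `array_map('\intval', ...)` cast is what keeps the string-built `IN(...)` safe; a short comment stating that invariant, e.g. `// ids are cast to int before interpolation; never pass raw values into the IN list`, would stop a later edit from loosening it. The signature and the `$arrColumns` initialisation are above the hunk.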
112 changes: 46 additions & 66 deletions src/Resources/contao/modules/ListAllEvents_Hook.php
Expand Up @@ -22,6 +22,7 @@
*/

include_once('CEAuthCheck.php');
use DanielGausi\CalendarEditorBundle\CalendarModelEdit;


class ListAllEvents_Hook extends Frontend
Expand All @@ -40,38 +41,12 @@ public function addEditLinks(&$aEvent, $strUrl)
$aEvent['editTitle'] = $GLOBALS['TL_LANG']['MSC']['caledit_editTitle'];
}

/**
* Search for the DatabaseResult the matching entry (entries) in $arrEvents and set additional information
*/
// the FE-User can edit the event
// a.) if FE-User is FE-Admin AND the Event was NOT blocked by a Backend-User OR
// b.) if (FE-User is the creator of this event OR every FE-User can edit the event) AND (the Event was NOT blocked by a Backend-User)
// AND (the event is in the future OR editing elapsed events is allowed)
// These conditions are the same for duplicating, as duplicating changes ONLY the date, nothing else.

//public function addEventInformation(Database_Result $objEvents, $objId, $objCalendar, &$arrEvents, $strUrl, $userID, $UserIsAdmin)
public function addEventInformation($objEvents, $objId, $objCalendar, &$arrEvents, $strUrl, $userID, $UserIsAdmin)
{
$currentTime = time();
foreach ($arrEvents as &$intnext) {
foreach ($intnext as &$intdate) {
foreach ($intdate as &$aEvent){
if ($objEvents->id == $aEvent['id']) {
if (EditLinksAreAllowed ($objCalendar, $aEvent, $userID, $UserIsAdmin, $currentTime)){
$this->addEditLinks($aEvent, $strUrl);
}
}
}
}
}
}

/**

/**
Manipulate the arrEvents-Array generated by ModuleCalendar and ModuleEventlist
**/
public function updateAllEvents($arrEvents, $arrCalendars, $intStart, $intEnd, $objCalendarModule)
{

if (!is_array($arrCalendars)) {
return $arrEvents;
}
Expand All @@ -84,51 +59,56 @@ public function updateAllEvents($arrEvents, $arrCalendars, $intStart, $intEnd, $

$time = time();
$this->import('FrontendUser', 'User');

foreach ($arrCalendars as $id) {

// preperations: Get more information about the calendars used for these "all events"
$CalendarObjects = array(); // needed for a detailed authorization check
$UserIsAdminForCalendar = array(); //
$UserIsMemberForCalendar = array(); //
$JumpPages = array(); // needed for the edit-links we want to add in his hook

$objCalendars = CalendarModelEdit::findByIds($arrCalendars);
foreach($objCalendars as $objCalendar) {
$currentPID = $objCalendar->id; // this is the Parent-ID for the events in the Event-Array

// get properties of this calendar
$objCalendar = $this->Database->prepare("SELECT * FROM tl_calendar WHERE id=?")
->limit(1)
->execute($id);



if ($objCalendar->allowEdit) {
// get the JumpToEdit-Page for this calendar
$objPage = $this->Database->prepare("SELECT id, alias FROM tl_page WHERE id=(SELECT caledit_jumpTo FROM tl_calendar WHERE id=?)")
$CalendarObjects[$currentPID] = $objCalendar;

if ($objCalendar->allowEdit) {
// is user admin for this calendar?
$UserIsAdminForCalendar[$currentPID] = UserIsAdmin ($objCalendar, $this->User);
$UserIsMemberForCalendar[$currentPID] = UserIsAuthorizedUser ($objCalendar, $this->User);

// get the jump-to-Edit-page for this calendar
$objPage = $this->Database->prepare("SELECT id, alias FROM tl_page WHERE id=(SELECT caledit_jumpTo FROM tl_calendar WHERE id=?)")
->limit(1)
->execute($id);
->execute($objCalendar->id);
if ($objPage->numRows) {
$strUrl = $this->generateFrontendUrl($objPage->row(), '');
$JumpPages[$currentPID] = $this->generateFrontendUrl($objPage->row(), '');
}
else {
$strUrl = $this->Environment->request;
$JumpPages[$currentPID] = $this->Environment->request;
}

$AuthorizedUser = UserIsAuthorizedUser($objCalendar, $this->User);
$UserIsAdmin = UserIsAdmin($objCalendar, $this->User);

if ($AuthorizedUser || $UserIsAdmin ) {
// Now: Get all Events in this calendar (as in ModuleCalendar, but without the constraint "AND published=1")
$objEvents = $this->Database->prepare("SELECT *, (SELECT title FROM tl_calendar WHERE id=?) AS calendar, (SELECT name FROM tl_user WHERE id=author) author FROM tl_calendar_events WHERE pid=? AND ((startTime>=? AND startTime<=?) OR (endTime>=? AND endTime<=?) OR (startTime<=? AND endTime>=?) OR (recurring=1 AND (recurrences=0 OR repeatEnd>=?) AND startTime<=?))" . (!BE_USER_LOGGED_IN ? " AND (start='' OR start<$time) AND (stop='' OR stop>$time)" : "") . " ORDER BY startTime")
->execute($id, $id, $intStart, $intEnd, $intStart, $intEnd, $intStart, $intEnd, $intStart, $intEnd);

if ($objEvents->numRows < 1) {
continue; // nothing to do here (no events found)
}

while ($objEvents->next()) {
// We have some events in this calendar, and the user is member of a group, which is allowed to edit events
// So: Add Edit-Links to these Events.
$this->addEventInformation($objEvents, $objEvents->id, $objCalendar, $arrEvents, $strUrl, $this->User->id, $UserIsAdmin);
}
} else {
// no editing allowed in this calendar
$UserIsAdminForCalendar[$currentPID] = false;
$UserIsMemberForCalendar[$currentPID] = false;
$JumpPages[$currentPID] = $this->Environment->request;
}
}

// now: scan the events-array and add edit links where appropriate
$currentTime = time();
foreach ($arrEvents as &$intnext) {
foreach ($intnext as &$intdate) {
foreach ($intdate as &$aEvent){
$cPID = $aEvent['pid'];
if ( ($CalendarObjects[$cPID]->allowEdit) && EditLinksAreAllowed($CalendarObjects[$cPID], $aEvent, $this->User->id, $UserIsAdminForCalendar[$cPID], $UserIsMemberForCalendar[$cPID], $currentTime)){
$this->addEditLinks($aEvent, $JumpPages[$cPID]);
}
}
} // else: Frontend-Editing is not allowed for this calender. Modifications of the Events not necessary.

}
return $arrEvents;
}
}
}
return $arrEvents;
}
}

?>
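Review bot: The new edit-link pass in `updateAllEvents` dereferences `$CalendarObjects[$cPID]->allowEdit` for every event, but `$CalendarObjects` only holds the calendars that `CalendarModelEdit::findByIds($arrCalendars)` returned; an event whose `pid` is not among them, or a null result when no calendar matches (if `findBy` returns null in that case), yields an undefined index and a property read on null, which aborts the hook instead of simply not adding links. Guard the collection result and the lookup as in the excerpt below, so a calendar that was not loaded is treated as not editable. The by-reference loops over `$arrEvents` also leave `$aEvent`, `$intdate` and `$intnext` bound after the loop; an `unset($aEvent, $intdate, $intnext);` after the outer loop avoids the dangling-reference aliasing. `$time` earlier in the method and `$currentTime` in this hunk are both `time()`, so one of them can go.

```php
$objCalendars = CalendarModelEdit::findByIds($arrCalendars);
if ($objCalendars === null) {
    return $arrEvents; // no matching calendars: nothing can be marked editable
}
// … unchanged: per-calendar admin/member/jump-page preparation …
foreach ($arrEvents as &$intnext) {
    foreach ($intnext as &$intdate) {
        foreach ($intdate as &$aEvent) {
            $cPID = $aEvent['pid'];
            // an event whose calendar was not loaded is treated as not editable
            if (isset($CalendarObjects[$cPID]) && $CalendarObjects[$cPID]->allowEdit
                && EditLinksAreAllowed($CalendarObjects[$cPID], $aEvent, $this->User->id, $UserIsAdminForCalendar[$cPID], $UserIsMemberForCalendar[$cPID], $currentTime)) {
                $this->addEditLinks($aEvent, $JumpPages[$cPID]);
            }
        }
    }
}
unset($aEvent, $intdate, $intnext);
```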
15 changes: 11 additions & 4 deletions src/Resources/contao/modules/ModuleEventEditor.php
Expand Up @@ -851,7 +851,6 @@ protected function HandleEdit($editID, $currentEventObject) {
}

$objWidget = new $strClass($this->prepareForWidget($arrField, $arrField['name'], $arrField['value']));
$objWidget->parse();
// Validate widget
if ($this->Input->post('FORM_SUBMIT') == 'caledit_submit') {
$objWidget->validate();
Expand All @@ -861,6 +860,10 @@ protected function HandleEdit($editID, $currentEventObject) {
}
$arrWidgets[$arrField['name']] = $objWidget;
}
// parse the Date fields, to show the Datepicker
$arrWidgets['startDate']->parse();
$arrWidgets['endDate']->parse();


// Check, whether the user is allowed to edit past events
// or the date is in the future
Expand Down Expand Up @@ -912,7 +915,7 @@ protected function HandleEdit($editID, $currentEventObject) {
if ($this->Input->post('FORM_SUBMIT') == 'caledit_submit') {
$this->Template->InfoClass = 'tl_error';
if ($this->Template->InfoMessage == '') {
$this->Template->InfoMessage = $GLOBALS['TL_LANG']['MSC']['caledit_error'];
$this->Template->InfoMessage = $GLOBALS['TL_LANG']['MSC']['caledit_error'].'wuppdi';
} // else: keep the InfoMesage as set before
}
$this->Template->fields = $arrWidgets;
Expand Down Expand Up @@ -1157,8 +1160,7 @@ protected function HandleClone($currentEventObject) {
$strClass = $GLOBALS['TL_FFL'][$arrField['inputType']];
$arrField['eval']['required'] = $arrField['eval']['mandatory'];

$objWidget = new $strClass($this->prepareForWidget($arrField, $arrField['name'], $arrField['value']));
$objWidget->parse();
$objWidget = new $strClass($this->prepareForWidget($arrField, $arrField['name'], $arrField['value']));
// Validate widget
if ($this->Input->post('FORM_SUBMIT') == 'caledit_submit') {
$objWidget->validate();
Expand All @@ -1169,6 +1171,11 @@ protected function HandleClone($currentEventObject) {
$arrWidgets[$arrField['name']] = $objWidget;
}

for ($i = 1; $i <= 10; $i++) {
$arrWidgets['start'.$i]->parse();
$arrWidgets['end'.$i]->parse();
}

$allDatesAllowed = $this->allDatesAllowed($currentEventData['pid']);
for ($i = 1; $i <= 10; $i++) {
// check the 10 startdates
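Review bot: The error message in `HandleEdit` now reads `$GLOBALS['TL_LANG']['MSC']['caledit_error'].'wuppdi'`, which looks like a debugging marker that was committed and will be shown to users verbatim; restore `$this->Template->InfoMessage = $GLOBALS['TL_LANG']['MSC']['caledit_error'];`. In the same method, and in `HandleClone`, the `parse()` calls moved out of the widget loop now index `$arrWidgets['startDate']`, `$arrWidgets['endDate']`, `$arrWidgets['start'.$i]` and `$arrWidgets['end'.$i]` directly; if any of those fields is missing from the widget list (the loop that fills `$arrWidgets` starts above each hunk), that is a method call on null, so an `isset` check per key or a comment stating that the field set guarantees them would be appropriate. A one-line comment explaining why the date widgets are parsed only after validation, presumably so the datepicker markup is generated on the validated state, would make the move understandable from the code alone. Both methods start and end outside the hunks.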
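--- a/src/Resources/contao/modules/ModuleEventReaderEdit.php
+++ b/src/Resources/contao/modules/ModuleEventReaderEdit.php
@@ -113,7 +113,7 @@ protected function compile()
 $UserIsAdmin = UserIsAdmin($objCalendar, $this->User);
 
 $AuthorizedUserElapsedEvents = UserIsAuthorizedElapsedEvents($objCalendar, $this->User);
-$AddEditLinks = EditLinksAreAllowed2 ($objCalendar, $objEvent, $this->User, $UserIsAdmin);
+$AddEditLinks = EditLinksAreAllowed2 ($objCalendar, $objEvent, $this->User, $UserIsAdmin, $AuthorizedUser);
 
 if ($AddEditLinks) {
 // get the JumpToEdit-Page for this calendar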
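Review bot: The new fifth argument `$AuthorizedUser` is not assigned anywhere in the hunk, while `$UserIsAdmin` and `$AuthorizedUserElapsedEvents` are computed right above the call; if it is not set earlier in `compile()` (which starts outside the hunk), it is null, `EditLinksAreAllowed2` sees `$UserIsMember` as false and non-admins never get edit links. Confirm it is assigned from `UserIsAuthorizedUser($objCalendar, $this->User)` next to the other two checks, or add `$AuthorizedUser = UserIsAuthorizedUser($objCalendar, $this->User);` beside them so the three authorisation inputs are computed in one place.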
