

fixed some authorisation issues
DanielGausi committed Oct 29, 2018
1 parent 789fa2a commit 8ab26f0
Showing 4 changed files with 94 additions and 80 deletions.
146 changes: 83 additions & 63 deletions src/Resources/contao/modules/CEAuthCheck.php
Expand Up @@ -18,39 +18,47 @@

// Check, whether the User is an Admin to add/edit Events in this objCalendar
function UserIsAdmin($objCalendar, $User){
if (FE_USER_LOGGED_IN) {
// Get Admin-Groups which are allowed to edit events in this calendar
// (Admins are allowed to edit events even if the "only owner"-setting is checked)
// (Admins are allowed to add events on elapsed days)
$admin_groups = deserialize($objCalendar->caledit_adminGroup);
if (is_array($admin_groups)
&& (count($admin_groups) > 0)
&& (count(array_intersect($admin_groups, $User->groups)) > 0)){
return TRUE;
}
}
if (!$objCalendar->allowEdit) {
return false;
} else {
if (FE_USER_LOGGED_IN) {
// Get Admin-Groups which are allowed to edit events in this calendar
// (Admins are allowed to edit events even if the "only owner"-setting is checked)
// (Admins are allowed to add events on elapsed days)
$admin_groups = deserialize($objCalendar->caledit_adminGroup);
if (is_array($admin_groups)
&& (count($admin_groups) > 0)
&& (count(array_intersect($admin_groups, $User->groups)) > 0)){
return TRUE;
}
}
}
return FALSE;
}

// Check, whether the User is authorized to add/edit Events in this objCalendar
function UserIsAuthorizedUser($objCalendar, $User){
if (!$objCalendar->caledit_loginRequired) {
// if no Login is required, consider the User as "authorized"
return TRUE;
}
else {
if (FE_USER_LOGGED_IN) {
// Admins are authorized as well ;-)
if (UserIsAdmin($objCalendar, $User)) {
return TRUE;
}

// Get Groups which are allowed to edit events in this calendar
$groups = deserialize($objCalendar->caledit_groups);
if (is_array($groups)
&& (count($groups) > 0)
&& (count(array_intersect($groups, $User->groups)) > 0)) {
return TRUE;
if (!$objCalendar->allowEdit) {
return false;
} else {
if (!$objCalendar->caledit_loginRequired) {
// if no Login is required, consider the User as "authorized"
return TRUE;
}
else {
if (FE_USER_LOGGED_IN) {
// Admins are authorized as well ;-)
if (UserIsAdmin($objCalendar, $User)) {
return TRUE;
}

// Get Groups which are allowed to edit events in this calendar
$groups = deserialize($objCalendar->caledit_groups);
if (is_array($groups)
&& (count($groups) > 0)
&& (count(array_intersect($groups, $User->groups)) > 0)) {
return TRUE;
}
}
}
}
Expand All @@ -59,51 +67,63 @@ function UserIsAuthorizedUser($objCalendar, $User){
}

function UserIsAuthorizedElapsedEvents($objCalendar, $User){
// User is authorized to edit/add elapsed Events if
// 1.) the User is an Admin for the Calendar or
// 2.) The User is an Authorized User and the CalendarSetting "only Future" is False
return (UserIsAdmin($objCalendar, $User)) || ( UserIsAuthorizedUser($objCalendar, $User) && (! $objCalendar->caledit_onlyFuture));
if (!$objCalendar->allowEdit) {
return false;
} else {
// User is authorized to edit/add elapsed Events if
// 1.) the User is an Admin for the Calendar or
// 2.) The User is an Authorized User and the CalendarSetting "only Future" is False
return (UserIsAdmin($objCalendar, $User)) || ( UserIsAuthorizedUser($objCalendar, $User) && (! $objCalendar->caledit_onlyFuture));
}
}

// used in GetAllEvents Hook
function EditLinksAreAllowed ($objCalendar, $aEvent, $userID, $UserIsAdmin, $UserIsMember, $currentTime){
if ($UserIsAdmin && (!$aEvent['disable_editing'])) {
return TRUE;
} else {
return
(
// Allow only if the editing is NOT disabled in the backend for this event
(!$aEvent['disable_editing'])
// Allow only if the User belongs to an authorized Member group
&& ($UserIsMember)
// Allow only if FE User is logged in or the calendar does not requie login
&& ( FE_USER_LOGGED_IN || !$objCalendar->caledit_loginRequired)
// Allow only if CalendarEditing is not restricted to future events -OR- EventTime is later then CurrentTime,
&& ((!$objCalendar->caledit_onlyFuture) || ($currentTime <= $aEvent['startTime']) )
// Allow only if CalendarEditing is not restricted to the Owner -OR- The Owner is currently logged in
&& ((!$objCalendar->caledit_onlyUser) || ($aEvent['fe_user'] == $userID))
);
if (!$objCalendar->allowEdit) {
return false;
} else {
if ($UserIsAdmin && (!$aEvent['disable_editing'])) {
return TRUE;
} else {
return
(
// Allow only if the editing is NOT disabled in the backend for this event
(!$aEvent['disable_editing'])
// Allow only if the User belongs to an authorized Member group
&& ($UserIsMember)
// Allow only if FE User is logged in or the calendar does not requie login
&& ( FE_USER_LOGGED_IN || !$objCalendar->caledit_loginRequired)
// Allow only if CalendarEditing is not restricted to future events -OR- EventTime is later then CurrentTime,
&& ((!$objCalendar->caledit_onlyFuture) || ($currentTime <= $aEvent['startTime']) )
// Allow only if CalendarEditing is not restricted to the Owner -OR- The Owner is currently logged in
&& ((!$objCalendar->caledit_onlyUser) || ($aEvent['fe_user'] == $userID))
);
}
}
}

// used in Module ModuleEventReaderEdit
function EditLinksAreAllowed2 ($objCalendar, $objEvent, $User, $UserIsAdmin, $UserIsMember){
if ($UserIsAdmin && (!$objEvent->disable_editing)) {
return TRUE;
if (!$objCalendar->allowEdit) {
return false;
} else {
return
(
// Allow only if if the editing is NOT disabled in the backend for this event
(!$objEvent->disable_editing)
// Allow only if the User belongs to an authorized Member group
&& ($UserIsMember)
// Allow only if FE User is logged in or the calendar does not requie login
&& ( FE_USER_LOGGED_IN || !$objCalendar->caledit_loginRequired)
// Allow only if CalendarEditing is not restricted to future events -OR- EventTime is later then CurrentTime,
&& ((!$objCalendar->caledit_onlyFuture) || (time() <= $objEvent->startTime) )
// Allow only if CalendarEditing is not restricted to the Owner -OR- The Owner is currently logged in
&& ((!$objCalendar->caledit_onlyUser) || ($objEvent->fe_user == $User->id))
);
if ($UserIsAdmin && (!$objEvent->disable_editing)) {
return TRUE;
} else {
return
(
// Allow only if if the editing is NOT disabled in the backend for this event
(!$objEvent->disable_editing)
// Allow only if the User belongs to an authorized Member group
&& ($UserIsMember)
// Allow only if FE User is logged in or the calendar does not requie login
&& ( FE_USER_LOGGED_IN || !$objCalendar->caledit_loginRequired)
// Allow only if CalendarEditing is not restricted to future events -OR- EventTime is later then CurrentTime,
&& ((!$objCalendar->caledit_onlyFuture) || (time() <= $objEvent->startTime) )
// Allow only if CalendarEditing is not restricted to the Owner -OR- The Owner is currently logged in
&& ((!$objCalendar->caledit_onlyUser) || ($objEvent->fe_user == $User->id))
);
}
}
}

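Review bot: Each of the five functions now opens with `if (!$objCalendar->allowEdit) { return false; } else { … }`, and the `else` pushes the whole pre-existing body one indentation level deeper (lines 31-45, 68-90, 100-107, 128-148 and 155-188); since the guard already returns, the `else` and its closing brace can be dropped and the body left at its previous depth, which also shrinks the diff to the inserted guard lines. The added guards return lowercase `false` while the surrounding code returns `TRUE`/`FALSE`; one spelling should be used throughout. Because `allowEdit` is read by property access, a calendar object that lacks the field presumably yields `null` and the guard denies, which is the fail-closed direction — worth recording in a header comment so it is not "fixed" later, e.g. `// allowEdit is the calendar-wide master switch: evaluated before any login/group logic, and a missing or falsy value denies.` UserIsAuthorizedUser and UserIsAuthorizedElapsedEvents still call UserIsAdmin, which now carries the same guard, so the callee check is redundant there but harmless as defence in depth.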
2 changes: 1 addition & 1 deletion src/Resources/contao/modules/ListAllEvents_Hook.php
Expand Up @@ -51,7 +51,7 @@ public function updateAllEvents($arrEvents, $arrCalendars, $intStart, $intEnd, $
return $arrEvents;
}

if(version_compare(VERSION.'.'.BUILD, '3.5.1', '>=')) {
if(version_compare(VERSION.'.'.BUILD, '3.5.1', '>=')) {
$this->import('StringUtil');
} else {
$this->import('String');
21 changes: 5 additions & 16 deletions src/Resources/contao/modules/ModuleCalenderEdit.php
Expand Up @@ -22,10 +22,7 @@
use Contao\CalendarModel;
use Contao\Events;

//use Contao\Calendar;
//use Contao\CalendarModel;

include_once('CEAuthCheck.php');
include_once('CEAuthCheck.php');

/**
* Class ModuleCalenderEdit
Expand All @@ -49,26 +46,19 @@ public function GetHolidayCalendarIDs($cals) {
return $IDs;
}

// check weather the current FE User is allowed to edit any of the calendars
// check whether the current FE User is allowed to edit any of the calendars
public function CheckUserAuthorizations($arrCalendars) {
$this->import('FrontendUser', 'User');
$this->AllowElapsedEvents = False;
$this->AllowEditEvents = False;

foreach ($arrCalendars as $id)
{
// get properties of this calendar
$objCalendar = $this->Database->prepare("SELECT * FROM tl_calendar WHERE id=?")
->limit(1)
->execute($id);

$objCalendars = CalendarModelEdit::findByIds($arrCalendars);
foreach($objCalendars as $objCalendar) {
$this->AllowElapsedEvents = ($this->AllowElapsedEvents || UserIsAuthorizedElapsedEvents($objCalendar, $this->User) );
$this->AllowEditEvents = ($this->AllowEditEvents || UserIsAuthorizedUser($objCalendar, $this->User) );
}
}
}



// overwrite the compileWeeks-Method from ModuleCalendar
protected function compileWeeks()
{
Expand All @@ -83,7 +73,6 @@ protected function compileWeeks()
// this will set the variables $this->AllowEditEvents and $this->AllowElapsedEvents
$this->CheckUserAuthorizations($this->cal_calendar);


if ($this->AllowEditEvents){
// get the JumpToAdd-Page for this calendar
$objPage = $this->Database->prepare("SELECT id, alias FROM tl_page WHERE id=?")
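Review bot: The result of `CalendarModelEdit::findByIds($arrCalendars)` on line 236 is iterated unguarded on line 237; if `findByIds` follows the Contao `Model` convention of returning `null` when no row matches (its definition is not visible here), `foreach` raises a warning, although both `Allow*` flags would then stay `False`, which is at least fail-closed. A one-line guard makes that explicit: `if ($objCalendars !== null) {` around the loop. The replaced per-id query was parameterised, so the rewrite loses nothing on the SQL side and removes a query per calendar. compileWeeks (line 247) continues outside the hunk.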
5 changes: 5 additions & 0 deletions src/Resources/contao/modules/ModuleEventEditor.php
Expand Up @@ -215,6 +215,11 @@ public function checkUserEditRights($user, $eventID, $CurrentObjectData) {
return false; // Event not found or something else is wrong
}

if (!$objCalendar->allowEdit) {
$this->ErrorString = $GLOBALS['TL_LANG']['MSC']['caledit_NoEditAllowed'];
return false;
}

// check calendar settings
if (UserIsAuthorizedUser($objCalendar, $user)) {
// if the editing is disabled in the BE: Deny editing in the FE
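Review bot: The `allowEdit` guard on lines 264-267 runs before the `UserIsAuthorizedUser` call on line 270, which in this same commit also denies when `allowEdit` is off, so the explicit check here exists to select the specific `caledit_NoEditAllowed` message instead of the generic denial; that ordering is not obvious and deserves a comment, e.g. `// Calendar-wide switch checked first so the user gets the specific "no editing" message rather than the generic authorisation failure.` If the language key is not defined, `$this->ErrorString` would be set to `null`, so the key should exist in every loaded language file. checkUserEditRights starts and ends outside the hunk.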
