X-Git-Url: http://git.roojs.org/?p=Pman.Core;a=blobdiff_plain;f=DataObjects%2FCore_person.php;h=b45eef49f091484a895f58f34c5dfc248ac6fbe6;hp=ee9a860fe03adcb85dfac9bd9e7141164d6b3872;hb=HEAD;hpb=02ef8a4283a3c896b57f0a64234a1845dd108b7e diff --git a/DataObjects/Core_person.php b/DataObjects/Core_person.php index ee9a860f..4208198e 100644 --- a/DataObjects/Core_person.php +++ b/DataObjects/Core_person.php @@ -283,7 +283,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject } unset($_SESSION[get_class($this)][$sesPrefix .'-auth']); unset($_SESSION[get_class($this)][$sesPrefix .'-timeout']); - setcookie('Pman.timeout', -1, time() + (30*60), '/'); + //setcookie('Pman.timeout', -1, time() + (30*60), '/'); return false; } @@ -434,7 +434,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject if (isset($_SESSION[get_class($this)][$sesPrefix .'-auth'])) { $_SESSION[get_class($this)][$sesPrefix .'-auth-timeout'] = time() + (30*60); // eg. 30 minutes - setcookie('Pman.timeout', time() + (30*60), time() + (30*60), '/'); + //setcookie('Pman.timeout', time() + (30*60), time() + (30*60), '/'); } // not really sure why it's cloned.. return clone (self::$authUser); @@ -514,7 +514,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject $d = $p->toArray(); $_SESSION[get_class($this)][$sesPrefix .'-auth-timeout'] = time() + (30*60); // eg. 30 minutes - setcookie('Pman.timeout', time() + (30*60), time() + (30*60), '/'); + //setcookie('Pman.timeout', time() + (30*60), time() + (30*60), '/'); //var_dump(array(get_class($this),$sesPrefix .'-auth')); $_SESSION[get_class($this)][$sesPrefix .'-auth'] = serialize((object)$d); @@ -767,18 +767,28 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject $oath_require = $s->lookup('core', 'two_factor_auth_required'); $aur['require_oath'] = $oath_require ? $oath_require->val : 0; - $aur['core_person_settings'] = array(); - - $core_person_settings = DB_DataObject::factory('core_person_settings'); - $core_person_settings->setFrom(array( - 'person_id' => $this->id - )); - - $aur['core_person_settings'] = $core_person_settings->fetchAll('scope', 'data'); + $aur['core_person_settings'] = $this->settings(); return $aur; } + function settings($return_obj = false) + { + $cs = DB_DataObject::factory('core_person_settings'); + $cs->setFrom(array( + 'person_id' => $this->id + )); + return $return_obj ? $cs->fetchAll() : $cs->fetchAll('scope', 'data');; + } + function toRooSingleArray($authUser, $request) + { + $ret = $this->toArray(); + foreach( $this->settings() as $k=>$v) { + $ret['core_person_settings['. $k .']'] = $v; + } + + return $ret; + } // ----------PERMS------ ---------------- function getPerms() { @@ -1041,7 +1051,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject // #2307 Search Country!! if (!empty($q['query']['in_country'])) { // DB_DataObject::debugLevel(1); - $inc = $q['query']['in_country']; + $inc = $this->escape($q['query']['in_country']); $this->whereAdd("$tn_p.countries LIKE '%{$inc}%'"); } @@ -1375,10 +1385,18 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject // determine if it's staff!!! $owncomp = DB_DataObject::Factory('core_company'); $owncomp->get('comptype', 'OWNER'); - $isStaff = ($au->company_id == $owncomp->id); - + $editor_is_staff = ($au->company_id == $owncomp->id); + + if (!$editor_is_staff) { + // non staff editing should not user roo/isPerm? + return false; // no permission if user is not staff!? + + } + + $this_is_staff = ($this->company_id == $owncomp->id); - if (!$isStaff) { + /* + if (!$this_is_staff ) { // - can not change company!!! if ($changes && @@ -1402,7 +1420,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject //return $this->company_id == $au->company_id; } - + */ // yes, only owner company can mess with this... @@ -1413,11 +1431,13 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject // extra case change passwod? case 'P': //??? password // standard perms -- for editing + if the user is dowing them selves.. - $ret = $isStaff ? $au->hasPerm("Core.Staff", "E") : $au->hasPerm("Core.Person", "E"); - return $ret || $au->id == $this->id; + $ret = $this_is_staff ? $au->hasPerm("Core.Staff", "E") : $au->hasPerm("Core.Person", "E"); + return $ret || $au->id == $this->id; // can change own data? default: - return $isStaff ? $au->hasPerm("Core.Staff", $lvl) : $au->hasPerm("Core.Person", $lvl); + return $this_is_staff ? $au->hasPerm("Core.Staff", $lvl) : $au->hasPerm("Core.Person", $lvl); + + } return false; @@ -1425,8 +1445,20 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject function beforeInsert($req, $roo) { + if (!empty($req['_bulk_update_passwords'])) { + $this->bulkUpdatePasswords($req['_bulk_update_passwords'], $roo); + return; + } + $p = DB_DataObject::factory('core_person'); if ($roo->authUser->id > -1 || $p->count() > 1) { + $pp = DB_DataObject::factory('core_person'); + $pp->whereAdd('LOWER(email) = "' . $pp->escape(strtolower(trim($this->email))) . '"'); + if ($pp->count()){ + $roo->jerror("NOTICE-DUPE-EMAIL", "that email already exists in the database"); + } + + return; } $c = DB_DataObject::Factory('core_company'); @@ -1439,11 +1471,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject $this->company_id = $c->id; $this->email = trim($this->email); - $pp = DB_DataObject::factory('core_person'); - $pp->email = $this->email; - if ($pp->count()){ - $roo->jerr("that email already exists in the database"); - } + @@ -1481,9 +1509,45 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject $pd->company_id = $this->company_id; $pd->insert(); } - + if (!empty($req['core_person_settings'])) { + $this->updateSettings($req['core_person_settings'], $roo); + } } + function onUpdate($old, $req,$roo, $event) + { + if (!empty($req['core_person_settings'])) { + $this->updateSettings($req['core_person_settings'], $roo); + } + } + + // there should really be a registry of valid scope values!? + function updateSettings($ar, $roo) + { + //DB_DataObject::debugLevel(1); + $old = array(); + foreach($this->settings(true) as $o) { + $old[$o->scope] = $o; + } + foreach($ar as $k=>$v) { + if (isset($old[$k])) { + $oo = clone($old[$k]); + $old[$k]->data = $v; + $old[$k]->update($oo); + continue; + } + $cs = DB_DataObject::Factory('core_person_settings'); + $cs->setFrom(array( + 'person_id' =>$this->id, + 'scope' => $k, + 'data' => $v + )); + $cs->insert(); + } + // we dont delete old stuff.... + } + + function importFromArray($roo, $persons, $opts) { if (empty($opts['prefix'])) { @@ -1560,9 +1624,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject $ff= HTML_FlexyFramework::get(); $appname = empty($ff->appNameShort) ? $ff->project : $ff->project . '-' . $ff->appNameShort; - $dname = method_exists($this, 'getDatabaseConnection') ? $this->getDatabaseConnection()->dsn['database'] : $this->databaseNickname(); - $sesPrefix = $appname.'-' .get_class($this) .'-' . $dname; return $sesPrefix; @@ -1571,9 +1633,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject function loginPublic() // used where??? { $this->isAuth(); // force session start.. - $db = $this->getDatabaseConnection(); - $ff = HTML_FlexyFramework::get(); if(empty($ff->Pman) || empty($ff->Pman['login_public'])){ @@ -1593,6 +1653,16 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject function beforeUpdate($old, $q, $roo) { $this->email = trim($this->email); + + $p = DB_DataObject::factory('core_person'); + if ($roo->authUser->id > -1 || $p->count() > 1) { + $pp = DB_DataObject::factory('core_person'); + $pp->whereAdd('LOWER(email) = "' . $pp->escape(strtolower(trim($this->email))) . '"'); + $pp->whereAdd('id != ' . $old->id); + if ($pp->count()){ + $roo->jerror("NOTICE-DUPE-EMAIL", "that email already exists in the database"); + } + } } function generateOathKey() @@ -1659,6 +1729,62 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject return $content; } - + function bulkUpdatePasswords($data, $roo) + { + + if ( !$roo->hasPerm("Core.Staff", "E")) { + $roo->jerr("permission denied"); + } + $rows = explode("\n",$data); + $upd = array(); + $bad = array(); + + foreach($rows as $i=>$row) { + if (!strlen(trim($row))) { + continue; + } + $bits = preg_split('/\s+/', trim($row)); + if (count($bits) != 2) { + $bad[] = "Invalid line: {$row}"; + continue; + } + // validate. + $upd[strtolower($bits[0])] = $bits[1]; + + } + if (empty($upd)) { + + $roo->jerr(empty($bad) ? "No rows to update": ("ERRORS: ". implode("\n", $bad))); + return; + } + // next fetch them all. + $p = DB_DataObject::factory('core_person'); + $p->whereAddIn('email', array_keys($upd), 'string'); + foreach($p->fetchAll() as $p) { + $map[strtolower($p->email)] = $p; + } + foreach($upd as $k=>$nv) { + if (!isset($map[$k])) { + $bad[] = "Missing account with email: " . $k; + continue; + } + if ($map[$k]->id == $roo->authUser->id) { + $bad[] = "You can not update your own password here: " . $k; + continue; + } + } + if (!empty($bad)) { + $roo->jerr("ERRORS: ". implode("\n", $bad)); + return; + } + foreach($map as $k => $p) { + $pp = clone($p); + $p->setPassword($upd[$k]); + $p->update($pp); + } + $roo->jok("Updated"); + + + } }