Refactor user session handling and permissions management
- Updated session variables to use 'authorization' array instead of 'username' for user identification across multiple files. - Introduced a new function `getUserPermissions` to consolidate user permissions retrieval based on assigned roles. - Modified API calls to use the new authorization structure and updated endpoints to v2. - Enhanced language support by adding 'PL' to the list of supported languages. - Cleaned up redundant code and improved session management during user login and registration processes. - Added a new API endpoint for fetching user permissions based on user ID.
This commit is contained in:
“VeLiTi”
@@ -304,7 +304,7 @@ function menu($selected,$selected_child){
|
||||
$menu = '';
|
||||
|
||||
//filter the main_menu array based on profile
|
||||
$filteredMenu = filterMenuByProfile($main_menu, $_SESSION['profile']);
|
||||
$filteredMenu = filterMenuByProfile($main_menu, $_SESSION['authorization']['profile']);
|
||||
|
||||
foreach ($filteredMenu as $menu_item){
|
||||
//Main Item
|
||||
@@ -340,12 +340,12 @@ function template_header($title, $selected = 'assets', $selected_child = 'view')
|
||||
$domain = getDomainName($_SERVER['SERVER_NAME']);
|
||||
$custom_css = (file_exists(dirname(__FILE__,2).'/custom/'.$domain.'/style/'.$domain.'.css') ? './custom/'.$domain.'/style/'.$domain.'.css' : './style/admin.css');
|
||||
|
||||
$user = ucfirst($_SESSION['username']);
|
||||
$user = ucfirst($_SESSION['authorization']['clientID']);
|
||||
if (filter_var($user, FILTER_VALIDATE_EMAIL)){
|
||||
$user = substr($user, 0, strpos($user, "@"));
|
||||
}
|
||||
|
||||
if (isset($_SESSION['id'])){$id = $_SESSION['id'];} else{$id='';}
|
||||
if (isset($_SESSION['authorization']['id'])){$id = $_SESSION['authorization']['id'];} else{$id='';}
|
||||
|
||||
if(isset($_SESSION['country_code'])){
|
||||
$api_file_language = dirname(__FILE__,2).'/settings/translations/translations_'.strtoupper($_SESSION['country_code']).'.php';
|
||||
@@ -520,8 +520,8 @@ EOT;
|
||||
//------------------------------------------
|
||||
function template_footer($js_script = '') {
|
||||
$js_script = $js_script ? '<script>' . $js_script . '</script>' : '';
|
||||
$lancode = $_SESSION['language'] ?? 'US';
|
||||
$user_mail = $_SESSION['email'] ?? '';
|
||||
$lancode = $_SESSION['authorization']['language'] ?? 'US';
|
||||
$user_mail = $_SESSION['authorization']['email'] ?? '';
|
||||
$veliti_cim = '';
|
||||
if (veliti_cim){
|
||||
$veliti_cim = '
|
||||
@@ -1239,7 +1239,7 @@ function ioServer($api_call, $data){
|
||||
debuglog($date." - ioServer incoming call: api_call=$api_call, data=" . $data_log);
|
||||
}
|
||||
|
||||
$token = $_SESSION['userkey'] ?? 'authorization_request';
|
||||
$token = $_SESSION['authorization']['userkey'] ?? 'authorization_request';
|
||||
$bearertoken = createCommunicationToken($token);
|
||||
|
||||
$url = $baseurl.$api_call;
|
||||
@@ -1541,18 +1541,16 @@ function getProfile($profile, $permission){
|
||||
//+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
function isAllowed($page,$profile,$permission,$action){
|
||||
|
||||
//++++++++++++++++
|
||||
//OVERRIDE
|
||||
//++++++++++++++++
|
||||
return 1;
|
||||
//++++++++++++++++
|
||||
|
||||
//override for testing only
|
||||
return 1;
|
||||
|
||||
//Include settingsa
|
||||
include dirname(__FILE__,2).'/settings/settings_redirector.php';
|
||||
|
||||
// Always allowed collections: [collection => allowed_actions_string]
|
||||
$always_allowed = [
|
||||
'com_log' => 'U',
|
||||
'user_permissions' => 'R',
|
||||
'software_update' => 'R',
|
||||
'software_download' => 'R',
|
||||
'software_available' => 'R',
|
||||
@@ -2690,7 +2688,7 @@ function listPartner($partnertype, $user_right, $input, $required)
|
||||
//BASED ON USERRIGHT DEFINE SQL AND DATA RETURNED
|
||||
if ($user_right != 3 || $user_right !=4) {
|
||||
//NOT ADMIN USER
|
||||
$partner = json_decode($_SESSION['partnerhierarchy']);
|
||||
$partner = json_decode($_SESSION['authorization']['partnerhierarchy']);
|
||||
//SoldTo is empty
|
||||
if (empty($partner->soldto) || $partner->soldto == ''){$soldto_search = '%';} else {$soldto_search = '-%';}
|
||||
//BUILD CONDITION
|
||||
@@ -2738,7 +2736,7 @@ function listAccounts($type, $user_right, $input)
|
||||
//BASED ON USERRIGHT DEFINE SQL AND DATA RETURNED
|
||||
if ($user_right != 3 || $user_right !=4) {
|
||||
//NOT ADMIN USER
|
||||
$partner = json_decode($_SESSION['partnerhierarchy']);
|
||||
$partner = json_decode($_SESSION['authorization']['partnerhierarchy']);
|
||||
//SoldTo is empty
|
||||
if (empty($partner->soldto) || $partner->soldto == ''){$soldto_search = '%';} else {$soldto_search = '-%';}
|
||||
//BUILD CONDITION
|
||||
@@ -5661,4 +5659,77 @@ function generateCountriesFile($token){
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get combined user permissions based on all assigned roles
|
||||
*
|
||||
* This function retrieves all role assignments for a user and combines permissions
|
||||
* from multiple roles. If the same access_element appears in multiple roles,
|
||||
* permissions are merged (OR operation) so the user gets the union of all permissions.
|
||||
*
|
||||
* For example:
|
||||
* - Role A: access_element 'assets' with C=1, U=1, D=0
|
||||
* - Role B: access_element 'assets' with C=0, U=0, D=1
|
||||
* - Result: access_element 'assets' with C=1, U=1, D=1
|
||||
*
|
||||
* @param PDO $pdo Database connection
|
||||
* @param int $user_id The user ID to get permissions for
|
||||
* @return array Associative array of permissions indexed by access_element path
|
||||
* Each element contains: [path, name, group, can_create, can_read, can_update, can_delete]
|
||||
*/
|
||||
function getUserPermissions($pdo, $user_id) {
|
||||
// Get all active role assignments for the user with their permissions
|
||||
$sql = "SELECT
|
||||
ae.access_path,
|
||||
ae.access_name,
|
||||
ae.access_group,
|
||||
rap.can_create,
|
||||
rap.can_read,
|
||||
rap.can_update,
|
||||
rap.can_delete
|
||||
FROM user_role_assignments ura
|
||||
INNER JOIN user_roles ur ON ura.role_id = ur.rowID
|
||||
INNER JOIN role_access_permissions rap ON ur.rowID = rap.role_id
|
||||
INNER JOIN access_elements ae ON rap.access_id = ae.rowID
|
||||
WHERE ura.user_id = :user_id
|
||||
AND ura.is_active = 1
|
||||
AND ur.is_active = 1
|
||||
AND ae.is_active = 1
|
||||
AND (ura.expires_at IS NULL OR ura.expires_at > NOW())
|
||||
ORDER BY ae.access_path";
|
||||
|
||||
$stmt = $pdo->prepare($sql);
|
||||
$stmt->bindParam(':user_id', $user_id, PDO::PARAM_INT);
|
||||
$stmt->execute();
|
||||
$results = $stmt->fetchAll(PDO::FETCH_ASSOC);
|
||||
|
||||
// Combine permissions for duplicate access elements
|
||||
$combined_permissions = [];
|
||||
|
||||
foreach ($results as $row) {
|
||||
$path = $row['access_path'];
|
||||
|
||||
if (!isset($combined_permissions[$path])) {
|
||||
// First time seeing this access element
|
||||
$combined_permissions[$path] = [
|
||||
'path' => $row['access_path'],
|
||||
'name' => $row['access_name'],
|
||||
'group' => $row['access_group'],
|
||||
'can_create' => (int)$row['can_create'],
|
||||
'can_read' => (int)$row['can_read'],
|
||||
'can_update' => (int)$row['can_update'],
|
||||
'can_delete' => (int)$row['can_delete']
|
||||
];
|
||||
} else {
|
||||
// Access element already exists, combine permissions (OR operation)
|
||||
// If any role grants a permission, the user has that permission
|
||||
$combined_permissions[$path]['can_create'] = max($combined_permissions[$path]['can_create'], (int)$row['can_create']);
|
||||
$combined_permissions[$path]['can_read'] = max($combined_permissions[$path]['can_read'], (int)$row['can_read']);
|
||||
$combined_permissions[$path]['can_update'] = max($combined_permissions[$path]['can_update'], (int)$row['can_update']);
|
||||
$combined_permissions[$path]['can_delete'] = max($combined_permissions[$path]['can_delete'], (int)$row['can_delete']);
|
||||
}
|
||||
}
|
||||
|
||||
return $combined_permissions;
|
||||
}
|
||||
Reference in New Issue
Block a user