<?php

/**
 * sysPass
 * 
 * @author nuxsmin
 * @link http://syspass.org
 * @copyright 2012 Rubén Domínguez nuxsmin@syspass.org
 *  
 * This file is part of sysPass.
 *
 * sysPass is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * sysPass is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with sysPass.  If not, see <http://www.gnu.org/licenses/>.
 *
 */
defined('APP_ROOT') || die(_('No es posible acceder directamente a este archivo'));

/**
 * Esta clase es la encargada de calcular las access lists de acceso a usuarios.
 */
class SP_ACL {
    
    static $accountCacheUserGroupsId;

    /**
     * @brief Comprobar los permisos de acceso del usuario a los módulos de la aplicación
     * @param string $strAction con el nombre de la acción
     * @param int $userId opcional, con el Id del usuario
     * @return bool
     * 
     * Esta función comprueba los permisos del usuario para realizar una acción.
     * Si los permisos ya han sido obtenidos desde la BBDD, se utiliza el objeto creado
     * en la variable de sesión.
     */
    public static function checkUserAccess($strAction, $userId = 0) {
        // Comprobamos si la cache de permisos está inicializada
        if (!isset($_SESSION["usrprofile"]) || !is_object($_SESSION["usrprofile"])) {
            return FALSE;
        }

        $blnUIsAdminApp = $_SESSION["uisadminapp"];
        $blnUIsAdminAcc = $_SESSION["uisadminacc"];
        $profile = $_SESSION["usrprofile"];

        switch ($strAction) {
            case "accview":
                return ( $blnUIsAdminApp || $blnUIsAdminAcc || $profile->userProfile_pView );
            case "accviewpass":
                return ( $blnUIsAdminApp || $blnUIsAdminAcc || $profile->userProfile_pViewPass );
            case "accviewhistory":
                return ( $blnUIsAdminApp || $blnUIsAdminAcc || $profile->userProfile_pViewHistory );
            case "accedit":
                return ( $blnUIsAdminApp || $blnUIsAdminAcc || $profile->userProfile_pEdit );
            case "acceditpass":
                return ( $blnUIsAdminApp || $blnUIsAdminAcc || $profile->userProfile_pEditPass || $userId == $_SESSION["uid"] );
            case "accnew":
                return ( $blnUIsAdminApp || $blnUIsAdminAcc || $profile->userProfile_pAdd );
            case "acccopy":
                return ( $blnUIsAdminApp || $blnUIsAdminAcc || ($profile->userProfile_pAdd && $profile->userProfile_pView) );
            case "accdelete":
                return ( $blnUIsAdminApp || $blnUIsAdminAcc || $profile->userProfile_pDelete );
            case "accfiles":
                return ( $blnUIsAdminApp || $blnUIsAdminAcc || $profile->userProfile_pFiles );
            case "appmgmtmenu":
                return ( $blnUIsAdminApp || $profile->userProfile_pAppMgmtMenu );
            case "configmenu":
                return ( $blnUIsAdminApp || $profile->userProfile_pConfigMenu );
            case "config":
                return ( $blnUIsAdminApp || $profile->userProfile_pConfig );
            case "categories":
                return ( $blnUIsAdminApp || $profile->userProfile_pAppMgmtCategories );
            case "customers":
                return ( $blnUIsAdminApp || $profile->userProfile_pAppMgmtCustomers );
            case "masterpass":
                return ( $blnUIsAdminApp || $profile->userProfile_pConfigMasterPass );
            case "backup":
                return ( $blnUIsAdminApp || $profile->userProfile_pConfigBackup );
            case "usersmenu":
                return ( $blnUIsAdminApp || $profile->userProfile_pUsersMenu );
            case "users":
                return ( $blnUIsAdminApp || $profile->userProfile_pUsers );
            case "groups":
                return ( $blnUIsAdminApp || $profile->userProfile_pGroups );
            case "profiles":
                return ( $blnUIsAdminApp || $profile->userProfile_pProfiles );
            case "eventlog":
                return ( $blnUIsAdminApp || $profile->userProfile_pEventlog );
        }

        $message['action'][] = __FUNCTION__;
        $message['text'][] = _('Denegado acceso a') . " '" . $strAction . "'";

        SP_Common::wrLogInfo($message);

        return FALSE;
    }
    
    /**
     * @brief Comprueba los permisos de acceso a una cuenta
     * @param string $action con la acción realizada
     * @param array $accountData con los datos de la cuenta a verificar
     * @return bool
     */ 
    public static function checkAccountAccess($action, $accountData){
        $userGroupId = $_SESSION["ugroup"];
        $userId = $_SESSION["uid"];
        $userIsAdminApp = $_SESSION["uisadminapp"];
        $userIsAdminAcc = $_SESSION["uisadminacc"];
        
        switch ($action){
            case "accview":
                return ( $userId == $accountData['user_id'] 
                        || $userGroupId == $accountData['group_id']
                        || in_array($userId, $accountData['users_id'])
                        || in_array($userGroupId, $accountData['groups_id'])
                        || $userIsAdminApp 
                        || $userIsAdminAcc );
            case "accviewpass":
                return ( $userId == $accountData['user_id'] 
                        || $userGroupId == $accountData['group_id']
                        || in_array($userId, $accountData['users_id'])
                        || in_array($userGroupId, $accountData['groups_id'])
                        || $userIsAdminApp 
                        || $userIsAdminAcc );
            case "accviewhistory":
                return ( $userId == $accountData['user_id'] 
                        || $userGroupId == $accountData['group_id']
                        || in_array($userId, $accountData['users_id'])
                        || in_array($userGroupId, $accountData['groups_id'])
                        || $userIsAdminApp 
                        || $userIsAdminAcc );
            case "accedit":
                return ( $userId == $accountData['user_id']
                        || $userGroupId == $accountData['group_id']
                        || (in_array($userId, $accountData['users_id']) && $accountData['otheruser_edit'])
                        || (in_array($userGroupId, $accountData['groups_id']) && $accountData['othergroup_edit'])
                        || $userIsAdminApp 
                        || $userIsAdminAcc );
            case "accdelete":
                return ( $userId == $accountData['user_id'] 
                        || $userGroupId == $accountData['group_id']
                        || (in_array($userId, $accountData['users_id']) && $accountData['otheruser_edit'])
                        || (in_array($userGroupId, $accountData['groups_id']) && $accountData['othergroup_edit'])
                        || $userIsAdminApp 
                        || $userIsAdminAcc );
            case "acceditpass":
                return ( $userId == $accountData['user_id'] 
                        || $userGroupId == $accountData['group_id']
                        || (in_array($userId, $accountData['users_id']) && $accountData['otheruser_edit'])
                        || (in_array($userGroupId, $accountData['groups_id']) && $accountData['othergroup_edit'])
                        || $userIsAdminApp 
                        || $userIsAdminAcc );
            case "acccopy":
                return ( $userId == $accountData['user_id'] 
                        || $userGroupId == $accountData['group_id']
                        || in_array($userId, $accountData['users_id'])
                        || in_array($userGroupId, $accountData['groups_id'])
                        || $userIsAdminApp 
                        || $userIsAdminAcc );
        }
               
        return FALSE;
    }
}