
Added group permission protection (#5320)

agree 5 роки тому
батько
коміт
8e08d4abd1

+ 8 - 0
core/groups/app_config.php

@@ -173,6 +173,14 @@
 		$apps[$x]['db'][$y]['fields'][$z]['type'] = "text";
 		$apps[$x]['db'][$y]['fields'][$z]['description']['en-us'] = "";
 		$z++;
+		$apps[$x]['db'][$y]['fields'][$z]['name']['text'] = "permission_protected";
+		$apps[$x]['db'][$y]['fields'][$z]['type'] = "text";
+		$apps[$x]['db'][$y]['fields'][$z]['description']['en-us'] = "";
+		$z++;
+		$apps[$x]['db'][$y]['fields'][$z]['name']['text'] = "permission_assigned";
+		$apps[$x]['db'][$y]['fields'][$z]['type'] = "text";
+		$apps[$x]['db'][$y]['fields'][$z]['description']['en-us'] = "";
+		$z++;
 		$apps[$x]['db'][$y]['fields'][$z]['name'] = "group_name";
 		$apps[$x]['db'][$y]['fields'][$z]['type'] = "text";
 		$apps[$x]['db'][$y]['fields'][$z]['search'] = "true";
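Review bot: Both new fields leave `['description']['en-us'] = ""` empty, yet elsewhere in this commit they drive access decisions (group_permissions.php now filters the session permission list on `permission_assigned = 'true'`, and permission.php skips rows with `permission_protected = 'true'` when it purges unprotected group permissions), so the schema should state what the values mean, e.g. `"Set to true to exclude this permission from the automatic reset of unprotected group permissions."` and `"Set to true when the permission is granted to the group; false keeps the row only to preserve the protected flag."` The wording of the second description is inferred from the save logic in group_permissions.php and is worth confirming. The new entries also use `['name']['text']` while the adjacent `group_name` entry uses `['name']`; pick one form within this field list.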

+ 125 - 75
core/groups/group_permissions.php

@@ -66,6 +66,7 @@
 				$x = 0;
 				$sql = "select distinct(permission_name) from v_group_permissions ";
 				$sql .= "where (domain_uuid = :domain_uuid or domain_uuid is null) ";
+				$sql .= "and permission_assigned = 'true' ";
 				foreach ($_SESSION["groups"] as $field) {
 					if (strlen($field['group_name']) > 0) {
 						$sql_where_or[] = "group_name = :group_name_".$x;
@@ -100,61 +101,132 @@
 		$group_permissions = $_POST['group_permissions'];
 	}
 
+//add the search string
+	if (isset($_REQUEST["search"])) {
+		$search =  strtolower($_REQUEST["search"]);
+		$sql_search = " (";
+		$sql_search .= "	lower(p.permission_name) like :search \n";
+		$sql_search .= ") ";
+		$parameters['search'] = '%'.$search.'%';
+	}
+
+//get the list
+	$sql = "select "; 
+	$sql .= "	distinct p.permission_name, \n";
+	$sql .= "	p.application_name, \n";
+	$sql .= "	g.permission_protected, \n"; 
+	$sql .= "	g.group_permission_uuid, \n"; 
+	$sql .= "	g.permission_assigned \n";
+	$sql .= "from v_permissions as p \n"; 
+	$sql .= "left join \n"; 
+	$sql .= "	v_group_permissions as g \n"; 
+	$sql .= "	on p.permission_name = g.permission_name \n"; 
+	$sql .= "	and group_name = :group_name \n"; 
+	if (isset($sql_search)) {
+		$sql .= "where ".$sql_search;
+	}
+	$sql .= "	order by p.application_name, p.permission_name asc "; 
+	$parameters['group_name'] = $group_name;
+	$database = new database;
+	$group_permissions = $database->select($sql, $parameters, 'all');
+
 //process the user data and save it to the database
 	if (count($_POST) > 0 && strlen($_POST["persistformvar"]) == 0) {
-		//get the list
-			$sql = "select p.*, ";
-			$sql .= "exists(select from v_group_permissions where permission_name = p.permission_name and group_name = :group_name) as permission_assigned ";
-			$sql .= "from v_permissions as p ";
-			$parameters['group_name'] = $group_name;
-			//$sql = "select * from v_group_permissions ";
-			//$sql .= "where group_uuid = :group_uuid ";
-			//$parameters['group_uuid'] = $group_uuid;
-			$database = new database;
-			$group_permissions = $database->select($sql, $parameters, 'all');
-
-		//add or remove permissions from the group
 			$x = 0;
 			if (is_array($_POST['group_permissions'])) {
 				foreach($_POST['group_permissions'] as $row) {
-					//check to see if the group has been assigned the permission
-					$in_database = false;
-					foreach($group_permissions as $field) {
-						if ($field['permission_name'] === $row['permission_name'] && $field['permission_assigned'] === true) {
-							$in_database = true;
-							break;
+					//reset values
+						$action = "";
+						$save_permission = false;
+						$delete_permission = false;
+						$save_protected = false;
+						$delete_protected = false;
+						$persist = false;
+
+					//get the action save or delete
+						foreach($group_permissions as $field) {
+							if ($field['permission_name'] === $row['permission_name']) {
+								if ($field['permission_assigned'] == 'true') {
+									if ($row['checked'] == "true") {
+										$persist = true;
+									}
+									else {
+										$delete_permission = true;
+									}
+								}
+								else {
+									
+									if ($row['checked'] == "true") {
+										$save_permission = true;
+									}
+									else {
+										//do nothing
+									}
+								}
+
+								if ($field['permission_protected'] == 'true') {
+									if ($row['permission_protected'] == "true") {
+										$persist = true;
+									}
+									else {
+										$delete_protected = true;
+									}
+								}
+								else {
+									if ($row['permission_protected'] == "true") {
+										$save_protected = true;
+									}
+									else {
+										//do nothing
+									}
+								}
+
+								if ($save_permission || $save_protected) {
+									$action = "save";
+								}
+								elseif ($delete_permission || $delete_protected){
+									if ($persist) {
+										$action = "save";
+									}
+									else {
+										$action = "delete";
+									}
+								}
+								else {
+									$action = "";
+								}
+								$group_permission_uuid = $field['group_permission_uuid'];
+								break;
+							}
 						}
-					}
-
-					//add - checked on html form and not in the database
-					if ($row['checked'] === 'true') {
-						if (!$in_database) {
+					
+					//build the array;
+						if ($action == "save") {
+							if (strlen($group_permission_uuid) == 0) {
+								$group_permission_uuid = uuid();
+							}
 							if (isset($row['permission_name']) && strlen($row['permission_name']) > 0) {
-								$array['add']['group_permissions'][$x]['group_permission_uuid'] = uuid();
-								$array['add']['group_permissions'][$x]['permission_name'] = $row['permission_name'];
-								$array['add']['group_permissions'][$x]['group_uuid'] = $group_uuid;
-								$array['add']['group_permissions'][$x]['group_name'] = $group_name;
-								//$array['add']['group_permissions'][$x]['permission_uuid'] = $row['uuid'];
+								$array['save']['group_permissions'][$x]['group_permission_uuid'] = $group_permission_uuid;
+								$array['save']['group_permissions'][$x]['permission_name'] = $row['permission_name'];
+								$array['save']['group_permissions'][$x]['permission_protected'] = $row['permission_protected'] == 'true' ? "true" : 'false';
+								$array['save']['group_permissions'][$x]['permission_assigned'] = $row['checked'] != "true" ? "false" : "true";
+								$array['save']['group_permissions'][$x]['group_uuid'] = $group_uuid;
+								$array['save']['group_permissions'][$x]['group_name'] = $group_name;
 								$x++;
 							}
 						}
-					}
 
-					//delete - unchecked on the form and in the database
-					if ($row['checked'] !== 'true') {
-						if ($in_database) {
+						if ($action == "delete") {
 							if (isset($row['permission_name']) && strlen($row['permission_name']) > 0) {
 								$array['delete']['group_permissions'][$x]['permission_name'] = $row['permission_name'];
 								$array['delete']['group_permissions'][$x]['group_uuid'] = $group_uuid;
 								$array['delete']['group_permissions'][$x]['group_name'] = $group_name;
-								//$array['delete'][$x]['permission_uuid'] = $row['uuid'];
 							}
 							$x++;
 						}
-					}
 				}
 			}
-
+			
 		//validate the token
 			$token = new token;
 			if (!$token->validate($_SERVER['PHP_SELF'])) {
@@ -163,16 +235,16 @@
 				exit;
 			}
 
-		//save to the data
-			if (is_array($array['add']) && @sizeof($array['add']) != 0) {
+		//save the save array
+			if (is_array($array['save']) && @sizeof($array['save']) != 0) {
 				$database = new database;
 				$database->app_name = 'groups';
 				$database->app_uuid = '2caf27b0-540a-43d5-bb9b-c9871a1e4f84';
-				$database->save($array['add']);
+				$database->save($array['save']);
 				$message = $database->message;
 			}
 
-		//delete the permissions
+		//delete the delete array
 			if (is_array($array['delete']) && @sizeof($array['delete']) != 0) {
 				if (permission_exists('group_permission_delete')) {
 					$database = new database;
@@ -194,41 +266,6 @@
 	//$order_by = $_GET["order_by"];
 	//$order = $_GET["order"];
 
-//add the search string
-	if (isset($_REQUEST["search"])) {
-		$search =  strtolower($_REQUEST["search"]);
-		$sql_search = " (";
-		$sql_search .= "	lower(p.permission_name) like :search ";
-		//$sql_search .= "	or lower(p.group_name) like :search ";
-		$sql_search .= ") ";
-		$parameters['search'] = '%'.$search.'%';
-	}
-
-//get the count
-	/*
-	$sql = "select count(group_permission_uuid) from v_group_permissions ";
-	$sql .= "where group_uuid = :group_uuid ";
-	$parameters['group_uuid'] = $group_uuid;
-	if (isset($sql_search)) {
-		$sql .= "where ".$sql_search;
-	}
-	$database = new database;
-	$num_rows = $database->select($sql, $parameters, 'column');
-	*/
-
-//get the list
-	$sql = "select p.*, ";
-	$sql .= "exists(select from v_group_permissions where permission_name = p.permission_name and group_name = :group_name) as permission_assigned ";
-	$sql .= "from v_permissions as p ";
-	$parameters['group_name'] = $group_name;
-	if (isset($sql_search)) {
-		$sql .= "where ".$sql_search;
-	}
-	$sql .= "order by application_name asc, permission_name asc ";
-	$database = new database;
-	$group_permissions = $database->select($sql, $parameters, 'all');
-	unset($sql, $parameters);
-
 //create token
 	$object = new token;
 	$token = $object->create($_SERVER['PHP_SELF']);
@@ -270,7 +307,8 @@
 	if (is_array($group_permissions) && @sizeof($group_permissions) != 0) {
 		$x = 0;
 		foreach ($group_permissions as $row) {
-			$checked = ($row['permission_assigned'] === true) ? " checked=\"checked\"" : $checked = '';
+			$checked = ($row['permission_assigned'] === 'true') ? " checked=\"checked\"" : $checked = '';
+			$protected = ($row['permission_protected'] === 'true') ? " checked=\"checked\"" : '';
 			$application_name = strtolower($row['application_name']);
 			$label_application_name = ucwords(str_replace(['_','-'], " ", $row['application_name']));
 
@@ -293,6 +331,10 @@
 				if (permission_exists('group_permission_edit') && $_SESSION['theme']['list_row_edit_button']['boolean'] == 'true') {
 					echo "	<td class='action-button'>&nbsp;</td>\n";
 				}
+				echo "	<th class='checkbox'>\n";
+				echo "		<input type='checkbox' id='checkbox_all_".$application_name."_protected' name='checkbox_protected_all' onclick=\"list_all_toggle('".$application_name."_protected');\">\n";
+				echo "	</th>\n";
+				echo th_order_by('group_permission_protected', $text['label-group_protected'], $order_by, $order, null, "class=''");
 				echo "</tr>\n";
 
 			}
@@ -305,6 +347,14 @@
 				echo "	</td>\n";
 			}
 			echo "	<td  class='no-wrap' onclick=\"if (document.getElementById('checkbox_".$x."').checked) { document.getElementById('checkbox_".$x."').checked = false; document.getElementById('checkbox_all_".$application_name."').checked = false; } else { document.getElementById('checkbox_".$x."').checked = true; }\">".escape($row['permission_name'])."</td>\n";
+			if (permission_exists('group_permission_add') || permission_exists('group_permission_edit') || permission_exists('group_permission_delete')) {
+				echo "	<td class='checkbox'>\n";
+				echo "		<input type='checkbox' name='group_permissions[$x][permission_protected]' id='checkbox_protected_".$x."' class='checkbox_".$application_name."_protected' value='true' ".$protected." onclick=\"if (!this.checked) { document.getElementById('checkbox_all_".$application_name."_protected').checked = false; }\">\n";
+				echo "	</td>\n";
+			}
+			echo "	</td>\n";
+			echo "	<td>";
+			echo "	</td>\n";
 			echo "</tr>\n";
 
 			//set the previous category
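Review bot: The added filter `$sql .= "and permission_assigned = 'true' ";` in the session-permission query excludes every v_group_permissions row whose new permission_assigned column is still NULL, which is what rows written before this schema change will hold unless something backfills them; the only rewrites in this commit happen through the permission.php purge, which leaves groups with group_protected = 'true' untouched, so members of those groups would lose all their permissions after the upgrade. Treat NULL as assigned, mirroring how permission.php treats a NULL permission_protected: `$sql .= "and (permission_assigned = 'true' or permission_assigned is null) ";`, or ship a one-time update that sets the column to 'true' for existing rows. Whether the upgrade tooling already backfills new columns is not visible here, so confirm that before choosing. These hunks sit in the top-level script body, which starts and ends outside the section.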

+ 2 - 0
core/groups/resources/classes/groups.php

@@ -445,6 +445,8 @@ if (!class_exists('groups')) {
 								$array['group_permissions'][$x]['group_permission_uuid'] = uuid();
 								$array['group_permissions'][$x]['domain_uuid'] = null;
 								$array['group_permissions'][$x]['permission_name'] = $row['name'];
+								$array['group_permissions'][$x]['permission_protected'] = 'false';
+								$array['group_permissions'][$x]['permission_assigned'] = 'true';
 								$array['group_permissions'][$x]['group_name'] = $group;
 								$array['group_permissions'][$x]['group_uuid'] = $group_uuids[$group];
 							}

+ 5 - 2
core/groups/resources/classes/permission.php

@@ -58,14 +58,15 @@
 					}
 					$group_names = "'".implode("','", $group_name_array)."'";
 
-				//delete unprotected system group permissions
+				//delete unprotected permissions
 					$sql = "delete from v_group_permissions as p ";
 					$sql .= "where group_name in ( ";
 					$sql .= "	select group_name ";
 					$sql .= "	from v_groups ";
 					$sql .= "	where group_protected <> 'true' ";
 					$sql .= "	and group_name in (".$group_names.") ";
-					$sql .= ");";
+					$sql .= ")";
+					$sql .= "and (permission_protected <> 'true' or permission_protected is null)";
 					$database = new database;
 					$result = $database->select($sql);
 
@@ -166,6 +167,8 @@
 												//build default permissions insert array
 												$array['group_permissions'][$x]['group_permission_uuid'] = uuid();
 												$array['group_permissions'][$x]['permission_name'] = $permission['name'];
+												$array['group_permissions'][$x]['permission_protected'] = 'false';
+												$array['group_permissions'][$x]['permission_assigned'] = 'true';
 												$array['group_permissions'][$x]['group_name'] = $group_name;
 												$array['group_permissions'][$x]['group_uuid'] = $group_uuid;
 												$x++;
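Review bot: The purge now keeps rows matching the new predicate `and (permission_protected <> 'true' or permission_protected is null)`, but the default-permission insert in the second hunk still assigns a fresh `uuid()` and 'false'/'true' values for every default, so a protected row that survived the delete would be inserted a second time for the same group_name and permission_name unless the loop building this array (it starts outside the hunk) skips permissions already present; verify that check exists or add one before the insert. Minor: `$sql .= ")";` followed by `"and (...)"` concatenates to `)and (`, which the parser tolerates but is hard to read; write `$sql .= ") ";`.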