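<?php
declare(strict_types=1);

// Bit flags stored in obj.c_unixperms: UNIX-style owner/group/other
// permissions, with "delete" taking the place of "execute".
$permissions = array(
    "owner_read" => 256,
    "owner_write" => 128,
    "owner_delete" => 64,
    "group_read" => 32,
    "group_write" => 16,
    "group_delete" => 8,
    "other_read" => 4,
    "other_write" => 2,
    "other_delete" => 1
);
// Group bit flags; obj.c_group and $user_groups are masks built from these.
$groups = array(
    "root" => 1,
    "officer" => 2,
    "user" => 4,
    "wheel" => 8
);

/**
 * Build the SQL that lists every action the given user may perform on one
 * object (one row of $tbl), combining UNIX-style permission bits on the row
 * with explicit rows in t_privilege.
 *
 * Fixes over the original gist:
 *  - the flag lookups used bare-word keys (`$groups[root]`), which is a
 *    fatal "Undefined constant" Error on PHP 8; they are now quoted;
 *  - the trailing `or pr.c_role = 'self'` sat outside the parenthesised
 *    group, so SQL precedence (`A and (...) or C`) let it bypass the
 *    `ac.c_apply_object` requirement, and because the left join also
 *    admits any `c_type = 'global'` row regardless of role, a global
 *    'self' privilege (if such a row exists) would match every object.
 *    The self branch now lives inside the group and re-checks that the
 *    object is the requesting user's own t_user row, mirroring the join.
 *
 * @param array<string,int> $permissions c_unixperms bit values by name
 * @param array<string,int> $groups      group bit values by name
 * @param int    $obj_id      c_uid of the target row in $tbl
 * @param string $tbl         target table name (interpolated as an identifier)
 * @param int    $user_id     c_uid of the requesting user
 * @param int    $user_groups bitmask of the requesting user's groups
 * @return string the query text
 * @throws InvalidArgumentException if $tbl is not a bare SQL identifier
 */
function build_object_privilege_query(array $permissions, array $groups, int $obj_id, string $tbl, int $user_id, int $user_groups): string
{
    // $tbl is spliced in as a table name, which cannot be bound as a query
    // parameter, so it is restricted to a bare identifier. Without this,
    // any request-derived value would be a SQL injection vector.
    if (preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $tbl) !== 1) {
        throw new InvalidArgumentException("invalid table name: $tbl");
    }
    // The remaining values are ints under strict_types, so interpolating
    // them is safe; a real caller should still prefer bound parameters.
    $query = "
select distinct ac.c_title
from
t_action as ac
-- join onto the object itself
inner join {$tbl} as obj on obj.c_uid = {$obj_id}
-- Filter out actions that do not apply to this object type
inner join t_implemented_action as ia
on ia.c_action = ac.c_title
and ia.c_table = '{$tbl}'
and ((ia.c_status = 0) or (ia.c_status & obj.c_status <> 0))
-- Privileges that apply to the object (or every object in the table)
-- and grant the given action
left outer join t_privilege as pr
on pr.c_related_table = '{$tbl}'
and pr.c_action = ac.c_title
and (
(pr.c_type = 'object' and pr.c_related_uid = {$obj_id})
or pr.c_type = 'global'
or (pr.c_role = 'self' and {$user_id} = {$obj_id} and '{$tbl}' = 't_user'))
where
-- The action must apply to objects
ac.c_apply_object
and (
-- Members of the 'root' group are always allowed to do everything
({$user_groups} & {$groups['root']} <> 0)
-- UNIX style read permissions in the bit field
or (ac.c_title = 'read' and (
-- The other_read permission bit is on
(obj.c_unixperms & {$permissions['other_read']} <> 0)
-- The owner_read permission bit is on, and the member is the owner
or ((obj.c_unixperms & {$permissions['owner_read']} <> 0)
and obj.c_owner = {$user_id})
-- The group_read permission bit is on, and the member is in the group
or ((obj.c_unixperms & {$permissions['group_read']} <> 0)
and ({$user_groups} & obj.c_group <> 0))))
-- UNIX style write permissions in the bit field
or (ac.c_title = 'write' and (
-- The other_write permission bit is on
(obj.c_unixperms & {$permissions['other_write']} <> 0)
-- The owner_write permission bit is on, and the member is the owner
or ((obj.c_unixperms & {$permissions['owner_write']} <> 0)
and obj.c_owner = {$user_id})
-- The group_write permission bit is on, and the member is in the group
or ((obj.c_unixperms & {$permissions['group_write']} <> 0)
and ({$user_groups} & obj.c_group <> 0))))
-- UNIX style delete permissions in the bit field
or (ac.c_title = 'delete' and (
-- The other_delete permission bit is on
(obj.c_unixperms & {$permissions['other_delete']} <> 0)
-- The owner_delete permission bit is on, and the member is the owner
or ((obj.c_unixperms & {$permissions['owner_delete']} <> 0)
and obj.c_owner = {$user_id})
-- The group_delete permission bit is on, and the member is in the group
or ((obj.c_unixperms & {$permissions['group_delete']} <> 0)
and ({$user_groups} & obj.c_group <> 0))))
-- user privileges
or (pr.c_role = 'user' and pr.c_who = {$user_id})
-- owner privileges
or (pr.c_role = 'owner' and obj.c_owner = {$user_id})
-- owner_group privileges
or (pr.c_role = 'owner_group' and (obj.c_group & {$user_groups} <> 0))
-- group privileges
or (pr.c_role = 'group' and (pr.c_who & {$user_groups} <> 0))
-- self privileges: only for the requesting user's own t_user row.
-- Kept inside the parenthesised group so ac.c_apply_object still applies,
-- and re-checked here because the join also admits c_type = 'global' rows.
or (pr.c_role = 'self' and {$user_id} = {$obj_id} and '{$tbl}' = 't_user'));
";
    return $query;
}

$obj_id = 2;
$tbl = 't_user';
$user_id = 2;
$user_groups = 4;
$query = build_object_privilege_query($permissions, $groups, $obj_id, $tbl, $user_id, $user_groups);
echo $query;
?>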