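/**
 * Checks whether the current user may perform a WebDAV action.
 *
 * Two layers are evaluated:
 *  1. CheckRights() — the path-level check, always performed;
 *  2. the action-level check (only when $simple is false), which validates the
 *     element descriptors in $arParams against either the extended rights model
 *     ($this->e_rights) or the plain iblock permission letter ($this->permission).
 *
 * Results of the action-level check are cached for the lifetime of the request
 * (function-static), keyed by action, element, from/to lists and user id.
 *
 * Side effects: sets $this->LAST_ERROR to the textual error list (empty string when
 * the check passed). The create-without-element and mkcol paths return early and
 * neither touch LAST_ERROR nor the cache.
 *
 * @param string $method   WebDAV method; a non-empty value makes CheckRights() "strong".
 * @param array  $arParams 'action'/'ACTION', 'arElement' (array descriptor or string path),
 *                         'from'/'to' (lists of descriptors for copy/move),
 *                         'create_element_in_section'.
 * @param bool   $simple   When true only CheckRights() is consulted.
 * @return mixed true when allowed, false when denied; the raw CheckRights() result
 *               when that check fails or $simple is true.
 */
function CheckWebRights($method = "", $arParams = array(), $simple = true)
{
    if ($this->withoutAuthorization)
    {
        return true;
    }

    $strong = ($method !== "");

    // The path for the basic check is taken from the element descriptor when one is given.
    $path = '';
    if (isset($arParams['arElement']))
    {
        if (is_array($arParams['arElement']))
            $path = (isset($arParams['arElement']['item_id']) ? $arParams['arElement']['item_id'] : '');
        elseif (is_string($arParams['arElement']))
            $path = $arParams['arElement'];
    }

    $result = $this->CheckRights($method, $strong, $path);
    if (!$result || $simple)
        return $result;

    if (is_set($arParams, "action"))
        $action = $arParams["action"];
    elseif (is_set($arParams, "ACTION"))
        $action = $arParams["ACTION"];
    else
        $action = "";
    $action = mb_strtolower($action);

    $arElement = (is_set($arParams, "arElement") ? $arParams["arElement"] : array());

    // Per-request verdict cache. The key carries everything the verdict depends on so
    // that a decision for one object is never reused for another one in the same request:
    // the from/to lists matter for copy/move, where arElement is usually absent.
    static $arErrors = array();
    $arKey = array(
        $action,
        (is_array($arElement) && isset($arElement["ID"]) ? $arElement["ID"] : null),
        (is_array($arElement) && isset($arElement["item_id"]) ? $arElement["item_id"] : null),
        $GLOBALS["USER"]->GetID(),
    );
    foreach (array('from', 'to') as $elm)
    {
        if (isset($arParams[$elm]) && is_array($arParams[$elm]))
            $arKey[] = $arParams[$elm];
    }
    $static_id = md5(serialize($arKey));

    $arError = array();
    if (array_key_exists($static_id, $arErrors))
    {
        $arError = $arErrors[$static_id];
    }
    else
    {
        if ($this->e_rights)
        {
            // Every descriptor handed in must refer to an existing object, except for the
            // actions whose target legitimately does not exist yet.
            foreach (array('arElement', 'from', 'to') as $elm)
            {
                if (!is_set($arParams, $elm))
                    continue;
                $notFound = (!isset($arParams[$elm]['not_found']) || ($arParams[$elm]['not_found'] === true));
                if ($notFound && !in_array($action, array('create', 'copy', 'move', 'mkcol'), true))
                    $arError[] = array("id" => "bad_element", "text" => GetMessage("WD_FILE_ERROR105"));
            }

            if (empty($arError))
            {
                switch ($action)
                {
                    case 'copy':
                        // from[] / to[]: each source must be bindable into its destination.
                        $arTo = (isset($arParams['to']) ? $arParams['to'] : array());
                        $arFrom = (isset($arParams['from']) ? $arParams['from'] : array());
                        $nCount = min(count($arTo), count($arFrom));
                        for ($i = 0; $i < $nCount; $i++)
                        {
                            $To = $arTo[$i];
                            $From = $arFrom[$i];
                            // NOTE(review): copy keys on 'is_file' while every other action keys on
                            // 'is_dir' — confirm the descriptors carry both flags.
                            $type = (!empty($To['is_file']) ? 'ELEMENT' : 'SECTION');
                            $id = (!empty($To['not_found']) ? $To['parent_id'] : $To['item_id']);
                            $op = (!empty($From['is_file']) ? 'section_element_bind' : 'section_section_bind');
                            if (!$this->GetPermission($type, $id, $op))
                                $arError[] = $this->_wrDenied("");
                        }
                        break;

                    case 'create':
                    case 'mkcol':
                        if (empty($arElement))
                        {
                            // No target descriptor: decide on the current object alone.
                            // This returns directly, bypassing the cache and LAST_ERROR.
                            $arParent = $this->GetObject();
                            $bAllowEdit = false;
                            if ($arParent['not_found'] === false)
                            {
                                $bAllowEdit = $this->GetPermission(
                                    ($arParent['is_file'] ? 'ELEMENT' : 'SECTION'),
                                    $arParent['item_id'],
                                    'element_edit'
                                );
                            }
                            return $bAllowEdit;
                        }

                        // The bind right is checked on the parent section, or on the iblock
                        // itself when the new object lands at the root.
                        $type = 'SECTION';
                        if (isset($arElement['parent_id']) && $arElement['parent_id'] > 0)
                        {
                            $id = $arElement['parent_id'];
                        }
                        else
                        {
                            $id = $this->IBLOCK_ID;
                            $type = 'IBLOCK';
                        }

                        if ($action == 'mkcol')
                            return $this->GetPermission($type, $id, 'section_section_bind'); // early return, see docblock

                        if (!empty($arElement['is_dir']))
                        {
                            if (!$this->GetPermission($type, $id, 'section_section_bind'))
                                $arError[] = $this->_wrDenied("");
                        }
                        elseif (!empty($arParams['create_element_in_section']) || ($this->workflow != "workflow" && $this->workflow != "bizproc"))
                        {
                            if (!$this->GetPermission($type, $id, 'section_element_bind'))
                                $arError[] = $this->_wrDenied("cannot_create");
                        }
                        elseif ($this->workflow == "workflow")
                        {
                            if (!$this->_wrWorkflowHasStatuses())
                                $arError[] = $this->_wrDenied("bad_wf_statuses");
                        }
                        elseif ($this->workflow == 'bizproc')
                        {
                            if (!$this->_wrBizprocCanCreateDocument())
                                $arError[] = $this->_wrDenied("bad_bizproc_permision");
                        }
                        break;

                    case 'delete':
                    case 'undelete':
                        // "delete" is a move to the trash; the move itself is checked by the caller later.
                        if (!empty($arElement['is_dir']))
                            $res = $this->GetPermission('SECTION', $arElement['item_id'], 'section_delete', false);
                        else
                            $res = $this->GetPermission('ELEMENT', $arElement['item_id'], 'element_delete');
                        if (!$res)
                            $arError[] = $this->_wrDenied("");
                        break;

                    case 'destroy':
                        $isDir = !empty($arElement['is_dir']);
                        $res = $this->GetPermission(
                            ($isDir ? 'SECTION' : 'ELEMENT'),
                            $arElement['item_id'],
                            ($isDir ? 'section_delete' : 'element_delete'),
                            false
                        );
                        if (!$res)
                            $arError[] = $this->_wrDenied("");
                        break;

                    case 'edit':
                    case 'lock':
                    case 'proppatch':
                    case 'delete_dropped':
                        $id = $arElement['item_id'];
                        if (!empty($arElement['is_dir']))
                        {
                            if (!$this->GetPermission('SECTION', $id, 'section_edit'))
                                $arError[] = $this->_wrDenied("");
                        }
                        elseif (isset($arElement["LOCK_STATUS_BP"]) && $arElement["LOCK_STATUS_BP"] == "red")
                        {
                            $arError[] = array("id" => "locked", "text" => GetMessage("WD_FILE_ERROR107"));
                        }
                        elseif ($this->check_creator && $arElement["CREATED_BY"] != $GLOBALS["USER"]->GetID())
                        {
                            $arError[] = array("id" => "bad_author", "text" => GetMessage("WD_FILE_ERROR108"));
                        }
                        elseif ($this->GetPermission('ELEMENT', $id, 'element_edit_any_wf_status'))
                        {
                            // Allowed regardless of the workflow state.
                        }
                        elseif ($this->workflow == "workflow" && $this->GetPermission('ELEMENT', $id, 'element_edit'))
                        {
                            if (!$this->_wrWorkflowStatusAllowsEdit($arElement))
                                $arError[] = array("id" => "bad_wf_status_permission", "text" => GetMessage("WD_FILE_ERROR109"));
                        }
                        elseif ($this->workflow == 'bizproc' && $this->GetPermission('ELEMENT', $id, 'element_edit'))
                        {
                            if (!$this->_wrBizprocCanWriteElement($arElement))
                                $arError[] = $this->_wrDenied("bad_bizproc_permision");
                        }
                        else
                        {
                            $arError[] = $this->_wrDenied("bad_permision");
                        }
                        break;

                    case 'read':
                    case 'propfind':
                        if ($arElement)
                        {
                            $isDir = !empty($arElement['is_dir']);
                            $type = ($isDir ? 'SECTION' : 'ELEMENT');
                            $id = $arElement['item_id'];
                            if (!$this->GetPermission($type, $id, ($isDir ? 'section_read' : 'element_read')))
                                $arError[] = $this->_wrDenied("bad_permision");
                            // Browsing the trash folder additionally requires section_delete on it.
                            if ($isDir && $id == $this->GetMetaID('TRASH') && !$this->GetPermission($type, $id, 'section_delete'))
                                $arError[] = $this->_wrDenied("bad_permision");
                        }
                        elseif (!$this->GetPermission('IBLOCK', $this->IBLOCK_ID, 'section_read'))
                        {
                            $arError[] = $this->_wrDenied("bad_permision");
                        }
                        break;

                    case 'move':
                        // from[] / to[] (recursion into folders is handled by the caller).
                        $arTo = (isset($arParams['to']) ? $arParams['to'] : array());
                        $arFrom = (isset($arParams['from']) ? $arParams['from'] : array());
                        $nCount = min(count($arTo), count($arFrom));
                        for ($i = 0; $i < $nCount; $i++)
                        {
                            $To = $arTo[$i];
                            $From = $arFrom[$i];
                            $fromIsDir = !empty($From['is_dir']);

                            // The source must be editable.
                            $op = ($fromIsDir ? 'section_edit' : 'element_edit');
                            if (!$this->GetPermission(($fromIsDir ? 'SECTION' : 'ELEMENT'), $From['item_id'], $op))
                                $arError[] = $this->_wrDenied("bad_permision");

                            // The bind right on the destination depends on what is being moved
                            // (the single source descriptor, not the whole 'from' list): a folder
                            // needs section_section_bind, a file section_element_bind.
                            $bindOp = ($fromIsDir ? 'section_section_bind' : 'section_element_bind'); // TODO: bizproc ?
                            if (!empty($To['not_found']))
                            {
                                $type = 'SECTION';
                                $id = $To['parent_id'];
                                $op = $bindOp;
                            }
                            else
                            {
                                $toIsDir = !empty($To['is_dir']);
                                $type = ($toIsDir ? 'SECTION' : 'ELEMENT');
                                $id = $To['item_id'];
                                $op = ($toIsDir ? $bindOp : 'element_edit');
                            }
                            if (!$this->GetPermission($type, $id, $op))
                                $arError[] = $this->_wrDenied("bad_permision");
                        }
                        break;

                    default:
                        // NOTE(review): unrecognised actions pass the extended check without an
                        // error (the plain-permission branch below rejects them with bad_action);
                        // confirm this asymmetry is intended.
                        break;
                }
            }
        }
        else
        {
            // Plain iblock permission letters: D < R < U < W < X (string comparison).
            if ($this->permission < "R")
            {
                $arError[] = $this->_wrDenied("cannot_read");
            }
            elseif ($this->permission > "U" || $action == "read" || $action == "propfind")
            {
                // Full access, or a read-only action: nothing more to check.
            }
            elseif ($this->permission < "U")
            {
                $arError[] = $this->_wrDenied("cannot_workflow");
            }
            elseif ($action == "create")
            {
                if ($this->workflow != "workflow" && $this->workflow != "bizproc")
                {
                    $arError[] = $this->_wrDenied("cannot_write");
                }
                elseif ($this->workflow == "workflow")
                {
                    if (!$this->_wrWorkflowHasStatuses())
                        $arError[] = $this->_wrDenied("bad_wf_statuses");
                }
                elseif ($this->workflow == 'bizproc')
                {
                    if (!$this->_wrBizprocCanCreateDocument())
                        $arError[] = $this->_wrDenied("bad_bizproc_permision");
                }
            }
            elseif (!is_array($arElement) || empty($arElement))
            {
                $arError[] = array("id" => "bad_element", "text" => GetMessage("WD_FILE_ERROR105"));
            }
            elseif ($action == "clone")
            {
                if ($this->workflow != "bizproc")
                {
                    $arError[] = array("id" => "bad_workflow", "text" => GetMessage("WD_FILE_ERROR106"));
                }
                // The user must be able to read the source document and to create a new one.
                // The pseudo-group is "Author" (capitalised) as in every other bizproc check here.
                elseif (!($arElement["PERMISSION"] >= "R" && $this->_wrBizprocCanCreateDocument()))
                {
                    $arError[] = $this->_wrDenied("bad_permission");
                }
            }
            elseif (!in_array($action, array("delete", "move", "edit", "unlock", "lock"), true))
            {
                $arError[] = array("id" => "bad_action", "text" => GetMessage("WD_ERROR_BAD_ACTION"));
            }
            elseif (isset($arElement["LOCK_STATUS_BP"]) && $arElement["LOCK_STATUS_BP"] == "red")
            {
                $arError[] = array("id" => "locked", "text" => GetMessage("WD_FILE_ERROR107"));
            }
            elseif (isset($arElement["LOCK_STATUS"]) && $arElement["LOCK_STATUS"] == "red"
                && ($action != "unlock" || !isset($arElement["SHOW"]["UNLOCK"]) || $arElement["SHOW"]["UNLOCK"] != "Y"))
            {
                // Locked by someone else; only an explicit unlock the UI permits gets through.
                $arError[] = array("id" => "locked", "text" => str_replace(
                    array("#ID#", "#DATE#"),
                    array($arElement["locked_by"], $arElement["date_lock"]),
                    GetMessage("WD_ERROR_ELEMENT_LOCKED")));
            }
            elseif ($this->check_creator && $arElement["CREATED_BY"] != $GLOBALS["USER"]->GetID())
            {
                $arError[] = array("id" => "bad_author", "text" => GetMessage("WD_FILE_ERROR108"));
            }
            elseif ($this->workflow == "workflow")
            {
                if (!$this->_wrWorkflowStatusAllowsEdit($arElement))
                    $arError[] = array("id" => "bad_wf_status_permission", "text" => GetMessage("WD_FILE_ERROR109"));
            }
            elseif ($this->workflow == 'bizproc')
            {
                if (!$this->_wrBizprocCanWriteElement($arElement))
                    $arError[] = $this->_wrDenied("bad_bizproc_permision");
            }
        }
        $arErrors[$static_id] = $arError;
    }

    // Publish the error text (a whitespace-only rendering of an empty list counts as none)
    // and report the verdict.
    $e = new CAdminException($arError);
    $this->LAST_ERROR = $e->GetString();
    if (trim($this->LAST_ERROR) === '')
        $this->LAST_ERROR = '';
    return empty($arError);
}

/**
 * Builds the generic "access denied" error entry used by CheckWebRights().
 *
 * @param string $id machine-readable error id ("" when the caller has none)
 * @return array{id:string,text:string}
 */
private function _wrDenied($id = "")
{
    return array("id" => $id, "text" => GetMessage("WD_ACCESS_DENIED"));
}

/**
 * True when at least one workflow status is defined; creating a document under the
 * "workflow" mode is impossible otherwise.
 *
 * @return bool
 */
private function _wrWorkflowHasStatuses()
{
    $db_res = CWorkflowStatus::GetDropDownList("N", "desc");
    return (bool)($db_res && $db_res->Fetch());
}

/**
 * True when the element's current workflow status lets the user edit it.
 * Mirrors the original rule: status id 1 is always editable, any later status
 * requires a status permission of at least 2 (assumed to mean "write").
 *
 * @param array $arElement element descriptor with 'item_id'
 * @return bool
 */
private function _wrWorkflowStatusAllowsEdit($arElement)
{
    $arWorkFlow = array("LAST_ID" => CIBlockElement::WF_GetLast($arElement["item_id"]));
    $arWorkFlow["STATUS_ID"] = CIBlockElement::WF_GetCurrentStatus($arWorkFlow["LAST_ID"], $arWorkFlow["STATUS_TITLE"]);
    $arWorkFlow["STATUS_PERMISSION"] = CIBlockElement::WF_GetStatusPermission($arWorkFlow["STATUS_ID"]);
    return !($arWorkFlow["STATUS_ID"] > 1 && $arWorkFlow["STATUS_PERMISSION"] < 2);
}

/**
 * True when the user may create a new bizproc document of this storage's document type.
 * The user is evaluated with the "Author" pseudo-group added, since they would be the
 * author of the new document.
 *
 * @return bool
 */
private function _wrBizprocCanCreateDocument()
{
    $arUserGroups = $this->USER["GROUPS"];
    $arUserGroups[] = "Author";
    $arDocumentStates = CBPDocument::GetDocumentStates($this->wfParams['DOCUMENT_TYPE'], null);
    return (bool)CBPDocument::CanUserOperateDocumentType(
        CBPCanUserOperateOperation::WriteDocument,
        $GLOBALS["USER"]->GetID(),
        $this->wfParams['DOCUMENT_TYPE'],
        array(
            "IBlockPermission" => $this->permission,
            "AllUserGroups" => $arUserGroups,
            "DocumentStates" => $arDocumentStates)
    );
}

/**
 * True when the user may write the given existing bizproc document.
 * The "Author" pseudo-group is granted only when the user created the element.
 *
 * @param array $arElement element descriptor with 'item_id' and 'CREATED_BY'
 * @return bool
 */
private function _wrBizprocCanWriteElement($arElement)
{
    // Document id = document type with the element id in the third slot.
    $documentId = $this->wfParams['DOCUMENT_TYPE'];
    $documentId[2] = $arElement["item_id"];
    $arDocumentStates = CBPDocument::GetDocumentStates($this->wfParams['DOCUMENT_TYPE'], $documentId);
    $arUserGroups = $this->USER["GROUPS"];
    if ($arElement["CREATED_BY"] == $GLOBALS["USER"]->GetID())
        $arUserGroups[] = "Author";
    return (bool)CBPDocument::CanUserOperateDocument(
        CBPCanUserOperateOperation::WriteDocument,
        $GLOBALS["USER"]->GetID(),
        $documentId,
        array(
            "IBlockPermission" => $this->permission,
            "AllUserGroups" => $arUserGroups,
            "DocumentStates" => $arDocumentStates)
    );
}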