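/**
 * Check permissions to edit table tl_form_field
 *
 * Administrators pass unconditionally. Every other user may only work on
 * form fields whose parent form ID is listed in $this->User->forms; any
 * other combination of "act"/"id"/"pid" is rejected by throwing an
 * AccessDeniedException (deny by default, including unknown "act" values).
 * All database lookups go through prepared statements with bound values.
 *
 * @throws Contao\CoreBundle\Exception\AccessDeniedException
 */
public function checkPermission()
{
    // Administrators are not restricted
    if ($this->User->isAdmin) {
        return;
    }

    // Set root IDs: the forms the user is allowed to access.
    // array(0) is a sentinel that matches no real form ID.
    if (!is_array($this->User->forms) || empty($this->User->forms)) {
        $root = array(0);
    } else {
        $root = $this->User->forms;
    }

    // Read the request parameters once. Input::get() returns null for a
    // missing key, and strlen(null) is deprecated on PHP 8.1+, hence "?? ''".
    $act = Input::get('act');
    $strId = Input::get('id') ?? '';
    $id = strlen($strId) ? $strId : CURRENT_ID;

    // NOTE(review): in_array() is deliberately non-strict below — $root
    // presumably holds integers while Input::get() yields strings, so a
    // strict comparison would deny legitimate access. Confirm before tightening.

    // Check current action
    switch ($act) {
        case 'paste':
            // Allow
            break;

        case 'create':
        case 'select':
            // The target form ("id") itself must be one of the user's forms
            if (!strlen($strId) || !in_array($strId, $root)) {
                throw new Contao\CoreBundle\Exception\AccessDeniedException('Not enough permissions to access form ID ' . $strId . '.');
            }
            break;

        case 'cut':
        case 'copy':
            $pid = Input::get('pid');

            // Get form ID: with mode 1 the "pid" is a sibling field, so
            // resolve its parent form first
            if (Input::get('mode') == 1) {
                $objField = $this->Database->prepare("SELECT pid FROM tl_form_field WHERE id=?")->limit(1)->execute(Input::get('pid'));

                if ($objField->numRows < 1) {
                    throw new Contao\CoreBundle\Exception\AccessDeniedException('Invalid form field ID ' . Input::get('pid') . '.');
                }

                $pid = $objField->pid;
            }

            // The destination form must be accessible ...
            if (!in_array($pid, $root)) {
                throw new Contao\CoreBundle\Exception\AccessDeniedException('Not enough permissions to ' . $act . ' form field ID ' . $id . ' to form ID ' . $pid . '.');
            }
            // ... and so must the source field, which the next case checks.
            // NO BREAK STATEMENT HERE (intentional fall-through)

        case 'edit':
        case 'show':
        case 'delete':
        case 'toggle':
            // The field's parent form must be one of the user's forms
            $objField = $this->Database->prepare("SELECT pid FROM tl_form_field WHERE id=?")->limit(1)->execute($id);

            if ($objField->numRows < 1) {
                throw new Contao\CoreBundle\Exception\AccessDeniedException('Invalid form field ID ' . $id . '.');
            }

            if (!in_array($objField->pid, $root)) {
                throw new Contao\CoreBundle\Exception\AccessDeniedException('Not enough permissions to ' . $act . ' form field ID ' . $id . ' of form ID ' . $objField->pid . '.');
            }
            break;

        case 'editAll':
        case 'deleteAll':
        case 'overrideAll':
        case 'cutAll':
        case 'copyAll':
            if (!in_array($id, $root)) {
                throw new Contao\CoreBundle\Exception\AccessDeniedException('Not enough permissions to access form ID ' . $id . '.');
            }

            // Note: a form that exists but has no fields yet is also rejected
            // here, because the query only returns its fields (kept as is)
            $objForm = $this->Database->prepare("SELECT id FROM tl_form_field WHERE pid=?")->execute($id);

            if ($objForm->numRows < 1) {
                throw new Contao\CoreBundle\Exception\AccessDeniedException('Invalid form ID ' . $id . '.');
            }

            /** @var Symfony\Component\HttpFoundation\Session\SessionInterface $objSession */
            $objSession = System::getContainer()->get('session');

            // Restrict the multi-select IDs in the session to fields of this
            // form, so a crafted selection cannot reach other forms' fields.
            // Guard against a missing CURRENT/IDS entry (array_intersect()
            // throws a TypeError on null under PHP 8).
            $session = $objSession->all();
            $session['CURRENT']['IDS'] = array_intersect($session['CURRENT']['IDS'] ?? array(), $objForm->fetchEach('id'));
            $objSession->replace($session);
            break;

        default:
            // Unknown commands are rejected; no command means listing a form,
            // which again requires access to that form
            if (strlen($act ?? '')) {
                throw new Contao\CoreBundle\Exception\AccessDeniedException('Invalid command "' . $act . '".');
            } elseif (!in_array($id, $root)) {
                throw new Contao\CoreBundle\Exception\AccessDeniedException('Not enough permissions to access form ID ' . $id . '.');
            }
            break;
    }
}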