/**
 * Converts the farm-related ACL rows of every account role to the new schema.
 *
 * For each row of acl_account_roles the method reads the old grants (the FARMS,
 * FARMS_SERVERS and FARMS_STATISTICS resources plus the "not-owned-farms",
 * "launch", "clone" and "manage" permissions on FARMS), deletes the role's
 * existing FARMS rows and writes grants for the FARMS / OWN_FARMS / TEAM_FARMS
 * resources. Once all roles are processed, the rows of the two deprecated
 * resources are deleted.
 *
 * Security-relevant behaviour visible in this block:
 *  - A grant that compares loosely equal to NULL counts as allowed unless the
 *    role is based on Acl::ROLE_ID_EVERYTHING_FORBIDDEN.
 *  - "Change ownership" is written as '0' for all-farms and team-farms on
 *    every converted role; on own farms it follows the old "manage" value.
 *
 * NOTE(review): the DELETEs and the writes that follow are issued as separate
 * statements and no transaction is opened here. Confirm the upgrade runner
 * wraps this step, otherwise an aborted run leaves a role with its farm rows
 * removed and not yet rewritten.
 */
protected function run8()
{
    $this->console->out('Converting acl rules to a new schema');

    // Permissions that are explicitly switched off when a farm scope is blocked.
    $blockablePermissions = [
        self::PERM_FARMS_MANAGE,
        Acl::PERM_FARMS_LAUNCH_TERMINATE,
        Acl::PERM_FARMS_CLONE,
        Acl::PERM_FARMS_SERVERS,
        Acl::PERM_FARMS_CHANGE_OWNERSHIP,
        Acl::PERM_FARMS_STATISTICS,
    ];
    $farmScopes = [Acl::RESOURCE_FARMS, Acl::RESOURCE_OWN_FARMS, Acl::RESOURCE_TEAM_FARMS];

    $accountRoles = $this->db->GetAll('SELECT account_role_id, role_id FROM acl_account_roles');

    foreach ($accountRoles as $row) {
        $roleId = $row['account_role_id'];
        // Roles derived from the "everything forbidden" base role never get implicit grants.
        $isDenyRole = $row['role_id'] == Acl::ROLE_ID_EVERYTHING_FORBIDDEN;

        // Snapshot the old grants first: the FARMS rows are deleted right below.
        $oldServers = $this->isGrantedAccountResource($roleId, self::RESOURCE_FARMS_SERVERS);
        $oldFarms = $this->isGrantedAccountResource($roleId, Acl::RESOURCE_FARMS);
        $oldStatistics = $this->isGrantedAccountResource($roleId, self::RESOURCE_FARMS_STATISTICS);
        $oldNotOwned = $this->isGrantedAccountPermission($roleId, Acl::RESOURCE_FARMS, 'not-owned-farms');
        $oldLaunch = $this->isGrantedAccountPermission($roleId, Acl::RESOURCE_FARMS, 'launch');
        $oldClone = $this->isGrantedAccountPermission($roleId, Acl::RESOURCE_FARMS, 'clone');
        $oldManage = $this->isGrantedAccountPermission($roleId, Acl::RESOURCE_FARMS, 'manage');

        // Drop the FARMS rows; depending on "not-owned-farms" they are written again below.
        $this->db->Execute("DELETE FROM `acl_account_role_resources` WHERE account_role_id = ? AND `resource_id` = ?", [$roleId, Acl::RESOURCE_FARMS]);
        $this->db->Execute("DELETE FROM `acl_account_role_resource_permissions` WHERE account_role_id = ? AND `resource_id` = ?", [$roleId, Acl::RESOURCE_FARMS]);

        // && binds tighter than ||, so the parentheses only spell out the existing grouping.
        // The comparisons are deliberately loose: anything loosely equal to NULL is an
        // implicit allow for a non-deny role.
        // NOTE(review): presumably the isGranted* helpers return NULL/false when no
        // explicit row exists - confirm against the helpers.
        $canViewFarms = $oldFarms == 1 || ($oldFarms == NULL && !$isDenyRole);
        $canViewAllFarms = $oldNotOwned == 1 || ($oldNotOwned == NULL && !$isDenyRole);

        if ($canViewFarms) {
            // Rules for the role's own farms: change-ownership follows the old "manage" value.
            $ownFarmRules = [
                [self::PERM_FARMS_MANAGE, $oldManage],
                [Acl::PERM_FARMS_CHANGE_OWNERSHIP, $oldManage],
                [Acl::PERM_FARMS_LAUNCH_TERMINATE, $oldLaunch],
                [Acl::PERM_FARMS_CLONE, $oldClone],
                [Acl::PERM_FARMS_SERVERS, $oldServers],
                [Acl::PERM_FARMS_STATISTICS, $oldStatistics],
            ];

            if ($canViewAllFarms) {
                // Access to all farms.
                foreach ($farmScopes as $scope) {
                    $this->setGrantedAccountResource($roleId, $scope, '1');
                }

                // Upgrade-specific requirement: change-ownership is disabled ('0') for
                // existing roles on all-farms and team-farms (base roles have it enabled).
                $sharedFarmRules = [
                    [self::PERM_FARMS_MANAGE, $oldManage],
                    [Acl::PERM_FARMS_CHANGE_OWNERSHIP, '0'],
                    [Acl::PERM_FARMS_LAUNCH_TERMINATE, $oldLaunch],
                    [Acl::PERM_FARMS_CLONE, $oldClone],
                    [Acl::PERM_FARMS_SERVERS, $oldServers],
                    [Acl::PERM_FARMS_STATISTICS, $oldStatistics],
                ];

                foreach ([Acl::RESOURCE_FARMS, Acl::RESOURCE_TEAM_FARMS] as $scope) {
                    foreach ($sharedFarmRules as $rule) {
                        $this->createAclPermissionRule($roleId, $rule[1], $scope, $rule[0], $isDenyRole);
                    }
                }
            } else {
                // Own farms only.
                $this->setGrantedAccountResource($roleId, Acl::RESOURCE_OWN_FARMS, '1');

                if (!$isDenyRole) {
                    // The role is not a deny role, so all-farms and team-farms are blocked
                    // explicitly, together with each of their permissions.
                    $this->setGrantedAccountResource($roleId, Acl::RESOURCE_FARMS, '0');
                    $this->setGrantedAccountResource($roleId, Acl::RESOURCE_TEAM_FARMS, '0');

                    foreach ($blockablePermissions as $permission) {
                        $this->setGrantedAccountPermission($roleId, Acl::RESOURCE_FARMS, $permission, '0');
                        $this->setGrantedAccountPermission($roleId, Acl::RESOURCE_TEAM_FARMS, $permission, '0');
                    }
                }
            }

            // Own-farm rules are written last in both cases above.
            foreach ($ownFarmRules as $rule) {
                $this->createAclPermissionRule($roleId, $rule[1], Acl::RESOURCE_OWN_FARMS, $rule[0], $isDenyRole);
            }
        } elseif ($oldFarms === '0' && !$isDenyRole) {
            // Farms were explicitly forbidden on a non-deny role: carry the block over
            // to all three new scopes and to each of their permissions.
            foreach ($farmScopes as $scope) {
                $this->setGrantedAccountResource($roleId, $scope, '0');

                foreach ($blockablePermissions as $permission) {
                    $this->setGrantedAccountPermission($roleId, $scope, $permission, '0');
                }
            }
        }
    }

    // Removes deprecated resources.
    // NOTE(review): permission rows are deleted for RESOURCE_FARMS_SERVERS only - confirm
    // that RESOURCE_FARMS_STATISTICS never had rows in acl_account_role_resource_permissions.
    $this->db->Execute("DELETE FROM `acl_account_role_resources` WHERE `resource_id` IN (?, ?)", [self::RESOURCE_FARMS_SERVERS, self::RESOURCE_FARMS_STATISTICS]);
    $this->db->Execute("DELETE FROM `acl_account_role_resource_permissions` WHERE `resource_id` = ?", [self::RESOURCE_FARMS_SERVERS]);
}