User->recursive = 0; global $user; # We should actually be able to list our own user, but I'm not bothering at this time. if ($user['System'] == 'None' ) { throw new UnauthorizedException(__('Insufficient Privileges')); return; } $users = $this->Paginator->paginate('User'); $this->set(compact('users')); } /** * view method * * @throws NotFoundException * @param string $id * @return void */ public function view($id = null) { $this->User->recursive = 1; global $user; # We can view ourselves $canView = ($user['System'] != 'None') or ($user['Id'] == $id); if (!$canView) { throw new UnauthorizedException(__('Insufficient Privileges')); return; } if (!$this->User->exists($id)) { throw new NotFoundException(__('Invalid user')); } $options = array('conditions' => array('User.' . $this->User->primaryKey => $id)); $user = $this->User->find('first', $options); $this->set(array( 'user' => $user, '_serialize' => array('user') )); } /** * add method * * @return void */ public function add() { ZM\Debug(1, "in add"); if ($this->request->is('post')) { ZM\Debug(1, "is post"); global $user; if ($user['System'] != 'Edit') { throw new UnauthorizedException(__('Insufficient Privileges')); return; } $this->User->create(); if ($this->User->save($this->request->data)) { $message = 'Saved'; } else { $message = 'Error'; // if there is a validation message, use it if (!$this->User->validates()) { $message = $this->User->validationErrors; } } } else { $message = 'Add without post data'; } $this->set(array( 'user' => $this->User, 'message' => $message, '_serialize' => array('message') )); } /** * edit method * * @throws NotFoundException * @param string $id * @return void */ public function edit($id = null) { $this->User->id = $id; global $user; $canEdit = ($user['System'] == 'Edit') or (($user['Id'] == $id) and ZM_USER_SELF_EDIT); if (!$canEdit) { throw new UnauthorizedException(__('Insufficient Privileges')); return; } if (!$this->User->exists($id)) { throw new NotFoundException(__('Invalid user')); } if ($this->request->is('post') || $this->request->is('put')) { if ( $this->User->save($this->request->data) ) { $message = 'Saved'; } else { $message = 'Error'; if (!$this->User->validates()) { $message = $this->User->validationErrors; } } } else { # What is this doing? Resetting the request data? I understand clearing the password field # but generally I feel like the request data should be read only $this->request->data = $this->User->read(null, $id); unset($this->request->data['User']['Password']); } $this->set(array( 'message' => $message, '_serialize' => array('message') )); } /** * delete method * * @throws NotFoundException * @param string $id * @return void */ public function delete($id = null) { $this->User->id = $id; global $user; # Can't delete ourselves if ( ($user['System'] != 'Edit') or ($user['Id'] == $id) ) { throw new UnauthorizedException(__('Insufficient Privileges')); return; } if ( !$this->User->exists() ) { throw new NotFoundException(__('Invalid user')); } $this->request->allowMethod('post', 'delete'); if ($this->User->delete()) { $message = 'The user has been deleted.'; } else { $message = 'The user could not be deleted. Please, try again.'; } $this->set(array( 'message' => $message, '_serialize' => array('message') )); } } # end class UsersController