1 <?php
2 /*
3 * This code is part of GOsa (http://www.gosa-project.org)
4 * Copyright (C) 2003-2008 GONICUS GmbH
5 *
6 * ID: $$Id$$
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21 */
23 class acl extends plugin
24 {
25 /* Definitions */
26 var $plHeadline= "Access control";
27 var $plDescription= "Manage access control lists";
29 /* attribute list for save action */
30 var $attributes= array('gosaAclEntry');
31 var $objectclasses= array('gosaAcl');
33 /* Helpers */
34 var $dialogState= "head";
35 var $gosaAclEntry= array();
36 var $aclType= "";
37 var $aclObject= "";
38 var $aclContents= array();
39 var $target= "group";
40 var $aclTypes= array();
41 var $aclObjects= array();
42 var $aclFilter= "";
43 var $aclMyObjects= array();
44 var $users= array();
45 var $roles= array();
46 var $groups= array();
47 var $recipients= array();
48 var $isContainer= FALSE;
49 var $currentIndex= 0;
50 var $wasNewEntry= FALSE;
51 var $ocMapping= array();
52 var $savedAclContents= array();
53 var $myAclObjects = array();
55 function acl (&$config, $parent, $dn= NULL)
56 {
57 /* Include config object */
58 plugin::plugin($config, $dn);
60 /* Load ACL's */
61 $this->gosaAclEntry= array();
62 if (isset($this->attrs['gosaAclEntry'])){
63 for ($i= 0; $i<$this->attrs['gosaAclEntry']['count']; $i++){
64 $acl= $this->attrs['gosaAclEntry'][$i];
65 $this->gosaAclEntry= array_merge($this->gosaAclEntry, acl::explodeACL($acl));
66 }
67 }
68 ksort($this->gosaAclEntry);
70 /* Save parent - we've to know more about it than other plugins... */
71 $this->parent= &$parent;
73 /* Container? */
74 if (preg_match('/^(o|ou|c|l|dc)=/i', $dn)){
75 $this->isContainer= TRUE;
76 }
78 /* Users */
79 $ui= get_userinfo();
80 $tag= $ui->gosaUnitTag;
81 $ldap= $config->get_ldap_link();
82 $ldap->cd($config->current['BASE']);
83 if ($tag == ""){
84 $ldap->search('(objectClass=gosaAccount)', array('uid', 'cn'));
85 } else {
86 $ldap->search('(&(objectClass=gosaAccount)(gosaUnitTag='.$tag.'))', array('uid', 'cn'));
87 }
88 while ($attrs= $ldap->fetch()){
89 $this->users['U:'.$attrs['dn']]= $attrs['cn'][0].' ['.$attrs['uid'][0].']';
90 }
91 ksort($this->users);
93 /* Groups */
94 $ldap->cd($config->current['BASE']);
95 # if ($tag == ""){
96 $ldap->search('(objectClass=posixGroup)', array('cn', 'description'));
97 # } else {
98 # $ldap->search('(&(objectClass=posixGroup)(gosaUnitTag='.$tag.'))', array('cn', 'description'));
99 # }
100 while ($attrs= $ldap->fetch()){
101 $dsc= "";
102 if (isset($attrs['description'][0])){
103 $dsc= $attrs['description'][0];
104 }
105 $this->groups['G:'.$attrs['dn']]= $attrs['cn'][0].' ['.$dsc.']';
106 }
107 ksort($this->groups);
109 /* Roles */
110 $ldap->cd($config->current['BASE']);
111 # if ($tag == ""){
112 $ldap->search('(objectClass=gosaRole)', array('cn', 'description','gosaAclTemplate','dn'));
113 # } else {
114 # $ldap->search('(&(objectClass=gosaRole)(gosaUnitTag='.$tag.'))', array('cn', 'description','gosaAclTemplate','dn'));
115 # }
116 while ($attrs= $ldap->fetch()){
117 $dsc= "";
118 if (isset($attrs['description'][0])){
119 $dsc= $attrs['description'][0];
120 }
122 $role_id = $attrs['dn'];
124 $this->roles[$role_id]['acls'] =array();
125 for ($i= 0; $i < $attrs['gosaAclTemplate']['count']; $i++){
126 $acl= $attrs['gosaAclTemplate'][$i];
127 $this->roles[$role_id]['acls'] = array_merge($this->roles[$role_id]['acls'],acl::explodeACL($acl));
128 }
129 $this->roles[$role_id]['description'] = $dsc;
130 $this->roles[$role_id]['cn'] = $attrs['cn'][0];
131 }
133 /* Objects */
134 $tmp= session::get('plist');
135 $plist= $tmp->info;
136 $cats = array();
137 if (isset($this->parent) && $this->parent !== NULL){
138 $oc= array();
139 foreach ($this->parent->by_object as $key => $obj){
140 $oc= array_merge($oc, $obj->objectclasses);
141 if(isset($obj->acl_category)){
142 $cats[preg_replace("/\//","",$obj->acl_category)] = preg_replace("/\//","",$obj->acl_category);
143 }
144 }
145 if (in_array_ics('organizationalUnit', $oc)){
146 $this->isContainer= TRUE;
147 }
148 } else {
149 $oc= $this->attrs['objectClass'];
150 }
152 /* Extract available categories from plugin info list */
153 foreach ($plist as $class => $acls){
155 /* Only feed categories */
156 if (isset($acls['plCategory'])){
158 /* Walk through supplied list and feed only translated categories */
159 foreach($acls['plCategory'] as $idx => $data){
161 /* Non numeric index means -> base object containing more informations */
162 if (preg_match('/^[0-9]+$/', $idx)){
164 if (!isset($this->ocMapping[$data])){
165 $this->ocMapping[$data]= array();
166 $this->ocMapping[$data][]= '0';
167 }
169 if(isset($cats[$data])){
170 $this->myAclObjects[$data.'/'.$class]= $acls['plDescription'];
171 }
172 $this->ocMapping[$data][]= $class;
173 } else {
174 if (!isset($this->ocMapping[$idx])){
175 $this->ocMapping[$idx]= array();
176 $this->ocMapping[$idx][]= '0';
177 }
178 $this->ocMapping[$idx][]= $class;
179 $this->aclObjects[$idx]= $data['description'];
181 /* Additionally filter the classes we're interested in in "self edit" mode */
182 if (is_array($data['objectClass'])){
183 foreach($data['objectClass'] as $objectClass){
184 if (in_array_ics($objectClass, $oc)){
185 $this->myAclObjects[$idx.'/'.$class]= $acls['plDescription'];
186 break;
187 }
188 }
189 } else {
190 if (in_array_ics($data['objectClass'], $oc)){
191 $this->myAclObjects[$idx.'/'.$class]= $acls['plDescription'];
192 }
193 }
194 }
196 }
197 }
198 }
199 $this->aclObjects['all']= '* '._("All categories");
200 $this->ocMapping['all']= array('0' => 'all');
202 /* Sort categories */
203 asort($this->aclObjects);
205 /* Fill acl types */
206 if ($this->isContainer){
207 $this->aclTypes= array("reset" => _("Reset ACLs"),
208 "one" => _("One level"),
209 "base" => _("Current object"),
210 "sub" => _("Complete subtree"),
211 "psub" => _("Complete subtree (permanent)"),
212 "role" => _("Use ACL defined in role"));
213 } else {
214 $this->aclTypes= array("base" => _("Current object"),
215 "role" => _("Use ACL defined in role"));
216 }
217 asort($this->aclTypes);
218 $this->targets= array("user" => _("Users"), "group" => _("Groups"));
219 asort($this->targets);
221 /* Finally - we want to get saved... */
222 $this->is_account= TRUE;
223 }
226 function execute()
227 {
228 /* Call parent execute */
229 plugin::execute();
231 $tmp= session::get('plist');
232 $plist= $tmp->info;
234 /* Handle posts */
235 if (isset($_POST['new_acl'])){
236 $this->dialogState= 'create';
237 $this->dialog= TRUE;
238 $this->currentIndex= count($this->gosaAclEntry);
239 $this->loadAclEntry(TRUE);
240 }
242 $new_acl= array();
243 $aclDialog= FALSE;
244 $firstedit= FALSE;
246 /* Only handle posts, if we allowed to modify ACLs
247 */
248 if($this->acl_is_writeable("")){
249 foreach($_POST as $name => $post){
251 /* Actions... */
252 if (preg_match('/^acl_edit_.*_x/', $name)){
253 $this->dialogState= 'create';
254 $firstedit= TRUE;
255 $this->dialog= TRUE;
256 $this->currentIndex= preg_replace('/^acl_edit_([0-9]+).*$/', '\1', $name);
257 $this->loadAclEntry();
258 continue;
259 }
260 if (preg_match('/^acl_del_.*_x/', $name)){
261 unset($this->gosaAclEntry[preg_replace('/^acl_del_([0-9]+).*$/', '\1', $name)]);
262 continue;
263 }
265 if (preg_match('/^cat_edit_.*_x/', $name)){
266 $this->aclObject= preg_replace('/^cat_edit_([^_]+)_.*$/', '\1', $name);
267 $this->dialogState= 'edit';
268 foreach ($this->ocMapping[$this->aclObject] as $oc){
269 if (isset($this->aclContents[$oc])){
270 $this->savedAclContents[$oc]= $this->aclContents[$oc];
271 }
272 }
273 continue;
274 }
275 if (preg_match('/^cat_del_.*_x/', $name)){
276 $idx= preg_replace('/^cat_del_([^_]+)_.*$/', '\1', $name);
277 foreach ($this->ocMapping[$idx] as $key){
278 unset($this->aclContents["$idx/$key"]);
279 }
280 continue;
281 }
283 /* Sorting... */
284 if (preg_match('/^sortup_.*_x/', $name)){
285 $index= preg_replace('/^sortup_([0-9]+).*$/', '\1', $name);
286 if ($index > 0){
287 $tmp= $this->gosaAclEntry[$index];
288 $this->gosaAclEntry[$index]= $this->gosaAclEntry[$index-1];
289 $this->gosaAclEntry[$index-1]= $tmp;
290 }
291 continue;
292 }
293 if (preg_match('/^sortdown_.*_x/', $name)){
294 $index= preg_replace('/^sortdown_([0-9]+).*$/', '\1', $name);
295 if ($index < count($this->gosaAclEntry)-1){
296 $tmp= $this->gosaAclEntry[$index];
297 $this->gosaAclEntry[$index]= $this->gosaAclEntry[$index+1];
298 $this->gosaAclEntry[$index+1]= $tmp;
299 }
300 continue;
301 }
303 /* ACL saving... */
304 if (preg_match('/^acl_.*_[^xy]$/', $name)){
305 $aclDialog= TRUE;
306 list($dummy, $object, $attribute, $value)= split('_', $name);
308 /* Skip for detection entry */
309 if ($object == 'dummy') {
310 continue;
311 }
313 /* Ordinary ACLs */
314 if (!isset($new_acl[$object])){
315 $new_acl[$object]= array();
316 }
317 if (isset($new_acl[$object][$attribute])){
318 $new_acl[$object][$attribute].= $value;
319 } else {
320 $new_acl[$object][$attribute]= $value;
321 }
322 }
324 if(isset($_POST['selected_role'])){
325 $this->aclContents = "";
326 $this->aclContents = base64_decode($_POST['selected_role']);
327 }
328 }
329 }
331 if($this->acl_is_writeable("")){
333 /* Only be interested in new acl's, if we're in the right _POST place */
334 if ($aclDialog && $this->aclObject != "" && is_array($this->ocMapping[$this->aclObject])){
336 foreach ($this->ocMapping[$this->aclObject] as $oc){
338 if(isset($this->aclContents[$oc]) && is_array($this->aclContents)){
339 unset($this->aclContents[$oc]);
340 unset($this->aclContents[$this->aclObject.'/'.$oc]);
341 }else{
342 # trigger_error("Huhm?");
343 }
344 if (isset($new_acl[$oc]) && is_array($new_acl)){
345 $this->aclContents[$oc]= $new_acl[$oc];
346 }
347 if (isset($new_acl[$this->aclObject.'/'.$oc]) && is_array($new_acl)){
348 $this->aclContents[$this->aclObject.'/'.$oc]= $new_acl[$this->aclObject.'/'.$oc];
349 }
350 }
351 }
353 /* Save new acl in case of base edit mode */
354 if ($this->aclType == 'base' && !$firstedit){
355 $this->aclContents= $new_acl;
356 }
357 }
359 /* Cancel new acl? */
360 if (isset($_POST['cancel_new_acl'])){
361 $this->dialogState= 'head';
362 $this->dialog= FALSE;
363 if ($this->wasNewEntry){
364 unset ($this->gosaAclEntry[$this->currentIndex]);
365 }
366 }
368 /* Store ACL in main object? */
369 if (isset($_POST['submit_new_acl'])){
370 $this->gosaAclEntry[$this->currentIndex]['type']= $this->aclType;
371 $this->gosaAclEntry[$this->currentIndex]['members']= $this->recipients;
372 $this->gosaAclEntry[$this->currentIndex]['acl']= $this->aclContents;
373 $this->gosaAclEntry[$this->currentIndex]['filter']= $this->aclFilter;
374 $this->dialogState= 'head';
375 $this->dialog= FALSE;
376 }
378 /* Cancel edit acl? */
379 if (isset($_POST['cancel_edit_acl'])){
380 $this->dialogState= 'create';
381 foreach ($this->ocMapping[$this->aclObject] as $oc){
382 if (isset($this->savedAclContents[$oc])){
383 $this->aclContents[$oc]= $this->savedAclContents[$oc];
384 }
385 }
386 }
388 /* Save edit acl? */
389 if (isset($_POST['submit_edit_acl'])){
390 $this->dialogState= 'create';
391 }
393 /* Add acl? */
394 if (isset($_POST['add_acl']) && $_POST['aclObject'] != ""){
395 $this->dialogState= 'edit';
396 $this->savedAclContents= array();
397 foreach ($this->ocMapping[$this->aclObject] as $oc){
398 if (isset($this->aclContents[$oc])){
399 $this->savedAclContents[$oc]= $this->aclContents[$oc];
400 }
401 }
402 }
404 /* Add to list? */
405 if (isset($_POST['add']) && isset($_POST['source'])){
406 foreach ($_POST['source'] as $key){
407 if ($this->target == 'user'){
408 $this->recipients[$key]= $this->users[$key];
409 }
410 if ($this->target == 'group'){
411 $this->recipients[$key]= $this->groups[$key];
412 }
413 }
414 ksort($this->recipients);
415 }
417 /* Remove from list? */
418 if (isset($_POST['del']) && isset($_POST['recipient'])){
419 foreach ($_POST['recipient'] as $key){
420 unset($this->recipients[$key]);
421 }
422 }
424 /* Save common values */
425 if($this->acl_is_writeable("")){
426 foreach (array("aclType","aclFilter", "aclObject", "target") as $key){
427 if (isset($_POST[$key])){
428 $this->$key= validate($_POST[$key]);
429 }
430 }
431 }
433 /* Create templating instance */
434 $smarty= get_smarty();
436 if ($this->dialogState == 'head'){
437 /* Draw list */
438 $aclList= new divSelectBox("aclList");
439 $aclList->SetHeight(450);
441 /* Fill in entries */
442 foreach ($this->gosaAclEntry as $key => $entry){
443 if(!$this->acl_is_readable("")) continue;
445 $action ="";
447 $field1= array("string" => $this->aclTypes[$entry['type']], "attach" => "style='width:150px'");
448 $field2= array("string" => $this->assembleAclSummary($entry));
450 if($this->acl_is_writeable("")){
451 $action.= "<input type='image' name='sortup_$key' alt='up' title='"._("Up")."' src='images/lists/sort-up.png' align='top'>";
452 $action.= "<input type='image' name='sortdown_$key' alt='down' title='"._("Down")."' src='images/lists/sort-down.png'>";
453 }
455 $action.= "<input class='center' type='image' src='images/lists/edit.png' alt='"._("Edit")."' name='acl_edit_$key' title='".msgPool::editButton(_("ACL"))."'>";
457 if($this->acl_is_removeable()){
458 $action.= "<input class='center' type='image' src='images/lists/trash.png' alt='"._("Delete")."' name='acl_del_$key' title='".msgPool::delButton(_("ACL"))."'>";
459 }
461 $field3= array("string" => $action, "attach" => "style='border-right:0px;width:50px;text-align:right;'");
462 $aclList->AddEntry(array($field1, $field2, $field3));
463 }
465 $smarty->assign("aclList", $aclList->DrawList());
466 }
468 if ($this->dialogState == 'create'){
469 /* Draw list */
470 $aclList= new divSelectBox("aclList");
471 $aclList->SetHeight(150);
473 /* Add settings for all categories to the (permanent) list */
474 foreach ($this->aclObjects as $section => $dsc){
475 $summary= "";
476 foreach($this->ocMapping[$section] as $oc){
477 if (isset($this->aclContents[$oc]) && count($this->aclContents[$oc]) && isset($this->aclContents[$oc][0]) &&
478 $this->aclContents[$oc][0] != ""){
480 $summary.= "$oc, ";
481 continue;
482 }
483 if (isset($this->aclContents["$section/$oc"]) && count($this->aclContents["$section/$oc"])){
484 $summary.= "$oc, ";
485 continue;
486 }
487 if (isset($this->aclContents[$oc]) && !isset($this->aclContents[$oc][0]) && count($this->aclContents[$oc])){
488 $summary.= "$oc, ";
489 }
490 }
492 /* Set summary... */
493 if ($summary == ""){
494 $summary= '<i>'._("No ACL settings for this category!").'</i>';
495 } else {
496 $summary= sprintf(_("Contains ACLs for these objects: %s"), preg_replace('/, $/', '', $summary));
497 }
499 $field1= array("string" => $dsc, "attach" => "style='width:100px'");
500 $field2= array("string" => $summary);
501 $action= "<input class='center' type='image' src='images/lists/edit.png' alt='"._("Edit")."' name='cat_edit_$section' title='".msgPool::editButton(_("category ACL"))."'>";
502 $action.= "<input class='center' type='image' src='images/lists/trash.png' alt='"._("Delete")."' name='cat_del_$section' title='".msgPool::delButton(_("category ACL"))."'>";
503 $field3= array("string" => $action, "attach" => "style='border-right:0px;width:50px'");
504 $aclList->AddEntry(array($field1, $field2, $field3));
505 }
507 $smarty->assign("aclList", $aclList->DrawList());
508 $smarty->assign("aclType", $this->aclType);
509 $smarty->assign("aclFilter", $this->aclFilter);
510 $smarty->assign("aclTypes", $this->aclTypes);
511 $smarty->assign("target", $this->target);
512 $smarty->assign("targets", $this->targets);
514 /* Assign possible target types */
515 $smarty->assign("targets", $this->targets);
516 foreach ($this->attributes as $attr){
517 $smarty->assign($attr, $this->$attr);
518 }
521 /* Generate list */
522 $tmp= array();
523 foreach (array("user" => "users", "group" => "groups") as $field => $arr){
524 if ($this->target == $field){
525 foreach ($this->$arr as $key => $value){
526 if (!isset($this->recipients[$key])){
527 $tmp[$key]= $value;
528 }
529 }
530 }
531 }
532 $smarty->assign('sources', $tmp);
533 $smarty->assign('recipients', $this->recipients);
535 /* Acl selector if scope is base */
536 if ($this->aclType == 'base'){
537 $smarty->assign('aclSelector', $this->buildAclSelector($this->myAclObjects));
538 }
540 /* Role selector if scope is base */
541 if ($this->aclType == 'role'){
542 $smarty->assign('roleSelector', "Role selector");#, $this->buildRoleSelector($this->myAclObjects));
543 $smarty->assign('roleSelector', $this->buildRoleSelector($this->roles));
544 }
545 }
547 if ($this->dialogState == 'edit'){
548 $smarty->assign('headline', sprintf(_("Edit ACL for '%s' - scope is '%s'"), $this->aclObjects[$this->aclObject], $this->aclTypes[$this->aclType]));
550 /* Collect objects for selected category */
551 foreach ($this->ocMapping[$this->aclObject] as $idx => $class){
552 if ($idx == 0){
553 continue;
554 }
555 $aclObjects[$this->aclObject.'/'.$class]= $plist[$class]['plDescription'];
556 }
557 if ($this->aclObject == 'all'){
558 $aclObjects['all']= _("All objects in current subtree");
559 }
561 /* Role selector if scope is base */
562 if ($this->aclType == 'role'){
563 $smarty->assign('roleSelector', $this->buildRoleSelector($this->roles));
564 } else {
565 $smarty->assign('aclSelector', $this->buildAclSelector($aclObjects));
566 }
567 }
569 /* Show main page */
570 $smarty->assign("dialogState", $this->dialogState);
572 /* Assign acls */
573 $smarty->assign("acl_createable",$this->acl_is_createable());
574 $smarty->assign("acl_writeable" ,$this->acl_is_writeable(""));
575 $smarty->assign("acl_readable" ,$this->acl_is_readable(""));
576 $smarty->assign("acl_removeable",$this->acl_is_removeable());
578 return ($smarty->fetch (get_template_path('acl.tpl')));
579 }
582 function sort_by_priority($list)
583 {
584 $tmp= session::get('plist');
585 $plist= $tmp->info;
586 asort($plist);
587 $newSort = array();
589 foreach($list as $name => $translation){
590 $na = preg_replace("/^.*\//","",$name);
591 $prio = 0;
592 if(isset($plist[$na]['plPriority'])){
593 $prio= $plist[$na]['plPriority'] ;
594 }
596 $newSort[$name] = $prio;
597 }
599 asort($newSort);
601 $ret = array();
602 foreach($newSort as $name => $prio){
603 $ret[$name] = $list[$name];
604 }
605 return($ret);
606 }
609 function buildRoleSelector($list)
610 {
611 $D_List =new divSelectBox("Acl_Roles");
613 $selected = $this->aclContents;
614 if(!is_string($this->aclContents) || !isset($list[$this->aclContents])){
615 $selected = key($list);
616 }
618 $str ="";
619 foreach($list as $dn => $values){
621 if($dn == $selected){
622 $option = "<input type='radio' name='selected_role' value='".base64_encode($dn)."' checked>";
623 }else{
624 $option = "<input type='radio' name='selected_role' value='".base64_encode($dn)."'>";
625 }
627 $field1 = array("string" => $option) ;
628 $field2 = array("string" => $values['cn'], "attach" => "style='width:200px;'") ;
629 $field3 = array("string" => $values['description'],"attach" => "style='border-right:0px;'") ;
631 $D_List->AddEntry(array($field1,$field2,$field3));
632 }
633 return($D_List->DrawList());
634 }
637 function buildAclSelector($list)
638 {
639 $display= "<input type='hidden' name='acl_dummy_0_0_0' value='1'>";
640 $cols= 3;
641 $tmp= session::get('plist');
642 $plist= $tmp->info;
643 asort($plist);
645 /* Add select all/none buttons */
646 $style = "style='width:100px;'";
648 if($this->acl_is_writeable("")){
649 $display .= "<input ".$style." type='button' name='toggle_all_create' onClick=\"acl_toggle_all('_0_c$');\" value='Toggle C'>";
650 $display .= "<input ".$style." type='button' name='toggle_all_move' onClick=\"acl_toggle_all('_0_m$');\" value='Toggle M'>";
651 $display .= "<input ".$style." type='button' name='toggle_all_remove' onClick=\"acl_toggle_all('_0_d$');\" value='Toggle D'> - ";
652 $display .= "<input ".$style." type='button' name='toggle_all_read' onClick=\"acl_toggle_all('_0_r$');\" value='Toggle R'>";
653 $display .= "<input ".$style." type='button' name='toggle_all_write' onClick=\"acl_toggle_all('_0_w$');\" value='Toggle W'> - ";
655 $display .= "<input ".$style." type='button' name='toggle_all_sub_read' onClick=\"acl_toggle_all('[^0]_r$');\" value='R+'>";
656 $display .= "<input ".$style." type='button' name='toggle_all_sub_write' onClick=\"acl_toggle_all('[^0]_w$');\" value='W+'>";
658 $display .= "<br>";
660 $style = "style='width:50px;'";
661 $display .= "<input ".$style." type='button' name='set_true_all_create' onClick=\"acl_set_all('_0_c$',true);\" value='C+'>";
662 $display .= "<input ".$style." type='button' name='set_false_all_create' onClick=\"acl_set_all('_0_c$',false);\" value='C-'>";
663 $display .= "<input ".$style." type='button' name='set_true_all_move' onClick=\"acl_set_all('_0_m$',true);\" value='M+'>";
664 $display .= "<input ".$style." type='button' name='set_false_all_move' onClick=\"acl_set_all('_0_m$',false);\" value='M-'>";
665 $display .= "<input ".$style." type='button' name='set_true_all_remove' onClick=\"acl_set_all('_0_d$',true);\" value='D+'>";
666 $display .= "<input ".$style." type='button' name='set_false_all_remove' onClick=\"acl_set_all('_0_d$',false);\" value='D-'> - ";
667 $display .= "<input ".$style." type='button' name='set_true_all_read' onClick=\"acl_set_all('_0_r$',true);\" value='R+'>";
668 $display .= "<input ".$style." type='button' name='set_false_all_read' onClick=\"acl_set_all('_0_r$',false);\" value='R-'>";
669 $display .= "<input ".$style." type='button' name='set_true_all_write' onClick=\"acl_set_all('_0_w$',true);\" value='W+'>";
670 $display .= "<input ".$style." type='button' name='set_false_all_write' onClick=\"acl_set_all('_0_w$',false);\" value='W-'> - ";
672 $display .= "<input ".$style." type='button' name='set_true_all_read' onClick=\"acl_set_all('[^0]_r$',true);\" value='R+'>";
673 $display .= "<input ".$style." type='button' name='set_false_all_read' onClick=\"acl_set_all('[^0]_r$',false);\" value='R-'>";
674 $display .= "<input ".$style." type='button' name='set_true_all_write' onClick=\"acl_set_all('[^0]_w$',true);\" value='W+'>";
675 $display .= "<input ".$style." type='button' name='set_false_all_write' onClick=\"acl_set_all('[^0]_w$',false);\" value='W-'>";
676 }
678 /* Build general objects */
679 $list =$this->sort_by_priority($list);
680 foreach ($list as $key => $name){
682 /* Create sub acl if it does not exist */
683 if (!isset($this->aclContents[$key])){
684 $this->aclContents[$key]= array();
685 $this->aclContents[$key][0]= '';
686 }
687 $currentAcl= $this->aclContents[$key];
689 /* Get the overall plugin acls
690 */
691 $overall_acl ="";
692 if(isset($currentAcl[0])){
693 $overall_acl = $currentAcl[0];
694 }
696 /* Object header */
697 if(session::get('js')) {
698 if(isset($_SERVER['HTTP_USER_AGENT']) && preg_match("/gecko/i",$_SERVER['HTTP_USER_AGENT'])) {
699 $display.= "\n<table style='width:100%;border:1px solid #A0A0A0' cellspacing=0 cellpadding=2>".
700 "\n <tr>".
701 "\n <td style='background-color:#C8C8C8;height:1.8em;' colspan=".($cols-1)."><b>"._("Object").": $name</b></td>".
702 "\n <td align='right' style='background-color:#C8C8C8;height:1.8em;'>".
703 "\n <input type='button' onclick='divtoggle(\"".preg_replace("/[^a-z0-9]/i","_",$name)."\");' value='"._("Show/hide advanced settings")."' /></td>".
704 "\n </tr>";
705 } else if (isset($_SERVER['HTTP_USER_AGENT']) && preg_match("/ie/i",$_SERVER['HTTP_USER_AGENT'])) {
706 $display.= "\n<table style='width:100%;border:1px solid #A0A0A0' cellspacing=0 cellpadding=2>".
707 "\n <tr>".
708 "\n <td style='background-color:#C8C8C8;height:1.8em;' colspan=".($cols-1)."><b>"._("Object").": $name</b></td>".
709 "\n <td align='right' style='background-color:#C8C8C8;height:1.8em;'>".
710 "\n <input type='button' onclick='divtoggle(\"".preg_replace("/[^a-z0-9]/i","_",$name)."\");' value='"._("Show/hide advanced settings")."' /></td>".
711 "\n </tr>";
712 } else {
713 $display.= "\n<table style='width:100%;border:1px solid #A0A0A0' cellspacing=0 cellpadding=2>".
714 "\n <tr>".
715 "\n <td style='background-color:#C8C8C8;height:1.8em;' colspan=$cols><b>"._("Object").": $name</b></td>".
716 "\n </tr>";
717 }
718 } else {
719 $display.= "\n<table style='width:100%;border:1px solid #A0A0A0' cellspacing=0 cellpadding=2>".
720 "\n <tr>".
721 "\n <td style='background-color:#C8C8C8;height:1.8em;' colspan=$cols><b>"._("Object").": $name</b></td>".
722 "\n </tr>";
723 }
725 /* Generate options */
726 $spc= " ";
727 # if ($this->isContainer && $this->aclType != 'base'){
728 $options= $this->mkchkbx($key."_0_c", _("Create objects"), preg_match('/c/', $overall_acl)).$spc;
729 $options.= $this->mkchkbx($key."_0_m", _("Move objects"), preg_match('/m/', $overall_acl)).$spc;
730 $options.= $this->mkchkbx($key."_0_d", _("Remove objects"), preg_match('/d/', $overall_acl)).$spc;
731 if ($plist[preg_replace('%^.*/%', '', $key)]['plSelfModify']){
732 $options.= $this->mkchkbx($key."_0_s", _("Modifyable by owner"), preg_match('/s/', $overall_acl)).$spc;
733 }
734 # } else {
735 # $options= $this->mkchkbx($key."_0_m", _("Move object"), preg_match('/m/', $overall_acl)).$spc;
736 # $options.= $this->mkchkbx($key."_0_d", _("Remove object"), preg_match('/d/', $overall_acl)).$spc;
737 # if ($plist[preg_replace('%^.*/%', '', $key)]['plSelfModify']){
738 # $options.= $this->mkchkbx($key."_0_s", _("Modifyable by owner"), preg_match('/s/', $overall_acl)).$spc;
739 # }
740 # }
742 /* Global options */
743 $more_options= $this->mkchkbx($key."_0_r", _("read"), preg_match('/r/', $overall_acl)).$spc;
744 $more_options.= $this->mkchkbx($key."_0_w", _("write"), preg_match('/w/', $overall_acl));
746 $display.= "\n <tr>".
747 "\n <td style='background-color:#E0E0E0' colspan=".($cols-1).">$options</td>".
748 "\n <td style='background-color:#D4D4D4'> "._("Complete object").": $more_options</td>".
749 "\n </tr>";
751 /* Walk through the list of attributes */
752 $cnt= 1;
753 $splist= $plist[preg_replace('%^.*/%', '', $key)]['plProvidedAcls'];
754 # asort($splist);
755 if(session::get('js')) {
756 if(isset($_SERVER['HTTP_USER_AGENT']) && preg_match("/gecko/i",$_SERVER['HTTP_USER_AGENT'])) {
757 $display.= "\n <tr id='tr_".preg_replace("/[^a-z0-9]/i","_",$name)."' style='vertical-align:top;height:0px;'>".
758 "\n <td colspan=".$cols.">".
759 "\n <div id='".preg_replace("/[^a-z0-9]/i","_",$name)."' style='overflow:hidden;visibility:hidden;height:0px;vertical-align:top;width:100%;'>".
760 "\n <table style='width:100%;'>";
761 } else if (isset($_SERVER['HTTP_USER_AGENT']) && preg_match("/ie/i",$_SERVER['HTTP_USER_AGENT'])) {
762 $display.= "\n <tr id='tr_".preg_replace("/[^a-z0-9]/i","_",$name)."' style='vertical-align:top;height:0px;'>".
763 "\n <td colspan=".$cols.">".
764 "\n <div id='".preg_replace("/[^a-z0-9]/i","_",$name)."' style='position:absolute;overflow:hidden;visibility:hidden;height:0px;vertical-align:top;width:100%;'>".
765 "\n <table style='width:100%;'>";
766 }
767 }
768 foreach($splist as $attr => $dsc){
770 /* Skip pl* attributes, they are internal... */
771 if (preg_match('/^pl[A-Z]+.*$/', $attr)){
772 continue;
773 }
775 /* Open table row */
776 if ($cnt == 1){
777 $display.= "\n <tr>";
778 }
780 /* Close table row */
781 if ($cnt == $cols){
782 $cnt= 1;
783 $rb= "";
784 $end= "\n </tr>";
785 } else {
786 $cnt++;
787 $rb= "border-right:1px solid #A0A0A0;";
788 $end= "";
789 }
791 /* Collect list of attributes */
792 $state= "";
793 if (isset($currentAcl[$attr])){
794 $state= $currentAcl[$attr];
795 }
796 $display.= "\n <td style='border-top:1px solid #A0A0A0;${rb}width:".(int)(100/$cols)."%'>".
797 "\n <b>$dsc</b> ($attr)<br>".$this->mkrwbx($key."_".$attr, $state)."</td>$end";
798 }
800 /* Fill missing td's if needed */
801 if (--$cnt != $cols && $cnt != 0){
802 $display.= str_repeat("\n <td style='border-top:1px solid #A0A0A0; width:".(int)(100/$cols)."%'> </td>", $cols-$cnt);
803 }
805 if(session::get('js')) {
806 if(isset($_SERVER['HTTP_USER_AGENT']) && (preg_match("/gecko/i",$_SERVER['HTTP_USER_AGENT'])) || (preg_match("/ie/i",$_SERVER['HTTP_USER_AGENT']))) {
807 $display.= "\n </table>".
808 "\n </div>".
809 "\n </td>".
810 "\n </tr>";
811 }
812 }
814 $display.= "\n</table><br />\n";
815 }
817 return ($display);
818 }
821 function mkchkbx($name, $text, $state= FALSE)
822 {
823 $state= $state?"checked":"";
824 if($this->acl_is_writeable("")){
825 return "\n <input id='acl_".preg_replace("/[^a-z0-9]/i","_",$name)."' type=checkbox name='acl_$name' $state>".
826 "\n <label for='acl_".preg_replace("/[^a-z0-9]/i","_",$name)."'>$text</label>";
827 }else{
828 return "\n <input type='checkbox' disabled name='dummy_".microtime(1)."' $state>$text";
829 }
830 }
833 function mkrwbx($name, $state= "")
834 {
835 $rstate= preg_match('/r/', $state)?'checked':'';
836 $wstate= preg_match('/w/', $state)?'checked':'';
838 if($this->acl_is_writeable("")){
839 return ("\n <input id='acl_".preg_replace("/[^a-z0-9]/i","_",$name)."_r' type=checkbox name='acl_${name}_r' $rstate>".
840 "\n <label for='acl_".preg_replace("/[^a-z0-9]/i","_",$name)."_r'>"._("read")."</label>".
841 "\n <input id='acl_".preg_replace("/[^a-z0-9]/i","_",$name)."_w' type=checkbox name='acl_${name}_w' $wstate>".
842 "\n <label for='acl_".preg_replace("/[^a-z0-9]/i","_",$name)."_w'>"._("write")."</label>");
843 }else{
844 return ("\n <input disabled type=checkbox name='dummy_".microtime(1)."' $rstate>"._("read").
845 "\n <input disabled type=checkbox name='dummy_".microtime(1)."' $wstate>"._("write"));
846 }
847 }
850 static function explodeACL($acl)
851 {
853 $list= split(':', $acl);
854 if(count($list) == 5){
855 list($index, $type,$member,$permission,$filter)= $list;
856 $filter = base64_decode($filter);
857 }else{
858 $filter = "";
859 list($index, $type,$member,$permission)= $list;
860 }
862 $a= array( $index => array("type" => $type,
863 "filter"=> $filter,
864 "members" => acl::extractMembers($acl,$type == "role")));
866 /* Handle different types */
867 switch ($type){
869 case 'psub':
870 case 'sub':
871 case 'one':
872 case 'base':
873 $a[$index]['acl']= acl::extractACL($acl);
874 break;
876 case 'role':
877 $a[$index]['acl']= base64_decode(preg_replace('/^[^:]+:[^:]+:([^:]+).*$/', '\1', $acl));
878 break;
880 case 'reset':
881 break;
883 default:
884 msg_dialog::display(_("Internal error"), sprintf(_("Unkown ACL type '%s'!"), $type), ERROR_DIALOG);
885 $a= array();
886 }
887 return ($a);
888 }
891 static function extractMembers($acl,$role = FALSE)
892 {
893 global $config;
894 $a= array();
896 /* Rip acl off the string, seperate by ',' and place it in an array */
897 if($role){
898 $ms= preg_replace('/^[^:]+:[^:]+:[^:]+:([^:]+).*$/', '\1', $acl);
899 }else{
900 $ms= preg_replace('/^[^:]+:[^:]+:([^:]+).*$/', '\1', $acl);
901 }
902 if ($ms == $acl){
903 return $a;
904 }
905 $ma= split(',', $ms);
907 /* Decode dn's, fill with informations from LDAP */
908 $ldap= $config->get_ldap_link();
909 foreach ($ma as $memberdn){
910 $dn= base64_decode($memberdn);
911 $ldap->cat($dn, array('cn', 'objectClass', 'description', 'uid'));
913 /* Found entry... */
914 if ($ldap->count()){
915 $attrs= $ldap->fetch();
916 if (in_array_ics('gosaAccount', $attrs['objectClass'])){
917 $a['U:'.$dn]= $attrs['cn'][0]." [".$attrs['uid'][0]."]";
918 } else {
919 $a['G:'.$dn]= $attrs['cn'][0];
920 if (isset($attrs['description'][0])){
921 $a['G:'.$dn].= " [".$attrs['description'][0]."]";
922 }
923 }
925 /* ... or not */
926 } else {
927 $a['U:'.$dn]= sprintf(_("Unknown entry '%s'!"), $dn);
928 }
929 }
931 return ($a);
932 }
935 static function extractACL($acl)
936 {
937 /* Rip acl off the string, seperate by ',' and place it in an array */
938 $as= preg_replace('/^[^:]+:[^:]+:[^:]*:([^:]*).*$/', '\1', $acl);
939 $aa= split(',', $as);
940 $a= array();
942 /* Dis-assemble single ACLs */
943 foreach($aa as $sacl){
945 /* Dis-assemble field ACLs */
946 $ao= split('#', $sacl);
947 $gobject= "";
948 foreach($ao as $idx => $ssacl){
950 /* First is department with global acl */
951 $object= preg_replace('/^([^;]+);.*$/', '\1', $ssacl);
952 $gacl= preg_replace('/^[^;]+;(.*)$/', '\1', $ssacl);
953 if ($idx == 0){
954 /* Create hash for this object */
955 $gobject= $object;
956 $a[$gobject]= array();
958 /* Append ACL if set */
959 if ($gacl != ""){
960 $a[$gobject]= array($gacl);
961 }
962 } else {
964 /* All other entries get appended... */
965 list($field, $facl)= split(';', $ssacl);
966 $a[$gobject][$field]= $facl;
967 }
969 }
970 }
972 return ($a);
973 }
976 function assembleAclSummary($entry)
977 {
978 $summary= "";
980 /* Summarize ACL */
981 if (isset($entry['acl'])){
982 $acl= "";
984 if($entry['type'] == "role"){
986 if(isset($this->roles[$entry['acl']])){
987 $summary.= sprintf(_("Role: %s"), $this->roles[$entry['acl']]['cn']);
988 }else{
989 $summary.= sprintf(_("Role: %s"), "<i>"._("unknown role")."</i>");
990 }
991 }else{
992 foreach ($entry['acl'] as $name => $object){
993 if (count($object)){
994 $acl.= "$name, ";
995 }
996 }
997 $summary.= sprintf(_("Contains settings for these objects: %s"), preg_replace('/, $/', '', $acl));
998 }
999 }
1001 /* Summarize members */
1002 if ($summary != ""){
1003 $summary.= ", ";
1004 }
1005 if (count($entry['members'])){
1006 $summary.= _("Members").": ";
1007 foreach ($entry['members'] as $cn){
1008 $cn= preg_replace('/ \[.*$/', '', $cn);
1009 $summary.= $cn.", ";
1010 }
1011 } else {
1012 $summary.= _("ACL takes effect for all users");
1013 }
1015 return (preg_replace('/, $/', '', $summary));
1016 }
1019 function loadAclEntry($new= FALSE)
1020 {
1021 /* New entry gets presets... */
1022 if ($new){
1023 $this->aclType= 'base';
1024 $this->aclFilter= "";
1025 $this->recipients= array();
1026 $this->aclContents= array();
1027 } else {
1028 $acl= $this->gosaAclEntry[$this->currentIndex];
1029 $this->aclType= $acl['type'];
1030 $this->recipients= $acl['members'];
1031 $this->aclContents= $acl['acl'];
1032 $this->aclFilter= $acl['filter'];
1033 }
1035 $this->wasNewEntry= $new;
1036 }
1039 function aclPostHandler()
1040 {
1041 if (isset($_POST['save_acl'])){
1042 $this->save();
1043 return TRUE;
1044 }
1046 return FALSE;
1047 }
1050 function PrepareForCopyPaste($source)
1051 {
1052 plugin::PrepareForCopyPaste($source);
1054 $dn = $source['dn'];
1055 $acl_c = new acl($this->config, $this->parent,$dn);
1056 $this->gosaAclEntry = $acl_c->gosaAclEntry;
1057 }
1060 function save()
1061 {
1062 /* Assemble ACL's */
1063 $tmp_acl= array();
1065 foreach ($this->gosaAclEntry as $prio => $entry){
1066 $final= "";
1067 $members= "";
1068 if (isset($entry['members'])){
1069 foreach ($entry['members'] as $key => $dummy){
1070 $members.= base64_encode(preg_replace('/^.:/', '', $key)).',';
1071 }
1072 }
1074 if($entry['type'] != "role"){
1075 $final= $prio.":".$entry['type'].":".preg_replace('/,$/', '', $members);
1076 }else{
1077 $final= $prio.":".$entry['type'].":".base64_encode($entry['acl']).":".preg_replace('/,$/', '', $members);
1078 }
1080 /* ACL's if needed */
1081 if ($entry['type'] != "reset" && $entry['type'] != "role"){
1082 $acl= ":";
1083 if (isset($entry['acl'])){
1084 foreach ($entry['acl'] as $object => $contents){
1086 /* Only save, if we've some contents in there... */
1087 if (count($contents)){
1088 $acl.= $object.";";
1090 foreach($contents as $attr => $permission){
1092 /* First entry? Its the one for global settings... */
1093 if ($attr == '0'){
1094 $acl.= $permission;
1095 } else {
1096 $acl.= '#'.$attr.';'.$permission;
1097 }
1099 }
1100 $acl.= ',';
1101 }
1103 }
1104 }
1105 $final.= preg_replace('/,$/', '', $acl);
1106 }
1108 /* Append additional filter options
1109 */
1110 if(!empty($entry['filter'])){
1111 $final .= ":".base64_encode($entry['filter']);
1112 }
1114 $tmp_acl[]= $final;
1115 }
1117 /* Call main method */
1118 plugin::save();
1120 /* Finally (re-)assign it... */
1121 $this->attrs['gosaAclEntry']= $tmp_acl;
1123 /* Remove acl from this entry if it is empty... */
1124 if (!count($tmp_acl)){
1125 /* Remove attribute */
1126 if ($this->initially_was_account){
1127 $this->attrs['gosaAclEntry']= array();
1128 } else {
1129 if (isset($this->attrs['gosaAclEntry'])){
1130 unset($this->attrs['gosaAclEntry']);
1131 }
1132 }
1134 /* Remove object class */
1135 $this->attrs['objectClass']= array_remove_entries(array('gosaAcl'), $this->attrs['objectClass']);
1136 }
1138 /* Do LDAP modifications */
1139 $ldap= $this->config->get_ldap_link();
1140 $ldap->cd($this->dn);
1141 $this->cleanup();
1142 $ldap->modify ($this->attrs);
1144 if(count($this->attrs)){
1145 new log("modify","acls/".get_class($this),$this->dn,array_keys($this->attrs),$ldap->get_error());
1146 }
1148 if (!$ldap->success()){
1149 msg_dialog::display(_("LDAP error"), msgPool::ldaperror($ldap->get_error(), $this->dn, LDAP_MOD, get_class()));
1150 }
1152 /* Refresh users ACLs */
1153 $ui= get_userinfo();
1154 $ui->loadACL();
1155 session::set('ui',$ui);
1156 }
1159 function remove_from_parent()
1160 {
1161 plugin::remove_from_parent();
1163 /* include global link_info */
1164 $ldap= $this->config->get_ldap_link();
1166 $ldap->cd($this->dn);
1167 $this->cleanup();
1168 $ldap->modify ($this->attrs);
1170 new log("remove","acls/".get_class($this),$this->dn,array_keys($this->attrs),$ldap->get_error());
1172 /* Optionally execute a command after we're done */
1173 $this->handle_post_events("remove",array("uid" => $this->uid));
1174 }
1177 /* Return plugin informations for acl handling */
1178 static function plInfo()
1179 {
1180 return (array(
1181 "plShortName" => _("ACL"),
1182 "plDescription" => _("ACL")." ("._("Access control list").")",
1183 "plSelfModify" => FALSE,
1184 "plDepends" => array(),
1185 "plPriority" => 0,
1186 "plSection" => array("administration"),
1187 "plCategory" => array("acl" => array("description" => _("ACL")." & "._("ACL roles"),
1188 "objectClass" => array("gosaAcl","gosaRole"))),
1189 "plProvidedAcls"=> array(
1190 "cn" => _("Role name"),
1191 "description" => _("Role description"))
1193 ));
1194 }
1197 /* Remove acls defined for $src */
1198 function remove_acl()
1199 {
1200 $this->remove_acl_for_dn($this->dn);
1201 }
1204 /* Remove acls defined for $src */
1205 function remove_acl_for_dn($src = "")
1206 {
1207 if($src == ""){
1208 $src = $this->dn;
1209 }
1210 $ldap = $this->config->get_ldap_link();
1211 $ldap->cd($this->config->current['BASE']);
1212 $ldap->search("(&(objectClass=gosaAcl)(gosaAclEntry=*".base64_encode($src)."*))",array("gosaAclEntry","dn"));
1213 while($attrs = $ldap->fetch()){
1214 $acl = new acl($this->config,$this->parent,$attrs['dn']);
1215 foreach($acl->gosaAclEntry as $id => $entry){
1216 foreach($entry['members'] as $m_id => $member){
1217 if($m_id == "U:".$src){
1218 unset($acl->gosaAclEntry[$id]['members'][$m_id]);
1219 gosa_log("modify","users/acl",$attrs['dn'],array(),sprintf("Removed acl for user %s on object %s.",$src,$attrs['dn']));
1220 }
1221 if($m_id == "G:".$src){
1222 unset($acl->gosaAclEntry[$id]['members'][$m_id]);
1223 gosa_log("modify","groups/acl",$attrs['dn'],array(),sprintf("Removed acl for group %s on object %s.",$src,$attrs['dn']));
1224 }
1225 }
1226 }
1227 $acl -> save();
1228 }
1229 }
1231 function update_acl_membership($src,$dst)
1232 {
1233 $ldap = $this->config->get_ldap_link();
1234 $ldap->cd($this->config->current['BASE']);
1235 $ldap->search("(&(objectClass=gosaAcl)(gosaAclEntry=*".base64_encode($src)."*))",array("gosaAclEntry","dn"));
1236 while($attrs = $ldap->fetch()){
1237 $acl = new acl($this->config,$this->parent,$attrs['dn']);
1238 foreach($acl->gosaAclEntry as $id => $entry){
1239 foreach($entry['members'] as $m_id => $member){
1240 if($m_id == "U:".$src){
1241 unset($acl->gosaAclEntry[$id]['members'][$m_id]);
1242 $new = "U:".$dst;
1243 $acl->gosaAclEntry[$id]['members'][$new] = $new;
1244 gosa_log("modify","users/acl",$attrs['dn'],array(),sprintf("Updated acl for user %s on object %s.",$src,$attrs['dn']));
1245 }
1246 if($m_id == "G:".$src){
1247 unset($acl->gosaAclEntry[$id]['members'][$m_id]);
1248 $new = "G:".$dst;
1249 $acl->gosaAclEntry[$id]['members'][$new] = $new;
1250 gosa_log("modify","groups/acl",$attrs['dn'],array(),sprintf("Updated acl for group %s on object %s.",$src,$attrs['dn']));
1251 }
1252 }
1253 }
1254 $acl -> save();
1255 }
1256 }
1258 }
1260 // vim:tabstop=2:expandtab:shiftwidth=2:filetype=php:syntax:ruler:
1261 ?>