![[tokkee]](http://tokkee.org/images/avatar.png){kind=avatar}
43b238543c3a5360929cfec5e88d21555d4c9667
1 <?php
2 /*
3 This code is part of GOsa (https://gosa.gonicus.de)
4 Copyright (C) 2003-2006 - Cajus Pollmeier <pollmeier@gonicus.de>
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19 */
21 class aclManagement extends plugin
22 {
23 /* Plugin definitions */
24 var $plHeadline = "ACLs";
25 var $plDescription = "Manage access control lists";
27 /* Dialog attributes */
28 var $acltabs = NULL;
29 var $ui = NULL;
30 var $acl = "";
31 var $DivListACL = NULL;
33 var $CopyPasteHandler;
34 var $start_pasting_copied_objects = FALSE;
36 function aclManagement(&$config, &$ui)
37 {
38 /* Save configuration for internal use */
39 $this->config = &$config;
40 $this->ui = &$ui;
42 /* Copy & Paste enabled ?*/
43 if((isset($this->config->data['MAIN']['ENABLECOPYPASTE']))&&(preg_match("/true/i",$this->config->data['MAIN']['ENABLECOPYPASTE']))){
44 $this->CopyPasteHandler = new CopyPasteHandler($this->config);
45 }
47 /* Creat dialog object */
48 $this->DivListACL = new divListACL($this->config,$this);
49 }
52 function execute()
53 {
54 /* Call parent execute */
55 plugin::execute();
57 session::set('LOCK_VARS_TO_USE',array("/^list/","/^id_/","/^list_acl_role_del/","/^list_acl_del/","/^menu_action/"));
59 $smarty = get_smarty(); // Smarty instance
60 $s_action = ""; // Contains the action to be taken
61 $s_entry = ""; // The value for s_action
63 /* Edit entry button pressed? */
64 if( isset($_GET['act']) && $_GET['act'] == "list_edit_entry" ){
65 $s_action= "edit";
66 $s_entry= validate($_GET['id']);
67 }
69 /* Edit entry button pressed? */
70 if( isset($_GET['act']) && $_GET['act'] == "list_edit_role" ){
71 $s_action= "edit_role";
72 $s_entry= validate($_GET['id']);
73 }
75 $types = array(
76 "del" =>"^list_acl_del",
77 "edit" =>"^list_acl_edit",
78 "del_role" =>"^list_acl_role_del",
79 "edit_role" =>"^list_acl_role_edit",
80 "copy" =>"^copy",
81 "cut" =>"^cut",
82 "copy_multiple"=> "^multiple_copy_objects",
83 "cut_multiple" => "^multiple_cut_objects",
84 "editPaste" =>"^editPaste",
85 "addrole" =>"^new_acl_role");
87 /* Test relevant POST values */
88 foreach($_POST as $key => $val){
90 /* Get every possible POST combination and set s_action/s_entry accordingly */
91 foreach($types as $act => $name){
93 if (preg_match("/".$name.".*/", $key)){
94 $s_action= $act;
95 $s_entry= preg_replace("/".$name."_/i", "", $key);
96 }
97 }
98 }
100 /* Remove coordinate prefix from POST, required by some browsers */
101 $s_entry= preg_replace("/_.$/", "", $s_entry);
103 /* Seperate possibly encoded tab and entry, default to tab "acl" */
104 if(preg_match("/.*-.*/", $s_entry)){
105 $s_tab= preg_replace("/^[^-]*-/i", "" ,$s_entry);
106 $s_entry= preg_replace("/-[^-]*$/i", "", $s_entry);
107 }else{
108 $s_tab= "generic";
109 }
112 /* handle C&P from layers menu */
113 if(isset($_POST['menu_action']) && preg_match("/^multiple_copy_systems/",$_POST['menu_action'])){
114 $s_action = "copy_multiple";
115 }
116 if(isset($_POST['menu_action']) && preg_match("/^multiple_cut_systems/",$_POST['menu_action'])){
117 $s_action = "cut_multiple";
118 }
119 if(isset($_POST['menu_action']) && preg_match("/^editPaste/",$_POST['menu_action'])){
120 $s_action = "editPaste";
121 }
123 /* Create options */
124 if(isset($_POST['menu_action']) && $_POST['menu_action'] == "new_acl_role"){
125 $s_action = "new";
126 }
128 /* handle remove from layers menu */
129 if(isset($_POST['menu_action']) && preg_match("/^remove_multiple/",$_POST['menu_action'])){
130 $s_action = "del_multiple";
131 }
134 /********************
135 Copy & Paste Handling ...
136 ********************/
138 /* Display the copy & paste dialog, if it is currently open */
139 $ret = $this->copyPasteHandling_from_queue($s_action,$s_entry);
140 if($ret){
141 return($ret);
142 }
145 /********************
146 * Add new Role entry
147 ********************/
149 if(($s_action == "new") && (!isset($this->acltabs->config))){
151 /* Get 'dn' from posted acl, must be unique */
152 $this->dn= "new";
154 /* Check permissions */
155 if(preg_match("/c/",$this->ui->get_permissions($this->DivListACL->selectedBase,"acl/acl"))){
157 /* Register acltabs to trigger edit dialog */
158 $this->acltabs= new aclroletab($this->config, NULL,$this->dn);
159 $this->acltabs->set_acl_base($this->DivListACL->selectedBase);
160 }else{
161 msg_dialog::display(_("Permission error"), _("You have no permission to create a new role!"), ERROR_DIALOG);
162 }
163 }
165 /********************
166 Edit existing entry
167 ********************/
169 if (($s_action=="edit" || $s_action=="edit_role") && (!isset($this->acltabs->config))){
171 /* Get 'dn' from posted acl, must be unique */
172 $this->dn= $this->list[trim($s_entry)]['dn'];
174 /* Check permissions */
175 if(preg_match("/r/",$this->ui->get_permissions($this->dn,"acl/acl"))){
177 /* Check locking, save current plugin in 'back_plugin', so
178 the dialog knows where to return. */
179 if (($acl= get_lock($this->dn)) != ""){
180 return(gen_locked_message ($acl, $this->dn));
181 }
183 /* Lock the current entry, so everyone will get the above dialog */
184 add_lock ($this->dn, $this->ui->dn);
186 /* Register acltabs to trigger edit dialog */
187 if($s_action=="edit_role"){
188 $this->acltabs= new aclroletab($this->config, NULL,$this->dn);
189 $this->acltabs-> set_acl_base($this->dn);
190 }else{
191 $this->acltabs= new acltab($this->config, NULL,$this->dn);
192 $this->acltabs-> set_acl_base($this->dn);
193 }
195 /* Set ACL and move DN to the headline */
196 session::set('objectinfo',$this->dn);
197 }else{
198 msg_dialog::display(_("Permission error"), _("You have no permission to edit this ACL!"), ERROR_DIALOG);
199 }
200 }
203 /********************
204 Edit canceled
205 ********************/
206 if(isset($_POST['delete_lock'])){
207 del_lock ($this->dn);
208 session::un_set('objectinfo');
209 }
211 /* Reset all relevant data, if we get a _cancel request */
212 if (isset($_POST['edit_cancel'])){
213 if (isset($this->acltabs)){
214 del_lock ($this->dn);
215 unset ($this->acltabs);
216 }
217 $this->acltabs= NULL;
218 session::un_set('objectinfo');
219 }
222 /********************
223 Delete entry requested, display confirm dialog
224 ********************/
226 /* Remove acl was requested */
227 if ($s_action=="del_role"){
229 /* Get 'dn' from posted acl */
230 $this->dn= $this->list[trim($s_entry)]['dn'];
232 /* Check permissions */
233 if(preg_match("/d/",$this->ui->get_permissions($this->dn,"aclroles/aclrole"))){
235 /* Check locking, save current plugin in 'back_plugin', so
236 the dialog knows where to return. */
237 if (($acl= get_lock($this->dn)) != ""){
238 return(gen_locked_message ($acl, $this->dn));
239 }
241 /* Lock the current entry, so nobody will edit it during deletion */
242 add_lock ($this->dn, $this->ui->dn);
243 $smarty->assign("info", sprintf(_("You're about to delete the acl %s."), @LDAP::fix($this->dn)));
244 $smarty->assign("is_role",true);
246 return($smarty->fetch(get_template_path('remove.tpl', TRUE)));
247 } else {
249 /* Obviously the acl isn't allowed to delete. Show message and
250 clean session. */
251 msg_dialog::display(_("Permission error"), _("You have no permission to delete this entry!"), ERROR_DIALOG);
252 }
253 }
256 /********************
257 Delete entry confirmed
258 ********************/
260 /* Confirmation for deletion has been passed. Acl should be deleted. */
261 if (isset($_POST['delete_acl_role_confirmed'])){
263 /* Check permissions */
264 if(preg_match("/d/",$this->ui->get_permissions($this->dn,"aclroles/aclrole"))){
266 /* Delete request is permitted, perform LDAP action */
267 $this->acltabs= new aclroletab($this->config, NULL,$this->dn);
268 $this->acltabs->delete();
269 unset ($this->acltabs);
270 $this->acltabs= NULL;
271 } else {
273 /* Normally this shouldn't be reached, send some extra
274 logs to notify the administrator */
275 msg_dialog::display(_("Permission error"), _("You have no permission to delete this entry!"), ERROR_DIALOG);
277 if(isset($this->ui->uid)){
278 new log("security","aclroles/".get_class($this),$this->dn,array(),"Warning: '".$this->ui->uid."' tried to trick acl role deletion.");
279 }
280 }
282 /* Remove lock file after successfull deletion */
283 del_lock ($this->dn);
284 }
286 /********************
287 Delete entry requested, display confirm dialog
288 ********************/
290 /* Remove acl was requested */
291 if ($s_action=="del"){
293 /* Get 'dn' from posted acl */
294 $this->dn= $this->list[trim($s_entry)]['dn'];
296 /* Check permissions */
297 if(preg_match("/d/",$this->ui->get_permissions($this->dn,"acl/acl"))){
298 /* Check locking, save current plugin in 'back_plugin', so
299 the dialog knows where to return. */
300 if (($acl= get_lock($this->dn)) != ""){
301 session::set('LOCK_VARS_TO_USE',array("/^list_acl_edit/","/^list_acl_del/","/^id_/"));
302 return(gen_locked_message ($acl, $this->dn));
303 }
305 /* Lock the current entry, so nobody will edit it during deletion */
306 add_lock ($this->dn, $this->ui->dn);
307 $smarty->assign("info", sprintf(_("You're about to delete the acl %s."), @LDAP::fix($this->dn)));
308 $smarty->assign("is_role",false);
309 return($smarty->fetch(get_template_path('remove.tpl', TRUE)));
310 } else {
312 /* Obviously the acl isn't allowed to delete. Show message and
313 clean session. */
314 msg_dialog::display(_("Permission error"), _("You have no permission to delete this entry!"), ERROR_DIALOG);
315 }
316 }
319 /********************
320 Delete entry confirmed
321 ********************/
323 /* Confirmation for deletion has been passed. Acl should be deleted. */
324 if (isset($_POST['delete_acl_confirm'])){
326 /* Check permissions */
327 if(preg_match("/d/",$this->ui->get_permissions($this->dn,"acl/acl"))){
329 /* Delete request is permitted, perform LDAP action */
330 $this->acltabs= new acl($this->config, NULL,$this->dn);
331 $this->acltabs->remove_from_parent();
332 unset ($this->acltabs);
333 $this->acltabs= NULL;
334 } else {
336 /* Normally this shouldn't be reached, send some extra
337 logs to notify the administrator */
338 msg_dialog::display(_("Permission error"), _("You have no permission to delete this entry!"), ERROR_DIALOG);
340 if(isset($this->ui->uid)){
341 new log("security","aclroles/".get_class($this),$this->dn,array(),"Warning: '".$this->ui->uid."' tried to trick acl role deletion.");
343 }
344 }
346 /* Remove lock file after successfull deletion */
347 del_lock ($this->dn);
348 }
351 /********************
352 Delete entry Canceled
353 ********************/
355 /* Delete acl canceled? */
356 if (isset($_POST['delete_cancel'])){
357 del_lock ($this->dn);
358 }
361 /********************
362 Edit entry finished (Save)
363 ********************/
365 /* Finish acl edit is triggered by the tabulator dialog, so
366 the acl wants to save edited data. Check and save at this
367 point. */
368 if ((isset($_POST['edit_finish']) || isset($_POST['edit_apply'])) && (isset($this->acltabs->config))){
370 /* Check tabs, will feed message array */
371 $this->acltabs->save_object();
372 $message= $this->acltabs->check();
374 /* Save, or display error message? */
375 if (count($message) == 0){
377 /* Save acl data to ldap */
378 if($this->acltabs->save() == 1){
379 return;
380 }
382 if (!isset($_POST['edit_apply'])){
384 /* ACl has been saved successfully, remove lock from LDAP. */
385 if ($this->dn != "new"){
386 del_lock ($this->dn);
387 }
389 unset ($this->acltabs);
390 $this->acltabs= NULL;
391 session::un_set('objectinfo');
392 }
393 } else {
394 /* Ok. There seem to be errors regarding to the tab data,
395 show message and continue as usual. */
396 show_errors($message);
397 }
398 }
401 /********************
402 Display subdialog
403 ********************/
406 /* Show tab dialog if object is present */
407 if(isset($this->acltabs->config)){
409 /* Save object */
410 $this->acltabs->save_object();
411 $display= $this->acltabs->execute();
413 /* Don't show buttons if tab dialog requests this */
414 if(isset($this->acltabs)){
416 /* Skip displaying save/cancel if there is a sub dialog open */
417 if (!isset($this->acltabs->dialog) || !$this->acltabs->dialog){
418 $display.= "<p style=\"text-align:right\">\n";
419 // $display.= "<input type=submit name=\"edit_finish\" style=\"width:80px\" value=\""._("Ok")."\">\n";
420 $display.= " \n";
422 /* Skip Apply if it is a new entry */
423 #if ($this->dn != "new"){
424 # $display.= "<input type=submit name=\"edit_apply\" value=\""._("Apply")."\">\n";
425 # $display.= " \n";
426 #}
428 // $display.= "<input type=submit name=\"edit_cancel\" value=\""._("Cancel")."\">\n";
429 $display.= "</p>";
430 }
431 }
432 return ($display);
433 }
435 /* Check if there is a snapshot dialog open */
436 $base = $this->DivListACL->selectedBase;
437 if($str = $this->showSnapshotDialog($base,$this->get_used_snapshot_bases())){
438 return($str);
439 }
441 /* Return rendered main page */
442 /* Display dialog with system list */
443 $this->DivListACL->parent = $this;
444 $this->DivListACL->execute();
446 /* Add departments if subsearch is disabled */
447 if(!$this->DivListACL->SubSearch){
448 $this->DivListACL->AddDepartments($this->DivListACL->selectedBase,3,1);
449 }
450 $this->reload();
451 $this->DivListACL->setEntries($this->list);
452 return($this->DivListACL->Draw());
453 }
456 function reload()
457 {
458 /* Get divlist informations from filter part */
459 $Regex = $this->DivListACL -> Regex;
460 $SubSearch = $this->DivListACL -> SubSearch;
461 $base = $this->DivListACL -> selectedBase;
462 $Attrs = array("ou","cn","description","gosaAclEntry","objectClass");
463 $res = array();
464 $tmp = array(); // Will contain temporary results
465 $ldap = $this->config->get_ldap_link();
466 $Filter = "(&(objectClass=gosaACL)(gosaAclEntry=*)(|(cn=".$Regex.")(ou=".$Regex.")))";
467 $FilterRoles= "(&(objectClass=gosaRole)(|(cn=".$Regex.")(ou=".$Regex.")))";
469 /* Fetch following structures, this will be used if !$SubSearch */
470 $fetch_this = array(
471 "ME" => array("TYPE" => "cat" , "FLAGS" => GL_SIZELIMIT ,"BASE"=>""),
472 "SYSTEMS" => array("TYPE" => "search" , "FLAGS" => GL_SIZELIMIT | GL_SUBSEARCH ,"BASE"=>get_ou('systemsou')),
473 "APPS" => array("TYPE" => "search" , "FLAGS" => GL_SIZELIMIT | GL_SUBSEARCH ,"BASE"=>get_ou('applicationou')),
474 "PEOPLE" => array("TYPE" => "search" , "FLAGS" => GL_SIZELIMIT | GL_SUBSEARCH ,"BASE"=>get_people_ou()),
475 "GROUPS" => array("TYPE" => "search" , "FLAGS" => GL_SIZELIMIT | GL_SUBSEARCH ,"BASE"=>get_groups_ou()));
477 /* Subsearch ? */
478 if($SubSearch){
480 /* Get all object in this base */
481 $Flags = GL_SIZELIMIT | GL_SUBSEARCH;
482 $fetch_base = $base;
483 $tmp = get_list($Filter, "acl", $fetch_base, $Attrs, $Flags);
484 $tmp2 = get_list($FilterRoles, "acl", $fetch_base, $Attrs, $Flags);
485 foreach($tmp as $entry){
486 $res[] = $entry;
487 }
488 foreach($tmp2 as $entry){
489 $res[] = $entry;
490 }
492 }else{
494 $tmp_roles = get_list($FilterRoles, "acl", get_ou('aclroleou').$base, $Attrs,GL_SIZELIMIT);
496 foreach($tmp_roles as $entry){
497 $res[] = $entry;
498 }
500 /* Walk through all possible bases */
501 foreach($fetch_this as $type => $data){
503 /* Get requried attributes */
504 $Flags = $data['FLAGS'];
505 $fetch_base = $data['BASE'].$base;
506 $Type = $data['TYPE'];
508 /* Check if method is cat or search */
509 if($Type == "search"){
510 $tmp = get_list($Filter, "acl", $fetch_base, $Attrs, $Flags);
511 foreach($tmp as $entry){
512 $res[$entry['dn']] = $entry;
513 }
514 }else{
515 $ldap->cat($fetch_base,$Attrs);
516 $attrs = $ldap->fetch();
517 if($attrs && isset($attrs['gosaAclEntry'])){
518 $re2 = preg_replace("/\*/",".*",$Regex);
520 if(!isset($attrs['ou']) && !isset($attrs['cn'])){
521 $namingAttr= preg_replace("/^[^=]*+=([^,]*),.*$/","\\1",$fetch_base);
522 if(preg_match("/".$re2."/i",$namingAttr)){
523 $res[$attrs['dn']] = $attrs;
524 }
525 }elseif( (isset($attrs['cn'][0]) && preg_match("/".$re2."/i",$attrs['cn'][0]))
526 ||(isset($attrs['ou'][0]) && preg_match("/".$re2."/i",$attrs['ou'][0]))){
527 $res[$attrs['dn']] = $attrs;
528 }
529 }
530 }
531 }
532 }
533 $this->list = array_values($res);
534 }
537 function copyPasteHandling_from_queue($s_action,$s_entry)
538 {
539 /* Check if Copy & Paste is disabled */
540 if(!is_object($this->CopyPasteHandler)){
541 return("");
542 }
544 /* Add a single entry to queue */
545 if($s_action == "cut" || $s_action == "copy"){
547 /* Cleanup object queue */
548 $this->CopyPasteHandler->cleanup_queue();
549 $dn = $this->list[$s_entry]['dn'];
551 if(isset($this->list[$s_entry]['objectClass']) && in_array("gosaRole",$this->list[$s_entry]['objectClass'])){
552 $this->CopyPasteHandler->add_to_queue($dn,$s_action,"aclroletab","ACLROLETAB","aclroles");
553 }
554 }
556 /* Add entries to queue */
557 if($s_action == "copy_multiple" || $s_action == "cut_multiple"){
559 /* Cleanup object queue */
560 $this->CopyPasteHandler->cleanup_queue();
562 /* Add new entries to CP queue */
563 foreach($this->list_get_selected_items() as $id){
564 $dn = $this->list[$id]['dn'];
566 if(isset($this->list[$id]['objectClass']) && in_array("gosaRole",$this->list[$id]['objectClass'])){
568 if($s_action == "copy_multiple"){
569 $this->CopyPasteHandler->add_to_queue($dn,"copy","aclroletab","ACLROLETAB","aclroles");
570 }
571 if($s_action == "cut_multiple"){
572 $this->CopyPasteHandler->add_to_queue($dn,"cut","aclroletab","ACLROLETAB","aclroles");
573 }
574 }
575 }
576 }
578 /* Start pasting entries */
579 if($s_action == "editPaste"){
580 $this->start_pasting_copied_objects = TRUE;
581 }
582 /* Return C&P dialog */
583 if($this->start_pasting_copied_objects && $this->CopyPasteHandler->entries_queued()){
585 /* Get dialog */
586 $this->CopyPasteHandler->SetVar("base",$this->DivListACL->selectedBase);
587 $data = $this->CopyPasteHandler->execute();
589 /* Return dialog data */
590 if(!empty($data)){
591 return($data);
592 }
593 }
595 /* Automatically disable status for pasting */
596 if(!$this->CopyPasteHandler->entries_queued()){
597 $this->start_pasting_copied_objects = FALSE;
598 }
599 return("");
600 }
603 function list_get_selected_items()
604 {
605 $ids = array();
606 foreach($_POST as $name => $value){
607 if(preg_match("/^item_selected_[0-9]*$/",$name)){
608 $id = preg_replace("/^item_selected_/","",$name);
609 $ids[$id] = $id;
610 }
611 }
612 return($ids);
613 }
616 function remove_lock()
617 {
618 /* Remove acl lock if a DN is marked as "currently edited" */
619 if (isset($this->acltabs->dn)){
620 del_lock ($this->acltabs->dn);
621 }
622 }
625 function save_object()
626 {
627 /* Handle divlist filter && department selection*/
628 if(!is_object($this->acltabs)){
629 $this->DivListACL->save_object();
630 }
631 }
633 /* A set of disabled and therefore overloaded functions. They are
634 not needed in this class. */
635 function remove_from_parent() { }
636 function check() { }
638 function save() {
639 echo "SAVE ACL";
640 }
642 function adapt_from_template($dn) { }
643 function password_change_needed() { }
646 /* Return departments, that will be included within snapshot detection */
647 function get_used_snapshot_bases()
648 {
649 return(array());
650 }
652 }
653 // vim:tabstop=2:expandtab:shiftwidth=2:filetype=php:syntax:ruler:
654 ?>