1 <?php
2 /*
3 * This code is part of GOsa (http://www.gosa-project.org)
4 * Copyright (C) 2003-2008 GONICUS GmbH
5 *
6 * ID: $$Id$$
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21 */
23 class aclManagement extends plugin
24 {
25 /* Plugin definitions */
26 var $plHeadline = "ACL";
27 var $plDescription = "Manage access control lists";
29 /* Dialog attributes */
30 var $acltabs = NULL;
31 var $ui = NULL;
32 var $acl = "";
33 var $DivListACL = NULL;
35 var $CopyPasteHandler;
36 var $start_pasting_copied_objects = FALSE;
37 var $dns = array();
39 function aclManagement(&$config, &$ui)
40 {
41 /* Save configuration for internal use */
42 $this->config = &$config;
43 $this->ui = &$ui;
45 /* Copy & Paste enabled ?*/
46 if((isset($this->config->data['MAIN']['ENABLECOPYPASTE']))&&(preg_match("/true/i",$this->config->data['MAIN']['ENABLECOPYPASTE']))){
47 $this->CopyPasteHandler = new CopyPasteHandler($this->config);
48 }
50 /* Creat dialog object */
51 $this->DivListACL = new divListACL($this->config,$this);
52 }
55 function execute()
56 {
57 /* Call parent execute */
58 plugin::execute();
60 session::set('LOCK_VARS_TO_USE',array("/^item_selected/","/^menu_action/","/^list/","/^id_/","/^list_acl_role_del/","/^list_acl_del/","/^menu_action/"));
62 $smarty = get_smarty(); // Smarty instance
63 $s_action = ""; // Contains the action to be taken
64 $s_entry = ""; // The value for s_action
66 /* Edit entry button pressed? */
67 if( isset($_GET['act']) && $_GET['act'] == "list_edit_entry" ){
68 $s_action= "edit";
69 $s_entry= validate($_GET['id']);
70 }
72 /* Edit entry button pressed? */
73 if( isset($_GET['act']) && $_GET['act'] == "list_edit_role" ){
74 $s_action= "edit_role";
75 $s_entry= validate($_GET['id']);
76 }
78 $types = array(
79 "del" =>"^list_acl_del",
80 "edit" =>"^list_acl_edit",
81 "del_role" =>"^list_acl_role_del",
82 "edit_role" =>"^list_acl_role_edit",
83 "copy" =>"^copy",
84 "cut" =>"^cut",
85 "copy_multiple"=> "^multiple_copy_objects",
86 "cut_multiple" => "^multiple_cut_objects",
87 "editPaste" =>"^editPaste",
88 "addrole" =>"^new_acl_role");
90 /* Test relevant POST values */
91 foreach($_POST as $key => $val){
93 /* Get every possible POST combination and set s_action/s_entry accordingly */
94 foreach($types as $act => $name){
96 if (preg_match("/".$name.".*/", $key)){
97 $s_action= $act;
98 $s_entry= preg_replace("/".$name."_/i", "", $key);
99 }
100 }
101 }
103 /* Remove coordinate prefix from POST, required by some browsers */
104 $s_entry= preg_replace("/_.$/", "", $s_entry);
106 /* Seperate possibly encoded tab and entry, default to tab "acl" */
107 if(preg_match("/.*-.*/", $s_entry)){
108 $s_tab= preg_replace("/^[^-]*-/i", "" ,$s_entry);
109 $s_entry= preg_replace("/-[^-]*$/i", "", $s_entry);
110 }else{
111 $s_tab= "generic";
112 }
115 /* handle C&P from layers menu */
116 if(isset($_POST['menu_action']) && preg_match("/^multiple_copy_systems/",$_POST['menu_action'])){
117 $s_action = "copy_multiple";
118 }
119 if(isset($_POST['menu_action']) && preg_match("/^multiple_cut_systems/",$_POST['menu_action'])){
120 $s_action = "cut_multiple";
121 }
122 if(isset($_POST['menu_action']) && preg_match("/^editPaste/",$_POST['menu_action'])){
123 $s_action = "editPaste";
124 }
126 /* Create options */
127 if(isset($_POST['menu_action']) && $_POST['menu_action'] == "new_acl_role"){
128 $s_action = "new";
129 }
131 /* handle remove from layers menu */
132 if(isset($_POST['menu_action']) && preg_match("/^remove_multiple/",$_POST['menu_action'])){
133 $s_action = "del_multiple";
134 }
137 /********************
138 Copy & Paste Handling ...
139 ********************/
141 /* Display the copy & paste dialog, if it is currently open */
142 $ret = $this->copyPasteHandling_from_queue($s_action,$s_entry);
143 if($ret){
144 return($ret);
145 }
148 /********************
149 * Add new Role entry
150 ********************/
152 if(($s_action == "new") && (!isset($this->acltabs->config))){
154 /* Get 'dn' from posted acl, must be unique */
155 $this->dn= "new";
157 /* Check permissions */
158 if(preg_match("/c/",$this->ui->get_permissions($this->DivListACL->selectedBase,"aclroles/aclrole"))){
160 /* Register acltabs to trigger edit dialog */
161 $this->acltabs= new aclroletab($this->config, NULL,$this->dn);
162 $this->acltabs->set_acl_base($this->DivListACL->selectedBase);
163 }else{
164 msg_dialog::display(_("Permission error"), msgPool::permCreate(), ERROR_DIALOG);
165 }
166 }
168 /********************
169 Edit existing entry
170 ********************/
172 if (($s_action=="edit" || $s_action=="edit_role") && (!isset($this->acltabs->config))){
174 /* Get 'dn' from posted acl, must be unique */
175 $this->dn= $this->list[trim($s_entry)]['dn'];
177 if(in_array("gosaRole",$this->list[trim($s_entry)]['objectClass'])){
178 $acl = "aclroles/aclrole";
179 }else{
180 $acl = "acl/acl";
181 }
183 /* Check permissions */
184 if(preg_match("/r/",$this->ui->get_permissions($this->dn,$acl))){
186 /* Check locking, save current plugin in 'back_plugin', so
187 the dialog knows where to return. */
188 if (($acl= get_lock($this->dn)) != ""){
189 return(gen_locked_message ($acl, $this->dn));
190 }
192 /* Lock the current entry, so everyone will get the above dialog */
193 add_lock ($this->dn, $this->ui->dn);
195 /* Register acltabs to trigger edit dialog */
196 if($s_action=="edit_role"){
197 $this->acltabs= new aclroletab($this->config, NULL,$this->dn);
198 $this->acltabs-> set_acl_base($this->dn);
199 }else{
200 $this->acltabs= new acltab($this->config, NULL,$this->dn);
201 $this->acltabs-> set_acl_base($this->dn);
202 }
204 /* Set ACL and move DN to the headline */
205 session::set('objectinfo',$this->dn);
206 }else{
207 msg_dialog::display(_("Permission error"), msgPool::permModify(), ERROR_DIALOG);
208 }
209 }
212 /********************
213 Edit canceled
214 ********************/
215 if(isset($_POST['delete_lock'])){
216 $this->remove_lock();
217 session::un_set('objectinfo');
218 }
220 /* Reset all relevant data, if we get a _cancel request */
221 if (isset($_POST['edit_cancel'])){
222 $this->remove_lock();
223 $this->acltabs= NULL;
224 session::un_set('objectinfo');
225 }
228 /********************
229 Delete entry requested, display confirm dialog
230 ********************/
232 /* Remove acl was requested */
233 if ($s_action=="del_role"){
235 /* Get 'dn' from posted acl */
236 $this->dn= $this->list[trim($s_entry)]['dn'];
238 /* Check permissions */
239 if(preg_match("/d/",$this->ui->get_permissions($this->dn,"aclroles/aclrole"))){
241 /* Check locking, save current plugin in 'back_plugin', so
242 the dialog knows where to return. */
243 if (($acl= get_lock($this->dn)) != ""){
244 return(gen_locked_message ($acl, $this->dn));
245 }
247 /* Lock the current entry, so nobody will edit it during deletion */
248 add_lock ($this->dn, $this->ui->dn);
249 $smarty->assign("info", msgPool::deleteInfo(@LDAP::fix($this->dn)));
250 $smarty->assign("is_role",true);
252 return($smarty->fetch(get_template_path('remove.tpl', TRUE)));
253 } else {
255 /* Obviously the acl isn't allowed to delete. Show message and
256 clean session. */
257 msg_dialog::display(_("Permission error"), msgPool::permDelete(), ERROR_DIALOG);
258 }
259 }
262 /********************
263 Delete entry confirmed
264 ********************/
266 /* Confirmation for deletion has been passed. Acl should be deleted. */
267 if (isset($_POST['delete_acl_role_confirmed'])){
269 /* Check permissions */
270 if(preg_match("/d/",$this->ui->get_permissions($this->dn,"aclroles/aclrole"))){
272 /* Delete request is permitted, perform LDAP action */
273 $this->acltabs= new aclroletab($this->config, NULL,$this->dn);
274 $this->acltabs->delete();
275 unset ($this->acltabs);
276 $this->acltabs= NULL;
277 } else {
279 /* Normally this shouldn't be reached, send some extra
280 logs to notify the administrator */
281 msg_dialog::display(_("Permission error"), msgPool::permDelete(), ERROR_DIALOG);
283 if(isset($this->ui->uid)){
284 new log("security","aclroles/".get_class($this),$this->dn,array(),"Warning: '".$this->ui->uid."' tried to trick acl role deletion.");
285 }
286 }
288 /* Remove lock file after successfull deletion */
289 $this->remove_lock();
290 }
292 /********************
293 Delete entry requested, display confirm dialog
294 ********************/
296 /* Remove acl was requested */
297 if ($s_action=="del" || $s_action == "del_multiple"){
299 /* Get 'dn' from posted acl */
300 if($s_action == "del"){
301 $this->dns = array( $this->list[trim($s_entry)]['dn']);
302 }else{
303 $this->dns = array();
304 foreach($this->list_get_selected_items() as $id){
305 $this->dns[] = $this->list[$id]['dn'];
306 }
307 }
309 $disallowed = array();
310 foreach($this->dns as $key => $dn){
311 $acl = $this->ui->get_permissions($dn, "aclroles/aclrole");
312 if(!preg_match("/d/",$acl)){
313 unset($this->dns[$key]);
314 $disallowed[] = $dn;
315 }
316 }
318 if(count($disallowed)){
319 msg_dialog::display(_("Permission"),msgPool::permDelete($disallowed),INFO_DIALOG);
320 }
322 if(count($this->dns)){
325 /* Display lock messages */
326 if ($user= get_multiple_locks($this->dns)){
327 return(gen_locked_message($user,$this->dns));
328 }
330 $dns_names = array();
331 foreach($this->dns as $key => $dn){
333 /* Check permissions */
334 if(!preg_match("/d/",$this->ui->get_permissions($dn,"aclroles/aclrole"))){
336 /* Obviously the acl isn't allowed to delete. Show message and
337 clean session. */
338 msg_dialog::display(_("Permission error"), msgPool::permDelete(), ERROR_DIALOG);
339 unset($this->dns[$key]);
340 continue;
341 }
343 $dns_names[] = LDAP::fix($dn);
344 }
346 if(count($this->dns)){
347 add_lock($this->dns,$this->ui->dn);
348 $smarty->assign("info", msgPool::deleteInfo($dns_names));
349 $smarty->assign("is_role",false);
350 return($smarty->fetch(get_template_path('remove.tpl', TRUE)));
351 }
352 }
353 }
356 /********************
357 Delete entry confirmed
358 ********************/
360 /* Confirmation for deletion has been passed. Acl should be deleted. */
361 if (isset($_POST['delete_acl_confirm'])){
363 /* Check permissions */
364 if(preg_match("/d/",$this->ui->get_permissions($this->dn,"aclroles/aclrole"))){
366 /* Delete request is permitted, perform LDAP action */
367 $this->acltabs= new acl($this->config, NULL,$this->dn);
368 $this->acltabs->remove_from_parent();
369 unset ($this->acltabs);
370 $this->acltabs= NULL;
371 } else {
373 /* Normally this shouldn't be reached, send some extra
374 logs to notify the administrator */
375 msg_dialog::display(_("Permission error"),msgPool::permDelete(), ERROR_DIALOG);
377 if(isset($this->ui->uid)){
378 new log("security","aclroles/".get_class($this),$this->dn,array(),"Warning: '".$this->ui->uid."' tried to trick acl role deletion.");
380 }
381 }
383 /* Remove lock file after successfull deletion */
384 $this->remove_lock();
385 }
388 /********************
389 Delete entry Canceled
390 ********************/
392 /* Delete acl canceled? */
393 if (isset($_POST['delete_acl_cancel'])){
394 $this->remove_lock();
395 }
398 /********************
399 Edit entry finished (Save)
400 ********************/
402 /* Finish acl edit is triggered by the tabulator dialog, so
403 the acl wants to save edited data. Check and save at this
404 point. */
405 if ((isset($_POST['edit_finish']) || isset($_POST['edit_apply'])) && (isset($this->acltabs->config))){
407 /* Check tabs, will feed message array */
408 $this->acltabs->save_object();
409 $message= $this->acltabs->check();
411 /* Save, or display error message? */
412 if (count($message) == 0){
414 /* Save acl data to ldap */
415 if($this->acltabs->save() == 1){
416 return;
417 }
419 if (!isset($_POST['edit_apply'])){
421 /* ACl has been saved successfully, remove lock from LDAP. */
422 if ($this->dn != "new"){
423 $this->remove_lock();
424 }
426 unset ($this->acltabs);
427 $this->acltabs= NULL;
428 session::un_set('objectinfo');
429 }
430 } else {
431 /* Ok. There seem to be errors regarding to the tab data,
432 show message and continue as usual. */
433 msg_dialog::displayChecks($message);
434 }
435 }
438 /********************
439 Display subdialog
440 ********************/
443 /* Show tab dialog if object is present */
444 if(isset($this->acltabs->config)){
446 /* Save object */
447 $this->acltabs->save_object();
448 $display= $this->acltabs->execute();
450 /* Don't show buttons if tab dialog requests this */
451 if(isset($this->acltabs)){
453 /* Skip displaying save/cancel if there is a sub dialog open */
454 if (!isset($this->acltabs->dialog) || !$this->acltabs->dialog){
455 $display.= "<p style=\"text-align:right\">\n";
456 // $display.= "<input type=submit name=\"edit_finish\" style=\"width:80px\" value=\"".msgPool::okButton()."\">\n";
457 $display.= " \n";
459 /* Skip Apply if it is a new entry */
460 #if ($this->dn != "new"){
461 # $display.= "<input type=submit name=\"edit_apply\" value=\"".msgPool::applyButton()."\">\n";
462 # $display.= " \n";
463 #}
465 // $display.= "<input type=submit name=\"edit_cancel\" value=\"".msgPool::cancelButton()."\">\n";
466 $display.= "</p>";
467 }
468 }
469 return ($display);
470 }
472 /* Check if there is a snapshot dialog open */
473 $base = $this->DivListACL->selectedBase;
474 if($str = $this->showSnapshotDialog($base,$this->get_used_snapshot_bases())){
475 return($str);
476 }
478 /* Return rendered main page */
479 /* Display dialog with system list */
480 $this->DivListACL->parent = $this;
481 $this->DivListACL->execute();
483 /* Add departments if subsearch is disabled */
484 if(!$this->DivListACL->SubSearch){
485 $this->DivListACL->AddDepartments($this->DivListACL->selectedBase,3,1);
486 }
487 $this->reload();
488 $this->DivListACL->setEntries($this->list);
489 return($this->DivListACL->Draw());
490 }
493 function reload()
494 {
495 /* Get divlist informations from filter part */
496 $Regex = $this->DivListACL -> Regex;
497 $SubSearch = $this->DivListACL -> SubSearch;
498 $base = $this->DivListACL -> selectedBase;
499 $Attrs = array("ou","cn","description","gosaAclEntry","objectClass");
500 $res = array();
501 $tmp = array(); // Will contain temporary results
502 $ldap = $this->config->get_ldap_link();
503 $Filter = "(&(objectClass=gosaACL)(gosaAclEntry=*)(|(cn=".$Regex.")(ou=".$Regex.")))";
504 $FilterRoles= "(&(objectClass=gosaRole)(|(cn=".$Regex.")(ou=".$Regex.")))";
506 /* Fetch following structures, this will be used if !$SubSearch */
507 $fetch_this = array(
508 "ME" => array("TYPE" => "cat" , "FLAGS" => GL_SIZELIMIT ,"BASE"=>""),
509 "SYSTEMS" => array("TYPE" => "search" , "FLAGS" => GL_SIZELIMIT | GL_SUBSEARCH ,"BASE"=>get_ou('systemsou')),
510 "APPS" => array("TYPE" => "search" , "FLAGS" => GL_SIZELIMIT | GL_SUBSEARCH ,"BASE"=>get_ou('applicationou')),
511 "PEOPLE" => array("TYPE" => "search" , "FLAGS" => GL_SIZELIMIT | GL_SUBSEARCH ,"BASE"=>get_people_ou()),
512 "GROUPS" => array("TYPE" => "search" , "FLAGS" => GL_SIZELIMIT | GL_SUBSEARCH ,"BASE"=>get_groups_ou()));
514 /* Subsearch ? */
515 if($SubSearch){
517 /* Get all object in this base */
518 $Flags = GL_SIZELIMIT | GL_SUBSEARCH;
519 $fetch_base = $base;
520 $tmp = get_list($Filter, "acl", $fetch_base, $Attrs, $Flags);
521 $tmp2 = get_list($FilterRoles, "acl", $fetch_base, $Attrs, $Flags);
522 foreach($tmp as $entry){
523 $res[] = $entry;
524 }
525 foreach($tmp2 as $entry){
526 $res[] = $entry;
527 }
529 }else{
531 $tmp_roles = get_list($FilterRoles, "acl", get_ou('aclroleou').$base, $Attrs,GL_SIZELIMIT);
533 foreach($tmp_roles as $entry){
534 $res[] = $entry;
535 }
537 /* Walk through all possible bases */
538 foreach($fetch_this as $type => $data){
540 /* Get requried attributes */
541 $Flags = $data['FLAGS'];
542 $fetch_base = $data['BASE'].$base;
543 $Type = $data['TYPE'];
545 /* Check if method is cat or search */
546 if($Type == "search"){
547 $tmp = get_list($Filter, "acl", $fetch_base, $Attrs, $Flags);
548 foreach($tmp as $entry){
549 $res[$entry['dn']] = $entry;
550 }
551 }else{
552 $ldap->cat($fetch_base,$Attrs);
553 $attrs = $ldap->fetch();
554 if($attrs && isset($attrs['gosaAclEntry'])){
555 $re2 = preg_replace("/\*/",".*",$Regex);
557 if(!isset($attrs['ou']) && !isset($attrs['cn'])){
558 $namingAttr= preg_replace("/^[^=]*+=([^,]*),.*$/","\\1",$fetch_base);
559 if(preg_match("/".$re2."/i",$namingAttr)){
560 $res[$attrs['dn']] = $attrs;
561 }
562 }elseif( (isset($attrs['cn'][0]) && preg_match("/".$re2."/i",$attrs['cn'][0]))
563 ||(isset($attrs['ou'][0]) && preg_match("/".$re2."/i",$attrs['ou'][0]))){
564 $res[$attrs['dn']] = $attrs;
565 }
566 }
567 }
568 }
569 }
570 $this->list = array_values($res);
571 }
574 function copyPasteHandling_from_queue($s_action,$s_entry)
575 {
576 /* Check if Copy & Paste is disabled */
577 if(!is_object($this->CopyPasteHandler)){
578 return("");
579 }
581 $ui = get_userinfo();
583 /* Add a single entry to queue */
584 if($s_action == "cut" || $s_action == "copy"){
586 /* Cleanup object queue */
587 $this->CopyPasteHandler->cleanup_queue();
588 $dn = $this->list[$s_entry]['dn'];
590 /* We can only copy & cut roles */
591 if(isset($this->list[$id]['objectClass']) && in_array("gosaRole",$this->list[$s_entry]['objectClass'])){
592 if($s_action == "copy" && preg_match("/r/",$ui->has_complete_category_acls($dn,"aclroles"))){
593 $this->CopyPasteHandler->add_to_queue($dn,$s_action,"aclroletab","ACLROLETAB","aclroles");
594 }
595 if($s_action == "cut" && preg_match("/(r.*d|d.*r)/",$ui->has_complete_category_acls($dn,"aclroles"))){
596 $this->CopyPasteHandler->add_to_queue($dn,$s_action,"aclroletab","ACLROLETAB","aclroles");
597 }
598 }
599 }
601 /* Add entries to queue */
602 if($s_action == "copy_multiple" || $s_action == "cut_multiple"){
604 /* Cleanup object queue */
605 $this->CopyPasteHandler->cleanup_queue();
607 /* Add new entries to CP queue */
608 foreach($this->list_get_selected_items() as $id){
609 $dn = $this->list[$id]['dn'];
611 if(isset($this->list[$id]['objectClass']) && in_array("gosaRole",$this->list[$id]['objectClass'])){
613 if($s_action == "copy_multiple" && preg_match("/r/",$ui->has_complete_category_acls($dn,"aclroles"))){
614 $this->CopyPasteHandler->add_to_queue($dn,"copy","aclroletab","ACLROLETAB","aclroles");
615 }
616 if($s_action == "cut_multiple" && preg_match("/(r.*d|d.*r)/",$ui->has_complete_category_acls($dn,"aclroles"))){
617 $this->CopyPasteHandler->add_to_queue($dn,"cut","aclroletab","ACLROLETAB","aclroles");
618 }
619 }
620 }
621 }
623 /* Start pasting entries */
624 if($s_action == "editPaste"){
625 $this->start_pasting_copied_objects = TRUE;
626 }
627 /* Return C&P dialog */
628 if($this->start_pasting_copied_objects && $this->CopyPasteHandler->entries_queued()){
630 /* Get dialog */
631 $this->CopyPasteHandler->SetVar("base",$this->DivListACL->selectedBase);
632 $data = $this->CopyPasteHandler->execute();
634 /* Return dialog data */
635 if(!empty($data)){
636 return($data);
637 }
638 }
640 /* Automatically disable status for pasting */
641 if(!$this->CopyPasteHandler->entries_queued()){
642 $this->start_pasting_copied_objects = FALSE;
643 }
644 return("");
645 }
648 function list_get_selected_items()
649 {
650 $ids = array();
651 foreach($_POST as $name => $value){
652 if(preg_match("/^item_selected_[0-9]*$/",$name)){
653 $id = preg_replace("/^item_selected_/","",$name);
654 $ids[$id] = $id;
655 }
656 }
657 return($ids);
658 }
661 function remove_lock()
662 {
663 /* Remove acl lock if a DN is marked as "currently edited" */
664 if (isset($this->acltabs->dn)){
665 del_lock ($this->acltabs->dn);
666 }
667 del_lock ($this->dn);
668 del_lock ($this->dns);
669 }
672 function save_object()
673 {
674 /* Handle divlist filter && department selection*/
675 if(!is_object($this->acltabs)){
676 $this->DivListACL->save_object();
677 }
678 if(is_object($this->CopyPasteHandler)){
679 $this->CopyPasteHandler->save_object();
680 }
681 }
683 /* A set of disabled and therefore overloaded functions. They are
684 not needed in this class. */
685 function remove_from_parent() { }
686 function check() { }
688 function save() {
689 echo "SAVE ACL";
690 }
692 function adapt_from_template($dn, $skip= array()) { }
693 function password_change_needed() { }
696 /* Return departments, that will be included within snapshot detection */
697 function get_used_snapshot_bases()
698 {
699 return(array());
700 }
702 }
703 // vim:tabstop=2:expandtab:shiftwidth=2:filetype=php:syntax:ruler:
704 ?>