![[tokkee]](http://tokkee.org/images/avatar.png){kind=avatar}
1 <?php
2 /*
3 * This code is part of GOsa (http://www.gosa-project.org)
4 * Copyright (C) 2003-2008 GONICUS GmbH
5 *
6 * ID: $$Id$$
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21 */
23 class aclManagement extends plugin
24 {
25 /* Plugin definitions */
26 var $plHeadline = "ACLs";
27 var $plDescription = "Manage access control lists";
29 /* Dialog attributes */
30 var $acltabs = NULL;
31 var $ui = NULL;
32 var $acl = "";
33 var $DivListACL = NULL;
35 var $CopyPasteHandler;
36 var $start_pasting_copied_objects = FALSE;
38 function aclManagement(&$config, &$ui)
39 {
40 /* Save configuration for internal use */
41 $this->config = &$config;
42 $this->ui = &$ui;
44 /* Copy & Paste enabled ?*/
45 if((isset($this->config->data['MAIN']['ENABLECOPYPASTE']))&&(preg_match("/true/i",$this->config->data['MAIN']['ENABLECOPYPASTE']))){
46 $this->CopyPasteHandler = new CopyPasteHandler($this->config);
47 }
49 /* Creat dialog object */
50 $this->DivListACL = new divListACL($this->config,$this);
51 }
54 function execute()
55 {
56 /* Call parent execute */
57 plugin::execute();
59 session::set('LOCK_VARS_TO_USE',array("/^list/","/^id_/","/^list_acl_role_del/","/^list_acl_del/","/^menu_action/"));
61 $smarty = get_smarty(); // Smarty instance
62 $s_action = ""; // Contains the action to be taken
63 $s_entry = ""; // The value for s_action
65 /* Edit entry button pressed? */
66 if( isset($_GET['act']) && $_GET['act'] == "list_edit_entry" ){
67 $s_action= "edit";
68 $s_entry= validate($_GET['id']);
69 }
71 /* Edit entry button pressed? */
72 if( isset($_GET['act']) && $_GET['act'] == "list_edit_role" ){
73 $s_action= "edit_role";
74 $s_entry= validate($_GET['id']);
75 }
77 $types = array(
78 "del" =>"^list_acl_del",
79 "edit" =>"^list_acl_edit",
80 "del_role" =>"^list_acl_role_del",
81 "edit_role" =>"^list_acl_role_edit",
82 "copy" =>"^copy",
83 "cut" =>"^cut",
84 "copy_multiple"=> "^multiple_copy_objects",
85 "cut_multiple" => "^multiple_cut_objects",
86 "editPaste" =>"^editPaste",
87 "addrole" =>"^new_acl_role");
89 /* Test relevant POST values */
90 foreach($_POST as $key => $val){
92 /* Get every possible POST combination and set s_action/s_entry accordingly */
93 foreach($types as $act => $name){
95 if (preg_match("/".$name.".*/", $key)){
96 $s_action= $act;
97 $s_entry= preg_replace("/".$name."_/i", "", $key);
98 }
99 }
100 }
102 /* Remove coordinate prefix from POST, required by some browsers */
103 $s_entry= preg_replace("/_.$/", "", $s_entry);
105 /* Seperate possibly encoded tab and entry, default to tab "acl" */
106 if(preg_match("/.*-.*/", $s_entry)){
107 $s_tab= preg_replace("/^[^-]*-/i", "" ,$s_entry);
108 $s_entry= preg_replace("/-[^-]*$/i", "", $s_entry);
109 }else{
110 $s_tab= "generic";
111 }
114 /* handle C&P from layers menu */
115 if(isset($_POST['menu_action']) && preg_match("/^multiple_copy_systems/",$_POST['menu_action'])){
116 $s_action = "copy_multiple";
117 }
118 if(isset($_POST['menu_action']) && preg_match("/^multiple_cut_systems/",$_POST['menu_action'])){
119 $s_action = "cut_multiple";
120 }
121 if(isset($_POST['menu_action']) && preg_match("/^editPaste/",$_POST['menu_action'])){
122 $s_action = "editPaste";
123 }
125 /* Create options */
126 if(isset($_POST['menu_action']) && $_POST['menu_action'] == "new_acl_role"){
127 $s_action = "new";
128 }
130 /* handle remove from layers menu */
131 if(isset($_POST['menu_action']) && preg_match("/^remove_multiple/",$_POST['menu_action'])){
132 $s_action = "del_multiple";
133 }
136 /********************
137 Copy & Paste Handling ...
138 ********************/
140 /* Display the copy & paste dialog, if it is currently open */
141 $ret = $this->copyPasteHandling_from_queue($s_action,$s_entry);
142 if($ret){
143 return($ret);
144 }
147 /********************
148 * Add new Role entry
149 ********************/
151 if(($s_action == "new") && (!isset($this->acltabs->config))){
153 /* Get 'dn' from posted acl, must be unique */
154 $this->dn= "new";
156 /* Check permissions */
157 if(preg_match("/c/",$this->ui->get_permissions($this->DivListACL->selectedBase,"acl/acl"))){
159 /* Register acltabs to trigger edit dialog */
160 $this->acltabs= new aclroletab($this->config, NULL,$this->dn);
161 $this->acltabs->set_acl_base($this->DivListACL->selectedBase);
162 }else{
163 msg_dialog::display(_("Permission error"), _("You have no permission to create a new role!"), ERROR_DIALOG);
164 }
165 }
167 /********************
168 Edit existing entry
169 ********************/
171 if (($s_action=="edit" || $s_action=="edit_role") && (!isset($this->acltabs->config))){
173 /* Get 'dn' from posted acl, must be unique */
174 $this->dn= $this->list[trim($s_entry)]['dn'];
176 /* Check permissions */
177 if(preg_match("/r/",$this->ui->get_permissions($this->dn,"acl/acl"))){
179 /* Check locking, save current plugin in 'back_plugin', so
180 the dialog knows where to return. */
181 if (($acl= get_lock($this->dn)) != ""){
182 return(gen_locked_message ($acl, $this->dn));
183 }
185 /* Lock the current entry, so everyone will get the above dialog */
186 add_lock ($this->dn, $this->ui->dn);
188 /* Register acltabs to trigger edit dialog */
189 if($s_action=="edit_role"){
190 $this->acltabs= new aclroletab($this->config, NULL,$this->dn);
191 $this->acltabs-> set_acl_base($this->dn);
192 }else{
193 $this->acltabs= new acltab($this->config, NULL,$this->dn);
194 $this->acltabs-> set_acl_base($this->dn);
195 }
197 /* Set ACL and move DN to the headline */
198 session::set('objectinfo',$this->dn);
199 }else{
200 msg_dialog::display(_("Permission error"), _("You have no permission to edit this ACL!"), ERROR_DIALOG);
201 }
202 }
205 /********************
206 Edit canceled
207 ********************/
208 if(isset($_POST['delete_lock'])){
209 del_lock ($this->dn);
210 session::un_set('objectinfo');
211 }
213 /* Reset all relevant data, if we get a _cancel request */
214 if (isset($_POST['edit_cancel'])){
215 if (isset($this->acltabs)){
216 del_lock ($this->dn);
217 unset ($this->acltabs);
218 }
219 $this->acltabs= NULL;
220 session::un_set('objectinfo');
221 }
224 /********************
225 Delete entry requested, display confirm dialog
226 ********************/
228 /* Remove acl was requested */
229 if ($s_action=="del_role"){
231 /* Get 'dn' from posted acl */
232 $this->dn= $this->list[trim($s_entry)]['dn'];
234 /* Check permissions */
235 if(preg_match("/d/",$this->ui->get_permissions($this->dn,"aclroles/aclrole"))){
237 /* Check locking, save current plugin in 'back_plugin', so
238 the dialog knows where to return. */
239 if (($acl= get_lock($this->dn)) != ""){
240 return(gen_locked_message ($acl, $this->dn));
241 }
243 /* Lock the current entry, so nobody will edit it during deletion */
244 add_lock ($this->dn, $this->ui->dn);
245 $smarty->assign("info", sprintf(_("You're about to delete the acl %s."), @LDAP::fix($this->dn)));
246 $smarty->assign("is_role",true);
248 return($smarty->fetch(get_template_path('remove.tpl', TRUE)));
249 } else {
251 /* Obviously the acl isn't allowed to delete. Show message and
252 clean session. */
253 msg_dialog::display(_("Permission error"), _("You have no permission to delete this entry!"), ERROR_DIALOG);
254 }
255 }
258 /********************
259 Delete entry confirmed
260 ********************/
262 /* Confirmation for deletion has been passed. Acl should be deleted. */
263 if (isset($_POST['delete_acl_role_confirmed'])){
265 /* Check permissions */
266 if(preg_match("/d/",$this->ui->get_permissions($this->dn,"aclroles/aclrole"))){
268 /* Delete request is permitted, perform LDAP action */
269 $this->acltabs= new aclroletab($this->config, NULL,$this->dn);
270 $this->acltabs->delete();
271 unset ($this->acltabs);
272 $this->acltabs= NULL;
273 } else {
275 /* Normally this shouldn't be reached, send some extra
276 logs to notify the administrator */
277 msg_dialog::display(_("Permission error"), _("You have no permission to delete this entry!"), ERROR_DIALOG);
279 if(isset($this->ui->uid)){
280 new log("security","aclroles/".get_class($this),$this->dn,array(),"Warning: '".$this->ui->uid."' tried to trick acl role deletion.");
281 }
282 }
284 /* Remove lock file after successfull deletion */
285 del_lock ($this->dn);
286 }
288 /********************
289 Delete entry requested, display confirm dialog
290 ********************/
292 /* Remove acl was requested */
293 if ($s_action=="del"){
295 /* Get 'dn' from posted acl */
296 $this->dn= $this->list[trim($s_entry)]['dn'];
298 /* Check permissions */
299 if(preg_match("/d/",$this->ui->get_permissions($this->dn,"acl/acl"))){
300 /* Check locking, save current plugin in 'back_plugin', so
301 the dialog knows where to return. */
302 if (($acl= get_lock($this->dn)) != ""){
303 session::set('LOCK_VARS_TO_USE',array("/^list_acl_edit/","/^list_acl_del/","/^id_/"));
304 return(gen_locked_message ($acl, $this->dn));
305 }
307 /* Lock the current entry, so nobody will edit it during deletion */
308 add_lock ($this->dn, $this->ui->dn);
309 $smarty->assign("info", sprintf(_("You're about to delete the acl %s."), @LDAP::fix($this->dn)));
310 $smarty->assign("is_role",false);
311 return($smarty->fetch(get_template_path('remove.tpl', TRUE)));
312 } else {
314 /* Obviously the acl isn't allowed to delete. Show message and
315 clean session. */
316 msg_dialog::display(_("Permission error"), _("You have no permission to delete this entry!"), ERROR_DIALOG);
317 }
318 }
321 /********************
322 Delete entry confirmed
323 ********************/
325 /* Confirmation for deletion has been passed. Acl should be deleted. */
326 if (isset($_POST['delete_acl_confirm'])){
328 /* Check permissions */
329 if(preg_match("/d/",$this->ui->get_permissions($this->dn,"acl/acl"))){
331 /* Delete request is permitted, perform LDAP action */
332 $this->acltabs= new acl($this->config, NULL,$this->dn);
333 $this->acltabs->remove_from_parent();
334 unset ($this->acltabs);
335 $this->acltabs= NULL;
336 } else {
338 /* Normally this shouldn't be reached, send some extra
339 logs to notify the administrator */
340 msg_dialog::display(_("Permission error"), _("You have no permission to delete this entry!"), ERROR_DIALOG);
342 if(isset($this->ui->uid)){
343 new log("security","aclroles/".get_class($this),$this->dn,array(),"Warning: '".$this->ui->uid."' tried to trick acl role deletion.");
345 }
346 }
348 /* Remove lock file after successfull deletion */
349 del_lock ($this->dn);
350 }
353 /********************
354 Delete entry Canceled
355 ********************/
357 /* Delete acl canceled? */
358 if (isset($_POST['delete_cancel'])){
359 del_lock ($this->dn);
360 }
363 /********************
364 Edit entry finished (Save)
365 ********************/
367 /* Finish acl edit is triggered by the tabulator dialog, so
368 the acl wants to save edited data. Check and save at this
369 point. */
370 if ((isset($_POST['edit_finish']) || isset($_POST['edit_apply'])) && (isset($this->acltabs->config))){
372 /* Check tabs, will feed message array */
373 $this->acltabs->save_object();
374 $message= $this->acltabs->check();
376 /* Save, or display error message? */
377 if (count($message) == 0){
379 /* Save acl data to ldap */
380 if($this->acltabs->save() == 1){
381 return;
382 }
384 if (!isset($_POST['edit_apply'])){
386 /* ACl has been saved successfully, remove lock from LDAP. */
387 if ($this->dn != "new"){
388 del_lock ($this->dn);
389 }
391 unset ($this->acltabs);
392 $this->acltabs= NULL;
393 session::un_set('objectinfo');
394 }
395 } else {
396 /* Ok. There seem to be errors regarding to the tab data,
397 show message and continue as usual. */
398 msg_dialog::displayChecks($message);
399 }
400 }
403 /********************
404 Display subdialog
405 ********************/
408 /* Show tab dialog if object is present */
409 if(isset($this->acltabs->config)){
411 /* Save object */
412 $this->acltabs->save_object();
413 $display= $this->acltabs->execute();
415 /* Don't show buttons if tab dialog requests this */
416 if(isset($this->acltabs)){
418 /* Skip displaying save/cancel if there is a sub dialog open */
419 if (!isset($this->acltabs->dialog) || !$this->acltabs->dialog){
420 $display.= "<p style=\"text-align:right\">\n";
421 // $display.= "<input type=submit name=\"edit_finish\" style=\"width:80px\" value=\""._("Ok")."\">\n";
422 $display.= " \n";
424 /* Skip Apply if it is a new entry */
425 #if ($this->dn != "new"){
426 # $display.= "<input type=submit name=\"edit_apply\" value=\""._("Apply")."\">\n";
427 # $display.= " \n";
428 #}
430 // $display.= "<input type=submit name=\"edit_cancel\" value=\""._("Cancel")."\">\n";
431 $display.= "</p>";
432 }
433 }
434 return ($display);
435 }
437 /* Check if there is a snapshot dialog open */
438 $base = $this->DivListACL->selectedBase;
439 if($str = $this->showSnapshotDialog($base,$this->get_used_snapshot_bases())){
440 return($str);
441 }
443 /* Return rendered main page */
444 /* Display dialog with system list */
445 $this->DivListACL->parent = $this;
446 $this->DivListACL->execute();
448 /* Add departments if subsearch is disabled */
449 if(!$this->DivListACL->SubSearch){
450 $this->DivListACL->AddDepartments($this->DivListACL->selectedBase,3,1);
451 }
452 $this->reload();
453 $this->DivListACL->setEntries($this->list);
454 return($this->DivListACL->Draw());
455 }
458 function reload()
459 {
460 /* Get divlist informations from filter part */
461 $Regex = $this->DivListACL -> Regex;
462 $SubSearch = $this->DivListACL -> SubSearch;
463 $base = $this->DivListACL -> selectedBase;
464 $Attrs = array("ou","cn","description","gosaAclEntry","objectClass");
465 $res = array();
466 $tmp = array(); // Will contain temporary results
467 $ldap = $this->config->get_ldap_link();
468 $Filter = "(&(objectClass=gosaACL)(gosaAclEntry=*)(|(cn=".$Regex.")(ou=".$Regex.")))";
469 $FilterRoles= "(&(objectClass=gosaRole)(|(cn=".$Regex.")(ou=".$Regex.")))";
471 /* Fetch following structures, this will be used if !$SubSearch */
472 $fetch_this = array(
473 "ME" => array("TYPE" => "cat" , "FLAGS" => GL_SIZELIMIT ,"BASE"=>""),
474 "SYSTEMS" => array("TYPE" => "search" , "FLAGS" => GL_SIZELIMIT | GL_SUBSEARCH ,"BASE"=>get_ou('systemsou')),
475 "APPS" => array("TYPE" => "search" , "FLAGS" => GL_SIZELIMIT | GL_SUBSEARCH ,"BASE"=>get_ou('applicationou')),
476 "PEOPLE" => array("TYPE" => "search" , "FLAGS" => GL_SIZELIMIT | GL_SUBSEARCH ,"BASE"=>get_people_ou()),
477 "GROUPS" => array("TYPE" => "search" , "FLAGS" => GL_SIZELIMIT | GL_SUBSEARCH ,"BASE"=>get_groups_ou()));
479 /* Subsearch ? */
480 if($SubSearch){
482 /* Get all object in this base */
483 $Flags = GL_SIZELIMIT | GL_SUBSEARCH;
484 $fetch_base = $base;
485 $tmp = get_list($Filter, "acl", $fetch_base, $Attrs, $Flags);
486 $tmp2 = get_list($FilterRoles, "acl", $fetch_base, $Attrs, $Flags);
487 foreach($tmp as $entry){
488 $res[] = $entry;
489 }
490 foreach($tmp2 as $entry){
491 $res[] = $entry;
492 }
494 }else{
496 $tmp_roles = get_list($FilterRoles, "acl", get_ou('aclroleou').$base, $Attrs,GL_SIZELIMIT);
498 foreach($tmp_roles as $entry){
499 $res[] = $entry;
500 }
502 /* Walk through all possible bases */
503 foreach($fetch_this as $type => $data){
505 /* Get requried attributes */
506 $Flags = $data['FLAGS'];
507 $fetch_base = $data['BASE'].$base;
508 $Type = $data['TYPE'];
510 /* Check if method is cat or search */
511 if($Type == "search"){
512 $tmp = get_list($Filter, "acl", $fetch_base, $Attrs, $Flags);
513 foreach($tmp as $entry){
514 $res[$entry['dn']] = $entry;
515 }
516 }else{
517 $ldap->cat($fetch_base,$Attrs);
518 $attrs = $ldap->fetch();
519 if($attrs && isset($attrs['gosaAclEntry'])){
520 $re2 = preg_replace("/\*/",".*",$Regex);
522 if(!isset($attrs['ou']) && !isset($attrs['cn'])){
523 $namingAttr= preg_replace("/^[^=]*+=([^,]*),.*$/","\\1",$fetch_base);
524 if(preg_match("/".$re2."/i",$namingAttr)){
525 $res[$attrs['dn']] = $attrs;
526 }
527 }elseif( (isset($attrs['cn'][0]) && preg_match("/".$re2."/i",$attrs['cn'][0]))
528 ||(isset($attrs['ou'][0]) && preg_match("/".$re2."/i",$attrs['ou'][0]))){
529 $res[$attrs['dn']] = $attrs;
530 }
531 }
532 }
533 }
534 }
535 $this->list = array_values($res);
536 }
539 function copyPasteHandling_from_queue($s_action,$s_entry)
540 {
541 /* Check if Copy & Paste is disabled */
542 if(!is_object($this->CopyPasteHandler)){
543 return("");
544 }
546 /* Add a single entry to queue */
547 if($s_action == "cut" || $s_action == "copy"){
549 /* Cleanup object queue */
550 $this->CopyPasteHandler->cleanup_queue();
551 $dn = $this->list[$s_entry]['dn'];
553 if(isset($this->list[$s_entry]['objectClass']) && in_array("gosaRole",$this->list[$s_entry]['objectClass'])){
554 $this->CopyPasteHandler->add_to_queue($dn,$s_action,"aclroletab","ACLROLETAB","aclroles");
555 }
556 }
558 /* Add entries to queue */
559 if($s_action == "copy_multiple" || $s_action == "cut_multiple"){
561 /* Cleanup object queue */
562 $this->CopyPasteHandler->cleanup_queue();
564 /* Add new entries to CP queue */
565 foreach($this->list_get_selected_items() as $id){
566 $dn = $this->list[$id]['dn'];
568 if(isset($this->list[$id]['objectClass']) && in_array("gosaRole",$this->list[$id]['objectClass'])){
570 if($s_action == "copy_multiple"){
571 $this->CopyPasteHandler->add_to_queue($dn,"copy","aclroletab","ACLROLETAB","aclroles");
572 }
573 if($s_action == "cut_multiple"){
574 $this->CopyPasteHandler->add_to_queue($dn,"cut","aclroletab","ACLROLETAB","aclroles");
575 }
576 }
577 }
578 }
580 /* Start pasting entries */
581 if($s_action == "editPaste"){
582 $this->start_pasting_copied_objects = TRUE;
583 }
584 /* Return C&P dialog */
585 if($this->start_pasting_copied_objects && $this->CopyPasteHandler->entries_queued()){
587 /* Get dialog */
588 $this->CopyPasteHandler->SetVar("base",$this->DivListACL->selectedBase);
589 $data = $this->CopyPasteHandler->execute();
591 /* Return dialog data */
592 if(!empty($data)){
593 return($data);
594 }
595 }
597 /* Automatically disable status for pasting */
598 if(!$this->CopyPasteHandler->entries_queued()){
599 $this->start_pasting_copied_objects = FALSE;
600 }
601 return("");
602 }
605 function list_get_selected_items()
606 {
607 $ids = array();
608 foreach($_POST as $name => $value){
609 if(preg_match("/^item_selected_[0-9]*$/",$name)){
610 $id = preg_replace("/^item_selected_/","",$name);
611 $ids[$id] = $id;
612 }
613 }
614 return($ids);
615 }
618 function remove_lock()
619 {
620 /* Remove acl lock if a DN is marked as "currently edited" */
621 if (isset($this->acltabs->dn)){
622 del_lock ($this->acltabs->dn);
623 }
624 }
627 function save_object()
628 {
629 /* Handle divlist filter && department selection*/
630 if(!is_object($this->acltabs)){
631 $this->DivListACL->save_object();
632 }
633 }
635 /* A set of disabled and therefore overloaded functions. They are
636 not needed in this class. */
637 function remove_from_parent() { }
638 function check() { }
640 function save() {
641 echo "SAVE ACL";
642 }
644 function adapt_from_template($dn) { }
645 function password_change_needed() { }
648 /* Return departments, that will be included within snapshot detection */
649 function get_used_snapshot_bases()
650 {
651 return(array());
652 }
654 }
655 // vim:tabstop=2:expandtab:shiftwidth=2:filetype=php:syntax:ruler:
656 ?>