![[tokkee]](http://tokkee.org/images/avatar.png){kind=avatar}
1 <?php
2 /*
3 * This code is part of GOsa (http://www.gosa-project.org)
4 * Copyright (C) 2003-2008 GONICUS GmbH
5 *
6 * ID: $$Id$$
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21 */
23 class aclManagement extends plugin
24 {
25 /* Plugin definitions */
26 var $plHeadline = "ACL";
27 var $plDescription = "Manage access control lists";
29 /* Dialog attributes */
30 var $acltabs = NULL;
31 var $ui = NULL;
32 var $acl = "";
33 var $DivListACL = NULL;
35 var $CopyPasteHandler;
36 var $start_pasting_copied_objects = FALSE;
37 var $dns = array();
39 var $acl_module = array("acl","aclroles");
41 function aclManagement(&$config, &$ui)
42 {
43 /* Save configuration for internal use */
44 $this->config = &$config;
45 $this->ui = &$ui;
47 /* Copy & Paste enabled ?*/
48 if((isset($this->config->data['MAIN']['ENABLECOPYPASTE']))&&(preg_match("/true/i",$this->config->data['MAIN']['ENABLECOPYPASTE']))){
49 $this->CopyPasteHandler = new CopyPasteHandler($this->config);
50 }
52 /* Creat dialog object */
53 $this->DivListACL = new divListACL($this->config,$this);
54 }
57 function execute()
58 {
59 /* Call parent execute */
60 plugin::execute();
62 session::set('LOCK_VARS_TO_USE',array("/^item_selected/","/^menu_action/","/^list/","/^id_/","/^list_acl_role_del/","/^list_acl_del/","/^menu_action/"));
64 $smarty = get_smarty(); // Smarty instance
65 $s_action = ""; // Contains the action to be taken
66 $s_entry = ""; // The value for s_action
68 /* Edit entry button pressed? */
69 if( isset($_GET['act']) && $_GET['act'] == "list_edit_entry" ){
70 $s_action= "edit";
71 $s_entry= validate($_GET['id']);
72 }
74 /* Edit entry button pressed? */
75 if( isset($_GET['act']) && $_GET['act'] == "list_edit_role" ){
76 $s_action= "edit_role";
77 $s_entry= validate($_GET['id']);
78 }
80 $types = array(
81 "del" =>"^list_acl_del",
82 "edit" =>"^list_acl_edit",
83 "del_role" =>"^list_acl_role_del",
84 "edit_role" =>"^list_acl_role_edit",
85 "copy" =>"^copy",
86 "cut" =>"^cut",
87 "copy_multiple"=> "^multiple_copy_objects",
88 "cut_multiple" => "^multiple_cut_objects",
89 "editPaste" =>"^editPaste",
90 "addrole" =>"^new_acl_role");
92 /* Test relevant POST values */
93 foreach($_POST as $key => $val){
95 /* Get every possible POST combination and set s_action/s_entry accordingly */
96 foreach($types as $act => $name){
98 if (preg_match("/".$name.".*/", $key)){
99 $s_action= $act;
100 $s_entry= preg_replace("/".$name."_/i", "", $key);
101 }
102 }
103 }
105 /* Remove coordinate prefix from POST, required by some browsers */
106 $s_entry= preg_replace("/_.$/", "", $s_entry);
108 /* Seperate possibly encoded tab and entry, default to tab "acl" */
109 if(preg_match("/.*-.*/", $s_entry)){
110 $s_tab= preg_replace("/^[^-]*-/i", "" ,$s_entry);
111 $s_entry= preg_replace("/-[^-]*$/i", "", $s_entry);
112 }else{
113 $s_tab= "generic";
114 }
117 /* handle C&P from layers menu */
118 if(isset($_POST['menu_action']) && preg_match("/^multiple_copy_systems/",$_POST['menu_action'])){
119 $s_action = "copy_multiple";
120 }
121 if(isset($_POST['menu_action']) && preg_match("/^multiple_cut_systems/",$_POST['menu_action'])){
122 $s_action = "cut_multiple";
123 }
124 if(isset($_POST['menu_action']) && preg_match("/^editPaste/",$_POST['menu_action'])){
125 $s_action = "editPaste";
126 }
128 /* Create options */
129 if(isset($_POST['menu_action']) && $_POST['menu_action'] == "new_acl_role"){
130 $s_action = "new";
131 }
133 /* handle remove from layers menu */
134 if(isset($_POST['menu_action']) && preg_match("/^remove_multiple/",$_POST['menu_action'])){
135 $s_action = "del_multiple";
136 }
139 /********************
140 Copy & Paste Handling ...
141 ********************/
143 /* Display the copy & paste dialog, if it is currently open */
144 $ret = $this->copyPasteHandling_from_queue($s_action,$s_entry);
145 if($ret){
146 return($ret);
147 }
150 /********************
151 * Add new Role entry
152 ********************/
154 if(($s_action == "new") && (!isset($this->acltabs->config))){
156 /* Get 'dn' from posted acl, must be unique */
157 $this->dn= "new";
159 /* Check permissions */
160 if(preg_match("/c/",$this->ui->get_permissions($this->DivListACL->selectedBase,"aclroles/aclrole"))){
162 /* Register acltabs to trigger edit dialog */
163 $this->acltabs= new aclroletab($this->config, NULL,$this->dn);
164 $this->acltabs->set_acl_base($this->DivListACL->selectedBase);
165 }else{
166 msg_dialog::display(_("Permission error"), msgPool::permCreate(), ERROR_DIALOG);
167 }
168 }
170 /********************
171 Edit existing entry
172 ********************/
174 if (($s_action=="edit" || $s_action=="edit_role") && (!isset($this->acltabs->config))){
176 /* Get 'dn' from posted acl, must be unique */
177 $this->dn= $this->list[trim($s_entry)]['dn'];
179 if(in_array("gosaRole",$this->list[trim($s_entry)]['objectClass'])){
180 $acl = "aclroles/aclrole";
181 }else{
182 $acl = "acl/acl";
183 }
185 /* Check permissions */
186 if(preg_match("/r/",$this->ui->get_permissions($this->dn,$acl))){
188 /* Check locking, save current plugin in 'back_plugin', so
189 the dialog knows where to return. */
190 if (($acl= get_lock($this->dn)) != ""){
191 return(gen_locked_message ($acl, $this->dn));
192 }
194 /* Lock the current entry, so everyone will get the above dialog */
195 add_lock ($this->dn, $this->ui->dn);
197 /* Register acltabs to trigger edit dialog */
198 if($s_action=="edit_role"){
199 $this->acltabs= new aclroletab($this->config, NULL,$this->dn);
200 $this->acltabs-> set_acl_base($this->dn);
201 }else{
202 $this->acltabs= new acltab($this->config, NULL,$this->dn);
203 $this->acltabs-> set_acl_base($this->dn);
204 }
206 /* Set ACL and move DN to the headline */
207 session::set('objectinfo',$this->dn);
208 }else{
209 msg_dialog::display(_("Permission error"), msgPool::permModify(), ERROR_DIALOG);
210 }
211 }
214 /********************
215 Edit canceled
216 ********************/
217 if(isset($_POST['delete_lock'])){
218 $this->remove_lock();
219 session::un_set('objectinfo');
220 }
222 /* Reset all relevant data, if we get a _cancel request */
223 if (isset($_POST['edit_cancel'])){
224 $this->remove_lock();
225 $this->acltabs= NULL;
226 session::un_set('objectinfo');
227 }
230 /********************
231 Delete entry requested, display confirm dialog
232 ********************/
234 /* Remove acl was requested */
235 if ($s_action=="del_role"){
237 /* Get 'dn' from posted acl */
238 $this->dn= $this->list[trim($s_entry)]['dn'];
240 /* Check permissions */
241 if(preg_match("/d/",$this->ui->get_permissions($this->dn,"aclroles/aclrole"))){
243 /* Check locking, save current plugin in 'back_plugin', so
244 the dialog knows where to return. */
245 if (($acl= get_lock($this->dn)) != ""){
246 return(gen_locked_message ($acl, $this->dn));
247 }
249 /* Lock the current entry, so nobody will edit it during deletion */
250 add_lock ($this->dn, $this->ui->dn);
251 $smarty->assign("info", msgPool::deleteInfo(@LDAP::fix($this->dn)));
252 $smarty->assign("is_role",true);
254 return($smarty->fetch(get_template_path('remove.tpl', TRUE)));
255 } else {
257 /* Obviously the acl isn't allowed to delete. Show message and
258 clean session. */
259 msg_dialog::display(_("Permission error"), msgPool::permDelete(), ERROR_DIALOG);
260 }
261 }
264 /********************
265 Delete entry confirmed
266 ********************/
268 /* Confirmation for deletion has been passed. Acl should be deleted. */
269 if (isset($_POST['delete_acl_role_confirmed'])){
271 /* Check permissions */
272 if(preg_match("/d/",$this->ui->get_permissions($this->dn,"aclroles/aclrole"))){
274 /* Delete request is permitted, perform LDAP action */
275 $this->acltabs= new aclroletab($this->config, NULL,$this->dn);
276 $this->acltabs->delete();
277 unset ($this->acltabs);
278 $this->acltabs= NULL;
279 } else {
281 /* Normally this shouldn't be reached, send some extra
282 logs to notify the administrator */
283 msg_dialog::display(_("Permission error"), msgPool::permDelete(), ERROR_DIALOG);
285 if(isset($this->ui->uid)){
286 new log("security","aclroles/".get_class($this),$this->dn,array(),"Warning: '".$this->ui->uid."' tried to trick acl role deletion.");
287 }
288 }
290 /* Remove lock file after successfull deletion */
291 $this->remove_lock();
292 }
294 /********************
295 Delete entry requested, display confirm dialog
296 ********************/
298 /* Remove acl was requested */
299 if ($s_action=="del" || $s_action == "del_multiple"){
301 /* Get 'dn' from posted acl */
302 if($s_action == "del"){
303 $this->dns = array( $this->list[trim($s_entry)]['dn']);
304 }else{
305 $this->dns = array();
306 foreach($this->list_get_selected_items() as $id){
307 $this->dns[] = $this->list[$id]['dn'];
308 }
309 }
311 $disallowed = array();
312 foreach($this->dns as $key => $dn){
313 $acl = $this->ui->get_permissions($dn, "aclroles/aclrole");
314 if(!preg_match("/d/",$acl)){
315 unset($this->dns[$key]);
316 $disallowed[] = $dn;
317 }
318 }
320 if(count($disallowed)){
321 msg_dialog::display(_("Permission"),msgPool::permDelete($disallowed),INFO_DIALOG);
322 }
324 if(count($this->dns)){
327 /* Display lock messages */
328 if ($user= get_multiple_locks($this->dns)){
329 return(gen_locked_message($user,$this->dns));
330 }
332 $dns_names = array();
333 foreach($this->dns as $key => $dn){
335 /* Check permissions */
336 if(!preg_match("/d/",$this->ui->get_permissions($dn,"aclroles/aclrole"))){
338 /* Obviously the acl isn't allowed to delete. Show message and
339 clean session. */
340 msg_dialog::display(_("Permission error"), msgPool::permDelete(), ERROR_DIALOG);
341 unset($this->dns[$key]);
342 continue;
343 }
345 $dns_names[] = LDAP::fix($dn);
346 }
348 if(count($this->dns)){
349 add_lock($this->dns,$this->ui->dn);
350 $smarty->assign("info", msgPool::deleteInfo($dns_names));
351 $smarty->assign("is_role",false);
352 return($smarty->fetch(get_template_path('remove.tpl', TRUE)));
353 }
354 }
355 }
358 /********************
359 Delete entry confirmed
360 ********************/
362 /* Confirmation for deletion has been passed. Acl should be deleted. */
363 if (isset($_POST['delete_acl_confirm'])){
365 /* Check permissions */
366 if(preg_match("/d/",$this->ui->get_permissions($this->dn,"aclroles/aclrole"))){
368 /* Delete request is permitted, perform LDAP action */
369 $this->acltabs= new acl($this->config, NULL,$this->dn);
370 $this->acltabs->remove_from_parent();
371 unset ($this->acltabs);
372 $this->acltabs= NULL;
373 } else {
375 /* Normally this shouldn't be reached, send some extra
376 logs to notify the administrator */
377 msg_dialog::display(_("Permission error"),msgPool::permDelete(), ERROR_DIALOG);
379 if(isset($this->ui->uid)){
380 new log("security","aclroles/".get_class($this),$this->dn,array(),"Warning: '".$this->ui->uid."' tried to trick acl role deletion.");
382 }
383 }
385 /* Remove lock file after successfull deletion */
386 $this->remove_lock();
387 }
390 /********************
391 Delete entry Canceled
392 ********************/
394 /* Delete acl canceled? */
395 if (isset($_POST['delete_acl_cancel'])){
396 $this->remove_lock();
397 }
400 /********************
401 Edit entry finished (Save)
402 ********************/
404 /* Finish acl edit is triggered by the tabulator dialog, so
405 the acl wants to save edited data. Check and save at this
406 point. */
407 if ((isset($_POST['edit_finish']) || isset($_POST['edit_apply'])) && (isset($this->acltabs->config))){
409 /* Check tabs, will feed message array */
410 $this->acltabs->save_object();
411 $message= $this->acltabs->check();
413 /* Save, or display error message? */
414 if (count($message) == 0){
416 /* Save acl data to ldap */
417 if($this->acltabs->save() == 1){
418 return;
419 }
421 if (!isset($_POST['edit_apply'])){
423 /* ACl has been saved successfully, remove lock from LDAP. */
424 if ($this->dn != "new"){
425 $this->remove_lock();
426 }
428 unset ($this->acltabs);
429 $this->acltabs= NULL;
430 session::un_set('objectinfo');
431 }
432 } else {
433 /* Ok. There seem to be errors regarding to the tab data,
434 show message and continue as usual. */
435 msg_dialog::displayChecks($message);
436 }
437 }
440 /********************
441 Display subdialog
442 ********************/
445 /* Show tab dialog if object is present */
446 if(isset($this->acltabs->config)){
448 /* Save object */
449 $this->acltabs->save_object();
450 $display= $this->acltabs->execute();
452 /* Don't show buttons if tab dialog requests this */
453 if(isset($this->acltabs)){
455 /* Skip displaying save/cancel if there is a sub dialog open */
456 if (!isset($this->acltabs->dialog) || !$this->acltabs->dialog){
457 $display.= "<p style=\"text-align:right\">\n";
458 // $display.= "<input type=submit name=\"edit_finish\" style=\"width:80px\" value=\"".msgPool::okButton()."\">\n";
459 $display.= " \n";
461 /* Skip Apply if it is a new entry */
462 #if ($this->dn != "new"){
463 # $display.= "<input type=submit name=\"edit_apply\" value=\"".msgPool::applyButton()."\">\n";
464 # $display.= " \n";
465 #}
467 // $display.= "<input type=submit name=\"edit_cancel\" value=\"".msgPool::cancelButton()."\">\n";
468 $display.= "</p>";
469 }
470 }
471 return ($display);
472 }
474 /* Check if there is a snapshot dialog open */
475 $base = $this->DivListACL->selectedBase;
476 if($str = $this->showSnapshotDialog($base,$this->get_used_snapshot_bases(),$this)){
477 return($str);
478 }
480 /* Return rendered main page */
481 /* Display dialog with system list */
482 $this->DivListACL->parent = $this;
483 $this->DivListACL->execute();
485 /* Add departments if subsearch is disabled */
486 if(!$this->DivListACL->SubSearch){
487 $this->DivListACL->AddDepartments($this->DivListACL->selectedBase,3,1);
488 }
489 $this->reload();
490 $this->DivListACL->setEntries($this->list);
491 return($this->DivListACL->Draw());
492 }
495 function reload()
496 {
497 /* Get divlist informations from filter part */
498 $Regex = $this->DivListACL -> Regex;
499 $SubSearch = $this->DivListACL -> SubSearch;
500 $base = $this->DivListACL -> selectedBase;
501 $Attrs = array("ou","cn","description","gosaAclEntry","objectClass");
502 $res = array();
503 $tmp = array(); // Will contain temporary results
504 $ldap = $this->config->get_ldap_link();
505 $Filter = "(&(objectClass=gosaACL)(gosaAclEntry=*)(|(cn=".$Regex.")(ou=".$Regex.")))";
506 $FilterRoles= "(&(objectClass=gosaRole)(|(cn=".$Regex.")(ou=".$Regex.")))";
508 /* Fetch following structures, this will be used if !$SubSearch */
509 $fetch_this = array(
510 "ME" => array("TYPE" => "cat" , "FLAGS" => GL_SIZELIMIT ,"BASE"=>""),
511 "SYSTEMS" => array("TYPE" => "search" , "FLAGS" => GL_SIZELIMIT | GL_SUBSEARCH ,"BASE"=>get_ou('systemsou')),
512 "APPS" => array("TYPE" => "search" , "FLAGS" => GL_SIZELIMIT | GL_SUBSEARCH ,"BASE"=>get_ou('applicationou')),
513 "PEOPLE" => array("TYPE" => "search" , "FLAGS" => GL_SIZELIMIT | GL_SUBSEARCH ,"BASE"=>get_people_ou()),
514 "GROUPS" => array("TYPE" => "search" , "FLAGS" => GL_SIZELIMIT | GL_SUBSEARCH ,"BASE"=>get_groups_ou()));
516 /* Subsearch ? */
517 if($SubSearch){
519 /* Get all object in this base */
520 $Flags = GL_SIZELIMIT | GL_SUBSEARCH;
521 $fetch_base = $base;
522 $tmp = get_list($Filter, "acl", $fetch_base, $Attrs, $Flags);
523 $tmp2 = get_list($FilterRoles, "acl", $fetch_base, $Attrs, $Flags);
524 foreach($tmp as $entry){
525 $res[] = $entry;
526 }
527 foreach($tmp2 as $entry){
528 $res[] = $entry;
529 }
531 }else{
533 $tmp_roles = get_list($FilterRoles, "acl", get_ou('aclroleou').$base, $Attrs,GL_SIZELIMIT);
535 foreach($tmp_roles as $entry){
536 $res[] = $entry;
537 }
539 /* Walk through all possible bases */
540 foreach($fetch_this as $type => $data){
542 /* Get requried attributes */
543 $Flags = $data['FLAGS'];
544 $fetch_base = $data['BASE'].$base;
545 $Type = $data['TYPE'];
547 /* Check if method is cat or search */
548 if($Type == "search"){
549 $tmp = get_list($Filter, "acl", $fetch_base, $Attrs, $Flags);
550 foreach($tmp as $entry){
551 $res[$entry['dn']] = $entry;
552 }
553 }else{
554 $ldap->cat($fetch_base,$Attrs);
555 $attrs = $ldap->fetch();
556 if($attrs && isset($attrs['gosaAclEntry'])){
557 $re2 = preg_replace("/\*/",".*",$Regex);
559 if(!isset($attrs['ou']) && !isset($attrs['cn'])){
560 $namingAttr= preg_replace("/^[^=]*+=([^,]*),.*$/","\\1",$fetch_base);
561 if(preg_match("/".$re2."/i",$namingAttr)){
562 $res[$attrs['dn']] = $attrs;
563 }
564 }elseif( (isset($attrs['cn'][0]) && preg_match("/".$re2."/i",$attrs['cn'][0]))
565 ||(isset($attrs['ou'][0]) && preg_match("/".$re2."/i",$attrs['ou'][0]))){
566 $res[$attrs['dn']] = $attrs;
567 }
568 }
569 }
570 }
571 }
572 $this->list = array_values($res);
573 }
576 function copyPasteHandling_from_queue($s_action,$s_entry)
577 {
578 /* Check if Copy & Paste is disabled */
579 if(!is_object($this->CopyPasteHandler)){
580 return("");
581 }
583 $ui = get_userinfo();
585 /* Add a single entry to queue */
586 if($s_action == "cut" || $s_action == "copy"){
588 /* Cleanup object queue */
589 $this->CopyPasteHandler->cleanup_queue();
590 $dn = $this->list[$s_entry]['dn'];
592 /* We can only copy & cut roles */
593 if(isset($this->list[$s_entry]['objectClass']) && in_array("gosaRole",$this->list[$s_entry]['objectClass'])){
594 if($s_action == "copy" && $ui->is_copyable($dn,"aclroles","aclrole")){
595 $this->CopyPasteHandler->add_to_queue($dn,$s_action,"aclroletab","ACLROLETAB","aclroles");
596 }
597 if($s_action == "cut" && $ui->is_cutable($dn,"aclroles","aclrole")){
598 $this->CopyPasteHandler->add_to_queue($dn,$s_action,"aclroletab","ACLROLETAB","aclroles");
599 }
600 }
601 }
603 /* Add entries to queue */
604 if($s_action == "copy_multiple" || $s_action == "cut_multiple"){
606 /* Cleanup object queue */
607 $this->CopyPasteHandler->cleanup_queue();
609 /* Add new entries to CP queue */
610 foreach($this->list_get_selected_items() as $id){
611 $dn = $this->list[$id]['dn'];
613 if(isset($this->list[$id]['objectClass']) && in_array("gosaRole",$this->list[$id]['objectClass'])){
615 if($s_action == "copy_multiple" && $ui->is_copyable($dn,"aclroles","aclrole")){
616 $this->CopyPasteHandler->add_to_queue($dn,"copy","aclroletab","ACLROLETAB","aclroles");
617 }
618 if($s_action == "cut_multiple" && $ui->is_cutable($dn,"aclroles","aclrole")){
619 $this->CopyPasteHandler->add_to_queue($dn,"cut","aclroletab","ACLROLETAB","aclroles");
620 }
621 }
622 }
623 }
625 /* Start pasting entries */
626 if($s_action == "editPaste"){
627 $this->start_pasting_copied_objects = TRUE;
628 }
629 /* Return C&P dialog */
630 if($this->start_pasting_copied_objects && $this->CopyPasteHandler->entries_queued()){
632 /* Get dialog */
633 $this->CopyPasteHandler->SetVar("base",$this->DivListACL->selectedBase);
634 $data = $this->CopyPasteHandler->execute();
636 /* Return dialog data */
637 if(!empty($data)){
638 return($data);
639 }
640 }
642 /* Automatically disable status for pasting */
643 if(!$this->CopyPasteHandler->entries_queued()){
644 $this->start_pasting_copied_objects = FALSE;
645 }
646 return("");
647 }
650 function list_get_selected_items()
651 {
652 $ids = array();
653 foreach($_POST as $name => $value){
654 if(preg_match("/^item_selected_[0-9]*$/",$name)){
655 $id = preg_replace("/^item_selected_/","",$name);
656 $ids[$id] = $id;
657 }
658 }
659 return($ids);
660 }
663 function remove_lock()
664 {
665 /* Remove acl lock if a DN is marked as "currently edited" */
666 if (isset($this->acltabs->dn)){
667 del_lock ($this->acltabs->dn);
668 }
669 del_lock ($this->dn);
670 del_lock ($this->dns);
671 }
674 function save_object()
675 {
676 /* Handle divlist filter && department selection*/
677 if(!is_object($this->acltabs)){
678 $this->DivListACL->save_object();
679 }
680 if(is_object($this->CopyPasteHandler)){
681 $this->CopyPasteHandler->save_object();
682 }
683 }
685 /* A set of disabled and therefore overloaded functions. They are
686 not needed in this class. */
687 function remove_from_parent() { }
688 function check() { }
690 function save() {
691 echo "SAVE ACL";
692 }
694 function adapt_from_template($dn, $skip= array()) { }
695 function password_change_needed() { }
698 /* Return departments, that will be included within snapshot detection */
699 function get_used_snapshot_bases()
700 {
701 return(array());
702 }
704 }
705 // vim:tabstop=2:expandtab:shiftwidth=2:filetype=php:syntax:ruler:
706 ?>