1 <?php
2 /*
3 * This code is part of GOsa (http://www.gosa-project.org)
4 * Copyright (C) 2003-2008 GONICUS GmbH
5 *
6 * ID: $$Id$$
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
12 *
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21 */
23 class aclManagement extends plugin
24 {
25 /* Plugin definitions */
26 var $plHeadline = "ACL";
27 var $plDescription = "Manage access control lists";
29 /* Dialog attributes */
30 var $acltabs = NULL;
31 var $ui = NULL;
32 var $acl = "";
33 var $DivListACL = NULL;
35 var $CopyPasteHandler;
36 var $start_pasting_copied_objects = FALSE;
37 var $dns = array();
39 var $acl_module = array("acl");
41 function aclManagement(&$config, &$ui)
42 {
43 /* Save configuration for internal use */
44 $this->config = &$config;
45 $this->ui = &$ui;
47 /* Copy & Paste enabled ?*/
48 if ($this->config->get_cfg_value("copyPaste") == "true"){
49 $this->CopyPasteHandler = new CopyPasteHandler($this->config);
50 }
52 /* Creat dialog object */
53 $this->DivListACL = new divListACL($this->config,$this);
54 }
57 function execute()
58 {
59 /* Call parent execute */
60 plugin::execute();
62 session::set('LOCK_VARS_TO_USE',array("/^item_selected/","/^menu_action/",
63 "/^list/","/^id_/","/^menu_action/","/^act$/","/^id$/"));
65 $smarty = get_smarty(); // Smarty instance
66 $s_action = ""; // Contains the action to be taken
67 $s_entry = ""; // The value for s_action
69 /* Edit entry button pressed? */
70 if( isset($_GET['act']) && $_GET['act'] == "list_edit_entry" ){
71 $s_action= "edit";
72 $s_entry= validate($_GET['id']);
73 }
75 /* Edit entry button pressed? */
76 if( isset($_GET['act']) && $_GET['act'] == "list_edit_role" ){
77 $s_action= "edit_role";
78 $s_entry= validate($_GET['id']);
79 }
81 $types = array(
82 "del" =>"^list_acl_del",
83 "edit" =>"^list_acl_edit",
84 "edit_role" =>"^list_acl_role_edit",
85 "copy" =>"^copy",
86 "cut" =>"^cut",
87 "copy_multiple"=> "^multiple_copy_objects",
88 "cut_multiple" => "^multiple_cut_objects",
89 "editPaste" =>"^editPaste",
90 "addrole" =>"^new_acl_role");
92 /* Test relevant POST values */
93 foreach($_POST as $key => $val){
95 /* Get every possible POST combination and set s_action/s_entry accordingly */
96 foreach($types as $act => $name){
98 if (preg_match("/".$name.".*/", $key)){
99 $s_action= $act;
100 $s_entry= preg_replace("/".$name."_/i", "", $key);
101 }
102 }
103 }
105 /* Remove coordinate prefix from POST, required by some browsers */
106 $s_entry= preg_replace("/_.$/", "", $s_entry);
108 /* Seperate possibly encoded tab and entry, default to tab "acl" */
109 if(preg_match("/.*-.*/", $s_entry)){
110 $s_tab= preg_replace("/^[^-]*-/i", "" ,$s_entry);
111 $s_entry= preg_replace("/-[^-]*$/i", "", $s_entry);
112 }else{
113 $s_tab= "generic";
114 }
117 /* handle C&P from layers menu */
118 if(isset($_POST['menu_action']) && preg_match("/^multiple_copy_systems/",$_POST['menu_action'])){
119 $s_action = "copy_multiple";
120 }
121 if(isset($_POST['menu_action']) && preg_match("/^multiple_cut_systems/",$_POST['menu_action'])){
122 $s_action = "cut_multiple";
123 }
124 if(isset($_POST['menu_action']) && preg_match("/^editPaste/",$_POST['menu_action'])){
125 $s_action = "editPaste";
126 }
128 /* Create options */
129 if(isset($_POST['menu_action']) && $_POST['menu_action'] == "new_acl_role"){
130 $s_action = "new";
131 }
133 /* handle remove from layers menu */
134 if(isset($_POST['menu_action']) && preg_match("/^remove_multiple/",$_POST['menu_action'])){
135 $s_action = "del_multiple";
136 }
139 /********************
140 Copy & Paste Handling ...
141 ********************/
143 /* Display the copy & paste dialog, if it is currently open */
144 $ret = $this->copyPasteHandling_from_queue($s_action,$s_entry);
145 if($ret){
146 return($ret);
147 }
150 /********************
151 * Add new Role entry
152 ********************/
154 if(($s_action == "new") && (!isset($this->acltabs->config))){
156 /* Get 'dn' from posted acl, must be unique */
157 $this->dn= "new";
159 /* Check permissions */
160 if(preg_match("/c/",$this->ui->get_permissions($this->DivListACL->selectedBase,"acl/aclrole"))){
162 /* Register acltabs to trigger edit dialog */
163 $this->acltabs= new aclroletab($this->config, NULL,$this->dn);
164 $this->acltabs->set_acl_base($this->DivListACL->selectedBase);
165 }else{
166 msg_dialog::display(_("Permission error"), msgPool::permCreate(), ERROR_DIALOG);
167 }
168 }
170 /********************
171 Edit existing entry
172 ********************/
174 if (($s_action=="edit" || $s_action=="edit_role") && (!isset($this->acltabs->config))){
176 /* Get 'dn' from posted acl, must be unique */
177 $this->dn= $this->list[trim($s_entry)]['dn'];
179 if(in_array("gosaRole",$this->list[trim($s_entry)]['objectClass'])){
180 $acl = "acl/aclrole";
181 }else{
182 $acl = "acl/acl";
183 }
185 /* Check permissions */
186 if(preg_match("/r/",$this->ui->get_permissions($this->dn,$acl))){
188 /* Check locking, save current plugin in 'back_plugin', so
189 the dialog knows where to return. */
190 if (($acl= get_lock($this->dn)) != ""){
191 return(gen_locked_message ($acl, $this->dn));
192 }
194 /* Lock the current entry, so everyone will get the above dialog */
195 add_lock ($this->dn, $this->ui->dn);
197 /* Register acltabs to trigger edit dialog */
198 if($s_action=="edit_role"){
199 $this->acltabs= new aclroletab($this->config, NULL,$this->dn);
200 $this->acltabs-> set_acl_base($this->dn);
201 }else{
202 $this->acltabs= new acltab($this->config, NULL,$this->dn);
203 $this->acltabs-> set_acl_base($this->dn);
204 }
206 /* Set ACL and move DN to the headline */
207 session::set('objectinfo',$this->dn);
208 }else{
209 msg_dialog::display(_("Permission error"), msgPool::permModify(), ERROR_DIALOG);
210 }
211 }
214 /********************
215 Edit canceled
216 ********************/
217 if(isset($_POST['delete_lock'])){
218 $this->remove_lock();
219 session::un_set('objectinfo');
220 }
222 /* Reset all relevant data, if we get a _cancel request */
223 if (isset($_POST['edit_cancel'])){
224 $this->remove_lock();
225 $this->acltabs= NULL;
226 session::un_set('objectinfo');
227 }
230 /********************
231 Delete entry requested, display confirm dialog
232 ********************/
234 /* Remove acl was requested */
235 if ($s_action=="del" || $s_action == "del_multiple"){
237 /* Collect entries to delete
238 */
239 if($s_action == "del"){
240 $ids = array(trim($s_entry));
241 }else{
242 $ids = $this->list_get_selected_items();
243 }
245 /* Check ACLs and collect removeable entries.
246 */
247 $this->ids = array();
248 $this->dns = array();
249 $disallowed = array();
250 foreach($ids as $id){
251 $dn = $this->list[$id]['dn'];
252 if(in_array("gosaRole",$this->list[$id]['objectClass'])){
253 $acl = $this->ui->get_permissions($dn, "acl/aclrole");
254 }else{
255 $acl = $this->ui->get_permissions($dn, "acl/acl");
256 }
257 if(!preg_match("/d/",$acl)){
258 $disallowed[] = $dn;
259 }else{
260 $this->ids[$id] = $id;
261 $this->dns[$id] = $dn;
262 }
263 }
265 /* Display a message box containing all entries that we are not allowed to remove.
266 */
267 if(count($disallowed)){
268 msg_dialog::display(_("Permission"),msgPool::permDelete($disallowed),INFO_DIALOG);
269 }
271 /* We have at least one entry that can be removed
272 */
273 if(count($this->ids)){
275 /* Display lock messages */
276 if ($user= get_multiple_locks($this->dns)){
277 return(gen_locked_message($user,$this->dns));
278 }
280 /* Create a readable string about what will be done.
281 */
282 $dns_names = array();
283 foreach($this->ids as $id){
285 /* Check permissions depending on the acl object type
286 */
287 $dn = $this->list[$id]['dn'];
288 if(in_array("gosaRole",$this->list[$id]['objectClass'])){
289 $acl = $this->ui->get_permissions($dn,"acl/aclrole");
290 $name = _("ACL role");
291 }else{
292 $acl = $this->ui->get_permissions($dn,"acl/acl");
293 $name = _("ACL");
294 }
295 $name = str_pad($name,10," ");
296 $name = preg_replace("/ /"," ",$name);
298 /* Append each entry to the displayed information dialog,
299 if we are allowed to remove the entry.
300 */
301 if(!preg_match("/d/",$acl)){
302 msg_dialog::display(_("Permission error"), msgPool::permDelete(), ERROR_DIALOG);
303 unset($this->dns[$id]);
304 unset($this->ids[$id]);
305 continue;
306 }
307 $dns_names[] = "</i><font style='font-weight:bold; font-family: courier;'>".$name."</font><i> ".LDAP::fix($dn);
308 }
309 if(count($this->dns)){
310 add_lock($this->dns,$this->ui->dn);
311 $smarty->assign("info", msgPool::deleteInfo($dns_names));
312 $smarty->assign("is_role",false);
313 return($smarty->fetch(get_template_path('remove.tpl', TRUE)));
314 }
315 }
316 }
319 /********************
320 Delete entry confirmed
321 ********************/
323 /* Confirmation for deletion has been passed. Acl should be deleted. */
324 if (isset($_POST['delete_acl_confirm'])){
326 foreach($this->ids as $id){
328 /* Depending on the type of acl we want to remove
329 create a new acl or a new gosaRole object
330 */
331 $dn = $this->list[$id]['dn'];
332 $this->dn = $dn;
333 if(in_array("gosaRole",$this->list[$id]['objectClass'])){
334 $acl = $this->ui->get_permissions($dn,"acl/aclrole");
335 $this->acltabs= new aclroletab($this->config,NULL, $this->dn);
336 }else{
337 $acl = $this->ui->get_permissions($dn,"acl/acl");
338 $this->acltabs= new acltab($this->config,NULL, $this->dn);
339 }
341 /* Check permissions */
342 if(preg_match("/d/",$acl)){
343 $this->acltabs->delete();
344 unset ($this->acltabs);
345 $this->acltabs= NULL;
346 } else {
347 msg_dialog::display(_("Permission error"),msgPool::permDelete(), ERROR_DIALOG);
348 if(isset($this->ui->uid)){
349 new log("security","acl/".get_class($this),$this->dn,array(),
350 "Warning: '".$this->ui->uid."' tried to trick acl role deletion.");
351 }
352 }
353 }
355 /* Remove lock file after successfull deletion */
356 $this->remove_lock();
357 }
360 /********************
361 Delete entry Canceled
362 ********************/
364 /* Delete acl canceled? */
365 if (isset($_POST['delete_acl_cancel'])){
366 $this->remove_lock();
367 }
370 /********************
371 Edit entry finished (Save)
372 ********************/
374 /* Finish acl edit is triggered by the tabulator dialog, so
375 the acl wants to save edited data. Check and save at this
376 point. */
377 if ((isset($_POST['edit_finish']) || isset($_POST['edit_apply'])) && (isset($this->acltabs->config))){
379 /* Check tabs, will feed message array */
380 $this->acltabs->save_object();
381 $message= $this->acltabs->check();
383 /* Save, or display error message? */
384 if (count($message) == 0){
386 /* Save acl data to ldap */
387 if($this->acltabs->save() == 1){
388 return;
389 }
391 if (!isset($_POST['edit_apply'])){
393 /* ACl has been saved successfully, remove lock from LDAP. */
394 if ($this->dn != "new"){
395 $this->remove_lock();
396 }
398 unset ($this->acltabs);
399 $this->acltabs= NULL;
400 session::un_set('objectinfo');
401 }
402 } else {
403 /* Ok. There seem to be errors regarding to the tab data,
404 show message and continue as usual. */
405 msg_dialog::displayChecks($message);
406 }
407 }
410 /********************
411 Display subdialog
412 ********************/
415 /* Show tab dialog if object is present */
416 if(isset($this->acltabs->config)){
418 /* Save object */
419 $this->acltabs->save_object();
420 $display= $this->acltabs->execute();
422 /* Don't show buttons if tab dialog requests this */
423 if(isset($this->acltabs)){
425 /* Skip displaying save/cancel if there is a sub dialog open */
426 if (!isset($this->acltabs->dialog) || !$this->acltabs->dialog){
427 $display.= "<p style=\"text-align:right\">\n";
428 // $display.= "<input type=submit name=\"edit_finish\" style=\"width:80px\" value=\"".msgPool::okButton()."\">\n";
429 $display.= " \n";
431 /* Skip Apply if it is a new entry */
432 #if ($this->dn != "new"){
433 # $display.= "<input type=submit name=\"edit_apply\" value=\"".msgPool::applyButton()."\">\n";
434 # $display.= " \n";
435 #}
437 // $display.= "<input type=submit name=\"edit_cancel\" value=\"".msgPool::cancelButton()."\">\n";
438 $display.= "</p>";
439 }
440 }
441 return ($display);
442 }
444 /* Check if there is a snapshot dialog open */
445 $base = $this->DivListACL->selectedBase;
446 if($str = $this->showSnapshotDialog($base,$this->get_used_snapshot_bases(),$this)){
447 return($str);
448 }
450 /* Return rendered main page */
451 /* Display dialog with system list */
452 $this->DivListACL->parent = $this;
453 $this->DivListACL->execute();
455 /* Add departments if subsearch is disabled */
456 if(!$this->DivListACL->SubSearch){
457 $this->DivListACL->AddDepartments($this->DivListACL->selectedBase,3,1);
458 }
459 $this->reload();
460 $this->DivListACL->setEntries($this->list);
461 return($this->DivListACL->Draw());
462 }
465 function reload()
466 {
467 /* Get divlist informations from filter part */
468 $Regex = $this->DivListACL -> Regex;
469 $SubSearch = $this->DivListACL -> SubSearch;
470 $base = $this->DivListACL -> selectedBase;
471 $Attrs = array("ou","cn","description","gosaAclEntry","objectClass");
472 $res = array();
473 $tmp = array(); // Will contain temporary results
474 $ldap = $this->config->get_ldap_link();
475 $Filter = "(&(objectClass=gosaACL)(gosaAclEntry=*)(|(cn=".$Regex.")(ou=".$Regex.")))";
476 $FilterRoles= "(&(objectClass=gosaRole)(|(cn=".$Regex.")(ou=".$Regex.")))";
478 /* Fetch following structures, this will be used if !$SubSearch */
479 $fetch_this = array(
480 "ME" => array("TYPE" => "cat" , "FLAGS" => GL_SIZELIMIT ,"BASE"=>""),
481 "SYSTEMS" => array("TYPE" => "search" , "FLAGS" => GL_SIZELIMIT | GL_SUBSEARCH ,"BASE"=>get_ou('systemRDN')),
482 "APPS" => array("TYPE" => "search" , "FLAGS" => GL_SIZELIMIT | GL_SUBSEARCH ,"BASE"=>get_ou('applicationRDN')),
483 "PEOPLE" => array("TYPE" => "search" , "FLAGS" => GL_SIZELIMIT | GL_SUBSEARCH ,"BASE"=>get_people_ou()),
484 "GROUPS" => array("TYPE" => "search" , "FLAGS" => GL_SIZELIMIT | GL_SUBSEARCH ,"BASE"=>get_groups_ou()));
486 /* Append the ldap base to be able to set alcs if there were currently no acls set
487 */
488 if($base == $this->config->current['BASE']){
489 $res[$base] = array("dn"=>$this->config->current["BASE"],"ou"=>".","objectClass"=>array("gosaACL"));
490 }
492 /* Subsearch ? */
493 if($SubSearch){
495 /* Get all object in this base */
496 $Flags = GL_SIZELIMIT | GL_SUBSEARCH;
497 $fetch_base = $base;
498 $tmp = get_list($Filter, "acl", $fetch_base, $Attrs, $Flags);
499 $tmp2 = get_list($FilterRoles, "acl", $fetch_base, $Attrs, $Flags);
500 foreach($tmp as $entry){
501 $res[] = $entry;
502 }
503 foreach($tmp2 as $entry){
504 $res[] = $entry;
505 }
507 }else{
509 $tmp_roles = get_list($FilterRoles, "acl", get_ou('aclRoleRDN').$base, $Attrs,GL_SIZELIMIT);
511 foreach($tmp_roles as $entry){
512 $res[] = $entry;
513 }
515 /* Walk through all possible bases */
516 foreach($fetch_this as $type => $data){
518 /* Get requried attributes */
519 $Flags = $data['FLAGS'];
520 $fetch_base = $data['BASE'].$base;
521 $Type = $data['TYPE'];
523 /* Check if method is cat or search */
524 if($Type == "search"){
525 $tmp = get_list($Filter, "acl", $fetch_base, $Attrs, $Flags);
526 foreach($tmp as $entry){
527 $res[$entry['dn']] = $entry;
528 }
529 }else{
530 $ldap->cat($fetch_base,$Attrs);
531 $attrs = $ldap->fetch();
532 if($attrs && isset($attrs['gosaAclEntry'])){
533 $re2 = preg_replace("/\*/",".*",$Regex);
535 if(!isset($attrs['ou']) && !isset($attrs['cn'])){
536 $namingAttr= preg_replace("/^[^=]*+=([^,]*),.*$/","\\1",$fetch_base);
537 if(preg_match("/".$re2."/i",$namingAttr)){
538 $res[$attrs['dn']] = $attrs;
539 }
540 }elseif( (isset($attrs['cn'][0]) && preg_match("/".$re2."/i",$attrs['cn'][0]))
541 ||(isset($attrs['ou'][0]) && preg_match("/".$re2."/i",$attrs['ou'][0]))){
542 $res[$attrs['dn']] = $attrs;
543 }
544 }
545 }
546 }
547 }
548 $this->list = array_values($res);
549 }
552 function copyPasteHandling_from_queue($s_action,$s_entry)
553 {
554 /* Check if Copy & Paste is disabled */
555 if(!is_object($this->CopyPasteHandler)){
556 return("");
557 }
559 $ui = get_userinfo();
561 /* Add a single entry to queue */
562 if($s_action == "cut" || $s_action == "copy"){
564 /* Cleanup object queue */
565 $this->CopyPasteHandler->cleanup_queue();
566 $dn = $this->list[$s_entry]['dn'];
568 /* We can only copy & cut roles */
569 if(isset($this->list[$s_entry]['objectClass']) && in_array("gosaRole",$this->list[$s_entry]['objectClass'])){
570 if($s_action == "copy" && $ui->is_copyable($dn,"acl","aclrole")){
571 $this->CopyPasteHandler->add_to_queue($dn,$s_action,"aclroletab","ACLROLETAB","acl");
572 }
573 if($s_action == "cut" && $ui->is_cutable($dn,"acl","aclrole")){
574 $this->CopyPasteHandler->add_to_queue($dn,$s_action,"aclroletab","ACLROLETAB","acl");
575 }
576 }
577 }
579 /* Add entries to queue */
580 if($s_action == "copy_multiple" || $s_action == "cut_multiple"){
582 /* Cleanup object queue */
583 $this->CopyPasteHandler->cleanup_queue();
585 /* Add new entries to CP queue */
586 foreach($this->list_get_selected_items() as $id){
587 $dn = $this->list[$id]['dn'];
589 if(isset($this->list[$id]['objectClass']) && in_array("gosaRole",$this->list[$id]['objectClass'])){
591 if($s_action == "copy_multiple" && $ui->is_copyable($dn,"acl","aclrole")){
592 $this->CopyPasteHandler->add_to_queue($dn,"copy","aclroletab","ACLROLETAB","acl");
593 }
594 if($s_action == "cut_multiple" && $ui->is_cutable($dn,"acl","aclrole")){
595 $this->CopyPasteHandler->add_to_queue($dn,"cut","aclroletab","ACLROLETAB","acl");
596 }
597 }
598 }
599 }
601 /* Start pasting entries */
602 if($s_action == "editPaste"){
603 $this->start_pasting_copied_objects = TRUE;
604 }
605 /* Return C&P dialog */
606 if($this->start_pasting_copied_objects && $this->CopyPasteHandler->entries_queued()){
608 /* Get dialog */
609 $this->CopyPasteHandler->SetVar("base",$this->DivListACL->selectedBase);
610 $data = $this->CopyPasteHandler->execute();
612 /* Return dialog data */
613 if(!empty($data)){
614 return($data);
615 }
616 }
618 /* Automatically disable status for pasting */
619 if(!$this->CopyPasteHandler->entries_queued()){
620 $this->start_pasting_copied_objects = FALSE;
621 }
622 return("");
623 }
626 function list_get_selected_items()
627 {
628 $ids = array();
629 foreach($_POST as $name => $value){
630 if(preg_match("/^item_selected_[0-9]*$/",$name)){
631 $id = preg_replace("/^item_selected_/","",$name);
632 $ids[$id] = $id;
633 }
634 }
635 return($ids);
636 }
639 function remove_lock()
640 {
641 /* Remove acl lock if a DN is marked as "currently edited" */
642 if (isset($this->acltabs->dn)){
643 del_lock ($this->acltabs->dn);
644 }
645 del_lock ($this->dn);
646 del_lock ($this->dns);
647 }
650 function save_object()
651 {
652 /* Handle divlist filter && department selection*/
653 if(!is_object($this->acltabs)){
654 $this->DivListACL->save_object();
655 }
656 if(is_object($this->CopyPasteHandler)){
657 $this->CopyPasteHandler->save_object();
658 }
659 }
661 /* A set of disabled and therefore overloaded functions. They are
662 not needed in this class. */
663 function remove_from_parent() { }
664 function check() { }
666 function save() {
667 echo "SAVE ACL";
668 }
670 function adapt_from_template($dn, $skip= array()) { }
671 function password_change_needed() { }
674 /* Return departments, that will be included within snapshot detection */
675 function get_used_snapshot_bases()
676 {
677 return(array());
678 }
680 }
681 // vim:tabstop=2:expandtab:shiftwidth=2:filetype=php:syntax:ruler:
682 ?>