![[tokkee]](http://tokkee.org/images/avatar.png){kind=avatar}
1 <?php
2 /*
3 This code is part of GOsa (https://gosa.gonicus.de)
4 Copyright (C) 2003-2006 - Cajus Pollmeier <pollmeier@gonicus.de>
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19 */
21 require_once("tabs_acl_role.inc");
22 require_once("tabs_acl.inc");
24 class aclManagement extends plugin
25 {
26 /* Plugin definitions */
27 var $plHeadline = "ACLs";
28 var $plDescription = "This does something";
30 /* Dialog attributes */
31 var $acltabs = NULL;
32 var $ui = NULL;
33 var $acl = "";
34 var $DivListACL = NULL;
36 var $CopyPasteHandler;
37 var $start_pasting_copied_objects = FALSE;
39 function aclManagement($config, $ui)
40 {
41 /* Save configuration for internal use */
42 $this->config = $config;
43 $this->ui = $ui;
45 /* Copy & Paste enabled ?*/
46 if((isset($this->config->data['MAIN']['ENABLECOPYPASTE']))&&(preg_match("/true/i",$this->config->data['MAIN']['ENABLECOPYPASTE']))){
47 $this->CopyPasteHandler = new CopyPasteHandler($this->config);
48 }
50 /* Creat dialog object */
51 $this->DivListACL = new divListACL($this->config,$this);
52 }
55 function execute()
56 {
57 /* Call parent execute */
58 plugin::execute();
60 $_SESSION['LOCK_VARS_TO_USE'] = array("/^list/","/^id_/","/^list_acl_role_del/","/^list_acl_del/");
62 $smarty = get_smarty(); // Smarty instance
63 $s_action = ""; // Contains the action to be taken
64 $s_entry = ""; // The value for s_action
66 /* Edit entry button pressed? */
67 if( isset($_GET['act']) && $_GET['act'] == "list_edit_entry" ){
68 $s_action= "edit";
69 $s_entry= validate($_GET['id']);
70 }
72 /* Edit entry button pressed? */
73 if( isset($_GET['act']) && $_GET['act'] == "list_edit_role" ){
74 $s_action= "edit_role";
75 $s_entry= validate($_GET['id']);
76 }
78 $types = array(
79 "del" =>"^list_acl_del",
80 "edit" =>"^list_acl_edit",
81 "del_role" =>"^list_acl_role_del",
82 "edit_role" =>"^list_acl_role_edit",
83 "copy" =>"^copy",
84 "cut" =>"^cut",
85 "copy_multiple"=> "^multiple_copy_objects",
86 "cut_multiple" => "^multiple_cut_objects",
87 "editPaste" =>"^editPaste",
88 "addrole" =>"^new_acl_role");
90 /* Test relevant POST values */
91 foreach($_POST as $key => $val){
93 /* Get every possible POST combination and set s_action/s_entry accordingly */
94 foreach($types as $act => $name){
96 if (preg_match("/".$name.".*/", $key)){
97 $s_action= $act;
98 $s_entry= preg_replace("/".$name."_/i", "", $key);
99 }
100 }
101 }
103 /* Remove coordinate prefix from POST, required by some browsers */
104 $s_entry= preg_replace("/_.$/", "", $s_entry);
106 /* Seperate possibly encoded tab and entry, default to tab "acl" */
107 if(preg_match("/.*-.*/", $s_entry)){
108 $s_tab= preg_replace("/^[^-]*-/i", "" ,$s_entry);
109 $s_entry= preg_replace("/-[^-]*$/i", "", $s_entry);
110 }else{
111 $s_tab= "generic";
112 }
115 /********************
116 Copy & Paste Handling ...
117 ********************/
119 /* Display the copy & paste dialog, if it is currently open */
120 $ret = $this->copyPasteHandling_from_queue($s_action,$s_entry);
121 if($ret){
122 return($ret);
123 }
126 /********************
127 * Add new Role entry
128 ********************/
130 if(($s_action == "addrole") && (!isset($this->acltabs->config))){
132 /* Get 'dn' from posted acl, must be unique */
133 $this->dn= "new";
135 /* Check permissions */
136 if(preg_match("/c/",$this->ui->get_permissions($this->DivListACL->selectedBase,"acl/acl"))){
138 /* Register acltabs to trigger edit dialog */
139 $this->acltabs= new aclroletab($this->config, NULL,$this->dn);
140 $this->acltabs->set_acl_base($this->DivListACL->selectedBase);
141 }else{
142 print_red(_("You are not allowed to create a new role."));
143 }
144 }
146 /********************
147 Edit existing entry
148 ********************/
150 if (($s_action=="edit" || $s_action=="edit_role") && (!isset($this->acltabs->config))){
152 /* Get 'dn' from posted acl, must be unique */
153 $this->dn= $this->list[trim($s_entry)]['dn'];
155 /* Check permissions */
156 if(preg_match("/r/",$this->ui->get_permissions($this->dn,"acl/acl"))){
158 /* Check locking, save current plugin in 'back_plugin', so
159 the dialog knows where to return. */
160 if (($acl= get_lock($this->dn)) != ""){
161 return(gen_locked_message ($acl, $this->dn));
162 }
164 /* Lock the current entry, so everyone will get the above dialog */
165 add_lock ($this->dn, $this->ui->dn);
167 /* Register acltabs to trigger edit dialog */
168 if($s_action=="edit_role"){
169 $this->acltabs= new aclroletab($this->config, NULL,$this->dn);
170 $this->acltabs-> set_acl_base($this->dn);
171 }else{
172 $this->acltabs= new acltab($this->config, NULL,$this->dn);
173 $this->acltabs-> set_acl_base($this->dn);
174 }
176 /* Set ACL and move DN to the headline */
177 $_SESSION['objectinfo']= $this->dn;
178 }else{
179 print_red(_("You are not allowed to edit this acl."));
180 }
181 }
184 /********************
185 Edit canceled
186 ********************/
187 if(isset($_POST['delete_lock'])){
188 del_lock ($this->dn);
189 unset($_SESSION['objectinfo']);
190 }
192 /* Reset all relevant data, if we get a _cancel request */
193 if (isset($_POST['edit_cancel'])){
194 if (isset($this->acltabs)){
195 del_lock ($this->dn);
196 unset ($this->acltabs);
197 }
198 $this->acltabs= NULL;
199 unset ($_SESSION['objectinfo']);
200 }
203 /********************
204 Delete entry requested, display confirm dialog
205 ********************/
207 /* Remove acl was requested */
208 if ($s_action=="del_role"){
210 /* Get 'dn' from posted acl */
211 $this->dn= $this->list[trim($s_entry)]['dn'];
213 /* Check permissions */
214 if(preg_match("/d/",$this->ui->get_permissions($this->dn,"aclroles/aclrole"))){
216 /* Check locking, save current plugin in 'back_plugin', so
217 the dialog knows where to return. */
218 if (($acl= get_lock($this->dn)) != ""){
219 return(gen_locked_message ($acl, $this->dn));
220 }
222 /* Lock the current entry, so nobody will edit it during deletion */
223 add_lock ($this->dn, $this->ui->dn);
224 $smarty->assign("info", sprintf(_("You're about to delete the acl %s."), @LDAP::fix($this->dn)));
225 $smarty->assign("is_role",true);
227 return($smarty->fetch(get_template_path('remove.tpl', TRUE)));
228 } else {
230 /* Obviously the acl isn't allowed to delete. Show message and
231 clean session. */
232 print_red (_("You are not allowed to delete this acl!"));
233 }
234 }
237 /********************
238 Delete entry confirmed
239 ********************/
241 /* Confirmation for deletion has been passed. Acl should be deleted. */
242 if (isset($_POST['delete_acl_role_confirmed'])){
244 /* Check permissions */
245 if(preg_match("/d/",$this->ui->get_permissions($this->dn,"aclroles/aclrole"))){
247 /* Delete request is permitted, perform LDAP action */
248 $this->acltabs= new aclroletab($this->config, NULL,$this->dn);
249 $this->acltabs->delete();
250 unset ($this->acltabs);
251 $this->acltabs= NULL;
252 } else {
254 /* Normally this shouldn't be reached, send some extra
255 logs to notify the administrator */
256 print_red (_("You are not allowed to delete this acl role!"));
258 if(isset($this->ui->uid)){
259 new log("security","aclroles/".get_class($this),$this->dn,array(),"Warning: '".$this->ui->uid."' tried to trick acl role deletion.");
260 }
261 }
263 /* Remove lock file after successfull deletion */
264 del_lock ($this->dn);
265 }
267 /********************
268 Delete entry requested, display confirm dialog
269 ********************/
271 /* Remove acl was requested */
272 if ($s_action=="del"){
274 /* Get 'dn' from posted acl */
275 $this->dn= $this->list[trim($s_entry)]['dn'];
277 /* Check permissions */
278 if(preg_match("/d/",$this->ui->get_permissions($this->dn,"acl/acl"))){
279 /* Check locking, save current plugin in 'back_plugin', so
280 the dialog knows where to return. */
281 if (($acl= get_lock($this->dn)) != ""){
282 $_SESSION['LOCK_VARS_TO_USE'] = array("/^list_acl_edit/","/^list_acl_del/","/^id_/");
283 return(gen_locked_message ($acl, $this->dn));
284 }
286 /* Lock the current entry, so nobody will edit it during deletion */
287 add_lock ($this->dn, $this->ui->dn);
288 $smarty->assign("info", sprintf(_("You're about to delete the acl %s."), @LDAP::fix($this->dn)));
289 $smarty->assign("is_role",false);
290 return($smarty->fetch(get_template_path('remove.tpl', TRUE)));
291 } else {
293 /* Obviously the acl isn't allowed to delete. Show message and
294 clean session. */
295 print_red (_("You are not allowed to delete this acl!"));
296 }
297 }
300 /********************
301 Delete entry confirmed
302 ********************/
304 /* Confirmation for deletion has been passed. Acl should be deleted. */
305 if (isset($_POST['delete_acl_confirm'])){
307 /* Check permissions */
308 if(preg_match("/d/",$this->ui->get_permissions($this->dn,"acl/acl"))){
310 /* Delete request is permitted, perform LDAP action */
311 $this->acltabs= new acl($this->config, NULL,$this->dn);
312 $this->acltabs->remove_from_parent();
313 unset ($this->acltabs);
314 $this->acltabs= NULL;
315 } else {
317 /* Normally this shouldn't be reached, send some extra
318 logs to notify the administrator */
319 print_red (_("You are not allowed to delete this acl!"));
321 if(isset($this->ui->uid)){
322 new log("security","aclroles/".get_class($this),$this->dn,array(),"Warning: '".$this->ui->uid."' tried to trick acl role deletion.");
324 }
325 }
327 /* Remove lock file after successfull deletion */
328 del_lock ($this->dn);
329 }
332 /********************
333 Delete entry Canceled
334 ********************/
336 /* Delete acl canceled? */
337 if (isset($_POST['delete_cancel'])){
338 del_lock ($this->dn);
339 }
342 /********************
343 Edit entry finished (Save)
344 ********************/
346 /* Finish acl edit is triggered by the tabulator dialog, so
347 the acl wants to save edited data. Check and save at this
348 point. */
349 if ((isset($_POST['edit_finish']) || isset($_POST['edit_apply'])) && (isset($this->acltabs->config))){
351 /* Check tabs, will feed message array */
352 $this->acltabs->save_object();
353 $message= $this->acltabs->check();
355 /* Save, or display error message? */
356 if (count($message) == 0){
358 /* Save acl data to ldap */
359 if($this->acltabs->save() == 1){
360 return;
361 }
363 if (!isset($_POST['edit_apply'])){
365 /* ACl has been saved successfully, remove lock from LDAP. */
366 if ($this->dn != "new"){
367 del_lock ($this->dn);
368 }
370 unset ($this->acltabs);
371 $this->acltabs= NULL;
372 unset ($_SESSION['objectinfo']);
373 }
374 } else {
375 /* Ok. There seem to be errors regarding to the tab data,
376 show message and continue as usual. */
377 show_errors($message);
378 }
379 }
382 /********************
383 Display subdialog
384 ********************/
387 /* Show tab dialog if object is present */
388 if(isset($this->acltabs->config)){
390 /* Save object */
391 $this->acltabs->save_object();
392 $display= $this->acltabs->execute();
394 /* Don't show buttons if tab dialog requests this */
395 if(isset($this->acltabs)){
397 /* Skip displaying save/cancel if there is a sub dialog open */
398 if (!isset($this->acltabs->dialog) || !$this->acltabs->dialog){
399 $display.= "<p style=\"text-align:right\">\n";
400 // $display.= "<input type=submit name=\"edit_finish\" style=\"width:80px\" value=\""._("Ok")."\">\n";
401 $display.= " \n";
403 /* Skip Apply if it is a new entry */
404 #if ($this->dn != "new"){
405 # $display.= "<input type=submit name=\"edit_apply\" value=\""._("Apply")."\">\n";
406 # $display.= " \n";
407 #}
409 // $display.= "<input type=submit name=\"edit_cancel\" value=\""._("Cancel")."\">\n";
410 $display.= "</p>";
411 }
412 }
413 return ($display);
414 }
416 /* Check if there is a snapshot dialog open */
417 $base = $this->DivListACL->selectedBase;
418 if($str = $this->showSnapshotDialog($base,$this->get_used_snapshot_bases())){
419 return($str);
420 }
422 /* Return rendered main page */
423 /* Display dialog with system list */
424 $this->DivListACL->parent = $this;
425 $this->DivListACL->execute();
427 /* Add departments if subsearch is disabled */
428 if(!$this->DivListACL->SubSearch){
429 $this->DivListACL->AddDepartments($this->DivListACL->selectedBase,3,1);
430 }
431 $this->reload();
432 $this->DivListACL->setEntries($this->list);
433 return($this->DivListACL->Draw());
434 }
437 function reload()
438 {
439 /* Get divlist informations from filter part */
440 $Regex = $this->DivListACL -> Regex;
441 $SubSearch = $this->DivListACL -> SubSearch;
442 $base = $this->DivListACL -> selectedBase;
443 $Attrs = array("ou","cn","description","gosaAclEntry","objectClass");
444 $res = array();
445 $tmp = array(); // Will contain temporary results
446 $ldap = $this->config->get_ldap_link();
447 $Filter = "(&(objectClass=gosaACL)(gosaAclEntry=*)(|(cn=".$Regex.")(ou=".$Regex.")))";
448 $FilterRoles= "(&(objectClass=gosaRole)(|(cn=".$Regex.")(ou=".$Regex.")))";
450 /* Fetch following structures, this will be used if !$SubSearch */
451 $fetch_this = array(
452 "ME" => array("TYPE" => "cat" , "FLAGS" => GL_SIZELIMIT ,"BASE"=>""),
453 "SYSTEMS" => array("TYPE" => "search" , "FLAGS" => GL_SIZELIMIT | GL_SUBSEARCH ,"BASE"=>"ou=systems,"),
454 "APPS" => array("TYPE" => "search" , "FLAGS" => GL_SIZELIMIT | GL_SUBSEARCH ,"BASE"=>"ou=apps,"),
455 "PEOPLE" => array("TYPE" => "search" , "FLAGS" => GL_SIZELIMIT | GL_SUBSEARCH ,"BASE"=>get_people_ou()),
456 "GROUPS" => array("TYPE" => "search" , "FLAGS" => GL_SIZELIMIT | GL_SUBSEARCH ,"BASE"=>get_groups_ou()));
458 /* Subsearch ? */
459 if($SubSearch){
461 /* Get all object in this base */
462 $Flags = GL_SIZELIMIT | GL_SUBSEARCH;
463 $fetch_base = $base;
464 $tmp = get_list($Filter, "acl", $fetch_base, $Attrs, $Flags);
465 $tmp2 = get_list($FilterRoles, "acl", $fetch_base, $Attrs, $Flags);
466 foreach($tmp as $entry){
467 $res[] = $entry;
468 }
469 foreach($tmp2 as $entry){
470 $res[] = $entry;
471 }
473 }else{
475 $tmp_roles = get_list($FilterRoles, "acl", "ou=aclroles,".$base, $Attrs,GL_SIZELIMIT);
477 foreach($tmp_roles as $entry){
478 $res[] = $entry;
479 }
481 /* Walk through all possible bases */
482 foreach($fetch_this as $type => $data){
484 /* Get requried attributes */
485 $Flags = $data['FLAGS'];
486 $fetch_base = $data['BASE'].$base;
487 $Type = $data['TYPE'];
489 /* Check if method is cat or search */
490 if($Type == "search"){
491 $tmp = get_list($Filter, "acl", $fetch_base, $Attrs, $Flags);
492 foreach($tmp as $entry){
493 $res[] = $entry;
494 }
495 }else{
496 $ldap->cat($fetch_base,$Attrs);
497 $attrs = $ldap->fetch();
498 if($attrs && isset($attrs['gosaAclEntry'])){
499 $re2 = preg_replace("/\*/",".*",$Regex);
501 if(!isset($attrs['ou']) && !isset($attrs['cn'])){
502 $namingAttr= preg_replace("/^[^=]*+=([^,]*),.*$/","\\1",$fetch_base);
503 if(preg_match("/".$re2."/i",$namingAttr)){
504 $res[] = $attrs;
505 }
506 }elseif( (isset($attrs['cn'][0]) && preg_match("/".$re2."/i",$attrs['cn'][0]))
507 ||(isset($attrs['ou'][0]) && preg_match("/".$re2."/i",$attrs['ou'][0]))){
508 $res[] = $attrs;
509 }
510 }
511 }
512 }
513 }
514 $this->list = $res;
515 }
518 function copyPasteHandling_from_queue($s_action,$s_entry)
519 {
520 /* Check if Copy & Paste is disabled */
521 if(!is_object($this->CopyPasteHandler)){
522 return("");
523 }
525 /* Add a single entry to queue */
526 if($s_action == "cut" || $s_action == "copy"){
528 /* Cleanup object queue */
529 $this->CopyPasteHandler->cleanup_queue();
530 $dn = $this->list[$s_entry]['dn'];
532 if(isset($this->list[$s_entry]['objectClass']) && in_array("gosaRole",$this->list[$s_entry]['objectClass'])){
533 $this->CopyPasteHandler->add_to_queue($dn,$s_action,"aclroletab","ACLROLETAB","aclroles");
534 }
535 }
537 /* Add entries to queue */
538 if($s_action == "copy_multiple" || $s_action == "cut_multiple"){
540 /* Cleanup object queue */
541 $this->CopyPasteHandler->cleanup_queue();
543 /* Add new entries to CP queue */
544 foreach($this->list_get_selected_items() as $id){
545 $dn = $this->list[$id]['dn'];
547 if(isset($this->list[$id]['objectClass']) && in_array("gosaRole",$this->list[$id]['objectClass'])){
549 if($s_action == "copy_multiple"){
550 $this->CopyPasteHandler->add_to_queue($dn,"copy","aclroletab","ACLROLETAB","aclroles");
551 }
552 if($s_action == "cut_multiple"){
553 $this->CopyPasteHandler->add_to_queue($dn,"cut","aclroletab","ACLROLETAB","aclroles");
554 }
555 }
556 }
557 }
559 /* Start pasting entries */
560 if($s_action == "editPaste"){
561 $this->start_pasting_copied_objects = TRUE;
562 }
563 /* Return C&P dialog */
564 if($this->start_pasting_copied_objects && $this->CopyPasteHandler->entries_queued()){
566 /* Load entry from queue and set base */
567 $this->CopyPasteHandler->load_entry_from_queue();
568 $this->CopyPasteHandler->SetVar("base",$this->DivListACL->selectedBase);
570 /* Get dialog */
571 $data = $this->CopyPasteHandler->execute();
573 /* Return dialog data */
574 if(!empty($data)){
575 return($data);
576 }
577 }
579 /* Automatically disable status for pasting */
580 if(!$this->CopyPasteHandler->entries_queued()){
581 $this->start_pasting_copied_objects = FALSE;
582 }
583 return("");
584 }
587 function list_get_selected_items()
588 {
589 $ids = array();
590 foreach($_POST as $name => $value){
591 if(preg_match("/^item_selected_[0-9]*$/",$name)){
592 $id = preg_replace("/^item_selected_/","",$name);
593 $ids[$id] = $id;
594 }
595 }
596 return($ids);
597 }
600 function remove_lock()
601 {
602 /* Remove acl lock if a DN is marked as "currently edited" */
603 if (isset($this->acltabs->dn)){
604 del_lock ($this->acltabs->dn);
605 }
606 }
609 function save_object()
610 {
611 /* Handle divlist filter && department selection*/
612 if(!is_object($this->acltabs)){
613 $this->DivListACL->save_object();
614 }
615 }
617 /* A set of disabled and therefore overloaded functions. They are
618 not needed in this class. */
619 function remove_from_parent() { }
620 function check() { }
622 function save() {
623 echo "SAVE ACL";
624 }
626 function adapt_from_template($dn) { }
627 function password_change_needed() { }
630 /* Return departments, that will be included within snapshot detection */
631 function get_used_snapshot_bases()
632 {
633 return(array());
634 }
636 }
637 // vim:tabstop=2:expandtab:shiftwidth=2:filetype=php:syntax:ruler:
638 ?>