![[tokkee]](http://tokkee.org/images/avatar.png){kind=avatar}
1 <?php
2 /*
3 This code is part of GOsa (https://gosa.gonicus.de)
4 Copyright (C) 2003-2006 - Cajus Pollmeier <pollmeier@gonicus.de>
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19 */
21 require_once("tabs_acl_role.inc");
22 require_once("tabs_acl.inc");
24 class aclManagement extends plugin
25 {
26 /* Plugin definitions */
27 var $plHeadline = "ACLs";
28 var $plDescription = "This does something";
30 /* Dialog attributes */
31 var $acltabs = NULL;
32 var $ui = NULL;
33 var $acl = "";
34 var $DivListACL = NULL;
36 var $CopyPasteHandler;
38 function aclManagement($config, $ui)
39 {
40 /* Save configuration for internal use */
41 $this->config = $config;
42 $this->ui = $ui;
44 /* Copy & Paste enabled ?*/
45 if((isset($this->config->data['MAIN']['ENABLECOPYPASTE']))&&(preg_match("/true/i",$this->config->data['MAIN']['ENABLECOPYPASTE']))){
46 $this->CopyPasteHandler = new CopyPasteHandler($this->config);
47 }
49 /* Creat dialog object */
50 $this->DivListACL = new divListACL($this->config,$this);
51 }
54 function execute()
55 {
56 /* Call parent execute */
57 plugin::execute();
59 $_SESSION['LOCK_VARS_TO_USE'] = array("/^list/","/^id_/","/^list_acl_role_del/","/^list_acl_del/");
61 $smarty = get_smarty(); // Smarty instance
62 $s_action = ""; // Contains the action to be taken
63 $s_entry = ""; // The value for s_action
65 /* Edit entry button pressed? */
66 if( isset($_GET['act']) && $_GET['act'] == "list_edit_entry" ){
67 $s_action= "edit";
68 $s_entry= validate($_GET['id']);
69 }
71 /* Edit entry button pressed? */
72 if( isset($_GET['act']) && $_GET['act'] == "list_edit_role" ){
73 $s_action= "edit_role";
74 $s_entry= validate($_GET['id']);
75 }
77 $types = array(
78 "del" =>"^list_acl_del",
79 "edit" =>"^list_acl_edit",
80 "del_role" =>"^list_acl_role_del",
81 "edit_role" =>"^list_acl_role_edit",
82 "copy" =>"^copy",
83 "cut" =>"^cut",
84 "editPaste" =>"^editPaste",
85 "addrole" =>"^new_acl_role");
87 /* Test relevant POST values */
88 foreach($_POST as $key => $val){
90 /* Get every possible POST combination and set s_action/s_entry accordingly */
91 foreach($types as $act => $name){
93 if (preg_match("/".$name.".*/", $key)){
94 $s_action= $act;
95 $s_entry= preg_replace("/".$name."_/i", "", $key);
96 }
97 }
98 }
100 /* Remove coordinate prefix from POST, required by some browsers */
101 $s_entry= preg_replace("/_.$/", "", $s_entry);
103 /* Seperate possibly encoded tab and entry, default to tab "acl" */
104 if(preg_match("/.*-.*/", $s_entry)){
105 $s_tab= preg_replace("/^[^-]*-/i", "" ,$s_entry);
106 $s_entry= preg_replace("/-[^-]*$/i", "", $s_entry);
107 }else{
108 $s_tab= "generic";
109 }
112 /********************
113 Copy & Paste Handling ...
114 ********************/
116 /* Only perform copy&paste requests if it is enabled
117 */
118 if($this->CopyPasteHandler){
119 if($str = $this->copyPasteHandling($s_action,$s_entry)){
120 return $str;
121 }
122 }
125 /********************
126 * Add new Role entry
127 ********************/
129 if(($s_action == "addrole") && (!isset($this->acltabs->config))){
131 /* Get 'dn' from posted acl, must be unique */
132 $this->dn= "new";
134 /* Check permissions */
135 if(preg_match("/c/",$this->ui->get_permissions($this->DivListACL->selectedBase,"acl/acl"))){
137 /* Register acltabs to trigger edit dialog */
138 $this->acltabs= new aclroletab($this->config, NULL,$this->dn);
139 $this->acltabs->set_acl_base($this->DivListACL->selectedBase);
140 }else{
141 print_red(_("You are not allowed to create a new role."));
142 }
143 }
145 /********************
146 Edit existing entry
147 ********************/
149 if (($s_action=="edit" || $s_action=="edit_role") && (!isset($this->acltabs->config))){
151 /* Get 'dn' from posted acl, must be unique */
152 $this->dn= $this->list[trim($s_entry)]['dn'];
154 /* Check permissions */
155 if(preg_match("/r/",$this->ui->get_permissions($this->dn,"acl/acl"))){
157 /* Check locking, save current plugin in 'back_plugin', so
158 the dialog knows where to return. */
159 if (($acl= get_lock($this->dn)) != ""){
160 return(gen_locked_message ($acl, $this->dn));
161 }
163 /* Lock the current entry, so everyone will get the above dialog */
164 add_lock ($this->dn, $this->ui->dn);
166 /* Register acltabs to trigger edit dialog */
167 if($s_action=="edit_role"){
168 $this->acltabs= new aclroletab($this->config, NULL,$this->dn);
169 $this->acltabs-> set_acl_base($this->dn);
170 }else{
171 $this->acltabs= new acltab($this->config, NULL,$this->dn);
172 $this->acltabs-> set_acl_base($this->dn);
173 }
175 /* Set ACL and move DN to the headline */
176 $_SESSION['objectinfo']= $this->dn;
177 }else{
178 print_red(_("You are not allowed to edit this acl."));
179 }
180 }
183 /********************
184 Edit canceled
185 ********************/
186 if(isset($_POST['delete_lock'])){
187 del_lock ($this->dn);
188 unset($_SESSION['objectinfo']);
189 }
191 /* Reset all relevant data, if we get a _cancel request */
192 if (isset($_POST['edit_cancel'])){
193 if (isset($this->acltabs)){
194 del_lock ($this->dn);
195 unset ($this->acltabs);
196 }
197 $this->acltabs= NULL;
198 unset ($_SESSION['objectinfo']);
199 }
202 /********************
203 Delete entry requested, display confirm dialog
204 ********************/
206 /* Remove acl was requested */
207 if ($s_action=="del_role"){
209 /* Get 'dn' from posted acl */
210 $this->dn= $this->list[trim($s_entry)]['dn'];
212 /* Check permissions */
213 if(preg_match("/d/",$this->ui->get_permissions($this->dn,"aclroles/aclrole"))){
215 /* Check locking, save current plugin in 'back_plugin', so
216 the dialog knows where to return. */
217 if (($acl= get_lock($this->dn)) != ""){
218 return(gen_locked_message ($acl, $this->dn));
219 }
221 /* Lock the current entry, so nobody will edit it during deletion */
222 add_lock ($this->dn, $this->ui->dn);
223 $smarty->assign("info", sprintf(_("You're about to delete the acl %s."), @LDAP::fix($this->dn)));
224 $smarty->assign("is_role",true);
226 return($smarty->fetch(get_template_path('remove.tpl', TRUE)));
227 } else {
229 /* Obviously the acl isn't allowed to delete. Show message and
230 clean session. */
231 print_red (_("You are not allowed to delete this acl!"));
232 }
233 }
236 /********************
237 Delete entry confirmed
238 ********************/
240 /* Confirmation for deletion has been passed. Acl should be deleted. */
241 if (isset($_POST['delete_acl_role_confirmed'])){
243 /* Check permissions */
244 if(preg_match("/d/",$this->ui->get_permissions($this->dn,"aclroles/aclrole"))){
246 /* Delete request is permitted, perform LDAP action */
247 $this->acltabs= new aclroletab($this->config, NULL,$this->dn);
248 $this->acltabs->delete();
249 gosa_log ("ACL role object '".$this->dn."' has been removed");
250 unset ($this->acltabs);
251 $this->acltabs= NULL;
252 } else {
254 /* Normally this shouldn't be reached, send some extra
255 logs to notify the administrator */
256 print_red (_("You are not allowed to delete this acl role!"));
258 if(isset($this->ui->uid)){
259 gosa_log ("Warning: '".$this->ui->uid."' tried to trick acl role deletion.");
260 }
261 }
263 /* Remove lock file after successfull deletion */
264 del_lock ($this->dn);
265 }
267 /********************
268 Delete entry requested, display confirm dialog
269 ********************/
271 /* Remove acl was requested */
272 if ($s_action=="del"){
274 /* Get 'dn' from posted acl */
275 $this->dn= $this->list[trim($s_entry)]['dn'];
277 /* Check permissions */
278 if(preg_match("/d/",$this->ui->get_permissions($this->dn,"acl/acl"))){
279 /* Check locking, save current plugin in 'back_plugin', so
280 the dialog knows where to return. */
281 if (($acl= get_lock($this->dn)) != ""){
282 $_SESSION['LOCK_VARS_TO_USE'] = array("/^list_acl_edit/","/^list_acl_del/","/^id_/");
283 return(gen_locked_message ($acl, $this->dn));
284 }
286 /* Lock the current entry, so nobody will edit it during deletion */
287 add_lock ($this->dn, $this->ui->dn);
288 $smarty->assign("info", sprintf(_("You're about to delete the acl %s."), @LDAP::fix($this->dn)));
289 $smarty->assign("is_role",false);
290 return($smarty->fetch(get_template_path('remove.tpl', TRUE)));
291 } else {
293 /* Obviously the acl isn't allowed to delete. Show message and
294 clean session. */
295 print_red (_("You are not allowed to delete this acl!"));
296 }
297 }
300 /********************
301 Delete entry confirmed
302 ********************/
304 /* Confirmation for deletion has been passed. Acl should be deleted. */
305 if (isset($_POST['delete_acl_confirm'])){
307 /* Check permissions */
308 if(preg_match("/d/",$this->ui->get_permissions($this->dn,"acl/acl"))){
310 /* Delete request is permitted, perform LDAP action */
311 $this->acltabs= new acl($this->config, NULL,$this->dn);
312 $this->acltabs->remove_from_parent();
313 gosa_log ("ACL object '".$this->dn."' has been removed");
314 unset ($this->acltabs);
315 $this->acltabs= NULL;
316 } else {
318 /* Normally this shouldn't be reached, send some extra
319 logs to notify the administrator */
320 print_red (_("You are not allowed to delete this acl!"));
322 if(isset($this->ui->uid)){
323 gosa_log ("Warning: '".$this->ui->uid."' tried to trick acl deletion.");
324 }
325 }
327 /* Remove lock file after successfull deletion */
328 del_lock ($this->dn);
329 }
332 /********************
333 Delete entry Canceled
334 ********************/
336 /* Delete acl canceled? */
337 if (isset($_POST['delete_cancel'])){
338 del_lock ($this->dn);
339 }
342 /********************
343 Edit entry finished (Save)
344 ********************/
346 /* Finish acl edit is triggered by the tabulator dialog, so
347 the acl wants to save edited data. Check and save at this
348 point. */
349 if ((isset($_POST['edit_finish']) || isset($_POST['edit_apply'])) && (isset($this->acltabs->config))){
351 /* Check tabs, will feed message array */
352 $this->acltabs->save_object();
353 $message= $this->acltabs->check();
355 /* Save, or display error message? */
356 if (count($message) == 0){
358 /* Save acl data to ldap */
359 if($this->acltabs->save() == 1){
360 gosa_log ("ACL object '".$this->dn."' saving failed.");
361 return;
362 }
363 gosa_log ("ACL object '".$this->dn."' has been saved");
365 if (!isset($_POST['edit_apply'])){
367 /* ACl has been saved successfully, remove lock from LDAP. */
368 if ($this->dn != "new"){
369 del_lock ($this->dn);
370 }
372 unset ($this->acltabs);
373 $this->acltabs= NULL;
374 unset ($_SESSION['objectinfo']);
375 }
376 } else {
377 /* Ok. There seem to be errors regarding to the tab data,
378 show message and continue as usual. */
379 show_errors($message);
380 }
381 }
384 /********************
385 Display subdialog
386 ********************/
389 /* Show tab dialog if object is present */
390 if(isset($this->acltabs->config)){
392 /* Save object */
393 $this->acltabs->save_object();
394 $display= $this->acltabs->execute();
396 /* Don't show buttons if tab dialog requests this */
397 if(isset($this->acltabs)){
399 /* Skip displaying save/cancel if there is a sub dialog open */
400 if (!isset($this->acltabs->dialog) || !$this->acltabs->dialog){
401 $display.= "<p style=\"text-align:right\">\n";
402 // $display.= "<input type=submit name=\"edit_finish\" style=\"width:80px\" value=\""._("Ok")."\">\n";
403 $display.= " \n";
405 /* Skip Apply if it is a new entry */
406 #if ($this->dn != "new"){
407 # $display.= "<input type=submit name=\"edit_apply\" value=\""._("Apply")."\">\n";
408 # $display.= " \n";
409 #}
411 // $display.= "<input type=submit name=\"edit_cancel\" value=\""._("Cancel")."\">\n";
412 $display.= "</p>";
413 }
414 }
415 return ($display);
416 }
418 /* Check if there is a snapshot dialog open */
419 $base = $this->DivListACL->selectedBase;
420 if($str = $this->showSnapshotDialog($base,$this->get_used_snapshot_bases())){
421 return($str);
422 }
424 /* Return rendered main page */
425 /* Display dialog with system list */
426 $this->DivListACL->parent = $this;
427 $this->DivListACL->execute();
429 /* Add departments if subsearch is disabled */
430 if(!$this->DivListACL->SubSearch){
431 $this->DivListACL->AddDepartments($this->DivListACL->selectedBase,3);
432 }
433 $this->reload();
434 $this->DivListACL->setEntries($this->list);
435 return($this->DivListACL->Draw());
436 }
439 function reload()
440 {
441 /* Get divlist informations from filter part */
442 $Regex = $this->DivListACL -> Regex;
443 $SubSearch = $this->DivListACL -> SubSearch;
444 $base = $this->DivListACL -> selectedBase;
445 $Attrs = array("ou","cn","description","gosaAclEntry","objectClass");
446 $res = array();
447 $tmp = array(); // Will contain temporary results
448 $ldap = $this->config->get_ldap_link();
449 $Filter = "(&(objectClass=gosaACL)(gosaAclEntry=*)(|(cn=".$Regex.")(ou=".$Regex.")))";
450 $FilterRoles= "(&(objectClass=gosaRole)(|(cn=".$Regex.")(ou=".$Regex.")))";
452 /* Fetch following structures, this will be used if !$SubSearch */
453 $fetch_this = array(
454 "ME" => array("TYPE" => "cat" , "FLAGS" => GL_SIZELIMIT ,"BASE"=>""),
455 "SYSTEMS" => array("TYPE" => "search" , "FLAGS" => GL_SIZELIMIT | GL_SUBSEARCH ,"BASE"=>"ou=systems,"),
456 "APPS" => array("TYPE" => "search" , "FLAGS" => GL_SIZELIMIT | GL_SUBSEARCH ,"BASE"=>"ou=apps,"),
457 "PEOPLE" => array("TYPE" => "search" , "FLAGS" => GL_SIZELIMIT | GL_SUBSEARCH ,"BASE"=>get_people_ou()),
458 "GROUPS" => array("TYPE" => "search" , "FLAGS" => GL_SIZELIMIT | GL_SUBSEARCH ,"BASE"=>get_groups_ou()));
460 /* Subsearch ? */
461 if($SubSearch){
463 /* Get all object in this base */
464 $Flags = GL_SIZELIMIT | GL_SUBSEARCH;
465 $fetch_base = $base;
466 $tmp = get_list($Filter, "acl", $fetch_base, $Attrs, $Flags);
467 $tmp2 = get_list($FilterRoles, "acl", $fetch_base, $Attrs, $Flags);
468 foreach($tmp as $entry){
469 $res[] = $entry;
470 }
471 foreach($tmp2 as $entry){
472 $res[] = $entry;
473 }
475 }else{
477 $tmp_roles = get_list($FilterRoles, "acl", "ou=aclroles,".$base, $Attrs,GL_SIZELIMIT);
479 foreach($tmp_roles as $entry){
480 $res[] = $entry;
481 }
483 /* Walk through all possible bases */
484 foreach($fetch_this as $type => $data){
486 /* Get requried attributes */
487 $Flags = $data['FLAGS'];
488 $fetch_base = $data['BASE'].$base;
489 $Type = $data['TYPE'];
491 /* Check if method is cat or search */
492 if($Type == "search"){
493 $tmp = get_list($Filter, "acl", $fetch_base, $Attrs, $Flags);
494 foreach($tmp as $entry){
495 $res[] = $entry;
496 }
497 }else{
498 $ldap->cat($fetch_base,$Attrs);
499 $attrs = $ldap->fetch();
500 if($attrs && isset($attrs['gosaAclEntry'])){
501 $re2 = preg_replace("/\*/",".*",$Regex);
503 if(!isset($attrs['ou']) && !isset($attrs['cn'])){
504 $namingAttr= preg_replace("/^[^=]*+=([^,]*),.*$/","\\1",$fetch_base);
505 if(preg_match("/".$re2."/i",$namingAttr)){
506 $res[] = $attrs;
507 }
508 }elseif( (isset($attrs['cn'][0]) && preg_match("/".$re2."/i",$attrs['cn'][0]))
509 ||(isset($attrs['ou'][0]) && preg_match("/".$re2."/i",$attrs['ou'][0]))){
510 $res[] = $attrs;
511 }
512 }
513 }
514 }
515 }
516 $this->list = $res;
517 }
520 /* Perform copy & paste requests
521 If copy&paste is in progress this returns a dialog to fix required attributes
522 */
523 function copyPasteHandling($s_action,$s_entry)
524 {
525 /* Paste copied/cutted object in here
526 */
527 $ui = get_userinfo();
528 if(($s_action == "editPaste") || ($this->CopyPasteHandler->stillOpen())){
529 $this->CopyPasteHandler->save_object();
530 $this->CopyPasteHandler->SetVar("base",$this->DivListGroup->selectedBase);
531 if($str = $this->CopyPasteHandler->execute()){
532 return( $str);
533 };
534 /* Ensure that the new object is shown in the list now */
535 $this->reload();
536 }
539 /* Copy current object to CopyHandler
540 */
541 if($s_action == "copy"){
543 $dn = $this->list[trim($s_entry)]['dn'];
544 $acl_all = $ui->has_complete_category_acls($this->DivListACL->selectedBase,"acl") ;
545 if(preg_match("/(c.*w|w.*c)/",$acl_all)){
547 $this->CopyPasteHandler->Clear();
548 $obj = new acl($this->config, NULL, $dn, TRUE);
549 $obj->set_acl_base($dn);
550 $objNew = new acl($this->config, NULL,"new", TRUE);
551 $objNew->set_acl_base($dn);
553 $this->CopyPasteHandler->Copy($obj,$objNew);
554 }else{
555 print_red("You are not allowed to copy this entry.");
556 }
557 }
559 /* Copy current object to CopyHandler
560 */
561 if($s_action == "cut"){
563 $dn = $this->list[trim($s_entry)]['dn'];
564 $acl_all = $ui->has_complete_category_acls($this->DivListACL->selectedBase,"acl") ;
565 if(preg_match("/(c.*w|w.*c)/",$acl_all)){
567 $this->CopyPasteHandler->Clear();
568 $obj= new acl($this->config,NULL, $dn, TRUE);
569 $obj->set_acl_base($dn);
570 $this->CopyPasteHandler->Cut($obj);
571 }else{
572 print_red("You are not allowed to cut this entry.");
573 }
574 }
575 }
578 function remove_lock()
579 {
580 /* Remove acl lock if a DN is marked as "currently edited" */
581 if (isset($this->acltabs->dn)){
582 del_lock ($this->acltabs->dn);
583 }
584 }
587 function save_object()
588 {
589 /* Handle divlist filter && department selection*/
590 if(!is_object($this->acltabs)){
591 $this->DivListACL->save_object();
592 }
593 }
595 /* A set of disabled and therefore overloaded functions. They are
596 not needed in this class. */
597 function remove_from_parent() { }
598 function check() { }
600 function save() {
601 echo "SAVE ACL";
602 }
604 function adapt_from_template($dn) { }
605 function password_change_needed() { }
608 /* Return departments, that will be included within snapshot detection */
609 function get_used_snapshot_bases()
610 {
611 return(array());
612 }
614 }
615 // vim:tabstop=2:expandtab:shiftwidth=2:filetype=php:syntax:ruler:
616 ?>