index 957dc78f6b5fd4b69cb8f7f02ed7900908549d2a..65cdfdfd9ff0c606b93412305d910ce55f3b4350 100644 (file)
$cpath= "";
foreach ($path as $element){
$cpath= "";
foreach ($path as $element){
+ /* Clean potential ACLs for each level */
+ if(in_array($cpath,$this->config->departments)){
+ $acl= $this->cleanACL($acl);
+ }
+
if ($cpath == ""){
$cpath= $element;
} else {
$cpath= $element.','.$cpath;
}
if ($cpath == ""){
$cpath= $element;
} else {
$cpath= $element.','.$cpath;
}
- if (isset($this->ACL[$cpath])){
- /* Clean potential ACLs for each level */
- $acl= $this->cleanACL($acl);
+ if (isset($this->ACL[$cpath])){
/* Inspect this ACL, place the result into ACL */
foreach ($this->ACL[$cpath] as $subacl){
/* Inspect this ACL, place the result into ACL */
foreach ($this->ACL[$cpath] as $subacl){
continue;
}
continue;
}
- /* With user filter */
- if (isset($subacl['filter']) && !empty($subacl['filter'])){
- $sdn = preg_replace("/^[^,]*+,/","",$dn);
- $ldap->cd($sdn);
- $ldap->ls($subacl['filter'],$sdn);
- if(!$ldap->count()){
- continue;
- }else{
- $found = FALSE;
- while($attrs = $ldap->fetch()){
- if($attrs['dn'] == $dn){
- $found = TRUE;
- break;
- }
- }
- if(!$found){
- continue;
- }
- }
- }
+ /* With user filter */
+ if (isset($subacl['filter']) && !empty($subacl['filter'])){
+ $sdn = preg_replace("/^[^,]*+,/","",$dn);
+ $ldap->cd($sdn);
+ $ldap->ls($subacl['filter'],$sdn);
+ if(!$ldap->count()){
+ continue;
+ }else{
+ $found = FALSE;
+ while($attrs = $ldap->fetch()){
+ if($attrs['dn'] == $dn){
+ $found = TRUE;
+ break;
+ }
+ }
+ if(!$found){
+ continue;
+ }
+ }
+ }
+
+ /* Self ACLs?
+ */
+ if(isset($subacl['acl'][$object][0]) && preg_match("/s/",$subacl['acl'][$object][0]) && $dn != $this->dn){
+ continue;
+ }
+
+ /* If attribute is "", we want to know, if we've *any* permissions here...
+ Merge global class ACLs [0] with attributes specific ACLs [attribute].
+ */
+ if ($attribute == "" && isset($subacl['acl'][$object])){
+ foreach($subacl['acl'][$object] as $attr => $dummy){
+ $acl= $this->mergeACL($acl, $subacl['type'], $subacl['acl'][$object][$attr]);
+ }
+ continue;
+ }
/* Per attribute ACL? */
if (isset($subacl['acl'][$object][$attribute])){
/* Per attribute ACL? */
if (isset($subacl['acl'][$object][$attribute])){
$acl= $this->mergeACL($acl, $subacl['type'], $subacl['acl']['all'][0]);
continue;
}
$acl= $this->mergeACL($acl, $subacl['type'], $subacl['acl']['all'][0]);
continue;
}
-
- /* If attribute is "", we want to know, if we've *any* permissions here... */
- if ($attribute == "" && isset($subacl['acl'][$object])){
- foreach($subacl['acl'][$object] as $attr => $dummy){
- $acl= $this->mergeACL($acl, $subacl['type'], $subacl['acl'][$object][$attr]);
- }
- continue;
- }
-
}
}
}
}
}
}
+ /* If the requested ACL is for a container object, then alter
+ ACLs by applying cleanACL a last time.
+ */
+ if(in_array($dn,$this->config->departments)){
+ $acl = $this->cleanACL($acl);
+ }
+
/* Assemble string */
$ret= "";
foreach ($acl as $key => $value){
/* Assemble string */
$ret= "";
foreach ($acl as $key => $value){
/* Extract all departments that are accessible (direct or 'on the way' to an
accessible department) */
/* Extract all departments that are accessible (direct or 'on the way' to an
accessible department) */
- function get_module_departments($module)
+ function get_module_departments($module, $skip_self_acls = FALSE )
{
/* If we are forced to skip ACLs checks for the current user
{
/* If we are forced to skip ACLs checks for the current user
}
}
}
}
-
-
/* Search for per object ACLs.
*/
$this->config->get_departments();
/* Search for per object ACLs.
*/
$this->config->get_departments();
foreach($infos as $info){
$found = FALSE;
foreach($info['acl'] as $cat => $data){
foreach($infos as $info){
$found = FALSE;
foreach($info['acl'] as $cat => $data){
+
+ /* Skip self acls?
+ */
+ if($skip_self_acls && preg_match("//s",$data['0'])) continue;
+
if(is_array($module)){
foreach($module as $mod){
if(preg_match("/^".normalizePreg($mod)."/",$cat)){
if(is_array($module)){
foreach($module as $mod){
if(preg_match("/^".normalizePreg($mod)."/",$cat)){
/* For all gosaDepartments */
foreach ($this->config->departments as $dn){
/* For all gosaDepartments */
foreach ($this->config->departments as $dn){
- $acl= array("r" => "", "w" => "", "c" => "", "d" => "", "m" => "", "a" => "");
-
- /* Build dn array */
- $path= split(',', $dn);
- $path= array_reverse($path);
-
- /* Walk along the path to evaluate the acl */
- $cpath= "";
- foreach ($path as $element){
-
- /* Clean potential ACLs for each level */
- $acl= $this->cleanACL($acl);
-
- if ($cpath == ""){
- $cpath= $element;
- } else {
- $cpath= $element.','.$cpath;
- }
- if (isset($this->ACL[$cpath])){
-
- /* Inspect this ACL, place the result into ACL */
- foreach ($this->ACL[$cpath] as $subacl){
-
- /* Reset? Just clean the ACL and turn over to the next one... */
- if ($subacl['type'] == 'reset'){
- $acl= $this->cleanACL($acl, TRUE);
- continue;
- }
-
- if($subacl['type'] == 'role'){
- echo "role skipped";
- continue;
- }
-
- /* Per object ACL? */
- foreach ($objects as $object){
- if (isset($subacl['acl']["$module/$object"])){
- foreach($subacl['acl']["$module/$object"] as $attribute => $dcl){
- $acl= $this->mergeACL($acl, $subacl['type'], $subacl['acl']["$module/$object"][$attribute]);
- }
- }
- }
-
- /* Global ACL? */
- if (isset($subacl['acl']["$module/all"][0])){
- $acl= $this->mergeACL($acl, $subacl['type'], $subacl['acl']["$module/all"][0]);
- continue;
- }
-
- /* Global ACL? */
- if (isset($subacl['acl']["all"][0])){
- $acl= $this->mergeACL($acl, $subacl['type'], $subacl['acl']["all"][0]);
- continue;
- }
- }
- }
+ if(!is_array($module)){
+ $module = array($module);
}
}
-
- /* Add department, if we have (some) permissions for the required module */
- foreach ($acl as $val){
- if ($val != ""){
- $deps[]= $dn;
- break;
+ $acl = "";
+ foreach($module as $mod){
+ if(preg_match("/\//",$mod)){
+ $acl.= $this->get_permissions($dn,$mod);
+ }else{
+ $acl.= $this->get_category_permissions($dn,$mod);
}
}
}
}
+ if($acl !== "") $deps[] = $dn;
}
}
-
+
$ACL_CACHE = &session::get('ACL_CACHE');
$ACL_CACHE['MODULE_DEPARTMENTS'][serialize($module)] = $deps;
return ($deps);
$ACL_CACHE = &session::get('ACL_CACHE');
$ACL_CACHE['MODULE_DEPARTMENTS'][serialize($module)] = $deps;
return ($deps);