
Prepared class_acl.inc to use ACL checks.
[gosa.git] / gosa-core / include / class_userinfo.inc
index 992b15308ce5df451e560b678ad886ba307cade5..5413cd00ab4c5784a61f26274dee4a6653fa83aa 100644 (file)
@@ -178,12 +178,21 @@ class userinfo
 
   function get_category_permissions($dn, $category)
   {
+    /* If we are forced to skip ACLs checks for the current user 
+        then return all permissions.
+     */
+    if($this->ignore_acl_for_current_user()){
+      return("rwcdm");
+    }
+
     /* Get list of objectClasses and get the permissions for it */
     $acl= "";
     if (isset($this->ocMapping[$category])){
       foreach($this->ocMapping[$category] as $oc){
         $acl.= $this->get_permissions($dn, $category."/".$oc);
       }
+    }else{
+      trigger_error("ACL request for an invalid category (".$category.").");
     }
 
     return ($acl);
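Review bot: The full-permission literal `"rwcdm"` returned by the new bypass on line 14 is repeated verbatim in the `get_permissions` bypass below, so a later change to the permission alphabet (the assembled array elsewhere in this class also carries an `"a"` key) has to be made in several places and can silently diverge. Consider defining it once, e.g. `const ALL_PERMISSIONS = "rwcdm";` in the class and returning `self::ALL_PERMISSIONS` from each bypass, assuming the project's PHP baseline allows class constants. A short comment on that constant saying which flags it deliberately includes (and whether `"a"` is intentionally excluded) would make the bypass's intent auditable.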
@@ -192,6 +201,13 @@ class userinfo
 
   function get_permissions($dn, $object, $attribute= "", $skip_write= FALSE)
   {
+    /* If we are forced to skip ACLs checks for the current user 
+        then return all permissions.
+     */
+    if($this->ignore_acl_for_current_user()){
+      return("rwcdm");
+    }
+
     /* Push cache answer? */
     $ACL_CACHE = &session::get('ACL_CACHE');
     if (isset($ACL_CACHE["$dn+$object+$attribute"])){
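Review bot: The bypass on lines 35-37 returns `"rwcdm"` unconditionally and so ignores the `$skip_write` parameter; if the rest of this function (which continues outside the hunk) strips `"w"` when `$skip_write` is TRUE, callers that rely on that get write granted for the bypass user. If that is the contract, `return($skip_write ? "rcdm" : "rwcdm");` keeps the bypass consistent with the normal path. It is also worth a comment that the bypass is evaluated before the `ACL_CACHE` lookup on purpose, so the cache never holds a bypass result that would survive a config change.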
@@ -205,6 +221,10 @@ class userinfo
       return($ret);
     }
 
+    /* Get ldap object, for later filter checks 
+     */
+    $ldap = $this->config->get_ldap_link();
+
     $acl= array("r" => "", "w" => "", "c" => "", "d" => "", "m" => "", "a" => "");
 
     /* Build dn array */
@@ -239,6 +259,27 @@ class userinfo
             continue;
           }
 
+         /* With user filter */
+         if (isset($subacl['filter']) && !empty($subacl['filter'])){
+           $sdn = preg_replace("/^[^,]*+,/","",$dn);
+           $ldap->cd($sdn);
+           $ldap->ls($subacl['filter'],$sdn);
+           if(!$ldap->count()){
+             continue;
+           }else{
+             $found = FALSE; 
+             while($attrs = $ldap->fetch()){
+               if($attrs['dn'] == $dn){
+                 $found = TRUE;
+                 break;
+               }
+             }
+             if(!$found){
+               continue;
+             }
+           }
+         }
+
           /* Per attribute ACL? */
           if (isset($subacl['acl'][$object][$attribute])){
             $acl= $this->mergeACL($acl, $subacl['type'], $subacl['acl'][$object][$attribute]);
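Review bot: The parent-DN extraction on line 59, `preg_replace("/^[^,]*+,/","",$dn)`, stops at the first comma even when it is escaped, so an RDN such as `cn=Doe\, John,ou=people,...` yields the wrong search base and the filtered ACL entry is skipped for that object; a pattern that skips escaped characters, `preg_replace("/^(?:[^,\\\\]|\\\\.)*+,/", "", $dn)`, or `ldap_explode_dn()` from ext/ldap, handles that case. The DN comparison on line 67 uses loose `==`; a strict `===` is the safer default, and since LDAP DNs are case-insensitive, a normalised comparison may be needed if the directory returns them in a different case than `$dn` (fail-closed either way, but surprising). `$ldap->cd($sdn)` on line 60 mutates the link from `get_ldap_link()`; if that link is shared with callers, a comment noting the base is changed as a side effect would help. The enclosing loop and function start and end outside this hunk.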
@@ -272,7 +313,7 @@ class userinfo
     /* Assemble string */
     $ret= "";
     foreach ($acl as $key => $value){
-      if ($value != ""){
+      if ($value !== ""){
         $ret.= $key;
       }
     }
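Review bot: Tightening line 86 to `!==` widens what counts as a granted permission: any non-string or falsy value that is not exactly `""` (NULL, 0, FALSE) now appends its key to the result, whereas the loose `!=` treated those as empty. Whether `mergeACL` can ever store such a value is outside the hunk, but since the outcome is a granted flag, a comment such as `/* only the exact empty string means "not granted"; mergeACL must never store NULL/0 here */` would document the assumption. The assembly loop's function starts outside this hunk.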
@@ -291,6 +332,14 @@ class userinfo
      accessible department) */
   function get_module_departments($module)
   {
+    
+    /* If we are forced to skip ACLs checks for the current user 
+        then return all departments as valid.
+     */
+    if($this->ignore_acl_for_current_user()){
+      return(array_keys($this->config->idepartments));
+    }
+
     /* Use cached results if possilbe */
     $ACL_CACHE = session::get('ACL_CACHE');
     if(isset($ACL_CACHE['MODULE_DEPARTMENTS'][serialize($module)])){
@@ -503,6 +552,16 @@ class userinfo
     }
     return($acl);
   }
+
+  /*! \brief  Returns TRUE if the current user is configured in IGNORE_ACL=".." in your gosa.conf 
+      @param  Return Boolean TRUE if we have to skip ACL checks else FALSE.
+   */ 
+  function ignore_acl_for_current_user()
+  {
+    return(isset($this->config->current['IGNORE_ACL']) && $this->config->current['IGNORE_ACL'] == $this->dn);
+  }
+
 }
 
 // vim:tabstop=2:expandtab:shiftwidth=2:filetype=php:syntax:ruler:
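Review bot: `ignore_acl_for_current_user` on line 115 decides a complete ACL bypass with loose `==`, so a config value that PHP coerces (an empty string when `$this->dn` is empty, or a non-string value depending on how the config is parsed) could match unintentionally; compare strictly and reject empties, e.g. `return(isset($this->config->current['IGNORE_ACL']) && $this->config->current['IGNORE_ACL'] !== "" && $this->config->current['IGNORE_ACL'] === $this->dn);`. Because this grants every permission and every department, it would also be reasonable to log once per session when it returns TRUE, though no logging helper is visible in this hunk. The docblock on line 111 is mislabelled: `@param Return Boolean ...` should read `@return Boolean TRUE if ACL checks must be skipped for the current user, FALSE otherwise.`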