index 3e18c076950cc0fd0c4a6fb101ed61ce09859008..9ce014935a932ba0eaad49a9ef035ed63deab054 100644 (file)
function get_category_permissions($dn, $category)
{
+ /* If we are forced to skip ACLs checks for the current user
+ then return all permissions.
+ */
+ if($this->ignore_acl_for_current_user()){
+ return("rwcdm");
+ }
+
/* Get list of objectClasses and get the permissions for it */
$acl= "";
if (isset($this->ocMapping[$category])){
foreach($this->ocMapping[$category] as $oc){
$acl.= $this->get_permissions($dn, $category."/".$oc);
}
+ }else{
+ trigger_error("ACL request for an invalid category (".$category.").");
}
return ($acl);
}
+
+ /*! \brief Check if the given object (dn) is copyable
+ @param String The object dn
+ @param String The acl category (e.g. users)
+ @param String The acl class (e.g. user)
+ @return Boolean TRUE if the given object is copyable else FALSE
+ */
+ function is_copyable($dn, $object, $class)
+ {
+ return(preg_match("/r/",$this->has_complete_category_acls($dn, $object)));
+ }
+
+
+ /*! \brief Check if the given object (dn) is cutable
+ @param String The object dn
+ @param String The acl category (e.g. users)
+ @param String The acl class (e.g. user)
+ @return Boolean TRUE if the given object is cutable else FALSE
+ */
+ function is_cutable($dn, $object, $class)
+ {
+ $remove = preg_match("/d/",$this->get_permissions($dn,$object."/".$class));
+ $read = preg_match("/r/",$this->has_complete_category_acls($dn, $object));
+ return($remove && $read);
+ }
+
+
+ /*! \brief Checks if we are allowed to paste an object to the given destination ($dn)
+ @param String The destination dn
+ @param String The acl category (e.g. users)
+ @param String The acl class (e.g. user)
+ @return Boolean TRUE if we are allowed to paste an object.
+ */
+ function is_pasteable($dn, $object)
+ {
+ return(preg_match("/w/",$this->has_complete_category_acls($dn, $object)));
+ }
+
+
+ /*! \brief Checks if we are allowed to restore a snapshot for the given dn.
+ @param String The destination dn
+ @param String The acl category (e.g. users)
+ @return Boolean TRUE if we are allowed to restore a snapshot.
+ */
+ function allow_snapshot_restore($dn, $object)
+ {
+ if(!is_array($object)){
+ $object = array($object);
+ }
+ $r = $w = $c = TRUE;
+ foreach($object as $category){
+ $w &= preg_match("/w/",$this->has_complete_category_acls($dn, $category));
+ $c &= preg_match("/c/",$this->has_complete_category_acls($dn, $category));
+ $r &= preg_match("/r/",$this->has_complete_category_acls($dn, $category));
+# print_a(array($category => array($r.$w.$c)));
+ }
+ return($r && $w );
+ }
+
+
+ /*! \brief Checks if we are allowed to create a snapshot of the given dn.
+ @param String The source dn
+ @param String The acl category (e.g. users)
+ @return Boolean TRUE if we are allowed to restore a snapshot.
+ */
+ function allow_snapshot_create($dn, $object)
+ {
+ if(!is_array($object)){
+ $object = array($object);
+ }
+ $r = $w = $c = TRUE;
+ foreach($object as $category){
+ $w &= preg_match("/w/",$this->has_complete_category_acls($dn, $category));
+ $c &= preg_match("/c/",$this->has_complete_category_acls($dn, $category));
+ $r &= preg_match("/r/",$this->has_complete_category_acls($dn, $category));
+# print_a(array($category => array($r.$w.$c)));
+ }
+ return($r) ;
+ }
+
function get_permissions($dn, $object, $attribute= "", $skip_write= FALSE)
{
+ /* If we are forced to skip ACLs checks for the current user
+ then return all permissions.
+ */
+ if($this->ignore_acl_for_current_user()){
+ return("rwcdm");
+ }
+
/* Push cache answer? */
$ACL_CACHE = &session::get('ACL_CACHE');
if (isset($ACL_CACHE["$dn+$object+$attribute"])){
return($ret);
}
+ /* Get ldap object, for later filter checks
+ */
+ $ldap = $this->config->get_ldap_link();
+
$acl= array("r" => "", "w" => "", "c" => "", "d" => "", "m" => "", "a" => "");
/* Build dn array */
continue;
}
+ /* With user filter */
+ if (isset($subacl['filter']) && !empty($subacl['filter'])){
+ $sdn = preg_replace("/^[^,]*+,/","",$dn);
+ $ldap->cd($sdn);
+ $ldap->ls($subacl['filter'],$sdn);
+ if(!$ldap->count()){
+ continue;
+ }else{
+ $found = FALSE;
+ while($attrs = $ldap->fetch()){
+ if($attrs['dn'] == $dn){
+ $found = TRUE;
+ break;
+ }
+ }
+ if(!$found){
+ continue;
+ }
+ }
+ }
+
/* Per attribute ACL? */
if (isset($subacl['acl'][$object][$attribute])){
$acl= $this->mergeACL($acl, $subacl['type'], $subacl['acl'][$object][$attribute]);
/* Assemble string */
$ret= "";
foreach ($acl as $key => $value){
- if ($value != ""){
+ if ($value !== ""){
$ret.= $key;
}
}
accessible department) */
function get_module_departments($module)
{
+
+ /* If we are forced to skip ACLs checks for the current user
+ then return all departments as valid.
+ */
+ if($this->ignore_acl_for_current_user()){
+ return(array_keys($this->config->idepartments));
+ }
+
/* Use cached results if possilbe */
$ACL_CACHE = session::get('ACL_CACHE');
if(isset($ACL_CACHE['MODULE_DEPARTMENTS'][serialize($module)])){
}
return($acl);
}
+
+
+ /*! \brief Returns TRUE if the current user is configured in IGNORE_ACL=".." in your gosa.conf
+ @param Return Boolean TRUE if we have to skip ACL checks else FALSE.
+ */
+ function ignore_acl_for_current_user()
+ {
+ return(isset($this->config->current['IGNORE_ACL']) && $this->config->current['IGNORE_ACL'] == $this->dn);
+ }
+
}
// vim:tabstop=2:expandtab:shiftwidth=2:filetype=php:syntax:ruler: