X-Git-Url: https://git.tokkee.org/?a=blobdiff_plain;f=include%2Fclass_userinfo.inc;h=68455e08765db4dd6345f8a8193c21a04c790bb4;hb=0adbff1190cf5933e2f48f5c9022496de7bade2e;hp=79e9526793437484a4699054ac3248f1a205e749;hpb=46d7e9f177450b6eafd745b90b3c7766c8e66aae;p=gosa.git diff --git a/include/class_userinfo.inc b/include/class_userinfo.inc index 79e952679..68455e087 100644 --- a/include/class_userinfo.inc +++ b/include/class_userinfo.inc @@ -24,17 +24,22 @@ class userinfo var $ip; var $username; var $cn; + var $uid; var $gidNumber= -1; var $language= ""; var $config; + var $gosaUnitTag= ""; var $subtreeACL= array(); + var $ACL= array(); + var $ocMapping= array(); + var $groups= array(); /* get acl's an put them into the userinfo object attr subtreeACL (userdn:components, userdn:component1#sub1#sub2,component2,...) */ function userinfo($config, $userdn){ $this->config= $config; $ldap= $this->config->get_ldap_link(); - $ldap->cat($userdn); + $ldap->cat($userdn,array('sn', 'givenName', 'uid', 'gidNumber', 'preferredLanguage', 'gosaUnitTag')); $attrs= $ldap->fetch(); if (isset($attrs['givenName'][0]) && isset($attrs['sn'][0])){ @@ -51,13 +56,20 @@ class userinfo $this->language= $attrs['preferredLanguage'][0]; } + if (isset($attrs['gosaUnitTag'][0])){ + $this->gosaUnitTag= $attrs['gosaUnitTag'][0]; + } + $this->dn= $userdn; + $this->uid= $attrs['uid'][0]; $this->ip= $_SERVER['REMOTE_ADDR']; } function loadACL() { + +#--------------------------------------------------------------------------OLD-BUT-ACTIVE----------------------------- $ldap= $this->config->get_ldap_link(); /* Load ACL's from all groups we're in */ @@ -79,6 +91,323 @@ class userinfo $this->subtreeACL[$base][]= $attrs["gosaSubtreeACL"][$i]; } } +#echo "NEW ACL LOADING --------------------------------------------------------------------------------------------
"; + + $this->ACL= array(); + $this->groups= array(); + $ldap= $this->config->get_ldap_link(); + $ldap->cd($this->config->current['BASE']); + + /* Get member groups... */ + $ldap->search("(&(objectClass=posixGroup)(memberUid=".$this->uid."))", array('dn')); + while ($attrs= $ldap->fetch()){ + $this->groups[$attrs['dn']]= $attrs['dn']; + } + + /* Crawl through ACLs and move relevant to the tree */ + $ldap->search("(objectClass=gosaACL)", array('dn', 'gosaAclEntry')); + $aclp= array(); + $aclc= array(); + while ($attrs= $ldap->fetch()){ + + /* Insert links in ACL array */ + $aclp[$attrs['dn']]= substr_count($attrs['dn'], ','); + $aclc[$attrs['dn']]= array(); + $ol= array(); + for($i= 0; $i<$attrs['gosaAclEntry']['count']; $i++){ + $ol= array_merge($ol, @acl::explodeAcl($attrs['gosaAclEntry'][$i])); + } + $aclc[$attrs['dn']]= $ol; + } + + /* ACL's read, sort for tree depth */ + asort($aclp); + + /* Sort in tree order */ + foreach ($aclp as $dn => $acl){ + /* Check if we need to keep this ACL */ + foreach($aclc[$dn] as $idx => $type){ + $interresting= FALSE; + + /* No members? This is good for all users... */ + if (!count($type['members'])){ + $interresting= TRUE; + } else { + + /* Inspect members... */ + foreach ($type['members'] as $grp => $grpdsc){ + /* Some group inside the members that is relevant for us? */ + if (in_array_ics(preg_replace('/^G:/', '', $grp), $this->groups)){ + $interresting= TRUE; + } + + /* User inside the members? */ + if (preg_replace('/^U:/', '', $grp) == $this->dn){ + $interresting= TRUE; + } + } + } + + if ($interresting){ + if (!isset($this->ACL[$dn])){ + $this->ACL[$dn]= array(); + } + $this->ACL[$dn][$idx]= $type; + } + } + + } + + } + + + function get_category_permissions($dn, $category) + { + /* Get list of objectClasses and get the permissions for it */ + $acl= ""; + if (isset($this->ocMapping[$category])){ + foreach($this->ocMapping[$category] as $oc){ + $acl.= $this->get_permissions($dn, $category."/".$oc); + } + } + + return ($acl); + } + + + function get_permissions($dn, $object, $attribute= "", $skip_write= FALSE) + { + $acl= array("r" => "", "w" => "", "c" => "", "d" => "", "m" => "", "a" => ""); + + /* Build dn array */ + $path= split(',', $dn); + $path= array_reverse($path); + + /* Walk along the path to evaluate the acl */ + $cpath= ""; + foreach ($path as $element){ + + /* Clean potential ACLs for each level */ + $acl= $this->cleanACL($acl); + + if ($cpath == ""){ + $cpath= $element; + } else { + $cpath= $element.','.$cpath; + } + if (isset($this->ACL[$cpath])){ + + /* Inspect this ACL, place the result into ACL */ + foreach ($this->ACL[$cpath] as $subacl){ + + /* Reset? Just clean the ACL and turn over to the next one... */ + if ($subacl['type'] == 'reset'){ + $acl= $this->cleanACL($acl, TRUE); + continue; + } + + /* Per attribute ACL? */ + if (isset($subacl['acl'][$object][$attribute])){ + $acl= $this->mergeACL($acl, $subacl['type'], $subacl['acl'][$object][$attribute]); + continue; + } + + /* Per object ACL? */ + if (isset($subacl['acl'][$object][0])){ + $acl= $this->mergeACL($acl, $subacl['type'], $subacl['acl'][$object][0]); + continue; + } + + /* Global ACL? */ + if (isset($subacl['acl']['all'][0])){ + $acl= $this->mergeACL($acl, $subacl['type'], $subacl['acl']['all'][0]); + continue; + } + + /* If attribute is "", we want to know, if we've *any* permissions here... */ + if ($attribute == "" && isset($subacl['acl'][$object])){ + foreach($subacl['acl'][$object] as $attr => $dummy){ + $acl= $this->mergeACL($acl, $subacl['type'], $subacl['acl'][$object][$attr]); + } + continue; + } + + } + } + } + + /* Assemble string */ + $ret= ""; + foreach ($acl as $key => $value){ + if ($value != ""){ + $ret.= $key; + } + } + + /* Remove write if needed */ + if ($skip_write){ + $ret= preg_replace('/w/', '', $ret); + } + + return ($ret); + } + + + /* Extract all departments that are accessible (direct or 'on the way' to an + accessible department) */ + function get_module_departments($module) + { + global $plist; + + $objects= array(); + $deps= array(); + + /* Extract all relevant objects for this module from plist */ + foreach ($plist->info as $object => $info){ + if (!isset($info['plCategory'])){ + continue; + } + foreach ($info['plCategory'] as $idx => $data){ + if (preg_match('/^[0-9]+$/', $idx)){ + if ($data == $module){ + $objects[$object]= $object; + } + } else { + if ($idx == $module){ + $objects[$object]= $object; + } + } + } + } + + /* For all gosaDepartments */ + foreach ($this->config->departments as $dn){ + $acl= array("r" => "", "w" => "", "c" => "", "d" => "", "m" => "", "a" => ""); + + /* Build dn array */ + $path= split(',', $dn); + $path= array_reverse($path); + + /* Walk along the path to evaluate the acl */ + $cpath= ""; + foreach ($path as $element){ + + /* Clean potential ACLs for each level */ + $acl= $this->cleanACL($acl); + + if ($cpath == ""){ + $cpath= $element; + } else { + $cpath= $element.','.$cpath; + } + if (isset($this->ACL[$cpath])){ + + /* Inspect this ACL, place the result into ACL */ + foreach ($this->ACL[$cpath] as $subacl){ + + /* Reset? Just clean the ACL and turn over to the next one... */ + if ($subacl['type'] == 'reset'){ + $acl= $this->cleanACL($acl, TRUE); + continue; + } + + /* Per object ACL? */ + foreach ($objects as $object){ + if (isset($subacl['acl']["$module/$object"])){ + foreach($subacl['acl']["$module/$object"] as $attribute => $dcl){ + $acl= $this->mergeACL($acl, $subacl['type'], $subacl['acl']["$module/$object"][$attribute]); + } + } + } + + /* Global ACL? */ + if (isset($subacl['acl']["$module/all"][0])){ + $acl= $this->mergeACL($acl, $subacl['type'], $subacl['acl']["$module/all"][0]); + continue; + } + + /* Global ACL? */ + if (isset($subacl['acl']["all"][0])){ + $acl= $this->mergeACL($acl, $subacl['type'], $subacl['acl']["all"][0]); + continue; + } + } + } + } + + /* Add department, if we have (some) permissions for the required module */ + foreach ($acl as $val){ + if ($val != ""){ + $deps[]= $dn; + break; + } + } + } + + return ($deps); + } + + + function mergeACL($acl, $type, $newACL) + { + foreach(str_split($newACL) as $char){ + + /* Ignore invalid characters */ + if (!preg_match('/[rwcdm]/', $char)){ + continue; + } + + /* Skip permanent and subtree entries */ + if (preg_match('/[sp]/', $acl[$char])){ + continue; + } + + switch ($type){ + case 'psub': + $acl[$char]= 'p'; + break; + + case 'sub': + $acl[$char]= 's'; + break; + + case 'one': + $acl[$char]= 1; + break; + + case 'base': + if ($acl[$char] != 1){ + $acl[$char]= 0; + } + break; + } + } + + return ($acl); + } + + + function cleanACL($acl, $reset= FALSE) + { + foreach ($acl as $key => $value){ + + /* Reset removes everything but 'p' */ + if ($reset && $value != 'p'){ + $acl[$key]= ""; + continue; + } + + /* Decrease tree level */ + if (preg_match('/^[0-9]+$/', $value)){ + if ($value > 0){ + $acl[$key]= $value - 1; + } else { + $acl[$key]= ""; + } + } + } + + return ($acl); } }