X-Git-Url: https://git.tokkee.org/?a=blobdiff_plain;f=include%2Fclass_userinfo.inc;h=783b66822fe500558313f1ca8a27c726243f02a5;hb=2dd0610553775a07cd552ccdcbbf650a18794a8c;hp=b8a2fa737c523943bdbbe252fabeee13f1d4bd00;hpb=0623a7b78df69eb8ae7b60e80d03ad7a99c57418;p=gosa.git diff --git a/include/class_userinfo.inc b/include/class_userinfo.inc index b8a2fa737..783b66822 100644 --- a/include/class_userinfo.inc +++ b/include/class_userinfo.inc @@ -31,7 +31,9 @@ class userinfo var $gosaUnitTag= ""; var $subtreeACL= array(); var $ACL= array(); + var $ocMapping= array(); var $groups= array(); + var $result_cache =array(); /* get acl's an put them into the userinfo object attr subtreeACL (userdn:components, userdn:component1#sub1#sub2,component2,...) */ @@ -67,33 +69,9 @@ class userinfo function loadACL() { - -#--------------------------------------------------------------------------OLD-BUT-ACTIVE----------------------------- - $ldap= $this->config->get_ldap_link(); - - /* Load ACL's from all groups we're in */ - $this->subtreeACL= array(); - $ldap->cd($this->config->current['BASE']); - if ($this->gidNumber == -1){ - $ldap->search("(&(objectClass=posixGroup)(objectClass=gosaObject)". - "(memberUid=$this->username))"); - } else { - $ldap->search("(&(objectClass=posixGroup)(objectClass=gosaObject)". - "(|(memberUid=$this->username)(gidNumber=$this->gidNumber)))"); - } - - while($attrs = $ldap->fetch()){ - $base= preg_replace('/^[^,]+,ou=[^,]+,/i', "",$ldap->getDN()); - $base= preg_replace("/[ ]*,[ ]*/", ",", $base); - - for ($i= 0; $i<$attrs["gosaSubtreeACL"]["count"]; $i++){ - $this->subtreeACL[$base][]= $attrs["gosaSubtreeACL"][$i]; - } - } -#echo "NEW ACL LOADING --------------------------------------------------------------------------------------------
"; - $this->ACL= array(); $this->groups= array(); + $this->result_cache =array(); $ldap= $this->config->get_ldap_link(); $ldap->cd($this->config->current['BASE']); @@ -119,6 +97,31 @@ class userinfo $aclc[$attrs['dn']]= $ol; } + /* Resolve roles here. + */ + foreach($aclc as $dn => $data){ + foreach($data as $prio => $aclc_value) { + if($aclc_value['type'] == "role"){ + + unset($aclc[$dn][$prio]); + + $ldap->cat($aclc_value['acl'],array("gosaAclTemplate")); + $attrs = $ldap->fetch(); + + if(isset($attrs['gosaAclTemplate'])){ + for($i= 0; $i<$attrs['gosaAclTemplate']['count']; $i++){ + $tmp = @acl::explodeAcl($attrs['gosaAclTemplate'][$i]); + + foreach($tmp as $new_acl){ + $new_acl['members'] = $aclc_value['members']; + $aclc[$dn][] =$new_acl; + } + } + } + } + } + } + /* ACL's read, sort for tree depth */ asort($aclp); @@ -131,18 +134,19 @@ class userinfo /* No members? This is good for all users... */ if (!count($type['members'])){ $interresting= TRUE; - } + } else { - /* Inspect members... */ - foreach ($type['members'] as $grp => $grpdsc){ - /* Some group inside the members that is relevant for us? */ - if (in_array_ics(preg_replace('/^G:/', '', $grp), $this->groups)){ - $interresting= TRUE; - } + /* Inspect members... */ + foreach ($type['members'] as $grp => $grpdsc){ + /* Some group inside the members that is relevant for us? */ + if (in_array_ics(preg_replace('/^G:/', '', $grp), $this->groups)){ + $interresting= TRUE; + } - /* User inside the members? */ - if (preg_replace('/^U:/', '', $grp) == $this->dn){ - $interresting= TRUE; + /* User inside the members? */ + if (preg_replace('/^U:/', '', $grp) == $this->dn){ + $interresting= TRUE; + } } } @@ -158,7 +162,21 @@ class userinfo } - function get_permissions($dn, $object, $attribute, $skip_write= FALSE) + function get_category_permissions($dn, $category) + { + /* Get list of objectClasses and get the permissions for it */ + $acl= ""; + if (isset($this->ocMapping[$category])){ + foreach($this->ocMapping[$category] as $oc){ + $acl.= $this->get_permissions($dn, $category."/".$oc); + } + } + + return ($acl); + } + + + function get_permissions($dn, $object, $attribute= "", $skip_write= FALSE) { $acl= array("r" => "", "w" => "", "c" => "", "d" => "", "m" => "", "a" => ""); @@ -189,6 +207,11 @@ class userinfo continue; } + if($subacl['type'] == "role") { + echo "role skipped"; + continue; + } + /* Per attribute ACL? */ if (isset($subacl['acl'][$object][$attribute])){ $acl= $this->mergeACL($acl, $subacl['type'], $subacl['acl'][$object][$attribute]); @@ -207,8 +230,15 @@ class userinfo continue; } - } + /* If attribute is "", we want to know, if we've *any* permissions here... */ + if ($attribute == "" && isset($subacl['acl'][$object])){ + foreach($subacl['acl'][$object] as $attr => $dummy){ + $acl= $this->mergeACL($acl, $subacl['type'], $subacl['acl'][$object][$attr]); + } + continue; + } + } } } @@ -229,6 +259,8 @@ class userinfo } + /* Extract all departments that are accessible (direct or 'on the way' to an + accessible department) */ function get_module_departments($module) { global $plist; @@ -238,6 +270,9 @@ class userinfo /* Extract all relevant objects for this module from plist */ foreach ($plist->info as $object => $info){ + if (!isset($info['plCategory'])){ + continue; + } foreach ($info['plCategory'] as $idx => $data){ if (preg_match('/^[0-9]+$/', $idx)){ if ($data == $module){ @@ -251,15 +286,17 @@ class userinfo } } - /* Get all gosaDepartments */ - $ldap= $this->config->get_ldap_link(); - $ldap->cd($this->config->current['BASE']); - $ldap->search('objectClass=gosaDepartment', array('dn')); - while ($attrs= $ldap->fetch()){ + /* Load departments here, if we are using php4 */ + if(is_php4() && !count($this->config->departments)){ + $this->config->get_departments(); + } + + /* For all gosaDepartments */ + foreach ($this->config->departments as $dn){ $acl= array("r" => "", "w" => "", "c" => "", "d" => "", "m" => "", "a" => ""); /* Build dn array */ - $path= split(',', $attrs['dn']); + $path= split(',', $dn); $path= array_reverse($path); /* Walk along the path to evaluate the acl */ @@ -284,31 +321,40 @@ class userinfo $acl= $this->cleanACL($acl, TRUE); continue; } + + if($subacl['type'] == 'role'){ + echo "role skipped"; + continue; + } /* Per object ACL? */ foreach ($objects as $object){ - if (isset($subacl['acl'][$object])){ - foreach($subacl['acl'][$object] as $attribute => $dcl){ - if (isset($subacl['acl'][$object][$attribute])){ - $acl= $this->mergeACL($acl, $subacl['type'], preg_replace('/[cdm]/', '', $subacl['acl'][$object][$attribute])); - } + if (isset($subacl['acl']["$module/$object"])){ + foreach($subacl['acl']["$module/$object"] as $attribute => $dcl){ + $acl= $this->mergeACL($acl, $subacl['type'], $subacl['acl']["$module/$object"][$attribute]); } } } /* Global ACL? */ - if (isset($subacl['acl'][0])){ - $acl= $this->mergeACL($acl, $subacl['type'], preg_replace('/[cdm]/', '', $subacl['acl'][0])); + if (isset($subacl['acl']["$module/all"][0])){ + $acl= $this->mergeACL($acl, $subacl['type'], $subacl['acl']["$module/all"][0]); + continue; + } + + /* Global ACL? */ + if (isset($subacl['acl']["all"][0])){ + $acl= $this->mergeACL($acl, $subacl['type'], $subacl['acl']["all"][0]); continue; } } } } - /* Add department, if we have (some) permissions for the requred module */ + /* Add department, if we have (some) permissions for the required module */ foreach ($acl as $val){ if ($val != ""){ - $deps[]= $attrs['dn']; + $deps[]= $dn; break; } } @@ -320,6 +366,9 @@ class userinfo function mergeACL($acl, $type, $newACL) { + if(preg_match("/w/",$newACL) && !preg_match("/r/",$newACL)){ + $newACL .= "r"; + } foreach(str_split($newACL) as $char){ /* Ignore invalid characters */ @@ -380,6 +429,49 @@ class userinfo return ($acl); } + + /* #FIXME This could be logical wrong or could be optimized in the future + Return combined acls for a given category. + All acls will be combined like boolean AND + As example ('rwcdm' + 'rcd' + 'wrm'= 'r') + + Results will be cached in $this->result_cache. + $this->result_cache will be resetted if load_acls is called. + */ + function has_complete_category_acls($dn,$category) + { + $acl = "rwcdm"; + $types = "rwcdm"; + + + if(!is_string($category)){ + trigger_error("category must be string"); + $acl = ""; + }else{ + if(!isset($this->result_cache['has_complete_category_acls'][$dn][$category])) { + if (isset($this->ocMapping[$category])){ + foreach($this->ocMapping[$category] as $oc){ + + /* Skip objectClass '0' (e.g. users/0) get_permissions will ever return '' ?? */ + if($oc == "0") continue; + $tmp = $this->get_permissions($dn, $category."/".$oc); + for($i = 0 ; $i < strlen($types); $i++) { + if(!preg_match("/".$types[$i]."/",$tmp)){ + $acl = preg_replace("/".$types[$i]."/","",$acl); + } + } + } + }else{ + trigger_error("Invalid type of category ".$category); + $acl = ""; + } + $this->result_cache['has_complete_category_acls'][$dn][$category] = $acl; + }else{ + $acl = $this->result_cache['has_complete_category_acls'][$dn][$category]; + } + } + return($acl); + } } // vim:tabstop=2:expandtab:shiftwidth=2:filetype=php:syntax:ruler: