From: hickert
Date: Wed, 23 Dec 2009 13:45:51 +0000 (+0000)
Subject: Added a seperate ACL filter
X-Git-Url: https://git.tokkee.org/?a=commitdiff_plain;h=78cb669137c992ee059883d3fd0df879c36e262b;p=gosa.git
Added a seperate ACL filter
git-svn-id: https://oss.gonicus.de/repositories/gosa/trunk@14937 594d385d-05f5-0310-b6e9-bd551577e9d8
---
diff --git a/gosa-core/plugins/admin/acl/acl-filter.xml b/gosa-core/plugins/admin/acl/acl-filter.xml
index 01b9a7b56..0a9bd5f08 100644
--- a/gosa-core/plugins/admin/acl/acl-filter.xml
+++ b/gosa-core/plugins/admin/acl/acl-filter.xml
@@ -9,17 +9,7 @@ - LDAP - (|$ACL$ROLE)$NAME - cat - dn - objectClass - cn - ou - description - - - LDAP + ACL (|$ACL$ROLE)$NAME dn objectClass
@@ -40,9 +30,10 @@ (|(cn=*$*)(ou=*$*)(description=*$*)) true - LDAP + ACL (&(|(objectClass=gosaAcl)(objectClass=gosaRole))(|(ou=*$NAME*)(description=*$NAME*)(cn=*$NAME*))) ou + cn description 0.5 3
diff --git a/gosa-core/plugins/admin/acl/acl-list.xml b/gosa-core/plugins/admin/acl/acl-list.xml
index 8e3ce12d7..5db47fb36 100644
--- a/gosa-core/plugins/admin/acl/acl-list.xml
+++ b/gosa-core/plugins/admin/acl/acl-list.xml
@@ -16,7 +16,7 @@ gosaAcl acl acl - plugins/users/images/select_template.png + images/lists/locked.png
@@ -24,7 +24,7 @@ gosaRole acl acl - plugins/users/images/select_user.png + plugins/acl/images/role.png
@@ -47,7 +47,7 @@ - ou + dn string %{filter:filterLabel(row,dn,"%s",ou,cn,pid,base)} true
diff --git a/gosa-core/plugins/admin/acl/class_aclManagement.inc b/gosa-core/plugins/admin/acl/class_aclManagement.inc
index dc652a6e5..6329dc01b 100644
--- a/gosa-core/plugins/admin/acl/class_aclManagement.inc
+++ b/gosa-core/plugins/admin/acl/class_aclManagement.inc
@@ -45,7 +45,7 @@ class aclManagement extends management
 # $filter= session::global_get(get_class($this)."_filter");
 # } else {
 $filter = new filter(get_template_path("acl-filter.xml", true));
-# $filter->setObjectStorage($this->storagePoints);
+ $filter->setObjectStorage($this->storagePoints);
 # }
 $this->setFilter($filter);
diff --git a/gosa-core/plugins/admin/acl/class_filterACL.inc b/gosa-core/plugins/admin/acl/class_filterACL.inc
new file mode 100644
index 000000000..a12e22796
--- /dev/null
+++ b/gosa-core/plugins/admin/acl/class_filterACL.inc
@@ -0,0 +1,147 @@
+get_ldap_link(TRUE);
+ $flag= ($scope == "sub")?GL_SUBSEARCH:0;
+ $result= filterACL::get_list($base, $filter, $attributes, $category, $objectStorage, $flag | GL_SIZELIMIT, "cat");
+ $result= array_merge($result,filterACL::get_list($base, $filter, $attributes, $category, $objectStorage, $flag | GL_SIZELIMIT, ""));
+ return(filterACL::unifyResult($result));
+ }
+
+ static function unifyResult($result)
+ {
+ $res=array();
+ foreach($result as $entry){
+ if(!isset($res[$entry['dn']])){
+ $res[$entry['dn']]=$entry;
+ }
+ }
+ return(array_values($res));
+ }
+
+ static function get_list($base, $filter, $attributes, $category, $objectStorage, $flags= GL_SUBSEARCH, $method= "")
+ {
+ $ui= session::global_get('ui');
+ $config= session::global_get('config');
+
+ // Move to arrays for category and objectStorage
+ if (!is_array($category)) {
+ $category= array($category);
+ }
+ if (!is_array($objectStorage)) {
+ $objectStorage= array($objectStorage);
+ }
+
+ if(empty($method)){
+ $method= (empty($objectStorage) && !($flags & GL_SUBSEARCH))?"ls":"search";
+ }
+
+ // Initialize search bases
+ $bases= array();
+
+ // Get list of sub bases to search on
+ if (count($objectStorage) == 0) {
+ $bases[$base]= "";
+ } else {
+ foreach ($objectStorage as $oc) {
+ $oc= preg_replace('/,$/', '', $oc);
+ $tmp= split(',', $oc);
+ if (count($tmp) == 1) {
+ preg_match('/([^=]+)=(.*)$/', $oc, $m);
+ if ($flags & GL_SUBSEARCH) {
+ $bases[$base][]= $m[1].":dn:=".$m[2];
+ } else {
+ $bases["$oc,$base"][]= $m[1].":dn:=".$m[2];
+ }
+ } else {
+ // No, there's no \, in pre defined RDN values
+ preg_match('/^([^,]+),(.*)$/', $oc, $matches);
+ preg_match('/([^=]+)=(.*)$/', $matches[1], $m);
+ if ($flags & GL_SUBSEARCH) {
+ $bases[$base][]= $m[1].":dn:=".$m[2];
+ } else {
+ $bases[$matches[2].",$base"][]= $m[1].":dn:=".$m[2];
+ }
+ }
+ }
+ }
+
+ // Get LDAP link
+ $ldap= $config->get_ldap_link($flags & GL_SIZELIMIT);
+
+ // Do search for every base
+ $result= array();
+ $limit_exceeded = FALSE;
+ foreach($bases as $base => $dnFilters) {
+
+ // Break if the size limit is exceeded
+ if($limit_exceeded){
+ return($result);
+ }
+
+ // Switch to new base and search
+ if (is_array($dnFilters)){
+ $dnFilter= "(|";
+ foreach ($dnFilters as $df) {
+ $dnFilter.= "($df)";
+ }
+ $dnFilter.= ")";
+ } else {
+ $dnFilter= "";
+ }
+ $ldap->cd($base);
+ if ($method == "ls") {
+ $ldap->ls("(&$filter$dnFilter)", $base, $attributes);
+ } elseif($method == "cat") {
+ $ldap->cat($base, $attributes);
+ } else {
+ $ldap->search("(&$filter$dnFilter)", $attributes);
+ }
+
+ // Check for size limit exceeded messages for GUI feedback
+ if (preg_match("/size limit/i", $ldap->get_error())){
+ session::set('limit_exceeded', TRUE);
+ $limit_exceeded = TRUE;
+ }
+
+ /* Crawl through result entries and perform the migration to the
+ result array */
+ while($attrs = $ldap->fetch()) {
+ $dn= $ldap->getDN();
+
+ /* Convert dn into a printable format */
+ if ($flags & GL_CONVERT){
+ $attrs["dn"]= convert_department_dn($dn);
+ } else {
+ $attrs["dn"]= $dn;
+ }
+
+ /* Skip ACL checks if we are forced to skip those checks */
+ if($flags & GL_NO_ACL_CHECK){
+ $result[]= $attrs;
+ }else{
+
+ /* Sort in every value that fits the permissions */
+ foreach ($category as $o){
+ if((preg_match("/\//",$o) && preg_match("/r/",$ui->get_permissions($dn,$o))) ||
+ (!preg_match("/\//",$o) && preg_match("/r/",$ui->get_category_permissions($dn, $o)))){
+ $result[]= $attrs;
+ break;
+ }
+ }
+ }
+ }
+
+ }
+
+ return $result;
+ }
+
+
+}
+
+?>
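Review bot: `$tmp= split(',', $oc);` in get_list() uses the POSIX-regex `split()`, which is deprecated as of PHP 5.3 and removed in 7.0; `$tmp= explode(',', $oc);` gives the same result for this literal separator. The LDAP filter is also built by string interpolation, `"(&$filter$dnFilter)"`, with `$m[2]` from each objectStorage RDN inserted unescaped into `:dn:=` — that is acceptable while storage points come only from configuration (they are set from `$this->storagePoints` in class_aclManagement.inc), but `$filter` itself arrives from the caller, so a comment at the `$ldap->search(...)`/`$ldap->ls(...)` lines stating that the caller must already have escaped any user-supplied substitution (on current PHP, `ldap_escape($value, '', LDAP_ESCAPE_FILTER)`) would make the trust boundary explicit. The `"cat"` branch, `$ldap->cat($base, $attributes);`, ignores both `$filter` and `$dnFilter`, so the base entries collected by query()'s first get_list() call are subject only to the ACL check and never to the search filter — if that is intended (the container carrying gosaAcl should always be listed), it deserves a one-line comment there; if not, the fetched entry needs to be matched against `$filter`. Two smaller points: `foreach($bases as $base => $dnFilters)` reuses the parameter name `$base` as the loop key and shadows it for the rest of the function, and the file ends with a closing `?>` that a PHP-only file should omit. The file's opening lines, including the signature of query() whose body is the first thing visible here, are not part of this listing.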