From ee193942fc2a59ed31a6169a428c4f68e3131bf4 Mon Sep 17 00:00:00 2001 From: cajus Date: Wed, 12 Jul 2006 12:08:37 +0000 Subject: [PATCH] Updated acl handling - still not functional git-svn-id: https://oss.gonicus.de/repositories/gosa/trunk@4128 594d385d-05f5-0310-b6e9-bd551577e9d8 --- html/main.php | 1 - include/class_acl.inc | 4 +- include/class_userinfo.inc | 212 ++++++++++++++++++++++++++++++++++++- include/functions.inc | 2 +- 4 files changed, 212 insertions(+), 7 deletions(-) diff --git a/html/main.php b/html/main.php index b2c94f405..365763c9c 100644 --- a/html/main.php +++ b/html/main.php @@ -392,7 +392,6 @@ echo $display; $_SESSION['plist']= $plist; $_SESSION['config']= $config; - /* Echo compilation time * / $r = split(" ",$start); $ms = $r[0]; diff --git a/include/class_acl.inc b/include/class_acl.inc index 15aa1f8f6..e5b604bc4 100644 --- a/include/class_acl.inc +++ b/include/class_acl.inc @@ -130,8 +130,8 @@ class acl extends plugin "one" => _("One level"), "base" => _("Current object"), "sub" => _("Complete subtree"), - "psub" => _("Complete subtree (permanent)"), - "role" => _("Use ACL defined in role")); + "psub" => _("Complete subtree (permanent)")); + //"role" => _("Use ACL defined in role")); } else { $this->aclTypes= array("base" => _("Current object"), "role" => _("Use ACL defined in role")); diff --git a/include/class_userinfo.inc b/include/class_userinfo.inc index f110833ca..d7c1fec4b 100644 --- a/include/class_userinfo.inc +++ b/include/class_userinfo.inc @@ -67,6 +67,8 @@ class userinfo function loadACL() { + +#--------------------------------------------------------------------------OLD-BUT-ACTIVE----------------------------- $ldap= $this->config->get_ldap_link(); /* Load ACL's from all groups we're in */ @@ -88,8 +90,8 @@ class userinfo $this->subtreeACL[$base][]= $attrs["gosaSubtreeACL"][$i]; } } - #echo "NEW ACL LOADING --------------------------------------------------------------------------------------------
"; + $this->ACL= array(); $this->groups= array(); $ldap= $this->config->get_ldap_link(); @@ -156,9 +158,213 @@ class userinfo } - function get_permissions($dn, $object= "", $attribute= "") + function get_permissions($dn, $object, $attribute) + { + $acl= array("r" => "", "w" => "", "c" => "", "d" => "", "m" => ""); + + /* Build dn array */ + $path= split(',', $dn); + $path= array_reverse($path); + + /* Walk along the path to evaluate the acl */ + $cpath= ""; + foreach ($path as $element){ + + /* Clean potential ACLs for each level */ + $acl= $this->cleanACL($acl); + + if ($cpath == ""){ + $cpath= $element; + } else { + $cpath= $element.','.$cpath; + } + if (isset($this->ACL[$cpath])){ + + /* Inspect this ACL, place the result into ACL */ + foreach ($this->ACL[$cpath] as $subacl){ + + /* Reset? Just clean the ACL and turn over to the next one... */ + if ($subacl['type'] == 'reset'){ + $acl= $this->cleanACL($acl, TRUE); + continue; + } + + /* Per attribute ACL? */ + if (isset($subacl['acl'][$object][$attribute])){ + $acl= $this->mergeACL($acl, $subacl['type'], $subacl['acl'][$object][$attribute]); + continue; + } + + /* Per object ACL? */ + if (isset($subacl['acl'][$object][0])){ + $acl= $this->mergeACL($acl, $subacl['type'], preg_replace('/[cdm]/', '', $subacl['acl'][$object][0])); + continue; + } + + /* Global ACL? */ + if (isset($subacl['acl'][0])){ + $acl= $this->mergeACL($acl, $subacl['type'], preg_replace('/[cdm]/', '', $subacl['acl'][0])); + continue; + } + + } + + } + } + + /* Assemble string */ + $ret= ""; + foreach ($acl as $key => $value){ + if ($value != ""){ + $ret.= $key; + } + } + + return ($ret); + } + + + function get_module_departments($module) + { + global $plist; + + $objects= array(); + $deps= array(); + + /* Extract all relevant objects for this module from plist */ + foreach ($plist->info as $object => $info){ + if (isset($info['plDepends']['objectClass']) && $info['plDepends']['objectClass'] == $module){ + $objects[$object]= $object; + } + } + + /* Get all gosaDepartments */ + $ldap= $this->config->get_ldap_link(); + $ldap->cd($this->config->current['BASE']); + $ldap->search('objectClass=gosaDepartment', array('dn')); + while ($attrs= $ldap->fetch()){ + $acl= array("r" => "", "w" => "", "c" => "", "d" => "", "m" => ""); + + /* Build dn array */ + $path= split(',', $attrs['dn']); + $path= array_reverse($path); + + /* Walk along the path to evaluate the acl */ + $cpath= ""; + foreach ($path as $element){ + + /* Clean potential ACLs for each level */ + $acl= $this->cleanACL($acl); + + if ($cpath == ""){ + $cpath= $element; + } else { + $cpath= $element.','.$cpath; + } + if (isset($this->ACL[$cpath])){ + + /* Inspect this ACL, place the result into ACL */ + foreach ($this->ACL[$cpath] as $subacl){ + + /* Reset? Just clean the ACL and turn over to the next one... */ + if ($subacl['type'] == 'reset'){ + $acl= $this->cleanACL($acl, TRUE); + continue; + } + + /* Per object ACL? */ + foreach ($objects as $object){ + if (isset($subacl['acl'][$object])){ + foreach($subacl['acl'][$object] as $attribute => $dcl){ + if (isset($subacl['acl'][$object][$attribute])){ + $acl= $this->mergeACL($acl, $subacl['type'], preg_replace('/[cdm]/', '', $subacl['acl'][$object][$attribute])); + } + } + } + } + + /* Global ACL? */ + if (isset($subacl['acl'][0])){ + $acl= $this->mergeACL($acl, $subacl['type'], preg_replace('/[cdm]/', '', $subacl['acl'][0])); + continue; + } + } + } + } + + /* Add department, if we have (some) permissions for the requred module */ + foreach ($acl as $val){ + if ($val != ""){ + $deps[]= $attrs['dn']; + break; + } + } + } + + return ($deps); + } + + + function mergeACL($acl, $type, $newACL) { - echo "Evaluating permissions for $dn, object $object/$attribute
"; + foreach(str_split($newACL) as $char){ + + /* Ignore invalid characters */ + if (!preg_match('/[rwcdm]/', $char)){ + continue; + } + + /* Skip permanent and subtree entries */ + if (preg_match('/[sp]/', $acl[$char])){ + continue; + } + + switch ($type){ + case 'psub': + $acl[$char]= 'p'; + break; + + case 'sub': + $acl[$char]= 's'; + break; + + case 'one': + $acl[$char]= 1; + break; + + case 'base': + if ($acl[$char] != 1){ + $acl[$char]= 0; + } + break; + } + } + + return ($acl); + } + + + function cleanACL($acl, $reset= FALSE) + { + foreach ($acl as $key => $value){ + + /* Reset removes everything but 'p' */ + if ($reset && $value != 'p'){ + $acl[$key]= ""; + continue; + } + + /* Decrease tree level */ + if (preg_match('/^[0-9]+$/', $value)){ + if ($value > 0){ + $acl[$key]= $value - 1; + } else { + $acl[$key]= ""; + } + } + } + + return ($acl); } } diff --git a/include/functions.inc b/include/functions.inc index a4e7b952b..899aadb8d 100644 --- a/include/functions.inc +++ b/include/functions.inc @@ -38,8 +38,8 @@ require_once ("class_ldap.inc"); require_once ("class_config.inc"); require_once ("class_plugin.inc"); require_once ("class_acl.inc"); -require_once ("class_userinfo.inc"); require_once ("class_pluglist.inc"); +require_once ("class_userinfo.inc"); require_once ("class_tabs.inc"); require_once ("class_mail-methods.inc"); require_once ("class_password-methods.inc"); -- 2.30.2