1 <?php
3 class aclResolver
4 {
5 private $classMapping = array();
6 private $aclTypes = array();
7 private $affectingACLs = array();
9 private $renderedList = "";
11 // The users 'dn' and 'uid' used to verify the collected acls
12 private $validateDn;
13 private $validateUid;
14 private $acl_category;
15 private $parent;
17 // Used for the autocompleter
18 private $userMap;
20 function __construct($config, $dn, $parent)
21 {
22 $this->config = &$config;
23 $this->dn = $dn;
24 $this->parent = $parent;
26 // Replace this with a user defined one later.
27 $ui = get_userinfo();
28 $this->validateUid = $ui->uid;
29 $this->validateDn = $ui->dn;
31 // Build class mapping - only once, will not change during session.
32 if(!session::is_set('aclConverter::classMapping')){
33 $tmp= session::global_get('plist');
34 $plist= $tmp->info;
35 $map = array();
36 foreach($plist as $class => $plInfo){
37 if(isset($plInfo['plCategory']) && is_array($plInfo['plCategory'])){
38 foreach($plInfo['plCategory'] as $category => $desc){
39 if(!is_numeric($category)){
40 $map[$category] = $desc['description'];
41 }
42 }
43 }
44 }
45 foreach($plist as $class => $plInfo){
46 if(isset($plInfo['plCategory']) && is_array($plInfo['plCategory'])){
47 foreach($plInfo['plCategory'] as $category => $desc){
48 if(!isset($map[$category])) continue;
49 if(!is_numeric($category)){
50 $map[$category."/".$class] = $map[$category]." - ".$plInfo['plDescription'];
51 }else{
52 $map[$desc."/".$class] = $map[$desc]." - ".$plInfo['plDescription'];
53 }
54 }
56 }
57 }
58 session::set('aclConverter::classMapping', $map);
59 }
60 $this->classMapping = session::get('aclConverter::classMapping');
62 // Define ACL type translations
63 $this->aclTypes= array("reset" => _("Reset ACLs"),
64 "one" => _("One level"),
65 "base" => _("Current object"),
66 "sub" => _("Complete subtree"),
67 "psub" => _("Complete subtree (permanent)"),
68 "role" => _("Use ACL defined in role"));
70 // Enforce to reload acl result
71 $this->renderedList = "";
72 }
75 function reload()
76 {
77 // Go through all ACLs and get those matching the objects dn.
78 $ui = get_userinfo();
79 $ui->reset_acl_cache();
80 $ui->loadACL();
82 // Get ACL category for the current object.
83 if(isset($this->parent->acl_category) && !empty($this->parent->acl_category)){
84 $this->acl_category = preg_replace("/\/$/","",$this->parent->acl_category);
85 }
87 foreach($ui->allACLs as $dn => $acls){
88 if(preg_match("/".preg_quote($dn,'/')."$/i", $this->dn)){
90 // Foreach dn there is a collection of ACLs indexed by their priority
91 foreach($acls as $prio => $acl){
92 if($acl['type'] == "reset"){
93 $this->affectingACLs[$dn][$prio] = $acl;
94 continue;
95 }else{
97 // Only get those entries with a relevant acl-category
98 foreach($acl['acl'] as $category => $attributes){
99 if(preg_match("/^all($|\/)/", $category) ||
100 preg_match("/^".$this->acl_category."($|\/)/", $category)){
101 $this->affectingACLs[$dn][$prio] = $acl;
102 continue;
103 }
104 }
105 }
106 }
107 }
108 }
109 }
113 /*! \brief Create a human readable HTML result
114 */
115 function getReadableACL()
116 {
117 if(isset($_POST['aclTarget'])){
118 $d = get_post('aclTarget');
119 if(isset($this->userMap[$d])){
120 $this->validateDn = $this->userMap[$d]['dn'];
121 $this->validateUid = $this->userMap[$d]['uid'][0];
122 $this->renderedList = "";
123 }else{
125 foreach($this->userMap as $string => $data){
126 if($data['uid'][0] == $d){
127 $this->validateDn = $data['dn'];
128 $this->validateUid = $data['uid'][0];
129 $this->renderedList = "";
131 }
132 }
133 }
134 }
137 if(empty($this->renderedList)){
139 $this->reload();
141 // Autocompleter template
142 $autocompleter ="
143 <input class='filter_textfield' placeholder='"._("Enter another user name")."...'
144 id='aclTarget' name='aclTarget' type='text' value=''
145 onChange=\"\$('aclTargetSubmit').focus();\">
147 <div id='autocomplete' class='autocomplete'></div>
148 <script type='text/javascript'>
149 new Ajax.Autocompleter(
150 'aclTarget',
151 'autocomplete',
152 'autocomplete.php',
153 { minChars: 3, frequency: 0.5 });
154 </script>
155 ".image("images/lists/submit.png","aclTargetSubmit");
157 // Base template - each entry start with this
158 $tpl =
159 "\n <tr class='acl-viewer-head %s'>".
160 "\n <td style='width:20px'>%s</td>".
161 "\n <td colspan=2><b>%s</b><div class='right'>%s</div></td>".
162 "\n </tr>".
163 "\n %s";
165 // If the acl consists of a user-object-filter then this template is used.
166 $filter_tpl =
167 "\n <tr class='%s'>".
168 "\n <td></td>".
169 "\n <td><b>"._("Filter")."</b></td>".
170 "\n <td><ul class='acl-viewer-items'><li>%s</li></ul></td>".
171 "\n </tr>";
173 // Used to display ACL owner of type "group"
174 $gmem_tpl =
175 "\n <tr class='%s'>".
176 "\n <td></td>".
177 "\n <td><b>"._("Groups")."</b></td>".
178 "\n <td><ul class='acl-viewer-items'>%s</ul></td>".
179 "\n </tr>";
181 // Used to display ACL owner of type "user"
182 $umem_tpl =
183 "\n <tr class='%s'>".
184 "\n <td></td>".
185 "\n <td><b>"._("Users")."</b></td>".
186 "\n <td><ul class='acl-viewer-items'>%s</ul></td>".
187 "\n </tr>";
189 // Used to display the acl contents, except 'reset' and 'role'
190 $acl_tpl =
191 "\n <tr class='%s'>".
192 "\n <td></td>".
193 "\n <td><b>"._("ACLs")."</b></td>".
194 "\n <td><ul class='acl-viewer-items'>%s</ul></td>".
195 "\n </tr>";
198 $user = "<h3>".sprintf(_("List of effective ACLs for '%s'"), $this->validateUid)."</h3>";
199 $str = "<table summary='"._("Object permissions")."'>";
200 $str .= " <tr><td>".$user."</td><td>".$autocompleter."</td></tr>";
201 $str .= "</table>";
202 $str .= "<div class='acl-viewer-container'>";
203 $str .= "<table summary='"._("Object permissions")."' cellpadding='0' cellspacing='0' class='acl-viewer'>";
204 $ldap = $this->config->get_ldap_link();
205 $ldap->cd($this->config->current['BASE']);
206 $ui = get_userinfo();
207 foreach($this->affectingACLs as $dn => $acls){
208 foreach($acls as $acl){
210 // Prepare entry icon (department or element?)
211 $image = (isset($this->config->idepartments[$dn]))? "images/select_department.png":"images/lists/element.png";
213 // The acl type (sub,psub,reset...)
214 $aclType = $this->aclTypes[$acl['type']];
216 // Does the filter match for current object?
217 $filter ="";
218 $match = TRUE;
219 if(!empty($acl['filter'])){
220 $match = $ldap->object_match_filter($this->dn,$acl['filter']);
221 $filter= $acl['filter'];
222 if(!$match){
223 $filter= "<span>".$filter."</span>";
224 }
225 }
227 // Check membership
228 $gmem = $umem = "";
229 $users = $groups = array();
230 $found = FALSE;
231 foreach($acl['members'] as $type => $name){
233 // Check if we're part of the members
234 if(preg_match("/^U:/", $type)){
235 if(preg_match("/^U:".preg_quote($this->validateDn,'/')."/", $type)){
236 $users[] = $name;
237 $found = TRUE;
238 continue;
239 }
240 $users[] = "<span>".$name."</span>";
241 }
243 // Check if we're part of the group members
244 if(preg_match("/^G/", $type)){
245 if($type == "G:*"){
246 $found = TRUE;
247 $groups[] = $name;
248 continue;
249 }
250 if(preg_match("/^G:/", $type)){
251 $gdn = preg_replace("/^G:/","",$type);
252 $ldap->cat($gdn,array('memberUid'));
253 if($ldap->count()){
254 $attrs = $ldap->fetch();
255 if(isset($attrs['memberUid']) && in_array_strict($this->validateUid, $attrs['memberUid'])){
256 $found = TRUE;
257 $groups[] = $name;
258 continue;
259 }
260 }
261 }
263 // Mark groups that doesn't match
264 $groups[] = "<span>".$name."</span>";
265 }
266 }
268 // Build up ACL definition list
269 $defs ="";
270 if($acl['type']!='reset'){
271 foreach($acl['acl'] as $type => $acl){
272 if(isset($this->classMapping[$type])){
273 $defs .= "<li>".$this->classMapping[$type].": ".$this->aclToString($acl)."</li>";
274 }else{
275 $defs .= "<li>".$type.": ".$this->aclToString($acl)."</li>";
276 }
277 }
278 }
280 // Display the acl block in a special color if its not matching
281 $class="";
282 if(!$found || !$match){
283 $class = "acl-viewer-blocked";
284 }
285 if(!empty($filter)) $filter =sprintf($filter_tpl,$class,$filter);
286 if(!empty($defs)) $defs = sprintf($acl_tpl,$class,$defs);
287 if(count($users)) $umem = sprintf($umem_tpl,$class,"<li>".implode($users,'</li><li>')."</li>");
288 if(count($groups)) $gmem = sprintf($gmem_tpl,$class,"<li>".implode($groups,'</li><li>')."</li>");
289 $str.= sprintf($tpl,$class, image($image), $dn, $aclType, $filter.$gmem.$umem.$defs);
290 }
291 }
292 $str .= "</table>";
293 $str .= "</div>";
294 $this->renderedList = $str;
295 }
296 return($this->renderedList);
297 }
299 function aclToString($acls)
300 {
301 $str ="<ul class='acl-category-list'>";
302 foreach($acls as $name => $acl){
303 if($name == "0") $name = _("All");
304 $str .= "<li><i>".$name.":</i> ";
305 $str .= "<ul class='acl-list'>";
306 if(preg_match("/s/", $acl)){
307 $str.="<li><u>"._("Restrict changes to user's own object").'</u></li>';
308 }
309 if(preg_match("/r/", $acl)) $str.="<li>"._("read").'</li>';
310 if(preg_match("/w/", $acl)) $str.="<li>"._("write").'</li>';
311 if(preg_match("/c/", $acl)) $str.="<li>"._("create").'</li>';
312 if(preg_match("/d/", $acl)) $str.="<li>"._("remove").'</li>';
313 if(preg_match("/m/", $acl)) $str.="<li>"._("move").'</li>';
314 $str.= "</ul>";
315 }
316 return($str."</ul>");
317 }
319 function processAutocomplete()
320 {
321 $ldap = $this->config->get_ldap_link();
322 $ldap->cd($this->config->current['BASE']);
323 $ldap->search("(&(objectClass=gosaAccount)(|(sn=*".get_post('aclTarget')."*)".
324 "(uid=*".get_post('aclTarget')."*)(givenName=*".get_post('aclTarget')."*)))",
325 array('uid','dn','sn','givenName'));
326 echo "<ul>";
327 while($attrs = $ldap->fetch()){
328 $display = $attrs['givenName'][0]." ".$attrs['sn'][0]." [".$attrs['uid'][0]."]";
329 echo "<li>{$display}</li>";
330 $this->userMap[$display] = $attrs;
331 }
332 echo "</ul>";
333 }
334 }
336 ?>