Skip to content
GitLab
Select Git revision
  • dev default
  • 6378-orcid-test-method-is-wrong-and-break-orcid-saving
  • core-php8
  • master
  • 6342-update-the-locales-for-1-5
  • 6344-template-issue-when-creating-a-template-with-empty-password-error-message-should-not-be-seen
  • 6365-core-locking-mechanism-is-not-changing-the-mail-ressource-it-does-lock-the-mail-account
  • 6365-core-when-lock-mechanism-is-trigger-the-user-should-not-be-editable-if-not-unlock
  • fusiondirectory-1.5
  • fusiondirectory-1.4
  • fusiondirectory-1.3.1
  • fusiondirectory-1.3
  • fusiondirectory-1.2.3
  • fusiondirectory-1.2.2
  • fusiondirectory-1.2.1
  • fusiondirectory-1.2
  • fusiondirectory-1.1.1
  • fusiondirectory-1.1
  • fusiondirectory-1.0.20
  • fusiondirectory-1.0.19
  • fusiondirectory-1.0.18
  • fusiondirectory-1.0.17
  • fusiondirectory-1.0.16
  • fusiondirectory-1.0.15
  • fusiondirectory-1.0.14
  • fusiondirectory-1.0.13
  • fusiondirectory-1.0.12
  • fusiondirectory-1.0.11
Find file BlameHistoryPermalink
class_userinfo.inc 34.69 KiB
1 
<?php
2 
/*
3 
  This code is part of FusionDirectory (http://www.fusiondirectory.org/)
4
5 
  Copyright (C) 2003-2010  Cajus Pollmeier
6 
  Copyright (C) 2011-2020  FusionDirectory
7
8 
  This program is free software; you can redistribute it and/or modify
9 
  it under the terms of the GNU General Public License as published by
10 
  the Free Software Foundation; either version 2 of the License, or
11 
  (at your option) any later version.
12
13 
  This program is distributed in the hope that it will be useful,
14 
  but WITHOUT ANY WARRANTY; without even the implied warranty of
15 
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16 
  GNU General Public License for more details.
17
18 
  You should have received a copy of the GNU General Public License
19 
  along with this program; if not, write to the Free Software
20 
  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
21 
*/
22
23 
/*!
24 
 * \file class_userinfo.inc
25 
 * Source code for the class userinfo
26 
 */
27
28 
/* Define shadow states */
29 
define('POSIX_ACCOUNT_EXPIRED',           1);
30 
define('POSIX_WARN_ABOUT_EXPIRATION',     2);
31 
define('POSIX_FORCE_PASSWORD_CHANGE',     4);
32 
define('POSIX_DISALLOW_PASSWORD_CHANGE',  8);
33
34 
/*!
35 
 * \brief Class userinfo
36 
 * This class contains all informations and functions
37 
 * about user
38 
 */
39
40 
class userinfo
41 
{
42 
  var $dn;
43 
  var $cn;
44 
  var $uid;
45 
  var $sn           = '';
46 
  var $givenName    = '';
47 
  var $gidNumber    = -1;
48 
  var $language     = "";
49 
  var $groups       = [];
50 
  var $roles        = [];
51
52 
  /*! \brief LDAP attributes of this user at login */
53 
  protected $cachedAttrs  = [];
54
55 
  protected $result_cache = [];
56 
  protected $ignoreACL    = FALSE;
57 
  protected $ACL          = [];
58 
  protected $ACLperPath   = [];
59
60 
  /*! \brief LDAP size limit handler */
61 
  protected $sizeLimitHandler;
62
63 
  /*! \brief Current management base */
64 
  protected $currentBase;
65
66 
  /*! \brief Password change should be forced */
67 
  protected $forcePasswordChange = FALSE;
68
69 
  function __construct ($userdn)
70 
  {
7172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140
global $config; $this->dn = $userdn; $this->ignoreACL = ($config->get_cfg_value('ignoreAcl') == $this->dn); $this->loadLDAPInfo(); /* Initialize ACL_CACHE */ $this->reset_acl_cache(); $this->sizeLimitHandler = new ldapSizeLimit(); } /*! \brief Loads user information from LDAP */ function loadLDAPInfo () { global $config; $ldap = $config->get_ldap_link(); $ldap->cat($this->dn, ['*']); $attrs = $ldap->fetch(TRUE); $this->uid = $attrs['uid'][0]; if (isset($attrs['cn'][0])) { $this->cn = $attrs['cn'][0]; } elseif (isset($attrs['givenName'][0]) && isset($attrs['sn'][0])) { $this->cn = $attrs['givenName'][0].' '.$attrs['sn'][0]; } else { $this->cn = $attrs['uid'][0]; } if (isset($attrs['gidNumber'][0])) { $this->gidNumber = $attrs['gidNumber'][0]; } if (isset($attrs['sn'][0])) { $this->sn = $attrs['sn'][0]; } if (isset($attrs['givenName'][0])) { $this->givenName = $attrs['givenName'][0]; } /* Assign user language */ if (isset($attrs['preferredLanguage'][0])) { $this->language = $attrs['preferredLanguage'][0]; } $this->cachedAttrs = $attrs; } /*! * \brief Reset acl cache */ public function reset_acl_cache () { /* Initialize ACL_CACHE */ session::set('ACL_CACHE', []); } /*! * \brief Load an acl */ function loadACL () { global $config, $plist; $this->ACL = []; $this->groups = []; $this->roles = []; $this->result_cache = []; $this->reset_acl_cache(); $ldap = $config->get_ldap_link(); $ldap->cd($config->current['BASE']);
141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210
$targetFilterLimit = $config->get_cfg_value('AclTargetFilterLimit', 100); /* Get member groups... */ $ldap->search('(&(objectClass=groupOfNames)(member='.ldap_escape_f($this->dn).'))', ['dn']); while ($attrs = $ldap->fetch()) { $this->groups[$attrs['dn']] = $attrs['dn']; } /* Get member POSIX groups... */ $ldap->search('(&(objectClass=posixGroup)(memberUid='.ldap_escape_f($this->uid).'))', ['dn']); while ($attrs = $ldap->fetch()) { $this->groups[$attrs['dn']] = $attrs['dn']; } /* Get member roles... */ $ldap->search('(&(objectClass=organizationalRole)(roleOccupant='.ldap_escape_f($this->dn).'))', ['dn']); while ($attrs = $ldap->fetch()) { $this->roles[$attrs['dn']] = $attrs['dn']; } /* Crawl through ACLs and move relevant to the tree */ $ldap->search('(objectClass=gosaACL)', ['dn', 'gosaAclEntry']); $ACLsContent = []; while ($attrs = $ldap->fetch()) { /* Insert links in ACL array */ $mergedAcls = []; for ($i = 0; $i < $attrs['gosaAclEntry']['count']; $i++) { $mergedAcls = array_merge($mergedAcls, acl::explodeACL($attrs['gosaAclEntry'][$i])); } $ACLsContent[$attrs['dn']] = $mergedAcls; } $ACLsContentResolved = []; /* Resolve roles here */ foreach ($ACLsContent as $dn => $ACLRules) { foreach ($ACLRules as $ACLRule) { $ldap->cat($ACLRule['acl'], ['gosaAclTemplate']); $attrs = $ldap->fetch(); if (!isset($attrs['gosaAclTemplate'])) { continue; } $interesting = FALSE; /* Inspect members... */ foreach (array_keys($ACLRule['members']) as $member) { /* Wildcard? */ if ($member === 'G:*') { $interesting = TRUE; break; } list($memberType, $memberDn) = explode(':', $member, 2); switch ($memberType) { case 'G': if (in_array_ics($memberDn, $this->groups)) { $interesting = TRUE; break 2; } break; case 'R': if (in_array_ics($memberDn, $this->roles)) { $interesting = TRUE; break 2; } break; case 'U':
211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280
if (mb_strtolower($memberDn) === mb_strtolower($this->dn)) { $interesting = TRUE; break 2; } break; default: throw FusionDirectoryException('Unknown ACL member type '.$memberType); } } if (!$interesting) { continue; } if (!empty($ACLRule['userfilter']) && !$ldap->object_match_filter($this->dn, $ACLRule['userfilter'])) { /* We do not match the user filter */ continue; } if (!empty($ACLRule['targetfilter'])) { $ldap->cd($dn); $ldap->set_size_limit($targetFilterLimit); $targetFilter = templateHandling::parseString($ACLRule['targetfilter'], $this->cachedAttrs, 'ldap_escape_f'); $ldap->search($targetFilter, ['dn']); if ($ldap->hitSizeLimit()) { msg_dialog::display( _('Error'), sprintf( _('An ACL assignment for the connected user matched more than than the %d objects limit. This user will not have the ACL rights he should.'), $targetFilterLimit ), ERROR_DIALOG ); } $targetDns = []; while ($targetAttrs = $ldap->fetch()) { $targetDns[] = $targetAttrs['dn']; } $ldap->set_size_limit(0); } else { $targetDns = [$dn]; } $roleAcls = acl::explodeRole($attrs['gosaAclTemplate']); foreach ($roleAcls as $roleAcl) { foreach ($targetDns as $targetDn) { $ACLsContentResolved[$targetDn][] = [ 'acl' => $roleAcl, 'type' => $ACLRule['type'], 'members' => $ACLRule['members'], ]; } } } } /* Sort by tree depth */ uksort( $ACLsContentResolved, function ($dn1, $dn2) { return substr_count($dn1, ',') <=> substr_count($dn2, ','); } ); /* Insert in $this->ACL */ foreach ($ACLsContentResolved as $dn => $ACLRules) { foreach ($ACLRules as $idx => $ACLRule) { if (!isset($this->ACL[$dn])) { $this->ACL[$dn] = [];
281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350
} $this->ACL[$dn][$idx] = $ACLRule; } } /* Create an array which represent all relevant permissions settings per dn. The array will look like this: . ['ou=base'] ['ou=base'] = array(ACLs); . . ['ou=dep1,ou=base']['ou=dep1,ou=base'] = array(ACLs); . ['ou=base'] = array(ACLs); For objects located in 'ou=dep1,ou=base' we have to apply both ACLs, for objects in 'ou=base' we only have to apply one ACL. */ $all_acl = []; foreach ($this->ACL as $dn => $acl) { $all_acl[$dn][$dn] = $acl; $sdn = $dn; while (strpos($dn, ',') !== FALSE) { $dn = preg_replace('/^[^,]*+,/', '', $dn); if (isset($this->ACL[$dn])) { $all_acl[$sdn][$dn] = array_filter( $this->ACL[$dn], function ($ACLInfos) { return ($ACLInfos['type'] === 'subtree'); } ); } } } $this->ACLperPath = $all_acl; /* Append Self entry */ $dn = $this->dn; while (strpos($dn, ',') && !isset($all_acl[$dn])) { $dn = preg_replace('/^[^,]*+,/', '', $dn); } if (isset($all_acl[$dn])) { $this->ACLperPath[$this->dn] = $all_acl[$dn]; if ($dn !== $this->dn) { $this->ACLperPath[$this->dn][$dn] = array_filter( $this->ACLperPath[$this->dn][$dn], function ($ACLInfos) { return ($ACLInfos['type'] === 'subtree'); } ); } } /* Reset plist menu and ACL cache if needed */ if (is_object($plist)) { $plist->resetCache(); } } /*! * \brief Returns an array containing all target objects we've permissions on * * \return Return the next id or NULL if failed */ function get_acl_target_objects () { return array_keys($this->ACLperPath);
351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420
} /*! * \brief Get permissions by category * * \param string $dn Dn from which we want to know permissions. * * \param string $category Category for which we want the acl eg: server * * \return all the permissions for the dn and category */ function get_category_permissions ($dn, $category) { return $this->get_permissions($dn, $category.'/0', ''); } /*! * \brief Check if the given object (dn) is copyable * * \param string $dn The object dn * * \param string $object The acl category (e.g. user) * * \return boolean TRUE if the given object is copyable else FALSE */ function is_copyable ($dn, $object): bool { return (strpos($this->get_complete_category_acls($dn, $object), 'r') !== FALSE); } /*! * \brief Check if the given object (dn) is cutable * * \param string $dn The object dn * * \param string $object The acl category (e.g. user) * * \param string $class The acl class (e.g. user) * * \return boolean TRUE if the given object is cutable else FALSE */ function is_cutable ($dn, $object, $class): bool { $remove = (strpos($this->get_permissions($dn, $object.'/'.$class), 'd') !== FALSE); $read = (strpos($this->get_complete_category_acls($dn, $object), 'r') !== FALSE); return ($remove && $read); } /*! * \brief Checks if we are allowed to paste an object to the given destination ($dn) * * \param string $dn The destination dn * * \param string $object The acl category (e.g. user) * * \return Boolean TRUE if we are allowed to paste an object. */ function is_pasteable ($dn, $object): bool { return (strpos($this->get_complete_category_acls($dn, $object), 'w') !== FALSE); } /*! * \brief Checks if we are allowed to restore a snapshot for the given dn. * * \param string $dn The destination dn
421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490
* * \param string $categories The acl category (e.g. user) * * \param boolean $deleted Is it a deleted or existing object * * \return boolean TRUE if we are allowed to restore a snapshot. */ function allow_snapshot_restore ($dn, $categories, $deleted): bool { $permissions = $this->get_snapshot_permissions($dn, $categories); return in_array(($deleted ? 'restore_deleted' : 'restore_over'), $permissions); } /*! * \brief Checks if we are allowed to create a snapshot of the given dn. * * \param string $dn The source dn * * \param string $categories The acl category (e.g. user) * * \return boolean TRUE if we are allowed to create a snapshot. */ function allow_snapshot_create ($dn, $categories): bool { $permissions = $this->get_snapshot_permissions($dn, $categories); return in_array('c', $permissions); } /*! * \brief Checks if we are allowed to delete a snapshot of the given dn. * * \param string $dn The source dn * * \param string $categories The acl category (e.g. user) * * \return boolean TRUE if we are allowed to delete a snapshot. */ function allow_snapshot_delete ($dn, $categories): bool { $permissions = $this->get_snapshot_permissions($dn, $categories); return in_array('d', $permissions); } function get_snapshot_permissions ($dn, $categories) { if (!is_array($categories)) { $categories = [$categories]; } /* Possible permissions for snapshots */ $objectPermissions = ['r', 'c', 'd']; $attributePermissions = ['restore_over', 'restore_deleted']; foreach ($categories as $category) { $acl = $this->get_permissions($dn, $category.'/SnapshotHandler'); foreach ($objectPermissions as $i => $perm) { if (strpos($acl, $perm) === FALSE) { unset($objectPermissions[$i]); } } foreach ($attributePermissions as $i => $attribute) { $acl = $this->get_permissions($dn, $category.'/SnapshotHandler', $attribute); if (strpos($acl, 'w') === FALSE) { unset($attributePermissions[$i]); } } } return array_merge($objectPermissions, $attributePermissions); }
491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560
/*! * \brief Get the permissions for a specified dn * * \param string $dn The object dn * * \param string $object The acl category (e.g. user) * * \param string $attribute * * \param bool $skip_write Remove the write acl for this dn * */ function get_permissions ($dn, $object, $attribute = '', $skip_write = FALSE) { global $config; /* If we are forced to skip ACLs checks for the current user then return all permissions. */ if ($this->ignore_acl_for_current_user()) { if ($skip_write) { return 'r'; } return 'rwcdm'; } $attribute = static::sanitizeAttributeName($attribute); /* Push cache answer? */ $ACL_CACHE = &session::get_ref('ACL_CACHE'); if (isset($ACL_CACHE["$dn+$object+$attribute"])) { $ret = $ACL_CACHE["$dn+$object+$attribute"]; if ($skip_write) { $ret = str_replace(['w','c','d','m'], '', $ret); } return $ret; } /* Detect the set of ACLs we have to check for this object */ $parentACLdn = $dn; while (!isset($this->ACLperPath[$parentACLdn]) && (strpos($parentACLdn, ',') !== FALSE)) { $parentACLdn = preg_replace('/^[^,]*+,/', '', $parentACLdn); } if (!isset($this->ACLperPath[$parentACLdn])) { $ACL_CACHE["$dn+$object+$attribute"] = ''; return ''; } if (($parentACLdn !== $dn) && isset($ACL_CACHE["sub:$parentACLdn+$object+$attribute"])) { /* Load parent subtree ACLs from cache */ $permissions = $ACL_CACHE["sub:$parentACLdn+$object+$attribute"]; } else { $permissions = new ACLPermissions(); /* Merge relevent permissions from parent ACLs */ foreach ($this->ACLperPath[$parentACLdn] as $parentdn => $ACLs) { /* Inspect this ACL, place the result into permissions */ foreach ($ACLs as $subacl) { if ($permissions->isFull()) { /* Stop merging if we have all rights already */ break 2; } if (($dn != $this->dn) && isset($subacl['acl'][$object][0]) && ($subacl['acl'][$object][0]->isSelf())) { /* Self ACL */ continue; } if (($subacl['type'] === 'base') && ($parentdn !== $dn)) { /* Base assignment on another dn */ continue;
561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630
} /* Special global ACL */ if (isset($subacl['acl']['all'][0])) { $permissions->merge($subacl['acl']['all'][0]); } /* Category ACLs (e.g. $object = "user/0") */ if (strstr($object, '/0')) { $ocs = preg_replace("/\/0$/", '', $object); if (isset($config->data['CATEGORIES'][$ocs]) && ($attribute == '')) { foreach ($config->data['CATEGORIES'][$ocs]['classes'] as $oc) { if (isset($subacl['acl'][$ocs.'/'.$oc])) { if (($dn != $this->dn) && isset($subacl['acl'][$ocs.'/'.$oc][0]) && ($subacl['acl'][$ocs.'/'.$oc][0]->isSelf())) { /* Skip self ACL */ continue; } foreach ($subacl['acl'][$ocs.'/'.$oc] as $anyPermissions) { $permissions->merge($anyPermissions); } } } } continue; } /* If attribute is "", we want to know, if we've *any* permissions here... Merge global class ACLs [0] with attributes specific ACLs [attribute]. */ if (($attribute == '') && isset($subacl['acl'][$object])) { foreach ($subacl['acl'][$object] as $anyPermissions) { $permissions->merge($anyPermissions); } continue; } /* Per attribute ACL? */ if (isset($subacl['acl'][$object][$attribute])) { $permissions->merge($subacl['acl'][$object][$attribute]); } /* Per object ACL? */ if (isset($subacl['acl'][$object][0])) { $permissions->merge($subacl['acl'][$object][0]); } } } } if ($parentACLdn !== $dn) { $ACL_CACHE["sub:$parentACLdn+$object+$attribute"] = $permissions; } $ACL_CACHE["$dn+$object+$attribute"] = $permissions; /* Remove write if needed */ return $permissions->toString($skip_write); } /*! * \brief Extract all departments that are accessible * * Extract all departments that are accessible (direct or 'on the way' to an * accessible department) * * \param string|array $module The module * * \param bool $skip_self_acls FALSE