<?php
/*
  This code is part of FusionDirectory (http://www.fusiondirectory.org/)
  Copyright (C) 2003-2010  Cajus Pollmeier
  Copyright (C) 2011-2018  FusionDirectory
  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation; either version 2 of the License, or
  (at your option) any later version.
  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.
  You should have received a copy of the GNU General Public License
  along with this program; if not, write to the Free Software
  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
*/
/*!
 * \file class_userinfo.inc
 * Source code for the class userinfo
 */
/*!
 * \brief Class userinfo
 * This class contains all information and functions
 * about the user
 */
class userinfo
  /*! \brief DN of the user this object describes (set by the constructor) */
  var $dn;
  /*! \brief Display name: LDAP cn, else "givenName sn", else uid (see loadLDAPInfo) */
  var $cn;
  /*! \brief LDAP uid; also used by loadACL for the posixGroup memberUid lookup */
  var $uid;
  /*! \brief LDAP sn, '' when the entry has none */
  var $sn           = '';
  /*! \brief LDAP givenName, '' when the entry has none */
  var $givenName    = '';
  /*! \brief LDAP gidNumber, -1 when the entry has none */
  var $gidNumber    = -1;
  /*! \brief LDAP preferredLanguage, "" when the entry has none */
  var $language     = "";
  /*! \brief Not referenced by the methods of this class shown here; format described in the comment above __construct */
  var $subtreeACL   = [];
  /*! \brief ACL entries whose members designate this user, keyed by the dn the ACL is set on, then by entry index (filled by loadACL) */
  var $ACL          = [];
  /*! \brief DNs of the groupOfNames / posixGroup entries the user belongs to, keyed by dn (filled by loadACL) */
  var $groups       = [];
  /*! \brief DNs of the organizationalRole entries the user occupies, keyed by dn (filled by loadACL) */
  var $roles        = [];
  /*! \brief Result cache, emptied by loadACL; its readers are outside this part of the class */
  var $result_cache = [];
  /*! \brief TRUE when the "ignoreAcl" config value equals this user's DN, i.e. ACL checks are bypassed for this user */
  var $ignoreACL    = FALSE;
  /*! \brief For each dn carrying a relevant ACL: the ACL sets of that dn and its ancestors with self ACLs removed;
   *  the user's own dn additionally maps to the full sets of its closest ancestor (built by loadACL) */
  var $ACLperPath             = [];
  /*! \brief TRUE for each dn whose applicable ACL sets carry a user filter (set by loadACL) */
  var $ACLperPath_usesFilter  = [];
  /*! \brief LDAP size limit handler */
  protected $sizeLimitHandler;
  /* Get ACLs and put them into the userinfo object
     attr subtreeACL (userdn:components, userdn:component1#sub1#sub2,component2,...) */
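  /*!
   * \brief Build the userinfo object for a given user DN
   *
   * Reads the user's LDAP attributes, empties the session ACL cache and
   * prepares the size-limit handler. The ACLs themselves are loaded by
   * loadACL().
   *
   * \param string $userdn DN of the user this object describes
   */
  function __construct ($userdn)
  {
    global $config;

    $this->dn = $userdn;
    /* ACL checks are bypassed entirely for the DN named in the "ignoreAcl"
     * setting. Compare strictly: only an exact DN match may switch them
     * off, never a loosely-equal value. */
    $this->ignoreACL = ($config->get_cfg_value('ignoreAcl') === $this->dn);

    $this->loadLDAPInfo();

    /* Initialize ACL_CACHE */
    $this->reset_acl_cache();
    $this->sizeLimitHandler = new ldapSizeLimit();
  }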
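/*!
 * \brief Loads user information from LDAP
 *
 * Reads cn, sn, givenName, uid, gidNumber and preferredLanguage of
 * $this->dn. cn falls back to "givenName sn", then to uid, when the entry
 * has no cn. Attributes missing from the entry keep the property defaults.
 */
function loadLDAPInfo ()
{
  global $config;

  $ldap = $config->get_ldap_link();
  $ldap->cat($this->dn, ['cn', 'sn', 'givenName', 'uid', 'gidNumber', 'preferredLanguage']);
  $attrs = $ldap->fetch();
  if (!is_array($attrs)) {
    /* The DN did not resolve to an entry: treat it as an entry without attributes */
    $attrs = [];
  }

  /* uid is reused by loadACL() to build the posixGroup filter, so keep it a
   * string even when the entry carries no uid. */
  $this->uid = (isset($attrs['uid'][0]) ? $attrs['uid'][0] : '');

  if (isset($attrs['cn'][0])) {
    $this->cn = $attrs['cn'][0];
  } elseif (isset($attrs['givenName'][0]) && isset($attrs['sn'][0])) {
    $this->cn = $attrs['givenName'][0].' '.$attrs['sn'][0];
  } else {
    $this->cn = $this->uid;
  }
  if (isset($attrs['gidNumber'][0])) {
    $this->gidNumber = $attrs['gidNumber'][0];
  }
  if (isset($attrs['sn'][0])) {
    $this->sn = $attrs['sn'][0];
  }
  if (isset($attrs['givenName'][0])) {
    $this->givenName = $attrs['givenName'][0];
  }
  /* Assign user language */
  if (isset($attrs['preferredLanguage'][0])) {
    $this->language = $attrs['preferredLanguage'][0];
  }
}

/*!
 * \brief Reset acl cache
 *
 * Empties the ACL_CACHE array kept in the session.
 */
public function reset_acl_cache ()
{
  /* Initialize ACL_CACHE */
  session::set('ACL_CACHE', []);
}

/*!
 * \brief Tells whether one member key of an ACL entry designates this user
 *
 * Member keys are prefixed with their kind: "G:" group dn, "R:" role dn,
 * "U:" user dn. Group and role dns are matched case-insensitively against
 * the memberships collected by loadACL(), the user dn against $this->dn,
 * and "G:*" matches every user.
 *
 * \param string $grp member key as found in the ACL entry
 * \return boolean TRUE when the member designates this user
 */
protected function aclMemberMatches ($grp)
{
  /* Some group inside the members that is relevant for us? */
  if (in_array_ics(preg_replace('/^G:/', '', $grp), $this->groups)) {
    return TRUE;
  }
  /* Some role inside the members that is relevant for us? */
  if (in_array_ics(preg_replace('/^R:/', '', $grp), $this->roles)) {
    return TRUE;
  }
  /* User inside the members? DNs are compared case-insensitively */
  if (mb_strtoupper(preg_replace('/^U:/', '', $grp)) == mb_strtoupper($this->dn)) {
    return TRUE;
  }
  /* Wildcard: the entry applies to everybody */
  return (preg_match('/^G:\*/', $grp) === 1);
}

/*!
 * \brief Load an acl
 *
 * Collects the user's group and role memberships, then every gosaACL entry
 * whose members designate this user (directly, through a group or role, or
 * through the "G:*" wildcard). Role references inside the entries are
 * expanded from their gosaAclTemplate. The result is stored in $this->ACL
 * (keyed by the dn the ACL is set on) and flattened into $this->ACLperPath:
 * each such dn maps to the ACL sets of that dn and of all its ancestors,
 * with self ACLs removed; the user's own dn maps to the full sets of its
 * closest ancestor carrying ACLs.
 */
function loadACL ()
{
  global $config;

  $this->ACL                   = [];
  $this->groups                = [];
  $this->roles                 = [];
  $this->result_cache          = [];
  /* Rebuilt below; cleared first so that a reload does not keep flags from
   * ACLs that no longer carry a filter. */
  $this->ACLperPath_usesFilter = [];
  $this->reset_acl_cache();

  $ldap = $config->get_ldap_link();
  $ldap->cd($config->current['BASE']);

  /* Get member groups... (dn and uid are filter-escaped before being embedded) */
  $ldap->search('(&(objectClass=groupOfNames)(member='.ldap_escape_f($this->dn).'))', ['dn']);
  while ($attrs = $ldap->fetch()) {
    $this->groups[$attrs['dn']] = $attrs['dn'];
  }

  /* Get member POSIX groups... */
  $ldap->search('(&(objectClass=posixGroup)(memberUid='.ldap_escape_f($this->uid).'))', ['dn']);
  while ($attrs = $ldap->fetch()) {
    $this->groups[$attrs['dn']] = $attrs['dn'];
  }

  /* Get member roles... */
  $ldap->search('(&(objectClass=organizationalRole)(roleOccupant='.ldap_escape_f($this->dn).'))', ['dn']);
  while ($attrs = $ldap->fetch()) {
    $this->roles[$attrs['dn']] = $attrs['dn'];
  }

  /* Crawl through ACLs and move relevant to the tree */
  $ldap->search("(objectClass=gosaACL)", ['dn', 'gosaAclEntry']);
  $aclp = [];   /* dn => tree depth (number of commas), used to sort root first */
  $aclc = [];   /* dn => list of exploded ACL entries */
  while ($attrs = $ldap->fetch()) {
    $aclp[$attrs['dn']] = substr_count($attrs['dn'], ',');
    $ol = [];
    /* An entry carrying the objectClass but no gosaAclEntry value yields an empty list */
    if (isset($attrs['gosaAclEntry']['count'])) {
      for ($i = 0; $i < $attrs['gosaAclEntry']['count']; $i++) {
        $ol = array_merge($ol, acl::explodeAcl($attrs['gosaAclEntry'][$i]));
      }
    }
    $aclc[$attrs['dn']] = $ol;
  }

  /* Resolve roles here: each entry references an ACL role by dn, whose
   * gosaAclTemplate is expanded into one entry per template line. Entries
   * whose role cannot be read are dropped. */
  foreach ($aclc as $dn => $data) {
    foreach ($data as $prio => $aclc_value) {
      unset($aclc[$dn][$prio]);
      $ldap->cat($aclc_value['acl'], ["gosaAclTemplate"]);
      $attrs = $ldap->fetch();
      if (isset($attrs['gosaAclTemplate'])) {
        $roleAcls = acl::explodeRole($attrs['gosaAclTemplate']);
        foreach ($roleAcls as $roleAcl) {
          $aclc[$dn][] = [
            'acl'     => $roleAcl,
            'type'    => $aclc_value['type'],
            'members' => $aclc_value['members'],
            'filter'  => $aclc_value['filter']
          ];
        }
      }
    }
  }

  /* ACL's read, sort for tree depth */
  asort($aclp);

  /* Sort in tree order, keeping only entries whose members designate this user.
   * An entry without members is deactivated and never kept. */
  foreach (array_keys($aclp) as $dn) {
    foreach ($aclc[$dn] as $idx => $type) {
      $interesting = FALSE;
      foreach (array_keys($type['members']) as $grp) {
        if ($this->aclMemberMatches($grp)) {
          $interesting = TRUE;
          break;
        }
      }
      if ($interesting) {
        if (!isset($this->ACL[$dn])) {
          $this->ACL[$dn] = [];
        }
        $this->ACL[$dn][$idx] = $type;
      }
    }
  }

  /* Create an array which represents all relevant permission settings
      per dn.
     The array will look like this:
      .
      ['ou=base']  ['ou=base']  = array(ACLs);
      .
      .
      ['ou=dep1,ou=base']['ou=dep1,ou=base'] = array(ACLs);
      .                  ['ou=base']        = array(ACLs);

     For an object located in 'ou=dep1,ou=base' both ACL sets apply,
      for objects in 'ou=base' only the one.
   */
  $without_self_acl = $all_acl = [];
  foreach (array_keys($this->ACL) as $sdn) {
    $dn = $sdn;
    do {
      if (isset($this->ACL[$dn])) {
        $all_acl[$sdn][$dn]          = $this->ACL[$dn];
        $without_self_acl[$sdn][$dn] = $this->ACL[$dn];
        foreach ($without_self_acl[$sdn][$dn] as $acl_id => $acl_set) {
          /* Remember which ACL set has a special user filter */
          if (isset($acl_set['filter'][1])) {
            $this->ACLperPath_usesFilter[$sdn] = TRUE;
          }
          /* Remove all acl entries which are especially for the current user
           * (self acl); an "s" in the object's permission string marks them. */
          foreach ($acl_set['acl'] as $object => $object_acls) {
            if (isset($object_acls[0]) && (strpos($object_acls[0], "s") !== FALSE)) {
              unset($without_self_acl[$sdn][$dn][$acl_id]['acl'][$object]);
            }
          }
        }
      }
      /* Walk up one level by dropping the leading RDN */
      $dn = preg_replace("/^[^,]*+,/", "", $dn);
    } while (strpos($dn, ',') !== FALSE);
  }
  $this->ACLperPath = $without_self_acl;

  /* Append Self entry: the user's own dn gets the full ACL sets (self acl
   * included) of the closest ancestor that carries ACLs */
  $dn = $this->dn;
  while (strpos($dn, ",") && !isset($all_acl[$dn])) {
    $dn = preg_replace("/^[^,]*+,/", "", $dn);
  }
  if (isset($all_acl[$dn])) {
    $this->ACLperPath[$this->dn] = $all_acl[$dn];
  }
}

/*!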