Skip to content
GitLab
Select Git revision
  • dev default
  • 6378-orcid-test-method-is-wrong-and-break-orcid-saving
  • core-php8
  • master
  • 6342-update-the-locales-for-1-5
  • 6344-template-issue-when-creating-a-template-with-empty-password-error-message-should-not-be-seen
  • 6365-core-locking-mechanism-is-not-changing-the-mail-ressource-it-does-lock-the-mail-account
  • 6365-core-when-lock-mechanism-is-trigger-the-user-should-not-be-editable-if-not-unlock
  • fusiondirectory-1.5
  • fusiondirectory-1.4
  • fusiondirectory-1.3.1
  • fusiondirectory-1.3
  • fusiondirectory-1.2.3
  • fusiondirectory-1.2.2
  • fusiondirectory-1.2.1
  • fusiondirectory-1.2
  • fusiondirectory-1.1.1
  • fusiondirectory-1.1
  • fusiondirectory-1.0.20
  • fusiondirectory-1.0.19
  • fusiondirectory-1.0.18
  • fusiondirectory-1.0.17
  • fusiondirectory-1.0.16
  • fusiondirectory-1.0.15
  • fusiondirectory-1.0.14
  • fusiondirectory-1.0.13
  • fusiondirectory-1.0.12
  • fusiondirectory-1.0.11
Find file BlameHistoryPermalink
class_acl.inc 11.33 KiB
1 
<?php
2 
/*
3 
  This code is part of FusionDirectory (http://www.fusiondirectory.org/)
4 
  Copyright (C) 2003-2010  Cajus Pollmeier
5 
  Copyright (C) 2011-2013  FusionDirectory
6
7 
  This program is free software; you can redistribute it and/or modify
8 
  it under the terms of the GNU General Public License as published by
9 
  the Free Software Foundation; either version 2 of the License, or
10 
  (at your option) any later version.
11
12 
  This program is distributed in the hope that it will be useful,
13 
  but WITHOUT ANY WARRANTY; without even the implied warranty of
14 
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15 
  GNU General Public License for more details.
16
17 
  You should have received a copy of the GNU General Public License
18 
  along with this program; if not, write to the Free Software
19 
  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
20 
*/
21
22 
/*!
23 
 * \file class_acl.inc
24 
 * Source code for Class ACL
25 
 */
26
27 
/*!
28 
 * \brief This class contains all the function needed to manage acl
29 
 * \see class_plugin
30 
 */
31 
class acl extends plugin
32 
{
33 
  /* attribute list for save action */
34 
  var $attributes     = array('gosaAclEntry');
35 
  var $objectclasses  = array('gosaAcl');
36
37 
  /* Helpers */
38 
  var $dialogState      = "head";
39 
  var $gosaAclEntry     = array();
40 
  var $aclType          = "";
41 
  var $aclObject        = "";
42 
  var $aclContents      = array();
43 
  var $aclFilter        = "";
44 
  var $aclMyObjects     = array();
45 
  var $roles            = array();
46 
  var $recipients       = array();
47 
  var $currentIndex     = 0;
48 
  var $wasNewEntry      = FALSE;
49 
  var $savedAclContents = array();
50 
  var $acl_category     = "acl/";
51
52 
  /*!
53 
   * \brief Acl contructor
54 
   *
55 
   * \param String $config Configuration file for ACL
56 
   *
57 
   * \param String $parent
58 
   *
59 
   * \param String $dn The DN
60 
   */
61 
  function acl (&$config, $dn = NULL, $baseobject = NULL)
62 
  {
63 
    /* Include config object */
64 
    parent::__construct($config, $dn, $baseobject);
65
66 
    /* Load ACL's */
67 
    $this->gosaAclEntry = array();
68 
    if (isset($this->attrs['gosaAclEntry'])) {
69 
      for ($i = 0; $i < $this->attrs['gosaAclEntry']['count']; $i++) {
70 
        $acl = $this->attrs['gosaAclEntry'][$i];
7172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140
$this->gosaAclEntry = array_merge($this->gosaAclEntry, acl::explodeACL($acl)); } } ksort($this->gosaAclEntry); /* Save parent - we've to know more about it than other plugins... */ if (($baseobject !== NULL) && isset($baseobject->parent)) { $this->parent =& $baseobject->parent; } $ldap = $config->get_ldap_link(); /* Roles TODO - use objects::ls?*/ $ldap->cd($config->current['BASE']); $ldap->search('(objectClass=gosaRole)', array('cn', 'description','gosaAclTemplate','dn')); while ($attrs = $ldap->fetch()) { $role_id = $attrs['dn']; $this->roles[$role_id]['acls'] = acl::explodeRole($attrs['gosaAclTemplate']); $this->roles[$role_id]['cn'] = $attrs['cn'][0]; if (isset($attrs['description'][0])) { $this->roles[$role_id]['description'] = $attrs['description'][0]; } } /* Finally - we want to get saved... */ $this->is_account = TRUE; } /*! * \brief Function sort an array by elements priority * * \param Array $list Array to be sorted */ function sort_by_priority($list) { uksort($list, function ($a, $b) { $infos_a = pluglist::pluginInfos(preg_replace('|^[^/]*/|', '', $a)); $infos_b = pluglist::pluginInfos(preg_replace('|^[^/]*/|', '', $b)); $pa = (isset($infos_a['plPriority'])?$infos_a['plPriority']:0); $pb = (isset($infos_b['plPriority'])?$infos_b['plPriority']:0); if ($pa == $pb) { return 0; } return ($pa < $pb ? -1 : 1); } ); return $list; } /*! * \brief Explode a role * * \param string $acl ACL to be exploded */ static function explodeRole($role) { if (!is_array($role)) { $role = array($role); } unset($role['count']); $result = array(); foreach ($role as $aclTemplate) { $list = explode(':', $aclTemplate, 2); $result[$list[0]] = self::extractACL($list[1]); } ksort($result);
141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210
return $result; } /*! * \brief Explode an acl * * \param string $acl ACL to be exploded */ static function explodeACL($acl) { $list = explode(':', $acl); if (count($list) == 5) { list($index, $type,$role,$members,$filter) = $list; $filter = base64_decode($filter); } else { $filter = ""; list($index, $type,$role,$members) = $list; } $a = array( $index => array( 'type' => $type, 'filter' => $filter, 'members' => acl::extractMembers($members), 'acl' => base64_decode($role), )); /* Handle unknown types */ if (!in_array($type, array('subtree', 'base'))) { msg_dialog::display(_("Internal error"), sprintf(_("Unkown ACL type '%s'!\nYou might need to run \"fusiondirectory-setup --migrate-acls\" to migrate your acls to the new format."), $type), ERROR_DIALOG); $a = array(); } return $a; } /*! * \brief Extract members of an acl * * \param $acl The acl to be extracted members part * * \return an array with members */ static function extractMembers($ms) { global $config; $a = array(); /* Seperate by ',' and place it in an array */ $ma = explode(',', $ms); /* Decode dn's, fill with informations from LDAP */ $ldap = $config->get_ldap_link(); foreach ($ma as $memberdn) { // Check for wildcard here $dn = base64_decode($memberdn); if ($dn != "*") { $ldap->cat($dn, array('cn', 'objectClass', 'description', 'uid')); /* Found entry... */ if ($ldap->count()) { $attrs = $ldap->fetch(); if (in_array_ics('gosaAccount', $attrs['objectClass'])) { $a['U:'.$dn] = $attrs['cn'][0]." [".$attrs['uid'][0]."]"; } else { $a['G:'.$dn] = $attrs['cn'][0]; if (isset($attrs['description'][0])) { $a['G:'.$dn] .= " [".$attrs['description'][0]."]"; } } /* ... or not */ } else {
211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280
$a['U:'.$dn] = sprintf(_("Unknown entry '%s'!"), $dn); } } else { $a['G:*'] = sprintf(_("All users")); } } return $a; } /*! * \brief Extract an acl * * \param string $acl The acl to be extracted */ static function extractACL($acl) { /* Rip acl off the string, seperate by ',' and place it in an array */ $as = preg_replace('/^[^:]+:[^:]+:[^:]*:([^:]*).*$/', '\1', $acl); $aa = explode(',', $as); $a = array(); /* Dis-assemble single ACLs */ foreach ($aa as $sacl) { /* Dis-assemble field ACLs */ $ao = explode('#', $sacl); $gobject = ""; foreach ($ao as $idx => $ssacl) { /* First is department with global acl */ $object = preg_replace('/^([^;]+);.*$/', '\1', $ssacl); $gacl = preg_replace('/^[^;]+;(.*)$/', '\1', $ssacl); if ($idx == 0) { /* Create hash for this object */ $gobject = $object; $a[$gobject] = array(); /* Append ACL if set */ if ($gacl != "") { $a[$gobject] = array($gacl); } } else { /* All other entries get appended... */ list($field, $facl) = explode(';', $ssacl); $a[$gobject][$field] = $facl; } } } return $a; } /*! * \brief Removes object from parent */ function remove_from_parent() { parent::remove_from_parent(); /* include global link_info */ $ldap = $this->config->get_ldap_link(); $ldap->cd($this->dn); $this->cleanup(); $ldap->modify($this->attrs); new log('remove', 'acls/'.get_class($this), $this->dn, array_keys($this->attrs), $ldap->get_error());
281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350
/* Optionally execute a command after we're done */ $this->handle_post_events('remove'); } /* * \brief Return plugin informations for acl handling */ static function plInfo() { return array( 'plShortName' => _('ACL'), 'plDescription' => _('Manage access control lists'), 'plSelfModify' => FALSE, 'plPriority' => 0, 'plCategory' => array('acl' => array('description' => _('ACL').'&nbsp;&amp;&nbsp;'._('ACL roles'), 'objectClass' => array('gosaAcl','gosaRole'))), 'plObjectType' => array(), 'plProvidedAcls' => array() ); } /*! * \brief Remove acls defined for $src * * \param String $dn The DN * * FIXME */ static function remove_acl_for($dn) { global $config; $ldap = $config->get_ldap_link(); $ldap->cd($config->current['BASE']); $ldap->search("(&(objectClass=gosaAcl)(gosaAclEntry=*".base64_encode($dn)."*))", array("gosaAclEntry","dn")); $new_entries = array(); while ($attrs = $ldap->fetch()) { if (!isset($attrs['gosaAclEntry'])) { continue; } unset($attrs['gosaAclEntry']['count']); // Remove entry directly foreach ($attrs['gosaAclEntry'] as $entry) { $parts = explode(':', $entry); $members = explode(',', $parts[2]); $new_members = array(); foreach ($members as $member) { if (base64_decode($member) != $dn) { $new_members[] = $member; } else { fusiondirectory_log("modify", "user/acl", $attrs['dn'], array(), sprintf("Removed acl for %s on object %s.", $dn, $attrs['dn'])); } } /* We can completely remove the entry if there are no members anymore */ if (count($new_members)) { $parts[2] = implode(",", $new_members); $new_entries[] = implode(":", $parts); } } // There should be a modification, so write it back $ldap->cd($attrs['dn']); $new_attrs = array("gosaAclEntry" => $new_entries); $ldap->modify($new_attrs); if (!$ldap->success()) { msg_dialog::display(_("LDAP error"), msgPool::ldaperror($ldap->get_error(), $dn, LDAP_MOD, get_class()), ERROR_DIALOG);
351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394
} } } /*! * \brief Update the acl membership * * \param String $src The source * * \param String $dst The destination */ static function update_acl_membership($src, $dst) { global $config; $ldap = $config->get_ldap_link(); $ldap->cd($config->current['BASE']); $ldap->search("(&(objectClass=gosaAcl)(gosaAclEntry=*".base64_encode($src)."*))", array("gosaAclEntry","dn")); while ($attrs = $ldap->fetch()) { $acl = new acl($config, $attrs['dn']); foreach ($acl->gosaAclEntry as $id => $entry) { foreach ($entry['members'] as $m_id => $member) { if ($m_id == "U:".$src) { unset($acl->gosaAclEntry[$id]['members'][$m_id]); $new = "U:".$dst; $acl->gosaAclEntry[$id]['members'][$new] = $new; fusiondirectory_log("modify", "user/acl", $attrs['dn'], array(), sprintf("Updated acl for user %s on object %s.", $src, $attrs['dn'])); } if ($m_id == "G:".$src) { unset($acl->gosaAclEntry[$id]['members'][$m_id]); $new = "G:".$dst; $acl->gosaAclEntry[$id]['members'][$new] = $new; fusiondirectory_log("modify", "group/acl", $attrs['dn'], array(), sprintf("Updated acl for group %s on object %s.", $src, $attrs['dn'])); } } } $acl->save(); } } } ?>