composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-04-24 11:08:45 +02:00
Code Issues Packages Projects Releases Wiki Activity

#166 Split authentication and management of user rights

Browse Source 
SVN:trunk[621]
This commit is contained in:
Romain Quetiez
2010-07-24 14:42:55 +00:00
parent 650e5002af
commit 6e54a79940
17 changed files with 426 additions and 530 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
core/cmdbobject.class.inc.php
View File

@@ -74,7 +74,6 @@ require_once('cmdbchangeop.class.inc.php');
require_once('csvparser.class.inc.php');
require_once('bulkchange.class.inc.php');
require_once('userrights.class.inc.php');
//
// Error handling

1
core/config.class.inc.php
View File

@@ -119,6 +119,7 @@ class Config
'../core/event.class.inc.php',
'../core/action.class.inc.php',
'../core/trigger.class.inc.php',
'../addons/authentication/authent.local.inc.php',
);
$this->m_aDataModels = array();
$this->m_aAddons = array(

27
core/metamodel.class.php
View File

@@ -1042,22 +1042,25 @@ abstract class MetaModel
// Add it to the ZLists where the external key is present
//foreach(self::$m_aListData[$sClass] as $sListCode => $aAttributes)
$sListCode = 'list';
$aAttributes = self::$m_aListData[$sClass][$sListCode];
// temporary.... no loop
if (isset(self::$m_aListData[$sClass][$sListCode]))
{
if (in_array($sAttCode, $aAttributes))
$aAttributes = self::$m_aListData[$sClass][$sListCode];
// temporary.... no loop
{
$aNewList = array();
foreach($aAttributes as $iPos => $sAttToDisplay)
if (in_array($sAttCode, $aAttributes))
{
if (is_string($sAttToDisplay) && ($sAttToDisplay == $sAttCode))
$aNewList = array();
foreach($aAttributes as $iPos => $sAttToDisplay)
{
// Insert the final class right before
$aNewList[] = $sClassRecallAttCode;
if (is_string($sAttToDisplay) && ($sAttToDisplay == $sAttCode))
{
// Insert the final class right before
$aNewList[] = $sClassRecallAttCode;
}
$aNewList[] = $sAttToDisplay;
}
$aNewList[] = $sAttToDisplay;
self::$m_aListData[$sClass][$sListCode] = $aNewList;
}
self::$m_aListData[$sClass][$sListCode] = $aNewList;
}
}
}
@@ -3136,6 +3139,10 @@ abstract class MetaModel
// Set the language... after the dictionaries have been loaded!
Dict::SetDefaultLanguage($oConfig->GetDefaultLanguage());
// Romain: this is the only way I've found to cope with the fact that
// classes have to be derived from cmdbabstract (to be editable in the UI)
require_once('../application/cmdbabstract.class.inc.php');
foreach ($oConfig->GetAppModules() as $sModule => $sToInclude)
{
self::Plugin($sConfigFile, 'application', $sToInclude);

363
core/userrights.class.inc.php
View File

@@ -54,21 +54,150 @@ abstract class UserRightsAddOnAPI
abstract public function CreateAdministrator($sAdminUser, $sAdminPwd, $sLanguage = 'EN US'); // could be used during initial installation
abstract public function Init(); // loads data (possible optimizations)
abstract public function CheckCredentials($sLogin, $sPassword); // returns the id of the user or false
abstract public function CanChangePassword(); // Whether or not a user can change her/his own password
abstract public function ChangePassword($iUserId, $sOldPassword, $sNewPassword); // Change the password of the specified user
abstract public function GetUserLanguage($sLogin); // returns the language code (e.g "EN US")
abstract public function GetUserId($sLogin); // returns the id of the user or false
abstract public function GetContactId($sLogin); // returns the id of the "business" user or false
// Cf UserContext...
abstract public function GetFilter($sLogin, $sClass); // returns a filter object
abstract public function IsActionAllowed($iUserId, $sClass, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null);
abstract public function IsStimulusAllowed($iUserId, $sClass, $sStimulusCode, /*dbObjectSet*/ $oInstanceSet = null);
abstract public function IsActionAllowedOnAttribute($iUserId, $sClass, $sAttCode, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null);
abstract public function IsAdministrator($iUserId);
abstract public function IsActionAllowed($oUser, $sClass, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null);
abstract public function IsStimulusAllowed($oUser, $sClass, $sStimulusCode, /*dbObjectSet*/ $oInstanceSet = null);
abstract public function IsActionAllowedOnAttribute($oUser, $sClass, $sAttCode, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null);
abstract public function IsAdministrator($oUser);
abstract public function FlushPrivileges();
}
abstract class User extends cmdbAbstractObject
{
public static function Init()
{
$aParams = array
(
"category" => "core",
"key_type" => "autoincrement",
"name_attcode" => "login",
"state_attcode" => "",
"reconc_keys" => array(),
"db_table" => "priv_user",
"db_key_field" => "id",
"db_finalclass_field" => "",
"display_template" => "",
);
MetaModel::Init_Params($aParams);
//MetaModel::Init_InheritAttributes();
MetaModel::Init_AddAttribute(new AttributeExternalKey("contactid", array("targetclass"=>"Person", "allowed_values"=>null, "sql"=>"contactid", "is_null_allowed"=>true, "on_target_delete"=>DEL_MANUAL, "depends_on"=>array())));
MetaModel::Init_AddAttribute(new AttributeExternalField("last_name", array("allowed_values"=>null, "extkey_attcode"=> 'contactid', "target_attcode"=>"name")));
MetaModel::Init_AddAttribute(new AttributeExternalField("first_name", array("allowed_values"=>null, "extkey_attcode"=> 'contactid', "target_attcode"=>"first_name")));
MetaModel::Init_AddAttribute(new AttributeExternalField("email", array("allowed_values"=>null, "extkey_attcode"=> 'contactid', "target_attcode"=>"email")));
MetaModel::Init_AddAttribute(new AttributeString("login", array("allowed_values"=>null, "sql"=>"login", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array())));
MetaModel::Init_AddAttribute(new AttributeApplicationLanguage("language", array("sql"=>"language", "default_value"=>"EN US", "is_null_allowed"=>false, "depends_on"=>array())));
MetaModel::Init_AddAttribute(new AttributeLinkedSetIndirect("profile_list", array("linked_class"=>"URP_UserProfile", "ext_key_to_me"=>"userid", "ext_key_to_remote"=>"profileid", "allowed_values"=>null, "count_min"=>1, "count_max"=>0, "depends_on"=>array())));
// Display lists
MetaModel::Init_SetZListItems('details', array('contactid', 'first_name', 'email', 'login', 'language', 'profile_list')); // Attributes to be displayed for the complete details
MetaModel::Init_SetZListItems('list', array('first_name', 'last_name', 'login')); // Attributes to be displayed for a list
// Search criteria
MetaModel::Init_SetZListItems('standard_search', array('login', 'contactid')); // Criteria of the std search form
MetaModel::Init_SetZListItems('advanced_search', array('login', 'contactid')); // Criteria of the advanced search form
}
abstract public function CheckCredentials($sPassword);
abstract public function TrustWebServerContext();
abstract public function CanChangePassword();
abstract public function ChangePassword($sOldPassword, $sNewPassword);
function GetGrantAsHtml($sClass, $iAction)
{
if (UserRights::IsActionAllowed($sClass, $iAction, null, $this))
{
return '<span style="background-color: #ddffdd;">'.Dict::S('UI:UserManagement:ActionAllowed:Yes').'</span>';
}
else
{
return '<span style="background-color: #ffdddd;">'.Dict::S('UI:UserManagement:ActionAllowed:No').'</span>';
}
}
function DoShowGrantSumary($oPage, $sClassCategory)
{
if (UserRights::IsAdministrator($this))
{
// Looks dirty, but ok that's THE ONE
$oPage->p(Dict::S('UI:UserManagement:AdminProfile+'));
return;
}
$aDisplayData = array();
foreach (MetaModel::GetClasses($sClassCategory) as $sClass)
{
$aClassStimuli = MetaModel::EnumStimuli($sClass);
if (count($aClassStimuli) > 0)
{
$aStimuli = array();
foreach ($aClassStimuli as $sStimulusCode => $oStimulus)
{
if (UserRights::IsStimulusAllowed($sClass, $sStimulusCode, null, $this))
{
$aStimuli[] = '<span title="'.$sStimulusCode.': '.htmlentities($oStimulus->GetDescription()).'">'.htmlentities($oStimulus->GetLabel()).'</span>';
}
}
$sStimuli = implode(', ', $aStimuli);
}
else
{
$sStimuli = '<em title="'.Dict::S('UI:UserManagement:NoLifeCycleApplicable+').'">'.Dict::S('UI:UserManagement:NoLifeCycleApplicable').'</em>';
}
$aDisplayData[] = array(
'class' => MetaModel::GetName($sClass),
'read' => $this->GetGrantAsHtml($sClass, UR_ACTION_READ),
'bulkread' => $this->GetGrantAsHtml($sClass, UR_ACTION_BULK_READ),
'write' => $this->GetGrantAsHtml($sClass, UR_ACTION_MODIFY),
'bulkwrite' => $this->GetGrantAsHtml($sClass, UR_ACTION_BULK_MODIFY),
'stimuli' => $sStimuli,
);
}
$aDisplayConfig = array();
$aDisplayConfig['class'] = array('label' => Dict::S('UI:UserManagement:Class'), 'description' => Dict::S('UI:UserManagement:Class+'));
$aDisplayConfig['read'] = array('label' => Dict::S('UI:UserManagement:Action:Read'), 'description' => Dict::S('UI:UserManagement:Action:Read+'));
$aDisplayConfig['bulkread'] = array('label' => Dict::S('UI:UserManagement:Action:BulkRead'), 'description' => Dict::S('UI:UserManagement:Action:BulkRead+'));
$aDisplayConfig['write'] = array('label' => Dict::S('UI:UserManagement:Action:Modify'), 'description' => Dict::S('UI:UserManagement:Action:Modify+'));
$aDisplayConfig['bulkwrite'] = array('label' => Dict::S('UI:UserManagement:Action:BulkModify'), 'description' => Dict::S('UI:UserManagement:Action:BulkModify+'));
$aDisplayConfig['stimuli'] = array('label' => Dict::S('UI:UserManagement:Action:Stimuli'), 'description' => Dict::S('UI:UserManagement:Action:Stimuli+'));
$oPage->table($aDisplayConfig, $aDisplayData);
}
function DisplayBareRelations(WebPage $oPage, $bEditMode = false)
{
parent::DisplayBareRelations($oPage, $bEditMode);
if (!$bEditMode)
{
$oPage->SetCurrentTab(Dict::S('UI:UserManagement:GrantMatrix'));
$this->DoShowGrantSumary($oPage, 'bizmodel');
// debug
if (false)
{
$oPage->SetCurrentTab('More on user rigths (dev only)');
$oPage->add("<h3>User rights</h3>\n");
$this->DoShowGrantSumary($oPage, 'addon/userrights');
$oPage->add("<h3>Change log</h3>\n");
$this->DoShowGrantSumary($oPage, 'core/cmdb');
$oPage->add("<h3>Application</h3>\n");
$this->DoShowGrantSumary($oPage, 'application');
$oPage->add("<h3>GUI</h3>\n");
$this->DoShowGrantSumary($oPage, 'gui');
}
}
}
}
/**
* User management core API
@@ -78,11 +207,8 @@ abstract class UserRightsAddOnAPI
class UserRights
{
protected static $m_oAddOn;
protected static $m_sUser;
protected static $m_sRealUser;
protected static $m_iUserId;
protected static $m_iRealUserId;
protected static $m_sUserLanguage;
protected static $m_oUser;
protected static $m_oRealUser;
public static function SelectModule($sModuleName)
{
@@ -98,11 +224,8 @@ class UserRights
}
self::$m_oAddOn = new $sModuleName;
self::$m_oAddOn->Init();
self::$m_sUser = '';
self::$m_sRealUser = '';
self::$m_iUserId = 0;
self::$m_iRealUserId = 0;
self::$m_sUserLanguage = 'EN US';
self::$m_oUser = null;
self::$m_oRealUser = null;
}
public static function GetModuleInstance()
@@ -125,20 +248,39 @@ class UserRights
protected static function IsLoggedIn()
{
return (!empty(self::$m_sUser));
if (self::$m_oUser == null)
{
return false;
}
else
{
return true;
}
}
public static function Login($sName, $sPassword)
{
self::$m_iUserId = self::$m_oAddOn->CheckCredentials($sName, $sPassword);
if (self::$m_iUserId !== false)
$oUser = self::FindUser($sName);
if (is_null($oUser))
{
self::$m_sUser = $sName;
self::$m_iRealUserId = self::$m_iUserId;
self::$m_sRealUser = $sName;
self::$m_sUserLanguage = self::$m_oAddOn->GetUserLanguage($sName);
Dict::SetUserLanguage(self::GetUserLanguage());
return true;
return false;
}
if (!$oUser->CheckCredentials($sPassword))
{
return false;
}
self::$m_oUser = $oUser;
self::$m_oRealUser = $oUser;
Dict::SetUserLanguage(self::GetUserLanguage());
return true;
}
public static function TrustWebServerContext()
{
if (!is_null(self::$m_oUser))
{
return self::$m_oUser->TrustWebServerContext();
}
else
{
@@ -148,9 +290,9 @@ class UserRights
public static function CanChangePassword()
{
if (!is_null(self::$m_iUserId))
if (!is_null(self::$m_oUser))
{
return self::$m_oAddOn->CanChangePassword(self::$m_iUserId);
return self::$m_oUser->CanChangePassword();
}
else
{
@@ -160,9 +302,9 @@ class UserRights
public static function ChangePassword($sCurrentPassword, $sNewPassword)
{
if (!is_null(self::$m_iUserId))
if (!is_null(self::$m_oUser))
{
return self::$m_oAddOn->ChangePassword(self::$m_iUserId, $sCurrentPassword, $sNewPassword);
return self::$m_oUser->ChangePassword($sCurrentPassword, $sNewPassword);
}
else
{
@@ -174,28 +316,45 @@ class UserRights
{
if (!self::CheckLogin()) return false;
self::$m_iRealUserId = self::$m_oAddOn->CheckCredentials($sName, $sPassword);
if (self::$m_iRealUserId !== false)
{
self::$m_sUser = $sName;
self::$m_sUserLanguage = self::$m_oAddOn->GetUserLanguage($sName);
Dict::SetUserLanguage(self::GetUserLanguage());
return true;
}
else
$oUser = self::FindUser($sName);
if (is_null($oUser))
{
return false;
}
if (!$oUser->CheckCredentials($sPassword))
{
return false;
}
self::$m_oRealUser = self::$m_oUser;
self::$m_oUser = $oUser;
Dict::SetUserLanguage(self::GetUserLanguage());
return true;
}
public static function GetUser()
{
return self::$m_sUser;
if (is_null(self::$m_oUser))
{
return '';
}
else
{
return self::$m_oUser->Get('login');
}
}
public static function GetUserLanguage()
{
return self::$m_sUserLanguage;
if (is_null(self::$m_oUser))
{
return 'EN US';
}
else
{
return self::$m_oUser->Get('language');
}
}
public static function GetUserId($sName = '')
@@ -203,33 +362,66 @@ class UserRights
if (empty($sName))
{
// return current user id
return self::$m_iUserId;
if (is_null(self::$m_oUser))
{
return null;
}
return self::$m_oUser->GetKey();
}
else
{
// find the id out of the login string
return self::$m_oAddOn->GetUserId($sName);
$oUser = self::$m_oAddOn->FindUser($sName);
if (is_null($oUser))
{
return null;
}
return $oUser->GetKey();
}
}
public static function GetContactId($sName = '')
{
// note: returns null if the user management module is not related to the business data model
if (empty($sName))
{
$sName = self::$m_sUser;
$oUser = self::$m_oUser;
}
return self::$m_oAddOn->GetContactId($sName);
else
{
$oUser = FindUser($sName);
}
if (is_null($oUser))
{
return '';
}
return $oUser->Get('contactid');
}
public static function IsImpersonated()
{
if (is_null(self::$m_oRealUser))
{
return false;
}
return true;
}
public static function GetRealUser()
{
return self::$m_sRealUser;
if (is_null(self::$m_oRealUser))
{
return '';
}
return self::$m_oRealUser->Get('login');
}
public static function GetRealUserId()
{
return self::$m_iRealUserId;
if (is_null(self::$m_oRealUser))
{
return '';
}
return self::$m_oRealUser->GetKey();
}
protected static function CheckLogin()
@@ -242,7 +434,6 @@ class UserRights
return true;
}
public static function GetFilter($sClass)
{
if (!self::CheckLogin()) return false;
@@ -254,13 +445,13 @@ class UserRights
// the rest is allowed (#@# to be improved)
if (!MetaModel::HasCategory($sClass, 'bizmodel')) return new DBObjectSearch($sClass);
return self::$m_oAddOn->GetFilter(self::$m_iUserId, $sClass);
return self::$m_oAddOn->GetFilter(self::$m_oUser->GetKey(), $sClass);
}
public static function IsActionAllowed($sClass, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null, $iUserId = null)
public static function IsActionAllowed($sClass, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null, $oUser = null)
{
if (!self::CheckLogin()) return false;
if (self::IsAdministrator($iUserId)) return true;
if (self::IsAdministrator($oUser)) return true;
// this module is forbidden for non admins
if (MetaModel::HasCategory($sClass, 'addon/userrights')) return false;
@@ -268,20 +459,17 @@ class UserRights
// the rest is allowed (#@# to be improved)
if (!MetaModel::HasCategory($sClass, 'bizmodel')) return true;
if (is_null($iUserId))
if (is_null($oUser))
{
return self::$m_oAddOn->IsActionAllowed(self::$m_iUserId, $sClass, $iActionCode, $oInstanceSet);
}
else
{
return self::$m_oAddOn->IsActionAllowed($iUserId, $sClass, $iActionCode, $oInstanceSet);
$oUser = self::$m_oUser;
}
return self::$m_oAddOn->IsActionAllowed($oUser, $sClass, $iActionCode, $oInstanceSet);
}
public static function IsStimulusAllowed($sClass, $sStimulusCode, /*dbObjectSet*/ $oInstanceSet = null, $iUserId = null)
public static function IsStimulusAllowed($sClass, $sStimulusCode, /*dbObjectSet*/ $oInstanceSet = null, $oUser = null)
{
if (!self::CheckLogin()) return false;
if (self::IsAdministrator($iUserId)) return true;
if (self::IsAdministrator($oUser)) return true;
// this module is forbidden for non admins
if (MetaModel::HasCategory($sClass, 'addon/userrights')) return false;
@@ -289,20 +477,17 @@ class UserRights
// the rest is allowed (#@# to be improved)
if (!MetaModel::HasCategory($sClass, 'bizmodel')) return true;
if (is_null($iUserId))
if (is_null($oUser))
{
return self::$m_oAddOn->IsStimulusAllowed(self::$m_iUserId, $sClass, $sStimulusCode, $oInstanceSet);
}
else
{
return self::$m_oAddOn->IsStimulusAllowed($iUserId, $sClass, $sStimulusCode, $oInstanceSet);
$oUser = self::$m_oUser;
}
return self::$m_oAddOn->IsStimulusAllowed($oUser, $sClass, $sStimulusCode, $oInstanceSet);
}
public static function IsActionAllowedOnAttribute($sClass, $sAttCode, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null, $iUserId = null)
public static function IsActionAllowedOnAttribute($sClass, $sAttCode, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null, $oUser = null)
{
if (!self::CheckLogin()) return false;
if (self::IsAdministrator($iUserId)) return true;
if (self::IsAdministrator($oUser)) return true;
// this module is forbidden for non admins
if (MetaModel::HasCategory($sClass, 'addon/userrights')) return false;
@@ -310,28 +495,22 @@ class UserRights
// the rest is allowed (#@# to be improved)
if (!MetaModel::HasCategory($sClass, 'bizmodel')) return true;
if (is_null($iUserId))
if (is_null($oUser))
{
return self::$m_oAddOn->IsActionAllowedOnAttribute(self::$m_iUserId, $sClass, $sAttCode, $iActionCode, $oInstanceSet);
}
else
{
return self::$m_oAddOn->IsActionAllowedOnAttribute($iUserId, $sClass, $sAttCode, $iActionCode, $oInstanceSet);
$oUser = self::$m_oUser;
}
return self::$m_oAddOn->IsActionAllowedOnAttribute($oUser, $sClass, $sAttCode, $iActionCode, $oInstanceSet);
}
public static function IsAdministrator($iUserId = null)
public static function IsAdministrator($oUser = null)
{
if (!self::CheckLogin()) return false;
if (is_null($iUserId))
if (is_null($oUser))
{
return self::$m_oAddOn->IsAdministrator(self::$m_iUserId);
}
else
{
return self::$m_oAddOn->IsAdministrator($iUserId);
$oUser = self::$m_oUser;
}
return self::$m_oAddOn->IsAdministrator($oUser);
}
public static function FlushPrivileges()
@@ -339,6 +518,22 @@ class UserRights
return self::$m_oAddOn->FlushPrivileges();
}
static $m_aCacheUsers;
protected static function FindUser($sLogin)
{
if (!isset(self::$m_aCacheUsers))
{
self::$m_aCacheUsers = array();
}
if (!isset(self::$m_aCacheUsers[$sLogin]))
{
$oSearch = DBObjectSearch::FromOQL("SELECT User WHERE login = :login");
$oSet = new DBObjectSet($oSearch, array(), array('login' => $sLogin));
$oUser = $oSet->fetch();
self::$m_aCacheUsers[$sLogin] = $oUser;
}
return self::$m_aCacheUsers[$sLogin];
}
}