#166 Split authentication and management of user rights

SVN:trunk[621]
2026-04-25 11:38:44 +02:00 · 2010-07-24 14:42:55 +00:00
parent 650e5002af
commit 6e54a79940
17 changed files with 426 additions and 530 deletions
--- a/addons/userrights/userrightsmatrix.class.inc.php
+++ b/addons/userrights/userrightsmatrix.class.inc.php
@@ -23,28 +23,6 @@
 * @license     http://www.opensource.org/licenses/gpl-3.0.html LGPL
 */

-class UserRightsMatrixUsers extends DBObject
-{
-	public static function Init()
-	{
-		$aParams = array
-		(
-			"category" => "addon/userrights",
-			"key_type" => "autoincrement",
-			"name_attcode" => "login",
-			"state_attcode" => "",
-			"reconc_keys" => array(),
-			"db_table" => "priv_ur_matrixusers",
-			"db_key_field" => "id",
-			"db_finalclass_field" => "",
-		);
-		MetaModel::Init_Params($aParams);
-		//MetaModel::Init_InheritAttributes();
-		MetaModel::Init_AddAttribute(new AttributeInteger("userid", array("allowed_values"=>null, "sql"=>"userid", "default_value"=>0, "is_null_allowed"=>false, "depends_on"=>array())));
-		MetaModel::Init_AddAttribute(new AttributeString("login", array("allowed_values"=>null, "sql"=>"login", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array())));
-		MetaModel::Init_AddAttribute(new AttributeString("password", array("allowed_values"=>null, "sql"=>"pwd", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array())));
-	}
-}

 class UserRightsMatrixClassGrant extends DBObject
 {
@@ -63,7 +41,7 @@ class UserRightsMatrixClassGrant extends DBObject
 		);
 		MetaModel::Init_Params($aParams);
 		//MetaModel::Init_InheritAttributes();
-		MetaModel::Init_AddAttribute(new AttributeExternalKey("userid", array("targetclass"=>"UserRightsMatrixUsers", "jointype"=> "", "allowed_values"=>null, "sql"=>"userid", "is_null_allowed"=>false, "on_target_delete"=>DEL_MANUAL, "depends_on"=>array())));
+		MetaModel::Init_AddAttribute(new AttributeExternalKey("userid", array("targetclass"=>"User", "jointype"=> "", "allowed_values"=>null, "sql"=>"userid", "is_null_allowed"=>false, "on_target_delete"=>DEL_MANUAL, "depends_on"=>array())));
 		MetaModel::Init_AddAttribute(new AttributeExternalField("login", array("allowed_values"=>null, "extkey_attcode"=> 'userid', "target_attcode"=>"login")));
 		MetaModel::Init_AddAttribute(new AttributeString("class", array("allowed_values"=>null, "sql"=>"class", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array())));

@@ -89,7 +67,7 @@ class UserRightsMatrixClassStimulusGrant extends DBObject
 		);
 		MetaModel::Init_Params($aParams);
 		//MetaModel::Init_InheritAttributes();
-		MetaModel::Init_AddAttribute(new AttributeExternalKey("userid", array("targetclass"=>"UserRightsMatrixUsers", "jointype"=> "", "allowed_values"=>null, "sql"=>"userid", "is_null_allowed"=>false, "on_target_delete"=>DEL_MANUAL, "depends_on"=>array())));
+		MetaModel::Init_AddAttribute(new AttributeExternalKey("userid", array("targetclass"=>"User", "jointype"=> "", "allowed_values"=>null, "sql"=>"userid", "is_null_allowed"=>false, "on_target_delete"=>DEL_MANUAL, "depends_on"=>array())));
 		MetaModel::Init_AddAttribute(new AttributeExternalField("login", array("allowed_values"=>null, "extkey_attcode"=> 'userid', "target_attcode"=>"login")));
 		MetaModel::Init_AddAttribute(new AttributeString("class", array("allowed_values"=>null, "sql"=>"class", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array())));

@@ -115,7 +93,7 @@ class UserRightsMatrixAttributeGrant extends DBObject
 		);
 		MetaModel::Init_Params($aParams);
 		//MetaModel::Init_InheritAttributes();
-		MetaModel::Init_AddAttribute(new AttributeExternalKey("userid", array("targetclass"=>"UserRightsMatrixUsers", "jointype"=> "", "allowed_values"=>null, "sql"=>"userid", "is_null_allowed"=>false, "on_target_delete"=>DEL_MANUAL, "depends_on"=>array())));
+		MetaModel::Init_AddAttribute(new AttributeExternalKey("userid", array("targetclass"=>"User", "jointype"=> "", "allowed_values"=>null, "sql"=>"userid", "is_null_allowed"=>false, "on_target_delete"=>DEL_MANUAL, "depends_on"=>array())));
 		MetaModel::Init_AddAttribute(new AttributeExternalField("login", array("allowed_values"=>null, "extkey_attcode"=> 'userid', "target_attcode"=>"login")));
 		MetaModel::Init_AddAttribute(new AttributeString("class", array("allowed_values"=>null, "sql"=>"class", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array())));
 		MetaModel::Init_AddAttribute(new AttributeString("attcode", array("allowed_values"=>null, "sql"=>"attcode", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array())));
@@ -143,10 +121,11 @@ class UserRightsMatrix extends UserRightsAddOnAPI
 	public function CreateAdministrator($sAdminUser, $sAdminPwd, $sLanguage = 'EN US')
 	{
 		// Maybe we should check that no other user with userid == 0 exists
-		$oUser = new UserRightsMatrixUsers();
+		$oUser = new UserLocal();
 		$oUser->Set('login', $sAdminUser);
 		$oUser->Set('password', $sAdminPwd);
-		$oUser->Set('userid', 1); // one is for root !
+		$oUser->Set('contactid', 1); // one is for root !
+		$oUser->Set('language', $sLanguage); // Language was chosen during the installation

 		// Create a change to record the history of the User object
 		$oChange = MetaModel::NewObject("CMDBChange");
@@ -160,16 +139,16 @@ class UserRightsMatrix extends UserRightsAddOnAPI
 		return true;
 	}

-	public function IsAdministrator($iUserId)
+	public function IsAdministrator($oUser)
 	{
-		return ($iUserId == 1);
+		return ($oUser->GetKey() == 1);
 	}

 	public function Setup()
 	{
 		// Users must be added manually
 		// This procedure will then update the matrix when a new user is found or a new class/attribute appears
-		$oUserSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT UserRightsMatrixUsers"));
+		$oUserSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT User"));
 		while ($oUser = $oUserSet->Fetch())
 		{
 			$this->SetupUser($oUser->GetKey());
@@ -287,80 +266,13 @@ class UserRightsMatrix extends UserRightsAddOnAPI
 		return true;
 	}

-	public function CheckCredentials($sUserName, $sPassword)
-	{
-		$oSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT UserRightsMatrixUsers WHERE login = '$sUserName'"));
-		if ($oSet->Count() < 1)
-		{
-		// todo: throw an exception?
-			return false;
-		}
-
-		$oLogin = $oSet->Fetch();
-		if ($oLogin->Get('password') == $sPassword)
-		{
-			return $oLogin->Get('userid');
-		}
-		// todo: throw an exception?
-		return false;
-	}
-	
-	public function CanChangePassword()
-	{
-		return true;
-	}
-
-	public function ChangePassword($iUserId, $sOldPassword, $sNewPassword)
-	{
-		$oSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT UserRightsMatrixUsers WHERE userid = $iUserId"));
-		if ($oSet->Count() < 1)
-		{
-			return false;
-		}
-
-		$oLogin = $oSet->Fetch();
-		if ($oLogin->Get('password') == $sOldPassword)
-		{
-			$oLogin->Set('password', $sNewPassword);
-			$oLogin->DBUpdate();
-			return true;
-		}
-		return false;
-	}
-
-
-	public function GetUserId($sUserName)
-	{
-		$oSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT UserRightsMatrixUsers WHERE login = '$sUserName'"));
-		if ($oSet->Count() < 1)
-		{
-		// todo: throw an exception?
-			return false;
-		}
-
-		$oLogin = $oSet->Fetch();
-		return $oLogin->Get('userid');
-	}
-
-	// this module does not handle localization
-	public function GetUserLanguage($sUserName)
-	{
-		return 'EN US';
-	}
-
-	public function GetContactId($sUserName)
-	{
-		// this module has no link with the business data
-		return null;
-	}
-
 	public function GetFilter($sUserName, $sClass)
 	{
 		$oNullFilter  = new DBObjectSearch($sClass);
 		return $oNullFilter;
 	}

-	public function IsActionAllowed($iUserId, $sClass, $iActionCode, $oInstanceSet = null)
+	public function IsActionAllowed($oUser, $sClass, $iActionCode, $oInstanceSet = null)
 	{
 		if (!array_key_exists($iActionCode, self::$m_aActionCodes))
 		{
@@ -368,7 +280,7 @@ class UserRightsMatrix extends UserRightsAddOnAPI
 		}
 		$sAction = self::$m_aActionCodes[$iActionCode];

-		$oSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT UserRightsMatrixClassGrant WHERE class = '$sClass' AND action = '$sAction' AND userid = '$iUserId'"));
+		$oSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT UserRightsMatrixClassGrant WHERE class = '$sClass' AND action = '$sAction' AND userid = '{$oUser->GetKey()}'"));
 		if ($oSet->Count() < 1)
 		{
 			return UR_ALLOWED_NO;
@@ -388,7 +300,7 @@ class UserRightsMatrix extends UserRightsAddOnAPI
 		return $iRetCode;
 	}

-	public function IsActionAllowedOnAttribute($iUserId, $sClass, $sAttCode, $iActionCode, $oInstanceSet = null)
+	public function IsActionAllowedOnAttribute($oUser, $sClass, $sAttCode, $iActionCode, $oInstanceSet = null)
 	{
 		if (!array_key_exists($iActionCode, self::$m_aActionCodes))
 		{
@@ -396,7 +308,7 @@ class UserRightsMatrix extends UserRightsAddOnAPI
 		}
 		$sAction = self::$m_aActionCodes[$iActionCode];

-		$oSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT UserRightsMatrixAttributeGrant WHERE class = '$sClass' AND attcode = '$sAttCode' AND action = '$sAction' AND userid = '$iUserId'"));
+		$oSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT UserRightsMatrixAttributeGrant WHERE class = '$sClass' AND attcode = '$sAttCode' AND action = '$sAction' AND userid = '{$oUser->GetKey()}'"));
 		if ($oSet->Count() < 1)
 		{
 			return UR_ALLOWED_NO;
@@ -416,9 +328,9 @@ class UserRightsMatrix extends UserRightsAddOnAPI
 		return $iRetCode;
 	}

-	public function IsStimulusAllowed($iUserId, $sClass, $sStimulusCode, $oInstanceSet = null)
+	public function IsStimulusAllowed($oUser, $sClass, $sStimulusCode, $oInstanceSet = null)
 	{
-		$oSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT UserRightsMatrixClassStimulusGrant WHERE class = '$sClass' AND stimulus = '$sStimulusCode' AND userid = '$iUserId'"));
+		$oSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT UserRightsMatrixClassStimulusGrant WHERE class = '$sClass' AND stimulus = '$sStimulusCode' AND userid = '{$oUser->GetKey()}'"));
 		if ($oSet->Count() < 1)
 		{
 			return UR_ALLOWED_NO;
--- a/addons/userrights/userrightsnull.class.inc.php
+++ b/addons/userrights/userrightsnull.class.inc.php
@@ -32,7 +32,7 @@ class UserRightsNull extends UserRightsAddOnAPI
 		return true;
 	}

-	public function IsAdministrator($iUserId)
+	public function IsAdministrator($oUser)
 	{
 		return true;
 	}
@@ -47,54 +47,23 @@ class UserRightsNull extends UserRightsAddOnAPI
 		return true;
 	}

-	public function CheckCredentials($sUserName, $sPassword)
-	{
-		return 1;
-	}
-	
-	public function CanChangePassword()
-	{
-		return true;
-	}
-
-	public function ChangePassword($iUserId, $sOldPassword, $sNewPassword)
-	{
-		return true;
-	}
-
-	public function GetUserId($sUserName)
-	{
-		return 1;
-	}
-
-	public function GetUserLanguage($sUserName)
-	{
-		return 'EN US';
-	}
-
-	public function GetContactId($sUserName)
-	{
-		// this module has no link with the business data
-		return null;
-	}
-
 	public function GetFilter($sUserName, $sClass)
 	{
 		$oNullFilter  = new DBObjectSearch($sClass);
 		return $oNullFilter;
 	}

-	public function IsActionAllowed($iUserId, $sClass, $iActionCode, $oInstanceSet = null)
+	public function IsActionAllowed($oUser, $sClass, $iActionCode, $oInstanceSet = null)
 	{
 		return UR_ALLOWED_YES;
 	}

-	public function IsStimulusAllowed($iUserId, $sClass, $sStimulusCode, $oInstanceSet = null)
+	public function IsStimulusAllowed($oUser, $sClass, $sStimulusCode, $oInstanceSet = null)
 	{
 		return UR_ALLOWED_YES;
 	}

-	public function IsActionAllowedOnAttribute($iUserId, $sClass, $sAttCode, $iActionCode, $oInstanceSet = null)
+	public function IsActionAllowedOnAttribute($oUser, $sClass, $sAttCode, $iActionCode, $oInstanceSet = null)
 	{
 		return UR_ALLOWED_YES;
 	}
--- a/addons/userrights/userrightsprofile.class.inc.php
+++ b/addons/userrights/userrightsprofile.class.inc.php
@@ -50,134 +50,6 @@ class UserRightsBaseClass extends cmdbAbstractObject
 }


-class URP_Users extends UserRightsBaseClass
-{
-	public static function Init()
-	{
-		$aParams = array
-		(
-			"category" => "addon/userrights",
-			"key_type" => "autoincrement",
-			"name_attcode" => "login",
-			"state_attcode" => "",
-			"reconc_keys" => array(),
-			"db_table" => "priv_urp_users",
-			"db_key_field" => "id",
-			"db_finalclass_field" => "",
-			"display_template" => "",
-		);
-		MetaModel::Init_Params($aParams);
-		//MetaModel::Init_InheritAttributes();
-
-		MetaModel::Init_AddAttribute(new AttributeExternalKey("userid", array("targetclass"=>"Person", "allowed_values"=>null, "sql"=>"userid", "is_null_allowed"=>true, "on_target_delete"=>DEL_MANUAL, "depends_on"=>array())));
-		MetaModel::Init_AddAttribute(new AttributeExternalField("last_name", array("allowed_values"=>null, "extkey_attcode"=> 'userid', "target_attcode"=>"name")));
-		MetaModel::Init_AddAttribute(new AttributeExternalField("first_name", array("allowed_values"=>null, "extkey_attcode"=> 'userid', "target_attcode"=>"first_name")));
-		MetaModel::Init_AddAttribute(new AttributeExternalField("email", array("allowed_values"=>null, "extkey_attcode"=> 'userid', "target_attcode"=>"email")));
-
-		MetaModel::Init_AddAttribute(new AttributeString("login", array("allowed_values"=>null, "sql"=>"login", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array())));
-		MetaModel::Init_AddAttribute(new AttributePassword("password", array("allowed_values"=>null, "sql"=>"pwd", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array())));
-
-		//MetaModel::Init_AddAttribute(new AttributeString("language", array("allowed_values"=>array('EN US,FR FR'), "sql"=>"language", "default_value"=>"EN US", "is_null_allowed"=>false, "depends_on"=>array())));
-		MetaModel::Init_AddAttribute(new AttributeApplicationLanguage("language", array("sql"=>"language", "default_value"=>"EN US", "is_null_allowed"=>false, "depends_on"=>array())));
-
-		MetaModel::Init_AddAttribute(new AttributeLinkedSetIndirect("profile_list", array("linked_class"=>"URP_UserProfile", "ext_key_to_me"=>"userid", "ext_key_to_remote"=>"profileid", "allowed_values"=>null, "count_min"=>1, "count_max"=>0, "depends_on"=>array())));
-
-		// Display lists
-		MetaModel::Init_SetZListItems('details', array('userid', 'first_name', 'email', 'login', 'password', 'language', 'profile_list')); // Attributes to be displayed for the complete details
-		MetaModel::Init_SetZListItems('list', array('first_name', 'last_name', 'login')); // Attributes to be displayed for a list
-		// Search criteria
-		MetaModel::Init_SetZListItems('standard_search', array('login', 'userid')); // Criteria of the std search form
-		MetaModel::Init_SetZListItems('advanced_search', array('login', 'userid')); // Criteria of the advanced search form
-	}
-
-	function GetGrantAsHtml($sClass, $iAction)
-	{
-		if (UserRights::IsActionAllowed($sClass, $iAction, null, $this->GetKey())) 
-		{
-			return '<span style="background-color: #ddffdd;">'.Dict::S('UI:UserManagement:ActionAllowed:Yes').'</span>';
-		}
-		else
-		{
-			return '<span style="background-color: #ffdddd;">'.Dict::S('UI:UserManagement:ActionAllowed:No').'</span>';
-		}
-	}
-	
-	function DoShowGrantSumary($oPage, $sClassCategory)
-	{
-		$iUserId = $this->GetKey();
-		if (UserRights::IsAdministrator($iUserId))
-		{
-			// Looks dirty, but ok that's THE ONE
-			$oPage->p(Dict::S('UI:UserManagement:AdminProfile+'));
-			return;
-		}
-
-		$aDisplayData = array();
-		foreach (MetaModel::GetClasses($sClassCategory) as $sClass)
-		{
-			$aClassStimuli = MetaModel::EnumStimuli($sClass);
-			if (count($aClassStimuli) > 0)
-			{
-				$aStimuli = array();
-				foreach ($aClassStimuli as $sStimulusCode => $oStimulus)
-				{
-					if (UserRights::IsStimulusAllowed($sClass, $sStimulusCode, null, $iUserId))
-					{
-						$aStimuli[] = '<span title="'.$sStimulusCode.': '.htmlentities($oStimulus->GetDescription()).'">'.htmlentities($oStimulus->GetLabel()).'</span>';
-					}
-				}
-				$sStimuli = implode(', ', $aStimuli);
-			}
-			else
-			{
-				$sStimuli = '<em title="'.Dict::S('UI:UserManagement:NoLifeCycleApplicable+').'">'.Dict::S('UI:UserManagement:NoLifeCycleApplicable').'</em>';
-			}
-			
-			$aDisplayData[] = array(
-				'class' => MetaModel::GetName($sClass),
-				'read' => $this->GetGrantAsHtml($sClass, UR_ACTION_READ),
-				'bulkread' => $this->GetGrantAsHtml($sClass, UR_ACTION_BULK_READ),
-				'write' => $this->GetGrantAsHtml($sClass, UR_ACTION_MODIFY),
-				'bulkwrite' => $this->GetGrantAsHtml($sClass, UR_ACTION_BULK_MODIFY),
-				'stimuli' => $sStimuli,
-			);
-		}
-	
-		$aDisplayConfig = array();
-		$aDisplayConfig['class'] = array('label' => Dict::S('UI:UserManagement:Class'), 'description' => Dict::S('UI:UserManagement:Class+'));
-		$aDisplayConfig['read'] = array('label' => Dict::S('UI:UserManagement:Action:Read'), 'description' => Dict::S('UI:UserManagement:Action:Read+'));
-		$aDisplayConfig['bulkread'] = array('label' => Dict::S('UI:UserManagement:Action:BulkRead'), 'description' => Dict::S('UI:UserManagement:Action:BulkRead+'));
-		$aDisplayConfig['write'] = array('label' => Dict::S('UI:UserManagement:Action:Modify'), 'description' => Dict::S('UI:UserManagement:Action:Modify+'));
-		$aDisplayConfig['bulkwrite'] = array('label' => Dict::S('UI:UserManagement:Action:BulkModify'), 'description' => Dict::S('UI:UserManagement:Action:BulkModify+'));
-		$aDisplayConfig['stimuli'] = array('label' => Dict::S('UI:UserManagement:Action:Stimuli'), 'description' => Dict::S('UI:UserManagement:Action:Stimuli+'));
-		$oPage->table($aDisplayConfig, $aDisplayData);
-	}
-
-	function DisplayBareRelations(WebPage $oPage, $bEditMode = false)
-	{
-		parent::DisplayBareRelations($oPage, $bEditMode);
-		if (!$bEditMode)
-		{
-			$oPage->SetCurrentTab(Dict::S('UI:UserManagement:GrantMatrix'));
-			$this->DoShowGrantSumary($oPage, 'bizmodel');
-	
-			// debug
-			if (false)
-			{
-				$oPage->SetCurrentTab('More on user rigths (dev only)');
-				$oPage->add("<h3>User rights</h3>\n");
-				$this->DoShowGrantSumary($oPage, 'addon/userrights');
-				$oPage->add("<h3>Change log</h3>\n");
-				$this->DoShowGrantSumary($oPage, 'core/cmdb');
-				$oPage->add("<h3>Application</h3>\n");
-				$this->DoShowGrantSumary($oPage, 'application');
-				$oPage->add("<h3>GUI</h3>\n");
-				$this->DoShowGrantSumary($oPage, 'gui');
-				
-			}					
-		}
-	}
-}


 class URP_Profiles extends UserRightsBaseClass
@@ -417,7 +289,7 @@ class URP_UserProfile extends UserRightsBaseClass
 		);
 		MetaModel::Init_Params($aParams);
 		//MetaModel::Init_InheritAttributes();
-		MetaModel::Init_AddAttribute(new AttributeExternalKey("userid", array("targetclass"=>"URP_Users", "jointype"=> "", "allowed_values"=>null, "sql"=>"userid", "is_null_allowed"=>false, "on_target_delete"=>DEL_AUTO, "depends_on"=>array())));
+		MetaModel::Init_AddAttribute(new AttributeExternalKey("userid", array("targetclass"=>"User", "jointype"=> "", "allowed_values"=>null, "sql"=>"userid", "is_null_allowed"=>false, "on_target_delete"=>DEL_AUTO, "depends_on"=>array())));
 		MetaModel::Init_AddAttribute(new AttributeExternalField("userlogin", array("allowed_values"=>null, "extkey_attcode"=> 'userid', "target_attcode"=>"login")));

 		MetaModel::Init_AddAttribute(new AttributeExternalKey("profileid", array("targetclass"=>"URP_Profiles", "jointype"=> "", "allowed_values"=>null, "sql"=>"profileid", "is_null_allowed"=>false, "on_target_delete"=>DEL_AUTO, "depends_on"=>array())));
@@ -475,7 +347,7 @@ class URP_ProfileProjection extends UserRightsBaseClass
 		MetaModel::Init_SetZListItems('advanced_search', array('dimensionid', 'profileid')); // Criteria of the advanced search form
 	}

-	public function ProjectUser(URP_Users $oUser)
+	public function ProjectUser(User $oUser)
 	{
 		$sExpr = $this->Get('value');
 		if ($sExpr == '<user>')
@@ -744,10 +616,10 @@ class UserRightsProfile extends UserRightsAddOnAPI
 		//$oContact->Set('employee_number', '');
 		$iContactId = $oContact->DBInsertTrackedNoReload($oChange);
 		
-		$oUser = new URP_Users();
+		$oUser = new UserLocal();
 		$oUser->Set('login', $sAdminUser);
 		$oUser->Set('password', $sAdminPwd);
-		$oUser->Set('userid', $iContactId);
+		$oUser->Set('contactid', $iContactId);
 		$oUser->Set('language', $sLanguage); // Language was chosen during the installation
 		$iUserId = $oUser->DBInsertTrackedNoReload($oChange);
 		
@@ -760,9 +632,9 @@ class UserRightsProfile extends UserRightsAddOnAPI
 		return true;
 	}

-	public function IsAdministrator($iUserId)
+	public function IsAdministrator($oUser)
 	{
-		if (in_array($iUserId, $this->m_aAdmins))
+		if (in_array($oUser->GetKey(), $this->m_aAdmins))
 		{
 			return true;
 		}
@@ -787,15 +659,12 @@ class UserRightsProfile extends UserRightsAddOnAPI
 		MetaModel::RegisterPlugin('userrights', 'ACbyProfile', array($this, 'CacheData'));
 	}

-	protected $m_aUsers = array(); // id -> object
 	protected $m_aDimensions = array(); // id -> object
 	protected $m_aClassProj = array(); // class,dimensionid -> object
 	protected $m_aProfiles = array(); // id -> object
 	protected $m_aUserProfiles = array(); // userid,profileid -> object
 	protected $m_aProPro = array(); // profileid,dimensionid -> object

-	protected $m_aLogin2UserId = array(); // login -> id
-
 	protected $m_aAdmins = array(); // id of users being linked to the well-known admin profile

 	protected $m_aClassActionGrants = array(); // profile, class, action -> permission
@@ -806,15 +675,6 @@ class UserRightsProfile extends UserRightsAddOnAPI
 	{
 		// Could be loaded in a shared memory (?)

-		$oUserSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT URP_Users"));
-		$this->m_aUsers = array();
-		$this->m_aLogin2UserId = array();  
-		while ($oUser = $oUserSet->Fetch())
-		{
-			$this->m_aUsers[$oUser->GetKey()] = $oUser;
-			$this->m_aLogin2UserId[$oUser->Get('login')] = $oUser->GetKey();  
-		}
-
 		$oDimensionSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT URP_Dimensions"));
 		$this->m_aDimensions = array(); 
 		while ($oDimension = $oDimensionSet->Fetch())
@@ -857,7 +717,6 @@ class UserRightsProfile extends UserRightsAddOnAPI

 /*
 		echo "<pre>\n";
-		print_r($this->m_aUsers);
 		print_r($this->m_aDimensions);
 		print_r($this->m_aClassProjs);
 		print_r($this->m_aProfiles);
@@ -870,94 +729,6 @@ exit;
 		return true;
 	}

-	public function CheckCredentials($sUserName, $sPassword)
-	{
-		$oSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT URP_Users WHERE login = :login"), array(), array('login' => $sUserName));
-		if ($oSet->Count() < 1)
-		{
-		// todo: throw an exception?
-			return false;
-		}
-
-		$oUser = $oSet->Fetch();
-		if ($oUser->Get('password') == $sPassword)
-		{
-			return $oUser->GetKey();
-		}
-		// todo: throw an exception?
-		return false;
-	}
-
-	public function CanChangePassword()
-	{
-		// For now everyone can change their password..
-		return true;
-	}
-
-	public function ChangePassword($iUserId, $sOldPassword, $sNewPassword)
-	{
-		$oSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT URP_Users WHERE id = :user_id"), array(), array('user_id' => $iUserId));
-		if ($oSet->Count() < 1)
-		{
-			return false;
-		}
-
-		$oLogin = $oSet->Fetch();
-		if ($oLogin->Get('password') == $sOldPassword)
-		{
-			$oLogin->Set('password', $sNewPassword);
-			$oChange = MetaModel::NewObject("CMDBChange");
-			$oChange->Set("date", time());
-			if (UserRights::GetUser() != UserRights::GetRealUser())
-			{
-				$sUserString = Dict::Format('UI:Archive_User_OnBehalfOf_User', UserRights::GetRealUser(), UserRights::GetUser());
-			}
-			else
-			{
-				$sUserString = UserRights::GetUser();
-			}
-			$oChange->Set("userinfo", $sUserString);
-			$oLogin->DBUpdateTracked($oChange);
-			return true;
-		}
-		return false;
-	}
-
-	public function GetUserId($sUserName)
-	{
-		if (array_key_exists($sUserName, $this->m_aLogin2UserId))
-		{
-			// This happens really when the list of users is being loaded into the cache!!!
-			$iUserId = $this->m_aLogin2UserId[$sUserName];  
-			return $iUserId;
-		}
-		return null;
-	}
-
-	public function GetUserLanguage($sUserName)
-	{
-		if (array_key_exists($sUserName, $this->m_aLogin2UserId))
-		{
-			// This happens really when the list of users is being loaded into the cache!!!
-			$iUserId = $this->m_aLogin2UserId[$sUserName];  
-			$oUser = $this->m_aUsers[$iUserId];
-			return $oUser->Get('language');
-		}
-		return 'EN US';
-	}
-
-	public function GetContactId($sUserName)
-	{
-		if (array_key_exists($sUserName, $this->m_aLogin2UserId))
-		{
-			// This happens really when the list of users is being loaded into the cache!!!
-			$iUserId = $this->m_aLogin2UserId[$sUserName];  
-			$oUser = $this->m_aUsers[$iUserId];
-			return $oUser->Get('userid');
-		}
-		return null;
-	}
-
 	public function GetFilter($sUserName, $sClass)
 	{
 		$oNullFilter  = new DBObjectSearch($sClass);
@@ -1051,10 +822,8 @@ exit;
 		return $aRes;
 	}
 	
-	public function IsActionAllowed($iUserId, $sClass, $iActionCode, $oInstanceSet = null)
+	public function IsActionAllowed($oUser, $sClass, $iActionCode, $oInstanceSet = null)
 	{
-		$oUser = $this->m_aUsers[$iUserId];
-
 		if (is_null($oInstanceSet))
 		{
 			$aObjectPermissions = $this->GetObjectActionGrant($oUser, $sClass, $iActionCode);
@@ -1092,10 +861,8 @@ exit;
 		}
 	}

-	public function IsActionAllowedOnAttribute($iUserId, $sClass, $sAttCode, $iActionCode, $oInstanceSet = null)
+	public function IsActionAllowedOnAttribute($oUser, $sClass, $sAttCode, $iActionCode, $oInstanceSet = null)
 	{
-		$oUser = $this->m_aUsers[$iUserId];
-
 		if (is_null($oInstanceSet))
 		{
 			$aObjectPermissions = $this->GetObjectActionGrant($oUser, $sClass, $iActionCode);
@@ -1173,10 +940,8 @@ exit;
 		return $oGrantRecord;
 	}

-	public function IsStimulusAllowed($iUserId, $sClass, $sStimulusCode, $oInstanceSet = null)
+	public function IsStimulusAllowed($oUser, $sClass, $sStimulusCode, $oInstanceSet = null)
 	{
-		$oUser = $this->m_aUsers[$iUserId];
-
 		// Note: this code is VERY close to the code of IsActionAllowed()

 		if (is_null($oInstanceSet))
--- a/application/displayblock.class.inc.php
+++ b/application/displayblock.class.inc.php
@@ -25,7 +25,6 @@

 require_once('../application/webpage.class.inc.php');
 require_once('../application/utils.inc.php');
-require_once('../core/userrights.class.inc.php');
 /**
 * Helper class to manage 'blocks' of HTML pieces that are parts of a page and contain some list of cmdb objects
 *
--- a/application/itopwebpage.class.inc.php
+++ b/application/itopwebpage.class.inc.php
@@ -251,7 +251,7 @@ EOF

 		// Add the admin menus
 		$oAdminMenu = new MenuGroup('AdminTools', 80 /* fRank */);
-		new OQLMenuNode('UserAccountsMenu', 'SELECT URP_Users', $oAdminMenu->GetIndex(), 1 /* fRank */);
+		new OQLMenuNode('UserAccountsMenu', 'SELECT User', $oAdminMenu->GetIndex(), 1 /* fRank */);
 		new OQLMenuNode('ProfilesMenu', 'SELECT URP_Profiles', $oAdminMenu->GetIndex(), 2 /* fRank */);
 		new TemplateMenuNode('NotificationsMenu', '../business/templates/notifications_menu.html', $oAdminMenu->GetIndex(), 3 /* fRank */);
 		new WebPageMenuNode('RunQueriesMenu', '../pages/run_query.php', $oAdminMenu->GetIndex(), 8 /* fRank */);
--- a/application/user.preferences.class.inc.php
+++ b/application/user.preferences.class.inc.php
@@ -154,7 +154,7 @@ class appUserPreferences extends DBObject
 		);
 		
 		MetaModel::Init_Params($aParams);
-		MetaModel::Init_AddAttribute(new AttributeExternalKey("userid", array("targetclass"=>"URP_Users", "allowed_values"=>null, "sql"=>"userid", "is_null_allowed"=>true, "on_target_delete"=>DEL_MANUAL, "depends_on"=>array())));
+		MetaModel::Init_AddAttribute(new AttributeExternalKey("userid", array("targetclass"=>"User", "allowed_values"=>null, "sql"=>"userid", "is_null_allowed"=>true, "on_target_delete"=>DEL_MANUAL, "depends_on"=>array())));
 		MetaModel::Init_AddAttribute(new AttributePropertySet("preferences", array("allowed_values"=>null, "sql"=>"preferences", "default_value"=>null, "is_null_allowed"=>true, "depends_on"=>array())));
 	}
 	
--- a/application/usercontext.class.inc.php
+++ b/application/usercontext.class.inc.php
@@ -24,7 +24,6 @@
 */

 require_once('../core/cmdbobject.class.inc.php');
-require_once('../core/userrights.class.inc.php');
 /**
 * Helper class to capture a user's restrictions (access rights, profiles...) as a set of limiting conditions
 *
--- a/core/cmdbobject.class.inc.php
+++ b/core/cmdbobject.class.inc.php
@@ -74,7 +74,6 @@ require_once('cmdbchangeop.class.inc.php');
 require_once('csvparser.class.inc.php');
 require_once('bulkchange.class.inc.php');

-require_once('userrights.class.inc.php');

 //
 // Error handling
--- a/core/config.class.inc.php
+++ b/core/config.class.inc.php
@@ -119,6 +119,7 @@ class Config
 			'../core/event.class.inc.php',
 			'../core/action.class.inc.php',
 			'../core/trigger.class.inc.php',
+			'../addons/authentication/authent.local.inc.php',
 		);
 		$this->m_aDataModels = array();
 		$this->m_aAddons = array(
--- a/core/metamodel.class.php
+++ b/core/metamodel.class.php
@@ -1042,6 +1042,8 @@ abstract class MetaModel
 							// Add it to the ZLists where the external key is present
 							//foreach(self::$m_aListData[$sClass] as $sListCode => $aAttributes)
 							$sListCode = 'list';
+							if (isset(self::$m_aListData[$sClass][$sListCode]))
+							{
 								$aAttributes = self::$m_aListData[$sClass][$sListCode];
 								// temporary.... no loop
 								{
@@ -1062,6 +1064,7 @@ abstract class MetaModel
 								}
 							}
 						}
+					}

 					// Get the real external key attribute
 					// It will be our reference to determine the other ext fields related to the same ext key
@@ -3136,6 +3139,10 @@ abstract class MetaModel
 		// Set the language... after the dictionaries have been loaded!
 		Dict::SetDefaultLanguage($oConfig->GetDefaultLanguage());

+		// Romain: this is the only way I've found to cope with the fact that
+		//         classes have to be derived from cmdbabstract (to be editable in the UI)
+		require_once('../application/cmdbabstract.class.inc.php');
+
 		foreach ($oConfig->GetAppModules() as $sModule => $sToInclude)
 		{
 			self::Plugin($sConfigFile, 'application', $sToInclude);
--- a/core/userrights.class.inc.php
+++ b/core/userrights.class.inc.php
@@ -54,21 +54,150 @@ abstract class UserRightsAddOnAPI
 	abstract public function CreateAdministrator($sAdminUser, $sAdminPwd, $sLanguage = 'EN US'); // could be used during initial installation

 	abstract public function Init(); // loads data (possible optimizations)
-	abstract public function CheckCredentials($sLogin, $sPassword); // returns the id of the user or false
-	abstract public function CanChangePassword(); // Whether or not a user can change her/his own password
-	abstract public function ChangePassword($iUserId, $sOldPassword, $sNewPassword); // Change the password of the specified user
-	abstract public function GetUserLanguage($sLogin); // returns the language code (e.g "EN US")
-	abstract public function GetUserId($sLogin); // returns the id of the user or false
-	abstract public function GetContactId($sLogin); // returns the id of the "business" user or false
+
+	// Cf UserContext...
 	abstract public function GetFilter($sLogin, $sClass); // returns a filter object
-	abstract public function IsActionAllowed($iUserId, $sClass, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null);
-	abstract public function IsStimulusAllowed($iUserId, $sClass, $sStimulusCode, /*dbObjectSet*/ $oInstanceSet = null);
-	abstract public function IsActionAllowedOnAttribute($iUserId, $sClass, $sAttCode, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null);
-	abstract public function IsAdministrator($iUserId);
+
+	abstract public function IsActionAllowed($oUser, $sClass, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null);
+	abstract public function IsStimulusAllowed($oUser, $sClass, $sStimulusCode, /*dbObjectSet*/ $oInstanceSet = null);
+	abstract public function IsActionAllowedOnAttribute($oUser, $sClass, $sAttCode, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null);
+	abstract public function IsAdministrator($oUser);
 	abstract public function FlushPrivileges();
 }


+abstract class User extends cmdbAbstractObject
+{
+	public static function Init()
+	{
+		$aParams = array
+		(
+			"category" => "core",
+			"key_type" => "autoincrement",
+			"name_attcode" => "login",
+			"state_attcode" => "",
+			"reconc_keys" => array(),
+			"db_table" => "priv_user",
+			"db_key_field" => "id",
+			"db_finalclass_field" => "",
+			"display_template" => "",
+		);
+		MetaModel::Init_Params($aParams);
+		//MetaModel::Init_InheritAttributes();
+
+		MetaModel::Init_AddAttribute(new AttributeExternalKey("contactid", array("targetclass"=>"Person", "allowed_values"=>null, "sql"=>"contactid", "is_null_allowed"=>true, "on_target_delete"=>DEL_MANUAL, "depends_on"=>array())));
+		MetaModel::Init_AddAttribute(new AttributeExternalField("last_name", array("allowed_values"=>null, "extkey_attcode"=> 'contactid', "target_attcode"=>"name")));
+		MetaModel::Init_AddAttribute(new AttributeExternalField("first_name", array("allowed_values"=>null, "extkey_attcode"=> 'contactid', "target_attcode"=>"first_name")));
+		MetaModel::Init_AddAttribute(new AttributeExternalField("email", array("allowed_values"=>null, "extkey_attcode"=> 'contactid', "target_attcode"=>"email")));
+
+		MetaModel::Init_AddAttribute(new AttributeString("login", array("allowed_values"=>null, "sql"=>"login", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array())));
+
+		MetaModel::Init_AddAttribute(new AttributeApplicationLanguage("language", array("sql"=>"language", "default_value"=>"EN US", "is_null_allowed"=>false, "depends_on"=>array())));
+
+		MetaModel::Init_AddAttribute(new AttributeLinkedSetIndirect("profile_list", array("linked_class"=>"URP_UserProfile", "ext_key_to_me"=>"userid", "ext_key_to_remote"=>"profileid", "allowed_values"=>null, "count_min"=>1, "count_max"=>0, "depends_on"=>array())));
+
+		// Display lists
+		MetaModel::Init_SetZListItems('details', array('contactid', 'first_name', 'email', 'login', 'language', 'profile_list')); // Attributes to be displayed for the complete details
+		MetaModel::Init_SetZListItems('list', array('first_name', 'last_name', 'login')); // Attributes to be displayed for a list
+		// Search criteria
+		MetaModel::Init_SetZListItems('standard_search', array('login', 'contactid')); // Criteria of the std search form
+		MetaModel::Init_SetZListItems('advanced_search', array('login', 'contactid')); // Criteria of the advanced search form
+	}
+
+	abstract public function CheckCredentials($sPassword);
+	abstract public function TrustWebServerContext();
+	abstract public function CanChangePassword();
+	abstract public function ChangePassword($sOldPassword, $sNewPassword);
+
+	function GetGrantAsHtml($sClass, $iAction)
+	{
+		if (UserRights::IsActionAllowed($sClass, $iAction, null, $this)) 
+		{
+			return '<span style="background-color: #ddffdd;">'.Dict::S('UI:UserManagement:ActionAllowed:Yes').'</span>';
+		}
+		else
+		{
+			return '<span style="background-color: #ffdddd;">'.Dict::S('UI:UserManagement:ActionAllowed:No').'</span>';
+		}
+	}
+	
+	function DoShowGrantSumary($oPage, $sClassCategory)
+	{
+		if (UserRights::IsAdministrator($this))
+		{
+			// Looks dirty, but ok that's THE ONE
+			$oPage->p(Dict::S('UI:UserManagement:AdminProfile+'));
+			return;
+		}
+
+		$aDisplayData = array();
+		foreach (MetaModel::GetClasses($sClassCategory) as $sClass)
+		{
+			$aClassStimuli = MetaModel::EnumStimuli($sClass);
+			if (count($aClassStimuli) > 0)
+			{
+				$aStimuli = array();
+				foreach ($aClassStimuli as $sStimulusCode => $oStimulus)
+				{
+					if (UserRights::IsStimulusAllowed($sClass, $sStimulusCode, null, $this))
+					{
+						$aStimuli[] = '<span title="'.$sStimulusCode.': '.htmlentities($oStimulus->GetDescription()).'">'.htmlentities($oStimulus->GetLabel()).'</span>';
+					}
+				}
+				$sStimuli = implode(', ', $aStimuli);
+			}
+			else
+			{
+				$sStimuli = '<em title="'.Dict::S('UI:UserManagement:NoLifeCycleApplicable+').'">'.Dict::S('UI:UserManagement:NoLifeCycleApplicable').'</em>';
+			}
+			
+			$aDisplayData[] = array(
+				'class' => MetaModel::GetName($sClass),
+				'read' => $this->GetGrantAsHtml($sClass, UR_ACTION_READ),
+				'bulkread' => $this->GetGrantAsHtml($sClass, UR_ACTION_BULK_READ),
+				'write' => $this->GetGrantAsHtml($sClass, UR_ACTION_MODIFY),
+				'bulkwrite' => $this->GetGrantAsHtml($sClass, UR_ACTION_BULK_MODIFY),
+				'stimuli' => $sStimuli,
+			);
+		}
+	
+		$aDisplayConfig = array();
+		$aDisplayConfig['class'] = array('label' => Dict::S('UI:UserManagement:Class'), 'description' => Dict::S('UI:UserManagement:Class+'));
+		$aDisplayConfig['read'] = array('label' => Dict::S('UI:UserManagement:Action:Read'), 'description' => Dict::S('UI:UserManagement:Action:Read+'));
+		$aDisplayConfig['bulkread'] = array('label' => Dict::S('UI:UserManagement:Action:BulkRead'), 'description' => Dict::S('UI:UserManagement:Action:BulkRead+'));
+		$aDisplayConfig['write'] = array('label' => Dict::S('UI:UserManagement:Action:Modify'), 'description' => Dict::S('UI:UserManagement:Action:Modify+'));
+		$aDisplayConfig['bulkwrite'] = array('label' => Dict::S('UI:UserManagement:Action:BulkModify'), 'description' => Dict::S('UI:UserManagement:Action:BulkModify+'));
+		$aDisplayConfig['stimuli'] = array('label' => Dict::S('UI:UserManagement:Action:Stimuli'), 'description' => Dict::S('UI:UserManagement:Action:Stimuli+'));
+		$oPage->table($aDisplayConfig, $aDisplayData);
+	}
+
+	function DisplayBareRelations(WebPage $oPage, $bEditMode = false)
+	{
+		parent::DisplayBareRelations($oPage, $bEditMode);
+		if (!$bEditMode)
+		{
+			$oPage->SetCurrentTab(Dict::S('UI:UserManagement:GrantMatrix'));
+			$this->DoShowGrantSumary($oPage, 'bizmodel');
+	
+			// debug
+			if (false)
+			{
+				$oPage->SetCurrentTab('More on user rigths (dev only)');
+				$oPage->add("<h3>User rights</h3>\n");
+				$this->DoShowGrantSumary($oPage, 'addon/userrights');
+				$oPage->add("<h3>Change log</h3>\n");
+				$this->DoShowGrantSumary($oPage, 'core/cmdb');
+				$oPage->add("<h3>Application</h3>\n");
+				$this->DoShowGrantSumary($oPage, 'application');
+				$oPage->add("<h3>GUI</h3>\n");
+				$this->DoShowGrantSumary($oPage, 'gui');
+				
+			}					
+		}
+	}
+}
+
+

 /**
 * User management core API  
@@ -78,11 +207,8 @@ abstract class UserRightsAddOnAPI
 class UserRights
 {
 	protected static $m_oAddOn;
-	protected static $m_sUser;
-	protected static $m_sRealUser;
-	protected static $m_iUserId;
-	protected static $m_iRealUserId;
-	protected static $m_sUserLanguage;
+	protected static $m_oUser;
+	protected static $m_oRealUser;

 	public static function SelectModule($sModuleName)
 	{
@@ -98,11 +224,8 @@ class UserRights
 		}
 		self::$m_oAddOn = new $sModuleName;
 		self::$m_oAddOn->Init();
-		self::$m_sUser = '';
-		self::$m_sRealUser = '';
-		self::$m_iUserId = 0;
-		self::$m_iRealUserId = 0;
-		self::$m_sUserLanguage = 'EN US';
+		self::$m_oUser = null;
+		self::$m_oRealUser = null;
 	}

 	public static function GetModuleInstance()
@@ -125,21 +248,40 @@ class UserRights

 	protected static function IsLoggedIn()
 	{
-		return (!empty(self::$m_sUser));
+		if (self::$m_oUser == null)
+		{
+			return false;
+		}
+		else
+		{
+			return true;
+		}	
 	}

 	public static function Login($sName, $sPassword)
 	{
-		self::$m_iUserId = self::$m_oAddOn->CheckCredentials($sName, $sPassword);
-		if (self::$m_iUserId !== false)
+		$oUser = self::FindUser($sName);
+		if (is_null($oUser))
 		{
-			self::$m_sUser = $sName;
-			self::$m_iRealUserId = self::$m_iUserId;
-			self::$m_sRealUser = $sName;
-			self::$m_sUserLanguage = self::$m_oAddOn->GetUserLanguage($sName);
+			return false;
+		}
+
+		if (!$oUser->CheckCredentials($sPassword))
+		{
+			return false;
+		}
+		self::$m_oUser = $oUser;
+		self::$m_oRealUser = $oUser;
 		Dict::SetUserLanguage(self::GetUserLanguage());
 		return true;
 	}
+
+	public static function TrustWebServerContext()
+	{
+		if (!is_null(self::$m_oUser))
+		{
+ 			return self::$m_oUser->TrustWebServerContext();
+		}
 		else
 		{
 			return false;
@@ -148,9 +290,9 @@ class UserRights

 	public static function CanChangePassword()
 	{
-		if (!is_null(self::$m_iUserId))
+		if (!is_null(self::$m_oUser))
 		{
- 			return self::$m_oAddOn->CanChangePassword(self::$m_iUserId);
+ 			return self::$m_oUser->CanChangePassword();
 		}
 		else
 		{
@@ -160,9 +302,9 @@ class UserRights

 	public static function ChangePassword($sCurrentPassword, $sNewPassword)
 	{
-		if (!is_null(self::$m_iUserId))
+		if (!is_null(self::$m_oUser))
 		{
- 			return self::$m_oAddOn->ChangePassword(self::$m_iUserId, $sCurrentPassword, $sNewPassword);
+ 			return self::$m_oUser->ChangePassword($sCurrentPassword, $sNewPassword);
 		}
 		else
 		{
@@ -174,28 +316,45 @@ class UserRights
 	{
 		if (!self::CheckLogin()) return false;

-		self::$m_iRealUserId = self::$m_oAddOn->CheckCredentials($sName, $sPassword);
-		if (self::$m_iRealUserId !== false)
-		{
-			self::$m_sUser = $sName;
-			self::$m_sUserLanguage = self::$m_oAddOn->GetUserLanguage($sName);
-			Dict::SetUserLanguage(self::GetUserLanguage());
-			return true;
-		}
-		else
+		$oUser = self::FindUser($sName);
+		if (is_null($oUser))
 		{
 			return false;
 		}
+		if (!$oUser->CheckCredentials($sPassword))
+		{
+			return false;
+		}
+
+		self::$m_oRealUser = self::$m_oUser;
+		self::$m_oUser = $oUser;
+		Dict::SetUserLanguage(self::GetUserLanguage());
+		return true;
 	}

 	public static function GetUser()
 	{
-		return self::$m_sUser;
+		if (is_null(self::$m_oUser))
+		{
+			return '';
+		}
+		else
+		{
+			return self::$m_oUser->Get('login');
+		}
 	}

 	public static function GetUserLanguage()
 	{
-		return self::$m_sUserLanguage;
+		if (is_null(self::$m_oUser))
+		{
+			return 'EN US';
+		
+		}
+		else
+		{
+			return self::$m_oUser->Get('language');
+		}
 	}

 	public static function GetUserId($sName = '')
@@ -203,33 +362,66 @@ class UserRights
 		if (empty($sName))
 		{
 			// return current user id
-			return self::$m_iUserId;
+			if (is_null(self::$m_oUser))
+			{
+				return null;
+			}
+			return self::$m_oUser->GetKey();
 		}
 		else
 		{
 			// find the id out of the login string
-			return self::$m_oAddOn->GetUserId($sName);
+			$oUser = self::$m_oAddOn->FindUser($sName);
+			if (is_null($oUser))
+			{
+				return null;
+			}
+			return $oUser->GetKey();
 		}
 	}

 	public static function GetContactId($sName = '')
 	{
-		// note: returns null if the user management module is not related to the business data model
 		if (empty($sName))
 		{
-			$sName = self::$m_sUser;
+			$oUser = self::$m_oUser;
 		}
-		return self::$m_oAddOn->GetContactId($sName);
+		else
+		{
+			$oUser = FindUser($sName);
+		}
+		if (is_null($oUser))
+		{
+			return '';
+		}
+		return $oUser->Get('contactid');
+	}
+
+	public static function IsImpersonated()
+	{
+		if (is_null(self::$m_oRealUser))
+		{
+			return false;
+		}
+		return true;
 	}

 	public static function GetRealUser()
 	{
-		return self::$m_sRealUser;
+		if (is_null(self::$m_oRealUser))
+		{
+			return '';
+		}
+		return self::$m_oRealUser->Get('login');
 	}

 	public static function GetRealUserId()
 	{
-		return self::$m_iRealUserId;
+		if (is_null(self::$m_oRealUser))
+		{
+			return '';
+		}
+		return self::$m_oRealUser->GetKey();
 	}

 	protected static function CheckLogin()
@@ -242,7 +434,6 @@ class UserRights
 		return true;
 	}

-
 	public static function GetFilter($sClass)
 	{
 		if (!self::CheckLogin()) return false;
@@ -254,13 +445,13 @@ class UserRights
 		// the rest is allowed (#@# to be improved)
 		if (!MetaModel::HasCategory($sClass, 'bizmodel')) return new DBObjectSearch($sClass);

-		return self::$m_oAddOn->GetFilter(self::$m_iUserId, $sClass);
+		return self::$m_oAddOn->GetFilter(self::$m_oUser->GetKey(), $sClass);
 	}

-	public static function IsActionAllowed($sClass, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null, $iUserId = null)
+	public static function IsActionAllowed($sClass, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null, $oUser = null)
 	{
 		if (!self::CheckLogin()) return false;
-		if (self::IsAdministrator($iUserId)) return true;
+		if (self::IsAdministrator($oUser)) return true;

 		// this module is forbidden for non admins
 		if (MetaModel::HasCategory($sClass, 'addon/userrights')) return false;
@@ -268,20 +459,17 @@ class UserRights
 		// the rest is allowed (#@# to be improved)
 		if (!MetaModel::HasCategory($sClass, 'bizmodel')) return true;

-		if (is_null($iUserId))
+		if (is_null($oUser))
 		{
-			return self::$m_oAddOn->IsActionAllowed(self::$m_iUserId, $sClass, $iActionCode, $oInstanceSet);
-		}
-		else
-		{
-			return self::$m_oAddOn->IsActionAllowed($iUserId, $sClass, $iActionCode, $oInstanceSet);
+			$oUser = self::$m_oUser;
 		}
+		return self::$m_oAddOn->IsActionAllowed($oUser, $sClass, $iActionCode, $oInstanceSet);
 	}

-	public static function IsStimulusAllowed($sClass, $sStimulusCode, /*dbObjectSet*/ $oInstanceSet = null, $iUserId = null)
+	public static function IsStimulusAllowed($sClass, $sStimulusCode, /*dbObjectSet*/ $oInstanceSet = null, $oUser = null)
 	{
 		if (!self::CheckLogin()) return false;
-		if (self::IsAdministrator($iUserId)) return true;
+		if (self::IsAdministrator($oUser)) return true;

 		// this module is forbidden for non admins
 		if (MetaModel::HasCategory($sClass, 'addon/userrights')) return false;
@@ -289,20 +477,17 @@ class UserRights
 		// the rest is allowed (#@# to be improved)
 		if (!MetaModel::HasCategory($sClass, 'bizmodel')) return true;

-		if (is_null($iUserId))
+		if (is_null($oUser))
 		{
-			return self::$m_oAddOn->IsStimulusAllowed(self::$m_iUserId, $sClass, $sStimulusCode, $oInstanceSet);
-		}
-		else
-		{
-			return self::$m_oAddOn->IsStimulusAllowed($iUserId, $sClass, $sStimulusCode, $oInstanceSet);
+			$oUser = self::$m_oUser;
 		}
+		return self::$m_oAddOn->IsStimulusAllowed($oUser, $sClass, $sStimulusCode, $oInstanceSet);
 	}

-	public static function IsActionAllowedOnAttribute($sClass, $sAttCode, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null, $iUserId = null)
+	public static function IsActionAllowedOnAttribute($sClass, $sAttCode, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null, $oUser = null)
 	{
 		if (!self::CheckLogin()) return false;
-		if (self::IsAdministrator($iUserId)) return true;
+		if (self::IsAdministrator($oUser)) return true;

 		// this module is forbidden for non admins
 		if (MetaModel::HasCategory($sClass, 'addon/userrights')) return false;
@@ -310,28 +495,22 @@ class UserRights
 		// the rest is allowed (#@# to be improved)
 		if (!MetaModel::HasCategory($sClass, 'bizmodel')) return true;

-		if (is_null($iUserId))
+		if (is_null($oUser))
 		{
-			return self::$m_oAddOn->IsActionAllowedOnAttribute(self::$m_iUserId, $sClass, $sAttCode, $iActionCode, $oInstanceSet);
-		}
-		else
-		{
-			return self::$m_oAddOn->IsActionAllowedOnAttribute($iUserId, $sClass, $sAttCode, $iActionCode, $oInstanceSet);
+			$oUser = self::$m_oUser;
 		}
+		return self::$m_oAddOn->IsActionAllowedOnAttribute($oUser, $sClass, $sAttCode, $iActionCode, $oInstanceSet);
 	}

-	public static function IsAdministrator($iUserId = null)
+	public static function IsAdministrator($oUser = null)
 	{
 		if (!self::CheckLogin()) return false;

-		if (is_null($iUserId))
+		if (is_null($oUser))
 		{
-			return self::$m_oAddOn->IsAdministrator(self::$m_iUserId);
-		}
-		else
-		{
-			return self::$m_oAddOn->IsAdministrator($iUserId);
+			$oUser = self::$m_oUser;
 		}
+		return self::$m_oAddOn->IsAdministrator($oUser);
 	}

 	public static function FlushPrivileges()
@@ -339,6 +518,22 @@ class UserRights
 		return self::$m_oAddOn->FlushPrivileges();
 	}

+	static $m_aCacheUsers;
+	protected static function FindUser($sLogin)
+	{
+		if (!isset(self::$m_aCacheUsers))
+		{
+			self::$m_aCacheUsers = array();
+		}
+		if (!isset(self::$m_aCacheUsers[$sLogin]))
+		{
+			$oSearch = DBObjectSearch::FromOQL("SELECT User WHERE login = :login");
+			$oSet = new DBObjectSet($oSearch, array(), array('login' => $sLogin));
+			$oUser = $oSet->fetch();
+			self::$m_aCacheUsers[$sLogin] = $oUser;
+		}
+		return self::$m_aCacheUsers[$sLogin];
+	}
 }


--- a/dictionaries/dictionary.itop.ui.php
+++ b/dictionaries/dictionary.itop.ui.php
@@ -115,32 +115,59 @@ Dict::Add('EN US', 'English', 'English', array(
 //

 //
-// Class: URP_Users
+// Class: User
 //

 Dict::Add('EN US', 'English', 'English', array(
-	'Class:URP_Users' => 'User',
-	'Class:URP_Users+' => 'Users and credentials',
-	'Class:URP_Users/Attribute:userid' => 'Contact (person)',
-	'Class:URP_Users/Attribute:userid+' => 'Personal details from the business data',
-	'Class:URP_Users/Attribute:last_name' => 'Last name',
-	'Class:URP_Users/Attribute:last_name+' => 'Name of the corresponding contact',
-	'Class:URP_Users/Attribute:first_name' => 'First name',
-	'Class:URP_Users/Attribute:first_name+' => 'First name of the corresponding contact',
-	'Class:URP_Users/Attribute:email' => 'Email',
-	'Class:URP_Users/Attribute:email+' => 'Email of the corresponding contact',
-	'Class:URP_Users/Attribute:login' => 'Login',
-	'Class:URP_Users/Attribute:login+' => 'user identification string',
-	'Class:URP_Users/Attribute:password' => 'Password',
-	'Class:URP_Users/Attribute:password+' => 'user authentication string',
-	'Class:URP_Users/Attribute:language' => 'Language',
-	'Class:URP_Users/Attribute:language+' => 'user language',
-	'Class:URP_Users/Attribute:language/Value:EN US' => 'English',
-	'Class:URP_Users/Attribute:language/Value:EN US+' => 'English U.S.',
-	'Class:URP_Users/Attribute:language/Value:FR FR' => 'French',
-	'Class:URP_Users/Attribute:language/Value:FR FR+' => 'FR FR',
-	'Class:URP_Users/Attribute:profile_list' => 'Profiles',
-	'Class:URP_Users/Attribute:profile_list+' => 'Roles, granting rights for that person',
+	'Class:User' => 'User',
+	'Class:User+' => 'User login',
+	'Class:User/Attribute:contactid' => 'Contact (person)',
+	'Class:User/Attribute:contactid+' => 'Personal details from the business data',
+	'Class:User/Attribute:last_name' => 'Last name',
+	'Class:User/Attribute:last_name+' => 'Name of the corresponding contact',
+	'Class:User/Attribute:first_name' => 'First name',
+	'Class:User/Attribute:first_name+' => 'First name of the corresponding contact',
+	'Class:User/Attribute:email' => 'Email',
+	'Class:User/Attribute:email+' => 'Email of the corresponding contact',
+	'Class:User/Attribute:login' => 'Login',
+	'Class:User/Attribute:login+' => 'user identification string',
+	'Class:User/Attribute:language' => 'Language',
+	'Class:User/Attribute:language+' => 'user language',
+	'Class:User/Attribute:language/Value:EN US' => 'English',
+	'Class:User/Attribute:language/Value:EN US+' => 'English U.S.',
+	'Class:User/Attribute:language/Value:FR FR' => 'French',
+	'Class:User/Attribute:language/Value:FR FR+' => 'FR FR',
+	'Class:User/Attribute:profile_list' => 'Profiles',
+	'Class:User/Attribute:profile_list+' => 'Roles, granting rights for that person',
+));
+
+//
+// Class: UserLocal
+//
+
+Dict::Add('EN US', 'English', 'English', array(
+	'Class:UserLocal' => 'iTop user',
+	'Class:UserLocal+' => 'User authentified by iTop',
+	'Class:UserLocal/Attribute:contactid' => 'Contact (person)',
+	'Class:UserLocal/Attribute:contactid+' => 'Personal details from the business data',
+	'Class:UserLocal/Attribute:last_name' => 'Last name',
+	'Class:UserLocal/Attribute:last_name+' => 'Name of the corresponding contact',
+	'Class:UserLocal/Attribute:first_name' => 'First name',
+	'Class:UserLocal/Attribute:first_name+' => 'First name of the corresponding contact',
+	'Class:UserLocal/Attribute:email' => 'Email',
+	'Class:UserLocal/Attribute:email+' => 'Email of the corresponding contact',
+	'Class:UserLocal/Attribute:login' => 'Login',
+	'Class:UserLocal/Attribute:login+' => 'user identification string',
+	'Class:UserLocal/Attribute:password' => 'Password',
+	'Class:UserLocal/Attribute:password+' => 'user authentication string',
+	'Class:UserLocal/Attribute:language' => 'Language',
+	'Class:UserLocal/Attribute:language+' => 'user language',
+	'Class:UserLocal/Attribute:language/Value:EN US' => 'English',
+	'Class:UserLocal/Attribute:language/Value:EN US+' => 'English U.S.',
+	'Class:UserLocal/Attribute:language/Value:FR FR' => 'French',
+	'Class:UserLocal/Attribute:language/Value:FR FR+' => 'FR FR',
+	'Class:UserLocal/Attribute:profile_list' => 'Profiles',
+	'Class:UserLocal/Attribute:profile_list+' => 'Roles, granting rights for that person',
 ));

 //
--- a/dictionaries/fr.dictionary.itop.ui.php
+++ b/dictionaries/fr.dictionary.itop.ui.php
@@ -115,26 +115,47 @@ Dict::Add('FR FR', 'French', 'Français', array(
 //

 //
-// Class: URP_Users
+// Class: User
 //

 Dict::Add('FR FR', 'French', 'Français', array(
-	'Class:URP_Users' => 'Compte utilisateur',
-	'Class:URP_Users+' => 'Login utilisateur',
-	'Class:URP_Users/Attribute:userid' => 'Contact (personne)',
-	'Class:URP_Users/Attribute:userid+' => '',
-	'Class:URP_Users/Attribute:last_name' => 'Nom',
-	'Class:URP_Users/Attribute:last_name+' => '',
-	'Class:URP_Users/Attribute:first_name' => 'Prénom',
-	'Class:URP_Users/Attribute:first_name+' => '',
-	'Class:URP_Users/Attribute:email' => 'Adresse email',
-	'Class:URP_Users/Attribute:email+' => '',
-	'Class:URP_Users/Attribute:login' => 'Login',
-	'Class:URP_Users/Attribute:login+' => '',
-	'Class:URP_Users/Attribute:password' => 'Mot de passe',
-	'Class:URP_Users/Attribute:password+' => '',
-	'Class:URP_Users/Attribute:profile_list' => 'Profils',
-	'Class:URP_Users/Attribute:profile_list+' => 'Rôles, ouvrants les droits d\'accès',
+	'Class:User' => 'Compte utilisateur',
+	'Class:User+' => 'Login utilisateur',
+	'Class:User/Attribute:contactid' => 'Contact (personne)',
+	'Class:User/Attribute:contactid+' => '',
+	'Class:User/Attribute:last_name' => 'Nom',
+	'Class:User/Attribute:last_name+' => '',
+	'Class:User/Attribute:first_name' => 'Prénom',
+	'Class:User/Attribute:first_name+' => '',
+	'Class:User/Attribute:email' => 'Adresse email',
+	'Class:User/Attribute:email+' => '',
+	'Class:User/Attribute:login' => 'Login',
+	'Class:User/Attribute:login+' => '',
+	'Class:User/Attribute:profile_list' => 'Profils',
+	'Class:User/Attribute:profile_list+' => 'Rôles, ouvrants les droits d\'accès',
+));
+
+//
+// Class: UserLocal
+//
+
+Dict::Add('FR FR', 'French', 'Français', array(
+	'Class:UserLocal' => 'Utilisateur iTop',
+	'Class:UserLocal+' => 'Utilisateur authentifié par iTop',
+	'Class:UserLocal/Attribute:contactid' => 'Contact (personne)',
+	'Class:UserLocal/Attribute:contactid+' => '',
+	'Class:UserLocal/Attribute:last_name' => 'Nom',
+	'Class:UserLocal/Attribute:last_name+' => '',
+	'Class:UserLocal/Attribute:first_name' => 'Prénom',
+	'Class:UserLocal/Attribute:first_name+' => '',
+	'Class:UserLocal/Attribute:email' => 'Adresse email',
+	'Class:UserLocal/Attribute:email+' => '',
+	'Class:UserLocal/Attribute:login' => 'Login',
+	'Class:UserLocal/Attribute:login+' => '',
+	'Class:UserLocal/Attribute:password' => 'Mot de passe',
+	'Class:UserLocal/Attribute:password+' => '',
+	'Class:UserLocal/Attribute:profile_list' => 'Profils',
+	'Class:UserLocal/Attribute:profile_list+' => 'Rôles, ouvrants les droits d\'accès',
 ));

 //
--- a/pages/UI.php
+++ b/pages/UI.php
@@ -127,7 +127,7 @@ function DeleteObjects(WebPage $oP, $sClass, $aObjects, $bDeleteConfirmed)
 		//
 		$oMyChange = MetaModel::NewObject("CMDBChange");
 		$oMyChange->Set("date", time());
-		if (UserRights::GetUser() != UserRights::GetRealUser())
+		if (UserRights::IsImpersonated())
 		{
 			$sUserString = Dict::Format('UI:Archive_User_OnBehalfOf_User', UserRights::GetRealUser(), UserRights::GetUser());
 		}
@@ -836,7 +836,7 @@ try
 					{
 						$oMyChange = MetaModel::NewObject("CMDBChange");
 						$oMyChange->Set("date", time());
-						if (UserRights::GetUser() != UserRights::GetRealUser())
+						if (UserRights::IsImpersonated())
 						{
 							$sUserString = Dict::Format('UI:Archive_User_OnBehalfOf_User', UserRights::GetRealUser(), UserRights::GetUser());
 						}
@@ -942,7 +942,7 @@ try
 				$oObj = $oContext->GetObject($sClass, $iCloneId);
 				$oMyChange = MetaModel::NewObject("CMDBChange");
 				$oMyChange->Set("date", time());
-				if (UserRights::GetUser() != UserRights::GetRealUser())
+				if (UserRights::IsImpersonated())
 				{
 					$sUserString = Dict::Format('UI:Archive_User_OnBehalfOf_User', UserRights::GetRealUser(), UserRights::GetUser());
 				}
@@ -985,7 +985,7 @@ try
 			$sClassLabel = MetaModel::GetName($sClass);
 			$oMyChange = MetaModel::NewObject("CMDBChange");
 			$oMyChange->Set("date", time());
-			if (UserRights::GetUser() != UserRights::GetRealUser())
+			if (UserRights::IsImpersonated())
 			{
 				$sUserString = Dict::Format('UI:Archive_User_OnBehalfOf_User', UserRights::GetRealUser(), UserRights::GetUser());
 			}
@@ -1019,7 +1019,7 @@ try
 				$sClassLabel = MetaModel::GetName($sClass);
 				$oMyChange = MetaModel::NewObject("CMDBChange");
 				$oMyChange->Set("date", time());
-				if (UserRights::GetUser() != UserRights::GetRealUser())
+				if (UserRights::IsImpersonated())
 				{
 					$sUserString = Dict::Format('UI:Archive_User_OnBehalfOf_User', UserRights::GetRealUser(), UserRights::GetUser());
 				}
@@ -1177,7 +1177,7 @@ EOF
 				{
 					$oMyChange = MetaModel::NewObject("CMDBChange");
 					$oMyChange->Set("date", time());
-					if (UserRights::GetUser() != UserRights::GetRealUser())
+					if (UserRights::IsImpersonated())
 					{
 						$sUserString = Dict::Format('UI:Archive_User_OnBehalfOf_User', UserRights::GetRealUser(), UserRights::GetUser());
 					}
@@ -1229,7 +1229,7 @@ EOF
 		$sLinkingAttCode = utils::ReadParam('linking_attcode', '', 'post');
 		$oMyChange = MetaModel::NewObject("CMDBChange");
 		$oMyChange->Set("date", time());
-		if (UserRights::GetUser() != UserRights::GetRealUser())
+		if (UserRights::IsImpersonated())
 		{
 			$sUserString = Dict::Format('UI:Archive_User_OnBehalfOf_User', UserRights::GetRealUser(), UserRights::GetUser());
 		}
--- a/setup/benchmark.php
+++ b/setup/benchmark.php
@@ -129,12 +129,12 @@ class BenchmarkDataCreation
 		// User login
 		//
 		$aData = array(
-			'userid' => self::FindId('bizPerson'),
+			'contactid' => self::FindId('bizPerson'),
 			'login' => 'foo',
 			'password' => 'foo',
 			'language' => 'EN US',
 		);
-		$iLogin = $this->CreateObject('URP_Users', $aData, $oChange);
+		$iLogin = $this->CreateObject('User', $aData, $oChange);

 		// Assign profiles to the new login
 		//
--- a/setup/index.php
+++ b/setup/index.php
@@ -360,6 +360,7 @@ function InitDataModel(SetupWebPage $oP, $sConfigFileName, $bModelOnly = true)
 	require_once('../core/dbobject.class.php');
 	require_once('../core/dbobjectsearch.class.php');
 	require_once('../core/dbobjectset.class.php');
+	require_once('../application/cmdbabstract.class.inc.php');
 	require_once('../core/userrights.class.inc.php');
 	$oP->log("Info - MetaModel::Startup from file '$sConfigFileName' (ModelOnly = $bModelOnly)");

--- a/setup/xmldataloader.class.inc.php
+++ b/setup/xmldataloader.class.inc.php
@@ -100,6 +100,7 @@ class XMLDataLoader
 		require_once('../core/dbobject.class.php');
 		require_once('../core/dbobjectsearch.class.php');
 		require_once('../core/dbobjectset.class.php');
+		require_once('../application/cmdbabstract.class.inc.php');
 		require_once('../core/userrights.class.inc.php');
 		MetaModel::Startup($sConfigFileName);
 	}