mirror of
https://github.com/Combodo/iTop.git
synced 2026-04-23 10:38:45 +02:00
7dbbb1c299
#439 Make sure that changes made by a plugin get recorded + simplified the change tracking for the plugins. Simply call DBObject::DBInsert (resp. Update and Delete) and the change will be recorded for the current page. This is compatible with the old (not mandatory anymore) way that was requiring DBInsertTracked APIs (resp. Update, Delete). SVN:trunk[2236]
861 lines
30 KiB
PHP
861 lines
30 KiB
PHP
<?php
|
|
// Copyright (C) 2010 Combodo SARL
|
|
//
|
|
// This program is free software; you can redistribute it and/or modify
|
|
// it under the terms of the GNU General Public License as published by
|
|
// the Free Software Foundation; version 3 of the License.
|
|
//
|
|
// This program is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU General Public License
|
|
// along with this program; if not, write to the Free Software
|
|
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
|
|
/**
|
|
* UserRightsProfile
|
|
* User management Module, basing the right on profiles and a matrix (similar to UserRightsMatrix, but profiles and other decorations have been added)
|
|
*
|
|
* @author Erwan Taloc <erwan.taloc@combodo.com>
|
|
* @author Romain Quetiez <romain.quetiez@combodo.com>
|
|
* @author Denis Flaven <denis.flaven@combodo.com>
|
|
* @license http://www.opensource.org/licenses/gpl-3.0.html LGPL
|
|
*/
|
|
|
|
define('ADMIN_PROFILE_NAME', 'Administrator');
|
|
define('PORTAL_PROFILE_NAME', 'Portal user');
|
|
|
|
class UserRightsBaseClassGUI extends cmdbAbstractObject
|
|
{
|
|
// Whenever something changes, reload the privileges
|
|
|
|
protected function AfterInsert()
|
|
{
|
|
UserRights::FlushPrivileges();
|
|
}
|
|
|
|
protected function AfterUpdate()
|
|
{
|
|
UserRights::FlushPrivileges();
|
|
}
|
|
|
|
protected function AfterDelete()
|
|
{
|
|
UserRights::FlushPrivileges();
|
|
}
|
|
}
|
|
|
|
|
|
class URP_Profiles extends UserRightsBaseClassGUI
|
|
{
|
|
public static function Init()
|
|
{
|
|
$aParams = array
|
|
(
|
|
"category" => "addon/userrights",
|
|
"key_type" => "autoincrement",
|
|
"name_attcode" => "name",
|
|
"state_attcode" => "",
|
|
"reconc_keys" => array(),
|
|
"db_table" => "priv_urp_profiles",
|
|
"db_key_field" => "id",
|
|
"db_finalclass_field" => "",
|
|
"display_template" => "",
|
|
);
|
|
MetaModel::Init_Params($aParams);
|
|
//MetaModel::Init_InheritAttributes();
|
|
MetaModel::Init_AddAttribute(new AttributeString("name", array("allowed_values"=>null, "sql"=>"name", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array())));
|
|
MetaModel::Init_AddAttribute(new AttributeString("description", array("allowed_values"=>null, "sql"=>"description", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array())));
|
|
|
|
MetaModel::Init_AddAttribute(new AttributeLinkedSetIndirect("user_list", array("linked_class"=>"URP_UserProfile", "ext_key_to_me"=>"profileid", "ext_key_to_remote"=>"userid", "allowed_values"=>null, "count_min"=>1, "count_max"=>0, "depends_on"=>array())));
|
|
|
|
// Display lists
|
|
MetaModel::Init_SetZListItems('details', array('name', 'description', 'user_list')); // Attributes to be displayed for the complete details
|
|
MetaModel::Init_SetZListItems('list', array('description')); // Attributes to be displayed for a list
|
|
// Search criteria
|
|
MetaModel::Init_SetZListItems('standard_search', array('name')); // Criteria of the std search form
|
|
MetaModel::Init_SetZListItems('advanced_search', array('name')); // Criteria of the advanced search form
|
|
}
|
|
|
|
protected static $m_aCacheProfiles = null;
|
|
|
|
public static function DoCreateProfile($sName, $sDescription)
|
|
{
|
|
if (is_null(self::$m_aCacheProfiles))
|
|
{
|
|
self::$m_aCacheProfiles = array();
|
|
$oFilterAll = new DBObjectSearch('URP_Profiles');
|
|
$oSet = new DBObjectSet($oFilterAll);
|
|
while ($oProfile = $oSet->Fetch())
|
|
{
|
|
self::$m_aCacheProfiles[$oProfile->Get('name')] = $oProfile->GetKey();
|
|
}
|
|
}
|
|
|
|
$sCacheKey = $sName;
|
|
if (isset(self::$m_aCacheProfiles[$sCacheKey]))
|
|
{
|
|
return self::$m_aCacheProfiles[$sCacheKey];
|
|
}
|
|
$oNewObj = MetaModel::NewObject("URP_Profiles");
|
|
$oNewObj->Set('name', $sName);
|
|
$oNewObj->Set('description', $sDescription);
|
|
$iId = $oNewObj->DBInsertNoReload();
|
|
self::$m_aCacheProfiles[$sCacheKey] = $iId;
|
|
return $iId;
|
|
}
|
|
|
|
function GetGrantAsHtml($oUserRights, $sClass, $sAction)
|
|
{
|
|
$bGrant = $oUserRights->GetProfileActionGrant($this->GetKey(), $sClass, $sAction);
|
|
if (is_null($bGrant))
|
|
{
|
|
return '<span style="background-color: #ffdddd;">'.Dict::S('UI:UserManagement:ActionAllowed:No').'</span>';
|
|
}
|
|
elseif ($bGrant)
|
|
{
|
|
return '<span style="background-color: #ddffdd;">'.Dict::S('UI:UserManagement:ActionAllowed:Yes').'</span>';
|
|
}
|
|
else
|
|
{
|
|
return '<span style="background-color: #ffdddd;">'.Dict::S('UI:UserManagement:ActionAllowed:No').'</span>';
|
|
}
|
|
}
|
|
|
|
function DoShowGrantSumary($oPage)
|
|
{
|
|
if ($this->GetRawName() == "Administrator")
|
|
{
|
|
// Looks dirty, but ok that's THE ONE
|
|
$oPage->p(Dict::S('UI:UserManagement:AdminProfile+'));
|
|
return;
|
|
}
|
|
|
|
// Note: for sure, we assume that the instance is derived from UserRightsProfile
|
|
$oUserRights = UserRights::GetModuleInstance();
|
|
|
|
$aDisplayData = array();
|
|
foreach (MetaModel::GetClasses('bizmodel') as $sClass)
|
|
{
|
|
// Skip non instantiable classes
|
|
if (MetaModel::IsAbstract($sClass)) continue;
|
|
|
|
$aStimuli = array();
|
|
foreach (MetaModel::EnumStimuli($sClass) as $sStimulusCode => $oStimulus)
|
|
{
|
|
$bGrant = $oUserRights->GetClassStimulusGrant($this->GetKey(), $sClass, $sStimulusCode);
|
|
if ($bGrant === true)
|
|
{
|
|
$aStimuli[] = '<span title="'.$sStimulusCode.': '.htmlentities($oStimulus->GetDescription(), ENT_QUOTES, 'UTF-8').'">'.htmlentities($oStimulus->GetLabel(), ENT_QUOTES, 'UTF-8').'</span>';
|
|
}
|
|
}
|
|
$sStimuli = implode(', ', $aStimuli);
|
|
|
|
$aDisplayData[] = array(
|
|
'class' => MetaModel::GetName($sClass),
|
|
'read' => $this->GetGrantAsHtml($oUserRights, $sClass, 'r'),
|
|
'bulkread' => $this->GetGrantAsHtml($oUserRights, $sClass, 'br'),
|
|
'write' => $this->GetGrantAsHtml($oUserRights, $sClass, 'w'),
|
|
'bulkwrite' => $this->GetGrantAsHtml($oUserRights, $sClass, 'bw'),
|
|
'delete' => $this->GetGrantAsHtml($oUserRights, $sClass, 'd'),
|
|
'bulkdelete' => $this->GetGrantAsHtml($oUserRights, $sClass, 'bd'),
|
|
'stimuli' => $sStimuli,
|
|
);
|
|
}
|
|
|
|
$aDisplayConfig = array();
|
|
$aDisplayConfig['class'] = array('label' => Dict::S('UI:UserManagement:Class'), 'description' => Dict::S('UI:UserManagement:Class+'));
|
|
$aDisplayConfig['read'] = array('label' => Dict::S('UI:UserManagement:Action:Read'), 'description' => Dict::S('UI:UserManagement:Action:Read+'));
|
|
$aDisplayConfig['bulkread'] = array('label' => Dict::S('UI:UserManagement:Action:BulkRead'), 'description' => Dict::S('UI:UserManagement:Action:BulkRead+'));
|
|
$aDisplayConfig['write'] = array('label' => Dict::S('UI:UserManagement:Action:Modify'), 'description' => Dict::S('UI:UserManagement:Action:Modify+'));
|
|
$aDisplayConfig['bulkwrite'] = array('label' => Dict::S('UI:UserManagement:Action:BulkModify'), 'description' => Dict::S('UI:UserManagement:Action:BulkModify+'));
|
|
$aDisplayConfig['delete'] = array('label' => Dict::S('UI:UserManagement:Action:Delete'), 'description' => Dict::S('UI:UserManagement:Action:Delete+'));
|
|
$aDisplayConfig['bulkdelete'] = array('label' => Dict::S('UI:UserManagement:Action:BulkDelete'), 'description' => Dict::S('UI:UserManagement:Action:BulkDelete+'));
|
|
$aDisplayConfig['stimuli'] = array('label' => Dict::S('UI:UserManagement:Action:Stimuli'), 'description' => Dict::S('UI:UserManagement:Action:Stimuli+'));
|
|
$oPage->table($aDisplayConfig, $aDisplayData);
|
|
}
|
|
|
|
function DisplayBareRelations(WebPage $oPage, $bEditMode = false)
|
|
{
|
|
parent::DisplayBareRelations($oPage, $bEditMode);
|
|
if (!$bEditMode)
|
|
{
|
|
$oPage->SetCurrentTab(Dict::S('UI:UserManagement:GrantMatrix'));
|
|
$this->DoShowGrantSumary($oPage);
|
|
}
|
|
}
|
|
|
|
public static function GetReadOnlyAttributes()
|
|
{
|
|
return array('name', 'description');
|
|
}
|
|
|
|
|
|
// returns an array of id => array of column => php value(so-called "real value")
|
|
public static function GetPredefinedObjects()
|
|
{
|
|
return ProfilesConfig::GetProfilesValues();
|
|
}
|
|
|
|
// Before deleting a profile,
|
|
// preserve DB integrity by deleting links to users
|
|
protected function OnDelete()
|
|
{
|
|
// Note: this may break the rule that says: "a user must have at least ONE profile" !
|
|
$oLnkSet = $this->Get('user_list');
|
|
while($oLnk = $oLnkSet->Fetch())
|
|
{
|
|
$oLnk->DBDelete();
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
|
|
class URP_UserProfile extends UserRightsBaseClassGUI
|
|
{
|
|
public static function Init()
|
|
{
|
|
$aParams = array
|
|
(
|
|
"category" => "addon/userrights",
|
|
"key_type" => "autoincrement",
|
|
"name_attcode" => "userid",
|
|
"state_attcode" => "",
|
|
"reconc_keys" => array(),
|
|
"db_table" => "priv_urp_userprofile",
|
|
"db_key_field" => "id",
|
|
"db_finalclass_field" => "",
|
|
"display_template" => "",
|
|
);
|
|
MetaModel::Init_Params($aParams);
|
|
//MetaModel::Init_InheritAttributes();
|
|
MetaModel::Init_AddAttribute(new AttributeExternalKey("userid", array("targetclass"=>"User", "jointype"=> "", "allowed_values"=>null, "sql"=>"userid", "is_null_allowed"=>false, "on_target_delete"=>DEL_AUTO, "depends_on"=>array())));
|
|
MetaModel::Init_AddAttribute(new AttributeExternalField("userlogin", array("allowed_values"=>null, "extkey_attcode"=> 'userid', "target_attcode"=>"login")));
|
|
|
|
MetaModel::Init_AddAttribute(new AttributeExternalKey("profileid", array("targetclass"=>"URP_Profiles", "jointype"=> "", "allowed_values"=>null, "sql"=>"profileid", "is_null_allowed"=>false, "on_target_delete"=>DEL_AUTO, "depends_on"=>array())));
|
|
MetaModel::Init_AddAttribute(new AttributeExternalField("profile", array("allowed_values"=>null, "extkey_attcode"=> 'profileid', "target_attcode"=>"name")));
|
|
|
|
MetaModel::Init_AddAttribute(new AttributeString("reason", array("allowed_values"=>null, "sql"=>"description", "default_value"=>null, "is_null_allowed"=>true, "depends_on"=>array())));
|
|
|
|
// Display lists
|
|
MetaModel::Init_SetZListItems('details', array('userid', 'profileid', 'reason')); // Attributes to be displayed for the complete details
|
|
MetaModel::Init_SetZListItems('list', array('userid', 'profileid', 'reason')); // Attributes to be displayed for a list
|
|
// Search criteria
|
|
MetaModel::Init_SetZListItems('standard_search', array('userid', 'profileid')); // Criteria of the std search form
|
|
MetaModel::Init_SetZListItems('advanced_search', array('userid', 'profileid')); // Criteria of the advanced search form
|
|
}
|
|
|
|
public function GetName()
|
|
{
|
|
return Dict::Format('UI:UserManagement:LinkBetween_User_And_Profile', $this->Get('userlogin'), $this->Get('profile'));
|
|
}
|
|
}
|
|
|
|
class URP_UserOrg extends UserRightsBaseClassGUI
|
|
{
|
|
public static function Init()
|
|
{
|
|
$aParams = array
|
|
(
|
|
"category" => "addon/userrights",
|
|
"key_type" => "autoincrement",
|
|
"name_attcode" => "userid",
|
|
"state_attcode" => "",
|
|
"reconc_keys" => array(),
|
|
"db_table" => "priv_urp_userorg",
|
|
"db_key_field" => "id",
|
|
"db_finalclass_field" => "",
|
|
"display_template" => "",
|
|
);
|
|
MetaModel::Init_Params($aParams);
|
|
//MetaModel::Init_InheritAttributes();
|
|
MetaModel::Init_AddAttribute(new AttributeExternalKey("userid", array("targetclass"=>"User", "jointype"=> "", "allowed_values"=>null, "sql"=>"userid", "is_null_allowed"=>false, "on_target_delete"=>DEL_AUTO, "depends_on"=>array())));
|
|
MetaModel::Init_AddAttribute(new AttributeExternalField("userlogin", array("allowed_values"=>null, "extkey_attcode"=> 'userid', "target_attcode"=>"login")));
|
|
|
|
MetaModel::Init_AddAttribute(new AttributeExternalKey("allowed_org_id", array("targetclass"=>"Organization", "jointype"=> "", "allowed_values"=>null, "sql"=>"allowed_org_id", "is_null_allowed"=>false, "on_target_delete"=>DEL_AUTO, "depends_on"=>array())));
|
|
MetaModel::Init_AddAttribute(new AttributeExternalField("allowed_org_name", array("allowed_values"=>null, "extkey_attcode"=> 'allowed_org_id', "target_attcode"=>"name")));
|
|
|
|
MetaModel::Init_AddAttribute(new AttributeString("reason", array("allowed_values"=>null, "sql"=>"reason", "default_value"=>null, "is_null_allowed"=>true, "depends_on"=>array())));
|
|
|
|
// Display lists
|
|
MetaModel::Init_SetZListItems('details', array('userid', 'allowed_org_id', 'reason')); // Attributes to be displayed for the complete details
|
|
MetaModel::Init_SetZListItems('list', array('allowed_org_id', 'reason')); // Attributes to be displayed for a list
|
|
// Search criteria
|
|
MetaModel::Init_SetZListItems('standard_search', array('userid', 'allowed_org_id')); // Criteria of the std search form
|
|
MetaModel::Init_SetZListItems('advanced_search', array('userid', 'allowed_org_id')); // Criteria of the advanced search form
|
|
}
|
|
|
|
public function GetName()
|
|
{
|
|
return Dict::Format('UI:UserManagement:LinkBetween_User_And_Org', $this->Get('userlogin'), $this->Get('allowed_org_name'));
|
|
}
|
|
}
|
|
|
|
|
|
|
|
|
|
class UserRightsProfile extends UserRightsAddOnAPI
|
|
{
|
|
static public $m_aActionCodes = array(
|
|
UR_ACTION_READ => 'r',
|
|
UR_ACTION_MODIFY => 'w',
|
|
UR_ACTION_DELETE => 'd',
|
|
UR_ACTION_BULK_READ => 'br',
|
|
UR_ACTION_BULK_MODIFY => 'bw',
|
|
UR_ACTION_BULK_DELETE => 'bd',
|
|
);
|
|
|
|
// Installation: create the very first user
|
|
public function CreateAdministrator($sAdminUser, $sAdminPwd, $sLanguage = 'EN US')
|
|
{
|
|
CMDBObject::SetTrackInfo('Initialization');
|
|
|
|
$oChange = CMDBObject::GetCurrentChange();
|
|
|
|
$iContactId = 0;
|
|
// Support drastic data model changes: no organization class (or not writable)!
|
|
if (MetaModel::IsValidClass('Organization') && !MetaModel::IsAbstract('Organization'))
|
|
{
|
|
$oOrg = new Organization();
|
|
$oOrg->Set('name', 'My Company/Department');
|
|
$oOrg->Set('code', 'SOMECODE');
|
|
$iOrgId = $oOrg->DBInsertTrackedNoReload($oChange, true /* skip security */);
|
|
|
|
// Support drastic data model changes: no Person class (or not writable)!
|
|
if (MetaModel::IsValidClass('Person') && !MetaModel::IsAbstract('Person'))
|
|
{
|
|
$oContact = new Person();
|
|
$oContact->Set('name', 'My last name');
|
|
$oContact->Set('first_name', 'My first name');
|
|
if (MetaModel::IsValidAttCode('Person', 'org_id'))
|
|
{
|
|
$oContact->Set('org_id', $iOrgId);
|
|
}
|
|
if (MetaModel::IsValidAttCode('Person', 'phone'))
|
|
{
|
|
$oContact->Set('phone', '+00 000 000 000');
|
|
}
|
|
$oContact->Set('email', 'my.email@foo.org');
|
|
$iContactId = $oContact->DBInsertTrackedNoReload($oChange, true /* skip security */);
|
|
}
|
|
}
|
|
|
|
|
|
$oUser = new UserLocal();
|
|
$oUser->Set('login', $sAdminUser);
|
|
$oUser->Set('password', $sAdminPwd);
|
|
if (MetaModel::IsValidAttCode('UserLocal', 'contactid') && ($iContactId != 0))
|
|
{
|
|
$oUser->Set('contactid', $iContactId);
|
|
}
|
|
$oUser->Set('language', $sLanguage); // Language was chosen during the installation
|
|
|
|
// Add this user to the very specific 'admin' profile
|
|
$oAdminProfile = MetaModel::GetObjectFromOQL("SELECT URP_Profiles WHERE name = :name", array('name' => ADMIN_PROFILE_NAME), true /*all data*/);
|
|
if (is_object($oAdminProfile))
|
|
{
|
|
$oUserProfile = new URP_UserProfile();
|
|
//$oUserProfile->Set('userid', $iUserId);
|
|
$oUserProfile->Set('profileid', $oAdminProfile->GetKey());
|
|
$oUserProfile->Set('reason', 'By definition, the administrator must have the administrator profile');
|
|
//$oUserProfile->DBInsertTrackedNoReload($oChange, true /* skip security */);
|
|
$oSet = DBObjectSet::FromObject($oUserProfile);
|
|
$oUser->Set('profile_list', $oSet);
|
|
}
|
|
$iUserId = $oUser->DBInsertTrackedNoReload($oChange, true /* skip security */);
|
|
return true;
|
|
}
|
|
|
|
public function Init()
|
|
{
|
|
}
|
|
|
|
|
|
protected $m_aAdmins = array(); // id -> bool, true if the user has the well-known admin profile
|
|
protected $m_aPortalUsers = array(); // id -> bool, true if the user has the well-known portal user profile
|
|
|
|
protected $m_aProfiles; // id -> object
|
|
protected $m_aUserProfiles = array(); // userid,profileid -> object
|
|
protected $m_aUserOrgs = array(); // userid -> array of orgid
|
|
|
|
// Built on demand, could be optimized if necessary (doing a query for each attribute that needs to be read)
|
|
protected $m_aObjectActionGrants = array();
|
|
|
|
/**
|
|
* Read and cache organizations allowed to the given user
|
|
*
|
|
* @param oUser
|
|
* @param sClass -not used here but can be used in overloads
|
|
*/
|
|
protected function GetUserOrgs($oUser, $sClass)
|
|
{
|
|
$iUser = $oUser->GetKey();
|
|
if (!array_key_exists($iUser, $this->m_aUserOrgs))
|
|
{
|
|
$this->m_aUserOrgs[$iUser] = array();
|
|
|
|
$sHierarchicalKeyCode = MetaModel::IsHierarchicalClass('Organization');
|
|
if ($sHierarchicalKeyCode !== false)
|
|
{
|
|
$sUserOrgQuery = 'SELECT UserOrg, Org FROM Organization AS Org JOIN Organization AS Root ON Org.'.$sHierarchicalKeyCode.' BELOW Root.id JOIN URP_UserOrg AS UserOrg ON UserOrg.allowed_org_id = Root.id WHERE UserOrg.userid = :userid';
|
|
$oUserOrgSet = new DBObjectSet(DBObjectSearch::FromOQL_AllData($sUserOrgQuery), array(), array('userid' => $iUser));
|
|
while ($aRow = $oUserOrgSet->FetchAssoc())
|
|
{
|
|
$oUserOrg = $aRow['UserOrg'];
|
|
$oOrg = $aRow['Org'];
|
|
$this->m_aUserOrgs[$iUser][] = $oOrg->GetKey();
|
|
}
|
|
}
|
|
else
|
|
{
|
|
$oSearch = new DBObjectSearch('URP_UserOrg');
|
|
$oSearch->AllowAllData();
|
|
$oCondition = new BinaryExpression(new FieldExpression('userid'), '=', new VariableExpression('userid'));
|
|
$oSearch->AddConditionExpression($oCondition);
|
|
|
|
$oUserOrgSet = new DBObjectSet($oSearch, array(), array('userid' => $iUser));
|
|
while ($oUserOrg = $oUserOrgSet->Fetch())
|
|
{
|
|
$this->m_aUserOrgs[$iUser][] = $oUserOrg->Get('allowed_org_id');
|
|
}
|
|
}
|
|
}
|
|
return $this->m_aUserOrgs[$iUser];
|
|
}
|
|
|
|
/**
|
|
* Read and cache profiles of the given user
|
|
*/
|
|
protected function GetUserProfiles($iUser)
|
|
{
|
|
if (!array_key_exists($iUser, $this->m_aUserProfiles))
|
|
{
|
|
$oSearch = new DBObjectSearch('URP_UserProfile');
|
|
$oSearch->AllowAllData();
|
|
$oCondition = new BinaryExpression(new FieldExpression('userid'), '=', new VariableExpression('userid'));
|
|
$oSearch->AddConditionExpression($oCondition);
|
|
|
|
$this->m_aUserProfiles[$iUser] = array();
|
|
$oUserProfileSet = new DBObjectSet($oSearch, array(), array('userid' => $iUser));
|
|
while ($oUserProfile = $oUserProfileSet->Fetch())
|
|
{
|
|
$this->m_aUserProfiles[$iUser][$oUserProfile->Get('profileid')] = $oUserProfile;
|
|
}
|
|
}
|
|
return $this->m_aUserProfiles[$iUser];
|
|
|
|
}
|
|
|
|
public function ResetCache()
|
|
{
|
|
// Loaded by Load cache
|
|
$this->m_aProfiles = null;
|
|
$this->m_aUserProfiles = array();
|
|
$this->m_aUserOrgs = array();
|
|
|
|
$this->m_aAdmins = array();
|
|
$this->m_aPortalUsers = array();
|
|
|
|
// Cache
|
|
$this->m_aObjectActionGrants = array();
|
|
}
|
|
|
|
public function LoadCache()
|
|
{
|
|
if (!is_null($this->m_aProfiles)) return;
|
|
// Could be loaded in a shared memory (?)
|
|
|
|
$oKPI = new ExecutionKPI();
|
|
|
|
if (self::HasSharing())
|
|
{
|
|
SharedObject::InitSharedClassProperties();
|
|
}
|
|
|
|
$oProfileSet = new DBObjectSet(DBObjectSearch::FromOQL_AllData("SELECT URP_Profiles"));
|
|
$this->m_aProfiles = array();
|
|
while ($oProfile = $oProfileSet->Fetch())
|
|
{
|
|
$this->m_aProfiles[$oProfile->GetKey()] = $oProfile;
|
|
}
|
|
|
|
$oKPI->ComputeAndReport('Load of user management cache (excepted Action Grants)');
|
|
|
|
/*
|
|
echo "<pre>\n";
|
|
print_r($this->m_aProfiles);
|
|
print_r($this->m_aUserProfiles);
|
|
print_r($this->m_aUserOrgs);
|
|
echo "</pre>\n";
|
|
exit;
|
|
*/
|
|
|
|
return true;
|
|
}
|
|
|
|
public function IsAdministrator($oUser)
|
|
{
|
|
//$this->LoadCache();
|
|
$iUser = $oUser->GetKey();
|
|
if (!array_key_exists($iUser, $this->m_aAdmins))
|
|
{
|
|
$bIsAdmin = false;
|
|
foreach($this->GetUserProfiles($iUser) as $oUserProfile)
|
|
{
|
|
if ($oUserProfile->Get('profile') == ADMIN_PROFILE_NAME)
|
|
{
|
|
$bIsAdmin = true;
|
|
break;
|
|
}
|
|
}
|
|
$this->m_aAdmins[$iUser] = $bIsAdmin;
|
|
}
|
|
return $this->m_aAdmins[$iUser];
|
|
}
|
|
|
|
public function IsPortalUser($oUser)
|
|
{
|
|
//$this->LoadCache();
|
|
$iUser = $oUser->GetKey();
|
|
if (!array_key_exists($iUser, $this->m_aPortalUsers))
|
|
{
|
|
$bIsPortalUser = false;
|
|
foreach($this->GetUserProfiles($iUser) as $oUserProfile)
|
|
{
|
|
if ($oUserProfile->Get('profile') == PORTAL_PROFILE_NAME)
|
|
{
|
|
$bIsPortalUser = true;
|
|
break;
|
|
}
|
|
}
|
|
$this->m_aPortalUsers[$iUser] = $bIsPortalUser;
|
|
}
|
|
return $this->m_aPortalUsers[$iUser];
|
|
}
|
|
|
|
public function GetSelectFilter($oUser, $sClass, $aSettings = array())
|
|
{
|
|
$this->LoadCache();
|
|
|
|
$aObjectPermissions = $this->GetUserActionGrant($oUser, $sClass, UR_ACTION_READ);
|
|
if ($aObjectPermissions['permission'] == UR_ALLOWED_NO)
|
|
{
|
|
return false;
|
|
}
|
|
|
|
// Determine how to position the objects of this class
|
|
//
|
|
$sAttCode = self::GetOwnerOrganizationAttCode($sClass);
|
|
if (is_null($sAttCode))
|
|
{
|
|
// No filtering for this object
|
|
return true;
|
|
}
|
|
// Position the user
|
|
//
|
|
$aUserOrgs = $this->GetUserOrgs($oUser, $sClass);
|
|
if (count($aUserOrgs) == 0)
|
|
{
|
|
// No org means 'any org'
|
|
return true;
|
|
}
|
|
|
|
$oExpression = new FieldExpression($sAttCode, $sClass);
|
|
$oFilter = new DBObjectSearch($sClass);
|
|
$oListExpr = ListExpression::FromScalars($aUserOrgs);
|
|
|
|
$oCondition = new BinaryExpression($oExpression, 'IN', $oListExpr);
|
|
$oFilter->AddConditionExpression($oCondition);
|
|
|
|
if (self::HasSharing())
|
|
{
|
|
if (($sAttCode == 'id') && isset($aSettings['bSearchMode']) && $aSettings['bSearchMode'])
|
|
{
|
|
// Querying organizations (or derived)
|
|
// and the expected list of organizations will be used as a search criteria
|
|
// Therefore the query can also return organization having objects shared with the allowed organizations
|
|
//
|
|
// 1) build the list of organizations sharing something with the allowed organizations
|
|
// Organization <== sharing_org_id == SharedObject having org_id IN {user orgs}
|
|
$oShareSearch = new DBObjectSearch('SharedObject');
|
|
$oOrgField = new FieldExpression('org_id', 'SharedObject');
|
|
$oShareSearch->AddConditionExpression(new BinaryExpression($oOrgField, 'IN', $oListExpr));
|
|
|
|
$oSearchSharers = new DBObjectSearch('Organization');
|
|
$oSearchSharers->AllowAllData();
|
|
$oSearchSharers->AddCondition_ReferencedBy($oShareSearch, 'sharing_org_id');
|
|
$aSharers = array();
|
|
foreach($oSearchSharers->ToDataArray(array('id')) as $aRow)
|
|
{
|
|
$aSharers[] = $aRow['id'];
|
|
}
|
|
// 2) Enlarge the overall results: ... OR id IN(id1, id2, id3)
|
|
if (count($aSharers) > 0)
|
|
{
|
|
$oSharersList = ListExpression::FromScalars($aSharers);
|
|
$oFilter->MergeConditionExpression(new BinaryExpression($oExpression, 'IN', $oSharersList));
|
|
}
|
|
}
|
|
|
|
$aShareProperties = SharedObject::GetSharedClassProperties($sClass);
|
|
if ($aShareProperties)
|
|
{
|
|
$sShareClass = $aShareProperties['share_class'];
|
|
$sShareAttCode = $aShareProperties['attcode'];
|
|
|
|
$oSearchShares = new DBObjectSearch($sShareClass);
|
|
$oSearchShares->AllowAllData();
|
|
|
|
$sHierarchicalKeyCode = MetaModel::IsHierarchicalClass('Organization');
|
|
$oOrgField = new FieldExpression('org_id', $sShareClass);
|
|
$oSearchShares->AddConditionExpression(new BinaryExpression($oOrgField, 'IN', $oListExpr));
|
|
$aShared = array();
|
|
foreach($oSearchShares->ToDataArray(array($sShareAttCode)) as $aRow)
|
|
{
|
|
$aShared[] = $aRow[$sShareAttCode];
|
|
}
|
|
if (count($aShared) > 0)
|
|
{
|
|
$oObjId = new FieldExpression('id', $sClass);
|
|
$oSharedIdList = ListExpression::FromScalars($aShared);
|
|
$oFilter->MergeConditionExpression(new BinaryExpression($oObjId, 'IN', $oSharedIdList));
|
|
}
|
|
}
|
|
} // if HasSharing
|
|
|
|
return $oFilter;
|
|
}
|
|
|
|
// This verb has been made public to allow the development of an accurate feedback for the current configuration
|
|
public function GetProfileActionGrant($iProfile, $sClass, $sAction)
|
|
{
|
|
// Note: action is forced lowercase to be more flexible (historical bug)
|
|
$sAction = strtolower($sAction);
|
|
|
|
return ProfilesConfig::GetProfileActionGrant($iProfile, $sClass, $sAction);
|
|
}
|
|
|
|
protected function GetUserActionGrant($oUser, $sClass, $iActionCode)
|
|
{
|
|
$this->LoadCache();
|
|
|
|
// load and cache permissions for the current user on the given class
|
|
//
|
|
$iUser = $oUser->GetKey();
|
|
$aTest = @$this->m_aObjectActionGrants[$iUser][$sClass][$iActionCode];
|
|
if (is_array($aTest)) return $aTest;
|
|
|
|
$sAction = self::$m_aActionCodes[$iActionCode];
|
|
|
|
$bStatus = null;
|
|
$aAttributes = array();
|
|
foreach($this->GetUserProfiles($iUser) as $iProfile => $oProfile)
|
|
{
|
|
$bGrant = $this->GetProfileActionGrant($iProfile, $sClass, $sAction);
|
|
if (!is_null($bGrant))
|
|
{
|
|
if ($bGrant)
|
|
{
|
|
if (is_null($bStatus))
|
|
{
|
|
$bStatus = true;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
$bStatus = false;
|
|
}
|
|
}
|
|
}
|
|
|
|
$iPermission = $bStatus ? UR_ALLOWED_YES : UR_ALLOWED_NO;
|
|
|
|
$aRes = array(
|
|
'permission' => $iPermission,
|
|
// 'attributes' => $aAttributes,
|
|
);
|
|
$this->m_aObjectActionGrants[$iUser][$sClass][$iActionCode] = $aRes;
|
|
return $aRes;
|
|
}
|
|
|
|
public function IsActionAllowed($oUser, $sClass, $iActionCode, $oInstanceSet = null)
|
|
{
|
|
$this->LoadCache();
|
|
|
|
$aObjectPermissions = $this->GetUserActionGrant($oUser, $sClass, $iActionCode);
|
|
$iPermission = $aObjectPermissions['permission'];
|
|
|
|
// Note: In most cases the object set is ignored because it was interesting to optimize for huge data sets
|
|
// and acceptable to consider only the root class of the object set
|
|
|
|
if ($iPermission != UR_ALLOWED_YES)
|
|
{
|
|
// It is already NO for everyone... that's the final word!
|
|
}
|
|
elseif ($iActionCode == UR_ACTION_READ)
|
|
{
|
|
// We are protected by GetSelectFilter: the object set contains objects allowed or shared for reading
|
|
}
|
|
elseif ($iActionCode == UR_ACTION_BULK_READ)
|
|
{
|
|
// We are protected by GetSelectFilter: the object set contains objects allowed or shared for reading
|
|
}
|
|
elseif ($oInstanceSet)
|
|
{
|
|
// We are protected by GetSelectFilter: the object set contains objects allowed or shared for reading
|
|
// We have to answer NO for objects shared for reading purposes
|
|
if (self::HasSharing())
|
|
{
|
|
$aClassProps = SharedObject::GetSharedClassProperties($sClass);
|
|
if ($aClassProps)
|
|
{
|
|
// This class is shared, GetSelectFilter may allow some objects for read only
|
|
// But currently we are checking wether the objects might be written...
|
|
// Let's exclude the objects based on the relevant criteria
|
|
|
|
$sOrgAttCode = self::GetOwnerOrganizationAttCode($sClass);
|
|
if (!is_null($sOrgAttCode))
|
|
{
|
|
$aUserOrgs = $this->GetUserOrgs($oUser, $sClass);
|
|
if (!is_null($aUserOrgs) && count($aUserOrgs) > 0)
|
|
{
|
|
$iCountNO = 0;
|
|
$iCountYES = 0;
|
|
$oInstanceSet->Rewind();
|
|
while($oObject = $oInstanceSet->Fetch())
|
|
{
|
|
$iOrg = $oObject->Get($sOrgAttCode);
|
|
if (in_array($iOrg, $aUserOrgs))
|
|
{
|
|
$iCountYES++;
|
|
}
|
|
else
|
|
{
|
|
$iCountNO++;
|
|
}
|
|
}
|
|
if ($iCountNO == 0)
|
|
{
|
|
$iPermission = UR_ALLOWED_YES;
|
|
}
|
|
elseif ($iCountYES == 0)
|
|
{
|
|
$iPermission = UR_ALLOWED_NO;
|
|
}
|
|
else
|
|
{
|
|
$iPermission = UR_ALLOWED_DEPENDS;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
return $iPermission;
|
|
}
|
|
|
|
public function IsActionAllowedOnAttribute($oUser, $sClass, $sAttCode, $iActionCode, $oInstanceSet = null)
|
|
{
|
|
$this->LoadCache();
|
|
|
|
// Note: The object set is ignored because it was interesting to optimize for huge data sets
|
|
// and acceptable to consider only the root class of the object set
|
|
$aObjectPermissions = $this->GetUserActionGrant($oUser, $sClass, $iActionCode);
|
|
return $aObjectPermissions['permission'];
|
|
}
|
|
|
|
// This verb has been made public to allow the development of an accurate feedback for the current configuration
|
|
public function GetClassStimulusGrant($iProfile, $sClass, $sStimulusCode)
|
|
{
|
|
return ProfilesConfig::GetProfileStimulusGrant($iProfile, $sClass, $sStimulusCode);
|
|
}
|
|
|
|
public function IsStimulusAllowed($oUser, $sClass, $sStimulusCode, $oInstanceSet = null)
|
|
{
|
|
$this->LoadCache();
|
|
// Note: this code is VERY close to the code of IsActionAllowed()
|
|
$iUser = $oUser->GetKey();
|
|
|
|
// Note: The object set is ignored because it was interesting to optimize for huge data sets
|
|
// and acceptable to consider only the root class of the object set
|
|
$bStatus = null;
|
|
foreach($this->GetUserProfiles($iUser) as $iProfile => $oProfile)
|
|
{
|
|
$bGrant = $this->GetClassStimulusGrant($iProfile, $sClass, $sStimulusCode);
|
|
if (!is_null($bGrant))
|
|
{
|
|
if ($bGrant)
|
|
{
|
|
if (is_null($bStatus))
|
|
{
|
|
$bStatus = true;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
$bStatus = false;
|
|
}
|
|
}
|
|
}
|
|
|
|
$iPermission = $bStatus ? UR_ALLOWED_YES : UR_ALLOWED_NO;
|
|
return $iPermission;
|
|
}
|
|
|
|
public function FlushPrivileges()
|
|
{
|
|
$this->ResetCache();
|
|
}
|
|
|
|
/**
|
|
* Find out which attribute is corresponding the the dimension 'owner org'
|
|
* returns null if no such attribute has been found (no filtering should occur)
|
|
*/
|
|
public static function GetOwnerOrganizationAttCode($sClass)
|
|
{
|
|
$sAttCode = null;
|
|
|
|
$aCallSpec = array($sClass, 'MapContextParam');
|
|
if (($sClass == 'Organization') || is_subclass_of($sClass, 'Organization'))
|
|
{
|
|
$sAttCode = 'id';
|
|
}
|
|
elseif (is_callable($aCallSpec))
|
|
{
|
|
$sAttCode = call_user_func($aCallSpec, 'org_id'); // Returns null when there is no mapping for this parameter
|
|
if (!MetaModel::IsValidAttCode($sClass, $sAttCode))
|
|
{
|
|
// Skip silently. The data model checker will tell you something about this...
|
|
$sAttCode = null;
|
|
}
|
|
}
|
|
elseif(MetaModel::IsValidAttCode($sClass, 'org_id'))
|
|
{
|
|
$sAttCode = 'org_id';
|
|
}
|
|
|
|
return $sAttCode;
|
|
}
|
|
|
|
/**
|
|
* Determine wether the objects can be shared by the mean of a class SharedObject
|
|
**/
|
|
protected static function HasSharing()
|
|
{
|
|
static $bHasSharing;
|
|
if (!isset($bHasSharing))
|
|
{
|
|
$bHasSharing = class_exists('SharedObject');
|
|
}
|
|
return $bHasSharing;
|
|
}
|
|
}
|
|
|
|
|
|
UserRights::SelectModule('UserRightsProfile');
|
|
|
|
?>
|