2 commits - lib/Auth lib/kolab_client_task.php

Jeroen van Meeuwen vanmeeuwen at kolabsys.com
Wed Apr 4 00:13:33 CEST 2012


 lib/Auth/LDAP.php         |   33 ++++++++++++++------
 lib/kolab_client_task.php |   74 +++++++++++++++++++++++++++++++++++++++-------
 2 files changed, 88 insertions(+), 19 deletions(-)

New commits:
commit 15e304586a52a9cda59c23b3eb650cf130577b39
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date:   Wed Apr 4 00:12:53 2012 +0200

    Override the default 'disabled' and 'readonly' attributes to fields depending on the access defined in $auth->list_rights($entry)

diff --git a/lib/kolab_client_task.php b/lib/kolab_client_task.php
index 71b9935..1f5a4b2 100644
--- a/lib/kolab_client_task.php
+++ b/lib/kolab_client_task.php
@@ -875,6 +875,7 @@ class kolab_client_task
                     'type'      => kolab_form::INPUT_HIDDEN,
                     'value'     => $data['entrydn']
                 );
+
         }
 
         return array($fields, $types, $type);
@@ -982,45 +983,98 @@ class kolab_client_task
                     $field['name'] = $idx;
                 }
 
-                if (empty($field['disabled'])) {
+                //console("before authz: " . $field['name'], $field);
+
+                // Only edit those fields that actually have merit
+                if (array_key_exists('disabled', $field) || array_key_exists('readonly', $field)) {
                     if (!array_key_exists($field['name'], $effective_rights['attributeLevelRights'])) {
+                        //console("No explicit rights on attribute " . $field['name']);
                         // If the entry level rights contain 'add' and 'delete', well, you're an admin
                         if (
                                 in_array('add', $effective_rights['entryLevelRights']) &&
                                 in_array('delete', $effective_rights['entryLevelRights'])
                             ) {
-                            $field['disabled'] = false;
+
+                            //console("Overriding any permissions for field " . $field['name'] . ", simply because we have the access to delete and add back the entry.");
+                            if (array_key_exists('disabled', $field) && $field['disabled']) {
+                                //console("overriding disabled state on " . $field['name']);
+                                $field['disabled'] = false;
+                            }
+                            if (array_key_exists('readonly', $field) && $field['readonly']) {
+                                //console("overriding readonly state on " . $field['name']);
+                                $field['readonly'] = false;
+                            }
+
                         } else {
-                            $field['disabled'] = true;
+                            //console("no explicit write permissions on " . $field['name'] . ", disabling");
+                            if (array_key_exists('disabled', $field) && $field['disabled']) {
+                                //console("overriding disabled state on " . $field['name']);
+                                $field['disabled'] = false;
+                            }
+                            if (array_key_exists('readonly', $field) && !$field['readonly']) {
+                                //console("overriding readonly state on " . $field['name']);
+                                $field['readonly'] = true;
+                            }
                         }
                     } else {
+                        //console("Explicit rights on attribute " . $field['name'] . " found");
                         if (!in_array('write', $effective_rights['attributeLevelRights'][$field['name']])) {
-                            //console("no write on " . $field['name']);
-                            $field['disabled'] = true;
-                        } /* else {
-                            console("write on " . $field['name']);
-                        } */
+                            //console("no write permissions on " . $field['name'] . ", marking read-only");
+/*                            if (array_key_exists('disabled', $field) && !$field['disabled']) {
+                                console("overriding disabled state on " . $field['name']);
+                                $field['disabled'] = true;
+                            }
+*/
+                            if (array_key_exists('readonly', $field) && !$field['readonly']) {
+                                //console("overriding readonly state on " . $field['name']);
+                                $field['readonly'] = true;
+                            }
+                        } else {
+                            //console("explicit write permissions on " . $field['name']);
+
+                            if (array_key_exists('disabled', $field) && $field['disabled']) {
+                                //console("overriding disabled state on " . $field['name']);
+                                $field['disabled'] = false;
+                            }
+                            if (array_key_exists('readonly', $field) && $field['readonly']) {
+                                //console("overriding readonly state on " . $field['name']);
+                                $field['readonly'] = false;
+                            }
+                        }
 
                     }
 
                     // Some fields are special, such as the 'userpassword2' field
                     switch ($field['name']) {
+                        case "type_id":
+                            $field['disabled'] = false;
+                            break;
                         case "userpassword2":
-                            if (!array_key_exists('userpassword', $effective_rights['attributeLevelRights'])) {
+                            if (
+                                    in_array('add', $effective_rights['entryLevelRights']) &&
+                                    in_array('delete', $effective_rights['entryLevelRights'])
+                                ) {
+                                $field['disabled'] = false;
+                                $field['readonly'] = false;
+                            } elseif (!array_key_exists('userpassword', $effective_rights['attributeLevelRights'])) {
                                 $field['disabled'] = true;
+                                $field['readonly'] = true;
                             } elseif (!in_array('write', $effective_rights['attributeLevelRights']['userpassword'])) {
                                 $field['disabled'] = true;
+                                $field['readonly'] = true;
                             } else {
                                 $field['disabled'] = false;
+                                $field['readonly'] = false;
                             }
 
                             break;
                         default:
                             break;
                     }
-
                 }
 
+                //console("after authz " . $field['name'], $field);
+
                 if (!empty($field['required']) && empty($field['readonly']) && empty($field['disabled'])) {
                     $req_fields[] = $idx;
                 }
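Review bot: The gate `if (array_key_exists('disabled', $field) || array_key_exists('readonly', $field))` skips the rights evaluation for any field definition that declares neither key, whereas the replaced `if (empty($field['disabled']))` applied it to those fields too, so such a field presumably renders editable even when `attributeLevelRights` grants no `write` on it. Normalising both keys first, `$field['disabled'] = !empty($field['disabled']); $field['readonly'] = !empty($field['readonly']);`, and then running the rights logic on every field would close that gap (the LDAP server's own ACLs are presumably still the real enforcement point, but the form state would then agree with them). The `case "type_id":` branch sets `$field['disabled'] = false` unconditionally after the rights evaluation and leaves `readonly` untouched; a one-line comment stating why that field is exempt would help the next reader. The many commented-out `console(...)` calls and the `/* ... */` block are dead code and are better removed than committed. The enclosing method starts and ends outside the hunk.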


commit 3671a90b6adce88fefdf55cf987ed05b30410ed0
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date:   Wed Apr 4 00:09:23 2012 +0200

    Use the correct values (the user details array, not the result from user_info()) in the call to modify_entry()
    Ignore an empty 'userpassword' attribute value for the form - it means the password is not changed
    Insert the unique_attribute value into search results

diff --git a/lib/Auth/LDAP.php b/lib/Auth/LDAP.php
index 036fb7e..3fbbd7b 100644
--- a/lib/Auth/LDAP.php
+++ b/lib/Auth/LDAP.php
@@ -518,7 +518,7 @@ class LDAP
         $_user = $this->user_info($_user_dn, array());
 
         // We should start throwing stuff over the fence here.
-        return $this->modify_entry($_user_dn, $_user, $attributes);
+        return $this->modify_entry($_user_dn, $_user[$_user_dn], $attributes);
     }
 
     public function user_delete($user)
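Review bot: `$_user[$_user_dn]` on the changed line is read without checking that `user_info()` returned an array keyed by that DN; if the lookup fails (other failed LDAP calls in this file return `false`), the index yields `null` and `modify_entry()` receives no old attributes, so its `array_key_exists($attr, $old_attrs)` checks would presumably warn or throw rather than report the failure. A guard before the call, `if (!is_array($_user) || !isset($_user[$_user_dn])) { return false; }`, keeps the failure visible in the same style as the other early returns. Whether the result key is exactly `$_user_dn` (same case and spacing) depends on how `user_info()` builds its array, which is outside this hunk and worth confirming. The enclosing method starts outside the hunk.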
@@ -979,7 +979,8 @@ class LDAP
 
     private function modify_entry($subject_dn, $old_attrs, $new_attrs)
     {
-        console($old_attrs);
+        //console("OLD ATTRIBUTES", $old_attrs);
+        //console("NEW ATTRIBUTES", $new_attrs);
 
         // TODO: Get $rdn_attr - we have type_id in $new_attrs
         $dn_components = ldap_explode_dn($subject_dn, 0);
@@ -987,9 +988,7 @@ class LDAP
 
         $rdn_attr = $rdn_components[0];
 
-        console($rdn_attr);
-
-//        return;
+        //console($rdn_attr);
 
         $mod_array = Array(
                 "add"       => Array(), // For use with ldap_mod_add()
@@ -1008,8 +1007,14 @@ class LDAP
                         $mod_array['rename'][$subject_dn] = $rdn_attr . '=' . $new_attrs[$attr];
                     } else {
                         if (empty($new_attrs[$attr])) {
-                            console("Adding to del: $attr");
-                            $mod_array['del'][$attr] = (array)($old_attr_value);
+                            switch ($attr) {
+                                case "userpassword":
+                                    break;
+                                default:
+                                    console("Adding to del: $attr");
+                                    $mod_array['del'][$attr] = (array)($old_attr_value);
+                                    break;
+                            }
                         } else {
                             console("Adding to replace: $attr");
                             $mod_array['replace'][$attr] = (array)($new_attrs[$attr]);
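Review bot: The `switch ($attr)` with a single `case "userpassword": break;` and a `default` is an `if` in disguise; `if ($attr !== 'userpassword') { ... }` expresses the same thing, and the identical construct in the hunk at @@ -1029 (the `del(2)` branch) should get the same treatment. The exemption relies on an exact lowercase match while LDAP attribute names are case-insensitive, so if `$new_attrs` keys can arrive as `userPassword` the deletion would still go through; confirm how the keys are normalised upstream or compare `strtolower($attr)`. The surrounding `empty($new_attrs[$attr])` test (context here, unchanged by the commit) also treats the string `'0'` as empty, so a password of `0` would be ignored rather than set; `$new_attrs[$attr] === ''` is the precise check. A short comment on the exemption, `// An empty password field means "unchanged", never "remove the password"`, would record the intent given in the commit message. The enclosing method starts and ends outside the hunk.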
@@ -1029,8 +1034,14 @@ class LDAP
             if (array_key_exists($attr, $old_attrs)) {
                 if (empty($value)) {
                     if (!array_key_exists($attr, $mod_array['del'])) {
-                        console("Adding to del(2): $attr");
-                        $mod_array['del'][$attr] = (array)($old_attrs[$attr]);
+                        switch ($attr) {
+                            case "userpassword":
+                                break;
+                            default:
+                                console("Adding to del(2): $attr");
+                                $mod_array['del'][$attr] = (array)($old_attrs[$attr]);
+                                break;
+                        }
                     }
                 } else {
                     if (!($old_attrs[$attr] === $value) && !($attr === $rdn_attr)) {
@@ -1379,6 +1390,10 @@ class LDAP
 
         $this->_bind($_SESSION['user']->user_bind_dn, $_SESSION['user']->user_bind_pw);
 
+        if (!in_array($this->unique_attribute(), $attributes)) {
+            $attributes[] = $this->unique_attribute();
+        }
+
         if (($search_results = @ldap_search($this->conn, $base_dn, $search_filter, $attributes)) == false) {
             //message("Could not search in " . __METHOD__ . " in " . __FILE__ . " on line " . __LINE__ . ": " . $this->_errstr());
             return false;
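Review bot: The added block turns an empty `$attributes` list into a one-element list; if any caller of this method passes `array()` to mean "all attributes" (the usual `ldap_search` convention, and `user_info($_user_dn, array())` earlier in this mail suggests the idiom is used in this class), the search would now return only the unique attribute. Guarding with `if (!empty($attributes) && !in_array($this->unique_attribute(), $attributes, true))` preserves that case, and storing `$this->unique_attribute()` in a local avoids calling it twice. `in_array` should pass `strict: true` here since attribute names are strings. The enclosing method starts outside the hunk.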




