2 commits - lib/Auth lib/kolab_client_task.php
Jeroen van Meeuwen
vanmeeuwen at kolabsys.com
Wed Apr 4 00:13:33 CEST 2012
lib/Auth/LDAP.php | 33 ++++++++++++++------
lib/kolab_client_task.php | 74 +++++++++++++++++++++++++++++++++++++++-------
2 files changed, 88 insertions(+), 19 deletions(-)
New commits:
commit 15e304586a52a9cda59c23b3eb650cf130577b39
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date: Wed Apr 4 00:12:53 2012 +0200
Override the default 'disabled' and 'readonly' attributes on fields depending on the access defined in $auth->list_rights($entry)
diff --git a/lib/kolab_client_task.php b/lib/kolab_client_task.php
index 71b9935..1f5a4b2 100644
--- a/lib/kolab_client_task.php
+++ b/lib/kolab_client_task.php
@@ -875,6 +875,7 @@ class kolab_client_task
'type' => kolab_form::INPUT_HIDDEN,
'value' => $data['entrydn']
);
+
}
return array($fields, $types, $type);
@@ -982,45 +983,98 @@ class kolab_client_task
$field['name'] = $idx;
}
- if (empty($field['disabled'])) {
+ //console("before authz: " . $field['name'], $field);
+
+ // Only edit those fields that actually have merit
+ if (array_key_exists('disabled', $field) || array_key_exists('readonly', $field)) {
if (!array_key_exists($field['name'], $effective_rights['attributeLevelRights'])) {
+ //console("No explicit rights on attribute " . $field['name']);
// If the entry level rights contain 'add' and 'delete', well, you're an admin
if (
in_array('add', $effective_rights['entryLevelRights']) &&
in_array('delete', $effective_rights['entryLevelRights'])
) {
- $field['disabled'] = false;
+
+ //console("Overriding any permissions for field " . $field['name'] . ", simply because we have the access to delete and add back the entry.");
+ if (array_key_exists('disabled', $field) && $field['disabled']) {
+ //console("overriding disabled state on " . $field['name']);
+ $field['disabled'] = false;
+ }
+ if (array_key_exists('readonly', $field) && $field['readonly']) {
+ //console("overriding readonly state on " . $field['name']);
+ $field['readonly'] = false;
+ }
+
} else {
- $field['disabled'] = true;
+ //console("no explicit write permissions on " . $field['name'] . ", disabling");
+ if (array_key_exists('disabled', $field) && $field['disabled']) {
+ //console("overriding disabled state on " . $field['name']);
+ $field['disabled'] = false;
+ }
+ if (array_key_exists('readonly', $field) && !$field['readonly']) {
+ //console("overriding readonly state on " . $field['name']);
+ $field['readonly'] = true;
+ }
}
} else {
+ //console("Explicit rights on attribute " . $field['name'] . " found");
if (!in_array('write', $effective_rights['attributeLevelRights'][$field['name']])) {
- //console("no write on " . $field['name']);
- $field['disabled'] = true;
- } /* else {
- console("write on " . $field['name']);
- } */
+ //console("no write permissions on " . $field['name'] . ", marking read-only");
+/* if (array_key_exists('disabled', $field) && !$field['disabled']) {
+ console("overriding disabled state on " . $field['name']);
+ $field['disabled'] = true;
+ }
+*/
+ if (array_key_exists('readonly', $field) && !$field['readonly']) {
+ //console("overriding readonly state on " . $field['name']);
+ $field['readonly'] = true;
+ }
+ } else {
+ //console("explicit write permissions on " . $field['name']);
+
+ if (array_key_exists('disabled', $field) && $field['disabled']) {
+ //console("overriding disabled state on " . $field['name']);
+ $field['disabled'] = false;
+ }
+ if (array_key_exists('readonly', $field) && $field['readonly']) {
+ //console("overriding readonly state on " . $field['name']);
+ $field['readonly'] = false;
+ }
+ }
}
// Some fields are special, such as the 'userpassword2' field
switch ($field['name']) {
+ case "type_id":
+ $field['disabled'] = false;
+ break;
case "userpassword2":
- if (!array_key_exists('userpassword', $effective_rights['attributeLevelRights'])) {
+ if (
+ in_array('add', $effective_rights['entryLevelRights']) &&
+ in_array('delete', $effective_rights['entryLevelRights'])
+ ) {
+ $field['disabled'] = false;
+ $field['readonly'] = false;
+ } elseif (!array_key_exists('userpassword', $effective_rights['attributeLevelRights'])) {
$field['disabled'] = true;
+ $field['readonly'] = true;
} elseif (!in_array('write', $effective_rights['attributeLevelRights']['userpassword'])) {
$field['disabled'] = true;
+ $field['readonly'] = true;
} else {
$field['disabled'] = false;
+ $field['readonly'] = false;
}
break;
default:
break;
}
-
}
+ //console("after authz " . $field['name'], $field);
+
if (!empty($field['required']) && empty($field['readonly']) && empty($field['disabled'])) {
$req_fields[] = $idx;
}
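Review bot: The new guard `if (array_key_exists('disabled', $field) || array_key_exists('readonly', $field))` skips any field whose definition declares neither key, while the removed `if (empty($field['disabled']))` still disabled such a field when the user lacked write access on the attribute; unless every field definition always carries one of the two keys (not visible here), a field can now be left editable without a write right. Initialising both keys before the guard, e.g. `if (!array_key_exists('readonly', $field)) { $field['readonly'] = false; }` and the same for `disabled`, keeps the rights branches applying to every field. Note also that the non-admin branch without explicit attribute rights turns an explicitly disabled field into enabled-plus-readonly; the HTML `readonly` attribute is not honoured by select, checkbox or radio controls, so that flip may re-enable those, and this form state only shapes the UI, so write access still has to be checked when the entry is saved. The commented-out console() calls added throughout the hunk should be dropped rather than committed. The enclosing method starts and ends outside the hunk.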
commit 3671a90b6adce88fefdf55cf987ed05b30410ed0
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date: Wed Apr 4 00:09:23 2012 +0200
Use the correct values (the user details array, not the result from user_info()) in the call to modify_entry()
Ignore an empty 'userpassword' attribute value for the form - it means the password is not changed
Insert the unique_attribute value into search results
diff --git a/lib/Auth/LDAP.php b/lib/Auth/LDAP.php
index 036fb7e..3fbbd7b 100644
--- a/lib/Auth/LDAP.php
+++ b/lib/Auth/LDAP.php
@@ -518,7 +518,7 @@ class LDAP
$_user = $this->user_info($_user_dn, array());
// We should start throwing stuff over the fence here.
- return $this->modify_entry($_user_dn, $_user, $attributes);
+ return $this->modify_entry($_user_dn, $_user[$_user_dn], $attributes);
}
public function user_delete($user)
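Review bot: The new argument `$_user[$_user_dn]` is read without checking that user_info() actually returned an entry under that key; if the lookup comes back false or without that DN, modify_entry() presumably receives null as $old_attrs and its `array_key_exists($attr, $old_attrs)` walk (see the later hunk) emits a warning or TypeError depending on the PHP version. A guard such as `if (empty($_user[$_user_dn])) { return false; }` before the return keeps a missing entry from being treated as an empty one. The enclosing method starts outside the hunk.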
@@ -979,7 +979,8 @@ class LDAP
private function modify_entry($subject_dn, $old_attrs, $new_attrs)
{
- console($old_attrs);
+ //console("OLD ATTRIBUTES", $old_attrs);
+ //console("NEW ATTRIBUTES", $new_attrs);
// TODO: Get $rdn_attr - we have type_id in $new_attrs
$dn_components = ldap_explode_dn($subject_dn, 0);
@@ -987,9 +988,7 @@ class LDAP
$rdn_attr = $rdn_components[0];
- console($rdn_attr);
-
-// return;
+ //console($rdn_attr);
$mod_array = Array(
"add" => Array(), // For use with ldap_mod_add()
@@ -1008,8 +1007,14 @@ class LDAP
$mod_array['rename'][$subject_dn] = $rdn_attr . '=' . $new_attrs[$attr];
} else {
if (empty($new_attrs[$attr])) {
- console("Adding to del: $attr");
- $mod_array['del'][$attr] = (array)($old_attr_value);
+ switch ($attr) {
+ case "userpassword":
+ break;
+ default:
+ console("Adding to del: $attr");
+ $mod_array['del'][$attr] = (array)($old_attr_value);
+ break;
+ }
} else {
console("Adding to replace: $attr");
$mod_array['replace'][$attr] = (array)($new_attrs[$attr]);
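Review bot: The `empty($new_attrs[$attr])` test that feeds the new switch still treats a legitimate value of `"0"` as a request to delete the attribute, and the same applies to `empty($value)` in the next hunk (the del(2) branch); an explicit check for `''`, null or an empty array avoids dropping such values. The `switch` with a single `case "userpassword": break;` reads more directly as `if ($attr !== 'userpassword') { ... }`, and since LDAP attribute names are case-insensitive, normalising with `strtolower($attr)` before the comparison would keep the password from being deleted if a caller supplies `userPassword`. Both hunks are inside modify_entry(), whose body continues outside them.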
@@ -1029,8 +1034,14 @@ class LDAP
if (array_key_exists($attr, $old_attrs)) {
if (empty($value)) {
if (!array_key_exists($attr, $mod_array['del'])) {
- console("Adding to del(2): $attr");
- $mod_array['del'][$attr] = (array)($old_attrs[$attr]);
+ switch ($attr) {
+ case "userpassword":
+ break;
+ default:
+ console("Adding to del(2): $attr");
+ $mod_array['del'][$attr] = (array)($old_attrs[$attr]);
+ break;
+ }
}
} else {
if (!($old_attrs[$attr] === $value) && !($attr === $rdn_attr)) {
@@ -1379,6 +1390,10 @@ class LDAP
$this->_bind($_SESSION['user']->user_bind_dn, $_SESSION['user']->user_bind_pw);
+ if (!in_array($this->unique_attribute(), $attributes)) {
+ $attributes[] = $this->unique_attribute();
+ }
+
if (($search_results = @ldap_search($this->conn, $base_dn, $search_filter, $attributes)) == false) {
//message("Could not search in " . __METHOD__ . " in " . __FILE__ . " on line " . __LINE__ . ": " . $this->_errstr());
return false;
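Review bot: Appending `$this->unique_attribute()` unconditionally changes the meaning of an empty `$attributes` array, which ldap_search() treats as "return all attributes": once the unique attribute is pushed in, such a call returns only that one attribute. Guarding on the list being non-empty and using a strict comparison, `$unique_attr = $this->unique_attribute(); if (!empty($attributes) && !in_array($unique_attr, $attributes, true)) { $attributes[] = $unique_attr; }`, keeps the all-attributes case intact and avoids calling the accessor twice. Whether any caller relies on the empty-list form is not visible here. The enclosing method starts and ends outside the hunk.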