5 commits - lib/api lib/Auth lib/kolab_client_task.php
Jeroen van Meeuwen
vanmeeuwen at kolabsys.com
Tue Apr 3 17:21:14 CEST 2012
lib/Auth/LDAP.php | 24 ++++++++++---
lib/api/kolab_api_service_group.php | 35 ++++++++++++++++----
lib/api/kolab_api_service_user.php | 57 +++++++++++++++++++++++++-------
lib/kolab_client_task.php | 63 +++++++++++++++++++++++++++++++++---
4 files changed, 151 insertions(+), 28 deletions(-)
New commits:
commit 291327794ac01894ccdb6a56158db371db94574d
Merge: 20d1730 2c68d1b
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date: Tue Apr 3 17:20:58 2012 +0200
Merge branch 'master' of ssh://git.kolab.org/git/kolab-wap
commit 20d1730374316022357713234aa1aa91d21a79c8
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date: Tue Apr 3 17:19:15 2012 +0200
Implement effective_rights for the menu
Check the attributelevelrights on a per attribute level
diff --git a/lib/kolab_client_task.php b/lib/kolab_client_task.php
index 9e1f8a2..a9a38e6 100644
--- a/lib/kolab_client_task.php
+++ b/lib/kolab_client_task.php
@@ -457,10 +457,18 @@ class kolab_client_task
}
$task = $this->get_task();
-// @TODO: hide menu items according to capabilities
-// $caps = (array) $this->capabilities();
+
+ $capabilities = $this->capabilities();
foreach ($this->menu as $idx => $label) {
+ console("$task: $task, idx: $idx, label: $label");
+
+ if (in_array($task, array('user', 'group'))) {
+ if (!in_array($task . "." . $idx, $capabilities['actions'])) {
+ continue;
+ }
+ }
+
if (strpos($idx, '.')) {
$action = $idx;
$class = preg_replace('/\.[a-z_-]+$/', '', $idx);
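Review bot: The `console("$task: $task, idx: $idx, label: $label");` line added at the top of the loop is leftover debug output (its label is also mistyped: `$task:` interpolates the value twice) and should be removed before this lands. The `in_array($task . "." . $idx, $capabilities['actions'])` lookup should pass `true` as the third argument so a loosely comparable value cannot match an action name. Hiding menu entries here is a UI convenience only; the API service's `capabilities()` and its handlers remain the place where the right is actually enforced, and a one-line comment saying so above the `if` would keep the next reader from relying on it. The enclosing method starts and ends outside this hunk.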
@@ -475,7 +483,10 @@ class kolab_client_task
$class, $idx, $action, $this->translate($label));
}
- return '<ul>' . implode("\n", $menu) . '</ul>';
+ if (is_array($menu))
+ return '<ul>' . implode("\n", $menu) . '</ul>';
+ else
+ return '<ul>' . $menu . '</ul>';
}
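Review bot: The new `is_array($menu)` branch presumably exists because `$menu` is never initialised when every entry is skipped by the `continue` added earlier in the method; initialising it with `$menu = array();` before the `foreach` lets the original `return '<ul>' . implode("\n", $menu) . '</ul>';` stand on its own and removes the string branch, which can only ever produce `<ul></ul>`. The method's start is outside this hunk.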
/**
@@ -879,6 +890,10 @@ class kolab_client_task
*/
protected function form_create($name, $attribs, $sections, $fields, $fields_map, $data, $add_mode)
{
+ // Get the rights on the entry and attribute level
+ $effective_rights = $this->api->get("user.effective_rights", array($name => $data['id']))->get();
+ //console($effective_rights);
+
// Assign sections to fields
foreach ($fields as $idx => $field) {
if (!$field['section']) {
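Review bot: The effective-rights lookup is hard-wired to `user.effective_rights` even though `form_create()` receives the object type in `$name`; for a group form the service reads `$getdata['user']` (see `user_effective_rights()` in this commit), which is absent when the key is `group`, so the lookup likely degrades to the base-DN fallback instead of the group entry. `$this->api->get($name . ".effective_rights", array($name => $data['id']))` fixes the client side, but the group service exposes no `effective_rights` handler yet, so that has to be added alongside. The result is also used unchecked: if the call fails, `$effective_rights` has no `attributeLevelRights`/`entryLevelRights` keys and every later `array_key_exists`/`in_array` emits a warning; it fails closed (fields end up disabled), but casting with `(array)` or checking for an error explicitly, plus a comment stating that missing rights mean read-only, would make that intent visible. This method starts before and ends after the hunk.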
@@ -934,6 +949,7 @@ class kolab_client_task
$field['value'] = implode("\n", $field['value']);
}
}
+
/*
if (!empty($field['suffix'])) {
$field['suffix'] = kolab_html::escape($this->translate($field['suffix']));
@@ -962,6 +978,45 @@ class kolab_client_task
$field['name'] = $idx;
}
+ if (empty($field['disabled'])) {
+ if (!array_key_exists($field['name'], $effective_rights['attributeLevelRights'])) {
+ // If the entry level rights contain 'add' and 'delete', well, you're an admin
+ if (
+ in_array('add', $effective_rights['entryLevelRights']) &&
+ in_array('delete', $effective_rights['entryLevelRights'])
+ ) {
+ $field['disabled'] = false;
+ } else {
+ $field['disabled'] = true;
+ }
+ } else {
+ if (!in_array('write', $effective_rights['attributeLevelRights'][$field['name']])) {
+ //console("no write on " . $field['name']);
+ $field['disabled'] = true;
+ } /* else {
+ console("write on " . $field['name']);
+ } */
+
+ }
+
+ // Some fields are special, such as the 'userpassword2' field
+ switch ($field['name']) {
+ case "userpassword2":
+ if (!array_key_exists('userpassword', $effective_rights['attributeLevelRights'])) {
+ $field['disabled'] = true;
+ } elseif (!in_array('write', $effective_rights['attributeLevelRights']['userpassword'])) {
+ $field['disabled'] = true;
+ } else {
+ $field['disabled'] = false;
+ }
+
+ break;
+ default:
+ break;
+ }
+
+ }
+
if (!empty($field['required']) && empty($field['readonly']) && empty($field['disabled'])) {
$req_fields[] = $idx;
}
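Review bot: The fallback at the top of the new block enables any attribute that is missing from `attributeLevelRights` whenever the entry-level rights include both `add` and `delete`, which infers write access rather than reading it; if I read the effective-rights control correctly it only reports attributes the search asked for, so requesting the form's attribute names (or `*`) in the `ldapsearch` call and failing closed here with `$field['disabled'] = true;` would remove the guess. Whichever way it goes, a comment such as `// UI hint only: the API and LDAP ACIs are what actually refuse a write to this attribute` belongs above the block, because a disabled input is trivially re-enabled in the browser. The `in_array('write', ...)` calls should pass `true` as the third argument. The method continues beyond the hunk.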
@@ -979,7 +1034,7 @@ class kolab_client_task
'onclick' => "kadm.{$name}_save()",
));
- if (!empty($data['id'])) {
+ if (!empty($data['id']) && in_array('delete', $effective_rights['entryLevelRights'])) {
$id = $data['id'];
$form->add_button(array(
'value' => kolab_html::escape($this->translate('delete.button')),
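Review bot: Gating the delete button on `in_array('delete', $effective_rights['entryLevelRights'])` is a UI hint only; the `user.delete`/`group.delete` API handlers have to refuse the request themselves when the bound DN lacks that right, since nothing stops a client from calling them directly, and I cannot see from this commit that they do. Pass `true` as the third `in_array` argument, and add a comment along the lines of `// Hidden, not enforced: the API must check the entry-level delete right itself`. The method ends outside this hunk.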
commit 0e91ad0bbb503d37183e1c8b0cc24a11b5b8c6d4
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date: Tue Apr 3 17:18:51 2012 +0200
Implement effective_rights for users
diff --git a/lib/api/kolab_api_service_user.php b/lib/api/kolab_api_service_user.php
index cbf815c..868374d 100644
--- a/lib/api/kolab_api_service_user.php
+++ b/lib/api/kolab_api_service_user.php
@@ -37,16 +37,39 @@ class kolab_api_service_user extends kolab_api_service
*/
public function capabilities($domain)
{
- return array(
- 'add' => 'w',
- 'delete' => 'w',
- 'edit' => 'w',
-// 'find' => 'r',
-// 'find_by_any_attribute' => 'r',
-// 'find_by_attribute' => 'r',
-// 'find_by_attributes' => 'r',
- 'info' => 'r',
- );
+ //console("kolab_api_service_group::capabilities");
+
+ $auth = Auth::get_instance();
+
+ $effective_rights = $auth->list_rights('group');
+
+ //console("effective_rights", $effective_rights);
+
+ $rights = array();
+
+ if (in_array('add', $effective_rights['entryLevelRights'])) {
+ $rights['add'] = "w";
+ }
+
+ if (in_array('delete', $effective_rights['entryLevelRights'])) {
+ $rights['delete'] = "w";
+ }
+
+ if (in_array('modrdn', $effective_rights['entryLevelRights'])) {
+ $rights['edit'] = "w";
+ }
+
+ if (in_array('read', $effective_rights['entryLevelRights'])) {
+ $rights['find'] = "r";
+ $rights['find_by_any_attribute'] = "r";
+ $rights['find_by_attribute'] = "r";
+ $rights['find_by_attributes'] = "r";
+ $rights['info'] = "r";
+ }
+
+ $rights['effective_rights'] = "r";
+
+ return $rights;
}
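Review bot: `capabilities()` in the user service calls `$auth->list_rights('group')`, so the user add/delete/edit capabilities are derived from the caller's rights on the group subject; the commented-out console line still reads `kolab_api_service_group::capabilities`, which suggests a copy-paste, and the line should be `$effective_rights = $auth->list_rights('user');`. `edit` is keyed on `modrdn`, which is the right to rename an entry rather than to modify its attributes, so a caller who can write attributes but not rename sees no edit action and vice versa; if that mapping is intended it deserves a comment, otherwise deriving `edit` from a `write` in the attribute-level rights would match what `user.edit` does. `$rights['effective_rights'] = "r"` is granted unconditionally, which is acceptable only because the call reports the caller's own rights, and that rationale should be stated next to it. All `in_array` calls should pass `true` as the third argument.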
/**
@@ -59,9 +82,11 @@ class kolab_api_service_user extends kolab_api_service
*/
public function user_add($getdata, $postdata)
{
- console("user_add()", $postdata);
+ //console("user_add()", $postdata);
+
$user_attributes = $this->parse_input_attributes('user', $postdata);
- console("user_add()", $user_attributes);
+
+ //console("user_add()", $user_attributes);
$auth = Auth::get_instance();
$result = $auth->user_add($user_attributes, $postdata['type_id']);
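Review bot: The two `console("user_add()", ...)` calls are only commented out; `$postdata` for user.add presumably carries the clear-text `userpassword` (the form in this commit has `userpassword`/`userpassword2` fields), so re-enabling them for a quick debug session writes passwords to the log. Delete the commented lines rather than leaving them, or if a trace is genuinely needed log `array_keys($postdata)` instead. The method continues beyond the hunk.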
@@ -117,6 +142,14 @@ class kolab_api_service_user extends kolab_api_service
return false;
}
+
+ public function user_effective_rights($getdata, $postdata)
+ {
+ $auth = Auth::get_instance();
+ $effective_rights = $auth->list_rights($getdata['user']);
+ return $effective_rights;
+ }
+
/**
* User information.
*
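Review bot: `user_effective_rights()` passes `$getdata['user']` straight from the request into `list_rights()` with no presence check and no documentation; downstream, `effective_rights()` resolves it to a DN and places that DN on an `exec()`'d `ldapsearch` command line (see lib/Auth/LDAP.php in this commit), so this is a request parameter that ends up shell-adjacent. Return early when it is missing, in line with the other handlers, `if (empty($getdata['user'])) { return false; }`, and add a docblock stating that `$getdata['user']` names the user entry (identifier or DN) and that the result is the bound session user's rights on that entry, not the named user's rights.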
commit ecea24827823a8159ee6d595a15bba1580c218e0
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date: Tue Apr 3 17:18:15 2012 +0200
Implement capabilities based on effective_rights for groups
diff --git a/lib/api/kolab_api_service_group.php b/lib/api/kolab_api_service_group.php
index 9b9c076..22bd2fd 100644
--- a/lib/api/kolab_api_service_group.php
+++ b/lib/api/kolab_api_service_group.php
@@ -37,13 +37,34 @@ class kolab_api_service_group extends kolab_api_service
*/
public function capabilities($domain)
{
- return array(
- 'add' => 'w',
- 'delete' => 'w',
- 'edit' => 'w',
- 'info' => 'r',
- 'members_list' => 'r',
- );
+ //console("kolab_api_service_group::capabilities");
+
+ $auth = Auth::get_instance();
+
+ $effective_rights = $auth->list_rights('group');
+
+ //console("effective_rights", $effective_rights);
+
+ $rights = array();
+
+ if (in_array('add', $effective_rights['entryLevelRights'])) {
+ $rights['add'] = "w";
+ }
+
+ if (in_array('delete', $effective_rights['entryLevelRights'])) {
+ $rights['delete'] = "w";
+ }
+
+ if (in_array('modrdn', $effective_rights['entryLevelRights'])) {
+ $rights['edit'] = "w";
+ }
+
+ if (in_array('read', $effective_rights['entryLevelRights'])) {
+ $rights['info'] = "r";
+ $rights['members_list'] = "r";
+ }
+
+ return $rights;
}
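Review bot: `edit` is derived from the `modrdn` entry-level right, which as far as I know is the right to rename an entry, not to write its attributes; unless that equivalence is intended (and then it should be commented), deriving `edit` from a `write` in the attribute-level rights would match what `group.edit` actually does. Unlike the user service in this commit, no `effective_rights` capability is advertised here and no `group_effective_rights()` handler exists, so a client cannot ask for per-attribute rights on a group; both are needed if the form code is to use them. Pass `true` as the third argument to the `in_array` calls.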
/**
commit 2e219db69afc0eae2ee16352f525a3fe0abec84c
Author: Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen at kolabsys.com>
Date: Tue Apr 3 17:17:39 2012 +0200
Check in effective_rights()
diff --git a/lib/Auth/LDAP.php b/lib/Auth/LDAP.php
index 102dd03..974e999 100644
--- a/lib/Auth/LDAP.php
+++ b/lib/Auth/LDAP.php
@@ -260,13 +260,23 @@ class LDAP
}
}
- public function effective_rights($subject_dn)
+ public function effective_rights($subject)
{
$attributes = array();
$output = array();
$conf = Conf::get_instance();
+ $entry_dn = $this->entry_dn($subject);
+ if (!$entry_dn) {
+ $entry_dn = $conf->get($subject . "_base_dn");
+ }
+ if (!$entry_dn) {
+ $entry_dn = $conf->get("base_dn");
+ }
+
+ //console("effective_rights for $subject resolves to $entry_dn");
+
$command = array(
// TODO: Very 64-bit specific
'/usr/lib64/mozldap/ldapsearch',
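Review bot: The new fallback chain silently resolves any `$subject` that `entry_dn()` does not recognise to `<subject>_base_dn` and finally to `base_dn`, so a typo, an unknown type or a removed entry yields the caller's rights on the whole base instead of an error, and `$subject` itself can come from a request parameter via `user_effective_rights()`. The fallbacks look intended for add-mode forms where no entry exists yet; a comment such as `// No existing entry (add mode): report rights on the container the entry would be created in` would record that, and restricting the `<subject>_base_dn` lookup to the known object types would keep request input out of config-key construction. The function continues past the hunk.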
@@ -290,12 +300,16 @@ class LDAP
'dn:' . $_SESSION['user']->user_bind_dn // User DN
)
) . '"',
- '"(entrydn=' . $subject_dn . ')"'
+ '"(entrydn=' . $entry_dn . ')"'
);
+ //console("Executing command " . implode(' ', $command));
+
exec(implode(' ', $command), $output);
+ //console("Output", $output);
+
$lines = array();
foreach ($output as $line_num => $line) {
if (substr($line, 0, 1) == " ") {
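Review bot: `$entry_dn` is dropped into a double-quoted shell word (`'"(entrydn=' . $entry_dn . ')"'`) and the whole array is `exec()`'d via `implode(' ', ...)`; a DN containing `"`, `$`, a backtick or a backslash, all legal in DNs, will break out of the quoting or be mangled, and the subject this DN was resolved from originates in a request parameter. Quote it as a single argument, `escapeshellarg('(entrydn=' . $entry_dn . ')')`, and give the bind DN in the `-E` authzid argument just above the same treatment, since it appears to be built the same way. The DN also needs RFC 4515 assertion-value escaping (`\28`, `\29`, `\2a`, `\5c`) before it goes into the filter, because a `)` in it would otherwise change the filter's meaning. The function ends outside this hunk.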
@@ -922,7 +936,7 @@ class LDAP
foreach ($attribute_values as $access_right) {
$access_right_components = explode(":", $access_right);
- $access_attribute = array_shift($access_right_components);
+ $access_attribute = strtolower(array_shift($access_right_components));
$access_value = array_shift($access_right_components);
$attribute_value[$access_attribute] = array();
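Review bot: Lower-casing the attribute name here changes the keys of the returned rights map, so every consumer must look up with lower-case names; the form code in this commit does `array_key_exists($field['name'], $effective_rights['attributeLevelRights'])` with whatever case the field definition happens to use. Record the contract on the changed line, `// LDAP attribute names are case-insensitive; callers index this map by lower-case name`, and consider lower-casing on the lookup side as well. The enclosing function starts and ends outside the hunk.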
@@ -1093,10 +1107,10 @@ class LDAP
{
if (is_array($this->sort_result_key)) {
foreach ($this->sort_result_key as $attrib) {
- if (array_key_exists($attrib, $a)) {
+ if (array_key_exists($attrib, $a) && !$str1) {
$str1 = $a[$attrib];
}
- if (array_key_exists($attrib, $b)) {
+ if (array_key_exists($attrib, $b) && !$str2) {
$str2 = $b[$attrib];
}
}
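Review bot: The new `!$str1` / `!$str2` guards keep the first matching sort key but test truthiness, so a key whose value is `"0"` or `""` is treated as unset and silently replaced by the next key in `sort_result_key`; `!isset($str1)` (with `$str1 = $str2 = null;` before the loop, if that is not already done above the hunk) compares on the value actually present. A comment such as `// use the first sort key present in each entry` would make the intent of the change explicit. The comparator starts and ends outside this hunk.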