lib/api
Aleksander Machniak
machniak at kolabsys.com
Wed Oct 3 13:58:29 CEST 2012
lib/api/kolab_api_service_type.php | 38 +++++++++++++++++++++++--------------
1 file changed, 24 insertions(+), 14 deletions(-)
New commits:
commit 023af17a800c604eabcb3d891abfd6e6c9344e13
Author: Aleksander Machniak <alec at alec.pl>
Date: Wed Oct 3 13:57:41 2012 +0200
Better effective rights checking, also do checks before executing any SQL queries
diff --git a/lib/api/kolab_api_service_type.php b/lib/api/kolab_api_service_type.php
index e6c56a1..0c47c89 100644
--- a/lib/api/kolab_api_service_type.php
+++ b/lib/api/kolab_api_service_type.php
@@ -37,16 +37,16 @@ class kolab_api_service_type extends kolab_api_service
*/
public function capabilities($domain)
{
- $auth = Auth::get_instance();
+ $effective_rights = $this->type_effective_rights();
+ $rights = array();
- //$effective_rights = $auth->list_rights('user');
-
- $rights = array();
-
- // @TODO: set rights according to user group or sth
- if ($_SESSION['user']->get_userid() == 'cn=Directory Manager') {
+ if (in_array('add', (array)$effective_rights['entryLevelRights'])) {
$rights['add'] = "w";
+ }
+ if (in_array('delete', (array)$effective_rights['entryLevelRights'])) {
$rights['delete'] = "w";
+ }
+ if (in_array('modrdn', (array)$effective_rights['entryLevelRights'])) {
$rights['edit'] = "w";
}
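Review bot: The new add/delete/edit gating on L29–L36 is only as strong as type_effective_rights(), and in this same commit that method still returns a constant entryLevelRights of read/add/delete/modrdn for every caller (the @TODO stub on L80–L86), so capabilities() now reports every authenticated user as able to add, delete and edit types, whereas the removed check on L28 granted that only to `cn=Directory Manager`. Until the real rights lookup exists, either the stub should fail closed or this method should keep the Directory Manager guard in addition to the new checks. The three `in_array` calls should also pass `true` as the third argument, e.g. `in_array('add', (array)$effective_rights['entryLevelRights'], true)`, so loose comparison cannot match unexpected values. capabilities() continues past the end of this hunk.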
@@ -78,7 +78,10 @@ class kolab_api_service_type extends kolab_api_service
return false;
}
- // @TODO: check privileges
+ $effective_rights = $this->type_effective_rights();
+ if (!in_array('add', (array)$effective_rights['entryLevelRights'])) {
+ return false;
+ }
$type = $postdata['type'];
$query = array(
@@ -128,10 +131,13 @@ class kolab_api_service_type extends kolab_api_service
return false;
}
- $object_name = $postdata['type'];
- $object_id = $postdata['id'];
+ $object_name = $postdata['type'];
+ $object_id = $postdata['id'];
+ $effective_rights = $this->type_effective_rights();
- // @TODO: check privileges
+ if (!in_array('delete', (array)$effective_rights['entryLevelRights'])) {
+ return false;
+ }
$this->db->query("DELETE FROM {$object_name}_types WHERE id = " . intval($object_id));
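Review bot: The DELETE on L60 interpolates `$object_name`, taken straight from `$postdata['type']` on L53, into the table name, and only `$object_id` is protected by intval(); unless the early `return false` on L49 already validates `type` against the supported object types, a caller can steer the statement at any `*_types` table or inject into it. Validate the type before it reaches SQL, e.g. `if (!preg_match('/^[a-z_]+$/', $object_name)) { return false; }` next to the new rights check, or better map it through a fixed whitelist of supported types. The new delete-right check is correctly placed before the query, but it inherits the weakness that type_effective_rights() currently grants delete to everyone. The enclosing method starts and ends outside this hunk.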
@@ -160,7 +166,11 @@ class kolab_api_service_type extends kolab_api_service
return false;
}
- // @TODO: check privileges
+ $effective_rights = $this->type_effective_rights();
+ if (!in_array('modrdn', (array)$effective_rights['entryLevelRights'])) {
+ return false;
+ }
+
$type = $postdata['type'];
$query = array(
'key' => $postdata['key'],
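Review bot: The edit path on L66 is gated on the `modrdn` right, but the operation it protects rewrites an existing entry's key/value (L72 onward); if the stub's right names are meant to mirror LDAP entry-level rights, `modrdn` denotes a rename and `write` would be the closer fit, which this commit swapped out of the stub on L85–L86. Either keep `write` in type_effective_rights() and check it here, or document the mapping next to the check, e.g. `// 'modrdn' is used as the edit right for types; see type_effective_rights()`. The enclosing method starts and ends outside this hunk.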
@@ -190,7 +200,7 @@ class kolab_api_service_type extends kolab_api_service
return $postdata;
}
- public function type_effective_rights($getdata, $postdata)
+ public function type_effective_rights($getdata = null, $postdata = null)
{
$effective_rights = array();
// @TODO: set rights according to user group or sth
@@ -198,7 +208,7 @@ class kolab_api_service_type extends kolab_api_service
$attr_acl = array('read', 'write', 'delete');
$effective_rights = array(
'entryLevelRights' => array(
- 'read', 'add', 'delete', 'write',
+ 'read', 'add', 'delete', 'modrdn',
),
'attributeLevelRights' => array(
'key' => $attr_acl,
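Review bot: type_effective_rights() is now the single authority for every privilege check in this file, yet it still returns a constant read/add/delete/modrdn set on L86 regardless of who is calling, with the @TODO on L80 as the only acknowledgement; a placeholder authorisation source should deny by default rather than grant everything. Until the real lookup is wired in, reproduce the guard this commit removed from capabilities(), e.g. `if ($_SESSION['user']->get_userid() != 'cn=Directory Manager') { return array('entryLevelRights' => array(), 'attributeLevelRights' => array()); }` at the top of the method, so non-administrators fail closed. Note also that the hard-coded list dropped `write` in favour of `modrdn`, so any caller still testing for `write` will now be denied. The method's body continues past the end of this hunk.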