LSsession: Fix relationCanAccess() method and add debuging infos

This commit is contained in:
Benjamin Renard 2021-02-03 12:44:38 +01:00
parent 841b3d0bcf
commit 305d7447ff

View file

@ -2146,16 +2146,16 @@ class LSsession {
} }
/** /**
* Retourne le droit de l'utilisateur à accèder à un objet * Return user access right to access to specify LSobject
* *
* @param[in] string $LSobject Le type de l'objet * @param[in] $LSobject string The LSobject type
* @param[in] string $dn Le DN de l'objet (le container_dn du type de l'objet par défaut) * @param[in] $dn string The LSobject DN (optional, default: the container_dn of the LSobject type)
* @param[in] string $right Le type de droit d'accès à tester ('r'/'w') * @param[in] $right string The requested access right ('r' or 'w', optional, default: 'r' or 'w')
* @param[in] string $attr Le nom de l'attribut auquel on test l'accès * @param[in] $attr string The requested attribute name (optional, default: any)
* *
* @retval boolean True si l'utilisateur a accès, false sinon * @retval boolean True is user can access to the specify LSobject, False otherwise
*/ */
public static function canAccess($LSobject,$dn=NULL,$right=NULL,$attr=NULL) { public static function canAccess($LSobject, $dn=NULL, $right=NULL, $attr=NULL) {
if (!self :: loadLSobject($LSobject)) { if (!self :: loadLSobject($LSobject)) {
return; return;
} }
@ -2166,7 +2166,7 @@ class LSsession {
if ($dn) { if ($dn) {
$whoami = self :: whoami($dn); $whoami = self :: whoami($dn);
if ($dn==self :: getLSuserObject() -> getValue('dn')) { if ($dn == self :: getLSuserObject() -> getValue('dn')) {
if (!self :: in_menu('SELF')) { if (!self :: in_menu('SELF')) {
self :: log_trace("canAccess('$LSobject', '$dn', '$right', '$attr'): SELF not in menu"); self :: log_trace("canAccess('$LSobject', '$dn', '$right', '$attr'): SELF not in menu");
return; return;
@ -2202,10 +2202,12 @@ class LSsession {
foreach($whoami as $who) { foreach($whoami as $who) {
$nr = LSconfig :: get('LSobjects.'.$LSobject.'.attrs.'.$attr.'.rights.'.$who); $nr = LSconfig :: get('LSobjects.'.$LSobject.'.attrs.'.$attr.'.rights.'.$who);
if($nr == 'w') { if($nr == 'w') {
self :: log_trace("canAccess('$LSobject', '$dn', '$right', '$attr'): grant WRITE access via LSprofile '$who'.");
$r = 'w'; $r = 'w';
} }
else if($nr == 'r') { else if($nr == 'r') {
if ($r=='n') { if ($r=='n') {
self :: log_trace("canAccess('$LSobject', '$dn', '$right', '$attr'): grant READ access via LSprofile '$who'.");
$r='r'; $r='r';
} }
} }
@ -2316,36 +2318,43 @@ class LSsession {
*/ */
public static function relationCanAccess($dn,$LSobject,$relationName,$right=NULL) { public static function relationCanAccess($dn,$LSobject,$relationName,$right=NULL) {
$relConf=LSconfig :: get('LSobjects.'.$LSobject.'.LSrelation.'.$relationName); $relConf=LSconfig :: get('LSobjects.'.$LSobject.'.LSrelation.'.$relationName);
if (!is_array($relConf)) if (!is_array($relConf)) {
self :: log_trace("relationCanAccess($dn,$LSobject,$relationName,$right): unknown relation");
return; return;
}
// Access always granted in CLI mode // Access always granted in CLI mode
if (php_sapi_name() == "cli") if (php_sapi_name() == "cli")
return true; return true;
$whoami = self :: whoami($dn); $whoami = self :: whoami($dn);
self :: log_trace("relationCanAccess($dn,$LSobject,$relationName,$right): whoami = ".varDump($whoami));
if (($right=='w') || ($right=='r')) { if (($right=='w') || ($right=='r')) {
$r = 'n'; $r = 'n';
foreach($whoami as $who) { foreach($whoami as $who) {
$nr = ((isset($relConf['rights'][$who]))?$relConf['rights'][$who]:''); $nr = ((isset($relConf['rights'][$who]))?$relConf['rights'][$who]:'');
if($nr == 'w') { if($nr == 'w') {
self :: log_trace("relationCanAccess($dn,$LSobject,$relationName,$right): grant WRITE access via LSprofile '$who'.");
$r = 'w'; $r = 'w';
} }
else if($nr == 'r') { else if($nr == 'r') {
if ($r=='n') { if ($r=='n') {
self :: log_trace("relationCanAccess($dn,$LSobject,$relationName,$right): grant READ access via LSprofile '$who'.");
$r='r'; $r='r';
} }
} }
} }
self :: log_trace("relationCanAccess($dn,$LSobject,$relationName,$right): right detected = '$r'");
if ($r == $right) { if (self :: checkRight($right, $r)) {
return true; return true;
} }
} }
else { else {
foreach($whoami as $who) { foreach($whoami as $who) {
if ((isset($relConf['rights'][$who])) && ( ($relConf['rights'][$who] == 'w') || ($relConf['rights'][$who] == 'r') ) ) { if ((isset($relConf['rights'][$who])) && ( ($relConf['rights'][$who] == 'w') || ($relConf['rights'][$who] == 'r') ) ) {
self :: log_trace("relationCanAccess($dn,$LSobject,$relationName,$right): granted via LSprofile '$who'.");
return true; return true;
} }
} }