mirror of
https://gitlab.easter-eggs.com/ee/ldapsaisie.git
synced 2024-11-18 16:19:06 +01:00
LSsession: Fix relationCanAccess() method and add debuging infos
parent
841b3d0bcf
commit
305d7447ff
1 changed files with 19 additions and 10 deletions
|
@ -2146,16 +2146,16 @@ class LSsession {
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Retourne le droit de l'utilisateur à accèder à un objet
|
* Return user access right to access to specify LSobject
|
||||||
*
|
*
|
||||||
* @param[in] string $LSobject Le type de l'objet
|
* @param[in] $LSobject string The LSobject type
|
||||||
* @param[in] string $dn Le DN de l'objet (le container_dn du type de l'objet par défaut)
|
* @param[in] $dn string The LSobject DN (optional, default: the container_dn of the LSobject type)
|
||||||
* @param[in] string $right Le type de droit d'accès à tester ('r'/'w')
|
* @param[in] $right string The requested access right ('r' or 'w', optional, default: 'r' or 'w')
|
||||||
* @param[in] string $attr Le nom de l'attribut auquel on test l'accès
|
* @param[in] $attr string The requested attribute name (optional, default: any)
|
||||||
*
|
*
|
||||||
* @retval boolean True si l'utilisateur a accès, false sinon
|
* @retval boolean True is user can access to the specify LSobject, False otherwise
|
||||||
*/
|
*/
|
||||||
public static function canAccess($LSobject,$dn=NULL,$right=NULL,$attr=NULL) {
|
public static function canAccess($LSobject, $dn=NULL, $right=NULL, $attr=NULL) {
|
||||||
if (!self :: loadLSobject($LSobject)) {
|
if (!self :: loadLSobject($LSobject)) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
@ -2166,7 +2166,7 @@ class LSsession {
|
||||||
|
|
||||||
if ($dn) {
|
if ($dn) {
|
||||||
$whoami = self :: whoami($dn);
|
$whoami = self :: whoami($dn);
|
||||||
if ($dn==self :: getLSuserObject() -> getValue('dn')) {
|
if ($dn == self :: getLSuserObject() -> getValue('dn')) {
|
||||||
if (!self :: in_menu('SELF')) {
|
if (!self :: in_menu('SELF')) {
|
||||||
self :: log_trace("canAccess('$LSobject', '$dn', '$right', '$attr'): SELF not in menu");
|
self :: log_trace("canAccess('$LSobject', '$dn', '$right', '$attr'): SELF not in menu");
|
||||||
return;
|
return;
|
||||||
|
@ -2202,10 +2202,12 @@ class LSsession {
|
||||||
foreach($whoami as $who) {
|
foreach($whoami as $who) {
|
||||||
$nr = LSconfig :: get('LSobjects.'.$LSobject.'.attrs.'.$attr.'.rights.'.$who);
|
$nr = LSconfig :: get('LSobjects.'.$LSobject.'.attrs.'.$attr.'.rights.'.$who);
|
||||||
if($nr == 'w') {
|
if($nr == 'w') {
|
||||||
|
self :: log_trace("canAccess('$LSobject', '$dn', '$right', '$attr'): grant WRITE access via LSprofile '$who'.");
|
||||||
$r = 'w';
|
$r = 'w';
|
||||||
}
|
}
|
||||||
else if($nr == 'r') {
|
else if($nr == 'r') {
|
||||||
if ($r=='n') {
|
if ($r=='n') {
|
||||||
|
self :: log_trace("canAccess('$LSobject', '$dn', '$right', '$attr'): grant READ access via LSprofile '$who'.");
|
||||||
$r='r';
|
$r='r';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -2316,36 +2318,43 @@ class LSsession {
|
||||||
*/
|
*/
|
||||||
public static function relationCanAccess($dn,$LSobject,$relationName,$right=NULL) {
|
public static function relationCanAccess($dn,$LSobject,$relationName,$right=NULL) {
|
||||||
$relConf=LSconfig :: get('LSobjects.'.$LSobject.'.LSrelation.'.$relationName);
|
$relConf=LSconfig :: get('LSobjects.'.$LSobject.'.LSrelation.'.$relationName);
|
||||||
if (!is_array($relConf))
|
if (!is_array($relConf)) {
|
||||||
|
self :: log_trace("relationCanAccess($dn,$LSobject,$relationName,$right): unknown relation");
|
||||||
return;
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
// Access always granted in CLI mode
|
// Access always granted in CLI mode
|
||||||
if (php_sapi_name() == "cli")
|
if (php_sapi_name() == "cli")
|
||||||
return true;
|
return true;
|
||||||
|
|
||||||
$whoami = self :: whoami($dn);
|
$whoami = self :: whoami($dn);
|
||||||
|
self :: log_trace("relationCanAccess($dn,$LSobject,$relationName,$right): whoami = ".varDump($whoami));
|
||||||
|
|
||||||
if (($right=='w') || ($right=='r')) {
|
if (($right=='w') || ($right=='r')) {
|
||||||
$r = 'n';
|
$r = 'n';
|
||||||
foreach($whoami as $who) {
|
foreach($whoami as $who) {
|
||||||
$nr = ((isset($relConf['rights'][$who]))?$relConf['rights'][$who]:'');
|
$nr = ((isset($relConf['rights'][$who]))?$relConf['rights'][$who]:'');
|
||||||
if($nr == 'w') {
|
if($nr == 'w') {
|
||||||
|
self :: log_trace("relationCanAccess($dn,$LSobject,$relationName,$right): grant WRITE access via LSprofile '$who'.");
|
||||||
$r = 'w';
|
$r = 'w';
|
||||||
}
|
}
|
||||||
else if($nr == 'r') {
|
else if($nr == 'r') {
|
||||||
if ($r=='n') {
|
if ($r=='n') {
|
||||||
|
self :: log_trace("relationCanAccess($dn,$LSobject,$relationName,$right): grant READ access via LSprofile '$who'.");
|
||||||
$r='r';
|
$r='r';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
self :: log_trace("relationCanAccess($dn,$LSobject,$relationName,$right): right detected = '$r'");
|
||||||
|
|
||||||
if ($r == $right) {
|
if (self :: checkRight($right, $r)) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
foreach($whoami as $who) {
|
foreach($whoami as $who) {
|
||||||
if ((isset($relConf['rights'][$who])) && ( ($relConf['rights'][$who] == 'w') || ($relConf['rights'][$who] == 'r') ) ) {
|
if ((isset($relConf['rights'][$who])) && ( ($relConf['rights'][$who] == 'w') || ($relConf['rights'][$who] == 'r') ) ) {
|
||||||
|
self :: log_trace("relationCanAccess($dn,$LSobject,$relationName,$right): granted via LSprofile '$who'.");
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
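Review bot: The replacement of `$r == $right` with `self :: checkRight($right, $r)` near the end of the relationCanAccess() hunk is the authorization decision itself, and whether it is correct depends on checkRight()'s parameter order and semantics, which this diff does not show. If the helper expects the arguments the other way round, a profile that only holds 'r' could satisfy a 'w' request, so the call should be checked against the definition and covered by a test for the three cases (same right, 'r' requested with 'w' held, 'w' requested with 'r' held); a comment at the call such as `// requested right first, detected right second` would document the order once confirmed. The added log_trace() calls in this function interpolate `$dn`, `$LSobject`, `$relationName` and `$right` without quotes, while canAccess() logs them as `'$LSobject', '$dn', ...`; quoting them the same way, and stripping CR/LF if any of them can come from a request, keeps trace lines unambiguous. relationCanAccess() continues past the end of the hunk.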