LSsession: Fix relationCanAccess() method and add debuging infos

This commit is contained in:
Benjamin Renard 2021-02-03 12:44:38 +01:00
parent 841b3d0bcf
commit 305d7447ff

View file

@ -2146,16 +2146,16 @@ class LSsession {
}
/**
* Retourne le droit de l'utilisateur à accèder à un objet
* Return user access right to access to specify LSobject
*
* @param[in] string $LSobject Le type de l'objet
* @param[in] string $dn Le DN de l'objet (le container_dn du type de l'objet par défaut)
* @param[in] string $right Le type de droit d'accès à tester ('r'/'w')
* @param[in] string $attr Le nom de l'attribut auquel on test l'accès
* @param[in] $LSobject string The LSobject type
* @param[in] $dn string The LSobject DN (optional, default: the container_dn of the LSobject type)
* @param[in] $right string The requested access right ('r' or 'w', optional, default: 'r' or 'w')
* @param[in] $attr string The requested attribute name (optional, default: any)
*
* @retval boolean True si l'utilisateur a accès, false sinon
* @retval boolean True is user can access to the specify LSobject, False otherwise
*/
public static function canAccess($LSobject,$dn=NULL,$right=NULL,$attr=NULL) {
public static function canAccess($LSobject, $dn=NULL, $right=NULL, $attr=NULL) {
if (!self :: loadLSobject($LSobject)) {
return;
}
@ -2166,7 +2166,7 @@ class LSsession {
if ($dn) {
$whoami = self :: whoami($dn);
if ($dn==self :: getLSuserObject() -> getValue('dn')) {
if ($dn == self :: getLSuserObject() -> getValue('dn')) {
if (!self :: in_menu('SELF')) {
self :: log_trace("canAccess('$LSobject', '$dn', '$right', '$attr'): SELF not in menu");
return;
@ -2202,10 +2202,12 @@ class LSsession {
foreach($whoami as $who) {
$nr = LSconfig :: get('LSobjects.'.$LSobject.'.attrs.'.$attr.'.rights.'.$who);
if($nr == 'w') {
self :: log_trace("canAccess('$LSobject', '$dn', '$right', '$attr'): grant WRITE access via LSprofile '$who'.");
$r = 'w';
}
else if($nr == 'r') {
if ($r=='n') {
self :: log_trace("canAccess('$LSobject', '$dn', '$right', '$attr'): grant READ access via LSprofile '$who'.");
$r='r';
}
}
@ -2316,36 +2318,43 @@ class LSsession {
*/
public static function relationCanAccess($dn,$LSobject,$relationName,$right=NULL) {
$relConf=LSconfig :: get('LSobjects.'.$LSobject.'.LSrelation.'.$relationName);
if (!is_array($relConf))
if (!is_array($relConf)) {
self :: log_trace("relationCanAccess($dn,$LSobject,$relationName,$right): unknown relation");
return;
}
// Access always granted in CLI mode
if (php_sapi_name() == "cli")
return true;
$whoami = self :: whoami($dn);
self :: log_trace("relationCanAccess($dn,$LSobject,$relationName,$right): whoami = ".varDump($whoami));
if (($right=='w') || ($right=='r')) {
$r = 'n';
foreach($whoami as $who) {
$nr = ((isset($relConf['rights'][$who]))?$relConf['rights'][$who]:'');
if($nr == 'w') {
self :: log_trace("relationCanAccess($dn,$LSobject,$relationName,$right): grant WRITE access via LSprofile '$who'.");
$r = 'w';
}
else if($nr == 'r') {
if ($r=='n') {
self :: log_trace("relationCanAccess($dn,$LSobject,$relationName,$right): grant READ access via LSprofile '$who'.");
$r='r';
}
}
}
self :: log_trace("relationCanAccess($dn,$LSobject,$relationName,$right): right detected = '$r'");
if ($r == $right) {
if (self :: checkRight($right, $r)) {
return true;
}
}
else {
foreach($whoami as $who) {
if ((isset($relConf['rights'][$who])) && ( ($relConf['rights'][$who] == 'w') || ($relConf['rights'][$who] == 'r') ) ) {
self :: log_trace("relationCanAccess($dn,$LSobject,$relationName,$right): granted via LSprofile '$who'.");
return true;
}
}