From bf209ccd04350a115bdf483eb602604f0f36a805 Mon Sep 17 00:00:00 2001 From: Benjamin Renard Date: Wed, 11 Nov 2009 20:00:59 +0000 Subject: [PATCH] LSrelation : Fix the bug that permit to change relation with object that user can't modify --- .../LSobjects/config.LSobjects.LScompany.php | 1 - .../LSobjects/config.LSobjects.LSgroup.php | 2 +- .../LSobjects/config.LSobjects.LSpeople.php | 6 ++-- trunk/conf/config.inc.php | 5 ++++ trunk/includes/class/class.LSldapObject.php | 30 +++++++++++++++---- .../class/class.LSobjects.LSgroup.php | 18 +++++++++-- trunk/includes/class/class.LSrelation.php | 28 +++++++++++++++-- trunk/includes/js/LSrelation.js | 2 +- trunk/templates/default/LSrelations.tpl | 2 +- 9 files changed, 77 insertions(+), 17 deletions(-) diff --git a/trunk/conf/LSobjects/config.LSobjects.LScompany.php b/trunk/conf/LSobjects/config.LSobjects.LScompany.php index 845d31dd..3261098d 100644 --- a/trunk/conf/LSobjects/config.LSobjects.LScompany.php +++ b/trunk/conf/LSobjects/config.LSobjects.LScompany.php @@ -26,7 +26,6 @@ $GLOBALS['LSobjects']['LScompany'] = array ( 'lscompany' ), 'rdn' => 'ou', - 'orderby' => 'displayName', // possible cases : 'displayName' ou 'subDn' 'container_dn' => 'ou=companies', 'display_name_format' => '%{ou}', 'label' => 'Companies', diff --git a/trunk/conf/LSobjects/config.LSobjects.LSgroup.php b/trunk/conf/LSobjects/config.LSobjects.LSgroup.php index a87ea9b2..2c630218 100644 --- a/trunk/conf/LSobjects/config.LSobjects.LSgroup.php +++ b/trunk/conf/LSobjects/config.LSobjects.LSgroup.php @@ -26,7 +26,6 @@ $GLOBALS['LSobjects']['LSgroup'] = array ( 'posixGroup' ), 'rdn' => 'cn', - 'orderby' => 'displayName', // Valeurs possibles : 'displayName' ou 'subDn' 'container_dn' => 'ou=groups', 'container_auto_create' => array( 'objectclass' => array( @@ -121,6 +120,7 @@ $GLOBALS['LSobjects']['LSgroup'] = array ( 'view' => 1, 'rights' => array( 'admin' => 'w', + 'admingroup' => 'w', 'godfather' => 'w' ), 'form' => array ( 
diff --git a/trunk/conf/LSobjects/config.LSobjects.LSpeople.php b/trunk/conf/LSobjects/config.LSobjects.LSpeople.php index 4276d221..da0ab18d 100644 --- a/trunk/conf/LSobjects/config.LSobjects.LSpeople.php +++ b/trunk/conf/LSobjects/config.LSobjects.LSpeople.php @@ -27,7 +27,6 @@ $GLOBALS['LSobjects']['LSpeople'] = array ( 'posixAccount', 'sambaSamAccount', ), - 'orderby' => 'displayName', // Valeurs possibles : 'displayName' ou 'subDn' 'rdn' => 'uid', 'container_dn' => 'ou=people', @@ -59,9 +58,12 @@ $GLOBALS['LSobjects']['LSpeople'] = array ( 'update_function' => 'updateUserGroups', 'remove_function' => 'deleteOneMember', 'rename_function' => 'renameOneMember', + 'canEdit_function' => 'canEditGroupRelation', + 'canEdit_attribute' => 'uniqueMember', 'rights' => array( 'self' => 'r', - 'admin' => 'w' + 'admin' => 'w', + 'admingroup' => 'w' ) ) ), diff --git a/trunk/conf/config.inc.php b/trunk/conf/config.inc.php index c2c43616..f404cb20 100644 --- a/trunk/conf/config.inc.php +++ b/trunk/conf/config.inc.php @@ -122,6 +122,11 @@ $GLOBALS['LSconfig'] = array( 'LSobject' => 'LSgroup' ) ) + ), + 'admingroup' => array ( + 'ou=company1,ou=companies,o=ls' => array ( + 'uid=user1,ou=people,ou=company1,ou=companies,o=ls' => NULL + ) ) ), 'authObjectType' => 'LSpeople', diff --git a/trunk/includes/class/class.LSldapObject.php b/trunk/includes/class/class.LSldapObject.php index d0bdc310..edab0d5f 100644 --- a/trunk/includes/class/class.LSldapObject.php +++ b/trunk/includes/class/class.LSldapObject.php 
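Review bot: The new `'admingroup'` entry in `config.inc.php` ties the profile to the literal DN `uid=user1,ou=people,ou=company1,ou=companies,o=ls` with no comment marking it as sample data, while the LSgroup and LSpeople configs in this commit give that profile `'w'`. If this file serves as the starting configuration, a comment above the entry such as `// Example: DN(s) allowed to administer groups under this branch; replace before deployment` would make the intent clear. The enclosing array starts outside the hunk, so the key this entry belongs to is not visible here.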
@@ -1493,15 +1493,23 @@ class LSldapObject { * @param[in] $attrValue La valeur que doit avoir l'attribut : * - soit le dn (par defaut) * - soit la valeur [0] d'un attribut + * @param[in] $canEditFunction Le nom de la fonction pour vérifier que la + * relation avec l'objet est éditable par le user * * @retval boolean true si l'objet à été ajouté, False sinon **/ - function addOneObjectInRelation($object,$attr,$objectType,$attrValue='dn') { + function addOneObjectInRelation($object,$attr,$objectType,$attrValue='dn',$canEditFunction=NULL) { if ((!$attr)||(!$objectType)) { LSerror :: addErrorCode('LSrelations_05','addOneObjectInRelation'); return; } if ($object instanceof $objectType) { + if ($canEditFunction) { + if (!$this -> $canEditFunction()) { + LSerror :: addErrorCode('LSsession_11'); + return; + } + } if ($this -> attrs[$attr] instanceof LSattribute) { if ($attrValue=='dn') { $val = $object -> getDn(); @@ -1543,15 +1551,23 @@ class LSldapObject { * @param[in] $attrValue La valeur que doit avoir l'attribut : * - soit le dn (par defaut) * - soit la valeur [0] d'un attribut + * @param[in] $canEditFunction Le nom de la fonction pour vérifier que la + * relation avec l'objet est éditable par le user * * @retval boolean true si l'objet à été supprimé, False sinon **/ - function deleteOneObjectInRelation($object,$attr,$objectType,$attrValue='dn') { + function deleteOneObjectInRelation($object,$attr,$objectType,$attrValue='dn',$canEditFunction=NULL) { if ((!$attr)||(!$objectType)) { LSerror :: addErrorCode('LSrelations_05','deleteOneObjectInRelation'); return; } if ($object instanceof $objectType) { + if ($canEditFunction) { + if (!$this -> $canEditFunction()) { + LSerror :: addErrorCode('LSsession_11'); + return; + } + } if ($this -> attrs[$attr] instanceof LSattribute) { if ($attrValue=='dn') { $val = $object -> getDn(); 
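Review bot: The permission check in `addOneObjectInRelation` runs only when the caller passes `$canEditFunction`; with the `NULL` default, any caller that omits the fifth argument still changes the relation unchecked, and the same opt-in guard is repeated in `deleteOneObjectInRelation` in the next hunk. The name is also invoked without verifying that the method exists, so a mistyped name at a call site would end in a fatal error rather than a clean refusal; `if (!method_exists($this,$canEditFunction) || !$this -> $canEditFunction()) {` denies in that case. The new `@param[in] $canEditFunction` text should also state that leaving the argument out disables the check. Both function bodies continue outside the hunks.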
@@ -1638,10 +1654,12 @@ class LSldapObject { * @param[in] $attrValue La valeur que doit avoir l'attribut : * - soit le dn (par defaut) * - soit la valeur [0] d'un attribut + * @param[in] $canEditFunction Le nom de la fonction pour vérifier que la + * relation avec l'objet est éditable par le user * * @retval boolean true si tout c'est bien passé, False sinon **/ - function updateObjectsInRelation($object,$listDns,$attr,$objectType,$attrValue='dn') { + function updateObjectsInRelation($object,$listDns,$attr,$objectType,$attrValue='dn',$canEditFunction=NULL) { if ((!$attr)||(!$objectType)) { LSerror :: addErrorCode('LSrelations_05','updateObjectsInRelation'); return; @@ -1685,7 +1703,7 @@ class LSldapObject { continue; } else { - if (!$currentObjects[$i] -> deleteOneObjectInRelation($object,$attr,$objectType,$attrValue)) { + if (!$currentObjects[$i] -> deleteOneObjectInRelation($object,$attr,$objectType,$attrValue,$canEditFunction)) { return; } } @@ -1698,7 +1716,7 @@ class LSldapObject { else { $obj = new $type(); if ($obj -> loadData($dn)) { - if (!$obj -> addOneObjectInRelation($object,$attr,$objectType,$attrValue)) { + if (!$obj -> addOneObjectInRelation($object,$attr,$objectType,$attrValue,$canEditFunction)) { return; } } @@ -1717,7 +1735,7 @@ class LSldapObject { foreach($listDns as $dn) { $obj = new $type(); if ($obj -> loadData($dn)) { - if (!$obj -> addOneObjectInRelation($object,$attr,$objectType,$attrValue)) { + if (!$obj -> addOneObjectInRelation($object,$attr,$objectType,$attrValue,$canEditFunction)) { return; } } diff --git a/trunk/includes/class/class.LSobjects.LSgroup.php b/trunk/includes/class/class.LSobjects.LSgroup.php index 1d2d9a04..04fc4530 100644 --- a/trunk/includes/class/class.LSobjects.LSgroup.php +++ b/trunk/includes/class/class.LSobjects.LSgroup.php 
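Review bot: `updateObjectsInRelation` stops with `return;` as soon as one `deleteOneObjectInRelation` or `addOneObjectInRelation` call is refused by `$canEditFunction`, but objects handled earlier in the same loop have presumably already been changed, so a user who may edit only some of the groups can leave the relation half-updated. Consider running `$canEditFunction` on every affected object before the first write, or at least documenting the behaviour above the signature, e.g. `* Not atomic: a refused object aborts the update after earlier objects were already modified`. The loops start outside these hunks, so whether anything is rolled back by the caller is not visible here.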
@@ -64,7 +64,7 @@ class LSgroup extends LSldapObject { * @retval boolean true si l'utilisateur à été ajouté, False sinon **/ function addOneMember($object) { - return $this -> addOneObjectInRelation($object,$this -> memberAttr, $this -> userObjectType); + return $this -> addOneObjectInRelation($object,$this -> memberAttr, $this -> userObjectType,'dn','canEditGroupRelation'); } /** @@ -75,7 +75,7 @@ class LSgroup extends LSldapObject { * @retval boolean true si l'utilisateur à été supprimé, False sinon **/ function deleteOneMember($object) { - return $this -> deleteOneObjectInRelation($object,$this -> memberAttr,$this -> userObjectType); + return $this -> deleteOneObjectInRelation($object,$this -> memberAttr,$this -> userObjectType,'dn','canEditGroupRelation'); } /** @@ -99,7 +99,19 @@ class LSgroup extends LSldapObject { * @retval boolean true si tout c'est bien passé, False sinon **/ function updateUserGroups($object,$listDns) { - return $this -> updateObjectsInRelation($object,$listDns,$this -> memberAttr,$this -> userObjectType); + return $this -> updateObjectsInRelation($object,$listDns,$this -> memberAttr,$this -> userObjectType,'dn','canEditGroupRelation'); + } + + /** + * Test si l'utilisateur peut d'editer la relation avec ce groupe + * + * @retval boolean true si tout l'utilisateur peut éditer la relation, False sinon + **/ + function canEditGroupRelation($dn=NULL) { + if (!$dn) { + $dn=$this -> dn; + } + return LSsession :: canEdit($this -> type_name,$this -> dn,$this -> memberAttr); } } diff --git a/trunk/includes/class/class.LSrelation.php b/trunk/includes/class/class.LSrelation.php index cb9b54c3..8504efb3 100644 --- a/trunk/includes/class/class.LSrelation.php +++ b/trunk/includes/class/class.LSrelation.php 
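Review bot: `canEditGroupRelation($dn=NULL)` fills `$dn` from `$this -> dn` and then never uses it: the `LSsession :: canEdit(...)` call passes `$this -> dn` regardless, so a DN supplied by the caller never reaches the permission check. Either drop the parameter or use it, `return LSsession :: canEdit($this -> type_name,$dn,$this -> memberAttr);`. The docblock also lacks a `@param[in] $dn` line saying which object the DN refers to.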
@@ -80,7 +80,7 @@ class LSrelation { if (LSsession :: relationCanEdit($object -> getValue('dn'),$object->getType(),$relationName)) { $return['actions'][] = array( 'label' => _('Modify'), - 'url' => 'select.php?LSobject='.$relationConf['LSobject'].'&multiple=1', + 'url' => 'select.php?LSobject='.$relationConf['LSobject'].'&multiple=1'.((isset($relationConf['canEdit_attribute']))?'&editableAttr='.$relationConf['canEdit_attribute']:''), 'action' => 'modify' ); } @@ -99,6 +99,12 @@ class LSrelation { 'text' => $o -> getDisplayName(NULL,true), 'dn' => $o -> getDn() ); + if (isset($relationConf['canEdit_function'])) { + $o_infos['canEdit']= $o -> $relationConf['canEdit_function'](); + } + else { + $o_infos['canEdit']=true; + } $return['objectList'][] = $o_infos; } } @@ -187,7 +193,18 @@ class LSrelation { $list = $objRel -> $relationConf['list_function']($object); if (is_array($list)&&(!empty($list))) { foreach($list as $o) { - $data['html'].= "
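Review bot: `$relationConf['canEdit_attribute']` is appended to the `select.php` URL in the `'url'` entry without encoding, so an attribute name containing `&` or `#` would corrupt the query string; write it as `'&editableAttr='.urlencode($relationConf['canEdit_attribute'])`. Because `editableAttr` travels through the browser, it can only narrow what is offered for selection; the refusal itself has to remain on the server in the `canEdit_function` path. A short comment next to the entry saying so would keep later changes from relying on the parameter for access control.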
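Review bot: The dynamic call `$o -> $relationConf['canEdit_function']()` in the `@@ -99` hunk depends on PHP 5 evaluation order; from PHP 7 on it is read as `($o -> $relationConf)['canEdit_function']()`, so the configured check would not be the method that runs. Writing `$o -> {$relationConf['canEdit_function']}()` makes the intent explicit, and the same form applies to the calls added in the `@@ -187` and `@@ -249` hunks. The `else` branch sets `$o_infos['canEdit']=true` when no `canEdit_function` is configured, which is only safe as long as this flag drives display alone.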
  • ".$o -> getDisplayName(NULL,true)."
  • \n"; + if (isset($relationConf['canEdit_function'])) { + if ($o -> $relationConf['canEdit_function']()) { + $class=' LSrelation_editable'; + } + else { + $class=''; + } + } + else { + $class=' LSrelation_editable'; + } + $data['html'].= "
  • ".$o -> getDisplayName(NULL,true)."
  • \n"; } } else { @@ -249,12 +266,19 @@ class LSrelation { $ok=false; foreach($list as $o) { if($o -> getDn() == $_REQUEST['dn']) { + if (isset($relationConf['canEdit_function'])) { + if (!$o -> $relationConf['canEdit_function']()) { + LSerror :: addErrorCode('LSsession_11'); + break; + } + } if (!$o -> $relationConf['remove_function']($object)) { LSerror :: addErrorCode('LSrelations_03',$conf['relationName']); } else { $ok = true; } + break; } } if (!$ok) { diff --git a/trunk/includes/js/LSrelation.js b/trunk/includes/js/LSrelation.js index 0ba1570c..daefdb27 100644 --- a/trunk/includes/js/LSrelation.js +++ b/trunk/includes/js/LSrelation.js @@ -28,7 +28,7 @@ var LSrelation = new Class({ el.destroy(); }, this); this.deleteBtnId = 0; - $$('a.LSrelation').each(function(a) { + $$('a.LSrelation_editable').each(function(a) { this.deleteBtn[this.deleteBtnId] = new Element('img'); this.deleteBtn[this.deleteBtnId].src = varLSdefault.imagePath('delete.png'); this.deleteBtn[this.deleteBtnId].setStyle('cursor','pointer'); diff --git a/trunk/templates/default/LSrelations.tpl b/trunk/templates/default/LSrelations.tpl index ed312385..738d3e72 100644 --- a/trunk/templates/default/LSrelations.tpl +++ b/trunk/templates/default/LSrelations.tpl @@ -8,7 +8,7 @@ {/if}
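Review bot: The rebuilt list item in the `@@ -187` hunk still concatenates `$o -> getDisplayName(NULL,true)` straight into `$data['html']`, and no escaping is visible in the hunk; if `getDisplayName` does not encode its result, a display name stored in the directory can carry markup into the page. Unless that method already escapes, wrap the value as `htmlspecialchars($o -> getDisplayName(NULL,true), ENT_QUOTES, 'UTF-8')`. The list item's markup is not fully legible on this page, so where `$class` ends up in the tag could not be checked.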