- LSsession :

-> Les profils utilisateurs sont maintenant scalable. Il est possible
     de créer autant de profil voulu avec autant de droits alloués spécifiques
    -> LSsession :: whoami() et LSldapObject :: whoami() retourne la liste des profils
       correspondants à l'utilisateur connecté
        -> Les méthodes ont été modifiées pour prendre en compte cela en faisant la somme
           des droits de chaque profils :
          - LSsession :: canAccess()
          - LSsession :: relationCanAccess()
          - LSsession :: loadLSrights()
          - LSattribute :: myRigths()
    -> LSsession :: isAdmin() a été remplacé par isProfile() capable de redonner la même
       information mais pour tout profil dont le nom est passé en paramètre
    -> LSsession :: loadLSrights() : gère la délégation de droits sur les objets répondant à un
       filtre particulier ou dont un certain attribut possède une certaine valeur
    -> LSexample :
        -> Ajout d'un attribut lsGodfatherDn pour la délégation de droit objet par objet
        -> Retravail des objets d'exemple pour faire en sorte de coller plus avec une réel
           utilisation
This commit is contained in:
Benjamin Renard 2008-11-12 16:57:40 +00:00
parent b03848b1a1
commit c48a57df45
7 changed files with 343 additions and 114 deletions


@ -26,10 +26,14 @@ $GLOBALS['LSobjects']['LSeecompany'] = array (
'lscompany'
),
'rdn' => 'ou',
'orderby' => 'displayValue', // Valeurs possibles : 'displayValue' ou 'subDn'
'container_dn' => 'ou=companies',
'select_display_attrs' => '%{ou}',
'label' => _('Sociétés'),
'attrs' => array (
/* ----------- start -----------*/
'ou' => array (
'label' => _('Nom'),
'ldap_type' => 'ascii',
@ -48,6 +52,9 @@ $GLOBALS['LSobjects']['LSeecompany'] = array (
'create' => 1
)
),
/* ----------- end -----------*/
/* ----------- start -----------*/
'description' => array (
'label' => _('Description'),
'ldap_type' => 'ascii',
@ -55,6 +62,35 @@ $GLOBALS['LSobjects']['LSeecompany'] = array (
'required' => 0,
'rights' => array(
'user' => 'r',
'admin' => 'w',
'godfather' => 'w'
),
'view' => 1,
'form' => array (
'modify' => 1,
'create' => 1
)
),
/* ----------- end -----------*/
/* ----------- start -----------*/
'lsGodfatherDn' => array (
'label' => _('Parrain(s)'),
'ldap_type' => 'ascii',
'html_type' => 'select_object',
'selectable_object' => array(
'object_type' => 'LSeepeople',
'value_attribute' => '%{dn}'
),
'validation' => array (
array (
'basedn' => '%{val}',
'result' => 1,
'msg' => _("Un ou plusieurs de ces utilisateurs n'existent pas.")
)
),
'multiple' => 1,
'rights' => array(
'admin' => 'w'
),
'view' => 1,
@ -63,6 +99,7 @@ $GLOBALS['LSobjects']['LSeecompany'] = array (
'create' => 1
)
)
/* ----------- end -----------*/
)
);
?>
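Review bot: The `validation` rule on the new `lsGodfatherDn` attribute (`'basedn' => '%{val}', 'result' => 1`) only asserts that some entry exists at the given DN; it does not check that the entry is an LSeepeople object, so the server-side check is looser than the `select_object` UI, which only offers LSeepeople entries (this is an inference from the config keys, to confirm against the validation code). Since only `admin` has `w` on this attribute the exposure is limited to administrators, but a comment stating that, such as `// existence check only: any DN accepted, not restricted to LSeepeople`, would make the gap explicit. The same block is repeated verbatim in the LSeegroup and LSeepeople config files of this commit; whatever is decided here applies to those two copies as well.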


@ -40,6 +40,8 @@ $GLOBALS['LSobjects']['LSeegroup'] = array (
'select_display_attrs' => '%{cn}',
'label' => _('Groupes'),
'attrs' => array (
/* ----------- start -----------*/
'cn' => array (
'label' => _('Nom'),
'ldap_type' => 'ascii',
@ -59,13 +61,17 @@ $GLOBALS['LSobjects']['LSeegroup'] = array (
'view' => 1,
'rights' => array(
'user' => 'r',
'admin' => 'w'
'admin' => 'w',
'godfather' => 'r'
),
'form' => array (
'modify' => 1,
'create' => 1
)
),
/* ----------- end -----------*/
/* ----------- start -----------*/
'gidNumber' => array (
'label' => _('Identifiant'),
'ldap_type' => 'numeric',
@ -87,6 +93,9 @@ $GLOBALS['LSobjects']['LSeegroup'] = array (
'modify' => 1
)
),
/* ----------- end -----------*/
/* ----------- start -----------*/
'uniqueMember' => array (
'label' => _('Membres'),
'ldap_type' => 'ascii',
@ -101,7 +110,8 @@ $GLOBALS['LSobjects']['LSeegroup'] = array (
),
'view' => 1,
'rights' => array(
'admin' => 'w'
'admin' => 'w',
'godfather' => 'w'
),
'form' => array (
'modify' => 1,
@ -115,7 +125,56 @@ $GLOBALS['LSobjects']['LSeegroup'] = array (
'value_attribute' => 'dn', // Spécifie le attributs dont la valeur sera retournée par
)
)
),
/* ----------- end -----------*/
/* ----------- start -----------*/
'description' => array (
'label' => _('Description'),
'ldap_type' => 'ascii',
'html_type' => 'textarea',
'multiple' => 1,
'rights' => array(
'user' => 'r',
'admin' => 'w',
'godfather' => 'r'
),
'view' => 1,
'form' => array (
'modify' => 1,
'create' => 1
)
),
/* ----------- end -----------*/
/* ----------- start -----------*/
'lsGodfatherDn' => array (
'label' => _('Parrain(s)'),
'ldap_type' => 'ascii',
'html_type' => 'select_object',
'selectable_object' => array(
'object_type' => 'LSeepeople',
'value_attribute' => '%{dn}'
),
'validation' => array (
array (
'basedn' => '%{val}',
'result' => 1,
'msg' => _("Un ou plusieurs de ces utilisateurs n'existent pas.")
)
),
'multiple' => 1,
'rights' => array(
'admin' => 'w'
),
'view' => 1,
'form' => array (
'modify' => 1,
'create' => 1
)
),
/* ----------- end -----------*/
)
);
?>
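Review bot: Granting `'godfather' => 'w'` on `uniqueMember` (hunk `@ -101,7 +110,8`) interacts with the LSconfig change in this commit, where the `admin` profile for `ou=people,o=ls` is derived from membership of `cn=adminldap,ou=groups,o=ls` via that same `uniqueMember` attribute. A user delegated as godfather of that group could therefore edit the group's membership and, as far as I can tell, indirectly obtain the admin profile; the delegation is no longer bounded to the group itself. For an example configuration this is worth either a comment next to the right, e.g. `// 'w' here also lets a godfather edit groups used as rights sources in LSconfig`, or restricting the godfather right to `'r'` on groups that feed `LSrights`. The config array begins outside the visible hunks.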


@ -82,7 +82,8 @@ $GLOBALS['LSobjects']['LSeepeople'] = array (
'mail',
'userPassword',
'description',
'jpegPhoto'
'jpegPhoto',
'lsGodfatherDn'
)
),
'Posix' => array (
@ -135,8 +136,8 @@ $GLOBALS['LSobjects']['LSeepeople'] = array (
),
'rights' => array(
'self' => 'r',
'user' => 'r',
'admin' => 'w'
'admin' => 'w',
'godfather' => 'r'
),
'view' => 1,
'form' => array (
@ -169,7 +170,6 @@ $GLOBALS['LSobjects']['LSeepeople'] = array (
)
),
'rights' => array(
'self' => 'r',
'admin' => 'w'
),
'view' => 1,
@ -192,9 +192,10 @@ $GLOBALS['LSobjects']['LSeepeople'] = array (
),
),
'rights' => array(
'self' => 'w',
'self' => 'r',
'users' => 'r',
'admin' => 'w'
'admin' => 'w',
'godfather' => 'w'
),
'view' => 1,
'form' => array (
@ -212,9 +213,10 @@ $GLOBALS['LSobjects']['LSeepeople'] = array (
'html_type' => 'text',
'required' => 1,
'rights' => array(
'self' => 'w',
'self' => 'r',
'user' => 'r',
'admin' => 'w'
'admin' => 'w',
'godfather' => 'w'
),
'view' => 1,
'form' => array (
@ -237,9 +239,10 @@ $GLOBALS['LSobjects']['LSeepeople'] = array (
'required' => 1,
'validation' => 'valid',
'rights' => array(
'self' => 'w',
'self' => 'r',
'user' => 'r',
'admin' => 'w'
'admin' => 'w',
'godfather' => 'w'
),
'view' => 1,
'form' => array (
@ -265,8 +268,8 @@ $GLOBALS['LSobjects']['LSeepeople'] = array (
)
),
'rights' => array(
'self' => 'r',
'admin' => 'w'
'admin' => 'w',
'godfather' => 'r'
),
'view' => 1,
'form' => array (
@ -303,7 +306,6 @@ $GLOBALS['LSobjects']['LSeepeople'] = array (
'required' => 1,
'default_value' => 'no',
'rights' => array(
'self' => 'r',
'admin' => 'w'
),
'view' => 1,
@ -340,7 +342,7 @@ $GLOBALS['LSobjects']['LSeepeople'] = array (
'required' => 1,
'generate_function' => 'generate_homeDirectory',
'rights' => array(
'self' => 'r'
'admin' => 'r'
),
'view' => 1
),
@ -367,7 +369,8 @@ $GLOBALS['LSobjects']['LSeepeople'] = array (
'rights' => array(
'self' => 'r',
'user' => 'r',
'admin' => 'w'
'admin' => 'w',
'godfather' => 'w'
),
'view' => 1,
'form' => array (
@ -385,9 +388,10 @@ $GLOBALS['LSobjects']['LSeepeople'] = array (
'required' => 1,
'default_value' => 'M.',
'rights' => array(
'self' => 'w',
'self' => 'r',
'user' => 'r',
'admin' => 'w'
'admin' => 'w',
'godfather' => 'w'
),
'view' => 1,
'form' => array (
@ -409,9 +413,10 @@ $GLOBALS['LSobjects']['LSeepeople'] = array (
'html_type' => 'textarea',
'multiple' => 1,
'rights' => array(
'self' => 'w',
'self' => 'r',
'user' => 'r',
'admin' => 'w'
'admin' => 'w',
'godfather' => 'w'
),
'view' => 1,
'form' => array (
@ -538,9 +543,38 @@ $GLOBALS['LSobjects']['LSeepeople'] = array (
'rights' => array(
'self' => 'w',
'user' => 'r',
'admin' => 'w'
'admin' => 'w',
'godfather' => 'w'
)
)
),
/* ----------- end -----------*/
/* ----------- start -----------*/
'lsGodfatherDn' => array (
'label' => _('Parrain(s)'),
'ldap_type' => 'ascii',
'html_type' => 'select_object',
'selectable_object' => array(
'object_type' => 'LSeepeople',
'value_attribute' => '%{dn}'
),
'validation' => array (
array (
'basedn' => '%{val}',
'result' => 1,
'msg' => _("Un ou plusieurs de ces utilisateurs n'existent pas.")
)
),
'multiple' => 1,
'rights' => array(
'admin' => 'w'
),
'view' => 1,
'form' => array (
'modify' => 1,
'create' => 1
)
),
/* ----------- end -----------*/
) // Fin args
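Review bot: In the hunk `@ -192,9 +192,10` the context line `'users' => 'r',` uses a key that no profile ever produces — `whoami()` in this commit always yields `'user'` — so with the new per-profile lookup `rights[$who]` in `canAccess()` that read right is silently dropped and plain users lose access to this attribute. This line predates the commit, but the rewrite makes the key load-bearing; it should read `'user' => 'r',`. Separately, the hunk `@ -340,7 +342,7` replaces `'self' => 'r'` with `'admin' => 'r'`, which removes the user's read access to his own value of that attribute rather than adding the admin right alongside it; if that is intended, a short comment saying why would help, otherwise keep both keys.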


@ -43,14 +43,28 @@ $GLOBALS['LSconfig'] = array(
'filter' => '(objectClass=*)',
'scope' => 'sub'
),
'LSadmins' => array (
'o=ls' => array (
'uid=eeggs,ou=people,o=ls' => NULL
'LSrights' => array (
'admin' => array (
'o=ls' => array (
'uid=eeggs,ou=people,o=ls' => NULL
),
'ou=people,o=ls' => array (
'cn=adminldap,ou=groups,o=ls' => array (
'attr' => 'uniqueMember',
'LSobject' => 'LSeegroup'
)
)
),
'ou=people,o=ls' => array (
'cn=adminldap,ou=groups,o=ls' => array (
'attr' => 'uniqueMember',
'LSobject' => 'LSeegroup'
'godfather' => array (
'LSobjects' => array (
'LSeepeople' => array (
'attr' => 'lsGodfatherDn',
'attr_value' => '%{dn}',
'basedn' => 'ou=people,o=ls'
),
'LSeegroup' => array (
'filter' => 'lsGodfatherDn=%{dn}'
)
)
)
),
@ -95,12 +109,14 @@ $GLOBALS['LSconfig'] = array(
'filter' => '(objectClass=*)',
'scope' => 'sub'
),
'LSadmins' => array (
'o=ls' => array (
'uid=eeggs,ou=people,o=ls' => NULL,
'cn=adminldap,ou=groups,o=ls' => array (
'attr' => 'uniqueMember',
'LSobject' => 'LSeegroup'
'LSrights' => array(
'admin' => array (
'o=ls' => array (
'uid=eeggs,ou=people,o=ls' => NULL,
'cn=adminldap,ou=groups,o=ls' => array (
'attr' => 'uniqueMember',
'LSobject' => 'LSeegroup'
)
)
)
),
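Review bot: The `godfather` entry for `LSeegroup` (`'filter' => 'lsGodfatherDn=%{dn}'`) declares neither `basedn` nor `params`, and the `LSeepeople` entry declares no `params`, yet `loadLSrights()` in this commit reads `$listInfos['basedn']` and `$listInfos['params']` unconditionally when calling `search()`; on this config that is an undefined-index notice and a search against whatever base `search()` falls back to when given null. Either spell the keys out here, e.g. `'basedn' => 'ou=groups,o=ls'` for the group profile, or make `loadLSrights()` tolerate their absence. A one-line comment above the `LSobjects` block documenting the accepted keys (`filter` or `attr`+`attr_value`, optional `basedn`, `params`) would also help, since this is the reference example for the new format.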


@ -258,25 +258,31 @@ class LSattribute {
return $this -> _myRights;
}
$return='n';
switch ($this -> ldapObject -> whoami()) {
case 'admin':
if($this -> config['rights']['admin']=='w') {
$return='w';
}
else {
$return='r';
}
break;
case 'self':
if (($this -> config['rights']['self'] == 'w') || ($this -> config['rights']['self'] == 'r')) {
$return=$this -> config['rights']['self'];
}
break;
default: //user
if (($this -> config['rights']['user'] == 'w') || ($this -> config['rights']['user'] == 'r')) {
$return=$this -> config['rights']['user'];
}
$whoami = $this -> ldapObject -> whoami();
foreach($whoami as $who) {
switch ($who) {
case 'admin':
if($this -> config['rights']['admin']=='w') {
$return='w';
break;
}
else {
$return='r';
}
break;
default:
if ($this -> config['rights'][$who] == 'w') {
$return='w';
break;
}
else if($this -> config['rights'][$who] == 'r') {
$return='r';
}
break;
}
if ($return=='w') {
break;
}
}
$this -> _myRights = $return;
return $return;
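Review bot: The rights merge here disagrees with the one added to `LSsession::canAccess()` and `relationCanAccess()` in this commit: the `case 'admin'` branch falls back to `'r'` whenever the admin right is not `'w'` (even when no `admin` key exists), while the other two implementations read `rights[$who]` for every profile and treat anything but `r`/`w` as no access. For an attribute whose `rights` array omits `admin`, `myRights()` therefore reports `r` while `canAccess()` reports `n`. The `default` branch also indexes `$this -> config['rights'][$who]` without `isset`, which emits a notice for profiles such as `self` that are not listed on an attribute; `$nr = isset($this -> config['rights'][$who]) ? $this -> config['rights'][$who] : 'n';` avoids that. Since the same merge loop now exists in three places, it would be worth moving it into one helper that all three call. The enclosing `myRights()` starts above the hunk.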


@ -42,9 +42,7 @@ class LSsession {
var $_JSconfigParams = array();
var $CssFiles = array();
var $template = NULL;
var $LSrights = array (
'topDn_admin' => array ()
);
var $LSrights = array();
var $LSaccess = array();
var $tmp_file = array();
var $_subDnLdapServer = array();
@ -1002,46 +1000,82 @@ class LSsession {
* @retval boolean True si le chargement à réussi, false sinon.
**/
function loadLSrights() {
if (is_array($this -> ldapServer['LSadmins'])) {
foreach ($this -> ldapServer['LSadmins'] as $topDn => $adminsInfos) {
if (is_array($adminsInfos)) {
foreach($adminsInfos as $dn => $conf) {
if ((isset($conf['attr'])) && (isset($conf['LSobject']))) {
if( $this -> loadLSobject($conf['LSobject']) ) {
if ($object = new $conf['LSobject']()) {
if ($object -> loadData($dn)) {
$listDns=$object -> getValue($conf['attr']);
if (is_array($listDns)) {
if (in_array($this -> dn,$listDns)) {
$this -> LSrights['topDn_admin'][] = $topDn;
if (is_array($this -> ldapServer['LSrights'])) {
foreach ($this -> ldapServer['LSrights'] as $profile => $profileInfos) {
if (is_array($profileInfos)) {
foreach ($profileInfos as $topDn => $rightsInfos) {
if ($topDn == 'LSobjects') {
if (is_array($rightsInfos)) {
foreach ($rightsInfos as $LSobject => $listInfos) {
if ($this -> loadLSobject($LSobject)) {
if ($object = new $LSobject()) {
if ($listInfos['filter']) {
$filter = $this -> LSuserObject -> getFData($listInfos['filter']);
}
else {
$filter = $listInfos['attr'].'='.$this -> LSuserObject -> getFData($listInfos['attr_value']);
}
$list = $object -> search($filter,$listInfos['basedn'],$listInfos['params']);
foreach($list as $obj) {
$this -> LSrights[$profile][] = $obj['dn'];
}
}
else {
LSdebug('Impossible de créer l\'objet de type : '.$LSobject);
}
}
else {
LSdebug('Impossible de chargé le dn : '.$dn);
$GLOBALS['LSerror'] -> addErrorCode(1004,$LSobject);
}
}
else {
LSdebug('Impossible de créer l\'objet de type : '.$conf['LSobject']);
}
}
else {
$GLOBALS['LSerror'] -> addErrorCode(1004,$conf['LSobject']);
LSdebug('LSobjects => [] doit etre un tableau');
}
}
else {
if ($this -> dn == $dn) {
$this -> LSrights['topDn_admin'][] = $topDn;
if (is_array($rightsInfos)) {
foreach($rightsInfos as $dn => $conf) {
if ((isset($conf['attr'])) && (isset($conf['LSobject']))) {
if( $this -> loadLSobject($conf['LSobject']) ) {
if ($object = new $conf['LSobject']()) {
if ($object -> loadData($dn)) {
$listDns=$object -> getValue($conf['attr']);
if (is_array($listDns)) {
if (in_array($this -> dn,$listDns)) {
$this -> LSrights[$profile][] = $topDn;
}
}
}
else {
LSdebug('Impossible de chargé le dn : '.$dn);
}
}
else {
LSdebug('Impossible de créer l\'objet de type : '.$conf['LSobject']);
}
}
else {
$GLOBALS['LSerror'] -> addErrorCode(1004,$conf['LSobject']);
}
}
else {
if ($this -> dn == $dn) {
$this -> LSrights[$profile][] = $topDn;
}
}
}
}
}
}
}
else {
if ( $this -> dn == $adminsInfos ) {
$this -> LSrights['topDn_admin'][] = $topDn;
}
}
}
else {
if ( $this -> dn == $rightsInfos ) {
$this -> LSrights[$profile][] = $topDn;
}
}
} // fin else ($topDn == 'LSobjects')
} // fin foreach($profileInfos)
} // fin is_array($profileInfos)
} // fin foreach LSrights
LSdebug($this -> LSrights);
return true;
}
else {
@ -1143,19 +1177,22 @@ class LSsession {
}
/**
* Dit si l'utilisateur est admin de le DN spécifié
* Dit si l'utilisateur est du profil pour le DN spécifié
*
* @param[in] string DN de l'objet
* @param[in] string $profile de l'objet
* @param[in] string $dn DN de l'objet
*
* @retval boolean True si l'utilisateur est admin sur l'objet, false sinon.
* @retval boolean True si l'utilisateur est du profil sur l'objet, false sinon.
*/
function isAdmin($dn) {
foreach($this -> LSrights['topDn_admin'] as $topDn_admin) {
if($dn == $topDn_admin) {
return true;
}
else if ( isCompatibleDNs($dn,$topDn_admin) ) {
return true;
function isProfile($dn,$profile) {
if (is_array($this -> LSrights[$profile])) {
foreach($this -> LSrights[$profile] as $topDn) {
if($dn == $topDn) {
return true;
}
else if ( isCompatibleDNs($dn,$topDn) ) {
return true;
}
}
}
return;
@ -1169,15 +1206,19 @@ class LSsession {
* @retval string 'admin'/'self'/'user' pour Admin , l'utilisateur lui même ou un simple utilisateur
*/
function whoami($dn) {
if ($this -> isAdmin($dn)) {
return 'admin';
$retval = array('user');
foreach($this -> LSrights as $profile => $infos) {
if($this -> isProfile($dn,$profile)) {
$retval[]=$profile;
}
}
if ($this -> dn == $dn) {
return 'self';
$retval[]='self';
}
return 'user';
return $retval;
}
/**
@ -1223,15 +1264,28 @@ class LSsession {
if (!isset($GLOBALS['LSobjects'][$LSobject]['attrs'][$attr])) {
return;
}
$r = 'n';
foreach($whoami as $who) {
$nr = $GLOBALS['LSobjects'][$LSobject]['attrs'][$attr]['rights'][$who];
if($nr == 'w') {
$r = 'w';
}
else if($nr == 'r') {
if ($r=='n') {
$r='r';
}
}
}
if (($right=='r')||($right=='w')) {
if ($GLOBALS['LSobjects'][$LSobject]['attrs'][$attr]['rights'][$whoami]==$right) {
if ($r==$right) {
return true;
}
return;
}
else {
if ( ($GLOBALS['LSobjects'][$LSobject]['attrs'][$attr]['rights'][$whoami]=='r') || ($GLOBALS['LSobjects'][$LSobject]['attrs'][$attr]['rights'][$whoami]=='w') ) {
if ( ($r=='r') || ($r=='w') ) {
return true;
}
return;
@ -1241,16 +1295,20 @@ class LSsession {
// Pour un attribut quelconque
if (is_array($GLOBALS['LSobjects'][$LSobject]['attrs'])) {
if (($right=='r')||($right=='w')) {
foreach ($GLOBALS['LSobjects'][$LSobject]['attrs'] as $attr_name => $attr_config) {
if ($attr_config['rights'][$whoami]==$right) {
return true;
foreach($whoami as $who) {
foreach ($GLOBALS['LSobjects'][$LSobject]['attrs'] as $attr_name => $attr_config) {
if ($attr_config['rights'][$who]==$right) {
return true;
}
}
}
}
else {
foreach ($GLOBALS['LSobjects'][$LSobject]['attrs'] as $attr_name => $attr_config) {
if ( ($attr_config['rights'][$whoami]=='r') || ($attr_config['rights'][$whoami]=='w') ) {
return true;
foreach($whoami as $who) {
foreach ($GLOBALS['LSobjects'][$LSobject]['attrs'] as $attr_name => $attr_config) {
if ( ($attr_config['rights'][$who]=='r') || ($attr_config['rights'][$who]=='w') ) {
return true;
}
}
}
}
@ -1310,13 +1368,28 @@ class LSsession {
$whoami = $this -> whoami($dn);
if (($right=='w') || ($right=='r')) {
if ($GLOBALS['LSobjects'][$LSobject]['relations'][$relationName]['rights'][$whoami] == $right) {
$r = 'n';
foreach($whoami as $who) {
$nr = $GLOBALS['LSobjects'][$LSobject]['relations'][$relationName]['rights'][$who];
if($nr == 'w') {
$r = 'w';
}
else if($nr == 'r') {
if ($r=='n') {
$r='r';
}
}
}
if ($r == $right) {
return true;
}
}
else {
if (($GLOBALS['LSobjects'][$LSobject]['relations'][$relationName]['rights'][$whoami] == 'w') || ($GLOBALS['LSobjects'][$LSobject]['relations'][$relationName]['rights'][$whoami] == 'r')) {
return true;
foreach($whoami as $who) {
if (($GLOBALS['LSobjects'][$LSobject]['relations'][$relationName]['rights'][$who] == 'w') || ($GLOBALS['LSobjects'][$LSobject]['relations'][$relationName]['rights'][$who] == 'r')) {
return true;
}
}
}
return;
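Review bot: In `loadLSrights()` (hunk `@ -1002,46 +1000,82`) the search filter is built by string concatenation — `$listInfos['attr'].'='.$this -> LSuserObject -> getFData($listInfos['attr_value'])` and the `getFData($listInfos['filter'])` variant — with the user's DN substituted in unescaped and, in the `attr` case, without enclosing parentheses. A DN containing LDAP filter metacharacters (`(`, `)`, `*`, `\`) would produce an invalid or, worse, broader filter; the DN comes from the authenticated user's own entry rather than from request input, so this is primarily a correctness hazard, but the value should still be escaped per RFC 4515 before it is interpolated and the result wrapped as `'('.$listInfos['attr'].'='.$escaped.')'`. The following `foreach($list as $obj)` also assumes `search()` returned an array; if it returns false on error this warns and the profile is silently left empty. Finally, the `@retval string 'admin'/'self'/'user'` doc on `whoami()` (hunk `@ -1169,15 +1206,19`) is now stale since the method returns an array that always contains `'user'`; it should read something like `@retval array Liste des profils de l'utilisateur pour ce DN ('user' toujours présent, puis les profils LSrights et éventuellement 'self')`. `loadLSrights()` and `canAccess()` both extend outside the visible hunks.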


@ -19,6 +19,10 @@ attributetype ( LsLDAPAttribute:2 NAME 'lsRecoveryHash'
DESC 'Password Recover Hash'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
attributetype ( LsLDAPAttribute:3 NAME 'lsGodfatherDn'
SUP distinguishedName
DESC 'Godfather dn of this entry' )
# </Ls attributes>
# <Ls Objectclass>
@ -29,14 +33,14 @@ objectclass (LsLDAPObjectClass:1
MUST ( uid $ cn )
MAY ( jpegPhoto $ sn $ givenName $ postalAddress $ postalCode $ l $ st $ c $
telephoneNumber $ mobile $ fax $ mail $ personalTitle $ description $
userPassword $ lsallowedservices $ lsRecoveryHash ))
userPassword $ lsallowedservices $ lsRecoveryHash $ lsGodfatherDn ))
objectclass (LsLDAPObjectClass:3
NAME 'lsgroup'
DESC 'LS group Objectclass'
STRUCTURAL
MUST ( cn )
MAY ( uniquemember $ description ))
MAY ( uniquemember $ description $ lsGodfatherDn ))
objectclass (LsLDAPObjectClass:4
NAME 'lssysaccount'
@ -50,7 +54,7 @@ objectclass ( LsLDAPObjectClass:5
SUP organizationalUnit
STRUCTURAL
MUST ( ou )
MAY ( description ))
MAY ( description $ lsGodfatherDn ))
# </Ls Objectclass>
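Review bot: `lsGodfatherDn` stores a raw DN (`SUP distinguishedName`) and the new `godfather` profile is resolved by an equality match on it, so renaming, moving or deleting a sponsor's entry leaves stale values that silently stop matching — or, if the DN is later reused, start matching a different person. The schema cannot enforce this by itself; if the server is OpenLDAP, the refint overlay can be configured to keep such DN-valued attributes in sync on modrdn/delete, otherwise the application should clean up `lsGodfatherDn` values when an LSeepeople entry is removed. A short comment on the attributetype would make the expectation visible, e.g. `# DN of the sponsoring entry; keep in sync on rename/delete (no referential integrity without refint)`.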