From c48a57df45a4b94222df2f2139b11274110cfe82 Mon Sep 17 00:00:00 2001 
From: Benjamin Renard Date: Wed, 12 Nov 2008 16:57:40 +0000 Subject: [PATCH] =?UTF-8?q?-=20LSsession=20:=20=20=20->=20Les=20profils=20?= =?UTF-8?q?utilisateurs=20sont=20maintenant=20scalable.=20Il=20est=20possi?= =?UTF-8?q?ble=20=20=20=20=20=20de=20cr=C3=A9er=20autant=20de=20profil=20v?= =?UTF-8?q?oulu=20avec=20autant=20de=20droits=20allou=C3=A9s=20sp=C3=A9cif?= =?UTF-8?q?iques=20=20=20=20=20->=20LSsession=20::=20whoami()=20et=20LSlda?= =?UTF-8?q?pObject=20::=20whoami()=20retourne=20la=20liste=20des=20profils?= =?UTF-8?q?=20=20=20=20=20=20=20=20correspondants=20=C3=A0=20l'utilisateur?= =?UTF-8?q?=20connect=C3=A9=20=20=20=20=20=20=20=20=20->=20Les=20m=C3=A9th?= =?UTF-8?q?odes=20ont=20=C3=A9t=C3=A9=20modifi=C3=A9es=20pour=20prendre=20?= =?UTF-8?q?en=20compte=20cela=20en=20faisant=20la=20somme=20=20=20=20=20?= =?UTF-8?q?=20=20=20=20=20=20=20des=20droits=20de=20chaque=20profils=20:?= =?UTF-8?q?=20=20=20=20=20=20=20=20=20=20=20-=20LSsession=20::=20canAccess?= =?UTF-8?q?()=20=20=20=20=20=20=20=20=20=20=20-=20LSsession=20::=20relatio?= =?UTF-8?q?nCanAccess()=20=20=20=20=20=20=20=20=20=20=20-=20LSsession=20::?= =?UTF-8?q?=20loadLSrights()=20=20=20=20=20=20=20=20=20=20=20-=20LSattribu?= =?UTF-8?q?te=20::=20myRigths()=20=20=20=20=20->=20LSsession=20::=20isAdmi?= =?UTF-8?q?n()=20a=20=C3=A9t=C3=A9=20remplac=C3=A9=20par=20isProfile()=20c?= =?UTF-8?q?apable=20de=20redonner=20la=20meme=20=20=20=20=20=20=20=20infor?= =?UTF-8?q?mation=20mais=20pour=20tout=20profil=20dont=20le=20nom=20est=20?= =?UTF-8?q?pass=C3=A9=20en=20param=C3=A8tre=20=20=20=20=20->=20LSsession?= =?UTF-8?q?=20::=20loadLSrights()=20:=20g=C3=A8re=20la=20d=C3=A9lagation?= =?UTF-8?q?=20de=20droits=20sur=20les=20objets=20r=C3=A9pondant=20a=20un?= =?UTF-8?q?=20=20=20=20=20=20=20=20filtre=20particulier=20ou=20dont=20un?= =?UTF-8?q?=20certain=20attribut=20poss=C3=A8de=20une=20certaine=20valeur?= =?UTF-8?q?=20=20=20=20=20->=20LSexample=20:=20=20=20=20=20=20=20=20=20->?= 
=?UTF-8?q?=20Ajout=20d'un=20attribut=20lsGodfatherDn=20pour=20la=20d?= =?UTF-8?q?=C3=A9l=C3=A9gation=20de=20droit=20objet=20par=20objet=20=20=20?= =?UTF-8?q?=20=20=20=20=20=20->=20Retravail=20des=20objets=20d'exemple=20p?= =?UTF-8?q?our=20faire=20en=20sorte=20de=20coller=20plus=20avec=20une=20r?= =?UTF-8?q?=C3=A9el=20=20=20=20=20=20=20=20=20=20=20=20utilisation?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../config.LSobjects.LSeecompany.php | 37 ++++ .../LSobjects/config.LSobjects.LSeegroup.php | 65 +++++- .../LSobjects/config.LSobjects.LSeepeople.php | 76 +++++-- trunk/conf/config.inc.php | 42 ++-- trunk/includes/class/class.LSattribute.php | 42 ++-- trunk/includes/class/class.LSsession.php | 185 ++++++++++++------ trunk/lsexample/ls.schema | 10 +- 7 files changed, 343 insertions(+), 114 deletions(-) diff --git a/trunk/conf/LSobjects/config.LSobjects.LSeecompany.php b/trunk/conf/LSobjects/config.LSobjects.LSeecompany.php index b26d94b0..d14fba73 100644 --- a/trunk/conf/LSobjects/config.LSobjects.LSeecompany.php +++ b/trunk/conf/LSobjects/config.LSobjects.LSeecompany.php @@ -26,10 +26,14 @@ $GLOBALS['LSobjects']['LSeecompany'] = array ( 'lscompany' ), 'rdn' => 'ou', + 'orderby' => 'displayValue', // Valeurs possibles : 'displayValue' ou 'subDn' 'container_dn' => 'ou=companies', 'select_display_attrs' => '%{ou}', 'label' => _('Sociétés'), + 'attrs' => array ( + + /* ----------- start -----------*/ 'ou' => array ( 'label' => _('Nom'), 'ldap_type' => 'ascii', @@ -48,6 +52,9 @@ $GLOBALS['LSobjects']['LSeecompany'] = array ( 'create' => 1 ) ), + /* ----------- end -----------*/ + + /* ----------- start -----------*/ 'description' => array ( 'label' => _('Description'), 'ldap_type' => 'ascii', 
@@ -55,6 +62,35 @@ $GLOBALS['LSobjects']['LSeecompany'] = array ( 'required' => 0, 'rights' => array( 'user' => 'r', + 'admin' => 'w', + 'godfather' => 'w' + ), + 'view' => 1, + 'form' => array ( + 'modify' => 1, + 'create' => 1 + ) + ), + /* ----------- end -----------*/ + + /* ----------- start -----------*/ + 'lsGodfatherDn' => array ( + 'label' => _('Parrain(s)'), + 'ldap_type' => 'ascii', + 'html_type' => 'select_object', + 'selectable_object' => array( + 'object_type' => 'LSeepeople', + 'value_attribute' => '%{dn}' + ), + 'validation' => array ( + array ( + 'basedn' => '%{val}', + 'result' => 1, + 'msg' => _("Un ou plusieurs de ces utilisateurs n'existent pas.") + ) + ), + 'multiple' => 1, + 'rights' => array( 'admin' => 'w' ), 'view' => 1, @@ -63,6 +99,7 @@ $GLOBALS['LSobjects']['LSeecompany'] = array ( 'create' => 1 ) ) + /* ----------- end -----------*/ ) ); ?> diff --git a/trunk/conf/LSobjects/config.LSobjects.LSeegroup.php b/trunk/conf/LSobjects/config.LSobjects.LSeegroup.php index d8c1fa5d..adc57bfc 100644 --- a/trunk/conf/LSobjects/config.LSobjects.LSeegroup.php +++ b/trunk/conf/LSobjects/config.LSobjects.LSeegroup.php @@ -40,6 +40,8 @@ $GLOBALS['LSobjects']['LSeegroup'] = array ( 'select_display_attrs' => '%{cn}', 'label' => _('Groupes'), 'attrs' => array ( + + /* ----------- start -----------*/ 'cn' => array ( 'label' => _('Nom'), 'ldap_type' => 'ascii', @@ -59,13 +61,17 @@ $GLOBALS['LSobjects']['LSeegroup'] = array ( 'view' => 1, 'rights' => array( 'user' => 'r', - 'admin' => 'w' + 'admin' => 'w', + 'godfather' => 'r' ), 'form' => array ( 'modify' => 1, 'create' => 1 ) ), + /* ----------- end -----------*/ + + /* ----------- start -----------*/ 'gidNumber' => array ( 'label' => _('Identifiant'), 'ldap_type' => 'numeric', @@ -87,6 +93,9 @@ $GLOBALS['LSobjects']['LSeegroup'] = array ( 'modify' => 1 ) ), + /* ----------- end -----------*/ + + /* ----------- start -----------*/ 'uniqueMember' => array ( 'label' => _('Membres'), 'ldap_type' => 'ascii', 
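Review bot: The `validation` rule on the new `lsGodfatherDn` attribute only checks that the selected DN exists (`'basedn' => '%{val}', 'result' => 1`), not that it names an `LSeepeople` entry; `selectable_object` narrows the picker, but a value submitted outside the form could point any existing entry (a group, a container) into the delegation chain that `loadLSrights()` later resolves. Because the attribute is writable by `admin` only, the exposure is limited, but a server-side constraint — for instance running the validation search under the people subtree instead of using the submitted value itself as the base — would make the rule hold regardless of the client. The same attribute block is repeated in the LSeegroup hunk (`@@ -115,7 +125,56`) and the LSeepeople hunk (`@@ -538,9 +543,38`), so whatever is decided here applies to both.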
@@ -101,7 +110,8 @@ $GLOBALS['LSobjects']['LSeegroup'] = array ( ), 'view' => 1, 'rights' => array( - 'admin' => 'w' + 'admin' => 'w', + 'godfather' => 'w' ), 'form' => array ( 'modify' => 1, @@ -115,7 +125,56 @@ $GLOBALS['LSobjects']['LSeegroup'] = array ( 'value_attribute' => 'dn', // Spécifie le attributs dont la valeur sera retournée par ) - ) + ), + /* ----------- end -----------*/ + + /* ----------- start -----------*/ + 'description' => array ( + 'label' => _('Description'), + 'ldap_type' => 'ascii', + 'html_type' => 'textarea', + 'multiple' => 1, + 'rights' => array( + 'user' => 'r', + 'admin' => 'w', + 'godfather' => 'r' + ), + 'view' => 1, + 'form' => array ( + 'modify' => 1, + 'create' => 1 + ) + ), + /* ----------- end -----------*/ + + /* ----------- start -----------*/ + 'lsGodfatherDn' => array ( + 'label' => _('Parrain(s)'), + 'ldap_type' => 'ascii', + 'html_type' => 'select_object', + 'selectable_object' => array( + 'object_type' => 'LSeepeople', + 'value_attribute' => '%{dn}' + ), + 'validation' => array ( + array ( + 'basedn' => '%{val}', + 'result' => 1, + 'msg' => _("Un ou plusieurs de ces utilisateurs n'existent pas.") + ) + ), + 'multiple' => 1, + 'rights' => array( + 'admin' => 'w' + ), + 'view' => 1, + 'form' => array ( + 'modify' => 1, + 'create' => 1 + ) + ), + /* ----------- end -----------*/ + ) ); ?> diff --git a/trunk/conf/LSobjects/config.LSobjects.LSeepeople.php b/trunk/conf/LSobjects/config.LSobjects.LSeepeople.php index bb224c41..84ad8b6b 100644 --- a/trunk/conf/LSobjects/config.LSobjects.LSeepeople.php +++ b/trunk/conf/LSobjects/config.LSobjects.LSeepeople.php @@ -82,7 +82,8 @@ $GLOBALS['LSobjects']['LSeepeople'] = array ( 'mail', 'userPassword', 'description', - 'jpegPhoto' + 'jpegPhoto', + 'lsGodfatherDn' ) ), 'Posix' => array ( 
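Review bot: Granting `'godfather' => 'w'` on `uniqueMember` lets a group's godfather edit its membership, and in `config.inc.php` (hunk `@@ -43,14 +43,28`) membership of `cn=adminldap,ou=groups,o=ls` is exactly what confers the `admin` profile over `ou=people,o=ls`; a godfather of that particular group could therefore extend `admin` to any DN by editing this attribute. Whether that is acceptable depends on who may be set as godfather of the admin group; if it is not, the delegation in `config.inc.php` should exclude that group, or this attribute should stay `'godfather' => 'r'`. A comment on this line recording the dependency, e.g. `// write on uniqueMember also controls admin-group membership (see LSrights in config.inc.php)`, would keep the next editor aware of it.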
@@ -135,8 +136,8 @@ $GLOBALS['LSobjects']['LSeepeople'] = array ( ), 'rights' => array( 'self' => 'r', - 'user' => 'r', - 'admin' => 'w' + 'admin' => 'w', + 'godfather' => 'r' ), 'view' => 1, 'form' => array ( @@ -169,7 +170,6 @@ $GLOBALS['LSobjects']['LSeepeople'] = array ( ) ), 'rights' => array( - 'self' => 'r', 'admin' => 'w' ), 'view' => 1, @@ -192,9 +192,10 @@ $GLOBALS['LSobjects']['LSeepeople'] = array ( ), ), 'rights' => array( - 'self' => 'w', + 'self' => 'r', 'users' => 'r', - 'admin' => 'w' + 'admin' => 'w', + 'godfather' => 'w' ), 'view' => 1, 'form' => array ( @@ -212,9 +213,10 @@ $GLOBALS['LSobjects']['LSeepeople'] = array ( 'html_type' => 'text', 'required' => 1, 'rights' => array( - 'self' => 'w', + 'self' => 'r', 'user' => 'r', - 'admin' => 'w' + 'admin' => 'w', + 'godfather' => 'w' ), 'view' => 1, 'form' => array ( @@ -237,9 +239,10 @@ $GLOBALS['LSobjects']['LSeepeople'] = array ( 'required' => 1, 'validation' => 'valid', 'rights' => array( - 'self' => 'w', + 'self' => 'r', 'user' => 'r', - 'admin' => 'w' + 'admin' => 'w', + 'godfather' => 'w' ), 'view' => 1, 'form' => array ( @@ -265,8 +268,8 @@ $GLOBALS['LSobjects']['LSeepeople'] = array ( ) ), 'rights' => array( - 'self' => 'r', - 'admin' => 'w' + 'admin' => 'w', + 'godfather' => 'r' ), 'view' => 1, 'form' => array ( @@ -303,7 +306,6 @@ $GLOBALS['LSobjects']['LSeepeople'] = array ( 'required' => 1, 'default_value' => 'no', 'rights' => array( - 'self' => 'r', 'admin' => 'w' ), 'view' => 1, @@ -340,7 +342,7 @@ $GLOBALS['LSobjects']['LSeepeople'] = array ( 'required' => 1, 'generate_function' => 'generate_homeDirectory', 'rights' => array( - 'self' => 'r' + 'admin' => 'r' ), 'view' => 1 ), @@ -367,7 +369,8 @@ $GLOBALS['LSobjects']['LSeepeople'] = array ( 'rights' => array( 'self' => 'r', 'user' => 'r', - 'admin' => 'w' + 'admin' => 'w', + 'godfather' => 'w' ), 'view' => 1, 'form' => array ( 
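Review bot: The context line `'users' => 'r',` in hunk `@@ -192,9 +192,10` keys the right on `users`, whereas `whoami()` yields `user` and every other attribute in this file uses `'user'`; with the new per-profile lookup that entry is never matched, so plain users get no read access to this attribute even though the intent is clearly read. The fix is the one-line rename `'user' => 'r',`. The typo predates this commit, but this commit is the one turning `rights` into a per-profile map, so it is the natural place to correct it.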
@@ -385,9 +388,10 @@ $GLOBALS['LSobjects']['LSeepeople'] = array ( 'required' => 1, 'default_value' => 'M.', 'rights' => array( - 'self' => 'w', + 'self' => 'r', 'user' => 'r', - 'admin' => 'w' + 'admin' => 'w', + 'godfather' => 'w' ), 'view' => 1, 'form' => array ( @@ -409,9 +413,10 @@ $GLOBALS['LSobjects']['LSeepeople'] = array ( 'html_type' => 'textarea', 'multiple' => 1, 'rights' => array( - 'self' => 'w', + 'self' => 'r', 'user' => 'r', - 'admin' => 'w' + 'admin' => 'w', + 'godfather' => 'w' ), 'view' => 1, 'form' => array ( @@ -538,9 +543,38 @@ $GLOBALS['LSobjects']['LSeepeople'] = array ( 'rights' => array( 'self' => 'w', 'user' => 'r', - 'admin' => 'w' + 'admin' => 'w', + 'godfather' => 'w' ) - ) + ), + /* ----------- end -----------*/ + + /* ----------- start -----------*/ + 'lsGodfatherDn' => array ( + 'label' => _('Parrain(s)'), + 'ldap_type' => 'ascii', + 'html_type' => 'select_object', + 'selectable_object' => array( + 'object_type' => 'LSeepeople', + 'value_attribute' => '%{dn}' + ), + 'validation' => array ( + array ( + 'basedn' => '%{val}', + 'result' => 1, + 'msg' => _("Un ou plusieurs de ces utilisateurs n'existent pas.") + ) + ), + 'multiple' => 1, + 'rights' => array( + 'admin' => 'w' + ), + 'view' => 1, + 'form' => array ( + 'modify' => 1, + 'create' => 1 + ) + ), /* ----------- end -----------*/ ) // Fin args diff --git a/trunk/conf/config.inc.php b/trunk/conf/config.inc.php index cadd1f10..0e48c0c3 100644 --- a/trunk/conf/config.inc.php +++ b/trunk/conf/config.inc.php 
@@ -43,14 +43,28 @@ $GLOBALS['LSconfig'] = array( 'filter' => '(objectClass=*)', 'scope' => 'sub' ), - 'LSadmins' => array ( - 'o=ls' => array ( - 'uid=eeggs,ou=people,o=ls' => NULL + 'LSrights' => array ( + 'admin' => array ( + 'o=ls' => array ( + 'uid=eeggs,ou=people,o=ls' => NULL + ), + 'ou=people,o=ls' => array ( + 'cn=adminldap,ou=groups,o=ls' => array ( + 'attr' => 'uniqueMember', + 'LSobject' => 'LSeegroup' + ) + ) ), - 'ou=people,o=ls' => array ( - 'cn=adminldap,ou=groups,o=ls' => array ( - 'attr' => 'uniqueMember', - 'LSobject' => 'LSeegroup' + 'godfather' => array ( + 'LSobjects' => array ( + 'LSeepeople' => array ( + 'attr' => 'lsGodfatherDn', + 'attr_value' => '%{dn}', + 'basedn' => 'ou=people,o=ls' + ), + 'LSeegroup' => array ( + 'filter' => 'lsGodfatherDn=%{dn}' + ) ) ) ), @@ -95,12 +109,14 @@ $GLOBALS['LSconfig'] = array( 'filter' => '(objectClass=*)', 'scope' => 'sub' ), - 'LSadmins' => array ( - 'o=ls' => array ( - 'uid=eeggs,ou=people,o=ls' => NULL, - 'cn=adminldap,ou=groups,o=ls' => array ( - 'attr' => 'uniqueMember', - 'LSobject' => 'LSeegroup' + 'LSrights' => array( + 'admin' => array ( + 'o=ls' => array ( + 'uid=eeggs,ou=people,o=ls' => NULL, + 'cn=adminldap,ou=groups,o=ls' => array ( + 'attr' => 'uniqueMember', + 'LSobject' => 'LSeegroup' + ) ) ) ), diff --git a/trunk/includes/class/class.LSattribute.php b/trunk/includes/class/class.LSattribute.php index d7b24382..6d4d7411 100644 --- a/trunk/includes/class/class.LSattribute.php +++ b/trunk/includes/class/class.LSattribute.php 
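Review bot: The new `LSrights` block mixes two shapes under a profile name with nothing in the file explaining them: a top DN mapped to either `dn => NULL` (the user itself) or `dn => array('attr' => ..., 'LSobject' => ...)` (the user is listed in that attribute of that object), and the reserved key `LSobjects` mapped to `LSobject => array('attr', 'attr_value', 'basedn')` or `array('filter')` (the profile is granted on every object matching that search). A short comment above `'LSrights' => array (` stating these forms, that `%{dn}` is substituted from the connected user, and that the `LSobjects` form grants the profile per matching object DN would spare the reader a trip into `LSsession::loadLSrights()`. The `LSeegroup` entry sets only `filter`, so it also relies on whatever default base the search applies; worth stating in the same comment.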
@@ -258,25 +258,31 @@ class LSattribute {
 return $this -> _myRights;
 }
 $return='n';
- switch ($this -> ldapObject -> whoami()) {
- case 'admin':
- if($this -> config['rights']['admin']=='w') {
- $return='w';
- }
- else {
- $return='r';
- }
- break;
- case 'self':
- if (($this -> config['rights']['self'] == 'w') || ($this -> config['rights']['self'] == 'r')) {
- $return=$this -> config['rights']['self'];
- }
- break;
- default: //user
- if (($this -> config['rights']['user'] == 'w') || ($this -> config['rights']['user'] == 'r')) {
- $return=$this -> config['rights']['user'];
- }
+ $whoami = $this -> ldapObject -> whoami();
+ foreach($whoami as $who) {
+ switch ($who) {
+ case 'admin':
+ if($this -> config['rights']['admin']=='w') {
+ $return='w';
+ break;
+ }
+ else {
+ $return='r';
+ }
+ break;
+ default:
+ if ($this -> config['rights'][$who] == 'w') {
+ $return='w';
+ break;
+ }
+ else if($this -> config['rights'][$who] == 'r') {
+ $return='r';
+ }
+ break;
+ }
+ if ($return=='w') {
 break;
+ }
 }
 $this -> _myRights = $return;
 return $return;
diff --git a/trunk/includes/class/class.LSsession.php b/trunk/includes/class/class.LSsession.php
index 52400b00..8b880765 100644
--- a/trunk/includes/class/class.LSsession.php
+++ b/trunk/includes/class/class.LSsession.php
@@ -42,9 +42,7 @@ class LSsession {
 var $_JSconfigParams = array();
 var $CssFiles = array();
 var $template = NULL;
- var $LSrights = array (
- 'topDn_admin' => array ()
- );
+ var $LSrights = array();
 var $LSaccess = array();
 var $tmp_file = array();
 var $_subDnLdapServer = array();
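Review bot: The `default:` branch reads `$this -> config['rights'][$who]` for every profile in the list returned by `whoami()`, including `self` and `user` on attributes whose `rights` map does not list them (several in `config.LSobjects.LSeepeople.php` now define only `admin`), so each such lookup raises an undefined-index notice before falling through to `'n'`; guard it with `$r = isset($this -> config['rights'][$who]) ? $this -> config['rights'][$who] : 'n';` and test `$r`. The `case 'admin'` still grants `'r'` when no `admin` entry exists at all, which the per-profile branch does not do for other profiles; if that asymmetry is intended, a one-line comment saying so would help. The same take-the-strongest-right loop is written again in `LSsession::canAccess()` (hunk `@@ -1223,15 +1264,28`) and `LSsession::relationCanAccess()` (hunk `@@ -1310,13 +1368,28`); a shared helper taking the `rights` map and the `whoami()` list would keep the three in step.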
@@ -1002,46 +1000,82 @@ class LSsession { * @retval boolean True si le chargement à réussi, false sinon. **/ function loadLSrights() { - if (is_array($this -> ldapServer['LSadmins'])) { - foreach ($this -> ldapServer['LSadmins'] as $topDn => $adminsInfos) { - if (is_array($adminsInfos)) { - foreach($adminsInfos as $dn => $conf) { - if ((isset($conf['attr'])) && (isset($conf['LSobject']))) { - if( $this -> loadLSobject($conf['LSobject']) ) { - if ($object = new $conf['LSobject']()) { - if ($object -> loadData($dn)) { - $listDns=$object -> getValue($conf['attr']); - if (is_array($listDns)) { - if (in_array($this -> dn,$listDns)) { - $this -> LSrights['topDn_admin'][] = $topDn; + if (is_array($this -> ldapServer['LSrights'])) { + foreach ($this -> ldapServer['LSrights'] as $profile => $profileInfos) { + if (is_array($profileInfos)) { + foreach ($profileInfos as $topDn => $rightsInfos) { + if ($topDn == 'LSobjects') { + if (is_array($rightsInfos)) { + foreach ($rightsInfos as $LSobject => $listInfos) { + if ($this -> loadLSobject($LSobject)) { + if ($object = new $LSobject()) { + if ($listInfos['filter']) { + $filter = $this -> LSuserObject -> getFData($listInfos['filter']); } + else { + $filter = $listInfos['attr'].'='.$this -> LSuserObject -> getFData($listInfos['attr_value']); + } + $list = $object -> search($filter,$listInfos['basedn'],$listInfos['params']); + foreach($list as $obj) { + $this -> LSrights[$profile][] = $obj['dn']; + } + } + else { + LSdebug('Impossible de créer l\'objet de type : '.$LSobject); } } else { - LSdebug('Impossible de chargé le dn : '.$dn); + $GLOBALS['LSerror'] -> addErrorCode(1004,$LSobject); } } - else { - LSdebug('Impossible de créer l\'objet de type : '.$conf['LSobject']); - } } else { - $GLOBALS['LSerror'] -> addErrorCode(1004,$conf['LSobject']); + LSdebug('LSobjects => [] doit etre un tableau'); } } else { - if ($this -> dn == $dn) { - $this -> LSrights['topDn_admin'][] = $topDn; + if (is_array($rightsInfos)) { + 
foreach($rightsInfos as $dn => $conf) { + if ((isset($conf['attr'])) && (isset($conf['LSobject']))) { + if( $this -> loadLSobject($conf['LSobject']) ) { + if ($object = new $conf['LSobject']()) { + if ($object -> loadData($dn)) { + $listDns=$object -> getValue($conf['attr']); + if (is_array($listDns)) { + if (in_array($this -> dn,$listDns)) { + $this -> LSrights[$profile][] = $topDn; + } + } + } + else { + LSdebug('Impossible de chargé le dn : '.$dn); + } + } + else { + LSdebug('Impossible de créer l\'objet de type : '.$conf['LSobject']); + } + } + else { + $GLOBALS['LSerror'] -> addErrorCode(1004,$conf['LSobject']); + } + } + else { + if ($this -> dn == $dn) { + $this -> LSrights[$profile][] = $topDn; + } + } + } } - } - } - } - else { - if ( $this -> dn == $adminsInfos ) { - $this -> LSrights['topDn_admin'][] = $topDn; - } - } - } + else { + if ( $this -> dn == $rightsInfos ) { + $this -> LSrights[$profile][] = $topDn; + } + } + } // fin else ($topDn == 'LSobjects') + } // fin foreach($profileInfos) + } // fin is_array($profileInfos) + } // fin foreach LSrights + LSdebug($this -> LSrights); return true; } else { 
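Review bot: The `LSobjects` branch builds an LDAP search filter by string concatenation, `$filter = $listInfos['attr'].'='.$this -> LSuserObject -> getFData($listInfos['attr_value']);`, and the `filter` form substitutes `%{dn}` into `lsGodfatherDn=%{dn}` the same way (see `config.inc.php`). The substituted value is the connected user's DN as read from the directory, so it is not user-typed input in the usual sense, but a DN containing `*`, `(`, `)` or `\` changes the filter's meaning and could widen the set of objects on which the profile is granted; escape the value per RFC 4515 (`\2a`, `\28`, `\29`, `\5c`, `\00`) before it is joined into the filter, and apply the same escaping to values substituted into a configured `filter`. Separately, `$listInfos['basedn']` and `$listInfos['params']` are read without `isset`, and the `LSeegroup` example sets neither, so this presumably depends on `search()` tolerating `NULL` for both — an explicit default would make that visible. `loadLSrights()` opens in this hunk and continues past its end.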
@@ -1143,19 +1177,22 @@ class LSsession { } /** - * Dit si l'utilisateur est admin de le DN spécifié + * Dit si l'utilisateur est du profil pour le DN spécifié * - * @param[in] string DN de l'objet + * @param[in] string $profile de l'objet + * @param[in] string $dn DN de l'objet * - * @retval boolean True si l'utilisateur est admin sur l'objet, false sinon. + * @retval boolean True si l'utilisateur est du profil sur l'objet, false sinon. */ - function isAdmin($dn) { - foreach($this -> LSrights['topDn_admin'] as $topDn_admin) { - if($dn == $topDn_admin) { - return true; - } - else if ( isCompatibleDNs($dn,$topDn_admin) ) { - return true; + function isProfile($dn,$profile) { + if (is_array($this -> LSrights[$profile])) { + foreach($this -> LSrights[$profile] as $topDn) { + if($dn == $topDn) { + return true; + } + else if ( isCompatibleDNs($dn,$topDn) ) { + return true; + } } } return; @@ -1169,15 +1206,19 @@ class LSsession { * @retval string 'admin'/'self'/'user' pour Admin , l'utilisateur lui même ou un simple utilisateur */ function whoami($dn) { - if ($this -> isAdmin($dn)) { - return 'admin'; + $retval = array('user'); + + foreach($this -> LSrights as $profile => $infos) { + if($this -> isProfile($dn,$profile)) { + $retval[]=$profile; + } } if ($this -> dn == $dn) { - return 'self'; + $retval[]='self'; } - return 'user'; + return $retval; } /** 
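Review bot: The docblock kept as context above `whoami()` still says `@retval string 'admin'/'self'/'user'`, but the function now returns an array that always contains `'user'`, plus every profile for which `isProfile()` holds, plus `'self'`; update it to `@retval array Profiles held by the user on this DN ('user' always, then matching LSrights profiles, then 'self')`. In the `isProfile()` docblock the parameters are documented as `$profile` then `$dn` while the signature is `isProfile($dn,$profile)`; swap the two `@param[in]` lines so they follow the signature. Seeding `$retval` with `'user'` unconditionally means every authenticated user holds that profile on every DN, which matches the old `return 'user';` fallback but is now implicit — a comment on `$retval = array('user');` saying so would help.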
@@ -1223,15 +1264,28 @@ class LSsession { if (!isset($GLOBALS['LSobjects'][$LSobject]['attrs'][$attr])) { return; } + + $r = 'n'; + foreach($whoami as $who) { + $nr = $GLOBALS['LSobjects'][$LSobject]['attrs'][$attr]['rights'][$who]; + if($nr == 'w') { + $r = 'w'; + } + else if($nr == 'r') { + if ($r=='n') { + $r='r'; + } + } + } if (($right=='r')||($right=='w')) { - if ($GLOBALS['LSobjects'][$LSobject]['attrs'][$attr]['rights'][$whoami]==$right) { + if ($r==$right) { return true; } return; } else { - if ( ($GLOBALS['LSobjects'][$LSobject]['attrs'][$attr]['rights'][$whoami]=='r') || ($GLOBALS['LSobjects'][$LSobject]['attrs'][$attr]['rights'][$whoami]=='w') ) { + if ( ($r=='r') || ($r=='w') ) { return true; } return; @@ -1241,16 +1295,20 @@ class LSsession { // Pour un attribut quelconque if (is_array($GLOBALS['LSobjects'][$LSobject]['attrs'])) { if (($right=='r')||($right=='w')) { - foreach ($GLOBALS['LSobjects'][$LSobject]['attrs'] as $attr_name => $attr_config) { - if ($attr_config['rights'][$whoami]==$right) { - return true; + foreach($whoami as $who) { + foreach ($GLOBALS['LSobjects'][$LSobject]['attrs'] as $attr_name => $attr_config) { + if ($attr_config['rights'][$who]==$right) { + return true; + } } } } else { - foreach ($GLOBALS['LSobjects'][$LSobject]['attrs'] as $attr_name => $attr_config) { - if ( ($attr_config['rights'][$whoami]=='r') || ($attr_config['rights'][$whoami]=='w') ) { - return true; + foreach($whoami as $who) { + foreach ($GLOBALS['LSobjects'][$LSobject]['attrs'] as $attr_name => $attr_config) { + if ( ($attr_config['rights'][$who]=='r') || ($attr_config['rights'][$who]=='w') ) { + return true; + } } } } 
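Review bot: The two paths of `canAccess()` now aggregate rights differently: for a named attribute, `$r` takes the strongest right across the profiles and is then compared with `==`, so a request for `'r'` is refused when the combined right is `'w'` (this mirrors the old single-profile comparison, but for a user who is both `self` at `'r'` and `godfather` at `'w'` the answer now depends on which entries exist); for "any attribute", the new inner `foreach($whoami as $who)` returns true as soon as one profile's entry equals `$right`, with no aggregation at all. Pick one rule and state it in the docblock — callers asking for `'r'` presumably mean "at least read", which would be `if ($r == $right || ($right == 'r' && $r == 'w')) { return true; }`. As in `LSattribute::myRights()`, `['rights'][$who]` is indexed for profiles that have no entry, so the `isset` guard belongs here too. `canAccess()` begins before this hunk.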
@@ -1310,13 +1368,28 @@ class LSsession { $whoami = $this -> whoami($dn); if (($right=='w') || ($right=='r')) { - if ($GLOBALS['LSobjects'][$LSobject]['relations'][$relationName]['rights'][$whoami] == $right) { + $r = 'n'; + foreach($whoami as $who) { + $nr = $GLOBALS['LSobjects'][$LSobject]['relations'][$relationName]['rights'][$who]; + if($nr == 'w') { + $r = 'w'; + } + else if($nr == 'r') { + if ($r=='n') { + $r='r'; + } + } + } + + if ($r == $right) { return true; } } else { - if (($GLOBALS['LSobjects'][$LSobject]['relations'][$relationName]['rights'][$whoami] == 'w') || ($GLOBALS['LSobjects'][$LSobject]['relations'][$relationName]['rights'][$whoami] == 'r')) { - return true; + foreach($whoami as $who) { + if (($GLOBALS['LSobjects'][$LSobject]['relations'][$relationName]['rights'][$who] == 'w') || ($GLOBALS['LSobjects'][$LSobject]['relations'][$relationName]['rights'][$who] == 'r')) { + return true; + } } } return; diff --git a/trunk/lsexample/ls.schema b/trunk/lsexample/ls.schema index d5681828..45f84718 100644 --- a/trunk/lsexample/ls.schema +++ b/trunk/lsexample/ls.schema @@ -19,6 +19,10 @@ attributetype ( LsLDAPAttribute:2 NAME 'lsRecoveryHash' DESC 'Password Recover Hash' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15) + +attributetype ( LsLDAPAttribute:3 NAME 'lsGodfatherDn' + SUP distinguishedName + DESC 'Godfather dn of this entry' ) # # @@ -29,14 +33,14 @@ objectclass (LsLDAPObjectClass:1 MUST ( uid $ cn ) MAY ( jpegPhoto $ sn $ givenName $ postalAddress $ postalCode $ l $ st $ c $ telephoneNumber $ mobile $ fax $ mail $ personalTitle $ description $ - userPassword $ lsallowedservices $ lsRecoveryHash )) + userPassword $ lsallowedservices $ lsRecoveryHash $ lsGodfatherDn )) objectclass (LsLDAPObjectClass:3 NAME 'lsgroup' DESC 'LS group Objectclass' STRUCTURAL MUST ( cn ) - MAY ( uniquemember $ description )) + MAY ( uniquemember $ description $ lsGodfatherDn )) objectclass (LsLDAPObjectClass:4 NAME 'lssysaccount' 
@@ -50,7 +54,7 @@ objectclass ( LsLDAPObjectClass:5 SUP organizationalUnit STRUCTURAL MUST ( ou ) - MAY ( description )) + MAY ( description $ lsGodfatherDn )) #