- LSsession :
-> Les profils utilisateurs sont maintenant scalables. Il est possible de créer autant de profils voulus avec autant de droits alloués spécifiques -> LSsession :: whoami() et LSldapObject :: whoami() retournent la liste des profils correspondants à l'utilisateur connecté -> Les méthodes ont été modifiées pour prendre en compte cela en faisant la somme des droits de chaque profil : - LSsession :: canAccess() - LSsession :: relationCanAccess() - LSsession :: loadLSrights() - LSattribute :: myRights() -> LSsession :: isAdmin() a été remplacé par isProfile() capable de redonner la même information mais pour tout profil dont le nom est passé en paramètre -> LSsession :: loadLSrights() : gère la délégation de droits sur les objets répondant à un filtre particulier ou dont un certain attribut possède une certaine valeur -> LSexample : -> Ajout d'un attribut lsGodfatherDn pour la délégation de droit objet par objet -> Retravail des objets d'exemple pour faire en sorte de coller plus avec une réelle utilisation
This commit is contained in:
parent
b03848b1a1
commit
c48a57df45
7 changed files with 343 additions and 114 deletions
|
@ -26,10 +26,14 @@ $GLOBALS['LSobjects']['LSeecompany'] = array (
|
|||
'lscompany'
|
||||
),
|
||||
'rdn' => 'ou',
|
||||
'orderby' => 'displayValue', // Valeurs possibles : 'displayValue' ou 'subDn'
|
||||
'container_dn' => 'ou=companies',
|
||||
'select_display_attrs' => '%{ou}',
|
||||
'label' => _('Sociétés'),
|
||||
|
||||
'attrs' => array (
|
||||
|
||||
/* ----------- start -----------*/
|
||||
'ou' => array (
|
||||
'label' => _('Nom'),
|
||||
'ldap_type' => 'ascii',
|
||||
|
@ -48,6 +52,9 @@ $GLOBALS['LSobjects']['LSeecompany'] = array (
|
|||
'create' => 1
|
||||
)
|
||||
),
|
||||
/* ----------- end -----------*/
|
||||
|
||||
/* ----------- start -----------*/
|
||||
'description' => array (
|
||||
'label' => _('Description'),
|
||||
'ldap_type' => 'ascii',
|
||||
|
@ -55,6 +62,35 @@ $GLOBALS['LSobjects']['LSeecompany'] = array (
|
|||
'required' => 0,
|
||||
'rights' => array(
|
||||
'user' => 'r',
|
||||
'admin' => 'w',
|
||||
'godfather' => 'w'
|
||||
),
|
||||
'view' => 1,
|
||||
'form' => array (
|
||||
'modify' => 1,
|
||||
'create' => 1
|
||||
)
|
||||
),
|
||||
/* ----------- end -----------*/
|
||||
|
||||
/* ----------- start -----------*/
|
||||
'lsGodfatherDn' => array (
|
||||
'label' => _('Parrain(s)'),
|
||||
'ldap_type' => 'ascii',
|
||||
'html_type' => 'select_object',
|
||||
'selectable_object' => array(
|
||||
'object_type' => 'LSeepeople',
|
||||
'value_attribute' => '%{dn}'
|
||||
),
|
||||
'validation' => array (
|
||||
array (
|
||||
'basedn' => '%{val}',
|
||||
'result' => 1,
|
||||
'msg' => _("Un ou plusieurs de ces utilisateurs n'existent pas.")
|
||||
)
|
||||
),
|
||||
'multiple' => 1,
|
||||
'rights' => array(
|
||||
'admin' => 'w'
|
||||
),
|
||||
'view' => 1,
|
||||
|
@ -63,6 +99,7 @@ $GLOBALS['LSobjects']['LSeecompany'] = array (
|
|||
'create' => 1
|
||||
)
|
||||
)
|
||||
/* ----------- end -----------*/
|
||||
)
|
||||
);
|
||||
?>
|
||||
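Review bot: The `'validation'` entry for `lsGodfatherDn` (L158–L176, `'basedn' => '%{val}', 'result' => 1`) appears to check only that the submitted DN exists, not that it is an `LSeepeople` entry, so the `selectable_object` restriction at L146–L155 is enforced by the form widget alone and an admin can point a company's godfather at any existing entry. Since the attribute is writable by `admin` only (L182–L188) the exposure is limited, but a comment next to the validation would make the contract explicit: `// Validation only asserts the DN exists; it does not check the entry is an LSeepeople`. The same attribute block is repeated verbatim in the LSeegroup and LSeepeople sections of this commit; a shared definition would keep the three copies in step.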
@ -40,6 +40,8 @@ $GLOBALS['LSobjects']['LSeegroup'] = array (
|
|||
'select_display_attrs' => '%{cn}',
|
||||
'label' => _('Groupes'),
|
||||
'attrs' => array (
|
||||
|
||||
/* ----------- start -----------*/
|
||||
'cn' => array (
|
||||
'label' => _('Nom'),
|
||||
'ldap_type' => 'ascii',
|
||||
|
@ -59,13 +61,17 @@ $GLOBALS['LSobjects']['LSeegroup'] = array (
|
|||
'view' => 1,
|
||||
'rights' => array(
|
||||
'user' => 'r',
|
||||
'admin' => 'w'
|
||||
'admin' => 'w',
|
||||
'godfather' => 'r'
|
||||
),
|
||||
'form' => array (
|
||||
'modify' => 1,
|
||||
'create' => 1
|
||||
)
|
||||
),
|
||||
/* ----------- end -----------*/
|
||||
|
||||
/* ----------- start -----------*/
|
||||
'gidNumber' => array (
|
||||
'label' => _('Identifiant'),
|
||||
'ldap_type' => 'numeric',
|
||||
|
@ -87,6 +93,9 @@ $GLOBALS['LSobjects']['LSeegroup'] = array (
|
|||
'modify' => 1
|
||||
)
|
||||
),
|
||||
/* ----------- end -----------*/
|
||||
|
||||
/* ----------- start -----------*/
|
||||
'uniqueMember' => array (
|
||||
'label' => _('Membres'),
|
||||
'ldap_type' => 'ascii',
|
||||
|
@ -101,7 +110,8 @@ $GLOBALS['LSobjects']['LSeegroup'] = array (
|
|||
),
|
||||
'view' => 1,
|
||||
'rights' => array(
|
||||
'admin' => 'w'
|
||||
'admin' => 'w',
|
||||
'godfather' => 'w'
|
||||
),
|
||||
'form' => array (
|
||||
'modify' => 1,
|
||||
|
@ -115,7 +125,56 @@ $GLOBALS['LSobjects']['LSeegroup'] = array (
|
|||
|
||||
'value_attribute' => 'dn', // Spécifie le attributs dont la valeur sera retournée par
|
||||
)
|
||||
)
|
||||
),
|
||||
/* ----------- end -----------*/
|
||||
|
||||
/* ----------- start -----------*/
|
||||
'description' => array (
|
||||
'label' => _('Description'),
|
||||
'ldap_type' => 'ascii',
|
||||
'html_type' => 'textarea',
|
||||
'multiple' => 1,
|
||||
'rights' => array(
|
||||
'user' => 'r',
|
||||
'admin' => 'w',
|
||||
'godfather' => 'r'
|
||||
),
|
||||
'view' => 1,
|
||||
'form' => array (
|
||||
'modify' => 1,
|
||||
'create' => 1
|
||||
)
|
||||
),
|
||||
/* ----------- end -----------*/
|
||||
|
||||
/* ----------- start -----------*/
|
||||
'lsGodfatherDn' => array (
|
||||
'label' => _('Parrain(s)'),
|
||||
'ldap_type' => 'ascii',
|
||||
'html_type' => 'select_object',
|
||||
'selectable_object' => array(
|
||||
'object_type' => 'LSeepeople',
|
||||
'value_attribute' => '%{dn}'
|
||||
),
|
||||
'validation' => array (
|
||||
array (
|
||||
'basedn' => '%{val}',
|
||||
'result' => 1,
|
||||
'msg' => _("Un ou plusieurs de ces utilisateurs n'existent pas.")
|
||||
)
|
||||
),
|
||||
'multiple' => 1,
|
||||
'rights' => array(
|
||||
'admin' => 'w'
|
||||
),
|
||||
'view' => 1,
|
||||
'form' => array (
|
||||
'modify' => 1,
|
||||
'create' => 1
|
||||
)
|
||||
),
|
||||
/* ----------- end -----------*/
|
||||
|
||||
)
|
||||
);
|
||||
?>
|
||||
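Review bot: Giving the `godfather` profile `'w'` on `uniqueMember` (L354) lets anyone listed in a group's `lsGodfatherDn` edit that group's membership, and the LSconfig section of this commit derives the `admin` profile on `ou=people,o=ls` from membership of `cn=adminldap,ou=groups,o=ls` through that very attribute; a godfather of that group could therefore add their own DN and obtain the admin profile. This is example configuration, but it is the pattern deployments will copy, so either keep `lsGodfatherDn` off rights-bearing groups or state the constraint next to the attribute, e.g. `// Do not set lsGodfatherDn on groups referenced by LSrights: godfathers can edit uniqueMember`. The new `'godfather' => 'r'` on `description` (L416) is harmless by comparison and needs no such note.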
@ -82,7 +82,8 @@ $GLOBALS['LSobjects']['LSeepeople'] = array (
|
|||
'mail',
|
||||
'userPassword',
|
||||
'description',
|
||||
'jpegPhoto'
|
||||
'jpegPhoto',
|
||||
'lsGodfatherDn'
|
||||
)
|
||||
),
|
||||
'Posix' => array (
|
||||
|
@ -135,8 +136,8 @@ $GLOBALS['LSobjects']['LSeepeople'] = array (
|
|||
),
|
||||
'rights' => array(
|
||||
'self' => 'r',
|
||||
'user' => 'r',
|
||||
'admin' => 'w'
|
||||
'admin' => 'w',
|
||||
'godfather' => 'r'
|
||||
),
|
||||
'view' => 1,
|
||||
'form' => array (
|
||||
|
@ -169,7 +170,6 @@ $GLOBALS['LSobjects']['LSeepeople'] = array (
|
|||
)
|
||||
),
|
||||
'rights' => array(
|
||||
'self' => 'r',
|
||||
'admin' => 'w'
|
||||
),
|
||||
'view' => 1,
|
||||
|
@ -192,9 +192,10 @@ $GLOBALS['LSobjects']['LSeepeople'] = array (
|
|||
),
|
||||
),
|
||||
'rights' => array(
|
||||
'self' => 'w',
|
||||
'self' => 'r',
|
||||
'users' => 'r',
|
||||
'admin' => 'w'
|
||||
'admin' => 'w',
|
||||
'godfather' => 'w'
|
||||
),
|
||||
'view' => 1,
|
||||
'form' => array (
|
||||
|
@ -212,9 +213,10 @@ $GLOBALS['LSobjects']['LSeepeople'] = array (
|
|||
'html_type' => 'text',
|
||||
'required' => 1,
|
||||
'rights' => array(
|
||||
'self' => 'w',
|
||||
'self' => 'r',
|
||||
'user' => 'r',
|
||||
'admin' => 'w'
|
||||
'admin' => 'w',
|
||||
'godfather' => 'w'
|
||||
),
|
||||
'view' => 1,
|
||||
'form' => array (
|
||||
|
@ -237,9 +239,10 @@ $GLOBALS['LSobjects']['LSeepeople'] = array (
|
|||
'required' => 1,
|
||||
'validation' => 'valid',
|
||||
'rights' => array(
|
||||
'self' => 'w',
|
||||
'self' => 'r',
|
||||
'user' => 'r',
|
||||
'admin' => 'w'
|
||||
'admin' => 'w',
|
||||
'godfather' => 'w'
|
||||
),
|
||||
'view' => 1,
|
||||
'form' => array (
|
||||
|
@ -265,8 +268,8 @@ $GLOBALS['LSobjects']['LSeepeople'] = array (
|
|||
)
|
||||
),
|
||||
'rights' => array(
|
||||
'self' => 'r',
|
||||
'admin' => 'w'
|
||||
'admin' => 'w',
|
||||
'godfather' => 'r'
|
||||
),
|
||||
'view' => 1,
|
||||
'form' => array (
|
||||
|
@ -303,7 +306,6 @@ $GLOBALS['LSobjects']['LSeepeople'] = array (
|
|||
'required' => 1,
|
||||
'default_value' => 'no',
|
||||
'rights' => array(
|
||||
'self' => 'r',
|
||||
'admin' => 'w'
|
||||
),
|
||||
'view' => 1,
|
||||
|
@ -340,7 +342,7 @@ $GLOBALS['LSobjects']['LSeepeople'] = array (
|
|||
'required' => 1,
|
||||
'generate_function' => 'generate_homeDirectory',
|
||||
'rights' => array(
|
||||
'self' => 'r'
|
||||
'admin' => 'r'
|
||||
),
|
||||
'view' => 1
|
||||
),
|
||||
|
@ -367,7 +369,8 @@ $GLOBALS['LSobjects']['LSeepeople'] = array (
|
|||
'rights' => array(
|
||||
'self' => 'r',
|
||||
'user' => 'r',
|
||||
'admin' => 'w'
|
||||
'admin' => 'w',
|
||||
'godfather' => 'w'
|
||||
),
|
||||
'view' => 1,
|
||||
'form' => array (
|
||||
|
@ -385,9 +388,10 @@ $GLOBALS['LSobjects']['LSeepeople'] = array (
|
|||
'required' => 1,
|
||||
'default_value' => 'M.',
|
||||
'rights' => array(
|
||||
'self' => 'w',
|
||||
'self' => 'r',
|
||||
'user' => 'r',
|
||||
'admin' => 'w'
|
||||
'admin' => 'w',
|
||||
'godfather' => 'w'
|
||||
),
|
||||
'view' => 1,
|
||||
'form' => array (
|
||||
|
@ -409,9 +413,10 @@ $GLOBALS['LSobjects']['LSeepeople'] = array (
|
|||
'html_type' => 'textarea',
|
||||
'multiple' => 1,
|
||||
'rights' => array(
|
||||
'self' => 'w',
|
||||
'self' => 'r',
|
||||
'user' => 'r',
|
||||
'admin' => 'w'
|
||||
'admin' => 'w',
|
||||
'godfather' => 'w'
|
||||
),
|
||||
'view' => 1,
|
||||
'form' => array (
|
||||
|
@ -538,9 +543,38 @@ $GLOBALS['LSobjects']['LSeepeople'] = array (
|
|||
'rights' => array(
|
||||
'self' => 'w',
|
||||
'user' => 'r',
|
||||
'admin' => 'w'
|
||||
'admin' => 'w',
|
||||
'godfather' => 'w'
|
||||
)
|
||||
)
|
||||
),
|
||||
/* ----------- end -----------*/
|
||||
|
||||
/* ----------- start -----------*/
|
||||
'lsGodfatherDn' => array (
|
||||
'label' => _('Parrain(s)'),
|
||||
'ldap_type' => 'ascii',
|
||||
'html_type' => 'select_object',
|
||||
'selectable_object' => array(
|
||||
'object_type' => 'LSeepeople',
|
||||
'value_attribute' => '%{dn}'
|
||||
),
|
||||
'validation' => array (
|
||||
array (
|
||||
'basedn' => '%{val}',
|
||||
'result' => 1,
|
||||
'msg' => _("Un ou plusieurs de ces utilisateurs n'existent pas.")
|
||||
)
|
||||
),
|
||||
'multiple' => 1,
|
||||
'rights' => array(
|
||||
'admin' => 'w'
|
||||
),
|
||||
'view' => 1,
|
||||
'form' => array (
|
||||
'modify' => 1,
|
||||
'create' => 1
|
||||
)
|
||||
),
|
||||
/* ----------- end -----------*/
|
||||
|
||||
) // Fin args
|
||||
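Review bot: The rights key `'users' => 'r'` at L648 does not match the profile name `user` used in every other rights array and seeded unconditionally by LSsession::whoami() in this commit; with the per-profile lookup now done in LSattribute::myRights() and LSsession::canAccess(), a plain user gets no right at all on that attribute, while the surrounding hunk only downgrades `self` to `'r'` and adds `godfather`. Change it to `'user' => 'r',`. The attributes of this file that lie outside the hunks are worth checking for the same typo, since the new code no longer has a default branch that would mask it.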
@ -43,14 +43,28 @@ $GLOBALS['LSconfig'] = array(
|
|||
'filter' => '(objectClass=*)',
|
||||
'scope' => 'sub'
|
||||
),
|
||||
'LSadmins' => array (
|
||||
'o=ls' => array (
|
||||
'uid=eeggs,ou=people,o=ls' => NULL
|
||||
'LSrights' => array (
|
||||
'admin' => array (
|
||||
'o=ls' => array (
|
||||
'uid=eeggs,ou=people,o=ls' => NULL
|
||||
),
|
||||
'ou=people,o=ls' => array (
|
||||
'cn=adminldap,ou=groups,o=ls' => array (
|
||||
'attr' => 'uniqueMember',
|
||||
'LSobject' => 'LSeegroup'
|
||||
)
|
||||
)
|
||||
),
|
||||
'ou=people,o=ls' => array (
|
||||
'cn=adminldap,ou=groups,o=ls' => array (
|
||||
'attr' => 'uniqueMember',
|
||||
'LSobject' => 'LSeegroup'
|
||||
'godfather' => array (
|
||||
'LSobjects' => array (
|
||||
'LSeepeople' => array (
|
||||
'attr' => 'lsGodfatherDn',
|
||||
'attr_value' => '%{dn}',
|
||||
'basedn' => 'ou=people,o=ls'
|
||||
),
|
||||
'LSeegroup' => array (
|
||||
'filter' => 'lsGodfatherDn=%{dn}'
|
||||
)
|
||||
)
|
||||
)
|
||||
),
|
||||
|
@ -95,12 +109,14 @@ $GLOBALS['LSconfig'] = array(
|
|||
'filter' => '(objectClass=*)',
|
||||
'scope' => 'sub'
|
||||
),
|
||||
'LSadmins' => array (
|
||||
'o=ls' => array (
|
||||
'uid=eeggs,ou=people,o=ls' => NULL,
|
||||
'cn=adminldap,ou=groups,o=ls' => array (
|
||||
'attr' => 'uniqueMember',
|
||||
'LSobject' => 'LSeegroup'
|
||||
'LSrights' => array(
|
||||
'admin' => array (
|
||||
'o=ls' => array (
|
||||
'uid=eeggs,ou=people,o=ls' => NULL,
|
||||
'cn=adminldap,ou=groups,o=ls' => array (
|
||||
'attr' => 'uniqueMember',
|
||||
'LSobject' => 'LSeegroup'
|
||||
)
|
||||
)
|
||||
)
|
||||
),
|
||||
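Review bot: The `LSeegroup` entry of the `godfather` profile (L1162–L1168) carries only a `'filter'` and no `'basedn'`, while loadLSrights() in this commit passes `$listInfos['basedn']` and `$listInfos['params']` to search() unconditionally; the group search base therefore falls back to whatever search() defaults to (not visible here) and both keys raise undefined-index notices. Add `'basedn' => 'ou=groups,o=ls'`, as the LSeepeople entry does at L1156, so the delegation is bounded to the intended subtree. The value `lsGodfatherDn=%{dn}` is also not parenthesised, unlike `(objectClass=*)` at L1184; that is fine if search() wraps the filter itself, otherwise it should read `'filter' => '(lsGodfatherDn=%{dn})'`.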
@ -258,25 +258,31 @@ class LSattribute {
|
|||
return $this -> _myRights;
|
||||
}
|
||||
$return='n';
|
||||
switch ($this -> ldapObject -> whoami()) {
|
||||
case 'admin':
|
||||
if($this -> config['rights']['admin']=='w') {
|
||||
$return='w';
|
||||
}
|
||||
else {
|
||||
$return='r';
|
||||
}
|
||||
break;
|
||||
case 'self':
|
||||
if (($this -> config['rights']['self'] == 'w') || ($this -> config['rights']['self'] == 'r')) {
|
||||
$return=$this -> config['rights']['self'];
|
||||
}
|
||||
break;
|
||||
default: //user
|
||||
if (($this -> config['rights']['user'] == 'w') || ($this -> config['rights']['user'] == 'r')) {
|
||||
$return=$this -> config['rights']['user'];
|
||||
}
|
||||
$whoami = $this -> ldapObject -> whoami();
|
||||
foreach($whoami as $who) {
|
||||
switch ($who) {
|
||||
case 'admin':
|
||||
if($this -> config['rights']['admin']=='w') {
|
||||
$return='w';
|
||||
break;
|
||||
}
|
||||
else {
|
||||
$return='r';
|
||||
}
|
||||
break;
|
||||
default:
|
||||
if ($this -> config['rights'][$who] == 'w') {
|
||||
$return='w';
|
||||
break;
|
||||
}
|
||||
else if($this -> config['rights'][$who] == 'r') {
|
||||
$return='r';
|
||||
}
|
||||
break;
|
||||
}
|
||||
if ($return=='w') {
|
||||
break;
|
||||
}
|
||||
}
|
||||
$this -> _myRights = $return;
|
||||
return $return;
|
||||
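Review bot: The rewritten loop (L1313–L1388) reads `$this -> config['rights'][$who]` without `isset` for every profile returned by whoami(), so any profile the attribute's `rights` array does not mention (for instance `godfather` or `self` on most attributes of the example configs) triggers an undefined-index notice on each access. The `break` statements at L1331 and L1358 only leave the `switch`; the loop is actually exited by the `if ($return=='w')` check at L1379, and the `admin` case duplicates the default case apart from its implicit `'r'` fallback. Folding both into one guarded lookup keeps the existing results, including admin's implicit read, while dropping the notices and the duplicated branch; the method's signature and the early return on `_myRights` sit above the hunk.
```php
    $whoami = $this -> ldapObject -> whoami();
    foreach($whoami as $who) {
      // Profiles without an entry in 'rights' grant nothing ...
      $right = isset($this -> config['rights'][$who]) ? $this -> config['rights'][$who] : 'n';
      // ... except admin, which keeps its implicit read access as before.
      if ($who == 'admin' && $right != 'w') {
        $right = 'r';
      }
      if ($right == 'w') {
        $return = 'w';
        break; // 'w' is the maximum, no need to look at further profiles
      }
      else if ($right == 'r') {
        $return = 'r';
      }
    }
    // … unchanged: cache in $this -> _myRights and return …
```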
@ -42,9 +42,7 @@ class LSsession {
|
|||
var $_JSconfigParams = array();
|
||||
var $CssFiles = array();
|
||||
var $template = NULL;
|
||||
var $LSrights = array (
|
||||
'topDn_admin' => array ()
|
||||
);
|
||||
var $LSrights = array();
|
||||
var $LSaccess = array();
|
||||
var $tmp_file = array();
|
||||
var $_subDnLdapServer = array();
|
||||
|
@ -1002,46 +1000,82 @@ class LSsession {
|
|||
* @retval boolean True si le chargement à réussi, false sinon.
|
||||
**/
|
||||
function loadLSrights() {
|
||||
if (is_array($this -> ldapServer['LSadmins'])) {
|
||||
foreach ($this -> ldapServer['LSadmins'] as $topDn => $adminsInfos) {
|
||||
if (is_array($adminsInfos)) {
|
||||
foreach($adminsInfos as $dn => $conf) {
|
||||
if ((isset($conf['attr'])) && (isset($conf['LSobject']))) {
|
||||
if( $this -> loadLSobject($conf['LSobject']) ) {
|
||||
if ($object = new $conf['LSobject']()) {
|
||||
if ($object -> loadData($dn)) {
|
||||
$listDns=$object -> getValue($conf['attr']);
|
||||
if (is_array($listDns)) {
|
||||
if (in_array($this -> dn,$listDns)) {
|
||||
$this -> LSrights['topDn_admin'][] = $topDn;
|
||||
if (is_array($this -> ldapServer['LSrights'])) {
|
||||
foreach ($this -> ldapServer['LSrights'] as $profile => $profileInfos) {
|
||||
if (is_array($profileInfos)) {
|
||||
foreach ($profileInfos as $topDn => $rightsInfos) {
|
||||
if ($topDn == 'LSobjects') {
|
||||
if (is_array($rightsInfos)) {
|
||||
foreach ($rightsInfos as $LSobject => $listInfos) {
|
||||
if ($this -> loadLSobject($LSobject)) {
|
||||
if ($object = new $LSobject()) {
|
||||
if ($listInfos['filter']) {
|
||||
$filter = $this -> LSuserObject -> getFData($listInfos['filter']);
|
||||
}
|
||||
else {
|
||||
$filter = $listInfos['attr'].'='.$this -> LSuserObject -> getFData($listInfos['attr_value']);
|
||||
}
|
||||
$list = $object -> search($filter,$listInfos['basedn'],$listInfos['params']);
|
||||
foreach($list as $obj) {
|
||||
$this -> LSrights[$profile][] = $obj['dn'];
|
||||
}
|
||||
}
|
||||
else {
|
||||
LSdebug('Impossible de créer l\'objet de type : '.$LSobject);
|
||||
}
|
||||
}
|
||||
else {
|
||||
LSdebug('Impossible de chargé le dn : '.$dn);
|
||||
$GLOBALS['LSerror'] -> addErrorCode(1004,$LSobject);
|
||||
}
|
||||
}
|
||||
else {
|
||||
LSdebug('Impossible de créer l\'objet de type : '.$conf['LSobject']);
|
||||
}
|
||||
}
|
||||
else {
|
||||
$GLOBALS['LSerror'] -> addErrorCode(1004,$conf['LSobject']);
|
||||
LSdebug('LSobjects => [] doit etre un tableau');
|
||||
}
|
||||
}
|
||||
else {
|
||||
if ($this -> dn == $dn) {
|
||||
$this -> LSrights['topDn_admin'][] = $topDn;
|
||||
if (is_array($rightsInfos)) {
|
||||
foreach($rightsInfos as $dn => $conf) {
|
||||
if ((isset($conf['attr'])) && (isset($conf['LSobject']))) {
|
||||
if( $this -> loadLSobject($conf['LSobject']) ) {
|
||||
if ($object = new $conf['LSobject']()) {
|
||||
if ($object -> loadData($dn)) {
|
||||
$listDns=$object -> getValue($conf['attr']);
|
||||
if (is_array($listDns)) {
|
||||
if (in_array($this -> dn,$listDns)) {
|
||||
$this -> LSrights[$profile][] = $topDn;
|
||||
}
|
||||
}
|
||||
}
|
||||
else {
|
||||
LSdebug('Impossible de chargé le dn : '.$dn);
|
||||
}
|
||||
}
|
||||
else {
|
||||
LSdebug('Impossible de créer l\'objet de type : '.$conf['LSobject']);
|
||||
}
|
||||
}
|
||||
else {
|
||||
$GLOBALS['LSerror'] -> addErrorCode(1004,$conf['LSobject']);
|
||||
}
|
||||
}
|
||||
else {
|
||||
if ($this -> dn == $dn) {
|
||||
$this -> LSrights[$profile][] = $topDn;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
else {
|
||||
if ( $this -> dn == $adminsInfos ) {
|
||||
$this -> LSrights['topDn_admin'][] = $topDn;
|
||||
}
|
||||
}
|
||||
}
|
||||
else {
|
||||
if ( $this -> dn == $rightsInfos ) {
|
||||
$this -> LSrights[$profile][] = $topDn;
|
||||
}
|
||||
}
|
||||
} // fin else ($topDn == 'LSobjects')
|
||||
} // fin foreach($profileInfos)
|
||||
} // fin is_array($profileInfos)
|
||||
} // fin foreach LSrights
|
||||
LSdebug($this -> LSrights);
|
||||
return true;
|
||||
}
|
||||
else {
|
||||
|
@ -1143,19 +1177,22 @@ class LSsession {
|
|||
}
|
||||
|
||||
/**
|
||||
* Dit si l'utilisateur est admin de le DN spécifié
|
||||
* Dit si l'utilisateur est du profil pour le DN spécifié
|
||||
*
|
||||
* @param[in] string DN de l'objet
|
||||
* @param[in] string $profile de l'objet
|
||||
* @param[in] string $dn DN de l'objet
|
||||
*
|
||||
* @retval boolean True si l'utilisateur est admin sur l'objet, false sinon.
|
||||
* @retval boolean True si l'utilisateur est du profil sur l'objet, false sinon.
|
||||
*/
|
||||
function isAdmin($dn) {
|
||||
foreach($this -> LSrights['topDn_admin'] as $topDn_admin) {
|
||||
if($dn == $topDn_admin) {
|
||||
return true;
|
||||
}
|
||||
else if ( isCompatibleDNs($dn,$topDn_admin) ) {
|
||||
return true;
|
||||
function isProfile($dn,$profile) {
|
||||
if (is_array($this -> LSrights[$profile])) {
|
||||
foreach($this -> LSrights[$profile] as $topDn) {
|
||||
if($dn == $topDn) {
|
||||
return true;
|
||||
}
|
||||
else if ( isCompatibleDNs($dn,$topDn) ) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
return;
|
||||
|
@ -1169,15 +1206,19 @@ class LSsession {
|
|||
* @retval string 'admin'/'self'/'user' pour Admin , l'utilisateur lui même ou un simple utilisateur
|
||||
*/
|
||||
function whoami($dn) {
|
||||
if ($this -> isAdmin($dn)) {
|
||||
return 'admin';
|
||||
$retval = array('user');
|
||||
|
||||
foreach($this -> LSrights as $profile => $infos) {
|
||||
if($this -> isProfile($dn,$profile)) {
|
||||
$retval[]=$profile;
|
||||
}
|
||||
}
|
||||
|
||||
if ($this -> dn == $dn) {
|
||||
return 'self';
|
||||
$retval[]='self';
|
||||
}
|
||||
|
||||
return 'user';
|
||||
return $retval;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -1223,15 +1264,28 @@ class LSsession {
|
|||
if (!isset($GLOBALS['LSobjects'][$LSobject]['attrs'][$attr])) {
|
||||
return;
|
||||
}
|
||||
|
||||
$r = 'n';
|
||||
foreach($whoami as $who) {
|
||||
$nr = $GLOBALS['LSobjects'][$LSobject]['attrs'][$attr]['rights'][$who];
|
||||
if($nr == 'w') {
|
||||
$r = 'w';
|
||||
}
|
||||
else if($nr == 'r') {
|
||||
if ($r=='n') {
|
||||
$r='r';
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (($right=='r')||($right=='w')) {
|
||||
if ($GLOBALS['LSobjects'][$LSobject]['attrs'][$attr]['rights'][$whoami]==$right) {
|
||||
if ($r==$right) {
|
||||
return true;
|
||||
}
|
||||
return;
|
||||
}
|
||||
else {
|
||||
if ( ($GLOBALS['LSobjects'][$LSobject]['attrs'][$attr]['rights'][$whoami]=='r') || ($GLOBALS['LSobjects'][$LSobject]['attrs'][$attr]['rights'][$whoami]=='w') ) {
|
||||
if ( ($r=='r') || ($r=='w') ) {
|
||||
return true;
|
||||
}
|
||||
return;
|
||||
|
@ -1241,16 +1295,20 @@ class LSsession {
|
|||
// Pour un attribut quelconque
|
||||
if (is_array($GLOBALS['LSobjects'][$LSobject]['attrs'])) {
|
||||
if (($right=='r')||($right=='w')) {
|
||||
foreach ($GLOBALS['LSobjects'][$LSobject]['attrs'] as $attr_name => $attr_config) {
|
||||
if ($attr_config['rights'][$whoami]==$right) {
|
||||
return true;
|
||||
foreach($whoami as $who) {
|
||||
foreach ($GLOBALS['LSobjects'][$LSobject]['attrs'] as $attr_name => $attr_config) {
|
||||
if ($attr_config['rights'][$who]==$right) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
else {
|
||||
foreach ($GLOBALS['LSobjects'][$LSobject]['attrs'] as $attr_name => $attr_config) {
|
||||
if ( ($attr_config['rights'][$whoami]=='r') || ($attr_config['rights'][$whoami]=='w') ) {
|
||||
return true;
|
||||
foreach($whoami as $who) {
|
||||
foreach ($GLOBALS['LSobjects'][$LSobject]['attrs'] as $attr_name => $attr_config) {
|
||||
if ( ($attr_config['rights'][$who]=='r') || ($attr_config['rights'][$who]=='w') ) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -1310,13 +1368,28 @@ class LSsession {
|
|||
$whoami = $this -> whoami($dn);
|
||||
|
||||
if (($right=='w') || ($right=='r')) {
|
||||
if ($GLOBALS['LSobjects'][$LSobject]['relations'][$relationName]['rights'][$whoami] == $right) {
|
||||
$r = 'n';
|
||||
foreach($whoami as $who) {
|
||||
$nr = $GLOBALS['LSobjects'][$LSobject]['relations'][$relationName]['rights'][$who];
|
||||
if($nr == 'w') {
|
||||
$r = 'w';
|
||||
}
|
||||
else if($nr == 'r') {
|
||||
if ($r=='n') {
|
||||
$r='r';
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ($r == $right) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
else {
|
||||
if (($GLOBALS['LSobjects'][$LSobject]['relations'][$relationName]['rights'][$whoami] == 'w') || ($GLOBALS['LSobjects'][$LSobject]['relations'][$relationName]['rights'][$whoami] == 'r')) {
|
||||
return true;
|
||||
foreach($whoami as $who) {
|
||||
if (($GLOBALS['LSobjects'][$LSobject]['relations'][$relationName]['rights'][$who] == 'w') || ($GLOBALS['LSobjects'][$LSobject]['relations'][$relationName]['rights'][$who] == 'r')) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
return;
|
||||
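Review bot: In loadLSrights() (hunk at L1434–L1766) the search filter that decides which objects a profile is granted on is built by string concatenation from the logged-in user's DN, at L1521 (`$listInfos['attr'].'='.$this -> LSuserObject -> getFData($listInfos['attr_value'])`) and through the `'filter'` template at L1512; unless getFData() already applies LDAP filter escaping (not shown here), a DN containing filter metacharacters such as `*`, `(` or `)` changes the filter and can enlarge the set of matched objects. Escape the substituted value per RFC 4515 (`\2a`, `\28`, `\29`, `\5c`, `\00`) before concatenation, with `ldap_escape($value, '', LDAP_ESCAPE_FILTER)` where the PHP version provides it, and document on the `filter` key that the template is substituted verbatim. Two smaller points in the same hunk: the `else` branch at L1554–L1563 is the loadLSobject() failure path but logs `'Impossible de chargé le dn : '.$dn` with a `$dn` that is not defined in that scope (copied from the topDn branch) and should name the LSobject that could not be loaded; and `foreach($list as $obj)` at L1530 assumes search() returned an array, so a failed search should be guarded with `if (is_array($list))`.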
@ -19,6 +19,10 @@ attributetype ( LsLDAPAttribute:2 NAME 'lsRecoveryHash'
|
|||
DESC 'Password Recover Hash'
|
||||
EQUALITY caseIgnoreMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)
|
||||
|
||||
attributetype ( LsLDAPAttribute:3 NAME 'lsGodfatherDn'
|
||||
SUP distinguishedName
|
||||
DESC 'Godfather dn of this entry' )
|
||||
# </Ls attributes>
|
||||
|
||||
# <Ls Objectclass>
|
||||
|
@ -29,14 +33,14 @@ objectclass (LsLDAPObjectClass:1
|
|||
MUST ( uid $ cn )
|
||||
MAY ( jpegPhoto $ sn $ givenName $ postalAddress $ postalCode $ l $ st $ c $
|
||||
telephoneNumber $ mobile $ fax $ mail $ personalTitle $ description $
|
||||
userPassword $ lsallowedservices $ lsRecoveryHash ))
|
||||
userPassword $ lsallowedservices $ lsRecoveryHash $ lsGodfatherDn ))
|
||||
|
||||
objectclass (LsLDAPObjectClass:3
|
||||
NAME 'lsgroup'
|
||||
DESC 'LS group Objectclass'
|
||||
STRUCTURAL
|
||||
MUST ( cn )
|
||||
MAY ( uniquemember $ description ))
|
||||
MAY ( uniquemember $ description $ lsGodfatherDn ))
|
||||
|
||||
objectclass (LsLDAPObjectClass:4
|
||||
NAME 'lssysaccount'
|
||||
|
@ -50,7 +54,7 @@ objectclass ( LsLDAPObjectClass:5
|
|||
SUP organizationalUnit
|
||||
STRUCTURAL
|
||||
MUST ( ou )
|
||||
MAY ( description ))
|
||||
MAY ( description $ lsGodfatherDn ))
|
||||
|
||||
# </Ls Objectclass>
|
||||
|
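Review bot: `lsGodfatherDn` (L2221–L2227) now decides which entries a user receives the `godfather` profile on, so its write access is security-relevant at the directory level as well: if the server ACLs let users write their own entry or group entries, the application-side restriction of the attribute to `admin` is bypassed by writing it directly. Add a comment beside the definition, e.g. `# lsGodfatherDn grants delegated rights in LdapSaisie; restrict its write access to administrators in the server ACLs`. The definition inherits its syntax and `distinguishedNameMatch` equality rule from `SUP distinguishedName`, which is what the equality filter in the LSconfig section relies on; saying so in the DESC or a comment saves the next reader a lookup.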