1 <?php
2 /*
3  * @author Anakeen
4  * @package FDL
5 */
6 /**
7  * Permission to execute actions
8  *
9  * @author Anakeen
10  * @version $Id: Class.Permission.php,v 1.10 2006/06/01 12:54:05 eric Exp $
11  * @package FDL
12  * @subpackage CORE
13  */
14 /**
15  */
16 
17 include_once ('Class.DbObj.php');
18 include_once ('Class.QueryDb.php');
19 include_once ('Class.Application.php');
20 include_once ('Class.Action.php');
21 include_once ('Class.Acl.php');
22 include_once ('Class.User.php');
23 include_once ('Class.Group.php');
24 
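class Permission extends DbObj
{
    /** Columns of the permission table handled by DbObj. */
    public $fields = array(
        "id_user",
        "id_application",
        "id_acl",
        "computed"
    );

    /** Composite key used to select one Permission object. */
    public $id_fields = array(
        "id_user",
        "id_application"
    );

    public $dbtable = "permission";
    /** @var array ACL ids held by the user (groups included) in the application */
    public $privileges = array();
    /** @var array|false ACL ids granted directly to the user in the application (false until computed) */
    private $upprivileges = false;
    /** @var array|false ACL ids explicitly denied to the user in the application (false until computed) */
    private $unprivileges = false;
    /** @var array|false ACL ids inherited from the user's groups (false until computed) */
    private $gprivileges = false;
    public $sqlcreate = '
create table permission (id_user int not null,
 id_application int not null,
 id_acl int not null,
 computed boolean default false);
create index permission_idx1 on permission(id_user);
create index permission_idx2 on permission(id_application);
create index permission_idx3 on permission(id_acl);
create index permission_idx4 on permission(computed);
 ';

    public $id_user;
    public $id_application;
    public $id_acl;
    /**
     * @var bool
     */
    public $computed;

    /** @var array action names available to the user, filled by GetActions() */
    public $actions = array();

    /**
     * Loads the permission row for a (user, application) pair, or prepares an
     * unsaved object carrying that key when no row exists.
     *
     * @param string $dbaccess database access string
     * @param array|string $id array(id_user, id_application[, computed]) or '' for an empty object
     * @param string $res
     * @param int $dbid
     * @param bool $computed when true, GetPrivileges() may use the stored (computed) ACL cache
     */
    public function __construct($dbaccess = '', $id = '', $res = '', $dbid = 0, $computed = true)
    {
        // The key is usable only when both id_user and id_application are present;
        // isset() avoids an undefined-offset notice on a partial array or a short string
        $hasKey = $id && isset($id[0], $id[1]) && $id[0] && $id[1];
        parent::__construct($dbaccess, $hasKey ? $id : '', $res, $dbid);

        if (!$this->isAffected() && $hasKey && is_array($id)) {
            // No stored row: affect the key anyway so privileges can still be computed
            $this->Affect(array(
                "id_user" => $id[0],
                "id_application" => $id[1],
                "computed" => (!empty($id[2]))
            ));
            $this->GetPrivileges(false, $computed);
        }
    }

    /**
     * DbObj hook: (re)load the privilege arrays after a select.
     * @param mixed $id unused, kept for the hook signature
     */
    public function postSelect($id)
    {
        $this->GetPrivileges();
    }

    /** DbObj hook: refresh the privilege arrays after a delete. */
    public function PostDelete()
    {
        $this->GetPrivileges();
    }

    /** DbObj hook: refresh the privilege arrays after an update. */
    public function PostUpdate()
    {
        $this->GetPrivileges();
    }

    /**
     * DbObj hook: refuse to insert a duplicate (user, application, acl) row.
     * @return string error message, or "" when the insert may proceed
     */
    public function PreInsert()
    {
        if ($this->Exists($this->id_user, $this->id_application, $this->id_acl)) {
            return "Permission ({$this->id_user},{$this->id_application},{$this->id_acl}) already exists...";
        }
        return "";
    }

    /**
     * DbObj hook: an explicit (non computed) row invalidates the cached computed
     * rows of the same ACL for every user of the application.
     * @return string always ""
     */
    public function postInsert()
    {
        if (!$this->computed) {
            $this->exec_query(sprintf("delete from permission where id_application=%d and abs(id_acl)=%d and computed", $this->id_application, abs($this->id_acl)));
        }
        return "";
    }

    /**
     * Gives the list of Permission for a user on an application
     * @param Account $user
     * @param Application $app
     * @return Acl[] one Acl object per permission row
     */
    public function ListUserPermissions($user, $app)
    {
        $query = new QueryDb($this->dbaccess, "Permission");
        // ids are cast to int before reaching the SQL fragment
        $query->basic_elem->sup_where = array(
            sprintf("id_user='%d'", $user->id),
            sprintf("id_application='%d'", $app->id)
        );
        $list = $query->Query();
        $res = array();
        if ($query->nb > 0) {
            foreach ($list as $v) {
                $res[] = new Acl($this->dbaccess, $v->id_acl);
            }
        }
        return $res;
    }

    /**
     * Gives the list of applications where a user has a permission row.
     * @param Account $user
     * @return Application[]
     */
    public function ListUserApplications($user)
    {
        $query = new QueryDb($this->dbaccess, "Permission");
        $query->basic_elem->sup_where = array(
            sprintf("id_user='%d'", $user->id)
        );
        $list = $query->Query();
        $res = array();
        if ($query->nb > 0) {
            foreach ($list as $v) {
                $this->log->debug("ListUserApplicaion");
                $res[] = new Application($this->dbaccess, $v->id_application);
            }
        }
        return $res;
    }

    /**
     * Gives the list of users having a permission row on an application.
     * @param Application $app
     * @return Account[]
     */
    public function ListApplicationUsers($app)
    {
        $query = new QueryDb($this->dbaccess, "Permission");
        $query->basic_elem->sup_where = array(
            sprintf("id_application='%d'", $app->id)
        );
        $list = $query->Query();
        $res = array();
        if ($query->nb > 0) {
            foreach ($list as $v) {
                $res[] = new Account($this->dbaccess, $v->id_user);
            }
        }
        return $res;
    }

    /**
     * Tells whether an explicit (non computed) permission row exists.
     *
     * @param int $userid
     * @param int $applicationid
     * @param int $aclid 0 to ignore the ACL; otherwise both the grant (+id) and
     *                   the denial (-id) rows of that ACL are matched
     * @return bool
     */
    public function Exists($userid, $applicationid, $aclid = 0)
    {
        $aclid = (int)$aclid;
        $query = new QueryDb($this->dbaccess, "Permission");
        $query->basic_elem->sup_where = array(
            sprintf("id_application='%d'", $applicationid),
            sprintf("id_user='%d'", $userid),
            "( computed = FALSE OR computed IS NULL )"
        );
        if ($aclid != 0) {
            $query->AddQuery(sprintf("(id_acl=%d) OR (id_acl=%d) ", $aclid, -$aclid));
        }
        $query->Query(0, 0, "TABLE");
        return ($query->nb > 0);
    }

    /**
     * Compares the grant level of the user's first permission row with an ACL.
     *
     * @param Account $user
     * @param Application $application
     * @param Acl $acl
     * @return bool false when the user has no permission row in the application
     */
    public function IsOver($user, $application, $acl)
    {
        $query = new QueryDb($this->dbaccess, "Permission");
        $query->basic_elem->sup_where = array(
            sprintf("id_application='%d'", $application->id),
            sprintf("id_user='%d'", $user->id)
        );
        $list = $query->Query();
        if ($query->nb == 0) return false;
        // only the first row is considered, as in GrantLevel()
        $aclu = new Acl($this->dbaccess, $list[0]->id_acl);
        return ($aclu->grant_level >= $acl->grant_level);
    }

    /**
     * Grant level of the user's first permission row in the application.
     *
     * @param Account $user
     * @param Application $application
     * @return int 0 when the user has no permission row
     */
    public function GrantLevel($user, $application)
    {
        $query = new QueryDb($this->dbaccess, "Permission");
        $query->basic_elem->sup_where = array(
            sprintf("id_application='%d'", $application->id),
            sprintf("id_user='%d'", $user->id)
        );
        $list = $query->Query();
        if ($query->nb == 0) return 0;
        $acl = new Acl($this->dbaccess, $list[0]->id_acl);
        return $acl->grant_level;
    }

    /**
     * Deletes every permission row of an application, one object at a time so
     * the DbObj delete hooks run.
     * @param int $id application id
     */
    public function DelAppPerm($id)
    {
        $query = new QueryDb($this->dbaccess, "Permission");
        // %d: the id must never be spliced into the fragment as raw text
        $query->basic_elem->sup_where = array(
            sprintf("id_application=%d", $id)
        );
        $list = $query->Query();
        $this->log->debug("DEL APP PERM");
        if ($query->nb > 0) {
            /** @var Permission $v */
            foreach ($list as $v) {
                $v->Delete();
            }
        } else {
            $this->log->debug("NO PERM");
        }
    }

    /**
     * ACL ids granted directly to the user (computed on first access).
     * @return array
     */
    public function GetUpPrivileges()
    {
        if ($this->upprivileges === false) {
            $this->GetPrivileges(true, false);
        }
        return $this->upprivileges;
    }

    /**
     * ACL ids explicitly denied to the user (computed on first access).
     * @return array
     */
    public function GetUnPrivileges()
    {
        if ($this->unprivileges === false) {
            $this->GetPrivileges(true, false);
        }
        return $this->unprivileges;
    }

    /**
     * ACL ids inherited from the user's groups (computed on first access).
     * @return array
     */
    public function GetGPrivileges()
    {
        if ($this->gprivileges === false) {
            $this->GetPrivileges(true, false);
        }
        return $this->gprivileges;
    }

    /**
     * Get all ACL ids defined for a given application.
     * @param int $appid
     * @return array
     */
    public function getAllAclForApplication($appid)
    {
        $query = new QueryDb($this->dbaccess, "acl");
        $query->basic_elem->sup_where = array(
            sprintf("id_application = '%d'", $appid)
        );
        $res = $query->Query();
        $aclList = array();
        if ($query->nb > 0) {
            foreach ($res as $v) {
                $aclList[] = $v->id;
            }
        }
        return $aclList;
    }

    /**
     * Returns the resulting ACL for a given (user, application), computing
     * ACL values that are not yet stored.
     *
     * @param int $uid
     * @param int $appid
     * @return array signed ACL ids (negative means denied), one per application ACL
     */
    public function GetComputedPrivileges($uid, $appid)
    {
        $query = new QueryDb($this->dbaccess, "permission");
        $query->basic_elem->sup_where = array(
            sprintf("id_application = '%d'", $appid),
            sprintf("id_user = '%d'", $uid),
            "computed = TRUE"
        );
        $computedAcl = array();
        $list = $query->Query();
        if ($query->nb > 0) {
            foreach ($list as $v) {
                // keyed by the unsigned ACL id so grant and denial rows collapse to one entry
                $computedAcl[abs($v->id_acl)] = $v->id_acl;
            }
        }
        $allAclList = $this->getAllAclForApplication($appid);
        foreach ($allAclList as $acl) {
            if (!array_key_exists($acl, $computedAcl)) {
                $computedAcl[abs($acl)] = $this->computePerm($uid, $appid, abs($acl));
            }
        }
        return array_values($computedAcl);
    }

    /**
     * Return the ACL value for a given (user, app, acl), computing it if it's not
     * already computed, and storing the results (done by the SQL function computePerm).
     *
     * @param int $uid
     * @param int $appid
     * @param int $acl
     * @return mixed value returned by computePerm(), null if the query gave no row
     */
    public function computePerm($uid, $appid, $acl)
    {
        $db = new DbObj($this->dbaccess);
        $db->exec_query(sprintf("SELECT computePerm(%d, %d, %d)", $uid, $appid, abs($acl)));
        $perm = $db->fetch_array(0);
        return isset($perm['computeperm']) ? $perm['computeperm'] : null;
    }

    /**
     * Builds the privilege arrays of the (id_user, id_application) pair.
     *
     * Without $force and with $computed, the stored computed rows are used when
     * there are any. Otherwise the arrays are rebuilt from the groups of the user
     * and then from the user's own rows: a positive id_acl grants, a negative
     * id_acl removes the ACL (group grants included).
     *
     * @param bool $force rebuild even if computed rows exist
     * @param bool $computed include computed rows; false restricts to explicit rows
     * @return array ACL ids held by the user
     */
    public function GetPrivileges($force = false, $computed = true)
    {
        if (!$force && $computed) {
            $cached = $this->GetComputedPrivileges($this->id_user, $this->id_application);
            if (count($cached) > 0) {
                $this->privileges = $cached;
                return $this->privileges;
            }
        }

        $this->privileges = array();
        $this->upprivileges = array();
        $this->unprivileges = array();
        $this->gprivileges = array();

        // inherited privileges: one Permission object per group of the user
        $ugroup = new Group($this->dbaccess, $this->id_user);
        foreach ($ugroup->groups as $gid) {
            $gperm = new Permission($this->dbaccess, array(
                $gid,
                $this->id_application,
                false
            ), '', 0, $computed);
            foreach ($gperm->privileges as $gacl) {
                if (!in_array($gacl, $this->privileges)) {
                    $this->gprivileges[] = $gacl;
                    $this->privileges[] = $gacl;
                }
            }
        }

        // the user's own rows, applied after the groups so a denial can cancel a group grant
        $query = new QueryDb($this->dbaccess, "Permission");
        $query->basic_elem->sup_where = array(
            sprintf("id_application='%d'", $this->id_application),
            sprintf("id_user='%d'", $this->id_user),
            (!$computed) ? "( computed = FALSE OR computed IS NULL )" : "true"
        );
        $list = $query->Query();
        if ($query->nb > 0) {
            foreach ($list as $v) {
                if ($v->id_acl > 0) {
                    $this->upprivileges[] = $v->id_acl;
                    if (!in_array($v->id_acl, $this->privileges)) {
                        $this->privileges[] = $v->id_acl;
                    }
                } else {
                    $denied = -($v->id_acl);
                    $this->unprivileges[] = $denied;
                    // loose search: ids may be strings from the database or ints from computePerm()
                    $nk = array_search($denied, $this->privileges, false);
                    if (is_integer($nk)) {
                        unset($this->privileges[$nk]);
                    }
                }
            }
        }

        return $this->privileges;
    }

    /**
     * return true if user has this privilege
     * @param string $idacl acl id
     * @param bool $strict set to true to not use substitute user account property
     * @return bool
     */
    public function hasPrivilege($idacl, $strict = false)
    {
        // id_user 1 is the admin user and holds every privilege
        if ($this->id_user == 1 || in_array($idacl, $this->privileges)) {
            return true;
        }
        if ($strict) {
            return false;
        }
        return $this->substituteHasPrivilege($idacl);
    }

    /**
     * return true if an incumbent of the user has this privilege
     * @param string $idacl acl id
     * @return bool
     */
    public function substituteHasPrivilege($idacl)
    {
        $u = new Account($this->dbaccess, $this->id_user);
        foreach ($u->getIncumbents() as $aIncumbent) {
            $p = new Permission($this->dbaccess, array(
                $aIncumbent,
                $this->id_application
            ));
            // strict: incumbents are not followed transitively
            if ($p->hasPrivilege($idacl, true)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Grants an ACL (by name) of an application (by name) to id_user.
     * id_user must be set before the call; nothing happens when the application
     * or the ACL is unknown.
     *
     * @param string $appname
     * @param string $aclname
     */
    public function AddUserPermission($appname, $aclname)
    {
        $app = new Application($this->dbaccess);
        $appid = $app->GetIdFromName($appname);
        if ($appid != 0) {
            $this->id_application = $appid;
            $acl = new Acl($this->dbaccess);
            if ($acl->Set($aclname, $this->id_application)) {
                $this->id_acl = $acl->id;
                $this->Add();
            }
        }
    }

    /**
     * return ACTION list for a user
     *
     * @author Philippe VALENCIA <pvalencia@fram.fr>
     * @return array actions available for current user
     */
    public function GetActions()
    {
        $this->actions = array();
        $acls = $this->GetPrivileges();
        if (!count($acls)) return array();

        // ACL ids come from the database and computePerm(); cast them anyway so the
        // IN list can only ever contain integers
        $sSql = sprintf(
            "select distinct action.name from action inner join acl on action.acl = acl.name where action.id_application = %d AND acl.id in (%s)",
            $this->id_application,
            implode(",", array_map('intval', $acls))
        );
        $res = pg_query($this->dbid, $sSql);
        if ($res === false) {
            return $this->actions;
        }
        while ($arr = pg_fetch_row($res)) {
            $this->actions[] = $arr[0];
        }
        return $this->actions;
    }

    /**
     * Deletes the permission rows matching every non-null criterion (AND).
     *
     * With no criterion at all nothing is executed and false is returned, so an
     * unfiltered delete is impossible. Null checks are strict: a 0 id yields a
     * real condition instead of silently widening the delete.
     *
     * @param int|null $id_user
     * @param int|null $id_application
     * @param int|null $id_acl matched on its absolute value (grant and denial rows)
     * @param bool|null $computed true: computed rows only; false: explicit rows only; null: both
     * @return mixed result of exec_query(), or false when no criterion was given
     */
    public function deletePermission($id_user = null, $id_application = null, $id_acl = null, $computed = null)
    {
        $sqlCond = array();
        if ($id_user !== null) {
            $sqlCond[] = sprintf("( id_user = %d )", $id_user);
        }
        if ($id_application !== null) {
            $sqlCond[] = sprintf("( id_application = %d )", $id_application);
        }
        if ($id_acl !== null) {
            $sqlCond[] = sprintf("( abs(id_acl) = abs(%d) )", $id_acl);
        }
        if ($computed !== null) {
            // comparison, not assignment: the FALSE branch was previously unreachable
            if ($computed) {
                $sqlCond[] = "( computed = TRUE )";
            } else {
                $sqlCond[] = "( computed = FALSE OR computed IS NULL )";
            }
        }

        if (count($sqlCond) > 0) {
            return $this->exec_query(sprintf("DELETE FROM permission WHERE ( %s )", implode(" AND ", $sqlCond)));
        }
        return false;
    }
}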
500 