* @author Romain Quetiez * @author Denis Flaven * @license http://www.opensource.org/licenses/gpl-3.0.html LGPL */ class UserRightException extends CoreException { } define('UR_ALLOWED_NO', 0); define('UR_ALLOWED_YES', 1); define('UR_ALLOWED_DEPENDS', 2); define('UR_ACTION_READ', 1); // View an object define('UR_ACTION_MODIFY', 2); // Create/modify an object/attribute define('UR_ACTION_DELETE', 3); // Delete an object define('UR_ACTION_BULK_READ', 4); // Export multiple objects define('UR_ACTION_BULK_MODIFY', 5); // Create/modify multiple objects define('UR_ACTION_BULK_DELETE', 6); // Delete multiple objects define('UR_ACTION_APPLICATION_DEFINED', 10000); // Application specific actions (CSV import, View schema...) /** * User management module API * * @package iTopORM */ abstract class UserRightsAddOnAPI { abstract public function Setup(); // initial installation abstract public function CreateAdministrator($sAdminUser, $sAdminPwd, $sLanguage = 'EN US'); // could be used during initial installation abstract public function Init(); // loads data (possible optimizations) // Cf UserContext... abstract public function GetFilter($sLogin, $sClass); // returns a filter object abstract public function IsActionAllowed($oUser, $sClass, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null); abstract public function IsStimulusAllowed($oUser, $sClass, $sStimulusCode, /*dbObjectSet*/ $oInstanceSet = null); abstract public function IsActionAllowedOnAttribute($oUser, $sClass, $sAttCode, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null); abstract public function IsAdministrator($oUser); abstract public function FlushPrivileges(); } abstract class User extends cmdbAbstractObject { public static function Init() { $aParams = array ( "category" => "core", "key_type" => "autoincrement", "name_attcode" => "login", "state_attcode" => "", "reconc_keys" => array(), "db_table" => "priv_user", "db_key_field" => "id", "db_finalclass_field" => "", "display_template" => "", ); MetaModel::Init_Params($aParams); //MetaModel::Init_InheritAttributes(); MetaModel::Init_AddAttribute(new AttributeExternalKey("contactid", array("targetclass"=>"Person", "allowed_values"=>null, "sql"=>"contactid", "is_null_allowed"=>true, "on_target_delete"=>DEL_MANUAL, "depends_on"=>array()))); MetaModel::Init_AddAttribute(new AttributeExternalField("last_name", array("allowed_values"=>null, "extkey_attcode"=> 'contactid', "target_attcode"=>"name"))); MetaModel::Init_AddAttribute(new AttributeExternalField("first_name", array("allowed_values"=>null, "extkey_attcode"=> 'contactid', "target_attcode"=>"first_name"))); MetaModel::Init_AddAttribute(new AttributeExternalField("email", array("allowed_values"=>null, "extkey_attcode"=> 'contactid', "target_attcode"=>"email"))); MetaModel::Init_AddAttribute(new AttributeString("login", array("allowed_values"=>null, "sql"=>"login", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array()))); MetaModel::Init_AddAttribute(new AttributeApplicationLanguage("language", array("sql"=>"language", "default_value"=>"EN US", "is_null_allowed"=>false, "depends_on"=>array()))); MetaModel::Init_AddAttribute(new AttributeLinkedSetIndirect("profile_list", array("linked_class"=>"URP_UserProfile", "ext_key_to_me"=>"userid", "ext_key_to_remote"=>"profileid", "allowed_values"=>null, "count_min"=>1, "count_max"=>0, "depends_on"=>array()))); // Display lists MetaModel::Init_SetZListItems('details', array('contactid', 'first_name', 'email', 'login', 'language', 'profile_list')); // Attributes to be displayed for the complete details MetaModel::Init_SetZListItems('list', array('finalclass', 'first_name', 'last_name', 'login')); // Attributes to be displayed for a list // Search criteria MetaModel::Init_SetZListItems('standard_search', array('login', 'contactid')); // Criteria of the std search form MetaModel::Init_SetZListItems('advanced_search', array('login', 'contactid')); // Criteria of the advanced search form } abstract public function CheckCredentials($sPassword); abstract public function TrustWebServerContext(); abstract public function CanChangePassword(); abstract public function ChangePassword($sOldPassword, $sNewPassword); function GetGrantAsHtml($sClass, $iAction) { if (UserRights::IsActionAllowed($sClass, $iAction, null, $this)) { return ''.Dict::S('UI:UserManagement:ActionAllowed:Yes').''; } else { return ''.Dict::S('UI:UserManagement:ActionAllowed:No').''; } } function DoShowGrantSumary($oPage, $sClassCategory) { if (UserRights::IsAdministrator($this)) { // Looks dirty, but ok that's THE ONE $oPage->p(Dict::S('UI:UserManagement:AdminProfile+')); return; } $aDisplayData = array(); foreach (MetaModel::GetClasses($sClassCategory) as $sClass) { // Skip non instantiable classes if (MetaModel::IsAbstract($sClass)) continue; $aClassStimuli = MetaModel::EnumStimuli($sClass); if (count($aClassStimuli) > 0) { $aStimuli = array(); foreach ($aClassStimuli as $sStimulusCode => $oStimulus) { if (UserRights::IsStimulusAllowed($sClass, $sStimulusCode, null, $this)) { $aStimuli[] = ''.htmlentities($oStimulus->GetLabel()).''; } } $sStimuli = implode(', ', $aStimuli); } else { $sStimuli = ''.Dict::S('UI:UserManagement:NoLifeCycleApplicable').''; } $aDisplayData[] = array( 'class' => MetaModel::GetName($sClass), 'read' => $this->GetGrantAsHtml($sClass, UR_ACTION_READ), 'bulkread' => $this->GetGrantAsHtml($sClass, UR_ACTION_BULK_READ), 'write' => $this->GetGrantAsHtml($sClass, UR_ACTION_MODIFY), 'bulkwrite' => $this->GetGrantAsHtml($sClass, UR_ACTION_BULK_MODIFY), 'stimuli' => $sStimuli, ); } $aDisplayConfig = array(); $aDisplayConfig['class'] = array('label' => Dict::S('UI:UserManagement:Class'), 'description' => Dict::S('UI:UserManagement:Class+')); $aDisplayConfig['read'] = array('label' => Dict::S('UI:UserManagement:Action:Read'), 'description' => Dict::S('UI:UserManagement:Action:Read+')); $aDisplayConfig['bulkread'] = array('label' => Dict::S('UI:UserManagement:Action:BulkRead'), 'description' => Dict::S('UI:UserManagement:Action:BulkRead+')); $aDisplayConfig['write'] = array('label' => Dict::S('UI:UserManagement:Action:Modify'), 'description' => Dict::S('UI:UserManagement:Action:Modify+')); $aDisplayConfig['bulkwrite'] = array('label' => Dict::S('UI:UserManagement:Action:BulkModify'), 'description' => Dict::S('UI:UserManagement:Action:BulkModify+')); $aDisplayConfig['stimuli'] = array('label' => Dict::S('UI:UserManagement:Action:Stimuli'), 'description' => Dict::S('UI:UserManagement:Action:Stimuli+')); $oPage->table($aDisplayConfig, $aDisplayData); } function DisplayBareRelations(WebPage $oPage, $bEditMode = false) { parent::DisplayBareRelations($oPage, $bEditMode); if (!$bEditMode) { $oPage->SetCurrentTab(Dict::S('UI:UserManagement:GrantMatrix')); $this->DoShowGrantSumary($oPage, 'bizmodel'); // debug if (false) { $oPage->SetCurrentTab('More on user rigths (dev only)'); $oPage->add("

User rights

\n"); $this->DoShowGrantSumary($oPage, 'addon/userrights'); $oPage->add("

Change log

\n"); $this->DoShowGrantSumary($oPage, 'core/cmdb'); $oPage->add("

Application

\n"); $this->DoShowGrantSumary($oPage, 'application'); $oPage->add("

GUI

\n"); $this->DoShowGrantSumary($oPage, 'gui'); } } } } /** * User management core API * * @package iTopORM */ class UserRights { protected static $m_oAddOn; protected static $m_oUser; protected static $m_oRealUser; public static function SelectModule($sModuleName) { if (!class_exists($sModuleName)) { throw new CoreException("Could not select this module, '$sModuleName' in not a valid class name"); return; } if (!is_subclass_of($sModuleName, 'UserRightsAddOnAPI')) { throw new CoreException("Could not select this module, the class '$sModuleName' is not derived from UserRightsAddOnAPI"); return; } self::$m_oAddOn = new $sModuleName; self::$m_oAddOn->Init(); self::$m_oUser = null; self::$m_oRealUser = null; } public static function GetModuleInstance() { return self::$m_oAddOn; } // Installation: create the very first user public static function CreateAdministrator($sAdminUser, $sAdminPwd, $sLanguage = 'EN US') { return self::$m_oAddOn->CreateAdministrator($sAdminUser, $sAdminPwd, $sLanguage); } // Installation (e.g: give default values for users) public static function Setup() { // to be discussed... return self::$m_oAddOn->Setup(); } protected static function IsLoggedIn() { if (self::$m_oUser == null) { return false; } else { return true; } } public static function Login($sName, $sPassword) { $oUser = self::FindUser($sName); if (is_null($oUser)) { return false; } if (!$oUser->CheckCredentials($sPassword)) { return false; } self::$m_oUser = $oUser; self::$m_oRealUser = $oUser; Dict::SetUserLanguage(self::GetUserLanguage()); return true; } public static function TrustWebServerContext() { if (!is_null(self::$m_oUser)) { return self::$m_oUser->TrustWebServerContext(); } else { return false; } } public static function CanChangePassword() { if (!is_null(self::$m_oUser)) { return self::$m_oUser->CanChangePassword(); } else { return false; } } public static function ChangePassword($sCurrentPassword, $sNewPassword) { if (!is_null(self::$m_oUser)) { return self::$m_oUser->ChangePassword($sCurrentPassword, $sNewPassword); } else { return false; } } public static function Impersonate($sName, $sPassword) { if (!self::CheckLogin()) return false; $oUser = self::FindUser($sName); if (is_null($oUser)) { return false; } if (!$oUser->CheckCredentials($sPassword)) { return false; } self::$m_oRealUser = self::$m_oUser; self::$m_oUser = $oUser; Dict::SetUserLanguage(self::GetUserLanguage()); return true; } public static function GetUser() { if (is_null(self::$m_oUser)) { return ''; } else { return self::$m_oUser->Get('login'); } } public static function GetUserLanguage() { if (is_null(self::$m_oUser)) { return 'EN US'; } else { return self::$m_oUser->Get('language'); } } public static function GetUserId($sName = '') { if (empty($sName)) { // return current user id if (is_null(self::$m_oUser)) { return null; } return self::$m_oUser->GetKey(); } else { // find the id out of the login string $oUser = self::$m_oAddOn->FindUser($sName); if (is_null($oUser)) { return null; } return $oUser->GetKey(); } } public static function GetContactId($sName = '') { if (empty($sName)) { $oUser = self::$m_oUser; } else { $oUser = FindUser($sName); } if (is_null($oUser)) { return ''; } return $oUser->Get('contactid'); } public static function IsImpersonated() { if (is_null(self::$m_oRealUser)) { return false; } return true; } public static function GetRealUser() { if (is_null(self::$m_oRealUser)) { return ''; } return self::$m_oRealUser->Get('login'); } public static function GetRealUserId() { if (is_null(self::$m_oRealUser)) { return ''; } return self::$m_oRealUser->GetKey(); } protected static function CheckLogin() { if (!self::IsLoggedIn()) { //throw new UserRightException('No user logged in', array()); return false; } return true; } public static function GetFilter($sClass) { if (!self::CheckLogin()) return false; if (self::IsAdministrator()) return new DBObjectSearch($sClass); // this module is forbidden for non admins if (MetaModel::HasCategory($sClass, 'addon/userrights')) return false; // the rest is allowed (#@# to be improved) if (!MetaModel::HasCategory($sClass, 'bizmodel')) return new DBObjectSearch($sClass); return self::$m_oAddOn->GetFilter(self::$m_oUser->GetKey(), $sClass); } public static function IsActionAllowed($sClass, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null, $oUser = null) { if (!self::CheckLogin()) return false; if (self::IsAdministrator($oUser)) return true; // this module is forbidden for non admins if (MetaModel::HasCategory($sClass, 'addon/userrights')) return false; // the rest is allowed (#@# to be improved) if (!MetaModel::HasCategory($sClass, 'bizmodel')) return true; if (is_null($oUser)) { $oUser = self::$m_oUser; } return self::$m_oAddOn->IsActionAllowed($oUser, $sClass, $iActionCode, $oInstanceSet); } public static function IsStimulusAllowed($sClass, $sStimulusCode, /*dbObjectSet*/ $oInstanceSet = null, $oUser = null) { if (!self::CheckLogin()) return false; if (self::IsAdministrator($oUser)) return true; // this module is forbidden for non admins if (MetaModel::HasCategory($sClass, 'addon/userrights')) return false; // the rest is allowed (#@# to be improved) if (!MetaModel::HasCategory($sClass, 'bizmodel')) return true; if (is_null($oUser)) { $oUser = self::$m_oUser; } return self::$m_oAddOn->IsStimulusAllowed($oUser, $sClass, $sStimulusCode, $oInstanceSet); } public static function IsActionAllowedOnAttribute($sClass, $sAttCode, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null, $oUser = null) { if (!self::CheckLogin()) return false; if (self::IsAdministrator($oUser)) return true; // this module is forbidden for non admins if (MetaModel::HasCategory($sClass, 'addon/userrights')) return false; // the rest is allowed (#@# to be improved) if (!MetaModel::HasCategory($sClass, 'bizmodel')) return true; if (is_null($oUser)) { $oUser = self::$m_oUser; } return self::$m_oAddOn->IsActionAllowedOnAttribute($oUser, $sClass, $sAttCode, $iActionCode, $oInstanceSet); } public static function IsAdministrator($oUser = null) { if (!self::CheckLogin()) return false; if (is_null($oUser)) { $oUser = self::$m_oUser; } return self::$m_oAddOn->IsAdministrator($oUser); } public static function FlushPrivileges() { return self::$m_oAddOn->FlushPrivileges(); } static $m_aCacheUsers; protected static function FindUser($sLogin) { if (!isset(self::$m_aCacheUsers)) { self::$m_aCacheUsers = array(); } if (!isset(self::$m_aCacheUsers[$sLogin])) { $oSearch = DBObjectSearch::FromOQL("SELECT User WHERE login = :login"); $oSet = new DBObjectSet($oSearch, array(), array('login' => $sLogin)); $oUser = $oSet->fetch(); self::$m_aCacheUsers[$sLogin] = $oUser; } return self::$m_aCacheUsers[$sLogin]; } } ?>