* @author Denis Flaven * @license http://www.opensource.org/licenses/lgpl-license.php LGPL * @link www.itop.com * @since 1.0 * @version 1.1.1.1 $ */ // It is supposed that this profile does exist in the DB // Possible improvement: add it when executing the setup procedure // define('ADMIN_PROFILE_ID', 1); class URP_Users extends DBObject { public static function Init() { $aParams = array ( "category" => "addon/userrights", "name" => "user", "description" => "users and credentials", "key_type" => "autoincrement", "key_label" => "", "name_attcode" => "login", "state_attcode" => "", "reconc_keys" => array(), "db_table" => "priv_urp_users", "db_key_field" => "id", "db_finalclass_field" => "", ); MetaModel::Init_Params($aParams); //MetaModel::Init_InheritAttributes(); MetaModel::Init_AddAttribute(new AttributeInteger("userid", array("label"=>"User id", "description"=>"User identifier (depends on the business model)", "allowed_values"=>null, "sql"=>"userid", "default_value"=>0, "is_null_allowed"=>false, "depends_on"=>array()))); MetaModel::Init_AddAttribute(new AttributeString("login", array("label"=>"login", "description"=>"user identification string", "allowed_values"=>null, "sql"=>"login", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array()))); MetaModel::Init_AddAttribute(new AttributeString("password", array("label"=>"password", "description"=>"user authentication string", "allowed_values"=>null, "sql"=>"pwd", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array()))); MetaModel::Init_AddAttribute(new AttributeString("email", array("label"=>"email", "description"=>"email address", "allowed_values"=>null, "sql"=>"email", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array()))); MetaModel::Init_AddAttribute(new AttributeString("firstname", array("label"=>"firstname", "description"=>"first name", "allowed_values"=>null, "sql"=>"firstname", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array()))); MetaModel::Init_AddAttribute(new AttributeString("lastname", array("label"=>"lastname", "description"=>"last name", "allowed_values"=>null, "sql"=>"lastname", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array()))); //MetaModel::Init_InheritFilters(); MetaModel::Init_AddFilterFromAttribute("userid"); MetaModel::Init_AddFilterFromAttribute("login"); } } class URP_Profiles extends DBObject { public static function Init() { $aParams = array ( "category" => "addon/userrights", "name" => "profile", "description" => "usage profiles", "key_type" => "autoincrement", "key_label" => "", "name_attcode" => "name", "state_attcode" => "", "reconc_keys" => array(), "db_table" => "priv_urp_profiles", "db_key_field" => "id", "db_finalclass_field" => "", ); MetaModel::Init_Params($aParams); //MetaModel::Init_InheritAttributes(); MetaModel::Init_AddAttribute(new AttributeString("name", array("label"=>"name", "description"=>"label", "allowed_values"=>null, "sql"=>"name", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array()))); MetaModel::Init_AddAttribute(new AttributeString("description", array("label"=>"description", "description"=>"one line description", "allowed_values"=>null, "sql"=>"description", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array()))); //MetaModel::Init_InheritFilters(); MetaModel::Init_AddFilterFromAttribute("name"); MetaModel::Init_AddFilterFromAttribute("description"); } } class URP_Dimensions extends DBObject { public static function Init() { $aParams = array ( "category" => "addon/userrights", "name" => "dimension", "description" => "application dimension (defining silos)", "key_type" => "autoincrement", "key_label" => "", "name_attcode" => "name", "state_attcode" => "", "reconc_keys" => array(), "db_table" => "priv_urp_dimensions", "db_key_field" => "id", "db_finalclass_field" => "", ); MetaModel::Init_Params($aParams); //MetaModel::Init_InheritAttributes(); MetaModel::Init_AddAttribute(new AttributeString("name", array("label"=>"name", "description"=>"label", "allowed_values"=>null, "sql"=>"name", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array()))); MetaModel::Init_AddAttribute(new AttributeString("description", array("label"=>"description", "description"=>"one line description", "allowed_values"=>null, "sql"=>"description", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array()))); MetaModel::Init_AddAttribute(new AttributeString("type", array("label"=>"type", "description"=>"class name or data type (projection unit)", "allowed_values"=>new ValueSetEnumClasses('bizmodel', 'String,Integer'), "sql"=>"type", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array()))); //MetaModel::Init_InheritFilters(); MetaModel::Init_AddFilterFromAttribute("name"); MetaModel::Init_AddFilterFromAttribute("description"); MetaModel::Init_AddFilterFromAttribute("type"); } public function CheckProjectionSpec($oProjectionSpec, $sProjectedClass) { $sExpression = $oProjectionSpec->Get('value'); $sAttribute = $oProjectionSpec->Get('attribute'); // Shortcut: "any value" or "no value" means no projection if (empty($sExpression)) return; if ($sExpression == '') return; // 1st - compute the data type for the dimension // $sType = $this->Get('type'); if (MetaModel::IsValidClass($sType)) { $sExpectedType = $sType; } else { $sExpectedType = '_scalar_'; } // 2nd - compute the data type for the projection // $sTargetClass = ''; if (($sExpression == '') || ($sExpression == '')) { $sTargetClass = $sProjectedClass; } elseif ($sExpression == '') { $sTargetClass = ''; } else { // Evaluate wether it is a constant or not try { $oObjectSearch = DBObjectSearch::FromOQL($sExpression); $sTargetClass = $oObjectSearch->GetClass(); } catch (OqlException $e) { } } if (empty($sTargetClass)) { $sFoundType = '_void_'; } else { if (empty($sAttribute)) { $sFoundType = $sTargetClass; } else { if (!MetaModel::IsValidAttCode($sTargetClass, $sAttribute)) { throw new CoreException('Unkown attribute code in projection specification', array('found' => $sAttribute, 'expecting' => MetaModel::GetAttributesList($sTargetClass), 'class' => $sTargetClass, 'projection' => $oProjectionSpec)); } $oAttDef = MetaModel::GetAttributeDef($sTargetClass, $sAttribute); if ($oAttDef->IsExternalKey()) { $sFoundType = $oAttDef->GetTargetClass(); } else { $sFoundType = '_scalar_'; } } } // Compare the dimension type and projection type if (($sFoundType != '_void_') && ($sFoundType != $sExpectedType)) { throw new CoreException('Wrong type in projection specification', array('found' => $sFoundType, 'expecting' => $sExpectedType, 'expression' => $sExpression, 'attribute' => $sAttribute, 'projection' => $oProjectionSpec)); } } } class URP_UserProfile extends DBObject { public static function Init() { $aParams = array ( "category" => "addon/userrights", "name" => "user_profile", "description" => "user profiles", "key_type" => "autoincrement", "key_label" => "", "name_attcode" => "", "state_attcode" => "", "reconc_keys" => array(), "db_table" => "priv_urp_userprofile", "db_key_field" => "id", "db_finalclass_field" => "", ); MetaModel::Init_Params($aParams); //MetaModel::Init_InheritAttributes(); MetaModel::Init_AddAttribute(new AttributeExternalKey("userid", array("targetclass"=>"URP_Users", "jointype"=> "", "label"=>"User", "description"=>"user account", "allowed_values"=>null, "sql"=>"userid", "is_null_allowed"=>false, "depends_on"=>array()))); MetaModel::Init_AddAttribute(new AttributeExternalField("userlogin", array("label"=>"Login", "description"=>"User's login", "allowed_values"=>null, "extkey_attcode"=> 'userid', "target_attcode"=>"login"))); MetaModel::Init_AddAttribute(new AttributeExternalKey("profileid", array("targetclass"=>"URP_Profiles", "jointype"=> "", "label"=>"profile", "description"=>"usage profile", "allowed_values"=>null, "sql"=>"profileid", "is_null_allowed"=>false, "depends_on"=>array()))); MetaModel::Init_AddAttribute(new AttributeExternalField("profile", array("label"=>"Profile", "description"=>"Profile name", "allowed_values"=>null, "extkey_attcode"=> 'profileid', "target_attcode"=>"name"))); //MetaModel::Init_InheritFilters(); MetaModel::Init_AddFilterFromAttribute("userid"); MetaModel::Init_AddFilterFromAttribute("profileid"); } } class URP_ProfileProjection extends DBObject { public static function Init() { $aParams = array ( "category" => "addon/userrights", "name" => "profile_projection", "description" => "profile projections", "key_type" => "autoincrement", "key_label" => "", "name_attcode" => "", "state_attcode" => "", "reconc_keys" => array(), "db_table" => "priv_urp_profileprojection", "db_key_field" => "id", "db_finalclass_field" => "", ); MetaModel::Init_Params($aParams); //MetaModel::Init_InheritAttributes(); MetaModel::Init_AddAttribute(new AttributeExternalKey("dimensionid", array("targetclass"=>"URP_Dimensions", "jointype"=> "", "label"=>"Dimension", "description"=>"application dimension", "allowed_values"=>null, "sql"=>"dimensionid", "is_null_allowed"=>false, "depends_on"=>array()))); MetaModel::Init_AddAttribute(new AttributeExternalField("dimension", array("label"=>"Dimension", "description"=>"application dimension", "allowed_values"=>null, "extkey_attcode"=> 'dimensionid', "target_attcode"=>"name"))); MetaModel::Init_AddAttribute(new AttributeExternalKey("profileid", array("targetclass"=>"URP_Profiles", "jointype"=> "", "label"=>"profile", "description"=>"usage profile", "allowed_values"=>null, "sql"=>"profileid", "is_null_allowed"=>false, "depends_on"=>array()))); MetaModel::Init_AddAttribute(new AttributeExternalField("profile", array("label"=>"Profile", "description"=>"Profile name", "allowed_values"=>null, "extkey_attcode"=> 'profileid', "target_attcode"=>"name"))); MetaModel::Init_AddAttribute(new AttributeString("value", array("label"=>"Value expression", "description"=>"OQL expression (using \$user) | constant | | +attribute code", "allowed_values"=>null, "sql"=>"value", "default_value"=>"", "is_null_allowed"=>false, "depends_on"=>array()))); MetaModel::Init_AddAttribute(new AttributeString("attribute", array("label"=>"Attribute", "description"=>"Target attribute code (optional)", "allowed_values"=>null, "sql"=>"attribute", "default_value"=>"", "is_null_allowed"=>false, "depends_on"=>array()))); //MetaModel::Init_InheritFilters(); MetaModel::Init_AddFilterFromAttribute("dimensionid"); MetaModel::Init_AddFilterFromAttribute("profileid"); } public function ProjectUser(URP_Users $oUser) { $sExpr = $this->Get('value'); if ($sExpr == '') { $sColumn = $this->Get('attribute'); if (empty($sColumn)) { $aRes = array($oUser->GetKey()); } else { $aRes = array($oUser->Get($sColumn)); } } elseif ($sExpr == '') { $aRes = null; } elseif (strtolower(substr($sExpr, 0, 6)) == 'select') { $sColumn = $this->Get('attribute'); // SELECT... $oValueSetDef = new ValueSetObjects($sExpr, $sColumn); $aValues = $oValueSetDef->GetValues(array('user' => $oUser), ''); $aRes = array_keys($aValues); } else { // Constant value(s) $aRes = explode(';', trim($sExpr)); } return $aRes; } } class URP_ClassProjection extends DBObject { public static function Init() { $aParams = array ( "category" => "addon/userrights", "name" => "class_projection", "description" => "class projections", "key_type" => "autoincrement", "key_label" => "", "name_attcode" => "", "state_attcode" => "", "reconc_keys" => array(), "db_table" => "priv_urp_classprojection", "db_key_field" => "id", "db_finalclass_field" => "", ); MetaModel::Init_Params($aParams); //MetaModel::Init_InheritAttributes(); MetaModel::Init_AddAttribute(new AttributeExternalKey("dimensionid", array("targetclass"=>"URP_Dimensions", "jointype"=> "", "label"=>"Dimension", "description"=>"application dimension", "allowed_values"=>null, "sql"=>"dimensionid", "is_null_allowed"=>false, "depends_on"=>array()))); MetaModel::Init_AddAttribute(new AttributeExternalField("dimension", array("label"=>"Dimension", "description"=>"application dimension", "allowed_values"=>null, "extkey_attcode"=> 'dimensionid', "target_attcode"=>"name"))); MetaModel::Init_AddAttribute(new AttributeString("class", array("label"=>"Class", "description"=>"Target class", "allowed_values"=>null, "sql"=>"class", "default_value"=>"", "is_null_allowed"=>false, "depends_on"=>array()))); MetaModel::Init_AddAttribute(new AttributeString("value", array("label"=>"Value expression", "description"=>"OQL expression (using \$this) | constant | | +attribute code", "allowed_values"=>null, "sql"=>"value", "default_value"=>"", "is_null_allowed"=>false, "depends_on"=>array()))); MetaModel::Init_AddAttribute(new AttributeString("attribute", array("label"=>"Attribute", "description"=>"Target attribute code (optional)", "allowed_values"=>null, "sql"=>"attribute", "default_value"=>"", "is_null_allowed"=>false, "depends_on"=>array()))); //MetaModel::Init_InheritFilters(); MetaModel::Init_AddFilterFromAttribute("dimensionid"); // #@# verifier MetaModel::Init_AddFilterFromAttribute("class"); } public function ProjectObject($oObject) { $sExpr = $this->Get('value'); if ($sExpr == '') { $sColumn = $this->Get('attribute'); if (empty($sColumn)) { $aRes = array($oObject->GetKey()); } else { $aRes = array($oObject->Get($sColumn)); } } elseif ($sExpr == '') { $aRes = null; } elseif (strtolower(substr($sExpr, 0, 6)) == 'select') { $sColumn = $this->Get('attribute'); // SELECT... $oValueSetDef = new ValueSetObjects($sExpr, $sColumn); $aValues = $oValueSetDef->GetValues(array('this' => $oObject), ''); $aRes = array_keys($aValues); } elseif ($sExpr == '') { $aRes = null; } else { // Constant value(s) $aRes = explode(';', trim($sExpr)); } return $aRes; } } class URP_ActionGrant extends DBObject { public static function Init() { $aParams = array ( "category" => "addon/userrights", "name" => "action_permission", "description" => "permissions on classes", "key_type" => "autoincrement", "key_label" => "", "name_attcode" => "", "state_attcode" => "", "reconc_keys" => array(), "db_table" => "priv_urp_grant_actions", "db_key_field" => "id", "db_finalclass_field" => "", ); MetaModel::Init_Params($aParams); //MetaModel::Init_InheritAttributes(); // Common to all grant classes (could be factorized by class inheritence, but this has to be benchmarked) MetaModel::Init_AddAttribute(new AttributeExternalKey("profileid", array("targetclass"=>"URP_Profiles", "jointype"=> "", "label"=>"Profile", "description"=>"usage profile", "allowed_values"=>null, "sql"=>"profileid", "is_null_allowed"=>false, "depends_on"=>array()))); MetaModel::Init_AddAttribute(new AttributeExternalField("profile", array("label"=>"Profile", "description"=>"usage profile", "allowed_values"=>null, "extkey_attcode"=> 'profileid', "target_attcode"=>"name"))); MetaModel::Init_AddAttribute(new AttributeString("class", array("label"=>"class", "description"=>"class name", "allowed_values"=>null, "sql"=>"class", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array()))); MetaModel::Init_AddAttribute(new AttributeEnum("permission", array("label"=>"permission", "description"=>"allowed or not allowed?", "allowed_values"=>new ValueSetEnum('yes,no'), "sql"=>"permission", "default_value"=>"yes", "is_null_allowed"=>false, "depends_on"=>array()))); MetaModel::Init_AddAttribute(new AttributeString("action", array("label"=>"action", "description"=>"operations to perform on the given class", "allowed_values"=>null, "sql"=>"action", "default_value"=>"", "is_null_allowed"=>false, "depends_on"=>array()))); //MetaModel::Init_InheritFilters(); // Common to all grant classes (could be factorized by class inheritence, but this has to be benchmarked) MetaModel::Init_AddFilterFromAttribute("profileid"); MetaModel::Init_AddFilterFromAttribute("profile"); MetaModel::Init_AddFilterFromAttribute("class"); MetaModel::Init_AddFilterFromAttribute("permission"); MetaModel::Init_AddFilterFromAttribute("action"); } } class URP_StimulusGrant extends DBObject { public static function Init() { $aParams = array ( "category" => "addon/userrights", "name" => "stimulus_permission", "description" => "permissions on stimilus in the life cycle of the object", "key_type" => "autoincrement", "key_label" => "", "name_attcode" => "", "state_attcode" => "", "reconc_keys" => array(), "db_table" => "priv_urp_grant_stimulus", "db_key_field" => "id", "db_finalclass_field" => "", ); MetaModel::Init_Params($aParams); //MetaModel::Init_InheritAttributes(); // Common to all grant classes (could be factorized by class inheritence, but this has to be benchmarked) MetaModel::Init_AddAttribute(new AttributeExternalKey("profileid", array("targetclass"=>"URP_Profiles", "jointype"=> "", "label"=>"Profile", "description"=>"usage profile", "allowed_values"=>null, "sql"=>"profileid", "is_null_allowed"=>false, "depends_on"=>array()))); MetaModel::Init_AddAttribute(new AttributeExternalField("profile", array("label"=>"Profile", "description"=>"usage profile", "allowed_values"=>null, "extkey_attcode"=> 'profileid', "target_attcode"=>"name"))); MetaModel::Init_AddAttribute(new AttributeString("class", array("label"=>"class", "description"=>"class name", "allowed_values"=>null, "sql"=>"class", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array()))); MetaModel::Init_AddAttribute(new AttributeEnum("permission", array("label"=>"permission", "description"=>"allowed or not allowed?", "allowed_values"=>new ValueSetEnum('yes,no'), "sql"=>"permission", "default_value"=>"yes", "is_null_allowed"=>false, "depends_on"=>array()))); MetaModel::Init_AddAttribute(new AttributeString("stimulus", array("label"=>"stimulus", "description"=>"stimulus code", "allowed_values"=>null, "sql"=>"action", "default_value"=>"", "is_null_allowed"=>false, "depends_on"=>array()))); //MetaModel::Init_InheritFilters(); // Common to all grant classes (could be factorized by class inheritence, but this has to be benchmarked) MetaModel::Init_AddFilterFromAttribute("profileid"); MetaModel::Init_AddFilterFromAttribute("profile"); MetaModel::Init_AddFilterFromAttribute("class"); MetaModel::Init_AddFilterFromAttribute("permission"); MetaModel::Init_AddFilterFromAttribute("stimulus"); } } class URP_AttributeGrant extends DBObject { public static function Init() { $aParams = array ( "category" => "addon/userrights", "name" => "attribute_permission", "description" => "permissions at the attributes level", "key_type" => "autoincrement", "key_label" => "", "name_attcode" => "", "state_attcode" => "", "reconc_keys" => array(), "db_table" => "priv_urp_grant_attributes", "db_key_field" => "id", "db_finalclass_field" => "", ); MetaModel::Init_Params($aParams); //MetaModel::Init_InheritAttributes(); MetaModel::Init_AddAttribute(new AttributeExternalKey("actiongrantid", array("targetclass"=>"URP_ActionGrant", "jointype"=> "", "label"=>"Action grant", "description"=>"action grant", "allowed_values"=>null, "sql"=>"actiongrantid", "is_null_allowed"=>false, "depends_on"=>array()))); MetaModel::Init_AddAttribute(new AttributeString("attcode", array("label"=>"attribute", "description"=>"attribute code", "allowed_values"=>null, "sql"=>"attcode", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array()))); //MetaModel::Init_InheritFilters(); MetaModel::Init_AddFilterFromAttribute("actiongrantid"); MetaModel::Init_AddFilterFromAttribute("attcode"); } } class UserRightsProfile extends UserRightsAddOnAPI { static public $m_aActionCodes = array( UR_ACTION_READ => 'read', UR_ACTION_MODIFY => 'modify', UR_ACTION_DELETE => 'delete', UR_ACTION_BULK_READ => 'bulk read', UR_ACTION_BULK_MODIFY => 'bulk modify', UR_ACTION_BULK_DELETE => 'bulk delete', ); // Installation: create the very first user public function CreateAdministrator($sAdminUser, $sAdminPwd) { $oUser = new URP_Users(); $oUser->Set('login', $sAdminUser); $oUser->Set('password', $sAdminPwd); $oUser->Set('email', 'n/a'); $oUser->Set('firstname', 'administrator'); $oUser->Set('lastname', 'itop'); $oUser->Set('userid', 1); // let's mark it as #1 (for what purpose?) $iUserId = $oUser->DBInsertNoReload(); // Add this user to the very specific 'admin' profile $oUserProfile = new URP_UserProfile(); $oUserProfile->Set('userid', $iUserId); $oUserProfile->Set('profileid', ADMIN_PROFILE_ID); $oUserProfile->DBInsertNoReload(); return true; } public function Setup() { // Dimensions/Profiles/Classes/Attributes/Stimuli could be added anytime // This procedure will then update the matrix with expected default values // $oProfileSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT URP_Profiles")); while ($oProfile = $oProfileSet->Fetch()) { $this->SetupProfile($oProfile); } $oDimensionSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT URP_Dimensions")); while ($oDimension = $oDimensionSet->Fetch()) { $this->SetupDimension($oDimension); } return true; } protected function SetupDimension($oDimension, $bNewDimension = false) { $iDimensionId = $oDimension->GetKey(); // Create projections, for any class where it applies // foreach(array('bizmodel', 'application', 'gui', 'core/cmdb') as $sCategory) { foreach (MetaModel::GetClasses($sCategory) as $sClass) { if ($bNewDimension) { $bAddCell = true; } else { $oSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT URP_ClassProjection WHERE class = :class AND dimensionid = :dimension"), array(), array('class'=>$sClass, 'dimension'=>$iDimensionId)); $bAddCell = ($oSet->Count() < 1); } if ($bAddCell) { // Create a new entry $oCProj = MetaModel::NewObject("URP_ClassProjection"); $oCProj->Set("dimensionid", $iDimensionId); $oCProj->Set("class", $sClass); $oCProj->Set("value", "true"); $iId = $oCProj->DBInsertNoReload(); } } } // Create projections, for any existing profile // $oProfileSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT URP_Profiles")); while ($oProfile = $oProfileSet->Fetch()) { $iProfileId = $oProfile->GetKey(); if ($bNewDimension) { $bAddCell = true; } else { $oSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT URP_ProfileProjection WHERE dimensionid = :dimension AND profileid = :profile"), array(), array('dimension'=>$iDimensionId, 'profile'=>$iProfileId)); $bAddCell = ($oSet->Count() < 1); } if ($bAddCell) { // Create a new entry $oDProj = MetaModel::NewObject("URP_ProfileProjection"); $oDProj->Set("dimensionid", $iDimensionId); $oDProj->Set("profileid", $iProfileId); $oDProj->Set("value", "true"); $iId = $oDProj->DBInsertNoReload(); } } } protected function SetupProfile($oProfile, $bNewProfile = false) { $iProfileId = $oProfile->GetKey(); // Create grant records, for any class where it matters (the rest could be done later on) // foreach(array('bizmodel') as $sCategory) { foreach (MetaModel::GetClasses($sCategory) as $sClass) { foreach (self::$m_aActionCodes as $iActionCode => $sAction) { if ($bNewProfile) { $bAddCell = true; } else { $oSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT URP_ActionGrant WHERE class = :class AND action = :action AND profileid = :profile"), array(), array('class'=>$sClass, 'action'=>$sAction, 'profile'=>$iProfileId)); $bAddCell = ($oSet->Count() < 1); } if ($bAddCell) { // Create a new entry $oMyActionGrant = MetaModel::NewObject("URP_ActionGrant"); $oMyActionGrant->Set("profileid", $iProfileId); $oMyActionGrant->Set("class", $sClass); $oMyActionGrant->Set("action", $sAction); $oMyActionGrant->Set("permission", "yes"); $iId = $oMyActionGrant->DBInsertNoReload(); } } foreach (MetaModel::EnumStimuli($sClass) as $sStimulusCode => $oStimulus) { if ($bNewProfile) { $bAddCell = true; } else { $oSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT URP_StimulusGrant WHERE class = :class AND stimulus = :stimulus AND profileid = :profile"), array(), array('class'=>$sClass, 'stimulus'=>$sStimulusCode, 'profile'=>$iProfileId)); $bAddCell = ($oSet->Count() < 1); } if ($bAddCell) { // Create a new entry $oMyStGrant = MetaModel::NewObject("URP_StimulusGrant"); $oMyStGrant->Set("profileid", $iProfileId); $oMyStGrant->Set("class", $sClass); $oMyStGrant->Set("stimulus", $sStimulusCode); $oMyStGrant->Set("permission", "yes"); $iId = $oMyStGrant->DBInsertNoReload(); } } } } // Create the "My Bookmarks" menu item (parent_id = 0, rank = 6) if ($bNewProfile) { $bAddMenu = true; } else { //$oSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT menuNode WHERE type = 'user' AND parent_id = 0 AND user_id = $iUserId")); //$bAddMenu = ($oSet->Count() < 1); } $bAddMenu = false; if ($bAddMenu) { $oMenu = MetaModel::NewObject('menuNode'); $oMenu->Set('type', 'user'); $oMenu->Set('parent_id', 0); // It's a toplevel entry $oMenu->Set('rank', 6); // Located just above the Admin Tools section (=7) $oMenu->Set('name', 'My Bookmarks'); $oMenu->Set('label', 'My Favorite Items'); $oMenu->Set('hyperlink', 'UI.php'); $oMenu->Set('template', '

My bookmarks

This section contains my most favorite search results

'); $oMenu->Set('user_id', $iUserId); $oMenu->DBInsert(); } } public function Init() { MetaModel::RegisterPlugin('userrights', 'ACbyProfile', array($this, 'CacheData')); } protected $m_aUsers = array(); // id -> object protected $m_aDimensions = array(); // id -> object protected $m_aClassProj = array(); // class,dimensionid -> object protected $m_aProfiles = array(); // id -> object protected $m_aUserProfiles = array(); // userid,profileid -> object protected $m_aProPro = array(); // profileid,dimensionid -> object protected $m_aAdmins = array(); // id of users being linked to the profile #ADMIN_PROFILE_ID protected $m_aClassActionGrants = array(); // profile, class, action -> permission protected $m_aObjectActionGrants = array(); // userid, class, id, action -> permission, list of attributes public function CacheData() { // Could be loaded in a shared memory (?) $oUserSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT URP_Users")); while ($oUser = $oUserSet->Fetch()) { $this->m_aUsers[$oUser->GetKey()] = $oUser; } $oDimensionSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT URP_Dimensions")); while ($oDimension = $oDimensionSet->Fetch()) { $this->m_aDimensions[$oDimension->GetKey()] = $oDimension; } $oClassProjSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT URP_ClassProjection")); while ($oClassProj = $oClassProjSet->Fetch()) { $this->m_aClassProjs[$oClassProj->Get('class')][$oClassProj->Get('dimensionid')] = $oClassProj; } $oProfileSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT URP_Profiles")); while ($oProfile = $oProfileSet->Fetch()) { $this->m_aProfiles[$oProfile->GetKey()] = $oProfile; } $oUserProfileSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT URP_UserProfile")); while ($oUserProfile = $oUserProfileSet->Fetch()) { $this->m_aUserProfiles[$oUserProfile->Get('userid')][$oUserProfile->Get('profileid')] = $oUserProfile; if ($oUserProfile->Get('profileid') == ADMIN_PROFILE_ID) { $this->m_aAdmins[] = $oUserProfile->Get('userid'); } } $oProProSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT URP_ProfileProjection")); while ($oProPro = $oProProSet->Fetch()) { $this->m_aProPros[$oProPro->Get('profileid')][$oProPro->Get('dimensionid')] = $oProPro; } /* echo "
\n";
		print_r($this->m_aUsers);
		print_r($this->m_aDimensions);
		print_r($this->m_aClassProjs);
		print_r($this->m_aProfiles);
		print_r($this->m_aUserProfiles);
		print_r($this->m_aProPros);
		echo "
\n"; exit; */ return true; } public function CheckCredentials($sUserName, $sPassword) { $oSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT URP_Users WHERE login = :login"), array(), array('login' => $sUserName)); if ($oSet->Count() < 1) { // todo: throw an exception? return false; } $oUser = $oSet->Fetch(); if ($oUser->Get('password') == $sPassword) { return $oUser->GetKey(); } // todo: throw an exception? return false; } public function GetUserId($sUserName) { $oSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT URP_Users WHERE login = :login"), array(), array('login' => $sUserName)); if ($oSet->Count() < 1) { // todo: throw an exception? return false; } $oUser = $oSet->Fetch(); return $oUser->GetKey(); } public function GetFilter($sUserName, $sClass) { $oNullFilter = new DBObjectSearch($sClass); return $oNullFilter; } protected function GetClassActionGrant($iProfile, $sClass, $sAction) { $aTest = @$this->m_aClassActionGrants[$iProfile][$sClass][$sAction]; if (isset($aTest)) return $aTest; // Get the permission for this profile/class/action $oSearch = DBObjectSearch::FromOQL("SELECT URP_ActionGrant WHERE class = :class AND action = :action AND profileid = :profile AND permission = 'yes'"); $oSet = new DBObjectSet($oSearch, array(), array('class'=>$sClass, 'action'=>$sAction, 'profile'=>$iProfile)); if ($oSet->Count() < 1) { return null; } $oGrantRecord = $oSet->Fetch(); $this->m_aClassActionGrants[$iProfile][$sClass][$sAction] = $oGrantRecord; return $oGrantRecord; } protected function GetObjectActionGrant($oUser, $sClass, $iActionCode, $oObject) { // load and cache permissions for the current user on the given object // $aTest = @$this->m_aObjectActionGrants[$oUser->GetKey()][$sClass][$oObject->GetKey][$iActionCode]; if (is_array($aTest)) return $aTest; $sAction = self::$m_aActionCodes[$iActionCode]; $iInstancePermission = UR_ALLOWED_NO; $aAttributes = array(); foreach($this->GetMatchingProfiles($oUser, $oObject) as $iProfile) { $oGrantRecord = $this->GetClassActionGrant($iProfile, $sClass, $sAction); if (is_null($oGrantRecord)) { continue; // loop to the next profile } else { $iInstancePermission = UR_ALLOWED_YES; // update the list of attributes with those allowed for this profile // $oSearch = DBObjectSearch::FromOQL("SELECT URP_AttributeGrant WHERE actiongrantid = :actiongrantid"); $oSet = new DBObjectSet($oSearch, array(), array('actiongrantid' => $oGrantRecord->GetKey())); $aProfileAttributes = $oSet->GetColumnAsArray('attcode', false); if (count($aProfileAttributes) == 0) { $aAllAttributes = array_keys(MetaModel::ListAttributeDefs($sClass)); $aAttributes = array_merge($aAttributes, $aAllAttributes); } else { $aAttributes = array_merge($aAttributes, $aProfileAttributes); } } } $aRes = array( 'permission' => $iInstancePermission, 'attributes' => $aAttributes, ); $this->m_aObjectActionGrants[$oUser->GetKey()][$sClass][$oObject->GetKey()][$iActionCode] = $aRes; return $aRes; } public function IsActionAllowed($iUserId, $sClass, $iActionCode, dbObjectSet $oInstances) { // super admin rights if (in_array($iUserId, $this->m_aAdmins)) return true; $oUser = $this->m_aUsers[$iUserId]; $oInstances->Rewind(); while($oObject = $oInstances->Fetch()) { $aObjectPermissions = $this->GetObjectActionGrant($oUser, $sClass, $iActionCode, $oObject); $iInstancePermission = $aObjectPermissions['permission']; if (isset($iGlobalPermission)) { if ($iInstancePermission != $iGlobalPermission) { $iGlobalPermission = UR_ALLOWED_DEPENDS; break; } } else { $iGlobalPermission = $iInstancePermission; } } $oInstances->Rewind(); if (isset($iGlobalPermission)) { return $iGlobalPermission; } else { return UR_ALLOWED_NO; } } public function IsActionAllowedOnAttribute($iUserId, $sClass, $sAttCode, $iActionCode, dbObjectSet $oInstances) { // super admin rights if (in_array($iUserId, $this->m_aAdmins)) return true; $oUser = $this->m_aUsers[$iUserId]; $oInstances->Rewind(); while($oObject = $oInstances->Fetch()) { $aObjectPermissions = $this->GetObjectActionGrant($oUser, $sClass, $iActionCode, $oObject); $aAttributes = $aObjectPermissions['attributes']; if (in_array($sAttCode, $aAttributes)) { $iInstancePermission = $aObjectPermissions['permission']; } else { $iInstancePermission = UR_ALLOWED_NO; } if (isset($iGlobalPermission)) { if ($iInstancePermission != $iGlobalPermission) { $iGlobalPermission = UR_ALLOWED_DEPENDS; } } else { $iGlobalPermission = $iInstancePermission; } } $oInstances->Rewind(); if (isset($iGlobalPermission)) { return $iGlobalPermission; } else { return UR_ALLOWED_NO; } } public function IsStimulusAllowed($iUserId, $sClass, $sStimulusCode, dbObjectSet $oInstances) { // super admin rights if (in_array($iUserId, $this->m_aAdmins)) return true; $oUser = $this->m_aUsers[$iUserId]; // Note: this code is VERY close to the code of IsActionAllowed() $oInstances->Rewind(); while($oObject = $oInstances->Fetch()) { $iInstancePermission = UR_ALLOWED_NO; foreach($this->GetMatchingProfiles($oUser, $oObject) as $iProfile) { // Get the permission for this profile/class/stimulus $oSearch = DBObjectSearch::FromOQL("SELECT URP_StimulusGrant WHERE class = :class AND stimulus = :stimulus AND profileid = :profile AND permission = 'yes'"); $oSet = new DBObjectSet($oSearch, array(), array('class'=>$sClass, 'stimulus'=>$sStimulusCode, 'profile'=>$iProfile)); if ($oSet->Count() < 1) { return UR_ALLOWED_NO; } // no need to fetch the record, we've requested the records having permission = 'yes' $iInstancePermission = UR_ALLOWED_YES; } if (isset($iGlobalPermission)) { if ($iInstancePermission != $iGlobalPermission) { $iGlobalPermission = UR_ALLOWED_DEPENDS; } } else { $iGlobalPermission = $iInstancePermission; } } $oInstances->Rewind(); if (isset($iGlobalPermission)) { return $iGlobalPermission; } else { return UR_ALLOWED_NO; } } protected function GetMatchingProfilesByDim($oUser, $oObject, $oDimension) { // // List profiles for which the user projection overlaps the object projection in the given dimension // $iUser = $oUser->GetKey(); $sClass = get_class($oObject); $iPKey = $oObject->GetKey(); $iDimension = $oDimension->GetKey(); $aObjectProjection = $this->m_aClassProjs[$sClass][$iDimension]->ProjectObject($oObject); $aRes = array(); if (array_key_exists($iUser, $this->m_aUserProfiles) > 0) { foreach ($this->m_aUserProfiles[$iUser] as $iProfile => $oProfile) { if (is_null($aObjectProjection)) { $aRes[] = $iProfile; } else { // user projection to be cached on a given page ! $aUserProjection = $this->m_aProPros[$iProfile][$iDimension]->ProjectUser($oUser); if (is_null($aUserProjection)) { $aRes[] = $iProfile; } else { $aMatchingValues = array_intersect($aObjectProjection, $aUserProjection); if (count($aMatchingValues) > 0) { $aRes[] = $iProfile; } } } } } return $aRes; } protected $m_aMatchingProfiles = array(); // cache of the matching profiles for a given user/object protected function GetMatchingProfiles($oUser, $oObject) { $iUser = $oUser->GetKey(); $sClass = get_class($oObject); $iObject = $oObject->GetKey(); // // List profiles for which the user projection overlaps the object projection in each and every dimension // Caches the result // $aTest = @$this->m_aMatchingProfiles[$iUser][$sClass][$iObject]; if (is_array($aTest)) { return $aTest; } $aProfileRes = array(); foreach ($this->m_aDimensions as $iDimension => $oDimension) { foreach ($this->GetMatchingProfilesByDim($oUser, $oObject, $oDimension) as $iProfile) { @$aProfileRes[$iProfile] += 1; } } $aRes = array(); $iDimCount = count($this->m_aDimensions); foreach ($aProfileRes as $iProfile => $iMatches) { if ($iMatches == $iDimCount) { $aRes[] = $iProfile; } } $this->m_aMatchingProfiles[$iUser][$sClass][$iObject] = $aRes; return $aRes; } } UserRights::SelectModule('UserRightsProfile'); ?>