SKZH
/
ITSSTOOLS


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306
							<?php

/**
 * UserRights
 * User management API 
 *
 * @package     iTopORM
 * @author      Romain Quetiez <romainquetiez@yahoo.fr>
 * @author      Denis Flaven <denisflave@free.fr>
 * @license     http://www.opensource.org/licenses/lgpl-license.php LGPL
 * @link        www.itop.com
 * @since       1.0
 * @version     1.1.1.1 $
 */

class UserRightException extends CoreException
{
}


define('UR_ALLOWED_NO', 0);
define('UR_ALLOWED_YES', 1);
define('UR_ALLOWED_DEPENDS', 2);

define('UR_ACTION_READ', 1); // View an object
define('UR_ACTION_MODIFY', 2); // Create/modify an object/attribute
define('UR_ACTION_DELETE', 3); // Delete an object

define('UR_ACTION_BULK_READ', 4); // Export multiple objects
define('UR_ACTION_BULK_MODIFY', 5); // Create/modify multiple objects
define('UR_ACTION_BULK_DELETE', 6); // Delete multiple objects

define('UR_ACTION_APPLICATION_DEFINED', 10000); // Application specific actions (CSV import, View schema...)

/**
 * User management module API  
 *
 * @package     iTopORM
 * @author      Romain Quetiez <romainquetiez@yahoo.fr>
 * @license     http://www.opensource.org/licenses/lgpl-license.php LGPL
 * @link        www.itop.com
 * @since       1.0
 * @version     $itopversion$
 */
abstract class UserRightsAddOnAPI
{
	abstract public function Setup(); // initial installation
	abstract public function CreateAdministrator($sAdminUser, $sAdminPwd); // could be used during initial installation

	abstract public function Init(); // loads data (possible optimizations)
	abstract public function CheckCredentials($sLogin, $sPassword); // returns the id of the user or false
	abstract public function GetUserId($sLogin); // returns the id of the user or false
	abstract public function GetContactId($sLogin); // returns the id of the "business" user or false
	abstract public function GetFilter($sLogin, $sClass); // returns a filter object
	abstract public function IsActionAllowed($iUserId, $sClass, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null);
	abstract public function IsStimulusAllowed($iUserId, $sClass, $sStimulusCode, /*dbObjectSet*/ $oInstanceSet = null);
	abstract public function IsActionAllowedOnAttribute($iUserId, $sClass, $sAttCode, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null);
	abstract public function IsAdministrator($iUserId);
	abstract public function FlushPrivileges();
}


/**
 * User management core API  
 *
 * @package     iTopORM
 * @author      Romain Quetiez <romainquetiez@yahoo.fr>
 * @license     http://www.opensource.org/licenses/lgpl-license.php LGPL
 * @link        www.itop.com
 * @since       1.0
 * @version     $itopversion$
 */
class UserRights
{
	protected static $m_oAddOn;
	protected static $m_sUser;
	protected static $m_sRealUser;
	protected static $m_iUserId;
	protected static $m_iRealUserId;

	public static function SelectModule($sModuleName)
	{
		if (!class_exists($sModuleName))
		{
			throw new CoreException("Could not select this module, '$sModuleName' in not a valid class name");
			return;
		}
		if (!is_subclass_of($sModuleName, 'UserRightsAddOnAPI'))
		{
			throw new CoreException("Could not select this module, the class '$sModuleName' is not derived from UserRightsAddOnAPI");
			return;
		}
		self::$m_oAddOn = new $sModuleName;
		self::$m_oAddOn->Init();
		self::$m_sUser = '';
		self::$m_sRealUser = '';
		self::$m_iUserId = 0;
		self::$m_iRealUserId = 0;
	}

	public static function GetModuleInstance()
	{
		return self::$m_oAddOn;
	}

	// Installation: create the very first user
	public static function CreateAdministrator($sAdminUser, $sAdminPwd)
	{
		return self::$m_oAddOn->CreateAdministrator($sAdminUser, $sAdminPwd);
	}
	
	// Installation (e.g: give default values for users)
	public static function Setup()
	{
		// to be discussed...
		return self::$m_oAddOn->Setup();
	}

	protected static function IsLoggedIn()
	{
		return (!empty(self::$m_sUser));
	}

	public static function Login($sName, $sPassword)
	{
		self::$m_iUserId = self::$m_oAddOn->CheckCredentials($sName, $sPassword);
		if ( self::$m_iUserId !== false )
		{
			self::$m_sUser = $sName;
			self::$m_iRealUserId = self::$m_iUserId;
			self::$m_sRealUser = $sName;
			return true;
		}
		else
		{
			return false;
		}
	}

	public static function Impersonate($sName, $sPassword)
	{
		if (!self::CheckLogin()) return false;

		self::$m_iRealUserId = self::$m_oAddOn->CheckCredentials($sName, $sPassword);
		if ( self::$m_iRealUserId !== false)
		{
			self::$m_sUser = $sName;
			return true;
		}
		else
		{
			return false;
		}
	}

	public static function GetUser()
	{
		return self::$m_sUser;
	}

	public static function GetUserId($sName = '')
	{
		if (empty($sName))
		{
			// return current user id
			return self::$m_iUserId;
		}
		else
		{
			// find the id out of the login string
			return self::$m_oAddOn->GetUserId($sName);
		}
	}

	public static function GetContactId($sName = '')
	{
		// note: returns null if the user management module is not related to the business data model
		if (empty($sName))
		{
			$sName = self::$m_sUser;
		}
		return self::$m_oAddOn->GetContactId($sName);
	}

	public static function GetRealUser()
	{
		return self::$m_sRealUser;
	}

	public static function GetRealUserId()
	{
		return self::$m_iRealUserId;
	}

	protected static function CheckLogin()
	{
		if (!self::IsLoggedIn())
		{
			//throw new UserRightException('No user logged in', array());	
			return false;
		}
		return true;
	}


	public static function GetFilter($sClass)
	{
		if (!self::CheckLogin()) return false;
		if (self::IsAdministrator()) return new DBObjectSearch($sClass);

		// this module is forbidden for non admins
		if (MetaModel::HasCategory($sClass, 'addon/userrights')) return false;

		// the rest is allowed (#@# to be improved)
		if (!MetaModel::HasCategory($sClass, 'bizmodel')) return new DBObjectSearch($sClass);

		return self::$m_oAddOn->GetFilter(self::$m_iUserId, $sClass);
	}

	public static function IsActionAllowed($sClass, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null, $iUserId = null)
	{
		if (!self::CheckLogin()) return false;
		if (self::IsAdministrator($iUserId)) return true;

		// this module is forbidden for non admins
		if (MetaModel::HasCategory($sClass, 'addon/userrights')) return false;

		// the rest is allowed (#@# to be improved)
		if (!MetaModel::HasCategory($sClass, 'bizmodel')) return true;

		if (is_null($iUserId))
		{
			return self::$m_oAddOn->IsActionAllowed(self::$m_iUserId, $sClass, $iActionCode, $oInstanceSet);
		}
		else
		{
			return self::$m_oAddOn->IsActionAllowed($iUserId, $sClass, $iActionCode, $oInstanceSet);
		}
	}

	public static function IsStimulusAllowed($sClass, $sStimulusCode, /*dbObjectSet*/ $oInstanceSet = null, $iUserId = null)
	{
		if (!self::CheckLogin()) return false;
		if (self::IsAdministrator($iUserId)) return true;

		// this module is forbidden for non admins
		if (MetaModel::HasCategory($sClass, 'addon/userrights')) return false;

		// the rest is allowed (#@# to be improved)
		if (!MetaModel::HasCategory($sClass, 'bizmodel')) return true;

		if (is_null($iUserId))
		{
			return self::$m_oAddOn->IsStimulusAllowed(self::$m_iUserId, $sClass, $sStimulusCode, $oInstanceSet);
		}
		else
		{
			return self::$m_oAddOn->IsStimulusAllowed($iUserId, $sClass, $sStimulusCode, $oInstanceSet);
		}
	}

	public static function IsActionAllowedOnAttribute($sClass, $sAttCode, $iActionCode, /*dbObjectSet*/ $oInstanceSet = null, $iUserId = null)
	{
		if (!self::CheckLogin()) return false;
		if (self::IsAdministrator($iUserId)) return true;

		// this module is forbidden for non admins
		if (MetaModel::HasCategory($sClass, 'addon/userrights')) return false;

		// the rest is allowed (#@# to be improved)
		if (!MetaModel::HasCategory($sClass, 'bizmodel')) return true;

		if (is_null($iUserId))
		{
			return self::$m_oAddOn->IsActionAllowedOnAttribute(self::$m_iUserId, $sClass, $sAttCode, $iActionCode, $oInstanceSet);
		}
		else
		{
			return self::$m_oAddOn->IsActionAllowedOnAttribute($iUserId, $sClass, $sAttCode, $iActionCode, $oInstanceSet);
		}
	}

	public static function IsAdministrator($iUserId = null)
	{
		if (!self::CheckLogin()) return false;

		if (is_null($iUserId))
		{
			return self::$m_oAddOn->IsAdministrator(self::$m_iUserId);
		}
		else
		{
			return self::$m_oAddOn->IsAdministrator($iUserId);
		}
	}

	public static function FlushPrivileges()
	{
		return self::$m_oAddOn->FlushPrivileges();
	}

}


?>