userrightsprofile.class.inc.php 37 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998
  1. <?php
  2. // Copyright (C) 2010 Combodo SARL
  3. //
  4. // This program is free software; you can redistribute it and/or modify
  5. // it under the terms of the GNU General Public License as published by
  6. // the Free Software Foundation; version 3 of the License.
  7. //
  8. // This program is distributed in the hope that it will be useful,
  9. // but WITHOUT ANY WARRANTY; without even the implied warranty of
  10. // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  11. // GNU General Public License for more details.
  12. //
  13. // You should have received a copy of the GNU General Public License
  14. // along with this program; if not, write to the Free Software
  15. // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
  16. /**
  17. * UserRightsProfile
  18. * User management Module, basing the right on profiles and a matrix (similar to UserRightsMatrix, but profiles and other decorations have been added)
  19. *
  20. * @author Erwan Taloc <erwan.taloc@combodo.com>
  21. * @author Romain Quetiez <romain.quetiez@combodo.com>
  22. * @author Denis Flaven <denis.flaven@combodo.com>
  23. * @license http://www.opensource.org/licenses/gpl-3.0.html LGPL
  24. */
  25. define('ADMIN_PROFILE_NAME', 'Administrator');
  26. define('PORTAL_PROFILE_NAME', 'Portal user');
  27. class UserRightsBaseClassGUI extends cmdbAbstractObject
  28. {
  29. // Whenever something changes, reload the privileges
  30. protected function AfterInsert()
  31. {
  32. UserRights::FlushPrivileges();
  33. }
  34. protected function AfterUpdate()
  35. {
  36. UserRights::FlushPrivileges();
  37. }
  38. protected function AfterDelete()
  39. {
  40. UserRights::FlushPrivileges();
  41. }
  42. }
  43. class UserRightsBaseClass extends DBObject
  44. {
  45. // Whenever something changes, reload the privileges
  46. protected function AfterInsert()
  47. {
  48. UserRights::FlushPrivileges();
  49. }
  50. protected function AfterUpdate()
  51. {
  52. UserRights::FlushPrivileges();
  53. }
  54. protected function AfterDelete()
  55. {
  56. UserRights::FlushPrivileges();
  57. }
  58. }
  59. class URP_Profiles extends UserRightsBaseClassGUI
  60. {
  61. public static function Init()
  62. {
  63. $aParams = array
  64. (
  65. "category" => "addon/userrights",
  66. "key_type" => "autoincrement",
  67. "name_attcode" => "name",
  68. "state_attcode" => "",
  69. "reconc_keys" => array(),
  70. "db_table" => "priv_urp_profiles",
  71. "db_key_field" => "id",
  72. "db_finalclass_field" => "",
  73. "display_template" => "",
  74. );
  75. MetaModel::Init_Params($aParams);
  76. //MetaModel::Init_InheritAttributes();
  77. MetaModel::Init_AddAttribute(new AttributeString("name", array("allowed_values"=>null, "sql"=>"name", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array())));
  78. MetaModel::Init_AddAttribute(new AttributeString("description", array("allowed_values"=>null, "sql"=>"description", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array())));
  79. MetaModel::Init_AddAttribute(new AttributeLinkedSetIndirect("user_list", array("linked_class"=>"URP_UserProfile", "ext_key_to_me"=>"profileid", "ext_key_to_remote"=>"userid", "allowed_values"=>null, "count_min"=>1, "count_max"=>0, "depends_on"=>array())));
  80. // Display lists
  81. MetaModel::Init_SetZListItems('details', array('name', 'description', 'user_list')); // Attributes to be displayed for the complete details
  82. MetaModel::Init_SetZListItems('list', array('description')); // Attributes to be displayed for a list
  83. // Search criteria
  84. MetaModel::Init_SetZListItems('standard_search', array('name')); // Criteria of the std search form
  85. MetaModel::Init_SetZListItems('advanced_search', array('name')); // Criteria of the advanced search form
  86. }
  87. protected $m_bCheckReservedNames = true;
  88. protected function DisableCheckOnReservedNames()
  89. {
  90. $this->m_bCheckReservedNames = false;
  91. }
  92. protected static $m_aActions = array(
  93. UR_ACTION_READ => 'Read',
  94. UR_ACTION_MODIFY => 'Modify',
  95. UR_ACTION_DELETE => 'Delete',
  96. UR_ACTION_BULK_READ => 'Bulk Read',
  97. UR_ACTION_BULK_MODIFY => 'Bulk Modify',
  98. UR_ACTION_BULK_DELETE => 'Bulk Delete',
  99. );
  100. protected static $m_aCacheActionGrants = null;
  101. protected static $m_aCacheStimulusGrants = null;
  102. protected static $m_aCacheProfiles = null;
  103. public static function DoCreateProfile($sName, $sDescription, $bReservedName = false)
  104. {
  105. if (is_null(self::$m_aCacheProfiles))
  106. {
  107. self::$m_aCacheProfiles = array();
  108. $oFilterAll = new DBObjectSearch('URP_Profiles');
  109. $oSet = new DBObjectSet($oFilterAll);
  110. while ($oProfile = $oSet->Fetch())
  111. {
  112. self::$m_aCacheProfiles[$oProfile->Get('name')] = $oProfile->GetKey();
  113. }
  114. }
  115. $sCacheKey = $sName;
  116. if (isset(self::$m_aCacheProfiles[$sCacheKey]))
  117. {
  118. return self::$m_aCacheProfiles[$sCacheKey];
  119. }
  120. $oNewObj = MetaModel::NewObject("URP_Profiles");
  121. $oNewObj->Set('name', $sName);
  122. $oNewObj->Set('description', $sDescription);
  123. if ($bReservedName)
  124. {
  125. $oNewObj->DisableCheckOnReservedNames();
  126. }
  127. $iId = $oNewObj->DBInsertNoReload();
  128. self::$m_aCacheProfiles[$sCacheKey] = $iId;
  129. return $iId;
  130. }
  131. public static function DoCreateActionGrant($iProfile, $iAction, $sClass, $bPermission = true)
  132. {
  133. $sAction = self::$m_aActions[$iAction];
  134. if (is_null(self::$m_aCacheActionGrants))
  135. {
  136. self::$m_aCacheActionGrants = array();
  137. $oFilterAll = new DBObjectSearch('URP_ActionGrant');
  138. $oSet = new DBObjectSet($oFilterAll);
  139. while ($oGrant = $oSet->Fetch())
  140. {
  141. self::$m_aCacheActionGrants[$oGrant->Get('profileid').'-'.$oGrant->Get('action').'-'.$oGrant->Get('class')] = $oGrant->GetKey();
  142. }
  143. }
  144. $sCacheKey = "$iProfile-$sAction-$sClass";
  145. if (isset(self::$m_aCacheActionGrants[$sCacheKey]))
  146. {
  147. return self::$m_aCacheActionGrants[$sCacheKey];
  148. }
  149. $oNewObj = MetaModel::NewObject("URP_ActionGrant");
  150. $oNewObj->Set('profileid', $iProfile);
  151. $oNewObj->Set('permission', $bPermission ? 'yes' : 'no');
  152. $oNewObj->Set('class', $sClass);
  153. $oNewObj->Set('action', $sAction);
  154. $iId = $oNewObj->DBInsertNoReload();
  155. self::$m_aCacheActionGrants[$sCacheKey] = $iId;
  156. return $iId;
  157. }
  158. public static function DoCreateStimulusGrant($iProfile, $sStimulusCode, $sClass)
  159. {
  160. if (is_null(self::$m_aCacheStimulusGrants))
  161. {
  162. self::$m_aCacheStimulusGrants = array();
  163. $oFilterAll = new DBObjectSearch('URP_StimulusGrant');
  164. $oSet = new DBObjectSet($oFilterAll);
  165. while ($oGrant = $oSet->Fetch())
  166. {
  167. self::$m_aCacheStimulusGrants[$oGrant->Get('profileid').'-'.$oGrant->Get('stimulus').'-'.$oGrant->Get('class')] = $oGrant->GetKey();
  168. }
  169. }
  170. $sCacheKey = "$iProfile-$sStimulusCode-$sClass";
  171. if (isset(self::$m_aCacheStimulusGrants[$sCacheKey]))
  172. {
  173. return self::$m_aCacheStimulusGrants[$sCacheKey];
  174. }
  175. $oNewObj = MetaModel::NewObject("URP_StimulusGrant");
  176. $oNewObj->Set('profileid', $iProfile);
  177. $oNewObj->Set('permission', 'yes');
  178. $oNewObj->Set('class', $sClass);
  179. $oNewObj->Set('stimulus', $sStimulusCode);
  180. $iId = $oNewObj->DBInsertNoReload();
  181. self::$m_aCacheStimulusGrants[$sCacheKey] = $iId;
  182. return $iId;
  183. }
  184. /*
  185. * Create the built-in Administrator profile with its reserved name
  186. */
  187. public static function DoCreateAdminProfile()
  188. {
  189. self::DoCreateProfile(ADMIN_PROFILE_NAME, 'Has the rights on everything (bypassing any control)', true /* reserved name */);
  190. }
  191. /*
  192. * Overload the standard behavior to preserve reserved names
  193. */
  194. public function DoCheckToWrite()
  195. {
  196. parent::DoCheckToWrite();
  197. if ($this->m_bCheckReservedNames)
  198. {
  199. $aChanges = $this->ListChanges();
  200. if (array_key_exists('name', $aChanges))
  201. {
  202. if ($this->GetOriginal('name') == ADMIN_PROFILE_NAME)
  203. {
  204. $this->m_aCheckIssues[] = "The name of the Administrator profile must not be changed";
  205. }
  206. elseif ($this->Get('name') == ADMIN_PROFILE_NAME)
  207. {
  208. $this->m_aCheckIssues[] = ADMIN_PROFILE_NAME." is a reserved to the built-in Administrator profile";
  209. }
  210. elseif ($this->GetOriginal('name') == PORTAL_PROFILE_NAME)
  211. {
  212. $this->m_aCheckIssues[] = "The name of the User Portal profile must not be changed";
  213. }
  214. elseif ($this->Get('name') == PORTAL_PROFILE_NAME)
  215. {
  216. $this->m_aCheckIssues[] = PORTAL_PROFILE_NAME." is a reserved to the built-in User Portal profile";
  217. }
  218. }
  219. }
  220. }
  221. function GetGrantAsHtml($oUserRights, $sClass, $sAction)
  222. {
  223. $iGrant = $oUserRights->GetProfileActionGrant($this->GetKey(), $sClass, $sAction);
  224. if (!is_null($iGrant))
  225. {
  226. return '<span style="background-color: #ddffdd;">'.Dict::S('UI:UserManagement:ActionAllowed:Yes').'</span>';
  227. }
  228. else
  229. {
  230. return '<span style="background-color: #ffdddd;">'.Dict::S('UI:UserManagement:ActionAllowed:No').'</span>';
  231. }
  232. }
  233. function DoShowGrantSumary($oPage)
  234. {
  235. if ($this->GetName() == "Administrator")
  236. {
  237. // Looks dirty, but ok that's THE ONE
  238. $oPage->p(Dict::S('UI:UserManagement:AdminProfile+'));
  239. return;
  240. }
  241. // Note: for sure, we assume that the instance is derived from UserRightsProfile
  242. $oUserRights = UserRights::GetModuleInstance();
  243. $aDisplayData = array();
  244. foreach (MetaModel::GetClasses('bizmodel') as $sClass)
  245. {
  246. // Skip non instantiable classes
  247. if (MetaModel::IsAbstract($sClass)) continue;
  248. $aStimuli = array();
  249. foreach (MetaModel::EnumStimuli($sClass) as $sStimulusCode => $oStimulus)
  250. {
  251. $oGrant = $oUserRights->GetClassStimulusGrant($this->GetKey(), $sClass, $sStimulusCode);
  252. if (is_object($oGrant) && ($oGrant->Get('permission') == 'yes'))
  253. {
  254. $aStimuli[] = '<span title="'.$sStimulusCode.': '.htmlentities($oStimulus->GetDescription(), ENT_QUOTES, 'UTF-8').'">'.htmlentities($oStimulus->GetLabel(), ENT_QUOTES, 'UTF-8').'</span>';
  255. }
  256. }
  257. $sStimuli = implode(', ', $aStimuli);
  258. $aDisplayData[] = array(
  259. 'class' => MetaModel::GetName($sClass),
  260. 'read' => $this->GetGrantAsHtml($oUserRights, $sClass, 'Read'),
  261. 'bulkread' => $this->GetGrantAsHtml($oUserRights, $sClass, 'Bulk Read'),
  262. 'write' => $this->GetGrantAsHtml($oUserRights, $sClass, 'Modify'),
  263. 'bulkwrite' => $this->GetGrantAsHtml($oUserRights, $sClass, 'Bulk Modify'),
  264. 'delete' => $this->GetGrantAsHtml($oUserRights, $sClass, 'Delete'),
  265. 'bulkdelete' => $this->GetGrantAsHtml($oUserRights, $sClass, 'Bulk Delete'),
  266. 'stimuli' => $sStimuli,
  267. );
  268. }
  269. $aDisplayConfig = array();
  270. $aDisplayConfig['class'] = array('label' => Dict::S('UI:UserManagement:Class'), 'description' => Dict::S('UI:UserManagement:Class+'));
  271. $aDisplayConfig['read'] = array('label' => Dict::S('UI:UserManagement:Action:Read'), 'description' => Dict::S('UI:UserManagement:Action:Read+'));
  272. $aDisplayConfig['bulkread'] = array('label' => Dict::S('UI:UserManagement:Action:BulkRead'), 'description' => Dict::S('UI:UserManagement:Action:BulkRead+'));
  273. $aDisplayConfig['write'] = array('label' => Dict::S('UI:UserManagement:Action:Modify'), 'description' => Dict::S('UI:UserManagement:Action:Modify+'));
  274. $aDisplayConfig['bulkwrite'] = array('label' => Dict::S('UI:UserManagement:Action:BulkModify'), 'description' => Dict::S('UI:UserManagement:Action:BulkModify+'));
  275. $aDisplayConfig['delete'] = array('label' => Dict::S('UI:UserManagement:Action:Delete'), 'description' => Dict::S('UI:UserManagement:Action:Delete+'));
  276. $aDisplayConfig['bulkdelete'] = array('label' => Dict::S('UI:UserManagement:Action:BulkDelete'), 'description' => Dict::S('UI:UserManagement:Action:BulkDelete+'));
  277. $aDisplayConfig['stimuli'] = array('label' => Dict::S('UI:UserManagement:Action:Stimuli'), 'description' => Dict::S('UI:UserManagement:Action:Stimuli+'));
  278. $oPage->table($aDisplayConfig, $aDisplayData);
  279. }
  280. function DisplayBareRelations(WebPage $oPage, $bEditMode = false)
  281. {
  282. parent::DisplayBareRelations($oPage, $bEditMode);
  283. if (!$bEditMode)
  284. {
  285. $oPage->SetCurrentTab(Dict::S('UI:UserManagement:GrantMatrix'));
  286. $this->DoShowGrantSumary($oPage);
  287. }
  288. }
  289. }
  290. class URP_UserProfile extends UserRightsBaseClassGUI
  291. {
  292. public static function Init()
  293. {
  294. $aParams = array
  295. (
  296. "category" => "addon/userrights",
  297. "key_type" => "autoincrement",
  298. "name_attcode" => "userid",
  299. "state_attcode" => "",
  300. "reconc_keys" => array(),
  301. "db_table" => "priv_urp_userprofile",
  302. "db_key_field" => "id",
  303. "db_finalclass_field" => "",
  304. "display_template" => "",
  305. );
  306. MetaModel::Init_Params($aParams);
  307. //MetaModel::Init_InheritAttributes();
  308. MetaModel::Init_AddAttribute(new AttributeExternalKey("userid", array("targetclass"=>"User", "jointype"=> "", "allowed_values"=>null, "sql"=>"userid", "is_null_allowed"=>false, "on_target_delete"=>DEL_AUTO, "depends_on"=>array())));
  309. MetaModel::Init_AddAttribute(new AttributeExternalField("userlogin", array("allowed_values"=>null, "extkey_attcode"=> 'userid', "target_attcode"=>"login")));
  310. MetaModel::Init_AddAttribute(new AttributeExternalKey("profileid", array("targetclass"=>"URP_Profiles", "jointype"=> "", "allowed_values"=>null, "sql"=>"profileid", "is_null_allowed"=>false, "on_target_delete"=>DEL_AUTO, "depends_on"=>array())));
  311. MetaModel::Init_AddAttribute(new AttributeExternalField("profile", array("allowed_values"=>null, "extkey_attcode"=> 'profileid', "target_attcode"=>"name")));
  312. MetaModel::Init_AddAttribute(new AttributeString("reason", array("allowed_values"=>null, "sql"=>"description", "default_value"=>null, "is_null_allowed"=>true, "depends_on"=>array())));
  313. // Display lists
  314. MetaModel::Init_SetZListItems('details', array('userid', 'profileid', 'reason')); // Attributes to be displayed for the complete details
  315. MetaModel::Init_SetZListItems('list', array('userid', 'profileid', 'reason')); // Attributes to be displayed for a list
  316. // Search criteria
  317. MetaModel::Init_SetZListItems('standard_search', array('userid', 'profileid')); // Criteria of the std search form
  318. MetaModel::Init_SetZListItems('advanced_search', array('userid', 'profileid')); // Criteria of the advanced search form
  319. }
  320. public function GetName()
  321. {
  322. return Dict::Format('UI:UserManagement:LinkBetween_User_And_Profile', $this->Get('userlogin'), $this->Get('profile'));
  323. }
  324. }
  325. class URP_UserOrg extends UserRightsBaseClassGUI
  326. {
  327. public static function Init()
  328. {
  329. $aParams = array
  330. (
  331. "category" => "addon/userrights",
  332. "key_type" => "autoincrement",
  333. "name_attcode" => "userid",
  334. "state_attcode" => "",
  335. "reconc_keys" => array(),
  336. "db_table" => "priv_urp_userorg",
  337. "db_key_field" => "id",
  338. "db_finalclass_field" => "",
  339. "display_template" => "",
  340. );
  341. MetaModel::Init_Params($aParams);
  342. //MetaModel::Init_InheritAttributes();
  343. MetaModel::Init_AddAttribute(new AttributeExternalKey("userid", array("targetclass"=>"User", "jointype"=> "", "allowed_values"=>null, "sql"=>"userid", "is_null_allowed"=>false, "on_target_delete"=>DEL_AUTO, "depends_on"=>array())));
  344. MetaModel::Init_AddAttribute(new AttributeExternalField("userlogin", array("allowed_values"=>null, "extkey_attcode"=> 'userid', "target_attcode"=>"login")));
  345. MetaModel::Init_AddAttribute(new AttributeExternalKey("allowed_org_id", array("targetclass"=>"Organization", "jointype"=> "", "allowed_values"=>null, "sql"=>"allowed_org_id", "is_null_allowed"=>false, "on_target_delete"=>DEL_AUTO, "depends_on"=>array())));
  346. MetaModel::Init_AddAttribute(new AttributeExternalField("allowed_org_name", array("allowed_values"=>null, "extkey_attcode"=> 'allowed_org_id', "target_attcode"=>"name")));
  347. MetaModel::Init_AddAttribute(new AttributeString("reason", array("allowed_values"=>null, "sql"=>"reason", "default_value"=>null, "is_null_allowed"=>true, "depends_on"=>array())));
  348. // Display lists
  349. MetaModel::Init_SetZListItems('details', array('userid', 'allowed_org_id', 'reason')); // Attributes to be displayed for the complete details
  350. MetaModel::Init_SetZListItems('list', array('allowed_org_id', 'reason')); // Attributes to be displayed for a list
  351. // Search criteria
  352. MetaModel::Init_SetZListItems('standard_search', array('userid', 'allowed_org_id')); // Criteria of the std search form
  353. MetaModel::Init_SetZListItems('advanced_search', array('userid', 'allowed_org_id')); // Criteria of the advanced search form
  354. }
  355. public function GetName()
  356. {
  357. return Dict::Format('UI:UserManagement:LinkBetween_User_And_Org', $this->Get('userlogin'), $this->Get('allowed_org_name'));
  358. }
  359. }
  360. class URP_ActionGrant extends UserRightsBaseClass
  361. {
  362. public static function Init()
  363. {
  364. $aParams = array
  365. (
  366. "category" => "addon/userrights",
  367. "key_type" => "autoincrement",
  368. "name_attcode" => "profileid",
  369. "state_attcode" => "",
  370. "reconc_keys" => array(),
  371. "db_table" => "priv_urp_grant_actions",
  372. "db_key_field" => "id",
  373. "db_finalclass_field" => "",
  374. "display_template" => "",
  375. );
  376. MetaModel::Init_Params($aParams);
  377. //MetaModel::Init_InheritAttributes();
  378. // Common to all grant classes (could be factorized by class inheritence, but this has to be benchmarked)
  379. MetaModel::Init_AddAttribute(new AttributeExternalKey("profileid", array("targetclass"=>"URP_Profiles", "jointype"=> "", "allowed_values"=>null, "sql"=>"profileid", "is_null_allowed"=>false, "on_target_delete"=>DEL_MANUAL, "depends_on"=>array())));
  380. MetaModel::Init_AddAttribute(new AttributeExternalField("profile", array("allowed_values"=>null, "extkey_attcode"=> 'profileid', "target_attcode"=>"name")));
  381. MetaModel::Init_AddAttribute(new AttributeClass("class", array("class_category"=>"", "more_values"=>"", "sql"=>"class", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array())));
  382. MetaModel::Init_AddAttribute(new AttributeEnum("permission", array("allowed_values"=>new ValueSetEnum('yes,no'), "sql"=>"permission", "default_value"=>"yes", "is_null_allowed"=>false, "depends_on"=>array())));
  383. MetaModel::Init_AddAttribute(new AttributeString("action", array("allowed_values"=>null, "sql"=>"action", "default_value"=>"", "is_null_allowed"=>false, "depends_on"=>array())));
  384. // Display lists
  385. MetaModel::Init_SetZListItems('details', array('profileid', 'class', 'permission', 'action')); // Attributes to be displayed for the complete details
  386. MetaModel::Init_SetZListItems('list', array('class', 'permission', 'action')); // Attributes to be displayed for a list
  387. // Search criteria
  388. MetaModel::Init_SetZListItems('standard_search', array('profileid', 'class', 'permission', 'action')); // Criteria of the std search form
  389. MetaModel::Init_SetZListItems('advanced_search', array('profileid', 'class', 'permission', 'action')); // Criteria of the advanced search form
  390. }
  391. }
  392. class URP_StimulusGrant extends UserRightsBaseClass
  393. {
  394. public static function Init()
  395. {
  396. $aParams = array
  397. (
  398. "category" => "addon/userrights",
  399. "key_type" => "autoincrement",
  400. "name_attcode" => "profileid",
  401. "state_attcode" => "",
  402. "reconc_keys" => array(),
  403. "db_table" => "priv_urp_grant_stimulus",
  404. "db_key_field" => "id",
  405. "db_finalclass_field" => "",
  406. "display_template" => "",
  407. );
  408. MetaModel::Init_Params($aParams);
  409. //MetaModel::Init_InheritAttributes();
  410. // Common to all grant classes (could be factorized by class inheritence, but this has to be benchmarked)
  411. MetaModel::Init_AddAttribute(new AttributeExternalKey("profileid", array("targetclass"=>"URP_Profiles", "jointype"=> "", "allowed_values"=>null, "sql"=>"profileid", "is_null_allowed"=>false, "on_target_delete"=>DEL_MANUAL, "depends_on"=>array())));
  412. MetaModel::Init_AddAttribute(new AttributeExternalField("profile", array("allowed_values"=>null, "extkey_attcode"=> 'profileid', "target_attcode"=>"name")));
  413. MetaModel::Init_AddAttribute(new AttributeClass("class", array("class_category"=>"", "more_values"=>"", "sql"=>"class", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array())));
  414. MetaModel::Init_AddAttribute(new AttributeEnum("permission", array("allowed_values"=>new ValueSetEnum('yes,no'), "sql"=>"permission", "default_value"=>"yes", "is_null_allowed"=>false, "depends_on"=>array())));
  415. MetaModel::Init_AddAttribute(new AttributeString("stimulus", array("allowed_values"=>null, "sql"=>"action", "default_value"=>"", "is_null_allowed"=>false, "depends_on"=>array())));
  416. // Display lists
  417. MetaModel::Init_SetZListItems('details', array('profileid', 'class', 'permission', 'stimulus')); // Attributes to be displayed for the complete details
  418. MetaModel::Init_SetZListItems('list', array('class', 'permission', 'stimulus')); // Attributes to be displayed for a list
  419. // Search criteria
  420. MetaModel::Init_SetZListItems('standard_search', array('profileid', 'class', 'permission', 'stimulus')); // Criteria of the std search form
  421. MetaModel::Init_SetZListItems('advanced_search', array('profileid', 'class', 'permission', 'stimulus')); // Criteria of the advanced search form
  422. }
  423. }
  424. class URP_AttributeGrant extends UserRightsBaseClass
  425. {
  426. public static function Init()
  427. {
  428. $aParams = array
  429. (
  430. "category" => "addon/userrights",
  431. "key_type" => "autoincrement",
  432. "name_attcode" => "actiongrantid",
  433. "state_attcode" => "",
  434. "reconc_keys" => array(),
  435. "db_table" => "priv_urp_grant_attributes",
  436. "db_key_field" => "id",
  437. "db_finalclass_field" => "",
  438. "display_template" => "",
  439. );
  440. MetaModel::Init_Params($aParams);
  441. //MetaModel::Init_InheritAttributes();
  442. MetaModel::Init_AddAttribute(new AttributeExternalKey("actiongrantid", array("targetclass"=>"URP_ActionGrant", "jointype"=> "", "allowed_values"=>null, "sql"=>"actiongrantid", "is_null_allowed"=>false, "on_target_delete"=>DEL_MANUAL, "depends_on"=>array())));
  443. MetaModel::Init_AddAttribute(new AttributeString("attcode", array("allowed_values"=>null, "sql"=>"attcode", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array())));
  444. // Display lists
  445. MetaModel::Init_SetZListItems('details', array('actiongrantid', 'attcode')); // Attributes to be displayed for the complete details
  446. MetaModel::Init_SetZListItems('list', array('attcode')); // Attributes to be displayed for a list
  447. // Search criteria
  448. MetaModel::Init_SetZListItems('standard_search', array('actiongrantid', 'attcode')); // Criteria of the std search form
  449. MetaModel::Init_SetZListItems('advanced_search', array('actiongrantid', 'attcode')); // Criteria of the advanced search form
  450. }
  451. }
  452. class UserRightsProfile extends UserRightsAddOnAPI
  453. {
  454. static public $m_aActionCodes = array(
  455. UR_ACTION_READ => 'read',
  456. UR_ACTION_MODIFY => 'modify',
  457. UR_ACTION_DELETE => 'delete',
  458. UR_ACTION_BULK_READ => 'bulk read',
  459. UR_ACTION_BULK_MODIFY => 'bulk modify',
  460. UR_ACTION_BULK_DELETE => 'bulk delete',
  461. );
  462. // Installation: create the very first user
  463. public function CreateAdministrator($sAdminUser, $sAdminPwd, $sLanguage = 'EN US')
  464. {
  465. // Create a change to record the history of the User object
  466. $oChange = MetaModel::NewObject("CMDBChange");
  467. $oChange->Set("date", time());
  468. $oChange->Set("userinfo", "Initialization");
  469. $iChangeId = $oChange->DBInsert();
  470. // Support drastic data model changes: no organization class (or not writable)!
  471. if (MetaModel::IsValidClass('Organization') && !MetaModel::IsAbstract('Organization'))
  472. {
  473. $oOrg = new Organization();
  474. $oOrg->Set('name', 'My Company/Department');
  475. $oOrg->Set('code', 'SOMECODE');
  476. $iOrgId = $oOrg->DBInsertTrackedNoReload($oChange, true /* skip security */);
  477. }
  478. else
  479. {
  480. $iOrgId = 0;
  481. }
  482. // Support drastic data model changes: no Person class (or not writable)!
  483. if (MetaModel::IsValidClass('Person') && !MetaModel::IsAbstract('Person'))
  484. {
  485. $oContact = new Person();
  486. $oContact->Set('name', 'My last name');
  487. $oContact->Set('first_name', 'My first name');
  488. if (MetaModel::IsValidAttCode('Person', 'org_id'))
  489. {
  490. $oContact->Set('org_id', $iOrgId);
  491. }
  492. $oContact->Set('email', 'my.email@foo.org');
  493. $iContactId = $oContact->DBInsertTrackedNoReload($oChange, true /* skip security */);
  494. }
  495. else
  496. {
  497. $iContactId = 0;
  498. }
  499. $oUser = new UserLocal();
  500. $oUser->Set('login', $sAdminUser);
  501. $oUser->Set('password', $sAdminPwd);
  502. if (MetaModel::IsValidAttCode('UserLocal', 'contactid'))
  503. {
  504. $oUser->Set('contactid', $iContactId);
  505. }
  506. $oUser->Set('language', $sLanguage); // Language was chosen during the installation
  507. // Add this user to the very specific 'admin' profile
  508. $oAdminProfile = MetaModel::GetObjectFromOQL("SELECT URP_Profiles WHERE name = :name", array('name' => ADMIN_PROFILE_NAME), true /*all data*/);
  509. if (is_object($oAdminProfile))
  510. {
  511. $oUserProfile = new URP_UserProfile();
  512. //$oUserProfile->Set('userid', $iUserId);
  513. $oUserProfile->Set('profileid', $oAdminProfile->GetKey());
  514. $oUserProfile->Set('reason', 'By definition, the administrator must have the administrator profile');
  515. //$oUserProfile->DBInsertTrackedNoReload($oChange, true /* skip security */);
  516. $oSet = DBObjectSet::FromObject($oUserProfile);
  517. $oUser->Set('profile_list', $oSet);
  518. }
  519. $iUserId = $oUser->DBInsertTrackedNoReload($oChange, true /* skip security */);
  520. return true;
  521. }
  522. public function Init()
  523. {
  524. }
  525. protected $m_aAdmins; // id of users being linked to the well-known admin profile
  526. protected $m_aPortalUsers; // id of users being linked to the well-known admin profile
  527. protected $m_aProfiles; // id -> object
  528. protected $m_aUserProfiles; // userid,profileid -> object
  529. protected $m_aUserOrgs; // userid,orgid -> object
  530. // Those arrays could be completed on demand (inheriting parent permissions)
  531. protected $m_aClassActionGrants = null; // profile, class, action -> actiongrantid (or false if NO, or null/missing if undefined)
  532. protected $m_aClassStimulusGrants = array(); // profile, class, stimulus -> permission
  533. // Built on demand, could be optimized if necessary (doing a query for each attribute that needs to be read)
  534. protected $m_aObjectActionGrants = array();
  535. public function ResetCache()
  536. {
  537. // Loaded by Load cache
  538. $this->m_aProfiles = null;
  539. $this->m_aUserProfiles = null;
  540. $this->m_aUserOrgs = null;
  541. $this->m_aAdmins = null;
  542. $this->m_aPortalUsers = null;
  543. // Loaded on demand (time consuming as compared to the others)
  544. $this->m_aClassActionGrants = null;
  545. $this->m_aClassStimulusGrants = null;
  546. $this->m_aObjectActionGrants = array();
  547. }
  548. // Separate load: this cache is much more time consuming while loading
  549. // Thus it is loaded iif required
  550. // Could be improved by specifying the profile id
  551. public function LoadActionGrantCache()
  552. {
  553. if (!is_null($this->m_aClassActionGrants)) return;
  554. $oKPI = new ExecutionKPI();
  555. $oFilter = DBObjectSearch::FromOQL_AllData("SELECT URP_ActionGrant AS p WHERE p.permission = 'yes'");
  556. $aGrants = $oFilter->ToDataArray();
  557. foreach($aGrants as $aGrant)
  558. {
  559. $this->m_aClassActionGrants[$aGrant['profileid']][$aGrant['class']][strtolower($aGrant['action'])] = $aGrant['id'];
  560. }
  561. $oKPI->ComputeAndReport('Load of action grants');
  562. }
  563. public function LoadCache()
  564. {
  565. if (!is_null($this->m_aProfiles)) return;
  566. // Could be loaded in a shared memory (?)
  567. $oKPI = new ExecutionKPI();
  568. $oProfileSet = new DBObjectSet(DBObjectSearch::FromOQL_AllData("SELECT URP_Profiles"));
  569. $this->m_aProfiles = array();
  570. while ($oProfile = $oProfileSet->Fetch())
  571. {
  572. $this->m_aProfiles[$oProfile->GetKey()] = $oProfile;
  573. }
  574. $oUserProfileSet = new DBObjectSet(DBObjectSearch::FromOQL_AllData("SELECT URP_UserProfile"));
  575. $this->m_aUserProfiles = array();
  576. $this->m_aAdmins = array();
  577. $this->m_aPortalUsers = array();
  578. while ($oUserProfile = $oUserProfileSet->Fetch())
  579. {
  580. $this->m_aUserProfiles[$oUserProfile->Get('userid')][$oUserProfile->Get('profileid')] = $oUserProfile;
  581. if ($oUserProfile->Get('profile') == ADMIN_PROFILE_NAME)
  582. {
  583. $this->m_aAdmins[] = $oUserProfile->Get('userid');
  584. }
  585. elseif ($oUserProfile->Get('profile') == PORTAL_PROFILE_NAME)
  586. {
  587. $this->m_aPortalUsers[] = $oUserProfile->Get('userid');
  588. }
  589. }
  590. $oUserOrgSet = new DBObjectSet(DBObjectSearch::FromOQL_AllData("SELECT URP_UserOrg"));
  591. $this->m_aUserOrgs = array();
  592. while ($oUserOrg = $oUserOrgSet->Fetch())
  593. {
  594. $this->m_aUserOrgs[$oUserOrg->Get('userid')][$oUserOrg->Get('allowed_org_id')] = $oUserOrg;
  595. }
  596. $this->m_aClassStimulusGrants = array();
  597. $oStimGrantSet = new DBObjectSet(DBObjectSearch::FromOQL_AllData("SELECT URP_StimulusGrant"));
  598. $this->m_aStimGrants = array();
  599. while ($oStimGrant = $oStimGrantSet->Fetch())
  600. {
  601. $this->m_aClassStimulusGrants[$oStimGrant->Get('profileid')][$oStimGrant->Get('class')][$oStimGrant->Get('stimulus')] = $oStimGrant;
  602. }
  603. $oKPI->ComputeAndReport('Load of user management cache (excepted Action Grants)');
  604. /*
  605. echo "<pre>\n";
  606. print_r($this->m_aProfiles);
  607. print_r($this->m_aUserProfiles);
  608. print_r($this->m_aUserOrgs);
  609. print_r($this->m_aClassActionGrants);
  610. print_r($this->m_aClassStimulusGrants);
  611. echo "</pre>\n";
  612. exit;
  613. */
  614. return true;
  615. }
  616. public function IsAdministrator($oUser)
  617. {
  618. $this->LoadCache();
  619. if (in_array($oUser->GetKey(), $this->m_aAdmins))
  620. {
  621. return true;
  622. }
  623. else
  624. {
  625. return false;
  626. }
  627. }
  628. public function IsPortalUser($oUser)
  629. {
  630. $this->LoadCache();
  631. if (in_array($oUser->GetKey(), $this->m_aPortalUsers))
  632. {
  633. return true;
  634. }
  635. else
  636. {
  637. return false;
  638. }
  639. }
  640. public function GetSelectFilter($oUser, $sClass)
  641. {
  642. $this->LoadCache();
  643. $aObjectPermissions = $this->GetUserActionGrant($oUser, $sClass, UR_ACTION_READ);
  644. if ($aObjectPermissions['permission'] == UR_ALLOWED_NO)
  645. {
  646. return false;
  647. }
  648. // Determine how to position the objects of this class
  649. //
  650. $aCallSpec = array($sClass, 'MapContextParam');
  651. if ($sClass == 'Organization')
  652. {
  653. $sAttCode = 'id';
  654. }
  655. elseif (is_callable($aCallSpec))
  656. {
  657. $sAttCode = call_user_func($aCallSpec, 'org_id'); // Returns null when there is no mapping for this parameter
  658. if ($sAttCode == null)
  659. {
  660. return true;
  661. }
  662. if (!MetaModel::IsValidAttCode($sClass, $sAttCode))
  663. {
  664. // Skip silently. The data model checker will tell you something about this...
  665. return true;
  666. }
  667. }
  668. elseif(MetaModel::IsValidAttCode($sClass, 'org_id'))
  669. {
  670. $sAttCode = 'org_id';
  671. }
  672. else
  673. {
  674. // The objects of this class are not positioned in this dimension
  675. // All of them are visible
  676. return true;
  677. }
  678. // Position the user
  679. //
  680. @$aUserOrgs = $this->m_aUserOrgs[$oUser->GetKey()];
  681. if (!isset($aUserOrgs) || count($aUserOrgs) == 0)
  682. {
  683. // No position means 'Everywhere'
  684. return true;
  685. }
  686. $oExpression = new FieldExpression($sAttCode, $sClass);
  687. $oFilter = new DBObjectSearch($sClass);
  688. $aIds = array_keys($aUserOrgs);
  689. $oListExpr = ListExpression::FromScalars($aIds);
  690. // Check if the condition points to a hierarchical key
  691. $bConditionAdded = false;
  692. if ($sAttCode == 'id')
  693. {
  694. // Filtering on the objects themselves
  695. $sHierarchicalKeyCode = MetaModel::IsHierarchicalClass($sClass);
  696. if ($sHierarchicalKeyCode !== false)
  697. {
  698. $oRootFilter = new DBObjectSearch($sClass);
  699. $oCondition = new BinaryExpression($oExpression, 'IN', $oListExpr);
  700. $oRootFilter->AddConditionExpression($oCondition);
  701. $oFilter->AddCondition_PointingTo($oRootFilter, $sHierarchicalKeyCode, TREE_OPERATOR_BELOW); // Use the 'below' operator by default
  702. $bConditionAdded = true;
  703. }
  704. }
  705. else
  706. {
  707. $oAttDef = MetaModel::GetAttributeDef($sClass, $sAttCode);
  708. if ($oAttDef->IsExternalKey())
  709. {
  710. $sHierarchicalKeyCode = MetaModel::IsHierarchicalClass($oAttDef->GetTargetClass());
  711. if ($sHierarchicalKeyCode !== false)
  712. {
  713. $oRootFilter = new DBObjectSearch($oAttDef->GetTargetClass());
  714. $oExpression = new FieldExpression('id', $oAttDef->GetTargetClass());
  715. $oCondition = new BinaryExpression($oExpression, 'IN', $oListExpr);
  716. $oRootFilter->AddConditionExpression($oCondition);
  717. $oHKFilter = new DBObjectSearch($oAttDef->GetTargetClass());
  718. $oHKFilter->AddCondition_PointingTo($oRootFilter, $sHierarchicalKeyCode, TREE_OPERATOR_BELOW); // Use the 'below' operator by default
  719. $oFilter->AddCondition_PointingTo($oHKFilter, $sAttCode);
  720. $bConditionAdded = true;
  721. }
  722. }
  723. }
  724. if (!$bConditionAdded)
  725. {
  726. $oCondition = new BinaryExpression($oExpression, 'IN', $oListExpr);
  727. $oFilter->AddConditionExpression($oCondition);
  728. }
  729. return $oFilter;
  730. }
  731. // This verb has been made public to allow the development of an accurate feedback for the current configuration
  732. public function GetProfileActionGrant($iProfile, $sClass, $sAction)
  733. {
  734. $this->LoadActionGrantCache();
  735. // Note: action is forced lowercase to be more flexible (historical bug)
  736. $sAction = strtolower($sAction);
  737. if (isset($this->m_aClassActionGrants[$iProfile][$sClass][$sAction]))
  738. {
  739. return $this->m_aClassActionGrants[$iProfile][$sClass][$sAction];
  740. }
  741. // Recursively look for the grant record in the class hierarchy
  742. $sParentClass = MetaModel::GetParentPersistentClass($sClass);
  743. if (empty($sParentClass))
  744. {
  745. $iGrant = null;
  746. }
  747. else
  748. {
  749. // Recursively look for the grant record in the class hierarchy
  750. $iGrant = $this->GetProfileActionGrant($iProfile, $sParentClass, $sAction);
  751. }
  752. $this->m_aClassActionGrants[$iProfile][$sClass][$sAction] = $iGrant;
  753. return $iGrant;
  754. }
  755. protected function GetUserActionGrant($oUser, $sClass, $iActionCode)
  756. {
  757. $this->LoadCache();
  758. // load and cache permissions for the current user on the given class
  759. //
  760. $iUser = $oUser->GetKey();
  761. $aTest = @$this->m_aObjectActionGrants[$iUser][$sClass][$iActionCode];
  762. if (is_array($aTest)) return $aTest;
  763. $sAction = self::$m_aActionCodes[$iActionCode];
  764. $iPermission = UR_ALLOWED_NO;
  765. $aAttributes = array();
  766. if (isset($this->m_aUserProfiles[$iUser]))
  767. {
  768. foreach($this->m_aUserProfiles[$iUser] as $iProfile => $oProfile)
  769. {
  770. $iGrant = $this->GetProfileActionGrant($iProfile, $sClass, $sAction);
  771. if (is_null($iGrant) || !$iGrant)
  772. {
  773. continue; // loop to the next profile
  774. }
  775. else
  776. {
  777. $iPermission = UR_ALLOWED_YES;
  778. // update the list of attributes with those allowed for this profile
  779. //
  780. $oSearch = DBObjectSearch::FromOQL_AllData("SELECT URP_AttributeGrant WHERE actiongrantid = :actiongrantid");
  781. $oSet = new DBObjectSet($oSearch, array(), array('actiongrantid' => $iGrant));
  782. $aProfileAttributes = $oSet->GetColumnAsArray('attcode', false);
  783. if (count($aProfileAttributes) == 0)
  784. {
  785. $aAllAttributes = array_keys(MetaModel::ListAttributeDefs($sClass));
  786. $aAttributes = array_merge($aAttributes, $aAllAttributes);
  787. }
  788. else
  789. {
  790. $aAttributes = array_merge($aAttributes, $aProfileAttributes);
  791. }
  792. }
  793. }
  794. }
  795. $aRes = array(
  796. 'permission' => $iPermission,
  797. 'attributes' => $aAttributes,
  798. );
  799. $this->m_aObjectActionGrants[$iUser][$sClass][$iActionCode] = $aRes;
  800. return $aRes;
  801. }
  802. public function IsActionAllowed($oUser, $sClass, $iActionCode, $oInstanceSet = null)
  803. {
  804. $this->LoadCache();
  805. // Note: The object set is ignored because it was interesting to optimize for huge data sets
  806. // and acceptable to consider only the root class of the object set
  807. $aObjectPermissions = $this->GetUserActionGrant($oUser, $sClass, $iActionCode);
  808. return $aObjectPermissions['permission'];
  809. }
  810. public function IsActionAllowedOnAttribute($oUser, $sClass, $sAttCode, $iActionCode, $oInstanceSet = null)
  811. {
  812. $this->LoadCache();
  813. // Note: The object set is ignored because it was interesting to optimize for huge data sets
  814. // and acceptable to consider only the root class of the object set
  815. $aObjectPermissions = $this->GetUserActionGrant($oUser, $sClass, $iActionCode);
  816. $aAttributes = $aObjectPermissions['attributes'];
  817. if (in_array($sAttCode, $aAttributes))
  818. {
  819. return $aObjectPermissions['permission'];
  820. }
  821. else
  822. {
  823. return UR_ALLOWED_NO;
  824. }
  825. }
  826. // This verb has been made public to allow the development of an accurate feedback for the current configuration
  827. public function GetClassStimulusGrant($iProfile, $sClass, $sStimulusCode)
  828. {
  829. $this->LoadCache();
  830. if (isset($this->m_aClassStimulusGrants[$iProfile][$sClass][$sStimulusCode]))
  831. {
  832. return $this->m_aClassStimulusGrants[$iProfile][$sClass][$sStimulusCode];
  833. }
  834. else
  835. {
  836. return null;
  837. }
  838. }
  839. public function IsStimulusAllowed($oUser, $sClass, $sStimulusCode, $oInstanceSet = null)
  840. {
  841. $this->LoadCache();
  842. // Note: this code is VERY close to the code of IsActionAllowed()
  843. $iUser = $oUser->GetKey();
  844. // Note: The object set is ignored because it was interesting to optimize for huge data sets
  845. // and acceptable to consider only the root class of the object set
  846. $iPermission = UR_ALLOWED_NO;
  847. if (isset($this->m_aUserProfiles[$iUser]))
  848. {
  849. foreach($this->m_aUserProfiles[$iUser] as $iProfile => $oProfile)
  850. {
  851. $oGrantRecord = $this->GetClassStimulusGrant($iProfile, $sClass, $sStimulusCode);
  852. if (!is_null($oGrantRecord))
  853. {
  854. // no need to fetch the record, we've requested the records having permission = 'yes'
  855. $iPermission = UR_ALLOWED_YES;
  856. }
  857. }
  858. }
  859. return $iPermission;
  860. }
  861. public function FlushPrivileges()
  862. {
  863. $this->ResetCache();
  864. }
  865. }
  866. UserRights::SelectModule('UserRightsProfile');
  867. ?>