userrightsprofile.class.inc.php 55 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502
  1. <?php
  2. /**
  3. * UserRightsProfile
  4. * User management Module, basing the right on profiles and a matrix (similar to UserRightsMatrix, but profiles and other decorations have been added)
  5. *
  6. * @package iTopORM
  7. * @author Romain Quetiez <romainquetiez@yahoo.fr>
  8. * @author Denis Flaven <denisflave@free.fr>
  9. * @license http://www.opensource.org/licenses/lgpl-license.php LGPL
  10. * @link www.itop.com
  11. * @since 1.0
  12. * @version 1.1.1.1 $
  13. */
  14. define('ADMIN_PROFILE_ID', 1);
  15. class UserRightsBaseClass extends cmdbAbstractObject
  16. {
  17. }
  18. class URP_Users extends UserRightsBaseClass
  19. {
  20. public static function Init()
  21. {
  22. $aParams = array
  23. (
  24. "category" => "addon/userrights",
  25. "name" => "user",
  26. "description" => "users and credentials",
  27. "key_type" => "autoincrement",
  28. "key_label" => "",
  29. "name_attcode" => "login",
  30. "state_attcode" => "",
  31. "reconc_keys" => array(),
  32. "db_table" => "priv_urp_users",
  33. "db_key_field" => "id",
  34. "db_finalclass_field" => "",
  35. "display_template" => "",
  36. );
  37. MetaModel::Init_Params($aParams);
  38. //MetaModel::Init_InheritAttributes();
  39. MetaModel::Init_AddAttribute(new AttributeExternalKey("userid", array("targetclass"=>"bizPerson", "label"=>"Contact (person)", "description"=>"Personal details from the business data", "allowed_values"=>null, "sql"=>"userid", "is_null_allowed"=>true, "depends_on"=>array())));
  40. MetaModel::Init_AddAttribute(new AttributeExternalField("last_name", array("label"=>"Last name", "description"=>"Name of the corresponding contact", "allowed_values"=>null, "extkey_attcode"=> 'userid', "target_attcode"=>"name")));
  41. MetaModel::Init_AddAttribute(new AttributeExternalField("first_name", array("label"=>"First name", "description"=>"First name of the corresponding contact", "allowed_values"=>null, "extkey_attcode"=> 'userid', "target_attcode"=>"first_name")));
  42. MetaModel::Init_AddAttribute(new AttributeExternalField("email", array("label"=>"Email", "description"=>"Email of the corresponding contact", "allowed_values"=>null, "extkey_attcode"=> 'userid', "target_attcode"=>"email")));
  43. MetaModel::Init_AddAttribute(new AttributeString("login", array("label"=>"Login", "description"=>"user identification string", "allowed_values"=>null, "sql"=>"login", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array())));
  44. MetaModel::Init_AddAttribute(new AttributePassword("password", array("label"=>"Password", "description"=>"user authentication string", "allowed_values"=>null, "sql"=>"pwd", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array())));
  45. MetaModel::Init_AddAttribute(new AttributeLinkedSetIndirect("profiles", array("label"=>"Profiles", "description"=>"roles, granting rights for that person", "linked_class"=>"URP_UserProfile", "ext_key_to_me"=>"userid", "ext_key_to_remote"=>"profileid", "allowed_values"=>null, "count_min"=>1, "count_max"=>0, "depends_on"=>array())));
  46. //MetaModel::Init_InheritFilters();
  47. MetaModel::Init_AddFilterFromAttribute("userid");
  48. MetaModel::Init_AddFilterFromAttribute("login");
  49. MetaModel::Init_AddFilterFromAttribute("password");
  50. // Display lists
  51. MetaModel::Init_SetZListItems('details', array('userid', 'first_name', 'email', 'login')); // Attributes to be displayed for the complete details
  52. MetaModel::Init_SetZListItems('list', array('first_name', 'last_name', 'login')); // Attributes to be displayed for a list
  53. // Search criteria
  54. MetaModel::Init_SetZListItems('standard_search', array('login', 'userid')); // Criteria of the std search form
  55. MetaModel::Init_SetZListItems('advanced_search', array('login', 'userid')); // Criteria of the advanced search form
  56. }
  57. }
  58. class URP_Profiles extends UserRightsBaseClass
  59. {
  60. public static function Init()
  61. {
  62. $aParams = array
  63. (
  64. "category" => "addon/userrights",
  65. "name" => "profile",
  66. "description" => "usage profiles",
  67. "key_type" => "autoincrement",
  68. "key_label" => "",
  69. "name_attcode" => "name",
  70. "state_attcode" => "",
  71. "reconc_keys" => array(),
  72. "db_table" => "priv_urp_profiles",
  73. "db_key_field" => "id",
  74. "db_finalclass_field" => "",
  75. "display_template" => "",
  76. );
  77. MetaModel::Init_Params($aParams);
  78. //MetaModel::Init_InheritAttributes();
  79. MetaModel::Init_AddAttribute(new AttributeString("name", array("label"=>"Name", "description"=>"label", "allowed_values"=>null, "sql"=>"name", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array())));
  80. MetaModel::Init_AddAttribute(new AttributeString("description", array("label"=>"Description", "description"=>"one line description", "allowed_values"=>null, "sql"=>"description", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array())));
  81. MetaModel::Init_AddAttribute(new AttributeLinkedSetIndirect("users", array("label"=>"Users", "description"=>"persons having this role", "linked_class"=>"URP_UserProfile", "ext_key_to_me"=>"profileid", "ext_key_to_remote"=>"userid", "allowed_values"=>null, "count_min"=>1, "count_max"=>0, "depends_on"=>array())));
  82. //MetaModel::Init_InheritFilters();
  83. MetaModel::Init_AddFilterFromAttribute("name");
  84. MetaModel::Init_AddFilterFromAttribute("description");
  85. // Display lists
  86. MetaModel::Init_SetZListItems('details', array('name', 'description')); // Attributes to be displayed for the complete details
  87. MetaModel::Init_SetZListItems('list', array('name', 'description')); // Attributes to be displayed for a list
  88. // Search criteria
  89. MetaModel::Init_SetZListItems('standard_search', array('name')); // Criteria of the std search form
  90. MetaModel::Init_SetZListItems('advanced_search', array('name')); // Criteria of the advanced search form
  91. }
  92. function GetGrantAsHtml($oUserRights, $sClass, $sAction)
  93. {
  94. $oGrant = $oUserRights->GetClassActionGrant($this->GetKey(), $sClass, $sAction);
  95. if (is_object($oGrant) && ($oGrant->Get('permission') == 'yes'))
  96. {
  97. return '<span style="background-color: #ddffdd;">yes</span>';
  98. }
  99. else
  100. {
  101. return '<span style="background-color: #ffdddd;">no</span>';
  102. }
  103. }
  104. function DoShowGrantSumary($oPage)
  105. {
  106. if ($this->GetName() == "Administrator")
  107. {
  108. // Looks dirty, but ok that's THE ONE
  109. $oPage->p('Has Read/Write access to any object in the database.');
  110. return;
  111. }
  112. // Note: for sure, we assume that the instance is derived from UserRightsProfile
  113. $oUserRights = UserRights::GetModuleInstance();
  114. $aDisplayData = array();
  115. foreach (MetaModel::GetClasses('bizmodel') as $sClass)
  116. {
  117. $aStimuli = array();
  118. foreach (MetaModel::EnumStimuli($sClass) as $sStimulusCode => $oStimulus)
  119. {
  120. $oGrant = $oUserRights->GetClassStimulusGrant($this->GetKey(), $sClass, $sStimulusCode);
  121. if (is_object($oGrant) && ($oGrant->Get('permission') == 'yes'))
  122. {
  123. $aStimuli[] = '<span title="'.$sStimulusCode.': '.htmlentities($oStimulus->Get('description')).'">'.htmlentities($oStimulus->Get('label')).'</span>';
  124. }
  125. }
  126. $sStimuli = implode(', ', $aStimuli);
  127. $aDisplayData[] = array(
  128. 'class' => MetaModel::GetName($sClass),
  129. 'read' => $this->GetGrantAsHtml($oUserRights, $sClass, 'Read'),
  130. 'bulkread' => $this->GetGrantAsHtml($oUserRights, $sClass, 'Bulk Read'),
  131. 'write' => $this->GetGrantAsHtml($oUserRights, $sClass, 'Modify'),
  132. 'bulkwrite' => $this->GetGrantAsHtml($oUserRights, $sClass, 'Bulk Modify'),
  133. 'stimuli' => $sStimuli,
  134. );
  135. }
  136. $aDisplayConfig = array();
  137. $aDisplayConfig['class'] = array('label' => 'Class', 'description' => '');
  138. $aDisplayConfig['read'] = array('label' => 'Read', 'description' => '');
  139. $aDisplayConfig['bulkread'] = array('label' => 'Bulk read', 'description' => 'List objects or export massively');
  140. $aDisplayConfig['write'] = array('label' => 'Write', 'description' => 'Create and edit (modify)');
  141. $aDisplayConfig['bulkwrite'] = array('label' => 'Bulk write', 'description' => 'Massively create/edit (CSV import)');
  142. $aDisplayConfig['stimuli'] = array('label' => 'Stimuli', 'description' => 'Allowed (compound) actions');
  143. $oPage->table($aDisplayConfig, $aDisplayData);
  144. }
  145. function DisplayBareRelations(web_page $oPage)
  146. {
  147. parent::DisplayBareRelations($oPage);
  148. $oPage->SetCurrentTabContainer('Related Objects');
  149. $oPage->SetCurrentTab('Grants matrix');
  150. $this->DoShowGrantSumary($oPage);
  151. }
  152. }
  153. class URP_Dimensions extends UserRightsBaseClass
  154. {
  155. public static function Init()
  156. {
  157. $aParams = array
  158. (
  159. "category" => "addon/userrights",
  160. "name" => "dimension",
  161. "description" => "application dimension (defining silos)",
  162. "key_type" => "autoincrement",
  163. "key_label" => "",
  164. "name_attcode" => "name",
  165. "state_attcode" => "",
  166. "reconc_keys" => array(),
  167. "db_table" => "priv_urp_dimensions",
  168. "db_key_field" => "id",
  169. "db_finalclass_field" => "",
  170. "display_template" => "../business/templates/default.html",
  171. );
  172. MetaModel::Init_Params($aParams);
  173. //MetaModel::Init_InheritAttributes();
  174. MetaModel::Init_AddAttribute(new AttributeString("name", array("label"=>"Name", "description"=>"label", "allowed_values"=>null, "sql"=>"name", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array())));
  175. MetaModel::Init_AddAttribute(new AttributeString("description", array("label"=>"Description", "description"=>"one line description", "allowed_values"=>null, "sql"=>"description", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array())));
  176. MetaModel::Init_AddAttribute(new AttributeString("type", array("label"=>"Type", "description"=>"class name or data type (projection unit)", "allowed_values"=>new ValueSetEnumClasses('bizmodel', 'String,Integer'), "sql"=>"type", "default_value"=>'String', "is_null_allowed"=>false, "depends_on"=>array())));
  177. //MetaModel::Init_InheritFilters();
  178. MetaModel::Init_AddFilterFromAttribute("name");
  179. MetaModel::Init_AddFilterFromAttribute("description");
  180. MetaModel::Init_AddFilterFromAttribute("type");
  181. // Display lists
  182. MetaModel::Init_SetZListItems('details', array('name', 'description', 'type')); // Attributes to be displayed for the complete details
  183. MetaModel::Init_SetZListItems('list', array('name', 'description')); // Attributes to be displayed for a list
  184. // Search criteria
  185. MetaModel::Init_SetZListItems('standard_search', array('name')); // Criteria of the std search form
  186. MetaModel::Init_SetZListItems('advanced_search', array('name')); // Criteria of the advanced search form
  187. }
  188. public function CheckProjectionSpec($oProjectionSpec, $sProjectedClass)
  189. {
  190. $sExpression = $oProjectionSpec->Get('value');
  191. $sAttribute = $oProjectionSpec->Get('attribute');
  192. // Shortcut: "any value" or "no value" means no projection
  193. if (empty($sExpression)) return;
  194. if ($sExpression == '<any>') return;
  195. // 1st - compute the data type for the dimension
  196. //
  197. $sType = $this->Get('type');
  198. if (MetaModel::IsValidClass($sType))
  199. {
  200. $sExpectedType = $sType;
  201. }
  202. else
  203. {
  204. $sExpectedType = '_scalar_';
  205. }
  206. // 2nd - compute the data type for the projection
  207. //
  208. $sTargetClass = '';
  209. if (($sExpression == '<this>') || ($sExpression == '<user>'))
  210. {
  211. $sTargetClass = $sProjectedClass;
  212. }
  213. elseif ($sExpression == '<any>')
  214. {
  215. $sTargetClass = '';
  216. }
  217. else
  218. {
  219. // Evaluate wether it is a constant or not
  220. try
  221. {
  222. $oObjectSearch = DBObjectSearch::FromOQL($sExpression);
  223. $sTargetClass = $oObjectSearch->GetClass();
  224. }
  225. catch (OqlException $e)
  226. {
  227. }
  228. }
  229. if (empty($sTargetClass))
  230. {
  231. $sFoundType = '_void_';
  232. }
  233. else
  234. {
  235. if (empty($sAttribute))
  236. {
  237. $sFoundType = $sTargetClass;
  238. }
  239. else
  240. {
  241. if (!MetaModel::IsValidAttCode($sTargetClass, $sAttribute))
  242. {
  243. throw new CoreException('Unkown attribute code in projection specification', array('found' => $sAttribute, 'expecting' => MetaModel::GetAttributesList($sTargetClass), 'class' => $sTargetClass, 'projection' => $oProjectionSpec));
  244. }
  245. $oAttDef = MetaModel::GetAttributeDef($sTargetClass, $sAttribute);
  246. if ($oAttDef->IsExternalKey())
  247. {
  248. $sFoundType = $oAttDef->GetTargetClass();
  249. }
  250. else
  251. {
  252. $sFoundType = '_scalar_';
  253. }
  254. }
  255. }
  256. // Compare the dimension type and projection type
  257. if (($sFoundType != '_void_') && ($sFoundType != $sExpectedType))
  258. {
  259. throw new CoreException('Wrong type in projection specification', array('found' => $sFoundType, 'expecting' => $sExpectedType, 'expression' => $sExpression, 'attribute' => $sAttribute, 'projection' => $oProjectionSpec));
  260. }
  261. }
  262. }
  263. class URP_UserProfile extends UserRightsBaseClass
  264. {
  265. public static function Init()
  266. {
  267. $aParams = array
  268. (
  269. "category" => "addon/userrights",
  270. "name" => "User to profile",
  271. "description" => "user profiles",
  272. "key_type" => "autoincrement",
  273. "key_label" => "",
  274. "name_attcode" => "userid",
  275. "state_attcode" => "",
  276. "reconc_keys" => array(),
  277. "db_table" => "priv_urp_userprofile",
  278. "db_key_field" => "id",
  279. "db_finalclass_field" => "",
  280. "display_template" => "../business/templates/default.html",
  281. );
  282. MetaModel::Init_Params($aParams);
  283. //MetaModel::Init_InheritAttributes();
  284. MetaModel::Init_AddAttribute(new AttributeExternalKey("userid", array("targetclass"=>"URP_Users", "jointype"=> "", "label"=>"User", "description"=>"user account", "allowed_values"=>null, "sql"=>"userid", "is_null_allowed"=>false, "depends_on"=>array())));
  285. MetaModel::Init_AddAttribute(new AttributeExternalField("userlogin", array("label"=>"Login", "description"=>"User's login", "allowed_values"=>null, "extkey_attcode"=> 'userid', "target_attcode"=>"login")));
  286. MetaModel::Init_AddAttribute(new AttributeExternalKey("profileid", array("targetclass"=>"URP_Profiles", "jointype"=> "", "label"=>"Profile", "description"=>"usage profile", "allowed_values"=>null, "sql"=>"profileid", "is_null_allowed"=>false, "depends_on"=>array())));
  287. MetaModel::Init_AddAttribute(new AttributeExternalField("profile", array("label"=>"Profile", "description"=>"Profile name", "allowed_values"=>null, "extkey_attcode"=> 'profileid', "target_attcode"=>"name")));
  288. MetaModel::Init_AddAttribute(new AttributeString("reason", array("label"=>"Reason", "description"=>"explain why this person may have this role", "allowed_values"=>null, "sql"=>"description", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array())));
  289. //MetaModel::Init_InheritFilters();
  290. MetaModel::Init_AddFilterFromAttribute("userid");
  291. MetaModel::Init_AddFilterFromAttribute("profileid");
  292. // Display lists
  293. MetaModel::Init_SetZListItems('details', array('userid', 'profileid', 'reason')); // Attributes to be displayed for the complete details
  294. MetaModel::Init_SetZListItems('list', array('userid', 'profileid', 'reason')); // Attributes to be displayed for a list
  295. // Search criteria
  296. MetaModel::Init_SetZListItems('standard_search', array('userid', 'profileid')); // Criteria of the std search form
  297. MetaModel::Init_SetZListItems('advanced_search', array('userid', 'profileid')); // Criteria of the advanced search form
  298. }
  299. }
  300. class URP_ProfileProjection extends UserRightsBaseClass
  301. {
  302. public static function Init()
  303. {
  304. $aParams = array
  305. (
  306. "category" => "addon/userrights",
  307. "name" => "profile_projection",
  308. "description" => "profile projections",
  309. "key_type" => "autoincrement",
  310. "key_label" => "",
  311. "name_attcode" => "profileid",
  312. "state_attcode" => "",
  313. "reconc_keys" => array(),
  314. "db_table" => "priv_urp_profileprojection",
  315. "db_key_field" => "id",
  316. "db_finalclass_field" => "",
  317. "display_template" => "../business/templates/default.html",
  318. );
  319. MetaModel::Init_Params($aParams);
  320. //MetaModel::Init_InheritAttributes();
  321. MetaModel::Init_AddAttribute(new AttributeExternalKey("dimensionid", array("targetclass"=>"URP_Dimensions", "jointype"=> "", "label"=>"Dimension", "description"=>"application dimension", "allowed_values"=>null, "sql"=>"dimensionid", "is_null_allowed"=>false, "depends_on"=>array())));
  322. MetaModel::Init_AddAttribute(new AttributeExternalField("dimension", array("label"=>"Dimension", "description"=>"application dimension", "allowed_values"=>null, "extkey_attcode"=> 'dimensionid', "target_attcode"=>"name")));
  323. MetaModel::Init_AddAttribute(new AttributeExternalKey("profileid", array("targetclass"=>"URP_Profiles", "jointype"=> "", "label"=>"Profile", "description"=>"usage profile", "allowed_values"=>null, "sql"=>"profileid", "is_null_allowed"=>false, "depends_on"=>array())));
  324. MetaModel::Init_AddAttribute(new AttributeExternalField("profile", array("label"=>"Profile", "description"=>"Profile name", "allowed_values"=>null, "extkey_attcode"=> 'profileid', "target_attcode"=>"name")));
  325. MetaModel::Init_AddAttribute(new AttributeString("value", array("label"=>"Value expression", "description"=>"OQL expression (using \$user) | constant | <any> | <user>+attribute code", "allowed_values"=>null, "sql"=>"value", "default_value"=>"", "is_null_allowed"=>false, "depends_on"=>array())));
  326. MetaModel::Init_AddAttribute(new AttributeString("attribute", array("label"=>"Attribute", "description"=>"Target attribute code (optional)", "allowed_values"=>null, "sql"=>"attribute", "default_value"=>"", "is_null_allowed"=>false, "depends_on"=>array())));
  327. //MetaModel::Init_InheritFilters();
  328. MetaModel::Init_AddFilterFromAttribute("dimensionid");
  329. MetaModel::Init_AddFilterFromAttribute("profileid");
  330. // Display lists
  331. MetaModel::Init_SetZListItems('details', array('dimensionid', 'profileid', 'value', 'attribute')); // Attributes to be displayed for the complete details
  332. MetaModel::Init_SetZListItems('list', array('dimensionid', 'profileid', 'value', 'attribute')); // Attributes to be displayed for a list
  333. // Search criteria
  334. MetaModel::Init_SetZListItems('standard_search', array('dimensionid', 'profileid')); // Criteria of the std search form
  335. MetaModel::Init_SetZListItems('advanced_search', array('dimensionid', 'profileid')); // Criteria of the advanced search form
  336. }
  337. public function ProjectUser(URP_Users $oUser)
  338. {
  339. $sExpr = $this->Get('value');
  340. if ($sExpr == '<user>')
  341. {
  342. $sColumn = $this->Get('attribute');
  343. if (empty($sColumn))
  344. {
  345. $aRes = array($oUser->GetKey());
  346. }
  347. else
  348. {
  349. $aRes = array($oUser->Get($sColumn));
  350. }
  351. }
  352. elseif ($sExpr == '<any>')
  353. {
  354. $aRes = null;
  355. }
  356. elseif (strtolower(substr($sExpr, 0, 6)) == 'select')
  357. {
  358. $sColumn = $this->Get('attribute');
  359. // SELECT...
  360. $oValueSetDef = new ValueSetObjects($sExpr, $sColumn);
  361. $aValues = $oValueSetDef->GetValues(array('user' => $oUser), '');
  362. $aRes = array_keys($aValues);
  363. }
  364. else
  365. {
  366. // Constant value(s)
  367. $aRes = explode(';', trim($sExpr));
  368. }
  369. return $aRes;
  370. }
  371. }
  372. class URP_ClassProjection extends UserRightsBaseClass
  373. {
  374. public static function Init()
  375. {
  376. $aParams = array
  377. (
  378. "category" => "addon/userrights",
  379. "name" => "class_projection",
  380. "description" => "class projections",
  381. "key_type" => "autoincrement",
  382. "key_label" => "",
  383. "name_attcode" => "dimensionid",
  384. "state_attcode" => "",
  385. "reconc_keys" => array(),
  386. "db_table" => "priv_urp_classprojection",
  387. "db_key_field" => "id",
  388. "db_finalclass_field" => "",
  389. "display_template" => "../business/templates/default.html",
  390. );
  391. MetaModel::Init_Params($aParams);
  392. //MetaModel::Init_InheritAttributes();
  393. MetaModel::Init_AddAttribute(new AttributeExternalKey("dimensionid", array("targetclass"=>"URP_Dimensions", "jointype"=> "", "label"=>"Dimension", "description"=>"application dimension", "allowed_values"=>null, "sql"=>"dimensionid", "is_null_allowed"=>false, "depends_on"=>array())));
  394. MetaModel::Init_AddAttribute(new AttributeExternalField("dimension", array("label"=>"Dimension", "description"=>"application dimension", "allowed_values"=>null, "extkey_attcode"=> 'dimensionid', "target_attcode"=>"name")));
  395. MetaModel::Init_AddAttribute(new AttributeString("class", array("label"=>"Class", "description"=>"Target class", "allowed_values"=>null, "sql"=>"class", "default_value"=>"", "is_null_allowed"=>false, "depends_on"=>array())));
  396. MetaModel::Init_AddAttribute(new AttributeString("value", array("label"=>"Value expression", "description"=>"OQL expression (using \$this) | constant | <any> | <this>+attribute code", "allowed_values"=>null, "sql"=>"value", "default_value"=>"", "is_null_allowed"=>false, "depends_on"=>array())));
  397. MetaModel::Init_AddAttribute(new AttributeString("attribute", array("label"=>"Attribute", "description"=>"Target attribute code (optional)", "allowed_values"=>null, "sql"=>"attribute", "default_value"=>"", "is_null_allowed"=>false, "depends_on"=>array())));
  398. //MetaModel::Init_InheritFilters();
  399. MetaModel::Init_AddFilterFromAttribute("dimensionid");
  400. // #@# verifier
  401. MetaModel::Init_AddFilterFromAttribute("class");
  402. // Display lists
  403. MetaModel::Init_SetZListItems('details', array('dimensionid', 'class', 'value', 'attribute')); // Attributes to be displayed for the complete details
  404. MetaModel::Init_SetZListItems('list', array('dimensionid', 'class', 'value', 'attribute')); // Attributes to be displayed for a list
  405. // Search criteria
  406. MetaModel::Init_SetZListItems('standard_search', array('dimensionid', 'class')); // Criteria of the std search form
  407. MetaModel::Init_SetZListItems('advanced_search', array('dimensionid', 'class')); // Criteria of the advanced search form
  408. }
  409. public function ProjectObject($oObject)
  410. {
  411. $sExpr = $this->Get('value');
  412. if ($sExpr == '<this>')
  413. {
  414. $sColumn = $this->Get('attribute');
  415. if (empty($sColumn))
  416. {
  417. $aRes = array($oObject->GetKey());
  418. }
  419. else
  420. {
  421. $aRes = array($oObject->Get($sColumn));
  422. }
  423. }
  424. elseif ($sExpr == '<any>')
  425. {
  426. $aRes = null;
  427. }
  428. elseif (strtolower(substr($sExpr, 0, 6)) == 'select')
  429. {
  430. $sColumn = $this->Get('attribute');
  431. // SELECT...
  432. $oValueSetDef = new ValueSetObjects($sExpr, $sColumn);
  433. $aValues = $oValueSetDef->GetValues(array('this' => $oObject), '');
  434. $aRes = array_keys($aValues);
  435. }
  436. elseif ($sExpr == '<any>')
  437. {
  438. $aRes = null;
  439. }
  440. else
  441. {
  442. // Constant value(s)
  443. $aRes = explode(';', trim($sExpr));
  444. }
  445. return $aRes;
  446. }
  447. }
  448. class URP_ActionGrant extends UserRightsBaseClass
  449. {
  450. public static function Init()
  451. {
  452. $aParams = array
  453. (
  454. "category" => "addon/userrights",
  455. "name" => "action_permission",
  456. "description" => "permissions on classes",
  457. "key_type" => "autoincrement",
  458. "key_label" => "",
  459. "name_attcode" => "profileid",
  460. "state_attcode" => "",
  461. "reconc_keys" => array(),
  462. "db_table" => "priv_urp_grant_actions",
  463. "db_key_field" => "id",
  464. "db_finalclass_field" => "",
  465. "display_template" => "../business/templates/default.html",
  466. );
  467. MetaModel::Init_Params($aParams);
  468. //MetaModel::Init_InheritAttributes();
  469. // Common to all grant classes (could be factorized by class inheritence, but this has to be benchmarked)
  470. MetaModel::Init_AddAttribute(new AttributeExternalKey("profileid", array("targetclass"=>"URP_Profiles", "jointype"=> "", "label"=>"Profile", "description"=>"usage profile", "allowed_values"=>null, "sql"=>"profileid", "is_null_allowed"=>false, "depends_on"=>array())));
  471. MetaModel::Init_AddAttribute(new AttributeExternalField("profile", array("label"=>"Profile", "description"=>"usage profile", "allowed_values"=>null, "extkey_attcode"=> 'profileid', "target_attcode"=>"name")));
  472. MetaModel::Init_AddAttribute(new AttributeString("class", array("label"=>"Class", "description"=>"class name", "allowed_values"=>null, "sql"=>"class", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array())));
  473. MetaModel::Init_AddAttribute(new AttributeEnum("permission", array("label"=>"Permission", "description"=>"allowed or not allowed?", "allowed_values"=>new ValueSetEnum('yes,no'), "sql"=>"permission", "default_value"=>"yes", "is_null_allowed"=>false, "depends_on"=>array())));
  474. MetaModel::Init_AddAttribute(new AttributeString("action", array("label"=>"Action", "description"=>"operations to perform on the given class", "allowed_values"=>null, "sql"=>"action", "default_value"=>"", "is_null_allowed"=>false, "depends_on"=>array())));
  475. //MetaModel::Init_InheritFilters();
  476. // Common to all grant classes (could be factorized by class inheritence, but this has to be benchmarked)
  477. MetaModel::Init_AddFilterFromAttribute("profileid");
  478. MetaModel::Init_AddFilterFromAttribute("profile");
  479. MetaModel::Init_AddFilterFromAttribute("class");
  480. MetaModel::Init_AddFilterFromAttribute("permission");
  481. MetaModel::Init_AddFilterFromAttribute("action");
  482. // Display lists
  483. MetaModel::Init_SetZListItems('details', array('profileid', 'class', 'permission', 'action')); // Attributes to be displayed for the complete details
  484. MetaModel::Init_SetZListItems('list', array('profileid', 'class', 'permission', 'action')); // Attributes to be displayed for a list
  485. // Search criteria
  486. MetaModel::Init_SetZListItems('standard_search', array('profileid', 'class', 'permission', 'action')); // Criteria of the std search form
  487. MetaModel::Init_SetZListItems('advanced_search', array('profileid', 'class', 'permission', 'action')); // Criteria of the advanced search form
  488. }
  489. }
  490. class URP_StimulusGrant extends UserRightsBaseClass
  491. {
  492. public static function Init()
  493. {
  494. $aParams = array
  495. (
  496. "category" => "addon/userrights",
  497. "name" => "stimulus_permission",
  498. "description" => "permissions on stimilus in the life cycle of the object",
  499. "key_type" => "autoincrement",
  500. "key_label" => "",
  501. "name_attcode" => "profileid",
  502. "state_attcode" => "",
  503. "reconc_keys" => array(),
  504. "db_table" => "priv_urp_grant_stimulus",
  505. "db_key_field" => "id",
  506. "db_finalclass_field" => "",
  507. "display_template" => "../business/templates/default.html",
  508. );
  509. MetaModel::Init_Params($aParams);
  510. //MetaModel::Init_InheritAttributes();
  511. // Common to all grant classes (could be factorized by class inheritence, but this has to be benchmarked)
  512. MetaModel::Init_AddAttribute(new AttributeExternalKey("profileid", array("targetclass"=>"URP_Profiles", "jointype"=> "", "label"=>"Profile", "description"=>"usage profile", "allowed_values"=>null, "sql"=>"profileid", "is_null_allowed"=>false, "depends_on"=>array())));
  513. MetaModel::Init_AddAttribute(new AttributeExternalField("profile", array("label"=>"Profile", "description"=>"usage profile", "allowed_values"=>null, "extkey_attcode"=> 'profileid', "target_attcode"=>"name")));
  514. MetaModel::Init_AddAttribute(new AttributeString("class", array("label"=>"Class", "description"=>"class name", "allowed_values"=>null, "sql"=>"class", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array())));
  515. MetaModel::Init_AddAttribute(new AttributeEnum("permission", array("label"=>"Permission", "description"=>"allowed or not allowed?", "allowed_values"=>new ValueSetEnum('yes,no'), "sql"=>"permission", "default_value"=>"yes", "is_null_allowed"=>false, "depends_on"=>array())));
  516. MetaModel::Init_AddAttribute(new AttributeString("stimulus", array("label"=>"Stimulus", "description"=>"stimulus code", "allowed_values"=>null, "sql"=>"action", "default_value"=>"", "is_null_allowed"=>false, "depends_on"=>array())));
  517. //MetaModel::Init_InheritFilters();
  518. // Common to all grant classes (could be factorized by class inheritence, but this has to be benchmarked)
  519. MetaModel::Init_AddFilterFromAttribute("profileid");
  520. MetaModel::Init_AddFilterFromAttribute("profile");
  521. MetaModel::Init_AddFilterFromAttribute("class");
  522. MetaModel::Init_AddFilterFromAttribute("permission");
  523. MetaModel::Init_AddFilterFromAttribute("stimulus");
  524. // Display lists
  525. MetaModel::Init_SetZListItems('details', array('profileid', 'class', 'permission', 'stimulus')); // Attributes to be displayed for the complete details
  526. MetaModel::Init_SetZListItems('list', array('profileid', 'class', 'permission', 'stimulus')); // Attributes to be displayed for a list
  527. // Search criteria
  528. MetaModel::Init_SetZListItems('standard_search', array('profileid', 'class', 'permission', 'stimulus')); // Criteria of the std search form
  529. MetaModel::Init_SetZListItems('advanced_search', array('profileid', 'class', 'permission', 'stimulus')); // Criteria of the advanced search form
  530. }
  531. }
  532. class URP_AttributeGrant extends UserRightsBaseClass
  533. {
  534. public static function Init()
  535. {
  536. $aParams = array
  537. (
  538. "category" => "addon/userrights",
  539. "name" => "attribute_permission",
  540. "description" => "permissions at the attributes level",
  541. "key_type" => "autoincrement",
  542. "key_label" => "",
  543. "name_attcode" => "actiongrantid",
  544. "state_attcode" => "",
  545. "reconc_keys" => array(),
  546. "db_table" => "priv_urp_grant_attributes",
  547. "db_key_field" => "id",
  548. "db_finalclass_field" => "",
  549. "display_template" => "../business/templates/default.html",
  550. );
  551. MetaModel::Init_Params($aParams);
  552. //MetaModel::Init_InheritAttributes();
  553. MetaModel::Init_AddAttribute(new AttributeExternalKey("actiongrantid", array("targetclass"=>"URP_ActionGrant", "jointype"=> "", "label"=>"Action grant", "description"=>"action grant", "allowed_values"=>null, "sql"=>"actiongrantid", "is_null_allowed"=>false, "depends_on"=>array())));
  554. MetaModel::Init_AddAttribute(new AttributeString("attcode", array("label"=>"Attribute", "description"=>"attribute code", "allowed_values"=>null, "sql"=>"attcode", "default_value"=>null, "is_null_allowed"=>false, "depends_on"=>array())));
  555. //MetaModel::Init_InheritFilters();
  556. MetaModel::Init_AddFilterFromAttribute("actiongrantid");
  557. MetaModel::Init_AddFilterFromAttribute("attcode");
  558. // Display lists
  559. MetaModel::Init_SetZListItems('details', array('actiongrantid', 'attcode')); // Attributes to be displayed for the complete details
  560. MetaModel::Init_SetZListItems('list', array('actiongrantid', 'attcode')); // Attributes to be displayed for a list
  561. // Search criteria
  562. MetaModel::Init_SetZListItems('standard_search', array('actiongrantid', 'attcode')); // Criteria of the std search form
  563. MetaModel::Init_SetZListItems('advanced_search', array('actiongrantid', 'attcode')); // Criteria of the advanced search form
  564. }
  565. }
  566. class UserRightsProfile extends UserRightsAddOnAPI
  567. {
  568. static public $m_aActionCodes = array(
  569. UR_ACTION_READ => 'read',
  570. UR_ACTION_MODIFY => 'modify',
  571. UR_ACTION_DELETE => 'delete',
  572. UR_ACTION_BULK_READ => 'bulk read',
  573. UR_ACTION_BULK_MODIFY => 'bulk modify',
  574. UR_ACTION_BULK_DELETE => 'bulk delete',
  575. );
  576. // Installation: create the very first user
  577. public function CreateAdministrator($sAdminUser, $sAdminPwd)
  578. {
  579. $oOrg = new bizOrganization();
  580. $oOrg->Set('name', 'My Company/Department');
  581. $oOrg->Set('code', 'SOMECODE');
  582. $oOrg->Set('status', 'implementation');
  583. //$oOrg->Set('parent_id', xxx);
  584. $iOrgId = $oOrg->DBInsertNoReload();
  585. // Location : optional
  586. //$oLocation = new bizLocation();
  587. //$oLocation->Set('name', 'MyOffice');
  588. //$oLocation->Set('status', 'implementation');
  589. //$oLocation->Set('org_id', $iOrgId);
  590. //$oLocation->Set('severity', 'high');
  591. //$oLocation->Set('address', 'my building in my city');
  592. //$oLocation->Set('country', 'my country');
  593. //$oLocation->Set('parent_location_id', xxx);
  594. //$iLocationId = $oLocation->DBInsertNoReload();
  595. $oContact = new bizPerson();
  596. $oContact->Set('name', 'My last name');
  597. $oContact->Set('first_name', 'My first name');
  598. $oContact->Set('status', 'available');
  599. $oContact->Set('org_id', $iOrgId);
  600. $oContact->Set('email', 'my.email@foo.org');
  601. $oContact->Set('phone', '');
  602. //$oContact->Set('location_id', $iLocationId);
  603. $oContact->Set('employee_number', '');
  604. $iContactId = $oContact->DBInsertNoReload();
  605. $oUser = new URP_Users();
  606. $oUser->Set('login', $sAdminUser);
  607. $oUser->Set('password', $sAdminPwd);
  608. $oUser->Set('userid', $iContactId);
  609. $iUserId = $oUser->DBInsertNoReload();
  610. // Add this user to the very specific 'admin' profile
  611. $oUserProfile = new URP_UserProfile();
  612. $oUserProfile->Set('userid', $iUserId);
  613. $oUserProfile->Set('profileid', ADMIN_PROFILE_ID);
  614. $oUserProfile->Set('reason', 'By definition, the administrator must have the administrator profile');
  615. $oUserProfile->DBInsertNoReload();
  616. return true;
  617. }
  618. public function IsAdministrator($iUserId)
  619. {
  620. if (in_array($iUserId, $this->m_aAdmins))
  621. {
  622. return true;
  623. }
  624. else
  625. {
  626. return false;
  627. }
  628. }
  629. public function Setup()
  630. {
  631. SetupITILProfiles::DoCreateDimensions();
  632. SetupITILProfiles::DoCreateProfiles();
  633. return true;
  634. }
  635. public function Init()
  636. {
  637. MetaModel::RegisterPlugin('userrights', 'ACbyProfile', array($this, 'CacheData'));
  638. }
  639. protected $m_aUsers = array(); // id -> object
  640. protected $m_aDimensions = array(); // id -> object
  641. protected $m_aClassProj = array(); // class,dimensionid -> object
  642. protected $m_aProfiles = array(); // id -> object
  643. protected $m_aUserProfiles = array(); // userid,profileid -> object
  644. protected $m_aProPro = array(); // profileid,dimensionid -> object
  645. protected $m_aLogin2UserId = array(); // login -> id
  646. protected $m_aAdmins = array(); // id of users being linked to the well-known admin profile
  647. protected $m_aClassActionGrants = array(); // profile, class, action -> permission
  648. protected $m_aClassStimulusGrants = array(); // profile, class, stimulus -> permission
  649. protected $m_aObjectActionGrants = array(); // userid, class, id, action -> permission, list of attributes
  650. public function CacheData()
  651. {
  652. // Could be loaded in a shared memory (?)
  653. $oUserSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT URP_Users"));
  654. while ($oUser = $oUserSet->Fetch())
  655. {
  656. $this->m_aUsers[$oUser->GetKey()] = $oUser;
  657. $this->m_aLogin2UserId[$oUser->Get('login')] = $oUser->GetKey();
  658. }
  659. $oDimensionSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT URP_Dimensions"));
  660. while ($oDimension = $oDimensionSet->Fetch())
  661. {
  662. $this->m_aDimensions[$oDimension->GetKey()] = $oDimension;
  663. }
  664. $oClassProjSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT URP_ClassProjection"));
  665. while ($oClassProj = $oClassProjSet->Fetch())
  666. {
  667. $this->m_aClassProjs[$oClassProj->Get('class')][$oClassProj->Get('dimensionid')] = $oClassProj;
  668. }
  669. $oProfileSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT URP_Profiles"));
  670. while ($oProfile = $oProfileSet->Fetch())
  671. {
  672. $this->m_aProfiles[$oProfile->GetKey()] = $oProfile;
  673. }
  674. $oUserProfileSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT URP_UserProfile"));
  675. while ($oUserProfile = $oUserProfileSet->Fetch())
  676. {
  677. $this->m_aUserProfiles[$oUserProfile->Get('userid')][$oUserProfile->Get('profileid')] = $oUserProfile;
  678. if ($oUserProfile->Get('profileid') == ADMIN_PROFILE_ID)
  679. {
  680. $this->m_aAdmins[] = $oUserProfile->Get('userid');
  681. }
  682. }
  683. $oProProSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT URP_ProfileProjection"));
  684. while ($oProPro = $oProProSet->Fetch())
  685. {
  686. $this->m_aProPros[$oProPro->Get('profileid')][$oProPro->Get('dimensionid')] = $oProPro;
  687. }
  688. /*
  689. echo "<pre>\n";
  690. print_r($this->m_aUsers);
  691. print_r($this->m_aDimensions);
  692. print_r($this->m_aClassProjs);
  693. print_r($this->m_aProfiles);
  694. print_r($this->m_aUserProfiles);
  695. print_r($this->m_aProPros);
  696. echo "</pre>\n";
  697. exit;
  698. */
  699. return true;
  700. }
  701. public function CheckCredentials($sUserName, $sPassword)
  702. {
  703. $oSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT URP_Users WHERE login = :login"), array(), array('login' => $sUserName));
  704. if ($oSet->Count() < 1)
  705. {
  706. // todo: throw an exception?
  707. return false;
  708. }
  709. $oUser = $oSet->Fetch();
  710. if ($oUser->Get('password') == $sPassword)
  711. {
  712. return $oUser->GetKey();
  713. }
  714. // todo: throw an exception?
  715. return false;
  716. }
  717. public function GetUserId($sUserName)
  718. {
  719. if (array_key_exists($sUserName, $this->m_aLogin2UserId))
  720. {
  721. // This happens really when the list of users is being loaded into the cache!!!
  722. $iUserId = $this->m_aLogin2UserId[$sUserName];
  723. return $iUserId;
  724. }
  725. return null;
  726. }
  727. public function GetContactId($sUserName)
  728. {
  729. if (array_key_exists($sUserName, $this->m_aLogin2UserId))
  730. {
  731. // This happens really when the list of users is being loaded into the cache!!!
  732. $iUserId = $this->m_aLogin2UserId[$sUserName];
  733. $oUser = $this->m_aUsers[$iUserId];
  734. return $oUser->Get('userid');
  735. }
  736. return null;
  737. }
  738. public function GetFilter($sUserName, $sClass)
  739. {
  740. $oNullFilter = new DBObjectSearch($sClass);
  741. return $oNullFilter;
  742. }
  743. // This verb has been made public to allow the development of an accurate feedback for the current configuration
  744. public function GetClassActionGrant($iProfile, $sClass, $sAction)
  745. {
  746. if (isset($this->m_aClassActionGrants[$iProfile][$sClass][$sAction]))
  747. {
  748. return $this->m_aClassActionGrants[$iProfile][$sClass][$sAction];
  749. }
  750. // Get the permission for this profile/class/action
  751. $oSearch = DBObjectSearch::FromOQL("SELECT URP_ActionGrant WHERE class = :class AND action = :action AND profileid = :profile AND permission = 'yes'");
  752. $oSet = new DBObjectSet($oSearch, array(), array('class'=>$sClass, 'action'=>$sAction, 'profile'=>$iProfile));
  753. if ($oSet->Count() >= 1)
  754. {
  755. $oGrantRecord = $oSet->Fetch();
  756. }
  757. else
  758. {
  759. $sParentClass = MetaModel::GetParentPersistentClass($sClass);
  760. if (empty($sParentClass))
  761. {
  762. $oGrantRecord = null;
  763. }
  764. else
  765. {
  766. $oGrantRecord = $this->GetClassActionGrant($iProfile, $sParentClass, $sAction);
  767. }
  768. }
  769. $this->m_aClassActionGrants[$iProfile][$sClass][$sAction] = $oGrantRecord;
  770. return $oGrantRecord;
  771. }
  772. protected function GetObjectActionGrant($oUser, $sClass, $iActionCode, $oObject)
  773. {
  774. // load and cache permissions for the current user on the given object
  775. //
  776. $aTest = @$this->m_aObjectActionGrants[$oUser->GetKey()][$sClass][$oObject->GetKey][$iActionCode];
  777. if (is_array($aTest)) return $aTest;
  778. $sAction = self::$m_aActionCodes[$iActionCode];
  779. $iInstancePermission = UR_ALLOWED_NO;
  780. $aAttributes = array();
  781. foreach($this->GetMatchingProfiles($oUser, $oObject) as $iProfile)
  782. {
  783. $oGrantRecord = $this->GetClassActionGrant($iProfile, $sClass, $sAction);
  784. if (is_null($oGrantRecord))
  785. {
  786. continue; // loop to the next profile
  787. }
  788. else
  789. {
  790. $iInstancePermission = UR_ALLOWED_YES;
  791. // update the list of attributes with those allowed for this profile
  792. //
  793. $oSearch = DBObjectSearch::FromOQL("SELECT URP_AttributeGrant WHERE actiongrantid = :actiongrantid");
  794. $oSet = new DBObjectSet($oSearch, array(), array('actiongrantid' => $oGrantRecord->GetKey()));
  795. $aProfileAttributes = $oSet->GetColumnAsArray('attcode', false);
  796. if (count($aProfileAttributes) == 0)
  797. {
  798. $aAllAttributes = array_keys(MetaModel::ListAttributeDefs($sClass));
  799. $aAttributes = array_merge($aAttributes, $aAllAttributes);
  800. }
  801. else
  802. {
  803. $aAttributes = array_merge($aAttributes, $aProfileAttributes);
  804. }
  805. }
  806. }
  807. $aRes = array(
  808. 'permission' => $iInstancePermission,
  809. 'attributes' => $aAttributes,
  810. );
  811. $this->m_aObjectActionGrants[$oUser->GetKey()][$sClass][$oObject->GetKey()][$iActionCode] = $aRes;
  812. return $aRes;
  813. }
  814. public function IsActionAllowed($iUserId, $sClass, $iActionCode, dbObjectSet $oInstances)
  815. {
  816. if ($this->IsAdministrator($iUserId)) return true;
  817. $oUser = $this->m_aUsers[$iUserId];
  818. $oInstances->Rewind();
  819. while($oObject = $oInstances->Fetch())
  820. {
  821. $aObjectPermissions = $this->GetObjectActionGrant($oUser, $sClass, $iActionCode, $oObject);
  822. $iInstancePermission = $aObjectPermissions['permission'];
  823. if (isset($iGlobalPermission))
  824. {
  825. if ($iInstancePermission != $iGlobalPermission)
  826. {
  827. $iGlobalPermission = UR_ALLOWED_DEPENDS;
  828. break;
  829. }
  830. }
  831. else
  832. {
  833. $iGlobalPermission = $iInstancePermission;
  834. }
  835. }
  836. $oInstances->Rewind();
  837. if (isset($iGlobalPermission))
  838. {
  839. return $iGlobalPermission;
  840. }
  841. else
  842. {
  843. return UR_ALLOWED_NO;
  844. }
  845. }
  846. public function IsActionAllowedOnAttribute($iUserId, $sClass, $sAttCode, $iActionCode, dbObjectSet $oInstances)
  847. {
  848. if ($this->IsAdministrator($iUserId)) return true;
  849. $oUser = $this->m_aUsers[$iUserId];
  850. $oInstances->Rewind();
  851. while($oObject = $oInstances->Fetch())
  852. {
  853. $aObjectPermissions = $this->GetObjectActionGrant($oUser, $sClass, $iActionCode, $oObject);
  854. $aAttributes = $aObjectPermissions['attributes'];
  855. if (in_array($sAttCode, $aAttributes))
  856. {
  857. $iInstancePermission = $aObjectPermissions['permission'];
  858. }
  859. else
  860. {
  861. $iInstancePermission = UR_ALLOWED_NO;
  862. }
  863. if (isset($iGlobalPermission))
  864. {
  865. if ($iInstancePermission != $iGlobalPermission)
  866. {
  867. $iGlobalPermission = UR_ALLOWED_DEPENDS;
  868. }
  869. }
  870. else
  871. {
  872. $iGlobalPermission = $iInstancePermission;
  873. }
  874. }
  875. $oInstances->Rewind();
  876. if (isset($iGlobalPermission))
  877. {
  878. return $iGlobalPermission;
  879. }
  880. else
  881. {
  882. return UR_ALLOWED_NO;
  883. }
  884. }
  885. // This verb has been made public to allow the development of an accurate feedback for the current configuration
  886. public function GetClassStimulusGrant($iProfile, $sClass, $sStimulusCode)
  887. {
  888. if (isset($this->m_aClassStimulusGrants[$iProfile][$sClass][$sStimulusCode]))
  889. {
  890. return $this->m_aClassStimulusGrants[$iProfile][$sClass][$sStimulusCode];
  891. }
  892. // Get the permission for this profile/class/stimulus
  893. $oSearch = DBObjectSearch::FromOQL("SELECT URP_StimulusGrant WHERE class = :class AND stimulus = :stimulus AND profileid = :profile AND permission = 'yes'");
  894. $oSet = new DBObjectSet($oSearch, array(), array('class'=>$sClass, 'stimulus'=>$sStimulusCode, 'profile'=>$iProfile));
  895. if ($oSet->Count() >= 1)
  896. {
  897. $oGrantRecord = $oSet->Fetch();
  898. }
  899. else
  900. {
  901. $oGrantRecord = null;
  902. }
  903. $this->m_aClassStimulusGrants[$iProfile][$sClass][$sStimulusCode] = $oGrantRecord;
  904. return $oGrantRecord;
  905. }
  906. public function IsStimulusAllowed($iUserId, $sClass, $sStimulusCode, dbObjectSet $oInstances)
  907. {
  908. if ($this->IsAdministrator($iUserId)) return true;
  909. $oUser = $this->m_aUsers[$iUserId];
  910. // Note: this code is VERY close to the code of IsActionAllowed()
  911. $oInstances->Rewind();
  912. while($oObject = $oInstances->Fetch())
  913. {
  914. $iInstancePermission = UR_ALLOWED_NO;
  915. foreach($this->GetMatchingProfiles($oUser, $oObject) as $iProfile)
  916. {
  917. // Get the permission for this profile/class/stimulus
  918. $oSearch = DBObjectSearch::FromOQL("SELECT URP_StimulusGrant WHERE class = :class AND stimulus = :stimulus AND profileid = :profile AND permission = 'yes'");
  919. $oSet = new DBObjectSet($oSearch, array(), array('class'=>$sClass, 'stimulus'=>$sStimulusCode, 'profile'=>$iProfile));
  920. if ($oSet->Count() < 1)
  921. {
  922. return UR_ALLOWED_NO;
  923. }
  924. // no need to fetch the record, we've requested the records having permission = 'yes'
  925. $iInstancePermission = UR_ALLOWED_YES;
  926. }
  927. if (isset($iGlobalPermission))
  928. {
  929. if ($iInstancePermission != $iGlobalPermission)
  930. {
  931. $iGlobalPermission = UR_ALLOWED_DEPENDS;
  932. }
  933. }
  934. else
  935. {
  936. $iGlobalPermission = $iInstancePermission;
  937. }
  938. }
  939. $oInstances->Rewind();
  940. if (isset($iGlobalPermission))
  941. {
  942. return $iGlobalPermission;
  943. }
  944. else
  945. {
  946. return UR_ALLOWED_NO;
  947. }
  948. }
  949. protected function GetMatchingProfilesByDim($oUser, $oObject, $oDimension)
  950. {
  951. //
  952. // List profiles for which the user projection overlaps the object projection in the given dimension
  953. //
  954. $iUser = $oUser->GetKey();
  955. $sClass = get_class($oObject);
  956. $iPKey = $oObject->GetKey();
  957. $iDimension = $oDimension->GetKey();
  958. $aObjectProjection = $this->m_aClassProjs[$sClass][$iDimension]->ProjectObject($oObject);
  959. $aRes = array();
  960. if (array_key_exists($iUser, $this->m_aUserProfiles) > 0)
  961. {
  962. foreach ($this->m_aUserProfiles[$iUser] as $iProfile => $oProfile)
  963. {
  964. if (is_null($aObjectProjection))
  965. {
  966. $aRes[] = $iProfile;
  967. }
  968. else
  969. {
  970. // user projection to be cached on a given page !
  971. $aUserProjection = $this->m_aProPros[$iProfile][$iDimension]->ProjectUser($oUser);
  972. if (is_null($aUserProjection))
  973. {
  974. $aRes[] = $iProfile;
  975. }
  976. else
  977. {
  978. $aMatchingValues = array_intersect($aObjectProjection, $aUserProjection);
  979. if (count($aMatchingValues) > 0)
  980. {
  981. $aRes[] = $iProfile;
  982. }
  983. }
  984. }
  985. }
  986. }
  987. return $aRes;
  988. }
  989. protected $m_aMatchingProfiles = array(); // cache of the matching profiles for a given user/object
  990. protected function GetMatchingProfiles($oUser, $oObject)
  991. {
  992. $iUser = $oUser->GetKey();
  993. $sClass = get_class($oObject);
  994. $iObject = $oObject->GetKey();
  995. //
  996. // List profiles for which the user projection overlaps the object projection in each and every dimension
  997. // Caches the result
  998. //
  999. $aTest = @$this->m_aMatchingProfiles[$iUser][$sClass][$iObject];
  1000. if (is_array($aTest))
  1001. {
  1002. return $aTest;
  1003. }
  1004. $aProfileRes = array();
  1005. foreach ($this->m_aDimensions as $iDimension => $oDimension)
  1006. {
  1007. foreach ($this->GetMatchingProfilesByDim($oUser, $oObject, $oDimension) as $iProfile)
  1008. {
  1009. @$aProfileRes[$iProfile] += 1;
  1010. }
  1011. }
  1012. $aRes = array();
  1013. $iDimCount = count($this->m_aDimensions);
  1014. foreach ($aProfileRes as $iProfile => $iMatches)
  1015. {
  1016. if ($iMatches == $iDimCount)
  1017. {
  1018. $aRes[] = $iProfile;
  1019. }
  1020. }
  1021. $this->m_aMatchingProfiles[$iUser][$sClass][$iObject] = $aRes;
  1022. return $aRes;
  1023. }
  1024. }
  1025. //
  1026. // Here is the code that will create some profiles into our user management model, given an ITIL representation of the user profiles
  1027. //
  1028. class SetupITILProfiles
  1029. {
  1030. /*
  1031. Later, maybe ?
  1032. protected static $m_aDimensions = array(
  1033. 'organization' => array(
  1034. 'description' => '',
  1035. 'type' => 'bizOrganization',
  1036. ),
  1037. 'site' => array(
  1038. 'description' => '',
  1039. 'type' => '',
  1040. ),
  1041. );
  1042. */
  1043. protected static $m_aDimensions = array(
  1044. 'organization' => array(
  1045. 'description' => '',
  1046. 'type' => 'bizOrganization',
  1047. ),
  1048. );
  1049. protected static $m_aActions = array(
  1050. UR_ACTION_READ => 'Read',
  1051. UR_ACTION_MODIFY => 'Modify',
  1052. UR_ACTION_DELETE => 'Delete',
  1053. UR_ACTION_BULK_READ => 'Bulk Read',
  1054. UR_ACTION_BULK_MODIFY => 'Bulk Modify',
  1055. UR_ACTION_BULK_DELETE => 'Bulk Delete',
  1056. );
  1057. // It is possible to specify the same class in several modules
  1058. //
  1059. protected static $m_aModules = array(
  1060. 'General' => array(
  1061. 'bizOrganization',
  1062. ),
  1063. 'Documentation' => array(
  1064. 'bizDocVersion',
  1065. 'lnkDocumentRealObject',
  1066. 'lnkDocumentContract',
  1067. 'lnkDocumentError',
  1068. ),
  1069. 'Configuration' => array(
  1070. 'logRealObject',
  1071. 'lnkContactRealObject',
  1072. 'lnkInterfaces',
  1073. 'ClientServerLinks',
  1074. 'lnkInfraGrouping',
  1075. ),
  1076. 'Incident' => array(
  1077. 'bizIncidentTicket',
  1078. 'lnkRelatedTicket',
  1079. 'lnkInfraTicket',
  1080. 'lnkContactTicket',
  1081. ),
  1082. 'Problem' => array(
  1083. 'bizKnownError',
  1084. 'lnkInfraError',
  1085. 'lnkDocumentError',
  1086. ),
  1087. 'Change' => array(
  1088. 'bizChangeTicket',
  1089. 'lnkInfraChangeTicket',
  1090. 'lnkContactChange',
  1091. ),
  1092. 'Service' => array(
  1093. 'bizContract',
  1094. 'lnkInfraContract',
  1095. 'lnkContactContract',
  1096. 'lnkDocumentContract',
  1097. ),
  1098. 'Call' => array(
  1099. 'bizServiceCall',
  1100. 'lnkCallTicket',
  1101. 'lnkInfraCall',
  1102. ),
  1103. );
  1104. protected static $m_aProfiles = array(
  1105. 'Configuration Manager' => array(
  1106. 'description' => 'Person in charge of the documentation of the managed CIs',
  1107. 'write_modules' => 'Documentation,Configuration',
  1108. 'stimuli' => array(
  1109. 'bizServer' => 'any',
  1110. //'bizServer' => 'ev_store,ev_ship,ev_plug,ev_configuration_finished,ev_val_failed,ev_mtp,ev_start_change,ev_end_change,ev_decomission,ev_obsolete,ev_recycle',
  1111. 'bizContract' => 'none',
  1112. 'bizIncidentTicket' => 'none',
  1113. 'bizChangeTicket' => 'none',
  1114. ),
  1115. ),
  1116. /* 'Requestor pb granularite actions (create/delete)' => array(
  1117. 'description' => 'Person notifying an incident',
  1118. 'write_modules' => 'Incident',
  1119. 'stimuli' => array(
  1120. 'bizServer' => 'none',
  1121. 'bizContract' => 'none',
  1122. 'bizIncidentTicket' => 'none',
  1123. 'bizChangeTicket' => 'none',
  1124. ),
  1125. ),
  1126. */
  1127. 'Service Desk Agent' => array(
  1128. 'description' => 'Person in charge of creating incident reports',
  1129. 'write_modules' => 'Documentation,Incident,Call',
  1130. 'stimuli' => array(
  1131. 'bizServer' => 'none',
  1132. 'bizContract' => 'none',
  1133. 'bizIncidentTicket' => 'ev_assign',
  1134. 'bizChangeTicket' => 'none',
  1135. 'bizServiceCall' => 'any',
  1136. ),
  1137. ),
  1138. 'Support Agent' => array(
  1139. 'description' => 'Person analyzing and solving the current incidents or problems',
  1140. 'write_modules' => 'Documentation,Incident,Problem',
  1141. 'stimuli' => array(
  1142. 'bizIncidentTicket' => 'any',
  1143. //'bizIncidentTicket' => 'ev_assign,ev_reassign,ev_start_working,ev_close',
  1144. ),
  1145. ),
  1146. 'Change Implementor' => array(
  1147. 'description' => 'Person executing the changes',
  1148. 'write_modules' => 'Documentation,Configuration,Change',
  1149. 'stimuli' => array(
  1150. 'bizServer' => 'none',
  1151. 'bizContract' => 'none',
  1152. 'bizIncidentTicket' => 'none',
  1153. 'bizChangeTicket' => 'ev_plan,ev_replan,ev_implement,ev_monitor',
  1154. ),
  1155. ),
  1156. 'Change Supervisor' => array(
  1157. 'description' => 'Person responsible for the overall change execution',
  1158. 'write_modules' => 'Documentation,Change',
  1159. 'stimuli' => array(
  1160. 'bizServer' => 'none',
  1161. 'bizContract' => 'none',
  1162. 'bizIncidentTicket' => 'none',
  1163. 'bizChangeTicket' => 'ev_validate,ev_reject,ev_reopen,ev_finish',
  1164. ),
  1165. ),
  1166. 'Change Approver' => array(
  1167. 'description' => 'Person who could be impacted by some changes',
  1168. 'write_modules' => 'Documentation,Change',
  1169. 'stimuli' => array(
  1170. 'bizServer' => 'none',
  1171. 'bizContract' => 'none',
  1172. 'bizIncidentTicket' => 'none',
  1173. 'bizChangeTicket' => 'ev_approve,ev_notapprove',
  1174. ),
  1175. ),
  1176. 'Service Manager' => array(
  1177. 'description' => 'Person responsible for the service delivered to the [internal] customer',
  1178. 'write_modules' => 'Documentation,Service',
  1179. 'stimuli' => array(
  1180. 'bizServer' => 'none',
  1181. 'bizContract' => 'any',
  1182. //'bizContract' => 'ev_freeze_version,ev_sign,ev_begin,ev_notice,ev_terminate,ev_elapsed',
  1183. 'bizIncidentTicket' => 'none',
  1184. 'bizChangeTicket' => 'none',
  1185. ),
  1186. ),
  1187. );
  1188. protected static function DoCreateClassProjection($iDimension, $sClass)
  1189. {
  1190. $oNewObj = MetaModel::NewObject("URP_ClassProjection");
  1191. $oNewObj->Set('dimensionid', $iDimension);
  1192. $oNewObj->Set('class', $sClass);
  1193. $oNewObj->Set('attribute', '');
  1194. $iId = $oNewObj->DBInsertNoReload();
  1195. return $iId;
  1196. }
  1197. protected static function DoCreateDimension($sName, $aDimensionData)
  1198. {
  1199. $oNewObj = MetaModel::NewObject("URP_Dimensions");
  1200. $oNewObj->Set('name', $sName);
  1201. $oNewObj->Set('description', $aDimensionData['description']);
  1202. $oNewObj->Set('type', $aDimensionData['type']);
  1203. $iId = $oNewObj->DBInsertNoReload();
  1204. return $iId;
  1205. }
  1206. protected static function DoCreateProfileProjection($iProfile, $iDimension)
  1207. {
  1208. $oNewObj = MetaModel::NewObject("URP_ProfileProjection");
  1209. $oNewObj->Set('profileid', $iProfile);
  1210. $oNewObj->Set('dimensionid', $iDimension);
  1211. $oNewObj->Set('value', '<any>');
  1212. $oNewObj->Set('attribute', '');
  1213. $iId = $oNewObj->DBInsertNoReload();
  1214. return $iId;
  1215. }
  1216. protected static function DoCreateActionGrant($iProfile, $iAction, $sClass)
  1217. {
  1218. $oNewObj = MetaModel::NewObject("URP_ActionGrant");
  1219. $oNewObj->Set('profileid', $iProfile);
  1220. $oNewObj->Set('permission', true);
  1221. $oNewObj->Set('class', $sClass);
  1222. $oNewObj->Set('action', self::$m_aActions[$iAction]);
  1223. $iId = $oNewObj->DBInsertNoReload();
  1224. return $iId;
  1225. }
  1226. protected static function DoCreateStimulusGrant($iProfile, $sStimulusCode, $sClass)
  1227. {
  1228. $oNewObj = MetaModel::NewObject("URP_StimulusGrant");
  1229. $oNewObj->Set('profileid', $iProfile);
  1230. $oNewObj->Set('permission', true);
  1231. $oNewObj->Set('class', $sClass);
  1232. $oNewObj->Set('stimulus', $sStimulusCode);
  1233. $iId = $oNewObj->DBInsertNoReload();
  1234. return $iId;
  1235. }
  1236. protected static function DoCreateAdminProfile()
  1237. {
  1238. $oNewObj = MetaModel::NewObject("URP_Profiles");
  1239. $oNewObj->Set('name', 'Administrator');
  1240. $oNewObj->Set('description', 'Has the rights on everything (bypassing any control)');
  1241. $iNewId = $oNewObj->DBInsertNoReload();
  1242. if ($iNewId != ADMIN_PROFILE_ID)
  1243. {
  1244. throw new CoreException('Admin profile could not be created with its standard id', array('requested'=>ADMIN_PROFILE_ID, 'obtained'=>$iNewId));
  1245. }
  1246. }
  1247. protected static function DoCreateOneProfile($sName, $aProfileData)
  1248. {
  1249. $sDescription = $aProfileData['description'];
  1250. $aWriteModules = explode(',', $aProfileData['write_modules']);
  1251. $aStimuli = $aProfileData['stimuli'];
  1252. $oNewObj = MetaModel::NewObject("URP_Profiles");
  1253. $oNewObj->Set('name', $sName);
  1254. $oNewObj->Set('description', $sDescription);
  1255. $iProfile = $oNewObj->DBInsertNoReload();
  1256. // Project in every dimension
  1257. //
  1258. $oDimensionSet = new DBObjectSet(DBObjectSearch::FromOQL("SELECT URP_Dimensions"));
  1259. while ($oDimension = $oDimensionSet->Fetch())
  1260. {
  1261. $iDimension = $oDimension->GetKey();
  1262. self::DoCreateProfileProjection($iProfile, $iDimension);
  1263. }
  1264. // Grant read rights for everything
  1265. //
  1266. foreach (MetaModel::GetClasses('bizmodel') as $sClass)
  1267. {
  1268. self::DoCreateActionGrant($iProfile, UR_ACTION_READ, $sClass);
  1269. self::DoCreateActionGrant($iProfile, UR_ACTION_BULK_READ, $sClass);
  1270. }
  1271. // Grant write for given modules
  1272. // Start by compiling the information, because some modules may overlap
  1273. $aWriteableClasses = array();
  1274. foreach ($aWriteModules as $sModule)
  1275. {
  1276. // $oPage->p('Granting write access for the module"'.$sModule.'" - '.count(self::$m_aModules[$sModule]).' classes');
  1277. foreach (self::$m_aModules[$sModule] as $sClass)
  1278. {
  1279. $aWriteableClasses[] = $sClass;
  1280. }
  1281. }
  1282. foreach ($aWriteableClasses as $sClass)
  1283. {
  1284. self::DoCreateActionGrant($iProfile, UR_ACTION_MODIFY, $sClass);
  1285. self::DoCreateActionGrant($iProfile, UR_ACTION_DELETE, $sClass);
  1286. self::DoCreateActionGrant($iProfile, UR_ACTION_BULK_MODIFY, $sClass);
  1287. self::DoCreateActionGrant($iProfile, UR_ACTION_BULK_DELETE, $sClass);
  1288. }
  1289. // Grant stimuli for given classes
  1290. foreach ($aStimuli as $sClass => $sAllowedStimuli)
  1291. {
  1292. if ($sAllowedStimuli == 'any')
  1293. {
  1294. $aAllowedStimuli = array_keys(MetaModel::EnumStimuli($sClass));
  1295. }
  1296. elseif ($sAllowedStimuli == 'none')
  1297. {
  1298. $aAllowedStimuli = array();
  1299. }
  1300. else
  1301. {
  1302. $aAllowedStimuli = explode(',', $sAllowedStimuli);
  1303. }
  1304. foreach ($aAllowedStimuli as $sStimulusCode)
  1305. {
  1306. self::DoCreateStimulusGrant($iProfile, $sStimulusCode, $sClass);
  1307. }
  1308. }
  1309. }
  1310. public static function DoCreateDimensions()
  1311. {
  1312. $aClass = MetaModel::GetClasses();
  1313. foreach(self::$m_aDimensions as $sName => $aDimensionData)
  1314. {
  1315. $iDimension = self::DoCreateDimension($sName, $aDimensionData);
  1316. foreach($aClass as $sClass)
  1317. {
  1318. self::DoCreateClassProjection($iDimension, $sClass);
  1319. }
  1320. }
  1321. }
  1322. public static function DoCreateProfiles()
  1323. {
  1324. self::DoCreateAdminProfile();
  1325. foreach(self::$m_aProfiles as $sName => $aProfileData)
  1326. {
  1327. self::DoCreateOneProfile($sName, $aProfileData);
  1328. }
  1329. }
  1330. }
  1331. UserRights::SelectModule('UserRightsProfile');
  1332. ?>