file_access_user implementation for addressbook

This commit is contained in:
Ralf Becker 2011-06-26 13:55:25 +00:00
parent 34a990e6ac
commit 73486cc047
3 changed files with 92 additions and 48 deletions

View File

@ -7,7 +7,7 @@
* @author Ralf Becker <RalfBecker-AT-outdoor-training.de> * @author Ralf Becker <RalfBecker-AT-outdoor-training.de>
* @author Joerg Lehrke <jlehrke@noc.de> * @author Joerg Lehrke <jlehrke@noc.de>
* @package addressbook * @package addressbook
* @copyright (c) 2005-10 by Ralf Becker <RalfBecker-AT-outdoor-training.de> * @copyright (c) 2005-11 by Ralf Becker <RalfBecker-AT-outdoor-training.de>
* @copyright (c) 2005/6 by Cornelius Weiss <egw@von-und-zu-weiss.de> * @copyright (c) 2005/6 by Cornelius Weiss <egw@von-und-zu-weiss.de>
* @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License * @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License
* @version $Id$ * @version $Id$
@ -1008,10 +1008,23 @@ class addressbook_bo extends addressbook_so
* @param int $needed necessary ACL right: EGW_ACL_{READ|EDIT|DELETE} * @param int $needed necessary ACL right: EGW_ACL_{READ|EDIT|DELETE}
* @param mixed $contact contact as array or the contact-id * @param mixed $contact contact as array or the contact-id
* @param boolean $deny_account_delete=false if true never allow to delete accounts * @param boolean $deny_account_delete=false if true never allow to delete accounts
* @param int $user=null for which user to check, default current user
* @return boolean true permission granted, false for permission denied, null for contact does not exist * @return boolean true permission granted, false for permission denied, null for contact does not exist
*/ */
function check_perms($needed,$contact,$deny_account_delete=false) function check_perms($needed,$contact,$deny_account_delete=false,$user=null)
{ {
if (!$user) $user = $this->user;
if ($user == $this->user)
{
$grants = $this->grants;
$memberships = $this->memberships;
}
else
{
$grants = $this->get_grants($user);
$memberships = $GLOBALS['egw']->accounts->memberships($user,true);
}
if ((!is_array($contact) || !isset($contact['owner'])) && if ((!is_array($contact) || !isset($contact['owner'])) &&
!($contact = parent::read(is_array($contact) ? $contact['id'] : $contact))) !($contact = parent::read(is_array($contact) ? $contact['id'] : $contact)))
{ {
@ -1020,24 +1033,42 @@ class addressbook_bo extends addressbook_so
$owner = $contact['owner']; $owner = $contact['owner'];
// allow the user to edit his own account // allow the user to edit his own account
if (!$owner && $needed == EGW_ACL_EDIT && $contact['account_id'] == $this->user && $this->own_account_acl) if (!$owner && $needed == EGW_ACL_EDIT && $contact['account_id'] == $user && $this->own_account_acl)
{ {
return true; $access = true;
} }
// dont allow to delete own account (as admin handels it too) // dont allow to delete own account (as admin handels it too)
if (!$owner && $needed == EGW_ACL_DELETE && ($deny_account_delete || $contact['account_id'] == $this->user)) elseif (!$owner && $needed == EGW_ACL_DELETE && ($deny_account_delete || $contact['account_id'] == $user))
{ {
return false; $access = false;
} }
// for reading accounts (owner == 0) and account_selection == groupmembers, check if current user and contact are groupmembers // for reading accounts (owner == 0) and account_selection == groupmembers, check if current user and contact are groupmembers
if ($owner == 0 && $needed == EGW_ACL_READ && elseif ($owner == 0 && $needed == EGW_ACL_READ &&
$GLOBALS['egw_info']['user']['preferences']['common']['account_selection'] == 'groupmembers') $GLOBALS['egw_info']['user']['preferences']['common']['account_selection'] == 'groupmembers')
{ {
return !!array_intersect($GLOBALS['egw']->accounts->memberships($this->user,true), $access = !!array_intersect($memberships,$GLOBALS['egw']->accounts->memberships($contact['account_id'],true));
$GLOBALS['egw']->accounts->memberships($contact['account_id'],true));
} }
return ($this->grants[$owner] & $needed) && else
(!$contact['private'] || ($this->grants[$owner] & EGW_ACL_PRIVATE) || in_array($owner,$this->memberships)); {
$access = ($grants[$owner] & $needed) &&
(!$contact['private'] || ($grants[$owner] & EGW_ACL_PRIVATE) || in_array($owner,$memberships));
}
//error_log(__METHOD__."($needed,$contact[id],$deny_account_delete,$user) returning ".array2string($access));
return $access;
}
/**
* Check access to the file store
*
* @param int|array $id id of entry or entry array
* @param int $check EGW_ACL_READ for read and EGW_ACL_EDIT for write or delete access
* @param string $rel_path=null currently not used in InfoLog
* @param int $user=null for which user to check, default current user
* @return boolean true if access is granted or false otherwise
*/
function file_access($id,$check,$rel_path=null,$user=null)
{
return $this->check_perms($check,$id,false,$user);
} }
/** /**
@ -1382,17 +1413,6 @@ class addressbook_bo extends addressbook_so
return $this->link_query($pattern,$options); return $this->link_query($pattern,$options);
} }
/**
* Check access to the projects file store
*
* @param int $id id of entry
* @param int $check EGW_ACL_READ for read and EGW_ACL_EDIT for write or delete access
* @return boolean true if access is granted or false otherwise
*/
function file_access($id,$check,$rel_path)
{
return $this->check_perms($check,$id);
}
/** /**
* returns info about contacts for calender * returns info about contacts for calender

View File

@ -362,6 +362,7 @@ class addressbook_hooks
'add_app' => 'link_app', 'add_app' => 'link_app',
'add_id' => 'link_id', 'add_id' => 'link_id',
'add_popup' => '870x440', 'add_popup' => '870x440',
'file_access_user' => true, // file_access supports 4th parameter $user
'file_access'=> 'addressbook.addressbook_bo.file_access', 'file_access'=> 'addressbook.addressbook_bo.file_access',
'default_types' => array('n' => array('name' => 'contact', 'options' => array('icon' => 'navbar.png','template' => 'addressbook.edit'))), 'default_types' => array('n' => array('name' => 'contact', 'options' => array('icon' => 'navbar.png','template' => 'addressbook.edit'))),
// registers an addtional type 'addressbook-email', returning only contacts with email, title has email appended // registers an addtional type 'addressbook-email', returning only contacts with email, title has email appended

View File

@ -6,7 +6,7 @@
* @author Cornelius Weiss <egw-AT-von-und-zu-weiss.de> * @author Cornelius Weiss <egw-AT-von-und-zu-weiss.de>
* @author Ralf Becker <RalfBecker-AT-outdoor-training.de> * @author Ralf Becker <RalfBecker-AT-outdoor-training.de>
* @package addressbook * @package addressbook
* @copyright (c) 2005-10 by Ralf Becker <RalfBecker-AT-outdoor-training.de> * @copyright (c) 2005-11 by Ralf Becker <RalfBecker-AT-outdoor-training.de>
* @copyright (c) 2005/6 by Cornelius Weiss <egw@von-und-zu-weiss.de> * @copyright (c) 2005/6 by Cornelius Weiss <egw@von-und-zu-weiss.de>
* @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License * @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License
* @version $Id$ * @version $Id$
@ -233,15 +233,6 @@ class addressbook_so
$this->contact_repository = 'ldap'; $this->contact_repository = 'ldap';
$this->somain = new addressbook_ldap(); $this->somain = new addressbook_ldap();
if ($this->user) // not set eg. in setup
{
// static grants from ldap: all rights for the own personal addressbook and the group ones of the meberships
$this->grants = array($this->user => ~0);
foreach($this->memberships as $gid)
{
$this->grants[$gid] = ~0;
}
}
$this->columns_to_search = $this->ldap_search_attributes; $this->columns_to_search = $this->ldap_search_attributes;
} }
else // sql or sql->ldap else // sql or sql->ldap
@ -252,15 +243,13 @@ class addressbook_so
} }
$this->somain = new addressbook_sql($db); $this->somain = new addressbook_sql($db);
if ($this->user) // not set eg. in setup
{
// group grants are now grants for the group addressbook and NOT grants for all its members,
// therefor the param false!
$this->grants = $GLOBALS['egw']->acl->get_grants($contact_app,false);
}
// remove some columns, absolutly not necessary to search in sql // remove some columns, absolutly not necessary to search in sql
$this->columns_to_search = array_diff(array_values($this->somain->db_cols),$this->sql_cols_not_to_search); $this->columns_to_search = array_diff(array_values($this->somain->db_cols),$this->sql_cols_not_to_search);
} }
if ($this->user)
{
$this->grants = $this->get_grants($this->user);
}
if ($this->account_repository == 'ldap' && $this->contact_repository == 'sql') if ($this->account_repository == 'ldap' && $this->contact_repository == 'sql')
{ {
if ($this->account_repository != $this->contact_repository) if ($this->account_repository != $this->contact_repository)
@ -338,6 +327,40 @@ class addressbook_so
} }
} }
/**
* Get grants for a given user, taking into account static LDAP ACL
*
* @param int $user
* @return array
*/
function get_grants($user)
{
if ($user)
{
// contacts backend (contacts in LDAP require accounts in LDAP!)
if($GLOBALS['egw_info']['server']['contact_repository'] == 'ldap' && $this->account_repository == 'ldap')
{
// static grants from ldap: all rights for the own personal addressbook and the group ones of the meberships
$grants = array($user => ~0);
foreach($GLOBALS['egw']->accounts->memberships($user,true) as $gid)
{
$grants[$gid] = ~0;
}
}
else // sql or sql->ldap
{
// group grants are now grants for the group addressbook and NOT grants for all its members,
// therefor the param false!
$grants = $GLOBALS['egw']->acl->get_grants($contact_app,false,$user);
}
}
else
{
$grants = array();
}
return $grants;
}
/** /**
* Check if the user is an admin (can unconditionally edit accounts) * Check if the user is an admin (can unconditionally edit accounts)
* *