file_access_user implementation for addressbook
This commit is contained in:
parent
34a990e6ac
commit
73486cc047
@ -7,7 +7,7 @@
|
|||||||
* @author Ralf Becker <RalfBecker-AT-outdoor-training.de>
|
* @author Ralf Becker <RalfBecker-AT-outdoor-training.de>
|
||||||
* @author Joerg Lehrke <jlehrke@noc.de>
|
* @author Joerg Lehrke <jlehrke@noc.de>
|
||||||
* @package addressbook
|
* @package addressbook
|
||||||
* @copyright (c) 2005-10 by Ralf Becker <RalfBecker-AT-outdoor-training.de>
|
* @copyright (c) 2005-11 by Ralf Becker <RalfBecker-AT-outdoor-training.de>
|
||||||
* @copyright (c) 2005/6 by Cornelius Weiss <egw@von-und-zu-weiss.de>
|
* @copyright (c) 2005/6 by Cornelius Weiss <egw@von-und-zu-weiss.de>
|
||||||
* @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License
|
* @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
@ -1008,10 +1008,23 @@ class addressbook_bo extends addressbook_so
|
|||||||
* @param int $needed necessary ACL right: EGW_ACL_{READ|EDIT|DELETE}
|
* @param int $needed necessary ACL right: EGW_ACL_{READ|EDIT|DELETE}
|
||||||
* @param mixed $contact contact as array or the contact-id
|
* @param mixed $contact contact as array or the contact-id
|
||||||
* @param boolean $deny_account_delete=false if true never allow to delete accounts
|
* @param boolean $deny_account_delete=false if true never allow to delete accounts
|
||||||
|
* @param int $user=null for which user to check, default current user
|
||||||
* @return boolean true permission granted, false for permission denied, null for contact does not exist
|
* @return boolean true permission granted, false for permission denied, null for contact does not exist
|
||||||
*/
|
*/
|
||||||
function check_perms($needed,$contact,$deny_account_delete=false)
|
function check_perms($needed,$contact,$deny_account_delete=false,$user=null)
|
||||||
{
|
{
|
||||||
|
if (!$user) $user = $this->user;
|
||||||
|
if ($user == $this->user)
|
||||||
|
{
|
||||||
|
$grants = $this->grants;
|
||||||
|
$memberships = $this->memberships;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
$grants = $this->get_grants($user);
|
||||||
|
$memberships = $GLOBALS['egw']->accounts->memberships($user,true);
|
||||||
|
}
|
||||||
|
|
||||||
if ((!is_array($contact) || !isset($contact['owner'])) &&
|
if ((!is_array($contact) || !isset($contact['owner'])) &&
|
||||||
!($contact = parent::read(is_array($contact) ? $contact['id'] : $contact)))
|
!($contact = parent::read(is_array($contact) ? $contact['id'] : $contact)))
|
||||||
{
|
{
|
||||||
@ -1020,24 +1033,42 @@ class addressbook_bo extends addressbook_so
|
|||||||
$owner = $contact['owner'];
|
$owner = $contact['owner'];
|
||||||
|
|
||||||
// allow the user to edit his own account
|
// allow the user to edit his own account
|
||||||
if (!$owner && $needed == EGW_ACL_EDIT && $contact['account_id'] == $this->user && $this->own_account_acl)
|
if (!$owner && $needed == EGW_ACL_EDIT && $contact['account_id'] == $user && $this->own_account_acl)
|
||||||
{
|
{
|
||||||
return true;
|
$access = true;
|
||||||
}
|
}
|
||||||
// dont allow to delete own account (as admin handels it too)
|
// dont allow to delete own account (as admin handels it too)
|
||||||
if (!$owner && $needed == EGW_ACL_DELETE && ($deny_account_delete || $contact['account_id'] == $this->user))
|
elseif (!$owner && $needed == EGW_ACL_DELETE && ($deny_account_delete || $contact['account_id'] == $user))
|
||||||
{
|
{
|
||||||
return false;
|
$access = false;
|
||||||
}
|
}
|
||||||
// for reading accounts (owner == 0) and account_selection == groupmembers, check if current user and contact are groupmembers
|
// for reading accounts (owner == 0) and account_selection == groupmembers, check if current user and contact are groupmembers
|
||||||
if ($owner == 0 && $needed == EGW_ACL_READ &&
|
elseif ($owner == 0 && $needed == EGW_ACL_READ &&
|
||||||
$GLOBALS['egw_info']['user']['preferences']['common']['account_selection'] == 'groupmembers')
|
$GLOBALS['egw_info']['user']['preferences']['common']['account_selection'] == 'groupmembers')
|
||||||
{
|
{
|
||||||
return !!array_intersect($GLOBALS['egw']->accounts->memberships($this->user,true),
|
$access = !!array_intersect($memberships,$GLOBALS['egw']->accounts->memberships($contact['account_id'],true));
|
||||||
$GLOBALS['egw']->accounts->memberships($contact['account_id'],true));
|
|
||||||
}
|
}
|
||||||
return ($this->grants[$owner] & $needed) &&
|
else
|
||||||
(!$contact['private'] || ($this->grants[$owner] & EGW_ACL_PRIVATE) || in_array($owner,$this->memberships));
|
{
|
||||||
|
$access = ($grants[$owner] & $needed) &&
|
||||||
|
(!$contact['private'] || ($grants[$owner] & EGW_ACL_PRIVATE) || in_array($owner,$memberships));
|
||||||
|
}
|
||||||
|
//error_log(__METHOD__."($needed,$contact[id],$deny_account_delete,$user) returning ".array2string($access));
|
||||||
|
return $access;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Check access to the file store
|
||||||
|
*
|
||||||
|
* @param int|array $id id of entry or entry array
|
||||||
|
* @param int $check EGW_ACL_READ for read and EGW_ACL_EDIT for write or delete access
|
||||||
|
* @param string $rel_path=null currently not used in InfoLog
|
||||||
|
* @param int $user=null for which user to check, default current user
|
||||||
|
* @return boolean true if access is granted or false otherwise
|
||||||
|
*/
|
||||||
|
function file_access($id,$check,$rel_path=null,$user=null)
|
||||||
|
{
|
||||||
|
return $this->check_perms($check,$id,false,$user);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -1382,17 +1413,6 @@ class addressbook_bo extends addressbook_so
|
|||||||
|
|
||||||
return $this->link_query($pattern,$options);
|
return $this->link_query($pattern,$options);
|
||||||
}
|
}
|
||||||
/**
|
|
||||||
* Check access to the projects file store
|
|
||||||
*
|
|
||||||
* @param int $id id of entry
|
|
||||||
* @param int $check EGW_ACL_READ for read and EGW_ACL_EDIT for write or delete access
|
|
||||||
* @return boolean true if access is granted or false otherwise
|
|
||||||
*/
|
|
||||||
function file_access($id,$check,$rel_path)
|
|
||||||
{
|
|
||||||
return $this->check_perms($check,$id);
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* returns info about contacts for calender
|
* returns info about contacts for calender
|
||||||
|
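Review bot: In the new check_perms() body the `account_selection == 'groupmembers'` condition still reads the session user's preference from `$GLOBALS['egw_info']['user']['preferences']`, while the membership intersection on the same branch now uses `$memberships` resolved for `$user`; when `$user` differs from `$this->user`, the read decision for accounts combines one principal's preference with another principal's group memberships. If the checked user's own preference is not cheaply available here, the divergence should at least be stated next to that condition, e.g. `// NOTE: account_selection is taken from the session user, not from $user`. The new `in_array($owner,$memberships)` also inherits a warning path should `memberships($user,true)` return a non-array for an unknown id, which the `$user` argument passed through from the new file_access() makes reachable from the hook; a `(array)` cast or an explicit is_array() check would keep the method returning false instead of emitting a notice. Separately, the docblock of the new file_access() says `currently not used in InfoLog`; for this class it should read `currently not used in addressbook`.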
@ -362,6 +362,7 @@ class addressbook_hooks
|
|||||||
'add_app' => 'link_app',
|
'add_app' => 'link_app',
|
||||||
'add_id' => 'link_id',
|
'add_id' => 'link_id',
|
||||||
'add_popup' => '870x440',
|
'add_popup' => '870x440',
|
||||||
|
'file_access_user' => true, // file_access supports 4th parameter $user
|
||||||
'file_access'=> 'addressbook.addressbook_bo.file_access',
|
'file_access'=> 'addressbook.addressbook_bo.file_access',
|
||||||
'default_types' => array('n' => array('name' => 'contact', 'options' => array('icon' => 'navbar.png','template' => 'addressbook.edit'))),
|
'default_types' => array('n' => array('name' => 'contact', 'options' => array('icon' => 'navbar.png','template' => 'addressbook.edit'))),
|
||||||
// registers an addtional type 'addressbook-email', returning only contacts with email, title has email appended
|
// registers an addtional type 'addressbook-email', returning only contacts with email, title has email appended
|
||||||
|
@ -6,7 +6,7 @@
|
|||||||
* @author Cornelius Weiss <egw-AT-von-und-zu-weiss.de>
|
* @author Cornelius Weiss <egw-AT-von-und-zu-weiss.de>
|
||||||
* @author Ralf Becker <RalfBecker-AT-outdoor-training.de>
|
* @author Ralf Becker <RalfBecker-AT-outdoor-training.de>
|
||||||
* @package addressbook
|
* @package addressbook
|
||||||
* @copyright (c) 2005-10 by Ralf Becker <RalfBecker-AT-outdoor-training.de>
|
* @copyright (c) 2005-11 by Ralf Becker <RalfBecker-AT-outdoor-training.de>
|
||||||
* @copyright (c) 2005/6 by Cornelius Weiss <egw@von-und-zu-weiss.de>
|
* @copyright (c) 2005/6 by Cornelius Weiss <egw@von-und-zu-weiss.de>
|
||||||
* @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License
|
* @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
@ -233,15 +233,6 @@ class addressbook_so
|
|||||||
$this->contact_repository = 'ldap';
|
$this->contact_repository = 'ldap';
|
||||||
$this->somain = new addressbook_ldap();
|
$this->somain = new addressbook_ldap();
|
||||||
|
|
||||||
if ($this->user) // not set eg. in setup
|
|
||||||
{
|
|
||||||
// static grants from ldap: all rights for the own personal addressbook and the group ones of the meberships
|
|
||||||
$this->grants = array($this->user => ~0);
|
|
||||||
foreach($this->memberships as $gid)
|
|
||||||
{
|
|
||||||
$this->grants[$gid] = ~0;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
$this->columns_to_search = $this->ldap_search_attributes;
|
$this->columns_to_search = $this->ldap_search_attributes;
|
||||||
}
|
}
|
||||||
else // sql or sql->ldap
|
else // sql or sql->ldap
|
||||||
@ -252,15 +243,13 @@ class addressbook_so
|
|||||||
}
|
}
|
||||||
$this->somain = new addressbook_sql($db);
|
$this->somain = new addressbook_sql($db);
|
||||||
|
|
||||||
if ($this->user) // not set eg. in setup
|
|
||||||
{
|
|
||||||
// group grants are now grants for the group addressbook and NOT grants for all its members,
|
|
||||||
// therefor the param false!
|
|
||||||
$this->grants = $GLOBALS['egw']->acl->get_grants($contact_app,false);
|
|
||||||
}
|
|
||||||
// remove some columns, absolutly not necessary to search in sql
|
// remove some columns, absolutly not necessary to search in sql
|
||||||
$this->columns_to_search = array_diff(array_values($this->somain->db_cols),$this->sql_cols_not_to_search);
|
$this->columns_to_search = array_diff(array_values($this->somain->db_cols),$this->sql_cols_not_to_search);
|
||||||
}
|
}
|
||||||
|
if ($this->user)
|
||||||
|
{
|
||||||
|
$this->grants = $this->get_grants($this->user);
|
||||||
|
}
|
||||||
if ($this->account_repository == 'ldap' && $this->contact_repository == 'sql')
|
if ($this->account_repository == 'ldap' && $this->contact_repository == 'sql')
|
||||||
{
|
{
|
||||||
if ($this->account_repository != $this->contact_repository)
|
if ($this->account_repository != $this->contact_repository)
|
||||||
@ -338,6 +327,40 @@ class addressbook_so
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Get grants for a given user, taking into account static LDAP ACL
|
||||||
|
*
|
||||||
|
* @param int $user
|
||||||
|
* @return array
|
||||||
|
*/
|
||||||
|
function get_grants($user)
|
||||||
|
{
|
||||||
|
if ($user)
|
||||||
|
{
|
||||||
|
// contacts backend (contacts in LDAP require accounts in LDAP!)
|
||||||
|
if($GLOBALS['egw_info']['server']['contact_repository'] == 'ldap' && $this->account_repository == 'ldap')
|
||||||
|
{
|
||||||
|
// static grants from ldap: all rights for the own personal addressbook and the group ones of the meberships
|
||||||
|
$grants = array($user => ~0);
|
||||||
|
foreach($GLOBALS['egw']->accounts->memberships($user,true) as $gid)
|
||||||
|
{
|
||||||
|
$grants[$gid] = ~0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else // sql or sql->ldap
|
||||||
|
{
|
||||||
|
// group grants are now grants for the group addressbook and NOT grants for all its members,
|
||||||
|
// therefor the param false!
|
||||||
|
$grants = $GLOBALS['egw']->acl->get_grants($contact_app,false,$user);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
$grants = array();
|
||||||
|
}
|
||||||
|
return $grants;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Check if the user is an admin (can unconditionally edit accounts)
|
* Check if the user is an admin (can unconditionally edit accounts)
|
||||||
*
|
*
|
||||||
|
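Review bot: `$contact_app` on the `$GLOBALS['egw']->acl->get_grants($contact_app,false,$user)` line of the new get_grants() is not defined inside that method: the whole method body is in the hunk and shows no parameter, local or `global` statement of that name, and the only visible definition was in the constructor scope the removed code ran in. As written, the sql branch requests grants for an empty application name, and because the constructor hunk at `@ -252,15 +243,13 @@` now also routes `$this->grants` through get_grants(), this affects the current user's grants too, not only the new per-user lookups. Keep the application name on the instance in the constructor (`$this->contact_app = $contact_app;`, outside this hunk) and use `$grants = $GLOBALS['egw']->acl->get_grants($this->contact_app,false,$user);` here, or pass it in as a parameter. The repository test in the new method also reads `$GLOBALS['egw_info']['server']['contact_repository']` where the constructor used `$this->contact_repository`; if the two can diverge (the `sql->ldap` case the comments mention), `$this->contact_repository` is the value the rest of the class relies on.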