Savannah Patch #370 (modified) - Fix and extend ACL - Thanks gisu

This commit is contained in:
Zone 2002-06-24 03:18:59 +00:00
parent c0570b884a
commit fc3df2e82e
2 changed files with 142 additions and 87 deletions

View File

@ -179,22 +179,35 @@ if ($phpwh_debug)
}
###
# Get their memberships to be used throughout the script
# Get their readable groups to be used throughout the script
###
$memberships = $GLOBALS['phpgw']->accounts->membership ($GLOBALS['userinfo']['username']);
$groups = array ();
if (!is_array ($memberships))
$groups = $GLOBALS['phpgw']->accounts->get_list ('groups');
$readable_groups = array ();
while (list ($num, $account) = each ($groups))
{
$memberships = array ();
if ($GLOBALS['phpgw']->vfs->acl_check (array (
'owner_id' => $account['account_id'],
'operation' => PHPGW_ACL_READ
))
)
{
$readable_groups[$account['account_lid']] = Array('account_id' => $account['account_id'], 'account_name' => $account['account_lid']);
}
}
while (list ($num, $group_array) = each ($memberships))
{
$membership_id = $GLOBALS['phpgw']->accounts->name2id ($group_array['account_name']);
$groups_applications = array ();
$group_applications = CreateObject('phpgwapi.applications', $membership_id);
$membership_applications[$group_array['account_name']] = $group_applications->read_account_specific ();
while (list ($num, $group_array) = each ($readable_groups))
{
$group_id = $GLOBALS['phpgw']->accounts->name2id ($group_array['account_name']);
$applications = CreateObject('phpgwapi.applications', $group_id);
$groups_applications[$group_array['account_name']] = $applications->read_account_specific ();
}
###
@ -277,6 +290,20 @@ if ($update || rand (0, 19) == 4)
$GLOBALS['phpgw']->vfs->update_real (array ('string' => $path, 'relatives' => array (RELATIVE_NONE)));
}
###
# Check available permissions for $path, so we can disable unusable operations in user interface
###
if ($GLOBALS['phpgw']->vfs->acl_check (array (
'string' => $path,
'relatives' => array (RELATIVE_NONE),
'operation' => PHPGW_ACL_ADD
))
)
{
$can_add = True;
}
###
# Default is to sort by name
###
@ -325,14 +352,14 @@ if ($path == $GLOBALS['fakebase'])
// $files_array = $ls_array;
// $numoffiles = count($ls_array);
reset ($memberships);
while (list ($num, $group_array) = each ($memberships))
reset ($readable_groups);
while (list ($num, $group_array) = each ($readable_groups))
{
###
# If the group doesn't have access to this app, we don't show it
###
if (!$membership_applications[$group_array['account_name']][$GLOBALS['appname']]['enabled'])
if (!$groups_applications[$group_array['account_name']][$GLOBALS['appname']]['enabled'])
{
continue;
}
@ -1044,7 +1071,6 @@ if (!$op && !$delete && !$createdir && !$renamefiles && !$move && !$copy && !$ed
{
html_form_input ('submit', 'copy', lang('Copy to:'));
html_help_link ('copy_to');
html_form_input ('submit', 'move', lang('Move to:'));
html_help_link ('move_to');
}
@ -1075,17 +1101,17 @@ if (!$op && !$delete && !$createdir && !$renamefiles && !$move && !$copy && !$ed
###
# Then we get the directories in their membership's home directories
# Then we get the directories in their readable groups' home directories
###
reset ($memberships);
while (list ($num, $group_array) = each ($memberships))
reset ($readable_groups);
while (list ($num, $group_array) = each ($readable_groups))
{
###
# Don't list directories for groups that don't have access
###
if (!$membership_applications[$group_array['account_name']][$GLOBALS['appname']]['enabled'])
if (!$groups_applications[$group_array['account_name']][$GLOBALS['appname']]['enabled'])
{
continue;
}
@ -1148,16 +1174,19 @@ if (!$op && !$delete && !$createdir && !$renamefiles && !$move && !$copy && !$ed
html_help_link ('download');
html_nbsp (3);
html_form_input ('text', 'createdir', NULL, 255, 15);
html_form_input ('submit', 'newdir', lang('Create Folder'));
html_help_link ('create_folder');
if ($can_add)
{
html_form_input ('text', 'createdir', NULL, 255, 15);
html_form_input ('submit', 'newdir', lang('Create Folder'));
html_help_link ('create_folder');
}
}
html_break (1);
html_form_input ('submit', 'update', lang('Update'));
html_help_link ('update');
if ($path != '/' && $path != $GLOBALS['fakebase'])
if ($path != '/' && $path != $GLOBALS['fakebase'] && $can_add)
{
html_nbsp (3);
html_form_input ('text', 'createfile', NULL, 255, 15);
@ -1210,7 +1239,7 @@ if (!$op && !$delete && !$createdir && !$renamefiles && !$move && !$copy && !$ed
# Show file upload boxes. Note the last argument to html (). Repeats $show_upload_boxes times
###
if ($path != '/' && $path != $GLOBALS['fakebase'])
if ($path != '/' && $path != $GLOBALS['fakebase'] && $can_add)
{
html_break (2);
html_form_begin ($GLOBALS['appname'].'/index.php?op=upload&path='.$path, 'post', 'multipart/form-data');

View File

@ -149,7 +149,7 @@
}
else
{
$query = $GLOBALS['phpgw']->db->query ("SELECT directory, name, link_directory, link_name FROM phpgw_vfs WHERE (link_directory IS NOT NULL or link_directory != '') AND (lilnk_name IS NOT NULL or link_name != '')" . $this->extra_sql (array ('query_type' => VFS_SQL_SELECT)), __LINE__,__FILE__);
$query = $GLOBALS['phpgw']->db->query ("SELECT directory, name, link_directory, link_name FROM phpgw_vfs WHERE (link_directory IS NOT NULL or link_directory != '') AND (link_name IS NOT NULL or link_name != '')" . $this->extra_sql (array ('query_type' => VFS_SQL_SELECT)), __LINE__,__FILE__);
}
@ -1067,8 +1067,12 @@
/*!
@function acl_check
@abstract Check ACL access to $file for $GLOBALS['phpgw_info']["user"]["account_id"];
@discussion To check the access for a file or directory, pass 'string'/'relatives'/'must_exist'.
To check the access to another user or group, pass 'owner_id'.
If 'owner_id' is present, we bypass checks on 'string'/'relatives'/'must_exist'
@param string File to check access of
@param relatives Standard relativity array
@param owner_id Owner id to check access of (see discussion above)
@param operation Operation to check access to. In the form of a PHPGW_ACL defines bitmask. Default is read
@param must_exist Boolean. Set to True if 'string' must exist. Otherwise, we check the parent directory as well
@result Boolean. True if access is ok, False otherwise
@ -1095,87 +1099,97 @@
return True;
}
$p = $this->path_parts (array(
'string' => $data['string'],
'relatives' => array ($data['relatives'][0])
)
);
/* Temporary, until we get symlink type files set up */
if ($p->outside)
if (!$data['owner_id'])
{
return True;
}
/* If the file doesn't exist, we get ownership from the parent directory */
if (!$this->file_exists (array(
'string' => $p->fake_full_path,
'relatives' => array ($p->mask)
))
)
{
if ($data['must_exist'])
{
return False;
}
$data['string'] = $p->fake_leading_dirs;
$p2 = $this->path_parts (array(
$p = $this->path_parts (array(
'string' => $data['string'],
'relatives' => array ($p->mask)
'relatives' => array ($data['relatives'][0])
)
);
/* Temporary, until we get symlink type files set up */
if ($p->outside)
{
return True;
}
/* Read access is always allowed here, but nothing else is */
if ($data['string'] == '/' || $data['string'] == $this->fakebase)
{
if ($data['operation'] == PHPGW_ACL_READ)
{
return True;
}
else
{
return False;
}
}
/* If the file doesn't exist, we get ownership from the parent directory */
if (!$this->file_exists (array(
'string' => $data['string'],
'string' => $p->fake_full_path,
'relatives' => array ($p->mask)
))
)
{
return False;
}
}
else
{
$p2 = $p;
}
if ($data['must_exist'])
{
return False;
}
/* Read access is always allowed here, but nothing else is */
if ($data['string'] == '/' || $data['string'] == $this->fakebase)
{
if ($data['operation'] == PHPGW_ACL_READ)
{
return True;
$data['string'] = $p->fake_leading_dirs;
$p2 = $this->path_parts (array(
'string' => $data['string'],
'relatives' => array ($p->mask)
)
);
if (!$this->file_exists (array(
'string' => $data['string'],
'relatives' => array ($p->mask)
))
)
{
return False;
}
}
else
{
return False;
$p2 = $p;
}
/*
We don't use ls () to get owner_id as we normally would,
because ls () calls acl_check (), which would create an infinite loop
*/
$query = $GLOBALS['phpgw']->db->query ("SELECT owner_id FROM phpgw_vfs WHERE directory='".$p2->fake_leading_dirs_clean."' AND name='".$p2->fake_name_clean."'" . $this->extra_sql (array ('query_type' => VFS_SQL_SELECT)), __LINE__, __FILE__);
$GLOBALS['phpgw']->db->next_record ();
$owner_id = $GLOBALS['phpgw']->db->Record['owner_id'];
}
else
{
$owner_id = $data['owner_id'];
}
/*
We don't use ls () to get owner_id as we normally would,
because ls () calls acl_check (), which would create an infinite loop
*/
$query = $GLOBALS['phpgw']->db->query ("SELECT owner_id FROM phpgw_vfs WHERE directory='".$p2->fake_leading_dirs_clean."' AND name='".$p2->fake_name_clean."'" . $this->extra_sql (array ('query_type' => VFS_SQL_SELECT)), __LINE__, __FILE__);
$GLOBALS['phpgw']->db->next_record ();
$group_id = $GLOBALS['phpgw']->db->Record['owner_id'];
$user_id = $GLOBALS['phpgw_info']['user']['account_id'];
/* They always have access to their own files */
if ($group_id == $GLOBALS['phpgw_info']['user']['account_id'])
if ($owner_id == $user_id)
{
return True;
}
/* Check if they're in the group. If so, they have access */
$memberships = $GLOBALS['phpgw']->accounts->membership ($GLOBALS['phpgw_info']['user']['account_id']);
/* Check if they're in the group */
$memberships = $GLOBALS['phpgw']->accounts->membership ($user_id);
if (is_array ($memberships))
{
@reset ($memberships);
while (list ($num, $group_array) = @each ($memberships))
reset ($memberships);
while (list ($num, $group_array) = each ($memberships))
{
if ($group_id == $GLOBALS['phpgw']->accounts->name2id ($group_array['account_name']))
if ($owner_id == $group_array['account_id'])
{
$group_ok = 1;
break;
@ -1183,26 +1197,38 @@
}
}
if (!$group_id)
$acl = CreateObject ('phpgwapi.acl', $owner_id);
$acl->account_id = $owner_id;
$acl->read_repository ();
$rights = $acl->get_rights ($user_id);
/* Add privileges from the groups this user belongs to */
if (is_array ($memberships))
{
if (!$group_id = $this->account_id)
reset ($memberships);
while (list ($num, $group_array) = each ($memberships))
{
$group_id = 0;
$rights |= $acl->get_rights ($group_array['account_id']);
}
}
$acl = CreateObject ('phpgwapi.acl', $group_id);
$acl->account_id = $group_id;
$acl->read_repository ();
$rights = $acl->get_rights ($account_id);
if ($rights & $data['operation'])
{
return True;
}
elseif (!$rights && $group_ok)
{
return True;
$conf = CreateObject('phpgwapi.config', 'phpgwapi');
$conf->read_repository();
if ($conf->config_data['acl_default'] == 'grant')
{
return True;
}
else
{
return False;
}
}
else
{
@ -3343,7 +3369,7 @@
return $data;
}
/* This fetchs all available file system information for $string (not using the database) */
/* This fetchs all available file system information for string (not using the database) */
function get_real_info ($data)
{
if (!is_array ($data))