mirror of
https://github.com/EGroupware/egroupware.git
synced 2024-11-08 00:54:15 +01:00
file_access_user implementation for addressbook
This commit is contained in:
Ralf Becker
parent
34a990e6ac
commit
73486cc047
@ -7,7 +7,7 @@
|
||||
* @author Ralf Becker <RalfBecker-AT-outdoor-training.de>
|
||||
* @author Joerg Lehrke <jlehrke@noc.de>
|
||||
* @package addressbook
|
||||
* @copyright (c) 2005-10 by Ralf Becker <RalfBecker-AT-outdoor-training.de>
|
||||
* @copyright (c) 2005-11 by Ralf Becker <RalfBecker-AT-outdoor-training.de>
|
||||
* @copyright (c) 2005/6 by Cornelius Weiss <egw@von-und-zu-weiss.de>
|
||||
* @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License
|
||||
* @version $Id$
|
||||
@ -1000,18 +1000,31 @@ class addressbook_bo extends addressbook_so
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if the current user has the necessary ACL rights
|
||||
*
|
||||
* If the access of a contact is set to private, one need a private grant for a personal addressbook
|
||||
* or the group membership for a group-addressbook
|
||||
*
|
||||
* @param int $needed necessary ACL right: EGW_ACL_{READ|EDIT|DELETE}
|
||||
* @param mixed $contact contact as array or the contact-id
|
||||
* @param boolean $deny_account_delete=false if true never allow to delete accounts
|
||||
* @return boolean true permission granted, false for permission denied, null for contact does not exist
|
||||
*/
|
||||
function check_perms($needed,$contact,$deny_account_delete=false)
|
||||
* Checks if the current user has the necessary ACL rights
|
||||
*
|
||||
* If the access of a contact is set to private, one need a private grant for a personal addressbook
|
||||
* or the group membership for a group-addressbook
|
||||
*
|
||||
* @param int $needed necessary ACL right: EGW_ACL_{READ|EDIT|DELETE}
|
||||
* @param mixed $contact contact as array or the contact-id
|
||||
* @param boolean $deny_account_delete=false if true never allow to delete accounts
|
||||
* @param int $user=null for which user to check, default current user
|
||||
* @return boolean true permission granted, false for permission denied, null for contact does not exist
|
||||
*/
|
||||
function check_perms($needed,$contact,$deny_account_delete=false,$user=null)
|
||||
{
|
||||
if (!$user) $user = $this->user;
|
||||
if ($user == $this->user)
|
||||
{
|
||||
$grants = $this->grants;
|
||||
$memberships = $this->memberships;
|
||||
}
|
||||
else
|
||||
{
|
||||
$grants = $this->get_grants($user);
|
||||
$memberships = $GLOBALS['egw']->accounts->memberships($user,true);
|
||||
}
|
||||
|
||||
if ((!is_array($contact) || !isset($contact['owner'])) &&
|
||||
!($contact = parent::read(is_array($contact) ? $contact['id'] : $contact)))
|
||||
{
|
||||
@ -1020,24 +1033,42 @@ class addressbook_bo extends addressbook_so
|
||||
$owner = $contact['owner'];
|
||||
|
||||
// allow the user to edit his own account
|
||||
if (!$owner && $needed == EGW_ACL_EDIT && $contact['account_id'] == $this->user && $this->own_account_acl)
|
||||
if (!$owner && $needed == EGW_ACL_EDIT && $contact['account_id'] == $user && $this->own_account_acl)
|
||||
{
|
||||
return true;
|
||||
$access = true;
|
||||
}
|
||||
// dont allow to delete own account (as admin handels it too)
|
||||
if (!$owner && $needed == EGW_ACL_DELETE && ($deny_account_delete || $contact['account_id'] == $this->user))
|
||||
elseif (!$owner && $needed == EGW_ACL_DELETE && ($deny_account_delete || $contact['account_id'] == $user))
|
||||
{
|
||||
return false;
|
||||
$access = false;
|
||||
}
|
||||
// for reading accounts (owner == 0) and account_selection == groupmembers, check if current user and contact are groupmembers
|
||||
if ($owner == 0 && $needed == EGW_ACL_READ &&
|
||||
elseif ($owner == 0 && $needed == EGW_ACL_READ &&
|
||||
$GLOBALS['egw_info']['user']['preferences']['common']['account_selection'] == 'groupmembers')
|
||||
{
|
||||
return !!array_intersect($GLOBALS['egw']->accounts->memberships($this->user,true),
|
||||
$GLOBALS['egw']->accounts->memberships($contact['account_id'],true));
|
||||
$access = !!array_intersect($memberships,$GLOBALS['egw']->accounts->memberships($contact['account_id'],true));
|
||||
}
|
||||
return ($this->grants[$owner] & $needed) &&
|
||||
(!$contact['private'] || ($this->grants[$owner] & EGW_ACL_PRIVATE) || in_array($owner,$this->memberships));
|
||||
else
|
||||
{
|
||||
$access = ($grants[$owner] & $needed) &&
|
||||
(!$contact['private'] || ($grants[$owner] & EGW_ACL_PRIVATE) || in_array($owner,$memberships));
|
||||
}
|
||||
//error_log(__METHOD__."($needed,$contact[id],$deny_account_delete,$user) returning ".array2string($access));
|
||||
return $access;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check access to the file store
|
||||
*
|
||||
* @param int|array $id id of entry or entry array
|
||||
* @param int $check EGW_ACL_READ for read and EGW_ACL_EDIT for write or delete access
|
||||
* @param string $rel_path=null currently not used in InfoLog
|
||||
* @param int $user=null for which user to check, default current user
|
||||
* @return boolean true if access is granted or false otherwise
|
||||
*/
|
||||
function file_access($id,$check,$rel_path=null,$user=null)
|
||||
{
|
||||
return $this->check_perms($check,$id,false,$user);
|
||||
}
|
||||
|
||||
/**
|
||||
@ -1382,17 +1413,6 @@ class addressbook_bo extends addressbook_so
|
||||
|
||||
return $this->link_query($pattern,$options);
|
||||
}
|
||||
/**
|
||||
* Check access to the projects file store
|
||||
*
|
||||
* @param int $id id of entry
|
||||
* @param int $check EGW_ACL_READ for read and EGW_ACL_EDIT for write or delete access
|
||||
* @return boolean true if access is granted or false otherwise
|
||||
*/
|
||||
function file_access($id,$check,$rel_path)
|
||||
{
|
||||
return $this->check_perms($check,$id);
|
||||
}
|
||||
|
||||
/**
|
||||
* returns info about contacts for calender
|
||||
|
||||
@ -362,6 +362,7 @@ class addressbook_hooks
|
||||
'add_app' => 'link_app',
|
||||
'add_id' => 'link_id',
|
||||
'add_popup' => '870x440',
|
||||
'file_access_user' => true, // file_access supports 4th parameter $user
|
||||
'file_access'=> 'addressbook.addressbook_bo.file_access',
|
||||
'default_types' => array('n' => array('name' => 'contact', 'options' => array('icon' => 'navbar.png','template' => 'addressbook.edit'))),
|
||||
// registers an addtional type 'addressbook-email', returning only contacts with email, title has email appended
|
||||
|
||||
@ -6,7 +6,7 @@
|
||||
* @author Cornelius Weiss <egw-AT-von-und-zu-weiss.de>
|
||||
* @author Ralf Becker <RalfBecker-AT-outdoor-training.de>
|
||||
* @package addressbook
|
||||
* @copyright (c) 2005-10 by Ralf Becker <RalfBecker-AT-outdoor-training.de>
|
||||
* @copyright (c) 2005-11 by Ralf Becker <RalfBecker-AT-outdoor-training.de>
|
||||
* @copyright (c) 2005/6 by Cornelius Weiss <egw@von-und-zu-weiss.de>
|
||||
* @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License
|
||||
* @version $Id$
|
||||
@ -233,15 +233,6 @@ class addressbook_so
|
||||
$this->contact_repository = 'ldap';
|
||||
$this->somain = new addressbook_ldap();
|
||||
|
||||
if ($this->user) // not set eg. in setup
|
||||
{
|
||||
// static grants from ldap: all rights for the own personal addressbook and the group ones of the meberships
|
||||
$this->grants = array($this->user => ~0);
|
||||
foreach($this->memberships as $gid)
|
||||
{
|
||||
$this->grants[$gid] = ~0;
|
||||
}
|
||||
}
|
||||
$this->columns_to_search = $this->ldap_search_attributes;
|
||||
}
|
||||
else // sql or sql->ldap
|
||||
@ -252,15 +243,13 @@ class addressbook_so
|
||||
}
|
||||
$this->somain = new addressbook_sql($db);
|
||||
|
||||
if ($this->user) // not set eg. in setup
|
||||
{
|
||||
// group grants are now grants for the group addressbook and NOT grants for all its members,
|
||||
// therefor the param false!
|
||||
$this->grants = $GLOBALS['egw']->acl->get_grants($contact_app,false);
|
||||
}
|
||||
// remove some columns, absolutly not necessary to search in sql
|
||||
$this->columns_to_search = array_diff(array_values($this->somain->db_cols),$this->sql_cols_not_to_search);
|
||||
}
|
||||
if ($this->user)
|
||||
{
|
||||
$this->grants = $this->get_grants($this->user);
|
||||
}
|
||||
if ($this->account_repository == 'ldap' && $this->contact_repository == 'sql')
|
||||
{
|
||||
if ($this->account_repository != $this->contact_repository)
|
||||
@ -338,6 +327,40 @@ class addressbook_so
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Get grants for a given user, taking into account static LDAP ACL
|
||||
*
|
||||
* @param int $user
|
||||
* @return array
|
||||
*/
|
||||
function get_grants($user)
|
||||
{
|
||||
if ($user)
|
||||
{
|
||||
// contacts backend (contacts in LDAP require accounts in LDAP!)
|
||||
if($GLOBALS['egw_info']['server']['contact_repository'] == 'ldap' && $this->account_repository == 'ldap')
|
||||
{
|
||||
// static grants from ldap: all rights for the own personal addressbook and the group ones of the meberships
|
||||
$grants = array($user => ~0);
|
||||
foreach($GLOBALS['egw']->accounts->memberships($user,true) as $gid)
|
||||
{
|
||||
$grants[$gid] = ~0;
|
||||
}
|
||||
}
|
||||
else // sql or sql->ldap
|
||||
{
|
||||
// group grants are now grants for the group addressbook and NOT grants for all its members,
|
||||
// therefor the param false!
|
||||
$grants = $GLOBALS['egw']->acl->get_grants($contact_app,false,$user);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
$grants = array();
|
||||
}
|
||||
return $grants;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if the user is an admin (can unconditionally edit accounts)
|
||||
*
|
||||
|
||||
Loading…
Reference in New Issue
Block a user