From de74e8b6ce21a12f90c499b67fc10b2ba31843ff Mon Sep 17 00:00:00 2001 From: Ralf Becker Date: Fri, 21 Mar 2008 11:49:28 +0000 Subject: [PATCH] "using global db object" --- phpgwapi/inc/class.acl.inc.php | 1362 ++++++++++++++++---------------- 1 file changed, 660 insertions(+), 702 deletions(-) diff --git a/phpgwapi/inc/class.acl.inc.php b/phpgwapi/inc/class.acl.inc.php index 142678a518..8330e3ac83 100644 --- a/phpgwapi/inc/class.acl.inc.php +++ b/phpgwapi/inc/class.acl.inc.php @@ -1,349 +1,279 @@ * - * Security scheme based on ACL design * - * Copyright (C) 2000, 2001 Dan Kuykendall * - * -------------------------------------------------------------------------* - * This library is part of the eGroupWare API * - * http://www.egroupware.org/api * - * ------------------------------------------------------------------------ * - * This library is free software; you can redistribute it and/or modify it * - * under the terms of the GNU Lesser General Public License as published by * - * the Free Software Foundation; either version 2.1 of the License, * - * or any later version. * - * This library is distributed in the hope that it will be useful, but * - * WITHOUT ANY WARRANTY; without even the implied warranty of * - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. * - * See the GNU Lesser General Public License for more details. * - * You should have received a copy of the GNU Lesser General Public License * - * along with this library; if not, write to the Free Software Foundation, * - * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * - \**************************************************************************/ +/** + * eGroupWare API - Applications + * + * @link http://www.egroupware.org + * @author Dan Kuykendall + * Copyright (C) 2000, 2001 Dan Kuykendall + * @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License + * @package api + * @subpackage accounts + * @version $Id$ + */ - /* $Id$ */ +/** + * Access Control List System + * + * This class provides an ACL security scheme. + * This can manage rights to 'run' applications, and limit certain features within an application. + * It is also used for granting a user "membership" to a group, or making a user have the security equivilance of another user. + * It is also used for granting a user or group rights to various records, such as todo or calendar items of another user. + * $acl =& CreateObject('phpgwapi.acl',5); // 5 is the user id + */ +class acl +{ + /** + * @var int $account_id the account-id this class is instanciated for + */ + var $account_id = 0; + /** + * @var $account_type + */ + var $account_type; + /** + * @var array $data internal repository with acl rows for the given app and account-id (incl. memberships) + */ + var $data = Array(); + /** + * internal copy of the db-object + * + * @var egw_db + */ + var $db; + /** + * @var string $table_name name of the acl_table + */ + const TABLE = 'egw_acl'; /** - * Access Control List System + * ACL constructor for setting account id * - * This class provides an ACL security scheme. - * This can manage rights to 'run' applications, and limit certain features within an application. - * It is also used for granting a user "membership" to a group, or making a user have the security equivilance of another user. - * It is also used for granting a user or group rights to various records, such as todo or calendar items of another user. - * $acl =& CreateObject('phpgwapi.acl',5); // 5 is the user id + * Sets the ID for $acl->account_id. Can be used to change a current instances id as well. + * Some functions are specific to this account, and others are generic. * - * @author Seek3r and others - * @copyright LGPL - * @package api - * @subpackage accounts - * @access public + * @example acl->acl(5); // 5 is the user id + * @param int $account_id int-the user id */ - class acl + function acl($account_id = '') { - /** - * @var int $account_id the account-id this class is instanciated for - */ - var $account_id = 0; - /** - * @var $account_type - */ - var $account_type; - /** - * @var array $data internal repository with acl rows for the given app and account-id (incl. memberships) - */ - var $data = Array(); - /** - * internal copy of the db-object - * - * @var egw_db - */ - var $db; - /** - * @var string $table_name name of the acl_table - */ - var $table_name = 'egw_acl'; - - /** - * ACL constructor for setting account id - * - * Sets the ID for $acl->account_id. Can be used to change a current instances id as well. - * Some functions are specific to this account, and others are generic. - * - * @example acl->acl(5); // 5 is the user id - * @param int $account_id int-the user id - */ - function acl($account_id = '') + if (is_object($GLOBALS['egw_setup']->db)) { - if (is_object($GLOBALS['egw_setup']->db)) - { - $this->db = clone($GLOBALS['egw_setup']->db); - } - else - { - $this->db = clone($GLOBALS['egw']->db); - } - $this->db->set_app('phpgwapi'); + $this->db = $GLOBALS['egw_setup']->db; + } + else + { + $this->db = $GLOBALS['egw']->db; + } + if ((int)$this->account_id != (int)$account_id) + { + $this->account_id = get_account_id((int)$account_id,@$GLOBALS['egw_info']['user']['account_id']); + } + } - if ((int)$this->account_id != (int)$account_id) - { - $this->account_id = get_account_id((int)$account_id,@$GLOBALS['egw_info']['user']['account_id']); - } + function DONTlist_methods($_type='xmlrpc') + { + /* + This handles introspection or discovery by the logged in client, + in which case the input might be an array. The server always calls + this function to fill the server dispatch map using a string. + */ + + if (is_array($_type)) + { + $_type = $_type['type'] ? $_type['type'] : $_type[0]; } - function DONTlist_methods($_type='xmlrpc') + switch($_type) { - /* - This handles introspection or discovery by the logged in client, - in which case the input might be an array. The server always calls - this function to fill the server dispatch map using a string. - */ + case 'xmlrpc': + $xml_functions = array( + 'read_repository' => array( + 'function' => 'read_repository', + 'signature' => array(array(xmlrpcStruct)), + 'docstring' => lang('FIXME!') + ), + 'get_rights' => array( + 'function' => 'get_rights', + 'signature' => array(array(xmlrpcStruct,xmlrpcStruct)), + 'docstring' => lang('FIXME!') - if (is_array($_type)) + ), + 'list_methods' => array( + 'function' => 'list_methods', + 'signature' => array(array(xmlrpcStruct,xmlrpcString)), + 'docstring' => lang('Read this list of methods.') + ) + ); + return $xml_functions; + break; + case 'soap': + return $this->soap_functions; + break; + default: + return array(); + break; + } + } + + /**************************************************************************\ + * These are the standard $this->account_id specific functions * + \**************************************************************************/ + + /** + * Read acl records for $acl->account_id from reposity + * + * @internal + * @return array along with storing it in $acl->data.
+ */ + function read_repository() + { + // For some reason, calling this via XML-RPC doesn't call the constructor. + // Here is yet another work around(tm) (jengo) + if (!$this->account_id) + { + $this->acl(); + } + $acl_acc_list = $GLOBALS['egw']->accounts->memberships($this->account_id,true); + @array_unshift($acl_acc_list,$this->account_id); + + + $this->data = Array(); + foreach($this->db->select(acl::TABLE,'*',array('acl_account' => $acl_acc_list ),__LINE__,__FILE__) as $row) + { + $this->data[$row['acl_appname'].'-'.$row['acl_location'].'-'.$row['acl_account']] = egw_db::strip_array_keys($row,'acl_'); + } + return $this->data; + } + + /** + * Read acl records from $acl->data + * + * @return array all ACL records from $this->data. + */ + function read() + { + if (!count($this->data)) + { + $this->read_repository(); + } + return $this->data; + } + + /** + * Adds ACL record to the repository of the class + * + * Adds ACL record to $this->data. + * + * @param string $appname default False derives value from $GLOBALS['egw_info']['flags']['currentapp'] + * @param string $location location + * @param int $rights rights + * @return array all ACL records from $this->data. + */ + function add($appname,$location,$rights) + { + if (!$appname) $appname = $GLOBALS['egw_info']['flags']['currentapp']; + + $row = array( + 'appname' => $appname, + 'location' => $location, + 'account' => (int) $this->account_id, + 'rights' => (int) $rights + ); + $this->data[$row['appname'].'-'.$row['location'].'-'.$row['account']] = $row; + + return $this->data; + } + + /** + * Delete ACL record in the repository of the class + * + * @param string $appname appname or '' for $GLOBALS['egw_info']['flags']['currentapp'] + * @param string/boolean $location location or false for all locations + * @return array all ACL records from $this->data. + */ + function delete($appname,$location) + { + if (!$appname) $appname = $GLOBALS['egw_info']['flags']['currentapp']; + + foreach($this->data as $idx => $value) + { + if ($value['appname'] == $appname && + ($location === false || $value['location'] == $location) && + $value['account'] == $this->account_id) { - $_type = $_type['type'] ? $_type['type'] : $_type[0]; - } - - switch($_type) - { - case 'xmlrpc': - $xml_functions = array( - 'read_repository' => array( - 'function' => 'read_repository', - 'signature' => array(array(xmlrpcStruct)), - 'docstring' => lang('FIXME!') - ), - 'get_rights' => array( - 'function' => 'get_rights', - 'signature' => array(array(xmlrpcStruct,xmlrpcStruct)), - 'docstring' => lang('FIXME!') - - ), - 'list_methods' => array( - 'function' => 'list_methods', - 'signature' => array(array(xmlrpcStruct,xmlrpcString)), - 'docstring' => lang('Read this list of methods.') - ) - ); - return $xml_functions; - break; - case 'soap': - return $this->soap_functions; - break; - default: - return array(); - break; + unset($this->data[$idx]); } } + return $this->data; + } - /**************************************************************************\ - * These are the standard $this->account_id specific functions * - \**************************************************************************/ + /** + * save the internal repository or the class + * + * @return array all ACL records from $this->data. + */ + function save_repository() + { + $this->db->delete(acl::TABLE,array( + 'acl_account' => $this->account_id, + ),__LINE__,__FILE__); - /** - * Read acl records for $acl->account_id from reposity - * - * @internal - * @return array along with storing it in $acl->data.
- */ - function read_repository() + foreach($this->data as $value) { - // For some reason, calling this via XML-RPC doesn't call the constructor. - // Here is yet another work around(tm) (jengo) - if (!$this->account_id) + if ($value['account'] == $this->account_id) { - $this->acl(); + $this->db->insert(acl::TABLE,array( + 'acl_appname' => $value['appname'], + 'acl_location' => $value['location'], + 'acl_account' => $this->account_id, + 'acl_rights' => $value['rights'], + ),false,__LINE__,__FILE__); } - $acl_acc_list = $GLOBALS['egw']->accounts->memberships($this->account_id,true); - @array_unshift($acl_acc_list,$this->account_id); - $this->db->select($this->table_name,'*',array('acl_account' => $acl_acc_list ),__LINE__,__FILE__); - - $this->data = Array(); - while(($row = $this->db->row(true,'acl_'))) - { - $this->data[$row['appname'].'-'.$row['location'].'-'.$row['account']] = $row; - } - return $this->data; + } + if ($this->account_id == $GLOBALS['egw_info']['user']['account_id'] && + method_exists($GLOBALS['egw'],'invalidate_session_cache')) // egw object in setup is limited + { + $GLOBALS['egw']->invalidate_session_cache(); + } + return $this->data; + } + + /**************************************************************************\ + * These are the non-standard $this->account_id specific functions * + \**************************************************************************/ + + /** + * get rights from the class repository (included rights of $this->account_id and all it's memberships) + * + * @param string $location app location to get rights from + * @param string $appname optional defaults to $GLOBALS['egw_info']['flags']['currentapp']; + * @return int all rights or'ed together + */ + function get_rights($location,$appname = '') + { + // For XML-RPC, change this once its working correctly for passing parameters (jengo) + if (is_array($location)) + { + $appname = $location['appname']; + $location = $location['location']; } - /** - * Read acl records from $acl->data - * - * @return array all ACL records from $this->data. - */ - function read() + if (!count($this->data)) { - if (!count($this->data)) - { - $this->read_repository(); - } - return $this->data; + $this->read_repository(); } + if (!$appname) $appname = $GLOBALS['egw_info']['flags']['currentapp']; - /** - * Adds ACL record to the repository of the class - * - * Adds ACL record to $this->data. - * - * @param string $appname default False derives value from $GLOBALS['egw_info']['flags']['currentapp'] - * @param string $location location - * @param int $rights rights - * @return array all ACL records from $this->data. - */ - function add($appname,$location,$rights) + if (!count($this->data) && $GLOBALS['egw_info']['server']['acl_default'] != 'deny') { - if (!$appname) $appname = $GLOBALS['egw_info']['flags']['currentapp']; - - $row = array( - 'appname' => $appname, - 'location' => $location, - 'account' => (int) $this->account_id, - 'rights' => (int) $rights - ); - $this->data[$row['appname'].'-'.$row['location'].'-'.$row['account']] = $row; - - return $this->data; + return True; } - - /** - * Delete ACL record in the repository of the class - * - * @param string $appname appname or '' for $GLOBALS['egw_info']['flags']['currentapp'] - * @param string/boolean $location location or false for all locations - * @return array all ACL records from $this->data. - */ - function delete($appname,$location) + $rights = 0; + foreach($this->data as $idx => $value) { - if (!$appname) $appname = $GLOBALS['egw_info']['flags']['currentapp']; - - foreach($this->data as $idx => $value) + if ($value['appname'] == $appname) { - if ($value['appname'] == $appname && - ($location === false || $value['location'] == $location) && - $value['account'] == $this->account_id) - { - unset($this->data[$idx]); - } - } - return $this->data; - } - - /** - * save the internal repository or the class - * - * @return array all ACL records from $this->data. - */ - function save_repository() - { - $this->db->delete($this->table_name,array( - 'acl_account' => $this->account_id, - ),__LINE__,__FILE__); - - foreach($this->data as $value) - { - if ($value['account'] == $this->account_id) - { - $this->db->insert($this->table_name,array( - 'acl_appname' => $value['appname'], - 'acl_location' => $value['location'], - 'acl_account' => $this->account_id, - 'acl_rights' => $value['rights'], - ),false,__LINE__,__FILE__); - } - } - if ($this->account_id == $GLOBALS['egw_info']['user']['account_id'] && - method_exists($GLOBALS['egw'],'invalidate_session_cache')) // egw object in setup is limited - { - $GLOBALS['egw']->invalidate_session_cache(); - } - return $this->data; - } - - /**************************************************************************\ - * These are the non-standard $this->account_id specific functions * - \**************************************************************************/ - - /** - * get rights from the class repository (included rights of $this->account_id and all it's memberships) - * - * @param string $location app location to get rights from - * @param string $appname optional defaults to $GLOBALS['egw_info']['flags']['currentapp']; - * @return int all rights or'ed together - */ - function get_rights($location,$appname = '') - { - // For XML-RPC, change this once its working correctly for passing parameters (jengo) - if (is_array($location)) - { - $appname = $location['appname']; - $location = $location['location']; - } - - if (!count($this->data)) - { - $this->read_repository(); - } - if (!$appname) $appname = $GLOBALS['egw_info']['flags']['currentapp']; - - if (!count($this->data) && $GLOBALS['egw_info']['server']['acl_default'] != 'deny') - { - return True; - } - $rights = 0; - foreach($this->data as $idx => $value) - { - if ($value['appname'] == $appname) - { - if ($value['location'] == $location || $value['location'] == 'everywhere') - { - if ($value['rights'] == 0) - { - return False; - } - $rights |= $value['rights']; - } - } - } - return $rights; - } - - /** - * check required rights agains the internal repository (included rights of $this->account_id and all it's memberships) - * - * @param $location app location - * @param $required required right to check against - * @param $appname optional defaults to currentapp - * @return boolean - */ - function check($location, $required, $appname = False) - { - $rights = $this->get_rights($location,$appname); - - return !!($rights & $required); - } - - /** - * get specific rights for this->account_id for an app location - * - * @param string $location app location - * @param string $appname='' optional defaults to currentapp - * @param int $account_id=0 optional defaults to $this->account_id - * @return int $rights - */ - function get_specific_rights($location, $appname = '') - { - if (!$appname) $appname = $GLOBALS['egw_info']['flags']['currentapp']; - - if (!count($this->data) && $GLOBALS['egw_info']['server']['acl_default'] != 'deny') - { - return True; - } - $rights = 0; - - foreach($this->data as $idx => $value) - { - if ($value['appname'] == $appname && - ($value['location'] == $location || $value['location'] == 'everywhere') && - $value['account'] == $this->account_id) + if ($value['location'] == $location || $value['location'] == 'everywhere') { if ($value['rights'] == 0) { @@ -352,429 +282,457 @@ $rights |= $value['rights']; } } - return $rights; } + return $rights; + } - /** - * check specific rights - * - * @param string $location app location - * @param int $required required rights - * @param string $appname optional defaults to currentapp - * @return boolean - */ - function check_specific($location, $required, $appname = '') + /** + * check required rights agains the internal repository (included rights of $this->account_id and all it's memberships) + * + * @param $location app location + * @param $required required right to check against + * @param $appname optional defaults to currentapp + * @return boolean + */ + function check($location, $required, $appname = False) + { + $rights = $this->get_rights($location,$appname); + + return !!($rights & $required); + } + + /** + * get specific rights for this->account_id for an app location + * + * @param string $location app location + * @param string $appname='' optional defaults to currentapp + * @param int $account_id=0 optional defaults to $this->account_id + * @return int $rights + */ + function get_specific_rights($location, $appname = '') + { + if (!$appname) $appname = $GLOBALS['egw_info']['flags']['currentapp']; + + if (!count($this->data) && $GLOBALS['egw_info']['server']['acl_default'] != 'deny') { - $rights = $this->get_specific_rights($location,$appname); - - return !!($rights & $required); - } - - /**************************************************************************\ - * These are the generic functions. Not specific to $this->account_id * - \**************************************************************************/ - - /** - * add repository information / rights for app/location/account_id to the database - * - * @param string $app appname - * @param string $location location - * @param int $account_id account id - * @param int $rights rights - * @return boolean allways true - */ - function add_repository($app, $location, $account_id, $rights) - { - //echo "

acl::add_repository('$app','$location',$account_id,$rights);

\n"; - $this->db->insert($this->table_name,array( - 'acl_rights' => $rights, - ),array( - 'acl_appname' => $app, - 'acl_location' => $location, - 'acl_account' => $account_id, - ),__LINE__,__FILE__); - - if ($account_id == $GLOBALS['egw_info']['user']['account_id'] && - method_exists($GLOBALS['egw'],'invalidate_session_cache')) // egw object in setup is limited - { - $GLOBALS['egw']->invalidate_session_cache(); - } return True; } + $rights = 0; - /** - * delete repository information / rights for app/location[/account_id] from the DB - * - * @param string $app appname - * @param string $location location - * @param int/boolean $account_id account id, default 0=$this->account_id, or false to delete all entries for $app/$location - * @return int number of rows deleted - */ - function delete_repository($app, $location, $accountid='') + foreach($this->data as $idx => $value) { - static $cache_accountid; - - $where = array( - 'acl_appname' => $app, - 'acl_location' => $location, - ); - if ($accountid !== false) + if ($value['appname'] == $appname && + ($value['location'] == $location || $value['location'] == 'everywhere') && + $value['account'] == $this->account_id) { - if(isset($cache_accountid[$accountid]) && $cache_accountid[$accountid]) - { - $where['acl_account'] = $cache_accountid[$accountid]; - } - else - { - $where['acl_account'] = $cache_accountid[$accountid] = get_account_id($accountid,$this->account_id); - } - } - if (method_exists($GLOBALS['egw'],'invalidate_session_cache')) // egw object in setup is limited - { - $GLOBALS['egw']->invalidate_session_cache(); - } - if ($app == '%' || $app == '%%') unset($where['acl_appname']); - - $this->db->delete($this->table_name,$where,__LINE__,__FILE__); - - return $this->db->affected_rows(); - } - - /** - * Get rights for a given account, location and application - * - * @param int $account_id - * @param string $location - * @param string $appname='' defaults to current app - * @return int/boolean rights or false if none exist - */ - function get_specific_rights_for_account($account_id,$location,$appname='') - { - if (!$appname) $appname = $GLOBALS['egw_info']['flags']['currentapp']; - - $this->db->select($this->table_name,'acl_rights',array( - 'acl_location' => $location, - 'acl_account' => $account_id, - 'acl_appname' => $appname, - ),__LINE__,__FILE__); - - return $this->db->next_record() ? $this->db->f('acl_rights') : false; - } - - /** - * Get all rights for a given location and application - * - * @param string $location - * @param string $appname='' defaults to current app - * @return array with account => rights pairs - */ - function get_all_rights($location,$appname='') - { - if (!$appname) $appname = $GLOBALS['egw_info']['flags']['currentapp']; - - $this->db->select($this->table_name,'acl_account,acl_rights',array( - 'acl_location' => $location, - 'acl_appname' => $appname, - ),__LINE__,__FILE__); - - $rights = array(); - while($this->db->next_record()) - { - $rights[$this->db->f('acl_account')] = $this->db->f('acl_rights'); - } - return $rights; - } - - /** - * Get the rights for all locations - * - * @param int $account_id - * @param string $appname='' defaults to current app - * @param boolean $use_memberships=true - * @return array with location => rights pairs - */ - function get_all_location_rights($account_id,$appname='',$use_memberships=true) - { - if (!$appname) $appname = $GLOBALS['egw_info']['flags']['currentapp']; - - $accounts = array($account_id); - if ($use_memberships) - { - foreach((array)$GLOBALS['egw']->accounts->membership($account_id) as $group) - { - $accounts[] = $group['account_id']; - } - } - $this->db->select($this->table_name,'acl_location,acl_rights',array( - 'acl_account' => $accounts, - 'acl_appname' => $appname, - ),__LINE__,__FILE__); - - $rights = array(); - while($this->db->next_record()) - { - $rights[$this->db->f('acl_location')] |= $this->db->f('acl_rights'); - } - return $rights; - } - - /** - * get application list for an account id - * - * @param string $location location - * @param int $required required rights - * @param int $account_id account id defaults to $GLOBALS['egw_info']['user']['account_id']; - * @return array/boolean false if there are no matching row in the db, else array with app-names - */ - function get_app_list_for_id($location, $required, $accountid = '') - { - static $cache_accountid; - - if($cache_accountid[$accountid]) - { - $account_id = $cache_accountid[$accountid]; - } - else - { - $account_id = get_account_id($accountid,$this->account_id); - $cache_accountid[$accountid] = $account_id; - } - $this->db->select($this->table_name,array('acl_appname','acl_rights'),array( - 'acl_location' => $location, - 'acl_account' => $account_id, - ),__LINE__,__FILE__); - - $rights = 0; - $apps = false; - while ($this->db->next_record()) - { - if ($this->db->f('acl_rights') == 0) + if ($value['rights'] == 0) { return False; } - $rights |= $this->db->f('acl_rights'); - if (!!($rights & $required)) - { - $apps[] = $this->db->f('acl_appname'); - } + $rights |= $value['rights']; } - return $apps; } + return $rights; + } - /** - * get location list for id - * - * @param string $app app - * @param int $required required rights - * @param int $accountid optional defaults to $GLOBALS['egw_info']['user']['account_id']; - * @return array/boolean false if there are no matching rows in the db or array with location-strings - */ - function get_location_list_for_id($app, $required, $accountid = '') + /** + * check specific rights + * + * @param string $location app location + * @param int $required required rights + * @param string $appname optional defaults to currentapp + * @return boolean + */ + function check_specific($location, $required, $appname = '') + { + $rights = $this->get_specific_rights($location,$appname); + + return !!($rights & $required); + } + + /**************************************************************************\ + * These are the generic functions. Not specific to $this->account_id * + \**************************************************************************/ + + /** + * add repository information / rights for app/location/account_id to the database + * + * @param string $app appname + * @param string $location location + * @param int $account_id account id + * @param int $rights rights + * @return boolean allways true + */ + function add_repository($app, $location, $account_id, $rights) + { + //echo "

acl::add_repository('$app','$location',$account_id,$rights);

\n"; + $this->db->insert(acl::TABLE,array( + 'acl_rights' => $rights, + ),array( + 'acl_appname' => $app, + 'acl_location' => $location, + 'acl_account' => $account_id, + ),__LINE__,__FILE__); + + if ($account_id == $GLOBALS['egw_info']['user']['account_id'] && + method_exists($GLOBALS['egw'],'invalidate_session_cache')) // egw object in setup is limited { - static $cache_accountid; - - if($cache_accountid[$accountid]) + $GLOBALS['egw']->invalidate_session_cache(); + } + return True; + } + + /** + * delete repository information / rights for app/location[/account_id] from the DB + * + * @param string $app appname + * @param string $location location + * @param int/boolean $account_id account id, default 0=$this->account_id, or false to delete all entries for $app/$location + * @return int number of rows deleted + */ + function delete_repository($app, $location, $accountid='') + { + static $cache_accountid; + + $where = array( + 'acl_appname' => $app, + 'acl_location' => $location, + ); + if ($accountid !== false) + { + if(isset($cache_accountid[$accountid]) && $cache_accountid[$accountid]) { - $accountid = $cache_accountid[$accountid]; + $where['acl_account'] = $cache_accountid[$accountid]; } else { - $accountid = $cache_accountid[$accountid] = get_account_id($accountid,$this->account_id); + $where['acl_account'] = $cache_accountid[$accountid] = get_account_id($accountid,$this->account_id); } - $this->db->select($this->table_name,'acl_location,acl_rights',array( - 'acl_appname' => $app, - 'acl_account' => $accountid, - ),__LINE__,__FILE__); - - $locations = false; - while ($this->db->next_record()) - { - if ($this->db->f('acl_rights') & $required) - { - $locations[] = $this->db->f('acl_location'); - } - } - return $locations; } - - /** - * get ids for location - * - * @param string $location location - * @param int $required required rights - * @param string $app app optional defaults to $GLOBALS['egw_info']['flags']['currentapp']; - * @return boolean/array false if there are no matching rows in the db or array of account-ids - */ - function get_ids_for_location($location, $required, $app = '') + if (method_exists($GLOBALS['egw'],'invalidate_session_cache')) // egw object in setup is limited { - if (!$app) $app = $GLOBALS['egw_info']['flags']['currentapp']; - - $this->db->select($this->table_name,array('acl_account','acl_rights'),array( - 'acl_appname' => $app, - 'acl_location' => $location, - ),__LINE__,__FILE__); - - $accounts = false; - while ($this->db->next_record()) - { - if (!!($this->db->f('acl_rights') & $required)) - { - $accounts[] = (int) $this->db->f('acl_account'); - } - } - return $accounts; + $GLOBALS['egw']->invalidate_session_cache(); } + if ($app == '%' || $app == '%%') unset($where['acl_appname']); - /** - * get the locations for an app (excluding the run location !!!) - * - * @param string $app app optional defaults to $GLOBALS['egw_info']['flags']['currentapp']; - * @return boolean/array false if there are no matching location in the db or array of locations - */ - function get_locations_for_app($app='') + $this->db->delete(acl::TABLE,$where,__LINE__,__FILE__); + + return $this->db->affected_rows(); + } + + /** + * Get rights for a given account, location and application + * + * @param int $account_id + * @param string $location + * @param string $appname='' defaults to current app + * @return int/boolean rights or false if none exist + */ + function get_specific_rights_for_account($account_id,$location,$appname='') + { + if (!$appname) $appname = $GLOBALS['egw_info']['flags']['currentapp']; + + return $this->db->select(acl::TABLE,'acl_rights',array( + 'acl_location' => $location, + 'acl_account' => $account_id, + 'acl_appname' => $appname, + ),__LINE__,__FILE__)->fetchSingle(); + } + + /** + * Get all rights for a given location and application + * + * @param string $location + * @param string $appname='' defaults to current app + * @return array with account => rights pairs + */ + function get_all_rights($location,$appname='') + { + if (!$appname) $appname = $GLOBALS['egw_info']['flags']['currentapp']; + + $rights = array(); + foreach($this->db->select(acl::TABLE,'acl_account,acl_rights',array( + 'acl_location' => $location, + 'acl_appname' => $appname, + ),__LINE__,__FILE__) as $row) { - if (!$app) $app = $GLOBALS['egw_info']['flags']['currentapp']; - - $this->db->select($this->table_name,'DISTINCT '.'acl_location',array( - 'acl_appname' => $app, - ),__LINE__,__FILE__); - - $locations = false; - while ($this->db->next_record()) - { - if (($location = $this->db->f(0)) != 'run') - { - $locations[] = $location; - } - } - return $locations; + $rights[$row['acl_account']] = $row['acl_rights']; } + return $rights; + } - /** - * get a list of applications a user has rights to - * - * @param int $account_id optional defaults to $GLOBALS['egw_info']['user']['account_id']; - * @return boolean/array containing list of apps or false if there are none - */ - function get_user_applications($accountid = '') + /** + * Get the rights for all locations + * + * @param int $account_id + * @param string $appname='' defaults to current app + * @param boolean $use_memberships=true + * @return array with location => rights pairs + */ + function get_all_location_rights($account_id,$appname='',$use_memberships=true) + { + if (!$appname) $appname = $GLOBALS['egw_info']['flags']['currentapp']; + + $accounts = array($account_id); + if ($use_memberships) { - static $cache_accountid; - - if($cache_accountid[$accountid]) - { - $account_id = $cache_accountid[$accountid]; - } - else - { - $account_id = get_account_id($accountid,$this->account_id); - $cache_accountid[$accountid] = $account_id; - } - $memberships = array($account_id); foreach((array)$GLOBALS['egw']->accounts->membership($account_id) as $group) { - $memberships[] = $group['account_id']; + $accounts[] = $group['account_id']; } - $db2 = clone($this->db); - $db2->select($this->table_name,array('acl_appname','acl_rights'),array( - 'acl_location' => 'run', - 'acl_account' => $memberships, - ),__LINE__,__FILE__); - - $apps = false; - while ($db2->next_record()) - { - $app = $db2->f('acl_appname'); - if(!isset($apps[$app])) - { - $apps[$app] = 0; - } - $apps[$app] |= (int) $db2->f('acl_rights'); - } - return $apps; } - - /** - * Read the grants other users gave $this->account_id for $app, group ACL is taken into account - * - * @param string $app optional defaults to $GLOBALS['egw_info']['flags']['currentapp'] - * @param boolean/array $enum_group_acls=true should group acls be returned for all members of that group, default yes - * if an array of group-id's is given, that id's will NOT be enumerated! - * @return array with account-ids (of owners) and granted rights as values - */ - function get_grants($app='',$enum_group_acls=true) + $rights = array(); + foreach($this->db->select(acl::TABLE,'acl_location,acl_rights',array( + 'acl_account' => $accounts, + 'acl_appname' => $appname, + ),__LINE__,__FILE__) as $row) { - if (!$app) $app = $GLOBALS['egw_info']['flags']['currentapp']; - - $memberships = array($this->account_id); - foreach((array)$GLOBALS['egw']->accounts->membership($this->account_id) as $group) - { - $memberships[] = $group['account_id']; - } - $db2 = clone($this->db); - $db2->select($this->table_name,array('acl_account','acl_rights','acl_location'),array( - 'acl_appname' => $app, - 'acl_location' => $memberships, - ),__LINE__,__FILE__); - - $grants = $accounts = Array(); - while ($db2->next_record()) - { - $grantor = $db2->f('acl_account'); - $rights = $db2->f('acl_rights'); - $granted_to = (int) $db2->f('acl_location'); - - if(!isset($grants[$grantor])) - { - $grants[$grantor] = 0; - } - $grants[$grantor] |= $rights; - - // if the right is granted from a group and we enummerated group ACL's - if ($GLOBALS['egw']->accounts->get_type($grantor) == 'g' && $enum_group_acls && - (!is_array($enum_group_acls) || !in_array($grantor,$enum_group_acls))) - { - // return the grant for each member of the group - foreach((array)$GLOBALS['egw']->accounts->member($grantor) as $member) - { - if (!$member) continue; // can happen if group has no members - - // Don't allow to override private with group ACL's! - $rights &= ~EGW_ACL_PRIVATE; - - $grantor = $member['account_id']; - - if(!isset($grants[$grantor])) - { - $grants[$grantor] = 0; - } - $grants[$grantor] |= $rights; - } - } - } - // user has implizit all rights on own data - $grants[$GLOBALS['egw_info']['user']['account_id']] = ~0; - - //echo "acl::get_grants('$app',$enum_group_acls) ".function_backtrace(); _debug_array($grants); - return $grants; + $rights[$row['acl_location']] |= $row['acl_rights']; } + return $rights; + } + + /** + * get application list for an account id + * + * @param string $location location + * @param int $required required rights + * @param int $account_id account id defaults to $GLOBALS['egw_info']['user']['account_id']; + * @return array/boolean false if there are no matching row in the db, else array with app-names + */ + function get_app_list_for_id($location, $required, $accountid = '') + { + static $cache_accountid; + + if($cache_accountid[$accountid]) + { + $account_id = $cache_accountid[$accountid]; + } + else + { + $account_id = get_account_id($accountid,$this->account_id); + $cache_accountid[$accountid] = $account_id; + } + $rights = 0; + $apps = false; + foreach($this->db->select(acl::TABLE,array('acl_appname','acl_rights'),array( + 'acl_location' => $location, + 'acl_account' => $account_id, + ),__LINE__,__FILE__) as $row) + { + if ($row['acl_rights'] == 0) + { + return False; + } + $rights |= $row['acl_rights']; + if (!!($rights & $required)) + { + $apps[] = $row['acl_appname']; + } + } + return $apps; + } + + /** + * get location list for id + * + * @param string $app app + * @param int $required required rights + * @param int $accountid optional defaults to $GLOBALS['egw_info']['user']['account_id']; + * @return array/boolean false if there are no matching rows in the db or array with location-strings + */ + function get_location_list_for_id($app, $required, $accountid = '') + { + static $cache_accountid; - /** - * Deletes all ACL entries for an account (user or group) - * - * @param int $account_id acount-id - */ - function delete_account($account_id) + if($cache_accountid[$accountid]) { - if ((int) $account_id) + $accountid = $cache_accountid[$accountid]; + } + else + { + $accountid = $cache_accountid[$accountid] = get_account_id($accountid,$this->account_id); + } + $locations = false; + foreach($this->db->select(acl::TABLE,'acl_location,acl_rights',array( + 'acl_appname' => $app, + 'acl_account' => $accountid, + ),__LINE__,__FILE__) as $row) + { + if ($row['acl_rights'] & $required) { - $this->db->delete($this->table_name,array( - 'acl_account' => $account_id - ),__LINE__,__FILE__); - // delete all memberships in account_id (if it is a group) - $this->db->delete($this->table_name,array( - 'acl_appname' => 'phpgw_group', - 'acl_location' => $account_id, - ),__LINE__,__FILE__); + $locations[] = $row['acl_location']; } } - } //end of acl class + return $locations; + } + + /** + * get ids for location + * + * @param string $location location + * @param int $required required rights + * @param string $app app optional defaults to $GLOBALS['egw_info']['flags']['currentapp']; + * @return boolean/array false if there are no matching rows in the db or array of account-ids + */ + function get_ids_for_location($location, $required, $app = '') + { + if (!$app) $app = $GLOBALS['egw_info']['flags']['currentapp']; + + $accounts = false; + foreach($this->db->select(acl::TABLE,array('acl_account','acl_rights'),array( + 'acl_appname' => $app, + 'acl_location' => $location, + ),__LINE__,__FILE__) as $row) + { + if (!!($row['acl_rights'] & $required)) + { + $accounts[] = (int) $row['acl_account']; + } + } + return $accounts; + } + + /** + * get the locations for an app (excluding the run location !!!) + * + * @param string $app app optional defaults to $GLOBALS['egw_info']['flags']['currentapp']; + * @return boolean/array false if there are no matching location in the db or array of locations + */ + function get_locations_for_app($app='') + { + if (!$app) $app = $GLOBALS['egw_info']['flags']['currentapp']; + + $locations = false; + foreach($this->db->select(acl::TABLE,'DISTINCT '.'acl_location',array( + 'acl_appname' => $app, + ),__LINE__,__FILE__) as $row) + { + if (($location = $row['acl_location']) != 'run') + { + $locations[] = $location; + } + } + return $locations; + } + + /** + * get a list of applications a user has rights to + * + * @param int $account_id optional defaults to $GLOBALS['egw_info']['user']['account_id']; + * @return boolean/array containing list of apps or false if there are none + */ + function get_user_applications($accountid = '') + { + static $cache_accountid; + + if($cache_accountid[$accountid]) + { + $account_id = $cache_accountid[$accountid]; + } + else + { + $account_id = get_account_id($accountid,$this->account_id); + $cache_accountid[$accountid] = $account_id; + } + $memberships = $GLOBALS['egw']->accounts->memberships($account_id,true); + $memberships[] = $account_id; + + $apps = false; + foreach($this->db->select(acl::TABLE,array('acl_appname','acl_rights'),array( + 'acl_location' => 'run', + 'acl_account' => $memberships, + ),__LINE__,__FILE__) as $row) + { + $app = $row['acl_appname']; + if(!isset($apps[$app])) + { + $apps[$app] = 0; + } + $apps[$app] |= (int) $row['acl_rights']; + } + return $apps; + } + + /** + * Read the grants other users gave $this->account_id for $app, group ACL is taken into account + * + * @param string $app optional defaults to $GLOBALS['egw_info']['flags']['currentapp'] + * @param boolean/array $enum_group_acls=true should group acls be returned for all members of that group, default yes + * if an array of group-id's is given, that id's will NOT be enumerated! + * @return array with account-ids (of owners) and granted rights as values + */ + function get_grants($app='',$enum_group_acls=true) + { + if (!$app) $app = $GLOBALS['egw_info']['flags']['currentapp']; + + $memberships = array($this->account_id); + foreach((array)$GLOBALS['egw']->accounts->membership($this->account_id) as $group) + { + $memberships[] = $group['account_id']; + } + $grants = $accounts = Array(); + foreach($this->db->select(acl::TABLE,array('acl_account','acl_rights','acl_location'),array( + 'acl_appname' => $app, + 'acl_location' => $memberships, + ),__LINE__,__FILE__) as $row) + { + $grantor = $row['acl_account']; + $rights = $row['acl_rights']; + $granted_to = (int) $row['acl_location']; + + if(!isset($grants[$grantor])) + { + $grants[$grantor] = 0; + } + $grants[$grantor] |= $rights; + + // if the right is granted from a group and we enummerated group ACL's + if ($GLOBALS['egw']->accounts->get_type($grantor) == 'g' && $enum_group_acls && + (!is_array($enum_group_acls) || !in_array($grantor,$enum_group_acls))) + { + // return the grant for each member of the group + foreach((array)$GLOBALS['egw']->accounts->member($grantor) as $member) + { + if (!$member) continue; // can happen if group has no members + + // Don't allow to override private with group ACL's! + $rights &= ~EGW_ACL_PRIVATE; + + $grantor = $member['account_id']; + + if(!isset($grants[$grantor])) + { + $grants[$grantor] = 0; + } + $grants[$grantor] |= $rights; + } + } + } + // user has implizit all rights on own data + $grants[$GLOBALS['egw_info']['user']['account_id']] = ~0; + + //echo "acl::get_grants('$app',$enum_group_acls) ".function_backtrace(); _debug_array($grants); + return $grants; + } + + /** + * Deletes all ACL entries for an account (user or group) + * + * @param int $account_id acount-id + */ + function delete_account($account_id) + { + if ((int) $account_id) + { + $this->db->delete(acl::TABLE,array( + 'acl_account' => $account_id + ),__LINE__,__FILE__); + // delete all memberships in account_id (if it is a group) + $this->db->delete(acl::TABLE,array( + 'acl_appname' => 'phpgw_group', + 'acl_location' => $account_id, + ),__LINE__,__FILE__); + } + } +} //end of acl class