forked from extern/egroupware
591 lines
18 KiB
PHP
591 lines
18 KiB
PHP
<?php
|
|
/**
|
|
* EGroupware - Mail Folder ACL- interface class
|
|
*
|
|
* @link http://www.egroupware.org
|
|
* @package mail
|
|
* @author Hadi Nategh [hn@egroupware.org]
|
|
* @copyright (c) 2013-16 by EGroupware GmbH <info-AT-egroupware.org>
|
|
* @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License
|
|
* @version $Id$
|
|
*/
|
|
|
|
/*
|
|
* Reference: RFC 4314 DOCUMENTATION - RIGHTS (https://tools.ietf.org/html/rfc4314)
|
|
*
|
|
* Standard Rights:
|
|
*
|
|
* The currently defined standard rights are (note that the list below
|
|
* doesn't list all commands that use a particular right):
|
|
*
|
|
* l - lookup (mailbox is visible to LIST/LSUB commands, SUBSCRIBE mailbox)
|
|
* r - read (SELECT the mailbox, perform STATUS)
|
|
* s - keep seen/unseen information across sessions (set or clear \SEEN flag
|
|
* via STORE, also set \SEEN during APPEND/COPY/ FETCH BODY[...])
|
|
* w - write (set or clear flags other than \SEEN and \DELETED via
|
|
* STORE, also set them during APPEND/COPY)
|
|
* i - insert (perform APPEND, COPY into mailbox)
|
|
* p - post (send mail to submission address for mailbox,
|
|
* not enforced by IMAP4 itself)
|
|
* k - create mailboxes (CREATE new sub-mailboxes in any
|
|
* implementation-defined hierarchy, parent mailbox for the new
|
|
* mailbox name in RENAME)
|
|
* x - delete mailbox (DELETE mailbox, old mailbox name in RENAME)
|
|
* t - delete messages (set or clear \DELETED flag via STORE, set
|
|
* \DELETED flag during APPEND/COPY)
|
|
* e - perform EXPUNGE and expunge as a part of CLOSE
|
|
* a - administer (perform SETACL/DELETEACL/GETACL/LISTRIGHTS)
|
|
*
|
|
*
|
|
*
|
|
* Obsolete Rights:
|
|
*
|
|
* Due to ambiguity in RFC 2086, some existing RFC 2086 server
|
|
* implementations use the "c" right to control the DELETE command.
|
|
* Others chose to use the "d" right to control the DELETE command. For
|
|
* the former group, let's define the "create" right as union of the "k"
|
|
* and "x" rights, and the "delete" right as union of the "e" and "t"
|
|
* rights. For the latter group, let's define the "create" rights as a
|
|
* synonym to the "k" right, and the "delete" right as union of the "e",
|
|
* "t", and "x" rights.
|
|
* For compatibility with RFC 2086, this section defines two virtual
|
|
* rights "d" and "c".
|
|
* If a client includes the "d" right in a rights list, then it MUST be
|
|
* treated as if the client had included every member of the "delete"
|
|
* right. (It is not an error for a client to specify both the "d"
|
|
* right and one or more members of the "delete" right, but the effect
|
|
* is no different than if just the "d" right or all members of the
|
|
* "delete" right had been specified.)
|
|
*
|
|
*/
|
|
|
|
|
|
use EGroupware\Api;
|
|
use EGroupware\Api\Framework;
|
|
use EGroupware\Api\Etemplate;
|
|
use EGroupware\Api\Mail;
|
|
|
|
class mail_acl
|
|
{
|
|
/**
|
|
* Methods callable via menuaction
|
|
*
|
|
* @var array
|
|
*/
|
|
var $public_functions = array(
|
|
'edit' => True,
|
|
);
|
|
|
|
/**
|
|
* static used define abbreviations for common access rights
|
|
*
|
|
* @array
|
|
*
|
|
*/
|
|
var $aclRightsAbbrvs = array(
|
|
'lrs' => array('label'=>'readable','title'=>'Allows a user to read the contents of the mailbox.'),
|
|
'lprs' => array('label'=>'post','title'=>'Allows a user to read the mailbox and post to it through the delivery system by sending mail to the submission address of the mailbox.'),
|
|
'ilprs' => array('label'=>'append','title'=>'Allows a user to read the mailbox and append messages to it, either via IMAP or through the delivery system.'),
|
|
'ilprsw' => array('label'=>'write','title'=>'Allows a user to read and write the maibox, post to it, append messages to it.'),
|
|
'eilprswtk' => array('label'=>'write & delete','title'=>'Allows a user to read, write and create folders and mails, post to it, append messages to it and delete messages.'),
|
|
'aeiklprstwx'=> array('label'=>'all','title'=>'The user has all possible rights on the mailbox. This is usually granted to users only on the mailboxes they own.'),
|
|
'custom' => array('label'=>'custom','title'=>'User defined combination of rights for the ACL'),
|
|
);
|
|
|
|
/**
|
|
* imap object instantiated in constructor for account to edit
|
|
*
|
|
* @var Mail\Imap
|
|
*/
|
|
var $imap;
|
|
|
|
/**
|
|
*
|
|
* @var mail_account
|
|
*/
|
|
var $current_account;
|
|
|
|
/**
|
|
* Edit folder ACLs of account(s)
|
|
*
|
|
* @param string $content = null
|
|
* @param string $msg = ''
|
|
*
|
|
*/
|
|
function edit(array $content=null ,$msg='')
|
|
{
|
|
$tmpl = new Etemplate('mail.acl');
|
|
if (!is_array($content))
|
|
{
|
|
$acc_id = $_GET['acc_id']?$_GET['acc_id']:$GLOBALS['egw_info']['user']['preferences']['mail']['ActiveProfileID'];
|
|
if (isset($_GET['account_id']) && !isset($GLOBALS['egw_info']['user']['apps']['admin']))
|
|
{
|
|
Framework::window_close(lang('Permission denied'));
|
|
}
|
|
$account_id = $_GET['account_id'];
|
|
}
|
|
else
|
|
{
|
|
$acc_id = $content['acc_id'];
|
|
$account_id = $content['account_id'];
|
|
}
|
|
$account = Mail\Account::read($acc_id, $account_id);
|
|
$this->imap = $account->imapServer(isset($account_id) ? (int)$account_id : false);
|
|
|
|
$mailbox = $_GET['mailbox']? base64_decode($_GET['mailbox']):
|
|
preg_replace("/^".$acc_id."::/",'',$content['mailbox'][0]);
|
|
if (empty($mailbox))
|
|
{
|
|
$mailbox = $this->imap->isAdminConnection ? $this->imap->getUserMailboxString($account_id) : 'INBOX';
|
|
}
|
|
if (!$this->imap->isAdminConnection)
|
|
{
|
|
$tmpl->setElementAttribute('mailbox', 'autocomplete_url', 'mail.mail_compose.ajax_searchFolder');
|
|
$tmpl->setElementAttribute('mailbox', 'autocomplete_params', array('mailaccount' => $acc_id));
|
|
}
|
|
else
|
|
{
|
|
//Todo: Implement autocomplete_url function with admin stuffs consideration
|
|
}
|
|
// Unset the content if folder is changed, in order to read acl rights for new selected folder
|
|
if (!is_array($content['button']) && is_array($content['mailbox']) && !is_array($content['grid']['delete'])) unset($content);
|
|
|
|
if (!is_array($content))
|
|
{
|
|
if (!empty($mailbox))
|
|
{
|
|
$content['mailbox'] = $mailbox;
|
|
$acl = (array)$this->retrieve_acl($mailbox, $msg);
|
|
if ($acl[0] === FALSE)
|
|
{
|
|
Api\Framework::window_close($msg);
|
|
}
|
|
$n = 1;
|
|
foreach ($acl as $key => $value)
|
|
{
|
|
$virtuals = array_pop(array_values((array)$value));
|
|
$rights = array_shift(array_values((array)$value));
|
|
|
|
foreach ($rights as $right)
|
|
{
|
|
$content['grid'][$n]['acl_'. $right] = true;
|
|
}
|
|
$virtualD = array('e','t');
|
|
$content['grid'][$n]['acl_c'] = array_diff($virtuals['c'],array_intersect($rights,$virtuals['c']))? false: true; //c=kx more information rfc4314, Obsolote Rights
|
|
$content['grid'][$n]['acl_d'] = array_diff($virtualD,array_intersect($rights,$virtuals['d']))? false: true; //d=et more information rfc4314, Obsolote Rights
|
|
|
|
sort($rights);
|
|
$acl_abbrvs = implode('',$rights);
|
|
|
|
if (array_key_exists($acl_abbrvs, $this->aclRightsAbbrvs))
|
|
{
|
|
$content['grid'][$n]['acl'] = $acl_abbrvs;
|
|
}
|
|
else
|
|
{
|
|
$content['grid'][$n]['acl'] = 'custom';
|
|
}
|
|
if (($user = $this->imap->getMailBoxAccountId($key)))
|
|
{
|
|
$content['grid'][$n++]['acc_id'] = $user;
|
|
}
|
|
else
|
|
{
|
|
$content['grid'][$n++]['acc_id'] = $key;
|
|
}
|
|
}
|
|
//error_log(__METHOD__."() acl=".array2string($acl).' --> grid='.array2string($content['grid']));
|
|
}
|
|
//Set the acl entry in the last row with lrs as default ACL
|
|
array_push($content['grid'], array(
|
|
'acc_id'=>'',
|
|
'acl_l' => true,
|
|
'acl_r' => true,
|
|
'acl_s' => true));
|
|
}
|
|
else
|
|
{
|
|
list($button) = @each($content['button']);
|
|
if (!empty ($content['grid']['delete']))
|
|
{
|
|
$button = 'delete';
|
|
}
|
|
switch ($button)
|
|
{
|
|
case 'save':
|
|
case 'apply':
|
|
if ($content)
|
|
{
|
|
$validation_err = $this->update_acl($content,$msg);
|
|
if ($validation_err)
|
|
{
|
|
foreach ($validation_err as &$row)
|
|
{
|
|
$tmpl->set_validation_error('grid['.$row.']'.'[acc_id]', "You must fill this field!");
|
|
}
|
|
}
|
|
|
|
//Add new row at the end
|
|
if ($content['grid'][count($content['grid'])]['acc_id'])
|
|
array_push($content['grid'], array('acc_id'=>''));
|
|
}
|
|
else
|
|
{
|
|
$msg .= "\n".lang("Error: Could not save ACL").' '.lang("reason!");
|
|
}
|
|
//Send message
|
|
Framework::message($msg);
|
|
if ($button == "apply") break;
|
|
Framework::window_close();
|
|
exit;
|
|
|
|
case 'delete':
|
|
$aclRvmCnt = $this->remove_acl($content, $msg);
|
|
if (is_array($aclRvmCnt))
|
|
{
|
|
$content['grid'] = $aclRvmCnt;
|
|
}
|
|
else
|
|
{
|
|
error_log(__METHOD__.__LINE__. "()" . "The remove_acl suppose to return an array back, something is wrong there");
|
|
}
|
|
Framework::message($msg);
|
|
}
|
|
}
|
|
$readonlys = $sel_options = array();
|
|
$sel_options['acl'] = $this->aclRightsAbbrvs;
|
|
|
|
//Make the account owner's fields all readonly as owner has all rights and should not be able to change them
|
|
foreach($content['grid'] as $key => $fields)
|
|
{
|
|
if (self::_extract_acc_id($fields['acc_id']) == $this->imap->acc_imap_username ||
|
|
$this->imap->getMailBoxUserName(self::_extract_acc_id($fields['acc_id'])) == $this->imap->acc_imap_username)
|
|
{
|
|
foreach (array_keys($fields) as $index)
|
|
{
|
|
$readonlys['grid'][$key][$index] = true;
|
|
}
|
|
$readonlys['grid']['delete['.$key.']'] = true;
|
|
$readonlys['grid'][$key]['acl_recursive'] = true;
|
|
$preserv ['grid'][$key] = $fields;
|
|
$preserv['grid'][$key]['acl_recursive'] = false;
|
|
}
|
|
if (count($content['grid']) != $key)
|
|
{
|
|
$preserv ['grid'][$key]['acc_id'] = self::_extract_acc_id($fields['acc_id']);
|
|
$preserv['grid'][$key]['acl_recursive'] = false;
|
|
$readonlys['grid'][$key]['acc_id'] = true;
|
|
}
|
|
}
|
|
//Make entry row's delete button readonly
|
|
$readonlys['grid']['delete['.count($content['grid']).']'] = true;
|
|
|
|
$preserv['mailbox'] = $content['mailbox'];
|
|
$preserv['acc_id'] = $acc_id;
|
|
$preserv['account_id'] = $account_id;
|
|
$content['grid']['account_type'] = $this->imap->supportsGroupAcl() ? 'both' : 'accounts';
|
|
|
|
// set a custom autocomplete method for mailbox taglist
|
|
if ($account_id)
|
|
{
|
|
$tmpl->setElementAttribute('mailbox', 'autocomplete_url', __CLASS__.'::ajax_folders');
|
|
$tmpl->setElementAttribute('mailbox', 'autocomplete_params', array(
|
|
'acc_id' => $acc_id,
|
|
'account_id' => $account_id,
|
|
));
|
|
}
|
|
|
|
$tmpl->exec('mail.mail_acl.edit', $content, $sel_options, $readonlys, $preserv,2);
|
|
}
|
|
|
|
/**
|
|
* Autocomplete for folder taglist
|
|
*
|
|
* @throws Api\Exception\NoPermission\Admin
|
|
*/
|
|
public static function ajax_folders()
|
|
{
|
|
if (!empty($_GET['account_id']) && !$GLOBALS['egw_info']['user']['apps']['admin'])
|
|
{
|
|
throw new Api\Exception\NoPermission\Admin;
|
|
}
|
|
$account = Mail\Account::read($_GET['acc_id'], $_GET['account_id']);
|
|
$imap = $account->imapServer(!empty($_GET['account_id']) ? (int)$_GET['account_id'] : false);
|
|
$mailbox = $imap->isAdminConnection ? $imap->getUserMailboxString($imap->isAdminConnection) : 'INBOX';
|
|
|
|
$folders = array();
|
|
foreach(self::getSubfolders($mailbox, $imap) as $folder)
|
|
{
|
|
if (stripos($folder, $_GET['query']) !== false)
|
|
{
|
|
$folders[] = array(
|
|
'id' => $folder,
|
|
'label' => $folder,
|
|
);
|
|
}
|
|
}
|
|
// switch regular JSON response handling off
|
|
Api\Json\Request::isJSONRequest(false);
|
|
|
|
header('Content-Type: application/json; charset=utf-8');
|
|
echo json_encode($folders);
|
|
|
|
exit;
|
|
}
|
|
|
|
/**
|
|
* Update ACL rights of a folder or including subfolders for an account(s)
|
|
*
|
|
* @param array $content content including the acl rights
|
|
* @param Boolean $recursive boolean flag FALSE|TRUE. If it is FALSE, only the folder take in to account, but in case of TRUE
|
|
* the mailbox including all its subfolders will be considered.
|
|
* @param string $msg Message
|
|
*
|
|
*/
|
|
function update_acl ($content, &$msg)
|
|
{
|
|
$validator = array();
|
|
|
|
foreach ($content['grid'] as $keys => $value)
|
|
{
|
|
$recursive = $value['acl_recursive'];
|
|
unset($value['acc_id']);
|
|
unset($value['acl_recursive']);
|
|
unset($value['acl']);
|
|
|
|
$options = array();
|
|
foreach (array_keys($value) as $key)
|
|
{
|
|
if ($value[$key] == true)
|
|
{
|
|
$right = explode("acl_" ,$key);
|
|
if ($right[1] === 'c') $right[1] = 'kx'; // c = kx , rfc 4314
|
|
if ($right[1] === 'd') $right[1] = 'et'; // d = et , rfc 4314
|
|
$options['rights'] .= $right[1];
|
|
}
|
|
}
|
|
$username = self::_extract_acc_id($content['grid'][$keys]['acc_id']);
|
|
|
|
//error_log(__METHOD__."(".__LINE__.") setACL($content[mailbox], $username, ".array2string($options).", $recursive)");
|
|
if (is_numeric($username) && ($u = $this->imap->getMailBoxUserName($username)))
|
|
{
|
|
$username = $u;
|
|
}
|
|
if (!empty($username))
|
|
{
|
|
//error_log(__METHOD__."() setACL($content[mailbox], $username, ".array2string($options).", $recursive)");
|
|
if (($ret=$this->setACL($content['mailbox'], $username, $options, $recursive, $msg)))
|
|
{
|
|
$msg = lang("The Folder %1 's ACLs saved", $content['mailbox']);
|
|
|
|
}
|
|
else
|
|
{
|
|
$msg = lang('Error while setting ACL for folder %1!', $content['mailbox']).' '.$msg;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
if($keys !== count($content['grid']))
|
|
{
|
|
array_push($validator, $keys);
|
|
$msg = lang("Could not save the ACL because some names are empty");
|
|
}
|
|
}
|
|
}
|
|
if (is_array($validator))
|
|
{
|
|
return $validator;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Retrieve Folder ACL rights
|
|
* @todo rights 'c' and 'd' should be fixed
|
|
*/
|
|
function retrieve_acl ($mailbox, &$msg)
|
|
{
|
|
if (($acl = $this->getACL($mailbox)))
|
|
{
|
|
$msg = lang('ACL rights retrieved successfully');
|
|
return $acl;
|
|
}
|
|
else
|
|
{
|
|
$msg = lang('Get ACL rights failed from IMAP server!');
|
|
return false;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* remove_acl
|
|
* This method take content of acl rights, and will delete the one from ACL IMAP,
|
|
* for selected folder and/or its subfolders
|
|
*
|
|
* @param Array $content content array of popup window
|
|
* @param string $msg message
|
|
*
|
|
* @return Array An array as new content for grid
|
|
*/
|
|
function remove_acl($content, &$msg)
|
|
{
|
|
$row_num = array_keys($content['grid']['delete'],"pressed");
|
|
if ($row_num) $row_num = $row_num[0];
|
|
$recursive = $content['grid'][$row_num]['acl_recursive'];
|
|
$identifier = self::_extract_acc_id($content['grid'][$row_num]['acc_id']);
|
|
$content['mailbox'] = is_array($content['mailbox'])? $content['mailbox'][0] : $content['mailbox'];
|
|
if (is_numeric($identifier) && ($u = $this->imap->getMailBoxUserName($identifier)))
|
|
{
|
|
$identifier = $u;
|
|
}
|
|
//error_log(__METHOD__.__LINE__."(".$content['mailbox'].", ".$identifier.", ".$recursive.")");
|
|
if(($res = $this->deleteACL($content['mailbox'], $identifier,$recursive)))
|
|
{
|
|
unset($content['grid'][$row_num]);
|
|
unset($content['grid']['delete']);
|
|
if ($recursive)
|
|
{
|
|
$msg = lang("The %1 's acl, including its subfolders, removed from the %2",$content['mailbox'],$identifier);
|
|
}
|
|
else
|
|
{
|
|
$msg = lang("The %1 's acl removed from the %2",$content['mailbox'],$identifier);
|
|
}
|
|
|
|
return array_combine(range(1, count($content['grid'])), array_values($content['grid']));
|
|
}
|
|
else
|
|
{
|
|
$msg = lang("An error happend while trying to remove ACL rights from the account %1!",$identifier);
|
|
return false;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Delete ACL rights of a folder or including subfolders from an account
|
|
*
|
|
* @param String $mailbox folder name that needs to be edited
|
|
* @param String $identifier The identifier to delete.
|
|
* @param Boolean $recursive boolean flag FALSE|TRUE. If it is FALSE, only the folder take in to account, but in case of TRUE
|
|
* the mailbox including all its subfolders will be considered.
|
|
*
|
|
* @return Boolean FALSE in case of any exceptions and TRUE in case of success
|
|
*/
|
|
function deleteACL ($mailbox, $identifier, $recursive)
|
|
{
|
|
if ($recursive)
|
|
{
|
|
$folders = self::getSubfolders($mailbox, $this->imap);
|
|
}
|
|
else
|
|
{
|
|
$folders = (array)$mailbox;
|
|
}
|
|
foreach($folders as $sbFolders)
|
|
{
|
|
try
|
|
{
|
|
$this->imap->deleteACL($sbFolders, $identifier);
|
|
}
|
|
catch (Exception $e)
|
|
{
|
|
error_log(__METHOD__. "Could not delete ACL rights of folder " . $mailbox . " for account ". $identifier ."." .$e->getMessage());
|
|
return false;
|
|
}
|
|
}
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* Get subfolders of a mailbox
|
|
*
|
|
* @param string $mailbox structural folder name
|
|
* @param Mail\Imap $imap
|
|
* @return Array an array including all subfolders of given mailbox| returns an empty array in case of no subfolders
|
|
*/
|
|
protected static function getSubfolders($mailbox, Mail\Imap $imap)
|
|
{
|
|
$delimiter = $imap->getDelimiter();
|
|
$nameSpace = $imap->getNameSpace();
|
|
$prefix = $imap->getFolderPrefixFromNamespace($nameSpace, $mailbox);
|
|
if (($subFolders = $imap->getMailBoxesRecursive($mailbox, $delimiter, $prefix)))
|
|
{
|
|
return $subFolders;
|
|
}
|
|
else
|
|
{
|
|
return array();
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Set ACL rights of a folder or including subfolders to an account
|
|
* @param String $mailbox folder name that needs to be edited
|
|
* @param String $identifier The identifier to set.
|
|
* @param Array $options Additional options:
|
|
* - rights: (string) The rights to alter or set.
|
|
* - action: (string, optional) If 'add' or 'remove', adds or removes the
|
|
* specified rights. Sets the rights otherwise.
|
|
* @param Boolean $recursive boolean flag FALSE|TRUE. If it is FALSE, only the folder take in to account, but in case of TRUE
|
|
* the mailbox including all its subfolders will be considered.
|
|
* @param String $msg message
|
|
* @return Boolean FALSE in case of any exceptions and TRUE in case of success,
|
|
*
|
|
*/
|
|
function setACL($mailbox, $identifier,$options, $recursive, &$msg)
|
|
{
|
|
if ($recursive)
|
|
{
|
|
$folders = self::getSubfolders($mailbox, $this->imap);
|
|
}
|
|
else
|
|
{
|
|
$folders = (array)$mailbox;
|
|
}
|
|
foreach($folders as $sbFolders)
|
|
{
|
|
try
|
|
{
|
|
$this->imap->setACL($sbFolders,$identifier,$options);
|
|
}
|
|
catch (Exception $e)
|
|
{
|
|
$msg = $e->getMessage();
|
|
error_log(__METHOD__. "Could not set ACL rights on folder " . $mailbox . " for account ". $identifier . "." .$e->getMessage());
|
|
return false;
|
|
}
|
|
}
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* Get ACL rights of a folder from an account
|
|
*
|
|
* @param String $mailbox folder name that needs to be read
|
|
* @return Boolean FALSE in case of any exceptions and if TRUE in case of success,
|
|
*/
|
|
function getACL ($mailbox)
|
|
{
|
|
try
|
|
{
|
|
$acl = $this->imap->getACL($mailbox);
|
|
return $acl;
|
|
} catch (Exception $e) {
|
|
error_log(__METHOD__. "Could not get ACL rights from folder " . $mailbox . "." .$e->getMessage());
|
|
return false;
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Method to get acc_id id value whether if is a flat value or an array
|
|
*
|
|
* @param type $acc_id acc_id value comming from client-side
|
|
*
|
|
* @return string returns acc_id in flat format
|
|
*/
|
|
private static function _extract_acc_id ($acc_id)
|
|
{
|
|
return is_array($acc_id)?$acc_id[0]:$acc_id;
|
|
}
|
|
}
|