From 794597d534c44c9b3844be251aa8b0d5bb450359 Mon Sep 17 00:00:00 2001
From: Martin Haase <martin.haase@daasi.de>
Date: Fri, 26 Feb 2010 12:55:07 +0000
Subject: [PATCH] Resolved TG-652 (no more a priori public projectfiles)

git-svn-id: https://textgridlab.org/svn/textgrid/trunk/middleware/tgauth@5604 7c539038-3410-0410-b1ec-0f2a7bf1c452
---
 .../rbac/RBACcore.class.php                   |  3 +-
 .../rbac/RBAClimitedHirarchical.class.php     | 12 ++++--
 .../rbacSoap/TgExtra.class.php                | 27 ++++---------
 .../rbacSoap/TgReview.class.php               |  1 -
 .../rbacSoap/examples/getUserRole.php         |  8 +---
 .../rbacSoap/tgextra.php                      |  4 +-
 .../tgExtensions/PublicResource.class.php     | 39 ++++++++++++-------
 7 files changed, 44 insertions(+), 50 deletions(-)

diff --git a/info.textgrid.middleware.tgauth.rbac/rbac/RBACcore.class.php b/info.textgrid.middleware.tgauth.rbac/rbac/RBACcore.class.php
index 1b2e1e6..af844a8 100755
--- a/info.textgrid.middleware.tgauth.rbac/rbac/RBACcore.class.php
+++ b/info.textgrid.middleware.tgauth.rbac/rbac/RBACcore.class.php
@@ -814,6 +814,7 @@ class RBACcore implements iRBACcore {
 
       // Get the role-entry
       $arrRoleEntry = $this->conn['role']->getEntry( $inRole );
+
       $this->arrEntryStorage['assignedusersrole'][$inRole] = $arrRoleEntry;
 
     }
@@ -1698,12 +1699,10 @@ class RBACcore implements iRBACcore {
     $filter  = "(&" . $this->conf->getValue( "user", "filter" );
     $filter .= "(" . $this->conf->getValue( "user", "namingattribute" ) . "=" . $inUsername . "))";
 
-
     // Ask the directory
     $arrUserEntry = $this->conn['user']->search( $this->conf->getValue( "user", "base" ), $filter,
                                                  "sub", Array( $namingAttribute ) );
 
-
     // The user has to exist
     if( sizeof( $arrUserEntry ) == 1 ) {
 
diff --git a/info.textgrid.middleware.tgauth.rbac/rbac/RBAClimitedHirarchical.class.php b/info.textgrid.middleware.tgauth.rbac/rbac/RBAClimitedHirarchical.class.php
index 570f6d5..6213b59 100755
--- a/info.textgrid.middleware.tgauth.rbac/rbac/RBAClimitedHirarchical.class.php
+++ b/info.textgrid.middleware.tgauth.rbac/rbac/RBAClimitedHirarchical.class.php
@@ -517,7 +517,7 @@ class RBAClimitedHirarchical extends RBACcore implements iRBAClimitedHirarchical
 
 
 
-  // ## authorizedRoles ###############################################
+  // ## authorizedUsers ###############################################
   public function authorizedUsers( $inRole, $inUseStoredRole = false ) {
 
     $arrRole;           // The roles ldap-entry
@@ -539,6 +539,7 @@ class RBAClimitedHirarchical extends RBACcore implements iRBAClimitedHirarchical
 
       // Get the role-entry
       $arrRole = $this->conn['role']->getEntry( $inRole );
+
       $this->arrEntryStorage['assignedusersrole'][$inRole] = $arrRole;
 
     }
@@ -557,17 +558,20 @@ class RBAClimitedHirarchical extends RBACcore implements iRBAClimitedHirarchical
                                                               $this->conf->getValue( "role", "assignedattribute" ) ) );
 
 
-      for( $i = 0; $i < sizeof( $arrRoleAscendant ); $i++ ) {
+//    $file = fopen ("/tmp/xxxAU.log", "w+");
+//    fwrite ($file, serialize ($arrRoleAscendant) ."\n");
+//    fclose ($file);
 
-        for( $j = 0; $j < sizeof( $arrRoleAscendant[$i][$this->conf->getValue( "role", "assignedattribute" )] ); $j++ ) {
 
+      for( $i = 0; $i < sizeof( $arrRoleAscendant ); $i++ ) {
+        for( $j = 0; $j < sizeof( $arrRoleAscendant[$i][$this->conf->getValue( "role", "assignedattribute" )] ); $j++ ) {
+           
           $arrUser[] = $arrRoleAscendant[$i][$this->conf->getValue( "role", "assignedattribute" )][$j];
 
         }
 
       }
 
-
       return $this->removeDuplicates( $arrUser );
 
     }
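Review bot: The commented-out logging added above the loop writes `serialize ($arrRoleAscendant)` to the fixed path `/tmp/xxxAU.log`; if anyone re-enables it, `fopen(..., "w+")` on a predictable name in a world-writable directory follows a pre-planted symlink and dumps role-membership data readable by every local user. Delete the three lines rather than keep them as a comment, and if tracing is needed route it through whatever logging facility the service uses with a non-public path. Separately, the inner `for` calls `sizeof()` on `$arrRoleAscendant[$i][...assignedattribute...]` without checking the attribute exists, so a role with no assigned users raises a notice on every call; read it through a guarded local such as `$assigned = isset( $arrRoleAscendant[$i][$attr] ) ? $arrRoleAscendant[$i][$attr] : Array();` and loop over that. authorizedUsers() begins outside this hunk.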
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/TgExtra.class.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/TgExtra.class.php
index ec96180..c765df4 100755
--- a/info.textgrid.middleware.tgauth.rbac/rbacSoap/TgExtra.class.php
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/TgExtra.class.php
@@ -321,7 +321,7 @@ class TgExtra {
     }
 
 
-    $filter .= "(TgIsPublic=TRUE)))";
+    $filter .= "(TgIsPublic=TRUE)(TgIsProjectFile=TRUE)))";
 
 
     // If we do not free some memory we might
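Review bot: Whether `(TgIsProjectFile=TRUE)` widens or narrows the search depends on the operator opening this group, which lies above the hunk: under `(|` it lists public resources plus project files, under `(&` it would now return only resources that are both, i.e. nothing once project files stop carrying tgIsPublic. The commit subject implies the former; please confirm the enclosing operator and document the intent above the line, e.g. `// match resources that are public OR project files (project files are no longer flagged tgIsPublic)`. Note also that entries created before this change carry only `tgIsPublic=TRUE` and no tgIsProjectFile, so they keep matching through the old term until that flag is cleaned up.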
@@ -749,6 +749,10 @@ class TgExtra {
                                                . $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "="
                                                . $this->config->getValue( "project", "base" )
                                                . "," . $this->rbac->getConfiguration()->getValue( "role", "base" ) );
+//    $file = fopen ("/tmp/xxxUR.log", "w+");
+//    fwrite ($file, serialize ($arrMember) ."\n");
+//    fclose ($file);
+
 
     $strFilter .= "(objectClass=rbacRole)";
 	
@@ -758,13 +762,11 @@ class TgExtra {
                      $this->rbac->getConfiguration()->getValue( "role", "base" ), 
                  $strFilter, "one" );
 
-//    $file = fopen ("/tmp/xxx.log", "w+");
 
     // want to be case-independent
     $arrMember = array_map ( "strtolower", $arrMember);	
     $arrMember = $this->rbac->removeDuplicates($arrMember);
 
-
     // The user has to be in the project to be
     // allowed to see other's roles
     if( in_array( strtolower( $this->rbac->sessionUser( $inRequest->auth ) ), $arrMember ) ) {
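Review bot: The membership check on the last line uses a loose `in_array()`, and if `$this->rbac->sessionUser()` returns `false` for an unknown session that becomes `""` after `strtolower()`, so an empty member value in `$arrMember` would let an unauthenticated caller through. Resolve the user once and compare strictly: `$username = strtolower( $this->rbac->sessionUser( $inRequest->auth ) );` followed by `if( $username !== "" && in_array( $username, $arrMember, true ) ) {`. Whether sessionUser() can return false is not visible in this hunk; the function enclosing this check starts outside it.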
@@ -773,7 +775,7 @@ class TgExtra {
 	for( $i = 0; $i < sizeof ( $arrMember ) ; $i++ ) {
 	  $roles = array();
 	  for( $j = 0; $j < sizeof ( $arrRole ); $j++) {
-	    if (in_array($arrMember[$i], $arrRole[$j]["rbacperformer"])) {
+	    if (in_array($arrMember[$i], array_map ("strtolower", $arrRole[$j]["rbacperformer"]))) {
 		array_push($roles,  $arrRole[$j]["rbacname"][0]);
             }
           }
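Review bot: `$arrRole[$j]["rbacperformer"]` is handed to `array_map()` without checking the attribute exists, so a role with no performers produces a warning (a TypeError on PHP 8) for every member iterated, and the lowercased list is rebuilt for each member×role pair. Compute it once per role with a guard, e.g. `$performers = isset( $arrRole[$j]["rbacperformer"] ) ? array_map( "strtolower", $arrRole[$j]["rbacperformer"] ) : Array();` and then `if( in_array( $arrMember[$i], $performers, true ) ) {`. The loops begin and end outside this hunk.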
@@ -784,8 +786,6 @@ class TgExtra {
 
     }
 
-//    fwrite ($file, serialize ($result) ."\n");	
-//    fclose ($file);
     return $result;
 
   }
@@ -1503,7 +1503,6 @@ class TgExtra {
     $result->username = $this->rbac->assignedUsers( "Projektleiter," . $inRequest->project . ","
                                                     . $this->config->getValue( "project", "base" ) );
 
-
     return $result;
 
   }
@@ -1625,7 +1624,6 @@ class TgExtra {
         $projectDn  = $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "=TGPR";
         $projectDn .= ($maxNumber + 1) . "," . $this->rbac->getConfiguration()->getValue( "project", "base" );
 
-
         // The user of the session-ID will be the Leader
         // of this new project.
         $this->rbac->assignUser( $username,
@@ -1822,9 +1820,6 @@ class TgExtra {
 
     $arrRole = $this->rbac->getConnection( "role" )->search( $this->rbac->getConfiguration()->getValue( "role", "base" ), $strFilter, "sub" );
 
-//    $file = fopen ("/tmp/xxx.log", "w+");
-//    fwrite ($file, serialize ($arrRole) ."\n");	
-
     for( $i = 0; $i < sizeof( $arrRole ); $i++ ) {
 
       if( preg_match( "/Projektleiter/", $arrRole[$i]["dn"] ) ) {
@@ -1836,8 +1831,6 @@ class TgExtra {
 			",rbacName=Projekt-Teilnehmer," . 
 			$this->rbac->getConfiguration()->getValue( "role", "base" ) );
 
-//        fwrite ($file, serialize( $arrProject ) . "\n");
-
         $result->project[] = new ProjectInfo( $arrProject[$this->rbac->getConfiguration()->getValue( "role", "namingattribute" )][0],
                                                 $arrProject['tgprojectname'][0], $arrProject['tgprojectdescription'][0],
                                                 $arrProject['tgprojectfile'] );
@@ -1846,7 +1839,6 @@ class TgExtra {
 
     }
 
-//    fclose($file);
     return $result;
 
   }
@@ -2167,11 +2159,6 @@ class TgExtra {
     $username = "";                   // The username corresponding to the session-ID
 
 
-    $file = fopen( "/tmp/debug.log", "a+" );
-    fwrite( $file, "Auth: " . $inRequest->auth . "\n\n" );
-    fclose( $file );
-
-
     $username = $this->rbac->sessionUser( $inRequest->auth );
 
 
@@ -2320,7 +2307,7 @@ class TgExtra {
     $arrModify = Array( "rbacpermission" =>
                         Array( $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "=Projektleiter," . $inProjectDn . ":-:write",
                                $this->rbac->getConfiguration()->getValue( "role", "namingattribute" ) . "=Projektleiter," . $inProjectDn . ":-:delete" ),
-                        "tgispublic" => "TRUE" );
+                        "tgisprojectfile" => "TRUE" );
 
 
     $connection->modify( $inDn, $arrModify );
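Review bot: Switching the flag written here to `tgisprojectfile` does nothing for project-file entries created by the old code that still carry `tgispublic=TRUE`; those remain readable by anyone through the PublicResource extension until the stale attribute is removed, which this commit does not do. Add a one-off directory cleanup, or clear the old flag in the same modify (e.g. `"tgispublic" => Array()` if `modify()` treats an empty value list as a delete — its semantics are not visible here), and record the invariant above the array: `// project files are located via tgIsProjectFile and must never carry tgIsPublic`. The enclosing function begins above the hunk.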
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/TgReview.class.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/TgReview.class.php
index 63ff097..e4391e8 100755
--- a/info.textgrid.middleware.tgauth.rbac/rbacSoap/TgReview.class.php
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/TgReview.class.php
@@ -508,7 +508,6 @@ class TgReview {
       $arrTmpDomain = preg_split( "/[@]/", $inRequest->username );
       $userDomain = $arrTmpDomain[1];
 
-
       // Test if the user has apropriate rights
       if(    $this->rbac->checkAccess( $inRequest->intSid, "review", "user_" . $userDomain )
           || $this->rbac->checkAccess( $inRequest->intSid, "review", "user_base" ) ) {
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getUserRole.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getUserRole.php
index 43071e5..6e423d4 100755
--- a/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getUserRole.php
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/examples/getUserRole.php
@@ -49,15 +49,9 @@ if( isset( $_POST['project'] ) ) {
 
       }
 
-    }
-    elseif( preg_match( "/.+/", $memResponse->userRole ) ) {
-
-      echo serialize ($memResponse->userRole);
-
     }
     else {
-
-      echo "No UserRoles found!<BR>";
+      echo serialize ($memResponse->userRole);
 
     }
 
diff --git a/info.textgrid.middleware.tgauth.rbac/rbacSoap/tgextra.php b/info.textgrid.middleware.tgauth.rbac/rbacSoap/tgextra.php
index 5ee86d2..21d5d35 100755
--- a/info.textgrid.middleware.tgauth.rbac/rbacSoap/tgextra.php
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/tgextra.php
@@ -1,4 +1,6 @@
-<?php
+<?php 
+/* Set internal character encoding to UTF-8 */
+//mb_internal_encoding("UTF-8");
 // #######################################################
 // Author: Markus Widmer
 // Creation date: 07.07.2007
diff --git a/info.textgrid.middleware.tgauth.rbac/tgExtensions/PublicResource.class.php b/info.textgrid.middleware.tgauth.rbac/tgExtensions/PublicResource.class.php
index cf89eba..fa4e306 100755
--- a/info.textgrid.middleware.tgauth.rbac/tgExtensions/PublicResource.class.php
+++ b/info.textgrid.middleware.tgauth.rbac/tgExtensions/PublicResource.class.php
@@ -46,26 +46,35 @@ class PublicResource extends RBACExtension {
     $filter = "";
 
 
-    // Filter to search for the resource
-    $filter  = "(&" . $this->conf->getValue( "resource", "filter" );
-    $filter .= "(|(" . $this->conf->getValue( "resource", "namingattribute" ) . "=" . $arrParameter[2] . ")";
-    $filter .= "  (" . $this->conf->getValue( "resource", "aliasattribute" ) . "=" . $arrParameter[2] . ")))";
+    if( preg_match( "/^read$/", $operation ) ) {
 
+      // Filter to search for the resource
+      $filter  = "(&" . $this->conf->getValue( "resource", "filter" );
+      $filter .= "(|(" . $this->conf->getValue( "resource", "namingattribute" ) . "=" . $arrParameter[2] . ")";
+      $filter .= "  (" . $this->conf->getValue( "resource", "aliasattribute" ) . "=" . $arrParameter[2] . ")))";
 
-    // Search for the resource
-    $arrResource = $this->conn['resource']->search( $this->conf->getValue( "resource", "base" ), $filter, "sub", Array( "tgispublic" ) );
 
+      // Search for the resource
+      $arrResource = $this->conn['resource']->search( $this->conf->getValue( "resource", "base" ), $filter, "sub", Array( "tgispublic" ) );
+
+
+      // Only if the flag "tgIsPublic" is true and the operation
+      // is "read", we grant access to the resource even if
+      // the read-operation would not be granted. Otherwise we
+      // keep the decision of the checkAccess-function.
+      if(    isset( $arrResource[0] )
+          && preg_match( "/^true$/i", $arrResource[0]['tgispublic'][0] ) ) {
+//          && preg_match( "/^read$/", $operation ) ) {
 
-    // Only if the flag "tgIsPublic" is true and the operation
-    // is "read", we grant access to the resource even if
-    // the read-operation would not be granted. Otherwise we
-    // keep the decision of the checkAccess-function.
-    if(    isset( $arrResource[0] )
-        && preg_match( "/^true$/i", $arrResource[0]['tgispublic'][0] )
-        && preg_match( "/^read$/", $operation ) ) {
+        $inContext->changeSecurityChain( true );
+        $inContext->setValue( "decision", true );
 
-      $inContext->changeSecurityChain( true );
-      $inContext->setValue( "decision", true );
+      }
+      else {
+
+        $inContext->changeSecurityChain( $inContext->getValue( "decision" ) );
+
+      }
 
     }
     else {
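Review bot: `$arrParameter[2]` is concatenated into the LDAP filter on the two `$filter .=` lines without escaping, so a resource id containing `*`, `(`, `)` or `\` rewrites the query; with `*` the search can hit an unrelated entry and, because the grant keys off `$arrResource[0]` instead of a unique match, that entry's tgIsPublic flag is applied to the decision for the requested id. What the caller does with the decision afterwards is not visible here, so I cannot say what an attacker gains, but the filter should escape RFC 4515 metacharacters (`ldap_escape()` is not available on the PHP of this era, hence the `str_replace`) and require exactly one hit, as the `sizeof(...) == 1` check in RBACcore already does for users. The function's trailing `else` continues past the hunk.
```php
    if( preg_match( "/^read$/", $operation ) ) {

      // Escape RFC 4515 filter metacharacters so a crafted resource id
      // cannot widen the search to other entries.
      $escapedId = str_replace( Array( "\\", "*", "(", ")", "\0" ),
                                Array( "\\5c", "\\2a", "\\28", "\\29", "\\00" ),
                                $arrParameter[2] );

      // Filter to search for the resource
      $filter  = "(&" . $this->conf->getValue( "resource", "filter" );
      $filter .= "(|(" . $this->conf->getValue( "resource", "namingattribute" ) . "=" . $escapedId . ")";
      $filter .= "  (" . $this->conf->getValue( "resource", "aliasattribute" ) . "=" . $escapedId . ")))";

      // … unchanged: search for the resource …

      // Require exactly one hit so an alias collision cannot select
      // another entry's tgIsPublic flag for this decision.
      if(    sizeof( $arrResource ) == 1
          && isset( $arrResource[0]['tgispublic'][0] )
          && preg_match( "/^true$/i", $arrResource[0]['tgispublic'][0] ) ) {

      // … unchanged: grant public read / keep checkAccess decision …
```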
-- 
GitLab