resolved TG-1120, TG-1118 and added the isPublic field to tgCrudCheckAccessResponse.

git-svn-id: https://textgridlab.org/svn/textgrid/trunk/middleware/tgauth@8940 7c539038-3410-0410-b1ec-0f2a7bf1c452

resolved TG-1120, TG-1118 and added the isPublic field to tgCrudCheckAccessResponse.
e98b2981 · Martin Haase · 90835b0e · e98b2981
Commit e98b2981 authored 14 years ago by Martin Haase
--- a/info.textgrid.middleware.tgauth.rbac/rbacSoap/TgExtra.class.php
+++ b/info.textgrid.middleware.tgauth.rbac/rbacSoap/TgExtra.class.php
@@ -216,6 +216,12 @@ class TgExtra {
  // -----------------------------------------------------
  public function tgCrudCheckAccess( $inRequest ) {

+    // Must check in the following order:
+    // 1. Check if the tgcrud secret is correctly set, if not > authenticationFault
+    // 2. Check if the resource is existing, if not > unknownResourceFault
+    // 3. Check the session ID, if not valid > set result to false and return
+    // 4. Set the other results and return true
+
    $result = new tgCrudCheckAccessResponse();
    $objProjectInfo = new stdClass();
    $objFaultDetail = new stdClass();
@@ -239,7 +245,11 @@ class TgExtra {

        // Add the PDP result
        $result->result = $this->rbac->checkAccess( $inRequest->auth, $inRequest->operation, $inRequest->resource );
-
+	if( !isset( $arrResource[0]['tgispublic'] ) ) {
+	  $result->public = false;
+	} else {
+	  preg_match( "/^true$/i", $arrResource[0]['tgispublic'][0] ) ? $result->public = true : $result->public = false;
+	}

        // See if the object is a project role...
        for( $loObjectclass = 0; $loObjectclass < sizeof( $arrResource[0]['objectclass'] ); $loObjectclass++ ) {
@@ -283,6 +293,7 @@ class TgExtra {
        // Finally add the username and allowed
        // operations for the current session.
        $result->username = $this->rbac->sessionUser( $inRequest->auth );
+	

        try {

@@ -1557,9 +1568,10 @@ class TgExtra {
       return result;
    }

-    $filter = "(&";
+    $filter = "(|(&";
    if (strlen ($inRequest->name) > 0) {
-      $filter .= "(cn=" . $inRequest->name . ")";
+      // search also in sn or givenName if they are fully specified
+      $filter .= "(|(displayname=" . $inRequest->name . ")(sn=" . $inRequest->name . ")(givenname=". $inRequest->name . "))";
    }
    if	(strlen	($inRequest->mail) > 0) {
      $filter .= "(mail=" . $inRequest->mail . ")";
@@ -1568,6 +1580,11 @@ class TgExtra {
      $filter .= "(o=" . $inRequest->organisation . ")";
    }
    $filter .= "(!(tgagreesearch=FALSE)))";
+    // overload the name field for ePPN search in case someone has tgagreesearch=FALSE but client specified a UID completely 
+    if ( ! preg_match( "/\*/", $inRequest->name) ) {
+      $filter .= "(uid=" . $inRequest->name . ")";
+    }
+    $filter .= ")";

    $arrUserEntry = $this->connection['user']->search( $this->config->getValue( "authentication", "base" ), $filter, "sub" );