|
1
|
<?php
|
|
2
|
|
|
3
|
/**
|
|
4
|
* @file
|
|
5
|
* Contains administrative screens for the access control plugins.
|
|
6
|
*
|
|
7
|
* Access control can be implemented by creating a list of 0 or more access
|
|
8
|
* plugins, each with settings. This list can be ANDed together or ORed
|
|
9
|
* together. When testing access, each plugin is tested until success
|
|
10
|
* or failure can be determined. We use short circuiting techniques to
|
|
11
|
* ensure we are as efficient as possible.
|
|
12
|
*
|
|
13
|
* Access plugins are part of the context system, and as such can require
|
|
14
|
* contexts to work. That allows the use of access based upon visibility
|
|
15
|
* of an object, or even more esoteric things such as node type, node language
|
|
16
|
* etc. Since a lot of access depends on the logged in user, the logged in
|
|
17
|
* user should always be provided as a context.
|
|
18
|
*
|
|
19
|
* In the UI, the user is presented with a table and a 'add access method' select.
|
|
20
|
* When added, the user will be presented with the config wizard and, when
|
|
21
|
* confirmed, table will be refreshed via AJAX to show the new access method.
|
|
22
|
* Each item in the table will have controls to change the settings or remove
|
|
23
|
* the item. Changing the settings will invoke the modal for update.
|
|
24
|
*
|
|
25
|
* Currently the modal is not degradable, but it could be with only a small
|
|
26
|
* amount of work.
|
|
27
|
*
|
|
28
|
* A simple radio
|
|
29
|
* control is used to let the user pick the and/or logic.
|
|
30
|
*
|
|
31
|
* Access control is stored in an array:
|
|
32
|
* @code
|
|
33
|
* array(
|
|
34
|
* 'plugins' => array(
|
|
35
|
* 0 => array(
|
|
36
|
* 'name' => 'name of access plugin',
|
|
37
|
* 'settings' => array(), // These will be set by the form
|
|
38
|
* ),
|
|
39
|
* // ... as many as needed
|
|
40
|
* ),
|
|
41
|
* 'logic' => 'AND', // or 'OR',
|
|
42
|
* ),
|
|
43
|
* @endcode
|
|
44
|
*
|
|
45
|
* To add this widget to your UI, you need to do a little bit of setup.
|
|
46
|
*
|
|
47
|
* The form will utilize two callbacks, one to get the cached version
|
|
48
|
* of the access settings, and one to store the cached version of the
|
|
49
|
* access settings. These will be used from AJAX forms, so they will
|
|
50
|
* be completely out of the context of this page load and will not have
|
|
51
|
* knowledge of anything sent to this form (the 'module' and 'argument'
|
|
52
|
* will be preserved through the URL only).
|
|
53
|
*
|
|
54
|
* The 'module' is used to determine the location of the callback. It
|
|
55
|
* does not strictly need to be a module, so that if your module defines
|
|
56
|
* multiple systems that use this callback, it can use anything within the
|
|
57
|
* module's namespace it likes.
|
|
58
|
*
|
|
59
|
* When retrieving the cache, the cache may not have already been set up;
|
|
60
|
* In order to efficiently use cache space, we want to cache the stored
|
|
61
|
* settings *only* when they have changed. Therefore, the get access cache
|
|
62
|
* callback should first look for cache, and if it finds nothing, return
|
|
63
|
* the original settings.
|
|
64
|
*
|
|
65
|
* The callbacks:
|
|
66
|
* - $module . _ctools_access_get($argument) -- get the 'access' settings
|
|
67
|
* from cache. Must return array($access, $contexts); This callback can
|
|
68
|
* perform access checking to make sure this URL is not being gamed.
|
|
69
|
* - $module . _ctools_access_set($argument, $access) -- set the 'access'
|
|
70
|
* settings in cache.
|
|
71
|
* - $module . _ctools_access_clear($argument) -- clear the cache.
|
|
72
|
*
|
|
73
|
* The ctools_object_cache is recommended for this purpose, but you can use
|
|
74
|
* any caching mechanism you like. An example:
|
|
75
|
*
|
|
76
|
* @code{
|
|
77
|
* ctools_include('object-cache');
|
|
78
|
* ctools_object_cache_set("$module:argument", $access);
|
|
79
|
* }
|
|
80
|
*
|
|
81
|
* To utilize this form:
|
|
82
|
* @code
|
|
83
|
* ctools_include('context-access-admin');
|
|
84
|
* $form_state = array(
|
|
85
|
* 'access' => $access,
|
|
86
|
* 'module' => 'module name',
|
|
87
|
* 'callback argument' => 'some string',
|
|
88
|
* 'contexts' => $contexts, // an array of contexts. Optional if no contexts.
|
|
89
|
* // 'logged-in-user' will be added if not present as the access system
|
|
90
|
* // requires this context.
|
|
91
|
* ),
|
|
92
|
* $output = drupal_build_form('ctools_access_admin_form', $form_state);
|
|
93
|
* if (!empty($form_state['executed'])) {
|
|
94
|
* // save $form_state['access'] however you like.
|
|
95
|
* }
|
|
96
|
* @endcode
|
|
97
|
*
|
|
98
|
* Additionally, you may add 'no buttons' => TRUE if you wish to embed this
|
|
99
|
* form into your own, and instead call
|
|
100
|
*
|
|
101
|
* @code{
|
|
102
|
* $form = ctools_access_admin_form($form, $form_state);
|
|
103
|
* }
|
|
104
|
*
|
|
105
|
* You'll be responsible for adding a submit button.
|
|
106
|
*
|
|
107
|
* You may use ctools_access($access, $contexts) which will return
|
|
108
|
* TRUE if access is passed or FALSE if access is not passed.
|
|
109
|
*/
|
|
110
|
|
|
111
|
/**
|
|
112
|
* Administrative form for access control.
|
|
113
|
*/
|
|
114
|
function ctools_access_admin_form($form, &$form_state) {
|
|
115
|
ctools_include('context');
|
|
116
|
$argument = isset($form_state['callback argument']) ? $form_state['callback argument'] : '';
|
|
117
|
$fragment = $form_state['module'];
|
|
118
|
if ($argument) {
|
|
119
|
$fragment .= '-' . $argument;
|
|
120
|
}
|
|
121
|
|
|
122
|
$contexts = isset($form_state['contexts']) ? $form_state['contexts'] : array();
|
|
123
|
|
|
124
|
$form['access_table'] = array(
|
|
125
|
'#markup' => ctools_access_admin_render_table($form_state['access'], $fragment, $contexts),
|
|
126
|
);
|
|
127
|
|
|
128
|
$form['add-button'] = array(
|
|
129
|
'#theme' => 'ctools_access_admin_add',
|
|
130
|
);
|
|
131
|
// This sets up the URL for the add access modal.
|
|
132
|
$form['add-button']['add-url'] = array(
|
|
133
|
'#attributes' => array('class' => array("ctools-access-add-url")),
|
|
134
|
'#type' => 'hidden',
|
|
135
|
'#value' => url("ctools/context/ajax/access/add/$fragment", array('absolute' => TRUE)),
|
|
136
|
);
|
|
137
|
|
|
138
|
$plugins = ctools_get_relevant_access_plugins($contexts);
|
|
139
|
$options = array();
|
|
140
|
foreach ($plugins as $id => $plugin) {
|
|
141
|
$options[$id] = $plugin['title'];
|
|
142
|
}
|
|
143
|
|
|
144
|
asort($options);
|
|
145
|
|
|
146
|
$form['add-button']['type'] = array(
|
|
147
|
// This ensures that the form item is added to the URL.
|
|
148
|
'#attributes' => array('class' => array("ctools-access-add-url")),
|
|
149
|
'#type' => 'select',
|
|
150
|
'#options' => $options,
|
|
151
|
'#required' => FALSE,
|
|
152
|
);
|
|
153
|
|
|
154
|
$form['add-button']['add'] = array(
|
|
155
|
'#type' => 'submit',
|
|
156
|
'#attributes' => array('class' => array('ctools-use-modal')),
|
|
157
|
'#id' => "ctools-access-add",
|
|
158
|
'#value' => t('Add'),
|
|
159
|
);
|
|
160
|
|
|
161
|
$form['logic'] = array(
|
|
162
|
'#type' => 'radios',
|
|
163
|
'#options' => array(
|
|
164
|
'and' => t('All criteria must pass.'),
|
|
165
|
'or' => t('Only one criteria must pass.'),
|
|
166
|
),
|
|
167
|
'#default_value' => isset($form_state['access']['logic']) ? $form_state['access']['logic'] : 'and',
|
|
168
|
);
|
|
169
|
|
|
170
|
if (empty($form_state['no buttons'])) {
|
|
171
|
$form['buttons']['save'] = array(
|
|
172
|
'#type' => 'submit',
|
|
173
|
'#value' => t('Save'),
|
|
174
|
'#submit' => array('ctools_access_admin_form_submit'),
|
|
175
|
);
|
|
176
|
}
|
|
177
|
|
|
178
|
return $form;
|
|
179
|
}
|
|
180
|
|
|
181
|
/**
|
|
182
|
* Render the table. This is used both to render it initially and to rerender
|
|
183
|
* it upon ajax response.
|
|
184
|
*/
|
|
185
|
function ctools_access_admin_render_table($access, $fragment, $contexts) {
|
|
186
|
ctools_include('ajax');
|
|
187
|
ctools_include('modal');
|
|
188
|
$rows = array();
|
|
189
|
|
|
190
|
if (empty($access['plugins'])) {
|
|
191
|
$access['plugins'] = array();
|
|
192
|
}
|
|
193
|
|
|
194
|
foreach ($access['plugins'] as $id => $test) {
|
|
195
|
$row = array();
|
|
196
|
$plugin = ctools_get_access_plugin($test['name']);
|
|
197
|
$title = isset($plugin['title']) ? $plugin['title'] : t('Broken/missing access plugin %plugin', array('%plugin' => $test['name']));
|
|
198
|
|
|
199
|
$row[] = array('data' => $title, 'class' => array('ctools-access-title'));
|
|
200
|
|
|
201
|
$description = ctools_access_summary($plugin, $contexts, $test);
|
|
202
|
$row[] = array('data' => $description, 'class' => array('ctools-access-description'));
|
|
203
|
|
|
204
|
$operations = ctools_modal_image_button(ctools_image_path('icon-configure.png'), "ctools/context/ajax/access/configure/$fragment/$id", t('Configure settings for this item.'));
|
|
205
|
$operations .= ctools_ajax_image_button(ctools_image_path('icon-delete.png'), "ctools/context/ajax/access/delete/$fragment/$id", t('Remove this item.'));
|
|
206
|
|
|
207
|
$row[] = array('data' => $operations, 'class' => array('ctools-access-operations'), 'align' => 'right');
|
|
208
|
|
|
209
|
$rows[] = $row;
|
|
210
|
}
|
|
211
|
|
|
212
|
$header = array(
|
|
213
|
array('data' => t('Title'), 'class' => array('ctools-access-title')),
|
|
214
|
array('data' => t('Description'), 'class' => array('ctools-access-description')),
|
|
215
|
array('data' => '', 'class' => array('ctools-access-operations'), 'align' => 'right'),
|
|
216
|
);
|
|
217
|
|
|
218
|
if (empty($rows)) {
|
|
219
|
$rows[] = array(array('data' => t('No criteria selected, this test will pass.'), 'colspan' => count($header)));
|
|
220
|
}
|
|
221
|
|
|
222
|
ctools_modal_add_js();
|
|
223
|
return theme('table', array('header' => $header, 'rows' => $rows, 'attributes' => array('id' => 'ctools-access-table')));
|
|
224
|
}
|
|
225
|
|
|
226
|
/**
|
|
227
|
* Theme the 'add' portion of the access form into a table.
|
|
228
|
*/
|
|
229
|
function theme_ctools_access_admin_add($vars) {
|
|
230
|
$rows = array(array(drupal_render_children($vars['form'])));
|
|
231
|
$output = '<div class="container-inline">';
|
|
232
|
$output .= theme('table', array('rows' => $rows));
|
|
233
|
$output .= '</div>';
|
|
234
|
return $output;
|
|
235
|
}
|
|
236
|
|
|
237
|
function ctools_access_admin_form_submit($form, &$form_state) {
|
|
238
|
$form_state['access']['logic'] = $form_state['values']['logic'];
|
|
239
|
|
|
240
|
$function = $form_state['module'] . '_ctools_access_clear';
|
|
241
|
if (function_exists($function)) {
|
|
242
|
$function($form_state['callback argument']);
|
|
243
|
}
|
|
244
|
}
|
|
245
|
|
|
246
|
// --------------------------------------------------------------------------
|
|
247
|
// AJAX menu entry points.
|
|
248
|
|
|
249
|
/**
|
|
250
|
* AJAX callback to add a new access test to the list.
|
|
251
|
*/
|
|
252
|
function ctools_access_ajax_add($fragment = NULL, $name = NULL) {
|
|
253
|
ctools_include('ajax');
|
|
254
|
ctools_include('modal');
|
|
255
|
ctools_include('context');
|
|
256
|
|
|
257
|
if (empty($fragment) || empty($name)) {
|
|
258
|
ctools_ajax_render_error();
|
|
259
|
}
|
|
260
|
|
|
261
|
$plugin = ctools_get_access_plugin($name);
|
|
262
|
if (empty($plugin)) {
|
|
263
|
ctools_ajax_render_error();
|
|
264
|
}
|
|
265
|
|
|
266
|
// Separate the fragment into 'module' and 'argument'
|
|
267
|
if (strpos($fragment, '-') === FALSE) {
|
|
268
|
$module = $fragment;
|
|
269
|
$argument = NULL;
|
|
270
|
}
|
|
271
|
else {
|
|
272
|
list($module, $argument) = explode('-', $fragment, 2);
|
|
273
|
}
|
|
274
|
|
|
275
|
$function = $module . '_ctools_access_get';
|
|
276
|
if (!function_exists($function)) {
|
|
277
|
ctools_ajax_render_error(t('Missing callback hooks.'));
|
|
278
|
}
|
|
279
|
|
|
280
|
list($access, $contexts) = $function($argument);
|
|
281
|
|
|
282
|
// Make sure we have the logged in user context
|
|
283
|
if (!isset($contexts['logged-in-user'])) {
|
|
284
|
$contexts['logged-in-user'] = ctools_access_get_loggedin_context();
|
|
285
|
}
|
|
286
|
|
|
287
|
if (empty($access['plugins'])) {
|
|
288
|
$access['plugins'] = array();
|
|
289
|
}
|
|
290
|
|
|
291
|
$test = ctools_access_new_test($plugin);
|
|
292
|
|
|
293
|
$id = $access['plugins'] ? max(array_keys($access['plugins'])) + 1 : 0;
|
|
294
|
$access['plugins'][$id] = $test;
|
|
295
|
|
|
296
|
$form_state = array(
|
|
297
|
'plugin' => $plugin,
|
|
298
|
'id' => $id,
|
|
299
|
'test' => &$access['plugins'][$id],
|
|
300
|
'access' => &$access,
|
|
301
|
'contexts' => $contexts,
|
|
302
|
'title' => t('Add criteria'),
|
|
303
|
'ajax' => TRUE,
|
|
304
|
'modal' => TRUE,
|
|
305
|
'modal return' => TRUE,
|
|
306
|
);
|
|
307
|
|
|
308
|
$output = ctools_modal_form_wrapper('ctools_access_ajax_edit_item', $form_state);
|
|
309
|
if (!isset($output[0])) {
|
|
310
|
$function = $module . '_ctools_access_set';
|
|
311
|
if (function_exists($function)) {
|
|
312
|
$function($argument, $access);
|
|
313
|
}
|
|
314
|
|
|
315
|
$table = ctools_access_admin_render_table($access, $fragment, $contexts);
|
|
316
|
$output = array();
|
|
317
|
$output[] = ajax_command_replace('table#ctools-access-table', $table);
|
|
318
|
$output[] = ctools_modal_command_dismiss();
|
|
319
|
}
|
|
320
|
|
|
321
|
print ajax_render($output);
|
|
322
|
}
|
|
323
|
|
|
324
|
/**
|
|
325
|
* AJAX callback to edit an access test in the list.
|
|
326
|
*/
|
|
327
|
function ctools_access_ajax_edit($fragment = NULL, $id = NULL) {
|
|
328
|
ctools_include('ajax');
|
|
329
|
ctools_include('modal');
|
|
330
|
ctools_include('context');
|
|
331
|
|
|
332
|
if (empty($fragment) || !isset($id)) {
|
|
333
|
ctools_ajax_render_error();
|
|
334
|
}
|
|
335
|
|
|
336
|
// Separate the fragment into 'module' and 'argument'
|
|
337
|
if (strpos($fragment, '-') === FALSE) {
|
|
338
|
$module = $fragment;
|
|
339
|
$argument = NULL;
|
|
340
|
}
|
|
341
|
else {
|
|
342
|
list($module, $argument) = explode('-', $fragment, 2);
|
|
343
|
}
|
|
344
|
|
|
345
|
$function = $module . '_ctools_access_get';
|
|
346
|
if (!function_exists($function)) {
|
|
347
|
ctools_ajax_render_error(t('Missing callback hooks.'));
|
|
348
|
}
|
|
349
|
|
|
350
|
list($access, $contexts) = $function($argument);
|
|
351
|
|
|
352
|
if (empty($access['plugins'][$id])) {
|
|
353
|
ctools_ajax_render_error();
|
|
354
|
}
|
|
355
|
|
|
356
|
// Make sure we have the logged in user context
|
|
357
|
if (!isset($contexts['logged-in-user'])) {
|
|
358
|
$contexts['logged-in-user'] = ctools_access_get_loggedin_context();
|
|
359
|
}
|
|
360
|
|
|
361
|
$plugin = ctools_get_access_plugin($access['plugins'][$id]['name']);
|
|
362
|
$form_state = array(
|
|
363
|
'plugin' => $plugin,
|
|
364
|
'id' => $id,
|
|
365
|
'test' => &$access['plugins'][$id],
|
|
366
|
'access' => &$access,
|
|
367
|
'contexts' => $contexts,
|
|
368
|
'title' => t('Edit criteria'),
|
|
369
|
'ajax' => TRUE,
|
|
370
|
'modal' => TRUE,
|
|
371
|
'modal return' => TRUE,
|
|
372
|
);
|
|
373
|
|
|
374
|
$output = ctools_modal_form_wrapper('ctools_access_ajax_edit_item', $form_state);
|
|
375
|
if (!isset($output[0])) {
|
|
376
|
$function = $module . '_ctools_access_set';
|
|
377
|
if (function_exists($function)) {
|
|
378
|
$function($argument, $access);
|
|
379
|
}
|
|
380
|
|
|
381
|
$table = ctools_access_admin_render_table($access, $fragment, $contexts);
|
|
382
|
$output = array();
|
|
383
|
$output[] = ajax_command_replace('table#ctools-access-table', $table);
|
|
384
|
$output[] = ctools_modal_command_dismiss();
|
|
385
|
}
|
|
386
|
|
|
387
|
print ajax_render($output);
|
|
388
|
}
|
|
389
|
|
|
390
|
/**
|
|
391
|
* Form to edit the settings of an access test.
|
|
392
|
*/
|
|
393
|
function ctools_access_ajax_edit_item($form, &$form_state) {
|
|
394
|
$test = &$form_state['test'];
|
|
395
|
$plugin = &$form_state['plugin'];
|
|
396
|
if (isset($plugin['required context'])) {
|
|
397
|
$form['context'] = ctools_context_selector($form_state['contexts'], $plugin['required context'], $test['context']);
|
|
398
|
}
|
|
399
|
$form['settings'] = array('#tree' => TRUE);
|
|
400
|
if ($function = ctools_plugin_get_function($plugin, 'settings form')) {
|
|
401
|
$form = $function($form, $form_state, $test['settings']);
|
|
402
|
}
|
|
403
|
|
|
404
|
$form['not'] = array(
|
|
405
|
'#type' => 'checkbox',
|
|
406
|
'#title' => t('Reverse (NOT)'),
|
|
407
|
'#default_value' => !empty($test['not']),
|
|
408
|
);
|
|
409
|
|
|
410
|
$form['save'] = array(
|
|
411
|
'#type' => 'submit',
|
|
412
|
'#value' => t('Save'),
|
|
413
|
);
|
|
414
|
|
|
415
|
return $form;
|
|
416
|
}
|
|
417
|
|
|
418
|
/**
|
|
419
|
* Validate handler for argument settings.
|
|
420
|
*/
|
|
421
|
function ctools_access_ajax_edit_item_validate($form, &$form_state) {
|
|
422
|
if ($function = ctools_plugin_get_function($form_state['plugin'], 'settings form validate')) {
|
|
423
|
$function($form, $form_state);
|
|
424
|
}
|
|
425
|
}
|
|
426
|
|
|
427
|
/**
|
|
428
|
* Submit handler for argument settings.
|
|
429
|
*/
|
|
430
|
function ctools_access_ajax_edit_item_submit($form, &$form_state) {
|
|
431
|
if ($function = ctools_plugin_get_function($form_state['plugin'], 'settings form submit')) {
|
|
432
|
$function($form, $form_state);
|
|
433
|
}
|
|
434
|
|
|
435
|
$form_state['test']['settings'] = $form_state['values']['settings'];
|
|
436
|
if (isset($form_state['values']['context'])) {
|
|
437
|
$form_state['test']['context'] = $form_state['values']['context'];
|
|
438
|
}
|
|
439
|
$form_state['test']['not'] = !empty($form_state['values']['not']);
|
|
440
|
}
|
|
441
|
|
|
442
|
/**
|
|
443
|
* AJAX command to remove an access control item.
|
|
444
|
*/
|
|
445
|
function ctools_access_ajax_delete($fragment = NULL, $id = NULL) {
|
|
446
|
ctools_include('ajax');
|
|
447
|
ctools_include('modal');
|
|
448
|
ctools_include('context');
|
|
449
|
|
|
450
|
if (empty($fragment) || !isset($id)) {
|
|
451
|
ajax_render_error();
|
|
452
|
}
|
|
453
|
|
|
454
|
// Separate the fragment into 'module' and 'argument'
|
|
455
|
if (strpos($fragment, '-') === FALSE) {
|
|
456
|
$module = $fragment;
|
|
457
|
$argument = NULL;
|
|
458
|
}
|
|
459
|
else {
|
|
460
|
list($module, $argument) = explode('-', $fragment, 2);
|
|
461
|
}
|
|
462
|
|
|
463
|
$function = $module . '_ctools_access_get';
|
|
464
|
if (!function_exists($function)) {
|
|
465
|
ajax_render_error(t('Missing callback hooks.'));
|
|
466
|
}
|
|
467
|
|
|
468
|
list($access, $contexts) = $function($argument);
|
|
469
|
|
|
470
|
if (isset($access['plugins'][$id])) {
|
|
471
|
unset($access['plugins'][$id]);
|
|
472
|
}
|
|
473
|
|
|
474
|
// re-cache
|
|
475
|
$function = $module . '_ctools_access_set';
|
|
476
|
if (function_exists($function)) {
|
|
477
|
$function($argument, $access);
|
|
478
|
}
|
|
479
|
|
|
480
|
$table = ctools_access_admin_render_table($access, $fragment, $contexts);
|
|
481
|
$output = array();
|
|
482
|
$output[] = ajax_command_replace('table#ctools-access-table', $table);
|
|
483
|
|
|
484
|
print ajax_render($output);
|
|
485
|
}
|
