Révision bc175c27
Ajouté par Assos Assos il y a plus de 5 ans
drupal7/sites/all/modules/ldap/ldap_authorization/ldap_authorization_og/LdapAuthorizationConsumerOG.class.php | ||
---|---|---|
2 | 2 |
|
3 | 3 |
/** |
4 | 4 |
* @file |
5 |
* class for ldap authorization of organic groups
|
|
5 |
* Class for ldap authorization of organic groups.
|
|
6 | 6 |
* |
7 | 7 |
* @see LdapAuthorizationConsumerAbstract for property |
8 |
* |
|
9 | 8 |
*/ |
10 | 9 |
|
11 | 10 |
if (function_exists('ldap_servers_module_load_include')) { |
... | ... | |
14 | 13 |
else { |
15 | 14 |
module_load_include('php', 'ldap_authorization', 'LdapAuthorizationConsumerAbstract.class'); |
16 | 15 |
} |
17 |
|
|
16 |
/** |
|
17 |
* |
|
18 |
*/ |
|
18 | 19 |
class LdapAuthorizationConsumerOG extends LdapAuthorizationConsumerAbstract { |
19 | 20 |
|
20 | 21 |
public $consumerType = 'og_group'; |
21 | 22 |
public $allowConsumerObjectCreation = FALSE; |
22 |
public $ogVersion = NULL; // 1, 2, etc. |
|
23 | 23 |
public $defaultMembershipRid; |
24 | 24 |
public $anonymousRid; |
25 | 25 |
public $defaultConsumerConfProperties = array( |
26 |
'onlyApplyToLdapAuthenticated' => TRUE,
|
|
27 |
'useMappingsAsFilter' => TRUE,
|
|
28 |
'synchOnLogon' => TRUE,
|
|
29 |
'revokeLdapProvisioned' => TRUE,
|
|
30 |
'regrantLdapProvisioned' => TRUE,
|
|
31 |
'createConsumers' => TRUE,
|
|
32 |
);
|
|
26 |
'onlyApplyToLdapAuthenticated' => TRUE, |
|
27 |
'useMappingsAsFilter' => TRUE, |
|
28 |
'synchOnLogon' => TRUE, |
|
29 |
'revokeLdapProvisioned' => TRUE, |
|
30 |
'regrantLdapProvisioned' => TRUE, |
|
31 |
'createConsumers' => TRUE, |
|
32 |
); |
|
33 | 33 |
|
34 |
function __construct($consumer_type) { |
|
34 |
/** |
|
35 |
* |
|
36 |
*/ |
|
37 |
public function __construct($consumer_type) { |
|
35 | 38 |
|
36 |
$this->ogVersion = ldap_authorization_og_og_version(); |
|
37 |
if ($this->ogVersion == 1) { |
|
38 |
$this->defaultMembershipRid = ldap_authorization_og1_role_name_to_role_id(OG_AUTHENTICATED_ROLE); |
|
39 |
$this->anonymousRid = ldap_authorization_og1_role_name_to_role_id(OG_ANONYMOUS_ROLE); |
|
40 |
} |
|
41 |
else { |
|
42 |
//@todo these properties are not used in ldap og 2, but when they are their derivation needs to be examined and tested |
|
43 |
// as they may be per entity rids, not global. |
|
44 |
$this->defaultMembershipRid = NULL; // ldap_authorization_og_rid_from_role_name(OG_AUTHENTICATED_ROLE); |
|
45 |
$this->anonymousRid = NULL; //ldap_authorization_og_rid_from_role_name(OG_ANONYMOUS_ROLE); |
|
46 |
} |
|
39 |
// @todo these properties are not used in ldap og 2, but when they are their derivation needs to be examined and tested |
|
40 |
// as they may be per entity rids, not global. |
|
41 |
// ldap_authorization_og_rid_from_role_name(OG_AUTHENTICATED_ROLE); |
|
42 |
$this->defaultMembershipRid = NULL; |
|
43 |
// ldap_authorization_og_rid_from_role_name(OG_ANONYMOUS_ROLE); |
|
44 |
$this->anonymousRid = NULL; |
|
47 | 45 |
|
48 | 46 |
$params = ldap_authorization_og_ldap_authorization_consumer(); |
49 | 47 |
parent::__construct('og_group', $params['og_group']); |
50 | 48 |
} |
51 | 49 |
|
52 |
public function og1ConsumerIdParts($consumer_id) { |
|
53 |
if (!is_scalar($consumer_id)) { |
|
54 |
return array(NULL, NULL); |
|
55 |
} |
|
56 |
$parts = explode('-', $consumer_id); |
|
57 |
return (count($parts) != 2) ? array(NULL, NULL) : $parts; |
|
58 |
} |
|
59 |
|
|
50 |
/** |
|
51 |
* |
|
52 |
*/ |
|
60 | 53 |
public function og2ConsumerIdParts($consumer_id) { |
61 | 54 |
if (!is_scalar($consumer_id)) { |
62 | 55 |
return array(NULL, NULL, NULL); |
... | ... | |
65 | 58 |
return (count($parts) != 3) ? array(NULL, NULL, NULL) : $parts; |
66 | 59 |
} |
67 | 60 |
|
68 |
|
|
69 | 61 |
/** |
70 | 62 |
* @see LdapAuthorizationConsumerAbstract::createConsumer |
71 | 63 |
* |
... | ... | |
73 | 65 |
* if a use case for generating og groups and roles on the |
74 | 66 |
* fly existed. |
75 | 67 |
*/ |
76 |
|
|
77 | 68 |
public function createConsumer($consumer_id, $consumer) { |
78 | 69 |
return FALSE; |
79 | 70 |
} |
... | ... | |
82 | 73 |
* @see LdapAuthorizationConsumerAbstract::normalizeMappings |
83 | 74 |
*/ |
84 | 75 |
public function normalizeMappings($mappings) { |
85 |
|
|
86 | 76 |
$new_mappings = array(); |
87 |
if ($this->ogVersion == 2) { |
|
88 |
$group_entity_types = og_get_all_group_bundle(); |
|
89 |
foreach ($mappings as $i => $mapping) { |
|
90 |
$from = $mapping[0]; |
|
91 |
$to = $mapping[1]; |
|
92 |
$to_parts = explode('(raw: ', $to); |
|
93 |
$user_entered = $to_parts[0]; |
|
94 |
$new_mapping = array( |
|
95 |
'from' => $from, |
|
96 |
'user_entered' => $user_entered, |
|
97 |
'valid' => TRUE, |
|
98 |
'error_message' => '', |
|
99 |
); |
|
100 |
|
|
101 |
if (count($to_parts) == 2) { // has simplified and normalized part in (). update normalized part as validation |
|
102 |
$to_normalized = trim($to_parts[1], ')'); |
|
103 |
/** |
|
104 |
* users (node:35:1) |
|
105 |
* node:students (node:21:1) |
|
106 |
* faculty (node:33:2) |
|
107 |
* node:35:1 (node:35:1) |
|
108 |
* node:35 (node:35:1) |
|
109 |
*/ |
|
110 |
|
|
111 |
$to_simplified = $to_parts[0]; |
|
112 |
$to_simplified_parts = explode(':', trim($to_simplified)); |
|
113 |
$entity_type = (count($to_simplified_parts) == 1) ? 'node' : $to_simplified_parts[0]; |
|
114 |
$role = (count($to_simplified_parts) < 3) ? OG_AUTHENTICATED_ROLE : $to_simplified_parts[2]; |
|
115 |
$group_name = (count($to_simplified_parts) == 1) ? $to_simplified_parts[0] : $to_simplified_parts[1]; |
|
116 |
list($group_entity, $group_entity_id) = ldap_authorization_og2_get_group_from_name($entity_type, $group_name); |
|
117 |
$to_simplified = join(':', array($entity_type, $group_name)); |
|
118 |
} |
|
119 |
else { // may be simplified or normalized, but not both |
|
120 |
/** |
|
121 |
* users |
|
122 |
* node:students |
|
123 |
* faculty |
|
124 |
* node:35:1 |
|
125 |
* node:35 |
|
126 |
*/ |
|
127 |
$to_parts = explode(':', trim($to)); |
|
128 |
$entity_type = (count($to_parts) == 1) ? 'node' : $to_parts[0]; |
|
129 |
$role = (count($to_parts) < 3) ? OG_AUTHENTICATED_ROLE : $to_parts[2]; |
|
130 |
$group_name_or_entity_id = (count($to_parts) == 1) ? $to_parts[0] : $to_parts[1]; |
|
131 |
list($group_entity, $group_entity_id) = ldap_authorization_og2_get_group_from_name($entity_type, $group_name_or_entity_id); |
|
132 |
if ($group_entity) { // if load by name works, $group_name_or_entity_id is group title |
|
133 |
$to_simplified = join(':', array($entity_type, $group_name_or_entity_id)); |
|
134 |
} |
|
135 |
else { |
|
136 |
$to_simplified = FALSE; |
|
137 |
} |
|
138 |
$simplified = (boolean)($group_entity); |
|
139 |
if (!$group_entity && ($group_entity = @entity_load_single($entity_type, $group_name_or_entity_id))) { |
|
140 |
$group_entity_id = $group_name_or_entity_id; |
|
141 |
} |
|
142 |
} |
|
143 |
if (!$group_entity) { |
|
144 |
$new_mapping['normalized'] = FALSE; |
|
145 |
$new_mapping['simplified'] = FALSE; |
|
146 |
$new_mapping['valid'] = FALSE; |
|
147 |
$new_mapping['error_message'] = t("cannot find matching group: !to", array('!to' => $to)); |
|
148 |
} |
|
149 |
else { |
|
150 |
$role_id = is_numeric($role) ? $role : ldap_authorization_og2_rid_from_role_name($entity_type, $group_entity->type, $group_entity_id, $role); |
|
151 |
$roles = og_roles($entity_type, isset($group_entity->type) ? $group_entity->type : NULL, 0, FALSE, TRUE); |
|
152 |
$role_name = is_numeric($role) ? $roles[$role] : $role; |
|
153 |
$to_normalized = join(':', array($entity_type, $group_entity_id, $role_id)); |
|
154 |
$to_simplified = ($to_simplified) ? $to_simplified . ':' . $role_name : $to_normalized; |
|
155 |
$new_mapping['normalized'] = $to_normalized; |
|
156 |
$new_mapping['simplified'] = $to_simplified; |
|
157 |
if ($to == $to_normalized) { |
|
158 |
/** if not using simplified notation, do not convert to simplified. |
|
159 |
this would create a situation where an og group |
|
160 |
can change its title and the authorizations change when the |
|
161 |
admin specified the group by entity id |
|
162 |
*/ |
|
163 |
$new_mapping['user_entered'] = $to; |
|
164 |
} |
|
165 |
else { |
|
166 |
$new_mapping['user_entered'] = $to_simplified . ' (raw: ' . $to_normalized . ')'; |
|
167 |
} |
|
168 |
|
|
169 |
|
|
170 |
} |
|
77 |
$group_entity_types = og_get_all_group_bundle(); |
|
78 |
foreach ($mappings as $i => $mapping) { |
|
79 |
$from = $mapping[0]; |
|
80 |
$to = $mapping[1]; |
|
81 |
$to_parts = explode('(raw: ', $to); |
|
82 |
$user_entered = $to_parts[0]; |
|
83 |
$new_mapping = array( |
|
84 |
'from' => $from, |
|
85 |
'user_entered' => $user_entered, |
|
86 |
'valid' => TRUE, |
|
87 |
'error_message' => '', |
|
88 |
); |
|
171 | 89 |
|
172 |
$new_mappings[] = $new_mapping; |
|
90 |
// Has simplified and normalized part in (). update normalized part as validation. |
|
91 |
if (count($to_parts) == 2) { |
|
92 |
$to_normalized = trim($to_parts[1], ')'); |
|
93 |
/** |
|
94 |
* users (node:35:1) |
|
95 |
* node:students (node:21:1) |
|
96 |
* faculty (node:33:2) |
|
97 |
* node:35:1 (node:35:1) |
|
98 |
* node:35 (node:35:1) |
|
99 |
*/ |
|
100 |
|
|
101 |
$to_simplified = $to_parts[0]; |
|
102 |
$to_simplified_parts = explode(':', trim($to_simplified)); |
|
103 |
$entity_type = (count($to_simplified_parts) == 1) ? 'node' : $to_simplified_parts[0]; |
|
104 |
$role = (count($to_simplified_parts) < 3) ? OG_AUTHENTICATED_ROLE : $to_simplified_parts[2]; |
|
105 |
$group_name = (count($to_simplified_parts) == 1) ? $to_simplified_parts[0] : $to_simplified_parts[1]; |
|
106 |
list($group_entity, $group_entity_id) = ldap_authorization_og2_get_group_from_name($entity_type, $group_name); |
|
107 |
$to_simplified = join(':', array($entity_type, $group_name)); |
|
173 | 108 |
} |
174 |
} |
|
175 |
else { // og 1 |
|
176 |
foreach ($mappings as $i => $mapping) { |
|
177 |
$new_mapping = array( |
|
178 |
'from' => $mapping[0], |
|
179 |
'user_entered' => $mapping[1], |
|
180 |
'normalized' => NULL, |
|
181 |
'simplified' => NULL, |
|
182 |
'valid' => TRUE, |
|
183 |
'error_message' => '', |
|
184 |
); |
|
185 |
|
|
186 |
$gid = NULL; |
|
187 |
$rid = NULL; |
|
188 |
$correct_syntax = "gid=43,rid=2 or group-name=students,role-name=member or node.title=students,role-name=member"; |
|
189 |
$incorrect_syntax = t('Incorrect mapping syntax. Correct examples are:') . $correct_syntax; |
|
190 |
$targets = explode(',', $mapping[1]); |
|
191 |
if (count($targets) != 2) { |
|
192 |
$new_mapping['valid'] = FALSE; |
|
193 |
$new_mapping['error_message'] = $incorrect_syntax; |
|
194 |
continue; |
|
195 |
} |
|
196 |
|
|
197 |
$group_target_and_value = explode('=', $targets[0]); |
|
198 |
if (count($group_target_and_value) != 2) { |
|
199 |
$new_mapping['valid'] = FALSE; |
|
200 |
$new_mapping['error_message'] = $incorrect_syntax; |
|
201 |
continue; |
|
202 |
} |
|
203 |
|
|
204 |
list($group_target, $group_target_value) = $group_target_and_value; |
|
205 |
|
|
206 |
$role_target_and_value = explode('=', $targets[1]); |
|
207 |
if (count($role_target_and_value) != 2) { |
|
208 |
$new_mapping['valid'] = FALSE; |
|
209 |
$new_mapping['error_message'] = $incorrect_syntax; |
|
210 |
continue; |
|
211 |
} |
|
212 |
list($role_target, $role_target_value) = $role_target_and_value; |
|
213 |
|
|
214 |
|
|
215 |
$og_group = FALSE; |
|
216 |
if ($group_target == 'gid') { |
|
217 |
$gid = $group_target_value; |
|
218 |
} |
|
219 |
elseif ($group_target == 'group-name') { |
|
220 |
list($og_group, $og_node) = ldap_authorization_og1_get_group($group_target_value, 'group_name', 'object'); |
|
221 |
if (is_object($og_group) && property_exists($og_group, 'gid') && $og_group->gid) { |
|
222 |
$gid = $og_group->gid; |
|
223 |
} |
|
109 |
// May be simplified or normalized, but not both. |
|
110 |
else { |
|
111 |
/** |
|
112 |
* users |
|
113 |
* node:students |
|
114 |
* faculty |
|
115 |
* node:35:1 |
|
116 |
* node:35 |
|
117 |
*/ |
|
118 |
$to_parts = explode(':', trim($to)); |
|
119 |
$entity_type = (count($to_parts) == 1) ? 'node' : $to_parts[0]; |
|
120 |
$role = (count($to_parts) < 3) ? OG_AUTHENTICATED_ROLE : $to_parts[2]; |
|
121 |
$group_name_or_entity_id = (count($to_parts) == 1) ? $to_parts[0] : $to_parts[1]; |
|
122 |
list($group_entity, $group_entity_id) = ldap_authorization_og2_get_group_from_name($entity_type, $group_name_or_entity_id); |
|
123 |
// If load by name works, $group_name_or_entity_id is group title. |
|
124 |
if ($group_entity) { |
|
125 |
$to_simplified = join(':', array($entity_type, $group_name_or_entity_id)); |
|
224 | 126 |
} |
225 | 127 |
else { |
226 |
$entity_type_and_field = explode('.', $group_target); |
|
227 |
if (count($entity_type_and_field) != 2) { |
|
228 |
$new_mapping['valid'] = FALSE; |
|
229 |
$new_mapping['error_message'] = $incorrect_syntax; |
|
230 |
continue; |
|
231 |
} |
|
232 |
list($entity_type, $field) = $entity_type_and_field; |
|
233 |
|
|
234 |
$query = new EntityFieldQuery(); |
|
235 |
$query->entityCondition('entity_type', $entity_type) |
|
236 |
->fieldCondition($field, 'value', $group_target_value, '=') |
|
237 |
->addMetaData('account', user_load(1)); // run the query as user 1 |
|
238 |
|
|
239 |
$result = $query->execute(); |
|
240 |
if (is_array($result) && isset($result[$entity_type]) && count($result[$entity_type]) == 1) { |
|
241 |
$entities = array_keys($result[$entity_type]); |
|
242 |
$gid = ldap_authorization_og1_entity_id_to_gid($entities[0]); |
|
243 |
} |
|
244 |
|
|
128 |
$to_simplified = FALSE; |
|
245 | 129 |
} |
246 |
if (!$og_group && $gid) { |
|
247 |
$og_group = og_load($gid); |
|
130 |
$simplified = (boolean) ($group_entity); |
|
131 |
if (!$group_entity && ($group_entity = @entity_load_single($entity_type, $group_name_or_entity_id))) { |
|
132 |
$group_entity_id = $group_name_or_entity_id; |
|
248 | 133 |
} |
249 |
|
|
250 |
|
|
251 |
if ($role_target == 'rid') { |
|
252 |
$role_name = ldap_authorization_og1_role_name_from_rid($role_target_value); |
|
253 |
$rid = $role_target_value; |
|
134 |
} |
|
135 |
if (!$group_entity) { |
|
136 |
$new_mapping['normalized'] = FALSE; |
|
137 |
$new_mapping['simplified'] = FALSE; |
|
138 |
$new_mapping['valid'] = FALSE; |
|
139 |
$new_mapping['error_message'] = t("cannot find matching group: !to", array('!to' => $to)); |
|
140 |
} |
|
141 |
else { |
|
142 |
$role_id = is_numeric($role) ? $role : ldap_authorization_og2_rid_from_role_name($entity_type, $group_entity->type, $group_entity_id, $role); |
|
143 |
$roles = og_roles($entity_type, isset($group_entity->type) ? $group_entity->type : NULL, 0, FALSE, TRUE); |
|
144 |
$role_name = is_numeric($role) ? $roles[$role] : $role; |
|
145 |
$to_normalized = join(':', array($entity_type, $group_entity_id, $role_id)); |
|
146 |
$to_simplified = ($to_simplified) ? $to_simplified . ':' . $role_name : $to_normalized; |
|
147 |
$new_mapping['normalized'] = $to_normalized; |
|
148 |
$new_mapping['simplified'] = $to_simplified; |
|
149 |
if ($to == $to_normalized) { |
|
150 |
/** if not using simplified notation, do not convert to simplified. |
|
151 |
* this would create a situation where an og group |
|
152 |
* can change its title and the authorizations change when the |
|
153 |
* admin specified the group by entity id |
|
154 |
*/ |
|
155 |
$new_mapping['user_entered'] = $to; |
|
254 | 156 |
} |
255 |
elseif ($role_target == 'role-name') { |
|
256 |
$rid = ldap_authorization_og_rid_from_role_name($role_target_value); |
|
257 |
$role_name = $role_target_value; |
|
157 |
else { |
|
158 |
$new_mapping['user_entered'] = $to_simplified . ' (raw: ' . $to_normalized . ')'; |
|
258 | 159 |
} |
259 | 160 |
|
260 |
$new_mapping['simplified'] = $og_group->label . ', '. $role_name; |
|
261 |
$new_mapping['normalized'] = ($gid && $rid) ? ldap_authorization_og_authorization_id($gid, $rid) : FALSE; |
|
262 |
|
|
263 |
$new_mappings[] = $new_mapping; |
|
264 | 161 |
} |
265 | 162 |
|
163 |
$new_mappings[] = $new_mapping; |
|
266 | 164 |
} |
267 | 165 |
return $new_mappings; |
268 | 166 |
} |
269 | 167 |
|
270 |
/** |
|
271 |
* in organic groups 7.x-1.x, consumer ids are in form gid-rid such as 3-2, 3-3. We want highest authorization available granted. |
|
272 |
* But, granting member role (2), revokes other roles such as admin in OG. So for granting we want the order: |
|
273 |
* 3-1, 3-2, 3-3 such that 3-3 is retained. For revoking, the order should not matter, but reverse sorting makes |
|
274 |
* intuitive sense. |
|
275 |
*/ |
|
276 |
|
|
168 |
/** |
|
169 |
* In organic groups 7.x-1.x, consumer ids are in form gid-rid such as 3-2, 3-3. We want highest authorization available granted. |
|
170 |
* But, granting member role (2), revokes other roles such as admin in OG. So for granting we want the order: |
|
171 |
* 3-1, 3-2, 3-3 such that 3-3 is retained. For revoking, the order should not matter, but reverse sorting makes |
|
172 |
* intuitive sense. |
|
173 |
*/ |
|
277 | 174 |
public function sortConsumerIds($op, &$consumers) { |
278 | 175 |
if ($op == 'revoke') { |
279 | 176 |
krsort($consumers, SORT_STRING); |
... | ... | |
286 | 183 |
/** |
287 | 184 |
* @see LdapAuthorizationConsumerAbstract::populateConsumersFromConsumerIds |
288 | 185 |
*/ |
289 |
|
|
290 | 186 |
public function populateConsumersFromConsumerIds(&$consumers, $create_missing_consumers = FALSE) { |
291 | 187 |
|
292 |
// generate a query for all og groups of interest
|
|
188 |
// Generate a query for all og groups of interest.
|
|
293 | 189 |
$gids = array(); |
294 | 190 |
foreach ($consumers as $consumer_id => $consumer) { |
295 |
if (ldap_authorization_og_og_version() == 1) { |
|
296 |
list($gid, $rid) = $this->og1ConsumerIdParts($consumer_id); |
|
297 |
$gids[] = $gid; |
|
298 |
} |
|
299 |
else { |
|
300 |
list($entity_type, $gid, $rid) = explode(':', $consumer_id); |
|
301 |
$gids[$entity_type][] = $gid; |
|
302 |
} |
|
191 |
list($entity_type, $gid, $rid) = explode(':', $consumer_id); |
|
192 |
$gids[$entity_type][] = $gid; |
|
303 | 193 |
|
304 | 194 |
} |
305 |
if (ldap_authorization_og_og_version() == 1) { |
|
306 |
$og_group_entities = og_load_multiple($gids); |
|
307 |
} |
|
308 |
else { |
|
309 |
foreach ($gids as $entity_type => $gid_x_entity) { |
|
310 |
$og_group_entities[$entity_type] = @entity_load($entity_type, $gid_x_entity); |
|
311 |
} |
|
195 |
|
|
196 |
foreach ($gids as $entity_type => $gid_x_entity) { |
|
197 |
$og_group_entities[$entity_type] = @entity_load($entity_type, $gid_x_entity); |
|
312 | 198 |
} |
313 | 199 |
|
314 | 200 |
foreach ($consumers as $consumer_id => $consumer) { |
315 |
if (ldap_authorization_og_og_version() == 1) { |
|
316 |
list($gid, $rid) = $this->og1ConsumerIdParts($consumer_id); |
|
317 |
$consumer['exists'] = isset($og_group_entities[$gid]); |
|
318 |
if ($consumer['exists']) { |
|
319 |
$consumer['value'] = $og_group_entities[$gid]; |
|
320 |
if (empty($consumer['name']) && property_exists($og_group_entities[$gid], 'title')) { |
|
321 |
$consumer['name'] = $og_group_entities[$gid]->title; |
|
322 |
} |
|
323 |
$consumer['name'] = $consumer_id; |
|
324 |
} |
|
325 |
else { |
|
326 |
$consumer['value'] = NULL; |
|
327 |
$consumer['name'] = NULL; |
|
328 |
} |
|
329 |
|
|
330 |
$consumer['map_to_string'] = $consumer_id; |
|
331 |
} |
|
332 |
else { |
|
333 |
list($entity_type, $gid, $rid) = explode(':', $consumer_id); |
|
334 |
$consumer['exists'] = isset($og_group_entities[$entity_type][$gid]); |
|
335 |
$consumer['value'] = ($consumer['exists']) ? $og_group_entities[$entity_type][$gid] : NULL; |
|
336 |
$consumer['map_to_string'] = $consumer_id; |
|
337 |
if ( |
|
338 |
empty($consumer['name']) && |
|
339 |
!empty($og_group_entities[$entity_type][$gid]) && |
|
340 |
property_exists($og_group_entities[$entity_type][$gid], 'title') |
|
341 |
) { |
|
342 |
$consumer['name'] = $og_group_entities[$entity_type][$gid]->title; |
|
343 |
} |
|
201 |
list($entity_type, $gid, $rid) = explode(':', $consumer_id); |
|
202 |
$consumer['exists'] = isset($og_group_entities[$entity_type][$gid]); |
|
203 |
$consumer['value'] = ($consumer['exists']) ? $og_group_entities[$entity_type][$gid] : NULL; |
|
204 |
$consumer['map_to_string'] = $consumer_id; |
|
205 |
if ( |
|
206 |
empty($consumer['name']) && |
|
207 |
!empty($og_group_entities[$entity_type][$gid]) && |
|
208 |
property_exists($og_group_entities[$entity_type][$gid], 'title') |
|
209 |
) { |
|
210 |
$consumer['name'] = $og_group_entities[$entity_type][$gid]->title; |
|
344 | 211 |
} |
345 | 212 |
|
346 | 213 |
if (!$consumer['exists'] && $create_missing_consumers) { |
347 |
// @todo if creation of og groups were implemented, function would be called here
|
|
348 |
// this would mean mapping would need to have enough info to configure a group,
|
|
349 |
// or settings would need to include a default group type to create (entity type,
|
|
350 |
// bundle, etc.)
|
|
214 |
// @todo if creation of og groups were implemented, function would be called here |
|
215 |
// this would mean mapping would need to have enough info to configure a group, |
|
216 |
// or settings would need to include a default group type to create (entity type, |
|
217 |
// bundle, etc.) |
|
351 | 218 |
} |
352 | 219 |
$consumers[$consumer_id] = $consumer; |
353 | 220 |
} |
354 | 221 |
} |
355 | 222 |
|
356 |
|
|
223 |
/** |
|
224 |
* |
|
225 |
*/ |
|
357 | 226 |
public function hasAuthorization(&$user, $consumer_id) { |
358 |
|
|
359 |
if ($this->ogVersion == 1) { |
|
360 |
$result = FALSE; |
|
361 |
list($gid, $rid) = $this->og1ConsumerIdParts($consumer_id); |
|
362 |
return ldap_authorization_og1_has_membership($gid, $user->uid) && ldap_authorization_og1_has_role($gid, $user->uid, $rid); |
|
363 |
} |
|
364 |
else { |
|
365 |
return ldap_authorization_og2_has_consumer_id($consumer_id, $user->uid); |
|
366 |
} |
|
227 |
return ldap_authorization_og2_has_consumer_id($consumer_id, $user->uid); |
|
367 | 228 |
} |
368 | 229 |
|
369 |
|
|
230 |
/** |
|
231 |
* |
|
232 |
*/ |
|
370 | 233 |
public function flushRelatedCaches($consumers = NULL, $user = NULL) { |
371 | 234 |
if ($user) { |
372 |
$this->usersAuthorizations($user, TRUE, FALSE); // clear user authorizations cache |
|
373 |
} |
|
374 |
|
|
375 |
if ($this->ogVersion == 1) { |
|
376 |
og_group_membership_invalidate_cache(); |
|
377 |
} |
|
378 |
else { |
|
379 |
og_membership_invalidate_cache(); |
|
235 |
// Clear user authorizations cache. |
|
236 |
$this->usersAuthorizations($user, TRUE, FALSE); |
|
380 | 237 |
} |
381 |
|
|
238 |
|
|
239 |
og_membership_invalidate_cache(); |
|
240 |
|
|
382 | 241 |
if ($consumers) { |
383 | 242 |
$gids_to_clear_cache = array(); |
384 | 243 |
foreach ($consumers as $i => $consumer_id) { |
385 |
if ($this->ogVersion == 1) { // og 7.x-1.x |
|
386 |
list($gid, $rid) = $this->og1ConsumerIdParts($consumer_id); |
|
387 |
} |
|
388 |
else { |
|
389 |
list($entity_type, $gid, $rid) = $this->og2ConsumerIdParts($consumer_id); |
|
390 |
} |
|
244 |
list($entity_type, $gid, $rid) = $this->og2ConsumerIdParts($consumer_id); |
|
391 | 245 |
$gids_to_clear_cache[$gid] = $gid; |
392 | 246 |
} |
393 | 247 |
og_invalidate_cache(array_keys($gids_to_clear_cache)); |
... | ... | |
397 | 251 |
} |
398 | 252 |
} |
399 | 253 |
|
400 |
/** |
|
401 |
* @param string $op 'grant' or 'revoke' signifying what to do with the $consumer_ids |
|
254 |
/** |
|
255 |
* @param string $op |
|
256 |
* 'grant' or 'revoke' signifying what to do with the $consumer_ids. |
|
402 | 257 |
* @param drupal user object $object |
403 |
* @param array $user_auth_data is array specific to this consumer_type. Stored at $user->data['ldap_authorizations'][<consumer_type>] |
|
404 |
* @param $consumers as associative array in form of LdapAuthorizationConsumerAbstract::populateConsumersFromConsumerIds |
|
405 |
* @param array $ldap_entry, when available user's ldap entry. |
|
406 |
* @param boolean $user_save indicates is user data array should be saved or not. this is always overridden for og |
|
258 |
* @param array $user_auth_data |
|
259 |
* is array specific to this consumer_type. Stored at $user->data['ldap_authorizations'][<consumer_type>]. |
|
260 |
* @param $consumers |
|
261 |
* as associative array in form of LdapAuthorizationConsumerAbstract::populateConsumersFromConsumerIds |
|
262 |
* @param array $ldap_entry, |
|
263 |
* when available user's ldap entry. |
|
264 |
* @param bool $user_save |
|
265 |
* indicates is user data array should be saved or not. this is always overridden for og. |
|
407 | 266 |
*/ |
408 | 267 |
public function authorizationDiff($existing, $desired) { |
409 |
if ($this->ogVersion != 1) { |
|
410 |
return parent::authorizationDiff($existing, $desired); |
|
411 |
} |
|
412 |
|
|
413 |
/** |
|
414 |
* for og 1.5, goal is not to recognize X-2 consumer ids if X-N exist |
|
415 |
* since X-2 consumer ids are granted as a prerequisite of X-N |
|
416 |
*/ |
|
417 |
|
|
418 |
$diff = array_diff($existing, $desired); |
|
419 |
$desired_group_ids = array(); |
|
420 |
foreach ($desired as $i => $consumer_id) { |
|
421 |
list($gid, $rid) = $this->og1ConsumerIdParts($consumer_id); |
|
422 |
$desired_group_ids[$gid] = TRUE; |
|
423 |
} |
|
424 |
foreach ($diff as $i => $consumer_id) { |
|
425 |
list($gid, $rid) = $this->og1ConsumerIdParts($consumer_id); |
|
426 |
// if there are still roles in this group that are desired, do |
|
427 |
// not remove default mambership role id |
|
428 |
if ($rid == $this->defaultMembershipRid && !empty($desired_group_ids[$gid])) { |
|
429 |
unset($diff[$i]); |
|
430 |
} |
|
431 |
} |
|
432 |
return $diff; |
|
268 |
return parent::authorizationDiff($existing, $desired); |
|
433 | 269 |
} |
434 | 270 |
|
271 |
/** |
|
272 |
* |
|
273 |
*/ |
|
435 | 274 |
protected function grantsAndRevokes($op, &$user, &$user_auth_data, $consumers, &$ldap_entry = NULL, $user_save = TRUE) { |
436 | 275 |
|
437 | 276 |
if (!is_array($user_auth_data)) { |
... | ... | |
472 | 311 |
} |
473 | 312 |
$log = "consumer_id=$consumer_id, op=$op,"; |
474 | 313 |
|
475 |
$user_has_authorization = in_array($consumer_id, $users_authorization_consumer_ids); // does user already have authorization ? |
|
476 |
$user_has_authorization_recorded = isset($user_auth_data[$consumer_id]); // is authorization attribute to ldap_authorization_og in $user->data ? |
|
477 |
|
|
478 |
if ($this->ogVersion == 1) { |
|
479 |
list($gid, $rid) = $this->og1ConsumerIdParts($consumer_id); |
|
480 |
if ($rid == $this->anonymousRid) { |
|
481 |
continue; |
|
482 |
} |
|
483 |
} |
|
484 |
else { |
|
485 |
list($entity_type, $gid, $rid) = $this->og2ConsumerIdParts($consumer_id); |
|
486 |
} |
|
487 |
|
|
314 |
// Does user already have authorization ? |
|
315 |
$user_has_authorization = in_array($consumer_id, $users_authorization_consumer_ids); |
|
316 |
// Is authorization attribute to ldap_authorization_og in $user->data ? |
|
317 |
$user_has_authorization_recorded = isset($user_auth_data[$consumer_id]); |
|
318 |
|
|
319 |
list($entity_type, $gid, $rid) = $this->og2ConsumerIdParts($consumer_id); |
|
320 |
|
|
488 | 321 |
/** grants **/ |
489 | 322 |
if ($op == 'grant') { |
490 | 323 |
if ($user_has_authorization && !$user_has_authorization_recorded) { |
491 |
// grant case 1: authorization id already exists for user, but is not ldap provisioned. mark as ldap provisioned, but don't regrant
|
|
324 |
// Grant case 1: authorization id already exists for user, but is not ldap provisioned. mark as ldap provisioned, but don't regrant.
|
|
492 | 325 |
$results[$consumer_id] = TRUE; |
493 | 326 |
$user_auth_data[$consumer_id] = array( |
494 | 327 |
'date_granted' => time(), |
... | ... | |
498 | 331 |
$log .= $consumer_id; |
499 | 332 |
} |
500 | 333 |
elseif (!$user_has_authorization && $consumer['exists']) { |
501 |
// grant case 2: consumer exists, but user is not member. grant authorization |
|
502 |
if ($this->ogVersion == 1) { |
|
503 |
$og_actions['grants'][$gid][] = $rid; |
|
504 |
} |
|
505 |
else { |
|
506 |
$og_actions['grants'][$entity_type][$gid][] = $rid; |
|
507 |
} |
|
334 |
// Grant case 2: consumer exists, but user is not member. grant authorization. |
|
335 |
$og_actions['grants'][$entity_type][$gid][] = $rid; |
|
508 | 336 |
$log .= "grant case 2: consumer exists, but user is not member. grant authorization"; |
509 |
$log .= " ".$entity_type . ":" . $gid .":" . $rid;
|
|
337 |
$log .= " " . $entity_type . ":" . $gid . ":" . $rid;
|
|
510 | 338 |
} |
511 | 339 |
elseif ($consumer['exists'] !== TRUE) { |
512 |
// grant case 3: something is wrong. consumers should have been created before calling grantsAndRevokes
|
|
340 |
// Grant case 3: something is wrong. consumers should have been created before calling grantsAndRevokes.
|
|
513 | 341 |
$results[$consumer_id] = FALSE; |
514 | 342 |
$log .= "grant case 3: something is wrong. consumers should have been created before calling grantsAndRevokes"; |
515 |
$log .= " ".$consumer_id; } |
|
343 |
$log .= " " . $consumer_id; |
|
344 |
} |
|
516 | 345 |
elseif ($consumer['exists'] === TRUE) { |
517 |
// grant case 4: consumer exists and user has authorization recorded. do nothing
|
|
346 |
// Grant case 4: consumer exists and user has authorization recorded. do nothing.
|
|
518 | 347 |
$results[$consumer_id] = TRUE; |
519 | 348 |
$log .= "grant case 4: consumer exists and user has authorization recorded. do nothing"; |
520 |
$log .= " ".$consumer_id;
|
|
349 |
$log .= " " . $consumer_id;
|
|
521 | 350 |
} |
522 | 351 |
else { |
523 |
// grant case 5: $consumer['exists'] has not been properly set before calling function
|
|
352 |
// Grant case 5: $consumer['exists'] has not been properly set before calling function.
|
|
524 | 353 |
$results[$consumer_id] = FALSE; |
525 | 354 |
watchdog('ldap_authorization', "grantsAndRevokes consumer[exists] not properly set. consumer_id=$consumer_id, op=$op, username=%username", $watchdog_tokens, WATCHDOG_ERROR); |
526 |
$log .= "grantsAndRevokes consumer[exists] not properly set. consumer_id=$consumer_id, op=$op, username=%username"; |
|
527 |
} |
|
528 |
$consumer_ids_log .= $log; } |
|
355 |
$log .= "grantsAndRevokes consumer[exists] not properly set. consumer_id=$consumer_id, op=$op, username=%username"; |
|
356 |
} |
|
357 |
$consumer_ids_log .= $log; |
|
358 |
} |
|
529 | 359 |
/** revokes **/ |
530 | 360 |
elseif ($op == 'revoke') { |
531 | 361 |
if ($user_has_authorization) { |
532 |
// revoke case 1: user has authorization, revoke it. revokeSingleAuthorization will remove $user_auth_data[$consumer_id] |
|
533 |
if ($this->ogVersion == 1) { |
|
534 |
$og_actions['revokes'][$gid][] = $rid; |
|
535 |
} |
|
536 |
else { |
|
537 |
$og_actions['revokes'][$entity_type][$gid][] = $rid; |
|
538 |
} |
|
362 |
// Revoke case 1: user has authorization, revoke it. revokeSingleAuthorization will remove $user_auth_data[$consumer_id]. |
|
363 |
$og_actions['revokes'][$entity_type][$gid][] = $rid; |
|
539 | 364 |
$log .= "revoke case 1: user has authorization, revoke it. revokeSingleAuthorization will remove $consumer_id"; |
540 |
$log .=" ".$entity_type . ":" . $gid .":" . $rid ;
|
|
365 |
$log .= " " . $entity_type . ":" . $gid . ":" . $rid;
|
|
541 | 366 |
} |
542 |
elseif ($user_has_authorization_recorded) {
|
|
543 |
// revoke case 2: user does not have authorization, but has record of it. remove record of it.
|
|
367 |
elseif ($user_has_authorization_recorded) { |
|
368 |
// Revoke case 2: user does not have authorization, but has record of it. remove record of it.
|
|
544 | 369 |
unset($user_auth_data[$consumer_id]); |
545 | 370 |
$results[$consumer_id] = TRUE; |
546 | 371 |
$log .= "revoke case 2: user does not have authorization, but has record of it. remove record of it."; |
547 | 372 |
$log .= $consumer_id; |
548 | 373 |
} |
549 | 374 |
else { |
550 |
// revoke case 3: trying to revoke something that isn't there
|
|
375 |
// Revoke case 3: trying to revoke something that isn't there.
|
|
551 | 376 |
$results[$consumer_id] = TRUE; |
552 | 377 |
$log .= "revoke case 3: trying to revoke something that isn't there"; |
553 | 378 |
$log .= $consumer_id; |
... | ... | |
558 | 383 |
} |
559 | 384 |
$consumer_ids_log .= $log; |
560 | 385 |
} |
561 |
|
|
386 |
|
|
562 | 387 |
$watchdog_tokens['%consumer_ids_log'] = $consumer_ids_log; |
563 |
|
|
388 |
|
|
564 | 389 |
/** |
565 | 390 |
* Step #2: from array of form: |
566 |
* og1.5: $og_actions['grants'|'revokes'][$gid][$rid]\ |
|
567 |
* og2: $og_actions['grants'|'revokes'][$entity_type][$gid][$rid] |
|
391 |
* $og_actions['grants'|'revokes'][$entity_type][$gid][$rid] |
|
568 | 392 |
* - generate $user->data['ldap_authorizations'][<consumer_id>] |
569 | 393 |
* - remove and grant og memberships |
570 | 394 |
* - remove and grant og roles |
571 | 395 |
* - flush appropriate caches |
572 | 396 |
*/ |
573 |
if ($this->ogVersion == 1) { |
|
574 |
$this->og1Grants($og_actions, $user, $user_auth_data); |
|
575 |
$this->og1Revokes($og_actions, $user, $user_auth_data); |
|
576 |
} |
|
577 |
else { |
|
578 |
$this->og2Grants($og_actions, $user, $user_auth_data); |
|
579 |
$this->og2Revokes($og_actions, $user, $user_auth_data); |
|
580 |
} |
|
397 |
$this->og2Grants($og_actions, $user, $user_auth_data); |
|
398 |
$this->og2Revokes($og_actions, $user, $user_auth_data); |
|
581 | 399 |
|
582 | 400 |
$user_edit = array('data' => $user->data); |
583 | 401 |
$user_edit['data']['ldap_authorizations'][$this->consumerType] = $user_auth_data; |
... | ... | |
588 | 406 |
$user = user_load($user->uid, TRUE); |
589 | 407 |
$user = user_save($user, $user_edit); |
590 | 408 |
|
591 |
$user_auth_data = $user->data['ldap_authorizations'][$this->consumerType]; // reset this variable because user save hooks can impact it. |
|
409 |
// Reset this variable because user save hooks can impact it. |
|
410 |
$user_auth_data = $user->data['ldap_authorizations'][$this->consumerType]; |
|
592 | 411 |
|
593 | 412 |
$this->flushRelatedCaches($consumers, $user); |
594 | 413 |
|
... | ... | |
600 | 419 |
} |
601 | 420 |
} |
602 | 421 |
|
603 |
public function og1Grants($og_actions, &$user, &$user_auth_data) { |
|
604 |
foreach ($og_actions['grants'] as $gid => $rids) { |
|
605 |
$existing_roles = og_get_user_roles($gid, $user->uid); |
|
606 |
if (!in_array($this->defaultMembershipRid, array_values($existing_roles))) { |
|
607 |
$user->{OG_AUDIENCE_FIELD}[LANGUAGE_NONE][] = array('gid' => $gid); |
|
608 |
og_entity_presave($user, 'user'); |
|
609 |
$consumer_id = ldap_authorization_og_authorization_id($gid, $this->defaultMembershipRid); |
|
610 |
$user_auth_data[$consumer_id] = array( |
|
611 |
'date_granted' => time(), |
|
612 |
'consumer_id_mixed_case' => $consumer_id, |
|
613 |
); |
|
614 |
} |
|
615 |
foreach ($rids as $rid) { |
|
616 |
if ($rid != $this->defaultMembershipRid && $rid != $this->anonymousRid) { |
|
617 |
og_role_grant($gid, $user->uid, $rid); |
|
618 |
$consumer_id = ldap_authorization_og_authorization_id($gid, $rid); |
|
619 |
$user_auth_data[$consumer_id] = array( |
|
620 |
'date_granted' => time(), |
|
621 |
'consumer_id_mixed_case' => $consumer_id, |
|
622 |
); |
|
623 |
} |
|
624 |
} |
|
625 |
} |
|
626 |
} |
|
627 |
|
|
422 |
/** |
|
423 |
* |
|
424 |
*/ |
|
628 | 425 |
public function og2Grants($og_actions, &$user, &$user_auth_data) { |
629 | 426 |
foreach ($og_actions['grants'] as $group_entity_type => $gids) { |
630 |
foreach ($gids as $gid => $granting_rids) { // all rids ldap believes user should be granted and attributed to ldap |
|
631 |
$all_group_roles = og_roles($group_entity_type, FALSE, $gid, FALSE, TRUE); // all roles rid => role_name array w/ authen or anon roles |
|
427 |
// All rids ldap believes user should be granted and attributed to ldap. |
|
428 |
foreach ($gids as $gid => $granting_rids) { |
|
429 |
// All roles rid => role_name array w/ authen or anon roles. |
|
430 |
$all_group_roles = og_roles($group_entity_type, FALSE, $gid, FALSE, TRUE); |
|
632 | 431 |
$authenticated_rid = array_search(OG_AUTHENTICATED_ROLE, $all_group_roles); |
633 | 432 |
$anonymous_rid = array_search(OG_ANONYMOUS_ROLE, $all_group_roles); |
634 |
$all_group_rids = array_keys($all_group_roles); // all rids array w/ authen or anon rids |
|
635 |
$users_group_rids = array_keys(og_get_user_roles($group_entity_type, $gid, $user->uid, TRUE)); // users current rids w/authen or anon roles returned |
|
433 |
// All rids array w/ authen or anon rids. |
|
434 |
$all_group_rids = array_keys($all_group_roles); |
|
435 |
// Users current rids w/authen or anon roles returned. |
|
436 |
$users_group_rids = array_keys(og_get_user_roles($group_entity_type, $gid, $user->uid, TRUE)); |
|
636 | 437 |
$users_group_rids = array_diff($users_group_rids, array($anonymous_rid)); |
637 |
$new_rids = array_diff($granting_rids, $users_group_rids, array($anonymous_rid)); // rids to be added without anonymous rid |
|
438 |
// Rids to be added without anonymous rid. |
|
439 |
$new_rids = array_diff($granting_rids, $users_group_rids, array($anonymous_rid)); |
|
638 | 440 |
|
639 |
// if adding OG_AUTHENTICATED_ROLE or any other role and does not currently have OG_AUTHENTICATED_ROLE, group
|
|
441 |
// If adding OG_AUTHENTICATED_ROLE or any other role and does not currently have OG_AUTHENTICATED_ROLE, group.
|
|
640 | 442 |
if (!in_array($authenticated_rid, $users_group_rids) && count($new_rids) > 0) { |
641 | 443 |
$values = array( |
642 | 444 |
'entity_type' => 'user', |
... | ... | |
650 | 452 |
'date_granted' => time(), |
651 | 453 |
'consumer_id_mixed_case' => $consumer_id, |
652 | 454 |
); |
653 |
$new_rids = array_diff($new_rids, array($authenticated_rid)); // granted on membership creation |
|
654 |
|
|
455 |
// Granted on membership creation. |
|
456 |
$new_rids = array_diff($new_rids, array($authenticated_rid)); |
|
457 |
|
|
655 | 458 |
} |
656 | 459 |
foreach ($new_rids as $i => $rid) { |
657 | 460 |
og_role_grant($group_entity_type, $gid, $user->uid, $rid); |
658 | 461 |
} |
659 | 462 |
foreach ($granting_rids as $i => $rid) { |
660 |
// attribute to ldap regardless of if is being granted.
|
|
463 |
// Attribute to ldap regardless of if is being granted.
|
|
661 | 464 |
$consumer_id = join(':', array($group_entity_type, $gid, $rid)); |
662 | 465 |
$user_auth_data[$consumer_id] = array( |
663 | 466 |
'date_granted' => time(), |
... | ... | |
667 | 470 |
} |
668 | 471 |
} |
669 | 472 |
} |
670 |
|
|
671 |
|
|
672 |
public function og1Revokes($og_actions, &$user, &$user_auth_data) { |
|
673 |
$group_audience_gids = empty($user->{OG_AUDIENCE_FIELD}[LANGUAGE_NONE]['gid']) ? array() : $user->{OG_AUDIENCE_FIELD}[LANGUAGE_NONE]['gid']; |
|
674 |
foreach ($og_actions['revokes'] as $gid => $rids) { |
|
675 |
$existing_roles = og_get_user_roles($gid, $user->uid); |
|
676 |
if (in_array($this->defaultMembershipRid, array_values($existing_roles))) { |
|
677 |
// ungroup and set audience |
|
678 |
foreach ($group_audience_gids as $i => $_audience_gid) { |
|
679 |
if ($_audience_gid == $gid) { |
|
680 |
unset($user->{OG_AUDIENCE_FIELD}[LANGUAGE_NONE][$i]); |
|
681 |
} |
|
682 |
} |
|
683 |
og_entity_presave($user, 'user'); |
|
684 |
$user = og_ungroup($gid, 'user', $user, TRUE); |
|
685 |
foreach (array_values($existing_roles) as $rid) { |
|
686 |
$consumer_id = ldap_authorization_og_authorization_id($gid, $rid); |
|
687 |
if (isset($user_auth_data[$consumer_id])) { |
|
688 |
unset($user_auth_data[$consumer_id]); |
|
689 |
} |
|
690 |
} |
|
691 |
} |
|
692 |
else { |
|
693 |
foreach ($existing_roles as $rid) { |
|
694 |
if ($rid != $this->defaultMembershipRid && $this->defaultMembershipRid != 1) { |
|
695 |
og_role_revoke($gid, $user->uid, $rid); |
|
696 |
unset($user_auth_data[ldap_authorization_og_authorization_id($gid, $rid)]); |
|
697 |
} |
|
698 |
} |
|
699 |
} |
|
700 |
} |
|
701 |
} |
|
702 |
|
|
473 |
|
|
474 |
/** |
|
475 |
* |
|
476 |
*/ |
|
703 | 477 |
public function og2Revokes($og_actions, &$user, &$user_auth_data) { |
704 | 478 |
foreach ($og_actions['revokes'] as $group_entity_type => $gids) { |
705 |
foreach ($gids as $gid => $revoking_rids) { // $revoking_rids are all rids to be removed. may include authen rids |
|
706 |
$all_group_roles = og_roles($group_entity_type, FALSE, $gid, FALSE, TRUE); // all roles rid => role_name array w/ authen or anon roles |
|
707 |
$all_group_rids = array_keys($all_group_roles); // all rids array w/ authen or anon rids |
|
708 |
$users_group_rids = array_keys(og_get_user_roles($group_entity_type, $gid, $user->uid, TRUE)); // users current rids w/authen or anon roles returned |
|
709 |
$remaining_rids = array_diff($users_group_rids, $revoking_rids); // rids to be left at end of revoke process |
|
479 |
// $revoking_rids are all rids to be removed. may include authen rids. |
|
480 |
foreach ($gids as $gid => $revoking_rids) { |
|
481 |
// All roles rid => role_name array w/ authen or anon roles. |
|
482 |
$all_group_roles = og_roles($group_entity_type, FALSE, $gid, FALSE, TRUE); |
|
483 |
// All rids array w/ authen or anon rids. |
|
484 |
$all_group_rids = array_keys($all_group_roles); |
|
485 |
// Users current rids w/authen or anon roles returned. |
|
486 |
$users_group_rids = array_keys(og_get_user_roles($group_entity_type, $gid, $user->uid, TRUE)); |
|
487 |
// Rids to be left at end of revoke process. |
|
488 |
$remaining_rids = array_diff($users_group_rids, $revoking_rids); |
|
710 | 489 |
$authenticated_rid = array_search(OG_AUTHENTICATED_ROLE, $all_group_roles); |
711 |
// remove autenticated and anon rids here
|
|
490 |
// Remove autenticated and anon rids here.
|
|
712 | 491 |
foreach ($revoking_rids as $i => $rid) { |
713 |
// revoke if user has role
|
|
492 |
// Revoke if user has role.
|
|
714 | 493 |
if (in_array($rid, $users_group_rids)) { |
715 | 494 |
og_role_revoke($group_entity_type, $gid, $user->uid, $rid); |
716 | 495 |
} |
717 |
// unattribute to ldap even if user does not currently have role
|
|
496 |
// Unattribute to ldap even if user does not currently have role.
|
|
718 | 497 |
unset($user_auth_data[ldap_authorization_og_authorization_id($gid, $rid, $group_entity_type)]); |
719 | 498 |
} |
720 | 499 |
// define('OG_ANONYMOUS_ROLE', 'non-member'); define('OG_AUTHENTICATED_ROLE', 'member'); |
721 |
if (in_array($authenticated_rid, $revoking_rids) || count($remaining_rids) == 0) { // ungroup if only authenticated and anonymous role left |
|
500 |
// ungroup if only authenticated and anonymous role left. |
|
501 |
if (in_array($authenticated_rid, $revoking_rids) || count($remaining_rids) == 0) { |
|
722 | 502 |
$entity = og_ungroup($group_entity_type, $gid, 'user', $user->uid); |
723 |
$result = (boolean)($entity); |
|
503 |
$result = (boolean) ($entity);
|
|
724 | 504 |
} |
725 | 505 |
} |
726 | 506 |
} |
... | ... | |
729 | 509 |
/** |
730 | 510 |
* @see ldapAuthorizationConsumerAbstract::usersAuthorizations |
731 | 511 |
*/ |
732 |
|
|
733 | 512 |
public function usersAuthorizations(&$user, $reset = FALSE, $return_data = TRUE) { |
734 | 513 |
|
735 | 514 |
static $users; |
736 | 515 |
if (!is_array($users)) { |
737 |
$users = array(); // no cache exists, create static array |
|
516 |
// No cache exists, create static array. |
|
517 |
$users = array(); |
|
738 | 518 |
} |
739 | 519 |
elseif ($reset && isset($users[$user->uid])) { |
740 |
unset($users[$user->uid]); // clear users cache |
|
520 |
// Clear users cache. |
|
521 |
unset($users[$user->uid]); |
|
741 | 522 |
} |
742 | 523 |
elseif (!$return_data) { |
743 |
return NULL; // simply clearing cache |
|
524 |
// Simply clearing cache. |
|
525 |
return NULL; |
|
744 | 526 |
} |
745 | 527 |
elseif (!empty($users[$user->uid])) { |
746 |
return $users[$user->uid]; // return cached data |
|
528 |
// Return cached data. |
|
529 |
return $users[$user->uid]; |
|
747 | 530 |
} |
748 | 531 |
|
749 | 532 |
$authorizations = array(); |
750 | 533 |
|
751 |
if ($this->ogVersion == 1) { |
|
752 |
$gids = og_get_groups_by_user($user); |
|
753 |
foreach ($gids as $i => $gid) { |
|
754 |
$roles = og_get_user_roles($gid, $user->uid); |
|
755 |
if (!empty($roles[$this->defaultMembershipRid])) { // if you aren't a member, doesn't matter what roles you have in og 1.5 |
|
756 |
if (isset($roles[$this->anonymousRid])) { |
|
757 |
unset($roles[$this->anonymousRid]); |
|
758 |
} // ignore anonymous role |
|
759 |
$rids = array_values($roles); |
|
760 |
asort($rids, SORT_NUMERIC); // go low to high to get default memberships first |
|
761 |
foreach ($rids as $rid) { |
|
762 |
$authorizations[] = ldap_authorization_og_authorization_id($gid, $rid); |
|
763 |
} |
|
764 |
} |
|
765 |
} |
|
766 |
} |
|
767 |
else { // og 7.x-2.x |
|
768 |
$user_entities = entity_load('user', array($user->uid)); |
|
769 |
$memberships = og_get_entity_groups('user', $user_entities[$user->uid]); |
|
770 |
foreach ($memberships as $entity_type => $entity_memberships) { |
|
771 |
foreach ($entity_memberships as $og_membership_id => $gid) { |
|
772 |
$roles = og_get_user_roles($entity_type, $gid, $user->uid); |
|
773 |
foreach ($roles as $rid => $discard) { |
|
774 |
$authorizations[] = ldap_authorization_og_authorization_id($gid, $rid, $entity_type); |
|
775 |
} |
|
534 |
$user_entities = entity_load('user', array($user->uid)); |
|
535 |
$memberships = og_get_entity_groups('user', $user_entities[$user->uid]); |
|
536 |
foreach ($memberships as $entity_type => $entity_memberships) { |
|
537 |
foreach ($entity_memberships as $og_membership_id => $gid) { |
|
538 |
$roles = og_get_user_roles($entity_type, $gid, $user->uid); |
|
539 |
foreach ($roles as $rid => $discard) { |
|
540 |
$authorizations[] = ldap_authorization_og_authorization_id($gid, $rid, $entity_type); |
|
776 | 541 |
} |
777 | 542 |
} |
778 | 543 |
} |
779 | 544 |
$users[$user->uid] = $authorizations; |
780 |
|
|
545 |
|
|
781 | 546 |
return $authorizations; |
782 | 547 |
} |
783 | 548 |
|
... | ... | |
796 | 561 |
* @see ldapAuthorizationConsumerAbstract::validateAuthorizationMappingTarget |
797 | 562 |
*/ |
798 | 563 |
public function validateAuthorizationMappingTarget($mapping, $form_values = NULL, $clear_cache = FALSE) { |
799 |
// these mappings have already been through the normalizeMappings() method, so no real querying needed here. |
|
800 |
|
|
564 |
// These mappings have already been through the normalizeMappings() method, so no real querying needed here. |
|
801 | 565 |
$has_form_values = is_array($form_values); |
802 | 566 |
$message_type = NULL; |
803 | 567 |
$message_text = NULL; |
... | ... | |
812 | 576 |
'!from' => $mapping['from'], |
813 | 577 |
'!user_entered' => $mapping['user_entered'], |
814 | 578 |
'!error' => $mapping['error_message'], |
815 |
);
|
|
579 |
); |
|
816 | 580 |
$message_text = '<code>"' . t('!map_to|!user_entered', $tokens) . '"</code> ' . t('has the following error: !error.', $tokens); |
817 | 581 |
} |
818 | 582 |
return array($message_type, $message_text); |
819 | 583 |
} |
820 | 584 |
|
821 | 585 |
/** |
822 |
* Get list of mappings based on existing Organic Groups and roles |
|
586 |
* Get list of mappings based on existing Organic Groups and roles. |
|
587 |
* |
|
588 |
* @param array $tokens |
|
589 |
* Array of tokens and replacement values. |
|
823 | 590 |
* |
824 |
* @param associative array $tokens of tokens and replacement values
|
|
825 |
* @return html examples of mapping values
|
|
591 |
* @return
|
|
592 |
* HTML examples of mapping values.
|
|
826 | 593 |
*/ |
827 |
|
|
828 | 594 |
public function mappingExamples($tokens) { |
595 |
/** |
|
596 |
* OG 7.x-2.x mappings: |
|
597 |
* $entity_type = $group_type, |
|
598 |
* $bundle = $group_bundle |
|
599 |
* $etid = $gid where edid is nid, uid, etc. |
|
600 |
* |
|
601 |
* og group is: entity_type (eg node) x entity_id ($gid) eg. node:17 |
|
602 |
* group identifier = group_type:gid; aka entity_type:etid e.g. node:17 |
|
603 |
* |
|
604 |
* membership identifier is: group_type:gid:entity_type:etid |
|
605 |
* in our case: group_type:gid:user:uid aka entity_type:etid:user:uid e.g. node:17:user:2 |
|
606 |
* |
|
607 |
* roles are simply rids ((1,2,3) and names (non-member, member, and administrator member) in og_role table |
|
608 |
* og_users_roles is simply uid x rid x gid |
|
609 |
* |
|
610 |
* .. so authorization mappings should look like: |
|
611 |
* <ldap group>|group_type:gid:rid such as staff|node:17:2 |
|
612 |
*/ |
|
829 | 613 |
|
830 |
if ($this->ogVersion == 1) { |
|
831 |
$groups = og_get_all_group(); |
|
832 |
$ogEntities = og_load_multiple($groups); |
|
833 |
$OGroles = og_roles(0); |
|
834 |
|
|
835 |
$rows = array(); |
|
836 |
foreach ($ogEntities as $group) { |
|
837 |
foreach ($OGroles as $rid => $role) { |
|
838 |
$example = "<code>ou=IT,dc=myorg,dc=mytld,dc=edu|gid=" . $group->gid . ',rid=' . $rid . '</code><br/>' . |
|
839 |
'<code>ou=IT,dc=myorg,dc=mytld,dc=edu|group-name=' . $group->label . ',role-name=' . $role . '</code>'; |
|
840 |
$rows[] = array( |
|
841 |
$group->label, |
|
842 |
$group->gid, |
|
843 |
$role, |
|
844 |
$example, |
|
845 |
); |
|
846 |
} |
|
847 |
} |
|
848 |
|
|
849 |
$variables = array( |
|
850 |
'header' => array('Group Name', 'OG Group ID', 'OG Membership Type', 'example'), |
|
851 |
'rows' => $rows, |
|
852 |
'attributes' => array(), |
|
853 |
); |
|
854 |
} |
|
855 |
else { |
|
614 |
$og_fields = field_info_field(OG_GROUP_FIELD); |
|
615 |
$rows = array(); |
|
616 |
$role_name = OG_AUTHENTICATED_ROLE; |
|
856 | 617 |
|
857 |
/** |
|
858 |
* OG 7.x-2.x mappings: |
|
859 |
* $entity_type = $group_type, |
|
860 |
* $bundle = $group_bundle |
|
861 |
* $etid = $gid where edid is nid, uid, etc. |
|
862 |
* |
|
863 |
* og group is: entity_type (eg node) x entity_id ($gid) eg. node:17 |
|
864 |
* group identifier = group_type:gid; aka entity_type:etid e.g. node:17 |
|
865 |
* |
|
866 |
* membership identifier is: group_type:gid:entity_type:etid |
|
867 |
* in our case: group_type:gid:user:uid aka entity_type:etid:user:uid e.g. node:17:user:2 |
|
868 |
* |
|
869 |
* roles are simply rids ((1,2,3) and names (non-member, member, and administrator member) in og_role table |
|
870 |
* og_users_roles is simply uid x rid x gid |
|
871 |
* |
|
872 |
* .. so authorization mappings should look like: |
|
873 |
* <ldap group>|group_type:gid:rid such as staff|node:17:2 |
|
874 |
*/ |
|
875 |
|
|
876 |
$og_fields = field_info_field(OG_GROUP_FIELD); |
|
877 |
$rows = array(); |
|
878 |
$role_name = OG_AUTHENTICATED_ROLE; |
|
879 |
|
|
880 |
if (!empty($og_fields['bundles'])) { |
|
881 |
foreach ($og_fields['bundles'] as $entity_type => $bundles) { |
|
882 |
foreach ($bundles as $i => $bundle) { |
|
883 |
$query = new EntityFieldQuery(); |
|
884 |
$query->entityCondition('entity_type', $entity_type) |
|
885 |
->entityCondition('bundle', $bundle) |
|
886 |
->range(0, 5) |
|
887 |
->addMetaData('account', user_load(1)); // run the query as user 1 |
|
888 |
$result = $query->execute(); |
|
889 |
if (!empty($result)) { |
|
890 |
$entities = entity_load($entity_type, array_keys($result[$entity_type])); |
|
891 |
$i=0; |
|
618 |
if (!empty($og_fields['bundles'])) { |
|
619 |
foreach ($og_fields['bundles'] as $entity_type => $bundles) { |
|
620 |
foreach ($bundles as $i => $bundle) { |
|
621 |
$query = new EntityFieldQuery(); |
|
622 |
$query->entityCondition('entity_type', $entity_type) |
|
623 |
->entityCondition('bundle', $bundle) |
|
624 |
->range(0, 5) |
|
625 |
// Run the query as user 1. |
|
626 |
->addMetaData('account', user_load(1)); |
|
627 |
$result = $query->execute(); |
|
628 |
if (!empty($result)) { |
|
629 |
$entities = entity_load($entity_type, array_keys($result[$entity_type])); |
|
630 |
$i = 0; |
|
631 |
if ($entities) { |
|
892 | 632 |
foreach ($entities as $entity_id => $entity) { |
893 | 633 |
$i++; |
894 | 634 |
$rid = ldap_authorization_og2_rid_from_role_name($entity_type, $bundle, $entity_id, OG_AUTHENTICATED_ROLE); |
... | ... | |
896 | 636 |
$middle = ($title && $i < 3) ? $title : $entity_id; |
897 | 637 |
$group_role_identifier = ldap_authorization_og_authorization_id($middle, $rid, $entity_type); |
898 | 638 |
$example = "<code>ou=IT,dc=myorg,dc=mytld,dc=edu|$group_role_identifier</code>"; |
899 |
$rows[] = array("$entity_type $title - $role_name", $example);
|
|
639 |
$rows[] = ["$entity_type $title - $role_name", $example];
|
|
900 | 640 |
} |
901 | 641 |
} |
902 | 642 |
} |
903 | 643 |
} |
904 | 644 |
} |
905 |
|
|
906 |
$variables = array( |
|
907 |
'header' => array('Group Entity - Group Title - OG Membership Type', 'example'), |
|
908 |
'rows' => $rows, |
|
909 |
'attributes' => array(), |
|
910 |
); |
|
911 | 645 |
} |
912 | 646 |
|
647 |
$variables = array( |
|
648 |
'header' => array('Group Entity - Group Title - OG Membership Type', 'example'), |
|
649 |
'rows' => $rows, |
|
650 |
'attributes' => array(), |
|
651 |
); |
|
652 |
|
|
913 | 653 |
$table = theme('table', $variables); |
914 | 654 |
$link = l(t('admin/config/people/ldap/authorization/test/og_group'), 'admin/config/people/ldap/authorization/test/og_group'); |
915 | 655 |
|
916 |
$examples = |
|
917 |
<<<EOT |
|
656 |
$examples =
|
|
657 |
<<<EOT
|
|
918 | 658 |
|
919 | 659 |
<br/> |
920 | 660 |
Examples for some (or all) existing OG Group IDs can be found in the table below. |
Formats disponibles : Unified diff
Weekly update of contrib modules