Révision bc175c27
Ajouté par Assos Assos il y a plus de 5 ans
| drupal7/sites/all/modules/ldap/ldap_authorization/ldap_authorization_og/LdapAuthorizationConsumerOG.class.php | ||
|---|---|---|
| 2 | 2 |
|
| 3 | 3 |
/** |
| 4 | 4 |
* @file |
| 5 |
* class for ldap authorization of organic groups
|
|
| 5 |
* Class for ldap authorization of organic groups.
|
|
| 6 | 6 |
* |
| 7 | 7 |
* @see LdapAuthorizationConsumerAbstract for property |
| 8 |
* |
|
| 9 | 8 |
*/ |
| 10 | 9 |
|
| 11 | 10 |
if (function_exists('ldap_servers_module_load_include')) {
|
| ... | ... | |
| 14 | 13 |
else {
|
| 15 | 14 |
module_load_include('php', 'ldap_authorization', 'LdapAuthorizationConsumerAbstract.class');
|
| 16 | 15 |
} |
| 17 |
|
|
| 16 |
/** |
|
| 17 |
* |
|
| 18 |
*/ |
|
| 18 | 19 |
class LdapAuthorizationConsumerOG extends LdapAuthorizationConsumerAbstract {
|
| 19 | 20 |
|
| 20 | 21 |
public $consumerType = 'og_group'; |
| 21 | 22 |
public $allowConsumerObjectCreation = FALSE; |
| 22 |
public $ogVersion = NULL; // 1, 2, etc. |
|
| 23 | 23 |
public $defaultMembershipRid; |
| 24 | 24 |
public $anonymousRid; |
| 25 | 25 |
public $defaultConsumerConfProperties = array( |
| 26 |
'onlyApplyToLdapAuthenticated' => TRUE,
|
|
| 27 |
'useMappingsAsFilter' => TRUE,
|
|
| 28 |
'synchOnLogon' => TRUE,
|
|
| 29 |
'revokeLdapProvisioned' => TRUE,
|
|
| 30 |
'regrantLdapProvisioned' => TRUE,
|
|
| 31 |
'createConsumers' => TRUE,
|
|
| 32 |
);
|
|
| 26 |
'onlyApplyToLdapAuthenticated' => TRUE, |
|
| 27 |
'useMappingsAsFilter' => TRUE, |
|
| 28 |
'synchOnLogon' => TRUE, |
|
| 29 |
'revokeLdapProvisioned' => TRUE, |
|
| 30 |
'regrantLdapProvisioned' => TRUE, |
|
| 31 |
'createConsumers' => TRUE, |
|
| 32 |
); |
|
| 33 | 33 |
|
| 34 |
function __construct($consumer_type) {
|
|
| 34 |
/** |
|
| 35 |
* |
|
| 36 |
*/ |
|
| 37 |
public function __construct($consumer_type) {
|
|
| 35 | 38 |
|
| 36 |
$this->ogVersion = ldap_authorization_og_og_version(); |
|
| 37 |
if ($this->ogVersion == 1) {
|
|
| 38 |
$this->defaultMembershipRid = ldap_authorization_og1_role_name_to_role_id(OG_AUTHENTICATED_ROLE); |
|
| 39 |
$this->anonymousRid = ldap_authorization_og1_role_name_to_role_id(OG_ANONYMOUS_ROLE); |
|
| 40 |
} |
|
| 41 |
else {
|
|
| 42 |
//@todo these properties are not used in ldap og 2, but when they are their derivation needs to be examined and tested |
|
| 43 |
// as they may be per entity rids, not global. |
|
| 44 |
$this->defaultMembershipRid = NULL; // ldap_authorization_og_rid_from_role_name(OG_AUTHENTICATED_ROLE); |
|
| 45 |
$this->anonymousRid = NULL; //ldap_authorization_og_rid_from_role_name(OG_ANONYMOUS_ROLE); |
|
| 46 |
} |
|
| 39 |
// @todo these properties are not used in ldap og 2, but when they are their derivation needs to be examined and tested |
|
| 40 |
// as they may be per entity rids, not global. |
|
| 41 |
// ldap_authorization_og_rid_from_role_name(OG_AUTHENTICATED_ROLE); |
|
| 42 |
$this->defaultMembershipRid = NULL; |
|
| 43 |
// ldap_authorization_og_rid_from_role_name(OG_ANONYMOUS_ROLE); |
|
| 44 |
$this->anonymousRid = NULL; |
|
| 47 | 45 |
|
| 48 | 46 |
$params = ldap_authorization_og_ldap_authorization_consumer(); |
| 49 | 47 |
parent::__construct('og_group', $params['og_group']);
|
| 50 | 48 |
} |
| 51 | 49 |
|
| 52 |
public function og1ConsumerIdParts($consumer_id) {
|
|
| 53 |
if (!is_scalar($consumer_id)) {
|
|
| 54 |
return array(NULL, NULL); |
|
| 55 |
} |
|
| 56 |
$parts = explode('-', $consumer_id);
|
|
| 57 |
return (count($parts) != 2) ? array(NULL, NULL) : $parts; |
|
| 58 |
} |
|
| 59 |
|
|
| 50 |
/** |
|
| 51 |
* |
|
| 52 |
*/ |
|
| 60 | 53 |
public function og2ConsumerIdParts($consumer_id) {
|
| 61 | 54 |
if (!is_scalar($consumer_id)) {
|
| 62 | 55 |
return array(NULL, NULL, NULL); |
| ... | ... | |
| 65 | 58 |
return (count($parts) != 3) ? array(NULL, NULL, NULL) : $parts; |
| 66 | 59 |
} |
| 67 | 60 |
|
| 68 |
|
|
| 69 | 61 |
/** |
| 70 | 62 |
* @see LdapAuthorizationConsumerAbstract::createConsumer |
| 71 | 63 |
* |
| ... | ... | |
| 73 | 65 |
* if a use case for generating og groups and roles on the |
| 74 | 66 |
* fly existed. |
| 75 | 67 |
*/ |
| 76 |
|
|
| 77 | 68 |
public function createConsumer($consumer_id, $consumer) {
|
| 78 | 69 |
return FALSE; |
| 79 | 70 |
} |
| ... | ... | |
| 82 | 73 |
* @see LdapAuthorizationConsumerAbstract::normalizeMappings |
| 83 | 74 |
*/ |
| 84 | 75 |
public function normalizeMappings($mappings) {
|
| 85 |
|
|
| 86 | 76 |
$new_mappings = array(); |
| 87 |
if ($this->ogVersion == 2) {
|
|
| 88 |
$group_entity_types = og_get_all_group_bundle(); |
|
| 89 |
foreach ($mappings as $i => $mapping) {
|
|
| 90 |
$from = $mapping[0]; |
|
| 91 |
$to = $mapping[1]; |
|
| 92 |
$to_parts = explode('(raw: ', $to);
|
|
| 93 |
$user_entered = $to_parts[0]; |
|
| 94 |
$new_mapping = array( |
|
| 95 |
'from' => $from, |
|
| 96 |
'user_entered' => $user_entered, |
|
| 97 |
'valid' => TRUE, |
|
| 98 |
'error_message' => '', |
|
| 99 |
); |
|
| 100 |
|
|
| 101 |
if (count($to_parts) == 2) { // has simplified and normalized part in (). update normalized part as validation
|
|
| 102 |
$to_normalized = trim($to_parts[1], ')'); |
|
| 103 |
/** |
|
| 104 |
* users (node:35:1) |
|
| 105 |
* node:students (node:21:1) |
|
| 106 |
* faculty (node:33:2) |
|
| 107 |
* node:35:1 (node:35:1) |
|
| 108 |
* node:35 (node:35:1) |
|
| 109 |
*/ |
|
| 110 |
|
|
| 111 |
$to_simplified = $to_parts[0]; |
|
| 112 |
$to_simplified_parts = explode(':', trim($to_simplified));
|
|
| 113 |
$entity_type = (count($to_simplified_parts) == 1) ? 'node' : $to_simplified_parts[0]; |
|
| 114 |
$role = (count($to_simplified_parts) < 3) ? OG_AUTHENTICATED_ROLE : $to_simplified_parts[2]; |
|
| 115 |
$group_name = (count($to_simplified_parts) == 1) ? $to_simplified_parts[0] : $to_simplified_parts[1]; |
|
| 116 |
list($group_entity, $group_entity_id) = ldap_authorization_og2_get_group_from_name($entity_type, $group_name); |
|
| 117 |
$to_simplified = join(':', array($entity_type, $group_name));
|
|
| 118 |
} |
|
| 119 |
else { // may be simplified or normalized, but not both
|
|
| 120 |
/** |
|
| 121 |
* users |
|
| 122 |
* node:students |
|
| 123 |
* faculty |
|
| 124 |
* node:35:1 |
|
| 125 |
* node:35 |
|
| 126 |
*/ |
|
| 127 |
$to_parts = explode(':', trim($to));
|
|
| 128 |
$entity_type = (count($to_parts) == 1) ? 'node' : $to_parts[0]; |
|
| 129 |
$role = (count($to_parts) < 3) ? OG_AUTHENTICATED_ROLE : $to_parts[2]; |
|
| 130 |
$group_name_or_entity_id = (count($to_parts) == 1) ? $to_parts[0] : $to_parts[1]; |
|
| 131 |
list($group_entity, $group_entity_id) = ldap_authorization_og2_get_group_from_name($entity_type, $group_name_or_entity_id); |
|
| 132 |
if ($group_entity) { // if load by name works, $group_name_or_entity_id is group title
|
|
| 133 |
$to_simplified = join(':', array($entity_type, $group_name_or_entity_id));
|
|
| 134 |
} |
|
| 135 |
else {
|
|
| 136 |
$to_simplified = FALSE; |
|
| 137 |
} |
|
| 138 |
$simplified = (boolean)($group_entity); |
|
| 139 |
if (!$group_entity && ($group_entity = @entity_load_single($entity_type, $group_name_or_entity_id))) {
|
|
| 140 |
$group_entity_id = $group_name_or_entity_id; |
|
| 141 |
} |
|
| 142 |
} |
|
| 143 |
if (!$group_entity) {
|
|
| 144 |
$new_mapping['normalized'] = FALSE; |
|
| 145 |
$new_mapping['simplified'] = FALSE; |
|
| 146 |
$new_mapping['valid'] = FALSE; |
|
| 147 |
$new_mapping['error_message'] = t("cannot find matching group: !to", array('!to' => $to));
|
|
| 148 |
} |
|
| 149 |
else {
|
|
| 150 |
$role_id = is_numeric($role) ? $role : ldap_authorization_og2_rid_from_role_name($entity_type, $group_entity->type, $group_entity_id, $role); |
|
| 151 |
$roles = og_roles($entity_type, isset($group_entity->type) ? $group_entity->type : NULL, 0, FALSE, TRUE); |
|
| 152 |
$role_name = is_numeric($role) ? $roles[$role] : $role; |
|
| 153 |
$to_normalized = join(':', array($entity_type, $group_entity_id, $role_id));
|
|
| 154 |
$to_simplified = ($to_simplified) ? $to_simplified . ':' . $role_name : $to_normalized; |
|
| 155 |
$new_mapping['normalized'] = $to_normalized; |
|
| 156 |
$new_mapping['simplified'] = $to_simplified; |
|
| 157 |
if ($to == $to_normalized) {
|
|
| 158 |
/** if not using simplified notation, do not convert to simplified. |
|
| 159 |
this would create a situation where an og group |
|
| 160 |
can change its title and the authorizations change when the |
|
| 161 |
admin specified the group by entity id |
|
| 162 |
*/ |
|
| 163 |
$new_mapping['user_entered'] = $to; |
|
| 164 |
} |
|
| 165 |
else {
|
|
| 166 |
$new_mapping['user_entered'] = $to_simplified . ' (raw: ' . $to_normalized . ')'; |
|
| 167 |
} |
|
| 168 |
|
|
| 169 |
|
|
| 170 |
} |
|
| 77 |
$group_entity_types = og_get_all_group_bundle(); |
|
| 78 |
foreach ($mappings as $i => $mapping) {
|
|
| 79 |
$from = $mapping[0]; |
|
| 80 |
$to = $mapping[1]; |
|
| 81 |
$to_parts = explode('(raw: ', $to);
|
|
| 82 |
$user_entered = $to_parts[0]; |
|
| 83 |
$new_mapping = array( |
|
| 84 |
'from' => $from, |
|
| 85 |
'user_entered' => $user_entered, |
|
| 86 |
'valid' => TRUE, |
|
| 87 |
'error_message' => '', |
|
| 88 |
); |
|
| 171 | 89 |
|
| 172 |
$new_mappings[] = $new_mapping; |
|
| 90 |
// Has simplified and normalized part in (). update normalized part as validation. |
|
| 91 |
if (count($to_parts) == 2) {
|
|
| 92 |
$to_normalized = trim($to_parts[1], ')'); |
|
| 93 |
/** |
|
| 94 |
* users (node:35:1) |
|
| 95 |
* node:students (node:21:1) |
|
| 96 |
* faculty (node:33:2) |
|
| 97 |
* node:35:1 (node:35:1) |
|
| 98 |
* node:35 (node:35:1) |
|
| 99 |
*/ |
|
| 100 |
|
|
| 101 |
$to_simplified = $to_parts[0]; |
|
| 102 |
$to_simplified_parts = explode(':', trim($to_simplified));
|
|
| 103 |
$entity_type = (count($to_simplified_parts) == 1) ? 'node' : $to_simplified_parts[0]; |
|
| 104 |
$role = (count($to_simplified_parts) < 3) ? OG_AUTHENTICATED_ROLE : $to_simplified_parts[2]; |
|
| 105 |
$group_name = (count($to_simplified_parts) == 1) ? $to_simplified_parts[0] : $to_simplified_parts[1]; |
|
| 106 |
list($group_entity, $group_entity_id) = ldap_authorization_og2_get_group_from_name($entity_type, $group_name); |
|
| 107 |
$to_simplified = join(':', array($entity_type, $group_name));
|
|
| 173 | 108 |
} |
| 174 |
} |
|
| 175 |
else { // og 1
|
|
| 176 |
foreach ($mappings as $i => $mapping) {
|
|
| 177 |
$new_mapping = array( |
|
| 178 |
'from' => $mapping[0], |
|
| 179 |
'user_entered' => $mapping[1], |
|
| 180 |
'normalized' => NULL, |
|
| 181 |
'simplified' => NULL, |
|
| 182 |
'valid' => TRUE, |
|
| 183 |
'error_message' => '', |
|
| 184 |
); |
|
| 185 |
|
|
| 186 |
$gid = NULL; |
|
| 187 |
$rid = NULL; |
|
| 188 |
$correct_syntax = "gid=43,rid=2 or group-name=students,role-name=member or node.title=students,role-name=member"; |
|
| 189 |
$incorrect_syntax = t('Incorrect mapping syntax. Correct examples are:') . $correct_syntax;
|
|
| 190 |
$targets = explode(',', $mapping[1]);
|
|
| 191 |
if (count($targets) != 2) {
|
|
| 192 |
$new_mapping['valid'] = FALSE; |
|
| 193 |
$new_mapping['error_message'] = $incorrect_syntax; |
|
| 194 |
continue; |
|
| 195 |
} |
|
| 196 |
|
|
| 197 |
$group_target_and_value = explode('=', $targets[0]);
|
|
| 198 |
if (count($group_target_and_value) != 2) {
|
|
| 199 |
$new_mapping['valid'] = FALSE; |
|
| 200 |
$new_mapping['error_message'] = $incorrect_syntax; |
|
| 201 |
continue; |
|
| 202 |
} |
|
| 203 |
|
|
| 204 |
list($group_target, $group_target_value) = $group_target_and_value; |
|
| 205 |
|
|
| 206 |
$role_target_and_value = explode('=', $targets[1]);
|
|
| 207 |
if (count($role_target_and_value) != 2) {
|
|
| 208 |
$new_mapping['valid'] = FALSE; |
|
| 209 |
$new_mapping['error_message'] = $incorrect_syntax; |
|
| 210 |
continue; |
|
| 211 |
} |
|
| 212 |
list($role_target, $role_target_value) = $role_target_and_value; |
|
| 213 |
|
|
| 214 |
|
|
| 215 |
$og_group = FALSE; |
|
| 216 |
if ($group_target == 'gid') {
|
|
| 217 |
$gid = $group_target_value; |
|
| 218 |
} |
|
| 219 |
elseif ($group_target == 'group-name') {
|
|
| 220 |
list($og_group, $og_node) = ldap_authorization_og1_get_group($group_target_value, 'group_name', 'object'); |
|
| 221 |
if (is_object($og_group) && property_exists($og_group, 'gid') && $og_group->gid) {
|
|
| 222 |
$gid = $og_group->gid; |
|
| 223 |
} |
|
| 109 |
// May be simplified or normalized, but not both. |
|
| 110 |
else {
|
|
| 111 |
/** |
|
| 112 |
* users |
|
| 113 |
* node:students |
|
| 114 |
* faculty |
|
| 115 |
* node:35:1 |
|
| 116 |
* node:35 |
|
| 117 |
*/ |
|
| 118 |
$to_parts = explode(':', trim($to));
|
|
| 119 |
$entity_type = (count($to_parts) == 1) ? 'node' : $to_parts[0]; |
|
| 120 |
$role = (count($to_parts) < 3) ? OG_AUTHENTICATED_ROLE : $to_parts[2]; |
|
| 121 |
$group_name_or_entity_id = (count($to_parts) == 1) ? $to_parts[0] : $to_parts[1]; |
|
| 122 |
list($group_entity, $group_entity_id) = ldap_authorization_og2_get_group_from_name($entity_type, $group_name_or_entity_id); |
|
| 123 |
// If load by name works, $group_name_or_entity_id is group title. |
|
| 124 |
if ($group_entity) {
|
|
| 125 |
$to_simplified = join(':', array($entity_type, $group_name_or_entity_id));
|
|
| 224 | 126 |
} |
| 225 | 127 |
else {
|
| 226 |
$entity_type_and_field = explode('.', $group_target);
|
|
| 227 |
if (count($entity_type_and_field) != 2) {
|
|
| 228 |
$new_mapping['valid'] = FALSE; |
|
| 229 |
$new_mapping['error_message'] = $incorrect_syntax; |
|
| 230 |
continue; |
|
| 231 |
} |
|
| 232 |
list($entity_type, $field) = $entity_type_and_field; |
|
| 233 |
|
|
| 234 |
$query = new EntityFieldQuery(); |
|
| 235 |
$query->entityCondition('entity_type', $entity_type)
|
|
| 236 |
->fieldCondition($field, 'value', $group_target_value, '=') |
|
| 237 |
->addMetaData('account', user_load(1)); // run the query as user 1
|
|
| 238 |
|
|
| 239 |
$result = $query->execute(); |
|
| 240 |
if (is_array($result) && isset($result[$entity_type]) && count($result[$entity_type]) == 1) {
|
|
| 241 |
$entities = array_keys($result[$entity_type]); |
|
| 242 |
$gid = ldap_authorization_og1_entity_id_to_gid($entities[0]); |
|
| 243 |
} |
|
| 244 |
|
|
| 128 |
$to_simplified = FALSE; |
|
| 245 | 129 |
} |
| 246 |
if (!$og_group && $gid) {
|
|
| 247 |
$og_group = og_load($gid); |
|
| 130 |
$simplified = (boolean) ($group_entity); |
|
| 131 |
if (!$group_entity && ($group_entity = @entity_load_single($entity_type, $group_name_or_entity_id))) {
|
|
| 132 |
$group_entity_id = $group_name_or_entity_id; |
|
| 248 | 133 |
} |
| 249 |
|
|
| 250 |
|
|
| 251 |
if ($role_target == 'rid') {
|
|
| 252 |
$role_name = ldap_authorization_og1_role_name_from_rid($role_target_value); |
|
| 253 |
$rid = $role_target_value; |
|
| 134 |
} |
|
| 135 |
if (!$group_entity) {
|
|
| 136 |
$new_mapping['normalized'] = FALSE; |
|
| 137 |
$new_mapping['simplified'] = FALSE; |
|
| 138 |
$new_mapping['valid'] = FALSE; |
|
| 139 |
$new_mapping['error_message'] = t("cannot find matching group: !to", array('!to' => $to));
|
|
| 140 |
} |
|
| 141 |
else {
|
|
| 142 |
$role_id = is_numeric($role) ? $role : ldap_authorization_og2_rid_from_role_name($entity_type, $group_entity->type, $group_entity_id, $role); |
|
| 143 |
$roles = og_roles($entity_type, isset($group_entity->type) ? $group_entity->type : NULL, 0, FALSE, TRUE); |
|
| 144 |
$role_name = is_numeric($role) ? $roles[$role] : $role; |
|
| 145 |
$to_normalized = join(':', array($entity_type, $group_entity_id, $role_id));
|
|
| 146 |
$to_simplified = ($to_simplified) ? $to_simplified . ':' . $role_name : $to_normalized; |
|
| 147 |
$new_mapping['normalized'] = $to_normalized; |
|
| 148 |
$new_mapping['simplified'] = $to_simplified; |
|
| 149 |
if ($to == $to_normalized) {
|
|
| 150 |
/** if not using simplified notation, do not convert to simplified. |
|
| 151 |
* this would create a situation where an og group |
|
| 152 |
* can change its title and the authorizations change when the |
|
| 153 |
* admin specified the group by entity id |
|
| 154 |
*/ |
|
| 155 |
$new_mapping['user_entered'] = $to; |
|
| 254 | 156 |
} |
| 255 |
elseif ($role_target == 'role-name') {
|
|
| 256 |
$rid = ldap_authorization_og_rid_from_role_name($role_target_value); |
|
| 257 |
$role_name = $role_target_value; |
|
| 157 |
else {
|
|
| 158 |
$new_mapping['user_entered'] = $to_simplified . ' (raw: ' . $to_normalized . ')'; |
|
| 258 | 159 |
} |
| 259 | 160 |
|
| 260 |
$new_mapping['simplified'] = $og_group->label . ', '. $role_name; |
|
| 261 |
$new_mapping['normalized'] = ($gid && $rid) ? ldap_authorization_og_authorization_id($gid, $rid) : FALSE; |
|
| 262 |
|
|
| 263 |
$new_mappings[] = $new_mapping; |
|
| 264 | 161 |
} |
| 265 | 162 |
|
| 163 |
$new_mappings[] = $new_mapping; |
|
| 266 | 164 |
} |
| 267 | 165 |
return $new_mappings; |
| 268 | 166 |
} |
| 269 | 167 |
|
| 270 |
/** |
|
| 271 |
* in organic groups 7.x-1.x, consumer ids are in form gid-rid such as 3-2, 3-3. We want highest authorization available granted. |
|
| 272 |
* But, granting member role (2), revokes other roles such as admin in OG. So for granting we want the order: |
|
| 273 |
* 3-1, 3-2, 3-3 such that 3-3 is retained. For revoking, the order should not matter, but reverse sorting makes |
|
| 274 |
* intuitive sense. |
|
| 275 |
*/ |
|
| 276 |
|
|
| 168 |
/** |
|
| 169 |
* In organic groups 7.x-1.x, consumer ids are in form gid-rid such as 3-2, 3-3. We want highest authorization available granted. |
|
| 170 |
* But, granting member role (2), revokes other roles such as admin in OG. So for granting we want the order: |
|
| 171 |
* 3-1, 3-2, 3-3 such that 3-3 is retained. For revoking, the order should not matter, but reverse sorting makes |
|
| 172 |
* intuitive sense. |
|
| 173 |
*/ |
|
| 277 | 174 |
public function sortConsumerIds($op, &$consumers) {
|
| 278 | 175 |
if ($op == 'revoke') {
|
| 279 | 176 |
krsort($consumers, SORT_STRING); |
| ... | ... | |
| 286 | 183 |
/** |
| 287 | 184 |
* @see LdapAuthorizationConsumerAbstract::populateConsumersFromConsumerIds |
| 288 | 185 |
*/ |
| 289 |
|
|
| 290 | 186 |
public function populateConsumersFromConsumerIds(&$consumers, $create_missing_consumers = FALSE) {
|
| 291 | 187 |
|
| 292 |
// generate a query for all og groups of interest
|
|
| 188 |
// Generate a query for all og groups of interest.
|
|
| 293 | 189 |
$gids = array(); |
| 294 | 190 |
foreach ($consumers as $consumer_id => $consumer) {
|
| 295 |
if (ldap_authorization_og_og_version() == 1) {
|
|
| 296 |
list($gid, $rid) = $this->og1ConsumerIdParts($consumer_id); |
|
| 297 |
$gids[] = $gid; |
|
| 298 |
} |
|
| 299 |
else {
|
|
| 300 |
list($entity_type, $gid, $rid) = explode(':', $consumer_id);
|
|
| 301 |
$gids[$entity_type][] = $gid; |
|
| 302 |
} |
|
| 191 |
list($entity_type, $gid, $rid) = explode(':', $consumer_id);
|
|
| 192 |
$gids[$entity_type][] = $gid; |
|
| 303 | 193 |
|
| 304 | 194 |
} |
| 305 |
if (ldap_authorization_og_og_version() == 1) {
|
|
| 306 |
$og_group_entities = og_load_multiple($gids); |
|
| 307 |
} |
|
| 308 |
else {
|
|
| 309 |
foreach ($gids as $entity_type => $gid_x_entity) {
|
|
| 310 |
$og_group_entities[$entity_type] = @entity_load($entity_type, $gid_x_entity); |
|
| 311 |
} |
|
| 195 |
|
|
| 196 |
foreach ($gids as $entity_type => $gid_x_entity) {
|
|
| 197 |
$og_group_entities[$entity_type] = @entity_load($entity_type, $gid_x_entity); |
|
| 312 | 198 |
} |
| 313 | 199 |
|
| 314 | 200 |
foreach ($consumers as $consumer_id => $consumer) {
|
| 315 |
if (ldap_authorization_og_og_version() == 1) {
|
|
| 316 |
list($gid, $rid) = $this->og1ConsumerIdParts($consumer_id); |
|
| 317 |
$consumer['exists'] = isset($og_group_entities[$gid]); |
|
| 318 |
if ($consumer['exists']) {
|
|
| 319 |
$consumer['value'] = $og_group_entities[$gid]; |
|
| 320 |
if (empty($consumer['name']) && property_exists($og_group_entities[$gid], 'title')) {
|
|
| 321 |
$consumer['name'] = $og_group_entities[$gid]->title; |
|
| 322 |
} |
|
| 323 |
$consumer['name'] = $consumer_id; |
|
| 324 |
} |
|
| 325 |
else {
|
|
| 326 |
$consumer['value'] = NULL; |
|
| 327 |
$consumer['name'] = NULL; |
|
| 328 |
} |
|
| 329 |
|
|
| 330 |
$consumer['map_to_string'] = $consumer_id; |
|
| 331 |
} |
|
| 332 |
else {
|
|
| 333 |
list($entity_type, $gid, $rid) = explode(':', $consumer_id);
|
|
| 334 |
$consumer['exists'] = isset($og_group_entities[$entity_type][$gid]); |
|
| 335 |
$consumer['value'] = ($consumer['exists']) ? $og_group_entities[$entity_type][$gid] : NULL; |
|
| 336 |
$consumer['map_to_string'] = $consumer_id; |
|
| 337 |
if ( |
|
| 338 |
empty($consumer['name']) && |
|
| 339 |
!empty($og_group_entities[$entity_type][$gid]) && |
|
| 340 |
property_exists($og_group_entities[$entity_type][$gid], 'title') |
|
| 341 |
) {
|
|
| 342 |
$consumer['name'] = $og_group_entities[$entity_type][$gid]->title; |
|
| 343 |
} |
|
| 201 |
list($entity_type, $gid, $rid) = explode(':', $consumer_id);
|
|
| 202 |
$consumer['exists'] = isset($og_group_entities[$entity_type][$gid]); |
|
| 203 |
$consumer['value'] = ($consumer['exists']) ? $og_group_entities[$entity_type][$gid] : NULL; |
|
| 204 |
$consumer['map_to_string'] = $consumer_id; |
|
| 205 |
if ( |
|
| 206 |
empty($consumer['name']) && |
|
| 207 |
!empty($og_group_entities[$entity_type][$gid]) && |
|
| 208 |
property_exists($og_group_entities[$entity_type][$gid], 'title') |
|
| 209 |
) {
|
|
| 210 |
$consumer['name'] = $og_group_entities[$entity_type][$gid]->title; |
|
| 344 | 211 |
} |
| 345 | 212 |
|
| 346 | 213 |
if (!$consumer['exists'] && $create_missing_consumers) {
|
| 347 |
// @todo if creation of og groups were implemented, function would be called here
|
|
| 348 |
// this would mean mapping would need to have enough info to configure a group,
|
|
| 349 |
// or settings would need to include a default group type to create (entity type,
|
|
| 350 |
// bundle, etc.)
|
|
| 214 |
// @todo if creation of og groups were implemented, function would be called here |
|
| 215 |
// this would mean mapping would need to have enough info to configure a group, |
|
| 216 |
// or settings would need to include a default group type to create (entity type, |
|
| 217 |
// bundle, etc.) |
|
| 351 | 218 |
} |
| 352 | 219 |
$consumers[$consumer_id] = $consumer; |
| 353 | 220 |
} |
| 354 | 221 |
} |
| 355 | 222 |
|
| 356 |
|
|
| 223 |
/** |
|
| 224 |
* |
|
| 225 |
*/ |
|
| 357 | 226 |
public function hasAuthorization(&$user, $consumer_id) {
|
| 358 |
|
|
| 359 |
if ($this->ogVersion == 1) {
|
|
| 360 |
$result = FALSE; |
|
| 361 |
list($gid, $rid) = $this->og1ConsumerIdParts($consumer_id); |
|
| 362 |
return ldap_authorization_og1_has_membership($gid, $user->uid) && ldap_authorization_og1_has_role($gid, $user->uid, $rid); |
|
| 363 |
} |
|
| 364 |
else {
|
|
| 365 |
return ldap_authorization_og2_has_consumer_id($consumer_id, $user->uid); |
|
| 366 |
} |
|
| 227 |
return ldap_authorization_og2_has_consumer_id($consumer_id, $user->uid); |
|
| 367 | 228 |
} |
| 368 | 229 |
|
| 369 |
|
|
| 230 |
/** |
|
| 231 |
* |
|
| 232 |
*/ |
|
| 370 | 233 |
public function flushRelatedCaches($consumers = NULL, $user = NULL) {
|
| 371 | 234 |
if ($user) {
|
| 372 |
$this->usersAuthorizations($user, TRUE, FALSE); // clear user authorizations cache |
|
| 373 |
} |
|
| 374 |
|
|
| 375 |
if ($this->ogVersion == 1) {
|
|
| 376 |
og_group_membership_invalidate_cache(); |
|
| 377 |
} |
|
| 378 |
else {
|
|
| 379 |
og_membership_invalidate_cache(); |
|
| 235 |
// Clear user authorizations cache. |
|
| 236 |
$this->usersAuthorizations($user, TRUE, FALSE); |
|
| 380 | 237 |
} |
| 381 |
|
|
| 238 |
|
|
| 239 |
og_membership_invalidate_cache(); |
|
| 240 |
|
|
| 382 | 241 |
if ($consumers) {
|
| 383 | 242 |
$gids_to_clear_cache = array(); |
| 384 | 243 |
foreach ($consumers as $i => $consumer_id) {
|
| 385 |
if ($this->ogVersion == 1) { // og 7.x-1.x
|
|
| 386 |
list($gid, $rid) = $this->og1ConsumerIdParts($consumer_id); |
|
| 387 |
} |
|
| 388 |
else {
|
|
| 389 |
list($entity_type, $gid, $rid) = $this->og2ConsumerIdParts($consumer_id); |
|
| 390 |
} |
|
| 244 |
list($entity_type, $gid, $rid) = $this->og2ConsumerIdParts($consumer_id); |
|
| 391 | 245 |
$gids_to_clear_cache[$gid] = $gid; |
| 392 | 246 |
} |
| 393 | 247 |
og_invalidate_cache(array_keys($gids_to_clear_cache)); |
| ... | ... | |
| 397 | 251 |
} |
| 398 | 252 |
} |
| 399 | 253 |
|
| 400 |
/** |
|
| 401 |
* @param string $op 'grant' or 'revoke' signifying what to do with the $consumer_ids |
|
| 254 |
/** |
|
| 255 |
* @param string $op |
|
| 256 |
* 'grant' or 'revoke' signifying what to do with the $consumer_ids. |
|
| 402 | 257 |
* @param drupal user object $object |
| 403 |
* @param array $user_auth_data is array specific to this consumer_type. Stored at $user->data['ldap_authorizations'][<consumer_type>] |
|
| 404 |
* @param $consumers as associative array in form of LdapAuthorizationConsumerAbstract::populateConsumersFromConsumerIds |
|
| 405 |
* @param array $ldap_entry, when available user's ldap entry. |
|
| 406 |
* @param boolean $user_save indicates is user data array should be saved or not. this is always overridden for og |
|
| 258 |
* @param array $user_auth_data |
|
| 259 |
* is array specific to this consumer_type. Stored at $user->data['ldap_authorizations'][<consumer_type>]. |
|
| 260 |
* @param $consumers |
|
| 261 |
* as associative array in form of LdapAuthorizationConsumerAbstract::populateConsumersFromConsumerIds |
|
| 262 |
* @param array $ldap_entry, |
|
| 263 |
* when available user's ldap entry. |
|
| 264 |
* @param bool $user_save |
|
| 265 |
* indicates is user data array should be saved or not. this is always overridden for og. |
|
| 407 | 266 |
*/ |
| 408 | 267 |
public function authorizationDiff($existing, $desired) {
|
| 409 |
if ($this->ogVersion != 1) {
|
|
| 410 |
return parent::authorizationDiff($existing, $desired); |
|
| 411 |
} |
|
| 412 |
|
|
| 413 |
/** |
|
| 414 |
* for og 1.5, goal is not to recognize X-2 consumer ids if X-N exist |
|
| 415 |
* since X-2 consumer ids are granted as a prerequisite of X-N |
|
| 416 |
*/ |
|
| 417 |
|
|
| 418 |
$diff = array_diff($existing, $desired); |
|
| 419 |
$desired_group_ids = array(); |
|
| 420 |
foreach ($desired as $i => $consumer_id) {
|
|
| 421 |
list($gid, $rid) = $this->og1ConsumerIdParts($consumer_id); |
|
| 422 |
$desired_group_ids[$gid] = TRUE; |
|
| 423 |
} |
|
| 424 |
foreach ($diff as $i => $consumer_id) {
|
|
| 425 |
list($gid, $rid) = $this->og1ConsumerIdParts($consumer_id); |
|
| 426 |
// if there are still roles in this group that are desired, do |
|
| 427 |
// not remove default mambership role id |
|
| 428 |
if ($rid == $this->defaultMembershipRid && !empty($desired_group_ids[$gid])) {
|
|
| 429 |
unset($diff[$i]); |
|
| 430 |
} |
|
| 431 |
} |
|
| 432 |
return $diff; |
|
| 268 |
return parent::authorizationDiff($existing, $desired); |
|
| 433 | 269 |
} |
| 434 | 270 |
|
| 271 |
/** |
|
| 272 |
* |
|
| 273 |
*/ |
|
| 435 | 274 |
protected function grantsAndRevokes($op, &$user, &$user_auth_data, $consumers, &$ldap_entry = NULL, $user_save = TRUE) {
|
| 436 | 275 |
|
| 437 | 276 |
if (!is_array($user_auth_data)) {
|
| ... | ... | |
| 472 | 311 |
} |
| 473 | 312 |
$log = "consumer_id=$consumer_id, op=$op,"; |
| 474 | 313 |
|
| 475 |
$user_has_authorization = in_array($consumer_id, $users_authorization_consumer_ids); // does user already have authorization ? |
|
| 476 |
$user_has_authorization_recorded = isset($user_auth_data[$consumer_id]); // is authorization attribute to ldap_authorization_og in $user->data ? |
|
| 477 |
|
|
| 478 |
if ($this->ogVersion == 1) {
|
|
| 479 |
list($gid, $rid) = $this->og1ConsumerIdParts($consumer_id); |
|
| 480 |
if ($rid == $this->anonymousRid) {
|
|
| 481 |
continue; |
|
| 482 |
} |
|
| 483 |
} |
|
| 484 |
else {
|
|
| 485 |
list($entity_type, $gid, $rid) = $this->og2ConsumerIdParts($consumer_id); |
|
| 486 |
} |
|
| 487 |
|
|
| 314 |
// Does user already have authorization ? |
|
| 315 |
$user_has_authorization = in_array($consumer_id, $users_authorization_consumer_ids); |
|
| 316 |
// Is authorization attribute to ldap_authorization_og in $user->data ? |
|
| 317 |
$user_has_authorization_recorded = isset($user_auth_data[$consumer_id]); |
|
| 318 |
|
|
| 319 |
list($entity_type, $gid, $rid) = $this->og2ConsumerIdParts($consumer_id); |
|
| 320 |
|
|
| 488 | 321 |
/** grants **/ |
| 489 | 322 |
if ($op == 'grant') {
|
| 490 | 323 |
if ($user_has_authorization && !$user_has_authorization_recorded) {
|
| 491 |
// grant case 1: authorization id already exists for user, but is not ldap provisioned. mark as ldap provisioned, but don't regrant
|
|
| 324 |
// Grant case 1: authorization id already exists for user, but is not ldap provisioned. mark as ldap provisioned, but don't regrant.
|
|
| 492 | 325 |
$results[$consumer_id] = TRUE; |
| 493 | 326 |
$user_auth_data[$consumer_id] = array( |
| 494 | 327 |
'date_granted' => time(), |
| ... | ... | |
| 498 | 331 |
$log .= $consumer_id; |
| 499 | 332 |
} |
| 500 | 333 |
elseif (!$user_has_authorization && $consumer['exists']) {
|
| 501 |
// grant case 2: consumer exists, but user is not member. grant authorization |
|
| 502 |
if ($this->ogVersion == 1) {
|
|
| 503 |
$og_actions['grants'][$gid][] = $rid; |
|
| 504 |
} |
|
| 505 |
else {
|
|
| 506 |
$og_actions['grants'][$entity_type][$gid][] = $rid; |
|
| 507 |
} |
|
| 334 |
// Grant case 2: consumer exists, but user is not member. grant authorization. |
|
| 335 |
$og_actions['grants'][$entity_type][$gid][] = $rid; |
|
| 508 | 336 |
$log .= "grant case 2: consumer exists, but user is not member. grant authorization"; |
| 509 |
$log .= " ".$entity_type . ":" . $gid .":" . $rid;
|
|
| 337 |
$log .= " " . $entity_type . ":" . $gid . ":" . $rid;
|
|
| 510 | 338 |
} |
| 511 | 339 |
elseif ($consumer['exists'] !== TRUE) {
|
| 512 |
// grant case 3: something is wrong. consumers should have been created before calling grantsAndRevokes
|
|
| 340 |
// Grant case 3: something is wrong. consumers should have been created before calling grantsAndRevokes.
|
|
| 513 | 341 |
$results[$consumer_id] = FALSE; |
| 514 | 342 |
$log .= "grant case 3: something is wrong. consumers should have been created before calling grantsAndRevokes"; |
| 515 |
$log .= " ".$consumer_id; } |
|
| 343 |
$log .= " " . $consumer_id; |
|
| 344 |
} |
|
| 516 | 345 |
elseif ($consumer['exists'] === TRUE) {
|
| 517 |
// grant case 4: consumer exists and user has authorization recorded. do nothing
|
|
| 346 |
// Grant case 4: consumer exists and user has authorization recorded. do nothing.
|
|
| 518 | 347 |
$results[$consumer_id] = TRUE; |
| 519 | 348 |
$log .= "grant case 4: consumer exists and user has authorization recorded. do nothing"; |
| 520 |
$log .= " ".$consumer_id;
|
|
| 349 |
$log .= " " . $consumer_id;
|
|
| 521 | 350 |
} |
| 522 | 351 |
else {
|
| 523 |
// grant case 5: $consumer['exists'] has not been properly set before calling function
|
|
| 352 |
// Grant case 5: $consumer['exists'] has not been properly set before calling function.
|
|
| 524 | 353 |
$results[$consumer_id] = FALSE; |
| 525 | 354 |
watchdog('ldap_authorization', "grantsAndRevokes consumer[exists] not properly set. consumer_id=$consumer_id, op=$op, username=%username", $watchdog_tokens, WATCHDOG_ERROR);
|
| 526 |
$log .= "grantsAndRevokes consumer[exists] not properly set. consumer_id=$consumer_id, op=$op, username=%username"; |
|
| 527 |
} |
|
| 528 |
$consumer_ids_log .= $log; } |
|
| 355 |
$log .= "grantsAndRevokes consumer[exists] not properly set. consumer_id=$consumer_id, op=$op, username=%username"; |
|
| 356 |
} |
|
| 357 |
$consumer_ids_log .= $log; |
|
| 358 |
} |
|
| 529 | 359 |
/** revokes **/ |
| 530 | 360 |
elseif ($op == 'revoke') {
|
| 531 | 361 |
if ($user_has_authorization) {
|
| 532 |
// revoke case 1: user has authorization, revoke it. revokeSingleAuthorization will remove $user_auth_data[$consumer_id] |
|
| 533 |
if ($this->ogVersion == 1) {
|
|
| 534 |
$og_actions['revokes'][$gid][] = $rid; |
|
| 535 |
} |
|
| 536 |
else {
|
|
| 537 |
$og_actions['revokes'][$entity_type][$gid][] = $rid; |
|
| 538 |
} |
|
| 362 |
// Revoke case 1: user has authorization, revoke it. revokeSingleAuthorization will remove $user_auth_data[$consumer_id]. |
|
| 363 |
$og_actions['revokes'][$entity_type][$gid][] = $rid; |
|
| 539 | 364 |
$log .= "revoke case 1: user has authorization, revoke it. revokeSingleAuthorization will remove $consumer_id"; |
| 540 |
$log .=" ".$entity_type . ":" . $gid .":" . $rid ;
|
|
| 365 |
$log .= " " . $entity_type . ":" . $gid . ":" . $rid;
|
|
| 541 | 366 |
} |
| 542 |
elseif ($user_has_authorization_recorded) {
|
|
| 543 |
// revoke case 2: user does not have authorization, but has record of it. remove record of it.
|
|
| 367 |
elseif ($user_has_authorization_recorded) {
|
|
| 368 |
// Revoke case 2: user does not have authorization, but has record of it. remove record of it.
|
|
| 544 | 369 |
unset($user_auth_data[$consumer_id]); |
| 545 | 370 |
$results[$consumer_id] = TRUE; |
| 546 | 371 |
$log .= "revoke case 2: user does not have authorization, but has record of it. remove record of it."; |
| 547 | 372 |
$log .= $consumer_id; |
| 548 | 373 |
} |
| 549 | 374 |
else {
|
| 550 |
// revoke case 3: trying to revoke something that isn't there
|
|
| 375 |
// Revoke case 3: trying to revoke something that isn't there.
|
|
| 551 | 376 |
$results[$consumer_id] = TRUE; |
| 552 | 377 |
$log .= "revoke case 3: trying to revoke something that isn't there"; |
| 553 | 378 |
$log .= $consumer_id; |
| ... | ... | |
| 558 | 383 |
} |
| 559 | 384 |
$consumer_ids_log .= $log; |
| 560 | 385 |
} |
| 561 |
|
|
| 386 |
|
|
| 562 | 387 |
$watchdog_tokens['%consumer_ids_log'] = $consumer_ids_log; |
| 563 |
|
|
| 388 |
|
|
| 564 | 389 |
/** |
| 565 | 390 |
* Step #2: from array of form: |
| 566 |
* og1.5: $og_actions['grants'|'revokes'][$gid][$rid]\ |
|
| 567 |
* og2: $og_actions['grants'|'revokes'][$entity_type][$gid][$rid] |
|
| 391 |
* $og_actions['grants'|'revokes'][$entity_type][$gid][$rid] |
|
| 568 | 392 |
* - generate $user->data['ldap_authorizations'][<consumer_id>] |
| 569 | 393 |
* - remove and grant og memberships |
| 570 | 394 |
* - remove and grant og roles |
| 571 | 395 |
* - flush appropriate caches |
| 572 | 396 |
*/ |
| 573 |
if ($this->ogVersion == 1) {
|
|
| 574 |
$this->og1Grants($og_actions, $user, $user_auth_data); |
|
| 575 |
$this->og1Revokes($og_actions, $user, $user_auth_data); |
|
| 576 |
} |
|
| 577 |
else {
|
|
| 578 |
$this->og2Grants($og_actions, $user, $user_auth_data); |
|
| 579 |
$this->og2Revokes($og_actions, $user, $user_auth_data); |
|
| 580 |
} |
|
| 397 |
$this->og2Grants($og_actions, $user, $user_auth_data); |
|
| 398 |
$this->og2Revokes($og_actions, $user, $user_auth_data); |
|
| 581 | 399 |
|
| 582 | 400 |
$user_edit = array('data' => $user->data);
|
| 583 | 401 |
$user_edit['data']['ldap_authorizations'][$this->consumerType] = $user_auth_data; |
| ... | ... | |
| 588 | 406 |
$user = user_load($user->uid, TRUE); |
| 589 | 407 |
$user = user_save($user, $user_edit); |
| 590 | 408 |
|
| 591 |
$user_auth_data = $user->data['ldap_authorizations'][$this->consumerType]; // reset this variable because user save hooks can impact it. |
|
| 409 |
// Reset this variable because user save hooks can impact it. |
|
| 410 |
$user_auth_data = $user->data['ldap_authorizations'][$this->consumerType]; |
|
| 592 | 411 |
|
| 593 | 412 |
$this->flushRelatedCaches($consumers, $user); |
| 594 | 413 |
|
| ... | ... | |
| 600 | 419 |
} |
| 601 | 420 |
} |
| 602 | 421 |
|
| 603 |
public function og1Grants($og_actions, &$user, &$user_auth_data) {
|
|
| 604 |
foreach ($og_actions['grants'] as $gid => $rids) {
|
|
| 605 |
$existing_roles = og_get_user_roles($gid, $user->uid); |
|
| 606 |
if (!in_array($this->defaultMembershipRid, array_values($existing_roles))) {
|
|
| 607 |
$user->{OG_AUDIENCE_FIELD}[LANGUAGE_NONE][] = array('gid' => $gid);
|
|
| 608 |
og_entity_presave($user, 'user'); |
|
| 609 |
$consumer_id = ldap_authorization_og_authorization_id($gid, $this->defaultMembershipRid); |
|
| 610 |
$user_auth_data[$consumer_id] = array( |
|
| 611 |
'date_granted' => time(), |
|
| 612 |
'consumer_id_mixed_case' => $consumer_id, |
|
| 613 |
); |
|
| 614 |
} |
|
| 615 |
foreach ($rids as $rid) {
|
|
| 616 |
if ($rid != $this->defaultMembershipRid && $rid != $this->anonymousRid) {
|
|
| 617 |
og_role_grant($gid, $user->uid, $rid); |
|
| 618 |
$consumer_id = ldap_authorization_og_authorization_id($gid, $rid); |
|
| 619 |
$user_auth_data[$consumer_id] = array( |
|
| 620 |
'date_granted' => time(), |
|
| 621 |
'consumer_id_mixed_case' => $consumer_id, |
|
| 622 |
); |
|
| 623 |
} |
|
| 624 |
} |
|
| 625 |
} |
|
| 626 |
} |
|
| 627 |
|
|
| 422 |
/** |
|
| 423 |
* |
|
| 424 |
*/ |
|
| 628 | 425 |
public function og2Grants($og_actions, &$user, &$user_auth_data) {
|
| 629 | 426 |
foreach ($og_actions['grants'] as $group_entity_type => $gids) {
|
| 630 |
foreach ($gids as $gid => $granting_rids) { // all rids ldap believes user should be granted and attributed to ldap
|
|
| 631 |
$all_group_roles = og_roles($group_entity_type, FALSE, $gid, FALSE, TRUE); // all roles rid => role_name array w/ authen or anon roles |
|
| 427 |
// All rids ldap believes user should be granted and attributed to ldap. |
|
| 428 |
foreach ($gids as $gid => $granting_rids) {
|
|
| 429 |
// All roles rid => role_name array w/ authen or anon roles. |
|
| 430 |
$all_group_roles = og_roles($group_entity_type, FALSE, $gid, FALSE, TRUE); |
|
| 632 | 431 |
$authenticated_rid = array_search(OG_AUTHENTICATED_ROLE, $all_group_roles); |
| 633 | 432 |
$anonymous_rid = array_search(OG_ANONYMOUS_ROLE, $all_group_roles); |
| 634 |
$all_group_rids = array_keys($all_group_roles); // all rids array w/ authen or anon rids |
|
| 635 |
$users_group_rids = array_keys(og_get_user_roles($group_entity_type, $gid, $user->uid, TRUE)); // users current rids w/authen or anon roles returned |
|
| 433 |
// All rids array w/ authen or anon rids. |
|
| 434 |
$all_group_rids = array_keys($all_group_roles); |
|
| 435 |
// Users current rids w/authen or anon roles returned. |
|
| 436 |
$users_group_rids = array_keys(og_get_user_roles($group_entity_type, $gid, $user->uid, TRUE)); |
|
| 636 | 437 |
$users_group_rids = array_diff($users_group_rids, array($anonymous_rid)); |
| 637 |
$new_rids = array_diff($granting_rids, $users_group_rids, array($anonymous_rid)); // rids to be added without anonymous rid |
|
| 438 |
// Rids to be added without anonymous rid. |
|
| 439 |
$new_rids = array_diff($granting_rids, $users_group_rids, array($anonymous_rid)); |
|
| 638 | 440 |
|
| 639 |
// if adding OG_AUTHENTICATED_ROLE or any other role and does not currently have OG_AUTHENTICATED_ROLE, group
|
|
| 441 |
// If adding OG_AUTHENTICATED_ROLE or any other role and does not currently have OG_AUTHENTICATED_ROLE, group.
|
|
| 640 | 442 |
if (!in_array($authenticated_rid, $users_group_rids) && count($new_rids) > 0) {
|
| 641 | 443 |
$values = array( |
| 642 | 444 |
'entity_type' => 'user', |
| ... | ... | |
| 650 | 452 |
'date_granted' => time(), |
| 651 | 453 |
'consumer_id_mixed_case' => $consumer_id, |
| 652 | 454 |
); |
| 653 |
$new_rids = array_diff($new_rids, array($authenticated_rid)); // granted on membership creation |
|
| 654 |
|
|
| 455 |
// Granted on membership creation. |
|
| 456 |
$new_rids = array_diff($new_rids, array($authenticated_rid)); |
|
| 457 |
|
|
| 655 | 458 |
} |
| 656 | 459 |
foreach ($new_rids as $i => $rid) {
|
| 657 | 460 |
og_role_grant($group_entity_type, $gid, $user->uid, $rid); |
| 658 | 461 |
} |
| 659 | 462 |
foreach ($granting_rids as $i => $rid) {
|
| 660 |
// attribute to ldap regardless of if is being granted.
|
|
| 463 |
// Attribute to ldap regardless of if is being granted.
|
|
| 661 | 464 |
$consumer_id = join(':', array($group_entity_type, $gid, $rid));
|
| 662 | 465 |
$user_auth_data[$consumer_id] = array( |
| 663 | 466 |
'date_granted' => time(), |
| ... | ... | |
| 667 | 470 |
} |
| 668 | 471 |
} |
| 669 | 472 |
} |
| 670 |
|
|
| 671 |
|
|
| 672 |
public function og1Revokes($og_actions, &$user, &$user_auth_data) {
|
|
| 673 |
$group_audience_gids = empty($user->{OG_AUDIENCE_FIELD}[LANGUAGE_NONE]['gid']) ? array() : $user->{OG_AUDIENCE_FIELD}[LANGUAGE_NONE]['gid'];
|
|
| 674 |
foreach ($og_actions['revokes'] as $gid => $rids) {
|
|
| 675 |
$existing_roles = og_get_user_roles($gid, $user->uid); |
|
| 676 |
if (in_array($this->defaultMembershipRid, array_values($existing_roles))) {
|
|
| 677 |
// ungroup and set audience |
|
| 678 |
foreach ($group_audience_gids as $i => $_audience_gid) {
|
|
| 679 |
if ($_audience_gid == $gid) {
|
|
| 680 |
unset($user->{OG_AUDIENCE_FIELD}[LANGUAGE_NONE][$i]);
|
|
| 681 |
} |
|
| 682 |
} |
|
| 683 |
og_entity_presave($user, 'user'); |
|
| 684 |
$user = og_ungroup($gid, 'user', $user, TRUE); |
|
| 685 |
foreach (array_values($existing_roles) as $rid) {
|
|
| 686 |
$consumer_id = ldap_authorization_og_authorization_id($gid, $rid); |
|
| 687 |
if (isset($user_auth_data[$consumer_id])) {
|
|
| 688 |
unset($user_auth_data[$consumer_id]); |
|
| 689 |
} |
|
| 690 |
} |
|
| 691 |
} |
|
| 692 |
else {
|
|
| 693 |
foreach ($existing_roles as $rid) {
|
|
| 694 |
if ($rid != $this->defaultMembershipRid && $this->defaultMembershipRid != 1) {
|
|
| 695 |
og_role_revoke($gid, $user->uid, $rid); |
|
| 696 |
unset($user_auth_data[ldap_authorization_og_authorization_id($gid, $rid)]); |
|
| 697 |
} |
|
| 698 |
} |
|
| 699 |
} |
|
| 700 |
} |
|
| 701 |
} |
|
| 702 |
|
|
| 473 |
|
|
| 474 |
/** |
|
| 475 |
* |
|
| 476 |
*/ |
|
| 703 | 477 |
public function og2Revokes($og_actions, &$user, &$user_auth_data) {
|
| 704 | 478 |
foreach ($og_actions['revokes'] as $group_entity_type => $gids) {
|
| 705 |
foreach ($gids as $gid => $revoking_rids) { // $revoking_rids are all rids to be removed. may include authen rids
|
|
| 706 |
$all_group_roles = og_roles($group_entity_type, FALSE, $gid, FALSE, TRUE); // all roles rid => role_name array w/ authen or anon roles |
|
| 707 |
$all_group_rids = array_keys($all_group_roles); // all rids array w/ authen or anon rids |
|
| 708 |
$users_group_rids = array_keys(og_get_user_roles($group_entity_type, $gid, $user->uid, TRUE)); // users current rids w/authen or anon roles returned |
|
| 709 |
$remaining_rids = array_diff($users_group_rids, $revoking_rids); // rids to be left at end of revoke process |
|
| 479 |
// $revoking_rids are all rids to be removed. may include authen rids. |
|
| 480 |
foreach ($gids as $gid => $revoking_rids) {
|
|
| 481 |
// All roles rid => role_name array w/ authen or anon roles. |
|
| 482 |
$all_group_roles = og_roles($group_entity_type, FALSE, $gid, FALSE, TRUE); |
|
| 483 |
// All rids array w/ authen or anon rids. |
|
| 484 |
$all_group_rids = array_keys($all_group_roles); |
|
| 485 |
// Users current rids w/authen or anon roles returned. |
|
| 486 |
$users_group_rids = array_keys(og_get_user_roles($group_entity_type, $gid, $user->uid, TRUE)); |
|
| 487 |
// Rids to be left at end of revoke process. |
|
| 488 |
$remaining_rids = array_diff($users_group_rids, $revoking_rids); |
|
| 710 | 489 |
$authenticated_rid = array_search(OG_AUTHENTICATED_ROLE, $all_group_roles); |
| 711 |
// remove autenticated and anon rids here
|
|
| 490 |
// Remove autenticated and anon rids here.
|
|
| 712 | 491 |
foreach ($revoking_rids as $i => $rid) {
|
| 713 |
// revoke if user has role
|
|
| 492 |
// Revoke if user has role.
|
|
| 714 | 493 |
if (in_array($rid, $users_group_rids)) {
|
| 715 | 494 |
og_role_revoke($group_entity_type, $gid, $user->uid, $rid); |
| 716 | 495 |
} |
| 717 |
// unattribute to ldap even if user does not currently have role
|
|
| 496 |
// Unattribute to ldap even if user does not currently have role.
|
|
| 718 | 497 |
unset($user_auth_data[ldap_authorization_og_authorization_id($gid, $rid, $group_entity_type)]); |
| 719 | 498 |
} |
| 720 | 499 |
// define('OG_ANONYMOUS_ROLE', 'non-member'); define('OG_AUTHENTICATED_ROLE', 'member');
|
| 721 |
if (in_array($authenticated_rid, $revoking_rids) || count($remaining_rids) == 0) { // ungroup if only authenticated and anonymous role left
|
|
| 500 |
// ungroup if only authenticated and anonymous role left. |
|
| 501 |
if (in_array($authenticated_rid, $revoking_rids) || count($remaining_rids) == 0) {
|
|
| 722 | 502 |
$entity = og_ungroup($group_entity_type, $gid, 'user', $user->uid); |
| 723 |
$result = (boolean)($entity); |
|
| 503 |
$result = (boolean) ($entity);
|
|
| 724 | 504 |
} |
| 725 | 505 |
} |
| 726 | 506 |
} |
| ... | ... | |
| 729 | 509 |
/** |
| 730 | 510 |
* @see ldapAuthorizationConsumerAbstract::usersAuthorizations |
| 731 | 511 |
*/ |
| 732 |
|
|
| 733 | 512 |
public function usersAuthorizations(&$user, $reset = FALSE, $return_data = TRUE) {
|
| 734 | 513 |
|
| 735 | 514 |
static $users; |
| 736 | 515 |
if (!is_array($users)) {
|
| 737 |
$users = array(); // no cache exists, create static array |
|
| 516 |
// No cache exists, create static array. |
|
| 517 |
$users = array(); |
|
| 738 | 518 |
} |
| 739 | 519 |
elseif ($reset && isset($users[$user->uid])) {
|
| 740 |
unset($users[$user->uid]); // clear users cache |
|
| 520 |
// Clear users cache. |
|
| 521 |
unset($users[$user->uid]); |
|
| 741 | 522 |
} |
| 742 | 523 |
elseif (!$return_data) {
|
| 743 |
return NULL; // simply clearing cache |
|
| 524 |
// Simply clearing cache. |
|
| 525 |
return NULL; |
|
| 744 | 526 |
} |
| 745 | 527 |
elseif (!empty($users[$user->uid])) {
|
| 746 |
return $users[$user->uid]; // return cached data |
|
| 528 |
// Return cached data. |
|
| 529 |
return $users[$user->uid]; |
|
| 747 | 530 |
} |
| 748 | 531 |
|
| 749 | 532 |
$authorizations = array(); |
| 750 | 533 |
|
| 751 |
if ($this->ogVersion == 1) {
|
|
| 752 |
$gids = og_get_groups_by_user($user); |
|
| 753 |
foreach ($gids as $i => $gid) {
|
|
| 754 |
$roles = og_get_user_roles($gid, $user->uid); |
|
| 755 |
if (!empty($roles[$this->defaultMembershipRid])) { // if you aren't a member, doesn't matter what roles you have in og 1.5
|
|
| 756 |
if (isset($roles[$this->anonymousRid])) {
|
|
| 757 |
unset($roles[$this->anonymousRid]); |
|
| 758 |
} // ignore anonymous role |
|
| 759 |
$rids = array_values($roles); |
|
| 760 |
asort($rids, SORT_NUMERIC); // go low to high to get default memberships first |
|
| 761 |
foreach ($rids as $rid) {
|
|
| 762 |
$authorizations[] = ldap_authorization_og_authorization_id($gid, $rid); |
|
| 763 |
} |
|
| 764 |
} |
|
| 765 |
} |
|
| 766 |
} |
|
| 767 |
else { // og 7.x-2.x
|
|
| 768 |
$user_entities = entity_load('user', array($user->uid));
|
|
| 769 |
$memberships = og_get_entity_groups('user', $user_entities[$user->uid]);
|
|
| 770 |
foreach ($memberships as $entity_type => $entity_memberships) {
|
|
| 771 |
foreach ($entity_memberships as $og_membership_id => $gid) {
|
|
| 772 |
$roles = og_get_user_roles($entity_type, $gid, $user->uid); |
|
| 773 |
foreach ($roles as $rid => $discard) {
|
|
| 774 |
$authorizations[] = ldap_authorization_og_authorization_id($gid, $rid, $entity_type); |
|
| 775 |
} |
|
| 534 |
$user_entities = entity_load('user', array($user->uid));
|
|
| 535 |
$memberships = og_get_entity_groups('user', $user_entities[$user->uid]);
|
|
| 536 |
foreach ($memberships as $entity_type => $entity_memberships) {
|
|
| 537 |
foreach ($entity_memberships as $og_membership_id => $gid) {
|
|
| 538 |
$roles = og_get_user_roles($entity_type, $gid, $user->uid); |
|
| 539 |
foreach ($roles as $rid => $discard) {
|
|
| 540 |
$authorizations[] = ldap_authorization_og_authorization_id($gid, $rid, $entity_type); |
|
| 776 | 541 |
} |
| 777 | 542 |
} |
| 778 | 543 |
} |
| 779 | 544 |
$users[$user->uid] = $authorizations; |
| 780 |
|
|
| 545 |
|
|
| 781 | 546 |
return $authorizations; |
| 782 | 547 |
} |
| 783 | 548 |
|
| ... | ... | |
| 796 | 561 |
* @see ldapAuthorizationConsumerAbstract::validateAuthorizationMappingTarget |
| 797 | 562 |
*/ |
| 798 | 563 |
public function validateAuthorizationMappingTarget($mapping, $form_values = NULL, $clear_cache = FALSE) {
|
| 799 |
// these mappings have already been through the normalizeMappings() method, so no real querying needed here. |
|
| 800 |
|
|
| 564 |
// These mappings have already been through the normalizeMappings() method, so no real querying needed here. |
|
| 801 | 565 |
$has_form_values = is_array($form_values); |
| 802 | 566 |
$message_type = NULL; |
| 803 | 567 |
$message_text = NULL; |
| ... | ... | |
| 812 | 576 |
'!from' => $mapping['from'], |
| 813 | 577 |
'!user_entered' => $mapping['user_entered'], |
| 814 | 578 |
'!error' => $mapping['error_message'], |
| 815 |
);
|
|
| 579 |
); |
|
| 816 | 580 |
$message_text = '<code>"' . t('!map_to|!user_entered', $tokens) . '"</code> ' . t('has the following error: !error.', $tokens);
|
| 817 | 581 |
} |
| 818 | 582 |
return array($message_type, $message_text); |
| 819 | 583 |
} |
| 820 | 584 |
|
| 821 | 585 |
/** |
| 822 |
* Get list of mappings based on existing Organic Groups and roles |
|
| 586 |
* Get list of mappings based on existing Organic Groups and roles. |
|
| 587 |
* |
|
| 588 |
* @param array $tokens |
|
| 589 |
* Array of tokens and replacement values. |
|
| 823 | 590 |
* |
| 824 |
* @param associative array $tokens of tokens and replacement values
|
|
| 825 |
* @return html examples of mapping values
|
|
| 591 |
* @return
|
|
| 592 |
* HTML examples of mapping values.
|
|
| 826 | 593 |
*/ |
| 827 |
|
|
| 828 | 594 |
public function mappingExamples($tokens) {
|
| 595 |
/** |
|
| 596 |
* OG 7.x-2.x mappings: |
|
| 597 |
* $entity_type = $group_type, |
|
| 598 |
* $bundle = $group_bundle |
|
| 599 |
* $etid = $gid where edid is nid, uid, etc. |
|
| 600 |
* |
|
| 601 |
* og group is: entity_type (eg node) x entity_id ($gid) eg. node:17 |
|
| 602 |
* group identifier = group_type:gid; aka entity_type:etid e.g. node:17 |
|
| 603 |
* |
|
| 604 |
* membership identifier is: group_type:gid:entity_type:etid |
|
| 605 |
* in our case: group_type:gid:user:uid aka entity_type:etid:user:uid e.g. node:17:user:2 |
|
| 606 |
* |
|
| 607 |
* roles are simply rids ((1,2,3) and names (non-member, member, and administrator member) in og_role table |
|
| 608 |
* og_users_roles is simply uid x rid x gid |
|
| 609 |
* |
|
| 610 |
* .. so authorization mappings should look like: |
|
| 611 |
* <ldap group>|group_type:gid:rid such as staff|node:17:2 |
|
| 612 |
*/ |
|
| 829 | 613 |
|
| 830 |
if ($this->ogVersion == 1) {
|
|
| 831 |
$groups = og_get_all_group(); |
|
| 832 |
$ogEntities = og_load_multiple($groups); |
|
| 833 |
$OGroles = og_roles(0); |
|
| 834 |
|
|
| 835 |
$rows = array(); |
|
| 836 |
foreach ($ogEntities as $group) {
|
|
| 837 |
foreach ($OGroles as $rid => $role) {
|
|
| 838 |
$example = "<code>ou=IT,dc=myorg,dc=mytld,dc=edu|gid=" . $group->gid . ',rid=' . $rid . '</code><br/>' . |
|
| 839 |
'<code>ou=IT,dc=myorg,dc=mytld,dc=edu|group-name=' . $group->label . ',role-name=' . $role . '</code>'; |
|
| 840 |
$rows[] = array( |
|
| 841 |
$group->label, |
|
| 842 |
$group->gid, |
|
| 843 |
$role, |
|
| 844 |
$example, |
|
| 845 |
); |
|
| 846 |
} |
|
| 847 |
} |
|
| 848 |
|
|
| 849 |
$variables = array( |
|
| 850 |
'header' => array('Group Name', 'OG Group ID', 'OG Membership Type', 'example'),
|
|
| 851 |
'rows' => $rows, |
|
| 852 |
'attributes' => array(), |
|
| 853 |
); |
|
| 854 |
} |
|
| 855 |
else {
|
|
| 614 |
$og_fields = field_info_field(OG_GROUP_FIELD); |
|
| 615 |
$rows = array(); |
|
| 616 |
$role_name = OG_AUTHENTICATED_ROLE; |
|
| 856 | 617 |
|
| 857 |
/** |
|
| 858 |
* OG 7.x-2.x mappings: |
|
| 859 |
* $entity_type = $group_type, |
|
| 860 |
* $bundle = $group_bundle |
|
| 861 |
* $etid = $gid where edid is nid, uid, etc. |
|
| 862 |
* |
|
| 863 |
* og group is: entity_type (eg node) x entity_id ($gid) eg. node:17 |
|
| 864 |
* group identifier = group_type:gid; aka entity_type:etid e.g. node:17 |
|
| 865 |
* |
|
| 866 |
* membership identifier is: group_type:gid:entity_type:etid |
|
| 867 |
* in our case: group_type:gid:user:uid aka entity_type:etid:user:uid e.g. node:17:user:2 |
|
| 868 |
* |
|
| 869 |
* roles are simply rids ((1,2,3) and names (non-member, member, and administrator member) in og_role table |
|
| 870 |
* og_users_roles is simply uid x rid x gid |
|
| 871 |
* |
|
| 872 |
* .. so authorization mappings should look like: |
|
| 873 |
* <ldap group>|group_type:gid:rid such as staff|node:17:2 |
|
| 874 |
*/ |
|
| 875 |
|
|
| 876 |
$og_fields = field_info_field(OG_GROUP_FIELD); |
|
| 877 |
$rows = array(); |
|
| 878 |
$role_name = OG_AUTHENTICATED_ROLE; |
|
| 879 |
|
|
| 880 |
if (!empty($og_fields['bundles'])) {
|
|
| 881 |
foreach ($og_fields['bundles'] as $entity_type => $bundles) {
|
|
| 882 |
foreach ($bundles as $i => $bundle) {
|
|
| 883 |
$query = new EntityFieldQuery(); |
|
| 884 |
$query->entityCondition('entity_type', $entity_type)
|
|
| 885 |
->entityCondition('bundle', $bundle)
|
|
| 886 |
->range(0, 5) |
|
| 887 |
->addMetaData('account', user_load(1)); // run the query as user 1
|
|
| 888 |
$result = $query->execute(); |
|
| 889 |
if (!empty($result)) {
|
|
| 890 |
$entities = entity_load($entity_type, array_keys($result[$entity_type])); |
|
| 891 |
$i=0; |
|
| 618 |
if (!empty($og_fields['bundles'])) {
|
|
| 619 |
foreach ($og_fields['bundles'] as $entity_type => $bundles) {
|
|
| 620 |
foreach ($bundles as $i => $bundle) {
|
|
| 621 |
$query = new EntityFieldQuery(); |
|
| 622 |
$query->entityCondition('entity_type', $entity_type)
|
|
| 623 |
->entityCondition('bundle', $bundle)
|
|
| 624 |
->range(0, 5) |
|
| 625 |
// Run the query as user 1. |
|
| 626 |
->addMetaData('account', user_load(1));
|
|
| 627 |
$result = $query->execute(); |
|
| 628 |
if (!empty($result)) {
|
|
| 629 |
$entities = entity_load($entity_type, array_keys($result[$entity_type])); |
|
| 630 |
$i = 0; |
|
| 631 |
if ($entities) {
|
|
| 892 | 632 |
foreach ($entities as $entity_id => $entity) {
|
| 893 | 633 |
$i++; |
| 894 | 634 |
$rid = ldap_authorization_og2_rid_from_role_name($entity_type, $bundle, $entity_id, OG_AUTHENTICATED_ROLE); |
| ... | ... | |
| 896 | 636 |
$middle = ($title && $i < 3) ? $title : $entity_id; |
| 897 | 637 |
$group_role_identifier = ldap_authorization_og_authorization_id($middle, $rid, $entity_type); |
| 898 | 638 |
$example = "<code>ou=IT,dc=myorg,dc=mytld,dc=edu|$group_role_identifier</code>"; |
| 899 |
$rows[] = array("$entity_type $title - $role_name", $example);
|
|
| 639 |
$rows[] = ["$entity_type $title - $role_name", $example];
|
|
| 900 | 640 |
} |
| 901 | 641 |
} |
| 902 | 642 |
} |
| 903 | 643 |
} |
| 904 | 644 |
} |
| 905 |
|
|
| 906 |
$variables = array( |
|
| 907 |
'header' => array('Group Entity - Group Title - OG Membership Type', 'example'),
|
|
| 908 |
'rows' => $rows, |
|
| 909 |
'attributes' => array(), |
|
| 910 |
); |
|
| 911 | 645 |
} |
| 912 | 646 |
|
| 647 |
$variables = array( |
|
| 648 |
'header' => array('Group Entity - Group Title - OG Membership Type', 'example'),
|
|
| 649 |
'rows' => $rows, |
|
| 650 |
'attributes' => array(), |
|
| 651 |
); |
|
| 652 |
|
|
| 913 | 653 |
$table = theme('table', $variables);
|
| 914 | 654 |
$link = l(t('admin/config/people/ldap/authorization/test/og_group'), 'admin/config/people/ldap/authorization/test/og_group');
|
| 915 | 655 |
|
| 916 |
$examples = |
|
| 917 |
<<<EOT |
|
| 656 |
$examples =
|
|
| 657 |
<<<EOT
|
|
| 918 | 658 |
|
| 919 | 659 |
<br/> |
| 920 | 660 |
Examples for some (or all) existing OG Group IDs can be found in the table below. |
Formats disponibles : Unified diff
Weekly update of contrib modules