Changeset 26287


Timestamp:
06/06/10 15:59:50 (7 years ago)
Author:
flack
Message:

unify user_id lookup and refactor to a separate method so that it can be re-used in batch checks

refs #1848

Location:
branches/ragnaroek/midcom/midcom.core/midcom
Files:
2 edited

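--- a/branches/ragnaroek/midcom/midcom.core/midcom/core/collector.php
+++ b/branches/ragnaroek/midcom/midcom.core/midcom/core/collector.php
@@ -116,4 +116,13 @@
 
     /**
+     * This private helper holds the user id for ACL checks. This is set when executing
+     * to avoid unnecessary overhead
+     *
+     * @var string
+     * @access private
+     */
+    private $_user_id = false;
+
+    /**
      * The constructor wraps the class resolution into the MidCOM DBA system.
      * Currently, Midgard requires the actual MgdSchema base classes to be used
@@ -153,5 +162,5 @@
         // MidCOM's collector always uses the GUID as the key for ACL purposes
         $this->_mc->set_key_property('guid');
-       
+
         if ($GLOBALS['midcom_config']['i18n_multilang_strict'])
         {
@@ -191,4 +200,10 @@
             return false;
         }
+
+        if (!$_MIDCOM->auth->admin)
+        {
+            $this->_user_id = $_MIDCOM->auth->get_user_id();
+        }
+
         $this->_executed = true;
         return true;
@@ -267,7 +282,11 @@
         $newresult = array();
         $classname = $this->_real_class;
+
+        $user_id = false;
+
         foreach ($result as $object_guid => $empty_copy)
         {
-            if (!$_MIDCOM->auth->can_do_byguid('midgard:read', $object_guid, $classname))
+            if (    $this->_user_id
+                && !$_MIDCOM->auth->can_do_byguid('midgard:read', $object_guid, $classname, $this->_user_id))
             {
                 debug_add("Failed to load result, read privilege on {$object_guid} not granted for the current user.", MIDCOM_LOG_INFO);
@@ -314,4 +333,11 @@
         $offset = $this->_offset;
         $classname = $this->_real_class;
+
+        $user_id = false;
+        if (!$_MIDCOM->auth->admin)
+        {
+            $user_id = $_MIDCOM->auth->get_user_id();
+        }
+
         foreach ($result as $object_guid => $empty_copy)
         {
@@ -323,5 +349,6 @@
             }
 
-            if (!$_MIDCOM->auth->can_do_byguid('midgard:read', $object_guid, $classname))
+            if (    $this->_user_id
+                && !$_MIDCOM->auth->can_do_byguid('midgard:read', $object_guid, $classname, $this->_user_id))
             {
                 debug_add("Failed to load result, read privilege on {$object_guid} not granted for the current user.", MIDCOM_LOG_INFO);
@@ -361,5 +388,6 @@
     function get_subkey($key, $property)
     {
-        if (!$_MIDCOM->auth->can_do_byguid('midgard:read', $key, $this->_real_class))
+        if (   $this->_user_id
+            && !$_MIDCOM->auth->can_do_byguid('midgard:read', $key, $this->_real_class, $this->_user_id))
         {
             midcom_application::set_error(MGD_ERR_ACCESS_DENIED);
@@ -371,5 +399,6 @@
     function get($key)
     {
-        if (!$_MIDCOM->auth->can_do_byguid('midgard:read', $key, $this->_real_class))
+        if (   $this->_user_id
+            && !$_MIDCOM->auth->can_do_byguid('midgard:read', $key, $this->_real_class, $this->_user_id))
         {
             midcom_application::set_error(MGD_ERR_ACCESS_DENIED);
@@ -561,5 +590,5 @@
             return false;
         }
-       
+
         return true;
     }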
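Review bot: The `midgard:read` check in `get()`, `get_subkey()` and both result loops is now skipped whenever `$this->_user_id` is falsy, which covers more than the administrator case it is meant to express. The property starts as `false` and is only assigned in the hunk that sets `$this->_executed`, so a lookup on a collector where that assignment has not run, or where `get_user_id()` yields an empty id, would hand out data unchecked; whether callers guarantee the order is not visible, because all of these functions begin or end outside the hunks. I would keep the admin decision in its own (new) flag and always resolve the id, e.g. `$this->_skip_acl = (bool) $_MIDCOM->auth->admin;` and `$this->_user_id = $_MIDCOM->auth->get_user_id();`, with the guards written as `if (!$this->_skip_acl && !$_MIDCOM->auth->can_do_byguid(...))`. The local `$user_id` added before both `foreach` loops is never read and can be dropped.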
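--- a/branches/ragnaroek/midcom/midcom.core/midcom/services/auth.php
+++ b/branches/ragnaroek/midcom/midcom.core/midcom/services/auth.php
@@ -861,5 +861,15 @@
         }
 
-        return $this->can_do_byguid($privilege, $content_object->guid, get_class($content_object), $user);
+        if (   is_null($user)
+            && ! is_null($this->user)
+            && $this->admin)
+        {
+            // Administrators always have access.
+            return true;
+        }
+
+        $user_id = $this->get_user_id($user);
+
+        return $this->can_do_byguid($privilege, $content_object->guid, get_class($content_object), $user_id);
     }
 
@@ -872,18 +882,10 @@
      * @param string $object_guid A Midgard GUID pointing to an object
      * @param string $object_class Class of the object in question
-     * @param midcom_core_user $user The user against which to check the privilege, defaults to the currently authenticated user.
+     * @param string $user_id The user against which to check the privilege, defaults to the currently authenticated user.
      *     You may specify "EVERYONE" instead of an object to check what an anonymous user can do.
      * @return boolean True if the privilege has been granted, false otherwise.
      */
-    function can_do_byguid($privilege, $object_guid, $object_class, $user = null)
-    {
-        if (   is_null($user)
-            && ! is_null($this->user)
-            && $this->admin)
-        {
-            // Administrators always have access.
-            return true;
-        }
-
+    function can_do_byguid($privilege, $object_guid, $object_class, $user_id)
+    {
         if ($this->_internal_sudo)
         {
@@ -899,25 +901,5 @@
         }
 
-        if (!is_null($user))
-        {
-            $for_user = $user;
-        }
-        else
-        {
-            $for_user = $this->user;
-        }
-
-        if (is_null($for_user))
-        {
-            $cache_key = "{$object_guid}";
-        }
-        elseif (is_string($for_user))
-        {
-            $cache_key = "{$for_user}::{$object_guid}";
-        }
-        else
-        {
-            $cache_key = "{$for_user->id}::{$object_guid}";
-        }
+        $cache_key = "{$user_id}::{$object_guid}";
 
         if (!isset(self::$_privileges_cache[$cache_key]))
@@ -927,5 +909,5 @@
             //debug_pop();
 
-            $this->_load_privileges_byguid($object_guid, $object_class, $for_user);
+            $this->_load_privileges_byguid($object_guid, $object_class, $user_id);
         }
 
@@ -1116,4 +1098,52 @@
 
     /**
+     * Determine the user identifier for accessing the privilege cache. This is the passed user's
+     * identifier with the current user and anonymous as fallback
+     *
+     * @param mixed $user The user to check for as string or object.
+     * @return string The identifier
+     */
+    public function get_user_id($user = null)
+    {
+        $user_id = 'ANONYMOUS';
+
+        // TODO: Clean if/else shorthands, make sure this works correctly for magic assignees as well
+        if (is_null($user))
+        {
+            $user = $this->user;
+
+            if (!empty($user))
+            {
+                $user_id = $user->id;
+            }
+        }
+        else if (is_string($user))
+        {
+            if ($user != 'EVERYONE'
+                && (    mgd_is_guid($user)
+                    || is_numeric($user)))
+            {
+                $user = $_MIDCOM->auth->get_user($user);
+                $user_id = $user->id;
+            }
+            else
+            {
+                $user_id = $user;
+                $user = null;
+            }
+        }
+        else if (is_object($user))
+        {
+            $user_id = $user->id;
+        }
+        else
+        {
+            $user_id = $user;
+        }
+
+        return $user_id;
+    }
+
+    /**
      * Returns a full listing of all currently known privileges for a certain object/user
      * combination.
@@ -1130,5 +1160,7 @@
     function get_privileges(&$content_object, $user = null)
     {
-        return $this->_get_privileges_byguid($content_object->guid, get_class($content_object), $user);
+        $user_id = $this->get_user_id($user);
+        $this->_load_privileges_byguid($content_object->guid, get_class($content_object), $user_id);
+        return ;
     }
 
@@ -1143,8 +1175,8 @@
      * @param string $object_guid A Midgard GUID pointing to an object
      * @param string $object_class Class of the object in question
-     * @param midcom_core_user $user The user against which to check the privilege, defaults to the currently authenticated user.
+     * @param string $user_id The user against which to check the privilege, defaults to the currently authenticated user.
      *     You may specify "EVERYONE" instead of an object to check what an anonymous user can do.
      */
-    private function _load_privileges_byguid($object_guid, $object_class, $user = null)
+    private function _load_privileges_byguid($object_guid, $object_class, $user_id)
     {
         /* No idea if there should be some special log message written */
@@ -1161,49 +1193,6 @@
         }
 
-        // TODO: Clean if/else shorthands, make sure this works correctly for magic assignees as well
-        if (is_null($user))
-        {
-            $user = $this->user;
-
-            if (empty($user))
-            {
-                $cache_user_id = 'anonymous';
-            }
-            else
-            {
-                $cache_user_id = $user->id;
-            }
-        }
-        elseif (is_string($user))
-        {
-            if ($user != 'EVERYONE'
-                && (    mgd_is_guid($user)
-                    || is_numeric($user)))
-            {
-                $user = $_MIDCOM->auth->get_user($user);
-                $cache_user_id = $user->id;
-            }
-            else
-            {
-                $cache_user_id = $user;
-                $user = null;
-            }
-        }
-
-        // safety
-        if (!isset($cache_user_id))
-        {
-            if (is_object($user))
-            {
-                $cache_user_id = $user->id;
-            }
-            else
-            {
-                $cache_user_id = $user;
-            }
-        }
-
         // Check for a cache Hit.
-        $cache_id = "{$cache_user_id}::{$object_guid}";
+        $cache_id = "{$user_id}::{$object_guid}";
 
         if (array_key_exists($cache_id, self::$_privileges_cache))
@@ -1243,5 +1232,7 @@
 
         // content privileges
-        $content_privileges = midcom_core_privilege::collect_content_privileges($dummy_object, $cache_user_id);
+        $content_privileges = midcom_core_privilege::collect_content_privileges($dummy_object, $user_id);
+
+        $user = $this->get_user($user_id);
 
         // user privileges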
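Review bot: `can_do_byguid()` now takes a required `$user_id` and puts it into the cache key unnormalised, while the fallback to the current user and the administrator short-circuit were moved into `can_do()`. Any caller outside this changeset that still passes three arguments or a user object would therefore check privileges under a key such as `::{guid}` rather than the intended user; keeping the old contract is cheap: `function can_do_byguid($privilege, $object_guid, $object_class, $user_id = null)` followed by `if (!is_string($user_id)) { $user_id = $this->get_user_id($user_id); }`. `get_user_id()` itself reads `$user->id` straight after `get_user($user)` without checking that a user was found, which would also yield an empty id. Separately, `get_privileges()` now ends in a bare `return ;`, so it returns null although its docblock promises a listing. The bodies of `can_do_byguid()` and `_load_privileges_byguid()` continue outside the hunks.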