Changeset 26290


Ignore:
Timestamp:
06/07/10 14:39:36 (7 years ago)
Author:
flack
Message:

move more functionality to the new ACL class, refs #1848

Location:
branches/ragnaroek/midcom/midcom.core/midcom
Files:
4 edited

Legend:

Unmodified
Added
Removed
  • branches/ragnaroek/midcom/midcom.core/midcom/core/group/virtual.php

    r25323 r26290  
    132132                return false;
    133133            }
    134            
     134
    135135            $interface = $_MIDCOM->componentloader->get_interface_class($this->_component);
    136136
    137137            // Set internal sudo mode during the retrieval of vgroup members,
    138138            // otherwise any DBA access control check can lead to an infinite loop.
    139             $_MIDCOM->auth->_internal_sudo = true;
     139            $_MIDCOM->auth->acl->_internal_sudo = true;
    140140            $members[$this->id] = $interface->retrieve_vgroup_members($this->_localname);
    141             $_MIDCOM->auth->_internal_sudo = false;
     141            $_MIDCOM->auth->acl->_internal_sudo = false;
    142142
    143143            if (is_null($members[$this->id]))
     
    165165    {
    166166        debug_push_class(__CLASS__, __FUNCTION__);
    167        
     167
    168168        $result = Array();
    169        
     169
    170170        foreach ($_MIDCOM->auth->get_all_vgroups() as $id => $name)
    171171        {
    172             $vgroup = $_MIDCOM->auth->get_group($id);           
     172            $vgroup = $_MIDCOM->auth->get_group($id);
    173173            $members = $vgroup->list_members();
    174174            if (! $members)
     
    182182            }
    183183        }
    184        
     184
    185185        debug_pop();
    186        
     186
    187187        return $result;
    188188    }
  • branches/ragnaroek/midcom/midcom.core/midcom/core/privilege.php

    r26289 r26290  
    435435            {
    436436                // Didn't get privileges from cache, get them from DB
    437                 $return = midcom_core_privilege::_query_all_privileges($guid);
     437                $return = self::_query_all_privileges($guid);
    438438                $_MIDCOM->cache->memcache->put('ACL', $guid, $return);
    439439            }
     
    578578
    579579    /**
    580      * Collects all privileges applicable for a user over a content object.
    581      * It takes the complete content object tree (using the get_parent methods)
    582      * into account and merges the privileges according to mRFC 15. It will
    583      * only look at privileges that are applicable to the current user, with
    584      * user privileges taking precedence over group privileges.
    585      *
    586      * <i>Known Issue:</i> Currently, group privileges are merged in no particular
    587      * order, in reality they should at least take the group tree into account when
    588      * merging. They do take the "depth" into account correctly though when looking
    589      * at a single group chain.
    590      *
    591      * This function is for use in the authentication framework only and may only
    592      * be called statically.
    593      *
    594      * This function tries to operate on GUIDs whenever possible, to keep runtime up,
    595      * only in the case of nonpersistent objects (no valid GUID yet), it will revert to
    596      * regular object usage.
    597      *
    598      * @access private
    599      * @param mixed &$arg A reference to the GUID or the full object instance for which we should load privileges.
    600      * @param string $user_id The MidCOM user assignee for which we should collect the privileges.
    601      * @return Array An array of privilege_name => privilege_value pairs valid for the given user.
    602      * @static
    603      */
    604     public static function collect_content_privileges($arg, $user_id)
    605     {
    606         // set $object and $guid
    607         if (mgd_is_guid($arg))
    608         {
    609             $object = null;
    610             $guid = $arg;
    611         }
    612         elseif (is_object($arg))
    613         {
    614             $object = $arg;
    615             $guid = null;
    616 
    617             if (   isset($object->guid)
    618                 && mgd_is_guid($object->guid))
    619             {
    620                 $guid = $object->guid;
    621             }
    622             elseif (   isset($object->__guid)
    623                     && mgd_is_guid($object->__guid))
    624             {
    625                 $guid = $object->__guid;
    626             }
    627         }
    628 
    629         // guid not found => err
    630         if ($guid === null)
    631         {
    632             return array();
    633         }
    634 
    635         static $cached_collected_privileges = array();
    636 
    637         $cache_key = $user_id . '::' . $guid;
    638 
    639         // check cache
    640         if (isset($cached_collected_privileges[$cache_key]))
    641         {
    642             return $cached_collected_privileges[$cache_key];
    643         }
    644 
    645         // If we have a parent, we recurse. {{{
    646         //
    647         // We look up the parent guid in internal sudo mode, as we could run into a fully fledged loop
    648         // otherwise. (get_parent_guid calling get_object_by_guid calling can_do ...)
    649 
    650         // ==> into SUDO
    651         $previous_sudo = $_MIDCOM->auth->_internal_sudo;
    652         $_MIDCOM->auth->_internal_sudo = true;
    653 
    654         // We need to be careful here in case we have non-persistent objects.
    655         if ($object !== null)
    656         {
    657             $parent_class = $object->get_dba_parent_class();
    658             $parent_guid = $_MIDCOM->dbfactory->get_parent_guid($guid, get_class($object));
    659         }
    660         else
    661         {
    662             $parent_class = null;
    663             $parent_guid = $_MIDCOM->dbfactory->get_parent_guid($guid);
    664         }
    665 
    666         $_MIDCOM->auth->_internal_sudo = $previous_sudo;
    667         // <== out of SUDO
    668 
    669         if (   $parent_guid === null
    670             || $parent_guid == $guid)
    671         {
    672             $base_privileges = array();
    673         }
    674         elseif ($parent_class === null)
    675         {
    676             // recursion
    677             $base_privileges = self::collect_content_privileges($parent_guid, $user_id);
    678         }
    679         else
    680         {
    681             $parent_dummy_object = new $parent_class();
    682             $parent_dummy_object->__guid = $parent_guid;
    683 
    684             // recursion
    685             $base_privileges = self::collect_content_privileges($parent_dummy_object, $user_id);
    686         }
    687 
    688         // Determine parent ownership
    689         $is_owner = false;
    690         $last_owner_scope = -1;
    691         if (   array_key_exists('midgard:owner', $base_privileges)
    692             && $base_privileges['midgard:owner'] == MIDCOM_PRIVILEGE_ALLOW)
    693         {
    694             $is_owner = true;
    695         }
    696 
    697         // }}}
    698 
    699 
    700         // This array holds values in the schema
    701         // $valid_privs[scope][priv_name] = priv_value
    702         // where scope is an integer determining the scope, with 0 being everyone and
    703         // larger values indicating smaller scopes (1 = top level group, 2 = its sub-group
    704         // etc. up to the magic value -1 which is equal to the user level privileges)
    705         // noting it this way is required to ensure proper scoping of several privileges
    706         // assigned to a single object.
    707         $valid_privileges = array();
    708         $valid_privileges[MIDCOM_PRIVILEGE_SCOPE_OWNER] = $_MIDCOM->auth->acl->get_owner_default_privileges();
    709 
    710         $object_privileges = self::get_content_privileges($guid);
    711 
    712         foreach ($object_privileges as $privilege)
    713         {
    714             // Check whether we need to take this privilege into account
    715             if (!$privilege->_does_privilege_apply($user_id))
    716             {
    717                 continue;
    718             }
    719 
    720             // The privilege applies if we arrive here, so we merge it into the current collection
    721             // taking its scope into account.
    722             switch ($privilege->assignee)
    723             {
    724                 case 'EVERYONE':
    725                     $scope = MIDCOM_PRIVILEGE_SCOPE_EVERYONE;
    726                     break;
    727                 case 'USERS':
    728                     $scope = MIDCOM_PRIVILEGE_SCOPE_USERS;
    729                     break;
    730                 case 'ANONYMOUS':
    731                     $scope = MIDCOM_PRIVILEGE_SCOPE_ANONYMOUS;
    732                     break;
    733                 case 'OWNER':
    734                     $scope = MIDCOM_PRIVILEGE_SCOPE_OWNER;
    735                     break;
    736                 default:
    737                     $assignee = $privilege->get_assignee();
    738                     if (! $assignee)
    739                     {
    740                         debug_push_class(__CLASS__, __FUNCTION__);
    741                         debug_print_r('Could not resolve the assignee of this privilege, skipping it:', $privilege);
    742                         debug_pop();
    743                         // Skip broken privileges.
    744                         continue;
    745                     }
    746                     $scope = $assignee->scope;
    747 
    748                     break;
    749             }
    750 
    751             switch ($privilege->value)
    752             {
    753                 case MIDCOM_PRIVILEGE_ALLOW:
    754                     $valid_privileges[$scope][$privilege->privilegename] = $privilege->value;
    755                     if (   $privilege->privilegename == 'midgard:owner'
    756                         && $scope > $last_owner_scope)
    757                     {
    758                         $is_owner = true;
    759                         $last_owner_scope = $scope;
    760                     }
    761                     break;
    762 
    763                 case MIDCOM_PRIVILEGE_DENY:
    764                     $valid_privileges[$scope][$privilege->privilegename] = $privilege->value;
    765                     if (   $privilege->privilegename == 'midgard:owner'
    766                         && $scope > $last_owner_scope)
    767                     {
    768                         $is_owner = false;
    769                         $last_owner_scope = $scope;
    770                     }
    771                     break;
    772 
    773                 default:
    774                     break;
    775             }
    776         }
    777 
    778 
    779         // Process owner privileges
    780         if (! $is_owner)
    781         {
    782             // Drop the owner privileges from the merging chain again, we are not an owner
    783             unset ($valid_privileges[MIDCOM_PRIVILEGE_SCOPE_OWNER]);
    784         }
    785 
    786         ksort($valid_privileges);
    787 
    788         $collected_privileges = array();
    789         // Note, that this merging order does not take the group order into account, it just
    790         // follows the basic rule that the deeper the group is, the smaller is its scope.
    791         foreach ($valid_privileges as $privileges)
    792         {
    793             foreach ($privileges as $name => $value)
    794             {
    795                 $collected_privileges[$name] = $value;
    796             }
    797         }
    798 
    799 
    800         // printing debug-statements if object doesn't override base privileges
    801         if ($GLOBALS['midcom_config']['log_level'] >= MIDCOM_LOG_DEBUG)
    802         {
    803             foreach ($base_privileges as $name => $value)
    804             {
    805                 if (!isset($collected_privileges[$name]))
    806                 {
    807                     debug_push_class(__CLASS__, __FUNCTION__);
    808                     debug_add("Object privilege {$name} has no value, from parent {$parent_guid} it is {$value}.");
    809                     debug_pop();
    810                     continue;
    811                 }
    812             }
    813         }
    814         $final_privileges = array_merge($base_privileges, $collected_privileges);
    815 
    816         // caching value
    817         $cached_collected_privileges[$cache_key] = $final_privileges;
    818 
    819         return $final_privileges;
    820     }
    821 
    822     /**
    823580     * Internal helper function, determines whether a given privilege applies for the given
    824581     * user in content mode. This means, that all SELF privileges are skipped at this point,
     
    826583     * user.
    827584     *
    828      * This function may be called statically.
    829      *
    830585     * @param string $user The user id in question.
    831586     * @return boolean Indicating whether the privilege record applies for the user, or not.
    832587     */
    833     private function _does_privilege_apply($user_id)
     588    public function does_privilege_apply($user_id)
    834589    {
    835590        if (!is_array($this->__privilege))
  • branches/ragnaroek/midcom/midcom.core/midcom/services/auth.php

    r26289 r26290  
    9090
    9191    /**
    92      * This is an internal flag used to override all regular permission checks with a sort-of
    93      * read-only privilege set. While internal_sudo is enabled, the system automatically
    94      * grants all privileges except midgard:create, midgard:update, midgard:delete and
    95      * midgard:privileges, which will always be denied. These checks go after the basic checks
    96      * for not authenticated users or admin level users.
    97      *
    98      * Danger, Will Robinson: You MUST NEVER touch this flag unless you are working with the
    99      * authentication core itself and now very much exactly what you are doing. Misusage of this
    100      * flag can result in serious secruity risks.
    101      *
    102      * All parts of the core may change this variable (as for example midcom_core_group_virtual
    103      * does during vgroup member loading).
    104      *
    105      * @var boolean
    106      * @access private
    107      */
    108     var $_internal_sudo = false;
    109 
    110     /**
    11192     * This flag indicates if sudo mode is active during execution. This will only be the
    11293     * case if the sudo system actually grants this privileges, and only until components
     
    457438
    458439    /**
    459      * This internal helper checks if a privilege is available during internal
    460      * sudo mode, as outlined in the corresponding variable.
    461      *
    462      * @param string $privilege The privilege to check for
    463      * @return boolean True if the privilege has been granted, false otherwise.
    464      * @access private
    465      * @see $_internal_sudo
    466      */
    467     function _can_do_internal_sudo($privilege)
    468     {
    469         switch($privilege)
    470         {
    471             case 'midgard:create':
    472             case 'midgard:update':
    473             case 'midgard:delete':
    474             case 'midgard:privileges':
    475                 // We do not allow this, for security reasons.
    476                 return false;
    477 
    478             default:
    479                 // allow everything else.
    480                 return true;
    481         }
    482     }
    483 
    484     /**
    485440     * Checks whether a user has a certain privilege on the given content object.
    486441     * Works on the currently authenticated user by default, but can take another
     
    557512        }
    558513
     514        if ($this->_component_sudo)
     515        {
     516            return true;
     517        }
     518
    559519        if (   is_string($user)
    560520            && $user == 'EVERYONE')
     
    577537            debug_add("Querying privilege {$privilege} for user {$user->id} to class {$classname}", MIDCOM_LOG_DEBUG);
    578538            debug_pop();
    579         }
    580 
    581         if ($this->_internal_sudo)
    582         {
    583             debug_push_class(__CLASS__, __FUNCTION__);
    584             debug_add('INTERNAL SUDO mode is enabled. Generic Read-Only mode set.', MIDCOM_LOG_DEBUG);
    585             debug_pop();
    586             return $this->_can_do_internal_sudo($privilege);
    587         }
    588 
    589         if ($this->_component_sudo)
    590         {
    591             return true;
    592539        }
    593540
  • branches/ragnaroek/midcom/midcom.core/midcom/services/auth/acl.php

    r26289 r26290  
    273273    var $auth = null;
    274274
     275    /**
     276     * This is an internal flag used to override all regular permission checks with a sort-of
     277     * read-only privilege set. While internal_sudo is enabled, the system automatically
     278     * grants all privileges except midgard:create, midgard:update, midgard:delete and
     279     * midgard:privileges, which will always be denied. These checks go after the basic checks
     280     * for not authenticated users or admin level users.
     281     *
     282     * Danger, Will Robinson: You MUST NEVER touch this flag unless you are working with the
     283     * authentication core itself and now very much exactly what you are doing. Misusage of this
     284     * flag can result in serious security risks.
     285     *
     286     * All parts of the core may change this variable (as for example midcom_core_group_virtual
     287     * does during vgroup member loading).
     288     *
     289     * @var boolean
     290     * @access private
     291     */
     292    var $_internal_sudo = false;
    275293
    276294    /**
     
    400418     * usage. It will assign them to the $_*_default_class_privileges members.
    401419     *
    402      * @param MidcomDBAObject $classname An instance of the object for which the class defaults should be
     420     * @param MidcomDBAObject $class An instance of the object for which the class defaults should be
    403421     *     loaded. Be aware, that this may be a simply a default constructed class instance.
    404422     * @access private
     
    503521    function can_do_byguid($privilege, $object_guid, $object_class, $user_id)
    504522    {
    505         if ($this->auth->_internal_sudo)
     523        if ($this->_internal_sudo)
    506524        {
    507525            //debug_push_class(__CLASS__, __FUNCTION__);
    508526            //debug_add('INTERNAL SUDO mode is enabled. Generic Read-Only mode set.', MIDCOM_LOG_DEBUG);
    509527            //debug_pop();
    510             return $this->auth->_can_do_internal_sudo($privilege);
     528            return $this->_can_do_internal_sudo($privilege);
    511529        }
    512530
     
    540558    function can_do_byclass($privilege, $user, $class, $component)
    541559    {
     560        if ($this->_internal_sudo)
     561        {
     562            debug_push_class(__CLASS__, __FUNCTION__);
     563            debug_add('INTERNAL SUDO mode is enabled. Generic Read-Only mode set.', MIDCOM_LOG_DEBUG);
     564            debug_pop();
     565            return $this->_can_do_internal_sudo($privilege);
     566        }
     567
    542568        // Initialize this one to be sure to have it.
    543569        $default_magic_class_privileges = Array();
     
    651677    }
    652678
     679    /**
     680     * This internal helper checks if a privilege is available during internal
     681     * sudo mode, as outlined in the corresponding variable.
     682     *
     683     * @param string $privilege The privilege to check for
     684     * @return boolean True if the privilege has been granted, false otherwise.
     685     * @access private
     686     * @see $_internal_sudo
     687     */
     688    private function _can_do_internal_sudo($privilege)
     689    {
     690        switch($privilege)
     691        {
     692            case 'midgard:create':
     693            case 'midgard:update':
     694            case 'midgard:delete':
     695            case 'midgard:privileges':
     696                // We do not allow this, for security reasons.
     697                return false;
     698
     699            default:
     700                // allow everything else.
     701                return true;
     702        }
     703    }
    653704
    654705    /**
     
    792843
    793844        // content privileges
    794         $content_privileges = midcom_core_privilege::collect_content_privileges($dummy_object, $user_id);
     845        $content_privileges = self::_collect_content_privileges($dummy_object, $user_id);
    795846
    796847        $user = $this->auth->get_user($user_id);
     
    831882    }
    832883
     884    /**
     885     * Collects all privileges applicable for a user over a content object.
     886     * It takes the complete content object tree (using the get_parent methods)
     887     * into account and merges the privileges according to mRFC 15. It will
     888     * only look at privileges that are applicable to the current user, with
     889     * user privileges taking precedence over group privileges.
     890     *
     891     * <i>Known Issue:</i> Currently, group privileges are merged in no particular
     892     * order, in reality they should at least take the group tree into account when
     893     * merging. They do take the "depth" into account correctly though when looking
     894     * at a single group chain.
     895     *
     896     * This function is for use in the authentication framework only and may only
     897     * be called statically.
     898     *
     899     * This function tries to operate on GUIDs whenever possible, to keep runtime up,
     900     * only in the case of nonpersistent objects (no valid GUID yet), it will revert to
     901     * regular object usage.
     902     *
     903     * @access private
     904     * @param mixed &$arg A reference to the GUID or the full object instance for which we should load privileges.
     905     * @param string $user_id The MidCOM user assignee for which we should collect the privileges.
     906     * @return Array An array of privilege_name => privilege_value pairs valid for the given user.
     907     * @static
     908     */
     909    private static function _collect_content_privileges($arg, $user_id)
     910    {
     911        // set $object and $guid
     912        if (mgd_is_guid($arg))
     913        {
     914            $object = null;
     915            $guid = $arg;
     916        }
     917        elseif (is_object($arg))
     918        {
     919            $object = $arg;
     920            $guid = null;
     921
     922            if (   isset($object->guid)
     923                && mgd_is_guid($object->guid))
     924            {
     925                $guid = $object->guid;
     926            }
     927            elseif (   isset($object->__guid)
     928                    && mgd_is_guid($object->__guid))
     929            {
     930                $guid = $object->__guid;
     931            }
     932        }
     933
     934        // guid not found => err
     935        if ($guid === null)
     936        {
     937            return array();
     938        }
     939
     940        static $cached_collected_privileges = array();
     941
     942        $cache_key = $user_id . '::' . $guid;
     943
     944        // check cache
     945        if (isset($cached_collected_privileges[$cache_key]))
     946        {
     947            return $cached_collected_privileges[$cache_key];
     948        }
     949
     950        // If we have a parent, we recurse. {{{
     951        //
     952        // We look up the parent guid in internal sudo mode, as we could run into a fully fledged loop
     953        // otherwise. (get_parent_guid calling get_object_by_guid calling can_do ...)
     954
     955        // ==> into SUDO
     956        $previous_sudo = $_MIDCOM->auth->acl->_internal_sudo;
     957        $_MIDCOM->auth->acl->_internal_sudo = true;
     958
     959        // We need to be careful here in case we have non-persistent objects.
     960        if ($object !== null)
     961        {
     962            $parent_class = $object->get_dba_parent_class();
     963            $parent_guid = $_MIDCOM->dbfactory->get_parent_guid($guid, get_class($object));
     964        }
     965        else
     966        {
     967            $parent_class = null;
     968            $parent_guid = $_MIDCOM->dbfactory->get_parent_guid($guid);
     969        }
     970
     971        $_MIDCOM->auth->acl->_internal_sudo = $previous_sudo;
     972        // <== out of SUDO
     973
     974        if (   $parent_guid === null
     975            || $parent_guid == $guid)
     976        {
     977            $base_privileges = array();
     978        }
     979        elseif ($parent_class === null)
     980        {
     981            // recursion
     982            $base_privileges = self::_collect_content_privileges($parent_guid, $user_id);
     983        }
     984        else
     985        {
     986            $parent_dummy_object = new $parent_class();
     987            $parent_dummy_object->__guid = $parent_guid;
     988
     989            // recursion
     990            $base_privileges = self::_collect_content_privileges($parent_dummy_object, $user_id);
     991        }
     992
     993        // Determine parent ownership
     994        $is_owner = false;
     995        $last_owner_scope = -1;
     996        if (   array_key_exists('midgard:owner', $base_privileges)
     997            && $base_privileges['midgard:owner'] == MIDCOM_PRIVILEGE_ALLOW)
     998        {
     999            $is_owner = true;
     1000        }
     1001
     1002        // }}}
     1003
     1004
     1005        // This array holds values in the schema
     1006        // $valid_privs[scope][priv_name] = priv_value
     1007        // where scope is an integer determining the scope, with 0 being everyone and
     1008        // larger values indicating smaller scopes (1 = top level group, 2 = its sub-group
     1009        // etc. up to the magic value -1 which is equal to the user level privileges)
     1010        // noting it this way is required to ensure proper scoping of several privileges
     1011        // assigned to a single object.
     1012        $valid_privileges = array();
     1013        $valid_privileges[MIDCOM_PRIVILEGE_SCOPE_OWNER] = $_MIDCOM->auth->acl->get_owner_default_privileges();
     1014
     1015        $object_privileges = midcom_core_privilege::get_content_privileges($guid);
     1016
     1017        foreach ($object_privileges as $privilege)
     1018        {
     1019            // Check whether we need to take this privilege into account
     1020            if (!$privilege->does_privilege_apply($user_id))
     1021            {
     1022                continue;
     1023            }
     1024
     1025            // The privilege applies if we arrive here, so we merge it into the current collection
     1026            // taking its scope into account.
     1027            switch ($privilege->assignee)
     1028            {
     1029                case 'EVERYONE':
     1030                    $scope = MIDCOM_PRIVILEGE_SCOPE_EVERYONE;
     1031                    break;
     1032                case 'USERS':
     1033                    $scope = MIDCOM_PRIVILEGE_SCOPE_USERS;
     1034                    break;
     1035                case 'ANONYMOUS':
     1036                    $scope = MIDCOM_PRIVILEGE_SCOPE_ANONYMOUS;
     1037                    break;
     1038                case 'OWNER':
     1039                    $scope = MIDCOM_PRIVILEGE_SCOPE_OWNER;
     1040                    break;
     1041                default:
     1042                    $assignee = $privilege->get_assignee();
     1043                    if (! $assignee)
     1044                    {
     1045                        debug_push_class(__CLASS__, __FUNCTION__);
     1046                        debug_print_r('Could not resolve the assignee of this privilege, skipping it:', $privilege);
     1047                        debug_pop();
     1048                        // Skip broken privileges.
     1049                        continue;
     1050                    }
     1051                    $scope = $assignee->scope;
     1052
     1053                    break;
     1054            }
     1055
     1056            switch ($privilege->value)
     1057            {
     1058                case MIDCOM_PRIVILEGE_ALLOW:
     1059                    $valid_privileges[$scope][$privilege->privilegename] = $privilege->value;
     1060                    if (   $privilege->privilegename == 'midgard:owner'
     1061                        && $scope > $last_owner_scope)
     1062                    {
     1063                        $is_owner = true;
     1064                        $last_owner_scope = $scope;
     1065                    }
     1066                    break;
     1067
     1068                case MIDCOM_PRIVILEGE_DENY:
     1069                    $valid_privileges[$scope][$privilege->privilegename] = $privilege->value;
     1070                    if (   $privilege->privilegename == 'midgard:owner'
     1071                        && $scope > $last_owner_scope)
     1072                    {
     1073                        $is_owner = false;
     1074                        $last_owner_scope = $scope;
     1075                    }
     1076                    break;
     1077
     1078                default:
     1079                    break;
     1080            }
     1081        }
     1082
     1083
     1084        // Process owner privileges
     1085        if (! $is_owner)
     1086        {
     1087            // Drop the owner privileges from the merging chain again, we are not an owner
     1088            unset ($valid_privileges[MIDCOM_PRIVILEGE_SCOPE_OWNER]);
     1089        }
     1090
     1091        ksort($valid_privileges);
     1092
     1093        $collected_privileges = array();
     1094        // Note, that this merging order does not take the group order into account, it just
     1095        // follows the basic rule that the deeper the group is, the smaller is its scope.
     1096        foreach ($valid_privileges as $privileges)
     1097        {
     1098            foreach ($privileges as $name => $value)
     1099            {
     1100                $collected_privileges[$name] = $value;
     1101            }
     1102        }
     1103
     1104
     1105        // printing debug-statements if object doesn't override base privileges
     1106        if ($GLOBALS['midcom_config']['log_level'] >= MIDCOM_LOG_DEBUG)
     1107        {
     1108            foreach ($base_privileges as $name => $value)
     1109            {
     1110                if (!isset($collected_privileges[$name]))
     1111                {
     1112                    debug_push_class(__CLASS__, __FUNCTION__);
     1113                    debug_add("Object privilege {$name} has no value, from parent {$parent_guid} it is {$value}.");
     1114                    debug_pop();
     1115                    continue;
     1116                }
     1117            }
     1118        }
     1119        $final_privileges = array_merge($base_privileges, $collected_privileges);
     1120
     1121        // caching value
     1122        $cached_collected_privileges[$cache_key] = $final_privileges;
     1123
     1124        return $final_privileges;
     1125    }
     1126
    8331127}
    8341128
Note: See TracChangeset for help on using the changeset viewer.